|
Rooney McNibnug posted:There are a lot of features in EMET that aren't being rolled into Win10: https://insights.sei.cmu.edu/cert/2016/11/windows-10-cannot-protect-insecure-applications-like-emet-can.html

Cool, thank you. Lol at not including untrusted font blocking in the OS
|
# ? May 28, 2017 00:27 |
|
hackbunny posted:this is mega retarded. giga retarded even. think about what you just wrote and then throw your computer in the trash. what an idiotic thing to say, I'm not even attempting to refute this ridiculous assertion. what is it about security that makes people into the smartest idiots on earth to be fair it's not like our other organs are significantly more secure than that and can't be targeted and knocked permanently offline, remotely ... and this remotely exploitable vulnerability is something like centuries old at this point and there is still no comprehensive fix available! more than anything this shows there's this disturbing idea of "if I murder someone by messing with their pacemaker then that's not really murder if I only murder them for their own benefit" that only a computer person would argue for
|
# ? May 28, 2017 05:58 |
|
i don't think anyone here would argue that sshing to a pacemaker and disabling whatever cron job calls heartbeat.py isn't murder regardless of circumstances
|
# ? May 28, 2017 06:29 |
|
an invisible, immaterial weapon that requires no physical contact and goes through skin and clothes leaving them intact and requires no physical exertion and can't be defended against: exactly the same thing as stabbing someone through the heart
|
# ? May 28, 2017 14:21 |
|
hackbunny posted:an invisible, immaterial weapon that requires no physical contact and goes through skin and clothes leaving them intact and requires no physical exertion and can't be defended against: exactly the same thing as stabbing someone through the heart Nobody is saying this. ymgve posted:Maybe they could make some two-tier system, where skin contact programming requires no auth, but wireless programming requires some kind of authentication. Instant Grat posted:I read the argument a while ago that if someone wants to kill you by reprogramming the pacemaker, and they have to get close enough to do it that they'd be able to stab you to death anyway, extra authentication and poo poo on the pacemaker isn't gonna save your life
|
# ? May 28, 2017 14:57 |
|
A Pinball Wizard posted:Nobody is saying this. you loving imbecile don't ever "actually" or quote me again
|
# ? May 28, 2017 15:03 |
|
hackbunny posted:you loving imbecile don't ever "actually" or quote me again Calm down.
|
# ? May 28, 2017 15:04 |
|
hackbunny posted:you loving imbecile don't ever "actually" or quote me again nice meltdown
|
# ? May 28, 2017 15:05 |
|
hackbunny posted:you loving imbecile don't ever "actually" or quote me again cool
|
# ? May 28, 2017 15:26 |
|
i think this whole discussion is the plot to one of the iron man movies
|
# ? May 28, 2017 16:03 |
|
BangersInMyKnickers posted:Cool, thank you. Lol at not including untrusted font blocking in the OS

That quoted table is out of date. Font blocking came in a later version (not sure which) of Win10: https://docs.microsoft.com/en-us/windows/threat-protection/block-untrusted-fonts-in-enterprise

The EAF list is also a hard-coded list of known targeted functions, which is why it periodically breaks Chrome, and the list is not well-maintained because it's whack-a-mole, as is the HeapSpray list. The one I truly miss is ASR, because Flash and Java are still way more commonly installed than they need to be.
|
# ? May 28, 2017 18:20 |
|
vOv posted:isn't that just a question of transmitter power though, or is there a distance-bounding protocol somewhere? In either case those who say you could just stab the person are missing the point. Stabbing tends to create a scene, leave evidence, etc. Reconfiguring a pacemaker could look just like a hardware failure or simply a known questionable heart giving up, depending on what sorts of audit logging these devices actually keep. Imagine a gold digging spouse or just a pissed off lover reprogramming a pacemaker while the victim sleeps. An "evil maid" works pretty much the same way. Depending on how much time the initial authentication takes and the range at which it works an attacker might even just be able to bump in to the target or stand near them in a crowd, then they'd be able to do the rest from a moderate distance. Stabbing is generally easier to do, but a lot harder to get away with. quote:also my favorite part of that eaglesoft video is the godawful ui that looks like a desk
|
# ? May 28, 2017 18:38 |
|
wolrah posted:In either case those who say you could just stab the person are missing the point. Stabbing tends to create a scene, leave evidence, etc. Reconfiguring a pacemaker could look just like a hardware failure or simply a known questionable heart giving up, depending on what sorts of audit logging these devices actually keep. now imagine the programming device being compromised by some internet of poo poo connection too
|
# ? May 28, 2017 18:45 |
|
Cocoa Crispies posted:now imagine the programming device being compromised by some internet of poo poo connection too Which is another point I've seen brought up by other people looking at these sorts of things. The home monitoring/programming gateway, which is generally internet connected, might also be full of vulnerabilities. No need to break in to the device's authentication system if you just break in to a device that's already been authenticated.
|
# ? May 28, 2017 18:56 |
|
how would a wireless device specifically require skin contact to reprogram anyway? even if it only picks up signals from at most a foot away, that's a big difference from actually requiring skin contact
|
# ? May 28, 2017 19:16 |
|
rjmccall posted:how would a wireless device specifically require skin contact to reprogram anyway? even if it only picks up signals from at most a foot away, that's a big difference from actually requiring skin contact ymgve posted:edit: Reading the article, it seems like programmers already do something like this - requires skin contact programming to read a device key which is then used for wireless programming.
|
# ? May 28, 2017 19:19 |
|
rjmccall posted:how would a wireless device specifically require skin contact to reprogram anyway? even if it only picks up signals from at most a foot away, that's a big difference from actually requiring skin contact capacitative sensor and near field rf with timing sensitivity
|
# ? May 28, 2017 19:23 |
|
hackbunny posted:an invisible, immaterial weapon that requires no physical contact and goes through skin and clothes leaving them intact and requires no physical exertion and can't be defended against: exactly the same thing as stabbing someone through the heart I was actually thinking something like a .17 from 400 yards away flat trajectory and low recoil == easy mode FTW for script kiddies wanting to troll someone's heart
|
# ? May 28, 2017 19:33 |
|
whatever happened to body area networks, anyway
|
# ? May 28, 2017 19:36 |
|
duTrieux. posted:whatever happened to body area networks, anyway turned out you could put all the functionality you wanted into the phone by itself, maybe a phone and a watch
|
# ? May 28, 2017 19:40 |
|
Max Facetime posted:I was actually thinking something like a .17 from 400 yards away

yes all the times people hang out places with a clear line of sight four football fields away

also at 400 yards you're looking like ten feet of drop on 17hmr lol
|
# ? May 28, 2017 19:45 |
|
fishmech posted:turned out you could put all the functionality you wanted into the phone by itself, maybe a phone and a watch and headphones
|
# ? May 28, 2017 20:05 |
rjmccall posted:how would a wireless device specifically require skin contact to reprogram anyway? even if it only picks up signals from at most a foot away, that's a big difference from actually requiring skin contact

iirc they use tight magnetic coupling with loop antennae instead of electromagnetic coupling because being embedded inside the big bag of variable arrangements of lovely dielectric material that is the human body really fucks with monopole and dipole antenna designs. doubly so when dealing with the horrible transmit powers the implants manage.
|
|
# ? May 28, 2017 20:13 |
At the end of the day, I can still go back and rewatch the first few seasons of Archer and laugh my rear end off. I can't say that about the most recent seasons. That doesn't mean they're not entertaining in their own way, just not what brought me to Archer originally.
|
|
# ? May 28, 2017 21:09 |
|
rafikki posted:At the end of the day, I can still go back and rewatch the first few seasons of Archer and laugh my rear end off. I can't say that about the most recent seasons. That doesn't mean they're not entertaining in their own way, just not what brought me to Archer originally. what
|
# ? May 28, 2017 21:23 |
|
the right post in the wrong thread
|
# ? May 28, 2017 21:39 |
|
https://www.youtube.com/watch?v=44uYz6PuTj0
|
# ? May 28, 2017 21:48 |
|
Cocoa Crispies posted:capacitative sensor and near field rf with timing sensitivity capacitative sensor sounds like a protection against accidental mis-use, not malicious, since it's presumably only enforced in the programmer. or is it reading some bio signal and using that to "authenticate" with the implant?
|
# ? May 28, 2017 22:09 |
whoops
|
|
# ? May 28, 2017 22:09 |
|
wolrah posted:In either case those who say you could just stab the person are missing the point. Stabbing tends to create a scene, leave evidence, etc. Reconfiguring a pacemaker could look just like a hardware failure or simply a known questionable heart giving up, depending on what sorts of audit logging these devices actually keep. the other thing is that depending on how programmable those things are you might be able to make them keep working for a couple days and then stop, at which point you've got no chance in hell of identifying who did it
|
# ? May 28, 2017 23:14 |
|
check /var/log?
|
# ? May 28, 2017 23:24 |
|
vOv posted:the other thing is that depending on how programmable those things are you might be able to make them keep working for a couple days and then stop, at which point you've got no chance in hell of identifying who did it

Hmm, this guy died after someone changed the firmware on his pacemaker and his son (who stands to inherit) is an embedded developer. Nope mystery, guess we'll never know.

Unless of course you think it's likely that someone would put the effort into finding someone in the .001% of the population who are paced, find out which model they have and then following them round with a big gently caress off antenna

This is getting as bad as the grey thread.
|
# ? May 28, 2017 23:36 |
|
Deep Dish Fuckfest posted:check /var/log? this is if you can do unauthed reprogramming, if you have to auth then that obviously makes it harder because you can look at who changed it, figure out if their credentials got stolen, etc. jre posted:Unless of course you think it's likely that someone would put the effort into finding someone in the .001% of the population who are paced, find out which model they have and then following them round with a big gently caress off attenna this is a good point though, my bad. i was more thinking of 'someone just wants to kill random people and get away with it' than 'someone with a motive wants to target a specific person'
|
# ? May 28, 2017 23:46 |
|
Cocoa Crispies posted:now imagine the programming device being compromised by some internet of poo poo connection too

Not sure what my current home reporting device does under the hood but it's not connected to my home internet, and the previous one just used a direct phone connection (complete with loud 28K modem sounds when it connected). I also haven't seen any doctor programming devices being connected via wired networking but there are probably some stupid vendors that make them wifi compatible with all the issues that will cause.

To get around the "just crank the power of the transmitter to 1000x" issue, you could probably do some extreme low-latency stuff in the initial handshake - like you'd need to overcome the speed of light if you want to do anything from more than a few inches away.
|
# ? May 28, 2017 23:58 |
|
jre posted:
this isn't really a threat for most people but it's something that organizations charged with protecting important individuals (who may have multiple news stories written about their pacemakers) may need to consider.
|
# ? May 29, 2017 00:27 |
|
jre posted:Hmm, this guy died after someone change the firmware on his pacemaker and his son ( who stands to inherit ) is an embedded developer. a 51-year-old man sits behind a desk, well-dressed but disheveled. on the wall is a framed portrait of a stern-looking elderly man in the door of an imposing manor house. a towering stack of letters on the desk nearly reaches the man's eyes; we can clearly see they are gambling debts. his right hand holds a wrench, which he is attempting to use to fasten a two-foot satellite tv antenna to a belt. his attention seems to flit desperately between that and a dense technical book, held in his left hand, entitled "learn systems programming for the MSP 430F1611 in just 15 days". he sighs and looks up at the camera. "there's got to be a better way!" like, y'know, buying a device that he can stick behind a chair
|
# ? May 29, 2017 00:40 |
|
jre posted:Hmm, this guy died after someone change the firmware on his pacemaker and his son ( who stands to inherit ) is an embedded developer. guy with heart problem dies of heart problem doesn't usually get csi cyber called
|
# ? May 29, 2017 01:22 |
|
PCjr sidecar posted:guy with heart problem dies of heart problem doesn't usually get csi cyber called actually one with a pacemaker would probably get a rudimentary private forensic analysis because pacemaker companies are probably really interested in figuring out why their device didn't save the owner
|
# ? May 29, 2017 01:35 |
|
One thing that comes to mind with a PRINGLE CAN PACEMAKER HACK, assuming there's a handshake protocol, just how the poo poo is the device going to talk loud enough to respond to these super powered far away antennas? I would think that these things have a super limited range having to transmit through meat/skin to begin with, I just don't see the signal being good for anything other than extreme close range. Proteus Jones fucked around with this message at 01:54 on May 29, 2017 |
# ? May 29, 2017 01:51 |
|
|
ymgve posted:Not sure what my current home reporting device does under the hood but it's not connected to my home internet, and the previous one just used a direct phone connection (complete with loud 28K modem sounds when it connected). I also haven't seen any doctor programming devices being connected via wired networking but there are probably some stupid vendors that make them wifi compatible with all the issues that will cause.

yeah there's a pretty simple distance-bounding protocol of just 'generate a random 128-bit sequence, send it, and require the receiver to send it back within N nanolightseconds'
|
# ? May 29, 2017 01:52 |
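
The echo-within-a-deadline check described in the last post, as an added example that is not part of any post in the thread and not any vendor's protocol. The class and function names, the 0.3 m bound and the 50 ns responder turnaround are assumptions, and the round-trip times are constructed by simulation rather than measured on hardware.

```python
import hmac
import secrets

C = 299_792_458.0  # speed of light, m/s; 1 nanolightsecond is about 0.3 m

def max_rtt_ns(bound_m, turnaround_ns):
    """Longest round trip accepted: flight time out and back plus the
    responder's fixed turnaround delay (assumed known to the verifier)."""
    return 2 * bound_m / C * 1e9 + turnaround_ns

def slack_m(timing_error_ns):
    """Extra distance a far responder gains per ns of timing tolerance."""
    return timing_error_ns * 1e-9 * C / 2

class Verifier:
    """Implant side (hypothetical): send a challenge, then time the echo."""
    def __init__(self, bound_m, turnaround_ns):
        self.limit_ns = max_rtt_ns(bound_m, turnaround_ns)
        self.nonce = None

    def challenge(self):
        self.nonce = secrets.token_bytes(16)  # random 128-bit sequence
        return self.nonce

    def check(self, echo, rtt_ns):
        if self.nonce is None:
            return "no-challenge"
        nonce, self.nonce = self.nonce, None  # one attempt per nonce
        if not hmac.compare_digest(echo, nonce):
            return "bad-echo"
        return "ok" if rtt_ns <= self.limit_ns else "too-far"

def simulated_rtt_ns(distance_m, turnaround_ns):
    """Constructed timing: an ideal responder sitting at distance_m."""
    return 2 * distance_m / C * 1e9 + turnaround_ns

def run(distance_m, bound_m=0.3, turnaround_ns=50.0):
    """One challenge/echo round against a responder at distance_m."""
    v = Verifier(bound_m, turnaround_ns)
    nonce = v.challenge()
    return v.check(nonce, simulated_rtt_ns(distance_m, turnaround_ns))

if __name__ == "__main__":
    for d in (0.05, 10.0):
        print(f"{d:>5} m -> {run(d)}")
    print(f"100 ns of tolerance = {slack_m(100):.2f} m of slack")
```

The bound is only as tight as the verifier's timing: every 100 ns of tolerance allowed for responder processing or clock jitter admits roughly 15 m of extra distance, and a plain echo bounds distance without authenticating who answered.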