|
I'm studying security -on my own- and need to clear out a few things !
If I've learned this correctly HTTPS connections do these things:
1)public key from server to client
2)client encrypts a key he generates using public key
3) sends encrypted key to server
4) server decrypts the message with his private key
5) voilà! the two sides are ready to exchange information using symetric ciphers
so asymmetric encryptiong is only used for sending a symmetric key over the network
suppose I have a certificate and I can decrypt messages encrypted with its public key
I perform a MITM attack (say ARP spoof),intercept and change the certificate the server sends with the one I know its private key.
browsers pops a little warning most users ignore ("WTF is a trusted certificate anyway ??")
most of the times user proceeds
the key is encrypted using my public key and sent to the server
I intercept the key,decrypt it,and encrypt it again with the public key the server sent
then let it go to the server. server decrypts the key and I can see every info the two sides exchange.
well...is it that simple ?
I don't have time to test it these days so Im asking you
I believe/hope I am mistaken and a "do you want to proceed" message is not the only guard
|
|
|
|
|
Member 10964099 wrote: browsers pops a little warning most users ignore ("WTF is a trusted certificate anyway ??")
You can't fix stupid; but browser vendors are making it a lot more than "bad cert, continue anyway? Yes. No." FF's current procedure always involves swearing when I need to remember how to make it work because some internal dev server only has a selfsigned cert.
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, waging all things in the balance of reason?
Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful?
--Zachris Topelius
Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies.
-- Sarah Hoyt
|
|
|
|
|
|
I suggest you start running now before the Salma Hayek fans see it and decide to shoot the messenger since they can't get at the author of the article and restraining orders prevent them from getting within 10 miles of Salma herself.
Did you ever see history portrayed as an old man with a wise brow and pulseless heart, waging all things in the balance of reason?
Is not rather the genius of history like an eternal, imploring maiden, full of fire, with a burning heart and flaming soul, humanly warm and humanly beautiful?
--Zachris Topelius
Training a telescope on one’s own belly button will only reveal lint. You like that? You go right on staring at it. I prefer looking at galaxies.
-- Sarah Hoyt
|
|
|
|
|
Not safe for my blood pressure in that I feel a pressing need to scream "Noooooooooooooooooooooooooooooooooooo!", you mean? Beautiful? Pah!
|
|
|
|
|
Something that really bothers me about the current Volkswagen scandal is that the engine management system 'cheat switch' didn't write itself. Assuming that Volkswagen followed a fairly traditional software development model:
* someone wrote a specification
* someone approved it
* someone modified the code
* someone reviewed the code
* someone tested it
So that's at least five people who were involved who either didn't think about the ethical or commercial consequences of what they were doing, or were too scared to do anything. And presumably they all considered themselves to be 'Engineers'.
I know software engineers don't have the equivalent of a Hippocratic Oath, but I'm disappointed that those involved at a technical level allowed this to go as far as it did.
|
|
|
|
|
Keith Barrett wrote: I'm disappointed that those involved at a technical level allowed this to go as far as it did.
Don't be: they did it for this... [^]
|
|
|
|
|
I suspect no money found its way into the hands of the engineers. Only the VW executives would have gained. The engineers were probably just following orders.
|
|
|
|
|
Keith Barrett wrote: probably just following orders
and keep their jobs
Mongo: Mongo only pawn... in game of life.
|
|
|
|
|
Keith Barrett wrote: So that's at least five people who were involved who either didn't think about the ethical or commercial consequences of what they were doing, or were too scared to do anything. And presumably they all considered themselves to be 'Engineers'.
I wouldn't mind being one of them. There's nothing unethical in avoiding government standard and commercial consequences are all on management stuff which made the decision.
|
|
|
|
|
I disagree. It was unethical. The ACM's code of ethics and professional standards says:
1.03. Approve software only if they have a well-founded belief that it is safe, meets specifications, passes appropriate tests, and does not diminish quality of life, diminish privacy or harm the environment. The ultimate effect of the work should be to the public good.
What VW did drove a cart-and horses through that one.
|
|
|
|
|
From my experience in large companies, I can tell you that the instruction to write the specification in this manner, most probably came from a high level in the organization. In any case, top management may delegate responsibility, but they cannot delegate accountability. Regardless of whether the top man knew about the cheat, he remains accountable for the actions of his underlings.
How do we preserve the wisdom men will need,
when their violent passions are spent?
- The Lost Horizon
|
|
|
|
|
Keith Barrett wrote: I'm disappointed that those involved at a technical level allowed this to go as far as it did You're disappointed that engineers are also people?
|
|
|
|
|
No - people make mistakes for sure. But for this to happen a whole gang of people had to collude in doing something which should have set all their inner alarm bells ringing.
|
|
|
|
|
I'm not talking about mistakes as this probably wasn't a mistake.
I'm talking about the evil that men do (which lives on and on[^]).
This is one of the lesser evils that probably filled the pockets of quite some people.
And they would've gotten away with it too if it weren't for those meddling kids!
|
|
|
|
|
There's nothing surprising at all about this. In my 30 years of coding I've met all manner of unscrupulous developers who only care about making money and don't give a rats arse if the code they write is right or legal.
I wouldn't be the least bit surprised if this came straight from the top.
If it's not broken, fix it until it is
|
|
|
|
|
Yes, I've seen it too. I see it from employees who don't care and consultants quite frequently.
|
|
|
|
|
How can you know whether what you write is legal, unless you know all the applicable laws and bye-laws for for every country in the world?
Globalisation has a downside where we as engineers cannot know everything and are very likely to be reliant on market experts to know the laws we have to comply with in their target geographies.
|
|
|
|
|
Yes but what we have here is something that is patently wrong by anyone's standards. The code was deliberately designed to cheat during the emissions testing. It's not a question of not knowing the local laws - they knew the law and deliberately flouted it.
|
|
|
|
|
That's the point they would have known at a minimum that they were 'working around' the law, but certainly in some places (thinking UK here) the law is poorly worded.
In the UK the test rules use terms like 'at the time of the test', while the term is meant to mean that the driver couldn't be prosecuted 10 months after the test if their emissions had crept up, some corporate lawyer type can use that clause to mean that what VW did is not illegal. Clearly morally incorrect, but legally okay, it should be caught by a 'no specific changes for the test / test being representative of normal running' type clause, but the diesel tests in the uk have been messed up pretty much since emissions test for diesel were introduced.
|
|
|
|
|
Don't know about other countries but, in the UK the emissions are tested by sticking a pipe up the exhaust - I read that the software knew when the emissions were being tested HOW ? that implies any time someone stuck a pipe in its exhaust the engine would run in clean mode Anyone shed any light on this ?
We can’t stop here, this is bat country - Hunter S Thompson RIP
|
|
|
|
|
pkfox wrote: I read that the software knew when the emissions were being tested HOW ? Google that question and you will find the answer.
My understanding is that when testing, the steering and use of accelerator pedal of the car match a certain pattern. The software looked for that pattern and when it saw the pattern it put the engine into a mode where it was less fuel efficient and worked at a hotter temperature reducing emissions - please pardon my less than scientific explanation
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
|
|
|
|
|
Therefore a similar thing like designing a cpu for specific benchmark tests
modified 19-Jan-21 21:04pm.
|
|
|
|
|
When my car was checked at the last (mandatory) checkup, they plugged in some diagnostics equipment and also monitored the values from the car's chipset. The interface supposedly was a standard across all manufacturers. If a special clean mode exists, it would be a good time to start it when someone connects to this interface.
The language is JavaScript. that of Mordor, which I will not utter here
This is Javascript. If you put big wheels and a racing stripe on a golf cart, it's still a f***ing golf cart.
"I don't know, extraterrestrial?"
"You mean like from space?"
"No, from Canada."
If software development were a circus, we would all be the clowns.
|
|
|
|
|
OK - I've only seen diagnostics used this way by mechanics err diagnosing - but as you say a perfect time to trigger it
We can’t stop here, this is bat country - Hunter S Thompson RIP
|
|
|
|