Search
Items tagged with: CommonSense
There are two news stories today. Unfortunately, some people have difficulty uncoupling the two.
- The Team Fortress 2 Source Code has been leaked.
- Hackers discovered a Remote Code Execution exploit.
The second point is something to be concerned about. RCE is game over. The existence of an unpatched RCE vulnerability, with public exploits, is sufficient reason to uninstall the game and wait for a fix to be released. Good on everyone for reporting that. You’re being responsible. (If it’s real, that is! See update at the bottom.)
The first point might explain why the second happened, which is fine for the sake of narrative… but by itself, a source code leak is a non-issue that nobody in their right mind should worry about from a security perspective.
Anyone who believes they’re less secure because the source code is public is either uninformed or misinformed.
I will explain.
Professor Dreamseeker is in the house. Twitch Emote by Swizz.
Why Source Code Leaks Don’t Matter for Security
You should know that, throughout my time online as a furry, I have been awarded thousand dollar bounties through public bounty programs.
How did you earn those bounties?
By finding zero-day vulnerabilities in those companies’ software.
But only some of those were for open source software projects. CreditKarma definitely does not share their Android app’s source code with security researchers.
How did you do it?
I simply reverse engineered their apps using off-the-shelf tools, and studied the decompiled source code.
Why are you making that sound trivial?
Because it is trivial!
If you don’t believe me, choose a random game from your Steam library.
Right click > Properties. Click on the Local Files tab, then click “Browse Local Files”. Now search for a binary.
Me, following these steps to locate the No Man’s Sky binary.
If your game is a typical C/C++ project, you’ll next want to install Ghidra.
Other platforms and their respective tools:
If you see a bunch of HTML and JS files, you can literally use beautifier.io to make the code readable.
Open your target binary in the appropriate reverse engineering software, and you can decompile the binary into C/C++ code.
Decompiled code from No Man’s Sky’s NMS.exe file on Windows.
Congratulations! If you’ve made it this far, you’re neck-and-neck with any attacker who has a leaked copy of the source code.
Every Information Security Expert Knows This
Almost literally everyone working in infosec knows that keeping a product’s source code a secret doesn’t actually improve the security of the product.
There’s a derisive term for this belief: Security Through Obscurity.
The only people whose job will be made more difficult with the source code leak are lawyers dealing with Intellectual Property (IP) disputes.
In Conclusion
Remote Code Execution is bad.
The Source Code being public? Yawn.
Pictured: Soatok trying to figure out why people are worried about source code disclosure when he publishes everything publicly on Github anyway (2020). Art by Riley.
Update: Shortly after I made this post, I was made aware of another news story worthy of everyone’s attention far more than FUD about source code leaks.
With the Source leaks happening today, I think everyone is missing the most important part: how much does Valve swear? I tallied up instances of these words in the leak*:"fuck": 116
"shit": 63
"damn": 109*There was some non-Valve stuff in the leak; I didn't count it
— @tj (@tjhorner) April 22, 2020
Well damn if that doesn’t capture my interest.
Now this is the kind of story that makes Twitter worthwhile!
Is the RCE Exploit Even Real?
Update 2: I’ve heard a lot of reports that the alleged RCE exploit is fake. I haven’t taken the time to look at Team Fortress 2 or CS:GO in any meaningful way, but the CS:GO team did have this to say about the leaks:
We have reviewed the leaked code and believe it to be a reposting of a limited CS:GO engine code depot released to partners in late 2017, and originally leaked in 2018. From this review, we have not found any reason for players to be alarmed or avoid the current builds.— CS2 (@CounterStrike) April 22, 2020
Fake news and old news are strange (yet strangely common) bedfellows.
https://soatok.blog/2020/04/22/source-code-leak-is-effectively-meaningless-to-endpoint-security/
#commonSense #informationSecurity #infosec #misinformation #reverseEngineering #security #securityThroughObscurity #sourceCode
There are two news stories today. Unfortunately, some people have difficulty uncoupling the two.
- The Team Fortress 2 Source Code has been leaked.
- Hackers discovered a Remote Code Execution exploit.
The second point is something to be concerned about. RCE is game over. The existence of an unpatched RCE vulnerability, with public exploits, is sufficient reason to uninstall the game and wait for a fix to be released. Good on everyone for reporting that. You’re being responsible. (If it’s real, that is! See update at the bottom.)
The first point might explain why the second happened, which is fine for the sake of narrative… but by itself, a source code leak is a non-issue that nobody in their right mind should worry about from a security perspective.
Anyone who believes they’re less secure because the source code is public is either uninformed or misinformed.
I will explain.
Professor Dreamseeker is in the house. Twitch Emote by Swizz.Why Source Code Leaks Don’t Matter for Security
You should know that, throughout my time online as a furry, I have been awarded thousand dollar bounties through public bounty programs.How did you earn those bounties?
By finding zero-day vulnerabilities in those companies’ software.But only some of those were for open source software projects. CreditKarma definitely does not share their Android app’s source code with security researchers.
How did you do it?
I simply reverse engineered their apps using off-the-shelf tools, and studied the decompiled source code.Why are you making that sound trivial?
Because it is trivial!If you don’t believe me, choose a random game from your Steam library.
Right click > Properties. Click on the Local Files tab, then click “Browse Local Files”. Now search for a binary.
Me, following these steps to locate the No Man’s Sky binary.
If your game is a typical C/C++ project, you’ll next want to install Ghidra.Other platforms and their respective tools:
If you see a bunch of HTML and JS files, you can literally use beautifier.io to make the code readable.
Open your target binary in the appropriate reverse engineering software, and you can decompile the binary into C/C++ code.
Decompiled code from No Man’s Sky’s NMS.exe file on Windows.
Congratulations! If you’ve made it this far, you’re neck-and-neck with any attacker who has a leaked copy of the source code.Every Information Security Expert Knows This
Almost literally everyone working in infosec knows that keeping a product’s source code a secret doesn’t actually improve the security of the product.There’s a derisive term for this belief: Security Through Obscurity.
The only people whose job will be made more difficult with the source code leak are lawyers dealing with Intellectual Property (IP) disputes.
In Conclusion
Remote Code Execution is bad.The Source Code being public? Yawn.
Pictured: Soatok trying to figure out why people are worried about source code disclosure when he publishes everything publicly on Github anyway (2020). Art by Riley.
Update: Shortly after I made this post, I was made aware of another news story worthy of everyone’s attention far more than FUD about source code leaks.With the Source leaks happening today, I think everyone is missing the most important part: how much does Valve swear? I tallied up instances of these words in the leak*:"fuck": 116
"shit": 63
"damn": 109*There was some non-Valve stuff in the leak; I didn't count it
— @tj (@tjhorner) April 22, 2020
Well damn if that doesn’t capture my interest.
Now this is the kind of story that makes Twitter worthwhile!Is the RCE Exploit Even Real?
Update 2: I’ve heard a lot of reports that the alleged RCE exploit is fake. I haven’t taken the time to look at Team Fortress 2 or CS:GO in any meaningful way, but the CS:GO team did have this to say about the leaks:We have reviewed the leaked code and believe it to be a reposting of a limited CS:GO engine code depot released to partners in late 2017, and originally leaked in 2018. From this review, we have not found any reason for players to be alarmed or avoid the current builds.— CS2 (@CounterStrike) April 22, 2020
Fake news and old news are strange (yet strangely common) bedfellows.
https://soatok.blog/2020/04/22/source-code-leak-is-effectively-meaningless-to-endpoint-security/
#commonSense #informationSecurity #infosec #misinformation #reverseEngineering #security #securityThroughObscurity #sourceCode
UK's mindless, hostile & aggressive local councils
Stoke-on-Trent couple fined £1,200 after clearing up rubbish
Their road had been blighted with “disgusting” #litter for years.
But after Mr Pinter cleaned up some of the rubbish and left it out in a cardboard box by the full bins, the pair each received £600 fines.
The city council said all fly-tippers would be punished with fixed penalty notices and considered the matter resolved.
Ms Mike, 41, said people would often dump waste around the bins on their street which she claimed would not get collected and would attract animals.
I’m actually afraid to walk past it in the street because I’ve seen a lot of #rats and what looks like stray cats
Mr Pinter, 46, collected the rubbish into the box, which had his name printed on it, on 29 April after seeing the litter blowing around.
He said the bins on the street were full so he had to leave the box next to them in the hope it would be collected.
https://www.bbc.co.uk/news/articles/cldyny34kx4o
#ToryDamage #councils #UK #hostile #HostileEnvironment #trash #rubbish #authoritarian #FlyTipping #CommonSense
Stoke-on-Trent couple fined £1,200 after clearing up rubbish
The pair say they were fined after cleaning up rubbish and leaving it out in a box for collection.Alex McIntyre (BBC News)