- WhatsApp Web has privacy holes that could expose user photos
- IsAnybodyDown's Craig Brittain banned from the 'revenge porn' business
- Does size matter? It does if you're French...and a chess-loving hacker!
Posted: 30 Jan 2015 12:39 PM PST
WhatsApp has just rolled out a new service called WhatsApp Web that allows users to sync the messaging app between their mobile devices and desktop, but the new web client has a couple of privacy pitfalls that show it's not really ready for its close-up.
The problems with the web client, which were reported to us by Indrajeet Bhuyan, a 17-year-old security blogger, undermine privacy settings that work just fine on the WhatsApp mobile app.
According to Bhuyan, in some situations users of WhatsApp Web can see photos they're not supposed to view and which they wouldn't see on the mobile app.
In the WhatsApp mobile app, you can delete a photo from your device after sending it, and the recipient will then see only a blurred-out version of the photo.
But Bhuyan reported that a photo sent from his mobile device and then deleted was still visible without the blurring in the web client.
As WhatsApp noted in a 21 January 2015 blog post announcing the new service, WhatsApp Web "mirrors conversations and messages from your mobile device," and all messages "live on your phone."
But since photos deleted from your phone are still showing up in the web client, we can infer that the mobile and web apps are not syncing properly.
The second problem, says Bhuyan, is that your profile photo may remain visible on WhatsApp Web even after you've used the feature in the mobile app to restrict your photo to contacts only.
Ironically, this seems to be the reverse of various mobile-versus-web problems we've written about before, where it was the mobile version that fell short of the security offered by its web-based equivalent.
Both of these bugs look as though they could, and should, have been caught before WhatsApp Web was released; it reads as if WhatsApp rushed the product out of the door without enough testing.
A few other issues with WhatsApp Web make me think it wasn't quite ready and could have waited: so far the web client only works in Chrome, and it isn't available yet for users of the iOS mobile app (due to "Apple platform limitations," WhatsApp says).
WhatsApp, which has more than 500 million users worldwide and was purchased by Facebook in 2014 for a mind-boggling $19 billion, has run afoul of regulators and privacy advocates for its past sloppy behavior.
We applauded WhatsApp when it rolled out end-to-end encryption to protect users' private messages.
But this latest privacy bungle has me, in the shorthand of chat initialisms, SMH (translation - shaking my head).
Posted: 30 Jan 2015 07:13 AM PST
Craig Brittain, the owner of 'revenge porn' website IsAnybodyDown, has been given a firm slap on the wrist by the Federal Trade Commission and ordered not to post nude photos anywhere online again - unless he has been given explicit permission to do so.
He was also ordered to permanently delete all the naked pictures he had collected via his website but, in what appears to be a somewhat lenient agreement with the FTC, he avoided having to pay a fine, despite having made around $12,000 off the back of his victims' humiliation.
In one ruse he posed as a woman on a Craigslist forum and offered to swap photos, supposedly of himself, in exchange for snaps of other women. He then posted those on his IsAnybodyDown website without their permission or knowledge.
According to the FTC's complaint, Brittain also solicited further photos from visitors to his website by offering $100 to users who sent in snaps along with personal information such as names, locations, Facebook profiles and phone numbers which he then published.
Brittain's collection methods ultimately proved quite successful - the FTC says he acquired photos of more than 1000 people.
Women who discovered their images on Brittain's site had little success in getting them removed by contacting IsAnybodyDown directly.
The FTC notes how he very rarely responded to removal requests, despite some women alerting him to the fact that they were attracting attention from strangers who had seen their photos and contact information on his site.
Removal was far more likely to succeed through specialised sites such as "Takedown Hammer" and "Takedown Lawyer", which would have content removed in return for a fee of between $200 and $500. The FTC alleged, though did not prove, that both of those sites were in fact owned and operated by Brittain himself.
FTC's Bureau of Consumer Protection director Jessica Rich said:
While it might be seen that Brittain has got off lightly, the FTC consent order has at least effectively put a permanent end to Brittain's revenge porn days.
Should he ever be caught posting naked photos online again without consent, the order mandates that he will be issued with a civil penalty of $16,000 for each and every violation.
The lasting effects of his actions are not likely to be positive for Brittain, as noted by ex-federal prosecutor Ken White:
The consent order will last 20 years and Brittain will be monitored throughout its duration.
Posted: 30 Jan 2015 04:56 AM PST
Old-school computer programmer Olivier Poudade is a French hacker (in the upbeat sense of the word) whose involvement in low, low level coding goes way, way back.
Going as Baudsurfer, he was part of an online community called RSI (Red Sector Inc.), which established what is now claimed as Canada's first ever BBS, right back in early 1985.
For those who've only ever known the internet and the World Wide Web, a BBS is a Bulletin Board System.
That's a sort-of text-mode website, with news, comments, forums, downloads and more, that you access using a modem on your telephone line.
Unlike the modern internet, where you pay a local company for local access, and from there "fan out" at little or no extra cost to servers all over the world, BBSes were point-to-point affairs.
Each BBS had its own modems and telephone lines that you called up directly, so that local BBSes were cheaper to use than long-distance ones, and much, much cheaper than overseas ones.
Around that time, other aspects of the home computing scene were a bit different, too.
In the UK, for example, the influential and popular ZX81 (sold as the short-lived Timex Sinclair 1000 in the USA) came out of the box with just 1KB of RAM.
Nevertheless, in 1983, the source code of a chess program was published for the ZX81:
And if that sounds amazing, consider that the ZX81's 1KB also had to hold the system variables and the screen display, leaving just 672 bytes for the chess-playing code itself.
There were certain simplifications, of course.
The program could only play with the white pieces, and you had to prepare two different versions of the game, one for "Queen's Pawn Moved" and the other for "King's Pawn Moved."
In fact, bought copies of the game came on a cassette tape, with the Queen's Pawn version on one side of the tape and the King's Pawn version on the other.
And you couldn't castle, for example.
Castling is a special and important move in chess, available only once to each player in each game.
When castling, your king and a rook effectively jump over each other, swapping places in order to shield the king and bring the rook out of its corner and into play.
Because of its significance to chess, and the fact that almost all games include the move, you can argue that a program that omits it isn't actually playing chess at all, in the same way that a Scrabble game without blank tiles wouldn't be Scrabble at all.
But a lot of complexity and size (not to mention many bugs) in programming arise from dealing with special cases, and with just 672 bytes to play with, castling had to fall away.
Many years later...
Fast forward almost exactly 32 years, and Olivier Poudade, aka Baudsurfer, thinks he's cracked the record.
He set a target of 512 bytes - the size of a boot sector.
After many iterations, and the help of Aussie anti-virus and machine code expert Peter Ferrie, he delivered BootChess:
You can quite literally write it to the first sector of a USB key, a hard disk or a floppy disk, boot up, and you're playing.
BootChess is your operating system, your run-time libraries and your application suite, all in one.
It's Chess, or nothing:
Actually, Poudade's next challenge is to squeeze BootChess just a little bit more, so that the sector also has room for the BIOS Parameter Block that a regularly-formatted disk keeps at the start of its boot sector, making it both a valid, bootable boot sector and a chess game.
That way, after playing the game, the sector could hand over to a normal bootstrap.
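To see how much of a 512-byte boot sector is actually available for code in each of those two situations, here is a small builder and checker. It is an added example, not BootChess or any of Poudade's code: the FAT12 header values are those of a plain 1.44MB floppy, the OEM name, volume label and volume ID are made up, and the "payload" is a four-byte halt stub standing in for a real program.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511: the only thing a legacy BIOS checks before jumping
BPB_END = 0x3E                 # a FAT12 BIOS Parameter Block occupies bytes 0x00-0x3D


def fat12_floppy_header(volume_label: bytes = b"BOOTCHESS  ") -> bytes:
    """Build the first 0x3E bytes of a 1.44 MB FAT12 floppy boot sector (constructed values)."""
    hdr = b"\xeb\x3c\x90"                     # jmp short 0x3E ; nop  -> skip the BPB, land on the code
    hdr += b"EXAMPLE "                        # OEM name, 8 bytes (made up)
    hdr += struct.pack("<HBHBHHBHHHII",
                       512,     # bytes per sector
                       1,       # sectors per cluster
                       1,       # reserved sectors (just this boot sector)
                       2,       # number of FATs
                       224,     # root directory entries
                       2880,    # total sectors: 1.44 MB
                       0xF0,    # media descriptor: 3.5" floppy
                       9,       # sectors per FAT
                       18,      # sectors per track
                       2,       # heads
                       0,       # hidden sectors
                       0)       # large total-sector count (unused here)
    hdr += struct.pack("<BBBI", 0, 0, 0x29, 0x12345678)   # drive, reserved, ext. boot sig, volume ID (made up)
    hdr += volume_label.ljust(11)[:11]        # 11-byte volume label
    hdr += b"FAT12   "                        # 8-byte file-system type string
    assert len(hdr) == BPB_END
    return hdr


def code_budget(formatted: bool) -> int:
    """Bytes left for machine code once the signature (and, if formatted, the BPB) are accounted for."""
    return SECTOR_SIZE - len(BOOT_SIGNATURE) - (BPB_END if formatted else 0)


def make_boot_sector(code: bytes, formatted: bool) -> bytes:
    """Pack machine code into a 512-byte boot sector.

    formatted=False: raw sector, code from byte 0, signature at the end (BootChess as shipped).
    formatted=True:  FAT12 header first, code from 0x3E, so only 448 bytes remain (Poudade's next goal).
    """
    header = fat12_floppy_header() if formatted else b""
    budget = code_budget(formatted)
    if len(code) > budget:
        raise ValueError(f"code is {len(code)} bytes, but only {budget} fit")
    sector = header + code + b"\x00" * (budget - len(code)) + BOOT_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


def is_bootable(sector: bytes) -> bool:
    """What a legacy BIOS requires: exactly one sector, ending in 0x55 0xAA."""
    return len(sector) == SECTOR_SIZE and sector[-2:] == BOOT_SIGNATURE


def has_fat12_bpb(sector: bytes) -> bool:
    """Rough check an OS makes before trusting the BPB: jump at byte 0, sane sector size, FAT12 tag."""
    return (sector[0] in (0xEB, 0xE9)
            and struct.unpack_from("<H", sector, 0x0B)[0] == 512
            and sector[0x36:0x3E] == b"FAT12   ")


# Constructed placeholder payload: cli ; hlt ; jmp $  (just parks the CPU). Not BootChess.
STUB = b"\xfa\xf4\xeb\xfe"

if __name__ == "__main__":
    print("raw sector code budget:      ", code_budget(False))   # 510
    print("formatted sector code budget:", code_budget(True))    # 448
    with open("boot.img", "wb") as f:
        f.write(make_boot_sector(STUB, formatted=True))
```

Writing `boot.img` to a floppy image and starting it with `qemu-system-i386 -fda boot.img` will boot into the stub; swap `STUB` for real code and the `ValueError` tells you immediately when you have blown the 448-byte budget that a formatted sector leaves.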
I know exactly what you're thinking!
What happens if you pit BootChess against 1K ZX Chess?
Sadly, that's not possible, because both programs can only play with the white pieces.
(Like 1K Chess, BootChess has a hard-coded first move, set to e2-e4, or "King's Pawn Moved," as seen above.)
But I did pit BootChess against Oscar Toledo Gutiérrez's Toledo Picochess.
Where BootChess fits into 512 bytes of machine code, Picochess fits into 1024 bytes of C source code:
That's a similarly spectacular achievement - even when redundant characters and comments are stripped from BootChess's assembly language, you end up with close to 3KB of source code.
Chess master Tim Harding is supposed to have said, of 1K ZX Chess, that although it was the work of a genius to make the program fit into the available space, its playing ability was "so appalling that it would be hard to make it beat you."
Sadly, the same is true of BootChess.
Where Picochess actually managed to develop a few pieces in the course of 12 moves, coming out swinging with a bishop and a queen, BootChess managed little more than advancing several pawns, mostly by one square, and wasting a bishop. (That's not a phrase you hear often.)
BootChess then proceeded to throw away the game by making an illegal move, failing to notice it was in check.
The bottom line
Apologies to our diehard security readers: there isn't an obvious security angle here.
Except, of course, that this shows how much you can do in apparently impossibly small amounts of memory, if you are willing to make practicable simplifications, and if you are prepared to give up on correctness.
This is a trick used to good effect by crooks when they have only a tiny hole into which to squeeze an exploit.
Their code doesn't have to win reliability awards; it doesn't even have to work all the time.
It just has to work when it runs on your computer, and that's you pwned...