Topic: !!! RED ALERT: SHIELDS UP, TROJAN SOURCE HAS ARRIVED !!! (Read 484 times)

seems like fear pronz to me

I don't code much, but most people i know still code locally. But maybe it's because internet speed/stability isn't good enough to have good experience with online code editor.


Windows 7 no longer receive security update, so those who still use it are vulnerable to more common malware/trojan/ransomware.

P.S. I know there's "Extended Security Updates" for Windows 7, but only corporation with legacy software who would pay for it.

It only works on Windows, as more sane operating systems will classify the file based on its MIME type (by, you know, actually inspecting the file contents)

Well mean while, I have read the entire document, looked at examples, looked at what professor mentions is vunerable software basically all webbrowsers <- that is big.

If this was known then why is it not fixed ? Clearly it wasn't know or people didn't take it seriously, I'll let you choose.

Paying 8010 or 1080 is a big deal this could be fooled on the web.

Anyway I also googled around found some doc about hacking unicode, apperently in that doc this was also know.

The thing that alarmed me is that this-executes-exe.txt actually worked in windows 7.

Basically the exe.txt get's swapped, so the real filename is this-executes-txt.exe.

I have never seen such a thing in all these years of windows usage ! That totally shocked me. SO BEWARE !

For now I have calmed down somewhat, totally calm now...

There is babelmap an babeleditor that can be used to experiment with unicode and control characters ! Have fun ! =D

I also worry about magnetlinks from whatever reason... my spider-sense till me somebody is going to do something bad with it.

Or how about URI payments ! AH YES ! URI payments would be the perfect way to fool USERS.

HOLYSHIT.

Bye for now,
  Skybuck.

I might be willing to use a cloud IDE that saves my work-in-progress to the cloud but still has the capability to perform GIT functions to the applicable branch of the repo I am working on. This might cut back on commits to my branch if I am pulled away from working on something unexpectedly, for example.

I would not be particularly comfortable with an IDE that saves in real-time without the ability to commit my changes. This would make it difficult to undue changes that break something, or that is later decided against implementing.

Cloud9 is just a mashup of an editor, terminal, and file browser (and another terminal that masquerades as a gdb debugger). There's no extension functionality of all, and I believe you're stuck with whatever linters Cloud9 ships with as well (pylint, eslint, etc.) In most cases there is no semantic/runtime error checking of any kind.

It's completely stupid to host your only local copy on the cloud though, I've lost code from AWS terminating my account and having Cloud9 as my only local source. Luckily I had pushed an old copy to a private self-hosted Gitea instance beforehand, after almost 'rm-ing my entire project folder.

Completely agree. I have seen some of these cloud IDE's such as Cloud9 (which is amazon now I think) and their interface cant offer half the functionality of what something like PyCharm, PHPStorm or VSCode can. Especially with the Git integration.

If you go though all the crap that that account has been posting for the 10 years it's been here, you can see a lot of nonsensical rambling postings. With a bit of paranoia sprinkled in.

That and the total inability to use the code tags.

As I said and others have pointed out, this vulnerability has been known for years. But since some news outlets picked it up, it's now 'important'.

What is also interesting that I have seen in discussions now, is how many people code in the cloud. I always as does just about everyone I know do everything locally and then push it up to github or wherever. I never knew how many people are doing it all online and then pull and compile it locally. Guess I'm old.

-Dave

Something along the below would need to be inserted into the codebase in order for someone to potentially gain administrative access:
So the actual code the compiler sees is:
As you can see, the above function will go from checking the UID and comparing it to the UIDs in the admin_uids, it will simply return True when called.

The above should be caught when running unit tests. Even without being caught via unit tests, it should be fairly clear that something is wrong because everyone would have admin access. The bigger risk is if the above was a method in a class that gets inherited by other classes that are used, and are very rarely called. If someone can get a server to call the above method, they could gain administrative access.

When someone installs a library their software depends on, it will download that library and any dependencies to that library to their local computer. So if your server uses some_library_that_depends_on_malicious_libraryA you can trivially check malicious_libraryA (and all other libraries) for invisible characters.

Skybuck, you do know there are lucrative bounties by theymos for finding a vuln in forum software (and disclosing it privately), right?

Anyways, it's time to test some of this code.

TEST 1 CODE section: OK SAFE


TEST 2 QUOTE: OK SAFE


TEST 3 JUST WEB COPY:, OK SAFE

#include
#include

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

TELETYPE: OK SAFE

#include
#include

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

SUPERSCRIPT: OK SAFE
<sup>#include
#include

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}</sup>

SUBSCRIPT: OK SAFE

<sub>#include
#include

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}</sub>

#include
#include

Table column: OK SAFE

int main() {     bool isAdmin = false;     /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */         printf("You are an admin.\n");     /* end admins only  { ⁦*/     return 0; }

TABLE: OK SAFE

#include #include int main() {     bool isAdmin = false;     /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */         printf("You are an admin.\n");     /* end admins only  { ⁦*/     return 0; }

GLOW: OK SAFE

#include
#include

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

SHADOW: OK SAFE
#include
#include

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

strikethrough: ok safe
#include
#include

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

LIST: OK SAFE

• #include
  #include
  
  int main() {
      bool isAdmin = false;
      /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
          printf("You are an admin.\n");
      /* end admins only  { ⁦*/
      return 0;
  }

right align: OK SAFE

#include
#include

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

centered: OK SAFE

#include
#include

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

preformatted text: OK SAFE

#include 
#include 

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

left align: OK SAFE

#include
#include

int main() {
    bool isAdmin = false;
    /* } ⁦if (isAdmin)⁩ ⁦ begin admins only */
        printf("You are an admin.\n");
    /* end admins only  { ⁦*/
    return 0;
}

THIS FORUM SOFTWARE IS PRETTY GOOD AND SAFE ! LOL. though that right align is a bit whack ! HAHA.

FOR NOW THIS FORUM SOFTWARE IS SKYBUCK APPROVED ! =D

Unfortunately NSA is not conspiracy theory, they have hacked about anything they can get their paws on and more ! LOL. The most funny one was hacking the POPE. He not talking to GOD, he talking to NSA.

Try to also look towards the future... how all of this can be exploited by scammers !

For bitcoin and other financial systems, swapping financial numbers comes to mind.

Come on, you know better than to label security bugs as NSA conspiracies like this.


Most ransomware are the result of companies who are running old outdated software with ancient vulnerabilities, not by some funky stuff on last year's DEFCON or Black Hat World.

I've been looking around and for the real tech people it all seems to be a big nothing.
The people who get paid to discuss things and don't understand it seem to be running around screaming "the sky is falling"
Since, as you said, it will show up in any compare check and anything that does not display unicode which many desktop compilers don't. It sounds scarier then it really is.

I would really be more concerned about a real vulnerability like this: https://blog.talosintelligence.com/2021/10/apache-vuln-threat-advisory.html

-Dave

Such attack should be detected easily using command git diff or GitHub compare features (on pull request or between different commit). Besides, even if the pull request/commit is accepted, it'll take before it's shipped as new version and there's time to detect such change.

My first unicode bug discovery:

It was actually my deep dive into a bitcoin label/text/display bug, a long time ago, that alerted me for the first time of bugs in unicode implementations (windows, bitcoin used old vunerable api, instead of api_ex)

Now that I have dig deeper into the unicode standard a lot of puss is coming out:

Examples:

"The directional formatting characters are used only to influence the display ordering of text. In all other respects they should be ignored—they have no effect on the comparison of text or on word breaks, parsing, or numeric analysis."

"When working with bidirectional text, the characters are still interpreted in logical order—only the display is affected. The display ordering of bidirectional text depends on the directional properties of the characters in the text. Note that there are important security issues connected with bidirectional text: for more information, see [UTR36]."

^ And then the bomb of bombs:

https://www.unicode.org/reports/tr36/

^Unicode Security Considerations:
(Visual Security Issues, Internationalized Domain Names,Mixed-Script Spoofing,Single-Script Spoofing,Inadequate Rendering Support,Malicious Rendering,Bidirectional Text Spoofing,Glyphs in Complex Scripts,Syntax Spoofing,Missing Glyphs,Numeric Spoofs,IDNA Ambiguity,Punycode Spoofs UTF-8 Exploits ,Ill-Formed Subsequences,Substituting for Ill-Formed Subsequences,Text Comparison (Sorting, Searching, Matching) ,Buffer Overflows,Deletion of Code Points,Illegal Input Byte Sequences)

Damn they know about it too! Well thank you for making all our systems so unsafe!

Whoever thought that something as simple as our alphabet and text was safe, will be very disappointed!
.
.
.
.

So it turns out UNICODE is full of security bugs and considerations. YIKES !

This casts big doubts on the whole UNICODE system you might as well consider it a GIGANTIC NSA conspiracy to make all of our systems WEAK and HACKABLE.

Even if it's not a conspiracy the vunerabilities are sky-rocketing leading me to write the following text for you all:
.
.
.
.
Stop or slow down digitization.

Unfortunately and with a heavy heart I have to conclude that digitization is going too fast and appears to be too vulnerable.

Also thanks to politicians who pay academics to find vulnerabilities in hardware/equipment and software/codes.

In recent years, bangers of cracks/holes/vulnerabilities have been found in hardware/devices and software/codes.

Most of which have yet to be used by criminals.

We have a lot of trouble ahead of us.

The vulnerabilities are skyrocketing. ?You also notice it in the news, yet another ransomware attack, or failure of something.

It really can't go on like this.

I advise everyone to ask for or even stop digitization to give computer programmers and hardware programmers/designers/makers the time to plug gaps.

Finally, a personal touch, please don't abolish the teletext because I think that's fantastic lol, and we might regret the disappearance of the giro collection.

Please keep some non-digital systems standing! and also simpler systems/broadcast systems such as teletext
.
.
.
.
.
For bitcoin I will make an exception, the world may need an alternative currency system vs dollar/euro etc !

So keep working on BITCOIN ! =D

Update: Concerning the digitization:

Here's a simple idea how to do that:

Every information system that is used in the Country will be put on a list.

This list must then be completed/processed/treated by "security specialists".

They then go through systems on that list looking for vulnerabilities.

These must then be resolved.

There may be 1000 systems on that list.

After that, no new system may be added in the Country until that list has been reduced to 1000 or less.

1000 is an example it can also be more or less depending on what is sensible

Greetings,
  Skybuck.

I don't get why can't someone just code a small program to strip the UTF8 format characters out of the file in the first place? Even better if this functionality was integrated in git with a setting to disable it for individual files (eg. Those in RTL languages).

Maybe come back and let us know what you think after you have actually read the document fully.


This forum needs a #facepalm emoji...

When a pull request is being reviewed, all changes to the code (including comments) are highlighted, and all changes need to be justified. If someone is asking for a comment to be added to a method when no changes are being made to the method, nor has there been any confusion about the method by the userbase, the change will probably be rejected.

If a new function or method is being introduced into a codebase, there might be a bigger risk that the new function or method does not execute as it appears.

Unit testing should also catch these types of attacks. If someone modified code in order to get it to execute in a way that is different than is intended, unit tests for the affected function should fail.

Yeah, I feel like malicious code changes similar to the proof of concepts in the paper would immediately raise some eyebrows. Not even for fear of invisible characters but because no one wants arbitrary, unhelpful comments sprinkled all over their code. Worse still, if the reviewer is aware of the existence of this kind of attack, the code and commenting style that is required to sneak unwanted logic in will immediately draw attention to itself. You might as well try your luck with an openly visible exploit that is accompanied by a comment that says "// totally not an exploit".

It is a fun attack vector but I don't think it's a very practical one, even ignoring the ease with which such an attempt can be thwarted on the compiler or editor level.