Giant WTF

it’s either real or it’s a dream, there’s nothing that is in-between

26 Apr 2021

The Security-Industrial complex is full of companies that like to play in the gray zone, selling products to shady authoritarian regimes that have histories of harassing and disappearing people they deem enemies of the state. One such company is Cellebrite, an Israeli company known for its products for collecting data off cell phones.

A simplistic description of Cellebrite’s software is that it copies the contents of files on smartphones automatically so that law enforcement and murderous tyrant dictators don’t have to manually do it themselves. Cellebrite’s product figures out what format all the different files are in and supports automatic content extraction for those file formats.

Recently, Cellebrite announced that they could now parse Signal files to extract chat data. Signal is a popular privacy-focused messaging app that is open source and is truly end-to-end encrypted. No one has a key to your conversation and no one can decrypt your messages except for the intended recipients.

Many of us, myself included, have used Signal to varying degrees for many years. Ironically, it’s also become more popular recently with the slow-to-security-awareness conservative crowd who thinks they’re being persecuted by platforms who justifiably don’t like their hate speech. Bear in mind, some of these are the same people who never realized their phones could be used to pinpoint their locations relative to the attempted coup at the Capitol. Regardless, Signal is a good product and should not be judged by the quality of some of its more recent adopters.

The point is, the ability to grab Signal chats is something Cellebrite knows that law enforcement and dictators alike would enjoy, and that it would be something to proclaim triumphantly.

It did not go unnoticed.

One of the best things about Signal is its founder and CEO, Moxie Marlinspike. Moxie Marlinspike is a man with a particular view of the world that I quite enjoy. As he puts it:

In general, I hope to contribute to a world where we value skills and relationships over careers and money, where we know better than to trust cops or politicians, and where we’re passionate about building and creating things in a self-motivated and self-directed way.

Apparently Moxie has a distaste for companies that help tyrants and murderers spy on journalists and dissidents, especially ones that poke at him and his company by announcing with great fanfare that they’ve cracked his product (which technically isn’t true).

Moxie decided to get even. And when Moxie gets even, he plans his response to the nth degree.

On April 21st, 2021, Moxie posted a blog post to the Signal website titled Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app’s perspective. It’s a doozy. It basically lays waste to Cellebrite’s software and then tears into its trustworthiness and threatens to make sure it can never be trusted again by promising to keep exploiting its vulnerabilities over time.

The way that Cellebrite is vulnerable lies in its need to read all kinds of different file formats. Because of this, it should be very careful about what it does with files it’s working with and what it allows those files to do. But it isn’t. On top of that, it uses various old, insecure libraries to do its job, which means that any app (let’s say Signal, for example) can manipulate the data that Cellebrite presents to its customers, and even install malware that makes it keep doing so in the future.

For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.

The fun doesn’t stop there. Moxie goes even further and implies that he’s going to make use of these capabilities on an ongoing basis to invalidate anything that their software tools report to their customers.

In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software. Files will only be returned for accounts that have been active installs for some time already, and only probabilistically in low percentages based on phone number sharding. We have a few different versions of files that we think are aesthetically pleasing, and will iterate through those slowly over time. There is no other significance to these files.

Moxie is essentially promising to undermine the credibility of Cellebrite’s software both immediately and into the foreseeable future. This will be impactful to Cellebrite, because Signal is going to remain a focus of interest by law enforcement and murderers alike[1], so these aesthetically pleasing files are certainly going to get a chance to … well, be aesthetically pleasing. Additionally, Moxie has given other developers who want to poke a stick in Cellebrite’s eye an idea of what can be done.

I also particularly enjoyed Moxie’s outing of Cellebrite’s probable copyright violations with respect to Apple software:

It seems unlikely to us that Apple has granted Cellebrite a license to redistribute and incorporate Apple DLLs in its own product, so this might present a legal risk for Cellebrite and its users.

You can read more about the implications of Moxie’s research on Motherboard[2] and Ars Technica.

I am on Twitter if you want to talk about anything I’ve posted here or to block me when I tell you I like the rain in Portland.

You can find my thoughts on tech and other projects on my personal site at scottwillsey.com


  1. Notice how I pretended those aren’t sometimes the same people? 😂

  2. If Lorenzo Franceschi-Bicchierai doesn’t have the most amazing sounding name in journalism, I don’t know who does.


01 Apr 2021

It’s always intriguing when someone gets caught with their pants down and then tries their hardest to convince you that the pants are just drooping a tiny bit and they’re still well-covered. It insults everyone’s intelligence and ensures that, whatever you thought of them before, now you’ve got SERIOUS doubts about them.

Well, Ubiquiti’s pants are down, exposing not only their own rear-ends, but also those of their many customers.

At first Ubiquiti tried the droopy jeans act, then reverted to lawyer-speak after being called on their intentional misrepresentations by a whistleblower. The whistleblower appears to be someone on the incident response team who wasn’t at all impressed with the way Ubiquiti tried to downplay both the severity of the breach and the matter of who was responsible.

There’s a lot to question about statements like “we have no evidence that customer information was accessed, or even targeted”. If you don’t rigorously log what accounts access what data, you can honestly state that you have no evidence of it being accessed, even if it was. That, according to the whistleblower, is the situation with Ubiquiti with regards to this data breach. They can claim ignorance of data access because they are in fact completely ignorant about what was actually accessed.

Furthermore, Ubiquiti also understated the damaging nature of this data breach. The data accessible to the Ubiquiti hackers apparently would allow them to log into and access Ubiquiti devices owned and operated by customers of Ubiquiti – in other words, customer networks. This isn’t just about some usernames and passwords that only affect a Ubiquiti website. This is a vulnerability that exposed networks belonging to a variety of organizations all around the globe.

I couldn’t help but notice Ubiquiti’s claim that the hacker was apparently someone very familiar with their cloud infrastructure. But their cloud infrastructure is AWS. That means that description probably easily fits tens of thousands of people, if not hundreds of thousands. The statement is designed to make it sound like their data wasn’t really as easily exploitable as it was, but AWS isn’t exactly an unknown entity in the world of computers.

Unless you can catch a hacker or group of hackers in the act, poking around on your network and visibly changing things, reconstructing what happened is usually a matter of digging through lots and lots of log files. This means that first you have to log things like network access, file access, modifications to files, file transfers, etc., and then you have to make sure your logs can’t be deleted or edited easily by the hackers. That’s more easily said than done when they’re already tromping around your filesystem.

In the case of Ubiquiti, the hackers got credentials to their database servers hosted on AWS, and then set up some Linux boxes that connected to the databases. That could have been easily detectable if Ubiquiti was logging adequately and had automated log checking for unusual activity (like new IP addresses suddenly accessing the database).
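As an added illustration of the “new IP addresses suddenly accessing the database” check described above (this is example code written for this post, not anything from Ubiquiti or AWS), the script below parses constructed database connection log lines in a PostgreSQL-like format, builds a baseline of which source addresses each database user normally connects from, and then raises an alert the first time a user connects from an address outside that baseline. The log format, the user names, the addresses and the cut-off date are all assumptions made up for the example.

```python
"""Flag database connections from source addresses never seen before.

Hypothetical example, not Ubiquiti's or any vendor's tooling. Assumes
connection log lines in a PostgreSQL-like format (constructed below):
    <YYYY-MM-DD HH:MM:SS> LOG:  connection authorized: user=<u> database=<db> host=<ip>
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: two app servers (10.0.1.x) and one admin host
# (10.0.5.2) are the normal sources. On 2021-03-03 an unknown address from
# the TEST-NET-3 documentation range (203.0.113.45) starts connecting.
SAMPLE_LOG = """\
2021-03-01 02:00:01 LOG:  connection authorized: user=app_ro database=accounts host=10.0.1.10
2021-03-01 02:00:02 LOG:  connection authorized: user=app_ro database=accounts host=10.0.1.11
2021-03-02 02:00:01 LOG:  connection authorized: user=app_ro database=accounts host=10.0.1.10
2021-03-02 14:12:09 LOG:  connection authorized: user=dba database=accounts host=10.0.5.2
2021-03-03 03:41:55 LOG:  connection authorized: user=app_ro database=accounts host=10.0.1.11
2021-03-03 03:42:10 LOG:  connection authorized: user=app_ro database=accounts host=203.0.113.45
2021-03-03 03:50:00 LOG:  connection authorized: user=dba database=accounts host=203.0.113.45
2021-03-03 04:00:00 LOG:  connection authorized: user=app_ro database=accounts host=203.0.113.45
2021-03-03 04:01:00 garbage line that does not parse
"""

# Everything before this point is treated as the "known good" history
# (assumed cut-off for the example).
BASELINE_END = datetime(2021, 3, 3, 0, 0, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) LOG:\s+connection authorized: "
    r"user=(?P<user>\S+) database=(?P<db>\S+) host=(?P<ip>[0-9a-fA-F.:]+)$"
)


def parse(line):
    """Turn one log line into a dict, or None if it is not a connection line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "user": m["user"],
        "db": m["db"],
        "ip": m["ip"],
    }


def build_baseline(events, until):
    """Map each database user to the set of source IPs seen before `until`."""
    known = defaultdict(set)
    for e in events:
        if e["ts"] < until:
            known[e["user"]].add(e["ip"])
    return known


def find_new_sources(lines, baseline_end):
    """Return (timestamp, user, ip) for each user/IP pair first seen after the baseline.

    A pair is reported once; later connections from the same pair are not
    repeated, so a burst from one new address produces a single alert.
    """
    events = [e for e in (parse(line) for line in lines) if e]
    known = build_baseline(events, baseline_end)
    alerts = []
    for e in events:
        if e["ts"] < baseline_end:
            continue
        if e["ip"] not in known[e["user"]]:
            alerts.append((e["ts"], e["user"], e["ip"]))
            known[e["user"]].add(e["ip"])  # alert once per new (user, ip) pair
    return alerts


if __name__ == "__main__":
    for ts, user, ip in find_new_sources(SAMPLE_LOG.splitlines(), BASELINE_END):
        print(f"{ts:%Y-%m-%d %H:%M:%S} ALERT user={user} first seen from host={ip}")
```

Run against the constructed log, this reports exactly two alerts, one each for `app_ro` and `dba` from 203.0.113.45, and ignores the unparseable line. The check only works if the connection log exists in the first place and is shipped somewhere the database host cannot overwrite it, which is the point the post makes about logging and log integrity.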

It’s really bad when anyone makes rookie mistakes like not logging anything, so that they can’t even assess the damage accurately once they are hacked, but a company like Ubiquiti, which is in the business of selling networking solutions that it holds remote access credentials to, needs to take security very seriously. Both their lack of network security measures and their inadequate response with regards to their customers show that Ubiquiti did not do so at all.



22 Mar 2021

When I started this site, then called WTF Weekly, with a corresponding domain name, the goal was to highlight items of interest that I came across on a variety of topics, and to do so at least once per week.

I quickly found that I would never stick to the weekly schedule, because too many of my other priorities were higher on my internal must-do ranking scale. So I recently ditched the old name and came up with Giant WTF and the giant.wtf domain name.

And still I fail.

I think the way to keep me motivated to writing on this site and actually making it compelling is to pivot once again. It’s actually less of a pivot and more of a narrowing of the current scope. A filtering, if you will.

Starting with the very next thing that I publish to Giant WTF, I am only going to write about computer security related issues here. I am not a security expert, but I do know the general principles pretty well, and it’s a topic that I am fascinated by.

What it means is that you can expect to see both security related news (and some deeper dives into specific incidents) and fascinating truisms of security – information that can help raise people’s awareness of how their devices work.

So let’s all yell out a giant “WTF!” at the prospect of yet another change of direction for this site, and then get on with the work of embracing change.



01 Feb 2021

I was going to write about the insurrection at the Capitol where ignorant angry white entitled men heeded their ignorant and unintelligent leader’s voice to perform acts of treason in attempting to overturn a fair election and subvert democracy.

I waited too long. And I’m glad that I did.

Because then Amanda Gorman opened our eyes from our long national nightmare with her voice, and now I don’t want to revisit the insurrection and the fools who partook in it ever again.

She is amazing. She is a human of a quality that no QAnon follower, insurrectionist, separatist, white supremacist could dream of being. We need more like her in this country.

The people we’ve been ignoring for four years are the real patriots.

Bless them for nurturing their goodness and their souls and their humanity, keeping them intact and alive for a reawakening of our collective intellectual senses.

The people we’ve been magnifying for four years are the real traitors.

Damn them and theirs to misery and torment for what they’ve wrought and the evil they intended.

The funny thing about every day since Joe Biden’s inauguration is that it seems so MUNDANE. It’s funny how tame things can feel when grownups are doing grownup things in grownup ways. What I’m saying is, if Biden does nothing else other than allow extremely competent administrative types to do their jobs, it’ll be a one billion percent improvement over the last four years of hellhole government brought to you by awful people who just sincerely want others to fail so they can feel like they’ve succeeded.

And not insignificantly, as noted by Laura Bassett on Twitter:

Of course, not all is kittens and ice cream just because we ousted the orange Oompa Loompa. A much larger than desirable percentage of Americans still believe the election was stolen and are invested in some or all of the right’s conspiracy theories. Some of them are even teaching these things to kids in our schools.

In his book Fall: Or, Dodge in Hell, Neal Stephenson goes off on a bit of a tangent (in terms of the overall storyline) about the division of America into the recognizable (the coastal regions) and the less recognizable (the de-evolution of the flyover states into a region known as Ameristan).

The idea that the U.S. could fracture into separate nation states based on ideologies seems more plausible than any other time in recent history. The only problem is that Ameristan is already here, it just can’t be extracted neatly in geographic terms the way Stephenson portrays it. The crazies are all amongst us, coiled around our feet like the physics-defying serpent on their beloved Gadsden flag (those poor oppressed souls).



13 Jan 2021

WTF Weekly is now Giant WTF. First of all, life is a giant WTF at the moment, and also me pretending my posting frequency belongs in the same universe as the word “weekly” was getting embarrassing.

Giant WTF will be aimed at more focused posts on one topic. This might result in fewer posts[1] or more frequent posts, but either way, it’ll require more thought on my part and more clickety-clacking and practicing choosing verbs and adjectives and things. The words, they hard.

I wouldn’t be me if I didn’t hand you my first future broken promise: I’ll be back very soon, because I’ve already started writing about the first major WTF of 2021, and you already know what that is.



  1. Hard to imagine that’s possible though.