Popping shell in a hospital

•March 22, 2016 • Leave a Comment

…ok, it’s almost popping shell.

A few months ago, a family member was in the hospital for surgery. The hospital, New York Presbyterian, had courteously set up a computer for family members to use. However, it was running Windows XP, which is a no-longer-supported security nightmare.

Curious, I decided to investigate.

They’d disabled nearly everything. No “run” box, no explorer, nothing except an outdated copy of IE, and Office 2003. In the “Open” dialog, nearly every folder was empty. All modifications are dumped at logoff.

So, all the easiest ways to pop shell on this security nightmare are blocked off. They at least made some effort to secure things. It’s time to look into the wonderful rabbit hole that is Excel.

The wonderful thing about Excel is that it’s extremely flexible: Even an ancient version of Office (2003, which is what they had) can embed ActiveX controls, it can run Visual Basic, it can attach any of the Windows common controls as inputs to individual cells, and many other things.

The dangerous thing about Excel is (also) that it’s extremely flexible: Every single feature increases the attack surface, and exponentially complicates security.

In this case, the ability to embed a hyperlink is the most useful feature for me. Because of the way Windows Explorer/Windows Shell works, we can point a hyperlink at a local file, and the shell will execute the action associated with that file. If the file is an html file, Windows will open it in IE; if it’s a txt file, Windows will open it in Notepad; if it’s an exe file, Windows will execute it. I think you can see where I’m going with this.

When I attempted to “customize” the link, excel popped a version of the Common File Dialog… but all accessible folders were empty!

 

Empty My Documents folder, with path to CMD.exe manually entered.

The “My Documents” folder, like every other browsable location, is devoid of clickable items.

So they’ve clearly tried to shrink the attack surface by hiding every clickable file, which has some value.

But again, Windows Shell link/path handling features are here to help me sneak past their security.

If you type the full path to a file in the “Address” field (or, more generally, the “Name” field), and then click OK (or, “Open”/”Save”), Windows accepts the (valid) path, and closes the dialog.

Opening the link then executes cmd.exe:

"The command prompt has been disabled by your administrator."

Tada! Command prompt opened… kinda

They (thankfully) have “disabled” the command prompt, which means I can’t easily use it to do any harm. There’s probably a way around it, but I was satisfied with getting CMD.exe to execute at all, and so I went on my way.

Posted in Computing, Featured Posts

This might just be the last straw for Windows Phone

•March 18, 2016 • Leave a Comment

I’ve long been a (slightly begrudging) Windows Phone user, in spite of its many shortcomings (few apps, unfixed bugs, sluggishness, etc…). I have a Lumia 928, which isn’t yet eligible for Windows 10 mobile.

I just recorded the last few minutes of a family vacation, leaving my grandmother, and took a video of us saying goodbye. Space was low, so I was worried, but I figured that Lumia Camera – Microsoft’s supposedly special camera app – would at least save the beginning of the video. Instead, the WHOLE VIDEO DISAPPEARED.

What the hell?!? I’m tired of Microsoft’s neglect of an OS that’s full of potential, and already has a large user base.

I’ve always liked Windows Phone enough to overcome these issues. It has a bunch of little features that I really like, features that surprise me in the best of ways, and some smart design decisions, but this might just push me over the edge.

Maybe I’ll buy an Android. I hear Google makes a line of their own? Goodbye Microsoft.

Posted in Featured Posts, Generally applicable to life
Tags: , , , , ,

1984… 1993… 2016.

•February 19, 2016 • Leave a Comment

Yesterday on Bloomberg West, Nico Sell said: “I believe that Tim Cook is saving [more] lives” [than the FBI, in rejecting the court order]

Krypt3ia

apple_logo

I remember seeing the Apple commercial back in the day when it came out that depicted 1984 as the catchy advertising plot point for the Mac computer at the time. If only Woz and Jobs has known just how prophetic those images would be today. I remember too back in 1993 when the idea was floated and a governmental movement began to have a back door (aka a clipper chip) inserted into systems to allow access by the government *cough NSA cough* to be able to see the “evil doers” and stop them. I also remember the sane stopped that from happening. Well, that was then and this is now, well past 9/11 and nigh on 16 years later, we are faced with not only a government toying with the idea again but a federal body demanding through writ of law that a company break the system they have created…

View original post 703 more words

Posted in Uncategorized

Why Does Hot Water Freeze Faster Than Cold?

•December 16, 2015 • Leave a Comment

In the Dark

Many years ago I had to take a day off School to travel down to Cambridge in order to be interviewed for a place on the Natural Sciences Tripos at Magdalene College. One of the questions I was asked was the following:

If you put a bucket of hot water and a bucket of cold water outside on a freezing cold day, which would freeze first?

I think I gave the right answer, which is that it’s not obvious..

My main argument was that evaporation would increase the rate of cooling of the hot water and also mean that when it did get down to freezing point there would be less of it to freeze. I attempted to work something out based on the heat capacity of liquid water versus the latent heat of freezing, but didn’t get very far with that as I couldn’t remember any numbers. I do…

View original post 498 more words

Posted in Uncategorized

Luck Has Nothing To Do With It

•November 14, 2015 • Leave a Comment

The Honest Courtesan

Sex worker rights are human rights, and there can never be too many voices speaking up for them, nor too many occasions on which to speak.  –  “Never Too Many

many red umbrellasIt’s that day again:  Friday the 13th, the day on which I ask non-sex workers to speak up for us.  As I’ve explained many times before, there is no possible way we can ever hope to win our rights without the help of allies; since only about 0.3% of the female population are whores at any given time (about 1% over their lifetimes), we simply don’t constitute a large enough voting bloc for politicians to give a damn about us, especially at a time when the popular fad is to pretend that we’re passive victims in need of “rescue” from our own choices.  As I explained two years ago,

…the gay rights movement didn’t really…

View original post 496 more words

Posted in Uncategorized

New Excuse

•October 17, 2015 • Leave a Comment

The Honest Courtesan

The most dangerous prohibitionists…are those who oppose no particular behavior or thing, but rather the very freedom of choice itself.  –  “Thou Shalt Not

As I have pointed out many times in the past, all prohibitionism is the same:

…some object, substance or activity is depicted as intrinsically harmful regardless of context or actual outcome, a connection to children is invented if one does not exist, and the prohibitionists then argue that any abrogation of personal liberty (no matter how invasive) and any expansion of the police state (no matter how destructive, evil and counterproductive) is justified to stop the threat to Our Treasured Way of Life…

The primary tool used by prohibitionists to drum up support for their crusades is the Big Lie, a gigantic state-sponsored myth totally unsupported by facts which plays upon people’s primitive fears and tribalism to justify the criminalization of consensual…

View original post 799 more words

Posted in Uncategorized

The stillness and solitude of a New York rooftop

•June 1, 2015 • Leave a Comment

Ephemeral New York

Few artists convey the disquieting solitude of city life like Edward Hopper, as he does here in “Untitled (Rooftops)” from 1926.

Hopperuntitledrooftops

Hopper, who worked out of his studio on Washington Square until his death in 1967, was fascinated by urban scenes: “our native architecture with its hideous beauty, its fantastic roofs, pseudo-gothic, French Mansard, Colonial, mongrel or what not, with eye-searing color or delicate harmonies of faded paint, shouldering one another along interminable streets that taper off into swamps or dump heaps.”

View original post

Posted in Uncategorized

Using SAL in the SQLite API

•May 10, 2015 • Leave a Comment

I’ve just finished adding annotations to a huge portion of the SQLite API, and I see a LOT of potential. This is going to be awesome.

See the changes that I’ve made so far on GitHub: https://github.com/ariccio/SQLite-Test-SAL

I’m not a core SQLite dev, so I just hacked on the amalgamation 😊

Posted in Computing, Projects, Science/Innovation
Tags: , , , ,

Preventing bugs, and improving code quality with Microsoft SAL (Part 2, custom preconditions for structs & objects)

•April 2, 2015 • Leave a Comment

Note: At the end of part 1, I’d suggested that part 2 would be about invalid handles. This post however isn’t about invalid handles. That’ll be the next part in this series.

I very frequently come across code like this:

void dosomething( _In_ somestruct* in ) {
    //Not detected at compile time
    assert(in->some_precondition);
    }

The function, dosomething, expects/requires a specific condition. So, the author asserts it, and resolves to test every possible code path, thus verifying code correctness. When all their tests pass, they build in release mode, and the assert disappears.

Some time later, someone calls dosomething under different conditions, all of their tests pass, and they release the modified code.  Users start seeing their data mysteriously corrupt itself, and their once-reliable program is crashing in ways that nobody can reproduce. After several days worth of investigation, developers thoroughly audit the code, and spot the new (and incorrect) code path. They refactor the faulty code path, add a VERY LOUD comment to dosomething, and forget about the whole thing.

 

Some number of months later, the same thing happens. This time, a developer has a bright idea: Let’s return an error code! Whoever wrote the code without a proper check for invalid arguments is an idiot!

The function now looks like this:

 

HRESULT dosomething( _In_ somestruct* in ) {
    //Not detected at compile time
    assert(in->some_precondition);
    if ( !in->some_precondition ) {
        return E_INVALIDARG;
        }
    }

We’re better off now, or at least we think so.

Now of course, everybody has to check the return code, which means more complexity, more ways to go wrong, and more code paths to test. Since there are far too many code paths to test every single one, some end user might still get to one of the untested, and also invalid, path.

Yet a third developer comes along, and thinks: What a silly C programmer. Someone will inevitably ignore the return value and the error will go unnoticed. Even worse, because I have to check the return value every single time, I can’t compose this function, and thus it’s less practical. This is an exceptional case, so we should treat it as one.

The function now looks like this:

void dosomething( _In_ somestruct* in ) {
    //Not detected at compile time
    assert(in->some_precondition);
    if ( !in->some_precondition ) {
        throw std::invalid_argument( "Function preconditions not met!" );
        }
    }

 

We’re a little bit better off now, at least we’re pretty sure that we are.

Now, exception safety becomes an issue. We still have to test every possible code path to make sure that none of them incorrectly call dosomething. We still can’t be confident about it.

Perhaps somebody else comes along, and writes a wrapper object, thus only “allowing” correct uses of dosomething. Now everybody has to rewrite their code use that wrapper.

Complexity has increased, this function has been refactored thrice, and we still haven’t even found a way to be code-correctness-confident, at compile-time, for all the uses of dosomething.

The cycle repeats, no end in sight.

Nearly every program stops there – they choose error codes or C++ exceptions, to carefully handle bad logic WHEN it happens. Preventing them from happening, well that becomes an issue of “professionalism” and “discipline”.

 

Neither “professionalism” nor “discipline”, actually prevent the mistakes of logic, but blaming the mistake on a given individual’s moral or personal failings works nicely to…well I’m not actually sure; I have noticed it is a fairly pervasive and pathological mindset in case studies of engineering disasters (Therac-25, Toyota electronic throttle malfunctions, others). But, I digress.

 A few examples from Microsoft’s headers

One of Microsoft’s motivating factors in developing SAL, was the infamous blue screen. Drivers. particularly kernel-mode drivers, are extremely sensitive to misuse.  A failure in the kernel can mean system instability, serious security vulnerabilities, or massive data corruption. Furthermore, the kernel APIs that drivers rely on are often very complex, interacting with many components of hardware and software – and thus very hard to get right.

Continue reading ‘Preventing bugs, and improving code quality with Microsoft SAL (Part 2, custom preconditions for structs & objects)’

Posted in Computing, Featured Posts, Science/Innovation
Tags: , , , ,

A hydrogen bomb detonated against your eyeball

•March 24, 2015 • Leave a Comment

10 Minute Astronomy

…would deliver less energy to your retina than a supernova observed from a distance of one astronomical unit (AU; the distance from the Earth to the sun). How much less? From this XKCD What If:

Which of the following would be brighter, in terms of the amount of energy delivered to your retina:

A supernova, seen from as far away as the Sun is from the Earth, or

The detonation of a hydrogen bomb pressed against your eyeball?

Applying the physicist rule of thumb suggests that the supernova is brighter. And indeed, it is … by nine orders of magnitude.

That rocked me back on my heels. And it got me thinking: how far away would one have to be for a supernova to be only as bright as an h-bomb pressed against one’s eyeball?

H-Bomb

Radiated energy is subject to the inverse-square law, by which intensity of radiation…

View original post 327 more words

Posted in Uncategorized

« Previous Entries
Next Entries »
 
Shelly L. Miller

I am an environmental engineer. I teach and research urban air pollution.

evolutionistx

Lucky's Notes

Notes on math, coding, and other stuff

Guido Vranken

AbandonedNYC

Abandoned places and history in the five boroughs

The Vivid World of Psychomania

Tales of a Sinner

Open Mind

KIDS' LIVES MATTER so let's stop climate change

I learned it. I share it.

A software engineering blog by György Balássy

Untapped Cities

Kitware Inc

Delivering Innovation

Threatpost

Bit9 Blog

The Electric Chronicles: Power in Flux

If someone ever tells you that you don't need more power, walk away. You don't need that kind of negativity in your life.

Ted's Energy Tips

Practical tips for making your home more comfortable, efficient and safe

love n grace

feel happy, be happy

Recognition, Evaluation, Control

News and views from Diamond Environmental Ltd.

greg tinkers

Sharing the successes and disasters.

Sam Thursfield

Software and technology from Galicia, Spain

Always In Motion

Cranraspberry Blog

Sharing the things I love

Biosingularity

Advances in biological systems.

The Embedded Code

Designing From Scratch

Sean Heelan's Blog

Verification, Program Analysis and Security

EduResearcher

Connecting Research, Policy, and Practice in Education

Trail of Bits Blog

Popehat

A Group Complaint about Law, Liberty, and Leisure

Warners' Stellian Appliance

Home & Kitchen Appliance Blog

Bad Science Debunked

Debunking dangerous junk science found on the Internet. Non-scientist friendly!

4 gravitons

The trials and tribulations of four gravitons and a physicist

Strange Quark In London

A blog about physics, citylive and much procastination

The Lumber Room

"Consign them to dust and damp by way of preserving them"

In the Dark

A blog about the Universe, and all that surrounds it

andrea elizabeth

passionate - vibrant - ambitious

Probably Dance

I can program and like games

a totally unnecessary blog

paolo severini's waste of bandwidth

Musing Mortoray

Programming and Life

PJ Naughter's space

Musings on Native mode development on Windows using C++

Jessica's Blog

  Bartosz Milewski's Programming Cafe

Category Theory, Haskell, Concurrency, C++

Brandon's Thoughts

Thoughts on programming

Sieve

David Crocker's Verification Blog

Formal verification of C/C++ code for critical systems

10 Minute Astronomy

Stargazing for people who think they don't have time for stargazing.

One Dev Job

notes of an interactive developer

Chief Cloud Architect & DevSecOps SME, Enterprise Architect, Agile Coach, Digital Transformation Leader, Presales & Tech Evangelist, Development Manager, Agilist, Mentor, Speaker and Author

TOGAF Certified Enterprise Architect • AWS Cloud Certified Solutions Architect • Azure Cloud Certified Solutions Architect • Scrum Alliance: Certified Scrum Professional (CSP), Certified Agile Leadership I (CAL 1), CSM, ACSM • Kanban Management Professional (KMP I & KMP II), Certified Enterprise Agility Coach (CEAC) • SAFe: Certified SAFe Architect, SAFe DevOps, Release Train Engineer (RTE), SAFe Consultant (SPC) • Certified Less Practitioner (CLP), Six Sigma (Greenbelt), Training from the Back of the Room (TBR) Trainer • Certified Agile Coach & Facilitator: ICP-ACF & ICP-ACC

The Angry Technician

No, the Internet is not broken.

Kenny Kerr

Creator of C++/WinRT and the Windows crate for Rust • Engineer on the Windows team at Microsoft • Romans 1:16

IT affinity!

The Ultimate Question of Life, the Universe, and Everything is answered somewhere else. This is just about IT.

Eat/Play/Hate

The ramblings of a crazed mind

Molecular Musings

Development blog of the Molecule Engine