The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for November 23rd, 2016

Meet PoisonTap, the $5 tool that ransacks password-protected computers | Ars Technica

Posted by jpluimers on 2016/11/23

Too bad Ars Technica redirects https to http while preaching anyone should use https.

Anyway: OS device driver install and network configuration should probably be less automatic than it is now.

All the more reason to go fully https (hello LetsEncrypt, goodbye Embarcadero).

A video showing how it works is below.

The clever device emulates a USB ethernet adapter (for which virtually every operating system has default drivers), then pretends to be a DHCP server handing out an address with a netmask of thereby routing almost all network traffic over it.

It makes a tiny piece of the internet unreachable (like itself in Brisbane Australia).

More details on how it works at [WayBack] Samy Kamkar: PoisonTap – exploiting locked computers over USB.

Let's not leave this out:

Securing Against PoisonTap

Server-Side Security

If you are running a web server, securing against PoisonTap is simple:

  • Use HTTPS exclusively, at the very least for authentication and authenticated content
    • Honestly, you should use HTTPS exclusively and always redirect HTTP content to HTTPS, preventing a user being tricked into providing credentials or other PII over HTTP
  • Ensure Secure flag is enabled on cookies, preventing HTTPS cookies from leaking over HTTP
  • When loading remote Javascript resources, use the Subresource Integrity script tag attribute
  • Use HSTS to prevent HTTPS downgrade attacks

Desktop Security

  • Adding cement to your USB and Thunderbolt ports can be effective
  • Closing your browser every time you walk away from your machine can work, but is entirely impractical
  • Disabling USB ports is also effective, though also impractical
  • Locking your computer has no effect as the network and USB stacks operate while the machine is locked, however, going into an encrypted sleep mode where a key is required to decrypt memory (e.g., FileVault2 + deep sleep) solves most of the issues as your browser will no longer make requests, even if woken up
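
The server-side checklist quoted above can be verified per response. The following is an added example, not code from this post or from Samy Kamkar; the function name `audit_response`, the finding strings and the sample hosts are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

class _ScriptScan(HTMLParser):
    """Collect remote <script src> tags that carry no integrity attribute."""
    def __init__(self):
        super().__init__()
        self.missing_sri = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        # "Remote" here means an absolute or protocol-relative URL.
        if tag == "script" and re.match(r"(https?:)?//", src) and not a.get("integrity"):
            self.missing_sri.append(src)

def audit_response(scheme, headers, body):
    """Return findings for one response; headers is a list of (name, value)
    pairs so that repeated Set-Cookie headers are all inspected."""
    findings = []
    names = {k.lower(): v for k, v in headers}
    if scheme != "https":
        if not names.get("location", "").lower().startswith("https://"):
            findings.append("http: content served without redirect to HTTPS")
        return findings  # browsers ignore HSTS sent over plain HTTP
    m = re.search(r'max-age\s*=\s*"?(\d+)', names.get("strict-transport-security", ""), re.I)
    if not m or int(m.group(1)) == 0:
        findings.append("hsts: missing or max-age=0")
    for k, v in headers:
        if k.lower() == "set-cookie":
            attrs = [p.strip().lower() for p in v.split(";")[1:]]
            if "secure" not in attrs:
                findings.append("cookie without Secure: " + v.split("=", 1)[0])
    scan = _ScriptScan()
    scan.feed(body)
    findings += ["script without SRI: " + s for s in scan.missing_sri]
    return findings

# Constructed sample responses (not captured traffic); hosts are placeholders.
WEAK = ("https", [("Set-Cookie", "sid=abc123; Path=/; HttpOnly")],
        '<script src="http://cdn.example/lib.js"></script>')
GOOD = ("https",
        [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
         ("Set-Cookie", "sid=abc123; Path=/; HttpOnly; Secure")],
        '<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER" '
        'crossorigin="anonymous"></script>')

if __name__ == "__main__":
    for name, resp in (("weak", WEAK), ("good", GOOD)):
        print(name, audit_response(*resp))
```

The check only looks at whether an `integrity` attribute is present; it does not verify that the hash matches the fetched script.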


via Joe C. Hecht – Google+


Posted in Development, Hardware Development, Raspberry Pi | Leave a Comment »


Posted by jpluimers on 2016/11/23

Apple fanboys all know about 1 Infinite Loop. Turbo Pascal adepts about the index entries “infinite loop See loop, infinite” and “loop, infinite See infinite loop”.

Google has a more direct approach:


Posted in Algorithms, Apple, Borland Pascal, Design Patterns, Development, Google, Pascal, Power User, Software Development, Turbo Pascal | Leave a Comment »
