titaniumbunker.com

Evil geniuses and world domination are 2 of our goals... we also like Dr Who

Talked at #OggCamp


This afternoon Dave gave his talk at #OggCamp – you can find his talk here – and a video will be uploaded as soon as we can get it rendered.

Attachment: Snail Tales Final Project, snail tales final project- (1).pptx (2.2 MiB)

Off to OggCamp on Friday


Dave and I are off to Liverpool over the weekend to attend OggCamp.  This year Dave is speaking about his Snail Tales project development.  I’m looking forward to it. I’m also looking forward to the Unconference aspect of the weekend – for me this has always been the biggest draw rather than the scheduled track.

I hate to say I told you so… but….


Well – like the title says: I hate to say I told you so, but I did so tell you so. Way back in the Volkswagen problems post, I suggested that the ground work was probably under way to attempt to divert the responsibility for the software issue away from the board, and towards software engineers.

Artur’s first point about software group size could – if I were more cynical – be an attempt to create a narrative around this. Something along the lines of “It was a few rogue programmers that released this code”.

Michael Horn, Volkswagen’s US boss, said to US Congress:

My understanding is that it was a couple of software engineers who put these in

I’m really concerned with Volkswagen – with the quality of their processes. According to Michael Horn, 3 people were able to get software onto millions of cars worldwide with no quality or compliance checks? 3 people?

The assertion that the board had no knowledge of this seems to suggest that the board had no idea of what was going on in their own company – so are they actually admitting that the board was incompetent?  This seems like deflection – particularly if the reports from CNBC that the board were informed in 2007 and 2011 by Bosch, and their own technicians are to be believed.

A worst-case scenario for Volkswagen would be a steady drip of new revelations. And, indeed, new reports published by several German newspapers, including the weekend Frankfurter Allgemeine Sonntagszeitung, indicate the Volkswagen AG supervisory board was warned of the diesel cheating scam by both a key supplier and some of the company’s own engineers.

A letter dated 2007 shows that the automotive mega-supplier Bosch pointed to illegal modifications to its control software, the reports said.

And VW’s own technicians flagged the issue for the automaker’s board in 2011, they said.

I also think that it’s troubling that the potential fix for this is the installation of a urea treatment tank (on certain models). So I think the decision was made based on a manufacturing hardware decision – it’s certainly cheaper to manufacture the same car for European and US markets – and to get it through the tests a software patch was needed. The decision will therefore be blamed on the last person involved – which will be the software department, rather than the originator of this scheme.

I think the point I’m trying to make here is that there is more than software at fault – so with that in mind I’m going to suggest that Volkswagen start moving away from cars, and instead work on public transport infrastructure. Here’s a Bus design idea that I really think Volkswagen should attempt to implement.

Suggestion for the new Volkswagen Bus

At least there wouldn’t be the amount of carnage that I suspect there will be when Volkswagen start throwing people under the bus.

Electoral Reform Services feedback form


I received a letter from my local council regarding the electoral register, saying that I needed to refresh my information. So I visited their website and entered the super secret codes from the letter to obtain access to my records. I must say the process seemed straightforward enough – until I reached the feedback section.

Now I hadn’t noticed until the feedback form, but the query string contained quite a lot of information. I had a quick play with the feedback form, and sent the following communication to the technical department at (I assume) Electoral Reform Services Ltd. Here’s what I sent them – I’ve censored some of the data within this communication. For reference, code1/code2 are the security codes from my letter.

I was just looking around the feedback form (I just completed my form on-line) – Have you guys seen how much data is sloshing around in the query string? Here’s the address of this page :

https://registerbyinternet.com/Home/Feedback?authorityId=xxx&
LanguageId=1&PropertyId=xxxxx&
Address=xx%20Xxxxxxx%20Xxxxxx%20%2CXxxxxxx%20Xxxxx%20%2CXxx%20xXX&
code1=ZZZZZZ&
code2=ZZZZZZZZ&
OnlineRespondentId=xxxxxx&
OnlineRespondentName=Michael%20Anthony%20Hingley&
ClientName=Xxxxxxxx%20Xxxxxxxxxxxx%20Xxxxxxx%20Xxxxxxx

What’s interesting is that this query string data is just slapped into the fields, meaning that if you change the URL, you can effectively send a feedback about a different authority, or person, or address or indeed anything. Why not store this stuff in session, where I can’t access it?

Potential implication: Spam messages sent to every council about every property from a fake name. Once feedback is sent, it cannot be resent – this would be a denial of service for all legitimate users.

Potential implication: XSS – These values are posted into the page into fields. It should be possible to strip out anything that looks like JS, and hopefully you’ve done that. I’m too scared to try it.

Cheers

Mike Hingley

It’s possible that this information was floating around all the time on my query string but I never saw it.
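To make the two points in the email concrete (identity taken from the query string can be tampered with; values echoed into the page must be escaped), here is an added, standalone Python sketch of the pattern described and of the hardened form suggested in the email. It is not code from the original post or from the registerbyinternet.com site; the URL, the session contents and the function names are constructed for illustration.

```python
from html import escape
from urllib.parse import urlsplit, parse_qs

# Constructed example URL, shaped like the censored one in the post.
EXAMPLE_URL = ("https://registerbyinternet.com/Home/Feedback?authorityId=xxx&LanguageId=1"
               "&PropertyId=xxxxx&code1=ZZZZZZ&code2=ZZZZZZZZ&OnlineRespondentId=xxxxxx"
               "&OnlineRespondentName=Michael%20Anthony%20Hingley")

# Fields that identify the authority, property or respondent. These must come from
# server-side state established when the letter codes were verified, never from the URL.
IDENTITY_FIELDS = {"authorityId", "PropertyId", "Address", "code1", "code2",
                   "OnlineRespondentId", "OnlineRespondentName", "ClientName"}


def query_params(url: str) -> dict:
    """Flatten the query string into a {name: first_value} dict (percent-decoded)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def prefill_unsafe(url: str) -> dict:
    """The pattern the email describes: whatever is in the URL lands in the form,
    so editing the URL changes which authority, property or person the feedback is about."""
    return query_params(url)


def prefill_safe(url: str, session: dict) -> dict:
    """Hardened form: identity fields are copied from the server-side session only.
    The URL may supply harmless presentation parameters (here just LanguageId);
    any identity field present in the URL is ignored rather than trusted."""
    q = query_params(url)
    from_session = {k: session[k] for k in IDENTITY_FIELDS if k in session}
    from_query = {"LanguageId": q.get("LanguageId", "1")}
    return {**from_session, **from_query}


def render_hidden(name: str, value: str) -> str:
    """HTML-escape a value before echoing it into markup, whatever its origin,
    so a script tag in a parameter is rendered as text rather than executed."""
    return f'<input type="hidden" name="{escape(name)}" value="{escape(value)}">'
```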
