Tag Archive: chilliwack iphone unlock


Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping

Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library.

The bug in the GnuTLS library makes it trivial for attackers to bypass the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protections of any website or client that depends on the open source package. Initial estimates in Internet discussions indicate that more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations, but it wouldn’t be surprising if the actual number is much higher. Web applications, e-mail programs, and other code that use the library are vulnerable to exploits that allow an attacker positioned between the two ends of a connection to impersonate the server, terminate the encrypted session and silently read the traffic passing between end users and servers. A purely passive eavesdropper cannot exploit the flaw; the attacker has to be in a position to present a certificate of their own.

The bug is the result of commands in a section of the GnuTLS code that verifies the authenticity of TLS certificates, which are formally known as X.509 certificates. The coding error, which may have been present in the code since 2005, causes the verification routine to stop early on certain internal errors while still handing its caller a value that is read as a successful check, drawing ironic parallels to the extremely critical “goto fail” flaw that for months put users of Apple’s iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug.

“It was discovered that GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification,” an advisory issued by Red Hat warned. “An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker.”

GnuTLS developers published a bare-bones advisory that urges all users to upgrade to version 3.2.12. The flaw, formally indexed as CVE-2014-0092, is described by a GnuTLS developer as “an important (and at the same time embarrassing) bug discovered during an audit for Red Hat.” Debian has published its own advisory. Note that distributions generally backport the fix into the GnuTLS branch they already ship rather than moving to 3.2.12, so the version string of a distribution package is not a reliable indicator; check the distribution’s advisory for the patched package version instead.

As was the case with last week’s critical encryption bug from Apple, the GnuTLS vulnerability is the result of someone making mistakes in source code that controls critical functions of the program. This time, instead of a single misplaced “goto fail” command, the mistakes involve several “goto cleanup” calls in the certificate verification code. When an internal error occurs (for example, while decoding a field of the certificate being examined), the code jumps to a cleanup label and returns the negative error code it is holding, and callers that test the answer as a simple true/false value read that non-zero return as “check passed.” The verification routine therefore stops short of the checks it was supposed to complete, and the library goes on to establish the TLS connection as if the other side had presented a valid X.509 certificate signed by a trusted source. Attackers can exploit the error by presenting vulnerable systems with a crafted certificate that triggers such an error path and is never rejected, despite its failure to pass routine security checks. The failure may allow attackers using a self-signed certificate to pose as the cryptographically authenticated operator of a vulnerable website and to read protected communications. It’s significant that no one managed to notice such glaring errors, particularly since they were contained in code that anyone can review.
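The control-flow mistake described above, reduced to a self-contained C example. This is an added illustration written for this page, not GnuTLS source: the toy_cert structure, the function names, the error code and the three sample issuers are all hypothetical, constructed stand-ins for the real certificate parsing. What it shows is how an error path that jumps to a shared cleanup label with a negative error code still in the result variable turns into a “yes” for a caller that only checks for zero, and how forcing the result to 0 on the error path closes the hole.

```c
#include <stdio.h>

/* Hypothetical error code standing in for a DER decoding failure
 * (not a real GnuTLS constant). */
#define ERR_ASN1_DER_ERROR (-1)

/* Toy stand-in for a parsed certificate: constructed sample input,
 * not a real X.509 structure. */
struct toy_cert {
    const char *subject;
    int is_ca;        /* basicConstraints CA flag */
    int parse_error;  /* non-zero simulates a decoding error while reading it */
};

/* Pre-fix pattern: an internal error jumps straight to the shared cleanup
 * label, so the negative error code sitting in 'result' is what the caller
 * receives. The function is meant to answer "is this issuer a CA?" with 1 or 0. */
int check_if_ca_vulnerable(const struct toy_cert *issuer)
{
    int result;

    if (issuer->parse_error) {
        result = ERR_ASN1_DER_ERROR;
        goto cleanup;               /* bug: leaves result negative */
    }
    result = issuer->is_ca ? 1 : 0;

cleanup:
    /* buffers would be released here */
    return result;
}

/* Fixed pattern: error paths go through a 'fail' label that forces the
 * boolean answer to 0 ("not a CA") before falling into the same cleanup. */
int check_if_ca_fixed(const struct toy_cert *issuer)
{
    int result;

    if (issuer->parse_error) {
        result = ERR_ASN1_DER_ERROR;
        goto fail;
    }
    result = issuer->is_ca ? 1 : 0;
    goto cleanup;

fail:
    result = 0;
cleanup:
    return result;
}

/* Caller written the way a true/false test of the answer behaves: anything
 * other than 0 counts as "issuer is a CA". Returns 1 if the chain is
 * accepted and 0 if it is rejected. */
int verify_chain(const struct toy_cert *issuer,
                 int (*check_if_ca)(const struct toy_cert *))
{
    if (check_if_ca(issuer) == 0)
        return 0;   /* rejected: issuer is not a CA */
    return 1;       /* accepted */
}

/* Constructed sample issuers. */
const struct toy_cert HONEST_CA  = { "Example Root CA", 1, 0 };
const struct toy_cert NOT_A_CA   = { "Leaf used as issuer", 0, 0 };
/* A self-signed certificate crafted so that parsing it hits the error
 * path: it is not a CA, but the vulnerable check never says so. */
const struct toy_cert CRAFTED_CA = { "attacker self-signed", 0, 1 };

int main(void)
{
    printf("crafted issuer, vulnerable check: %s\n",
           verify_chain(&CRAFTED_CA, check_if_ca_vulnerable) ? "ACCEPTED" : "rejected");
    printf("crafted issuer, fixed check:      %s\n",
           verify_chain(&CRAFTED_CA, check_if_ca_fixed) ? "ACCEPTED" : "rejected");
    return 0;
}
```

The upstream correction takes the same shape: the error paths in the verification code were redirected to a label that resets the result before the shared cleanup, so an internal error can no longer be mistaken for a positive answer. The general lesson is that a function whose callers treat its return as a boolean must never let an error-code value escape through the same return path.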

Security researchers are still studying the vulnerability and assessing its effect on the wide array of OSes and applications that depend on GnuTLS. For the moment, readers should assume that the severity is critical given the dizzying amount of downstream code that may be affected. One example: the apt-get installer some distributions of Linux use to distribute and update applications relies on GnuTLS, although exploits against the package would probably be caught by apt’s separate GPG signature check on the repository metadata, so a forged HTTPS certificate alone does not let an attacker slip in a modified package (thanks to readers for pointing out this secondary level of protection). The libcurl3-gnutls build of libcurl, which is distributed in Debian and Ubuntu, also depends on GnuTLS. Some Debian- and Ubuntu-based virtual private networking applications that work with Cisco Systems hardware are also affected. This list goes on and on. Running ldd against a binary, or apt-cache rdepends against the libgnutls package on a Debian-based system, is a quick way to see which programs on a given machine actually load the library.

Source: Ars Technica

Is Aliyun OS really Linux? Android? A rip-off of both?

When Acer was ready to announce a new smartphone running Alibaba’s Aliyun operating system, Google responded with force: if the phone were released, Google would end its partnership with Acer, which uses Android for 90 percent of its smartphones.

Acer swiftly cancelled the release, but clearly Acer wasn’t happy about the state of affairs. Alibaba, China’s largest e-commerce company, was even less happy.

Alibaba says it wants Aliyun OS to be the “Android of China,” claiming that it has spent years working on its Linux-based mobile operating system.

Google didn’t see it that way. Google thinks Alibaba is an Android rip-off.

In Google’s Android Official Blog, Andy Rubin, Google’s senior vice president of mobile and digital content said:

“We built Android to be an open source mobile platform freely available to anyone wishing to use it. In 2008, Android was released under the Apache open source license and we continue to develop and innovate the platform under the same open source license — it is available to everyone at: http://source.android.com. This openness allows device manufacturers to customize Android and enable new user experiences, driving innovation and consumer choice.”

But: “While Android remains free for anyone to use as they would like, only Android compatible devices benefit from the full Android ecosystem. By joining the Open Handset Alliance (OHA), each member contributes to and builds one Android platform — not a bunch of incompatible versions.”

Android is a mobile operating system built on a branch of the Linux kernel. While there have been disagreements between the two groups of developers, Android and mainstream Linux buried the hatchet in March 2012, when Android’s kernel changes began to be merged back into the main Linux tree.

So, from where Google sits, Aliyun OS is an incompatible Android fork. John Spelich, Alibaba vice president of international corporate affairs, replied oddly: “[Google] have no idea and are just speculating. Aliyun is different.”

How can Google have no idea about what Aliyun is if it is indeed, as Alibaba claims, a Linux fork? Linux is licensed under the GNU General Public License, version 2 (GPLv2). Part of that license requires that whoever distributes a GPLv2 program in binary form must make the corresponding source code available to the people who receive it. Thus, perhaps Google doesn’t have any idea because, as Spelich indicated and as far as I’ve been able to find, Aliyun’s source code is not available anywhere. If indeed the source code isn’t open and freely available, even if Aliyun has no Android connection, this would still make it a Linux fork distributed in violation of the kernel’s license.

Spelich went on to claim that Aliyun is “not a fork,” adding: “Ours is built on open-source Linux.” In addition, Aliyun runs “our own applications. It’s designed to run cloud apps designed in our own ecosystem. It can run some but not all Android apps.”

Rubin, in a Google+ post, replied, “We agree that the Aliyun OS is not part of the Android ecosystem and you’re under no requirement to be compatible.”

“However, ” he continued, “[t]he fact is, Aliyun uses the Android runtime, framework and tools. And your app store contains Android apps (including pirated Google apps). So there’s really no disputing that Aliyun is based on the Android platform and takes advantage of all the hard work that’s gone into that platform by the OHA.”

Hands-on research by Android Police, a publication dedicated to Android reporting and analysis, shows that the Aliyun app store includes pirated Google apps.

Android Police found that, “Aliyun’s app store appeared to be distributing Android apps scraped from the Play Store and other websites, not only downloadable to Aliyun devices as .apk files, but also provided by third parties not involved with the apps’ or games’ development. What’s more, we’ve received independent confirmation from the original developers of some of these apps that they did not in fact give consent for their products to be distributed in Aliyun’s app store.”

Not the least of the evidence is that the Aliyun store includes Google’s own Android applications, such as Google Translate, Google Sky Map, Google Drive, and Google Play Books. The odds of Google having given Aliyun permission to use its own applications are somewhere between zero and none.

What we seem to have in Aliyun is an Android and Linux fork that does not honour the licenses it is built on, and which supports a pirated software ecosystem. I only wonder that Google didn’t come down even harder on Acer, and I really wonder how much due diligence, if any, Acer did before signing a deal with Alibaba.

Source: ZDNet