The Null Device

2006/6/9

According to this article, there are two ways to compromise computer security by plugging an untrusted USB/FireWire device into a computer.

The first one's the obvious one: somehow convince a user to plug a USB flash drive or similar into their Windows PC, without disabling autostarting. The PC will automatically run whatever program the AUTORUN.INF file on the flash drive tells it to, and this can then do whatever it likes to the PC. Of course, this won't work if the user holds down SHIFT, disables auto-starting or uses a machine with a less-brain-damaged operating system.
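An added example, not from the original post or the linked article: a small Python check that lists the commands an AUTORUN.INF asks Windows to launch, which is what a defender would want to see before trusting a removable drive. The function name `autorun_commands` and the sample file contents are constructed for illustration.

```python
import re

# Keys in the [autorun] section that name something the shell will execute:
# open=, shellexecute=, and shell\<verb>\command=.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)


def autorun_commands(text):
    """Return (key, command) pairs that an AUTORUN.INF asks the shell to run."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()   # section names are case-insensitive
            continue
        if section != "autorun" or "=" not in line:
            continue                               # only [autorun] entries matter
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if EXEC_KEYS.match(key) and value:
            findings.append((key.lower(), value))
    return findings


# Constructed sample: a harmless-looking label and icon plus two launch entries.
SAMPLE = """\
; constructed sample, not taken from a real device
[AutoRun]
Label=Holiday Photos
Icon=folder.ico
OPEN = tools\\setup.exe /quiet
shell\\explore\\command=tools\\setup.exe
shell\\explore=Open folder

[Content]
open=ignored.exe
"""

if __name__ == "__main__":
    for key, command in autorun_commands(SAMPLE):
        print(f"{key} -> {command}")
```

Entries such as `label` and `icon` are ignored because they change only how the drive is displayed, not what is executed.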

The second method is more intriguing. To allow fast data transfers along USB and FireWire buses, such buses implement direct memory access (DMA). What this means is that anything plugged into them can access (or modify) anything mapped into the machine's memory space at the hardware level, bypassing the operating system altogether. Of course, it requires more work (the device has to be an actual programmable computer, and not just a flash drive), but once that hurdle is crossed, the possibilities, as they say, are endless:

Recently a number of computer security researchers realized the tremendous potential of using DMA over FireWire or USB as an attack vector. At the CanSec West '05 conference, Michael Becher, Maximillian Dornseif and Christian N. Klein demonstrated an exploit that used DMA to read arbitrary memory locations of a FireWire-enabled system. The exploit was based on an iPod running Linux. For example, they could plug their customized iPod into a victim computer and grab a copy of that computer's screen--not just without the computer's permission, but even without its knowledge!

The article goes on to mention that this attack has not been demonstrated on USB devices, only with FireWire. If it works with USB, it could be interesting. I imagine that sooner or later, they'll start making USB chipsets which take steps to filter DMA requests.

Aside: I wonder whether it'd be possible to use such an approach on, say, a PlayStation 2 (which has two USB ports on the front, sitting rather uselessly), or indeed any other notionally tamperproof computer-based device with USB/FireWire ports. If one could access arbitrary memory inside such a device, one could get up to all sorts of mischief.

(via Schneier)

The Age looks at the Australian government's push to prevent official recognition of homosexual relationships, interviewing various prominent gay public figures, including Kerryn Phelps, Bob Brown and small-L-liberal columnist Margo Kingston, whose columns have been taking up the "anvil" side of the culture war for years:

Margo Kingston, a self-confessed Howard hater, argues it is a piece of executive arrogance. "Caesar Howard," she says. "Yes, it's a sensitive issue; yes, there are people of many opinions, but this is absolutely gutless and indefensible. The basic 'liberal' position is that whatever you do in your bedroom is private," says Kingston.

Therein lies the rub. Kingston makes the mistake of assuming that Australia is a liberal society. Australia, as envisioned and reengineered by the Howard government, leans significantly more towards majoritarianism than libertarianism than most "liberal" societies (think Britain, Canada, the US blue states, and the northwest of Europe). The key distinction is that in libertarianism (not to be confused with Libertarianism, of the guns-and-Ayn-Rand stripe, but I digress), what individuals say or do privately is their own business. Under majoritarianism, there is one set of community/national values, in areas such as propriety, culture and sexual morality, and deviation from those values is seen as inherently corrosive and harmful and thus officially disapproved of and disincentivised. The majority of Australians are heterosexuals, hence tax breaks for having children, subsidised by higher taxes paid by non-breeders (both gay and straight) and official non-recognition of non-heterosexual lifestyles, making noises about "moral values" to pander to the reactionary heartland (and build up a US-style evangelical powerbase) whilst stopping short of outright persecution (as per Peter Costello's statement that gays in Australia are lucky because homosexuality is not a crime).


As football mania sweeps England and one scarcely sees a white van or large shaven-headed geezer without a dozen St. George's flags, England's neighbours are reacting to the conflagration of jingoism in different ways. In North Wales, the heartland of Welsh nationalism, a police chief has warned England fans to avoid flying the flag for fear of antagonising Welsh fans. Meanwhile, up in Scotland (a nation which usually supports whoever's playing against England; it's not uncommon to see Scots declaring themselves as honorary Bosnians or Ghanaians or whatever for the duration of a football match), schoolchildren who say bad things about the sassenach will be excluded from classrooms.


In a bid to show that they're not just for left-coast liberals and get more of a following in the US "red states", the Church of Scientology is sponsoring its own NASCAR racing team:

The venture will be called the Dianetics Racing Team - the name is based on the belief system drawn up by the late L Ron Hubbard, Scientology's founder, during the 1950s.


Looks like there's another WiFi-based, standalone cordless Skype phone coming out; unlike the Netgear and Belkin offerings, this one will hedge its bets and speak both Skype and SIP. It also does text messaging, which the Netgear phone may or may not do.

The PDF files on the manufacturer's web site say that the phones are firmware upgradeable through a USB serial console. I wonder whether they run something standard like Linux, and if so, how hackable they are. It would be rather cool if it were possible to add third-party extensions to the interface (for example, a version of Gaim, or even the promised Linux port of Google Talk).

(via Gizmodo)

What happens when a company known for its ethical principles and alternative business culture is taken over by a multinational corporation? The outcomes vary; in many cases, the "funky"/ethical brand becomes merely a fig leaf over the parent's more conventional business practices:

Body Shop has just become part of the French cosmetics giant L'Oréal; Tom's of Maine fell to Colgate-Palmolive last month; Wales-based Rachel's Organic is a subsidiary of the American conglomerate Dean Foods, which has come under fire in the US over its industrial-scale organic dairies and factory-farm milk production. Pret A Manger is one-third owned by McDonald's; Ben & Jerry's has been under Unilever's ownership for six years and Green & Black's belongs to Cadbury-Schweppes, the world's biggest confectionery company.

At Ben & Jerry's in the US, the relationship with Unilever remains an uneasy one. Ben & Jerry's most recent social audit highlighted a "disappointing" lack of social initiatives at the company and poor morale among employees. It questioned whether the company was "simply a Unilever marketing operation using the brand's reputation for social responsibility to promote sales."

Ethical Consumer magazine runs an online shoppers guide, at www.ethiscore.org, which rates companies and their products on their ethical credentials. Body Shop's rating has plunged from 11 out of 20 to just 2.5 since the L'Oréal deal and the magazine has urged a boycott of its products in protest not only at the French cosmetics group's ownership, but also its links with Nestlé, which owns 26% of L'Oréal. Nestlé has faced boycott campaigns over issues from animal testing to the marketing of baby milk substitutes.

This gloomy scenario, however, is not always the case; occasionally, a parent manages to keep its hands off a smaller unit and its culture, and the subsidiary continues on as before, only with the benefit of the parent's resources:

Like most of the niche businesses bought by multinationals, Green & Black's is run as an entirely separate operation within the Cadbury empire. "It's a case of how they can help us, not telling us what to do," Mr Palmer says.

He adds: "You can be fiercely independent and not have any funds to grow. But does that help the cocoa growers in Belize?"

Perhaps Green & Black's having fared well is more a result of Cadbury's not particularly ruthless corporate culture (weren't the Cadbury family, who owned the company until not that long ago, Quakers or something?). I suspect that had they been bought out by, say, Nestlé, it may be a different picture altogether.
