How Typewriters Broke Email Security

  • Published: 8 Sep 2024

Comments • 13

  • @nico5 5 months ago +4

    Wow! - Concise scripting and delivery while still connecting the long trail of dots in how this (and by implication many other) network and computer security problems keep showing up. And all without tech jargon! - I bow in respect!

  • @marksterling8286 5 months ago +4

    Fantastic video, really well explained.
    I think I am of an age where I still call the key on the alpha side of the keyboard carriage return and the one on the number pad enter.

  • @tor-bjornfjellner3245 4 days ago

    I'd like to add a small nuance about CR+LF. On teletypes, it takes more time to execute a carriage return than to type a letter. The difference is so big that when you were sending teletype using punched tape, you'd often send CR+CR+LF to give the receiving machine enough time to reach the correct position before the next symbol was sent.

    • @mtarek2005 2 days ago

      I guess at least the LF can happen at the same time as a CR

    • @ProTechShow 2 days ago

      I originally had a bit about this in the video but it didn't make the cut.
      As I understand it, the characters (both control characters and printed characters) were sent at a fixed rate. For the sake of an example, let's say it's one every second. CR, LF, Print = 3 seconds. If the carriage takes 3.5 seconds to make it back to the start, then the character gets printed while the carriage is still moving, and it smears across the paper.
      If you send CR, CR, LF, Print; the second carriage return doesn't really do anything because you're just repeating a command to return to the start, but it does introduce a delay. Now the sequence takes 4 seconds instead of 3, giving the carriage time to make it back to the start before printing.
      I read that in some cases it was necessary to send three CR characters, but I can't say I have personal experience. Maybe Tor-Björn can confirm!

  • @BobFrTube 5 months ago +1

    I won't quibble over typewriters vs teletypes.
    I appreciate this as an example of why perimeter security (firewalls) is such a terrible idea. Once you get by them there is no stopping you. We need more nuanced trust models.

  • @outasi_official 5 days ago

    I've seen certain programs disallow mixed use of CRLF and LF and forcefully convert them one way or the other. To think that this implementation could've potentially prevented this.

  • @beaverbuoy3011 5 days ago

    So interesting!

  • @tokul76 4 days ago

    Congratulations on promoting a fake security report. Instead of telling how a typewriter works, you could explain to SEC Consult how email works and how security bugs are reported to vendors.

    • @ProTechShow 4 days ago

      It was acknowledged by the developers and there were patches released to fix it. How do you manage to patch a fake report?
      The . pattern in the video is taken from Postfix's own attack example. It is not the . pattern they've said was misreported and didn't actually work.