Hacking & Security
Lance Ealy, an Ohio man who fled home confinement last year just prior to his conviction on charges of filing phony tax refund requests on more than 150 Americans, was apprehended in a pre-dawn raid by federal marshals in Atlanta on Wednesday.
Ealy, 28, of Dayton, Ohio, was the subject of no fewer than three previous posts on this blog. Ealy reached out to me in February 2014, after being arrested by the U.S. Secret Service for using his email account to purchase Social Security numbers and other personal information from an online identity theft service run by a guy named Hieu Minh Ngo.
Ngo is a Vietnamese national who, for several years, ran an online identity theft service called Superget.info. Shortly after my 2011 initial story about his service, Ngo tauntingly renamed his site to findget.me. The Secret Service took him up on that challenge, and succeeded in luring him out of Vietnam into Guam, where he was arrested and brought to New Hampshire for trial. He pleaded guilty last year to running the ID theft service, and the government has been working on rounding up his customers ever since.
Mr. Ealy was one of several individuals found guilty of identity theft charges after buying from Ngo’s service, which relied in part on data obtained through a company owned by big-three credit bureau Experian.
After being indicted on 46 counts of fraudulent activity, Ealy fired his attorney and chose to represent himself in court. In mid-November 2014 — just days before the jury in his trial was to issue its guilty verdict — Ealy slipped his ankle monitor and skipped town, but not before posting a taunting selfie to his Twitter account.
In the four months since his disappearance, investigators caught glimpses of Ealy jumping online as he made his way south to Atlanta. Incredibly, Ealy took time to file several lengthy pro se legal arguments (PDF) stating why the judge in the case was not impartial and that he deserved a retrial. When federal officials prosecuting his case responded (PDF) incredulously to his request, Ealy took it upon himself to file a response (PDF) to their motion for dismissal — all while on the lam.
Investigators close to the case say Ealy continued filing false tax refund requests while on the run from the law. But instead of turning to an underground identity theft service as he did previously, investigators say Ealy appears to have paid numerous inmates serving time in Ohio prisons for permission to file tax refund requests on their behalf with the Internal Revenue Service (IRS) — topping up the inmates’ commissary funds to the tune of $100 per filing while pocketing the rest of the fraudulent refunds.
According to whio.com, Ealy remains in the Northern District of Georgia until he can be extradited.
Apple uses iOS (operating system) to power many of its mobile devices such as iPhone, iPad and so on. From the beginning, security has been placed at the core of iOS. There are many inherent features that secure the device and its resources at different levels. This article aims to provide answers to questions such […]
Introduction
The Global System for Mobile Communication or GSM is a wireless communication that uses digital technology and is widely deployed across the globe for mobile communications, such as mobile phones. This technology utilizes microwaves, and its signal transmission is divided by time, mostly known as Time Division Multiple Access (TDMA). In this article, I […]
<Ms2ger> htmlparser, perhaps
<Ms2ger> Since BeautifulSoup is already taken
<jdm> you just hate good ideas
<pcwalton> kmc: if you don't call it html5ever that will be a massive missed opportunity
By that point we already had a few contributors. Now we have 469 commits from 18 people, which is just amazing. Thank you to everyone who helped with the project. Over the past year we've upgraded Rust almost 50 times; I'm extremely grateful to the community members who had a turn at this Sisyphean task.
Several people have also contributed major enhancements. For example:
Clark Gaebel implemented zero-copy parsing. I'm in the process of reviewing this code and will be landing pieces of it in the next few weeks.
Josh Matthews made it possible to suspend and resume parsing from the tree sink. Servo needs this to do async resource fetching for external <script>s of the old-school (non-async/defer) variety.
Chris Paris implemented fragment parsing and improved serialization. This means Servo can use html5ever not only for parsing whole documents, but also for the innerHTML/outerHTML getters and setters within the DOM.
Adam Roben brought us dramatically closer to spec conformance. Aside from foreign (XML) content and <template>, we pass 99.6% of the html5lib tokenizer and tree builder tests! Adam also improved the build and test infrastructure in a number of ways.
I'd also like to thank Simon Sapin for doing the initial review of my code, and finding a few bugs in the process.
html5ever makes heavy use of Rust's metaprogramming features. It's been something of a wild ride, and we've collaborated with the Rust team in a number of ways. Felix Klock came through in a big way when a Rust upgrade broke the entire tree builder. Lately, I've been working on improvements to Rust's macro system ahead of the 1.0 release, based in part on my experience with html5ever.
Even with the early-adopter pains, the use of metaprogramming was absolutely worth it. Most of the spec-conformance patches were only a few lines, because our encoding of parser rules is so close to what's written in the spec. This is especially valuable with a "living standard" like HTML.
The future
Two upcoming enhancements are a high priority for Web compatibility in Servo:
Character encoding detection and conversion. This will build on the zero-copy UTF-8 parsing mentioned above. Non-UTF-8 content (~15% of the Web) will have "one-copy parsing" after a conversion to UTF-8. This keeps the parser itself lean and mean.
document.write support. This API can insert arbitrary UTF-16 code units (which might not even be valid Unicode) in the middle of the UTF-8 stream. To handle this, we might switch to WTF-8. Along with document.write we'll start to do speculative parsing.
It's likely that I'll work on one or both of these in the next quarter.
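To make the document.write problem concrete: the API hands the parser UTF-16 code units, and nothing guarantees they form valid surrogate pairs, so a strictly UTF-8 stream has nowhere to put a lone surrogate. The following is an added example, not html5ever code, that converts UTF-16 code units to WTF-8: well-formed pairs become ordinary 4-byte UTF-8, and an unpaired surrogate is kept as the 3-byte "generalized UTF-8" form that WTF-8 allows and strict UTF-8 rejects. The function names `utf16_to_wtf8` and `is_valid_utf8` are this example's own.

```rust
// Added example (not html5ever code): encode a sequence of UTF-16 code units,
// possibly containing unpaired surrogates, into WTF-8 bytes.

fn push_code_point(out: &mut Vec<u8>, cp: u32) {
    // Standard UTF-8 bit layout. WTF-8 applies it unchanged to the surrogate
    // range 0xD800..=0xDFFF, which is exactly where it differs from UTF-8.
    match cp {
        0x0000..=0x007F => out.push(cp as u8),
        0x0080..=0x07FF => {
            out.push(0xC0 | (cp >> 6) as u8);
            out.push(0x80 | (cp & 0x3F) as u8);
        }
        0x0800..=0xFFFF => {
            out.push(0xE0 | (cp >> 12) as u8);
            out.push(0x80 | ((cp >> 6) & 0x3F) as u8);
            out.push(0x80 | (cp & 0x3F) as u8);
        }
        _ => {
            out.push(0xF0 | (cp >> 18) as u8);
            out.push(0x80 | ((cp >> 12) & 0x3F) as u8);
            out.push(0x80 | ((cp >> 6) & 0x3F) as u8);
            out.push(0x80 | (cp & 0x3F) as u8);
        }
    }
}

/// Convert UTF-16 code units to WTF-8. Never fails: lone surrogates are
/// preserved instead of being replaced by U+FFFD or rejected.
pub fn utf16_to_wtf8(units: &[u16]) -> Vec<u8> {
    let mut out = Vec::with_capacity(units.len() * 3);
    let mut i = 0;
    while i < units.len() {
        let u = units[i] as u32;
        if (0xD800..=0xDBFF).contains(&u) {
            // High surrogate: combine with a following low surrogate if there is one.
            if let Some(&next) = units.get(i + 1) {
                let n = next as u32;
                if (0xDC00..=0xDFFF).contains(&n) {
                    let cp = 0x10000 + ((u - 0xD800) << 10) + (n - 0xDC00);
                    push_code_point(&mut out, cp);
                    i += 2;
                    continue;
                }
            }
        }
        // A BMP scalar value, or a lone surrogate (high or low): WTF-8 keeps it as-is.
        push_code_point(&mut out, u);
        i += 1;
    }
    out
}

/// True if the bytes are also strict UTF-8, i.e. the input had no lone surrogates.
/// Rust's str::from_utf8 rejects encoded surrogates, so it doubles as the check.
pub fn is_valid_utf8(bytes: &[u8]) -> bool {
    std::str::from_utf8(bytes).is_ok()
}

fn main() {
    // Constructed inputs: a well-formed string, and 'a', a lone high surrogate, 'b'.
    let good: Vec<u16> = "a€😀".encode_utf16().collect();
    let lone = [0x0061u16, 0xD83D, 0x0062];
    let w = utf16_to_wtf8(&lone);
    println!("good is utf-8: {}", is_valid_utf8(&utf16_to_wtf8(&good)));
    println!("{:02x?} is utf-8: {}", w, is_valid_utf8(&w));
}
```

The practical consequence for a parser is that any code path which later hands WTF-8 bytes to something expecting real UTF-8 (a `str`, a serializer, a network write) has to either re-validate or replace the surrogate sequences first; `is_valid_utf8` is that boundary check.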
Servo may get SVG support in the near future, thanks to canvg. SVG nodes can be embedded in HTML or loaded from an external XML file. To support the first case, html5ever needs to implement WHATWG's rules for parsing foreign content in HTML. To handle external SVG we could use a proper XML parser, or we could extend html5ever to support "XML5", an error-tolerant XML syntax similar to WHATWG HTML. Ygg01 made some progress towards implementing XML5. Servo would most likely use it for XHTML as well.
Improved performance is always a goal. html5ever describes itself as "high-performance" but does not have specific comparisons to other HTML parsers. I'd like to fix that in the near future. Zero-copy parsing will be a substantial improvement, once some performance issues in Rust get fixed. I'd like to revisit SSE-accelerated parsing as well.
I'd also like to support html5ever on some stable Rust 1.x version, although it probably won't happen for 1.0.0. The main obstacle here is procedural macros. Erick Tryzelaar has done some great work recently with syntex, aster, and quasi. Switching to this ecosystem will get us close to 1.x compatibility and will clean up the macro code quite a bit. I'll be working with Erick to use html5ever as an early validation of his approach.
The C API for html5ever still builds, thanks to continuous integration. But it's not complete or well-tested. With the removal of Rust's runtime, maintaining the C API does not restrict the kind of code we can write in other parts of the parser. All we need now is to complete the C API and write tests. This would be a great thing for a community member to work on. Then we can write bindings for every language under the sun and bring fast, correct, memory-safe HTML parsing to the masses :)
On Tuesday, Ars chronicled Microsoft's four- to six-week delay responding to a Finnish man who had obtained a Windows Live e-mail address that allowed him to register unauthorized transport layer security certificates for the live.fi domain. Today comes the tale of a Belgian IT worker who has waited more than four years to return two similar addresses for the live.be domain.
Microsoft's delay in securing the addresses such as firstname.lastname@example.org and email@example.com has potential consequences for huge numbers of people. Browser-trusted certificate authorities such as Comodo grant unusually powerful privileges to people with such an address. All the account holders had to do was ask for a domain-validated TLS certificate for live.fi or live.be. Once they clicked a validation link Comodo sent to their e-mail addresses, the certificates were theirs. Comodo's automatic certificate application also works for addresses with the words admin, postmaster, and webmaster immediately to the left of the @ and the domain name for which the certificate is being applied.
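The defensive lesson of the paragraph above is that, on any domain offering public mailboxes, a handful of local-parts are not ordinary usernames: a CA will treat mail to them as proof of control over the whole domain. The following is an added example, not code from Microsoft, Comodo or the article, of a registration-time check a mail provider could run, plus an audit function for accounts that already exist (the situation the article describes). The article names admin, postmaster and webmaster; administrator and hostmaster are the remaining two names on the CA/Browser Forum Baseline Requirements list of constructed domain-contact addresses. The normalisation rule (trim, lower-case, drop a `+tag` suffix) is an assumption about how the mail system delivers, and the function names are this example's own.

```rust
// Added example (not from the article): refuse mailbox names that CAs
// accept as proof of domain control, and find existing ones to reclaim.

const CA_VALIDATION_LOCAL_PARTS: [&str; 5] =
    ["admin", "administrator", "webmaster", "hostmaster", "postmaster"];

/// Normalise a requested local-part the way a mail system is assumed to
/// before delivery: trim, lower-case, drop a "+tag" suffix. "Admin+x"
/// is therefore treated as "admin". Dot-folding is deliberately not done;
/// only add it if the mail system actually delivers "ad.min" to "admin".
fn canonical_local_part(requested: &str) -> String {
    let trimmed = requested.trim().to_ascii_lowercase();
    match trimmed.split_once('+') {
        Some((base, _tag)) => base.to_string(),
        None => trimmed,
    }
}

/// Some(reason) if the requested name must be refused, None if it may be issued.
pub fn reject_reason(requested: &str) -> Option<String> {
    let local = canonical_local_part(requested);
    if CA_VALIDATION_LOCAL_PARTS.contains(&local.as_str()) {
        return Some(format!(
            "'{}' is a CA domain-validation address and is reserved for the operator",
            local
        ));
    }
    None
}

pub fn is_reserved(requested: &str) -> bool {
    reject_reason(requested).is_some()
}

/// Audit helper: from a list of already-issued account names, return those
/// that should be taken back from their holders.
pub fn accounts_to_reclaim<'a>(existing: &[&'a str]) -> Vec<&'a str> {
    existing.iter().copied().filter(|n| is_reserved(n)).collect()
}

fn main() {
    // Constructed sample of sign-up requests.
    for name in ["alice", "Admin", " postmaster ", "webmaster+tls", "hostmaster", "admin.user"] {
        println!("{:?} -> {:?}", name, reject_reason(name));
    }
    // Constructed sample of an existing account database.
    let existing = ["alice", "HostMaster", "bob", "admin+1"];
    println!("reclaim: {:?}", accounts_to_reclaim(&existing));
}
```

Blocking the names at sign-up is the cheap half; the audit half matters because, as the article shows, an address already in a user's hands stays usable for certificate issuance for as long as nobody takes it back.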
It came as a surprise that Microsoft waited until this week to respond to the Finnish man's report, reportedly from January, that he came into possession of the firstname.lastname@example.org address. One would have expected such addresses to be locked down tight to begin with. Once a breach of this policy was reported, it would have been reasonable to assume Microsoft security personnel would respond to it within a day or two, if not sooner. But the Belgian IT worker's e-mail reveals a mind-boggling wait of more than four years for company officials to respond to his private and voluntary report he was sitting on the addresses email@example.com and firstname.lastname@example.org.
The world is about to get another reminder about just how much of the Internet runs on technology maintained by a handful of coders working on a shoestring budget. OpenSSL — the software used by thousands of companies to encrypt online communications — is set to get a security makeover this week: The OpenSSL project said it plans to release new versions of its code to fix a number of security weaknesses, including some classified as “high” severity.
OpenSSL is deployed at countless organizations, including at Web giants like Facebook, Google and Yahoo — as well as broadly across U.S. federal government networks. As its name suggests, OpenSSL implements Secure Sockets Layer (SSL) encryption (also known as “transport layer security” or TLS) for Web sites and associated networks, ensuring that the data cannot be read by untrusted parties.
The patch is likely to set off a mad scramble by security teams at organizations that rely on OpenSSL. That’s because security updates — particularly those added to open-source software like OpenSSL that anyone can view — give cybercriminals a road map toward finding out where the fixed vulnerabilities lie and insight into how to exploit those flaws.
Indeed, while the OpenSSL project plans to issue the updates on Thursday, Mar. 19, the organization isn’t pre-releasing any details about the fixes. Steve Marquess, a founding partner at the OpenSSL Software Foundation, said that information will only be shared in advance with the major operating system vendors.
“We’d like to let everyone know so they can be prepared and so forth, but we have been slowly driven to a pretty brutal policy of no [advance] disclosure,” Marquess said. “One of our main revenue sources is support contracts, and we don’t even give them advance notice.”
Advance notice helps not only defenders, but attackers as well. Last year, ne’er-do-wells pounced on Heartbleed, the nickname given to an extremely critical flaw in OpenSSL that allowed anyone to extract passwords, cookies and other sensitive data from servers that were running vulnerable versions of OpenSSL. This Heartbleed disclosure timeline explains a great deal about how that process unfolded in a less-than-ideal manner.
In the wake of Heartbleed, media organizations asked how such a bug — which many security experts said was a fairly obvious blunder in hindsight — could have gone undetected in the guts of the open-source code for so long. Marquess took to his blog to explain, posting an open letter requesting additional financial support for the OpenSSL project and pointing out the stark fact that so much of the Internet runs on top of software that is maintained by a tiny team with a shoestring budget.
“So the mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn’t happened more often,” Marquess said of the Heartbleed bug.
In an interview with KrebsOnSecurity, Marquess said the updates to be released tomorrow are partly the product of a spike in donations and funding the organization received in the wake of Heartbleed.
In that brief glare of publicity, the OpenSSL Foundation landed two Linux Foundation fellowships — meaning the group gained two new people who are paid for three years to work full-time on improving the security and stability of OpenSSL. Using donations and some commercial revenues, the foundation also is self-funding two additional people to maintain the code.
“We have four people working full-time on OpenSSL doing just what needs to be done, as opposed to working on stuff that brings in revenue,” Marquess said. “We have a lot more manpower resources, and one of the reasons you’re seeing all these bug and vulnerability fixes coming out now is that not only are outsiders looking for problems but we are too.” “We’re also doing a major overhaul of the source code, in conjunction with what is going to be probably the biggest crypto audit ever.”