Added eScan in the list of affected vendors.
More details here.
Enjoy,
kyREcon
A short write-up on a tiny update introduced in NT kernel version 10.0.15063 inside nt!SepCreateAccessStateFromSubjectContext that can mess up with your kernel exploits in case you abuse _SEP_TOKEN_PRIVILEGES.Enabled through a Read-Write Primitive to gain EoP.
Read more here.
Enjoy,
kyREcon
Howdy,
Recently, I noticed that protonmail treats users that attempt to use their service via tor a bit differently.
So if you are ready and/or willing to laugh or cry a bit about it, then keep on reading.
Let’s go…
First of all protonmail owners are happy to talk a lot about privacy and security, which is a good thing. They even offer a Tor hidden service!
They even mention that protonmail “does not require any personally identifiable information to register”.
However, how true is all that about privacy and anonymity?
So in case you actually attempt to signup for a new account on protonmail, via tor, this is what happens:
Wait a minute!!!
Isn’t Tor’s purpose to offer anonymity and privacy to the user?!?!
Are you actually telling to the users to connect via Tor for which you also provide a URL and then you are asking them to give you their mobile number and/or their credit card information?!?!?
Didn’t you say that you don’t require any personal information to register?!?!
This makes no sense…this makes no fucking sense!!!
To make things clear, asking for a mobile number and/or credit card information has nothing to do with “Human Verification”.
This is clearly an “Identification” of the person that attempts to signup to their service…using Tor…for which they also provide a URL…for which process they were supposed not to ask any personal information.
After having a conversation over twitter with @bartcbutler (Protonmail’s CTO), it seems that they still believe that promoting privacy via Tor and then asking someone to provide personal information makes total sense to them.
Their excuse is that they do that to fight spammers and people creating multiple accounts, which could cause to make the whole service suffer.
But…do they do this for users that don’t attempt to signup via Tor?
No they don’t!!!
So, let me get this straight…if that makes any sense.
When I asked them what is the point of allowing people to signup via Tor and also offering a Tor URL if they assume that Tor users are spammers, @bartcbutler said that they don’t assume anything like that.
Apparently, though this is not the case, again!
If it was the case, then why not always ask for personal information?
Can’t spammers create multiple accounts without using Tor?
Well…the difference is that it makes it easier to identify people that create an account without using Tor.
Because that’s the difference. That’s the only difference.
So clearly, this doesn’t make any sense and definitely it’s not for fighting spammers.
Nothing from what they claim and say adds up, and for me protonmail is definitely not an option anymore.
If you see shit on one side of the cake:
a. You clean that part up and eat the rest of the cake.
b. You throw away the whole fucking cake.
The choice is yours.
Take care,
kyREcon
Sadly, Kris passed away recently.
I never had the opportunity to meet him in person, but I can remember in a way that still puts a smile in my face, that he was one of the first people that I rushed to be connected with in linkedin when I firstly created an account about 10 years ago.
Who is ever going to forget the “remote code execution through Intel CPU bugs” and so many other things discovered and written by Kris.
I wish all the best to his family and close friends, and may he stay alive in everyone’s memories forever.
“Death is not the greatest loss in life. The greatest loss is what dies inside us while we live.” -Norman Cousins
kyREcon
This article describes a new mitigation in the latest Windows 10 v1607 against a common attack vector user by many kernel exploits until today.
Read more here.
Enjoy,
kyREcon