Tag Archives: Technology

Bitlocker is a Sleeping Cryptolocker Virus

This is a sincere warning for anyone purchasing a laptop with Windows 10, Bitlocker, and/or the Trusted Platform Module (TPM). As yet I’m not sure which part of this is the culprit, but there is something severely defective with this hardware/software combination on some laptops, which will turn a dormant/disabled Bitlocker security feature into an active/enabled Cryptolocker virus.

A Cryptolocker virus is something that encrypts all the files on your hard drive without your permission. Once encrypted, the files are basically impossible to recover.

I seriously can’t believe this happened!

I purchased three Dell Latitude 7480 laptops, all with the same specs. All three laptops were prepared by me and then sent to users in the field, like always.

Two of those laptops remain fine (I’m crossing my fingers still), but one of them decided to go into Bitlocker Recovery mode on startup for some reason, even though we never enabled this feature or received a Bitlocker Recovery key from Dell.

There is absolutely no way around it. Bitlocker without a recovery key, stuck at the Bitlocker Recovery screen, is essentially a Cryptolocker virus. It’s the same EXACT thing.

Keep in mind that I absolutely despise drive encryption for our company laptops because we have nothing that important to encrypt and it only causes issues like this. I never enabled or configured Bitlocker on any of these laptops.

In fact, every time I purchase laptops from Dell – and I’ve purchased at least 200 so far – I specifically choose no Dell Data Protection (DDPE), no Trusted Platform Module (TPM), no Bitlocker, and no full drive encryption. We don’t want or need those features; they are a burden to us.

Needless to say, the user was surprised one morning when he turned on his brand new Dell Latitude 7480 and a Bitlocker Recovery screen prompted for some kind of key which he did not have. This user contacted me for the key, which I did not have either. I can only assume this is some kind of defect in Windows or with the Dell laptop where Bitlocker turned itself on.

So I had the user return his new laptop and pick up his old one.

I contacted Dell a total of three times. The first time they gave me a bunch of options to disable in BIOS, per this article:

http://www.dell.com/support/article/us/en/19/sln304584/bitlocker-asks-for-a-recovery-key-every-boot-on-usb-c—thunderbolt-systems-when-docked-or-undocked?lang=en

None of that advice helped. At this point I needed to recover some of the user’s work from the drive. Turns out Microsoft OneDrive hadn’t synced his work for a week, so the copies in the cloud were too old. Not knowing much about Bitlocker (I never use it), I decided to pick up an M.2 hard drive adapter and stick the drive into another computer so I could try recovering the data. No dice: a Bitlocker screen popped up asking for that same key.

Stepping out of the official support lanes for a moment, I decided to do some research. It turns out other people are experiencing this problem too, and the “answers/solutions” are a bit unnerving:

BitLocker locked me out on Surface Pro 3; I’ve never set up BitLocker and key is not stored anywhere

Bitlocker Enabled Without Warning, No Recovery Key!

Bitlocker – becoming an irritation

Soooo…the answer is Bitlocker can’t possibly do this? But I should nuke the drive and start over?

On the final call with Dell, they acknowledged that their engineers are looking into a potential issue where automatic updates might be triggering Bitlocker somehow. The only thing they could do is tell me to contact Microsoft and get back to them with an update so they could follow through with replacing the hard drive if necessary.

I have a feeling that a Windows Update changed something on the system like a driver, or the Dell Update Client automatically installed something like a BIOS or TPM update, which triggered Bitlocker to somehow turn on unattended and encrypt the drive.

You have been warned.

A Game Engine From Scratch In JavaScript Part 4 – Editor & Debugger

The editor serves as a live debugger and allows modifying the game objects in real-time. These are canvas sprites we’re talking about, not DOM elements. While this is still a work in progress, I wanted to share a screen capture so you can see how it might end up looking. The next screen capture shows some live editing capabilities.

A Game Engine From Scratch in JavaScript Part 3 – Breakout

I wanted to make sure this engine would be comparable or maybe even easier to use than some of the other engines out there, with the ability to build a variety of game types and not just the game I was hoping to build. For this, I decided to go with Breakouts, which is a website that aims to help other developers compare and choose a game engine. So here’s my attempt…

It’s a work in progress, please check back soon for the full article:

This GIF was recorded at 20 FPS; the game runs at 60.

Working: sound effects, level progression, game states, mouse/keyboard input, collision (a bit buggy), ball-bounce physics (a bit crude), sprites, spritesheets, sprite animations, rendering layers, async module/asset loader, fixed timestep. These are all provided by the core engine.

Not Working: power-ups, variable timestep, improved physics.

A Game Engine From Scratch In JavaScript Part 2 – Physics

About 1-2 weeks ago I decided to make a game engine in my spare time. The most challenging aspect so far has been the handling of physics – how objects in the game behave when they collide.

I was able to get a few collision prototypes working. Here’s what the first prototype looks like, it could handle many moving objects, but the accuracy wasn’t perfect:

Disclaimer: I do not own the graphics depicted in this article, nor do I have permission to use them in a commercial product. The graphics were found using Google Image search, and they are being used here solely for showcasing the engine’s capabilities and progress. The tree sprites are from Here Be Monsters, and the player/wolf sprites are from Ragnarok Online.

What you’re seeing in the screen capture above is a bunch of objects (wolf sprites) being spawned with a “roam” AI package, which just makes the objects move around. This AI package idea will be expanded upon later, but it’s kind of how Skyrim AI works, mixed with Final Fantasy XII Gambits – interchangeable and override-able behavior stacks for different scenarios.

(The screen capture above doesn’t reflect 60 FPS due to gif recording at the time. It’s also a .gifv image hosted by Imgur, my apology if the buffering is choppy…)

WP-OAuth Is Not Vulnerable to SpoofedMe Social Login Exploit

The SpoofedMe social login exploit is a known weakness of the OAuth2 “spec”. The OAuth2 spec doesn’t define strict implementation standards, so developers have free rein to come up with some pretty wild implementations, or hack together a few libraries until it works. And that’s where the problem lies. There is no standard. Furthermore, social login is something that is normally built on top of OAuth2, and there’s no standard for that either. Some folks are trying to standardize social login with OpenID Connect (I like to think of this as “OAuth2-Strict”), but until then we will be facing issues like SpoofedMe because developers are not gods.

The SpoofedMe exploit is actually similar to this one, from a Google security advisory earlier this year:

“An attacker could forge an OpenID request that doesn’t ask for the user’s email address, and then insert an unsigned email address into the IDPs response. If the attacker relays this response to a website that doesn’t notice that this attribute is unsigned, the website may be tricked into logging the attacker in to any local account.” –Link

Thankfully, I read the spec and decided not to implement this gaping security hole in WP-OAuth to begin with. Properly identifying users to perform the account match was one of the biggest design challenges that I encountered because not only were there numerous docs and specs to work through, there were a lot of existing implementations that did it wrong. I had to start from scratch.
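The account-matching mistake the advisory describes, shown as an added example that is not WP-OAuth’s own code: a relying party that matches local accounts on any email attribute in the provider response (signed or not) next to one that trusts only signed claims and matches on issuer plus subject. The provider signature is simulated with an HMAC over the claims, and the issuer, key, account table and responses are all constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo (not WP-OAuth code): the IdP signs a claim set, and the relying
# party must decide which parts of the response it trusts when matching an account.
IDP_KEY = b"constructed-idp-signing-secret"   # stands in for the IdP's private key
ISSUER = "https://idp.example"               # placeholder issuer

# Local accounts, each remembering the provider identity it was linked to.
ACCOUNTS = [
    {"user": "alice", "email": "alice@example.com", "iss": ISSUER, "sub": "u-1001"},
]

def sign(claims):
    """Stand-in for the IdP: returns the claims plus an HMAC over their canonical form."""
    payload = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()}

def verified_claims(response):
    """Returns the signed claims only if the signature checks out, otherwise None."""
    payload = json.dumps(response.get("claims", {}), sort_keys=True).encode()
    expected = hmac.new(IDP_KEY, payload, hashlib.sha256).hexdigest()
    return response["claims"] if hmac.compare_digest(expected, response.get("sig", "")) else None

def login_vulnerable(response):
    """Matches on any 'email' attribute in the response, signed or not (the SpoofedMe bug)."""
    email = response.get("email") or response.get("claims", {}).get("email")
    return next((a["user"] for a in ACCOUNTS if a["email"] == email), None)

def login_hardened(response):
    """Trusts only signed claims and matches on (issuer, subject), never on email alone."""
    claims = verified_claims(response)
    if claims is None:
        return None
    return next((a["user"] for a in ACCOUNTS
                 if (a["iss"], a["sub"]) == (claims.get("iss"), claims.get("sub"))), None)

# A genuine login by alice: the IdP signs her issuer, subject and email.
LEGIT = sign({"iss": ISSUER, "sub": "u-1001", "email": "alice@example.com"})
# SpoofedMe-style response: the attacker's own signed identity (no email requested)
# with alice's address appended as an unsigned top-level attribute.
SPOOFED = dict(sign({"iss": ISSUER, "sub": "u-9999"}), email="alice@example.com")
# Edited signed claims: the signature no longer matches, so nothing in it is trusted.
TAMPERED = {"claims": {"iss": ISSUER, "sub": "u-9999", "email": "alice@example.com"},
            "sig": LEGIT["sig"]}
```

The vulnerable matcher logs the spoofed and tampered responses in as alice; the hardened one accepts only the genuinely signed login for her own subject.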

Mist – Alpha Preview 1

Yet another project I’m working on…

Screenshot of the Edit menu, for real-time editing of meta-data, somewhat resembling a CMS:

WP-OAuth Screenshot Preview

While I’m working on the next version of WP-OAuth – a free social login plugin for WordPress – I thought I’d drop this screenshot preview of some upcoming features.

There will be some new settings, such as having the ability to automatically logout inactive users, suppress the welcome email during registration, or assign a user role during registration (even in Multisite, which removes this option). We also have a bug fix for cloud-based hosting providers such as Heroku, courtesy of our first open-source contributor, larsschenk.

But aside from that, I’ve included provider icons for the login buttons and you’ll be able to change the icon size, choose from different icon sets, or easily design/include your own icons. This leads us towards new layouts, all of which are configurable via the settings page or shortcode attributes:

Links-Column layout, styling handled by the theme:

Buttons-Column layout:

Buttons-Row layout, no prefix or name:

Buttons-Row layout, no prefix, name or padding:

Settings page overhaul (again), now includes a shortcode designer and fully responsive/fluid layout for mobile devices:

Settings page responsive/fluid layout for mobile devices:

Choices & Chances – A Choose Your Own Adventure Platform

Yet another project I’m working on…
