SMTP over XXE − how to send emails using Java’s XML parser

The (presumably ancient) code has a bug, though: it does not verify the syntax of the user name. RFC 959 specifies that a username may consist of a sequence of any of the 128 ASCII characters except <CR> and <LF>. Guess what the JRE implementers forgot? Exactly − to check for the presence of <CR> or <LF>. This means that if we put %0D%0A anywhere in the user part of the URL (or the password part for that matter), we can terminate the USER (or PASS) command and inject a new command into the FTP session.

Source: SMTP over XXE − how to send emails using Java’s XML parser – shift or die

So, if we send a USER command to a mail server instead of a FTP server, it will answer with an error code (since USER is not a valid SMTP command), but let us continue with our session. Combined with the bug mentioned above, this allows us to send arbitrary SMTP commands, which allows us to send emails. For example, let’s set the URL to the following (newlines added for readability):
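The check the post says the JRE's FTP handler omits, as an added example in Python (not code from the shift or die post or from the JRE): it percent-decodes the user and password parts of a URL and rejects them if they contain CR, LF or non-ASCII, as RFC 959 requires. The URLs it runs over are constructed for the demo.

```python
"""Added example: RFC 959 style validation of the userinfo part of an FTP URL.
The %0D%0A sequence the post describes only becomes CR LF after percent-decoding,
so a validator that looks at the raw URL string would miss it."""
import re
from urllib.parse import urlsplit, unquote

# RFC 959: a username is any sequence of the 128 ASCII characters except CR and LF.
_CR_OR_LF = re.compile(r"[\r\n]")


def userinfo_is_safe(url: str) -> bool:
    """Return False if the decoded user or password part could break out of the
    USER/PASS command (CR or LF present) or is not 7-bit ASCII."""
    parts = urlsplit(url)
    for field in (parts.username, parts.password):
        if field is None:
            continue
        decoded = unquote(field)  # urlsplit leaves %XX escapes in place
        if _CR_OR_LF.search(decoded) or any(ord(c) > 127 for c in decoded):
            return False
    return True


def check_urls(urls):
    """Map each URL to its verdict; handy for scanning URLs found in XML input."""
    return {u: userinfo_is_safe(u) for u in urls}


# Constructed sample URLs (hostnames are placeholders, not real systems).
CONSTRUCTED = [
    "ftp://alice:secret@files.example.test/report.xml",                 # clean
    "ftp://alice%0D%0AINJECTED:secret@files.example.test/report.xml",   # CR LF in user
    "ftp://alice:sec%0Aret@files.example.test/report.xml",              # LF in password
]

if __name__ == "__main__":
    for url, ok in check_urls(CONSTRUCTED).items():
        print("ACCEPT" if ok else "REJECT", url)
```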

Techdirt lawyers ask judge to throw out suit over “Inventor of E-mail”

In the end, this isn’t a debate about facts, say Masnick’s lawyers. Both Ayyadurai and Masnick acknowledge that the MAILBOX program was created at MIT in the 1960s and that Ray Tomlinson created the “@” symbol protocol in 1971. The two draw different conclusions, however. Ayyadurai calls the ARPANET creations “command-line protocols for transferring text messages” or “primitive electronic communication systems.” In Masnick’s view, Ayyadurai doesn’t dispute the historical facts, but instead “attacks Techdirt’

Source: Techdirt lawyers ask judge to throw out suit over “Inventor of E-mail” | Ars Technica

How IoT hackers turned a university’s network against itself

While this incident represents one of the first of its kind, the bad news is this form of attack is only going to become more common as more and more everyday items get connected to the internet, providing hackers with greater numbers of potential zombie devices.”

The reason behind it is the issue of default credentials for wireless devices. This is going to bring billions of devices into the fold by 2020, which is only three years away. Whenever it is, there’s going to be so many of these things used by people with very limited understanding of what they are,” says Dine.

Source: How IoT hackers turned a university’s network against itself | ZDNet

The network that IoT devices use should be isolated from the rest of the network and secured by a firewall. This isn’t that difficult to do.

Microsoft Azure now offers patent troll IP protection

Microsoft quotes a report from Boston consulting group which estimates a 22% rise in IP lawsuits relating to cloud products over the last five years in the U.S. alone. It also observes that non-practicing entities have increased their spending on cloud patents by 35% over the same period of time.

Source: Microsoft Azure now offers patent troll IP protection

How to Spot Ingenico Self-Checkout Skimmers

The overlay skimming devices pictured here include their own tiny magnetic read heads to snarf card data from the magnetic stripe when customers swipe their cards. Consequently, those tiny readers often interfere with the legitimate magnetic card reader on the underlying device, meaning compromised self-checkout lines may move a bit slower than others.

Source: How to Spot Ingenico Self-Checkout Skimmers — Krebs on Security

Math and the Best Life

If mathematics is a medium for human flourishing, it stands to reason that everyone should have a chance to participate in it. But in his talk Su identified what he views as structural barriers in the mathematical community that dictate who gets the opportunity to succeed in the field — from the requirements attached to graduate school admissions to implicit assumptions about who looks the part of a budding mathematician.

Source: Math and the Best Life — an Interview With Francis Su | Quanta Magazine

Microsoft shows Windows 10 market share growing steadily, but the numbers are fake

That means that when Microsoft showed Windows 10 overtaking Windows 7, this apparently happened in August last year. Most other analysts don’t see that seismic shift happening globally until December 2017, at the earliest.

Source: Microsoft shows Windows 10 market share growing steadily, but the numbers are fake [Updated]

Tesla’s Battery Revolution Just Reached Critical Mass

But prices for lithium-ion batteries have fallen fast—by almost half just since 2014. Electric cars are largely responsible, increasing demand and requiring a new scale of manufacturing for the same battery cells used in grid storage. California is mandating that its utilities begin testing batteries by adding more than 1.32 gigawatts by 2020. For context, consider this: In 2016, the global market for storage was less than a gigawatt.

Source: Tesla’s Battery Revolution Just Reached Critical Mass – Bloomberg

CMU AI Is Tough Poker Player

Libratus was developed by Computer Science Professor Tuomas Sandholm and his Ph.D. student, Noam Brown. Libratus is being used in this contest to play poker, an imperfect information game that requires the AI to bluff and correctly interpret misleading information to win. Ultimately programs like Libratus also could be used to negotiate business deals, set military strategy or plan a course of medical treatment — all cases that involve complicated decisions based on imperfect information.

Source: CMU AI Is Tough Poker Player | Carnegie Mellon School of Computer Science