[sf-lug] Plain text = remote code execution??

Rick Moen rick at linuxmafia.com
Thu May 25 17:28:35 PDT 2017


Quoting Daniel Gimpelevich (daniel at gimpelevich.san-francisco.ca.us):

> Yeah, well, initially I considered linking this instead:
> http://www.telegraph.co.uk/technology/2017/05/25/hackers-hiding-computer-viruses-film-subtitles-experts-warn/
> I think what I linked instead is quite the improvement over it.
> (Kidding.)

Heh.

You notice that, to IT journalists, anything bad that happens on a
computer is construed to be a 'virus'?  I used to joke that the
difference between an 'IT journalist' and the regular type is that
editors assigned anyone who's a touch-typist to the former beat.

In this case, reporter James Titcomb swallows whole the Check Point
big-fish story with zero effort to determine what the threat model
involves, and then makes that ludicrous statement about how 'Check Point
showed it was possible to include debilitating computer viruses within
the files that are activated as soon as subtitles are switched on'.

Unfortunately, this is what most IT journalism has amounted to, for
decade upon decade: copying and pasting from press releases.  (In this
case, Titcomb embellished further beyond Check Point's somewhat
unlikely claim of a well-developed exploit, because he doesn't even
understand what a virus is.)

In all likelihood, it's going to be difficult verging on impossible to
make a .srt file deterministically do a particular _thing_ to the host
instance of VLC, Kodi, etc.  They're rather more likely to crash or
freeze than to turn into obedient zombies.



