<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>https://www.explainxkcd.com/wiki/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Rell</id>
		<title>explain xkcd - User contributions [en]</title>
		<link rel="self" type="application/atom+xml" href="https://www.explainxkcd.com/wiki/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Rell"/>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php/Special:Contributions/Rell"/>
		<updated>2026-05-21T09:00:36Z</updated>
		<subtitle>User contributions</subtitle>
		<generator>MediaWiki 1.30.0</generator>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=1957:_2018_CVE_List&amp;diff=152738</id>
		<title>1957: 2018 CVE List</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=1957:_2018_CVE_List&amp;diff=152738"/>
				<updated>2018-02-19T13:05:34Z</updated>
		
		<summary type="html">&lt;p&gt;Rell: typo&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 1957&lt;br /&gt;
| date      = February 19, 2018&lt;br /&gt;
| title     = 2018 CVE List&lt;br /&gt;
| image     = 2018_cve_list.png&lt;br /&gt;
| titletext = CVE-2018-?????: It turns out Bruce Schneier is just two mischevious kids in a trenchcoat.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
{{incomplete|Created by HACKING THIS WIKI VIA THE EDIT BOX - The explanation looks like a list. Explain the comic and put the security vulnerabilities in a table. Do NOT delete this tag too soon.}}&lt;br /&gt;
&lt;br /&gt;
{|class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
! style=&amp;quot;width: 30%;&amp;quot; | Security Vulnerability&lt;br /&gt;
! style=&amp;quot;width: 70%;&amp;quot; | Notes&lt;br /&gt;
|-&lt;br /&gt;
|Apple products crash when displaying certain Telugu or Bengali letter combinations.&lt;br /&gt;
|This refers to a real vulnerability in iOS and macOS publicized a few days before the comic was released.&amp;lt;ref&amp;gt;https://techcrunch.com/2018/02/15/iphone-text-bomb-ios-mac-crash-apple/&amp;lt;/ref&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
|An attacker can use a timing attack to extploit[sic] a race condition in garbage collection to extract a limited number of bits from the Wikipedia article on Claude Shannon.&lt;br /&gt;
|The timing attack exploiting a race condition in garbage collection refers to the Meltdown and Spectre CPU flaws, which can be exploited on cloud servers like the ones used by Wikipedia. Claude Shannon was an early and highly influential information scientist whose work underlies compression, encryption, security, and the theory behind how information is encoded into binary digits - hence the pertinence of extracting just some of the bits from his Wikipedia entry.&lt;br /&gt;
|-&lt;br /&gt;
|At the cafe on third street, the post-it note with the wifi password is visible from the sidewalk.&lt;br /&gt;
|Writing passwords in a visible place is a major security flaw. For instance, following the [[wikipedia:2018 Hawaii false missile alert|2018 Hawaii false missile alert]] the agency received criticism for a press photo showing a password written on a sticky note attached to a monitor.&amp;lt;ref&amp;gt;http://uk.businessinsider.com/hawaii-emergency-agency-password-discovered-in-photo-sparks-security-criticism-2018-1?r=US&amp;amp;IR=T&amp;lt;/ref&amp;gt; However, if a cafe posts their wifi password for customers then having it visible through the window as well presents a very minor reduction in security.&lt;br /&gt;
|-&lt;br /&gt;
|A remote attacker can inject arbitrary text into public-facing pages via the comments box.&lt;br /&gt;
|Describes a common feature on news sites or social media sites like Facebook. The possibility for users to &amp;quot;inject&amp;quot; text into the page is by design. This is a humorous reference to the relatively common security vulnerability &amp;quot;[[Wikipedia:Cross-site_scripting|persistent cross-site scripting]]&amp;quot;, where input provided by the user is displayed to other users in a dangerous fashion that allows attackers to inject arbitrary HTML or Javascript code into e.g. a comment section. It might also be a humorous reference to the events before, during and after the 2016 US Presidential elections where Internet Research Agency employees based remotely in St. Petersburg, Russia, but disguised as US citizens, &amp;quot;injected&amp;quot; arbitrary text in the form of political propaganda into comments on multiple web sites, according to an indictment returned by a federal grand jury on February 16, 2018.&lt;br /&gt;
|-&lt;br /&gt;
|MySQL server 55.45 secretly runs two parallel databases for people who say &amp;quot;S-Q-L&amp;quot; and &amp;quot;sequel.&amp;quot;&lt;br /&gt;
|Some people pronounce &amp;quot;SQL&amp;quot; like &amp;quot;sequel&amp;quot;, after SQL's predecessor &amp;quot;SEQUEL (Structured English Query Language)&amp;quot;. The standard for SQL suggests that it should be pronounced as separate letters; however, the author of SQL pronounces it &amp;quot;sequel&amp;quot;, so the debate is persisting (with even more justification than arguments about how to pronounce &amp;quot;GIF&amp;quot;). MySQL is an open-source relational database management system; the latest GA version (at the time of writing) is MySQL 5.7.&lt;br /&gt;
|-&lt;br /&gt;
|A flaw in some x86 CPUs could allow a root user to de-escalate to normal account privileges.&lt;br /&gt;
|This refers to DOM0 attacks on virtualization CPUs, which regularly escalate from a normal account (few privileges) to root (full privileges); this is the inverse.&lt;br /&gt;
|-&lt;br /&gt;
|Apple products catch fire when displaying emoji with diacritics.&lt;br /&gt;
|Diacritics are the accents found on letters in some languages (e.g. č, ģ, ķ, ļ, ņ, š, ž). These would not be found on emojis. It is also a reference to a common problem of modern gadgets catching fire.&lt;br /&gt;
|-&lt;br /&gt;
|An oversight in the rules allows a dog to join a basketball team.&lt;br /&gt;
|This likely refers to the movie {{w|Air Bud}}. It is a movie about a dog playing basketball. This has been a common theme in xkcd comics, see [[115: Meerkat]], [[1439: Rack Unit]], [[1819: Sweet 16]], [[1552: Rulebook]]&lt;br /&gt;
|-&lt;br /&gt;
|Haskell isn't side-effect-free after all; the effects are all just concentrated in this one computer in Missouri that no one's checked on in a while.&lt;br /&gt;
|Haskell is a functional programming language. Functional programming is characterized by using functions that don't have side effects in other parts of the program.&lt;br /&gt;
|-&lt;br /&gt;
|Nobody really knows how hypervisors work.&lt;br /&gt;
|Virtualization programming is hard; Meltdown and Spectre are related to this.&lt;br /&gt;
|-&lt;br /&gt;
|CRITICAL: Under Linux 3.14.8 on System/390 in a UTC+14 time zone, a local user could potentially use a buffer overflow to change another user's default system clock from 12-hour to 24-hour.&lt;br /&gt;
|Jokes about arcane systems running Linux whose bugs nobody can replicate, because no machines of this type remain on which to reproduce the bug and fix it. UTC+14 is also a time zone used only on some islands in the Pacific Ocean, i.e., [[Wikipedia:Line_Islands|the Line Islands]], and is also the earliest time zone on earth.&lt;br /&gt;
|-&lt;br /&gt;
|x86 has way too many instructions.&lt;br /&gt;
|The x86 architecture is considered &amp;quot;CISC&amp;quot; (a &amp;quot;complex instruction set computer&amp;quot;), having many instructions originally provided to make programming by a human simpler; other examples include the 68000 series used in the first Apple Mac. In the 1980s, this design philosophy was countered by the &amp;quot;RISC&amp;quot; (&amp;quot;reduced instruction set computer&amp;quot;) design movement exemplified by SPARC, MIPS, PowerPC (previously used by Apple) and the ARM chips common in mobile phones - based on the observation that computer programs were increasingly generated by compilers (which only used a few instructions) rather than directly by people, and that the chip area dedicated to extra instructions could be better dedicated to, for example, cache. At the time, there was an internet war about the merits of each approach (with the Mac and PC being on different sides, at one time; owners of other competing systems such as the Archimedes and Amiga had similar arguments on usenet in the early 1990s); this &amp;quot;issue&amp;quot; may be posted by someone who still recalls these debates. Technically, the extra instructions do slightly complicate the task of validating correct chip behaviour and complicate the tool chains that manage software, which could be seen as a minor security risk; however, the 64-bit architecture introduced by AMD and since adopted by Intel does rationalise things somewhat, and all recent x86 chips break down instructions into RISC-like micro-operations, so the complication from a hardware perspective is localised. Recent security issues such as the speculative cache load issue in Meltdown and Spectre depend more on details of implementation rather than instruction set, and have been exhibited both by x86 (CISC) and ARM (RISC) processors.&lt;br /&gt;
|-&lt;br /&gt;
|NumPy 1.8.0 can factor primes in O(log n) time and must be quietly deprecated before anyone notices.&lt;br /&gt;
|NumPy is the fundamental package for scientific computing with Python.  If something can find the prime factors of a number this quickly, there are attacks to break many crypto functions used in internet security. However, prime numbers have only a single factor, and &amp;quot;factoring primes&amp;quot; quickly is a simpler problem. &lt;br /&gt;
|-&lt;br /&gt;
|Apple products grant remote access if you send them words that break the &amp;quot;I before E&amp;quot; rule.&lt;br /&gt;
|Another joke on the first CVE and a common English writing rule of thumb, which fails almost as often as it succeeds.  &lt;br /&gt;
|-&lt;br /&gt;
|Skylake x86 chips can be pried from their sockets using certain flathead screwdrivers.&lt;br /&gt;
|Skylake x86 chips are a line of microprocessors. Yes, you can forcefully remove any processor from its socket with a screwdriver. There are many reports from people not using common sense.&lt;br /&gt;
|-&lt;br /&gt;
|Apparently Linus Torvalds can be bribed pretty easily.&lt;br /&gt;
|Linus Torvalds is the benevolent dictator of the Linux kernel codebase. Normally it is hard to get a change accepted, because he has the last word on what is merged into the code base, and that code is replicated in all Linux installations. If he is apparently easy to bribe, that is a severe, critical vulnerability for all Linux servers and machines.&lt;br /&gt;
|-&lt;br /&gt;
|An attacker can execute malicious code on their own machine and no one can stop them.&lt;br /&gt;
|The point of an attack is to make someone else's machine perform actions against the owner's will. Anyone can make their own machine execute any code, but this would usually not be described as an attack.&lt;br /&gt;
|-&lt;br /&gt;
|Apple products execute any code printed over a photo of a dog with a saddle and a baby riding it.&lt;br /&gt;
|This could refer to a CVE vulnerability in JPG files where JavaScript is executed by some application, only this time it is in a printed photo instead of a file.&lt;br /&gt;
|-&lt;br /&gt;
|Under rare circumstances, a flaw in some versions of Windows could allow Flash to be installed.&lt;br /&gt;
|This is another common CVE description. Flash was discontinued because of its abysmal security record. All security experts advise against installing it.&lt;br /&gt;
|-&lt;br /&gt;
|Turns out the cloud is just other people's computers.&lt;br /&gt;
|This refers to a computer meme holding that &amp;quot;cloud&amp;quot; must be replaced with &amp;quot;other people's computers&amp;quot; in all marketing presentations to CEOs and people who are not computer literate, so that they can evaluate the security impact of using &amp;quot;Cloud services&amp;quot;.&lt;br /&gt;
|-&lt;br /&gt;
|A flaw in Mitre's CVE database allows arbitrary code insertion.[~~CLICK HERE FOR CHEAP VIAGRA~~]&lt;br /&gt;
|Mitre's CVE database is the database where all CVEs are listed. This is a joke linking back to the 4th CVE in this list, pointing out that the site is also vulnerable.&lt;br /&gt;
|-&lt;br /&gt;
|It turns out Bruce Schneier is just two mischievous kids in a trenchcoat. (title text)&lt;br /&gt;
|Bruce Schneier is a security researcher and blogger. He was mentioned in the title texts of [[748: Worst-Case Scenario]] and [[1039: RuBisCO]]. The &amp;quot;two kids in a trenchcoat&amp;quot; is a reference to the Totem Pole Trench trope.&amp;lt;ref&amp;gt;[http://tvtropes.org/pmwiki/pmwiki.php/Main/TotemPoleTrench TV Tropes:Totem Pole Trench trope]&amp;lt;/ref&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
{{incomplete transcript|Do NOT delete this tag too soon.}}&lt;br /&gt;
&lt;br /&gt;
LEAKED LIST OF MAJOR 2018 SECURITY VULNERABILITIES&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? Apple products crash when displaying certain Telugu or Bengali letter combinations.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? An attacker can use a timing attack to extploit[sic] a race condition in garbage collection to extract a limited number of bits from the Wikipedia article on Claude Shannon.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? At the cafe on third street, the post-it note with the wifi password is visible from the sidewalk.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? A remote attacker can inject arbitrary text into public-facing pages via the comments box.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? MySQL server 55.45 secretly runs two parallel databases for people who say &amp;quot;S-Q-L&amp;quot; and &amp;quot;sequel.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? A flaw in some x86 CPUs could allow a root user to de-escalate to normal account privileges.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? Apple products catch fire when displaying emoji with diacritics.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? An oversight in the rules allows a dog to join a basketball team.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? Haskell isn't side-effect-free after all; the effects are all just concentrated in this one computer in Missouri that no one's checked on in a while.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? Nobody really knows how hypervisors work.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? CRITICAL: Under Linux 3.14.8 on System/390 in a UTC+14 time zone, a local user could potentially use a buffer overflow to change another user's default system clock from 12-hour to 24-hour.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? x86 has way too many instructions.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? NumPy 1.8.0 can factor primes in O(log n) time and must be quietly deprecated before anyone notices.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? Apple products grant remote access if you send them words that break the &amp;quot;I before E&amp;quot; rule.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? Skylake x86 chips can be pried from their sockets using certain flathead screwdrivers.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? Apparently Linus Torvalds can be bribed pretty easily.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? An attacker can execute malicious code on their own machine and no one can stop them.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? Apple products execute any code printed over a photo of a dog with a saddle and a baby riding it.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? Under rare circumstances, a flaw in some versions of Windows could allow Flash to be installed.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? Turns out the cloud is just other people's computers.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? A flaw in Mitre's CVE database allows arbitrary code insertion.&amp;lt;span style=&amp;quot;color:blue&amp;quot;&amp;gt;[~~CLICK HERE FOR CHEAP VIAGRA~~]&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}}&lt;/div&gt;</summary>
		<author><name>Rell</name></author>	</entry>

	<entry>
		<id>https://www.explainxkcd.com/wiki/index.php?title=1957:_2018_CVE_List&amp;diff=152736</id>
		<title>1957: 2018 CVE List</title>
		<link rel="alternate" type="text/html" href="https://www.explainxkcd.com/wiki/index.php?title=1957:_2018_CVE_List&amp;diff=152736"/>
				<updated>2018-02-19T13:02:46Z</updated>
		
		<summary type="html">&lt;p&gt;Rell: Corrected Bruce Schneier being a &amp;quot;conceptual character&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{comic&lt;br /&gt;
| number    = 1957&lt;br /&gt;
| date      = February 19, 2018&lt;br /&gt;
| title     = 2018 CVE List&lt;br /&gt;
| image     = 2018_cve_list.png&lt;br /&gt;
| titletext = CVE-2018-?????: It turns out Bruce Schneier is just two mischevious kids in a trenchcoat.&lt;br /&gt;
}}&lt;br /&gt;
&lt;br /&gt;
==Explanation==&lt;br /&gt;
{{incomplete|Created by HACKING THIS WIKI VIA THE EDIT BOX - The explanation looks like a list. Explain the comic and put the security vulnerabilities in a table. Do NOT delete this tag too soon.}}&lt;br /&gt;
&lt;br /&gt;
{|class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
! style=&amp;quot;width: 30%;&amp;quot; | Security Vulnerability&lt;br /&gt;
! style=&amp;quot;width: 70%;&amp;quot; | Notes&lt;br /&gt;
|-&lt;br /&gt;
|Apple products crash when displaying certain Telugu or Bengali letter combinations.&lt;br /&gt;
|This refers to a real vulnerability in iOS and macOS publicized a few days before the comic was released.&amp;lt;ref&amp;gt;https://techcrunch.com/2018/02/15/iphone-text-bomb-ios-mac-crash-apple/&amp;lt;/ref&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
|An attacker can use a timing attack to extploit[sic] a race condition in garbage collection to extract a limited number of bits from the Wikipedia article on Claude Shannon.&lt;br /&gt;
|The timing attack exploiting a race condition in garbage collection refers to the Meltdown and Spectre CPU flaws, which can be exploited on cloud servers like the ones used by Wikipedia. Claude Shannon was an early and highly influential information scientist whose work underlies compression, encryption, security, and the theory behind how information is encoded into binary digits - hence the pertinence of extracting just some of the bits from his Wikipedia entry.&lt;br /&gt;
|-&lt;br /&gt;
|At the cafe on third street, the post-it note with the wifi password is visible from the sidewalk.&lt;br /&gt;
|Writing passwords in a visible place is a major security flaw. For instance, following the [[wikipedia:2018 Hawaii false missile alert|2018 Hawaii false missile alert]] the agency received criticism for a press photo showing a password written on a sticky note attached to a monitor.&amp;lt;ref&amp;gt;http://uk.businessinsider.com/hawaii-emergency-agency-password-discovered-in-photo-sparks-security-criticism-2018-1?r=US&amp;amp;IR=T&amp;lt;/ref&amp;gt; However, if a cafe posts their wifi password for customers then having it visible through the window as well presents a very minor reduction in security.&lt;br /&gt;
|-&lt;br /&gt;
|A remote attacker can inject arbitrary text into public-facing pages via the comments box.&lt;br /&gt;
|Describes a common feature on news sites or social media sites like Facebook. The possibility for users to &amp;quot;inject&amp;quot; text into the page is by design. This is a humorous reference to the relatively common security vulnerability &amp;quot;[[Wikipedia:Cross-site_scripting|persistent cross-site scripting]]&amp;quot;, where input provided by the user is displayed to other users in a dangerous fashion that allows attackers to inject arbitrary HTML or Javascript code into e.g. a comment section. It might also be a humorous reference to the events before, during and after the 2016 US Presidential elections where Internet Research Agency employees based remotely in St. Petersburg, Russia, but disguised as US citizens, &amp;quot;injected&amp;quot; arbitrary text in the form of political propaganda into comments on multiple web sites, according to an indictment returned by a federal grand jury on February 16, 2018.&lt;br /&gt;
|-&lt;br /&gt;
|MySQL server 55.45 secretly runs two parallel databases for people who say &amp;quot;S-Q-L&amp;quot; and &amp;quot;sequel.&amp;quot;&lt;br /&gt;
|Some people pronounce &amp;quot;SQL&amp;quot; like &amp;quot;sequel&amp;quot;, after SQL's predecessor &amp;quot;SEQUEL (Structured English Query Language)&amp;quot;. The standard for SQL suggests that it should be pronounced as separate letters; however, the author of SQL pronounces it &amp;quot;sequel&amp;quot;, so the debate is persisting (with even more justification than arguments about how to pronounce &amp;quot;GIF&amp;quot;). MySQL is an open-source relational database management system; the latest GA version (at the time of writing) is MySQL 5.7.&lt;br /&gt;
|-&lt;br /&gt;
|A flaw in some x86 CPUs could allow a root user to de-escalate to normal account privileges.&lt;br /&gt;
|This refers to DOM0 attacks on virtualization CPUs, which regularly escalate from a normal account (few privileges) to root (full privileges); this is the inverse.&lt;br /&gt;
|-&lt;br /&gt;
|Apple products catch fire when displaying emoji with diacritics.&lt;br /&gt;
|Diacritics are the accents found on letters in some languages (e.g. č, ģ, ķ, ļ, ņ, š, ž). These would not be found on emojis. It is also a reference to a common problem of modern gadgets catching fire.&lt;br /&gt;
|-&lt;br /&gt;
|An oversight in the rules allows a dog to join a basketball team.&lt;br /&gt;
|This likely refers to the movie {{w|Air Bud}}. It is a movie about a dog playing basketball. This has been a common theme in xkcd comics, see [[115: Meerkat]], [[1439: Rack Unit]], [[1819: Sweet 16]], [[1552: Rulebook]]&lt;br /&gt;
|-&lt;br /&gt;
|Haskell isn't side-effect-free after all; the effects are all just concentrated in this one computer in Missouri that no one's checked on in a while.&lt;br /&gt;
|Haskell is a functional programming language. Functional programming is characterized by using functions that don't have side effects in other parts of the program.&lt;br /&gt;
|-&lt;br /&gt;
|Nobody really knows how hypervisors work.&lt;br /&gt;
|Virtualization programming is hard; Meltdown and Spectre are related to this.&lt;br /&gt;
|-&lt;br /&gt;
|CRITICAL: Under Linux 3.14.8 on System/390 in a UTC+14 time zone, a local user could potentially use a buffer overflow to change another user's default system clock from 12-hour to 24-hour.&lt;br /&gt;
|Jokes about arcane systems running Linux whose bugs nobody can replicate, because no machines of this type remain on which to reproduce the bug and fix it. UTC+14 is also a time zone used only on some islands in the Pacific Ocean, i.e., [[Wikipedia:Line_Islands|the Line Islands]], and is also the earliest time zone on earth.&lt;br /&gt;
|-&lt;br /&gt;
|x86 has way too many instructions.&lt;br /&gt;
|The x86 architecture is considered &amp;quot;CISC&amp;quot; (a &amp;quot;complex instruction set computer&amp;quot;), having many instructions originally provided to make programming by a human simpler; other examples include the 68000 series used in the first Apple Mac. In the 1980s, this design philosophy was countered by the &amp;quot;RISC&amp;quot; (&amp;quot;reduced instruction set computer&amp;quot;) design movement exemplified by SPARC, MIPS, PowerPC (previously used by Apple) and the ARM chips common in mobile phones - based on the observation that computer programs were increasingly generated by compilers (which only used a few instructions) rather than directly by people, and that the chip area dedicated to extra instructions could be better dedicated to, for example, cache. At the time, there was an internet war about the merits of each approach (with the Mac and PC being on different sides, at one time; owners of other competing systems such as the Archimedes and Amiga had similar arguments on usenet in the early 1990s); this &amp;quot;issue&amp;quot; may be posted by someone who still recalls these debates. Technically, the extra instructions do slightly complicate the task of validating correct chip behaviour and complicate the tool chains that manage software, which could be seen as a minor security risk; however, the 64-bit architecture introduced by AMD and since adopted by Intel does rationalise things somewhat, and all recent x86 chips break down instructions into RISC-like micro-operations, so the complication from a hardware perspective is localised. Recent security issues such as the speculative cache load issue in Meltdown and Spectre depend more on details of implementation rather than instruction set, and have been exhibited both by x86 (CISC) and ARM (RISC) processors.&lt;br /&gt;
|-&lt;br /&gt;
|NumPy 1.8.0 can factor primes in O(log n) time and must be quietly deprecated before anyone notices.&lt;br /&gt;
|NumPy is the fundamental package for scientific computing with Python.  If something can find the prime factors of a number this quickly, there are attacks to break many crypto functions used in internet security. However, prime numbers have only a single factor, and &amp;quot;factoring primes&amp;quot; quickly is a simpler problem. &lt;br /&gt;
|-&lt;br /&gt;
|Apple products grant remote access if you send them words that break the &amp;quot;I before E&amp;quot; rule.&lt;br /&gt;
|Another joke on the first CVE and a common English writing rule of thumb, which fails almost as often as it succeeds.  &lt;br /&gt;
|-&lt;br /&gt;
|Skylake x86 chips can be pried from their sockets using certain flathead screwdrivers.&lt;br /&gt;
|Skylake x86 chips are a line of microprocessors. Yes, you can forcefully remove any processor from its socket with a screwdriver. There are many reports from people not using common sense.&lt;br /&gt;
|-&lt;br /&gt;
|Apparently Linus Torvalds can be bribed pretty easily.&lt;br /&gt;
|Linus Torvalds is the benevolent dictator of the Linux kernel codebase. Normally it is hard to get a change accepted, because he has the last word on what is merged into the code base, and that code is replicated in all Linux installations. If he is apparently easy to bribe, that is a severe, critical vulnerability for all Linux servers and machines.&lt;br /&gt;
|-&lt;br /&gt;
|An attacker can execute malicious code on their own machine and no one can stop them.&lt;br /&gt;
|The point of an attack is to make someone else's machine perform actions against the owner's will. Anyone can make their own machine execute any code, but this would usually not be described as an attack.&lt;br /&gt;
|-&lt;br /&gt;
|Apple products execute any code printed over a photo of a dog with a saddle and a baby riding it.&lt;br /&gt;
|This could refer to a CVE vulnerability in JPG files where JavaScript is executed by some application, only this time it is in a printed photo instead of a file.&lt;br /&gt;
|-&lt;br /&gt;
|Under rare circumstances, a flaw in some versions of Windows could allow Flash to be installed.&lt;br /&gt;
|This is another common CVE description. Flash was discontinued because of its abysmal security record. All security experts advise against installing it.&lt;br /&gt;
|-&lt;br /&gt;
|Turns out the cloud is just other people's computers.&lt;br /&gt;
|This refers to a computer meme holding that &amp;quot;cloud&amp;quot; must be replaced with &amp;quot;other people's computers&amp;quot; in all marketing presentations to CEOs and people who are not computer literate, so that they can evaluate the security impact of using &amp;quot;Cloud services&amp;quot;.&lt;br /&gt;
|-&lt;br /&gt;
|A flaw in Mitre's CVE database allows arbitrary code insertion.[~~CLICK HERE FOR CHEAP VIAGRA~~]&lt;br /&gt;
|Mitre's CVE database is the database where all CVEs are listed. This is a joke linking back to the 4th CVE in this list, pointing out that the site is also vulnerable.&lt;br /&gt;
|-&lt;br /&gt;
|It turns out Bruce Schneier is just two mischievous kids in a trenchcoat. (title text)&lt;br /&gt;
|Bruce Schneier is a security researcher and blogger. He was mentioned in the title texts of [[748: Worst-Case Scenario]] and [[1039:RuBisCO]]. The &amp;quot;two kids in a trenchcoat&amp;quot; is a reference to the Totem Pole Trench trope.&amp;lt;ref&amp;gt;[http://tvtropes.org/pmwiki/pmwiki.php/Main/TotemPoleTrench TV Tropes:Totem Pole Trench trope]&amp;lt;/ref&amp;gt;&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
== References ==&lt;br /&gt;
&amp;lt;references/&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Transcript==&lt;br /&gt;
{{incomplete transcript|Do NOT delete this tag too soon.}}&lt;br /&gt;
&lt;br /&gt;
LEAKED LIST OF MAJOR 2018 SECURITY VULNERABILITIES&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? Apple products crash when displaying certain Telugu or Bengali letter combinations.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? An attacker can use a timing attack to extploit[sic] a race condition in garbage collection to extract a limited number of bits from the Wikipedia article on Claude Shannon.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? At the cafe on third street, the post-it note with the wifi password is visible from the sidewalk.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? A remote attacker can inject arbitrary text into public-facing pages via the comments box.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? MySQL server 55.45 secretly runs two parallel databases for people who say &amp;quot;S-Q-L&amp;quot; and &amp;quot;sequel.&amp;quot;&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? A flaw in some x86 CPUs could allow a root user to de-escalate to normal account privileges.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? Apple products catch fire when displaying emoji with diacritics.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? An oversight in the rules allows a dog to join a basketball team.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? Haskell isn't side-effect-free after all; the effects are all just concentrated in this one computer in Missouri that no one's checked on in a while.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? Nobody really knows how hypervisors work.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? CRITICAL: Under Linux 3.14.8 on System/390 in a UTC+14 time zone, a local user could potentially use a buffer overflow to change another user's default system clock from 12-hour to 24-hour.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? x86 has way too many instructions.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? NumPy 1.8.0 can factor primes in O(log n) time and must be quietly deprecated before anyone notices.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? Apple products grant remote access if you send them words that break the &amp;quot;I before E&amp;quot; rule.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? Skylake x86 chips can be pried from their sockets using certain flathead screwdrivers.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? Apparently Linus Torvalds can be bribed pretty easily.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? An attacker can execute malicious code on their own machine and no one can stop them.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? Apple products execute any code printed over a photo of a dog with a saddle and a baby riding it.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? Under rare circumstances, a flaw in some versions of Windows could allow Flash to be installed.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? Turns out the cloud is just other people's computers.&lt;br /&gt;
&lt;br /&gt;
CVE-2018-????? A flaw in Mitre's CVE database allows arbitrary code insertion.&amp;lt;span style=&amp;quot;color:blue&amp;quot;&amp;gt;[~~CLICK HERE FOR CHEAP VIAGRA~~]&amp;lt;/span&amp;gt;&lt;br /&gt;
&lt;br /&gt;
{{comic discussion}}&lt;/div&gt;</summary>
		<author><name>Rell</name></author>	</entry>

	</feed>