the stream

Links to articles, short comments on various topics - basically the sort of posts I would have put out on Google+ in previous years.

Google announces "first practical SHA1 collision attack"

Alexander Bochmann Thursday 23 of February, 2017
Google security blog: Announcing the first SHA1 collision.

Google wrote:
Today, 10 years after of SHA-1 was first introduced, we are announcing the first practical technique for generating a collision. .. Following Google’s vulnerability disclosure policy, we will wait 90 days before releasing code that allows anyone to create a pair of PDFs that hash to the same SHA-1 sum given two distinct images with some pre-conditions.

So it seems the attack is not generalizable for all scenarios at this point in time (and we'll not yet see a collision for, say, a SHA-1 certificate hash), but that's how things started to go bad for MD5 too...

pfSense 2.3.3 released - with Let's Encrypt support

Alexander Bochmann Wednesday 22 of February, 2017
According to the pfSense blog, pfSense 2.3.3 was released a couple of days ago.

pfSense now has an acme package (also available for the previous release, 2.3.2p1), which can be found right at the top of the list under System -> Package Manager -> Available Packages.

When the package is installed, there's a new service available, Services -> Acme Certificates. Even though the pfSense wiki currently doesn't seem to have any documentation on this module, activation is relatively straightforward for anyone who has seen the Let's Encrypt workflow:

Create an account key with the Let's Encrypt production CA, create a certificate (I had to add a folder name for the webroot local folder verification method; the path is shown in the first example of the pfSense web UI), then issue the certificate. The certificate is then available in the SSL Certificate selection for the Web Configurator. The UI has options for auto-renewal and additional jobs to run on certificate updates - I'll see if those work in about 60 days ;)

(Admittedly, things are not quite self-explanatory for first-time Let's Encrypt users... *cough*)

I only have a pfSense test system, so I don't have much of an idea about the other changes in this release.

Internet Society publishes "The IANA Timeline" document

Alexander Bochmann Tuesday 21 of February, 2017
The IANA Timeline is available here (cache) in HTML format (and as an optional PDF download).

It has some of the early history, but its focus is on the IANA stewardship transition, over to a new non-profit, operating under contracts with ICANN:

“Public Technical Identifiers” (PTI) is incorporated in California as a non-profit public benefit corporation. (The company was originally referred to as PTI, Post-Transition IANA, in the transition documents, thus giving birth to the awkward final name.) This company will be responsible for performing all of the IANA functions regarding DNS names, IP Addresses, and Protocol Parameters under three separate contracts with ICANN

(Via Lutz Donnerhacke on Google+)

Daikatana "1.3"

Alexander Bochmann Sunday 19 of February, 2017
Another one I've seen on Fun with Virtualization - bringing Daikatana back to life.

The new version can be installed right over the old game files - and Daikatana is on sale for €1.49 on Steam right now...

On the game server code,
neozeed wrote:
The biggest initial problem is that plenty of it was valid GCC 2.x syntax which later versions would barf on. And of course endian issues as Solaris was defined and set as big endian. As a matter of fact there is all kinds of variable sizing issues that had to be messed with. But thanks to iD’s general portable code, and separated IO, it only took about 10 days of on and off hacking to get it running using GCC 2.8.1 on Solaris, and only 2 days to get it running on Linux with GCC 2.8.1 … There is a lot of gotchas and hidden traps in the code, and of course bad assumptions about platforms in the code and all kinds of fun.

Linux processes with cgroup memory limits can still use swap?

Alexander Bochmann Sunday 19 of February, 2017
I wasn't aware of that, but Julia Evans has collected some info on the topic.

Julia Evans wrote:
swap + cgroup memory limits = a little surprising
My model of memory limits on cgroups was always “if you use more than X memory, you will get killed right away”. It turns out that that assumption was wrong! If you use more than X memory, you can still use swap!

And apparently some kernels also support setting separate swap limits. So you could set your memory limit to X and your swap limit to 0, which would give you more predictable behavior.

I have to admit I'm only vaguely informed of advanced cgroups features, as my personal Linux systems usually don't have that feature compiled in, and they haven't been getting in my way on Debian distribution kernels either (where I mostly ignore them).
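
The "memory limit X, swap limit 0" setup described above can be checked per cgroup. The following is an added example, not code from Julia Evans' post or from this blog: it reads the standard cgroup v1 and v2 memory controller files and reports how much swap a group may use beyond its RAM limit. The function names, the 2^60 cut-off and the fixture directories are assumptions made for the illustration.

```sh
# Added example: how much swap may a memory cgroup use beyond its RAM limit?
UNLIMITED_V1=1152921504606846976  # 2^60: heuristic cut-off for v1 "no limit"

cgroup_swap_allowance() {  # prints a byte count, unlimited or no-memory-limit
    dir=$1
    if [ -f "$dir/memory.max" ]; then
        # cgroup v2: memory.swap.max limits swap separately from memory.max.
        mem=$(cat "$dir/memory.max")
        swap=max  # file absent (no swap accounting): treat as unlimited
        if [ -f "$dir/memory.swap.max" ]; then swap=$(cat "$dir/memory.swap.max"); fi
        if [ "$mem" = max ]; then echo no-memory-limit
        elif [ "$swap" = max ]; then echo unlimited
        else echo "$swap"; fi
    elif [ -f "$dir/memory.limit_in_bytes" ]; then
        # cgroup v1: memory.memsw.limit_in_bytes caps RAM and swap combined,
        # so the swap allowance is the difference between the two limits.
        mem=$(cat "$dir/memory.limit_in_bytes")
        memsw=$UNLIMITED_V1  # file is absent when swap accounting is off
        if [ -f "$dir/memory.memsw.limit_in_bytes" ]; then
            memsw=$(cat "$dir/memory.memsw.limit_in_bytes")
        fi
        if [ "$mem" -ge "$UNLIMITED_V1" ]; then echo no-memory-limit
        elif [ "$memsw" -ge "$UNLIMITED_V1" ]; then echo unlimited
        else echo $(( $memsw - $mem )); fi
    else
        echo not-a-memory-cgroup
        return 1
    fi
}

# Constructed fixtures: fake cgroup directories so the check runs offline.
make_fixture() {  # usage: make_fixture DIR FILE=VALUE ...
    d=$1; shift
    mkdir -p "$d"
    for kv in "$@"; do echo "${kv#*=}" > "$d/${kv%%=*}"; done
}

demo() {
    t=$(mktemp -d)
    make_fixture "$t/v2-default" memory.max=268435456 memory.swap.max=max
    make_fixture "$t/v2-noswap" memory.max=268435456 memory.swap.max=0
    make_fixture "$t/v1-default" memory.limit_in_bytes=268435456 \
        memory.memsw.limit_in_bytes=9223372036854771712
    make_fixture "$t/v1-noswap" memory.limit_in_bytes=268435456 \
        memory.memsw.limit_in_bytes=268435456
    for g in "$t"/*; do echo "${g##*/}: $(cgroup_swap_allowance "$g")"; done
    rm -rf "$t"
}
demo
```

On a real system, point the function at a group directory below /sys/fs/cgroup (v2) or /sys/fs/cgroup/memory (v1); a result of 0 means the group is held to its memory limit without a swap cushion.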

Techdirt sets up "Survival Fund" to help defending against the guy who claims to have invented email

Alexander Bochmann Sunday 19 of February, 2017
Well, Shiva Ayyadurai wrote a program that he called "Email", but the word (and similar messaging services) had been in use for a long time before...

Techdirt Survival Fund

Techdirt wrote:
As we mentioned last month, we are currently being sued for $15 million by Shiva Ayyadurai, represented by Charles Harder, the lawyer who helped bring down Gawker. We have written, at great length, about Ayyadurai's claims and our opinion — backed up by detailed and thorough evidence — that email existed long before Ayyadurai created any software. Once again, we believe the legal claims in the lawsuit are meritless and we intend to fight them and win. Earlier today, we filed a motion to dismiss (along with our memorandum in support) and a special motion to strike under California's anti-SLAPP law (along with a memorandum in support).

PCem - an emulator for classic PC XT/AT systems

Alexander Bochmann Sunday 19 of February, 2017
I didn't know about the PCem emulator (cache) until Fun with virtualization pointed to its new v12 release today. It's an emulator for several PC XT/AT systems, and some of the common hardware of the time (graphics and sound cards). Needs independently sourced BIOS ROM files from the respective emulated systems.

I should try to use this to boot that old SuSE Linux with graphics...

"Gefährder is newspeak for suspect."

Alexander Bochmann Sunday 19 of February, 2017
On passport revocation for "Gefährder":

Aljoscha Rittner wrote:
One must not forget: Gefährder is newspeak for suspect. In a state governed by the rule of law there must be no two classes of suspects. For some the presumption of innocence applies; the others are alleged terrorists and have already lost their rights on mere suspicion. But according to which criteria?

T-DSL: "profile not sufficient"

Alexander Bochmann Saturday 18 of February, 2017
From Gert Doering on IRC today, collected here in case anyone wants to google for it:

Gert Doering wrote:
oh, I know "profile not sufficient"
I think that kept me busy for 6 weeks :-)
in my case it was an old contract that was limited to 1Mbit DSL, and wouldn't work on the 16Mbit-freshly-upgraded line,
because "the profile says that no more than that is possible!" - presumably, because that could not be conclusively confirmed, since there is
nobody (neither via support nor via sales nor via $contacts) who could look into the relevant databases
and confirm it
Solution: cancel the T-Online plan and sign up for a new plan...

removing the entropy from ASLR using exact timers

Alexander Bochmann Friday 17 of February, 2017
VUSec wrote:
We have built a side-channel attack, specifically an EVICT+TIME cache attack, that can detect which locations in the page table pages are accessed during a page table walk performed by the MMU. For example, on the x86_64 architecture, our attack can find the offsets that are accessed by the MMU for each of the four page table pages. The offset within each page breaks nine bits of entropy so even a perfect ASLR implementation with 36 bits of entropy is not safe.

Here is their announcement.

But all is not lost: click on the "Read our suggested plan of actions to CPU, browser and OS vendors" link.

Martin Reeh in the taz: "Martin Schulz - a committed German"

Alexander Bochmann Sunday 12 of February, 2017
In his essay in today's taz, taz section editor Martin Reeh interprets the SPD candidate for chancellor, Martin Schulz, not as a "committed European" but as a German power politician who uses the European stage to the advantage of German industry, without regard for the problems of the other EU countries.

taz wrote:
So if Europe were to keep the euro and harmonize taxes, Germany would have an additional competitive advantage. Schulz, who like Matthäus-Maier never talks about what German exports do abroad, is engaging in blame-your-neighbour populism with his tax campaign.

identifying propaganda networks by monitoring failed social media campaigns

Alexander Bochmann Sunday 12 of February, 2017
This article by "@AtlanticCouncil's Digital Forensic Research Lab", Spread it on Reddit (cache), illustrates how the author(s) found out about the Reddit (and associated) accounts driving political social media campaigns. They monitored the spread of a campaign that didn't really take off, resulting in much less polluted data about its originators.

Via Joerg Fliege on G+.

Capsule8 announces cloudy Linux threat protection

Alexander Bochmann Friday 10 of February, 2017
Right now there's no technical info at all, which makes me somewhat uninterested for the time being, despite the current buzz and the well-known names involved.

Capsule8 wrote:
Capsule8's real-time threat protection will detect and prevent known and zero-day attacks throughout an organization’s production infrastructure. Capsule8's protection will span the entire Linux infrastructure — across clouds and data centers, as well as throughout virtual machines, bare metal and containers.
With intelligent investigation that leverages both artificial intelligence and human-in-the-loop analytics, we will provide complete visibility for complex, multi-system applications, with high-fidelity alerting to reduce fatigue.

Buzzwords galore. Their Introducing Capsule8 blog post is only slightly more informative.

two conflicting news items about Samsung Knox on the same page in my RSS reader

Alexander Bochmann Friday 10 of February, 2017

One: ZDNet: Google Project Zero: How we cracked Samsung's DoD- and NSA-certified Knox

Two: The German Federal Office for Information Security has published a guide on how to secure Android systems using Samsung Knox (in German) - Heise: BSI veröffentlicht Leitfaden für sicheres Android mit Samsung Knox

safecast comments on news reports about "spiking" radiation levels in the Fukushima reactor ruins

Alexander Bochmann Friday 10 of February, 2017
Yeah, that's press hyperbole... safecast blog: "No, radiation levels at Fukushima Daiichi are not rising." (cache) They also have some of the images taken during that measurement, in an area below the reactor pressure vessel.

safecast wrote:
It must be stressed that radiation in this area has not been measured before, and it was expected to be extremely high. While 530 Sv/hr is the highest measured so far at Fukushima Daiichi, it does not mean that levels there are rising, but that a previously unmeasurable high-radiation area has finally been measured. Similar remote investigations are being planned for Daiichi Units 1 and 3. We should not be surprised if even higher radiation levels are found there, but only actual measurements will tell.

33C3 talk: Linux in my baseband?

Alexander Bochmann Sunday 05 of February, 2017
Ok, I missed this during 33C3: Harald Welte and Holger Freyther dissect a Quectel 3G/LTE modem that's based on the Qualcomm MDM9615 chipset...

The MDM9615 contains an ARM core that runs a bastardized Android kernel (including an adb shell) with busybox and OpenEmbedded userland, with lots of strange stuff that translates between the user-facing interface and the closed Qualcomm baseband core. A user can run programs on the ARM core using AT+QLINUXCMD... All the infrastructure (including firmware updates) is completely unprotected from manipulation...

Full talk on media.ccc.de: Dissecting modern (3G/4G) cellular modems

More info on the Osmocom wiki: http://osmocom.org/projects/quectel-modems/wiki

@morganmpage on Twitter: "gamification of the alt-right"

Alexander Bochmann Saturday 04 of February, 2017
The thread following this post by @morganmpage on Twitter (cache), via Brianna Sheldon on Google+, mirrors some of my own thoughts on certain supporters of the Trump administration. In recent months, I've thought "damn, this reminds me of in-game politics during my times playing EVE Online" so much when looking at news from the presidential campaign...

Some selected snippets from the above link:

@morganmpage wrote:
Ten years ago I would not have predicted that geek culture would plunge the world into political chaos.
So much of the alt-right grew out of online geek culture (GG is a good example).
A layer the media has not picked up on is the gamification of the alt-right. It is a game played for nihilistic pleasure.
Every woman, POC, queer, trans person intimidated - every social justice space 'infiltrated' - scores points for the nerd nazis.
Geek culture was perfect breeding ground for this. Like geeks intensely nostalgize the media culture of their youths, so too the altright
It became easy to like a nostalgia for media culture to a nostalgia for nationalist culture. Both are reactions to a rapidly changing world.
Reddit and the chans, w/their male-centric and game-ified trolling cultures, gave birth to the bastard child that is the alt-right.
Don't "not ALL gamers!" at me. Of course it is not all individual geeks. But this subculture is what gave birth to the alt-right.
The sneering way the left dismisses the alt-right as uneducated is simply not the case, which I guess is one of the points I'm making here.
The Gaters are really the direct antecedents of the current alt-right. The Gate is how they learned to organize, gameify harassment, etc.
They don't actually care about politics: they're using it as a game and as a tool for lashing out about their feelings of disenfranchisement

("GG" refers to Wikipedia: Gamergate controversy)

Currently, it seems a similar game has started around Martin Schulz, SPD candidate for chancellor in the upcoming general elections here in Germany.