
the stream

Links to articles, short comments on various topics - basically the sort of posts I would have put out on Google+ in previous years.

PuTTY 0.68 released

Alexander Bochmann Thursday 23 of February, 2017
PuTTY releases are rare enough to be somewhat of a surprise when they happen (the last was nearly a year ago). Most noteworthy, this is the first PuTTY version to support elliptic curve cryptography (previously only available in development snapshots).

PuTTY latest release page (currently 0.68)

PuTTY changelog wrote:
These features are new in 0.68 (released 2017-02-21):

  • Security fix: an integer overflow bug in the agent forwarding code. See vuln-agent-fwd-overflow.
  • Security fix: the Windows PuTTY binaries should no longer be vulnerable to hijacking by specially named DLLs in the same directory (on versions of Windows where they previously were). See vuln-indirect-dll-hijack.
  • Windows PuTTY no longer sets a restrictive process ACL by default, because this turned out to inconvenience too many legitimate applications such as NVDA and TortoiseGit. You can still manually request a restricted ACL using the command-line option -restrict-acl.
  • The Windows PuTTY tools now come in a 64-bit version.
  • The Windows PuTTY tools now have Windows's ASLR and DEP security features turned on.
  • Support for elliptic-curve cryptography (the NIST curves and 25519), for host keys, user authentication keys, and key exchange.
  • Support for importing and exporting OpenSSH's new private key format.
  • Host key preference policy change: PuTTY prefers host key formats for which it already knows the key.
  • Run-time option (from the system menu / Ctrl-right-click menu) to retrieve other host keys from the same server (which cross-certifies them using the session key established using an already-known key) and add them to the known host-keys database.
  • The Unix GUI PuTTY tools can now be built against GTK 3.
  • There is now a Unix version of Pageant.

Google announces "first practical SHA1 collision attack"

Alexander Bochmann Thursday 23 of February, 2017
Google security blog: Announcing the first SHA1 collision.

Google wrote:
Today, 10 years after SHA-1 was first introduced, we are announcing the first practical technique for generating a collision. .. Following Google’s vulnerability disclosure policy, we will wait 90 days before releasing code that allows anyone to create a pair of PDFs that hash to the same SHA-1 sum given two distinct images with some pre-conditions.


So it seems the attack is not generalizable for all scenarios at this point in time (and we'll not yet see a collision for, say, a SHA-1 certificate hash), but that's how things started to go bad for MD5 too...

pfSense 2.3.3 released - with Let's Encrypt support

Alexander Bochmann Wednesday 22 of February, 2017
According to the pfSense blog, pfSense 2.3.3 was released a couple of days ago.

pfSense now has an acme package (also available for the previous release, 2.3.2p1), which can be found right at the top of the list under System -> Package Manager -> Available Packages.

When the package is installed, there's a new service available, Services -> Acme Certificates. Even though the pfSense wiki currently doesn't seem to have any documentation on this module, activation is relatively straightforward for everyone who has seen the Let's Encrypt workflow:

Create an account key with the Let's Encrypt production CA, create a certificate (I had to add a folder name for the webroot local folder verification method, the path is shown in the first example of the pfSense web UI), issue certificate. The certificate is then available in the SSL Certificate selection for the Web Configurator. The UI has options for auto-renewal and additional jobs to run on certificate updates - I'll see if those work in about 60 days ;)

(Admittedly, things are not quite self explaining for first time Let's Encrypt users... *cough*)

I only have a pfSense test system, so I don't have much of an idea about the other changes in this release.

Internet Society publishes "The IANA Timeline" document

Alexander Bochmann Tuesday 21 of February, 2017
The IANA Timeline is available here (cache) in HTML format (and as optional PDF download).

It has some of the early history, but its focus is on the IANA stewardship transition, over to a new non-profit, operating under contracts with ICANN:

“Public Technical Identifiers” (PTI) is incorporated in California as a non-profit public benefit corporation. (The company was originally referred to as PTI, Post-Transition IANA, in the transition documents, thus giving birth to the awkward final name.) This company will be responsible for performing all of the IANA functions regarding DNS names, IP Addresses, and Protocol Parameters under three separate contracts with ICANN


(Via Lutz Donnerhacke on Google+)

Daikatana "1.3"

Alexander Bochmann Sunday 19 of February, 2017
Another one I've seen on Fun with Virtualization - bringing Daikatana back to life.

The new version can be installed right over the old game files - and Daikatana is on sale for €1.49 on Steam right now...

On the game server code,
neozeed wrote:
The biggest initial problem is that plenty of it was valid GCC 2.x syntax which later versions would barf on. And of course endian issues as Solaris was defined and set as big endian. As a matter of fact there is all kinds of variable sizing issues that had to be messed with. But thanks to iD’s general portable code, and separated IO, it only took about 10 days of on and off hacking to get it running using GCC 2.8.1 on Solaris, and only 2 days to get it running on Linux with GCC 2.8.1 … There is a lot of gotchas and hidden traps in the code, and of course bad assumptions about platforms in the code and all kinds of fun.

Linux processes with cgroup memory limits can still use swap?

Alexander Bochmann Sunday 19 of February, 2017
I wasn't aware of that, but Julia Evans has collected some info on the topic.

Julia Evans wrote:
swap + cgroup memory limits = a little surprising
My model of memory limits on cgroups was always “if you use more than X memory, you will get killed right away”. It turns out that that assumption was wrong! If you use more than X memory, you can still use swap!

And apparently some kernels also support setting separate swap limits. So you could set your memory limit to X and your swap limit to 0, which would give you more predictable behavior.


I have to admit I'm only vaguely informed of advanced cgroups features, as my personal Linux systems usually don't have that feature compiled in, and they haven't been getting in my way on Debian distribution kernels either (where I mostly ignore them).
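An added example, not from Julia Evans's post or from this blog: a Python check that reads a cgroup's limit files and reports how much swap the group may still use on top of its memory limit. It assumes the cgroup v1 files `memory.limit_in_bytes` and `memory.memsw.limit_in_bytes` and the cgroup v2 file `memory.swap.max`; the function names and the sample directories are constructed for illustration.

```python
import os
import tempfile

# cgroup v1 reports "no limit" as a huge page-aligned value; assumption:
# anything at or above 2**62 bytes means unlimited.
V1_UNLIMITED = 1 << 62


def _read(cgroup_dir, name):
    """Return the stripped content of a cgroup control file, or None."""
    try:
        with open(os.path.join(cgroup_dir, name)) as fh:
            return fh.read().strip()
    except FileNotFoundError:
        return None


def swap_headroom(cgroup_dir):
    """Bytes of swap the cgroup may use; None means the cgroup sets no bound."""
    # cgroup v2: memory.swap.max limits swap on its own ("max" = unlimited).
    v2_swap = _read(cgroup_dir, "memory.swap.max")
    if v2_swap is not None:
        return None if v2_swap == "max" else int(v2_swap)
    # cgroup v1: memory.memsw.limit_in_bytes caps memory + swap combined and
    # is only present when the kernel does swap accounting.
    mem = _read(cgroup_dir, "memory.limit_in_bytes")
    memsw = _read(cgroup_dir, "memory.memsw.limit_in_bytes")
    if mem is None or memsw is None or int(memsw) >= V1_UNLIMITED:
        return None
    return max(int(memsw) - int(mem), 0)


def make_sample(files):
    """Write a constructed cgroup directory (sample data, not a live cgroup)."""
    path = tempfile.mkdtemp()
    for name, value in files.items():
        with open(os.path.join(path, name), "w") as fh:
            fh.write(value + "\n")
    return path


if __name__ == "__main__":
    limit = str(512 * 1024 * 1024)
    # Memory capped at 512 MiB, memory+swap left at the v1 default (unlimited).
    loose = make_sample({"memory.limit_in_bytes": limit,
                         "memory.memsw.limit_in_bytes": "9223372036854771712"})
    # Memory+swap capped at the same value: no swap on top of the limit.
    strict = make_sample({"memory.limit_in_bytes": limit,
                          "memory.memsw.limit_in_bytes": limit})
    print("loose :", swap_headroom(loose))
    print("strict:", swap_headroom(strict))
```

A result of `None` is the case the quoted post describes: the memory limit is set, but nothing in the cgroup stops the process from spilling into swap.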

Techdirt sets up "Survival Fund" to help defend against the guy who claims to have invented email

Alexander Bochmann Sunday 19 of February, 2017
Well, Shiva Ayyadurai wrote a program that he called "Email", but the word (and similar messaging services) had been in use for a long time before...

Techdirt Survival Fund

Techdirt wrote:
As we mentioned last month, we are currently being sued for $15 million by Shiva Ayyadurai, represented by Charles Harder, the lawyer who helped bring down Gawker. We have written, at great length, about Ayyadurai's claims and our opinion — backed up by detailed and thorough evidence — that email existed long before Ayyadurai created any software. Once again, we believe the legal claims in the lawsuit are meritless and we intend to fight them and win. Earlier today, we filed a motion to dismiss (along with our memorandum in support) and a special motion to strike under California's anti-SLAPP law (along with a memorandum in support).

PCem - an emulator for classic PC XT/AT systems

Alexander Bochmann Sunday 19 of February, 2017
I didn't know about the PCem emulator (cache) until Fun with virtualization pointed to its new v12 release today. It's an emulator for several PC XT/AT systems, and some of the common hardware of the time (graphics and sound cards). Needs independently sourced BIOS ROM files from the respective emulated systems.

I should try to use this to boot that old SuSE Linux with graphics...

"'Gefährder' is Newspeak for 'suspect'."

Alexander Bochmann Sunday 19 of February, 2017
On revoking the passports of "Gefährder" (persons classified as potential threats):

https://plus.google.com/+AljoschaRittner/posts/HyUFvkcPjph

Aljoscha Rittner wrote:
One must not forget: "Gefährder" is Newspeak for suspect. In a state governed by the rule of law, there must not be two classes of suspects. For some, the presumption of innocence applies; the others are alleged terrorists and have lost their rights on mere suspicion. But by which criteria?

T-DSL: "profile not sufficient"

Alexander Bochmann Saturday 18 of February, 2017
From Gert Doering on IRC today, collected here in case anyone wants to google for it:

Gert Doering wrote:
oh, I know "profile not sufficient"
I think that kept me busy for 6 weeks :-)
in my case it was an old contract that was limited to 1Mbit DSL and wouldn't work on the 16Mbit-freshly-upgraded line,
because "the profile says that no more than that is possible!" - presumably, because that could not be finally confirmed, as there
is nobody (neither via support nor via sales nor via $contacts) who could look into the relevant databases
and confirm it
Solution: cancel the T-Online plan and sign up for a new plan...


removing the entropy from ASLR using exact timers

Alexander Bochmann Friday 17 of February, 2017
VUSec wrote:
We have built a side-channel attack, specifically an EVICT+TIME cache attack, that can detect which locations in the page table pages are accessed during a page table walk performed by the MMU. For example, on the x86_64 architecture, our attack can find the offsets that are accessed by the MMU for each of the four page table pages. The offset within each page breaks nine bits of entropy so even a perfect ASLR implementation with 36 bits of entropy is not safe.


Here is their announcement.

But all is not lost, click on the "Read our suggested plan of actions to CPU, browser and OS vendors" - Link.

Martin Reeh in the taz: "Martin Schulz - A committed German"

Alexander Bochmann Sunday 12 of February, 2017
In his essay in today's taz, taz department head Martin Reeh interprets the SPD chancellor candidate Martin Schulz not as a "committed European", but as a German power politician who uses the European stage to the advantage of German industry, without regard for the problems of the other EU countries.

taz wrote:
So if Europe were to keep the euro and harmonize taxes, Germany would have an additional competitive advantage. Schulz, who like Matthäus-Maier never talks about what German exports do abroad, is engaging in blame-your-neighbour populism with his tax campaign.

identifying propaganda networks by monitoring failed social media campaigns

Alexander Bochmann Sunday 12 of February, 2017
This article by "@AtlanticCouncil's Digital Forensic Research Lab", Spread it on Reddit (cache), illustrates how the author(s) found out about the Reddit (and associated) accounts driving political social media campaigns. They monitored the spread of a campaign that didn't really take off, resulting in much less polluted data about its originators.

Via Joerg Fliege on G+.

Capsule8 announces cloudy Linux threat protection

Alexander Bochmann Friday 10 of February, 2017
Right now there's no technical info at all, which makes me somewhat uninterested for the time being, despite the current buzz and the well-known names involved.

Capsule8 wrote:
Capsule8's real-time threat protection will detect and prevent known and zero-day attacks throughout an organization’s production infrastructure. Capsule8's protection will span the entire Linux infrastructure — across clouds and data centers, as well as throughout virtual machines, bare metal and containers.
With intelligent investigation that leverages both artificial intelligence and human-in-the-loop analytics, we will provide complete visibility for complex, multi-system applications, with high-fidelity alerting to reduce fatigue.


Buzzwords galore. Their Introducing Capsule8 blog post is only slightly more informative.

two conflicting news items about Samsung Knox on the same page in my RSS reader

Alexander Bochmann Friday 10 of February, 2017
Heh.

One: ZDNet: Google Project Zero: How we cracked Samsung's DoD- and NSA-certified Knox

Two: The German Federal Office for Information Security has published a guide on how to secure Android systems using Samsung Knox (in German) - Heise: BSI veröffentlicht Leitfaden für sicheres Android mit Samsung Knox

safecast comments on news reports about "spiking" radiation levels in the Fukushima reactor ruins

Alexander Bochmann Friday 10 of February, 2017
Yeah, that's press hyperbole... safecast blog: "No, radiation levels at Fukushima Daiichi are not rising." (cache) They also have some of the images taken during that measurement, in an area below the reactor pressure vessel.

safecast wrote:
It must be stressed that radiation in this area has not been measured before, and it was expected to be extremely high. While 530 Sv/hr is the highest measured so far at Fukushima Daiichi, it does not mean that levels there are rising, but that a previously unmeasurable high-radiation area has finally been measured. Similar remote investigations are being planned for Daiichi Units 1 and 3. We should not be surprised if even higher radiation levels are found there, but only actual measurements will tell.