the stream

Links to articles, short comments on various topics - basically the sort of posts I would have put out on Google+ in previous years.

no more free grsecurity patches

Alexander Bochmann Thursday 27 of April, 2017
grsecurity announcement (cache). Same for PaX.

Brad Spengler & The PaX Team wrote:
Today we are handing over future maintenance of grsecurity test patches to the community. This makes grsecurity for Linux 4.9 the last version Open Source Security Inc. will release to non-subscribers.

grsecurity-3.1-4.9.24-201704252333.patch will be the last available patch for non-customers.

Theo de Raadt on OpenBSD CD releases (of which 6.0 was the last one)

Alexander Bochmann Monday 17 of April, 2017
On openbsd-misc: http://marc.info/?l=openbsd-misc&m=149232307018311&w=2 (cache)

Theo de Raadt wrote:
Having done 6.1 without a CD, we learn that incorporating CDs into the production cycle has been a big drag, basically 1 month out of 6. Other project developers and processes were locked to that cycle. It is shocking how easy a release cycle is without a CD. Generally our tree is always ready, we may be able to do future releases at the drop of a hat.

speculating on why nobody paid for the Shadow Brokers cache

Alexander Bochmann Saturday 15 of April, 2017
After the Shadow Brokers group dumped another piece of their "Equation Group" exploit cache yesterday, Microsoft announced that almost all of the vulnerabilities from that had already been fixed. In September of last year, they also advised customers on disabling SMB1 on servers and getting rid of remaining Windows XP and Server 2003 installations.

There's been some speculation on the timeline of events (emptywheel.net).

I'd currently assume that the data that the Shadow Brokers have is in several hands (outside of the original owners), and that bits and pieces have been making their way around the ITSEC community for quite some time. Which might also be one of the reasons why no one ever bid on one of the several auction attempts.

IoT not done completely wrong: Ikea Trådfri

Alexander Bochmann Sunday 09 of April, 2017
Matthew Garrett has had a look at the Ikea Trådfri smart lighting platform, and surprisingly found a rather competent software setup:

mjg59 wrote:
Overall: as far as design goes, this is one of the most secure IoT-style devices I've looked at. I haven't examined the COAP stack in detail to figure out whether it has any exploitable bugs, but the attack surface is pretty much as minimal as it could be while still retaining any functionality at all. I'm impressed.

it's also the year of exploiting the software in the hardware

Alexander Bochmann Sunday 09 of April, 2017
Couple of days ago: Project Zero publishes an exploit for the embedded firmware in Broadcom Wifi chips - using WLAN packets.

Today: News of an attack on Huawei LTE baseband modems.

In his talk, Weinmann gave an overview of several baseband vulnerabilities found in the Kirin application processor, citing them as examples of a new and vulnerable attack surface worth the security community's attention.
"This baseband is much easier to exploit than other basebands. Why? I'm not sure if this was intentional, but the vendor actually published the source code for the baseband which is unusual," Weinmann said. "Also, the malleability of this baseband implementation doesn't just make it good for device experimenting, but also network testing."

Weinmann suspects HiSilicon may have inadvertently released the Kirin firmware source code as part of a developer tar archive associated with the Huawei H60 Linux kernel data. Further analysis allowed him to find additional vulnerabilities within the baseband’s POSIX compliant operating system.

Microsoft: tool to convert MBR disks to GPT

Alexander Bochmann Sunday 09 of April, 2017

Microsoft wrote:
MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).

Available in Windows 10 1703 (the "Creators Update").

(Via Firmware Security.)

details on the Xen exploit

Alexander Bochmann Sunday 09 of April, 2017
Hypervisor exploits seem to be quite popular this year - first VMware with CVE-2017-4903 (which was initially announced as only affecting VMware Workstation, but according to the VMware advisory, ESXi is vulnerable too), now Xen (XSA-212).

Google Project Zero has published the details of the exploit.

At this point, the attacker can control a live pagetable, which allows the attacker to map arbitrary physical memory into the guest's virtual address space. This means that the attacker can reliably read from and write to the memory, both code and data, of the hypervisor and all other VMs on the system.

So I uninstalled the Windows 10 "Creators Update" tonight...

Alexander Bochmann Saturday 08 of April, 2017
...and not even because I particularly dislike any of the user-visible changes. There's certainly some more polish here and there, and the Settings app has a much better organization. Not sure if I like the collapsing scrollbars in "modern" apps though, and most of the new system app additions (basically anything with "holo" or "xbox" in its name, and the "3D paint" thing too) are completely useless to me. I also noticed that Microsoft is starting to set up the infrastructure to push users onto modern apps and the appstore (there's a setting to disable or at least supervise the installation of classic Windows programs).

No, the deal-breaker for me is graphics performance in games - World of Warships, in particular. Not that I expect any wonders on my six-year-old notebook - ATI discontinued driver updates for the Radeon Mobility HD5000 series over a year ago, for example. But on the previous W10 1607, WoWs is quite playable (at 1280x1024, with low-midrange graphics settings). After the update, it's being pushed into "unplayable" territory, even with further reduced graphics settings. The problem seems not so much the absolute frame rate, but graphics updates stutter more often, and scenes that were slow before are now chopped up and jolty. I didn't check if the much-touted Game Mode is active for WoWs, but I don't know why it should make much of a difference with the game being the only running application.

Yeah well. Since the notebook (upgraded with 8G RAM and an SSD maybe two years ago) is still just fine as a general-purpose computing platform, I'll probably just wait for some deal on a small PC with one of the new AMD CPUs and a decent graphics card later this year, to use for games.

Calomel SSL Validation Firefox plugin

Alexander Bochmann Tuesday 04 of April, 2017
Another victim of the deprecation of XUL and XPCOM in Firefox seems to be the Calomel SSL Validation plugin (cache), that I've been using for a long time to get a quick view on the encryption quality of SSL connections.

Development of the Calomel SSL Validation addon has been put on hold. Mozilla is disabling XUL and XPCOM in Firefox which means the addon is no longer able to query the current browser tab for the TLS certificate and cipher information.

On Pale Moon, I'm using Cipherfox to the same end, though with a somewhat less polished interface (which still allows for simple one-click access to certificate chain information and displays current encryption parameters on the status bar).

DMARC, DKIM, SPF, and mailinglists

Alexander Bochmann Sunday 02 of April, 2017
Alan Hodgson explains in a post to the NANOG mailing list (cache) how DMARC with DKIM and SPF checks is supposed to work:

Alan Hodgson wrote:
SPF checks the envelope sender only. [..]

DKIM doesn't by default check anything except that the headers and body that were signed have not been altered since the signature was added. It definitely has nothing to do with the envelope sender. [..]

DMARC adds sender policy to both mechanisms. For DMARC to pass, either SPF or DKIM must pass and the identifier must be aligned with the header From:.

So for DMARC+SPF to pass not only must the message come from a source authorized by the envelope sender domain, but that domain must be the same domain (or parent domain or subdomain) of the header From: address.

For DMARC+DKIM to pass, the DKIM signature must pass and the DKIM signing domain must be the same domain (or parent domain or subdomain) of the header From: address.

Again, DMARC requires only one or the other mechanism to pass. So messages forwarded intact should be OK if they have an aligned DKIM signature.

Mailing lists run by mailing list software usually alter the envelope sender. They can therefore create and pass their own SPF policy. However, if the From: address is preserved, this will not be an aligned message and will not pass

So, as far as I understand, a mail routed through a mailing list that keeps the original From: address will always fail DMARC+SPF (envelope sender and header From: are not aligned). But DMARC+DKIM should be fine as long as no headers or body parts that are covered by the DKIM signature are touched - and passing either of the two mechanisms is enough.
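The alignment rule from the post, worked through for the mailing-list case as an added example (my code, not Alan Hodgson's and not any DMARC library). It assumes "relaxed" alignment, and simplifies the organisational-domain lookup to a label-suffix comparison instead of consulting the Public Suffix List; the example.org / lists.example.net domains and the four scenarios are constructed.

```python
"""DMARC verdict from SPF/DKIM results plus identifier alignment.

Added example. Alignment is the relaxed variant from the post: the
authenticated domain must equal the header From: domain or be a parent
or subdomain of it. No Public Suffix List lookup (assumption).
"""
from dataclasses import dataclass
from typing import Optional


def aligned(auth_domain: str, from_domain: str) -> bool:
    """Relaxed alignment: same domain, or one is a subdomain of the other."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f or a.endswith("." + f) or f.endswith("." + a)


@dataclass
class AuthResults:
    """What a receiving MTA already knows before the DMARC step."""
    header_from_domain: str
    envelope_sender_domain: str
    spf_pass: bool                      # SPF result for the envelope sender
    dkim_signing_domain: Optional[str]  # d= of the signature, or None
    dkim_pass: bool                     # signature still verifies


def dmarc_pass(r: AuthResults) -> dict:
    """Which mechanism is both passing and aligned, and the overall verdict."""
    spf_aligned = r.spf_pass and aligned(r.envelope_sender_domain,
                                         r.header_from_domain)
    dkim_aligned = (r.dkim_pass and r.dkim_signing_domain is not None
                    and aligned(r.dkim_signing_domain, r.header_from_domain))
    return {"spf": spf_aligned, "dkim": dkim_aligned,
            "dmarc": spf_aligned or dkim_aligned}


# Constructed scenarios: alice@example.org posts to a list at lists.example.net.
DIRECT = AuthResults("example.org", "example.org", True, "example.org", True)
# List rewrote the envelope sender to its own domain; DKIM signature intact.
VIA_LIST_INTACT = AuthResults("example.org", "lists.example.net", True,
                              "example.org", True)
# Same list, but a subject tag or footer broke the original signature.
VIA_LIST_MODIFIED = AuthResults("example.org", "lists.example.net", True,
                                "example.org", False)
# List re-signed with its own key: DKIM passes but is not aligned with From:.
VIA_LIST_RESIGNED = AuthResults("example.org", "lists.example.net", True,
                                "lists.example.net", True)
```

Only the intact-signature case survives the list; the list's own SPF pass never counts because lists.example.net is not aligned with the preserved From: domain.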

New Model Army are at the ZMF again this year...

Alexander Bochmann Sunday 02 of April, 2017
...as I just noticed when iTunes shuffled up Another Imperial Day and I looked up the lyrics: apparently on 22 July.

It's dawn and there's fog in Rotterdam harbour
And the guard's on his break and the dogs are chained by the wire
Three figures come out from behind the cranes
And make it across the train tracks
Clamber aboard a Panamanian freighter headed for the Isle of Grain
Find a place to hide in a stack of containers - another payload of World Trade
Because goods are free to move but not people
Oil is free to move but not people
Jobs are free to move but not people
Money is free to move but not people

Probably as relevant as ever, every single day for the last 12 years...

US aerial surveillance

Alexander Bochmann Sunday 26 of March, 2017
This is old news (last fall), but I wasn't aware that the FBI and DHS run extensive aerial surveillance programs throughout the US (except on weekends). Buzzfeed has identified some of the planes involved, and tracked their flight paths on Flightradar24:

buzzfeed wrote:
We detected nearly 100 FBI fixed-wing planes, mostly small Cessnas, plus about a dozen helicopters. Collectively, they made more than 1,950 flights over our four-month-plus observation period. The aircraft frequently circled or hovered around specific locations, often for several hours in the daytime over urban areas.

We also tracked more than 90 aircraft, about two-thirds of them helicopters, that were registered to the DHS [..]

I wouldn't be surprised if some of this work is being moved to (unregistered) drones...

(Via FlowingData.)

didn't know there was a disagreement over NTP development

Alexander Bochmann Friday 24 of March, 2017
The New Stack: Paving with Good Intentions: The Attempt to Rescue the Network Time Protocol

After the Heartbleed bug revealed in April 2014 how understaffed and under-funded the OpenSSL project was, the Network Time Foundation was discovered to be one of several projects in a similar condition. Unfortunately, thanks to a project fork, the efforts to lend NTP support have only divided the development community and created two projects scrambling for funds where originally there was only one.
The effort to rescue NTP started becoming complicated when Stenn approached the Internet Civil Engineering Institute (ICEI) for funding and ended up attempting to collaborate with ICEI representatives Eric S. Raymond and Susan Sons. Accounts differ about exactly what happened, but the collaboration was unsuccessful.

(Via Russ White.)

SixXS project shutting down

Alexander Bochmann Thursday 23 of March, 2017
For years, the SixXS project has been providing tunneling services for IPv6 internet access. SixXS will be shutting down in June '17 (cache).

SixXS will be sunset in H1 2017. All services will be turned down on 2017-06-06, after which the SixXS project will be retired. Users will no longer be able to use their IPv6 tunnels or subnets after this date, and are required to obtain IPv6 connectivity elsewhere, primarily with their Internet service provider.