the stream

Links to articles, short comments on various topics - basically the sort of posts I would have put out on Google+ in previous years.

stealing messenger.com sessions to access Facebook accounts

Alexander Bochmann Wednesday 22 of March, 2017
This has been fixed, obviously. Stephen Sclafani describes how he managed to steal messenger.com sessions, which then could be used to access the corresponding Facebook account.

Stephen Sclafani wrote:
It was possible to create a URL that when loaded by a user who was logged into their Facebook account would redirect a nonce for their account to another site. The nonce could then be used to create a messenger.com session for the user. Since messenger.com session cookies are interchangeable with facebook.com this gave full access to the user’s Facebook account.

(Via tedu.)

new Pyra pictures

Alexander Bochmann Wednesday 22 of March, 2017
In response to a critic, Michael has written a long post about why the Pyra pocket computer project is where it is right now, and has attached a couple of pictures of one of the dev units (scroll to the end of the post), running the latest OS image.

I really hope they're going to sell enough of the things to make it possible to produce the redesigned case he mentioned - shaving a couple of millimetres off the height would be great...

ISOC on the use of personal data

Alexander Bochmann Wednesday 22 of March, 2017
I didn't know there's a World Consumer Rights Day...

"My Data. Your Business." on the ISOC blog worries that consumers might lose trust in online businesses over data privacy issues, and calls for a definition of acceptable business ethics.

We may not know the specifics, but we do know that somewhere out there someone is tracking us online: in fact, most of the data monetization machine is invisible to consumers — the individuals whose data fuels it.

All this has, understandably, left many people wary. Why WOULD you trust someone or something that is gathering information on you with no real insight into how it will be used?

The consequences of this could be devastating to the economy. If people do not understand how their data will be handled and used and therefore don’t trust online transactions, online business will wither and die.

Mirai botnet FAQ

Alexander Bochmann Tuesday 21 of March, 2017
The APNIC blog has a guest post that explains quite a few operational details about the inner workings of the Mirai botnet components.

APNIC blog wrote:
Do C2 master and bot have heartbeat communication?

Yes. The heartbeat will involve sending and receiving the same 2 bytes of data (content is 0x0000). The interval time is about 60 seconds and the maximum timeout is 180 seconds.

Maybe having an IDS is not such a bad idea...

APNIC blog wrote:
What are the characteristics in GRE IP/ETH flood?

GRE ETH flood adds a custom ETH layer then GRE IP flood; the ETH layer is randomly filled. The destination IP in the packet is also randomly filled if it is not specified in the command.

I remember that one puzzling quite a few people when they first noticed that kind of traffic...
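The heartbeat detail quoted above (the same 2-byte 0x0000 payload in both directions, roughly every 60 seconds, 180-second timeout) is exactly the kind of regularity an IDS or flow analyzer can key on. The Python below is an added example and not code from the APNIC post: it runs a periodicity check over a small constructed connection log (made-up addresses and ports) and flags flows whose 2-byte payloads recur at about the stated interval. The log field layout, the thresholds and the hex payload match are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed connection log (not from the APNIC post), one line per
# application-layer message: epoch seconds, client, server:port,
# payload as hex, payload length in bytes.  10.0.0.23 beacons every ~60 s
# with the 2-byte 0x0000 payload; 10.0.0.77 sends the same payload but
# without any regular cadence; 10.0.0.42 is ordinary TLS traffic.
SAMPLE_LOG = """\
1490086800 10.0.0.23 198.51.100.7:23 0000 2
1490086861 10.0.0.23 198.51.100.7:23 0000 2
1490086920 10.0.0.23 198.51.100.7:23 0000 2
1490086981 10.0.0.23 198.51.100.7:23 0000 2
1490087040 10.0.0.23 198.51.100.7:23 0000 2
1490086810 10.0.0.42 203.0.113.9:443 1603 517
1490086812 10.0.0.42 203.0.113.9:443 1703 91
1490086900 10.0.0.42 203.0.113.9:443 1703 40
1490086800 10.0.0.77 192.0.2.5:8080 0000 2
1490086803 10.0.0.77 192.0.2.5:8080 0000 2
1490087100 10.0.0.77 192.0.2.5:8080 0000 2
1490087160 10.0.0.77 192.0.2.5:8080 0000 2
"""


def parse_log(text):
    """Turn the constructed log into (ts, client, server, payload_hex, length) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, server, payload_hex, length = line.split()
        records.append((int(ts), client, server, payload_hex, int(length)))
    return records


def find_heartbeats(records, interval=60, tolerance=15, min_beacons=4, payload_hex="0000"):
    """Return {(client, server): median_gap} for flows whose fixed 2-byte
    payload recurs at interval +/- tolerance seconds at least min_beacons times.
    The payload match alone is weak; the cadence is what discriminates."""
    by_flow = defaultdict(list)
    for ts, client, server, phex, length in records:
        if length == 2 and phex == payload_hex:
            by_flow[(client, server)].append(ts)

    hits = {}
    for flow, stamps in by_flow.items():
        stamps.sort()
        if len(stamps) < min_beacons:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if all(abs(gap - interval) <= tolerance for gap in gaps):
            hits[flow] = median(gaps)
    return hits


def detect_sample():
    """Run the check over the constructed log; expected: only 10.0.0.23 is flagged."""
    return find_heartbeats(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for (client, server), gap in detect_sample().items():
        print(f"possible C2 heartbeat: {client} -> {server}, median interval {gap:.0f}s")
```

On a real sensor the same check would run over exported connection records rather than an inline string, and a direction-aware version would additionally require the server side to echo the same two bytes back, since the post describes the heartbeat as symmetric. The irregular 10.0.0.77 flow is deliberately included to show that matching on the payload alone would produce a false positive.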

Data disclosure under the Bundesmeldegesetz

Alexander Bochmann Tuesday 21 of March, 2017
With the upcoming elections in mind, netzpolitik.org points out today that you can object to the disclosure of your address data from the residents' register (Melderegister) to political parties. To that end, they provide a corresponding objection form "together with the platform selbstauskunft.net".

At least in Freiburg it is even easier: the city's website links to a form for objecting under the Bundesmeldegesetz (source here, under "Meldewesen") that can be filled in online and submitted directly.

"Defense-in-Depth has Failed Us" (Security Week)

Alexander Bochmann Sunday 19 of March, 2017
Marc Solomon: Defense-in-Depth has Failed Us. Now What?

Wow, there's so much wrong with this article that I don't even know where to start... Defense in depth does not mean, as the author seems to think, to heap "disparate" "point products" onto one another in the hope that one of them will catch an attack attempt. Defense in depth means to understand both the threat landscape and the environment you're trying to defend, tailor solutions to make an attacker's job as hard as possible, and find the right points to place meaningful alarms. (Which hardly anyone ever does, but that's a different topic.)

Oh, I do get that threat intelligence services are the current hot stuff in the security industry (and the author wants to help sell his own), but when a defender doesn't get the basics of IT security design, heaping another "point product" on top won't help a whole lot.

Cisco IOS / IOS XE Cluster Management Protocol Remote Code Execution

Alexander Bochmann Saturday 18 of March, 2017
Cisco wrote:
A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. [..]

An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. [..]

This vulnerability was found during the analysis of documents related to the Vault 7 disclosure.

The security notice also has a few interesting hints about IOS configurations that don't actually disable telnet...

Nexen - privilege separation in the Xen hypervisor

Alexander Bochmann Saturday 18 of March, 2017
Adrian Colyer summarizes a research paper published at the NDSS Symposium 2017, Deconstructing Xen:

Deconstructing Xen wrote:
Our contributions: To summarize, this paper makes the following contributions:

* A systematic analysis on 191 Xen vulnerabilities (Sections II and V).
* Nexen, a novel deconstruction of Xen into a security monitor, shared service domain, and sandboxed per-VM slices (Section III) implemented in Xen (Section IV) that efficiently uses page-based isolation mechanisms for fine-grained data isolation.
* As informed by the analysis, a novel least-privilege decomposition strategy that places highly vulnerable code into per-VM slices while maintaining high performance and either eliminating vulnerabilities entirely or confining exploits (evaluated in Section V).
* Efficient code, memory, and control-flow integrity enforcement between Xen and VMs (evaluated in Section VI).

The design mitigates about 2/3rds of the vulnerabilities that have been discovered in the Xen hypervisor over the past years.

(Via tedu.)

KEXP: Cherry Glazerr

Alexander Bochmann Saturday 18 of March, 2017
Woah, either the KEXP audio engineers had a really, really bad day, or Clem Creevy has been completely done in by the drugs by now. KEXP has released a new set with Cherry Glazerr a couple of days ago. Clem's voice already seemed weak on their new record, but there's barely anything left in this recording (couldn't bear to listen for more than a couple of minutes, maybe it gets better later on).

Compare to their KEXP session two years ago.

Xenix copy protection

Alexander Bochmann Wednesday 15 of March, 2017
Tales From the Xenix Crypt analyzes the inner workings of the Xenix copy protection scheme.

os2museum wrote:
If there’s any lesson to be learned, it’s probably that 30-year old copy protection is relatively easy to break using tools and computing power that did not exist 30 years ago.

OS/2 Museum is now also a new feed in my RSS reader...

(Via Ted Unangst.)

PM/FF extension: Cookies Exterminator

Alexander Bochmann Wednesday 15 of March, 2017
I'm trying to switch back from the Vivaldi web browser to Pale Moon (a Firefox fork that aims to keep supporting XUL and many other technologies that Mozilla has abandoned) - mostly to get back a working bookmarks / history sync between my various browser installations. Pale Moon still supports the old Weave sync protocol, and works fine with the old weave minimal server (I should probably switch to FSyncMS, but I'm lazy)...

Anyway - I used to be using the Self Destructing Cookies addon to automatically get rid of unused objects from closed tabs, and it turns out not to work anymore in Pale Moon 27... A discussion on the Pale Moon forums pointed to Cookies Exterminator as an alternative. So far, I've not seen any problems. The author is active on the PM forums, too.

Cisco IOS XE NETCONF surprises

Alexander Bochmann Monday 13 of March, 2017
Ok, probably not a surprise when you have read all the documentation...

Ivan Pepelnjak recently mentioned that Cisco IOS XE still doesn't have candidate configuration or commit capabilities, at least when using NETCONF automation.

One of the comments then has this hint:

Port 22 hosts the legacy netconf agent on IOS-XE, which only supports netconf 1.0 with a Cisco-proprietary payload (same as all other vendors). Port 830, when netconf-yang is enabled, hosts the model-based agent.

acmetool - yet another Let's Encrypt automation tool

Alexander Bochmann Sunday 12 of March, 2017
acmetool (GitHub: hlandau/acme) seems to bring a couple of interesting options for serving acme http challenges, and a hook for external programs to handle the DNS challenge method. Configuration through simple files in a predefined directory structure. Looks like a workable compromise between the rather heavyweight official client and the various shell scripts.

Regina Spektor on KEXP

Alexander Bochmann Friday 10 of March, 2017
That was a most welcome surprise for tonight... Five songs from the new album and a half-hour interview in this "full performance" video on the KEXP channel on YouTube.

The interview part is just as excellent as the music, and starts at 18:18 in the video. Lots of information about her life and her songwriting. Just listen to the three minutes from 47:37 for a strong reminder that these are not the times to stay depressed over.

The Trapper and the Furrier nicely shows off some of the flexibility of her voice.

android backup file header

Alexander Bochmann Wednesday 08 of March, 2017
I'll spoil the fun from Florian Haas' question on G+ right away - the resulting info seems useful:

Florian Haas wrote:
OK people, try to guess (without googling) what this does:

( printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -c +25 oldfile ) > newfile

Clue: head→desk, seriously.

Obviously, this replaces the header of a file. But why?

Florian Haas wrote:
This is how you "transform" an Android backup file into a regular gzipped tarball.
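The one-liner works because the unencrypted Android backup (.ab) format is a short text header followed by a zlib stream, and a gzip header is 10 bytes while the printf supplies only 8: the two zlib header bytes slip into the XFL and OS fields, which gzip ignores, and the raw deflate data then sits where gzip expects it. The Python below is an added example, not code from Florian's post: it builds a small constructed .ab file, parses the header the clean way, and then reproduces the gzip-header trick to show why it yields the same tar. The header layout (four newline-terminated fields, 24 bytes for an unencrypted version-1 backup) and the zlib framing are assumptions about the format.

```python
import io
import tarfile
import zlib

# Assumed .ab layout (not taken from the post): "ANDROID BACKUP\n", version,
# compressed flag and encryption method, each newline-terminated (24 bytes for
# "ANDROID BACKUP\n1\n1\nnone\n"), followed by a zlib stream (2-byte zlib
# header + deflate data + 4-byte adler32 trailer).
AB_MAGIC = b"ANDROID BACKUP"
GZIP_PREFIX = b"\x1f\x8b\x08\x00\x00\x00\x00\x00"  # the 8 bytes from the one-liner


def make_sample_backup() -> bytes:
    """Constructed .ab file: header + zlib-compressed one-entry tar."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        data = b"hello from a constructed backup\n"
        info = tarfile.TarInfo("apps/com.example/f/note.txt")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return AB_MAGIC + b"\n1\n1\nnone\n" + zlib.compress(tar_buf.getvalue())


def parse_header(blob: bytes):
    """Split off the text header; return (fields dict, remaining payload)."""
    magic, version, compressed, encryption, payload = blob.split(b"\n", 4)
    if magic != AB_MAGIC:
        raise ValueError("not an Android backup file")
    fields = {
        "version": version.decode(),
        "compressed": compressed == b"1",
        "encryption": encryption.decode(),
    }
    return fields, payload


def ab_to_tar(blob: bytes) -> bytes:
    """The clean way: strip the header and inflate the zlib stream."""
    fields, payload = parse_header(blob)
    if fields["encryption"] != "none":
        raise ValueError("encrypted backup: needs the user's password, not handled here")
    return zlib.decompress(payload) if fields["compressed"] else payload


def gzip_trick(blob: bytes) -> bytes:
    """Reproduce the shell one-liner: 8 gzip header bytes + everything after byte 24."""
    return GZIP_PREFIX + blob[24:]


def inflate_via_gzip_trick(gz: bytes) -> bytes:
    """Inflate what gunzip hands to tar.  A gzip header is ID1 ID2 CM FLG
    MTIME[4] XFL OS (10 bytes); the one-liner supplies 8, so the zlib header
    bytes 0x78 0x9c land in XFL/OS, where gzip ignores them, and the raw
    deflate block follows at offset 10."""
    raw = zlib.decompressobj(-zlib.MAX_WBITS)  # raw deflate, no wrapper checks
    return raw.decompress(gz[10:])


def list_entries(tar_bytes: bytes) -> list:
    """Names inside the recovered tar archive."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        return tf.getnames()


if __name__ == "__main__":
    blob = make_sample_backup()
    print(parse_header(blob)[0])
    print(list_entries(ab_to_tar(blob)))
    print(gzip_trick(blob)[:10].hex())
```

The caveat with the shell version is the trailer: zlib ends its stream with an adler32 checksum, gzip expects CRC32 plus uncompressed length, so GNU gzip reports a CRC or length error after it has already written every byte of the tar. That is why the one-liner works in a pipe into tar but looks alarming on the terminal; decompressing with zlib directly, as ab_to_tar does, avoids the noise.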

packagecloud blog debian-howto category

Alexander Bochmann Tuesday 07 of March, 2017
The packagecloud people (whom I didn't know about until Ted Unangst linked to one of their recent syscall performance blog posts) have a debian-howto category on their blog with some posts that seem rather useful.

Nothing that can't be found elsewhere (like the official Debian documentation), but the descriptions of package creation workflows, for example, are condensed down to the essentials quite well:

reverse engineering the Newton MessagePad ROM card

Alexander Bochmann Tuesday 07 of March, 2017
Here, with Eagle schematics.

Matthias Melcher wrote:
Anyway, wouldn't it be fantastic to create a souped-up ROM board? 8MB Flash and 8MB NewtonOS, also in Flash, being able to patch it, fix it, extend it, have fun. Maybe have even more than 16MB if that is possible. Is it possible? How can we find out?

An early draft of the licensee information for this ROM card exists, but it is not detailed enough to build such a card. Before starting a patch wire solution, I wanted to know how the original board worked, and then fill in the missing information in that draft.

Well, I went all the way and reverse engineered the entire ROM board. Here are my findings.

The article also reminded me of this old post by Landon Dyer, which explains how they came up with the ROM-patching idea...

(Via tedu's links.)

WikiLeaks just announced another fun few weeks of emergency patching...

Alexander Bochmann Tuesday 07 of March, 2017

Wikileaks wrote:
The first full part of the series, "Year Zero", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virginia. [..]
Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.