
the stream

Links to articles, short comments on various topics - basically the sort of posts I would have put out on Google+ in previous years.

reverse engineering the Newton MessagePad ROM card

Alexander Bochmann Tuesday 07 of March, 2017
Here, with Eagle schematics.

Matthias Melcher wrote:
Anyway, wouldn't it be fantastic to create a souped-up ROM board? 8MB Flash and 8MB NewtonOS, also in Flash, being able to patch it, fix it, extend it, have fun. Maybe have even more than 16MB if that is possible. Is it possible? How can we find out?

An early draft of the licensee information for this ROM card exists, but it is not detailed enough to build such a card. Before starting a patch wire solution, I wanted to know how the original board worked, and then fill in the missing information in that draft.

Well, I went all the way and reverse engineered the entire ROM board. Here are my findings.


The article also reminded me of this old post by Landon Dyer, which explains how they came up with the ROM-patching idea...

(Via tedu's inks.)

WikiLeaks just announced another fun few weeks of emergency patching...

Alexander Bochmann Tuesday 07 of March, 2017
https://wikileaks.org/ciav7p1/

Wikileaks wrote:
The first full part of the series, "Year Zero", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virginia. [..]
Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

OpenBSD malloc.conf(5)

Alexander Bochmann Tuesday 07 of March, 2017
Yikes. I've been using OpenBSD on and off since release 2.3, but I wasn't aware of malloc.conf(5) (which seems to have been introduced with OpenBSD 2.5, back in 1999, and allows control over several features of the memory allocator):

Upon the first call to the malloc(3) family of functions, an initialization sequence inspects the symbolic link /etc/malloc.conf, next checks the environment for a variable called MALLOC_OPTIONS, and finally looks at the global variable malloc_options in the program. Each is scanned for the following flags. [..]


SHA1-collisions applied to Bittorrent

Alexander Bochmann Monday 06 of March, 2017
Unless more generic SHA1 collisions turn up, this looks like a somewhat forced scenario (that doesn't really warrant its own name and web site, but hey) - someone has thought up a way to apply the SHAttered attack to Bittorrent:

As far as I understand from the BitErrant web site, they're proposing to use the two colliding data blocks from SHAttered to create two torrents that contain one differing chunk (with the same SHA1 hash nevertheless), and then look at the contents of that chunk as a trigger to decide whether to execute a "hidden" malicious payload that's contained elsewhere in both versions of the torrent. (Bittorrent uses a SHA1 hash to identify each 32k chunk in the torrent.)

Yeah, ok. I don't think I'm particularly scared now...

(Via Isotopp.)

Red Hat website: Information? Subscription-only...

Alexander Bochmann Monday 06 of March, 2017
Not that I mind - if people absolutely want to use Red Hat, they should be paying for it...

Case in point: An article about recommendations for configuring swap on modern Linux systems, which contains no useful information about why an admin should select 20% of the available memory as swap size - for that part, it links to a "solution document", which in turn requires a subscription...

Since "modern Linux" doesn't use swap as backing for crash dumps, there never was a reason to tie swap size to real mem in the first place. (And I don't think I've used - or even set up - kdump on any system in the past 10 years...)

(Via Scot Stevenson on G+.)

ISC Kea dhcp server

Alexander Bochmann Saturday 04 of March, 2017
I wasn't aware that the ISC is working on a new high-performance DHCP server, Kea. (Let's hope it'll meet a better fate than the BIND 10 effort.)

ISC wrote:
Kea is designed to be easily extensible through an applications API. This API can be called at multiple places during the DHCP processing, to consult or update enterprise provisioning systems, for example. Kea DHCP leases may be stored in a memory file database, or in a MySQL or Postgres database.


The Kea web page also has a short table with a comparison to the classic ISC dhcpd.

"oldssh" alias

Alexander Bochmann Friday 03 of March, 2017
Similar to the "secure" (SSL) web admin interfaces on various systems, which are by now so outdated that modern browsers refuse to talk to them, it is getting increasingly difficult to get OpenSSH to connect to old ssh servers... For the web stuff, it's useful to keep an old version of Portable Firefox available...

For ssh, I've seen this hint on IRC today:

alias oldssh='ssh -o '\''HostKeyAlgorithms=+ssh-dss'\'' -o '\''KexAlgorithms=+diffie-hellman-group1-sha1'\'''

That should work with everything, unless you're trying to connect to a server that only supports ssh1 - which is usually disabled in current OpenSSH builds, and will go away completely later this year: "In approximately August 2017, removing remaining support for the SSH v.1 protocol (client-only and currently compile-time disabled)." (From the OpenSSH 7.4 release notes).

Well, I guess PuTTY can still do that.

selling your weapons to all sides

Alexander Bochmann Thursday 02 of March, 2017
Ok, so not really weapons, more like an online outrage generator: BuzzFeed News traced a group of liberal and conservative websites back to the same company. “The product they’re pitching is outrage,” said one liberal writer.

buzzfeed wrote:
It’s unclear if the people running American News LLC use the same writers for their conservative and liberal websites, or if they have separate teams. What is clear is at least one of their sites is using fake author photos. The author page for God Today lists two writers, Henry Freeman and John Sullivan. The photos for these writers are taken from stock video footage.


(Via netzpolitik.org (German).)

ipspace: Leaf-and-spine fabrics versus fabric extenders

Alexander Bochmann Monday 27 of February, 2017
http://blog.ipspace.net/2017/02/leaf-and-spine-fabrics-versus-fabric.html

Ivan Pepelnjak wrote:
It’s obvious that a bunch of fabric extenders (leafs) connected to a pair of Nexus switches (spines) form a leaf-and-spine fabric.
However, there are several important differences between a fabric extender-based fabric and a leaf-and-spine fabric built with standard data center switches:
* In a well-designed leaf-and-spine fabric the spine nodes are completely independent – they share no configuration, state or risk. Nexus switches configured as a vPC pair share a lot of configuration and state (and risk).
* Leaf nodes in a traditional leaf-and-spine fabric are independent devices, whereas fabric extenders act as linecards of the spine switches. The blast radius (how many things can go wrong based on a single failure) on a fabric extender-based architecture is much larger than in a fabric built with independent switches.
* Independent leaf nodes can do local packet switching whereas in a fabric extender environment all traffic has to traverse the spine layer.


We don't use Nexus fabrics in our datacenter, but the "blast radius" of a Juniper EX or QFX Virtual Chassis (Fabric) control plane failure isn't much different (though they can do local packet switching on linecards, unlike the FEXen). Our next DC design will probably go towards a routed fabric - though we'll have to build up all the automation infrastructure and skills that come with that. The Virtual Chassis black box, for all its downsides, removes a lot of the configuration complexity.

Ted Unangst: (l)inks

Alexander Bochmann Monday 27 of February, 2017
I wasn't aware (should probably think up a tag for posts that begin with those or similar words) that tedu had started a link collection fed from things he was reading a while ago - somewhat similar to what I'm trying to do here (and now another input for my RSS reader).

Today, he reflected on 1000 links having been posted to that collection. I can relate to a lot of what he wrote.

tedu wrote:
There was also the question of whether to post popular links seen elsewhere or focus on hidden gems. ICYMI YOLO FOMO. A curated best of list is good for people who want to replace social aggregators, but redundant for those who don’t. Focusing on the underserved link market means the site is less useful as an archive. It feels weird to exclude a link because other people liked it, and being able to flip back and find a link a week later has actually been immensely helpful.


His format is somewhat more terse than mine, usually with a one-line quote and a few words of comment. Okay, maybe it just seems more terse because the site is using a very simple layout.

tedu wrote:
There’s always some proposal or another about how to fix or replace sites like Twitter and HN. One possibility is for everybody to run a little site where they post their favorite links. Subscribe to the people who post good stuff, and boom, all those complaints about clickbait rising to the top disappear.


Hey, a distributed social network ;)

ftp protocol stream injection with Java and Python URL handling code

Alexander Bochmann Sunday 26 of February, 2017
Abusing FTP protocol inspection on firewalls to make them open arbitrary ports is an old game (and you should really disable that kind of inspection for "active" ftp data channel negotiation), but here's a new combination of attack vectors:

It's possible to create ftp:// URLs that contain additional FTP commands, which then get picked up by protocol inspection (Linux conntrack for example, but other implementations seem to use similar heuristics) to create inbound port forwardings. The Java and Python protocol handlers don't sanitize their input to remove such command injections, so if you find a setup susceptible to SSRF or XXE vulnerabilities, it might be possible to inject appropriately manipulated URLs.

Full writeup here: Blindspot Advisory: Java/Python FTP Injections Allow for Firewall Bypass.
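The client-side fix is to refuse any ftp:// URL whose components would break the line structure of the FTP control channel. As an added example (not code from the advisory, from Java or from Python's urllib), here is a pre-check that percent-decodes each URL component and reports the first one containing CR, LF or another control character; the component names and test URLs are constructed for illustration:

```python
import re
from urllib.parse import urlsplit, unquote

# CR and LF would end the current FTP command and start a new one on the
# control channel; NUL and the other C0 controls are never legal there either.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def find_ftp_injection(url: str):
    """Return the name of the first component of an ftp:// URL that could
    inject into the FTP control channel, or None if the URL is clean.

    The raw string is checked first (a literal newline), then every component
    both as written and after percent-decoding, because the FTP client decodes
    %0D%0A before it writes the user name, password or path to the socket.
    """
    if _CONTROL_CHARS.search(url):
        return "url"
    parts = urlsplit(url)
    if parts.scheme.lower() != "ftp":
        return "scheme"
    components = {
        "username": parts.username or "",
        "password": parts.password or "",
        "hostname": parts.hostname or "",
        "path": parts.path,
        "query": parts.query,
    }
    for name, raw in components.items():
        if _CONTROL_CHARS.search(raw) or _CONTROL_CHARS.search(unquote(raw)):
            return name
    return None


if __name__ == "__main__":
    # Constructed sample URLs: one clean, one with an encoded CRLF in the path.
    for sample in ("ftp://ftp.example.org/pub/README",
                   "ftp://ftp.example.org/pub/%0d%0aREADME"):
        print(sample, "->", find_ftp_injection(sample))
```

Run this check before handing a user-supplied URL to any library FTP client, and treat a non-None result as a reason to reject the request rather than to clean it up.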

(Via Oluf Lorenzen on G+.)

Linus Torvalds on effects of the SHA1 collision attack on git

Alexander Bochmann Sunday 26 of February, 2017
He wrote a summary on Google+; I'll just quote the intro, skip over to G+ for the whole thing:

Linus Torvalds wrote:
I thought I'd write an update on git and SHA1, since the SHA1 collision attack was so prominently in the news.

Quick overview first, with more in-depth explanation below:

(1) First off - the sky isn't falling. There's a big difference between using a cryptographic hash for things like security signing, and using one for generating a "content identifier" for a content-addressable system like git.

(2) Secondly, the nature of this particular SHA1 attack means that it's actually pretty easy to mitigate against, and there's already been two sets of patches posted for that mitigation.

(3) And finally, there's actually a reasonably straightforward transition to some other hash that won't break the world - or even old git repositories.

Anyway, that's the high-level overview, you can stop there unless you are interested in some more details (keyword: "some". If you want more, you should participate in the git mailing list discussions - I'm posting this for the casual git users that might just want to see some random comments).


In one of the comments, Linus also explains why objects with a colliding SHA1 hash won't be an immediate problem for git, while they can be used to destroy, for example, an SVN repository:

Linus Torvalds wrote:
SVN (unlike git) just does the SHA1 on the raw object data as the de-dupe mechanism, which is why just feeding the colliding pdf files into SVN triggered the problem.

Git ends up doing the SHA1 not on the raw user data, but on a "git object data", which includes a header with a type and a length. That means that if you just use the poisoned pdf's, git won't actually see the same SHA1 at all for them, and so we don't actually have a "real" git test case for the SHA1 collision yet.
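To make the header point concrete, here is an added example (my own code, not git's or Linus's) that computes object ids the way git does, over "<type> <length>\0" plus the payload, next to the plain SHA-1 of the payload that SVN's de-dupe uses. The expected ids for the empty blob and the empty tree are git's well-known values:

```python
import hashlib


def git_object_id(kind: str, data: bytes) -> str:
    """SHA-1 as git stores it: the hash covers a header "<type> <length>\\0"
    followed by the object payload, never the payload alone.
    kind is one of "blob", "tree", "commit" or "tag"."""
    header = f"{kind} {len(data)}\0".encode("ascii")
    return hashlib.sha1(header + data).hexdigest()


def raw_sha1(data: bytes) -> str:
    """Plain SHA-1 of the payload, i.e. what SVN hashes for de-duplication."""
    return hashlib.sha1(data).hexdigest()


def collides_in_git(a: bytes, b: bytes) -> bool:
    """Two different payloads only clash in git's object store if their
    *object* ids agree. A raw-SHA-1 collision built for one prefix (the
    SHAttered PDFs) does not carry over once a different prefix, the git
    header, is hashed in front of the data."""
    return a != b and git_object_id("blob", a) == git_object_id("blob", b)


if __name__ == "__main__":
    sample = b"hello\n"  # constructed sample payload
    print("raw sha1:      ", raw_sha1(sample))
    print("git blob id:   ", git_object_id("blob", sample))
    print("empty blob id: ", git_object_id("blob", b""))
```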


SANS reading room: Tor Browser Artifacts in Windows 10

Alexander Bochmann Saturday 25 of February, 2017
This new document (PDF) in the forensics category of the SANS reading room introduces quite a few basic Windows-specific forensic tools, using them on the example of tracking down the changes caused by a Tor Browser installation.

The first one being mentioned, Regshot (to compare the Registry before and after installation), seems immediately useful.

Airbus Cybersecurity: Playing defence against the Equation Group

Alexander Bochmann Saturday 25 of February, 2017
I missed this back in October: Airbus Cybersecurity has a long post examining specifically the documentation files from the Equation Group data leaked by Shadow Brokers...

Seems like quite a good summary on that part of the information.

These tools and exploits do not change the path of a normal killchain. What we see here is reconnaissance (command sets), lateral movement (RCEs on admin interfaces), privilege escalation [..], persistence [..]. This leak contains no initial intrusion material. This means that regular detection and defence strategies still apply. Even if we assume the worst-case scenario of a remote code execution on the public interface of a border firewall, it still takes us back to a defence-in-depth doctrine. [..]
What the exploits, tools and procedures contained in the package show is that Equation Group is actively pursuing admin networks and infrastructures. In this respect, the fact that they abort if logs are sent to separate equipment unless they “own” this equipment is a tell-tale sign of their operational tactics. [..]
What stands out are the professionalism, the organisation given to this task, and their focus on retaining stealth. As Rob Lee of SANS says, “It’s an army set-up to hack your organization”. That makes them a formidable opponent.