the stream

Links to articles, short comments on various topics - basically the sort of posts I would have put out on Google+ in previous years.

tedu: OpenBSD pledge doesn't work well on preexisting code

Alexander Bochmann Monday 22 of May, 2017
...he has staged a little exercise with ffmpeg to illustrate that, quite a fun read.

Also, I learned a new thing:

tedu wrote:
To find out more, we turn to ktrace’s little cousin, ltrace. It works almost exactly like ktrace (the output is even viewed with kdump), but it traces ld.so, the dynamic linker, instead of system calls.

Didn't know about ltrace up to now.

currently playing with Mastodon

Alexander Bochmann Sunday 21 of May, 2017
Mastodon is a federated microblogging platform that uses the OStatus protocol (amongst others), which allows it to talk to GNU Social / PostActiv / Friendica instances.

It's relatively easy to run your own instance, so I quickly set up one of them.

For the time being, I'm over there as @galaxis@mastodon.infra.de

Not yet sure if I'll move posting from this blog over there - probably I'll want to push posts from here into my Mastodon timeline instead. Since I'm running my own instance, it's the first service I'm relatively comfortable using via an app on my phone, so it's possible that I'll use the Mastodon account some more in the near future.

grsecurity discussion on the kernel-hardening list

Alexander Bochmann Thursday 11 of May, 2017
Long post by the "PaX Team" (cache) on the kernel-hardening mailing list.

I'm generally sympathetic towards PaX and grsecurity developers, who have been developing innovative mitigations against several classes of attacks on the Linux kernel and applications over a long time - and I've personally been using their work on my own machines for ages. But really, communication is not their thing. Ok, they're in excellent company in the open source world with that, but it really harms their cause.

PaX Team wrote:
Upstream's goal is protecting as many people as possible.

the KSPP's goal is to further the agenda of the companies behind
it (which is extracting profits for shareholders). that has nothing
to do with "protecting as many people as possible" but everything
to do with business goals du jour. if what you claim was true,
they would have done it since the beginning and in a way that is
not restricted to only linux users.

(KSPP = Kernel Self Protection Project, sponsored by Google and the Linux Foundation, which tries to upstream select parts of the grsecurity patches into mainline Linux.)

slow weeks

Alexander Bochmann Wednesday 10 of May, 2017
Been on holidays, fought various IT and real-life problems, and set up a Mastodon instance.

Not sure if a microblogging service like Mastodon is what I'm actually looking for (I've never really warmed up to Twitter either), but it seems at least worth looking at. Or maybe I should have another go at running my own Diaspora pod (though I didn't use the last one I set up a whole lot).

I've not yet found a whole lot of interesting people, and the TrendingBot isn't much of a help, seeing as the most stable trending thing is #nsfw - I guess the porn sharing crowd is one of the early adopters again, unfortunately.

Cisco Nexus dropping commands due to old Linux kernel bug

Alexander Bochmann Tuesday 09 of May, 2017
Ivan Pepelnjak got feedback about his earlier post where he complains that Nexus OS is dropping lines from commands that are pasted into a terminal session with the system.

The drops were caused by a very old bug in the Linux TTY device driver, introduced in 2009, discovered in Ubuntu about 4 years ago, and present in all Linux distributions with kernels between 2.6.31 and 3.11.0.

fallout of Chrome removing support for commonName matching in certificates

Alexander Bochmann Tuesday 09 of May, 2017
Some time ago, Google announced that from Chrome 58 on, they would only look at the subjectAltName in certificates:

The compatibility risk for removing commonName is low. RFC 2818 has deprecated this for nearly two decades, and the baseline requirements (which all publicly trusted certificate authorities must abide by) have required the presence of a subjectAltName since 2012.

Yeah. Turns out that no one in our company had known about that, and almost all of the SSL server certificates signed by our internal CAs don't carry a subjectAltName. Which wouldn't be that bad if it meant just one more click to bypass the error message... But no, even when acknowledging the certificate problem dialog, Chromium refuses to load most of the resources from an affected server (JavaScript, CSS files, images, and such)...
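To see which internal certificates the Chrome 58 change breaks, it helps to compare the old hostname-matching rule (fall back to commonName when there is no subjectAltName) with the new one (subjectAltName only). The following is an added example, not code from the original post or from Chromium; it works on certificates in the dict shape that Python's ssl.SSLSocket.getpeercert() returns, and the two sample certificates at the bottom are constructed for illustration.

```python
"""Added example: flag certificates that would stop validating once
commonName is ignored, as Chrome 58 does.

Certificates use the dict layout of ssl.SSLSocket.getpeercert():
  {"subject": ((("commonName", "host"),), ...),
   "subjectAltName": (("DNS", "host"), ("IP Address", "10.0.0.1"), ...)}
"""
import ipaddress


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, and a wildcard is only
    accepted as the entire leftmost label (so *.example.internal matches
    www.example.internal but not a.b.example.internal)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def san_entries(cert):
    return cert.get("subjectAltName", ())


def common_names(cert):
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def matches_san_only(cert, hostname: str) -> bool:
    """Chrome 58+ behaviour: only subjectAltName entries are consulted."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in san_entries(cert):
        if kind == "DNS" and ip is None and _dns_name_matches(value, hostname):
            return True
        if kind == "IP Address" and ip is not None and ipaddress.ip_address(value) == ip:
            return True
    return False


def matches_legacy(cert, hostname: str) -> bool:
    """Pre-58 behaviour: commonName is used only when no SAN is present."""
    if san_entries(cert):
        return matches_san_only(cert, hostname)
    return any(_dns_name_matches(cn, hostname) for cn in common_names(cert))


def audit(certs: dict, hostname: str) -> list:
    """Return the labels of certs that pass the legacy rule but fail the
    SAN-only rule, i.e. the ones that need reissuing with a SAN."""
    return [label for label, cert in certs.items()
            if matches_legacy(cert, hostname) and not matches_san_only(cert, hostname)]


# Constructed sample certificates (not real), keyed by a label.
SAMPLE_CERTS = {
    "cn-only": {
        "subject": ((("commonName", "intranet.example.internal"),),),
    },
    "with-san": {
        "subject": ((("commonName", "intranet.example.internal"),),),
        "subjectAltName": (("DNS", "intranet.example.internal"),
                           ("DNS", "*.example.internal")),
    },
}

if __name__ == "__main__":
    print("certs broken by SAN-only matching:",
          audit(SAMPLE_CERTS, "intranet.example.internal"))
```

Running the audit over an export of the internal CA's issued certificates (converted with getpeercert() or an equivalent parser) gives the reissue list directly; the CN-only certificate above is exactly the case the post describes.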

no more free grsecurity patches

Alexander Bochmann Thursday 27 of April, 2017
grsecurity announcement (cache). Same for PAX.

Brad Spengler & The PaX Team wrote:
Today we are handing over future maintenance of grsecurity test patches to the community. This makes grsecurity for Linux 4.9 the last version Open Source Security Inc. will release to non-subscribers.

grsecurity-3.1-4.9.24-201704252333.patch will be the last available patch for non-customers.

Theo de Raadt on OpenBSD CD releases (of which 6.0 was the last one)

Alexander Bochmann Monday 17 of April, 2017
On openbsd-misc: http://marc.info/?l=openbsd-misc&m=149232307018311&w=2 (cache)

Theo de Raadt wrote:
Having done 6.1 without a CD, we learn that incorporating CDs into the production cycle has been a big drag, basically 1 month out of 6. Other project developers and processes were locked to that cycle. It is shocking how easy a release cycle is without a CD. Generally our tree is always ready, we may be able to do future releases at the drop of a hat.

speculating on why nobody paid for the Shadow Brokers cache

Alexander Bochmann Saturday 15 of April, 2017
After the Shadow Brokers group dumped another piece of their "Equation Group" exploit cache yesterday, Microsoft announced that almost all of the vulnerabilities from that dump had already been fixed. In September of last year, they had also advised customers to disable SMB1 on servers and to get rid of remaining Windows XP and Server 2003 installations.

There's been some speculation on the timeline of events (emptywheel.net).

I'd currently assume that the data that the Shadow Brokers have is in several hands (outside of the original owners), and that bits and pieces have been making their way around the ITSEC community for quite some time. Which might also be one of the reasons why no one ever bid on one of the several auction attempts.

IoT not done completely wrong: Ikea Trådfri

Alexander Bochmann Sunday 09 of April, 2017
Matthew Garrett has had a look at the Ikea Trådfri smart lighting platform, and surprisingly found a rather competent software setup:

mjg59 wrote:
Overall: as far as design goes, this is one of the most secure IoT-style devices I've looked at. I haven't examined the COAP stack in detail to figure out whether it has any exploitable bugs, but the attack surface is pretty much as minimal as it could be while still retaining any functionality at all. I'm impressed.

it's also the year of exploiting the software in the hardware

Alexander Bochmann Sunday 09 of April, 2017
A couple of days ago: Project Zero published an exploit for the embedded firmware in Broadcom WiFi chips - using WLAN packets.

Today: News of an attack on Huawei LTE baseband modems.

In his talk, Weinmann gave an overview of several baseband vulnerabilities found in the Kirin application processor, citing them as examples of a new and vulnerable attack surface worth the security community’s attention.
“This baseband is much easier to exploit than other basebands. Why? I’m not sure if this was intentional, but the vendor actually published the source code for the baseband which is unusual,” Weinmann said. “Also, the malleability of this baseband implementation doesn’t just make it good for device experimenting, but also network testing.”

Weinmann suspects HiSilicon may have inadvertently released the Kirin firmware source code as part of a developer tar archive associated with the Huawei H60 Linux kernel data. Further analysis allowed him to find additional vulnerabilities within the baseband’s POSIX compliant operating system.

Microsoft: tool to convert MBR disks to GPT

Alexander Bochmann Sunday 09 of April, 2017

Microsoft wrote:
MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).

Available in Windows 10 1703 (the "Creators Update").

(Via Firmware Security.)

details on the Xen exploit

Alexander Bochmann Sunday 09 of April, 2017
Hypervisor exploits seem to be quite popular this year - first VMware with CVE-2017-4903 (which was first announced as only affecting VMware Workstation, but according to the VMware advisory, ESXi is vulnerable too), now Xen (XSA-212).

Google Project Zero has published the details of the exploit.

At this point, the attacker can control a live pagetable, which allows the attacker to map arbitrary physical memory into the guest's virtual address space. This means that the attacker can reliably read from and write to the memory, both code and data, of the hypervisor and all other VMs on the system.

So I uninstalled the Windows 10 "Creators Update" tonight...

Alexander Bochmann Saturday 08 of April, 2017
...and not even because I particularly dislike any of the user-visible changes. There's certainly some more polish here and there, and the Settings app has a much better organization. Not sure if I like the collapsing scrollbars in "modern" apps though, and most of the new system app additions (basically anything with "holo" or "xbox" in its name, and the "3D paint" thing too) are completely useless to me. I also noticed that Microsoft is starting to set up the infrastructure to push users onto modern apps and the app store (there's a setting to disable or at least supervise the installation of classic Windows programs).

No, the deal-breaker for me is graphics performance in games - World of Warships, in particular. Not that I expect any wonders on my six-year-old notebook - ATI discontinued driver updates for the Radeon Mobility HD5000 series over a year ago, for example. But on the previous W10 1607, WoWs is quite playable (at 1280x1024, with low-to-midrange graphics settings). After the update, it's being pushed into "unplayable" territory, even with further reduced graphics settings. The problem seems not so much the absolute frame rate, but graphics updates stutter more often, and scenes that were slow before are now chopped up and jolty. I didn't check if the much-touted Game Mode is active for WoWs, but I don't know why it should make much of a difference with the game being the only running application.

Yeah well. Since the notebook (upgraded with 8G RAM and an SSD maybe two years ago) is still just fine as a general-purpose computing platform, I'll probably just wait for some deal on a small PC with one of the new AMD CPUs and a decent graphics card later this year, to use for games.

Calomel SSL Validation Firefox plugin

Alexander Bochmann Tuesday 04 of April, 2017
Another victim of the deprecation of XUL and XPCOM in Firefox seems to be the Calomel SSL Validation plugin (cache), which I've been using for a long time to get a quick view of the encryption quality of SSL connections.

Development of the Calomel SSL Validation addon has been put on hold. Mozilla is disabling XUL and XPCOM in Firefox which means the addon is no longer able to query the current browser tab for the TLS certificate and cipher information.

On Pale Moon, I'm using Cipherfox to the same end, though with a somewhat less polished interface (which still allows for simple one-click access to certificate chain information and displays current encryption parameters on the status bar).

DMARC, DKIM, SPF, and mailinglists

Alexander Bochmann Sunday 02 of April, 2017
Alan Hodgson explains in a post to the NANOG mailing list (cache) how DMARC, DKIM and SPF checks are supposed to work together:

Alan Hodgson wrote:
SPF checks the envelope sender only. [..]

DKIM doesn't by default check anything except that the headers and body that
were signed have not been altered since the signature was added. It definitely
has nothing to do with the envelope sender. [..]

DMARC adds sender policy to both mechanisms. For DMARC to pass, either SPF or
DKIM must pass and the identifier must be aligned with the header From:.

So for DMARC+SPF to pass not only must the message come from a source
authorized by the envelope sender domain, but that domain must be the same
domain (or parent domain or subdomain) of the header From: address.

For DMARC+DKIM to pass, the DKIM signature must pass and the DKIM signing
domain must be the same domain (or parent domain or subdomain) of the header
From: address.

Again, DMARC requires only one or the other mechanism to pass. So messages
forwarded intact should be OK if they have an aligned DKIM signature.

Mailing lists run by mailing list software usually alter the envelope sender.
They can therefore create and pass their own SPF policy. However, if the From:
address is preserved, this will not be an aligned message and will not pass

So, as far as I understand, a mail routed through a mailing list that keeps the original From: address will always fail DMARC+SPF (envelope sender and header From: are not aligned). But DMARC+DKIM should be fine as long as no headers or body parts covered by the DKIM signature are touched - and passing either one of the two mechanisms is enough.
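The evaluation Alan Hodgson describes (SPF or DKIM must pass, and the passing identifier must be aligned with the header From: domain) is small enough to write down. The code below is an added example, not from the NANOG post or from any DMARC implementation; it assumes the verifier has already obtained the raw SPF and DKIM results, uses a tiny constructed public-suffix list in place of the real one for computing organizational domains, and runs the check over a constructed mailing-list scenario to show why an intact DKIM signature is what saves forwarded mail.

```python
"""Added example: DMARC identifier alignment, relaxed and strict, applied to
a direct delivery and to two mailing-list relays."""
from dataclasses import dataclass

# Constructed stand-in for the public suffix list (a real evaluator would
# load the full list); only needed to derive organizational domains.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Reduce a domain to 'registrable label + public suffix', e.g.
    lists.example.org -> example.org, a.b.co.uk -> b.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def aligned(identifier: str, from_domain: str, mode: str = "relaxed") -> bool:
    """Strict alignment needs an exact match; relaxed alignment accepts the
    same organizational domain, which is the 'parent domain or subdomain'
    case from the post."""
    if mode == "strict":
        return identifier.lower() == from_domain.lower()
    return organizational_domain(identifier) == organizational_domain(from_domain)


@dataclass
class AuthResults:
    header_from_domain: str    # domain of the RFC5322.From address
    envelope_from_domain: str  # domain of the envelope sender (MAIL FROM)
    spf_result: str            # "pass"/"fail" for envelope_from_domain
    dkim_signing_domain: str   # d= tag of the signature, "" if unsigned
    dkim_result: str           # "pass" only if signed headers/body are intact


def dmarc_evaluate(r: AuthResults, mode: str = "relaxed") -> dict:
    """Return the aligned SPF result, the aligned DKIM result, and the
    overall DMARC verdict (pass if either aligned mechanism passes)."""
    spf_aligned = (r.spf_result == "pass"
                   and aligned(r.envelope_from_domain, r.header_from_domain, mode))
    dkim_aligned = (r.dkim_result == "pass"
                    and bool(r.dkim_signing_domain)
                    and aligned(r.dkim_signing_domain, r.header_from_domain, mode))
    return {"spf": spf_aligned, "dkim": dkim_aligned, "dmarc": spf_aligned or dkim_aligned}


# Constructed scenario: alice@example.com mails a list at lists.example.org.
# Direct delivery: envelope sender, DKIM d= and From: all say example.com.
DIRECT = AuthResults("example.com", "example.com", "pass", "example.com", "pass")
# The list rewrites the envelope sender to its own bounce address, so SPF
# passes for lists.example.org but is not aligned; the DKIM signature is intact.
LIST_INTACT = AuthResults("example.com", "lists.example.org", "pass", "example.com", "pass")
# The list additionally tags the Subject: and appends a footer, which breaks
# the signature: now neither mechanism is both passing and aligned.
LIST_MODIFIED = AuthResults("example.com", "lists.example.org", "pass", "example.com", "fail")

if __name__ == "__main__":
    for name, res in (("direct", DIRECT), ("list, intact", LIST_INTACT),
                      ("list, modified", LIST_MODIFIED)):
        print(f"{name:15s} {dmarc_evaluate(res)}")
```

The scenario also shows why a relaxed policy (the default for both adkim and aspf) is usually what a sender wants: mail signed by a subdomain such as mail.example.com still aligns with a From: at example.com, whereas strict alignment would fail it.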

New Model Army are playing the ZMF again this year...

Alexander Bochmann Sunday 02 of April, 2017
...as I just noticed when iTunes picked Another Imperial Day at random and I looked up the lyrics: apparently on 22 July.

It's dawn and there's fog in Rotterdam harbour
And the guard's on his break and the dogs are chained by the wire
Three figures come out from behind the cranes
And make it across the train tracks
Clamber aboard a Panamanian freighter headed for the Isle of Grain
Find a place to hide in a stack of containers - another payload of World Trade
Because goods are free to move but not people
Oil is free to move but not people
Jobs are free to move but not people
Money is free to move but not people

Probably topical every single day of the last 12 years...