the stream

Links to articles, short comments on various topics - basically the sort of posts I would have put out on Google+ in previous years.

US aerial surveillance

Alexander Bochmann Sunday 26 of March, 2017
This is old news (last fall), but I wasn't aware that the FBI and DHS run extensive aerial surveillance programs throughout the US (except on weekends). Buzzfeed has identified some of the planes involved, and tracked their flight paths on Flightradar24:

buzzfeed wrote:
We detected nearly 100 FBI fixed-wing planes, mostly small Cessnas, plus about a dozen helicopters. Collectively, they made more than 1,950 flights over our four-month-plus observation period. The aircraft frequently circled or hovered around specific locations, often for several hours in the daytime over urban areas.

We also tracked more than 90 aircraft, about two-thirds of them helicopters, that were registered to the DHS [..]

I wouldn't be surprised if some of this work is being moved to (unregistered) drones...

(Via FlowingData.)

didn't know there was a disagreement over NTP development

Alexander Bochmann Friday 24 of March, 2017
The New Stack: Paving with Good Intentions: The Attempt to Rescue the Network Time Protocol

After the Heartbleed bug revealed in April 2014 how understaffed and under-funded the OpenSSL project was, the Network Time Foundation was discovered to be one of several projects in a similar condition. Unfortunately, thanks to a project fork, the efforts to lend NTP support have only divided the development community and created two projects scrambling for funds where originally there was only one.

The effort to rescue NTP started becoming complicated when Stenn approached the Internet Civil Engineering Institute (ICEI) for funding and ended up attempting to collaborate with ICEI representatives Eric S. Raymond and Susan Sons. Accounts differ about exactly what happened, but the collaboration was unsuccessful.

(Via Russ White).

SixXS project shutting down

Alexander Bochmann Thursday 23 of March, 2017
For years, the SixXS project has been providing tunneling services for IPv6 internet access. SixXS will be shutting down in June '17 (cache).

SixXS will be sunset in H1 2017. All services will be turned down on 2017-06-06, after which the SixXS project will be retired. Users will no longer be able to use their IPv6 tunnels or subnets after this date, and are required to obtain IPv6 connectivity elsewhere, primarily with their Internet service provider.

stealing messenger.com sessions to access Facebook accounts

Alexander Bochmann Wednesday 22 of March, 2017
This has been fixed, obviously. Stephen Sclafani describes how he managed to steal messenger.com sessions, which then could be used to access the corresponding Facebook account.

Stephen Sclafani wrote:
It was possible to create a URL that when loaded by a user who was logged into their Facebook account would redirect a nonce for their account to another site. The nonce could then be used to create a messenger.com session for the user. Since messenger.com session cookies are interchangeable with facebook.com this gave full access to the user’s Facebook account.

(Via tedu.)

new Pyra pictures

Alexander Bochmann Wednesday 22 of March, 2017
In response to a critic, Michael has written a long post about why the Pyra pocket computer project is where it is right now, and has attached a couple of pictures of one of the dev units (scroll to the end of the post), running the latest OS image.

I really hope they're going to sell enough of the things to make it possible to produce the redesigned case he mentioned - shaving a couple of millimetres off the height would be great...

ISOC on the use of personal data

Alexander Bochmann Wednesday 22 of March, 2017
I didn't know there's a World Consumer Rights Day...

"My Data. Your Business." on the ISOC blog worries that consumers might lose trust in online businesses over data privacy issues, and calls for a definition of acceptable business ethics.

We may not know the specifics, but we do know that somewhere out there someone is tracking us online: in fact, most of the data monetization machine is invisible to consumers — the individuals whose data fuels it.

All this has, understandably, left many people wary. Why WOULD you trust someone or something that is gathering information on you with no real insight into how it will be used?

The consequences of this could be devastating to the economy. If consumers do not understand how their data will be handled and used and therefore don’t trust online transactions, online business will wither and die.

Mirai botnet FAQ

Alexander Bochmann Tuesday 21 of March, 2017
The APNIC blog has a guest post that explains quite a few operational details about the inner workings of the Mirai botnet components.

APNIC blog wrote:
Do C2 master and bot have heartbeat communication?

Yes. The heartbeat will involve sending and receiving the same 2 bytes of data (content is 0x0000). The interval time is about 60 seconds and the maximum timeout is 180 seconds.

Maybe having an IDS is not such a bad idea...

APNIC blog wrote:
What are the characteristics in GRE IP/ETH flood?

GRE ETH flood adds a custom ETH layer then GRE IP flood; the ETH layer is randomly filled. The destination IP in the packet is also randomly filled if it is not specified in the command.

I remember that one puzzling quite a few people when they first noticed that kind of traffic...
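As an added illustration (not part of the APNIC post or this entry), here is how the heartbeat characteristics quoted above could be turned into a flow-level heuristic for an IDS: a flow is flagged when 2-byte 0x0000 segments go out and are answered in kind at roughly 60 second intervals. The tolerance, reply window and minimum beat count are assumptions, and both sample flows are constructed.

```python
from dataclasses import dataclass

HEARTBEAT = b"\x00\x00"  # the 2-byte 0x0000 payload described in the APNIC post
INTERVAL = 60.0          # heartbeat interval in seconds, per the post
SLACK = 15.0             # assumed tolerance around the interval
REPLY_WINDOW = 5.0       # assumed: an identical reply this soon counts as an answer
MIN_BEATS = 3            # assumed: answered beats needed before flagging a flow

@dataclass
class Segment:
    ts: float       # capture time in seconds
    src: str        # source host
    dst: str        # destination host
    payload: bytes  # TCP payload

def heartbeat_stats(segments, bot, c2):
    """Return (answered, periodic): bot->c2 0x0000 segments answered by the c2
    within REPLY_WINDOW, and consecutive bot beats spaced about INTERVAL apart."""
    beats = sorted((s for s in segments if s.payload == HEARTBEAT), key=lambda s: s.ts)
    outbound = [s.ts for s in beats if s.src == bot and s.dst == c2]
    inbound = [s.ts for s in beats if s.src == c2 and s.dst == bot]
    answered = sum(1 for t in outbound if any(t <= r <= t + REPLY_WINDOW for r in inbound))
    periodic = sum(1 for a, b in zip(outbound, outbound[1:]) if abs(b - a - INTERVAL) <= SLACK)
    return answered, periodic

def looks_like_mirai_heartbeat(segments, bot, c2):
    """Flag a flow only when the beats are both answered and periodic."""
    answered, periodic = heartbeat_stats(segments, bot, c2)
    return answered >= MIN_BEATS and periodic >= MIN_BEATS - 1

# Constructed sample flow (not real capture data): a bot beating every ~60 s
BOT, C2 = "10.0.0.5", "203.0.113.7"
SAMPLE = [
    Segment(0.0, BOT, C2, HEARTBEAT), Segment(0.3, C2, BOT, HEARTBEAT),
    Segment(61.2, BOT, C2, HEARTBEAT), Segment(61.5, C2, BOT, HEARTBEAT),
    Segment(90.0, C2, BOT, b"\x01\x00\x00"),  # unrelated traffic in between
    Segment(120.9, BOT, C2, HEARTBEAT), Segment(121.1, C2, BOT, HEARTBEAT),
    Segment(180.4, BOT, C2, HEARTBEAT), Segment(180.7, C2, BOT, HEARTBEAT),
]
# Constructed benign flow: a lone two-byte zero segment is not a heartbeat pattern
WEB = "198.51.100.9"
BENIGN = [Segment(0.0, BOT, WEB, b"\x16\x03"), Segment(0.1, WEB, BOT, b"\x16\x03"),
          Segment(2.0, BOT, WEB, HEARTBEAT)]

if __name__ == "__main__":
    print(heartbeat_stats(SAMPLE, BOT, C2))             # (4, 3)
    print(looks_like_mirai_heartbeat(SAMPLE, BOT, C2))  # True
    print(looks_like_mirai_heartbeat(BENIGN, BOT, WEB)) # False
```

In practice the flow records would come from a packet capture or flow exporter that keeps per-segment payload lengths and the first bytes of payload; the 180 second timeout from the post is a good upper bound for how long to wait for the next beat before closing a tracked flow.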

Data disclosure under the Bundesmeldegesetz

Alexander Bochmann Tuesday 21 of March, 2017
With the upcoming elections in mind, netzpolitik.org points out today that you can object to your address data from the population register being passed on to political parties. For this they provide, "together with the platform selbstauskunft.net", a corresponding objection form.

At least in Freiburg it's even simpler: the city's website links to a form for objecting under the Bundesmeldegesetz (source here, under "Meldewesen") that can be filled out online and submitted directly.

"Defense-in-Depth has Failed Us" (Security Week)

Alexander Bochmann Sunday 19 of March, 2017
Marc Solomon: Defense-in-Depth has Failed Us. Now What?

Wow, there's so much wrong with this article that I don't even know where to start... Defense in depth does not mean, as the author seems to think, to heap "disparate" "point products" onto one another in the hopes that one will probably catch an attack attempt. Defense in depth means to understand both the threat landscape and the environment you're trying to defend, tailor solutions to make an attacker's job as hard as possible, and find the right points to place meaningful alarms. (Which hardly anyone ever does, but that's a different topic.)

Oh, I do get that threat intelligence services are the current hot stuff in the security industry (and the author wants to help sell his own), but when a defender doesn't get the basics of IT security design, heaping another "point product" on top won't help a whole lot.

Cisco IOS / IOS XE Cluster Management Protocol Remote Code Execution

Alexander Bochmann Saturday 18 of March, 2017
Cisco wrote:
A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges. [..]

An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. [..]

This vulnerability was found during the analysis of documents related to the Vault 7 disclosure.

The security notice also has a few interesting hints about IOS configurations that don't actually disable telnet...

Nexen - privilege separation in the Xen hypervisor

Alexander Bochmann Saturday 18 of March, 2017
Adrian Colyer summarizes a research paper published at the NDSS Symposium 2017, Deconstructing Xen:

Deconstructing Xen wrote:
Our contributions: To summarize, this paper makes the following contributions:

* A systematic analysis on 191 Xen vulnerabilities (Sections II and V).
* Nexen, a novel deconstruction of Xen into a security monitor, shared service domain, and sandboxed per-VM slices (Section III) implemented in Xen (Section IV) that efficiently uses page-based isolation mechanisms for fine-grained data isolation.
* As informed by the analysis, a novel least-privilege decomposition strategy that places highly vulnerable code into per-VM slices while maintaining high performance and either eliminating vulnerabilities entirely or confining exploits (evaluated in Section V).
* Efficient code, memory, and control-flow integrity enforcement between Xen and VMs (evaluated in Section VI).

The design mitigates about two-thirds of the vulnerabilities that have been discovered in the Xen hypervisor over the past years.

(Via tedu.)

KEXP: Cherry Glazerr

Alexander Bochmann Saturday 18 of March, 2017
Woah, either the KEXP audio engineers had a really, really bad day, or Clem Creevy has been completely done in by the drugs by now. KEXP has released a new set with Cherry Glazerr a couple of days ago. Clem's voice already seemed weak on their new record, but there's barely anything left in this recording (couldn't bear to listen for more than a couple of minutes, maybe it gets better later on).

Compare to their KEXP session two years ago.

Xenix copy protection

Alexander Bochmann Wednesday 15 of March, 2017
Tales From the Xenix Crypt analyzes the inner workings of the Xenix copy protection scheme.

os2museum wrote:
If there’s any lesson to be learned, it’s probably that 30-year old copy protection is relatively easy to break using tools and computing power that did not exist 30 years ago.

OS/2 Museum is now also a new feed in my RSS reader...

(Via Ted Unangst.)

PM/FF extension: Cookies Exterminator

Alexander Bochmann Wednesday 15 of March, 2017
I'm trying to switch back from the Vivaldi web browser to Pale Moon (a Firefox fork that aims to keep supporting XUL and many other technologies that Mozilla has abandoned) - mostly to get back a working bookmarks / history sync between my various browser installations. Pale Moon still supports the old Weave sync protocol, and works fine with the old weave minimal server (I should probably switch to FSyncMS, but I'm lazy)...

Anyway - I used to use the Self Destructing Cookies addon to automatically get rid of unused objects from closed tabs, and it turns out not to work anymore in Pale Moon 27... A discussion on the Pale Moon forums pointed to Cookies Exterminator as an alternative. So far, I've not seen any problems. The author is active on the PM forums, too.

Cisco IOS XE NETCONF surprises

Alexander Bochmann Monday 13 of March, 2017
Ok, probably not a surprise when you have read all the documentation...

Ivan Pepelnjak recently mentioned that Cisco IOS XE still doesn't have candidate configuration or commit capabilities, at least when using NETCONF automation.

One of the comments then has this hint:

Port 22 hosts the legacy netconf agent on IOS-XE, which only supports netconf 1.0 with a Cisco-proprietary payload (same as all other vendors). Port 830, when netconf-yang is enabled, hosts the model-based agent.
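An added example (not from Ivan's post or the comment above) of the check one would run before assuming commit semantics on any NETCONF agent: parse the capability URIs in the server's hello and see whether :candidate and :confirmed-commit are actually advertised. The two hello messages are constructed for illustration, not captured from an IOS XE device; the port labels only follow the comment above.

```python
import xml.etree.ElementTree as ET

NC_NS = {"nc": "urn:ietf:params:xml:ns:netconf:base:1.0"}
BASE_PREFIX = "urn:ietf:params:netconf:base:"
CAP_PREFIX = "urn:ietf:params:netconf:capability:"
EOM = "]]>]]>"  # end-of-message delimiter used by NETCONF 1.0 framing

def parse_hello(hello):
    """Return the set of capability URIs advertised in a NETCONF <hello>."""
    body = hello.split(EOM, 1)[0]  # drop the framing delimiter, if present
    root = ET.fromstring(body.strip())
    caps = root.findall("nc:capabilities/nc:capability", NC_NS)
    return {c.text.strip() for c in caps if c.text}

def summarize(hello):
    """Boil the capability list down to what matters for config automation."""
    caps = parse_hello(hello)
    names = {c[len(CAP_PREFIX):].split(":")[0] for c in caps if c.startswith(CAP_PREFIX)}
    return {
        "base": sorted(c[len(BASE_PREFIX):] for c in caps if c.startswith(BASE_PREFIX)),
        "candidate": "candidate" in names,            # without this, <commit> is meaningless
        "confirmed_commit": "confirmed-commit" in names,
        "writable_running": "writable-running" in names,
        "yang_modules": sum(1 for c in caps if "module=" in c),
    }

# Constructed hello messages (not captured from a real device)
LEGACY_AGENT = """<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:writable-running:1.0</capability>
  </capabilities>
  <session-id>7</session-id>
</hello>]]>]]>"""

MODEL_AGENT = """<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.0</capability>
    <capability>urn:ietf:params:netconf:base:1.1</capability>
    <capability>urn:ietf:params:netconf:capability:writable-running:1.0</capability>
    <capability>urn:ietf:params:xml:ns:yang:ietf-interfaces?module=ietf-interfaces&amp;revision=2014-05-08</capability>
  </capabilities>
  <session-id>8</session-id>
</hello>]]>]]>"""

if __name__ == "__main__":
    for label, hello in (("port 22 legacy agent", LEGACY_AGENT), ("port 830 model agent", MODEL_AGENT)):
        print(label, summarize(hello))
```

Neither constructed hello advertises :candidate, which is the situation the post describes: edits go straight to the running datastore, so the automation tooling has to do its own validation and rollback.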