guest - flak

observations re packet socket exploit

A few thoughts I had after reading Exploiting the Linux kernel via packet sockets. Not really about the exploit itself, but what it reveals about the state of systems security.

“It should be noted that if a kernel has unprivileged user namespaces enabled, then an unprivileged user is able to create packet sockets.”

Two types of privilege restriction are currently in vogue. There’s the seccomp/pledge model of restricting access to system calls, often referred to as sandboxes. Then there’s the jail/container approach. Hey, sure, give away root access because it’s not really root. Pseudo virtualization. In some sense, these two approaches are similar. Take some code, let it do some stuff, hope it can’t do too much.

Posted 2017-05-10 18:41:52 by tedu Updated: 2017-05-10 18:41:52
Tagged: security thoughts

vuln disclosure and risk equilibrium

Some thoughts based on a series of tweets.

“For offence, it doesn’t matter whether the vendor knows a vulnerability exists, it only matters whether the attack works against a target. Fetishising 0day leads to bizarre situations where ppl think that making more vulnerabilities known to more people reduces risk. Fetishising 0day means that people think once a vulnerability is public there’s some sort of automagic immunity.”

So is it possible for disclosing a vulnerability to result in net harm? Maybe, in some circumstances, with some assumptions.

It’s interesting to consider the case of CVE-2016-4657. This is the webkit vulnerability detected when somebody sent a 0day exploit link to an activist. Instead of visiting, he forwarded the link and the malware (Trident/Pegasus) was detected. The bug was of course fixed. But then sometime later, this same vulnerability turned up in the Nintendo Switch. They hadn’t updated their version of webkit, even though the vulnerability was widely known.

Posted 2017-04-19 14:37:49 by tedu Updated: 2017-04-19 14:39:16
Tagged: security thoughts

missing features as features

Whenever I plug an external monitor into my laptop, nothing happens. Then I run xrandr, and gears turn, and displays appear. Not too surprising. Whenever I unplug an external monitor, nothing happens. Then I run xrandr, gears turn, and all those hidden offscreen windows come screaming back. This is absurd, right? Shouldn’t my desktop software be, I don’t know, desktopping?

I actually like it, and I wouldn’t want it any other way. Like many people, I have a particular desktop setup I like. An arrangement of xterms for this, an arrangement of xterms for that, an email client here, a browser there. Some of it is big time serious business and goes on the big monitor. Other stuff lives on the small screen.

Posted 2017-03-03 19:04:28 by tedu Updated: 2017-03-03 19:04:28
Tagged: software thoughts

colliding, fast and slow

I found it hard to locate a good reference explaining how various hash attacks apply to password hashing. Somebody might reasonably ask how the SHA1 collision, or an extension thereof, would apply to bcrypt. Can bcrypt have collisions? It’s a strange question if you know the answer, but knowing that much requires synthesizing a fair bit of knowledge that’s not all in one place.

Start with the usual crypto hashes. Classics like MD5, current standards like SHA2, new hotness like BLAKE2. All of them are supposed to be collision resistant, and it’s bad news when somebody finds that they’re not. A collision attack is pretty simple to understand. Two inputs have the same hash.

An example attack is Mallory generates two messages with identical hashes, “IOU $10” and “IOU $1000”, and borrows $1000 from Alice, who accepts SHA1(“IOU $1000”) = 0x65de12 as a contract. (Digital signatures usually involve signing a hash of the document.) Later, Mallory pays Alice $10 and produces SHA1(“IOU $10”) = 0x65de12 to prove the debt has been paid. Alice is out $990. This is a collision attack. The adversary has control over both messages and the hash.

Posted 2017-02-28 22:38:41 by tedu Updated: 2017-03-05 19:12:50
Tagged: security software thoughts

1000 links later

Some reflections on life, the universe, and everything after posting 1000 links to inks. I started inks on a lark because one day I was annoyed with HN or Lobsters or something and it seemed easy enough to make my own cooler version, but there wasn’t much of a mission statement. Maybe Daring Fireball but without the fucking Yankees. It’s been a few months and 1000 links is enough to notice some trends and evaluate results.

The site was set up expecting fewer than 20 links per day. Visit once in the afternoon and scroll down and eventually come across a link from yesterday, knowing you’d seen it all. Twenty good links per day is plenty, right? Not always. Some days I’d end up posting considerably more than that without really trying. At a minimum of five minutes per link, that’s easily two hours of reading. Who has time to read all that? Wait, how do I have time to read all that? Not to mention all the links I read and didn’t post, although it’s easier to bail early on a bad article. I never really reflected on how much time I spent just treading information water until there was a timestamped record. Of course, the time wasn’t all exclusively spent on links. I could multitask leisure time watching a season of The X-Files and reading simultaneously.

Posted 2017-02-26 17:45:28 by tedu Updated: 2017-02-26 17:45:28
Tagged: thoughts web

features are faults redux

Last week I gave a talk for the security class at Notre Dame based on features are faults but with various commentary added. It was an exciting trip, with the opportunity to meet and talk with the computer vision group as well. Some other highlights include the Indiana skillet I had for breakfast, which came with pickles and was amazing, and explaining the many wonders of cvs to the Linux users group over lunch. After that came the talk, which went a little something like this.

welcome

I’m a developer with the OpenBSD project. If you’ve never heard of OpenBSD, it’s a free unix like system. So kind of like Linux, but better in every way. Totally unbiased opinion.

Posted 2017-02-21 22:02:11 by tedu Updated: 2017-02-21 22:18:32
Tagged: security software thoughts

how to influence friends and win people

I rarely comment about politics, and rarely regret not posting, but this is one of those times I thought about saying something earlier and didn’t, and now I regret it. This should have been said months ago, but there will be more elections to come, so better late than never. It’s about talking to people, but don’t worry, it has nothing to do with respect.

There are two ways to persuade people. Find something they care about and convince them you’re right, or convince them to care about something, and then convince them you’re right. The second is a lot more work than the first.

The more obviously persuasive an argument seems to you, the less persuasive it probably is for the people who don’t already agree. This doesn’t mean they can’t be persuaded, but it means shouting louder won’t work. It’s like pulling a lever to effect a change. Some of the levers are connected, and some aren’t, and it doesn’t matter how hard you pull on the ones that aren’t. The levers that are connected, however, still work.

Posted 2016-11-14 01:38:18 by tedu Updated: 2016-11-14 01:38:18
Tagged: politics thoughts

production ready

A few thoughts on what it means for software to be production ready. Or rather, what, if any, information is conveyed to me when I’m told that something is used in production. Millions of users can’t be wrong!

Some time ago, I worked with a framework. It doesn’t matter which, the bugs have all been fixed, and I don’t think it was remarkable. But our team picked it because it was production ready, and then I discovered it wasn’t quite so ready.

Egregious performance because of a naive N^2 algorithm for growing a buffer.

A timezone library that could handle DST, but couldn’t handle the absence of DST, as in it would crash in such exotic locales as Arizona that don’t have DST.

A mail library that didn’t escape dots, thus terminating the SMTP conversation early.

Posted 2016-11-11 20:11:29 by tedu Updated: 2016-11-11 20:11:29
Tagged: software thoughts

all that’s not golden

Several stories and events recently that in some way relate to backdoors and golden keys and security. Or do they? In a couple cases, I think some of the facts were slightly colored to make for a more exciting narrative. Having decided that golden keys are shitty, that doesn’t imply that all that’s shit is golden. A few different perspectives here, because I think some of the initial hoopla obscured some lessons that even people who don’t like backdoors can learn from.

Secure Boot

Microsoft added a feature to Secure Boot, accidentally creating a bypass for older versions. A sweet demo scene release (plain text) compares this incident to the FBI’s requested golden keys. Fortunately, our good friends over at the Register dug into this claim and explained some of the nuance in their article, Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea. Ha, ha, I kid.

Posted 2016-08-18 18:52:56 by tedu Updated: 2016-09-08 19:47:47
Tagged: security thoughts

ratfucked

Strolling through the book store, among the new titles on display in the politics section was Ratfucked by David Daley. What could this be about? The subtitle, The True Story Behind the Secret Plan to Steal America’s Democracy, conjured up images of telepathic lizard men so I passed it by. A little while later, though, I saw the New Yorker’s review and summary which sounds a lot better. It describes a plan to target particular districts in local elections, win control of the state, then aggressively gerrymander the map to ensure future victories as well. Of particular interest, the summary focused on some local Pennsylvania elections and the damned Arlen Specter library. Sounds great, this is worth a read. In fact, the cover image subtitle for the Kindle version, How the Democrats Won the Presidency But Lost America, is much more accurate and less sensational. (The book title is actually stylized Ratf**ked because the author is a pussy.)

Posted 2016-07-12 13:41:55 by tedu Updated: 2016-11-09 00:32:02
Tagged: bookreview politics thoughts

regarding embargoes

Personal thoughts. To each their own.

Yesterday I jumped the gun committing some patches to LibreSSL. We receive advance copies of the advisory and patches so that when the new OpenSSL ships, we’re ready to ship as well. Between the time we receive advance notice and the public release, we’re supposed to keep this information confidential. This is the embargo. During the embargo time we get patches lined up and a source tree for each cvs branch in a precommit state. Then we wait with our fingers on the trigger.

What happened yesterday was I woke up to a couple OpenBSD developers talking about the EBCDIC CVE. Oh, it’s public already? Check the OpenSSL git repo and sure enough, there are a bunch of commits for embargoed issues. Pull the trigger! Pull the trigger! Launch the missiles! Alas, we didn’t look closely enough at the exact issues fixed and had missed the fact that only low severity issues had been made public. The high severity issues were still secret. We were too hasty.

Posted 2016-05-04 14:04:17 by tedu Updated: 2016-05-04 21:17:51
Tagged: security software thoughts

when i wore a younger fool’s cap

A few grumpy remarks about the amazing tale of Slack bot tokens on GitHub. Auth tokens used for business accounts get committed into Jurassic Park quote bots saved on GitHub, allowing random passersby to eavesdrop on your paradigm shifting startup’s latest pivot? That didn’t happen back in my day! Of course, since then multiple changes have combined to change the world. A perfect storm of convergence and disruption.

First off, let’s start with the centralized Slack service. Even if somebody stole your chat server credentials, they wouldn’t be of much use if your chat server wasn’t in the cloud. We used to run an IRC server with no credentials at all because it was only on the internal network. Not terribly secure, but we got by. If I built an IRC bot one weekend, it wouldn’t come with credentials for a critical service because it wasn’t developed with credentials for a critical service.

Posted 2016-04-29 02:13:23 by tedu Updated: 2016-04-29 02:13:23
Tagged: rants software thoughts

not smart is not stupid

There’s already a few other posts about the perils of complex software. Features are faults is one. The more we ask a program (or any system) to do, the more likely something will go wrong. This post is about various time saving features that backfire, when some feature promises to save me time but ends up costing more. Or in short, when the smart feature is really stupid.

Some time ago, I needed to install Ubuntu for competitive research. Download the ISO, start VMWare, and voila, the install wizard takes it away. Instead of making me drive through the Ubuntu installer, the VMWare smart install offered to do all those mundane tasks for me. But something bad happened and what I was left with was an Ubuntu system that allowed me to login at a graphical prompt, but then left me staring at an empty desktop with no means of interaction. Not even so much as an xterm. Logging in on a virtual console helpfully informed me that installation was in progress, but after leaving the system in this state for some time, no progress was observed. I had a very pretty but otherwise useless husk of an Ubuntu system. This may have been a recoverable error, but I wasn’t sufficiently motivated to find out.

Posted 2016-04-15 03:28:33 by tedu Updated: 2016-04-15 03:28:33
Tagged: software thoughts

effect and cause

I’m reading Most Secret War by R. V. Jones, an English physicist’s account of his intelligence work in the Air Staff during World War II. I’m only up to the beginning of 1941, but it’s been a terrific read so far, with many enlightening anecdotes. A few dealing with erroneous assumptions were particularly good.

Much of Jones’s work dealt with radio and radar and similar phenomena. At the outbreak of WWII, we were just beginning to understand and develop this technology, and nobody knew for certain what was possible and what was not. As a result, some fairly incredible rumors were taken quite seriously. Early plans for a radio wave death ray were scrapped after calculating that the necessary power output was too great, but there were still rumors that the Germans had developed an engine killing beam of some sort.

Posted 2016-03-03 17:26:40 by tedu Updated: 2016-03-03 17:26:40
Tagged: bookreview thoughts

outrageous roaming fees

Unexpected roaming fees are the worst. You’re just cruising along, having a jolly old time, and then boom. $20 per megabyte??? Should have read the fine print. Of course, if you had known to read the fine print, you probably would have already known about the roaming fees, and therefore not needed to read the fine print. And so it goes, in life and in ssh.

What, ssh has roaming??? Should have read the fine print. The Qualys Security Advisory is more than thorough. Now that we’ve read the fine print, what can we do differently?

The main bug (ignoring the second overflow for now) is that some sensitive memory was recycled and leaked. The possibility of this happening has been known for some time, and there are some countermeasures in place, but they’re not foolproof.

Posted 2016-01-15 14:55:50 by tedu Updated: 2016-01-19 04:17:28
Tagged: c openbsd programming security thoughts

rough code and working consensus

On their better days, standards groups follow a principle of rough consensus and working code. Somebody builds something, announces it to some friends and maybe a few competitors, and says, hey, if you build something similar, it’s possible for our implementations to interoperate. Everyone’s a winner. Sometimes the design isn’t perfect, but the fact that at least one person/group has built an implementation is an existence proof that it can be built. Valuable knowledge to have.

On their lesser days, standards groups follow a process that looks more like a political pork swap, trading favors and votes for pet features until the end result is a congealed mass of hopes and dreams. Then the committee reconvenes five years later to standardize whatever ended up getting built, trying to salvage the bits and pieces into a cohesive whole.

Posted 2015-11-17 14:48:21 by tedu Updated: 2015-11-19 06:31:18
Tagged: openbsd programming thoughts

hoarding and reuse

At many a BSD conference, there’s a keynote from somebody involved in the early development of BSD. They get up and talk about the history of some program they contributed, and explain how some of the strange quirks it has came to be. This is usually a good opportunity to then go into the source and review it to see if it can perhaps be simplified.

For example, the gettytab man page has for at least 20 years (even before import into NetBSD and FreeBSD) said, “The he capability is stupid.” Why does anyone even need hostname editing here? Dennis Ferguson mentioned, as an aside, at AsiaBSDCon 2015 that this was a holdover because somebody somewhere didn’t like the way their hostname was printed. Actually, I’ve forgotten exactly how or why it was added, it was that obscure. But finally, Dennis gave us permission to delete this feature. So I did.

Posted 2015-10-04 08:21:44 by tedu Updated: 2015-10-05 01:29:18
Tagged: c openbsd programming thoughts

reproducible builds are a waste of time

Sort of. Maybe. It depends.

Yesterday I read an article on Motherboard about Debian’s plan to shut down 83% of the CIA with reproducible builds. Ostensibly this defends against an attack where the compiler is modified to insert backdoors in the packages it builds. Of course, the defense only works if only some of the compilers are backdoored. The article then goes off on a bit of a tangent about self propagating compiler backdoors, which may be theoretically possible, but also terribly, unworkably fragile.

I think the idea is that if I’m worried about the CIA tampering with Debian, I can rebuild everything myself from source. Because there’s no way the CIA would be able to insert a trojan in the source package. Then I check if what I’ve built matches what they built. If I were willing to do all that, I’m not sure why I need to check that the output is the same. I would always build from scratch, and ignore upstream entirely. I can do this today. I don’t actually need the builds to match to feel confident that my build is clean. Perhaps the idea is that a team of incorruptible volunteers will be building and checking for me, much like millions of eyeballs are carefully reviewing the source to all the software I run.

Posted 2015-09-08 17:55:54 by tedu Updated: 2015-09-19 20:19:36
Tagged: rants security software thoughts

a prettier web, not a thicker one

There’s been a lot of fuss recently about the state of the web. quirksmode got the party started by telling us to stop pushing the web forward. Enough, enough, there’s too much! From the other direction, The Verge points out it’s really only too much because Microsoft refuses to release IE for iPhone. Whatever. For the morbidly curious, two fairly long recaps are Stop blaming the web. Stop breaking the web. and What’s wrong with the web?

Mostly the focus has been on overwhelming cognitive load for developers and a worsening user experience for, uh, users. What about security? Or privacy? The things nobody cares about because they can’t be A/B tested. Let’s take a look at a few feature fuckups. Bear with me, I had to dig to find these examples, so some links could be as much as a month old.

Posted 2015-08-13 17:05:33 by tedu Updated: 2015-08-13 17:05:33
Tagged: software thoughts web

branchless development

Among other developmental heresies, I’m also a believer in everybody working in the same branch. I’ve dropped hints from time to time, and of course OpenBSD practitioners are familiar with this ideology, but I’ve only tried explaining it in full to a few coworkers. Who sat through my talk alternating between being shocked and appalled. Good times.

There’s not much of a narrative here, just some scattered thoughts. Now revised with a few more thoughts. No promises about the cohesion, however. This post started out as a longer form followup to Why OpenBSD doesn’t use GitHub but it’s gone in a slightly different direction. (Wow, that email is three years old.)

Posted 2015-07-19 03:40:03 by tedu Updated: 2015-09-17 15:22:19
Tagged: programming thoughts