Post 1882554 by burek@linuxrocks.online
Post #1882140 by malin@linuxrocks.online
2018-12-10T13:51:56Z
0 likes, 0 repeats
Looks like alarmism to me, but second opinions welcome on a "new" Linux vulnerability: https://www.zdnet.com/article/eset-discovers-21-new-linux-malware-families/
Post #1882261 by burek@linuxrocks.online
2018-12-10T13:59:28Z
0 likes, 0 repeats
@malin Linux teaches you security one way or another. So the chances of you getting a virus/malware or anything else are really small. You have to be really unlucky. On the other hand, Linux is a much faster moving ecosystem so things get fixed in a matter of hours. Example: that AUR package malware and the Ubuntu snap miner virus were fixed on the same day afaik, while viruses on Windows can sometimes go unnoticed for God knows how long. #PowerOfOpenSource
Post #1882332 by malin@linuxrocks.online
2018-12-10T14:02:22Z
0 likes, 0 repeats
@burek I'm updating Arch daily, but pretty much every package is common, so hopefully less chance of bugs in there. I presume if one came with a keylogger, it would neither be noticed, nor removed by an update.
Post #1882383 by burek@linuxrocks.online
2018-12-10T14:05:22Z
0 likes, 0 repeats
@malin If you're talking about AUR, a lot of people actually read PKGBUILDs, so they will be the first to notice some suspicious shit going on. As for the Arch repos, they do test all the software in there, so you're good. Now bugs... that's a different story :linus:
Post #1882386 by malin@linuxrocks.online
2018-12-10T14:05:34Z
0 likes, 0 repeats
@burek Oh, and totally YES about Windows. I tried patching a security problem a week ago. I'm STILL hunting viruses and they're EVERYWHERE - the entire place is rotten, the automatic blocks don't work and I have to use two types of antivirus to catch just what I've caught - no idea if I've caught everything. It's a few times a day I want to tell clients "Maybe just delete everything, and install Linux?". Especially when talking about people who need only browsers and spreadsheets.
Post #1882427 by malin@linuxrocks.online
2018-12-10T14:06:52Z
0 likes, 0 repeats
@burek I tried doing my homework with this - I couldn't get to the end of a single day's announcements on the RSS feed, and couldn't understand anything, but well done to anyone who does - doing God's work every one of them.
Post #1882432 by burek@linuxrocks.online
2018-12-10T14:07:23Z
0 likes, 0 repeats
@malin Damn dude, that sucks big time. I have the same mentality, but it's best to let people decide for themselves after you give them options. ¯\_(ツ)_/¯
Post #1882451 by burek@linuxrocks.online
2018-12-10T14:08:16Z
0 likes, 0 repeats
@malin Amen to that 🙏
Post #1882468 by malin@linuxrocks.online
2018-12-10T14:08:44Z
0 likes, 0 repeats
@burek Nobody gets options. The company is a 'partner' of Microsoft, so they only support Microsoft. The users don't know the difference between Windows 7 and 10. We patch enough to make it work for a bit, then patch again next month.
Post #1882554 by burek@linuxrocks.online
2018-12-10T14:12:34Z
0 likes, 0 repeats
@malin I mean... Time will tell what's best for them, but until then let them be :stallman: Sucks for you that you have to work in such an environment. 😭
Post #1882625 by cyrillico@mastodon.social
2018-12-10T14:14:58Z
0 likes, 0 repeats
@malin This isn't a big deal, but the fact that no one found the Xorg privilege escalation stuff and the Intel ME + out-of-order/hyperthreading attacks has made me lose faith in the ability of computers to be secure. Gonna try to move my SSH/PGP keys and hopefully TLS client keys to a Nitrokey/offline machine.
Post #1882681 by malin@linuxrocks.online
2018-12-10T14:16:58Z
0 likes, 0 repeats
@burek Time won't tell if there's no comparison, though I have no doubt that those using only spreadsheets and a browser would be better off without the malware, forced updates, lack of scripting, and remote access restricted to GUIs, so I need to interrupt their work to solve problems. If this doesn't work out, I'm just gonna turn into a Libre-burglar - jumping into cafes and offices at night, then open-sourcing everything.
Post #1882713 by burek@linuxrocks.online
2018-12-10T14:18:05Z
0 likes, 0 repeats
@malin hahahahahahaha yes pls, open source vigilante 😂
Post #1882809 by malin@linuxrocks.online
2018-12-10T14:22:10Z
0 likes, 0 repeats
@cyrillico I've never imagined that a networked computer could be 100% secure - it's kinda like a house. My house is secure, but there's always some chance of an unexpected hole, or a grenade opening the thing. That said, aren't there easier ways to be more secure, like keeping some alarms on /var/log/auth?
Post #1883119 by cyrillico@mastodon.social
2018-12-10T14:36:28Z
0 likes, 0 repeats
@malin Alarms don't protect from Management Engine attacks that can access the network/RAM/storage invisibly to the OS. I don't think this will be too irritating. Nitrokey Start works with Firefox authentication, GPG and OpenSSH. Think you can get it to authenticate OTR also. Only going to use the offline computer for key generation/backup, so really it just means I have to carry a dongle and enter the PIN whenever I want to use a private key. NSA 100% has kernel and ME backdoors.
Post #1883158 by malin@linuxrocks.online
2018-12-10T14:38:32Z
0 likes, 0 repeats
@cyrillico TBH I'm kinda up for cyber-warfare with countries at this point. I'm waiting for my government to die off, so the next are young enough to understand that all of their computers being controlled by a single American corporation isn't a great idea. For the back door, are you talking about the elliptic curve vulnerability?
Post #1883571 by cyrillico@mastodon.social
2018-12-10T14:49:00Z
0 likes, 0 repeats
@malin The NIST curves? I have no idea if that's real. I'm talking about silicon vulnerabilities. Spectre/Meltdown are unpatched till kernel 4.20 and they show the basis of modern CPUs is inherently insecure. Out-of-order CPUs are so complex they switch registers between processes in unpredictable/exploitable ways. The only solution is hardware isolation. The NSA spends billions on this; they definitely know about more exploits. (If they aren't forcing Intel to implement them.)
Post #1883588 by neoncipher@mastodon.social
2018-12-10T14:52:56Z
0 likes, 0 repeats
(1/2) @malin That article looks like an advertisement for ESET antivirus products. It lacks crucial details about the discovered malware. How exactly can the malware be installed on a victim's computer? What executables are affected? What are the indicators of the malware? What address does it "call" if we deal with a trojan? All those questions are far from being answered and the readers are treated like housewives without any brain cells.
Post #1883591 by neoncipher@mastodon.social
2018-12-10T14:55:00Z
0 likes, 0 repeats
(2/2) Instead, the article is hyped with a scary tone. What I would like is a simple analysis and instructions to check the system. Let's say: run such-and-such command to find malware with such-and-such hashes. But no: here is an over-complicated 53-page report. Figure it out yourself or pay ESET to check the system for you. @malin thank you for the link though. This report is better than nothing.
Post #1895262 by malin@linuxrocks.online
2018-12-10T23:05:32Z
0 likes, 0 repeats
@cyrillico Elliptic curve vulnerabilities seem real enough - there's a Numberphile vid on them (or Computerphile?). As to Spectre, yeah, it just seems all-round worrying. So - complete Arch reinstall when the next one's out? At least there's been little evidence of the NSA targeting everyone, ... Well, at least not getting into all computers, just traffic. Jesus, it can actually only get one stage worse.
Post #1895309 by neoncipher@mastodon.social
2018-12-10T15:20:34Z
0 likes, 0 repeats
@cyrillico @malin Intel ME is so evil it's unbelievable that cybersecurity experts failed to make that information available to the masses. The majority of people still have no idea what ME is capable of doing.
Post #1895310 by malin@linuxrocks.online
2018-12-10T23:07:34Z
0 likes, 0 repeats
@neoncipher @cyrillico I've not seen ME. Want to give me some bedtime reading?
Post #1897628 by cyrillico@mastodon.social
2018-12-11T01:05:34Z
0 likes, 0 repeats
@malin The P256 curve vulnerabilities are predicated on the requirement that the NSA knows a secret about ECC that no one else has been able to discover. It's suss and NIST should be avoided, but so should RSA. Check out Dan Bernstein's safecurves.cr.yp.to project. It's not such a big deal cause most people seem to be moving to his cv25519/ed25519 curves.
Post #1897678 by cyrillico@mastodon.social
2018-12-11T01:08:25Z
0 likes, 0 repeats
@malin @neoncipher I
Post #1897826 by cyrillico@mastodon.social
2018-12-11T01:17:20Z
0 likes, 0 repeats
@malin @neoncipher https://bitkeks.eu/blog/2017/12/the-intel-management-engine.html There is firmware mitigation using: https://github.com/corna/me_cleaner You might have better luck getting it to work cause ThinkPads have decent coreboot support. Basically the NSA demanded Intel include a bit that disables ME for their internal use, which me_cleaner/Purism utilise.
Post #1900689 by neoncipher@mastodon.social
2018-12-11T04:26:12Z
0 likes, 0 repeats
@malin Here is some addition to the excellent article that @cyrillico provided: https://www.bleepingcomputer.com/news/hardware/researchers-find-a-way-to-disable-much-hated-intel-me-component-courtesy-of-the-nsa/ http://blog.ptsecurity.com/2017/08/disabling-intel-me.html Also from myself: the benefits of using Intel ME are so insignificant in comparison to the disastrous privacy and security breaches that it's getting obvious the technology was intentionally designed as a backdoor.