Post 3276891 by levi@the.hedgehoghunter.club
Post #3268278 by aral@mastodon.ar.al
       2019-01-22T23:00:49Z
       
       0 likes, 1 repeats
       
       Remote Code Execution in apt/apt-get
       https://justi.cz/security/2019/01/22/apt-rce.html
       #debian #ubuntu #security #apt
       
Post #3268455 by rysiek@mastodon.social
       2019-01-22T23:24:51Z
       
       0 likes, 0 repeats
       
       @aral Debian *really* needs to enable HTTPS repos by default. Enough is enough. #InfoSec
       
Post #3268456 by alrs@lsngl.us
       2019-01-22T23:26:18Z
       
       1 likes, 0 repeats
       
       @rysiek @aral it's all PGP signed, what's the point? Allow registrars to MITM?
       
Post #3268469 by rysiek@mastodon.social
       2019-01-22T23:26:52Z
       
       0 likes, 0 repeats
       
       @alrs @aral perhaps consider reading the link in the parent toot, and then let's talk.
       
Post #3268560 by kaniini@pleroma.site
       2019-01-22T23:29:46.862984Z
       
       1 likes, 0 repeats
       
       @rysiek @aral @alrs the problem is with the way APT does the signature check, not HTTPS. HTTPS is a bandaid that will hide security problems in these types of parsing scenarios. So no, https is not the solution.
       
Post #3268607 by alcinnz@floss.social
       2019-01-22T23:32:51Z
       
       0 likes, 0 repeats
       
       @rysiek @aral Personally I don't care too much whether they do HTTP or HTTPS, the other fixes would be needed as well anyways.
       
Post #3268646 by rysiek@mastodon.social
       2019-01-22T23:31:24Z
       
       0 likes, 0 repeats
       
       @kaniini @alrs @aral fair. But I'll take a band-aid in the meantime. It would have stopped this attack (and others linked to in the article).
       
Post #3268647 by kaniini@pleroma.site
       2019-01-22T23:34:00.733714Z
       
       0 likes, 0 repeats
       
       @rysiek @aral @alrs https does not do shit.  at all.  okay now you upgraded the risk factor from script kiddie to script kiddie who has a reseller agreement with a CA.  cool.
       
Post #3268789 by rysiek@mastodon.social
       2019-01-22T23:35:05Z
       
       0 likes, 0 repeats
       
       @kaniini @alrs @aral I will take that upgrade, especially since the cost is negligible and deployment trivial.
       
Post #3268790 by kaniini@pleroma.site
       2019-01-22T23:38:56.283991Z
       
       0 likes, 0 repeats
       
       @rysiek @aral @alrs the cost to who? you? What about the cost to the planet for all of the additional energy wasted on unnecessary TLS to transport already cryptographically secure data? What about the labor costs for companies and projects to manage their X509 hygiene? #InfoSec people are charlatans as usual
       
Post #3268923 by rysiek@mastodon.social
       2019-01-22T23:41:00Z
       
       0 likes, 0 repeats
       
       @kaniini @alrs @aral Debian already maintains X509 infrastructure, so no additional management/deployment/etc cost there. And for the other thing, I'd like to see a study of TLS energy impact (I really would).
       
Post #3268924 by kaniini@pleroma.site
       2019-01-22T23:43:34.363956Z
       
       0 likes, 0 repeats
       
       @rysiek @aral @alrs hey, did you know that 99.9999999999% of Debian repo traffic is on third-party mirrors? If people followed your X509 advice there'd be leaked certificates all over the damn place. Again, #InfoSec = charlatanism
       
Post #3269051 by bob@soc.freedombone.net
       2019-01-22T23:45:49.328030Z
       
       1 likes, 0 repeats
       
       @rysiek @aral @alrs @kaniini This is one of those arguments I got into five years ago. There are of course other reasons why you might not want the entire package list for a given server to be transferred in the clear.
       
Post #3269052 by kaniini@pleroma.site
       2019-01-22T23:48:22.986132Z
       
       0 likes, 1 repeats
       
       @bob @rysiek @aral @alrs approximately zero package managers send your package list anywhere. Except conary, and that package manager is dead. They may fetch files, sure, but if you want to prevent inference of server package lists you should be using an internal mirror anyway.
       
Post #3269073 by schmittlauch@toot.matereal.eu
       2019-01-22T23:46:11Z
       
       0 likes, 0 repeats
       
       @kaniini @alrs @aral @rysiek multi-layer defense is a lie anyways! Just force people to write bug-free code and fire them if they don't. Why bother with partial mitigations… But for real, it mostly looks like you value different threats differently. Not whether InfoSec is heart worms or not.
       
Post #3269074 by kaniini@pleroma.site
       2019-01-22T23:49:01.947117Z
       
       1 likes, 0 repeats
       
       @schmittlauch @rysiek @aral @alrs the real threat is infosec idiocy and the cure comes in the form of .45 caliber ammunition honestly.
       
Post #3269171 by alcinnz@floss.social
       2019-01-22T23:53:06Z
       
       0 likes, 0 repeats
       
       @bob @alrs @aral @rysiek @kaniini I'm curious, so can you expand please?
       
Post #3269237 by resist__berlin@chaos.social
       2019-01-22T23:51:42Z
       
       0 likes, 1 repeats
       
       @bob @alrs @aral @rysiek @kaniini apt-transport-tor ftw
       
Post #3269238 by rysiek@mastodon.social
       2019-01-22T23:54:16Z
       
       0 likes, 0 repeats
       
       @resist__berlin @bob @alrs @aral @kaniini Tor? OH NOES THINK OF THE ENERGY COSTS OF DOING ALL THAT CRYPTO!
       
Post #3269239 by kaniini@pleroma.site
       2019-01-22T23:55:03.364930Z
       
       0 likes, 0 repeats
       
       @rysiek @aral @alrs @bob @resist__berlin at least that's crypto that is useful.  https for CDN scenario is not.
       
Post #3269303 by schmittlauch@toot.matereal.eu
       2019-01-22T23:55:54Z
       
       0 likes, 0 repeats
       
       @kaniini are you already looking forward to QUIC and http/2 or /3 enforcing crypto by default?
       
Post #3269304 by kaniini@pleroma.site
       2019-01-22T23:57:20.888479Z
       
       0 likes, 0 repeats
       
       @schmittlauch good for them, CDN scenarios will keep with HTTP/1.1 for the foreseeable future
       
Post #3269327 by rysiek@mastodon.social
       2019-01-22T23:56:10Z
       
       0 likes, 0 repeats
       
       @kaniini @resist__berlin @alrs @aral @bob oh, are you saying CDNs should not use HTTPS at all? I.e. when User A visits https://example.org and some resources are on cdn.example.org, that should not go via HTTPS?..
       
Post #3269328 by kaniini@pleroma.site
       2019-01-22T23:58:40.437756Z
       
       0 likes, 0 repeats
       
       @rysiek @bob @aral @alrs @resist__berlin stop putting words in my mouth. Obviously https CDN is needed for cases where https websites are used. But not for package distribution.
       
Post #3274770 by dredmorbius@mastodon.cloud
       2019-01-23T03:55:59Z
       
       0 likes, 0 repeats
       
       @kaniini Seeing what packages are requested, particularly during major upgrades / release updates, is effectively identical to transferring your local package list to the server. Or, over HTTP transport, all points between you and same.
       You seem to have strong feelings, violent tendencies, and little actual clue as to security. This has proved a poor mix in my experience. I hope your mileage differs. I somehow doubt it.
       @alrs @aral @rysiek @bob
       
Post #3276438 by kaniini@pleroma.site
       2019-01-23T05:02:18.524579Z
       
       4 likes, 4 repeats
       
       @dredmorbius @bob @rysiek @aral @alrs with all due respect, you have no idea who the fuck i am or what the fuck i do. But you sure talk a big game. I've been designing actually secure systems and networks for the past decade, and have also written major parts of a major package manager, and i can tell you this: https is not the point at all here, but having the repos locally.
       #InfoSec charlatans always talk the talk, but you all never walk the walk, and i'm the person that gets hired to fix your mess when the project gets blown to hell.
       
Post #3276532 by yolo@anime.website
       2019-01-23T05:09:36.978694Z
       
       5 likes, 1 repeats
       
       @kaniini @dredmorbius @bob @rysiek @aral @alrs I'd just like to interject for a moment. I've literally been removing trash from the internet for the past decade plus. i know how to form coalitions of upstream ISPs to force deplatforming. don't play with me unless you want to learn what this means.
       
Post #3276622 by levi@the.hedgehoghunter.club
       2019-01-23T05:12:30.189918Z
       
       2 likes, 0 repeats
       
       @yolo @kaniini @dredmorbius @bob @rysiek @aral @alrs imagine pretending to be an internet tough guy with a bunny girl avatar lololololol
       
Post #3276815 by kaniini@pleroma.site
       2019-01-23T05:20:33.931414Z
       
       2 likes, 0 repeats
       
       @levi @yolo i wasn't really going for that aesthetic with that response, but i can see the resemblance i guess... i just didn't like his own internet tough guy response to me.
       
Post #3276860 by yolo@anime.website
       2019-01-23T05:24:40.324778Z
       
       1 likes, 0 repeats
       
       @kaniini @levi it's all good, we still love you all the same
       
Post #3276891 by levi@the.hedgehoghunter.club
       2019-01-23T05:25:49.851550Z
       
       1 likes, 0 repeats
       
       @yolo @kaniini
       
Post #3276892 by levi@the.hedgehoghunter.club
       2019-01-23T05:25:52.281522Z
       
       2 likes, 0 repeats
       
       @kaniini @yolo
       
Post #3278147 by dredmorbius@mastodon.cloud
       2019-01-23T06:29:19Z
       
       0 likes, 0 repeats
       
       @levi Yeah, but the _other_ dog in this fight is a space alien cat. Who's a girl gonna bet the bank on in this mad mad mad mad mad mad world?
       
Post #3278264 by noorul@s.noorul.xyz
       2019-01-23T06:34:13.966345Z
       
       0 likes, 0 repeats
       
       Finally, the rabbit roared... 😀 @kaniini
       
Post #3279709 by tga@mastodon.xyz
       2019-01-23T07:40:57Z
       
       0 likes, 0 repeats
       
       @kaniini You do of course realize that leaked certs don't provide worse security than no cert... Right now, RCE on the most popular Linux distributions at public networks around the world is a simple mitmproxy away. This has happened repeatedly, and every time infosec says the same thing: TLS would have made this attack too expensive for 99% of attackers. All we ever hear back is inane comments like "it's just this once" or "we verify the signatures, it doesn't really matter".
       
Post #3279710 by kaniini@pleroma.site
       2019-01-23T07:44:38.879860Z
       
       0 likes, 0 repeats
       
       @tga the solution is not TLS. Like all other vulnerable software, the solution is fixing the package manager's parsers, so that invalid data is correctly rejected. Whether TLS should be used to secure a repository or not is an entirely different subject, but TLS itself is not a prevention of RCE; in fact it will cause people to stop fuzzing package managers, and bugs will stop being fixed. To recap, in case you missed it, the solution is to FIX THE DAMN BUGS.
       
Post #3279840 by tga@mastodon.xyz
       2019-01-23T07:48:34Z
       
       0 likes, 0 repeats
       
       @kaniini Once again, TLS would have stopped 99% of attackers, and stops them in the future. Who knows who else found this before it was disclosed? There will never be no security bugs. Nobody is going to stop looking for bugs. Just like nobody stopped looking for bugs in any other program that switched to TLS.
       
Post #3279841 by kaniini@pleroma.site
       2019-01-23T07:50:10.240612Z
       
       1 likes, 0 repeats
       
       @tga tired: properly fixing software bugs
       wired: using TLS as a generic internet condom and praying that a root certificate authority's keys aren't factored
       
Post #3279856 by lanodan@queer.hacktivis.me
       2019-01-23T07:52:17.906931Z
       
       0 likes, 0 repeats
       
       @kaniini @tga Or that a root CA is not having some fun.
       
Post #3279917 by zalandocalrissian@ieji.de
       2019-01-23T07:52:11Z
       
       1 likes, 0 repeats
       
       @levi @alrs @dredmorbius @yolo @rysiek @bob @kaniini @aral i guess i'll link to this thread the next time someone gets excited because people in the fediverse are so much nicer than those on twitter :)
       
Post #3279918 by levi@the.hedgehoghunter.club
       2019-01-23T07:54:29.716840Z
       
       0 likes, 0 repeats
       
       @zalandocalrissian @aral @kaniini @bob @rysiek @yolo @dredmorbius @alrs Just link them to the kiwi farms page https://kiwifarms.net/threads/mastodon.36417/
       
Post #3279943 by tga@mastodon.xyz
       2019-01-23T07:53:49Z
       
       0 likes, 0 repeats
       
       @kaniini And in the process, stop countless abusive spouses, stalkers, and bosses from installing spyware on computers all over the world. But no, if it doesn't stop a state adversary, of course it serves no purpose in your self-absorbed thought experiment.
       
Post #3279944 by kaniini@pleroma.site
       2019-01-23T07:54:53.443840Z
       
       0 likes, 0 repeats
       
       @tga yeah man, TLS definitely stops abusive spouses, stalkers and bosses from installing spyware on computers.
       
Post #3279989 by tga@mastodon.xyz
       2019-01-23T07:55:46Z
       
       0 likes, 0 repeats
       
       @kaniini It literally does in this case. I don't think you understand how hard it is to exploit a CA, versus how trivial this attack is.
       
Post #3279990 by kaniini@pleroma.site
       2019-01-23T07:56:57.893849Z
       
       0 likes, 0 repeats
       
       @tga you must be smoking some real good shit to come up with this threat model! See, if i want to spy on what my spouse is doing, i will just put a RAT on their computer, which will take screenshots and log keystrokes. I would definitely not suggest anyone come to you for espionage strategies.
       
Post #3280009 by kaniini@pleroma.site
       2019-01-23T07:57:56.593351Z
       
       0 likes, 0 repeats
       
       @tga i mean, i want to reiterate: your threat model is really bizarre! If i am a boss or jealous spouse, i have physical access to the machine! Why do i need to fuck around with an MITM at all?
       
Post #3280089 by levi@the.hedgehoghunter.club
       2019-01-23T08:02:12.647035Z
       
       0 likes, 0 repeats
       
       @zalandocalrissian @aral @kaniini @bob @rysiek @yolo @dredmorbius @alrs what in the name of autism, kaniini is still keeping this thread going. Just call them faggots and move on with it kaniini, it's not worth arguing about whatever it is
       
Post #3280114 by tga@mastodon.xyz
       2019-01-23T08:00:50Z
       
       0 likes, 0 repeats
       
       @kaniini One of my coworkers has a stalker. You think this is outside of their threat model?
       
Post #3280115 by kaniini@pleroma.site
       2019-01-23T08:02:23.891948Z
       
       0 likes, 0 repeats
       
       @tga if a stalker can perform an MITM, they can just install a RAT (e.g. “evil maid” attack) on the machine when you get up to go to the bathroom. I maintain you’re smoking really good shit and your threat model is reflective of that.
       
Post #3280129 by tga@mastodon.xyz
       2019-01-23T08:02:22Z
       
       0 likes, 0 repeats
       
       @kaniini My boss does not have physical access to my machine, and abusive spouses often do not live together. It's almost like you've never thought about these threat models.
       
Post #3280130 by kaniini@pleroma.site
       2019-01-23T08:03:37.586106Z
       
       0 likes, 0 repeats
       
       @tga i have, and the RAT is going to appear on those machines/phones through phishing, not through some MITM crap. And the solution to phishing is simple: don't click on shit you don't know
       
Post #3280141 by rysiek@mastodon.social
       2019-01-23T08:04:22Z
       
       0 likes, 0 repeats
       
       @levi Look, I don't enjoy name-calling and ad personam arguments regardless of which side of the discussion I am on. If you want to call people autists, do it somewhere where I don't have to interface with it.
       
Post #3280142 by levi@the.hedgehoghunter.club
       2019-01-23T08:04:39.408497Z
       
       0 likes, 0 repeats
       
       @rysiek shut up you autistic nigger faggot
       
Post #3280160 by zalandocalrissian@ieji.de
       2019-01-23T08:00:37Z
       
       0 likes, 0 repeats
       
       @levi ooooohhkaaay, (but that site is a normal forum and not in the fediverse, is it?)
       
Post #3280161 by levi@the.hedgehoghunter.club
       2019-01-23T08:05:25.085027Z
       
       0 likes, 0 repeats
       
       @zalandocalrissian ye, or just link them the ED page https://encyclopediadramatica.rs/Pleroma
       It's a good way to see back to the time when the fediverse was "twitter without n*zis", i.e. before me
       
Post #3280183 by kaniini@pleroma.site
       2019-01-23T08:05:52.165698Z
       
       0 likes, 0 repeats
       
       @tga by the way, the most commonly deployed RAT by law enforcement (finfisher) gets installed through phishing: they send a text message to the target which then directs them to the exploit kit.  not through some fantasy MITM scenario.
       
Post #3280228 by kaniini@pleroma.site
       2019-01-23T08:07:36.637471Z
       
       0 likes, 0 repeats
       
       @tga also, bluntly, in the boss scenario, they take control of your device using Mobile Device Management as soon as you associate your work accounts, or connect to the Active Directory domain or whatever.  BYOD is a great way to leave with a RAT on your own hardware, and company hardware is always going to be pre-owned.
       
Post #3280350 by tga@mastodon.xyz
       2019-01-23T08:11:17Z
       
       0 likes, 0 repeats
       
       @kaniini I work in a security research lab, phishing isn't going to work, since this coworker, as you put it, won't "click on shit they don't know". The stalker does not have physical access, as is, once again, extremely common in these situations. In any case, you clearly know you're wrong about this, and are just arguing to save face at this point, so enjoy your haxord by teh pentag0n fantasies.
       
Post #3280351 by kaniini@pleroma.site
       2019-01-23T08:12:31.357040Z
       
       0 likes, 0 repeats
       
       @tga
       > works in a security research lab
       > haxord by teh pentag0n fantasies.
       actually, I believe it is you playing the wargames, and me applying common sense practices here in the real world. Enjoy your wargames though.