Post 9ptSk3AWeFTgsGyfb6 by 0x00@social.panthermodern.net
Post #9prvSD8JN4yWv6rru4 by seven@social.panthermodern.net
2019-12-11T22:13:06Z
0 likes, 0 repeats
You know all those roms out there for all those androids, how do you know if any of them are... compromised or not?! I mean it's not like most people would have a clue... :blobcatfearful:
Post #9prxadHOF8TYEkG2t6 by 0x00@social.panthermodern.net
2019-12-11T22:37:01Z
2 likes, 1 repeats
@seven This is often my go-to argument against Android in general. Like, sure, "owning" your device is from an infosec point of view better than just using the stock rom your manufacturer shipped your device with, which could (and sometimes does) contain bloatware, adware, invasive telemetry and so on. But "owning your device" doesn't mean "installing a random LineageOS rom from an xda developers post made by some Russian 16 yo miracle tech boy". And more often than not, making a rom yourself is literally impossible because of proprietary drivers, so rom makers very often resort to just throwing in some blobs from the original roms. So basically now you not only have the manufacturer's bugs and backdoors but also potentially the Russian government's and the kid's backdoors (even if he was well-intentioned, he could have his Android Studio infected by a supply chain attack, this even happens to big manufacturers like Realtek so...). Yeah I'll keep my iPhone thanks.
Post #9prxu56n02a236Zbnc by seven@social.panthermodern.net
2019-12-11T22:40:33Z
0 likes, 0 repeats
@0x00 Sooooooooooooooo much this! But I mean, you have to admit making one that's attractive to a certain population has some kind of appeal, and if it does for us, you have to know US gov already does this (and most certainly other govs)...
Post #9pryFTdF18QOBjxFTc by 0x00@social.panthermodern.net
2019-12-11T22:44:25Z
0 likes, 0 repeats
@seven Some people don't seem to realise that if the Russians "hacked" the US elections mostly through social engineering, there are much bigger things they can do. (They as in "government", like any country, not just Russia.) And one of those things that would be crazy profitable would be to have a few hackers working on making roms for xda under a pseudonym, and just have people install those roms. It's not like they go through rigorous testing anyway. People just flash and forget, nobody is going to tcpdump their phone traffic to inspect it closely... Boy, I should learn Android rom cooking :P
Post #9pryKauZNbdqDHV3zs by seven@social.panthermodern.net
2019-12-11T22:45:21Z
0 likes, 0 repeats
@0x00 Fuck roms, try kernels... ;)
Post #9pryS5CLAnYcAlNo7E by 0x00@social.panthermodern.net
2019-12-11T22:46:42Z
0 likes, 0 repeats
@seven Oh BOY, I remember the first MIUI versions. They would completely bork kernel debug output if you dared to install a different kernel than the stock one. I wonder why that would be? Surely just to protect their IP and for no other nefarious purposes...
Post #9pt7OAQQtE6lyK8sC0 by pertho@bsd.network
2019-12-12T12:01:29Z
0 likes, 0 repeats
@0x00 @seven I'm still waiting for an OpenBSD-based phone. Of course I doubt this will ever happen.
Post #9pt8n2mIYjrjRpnO2S by 0x00@social.panthermodern.net
2019-12-12T12:17:15Z
0 likes, 0 repeats
@pertho @seven For what purpose would you need an OpenBSD-based phone exactly?
Post #9pt8sc7UaQoOVTMgTI by pertho@bsd.network
2019-12-12T12:18:08Z
0 likes, 0 repeats
@0x00 @seven Security? built-in pf? However the baseband drivers are closed blobs so it'd never happen.
Post #9pt9Ao64nJuurjNTs0 by 0x00@social.panthermodern.net
2019-12-12T12:21:33Z
0 likes, 0 repeats
@pertho @seven OpenBSD's kernel is pretty secure... Until you start adding third party software to the installation, then you add more points of failure. You know what's crazy secure and just as useful as a bare OpenBSD phone with no apps? A dumbphone with monochrome screen and no Internet connectivity.
https://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/
Post #9pt9Ezl9NLfKC7aRLk by pertho@bsd.network
2019-12-12T12:22:18Z
0 likes, 0 repeats
@0x00 @seven Agreed, but these days you want some kind of functionality on your phone. I don't know if I could go back to a dumb phone.
Post #9pt9UnHbWyKY8HIgM4 by 0x00@social.panthermodern.net
2019-12-12T12:25:09Z
0 likes, 0 repeats
@pertho @seven What I'm saying is that OpenBSD is as secure as the services you run on an OpenBSD box. For example, OpenBSD with all ports closed is literally unhackable (well, probably not true but let's just say so for the sake of the argument). Now, if you install Apache web server (or Nginx, I don't care), your system is now approximately as vulnerable as a Linux server with all ports closed and the same web server running. And probably much more vulnerable than a Linux server with the same web server and SELinux.
Post #9pt9uhUZgQxjhZiiXY by pertho@bsd.network
2019-12-12T12:29:49Z
0 likes, 0 repeats
@0x00 @seven OpenBSD "much more" vulnerable than a Linux server with the same web server and SELinux. I disagree. OpenBSD has security features Linux just doesn't have and they continue to improve upon that. Linux just doesn't concentrate on security as much as OpenBSD does. I'm sure another #OpenBSD developer can elucidate on this, but the first things that come to mind are: pledge, unveil, W^X, and more.
Post #9ptAIJkTc3Z90qQ5a4 by pertho@bsd.network
2019-12-12T12:34:05Z
0 likes, 0 repeats
@0x00 @seven How many Linux web servers run under a chroot jail these days? I've seen none. (I'm a Sysadmin of 20+ years and I work with Linux daily.) By default OpenBSD's web root is chroot'able and enabled as such. To me, that's a lot more secure. If you run services, put them in a compartmentalized box. That way, if some hacker does somehow get in, they only have a tiny sandbox to mess with, not an entire system.
Post #9ptAIanaDl9TtP0JHc by 0x00@social.panthermodern.net
2019-12-12T12:34:10Z
0 likes, 0 repeats
@pertho @seven Are you familiar with SELinux? Do you remember Shellshock? It affected everything with bash. From routers running NetBSD, to Apache Linux servers, OpenBSD included. You know what distributions were considerably more secure against Shellshock? Take a guess. Yes, SELinux-enabled ones. Have a read https://www.nexor.com/shellshock-selinux/ You can disagree if you wish, but this is just one example of a vulnerability that was mitigated by Shellshock which affected OpenBSD and Linux equally. Mind you: SELinux is not an excuse not to patch your systems, but it offers great protection against zero-days at least until a workaround is found. Oh, you know what also runs SELinux? Android. Since 5.0. https://source.android.com/security/selinux/
Post #9ptAPKBQOYzsO6Mjq4 by 0x00@social.panthermodern.net
2019-12-12T12:35:23Z
0 likes, 0 repeats
@pertho @seven You don't really need chroot if your applications are SELinux-aware :)
Post #9ptAVxbAlMnmMyZbX6 by 0x00@social.panthermodern.net
2019-12-12T12:36:35Z
0 likes, 0 repeats
@pertho @seven Besides, a chroot won't prevent a hacker, for example, from taking advantage of an RCE vulnerability on Nginx that allows him to send customizable packets to LAN peers. You know what would prevent that? That's right, SELinux again.
Post #9ptAa3R10RbDd1m4xs by pertho@bsd.network
2019-12-12T12:37:19Z
0 likes, 0 repeats
@0x00 @seven Actually the pf firewall can stop that nonsense pretty effectively.
Post #9ptAhckO76ldAvRfm4 by pertho@bsd.network
2019-12-12T12:38:40Z
0 likes, 0 repeats
@0x00 @seven I'd rather run an OS that strives to be secure by default than one that needs a massive band-aid (SELinux) put on it to be secure. And yes, I used to be a massive Linux fan back in the day.
Post #9ptAineD4WCVGu7GmO by 0x00@social.panthermodern.net
2019-12-12T12:38:55Z
0 likes, 0 repeats
@pertho @seven Sure, you can spend hours tweaking and locking down your system, putting everything into chroots with restrictive firewalls and all that... or you can just use the CentOS repositories to get SELinux-aware software which has all these restrictions already in place.
Post #9ptAvNvtzPobHeOPeC by 0x00@social.panthermodern.net
2019-12-12T12:41:11Z
0 likes, 0 repeats
@pertho @seven Nothing is a silver bullet. Nothing can be secure by default all the time every time. Defense in depth is the only logical solution. You can disagree but you're not disagreeing just with me but with the entire infosec community. You can't just rely on a single solution from a single vendor. It just doesn't really work like that at all. The most secure system is the one that's disconnected from mains, network, user input devices and locked away in a safe, buried 5 km underground.
Post #9ptBVdi8nwWudxFAIa by pertho@bsd.network
2019-12-12T12:47:42Z
0 likes, 0 repeats
@0x00 @seven Of course nothing is a silver bullet. All you can do is secure it the best way you can. People find bugs all the time. Sorry but you're not going to get me to run CentOS anytime soon. Systemd, libraries that are ancient, software that is more ancient. No thanks.
Post #9ptC7YeY3fZxxcdzbE by 0x00@social.panthermodern.net
2019-12-12T12:54:35Z
1 likes, 0 repeats
@pertho @seven Ah yes the typical "systemd bad".
Post #9ptCJCqYxWBnnxomZ6 by pertho@bsd.network
2019-12-12T12:56:40Z
0 likes, 0 repeats
@0x00 @seven systemd has an extremely bad security record.
Post #9ptCkHafQk6gKsIIOO by 0x00@social.panthermodern.net
2019-12-12T13:01:34Z
0 likes, 0 repeats
@pertho @seven So did Windows. And now it's crazy secure. Good luck running anything on a properly platformed enterprise laptop. And so did (and to some extent still does) Android and iOS. But really it all boils down to social engineering. Why develop a super complex exploit that requires 4 stages to deploy when you can just call IT posing as the manager to tell them to reimage all office computers with a poisoned file... And there's also the "many eyes" theory. The more something is used, the more likely it's going to be that someone finds a vulnerability in it. I don't remember ever reading about Inferno vulnerabilities, or OpenBSD for that matter. I do however remember reading about vulnerabilities that targeted the exact same software stack CentOS was running and were immediately mitigated by SELinux without sysadmin intervention.
Post #9ptCrKr5gptyUML5A8 by irl@57n.org
2019-12-12T13:00:11.490599Z
0 likes, 0 repeats
@0x00 @pertho @seven I actually like systemd as a user, things like user lingering combined with "systemctl --user" services, timers, etc. are really cool. I don't want to look under that hood though and I wouldn't trust myself to understand it well enough to secure it. OpenBSD I understood well enough in the space of weeks to start kernel hacking on it. See hambsd.org. The readable code makes things easy to understand, easy to review, and as a side effect you get some security too.
Post #9ptCrL6gkqNXGjdXTU by 0x00@social.panthermodern.net
2019-12-12T13:02:49Z
0 likes, 0 repeats
@irl @pertho @seven systemd is amazing from a sysadmin perspective. If you want to manage a server farm with hundreds or thousands of servers, systemd is just built properly to accommodate that use case. runit, upstart, sysv... Well, not so much.
Post #9ptCwMEZzUTuDGijS4 by pertho@bsd.network
2019-12-12T13:03:44Z
0 likes, 0 repeats
@0x00 @irl @seven I ran 100s of Ubuntu Linux boxes with upstart/sysv with Puppet for years before systemd came along. *shrug*
Post #9ptCyyKXJzVIwekmEC by 0x00@social.panthermodern.net
2019-12-12T13:04:15Z
0 likes, 0 repeats
@pertho @irl @seven Puppet, Puppet's the keyword. Yes.
Post #9ptD5J3RBML8xQmAdc by irl@57n.org
2019-12-12T13:04:15.265769Z
0 likes, 0 repeats
@0x00 @pertho @seven there is a difference between having the feature set you want and having quality secure code. I'm not arguing it doesn't have the features.
Post #9ptD5JUNZBtIIzNgdE by 0x00@social.panthermodern.net
2019-12-12T13:05:22Z
0 likes, 0 repeats
@irl @pertho @seven Like I said before, a computer that is shut down can't really do anything in such a state. It doesn't have features at all. But it is also secure. A C program that sleeps 1 second and then exits is also very secure. Useful? Not so much.
Post #9ptDAFSrxMVFGv1nlI by 0x00@social.panthermodern.net
2019-12-12T13:06:16Z
0 likes, 0 repeats
@irl @pertho @seven And RHEL, systemd, GNOME, KVM, SELinux and related technologies are backed by industry leaders with funds to hire the best of the best. OpenBSD doesn't really have many sponsors. And you can't hire developers with promises.
Post #9ptDYyLQkGQzPmL0V6 by pertho@bsd.network
2019-12-12T13:10:41Z
0 likes, 0 repeats
@0x00 @irl @seven If that were true, wouldn't we be seeing some of the BEST code written by Google, Facebook and Amazon developers? I remain unconvinced. Especially after hearing that the AWS code is a mix of unmaintainable Perl 4 code with Java and Ruby thrown in.
Post #9ptDbVILCyFYBf6Fyy by irl@57n.org
2019-12-12T13:08:23.712943Z
0 likes, 0 repeats
@0x00 @pertho @seven you'd need to point me at something that shows that financial pressure turns into better code than would be produced by someone that is doing it because they enjoy it
Post #9ptDbVYeELIH0EjHOq by 0x00@social.panthermodern.net
2019-12-12T13:11:12Z
0 likes, 0 repeats
@irl @pertho @seven Simple logic. Eventually, developers would like to feed themselves and their families too. Working for Red Hat or any big corporation would help you out. For OpenBSD... You can hack it during your free time but not much else. Maybe if you're unemployed you can devote more time to it, but that's really about it. I'm not saying it's a direct relationship that holds every time, but it seems logical there is an implication there. A one-sided implication.
Post #9ptDk6sbLuxD4TAF04 by 0x00@social.panthermodern.net
2019-12-12T13:12:45Z
0 likes, 0 repeats
@pertho @irl @seven Well... Let's first define "best". More features? More secure? More user-friendly? I bet GIMP's code quality is much better than Photoshop in terms of documentation and accessibility. But which is the more powerful of those two applications?
Post #9ptEXu5nAYkLtK4rdw by irl@57n.org
2019-12-12T13:17:54.389187Z
0 likes, 0 repeats
@0x00 @pertho @seven When your goal is to make money, you will make different decisions than if your goal were to do the best thing for your users, whatever your definition of "best" is (unless your users are exclusively shareholders).
Post #9ptEXuMo9IMEk62SAK by 0x00@social.panthermodern.net
2019-12-12T13:21:44Z
0 likes, 0 repeats
@irl @pertho @seven Well I'm sure Red Hat would want to build the best, most secure Linux distribution for enterprises.
Post #9ptLCxABFxg10s5TP6 by qbit@bsd.network
2019-12-12T14:36:21Z
0 likes, 0 repeats
@0x00 @pertho @seven pf is a lot easier to configure than selinux! Sure selinux can stop a ton of things.. but it has to be enabled to do so. Most places don't enable it. I was at a very large company when shellshock hit.. vendors were hit.. the company was hit.. machines running selinux were hit.. Security that is hard to put into practice isn't used.
Post #9ptSk3AWeFTgsGyfb6 by 0x00@social.panthermodern.net
2019-12-12T16:00:48Z
0 likes, 0 repeats
@qbit @pertho @seven And you find OpenBSD roots easier to configure than SELinux which comes enabled, enforced out of the box, and repositories full of SELinux aware applications? Give me a break.
Post #9ptSyJgK3CAa8seXtA by qbit@bsd.network
2019-12-12T16:02:15Z
0 likes, 0 repeats
@0x00 @pertho @seven you mean chroots? nginx is literally configured with chroot out of the box.
Post #9ptV8dax4GE2hsBqjY by seven@social.panthermodern.net
2019-12-12T16:27:39Z
0 likes, 0 repeats
@qbit @0x00 @pertho Ehhhh I tend to avoid SELinux if possible (and I do mean stripping it from the kernel as well). There is something about NSA code that bugs me... I dunno that anyone can necessarily win the security argument BSD vs Linux really, they both have pros and cons, it really comes down to what the system itself is being used for. I tend to use FreeBSD a ton for purpose built application servers for example. When the box is going to have multiple responsibilities I tend to use some Linux variant, again the distro choice varies based on what that machine will be doing, and the maintenance of the applications that box will need to run. I can say though, Arch is looking very attractive on mobiles, I really think that will be the kind of future we have, and move away from stuff like slim OSes on handsets soon, which is about freaking time. It's generally just about getting those binary drivers into such systems.
Post #9ptXAuEeN1F0nqy5PU by 0x00@social.panthermodern.net
2019-12-12T16:50:29Z
0 likes, 0 repeats
@qbit @pertho @seven I meant chroot yes. You say Nginx, I say the entire CentOS, Fedora, RHEL and EPEL repositories come configured with SELinux rules. Do all programs on OpenBSD's repositories come with chroot enabled?
Post #9ptXlCU20ASHp7T8lM by qbit@bsd.network
2019-12-12T16:57:01Z
0 likes, 0 repeats
@0x00 @pertho @seven a large number of things in base are pledged and unveiled which has overlap into the selinux rules. chroot is a mechanism that is used in conjunction with many other mitigations (priv sep, pledge, unveil, least access... etc). Layered security is best. I am not saying that selinux is crap.. or that either mechanism is better at securing entire systems. All I am saying is that in practice most people/companies disable or neuter selinux because it causes strange issues.
Post #9ptgkq764VNM22e15c by 0x00@social.panthermodern.net
2019-12-12T18:37:47Z
0 likes, 0 repeats
@qbit @pertho @seven if by "strange issues" you mean "our junior technician who earns 10 dollars an hour who just finished college is unable to configure and diagnose SELinux properly even when there's tons of documentation online and we prefer to turn it off instead of hiring an experienced system administrator" then yes, it does cause strange issues indeed.
Post #9pth9N8QwxCFOdy3qC by qbit@bsd.network
2019-12-12T18:42:13Z
0 likes, 0 repeats
@0x00 @pertho @seven all I am saying is.. there are enterprise deployment policies that say "disable selinux". I am not arguing the technical ability of anyone.. I am not even saying that the policy _should_ exist. I am simply saying that it does and that the practice is commonplace. And that's a shame.
Post #9pthIgKQxSdfWx1I9Y by 0x00@social.panthermodern.net
2019-12-12T18:43:56Z
0 likes, 0 repeats
@qbit @pertho @seven Those enterprise deployment policies won't suggest to use OpenBSD with chroots either. They will most likely instruct you to install a vanilla Ubuntu Server and blindly copy-paste a few bash commands and perhaps run one or two Docker containers for good measure. If you don't care about security, you don't care about security.
Post #9pthbu5m0fB3ifKPnE by qbit@bsd.network
2019-12-12T18:47:24Z
0 likes, 0 repeats
@0x00 @pertho @seven possibly! My guess is it would be entirely dependent on the development cycle of whatever app. (I have seen a lot of "prod must match dev env" BS.) That said. On OpenBSD there are levels of mitigation that are non-configurable like pledge and unveil (baked into binaries). So the only option for "disabling" these things would be to not use OpenBSD.