Posts by djm@cybervillains.com
(DIR) Post #ATfcqFghcyR8K7MSFk by djm@cybervillains.com
2023-03-16T06:48:52Z
0 likes, 1 repeats
OpenSSH 9.3 has been released. This release contains fixes for a security problem relating to destination-restricted smartcard keys in ssh-agent, a memory safety fault (out-of-bound stack read) in some DNS-related code used by VerifyHostKeyDNS as well as a number of small bugfixes and minor featureshttps://www.openssh.org/releasenotes.html#9.3
(DIR) Post #ATxDrtlxwUuS2VF6ye by djm@cybervillains.com
2023-03-24T10:09:37Z
0 likes, 0 repeats
@isomer @mjg59 @offby1 my opinion is basically https://cybervillains.com/@djm/110077675622139561OpenSSH already supports graceful key rotation that could have helped GitHub avoid breaking clients. However they don't use OpenSSH for serving and AFAIK haven't implemented the protocol extension (which has other benefits) for their server.
(DIR) Post #ATxDsVhguq4LgFXEae by djm@cybervillains.com
2023-03-24T22:13:10Z
0 likes, 0 repeats
@isomer @mjg59 @offby1 the key rotation support means that the client would _already have_ alternate keys for the endpoint and that Github could have stopped serving RSA keys to them. They could have identified the clients that supported the extension via SSH- banner string
(DIR) Post #ATxECbtpac8CginWV6 by djm@cybervillains.com
2023-03-24T22:19:29Z
0 likes, 0 repeats
@mjg59 @isomer @offby1 right - key rotation requires online proof of possession of the private key.In this case however, it was just one of them leaked - the RSA key and not the ECDSA or Ed25519 keys.
(DIR) Post #ATxFLeMpsq70u0Es8e by djm@cybervillains.com
2023-03-24T10:00:32Z
0 likes, 0 repeats
I see it's SSH Key Security Take Night, so here's mine: if GitHub implemented OpenSSH's key rotation protocol they could have gracefully rolled past their RSA key disclosure with no trust continuity break for most clients
(DIR) Post #AU0IULyqUusHoqjtQ0 by djm@cybervillains.com
2023-03-26T07:22:06Z
0 likes, 1 repeats
@adrianco @rss @mmasnick had friends https://www.wsj.com/articles/elon-musk-affair-sergey-brin-wife-divorce-11658674840
(DIR) Post #AXX8s34Ggm1UA5cOJc by djm@cybervillains.com
2023-07-09T23:46:51Z
0 likes, 0 repeats
@twylo if you had asked me this in 1997 I could have helped you :(I still remember SGI sending me the compiler license as a single piece of paper surrounded by bagged air in a giant box.
(DIR) Post #AXoJ2bPXD6Hb6aIXaK by djm@cybervillains.com
2023-07-18T04:19:57Z
0 likes, 1 repeats
did hell freeze over too? https://sourceware.org/git/?p=glibc.git;a=commit;h=454a20c8756c9c1d55419153255fc7692b3d2199
(DIR) Post #AXr8ERCfP7Fn02EXbM by djm@cybervillains.com
2023-07-19T14:32:43Z
1 likes, 4 repeats
We've just made an OpenSSH release to fix a remotely exploitable RCE vulnerability in ssh-agent's PKCS#11 support (CVE-2023-38408). Details at https://openssh.com/releasenotes.html#9.3p2Thanks to the Qualys Security Advisory Team for finding and reporting this bug.
(DIR) Post #AYafIo0kuE7QhXn5eK by djm@cybervillains.com
2023-08-10T05:41:46Z
0 likes, 1 repeats
I'm happy to announce that #OpenSSH 9.4 has been released.This release fixes a few bugs and adds a few small features. Full release notes at https://www.openssh.com/releasenotes.html#9.4p1
(DIR) Post #AZoVSojWzVQWnkkifI by djm@cybervillains.com
2023-09-16T02:35:53Z
0 likes, 1 repeats
We quietly released the code a little while ago but this is the official announcement of Capslock, our contribution to the supply-chain security conversation.https://security.googleblog.com/2023/09/capslock-what-is-your-code-really.htmlCapslock is a tool for understanding at high level what a given piece of (Golang) code is capable of and for detecting when an update to a library changes this capability set, to give users a chance to catch supply-chain attacks in progress.1/2
(DIR) Post #AZoVSqVmNbcCJgKlVY by djm@cybervillains.com
2023-09-16T02:37:00Z
0 likes, 0 repeats
We look forward to further improving the tool and bringing this analysis to more languages. Keep a look out for Jess' talk at Gophercon in a couple of weeks for more information. https://www.gophercon.com/agendaIf you use third-party Go libraries, then please give Capslock a try and let us know your feedback.
(DIR) Post #AaRGMt7jeYn5m6PS0u by djm@cybervillains.com
2023-10-04T10:28:52Z
0 likes, 1 repeats
OpenSSH 9.5 has just been released. https://www.openssh.com/releasenotes.html#9.5This release fixes some bugs and adds keystroke timing analysis countermeasures.
(DIR) Post #AbBdZaK6InSWNtNNz6 by djm@cybervillains.com
2023-10-26T15:13:26Z
0 likes, 0 repeats
@lcamtuf and I'm doing mushroom foraging tips. AMA!
(DIR) Post #Acca3zofYrZ2qDPaC0 by djm@cybervillains.com
2023-12-09T03:45:47Z
0 likes, 0 repeats
@fugueish @patrickod you can take printf from my cold dead hands
(DIR) Post #AcwFfJQyUFwC0pnRKK by djm@cybervillains.com
2023-12-18T15:46:36Z
0 likes, 1 repeats
OpenSSH 9.6 has just been released: https://openssh.com/releasenotes.html#9.6Among other things, this release contains a fix for the so-called Terrapin Attack (https://terrapin-attack.com/)
(DIR) Post #AczLPcbobsfy32eFNo by djm@cybervillains.com
2023-12-20T03:11:40Z
0 likes, 1 repeats
Nice to see ... basically everyone adopt OpenSSH's mitigation to the Terrapin attack https://www.openwall.com/lists/oss-security/2023/12/19/5
(DIR) Post #Ad0Ctxkcp2i1VBfHWq by djm@cybervillains.com
2023-12-20T09:27:35Z
0 likes, 1 repeats
The "robustness principle" is the most destructive concept in protocol design and implementation of all time. We should be embracing its inverse: strict, explicit state-machines with model-checked proofs
(DIR) Post #Ad0Ctz83hP31m9dVh2 by djm@cybervillains.com
2023-12-20T09:28:08Z
0 likes, 0 repeats
this post brought to you by the Terrapin attack
(DIR) Post #Ad0Cu1D5xeGUEM0Yoy by djm@cybervillains.com
2023-12-20T09:28:16Z
0 likes, 0 repeats
and gin