Posts by harrysintonen@infosec.exchange
(DIR) Post #Ay57IONAmCrGdBACaO by harrysintonen@infosec.exchange
2025-09-10T21:33:22Z
0 likes, 0 repeats
So how does CVS use pagealign_xalloc? Like this:

    /* Allocate more buffer_data structures. */
    /* Get a new buffer_data structure. */
    static struct buffer_data *
    get_buffer_data (void)
    {
        struct buffer_data *ret;

        ret = xmalloc (sizeof (struct buffer_data));
        ret->text = pagealign_xalloc (BUFFER_DATA_SIZE);
        return ret;
    }

Surely BUFFER_DATA_SIZE will be something sensible? Unfortunately it is not:

    #define BUFFER_DATA_SIZE getpagesize ()

So it will create total_data_size / pagesize list nodes in the linear list. Maybe it's not that bad if the nodes are released in an optimal order?

The pagealign code always stores new nodes at the head of its list:

    new_node->next = memnode_table;
    memnode_table = new_node;

The data nodes in the CVS code are however inserted at the list tail:

    newdata = get_buffer_data ();
    if (newdata == NULL)
    {
        (*buf->memory_error) (buf);
        return;
    }
    if (buf->data == NULL)
        buf->data = newdata;
    else
        buf->last->next = newdata;
    newdata->next = NULL;
    buf->last = newdata;

This creates a pathological situation where the nodes in the aligned list are in the worst possible order, as buf_free_datas() walks the internal list from first to last node, calling pagealign_free:

    static inline void
    buf_free_datas (struct buffer_data *first, struct buffer_data *last)
    {
        struct buffer_data *b, *n, *p;

        b = first;
        do
        {
            p = b;
            n = b->next;
            pagealign_free (b->text);
            free (b);
            b = n;
        } while (p != last);
    }

In short: This is very bad. It will be slow as heck as soon as large amounts of data are processed by this code.

So imagine you have a 2GB buffer allocated using this code on a system that has a 4KB pagesize. This would result in 524288 nodes. Each node would be stored in two lists: in the first one they're last-head and in the other they're last-tail.

When buf_free_datas is called for this buffer, it will walk totalnodes - index pagealign nodes for each of the released nodes. The first iteration is (524288 - 1) "unnecessary" node walks, the second (524288 - 2) and so forth. In other terms, "the sum of all integers smaller than itself", so in total totalnodes * (totalnodes - 1) / 2 extra operations. This gives 137438691328 iterations.
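Added illustration, not code from CVS or from the post above: a small C model of the two lists (a head-inserted allocator list and a tail-inserted buffer_data list) that counts the nodes pagealign_free has to pass over. Freeing in buf_free_datas order costs n * (n - 1) / 2 wasted walks; freeing last-to-first costs none. The function and struct names are made up for the model.

```c
#include <stdlib.h>

/* Constructed model (not CVS code) of the two lists described above: a
 * head-inserted memnode list and a tail-inserted buffer_data list. */
struct memnode { void *addr; struct memnode *next; };
struct buffer_data { void *text; struct buffer_data *next; };
static struct memnode *memnode_table;
static unsigned long walk_steps;   /* nodes passed over while freeing */
static void *model_pagealign_xalloc(void)
{
    struct memnode *node = malloc(sizeof *node);
    node->addr = malloc(1);          /* stands in for one page */
    node->next = memnode_table;      /* new node always goes to the head */
    memnode_table = node;
    return node->addr;
}
static void model_pagealign_free(void *addr)
{
    struct memnode **pp = &memnode_table, *node;
    while ((*pp)->addr != addr) {    /* every addr is present in this model */
        walk_steps++;                /* one wasted comparison */
        pp = &(*pp)->next;
    }
    node = *pp; *pp = node->next;
    free(node->addr); free(node);
}
/* Allocate n pages via tail-inserted buffer_data nodes, then free them
 * first-to-last as buf_free_datas does (reverse == 0) or last-to-first
 * (reverse != 0). Returns the total number of wasted list walks. */
unsigned long count_free_walks(unsigned long n, int reverse)
{
    void **pages = malloc((n + 1) * sizeof *pages);
    struct buffer_data *head = NULL, *last = NULL, *next;
    unsigned long i;
    walk_steps = 0; memnode_table = NULL;
    for (i = 0; i < n; i++) {
        struct buffer_data *newdata = calloc(1, sizeof *newdata);
        newdata->text = model_pagealign_xalloc();
        if (head == NULL) head = newdata; else last->next = newdata;
        last = newdata;
    }
    for (i = 0; head != NULL; i++, head = next) {  /* keep list order */
        next = head->next; pages[i] = head->text; free(head);
    }
    for (i = 0; i < n; i++)
        model_pagealign_free(pages[reverse ? n - 1 - i : i]);
    free(pages);
    return walk_steps;
}
```

With n = 524288 the forward order gives the 137438691328 walks computed above; the model uses a small n so that it runs in an instant.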
(DIR) Post #Ay57IOQiZ1h4oAp26y by harrysintonen@infosec.exchange
2025-09-10T20:55:30Z
0 likes, 0 repeats
Presumably mmap should always return pagesize aligned memory, so it is a bit puzzling why the mmap codepath uses the list at all. Possibly an oversight there as well?
(DIR) Post #Ay57ISRZdmktFzFm08 by harrysintonen@infosec.exchange
2025-09-10T22:15:17Z
1 likes, 0 repeats
So, has CVS always been this broken?

It doesn't look like it. At least some versions of CVS use far more sensible code: https://github.com/openbsd/src/blob/56696e8786be09c79aaaadb09d99b103c314f835/gnu/usr.bin/cvs/src/buffer.c#L92

This code doesn't suffer from the "two lists" syndrome, so it remains fast no matter what. It allocates 16 pages at a time. It never frees the memory and just keeps it in a list to be reused when the need arises.
(DIR) Post #Ay69aApEHKUYtQqxtY by harrysintonen@infosec.exchange
2025-09-11T08:45:50Z
7 likes, 6 repeats
Many moons ago, a friend ran an SSH honeypot that had a unique feature: when the attacker gained "access" to the system, he could then send responses to the interactive commands the attackers executed over an IRC channel.

One day, some attacker popped in, and he started to taunt them live. Often, the attackers were just throwing in some copypasta and weren't actually checking the responses. This one time, the attacker realised what was going on and was quite amused, and started to chat back, sending fake commands to see if he would get obvious human responses back (note that this was well before generative AI). This went on for some time, and some kind of a connection was formed. The attacker would come back to chat with my friend, logging in over SSH to this honeypot.

Eventually, the attacker divulged other means to communicate with him. He told my friend he was a bored Romanian guy who ran a kind of academy for young hacking talent. They'd gain access to some box, install their SSH bruteforcer (random IPv4 addresses and fixed password lists), and rinse and repeat.

Eventually, the attackers seemed to stop and disappear. My friend contacted them and asked what had happened: maybe they had been caught by authorities?

No such luck. Apparently, they had discovered some addictive online game that was more interesting.

Threat actor group defeated by Candy Crush.
(DIR) Post #AyhXSdwcfOiIHZFfDU by harrysintonen@infosec.exchange
2025-09-28T15:11:10Z
1 likes, 2 repeats
If #git makes #Rust mandatory it will block future git versions from being ported to our niche platform. While this would not immediately lock us out of repos (the current version will likely continue to work fine for some time), it would eventually complicate access (all git work would need to be circulated via some proxy setups or similar).

Needless to say, I'm not thrilled by this idea.

I am not against Rust. I am against a breaking change that leaves everyone not embracing Rust behind.

https://lore.kernel.org/git/20250904-b4-pks-rust-breaking-change-v1-0-3af1d25e0be9@pks.im/
(DIR) Post #AyjGikPd4qvU4Rpfqi by harrysintonen@infosec.exchange
2025-09-28T16:57:04Z
0 likes, 0 repeats
@kornel We of course employ cross-compiling. But still, being left out in that manner is unfortunate, as we try to offer as complete and modern a native SDK as possible.

I fully acknowledge that this is something we just have to live with. We are doing our own thing, and we can't possibly expect everyone else to cater for our platform quirks.

However, there are other platforms far from being this obscure that will be hit as well: various legacy Debian platforms (alpha, hppa, m68k and sh4), and NonStop, AIX and Solaris come to mind at least. There are likely more.
(DIR) Post #AyjnS5p9Vrn42gR9Bg by harrysintonen@infosec.exchange
2025-09-30T16:03:13Z
1 likes, 1 repeats
#GitHub - Please make it possible to remove the autogenerated source archive links from releases. This is a cause of endless confusion as people accidentally download the wrong source code archive instead of the actual release one. I got bitten by this just moments ago: https://github.com/openssl/openssl/issues/28707 - sure, it was my own mistake to accidentally pick the wrong link, but just making this possible is stupid and would be trivial to fix.

I know the #curl project gets annoyed by this issue periodically as well and has requested this feature from GitHub.
(DIR) Post #AyyRBNrzskZZT1nH6W by harrysintonen@infosec.exchange
2025-10-07T13:58:04Z
0 likes, 0 repeats
Despite the recent media reporting, #Windows installation with local accounts is working just fine. Create regular Windows installation media, drop autounattend.xml to the root of the USB device and install.

You can craft the autounattend.xml yourself or use a service like https://schneegans.de/windows/unattend-generator/ to generate it.

If the installation demands that you connect to the internet, you can bypass this part by pressing Shift+F10 and then entering oobe\bypassnro + <return>. After the installer restarts, you'll have the "I don't have internet" option, and the installation will proceed.

EDIT: To clarify: While I did not test the latest insider build, I believe this method will continue to work, even with it. I'll be sure to edit the post if this turns out to be incorrect.
(DIR) Post #AzOZ8x0SdjQPJd3rzk by harrysintonen@infosec.exchange
2025-10-20T08:45:26Z
0 likes, 1 repeats
IRC is working just fine. As always.
(DIR) Post #AzOa8NKJOdx0bvdUcS by harrysintonen@infosec.exchange
2025-10-20T08:10:58Z
4 likes, 5 repeats
A lot of services that are supposedly running in EU are currently having significant issues due to AWS US-EAST-1 being impacted. But surely this is just some dependencies that are down and all our data is really stored in EU. Right?

https://health.aws.amazon.com/health/status
(DIR) Post #AzdUGEYkHvRaVrIvJY by harrysintonen@infosec.exchange
2025-10-27T12:12:50Z
1 likes, 0 repeats
Six people - including City of Helsinki officials and a machine operator - have been charged with environmental degradation after a protected brook was damaged during logging in Laajasalo in 2023.

In the trial, the environmental activists, who tried to stop the logging to protect the brook, were acquitted. The Helsinki District Court ruled that the activists were justified in defying police orders, and their actions likely prevented further environmental harm.

This ruling is considered a historic precedent, as the court recognised that protecting nature can, in some cases, justify actions otherwise deemed criminal.

News (in Finnish): https://www.hs.fi/alueet/art-2000011586455.html

#environment #activism #civildisobedience
(DIR) Post #AzfKRdRZUz4TeMfNQ0 by harrysintonen@infosec.exchange
2025-10-28T10:47:23Z
0 likes, 1 repeats
A draft proposal for the Finnish Transport and Communications Agency's domain name fees includes:
- The annual domain name fee would increase from €9 to €12 (+33%)
- The annual registrar fee would be €400 per year

Currently individuals can manage their own domains by registering as a private registrar (not offering the service to others). The €400 fee effectively kills this option. Having managed my own domains until now, I'm not happy with this proposal.

The proposal is open for comments (in Finnish and Swedish): https://www.lausuntopalvelu.fi/FI/Proposal/Participation?proposalId=bb3cd297-6c3b-456e-b647-e434208148ef
(DIR) Post #AziVSvUvXcgSu4vxuC by harrysintonen@infosec.exchange
2025-10-29T22:51:01Z
0 likes, 1 repeats
The recent #AWS and #Azure outages have been a wake-up call for anyone working in critical sectors (transport, healthcare, finance, utilities - both digital and traditional, food production, administration, etc). If your core service could not function during these minor outages, you need to take action to remedy this. #Preparedness is essential in ensuring a functioning society even in exceptional conditions.

#AWSOutage #AzureOutage
(DIR) Post #Azo7K3iGOdc3pBAcJE by harrysintonen@infosec.exchange
2025-11-01T14:55:09Z
4 likes, 2 repeats
#Microsoft is clearly becoming desperate due to low adoption rates of #Copilot.

Apparently, Microsoft is now pushing Copilot to all #Microsoft365 personal subscribers and calling it a "subscription price increase". Only when you decide to cancel your subscription are you presented with the option to switch to "Microsoft 365 Personal Classic" without Copilot (and nearly the old price). The classic plan is not presented as an option unless you try to cancel your subscription.

This is a classic scammy trick: Modify the existing plan and add the feature no one wants and hide the old plan from view. Presto, now you have an insane adoption rate you can present to investors as a great success.

I personally don't use Microsoft subscription services, so I don't know if they tried this bullshit in the EU, but if they did, they're asking for trouble. They got sued in Australia over this already: https://www.accc.gov.au/media-release/microsoft-in-court-for-allegedly-misleading-millions-of-australians-over-microsoft-365-subscriptions "Microsoft in court for allegedly misleading millions of Australians over Microsoft 365 subscriptions"
(DIR) Post #B0AL6SmoPMjQ7VP9u4 by harrysintonen@infosec.exchange
2025-11-11T23:02:24Z
2 likes, 4 repeats
This is a reminder to everyone that security is more than just memory safety. https://www.phoronix.com/news/sudo-rs-security-ubuntu-25.10

#rust #vulnerability #sudo_rs
(DIR) Post #B0X5HACJ9q9Dw5eAsq by harrysintonen@infosec.exchange
2025-11-21T19:56:31Z
0 likes, 0 repeats
I'm no fan of #Rust by any measure, but I think it's unfair to blame Rust for the Cloudflare outage - mistakes are language agnostic and very portable.
(DIR) Post #B2kOBRdXb1nSjgvVBY by harrysintonen@infosec.exchange
2026-01-28T14:16:00Z
1 likes, 0 repeats
It was interesting to read up on the AI assisted code review at https://www.lesswrong.com/posts/7aJwgbMEiKq5egQbd/ai-found-12-of-12-openssl-zero-days-while-curl-cancelled-its

For context: I'm personally responsible for at least 29 curl CVEs. Out of the recent 6 CVEs mentioned in the blog post, I found two. This gives me some perspective, I think.

I do not utilise AI tools in my vulnerability research. I am also fiercely critical of the harmful proliferation of AI. This is due to the unsustainable way it is currently pushed, and its use as a marketing ploy and gimmick rather than producing measurable benefit to users. This leads to negative impacts on the economy, education & learning, not to mention impacts on nature due to wasteful use of energy.

This doesn't mean I am against AI. I have written my own AI tooling (fully local RAG with support for an arbitrary number of models running on local nodes, implemented in Python). I found the usefulness of such a tool to be limited at best. It is somewhat useful in mass analysis of large document bases, but the level of analysis is superficial at best. These AI models are after all just language models, and do not have any true understanding or intelligence.

And here is the gist of it: The current tools are not intelligent. Understanding this limitation is the key to successful deployment and utilisation of AI tools. The tools can be useful in certain tasks, but they do not replace true intelligence.

The AI tooling AISLE are developing certainly is one of the better uses of AI, and definitely surpasses all my personal dabbling around it. It is clear that the tool does find vulnerabilities. The key question is how many hallucinations and false positives it produces: If the tool generates thousands of FPs and the true findings are hidden among them, this limits the value and usefulness of the tool (of course it doesn't entirely negate it; many tools produce false positives).

In short: The quality of the findings is key, and a poor signal-to-noise ratio is highly undesirable.

Either way, I think there is a future for AI tools and they definitely will be helpful in vulnerability research.

I personally will keep exercising my wetware for this work, however.

#cybersecurity #infosec #vulnerabilityresearch #thoughtoftheday
(DIR) Post #B4gNXxOgUf46LUTysa by harrysintonen@infosec.exchange
2026-03-25T23:47:28Z
1 likes, 0 repeats
#Microsoft sent an email to everyone saying they're listening to people now and they will definitely not be pushing AI to everything anymore.

Also, Microsoft enabled #github to collect all your "inputs, outputs and associated context to train and improve AI models". This new tickbox is enabled by default, even if you explicitly disabled Copilot before.

Actions speak louder than words.

You can disable the option at https://github.com/settings/copilot/features

#enshittification
(DIR) Post #B5ZsBmzOIDZpy5MCtU by harrysintonen@infosec.exchange
2026-04-22T21:06:25Z
0 likes, 1 repeats
I've tried to report a security vulnerability to @signalapp for months now (first attempt was 2025-11-23 to the official security-at email address). I haven't gotten any response from them, even after repeated attempts. This is highly frustrating.

Is there a way to reach them? I don't need any kind of special treatment, just someone acknowledging that the message has been received would be okay.

#signalapp
(DIR) Post #B6BCkeKVfQLlB9eX5M by harrysintonen@infosec.exchange
2026-05-11T07:09:45Z
1 likes, 3 repeats
Vulnerabilities found in #curl:
#Mythos: 1
Me: 30
- https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-vulnerability/
- https://sintonen.fi/advisories/