Posts by harrysintonen@infosec.exchange
 (DIR) Post #Axu8tlbhJkdacXmefY by harrysintonen@infosec.exchange
       2025-09-04T17:35:42Z
       
       0 likes, 0 repeats
       
        Windows Defender now detects #FanControl, a well-regarded Windows application, as malicious. While Fan Control isn't malicious per se, since it uses the #WinRing0 driver, it will allow any user level app to gain privileged access to the system as NT AUTHORITY\SYSTEM. Fan Control needs to find a way to access the registers by other means. https://nvd.nist.gov/vuln/detail/cve-2020-14979
       
 (DIR) Post #Axu8tmYtldzba9Tvwe by harrysintonen@infosec.exchange
       2025-09-04T17:57:14Z
       
       1 likes, 0 repeats
       
       The security issue with WinRing0 is explained in layman’s terms by Gamers Nexus & Level1 Techs in this video:  https://www.youtube.com/watch?v=H_O5JtBqODA
       
 (DIR) Post #Ay57IJcESmvvsRAerg by harrysintonen@infosec.exchange
       2025-09-10T19:39:13Z
       
       1 likes, 0 repeats
       
        As it happens, we still use CVS in our operating system project (there are reasons for doing this, but migration to git would indeed make sense).

        While working on our project, we occasionally have to do a full checkout of the whole codebase, which is several gigabytes. Over time, this operation has gotten very, very, very slow - I mean "2+ hours to perform a checkout" slow.

        This was getting quite ridiculous. Even though it's CVS, it shouldn't crawl like this. A quick build of CVS with debug symbols and sampling the "cvs server" process with Linux perf showed something peculiar: the code was spending the majority of the time inside one function.

        So what is this get_memnode() function? Turns out this is a support function from Gnulib that enables page-aligned memory allocations. (NOTE: I have no clue why CVS thinks doing page-aligned allocations is beneficial here - but here we are.)

        The code in question has support for three different backend allocators:

        1. mmap
        2. posix_memalign
        3. malloc

        Sounds nice, except that both 1 and 3 use a linked list to track the allocations. The get_memnode() function is called when deallocating memory to find out the original pointer to pass to the backend deallocation function. The node search code appears as:

            for (c = *p_next; c != NULL; p_next = &c->next, c = c->next)
              if (c->aligned_ptr == aligned_ptr)
                break;

        The get_memnode() function is called from pagealign_free():

            #if HAVE_MMAP
              if (munmap (aligned_ptr, get_memnode (aligned_ptr)) < 0)
                error (EXIT_FAILURE, errno, "Failed to unmap memory");
            #elif HAVE_POSIX_MEMALIGN
              free (aligned_ptr);
            #else
              free (get_memnode (aligned_ptr));
            #endif

        This is an O(n) operation. CVS must be allocating a huge number of small allocations, which will result in it spending most of the CPU time in get_memnode() trying to find the node to remove from the list.

        Why should we care? This is "just CVS" after all. Well, Gnulib is used in a lot of projects, not just CVS. While pagealign_alloc() is likely not the most used functionality, it can still end up hurting performance in many places.

        The obvious easy fix is to prefer the posix_memalign method over the other options (I quickly made this happen for my personal CVS build by adding a tactical #undef HAVE_MMAP). Even better, the list code should be replaced with something more sensible. In fact, there is no need to store the original pointer in a list; a better solution is to allocate enough memory and store the pointer before the calculated aligned pointer. This way, the original pointer can be fetched from the negative offset of the pointer passed to pagealign_free(). This way, it will be O(1).

        I tried to report this to the Gnulib project, but I have trouble reaching gnu.org services currently. I'll be sure to do that once things recover.

        #opensource #development #bugstories
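The "store the pointer before the aligned pointer" fix described in the post, written out as an added example. This is not Gnulib's or CVS's code; the function names prefix_pagealign_alloc() and prefix_pagealign_free() are made up for the illustration, and the page size is read from sysconf() (assumed POSIX). The raw malloc() pointer is kept at a fixed negative offset from the aligned address, so the free path needs no list search at all.

```c
/* Added example (not Gnulib or CVS code): a page-aligned allocator that
   keeps the original malloc() pointer immediately before the aligned block,
   so the matching free is O(1) instead of a linked-list search. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Alignment used for every block; taken from the running system. */
static size_t page_size(void)
{
    long ps = sysconf(_SC_PAGESIZE);
    return ps > 0 ? (size_t) ps : 4096;
}

/* Allocate SIZE bytes whose address is a multiple of the page size.
   Layout of the raw malloc() block:
     [ padding ... ][ void *raw ][ aligned payload of SIZE bytes ]
   The saved pointer sits right before the payload, so the free path can
   read it back at a fixed negative offset. */
void *prefix_pagealign_alloc(size_t size)
{
    size_t align = page_size();
    /* Worst case: one full alignment of slack plus room for the header. */
    size_t total = size + align + sizeof(void *);
    void *raw = malloc(total);
    if (raw == NULL)
        return NULL;
    uintptr_t start = (uintptr_t) raw + sizeof(void *);
    uintptr_t aligned = (start + align - 1) & ~((uintptr_t) align - 1);
    /* Store the raw pointer just below the aligned address. */
    memcpy((void *) (aligned - sizeof(void *)), &raw, sizeof raw);
    return (void *) aligned;
}

/* Free a block from prefix_pagealign_alloc(): constant time, no list walk. */
void prefix_pagealign_free(void *aligned_ptr)
{
    void *raw;
    if (aligned_ptr == NULL)
        return;
    memcpy(&raw, (char *) aligned_ptr - sizeof(void *), sizeof raw);
    free(raw);
}

/* Check helper: is PTR a multiple of the page size? */
int is_page_aligned(const void *ptr)
{
    return ((uintptr_t) ptr % page_size()) == 0;
}

/* Check helper: does the saved header point at a raw block that lies
   at most one alignment (plus header) below the aligned pointer? */
int header_is_consistent(const void *aligned_ptr)
{
    void *raw;
    uintptr_t a = (uintptr_t) aligned_ptr, r;
    memcpy(&raw, (const char *) aligned_ptr - sizeof(void *), sizeof raw);
    r = (uintptr_t) raw;
    return a >= r + sizeof(void *) && a - r < page_size() + sizeof(void *);
}

/* Allocate COUNT page-sized blocks (one per node, as CVS does) and release
   them first to last, the order buf_free_datas() uses. Returns 1 if every
   block was aligned, writable and carried a consistent header. */
int exercise(size_t count)
{
    void **blocks = malloc(count * sizeof *blocks);
    size_t i;
    if (blocks == NULL)
        return 0;
    for (i = 0; i < count; i++) {
        blocks[i] = prefix_pagealign_alloc(page_size());
        if (blocks[i] == NULL || !is_page_aligned(blocks[i])
            || !header_is_consistent(blocks[i]))
            return 0;
        memset(blocks[i], 0xAB, page_size()); /* whole payload is usable */
    }
    for (i = 0; i < count; i++)
        prefix_pagealign_free(blocks[i]);
    free(blocks);
    return 1;
}

int main(void)
{
    printf("%s\n", exercise(100000) ? "ok" : "failed");
    return 0;
}
```

The cost of the free path does not depend on how many blocks are live or in which order they are released, which is exactly the property the memnode list lacks. The trade-off is up to one page of slack per allocation; for page-sized payloads that doubles memory use, which is one reason to prefer posix_memalign() where it exists.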
       
 (DIR) Post #Ay57IONAmCrGdBACaO by harrysintonen@infosec.exchange
       2025-09-10T21:33:22Z
       
       0 likes, 0 repeats
       
        So how does CVS use pagealign_xalloc? Like this:

            /* Allocate more buffer_data structures.  */
            /* Get a new buffer_data structure.  */
            static struct buffer_data *
            get_buffer_data (void)
            {
                struct buffer_data *ret;

                ret = xmalloc (sizeof (struct buffer_data));
                ret->text = pagealign_xalloc (BUFFER_DATA_SIZE);

                return ret;
            }

        Surely BUFFER_DATA_SIZE will be something sensible? Unfortunately it is not:

            #define BUFFER_DATA_SIZE getpagesize ()

        So it will create total_data_size / pagesize number of list nodes in the linear list. Maybe it's not that bad if the nodes are released in an optimal order?

        The pagealign code stores new nodes always to the head of its list:

              new_node->next = memnode_table;
              memnode_table = new_node;

        The datanodes in CVS code are however inserted into a list tail:

                    newdata = get_buffer_data ();
                    if (newdata == NULL)
                    {
                        (*buf->memory_error) (buf);
                        return;
                    }

                    if (buf->data == NULL)
                        buf->data = newdata;
                    else
                        buf->last->next = newdata;
                    newdata->next = NULL;
                    buf->last = newdata;

        This creates a pathological situation where the nodes in the aligned list are in the worst possible order as buf_free_datas() walks the internal list from first to last node, calling pagealign_free:

            static inline void
            buf_free_datas (struct buffer_data *first, struct buffer_data *last)
            {
                struct buffer_data *b, *n, *p;
                b = first;
                do
                {
                    p = b;
                    n = b->next;
                    pagealign_free (b->text);
                    free (b);
                    b = n;
                } while (p != last);
            }

        In short: This is very bad. It will be slow as heck as soon as large amounts of data are processed by this code.

        So imagine you have a 2GB buffer allocated by using this code on a system that has a 4KB pagesize. This would result in 524288 nodes. Each node would be stored in two lists; in the first one they're last-head and in the other they're last-tail.

        When buf_free_datas is called for this buffer, it will walk totalnodes - index pagealign nodes for each of the released nodes. The first iteration is (524288 - 1) "unnecessary" node walks, the second (524288 - 2) and so forth. In other terms "sum of all integers smaller than itself", so in total totalnodes * (totalnodes - 1) / 2 extra operations.

        This gives 137438691328 iterations.
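To make the "two lists in opposite order" interaction concrete, here is an added model of the memnode list (not Gnulib or CVS code). It reuses the head-insertion and linear-search shape quoted above, stands in integer ids for the aligned pointers, and counts how many non-matching nodes the search visits when blocks are released in CVS's first-to-last order versus the reverse. The function names extra_walks() and closed_form() are made up for the example.

```c
/* Added example (not Gnulib or CVS code): a small model of the pagealign
   memnode list that counts how many list nodes get_memnode()'s linear
   search visits for a given release order. */
#include <stdio.h>
#include <stdlib.h>

struct memnode {
    long id;                /* stands in for aligned_ptr */
    struct memnode *next;
};

/* Head insertion, as pagealign_alloc() does: newest node becomes the head. */
static void push_front(struct memnode **head, long id)
{
    struct memnode *n = malloc(sizeof *n);
    if (n == NULL) {
        perror("malloc");
        exit(EXIT_FAILURE);
    }
    n->id = id;
    n->next = *head;
    *head = n;
}

/* Unlink the node with ID using the same search loop as get_memnode().
   Returns how many non-matching nodes were visited before the hit,
   or -1 if ID is not in the list. */
static long unlink_counting(struct memnode **head, long id)
{
    long visited = 0;
    struct memnode **p_next = head, *c;
    for (c = *p_next; c != NULL; p_next = &c->next, c = c->next) {
        if (c->id == id)
            break;
        visited++;
    }
    if (c == NULL)
        return -1;
    *p_next = c->next;
    free(c);
    return visited;
}

/* Allocate N nodes with ids 0..N-1 (so the head holds N-1, like the
   pagealign list), then release them in allocation order when
   first_to_last is non-zero (what buf_free_datas() does) or in reverse.
   Returns the total number of extra node visits over all releases. */
long long extra_walks(long n, int first_to_last)
{
    struct memnode *head = NULL;
    long long total = 0;
    long i;
    for (i = 0; i < n; i++)
        push_front(&head, i);
    for (i = 0; i < n; i++) {
        long id = first_to_last ? i : n - 1 - i;
        long v = unlink_counting(&head, id);
        if (v < 0)
            return -1;
        total += v;
    }
    return total;
}

/* The closed form from the post: totalnodes * (totalnodes - 1) / 2. */
long long closed_form(long long n)
{
    return n * (n - 1) / 2;
}

int main(void)
{
    long n = 2000;
    printf("n=%ld first-to-last: %lld extra walks (closed form %lld)\n",
           n, extra_walks(n, 1), closed_form(n));
    printf("n=%ld reverse order: %lld extra walks\n", n, extra_walks(n, 0));
    printf("n=524288 closed form: %lld\n", closed_form(524288));
    return 0;
}
```

Releasing in reverse order always finds the target at the head, so the total is zero; releasing first to last costs the full n*(n-1)/2, and the simulation at n=2000 matches the closed form (1999000), which for 524288 nodes gives the 137438691328 figure above.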
       
 (DIR) Post #Ay57IOQiZ1h4oAp26y by harrysintonen@infosec.exchange
       2025-09-10T20:55:30Z
       
       0 likes, 0 repeats
       
       Presumably mmap should always return pagesize aligned memory, so it is a bit puzzling why the mmap codepath uses the list at all. Possibly an oversight there as well?
       
 (DIR) Post #Ay57ISRZdmktFzFm08 by harrysintonen@infosec.exchange
       2025-09-10T22:15:17Z
       
       1 likes, 0 repeats
       
        So, has CVS always been this broken?

        It doesn't look like it. At least some versions of CVS use far more sensible code: https://github.com/openbsd/src/blob/56696e8786be09c79aaaadb09d99b103c314f835/gnu/usr.bin/cvs/src/buffer.c#L92

        This code doesn't suffer from the "two lists" syndrome, so it remains fast no matter what. It allocates 16 pages at a time. It never frees the memory and just keeps it in a list to be reused when the need arises.
       
 (DIR) Post #Ay69aApEHKUYtQqxtY by harrysintonen@infosec.exchange
       2025-09-11T08:45:50Z
       
       7 likes, 6 repeats
       
        Many moons ago, a friend ran an SSH honeypot that had a unique feature: when the attacker gained "access" to the system, he could then send responses to the interactive commands the attackers executed over an IRC channel.

        One day, some attacker popped in, and he started to taunt them live. Often, the attackers were just throwing in some copypasta and weren't actually checking the responses. This one time, the attacker realised what was going on and was quite amused, and started to chat back, sending fake commands to see if he would get obvious human responses back (Note: this was well before generative AI). This went on for some time, and some kind of a connection was formed. The attacker would come back to chat with my friend, logging in over SSH to this honeypot.

        Eventually, the attacker divulged other means to communicate with him. He told my friend he was a bored Romanian guy who ran a kind of academy for young hacking talent. They'd gain access to some box, install their SSH bruteforcer (random IPv4 addresses and fixed password lists), and rinse and repeat.

        Eventually, the attackers seemed to stop and disappear. My friend contacted them and asked what had happened: maybe they had been caught by authorities?

        No such luck. Apparently, they had discovered some addictive online game that was more interesting.

        Threat actor group defeated by Candy Crush.
       
 (DIR) Post #AyhXSdwcfOiIHZFfDU by harrysintonen@infosec.exchange
       2025-09-28T15:11:10Z
       
       1 likes, 2 repeats
       
        If #git makes #Rust mandatory it will block future git versions from being ported to our niche platform. While this would not immediately lock us out of repos (the current version will likely continue to work fine for some time) it eventually would complicate access (all git work would need to be circulated via some proxy setups or similar).

        Needless to say I'm not thrilled by this idea.

        I am not against Rust. I am against a breaking change that leaves everyone not embracing Rust behind.

        https://lore.kernel.org/git/20250904-b4-pks-rust-breaking-change-v1-0-3af1d25e0be9@pks.im/
       
 (DIR) Post #AyjGikPd4qvU4Rpfqi by harrysintonen@infosec.exchange
       2025-09-28T16:57:04Z
       
       0 likes, 0 repeats
       
        @kornel We of course employ cross-compiling. But still, being left out in that manner is unfortunate, as we try to offer as complete and modern a native SDK as possible.

        I fully acknowledge that this is something we just have to live with. We are doing our own thing, and we can't possibly expect everyone else to cater for our platform quirks.

        However, there are other platforms far from being this obscure that will be hit as well: various legacy Debian platforms (alpha, hppa, m68k and sh4) and NonStop, AIX and Solaris come to mind at least. There are likely more.
       
 (DIR) Post #AyjnS5p9Vrn42gR9Bg by harrysintonen@infosec.exchange
       2025-09-30T16:03:13Z
       
       1 likes, 1 repeats
       
        #GitHub - Please make it possible to remove the autogenerated source archive links from releases. This is a cause of endless confusion as people accidentally download the wrong source code archive instead of the actual release one. I got bitten by this just moments ago. https://github.com/openssl/openssl/issues/28707 - sure it was my own mistake to accidentally pick the wrong link, but just making this possible is stupid and would be trivial to fix.

        I know the #curl project gets annoyed by this issue periodically as well and has requested this feature from GitHub.
       
 (DIR) Post #AyyRBNrzskZZT1nH6W by harrysintonen@infosec.exchange
       2025-10-07T13:58:04Z
       
       0 likes, 0 repeats
       
        Despite the recent media reporting, #Windows installation with local accounts is working just fine. Create a regular Windows installation media and drop autounattend.xml to the root of the USB device and install it.

        You can craft the autounattend.xml yourself or use a service like https://schneegans.de/windows/unattend-generator/ to generate it.

        If the installation demands you to connect to the internet, you can bypass this part by pressing Shift+F10 and then entering oobe\bypassnro + <return>. After the installer restart, you'll have the "I don't have internet" option, and the installation will proceed.

        EDIT: To clarify: While I did not test the latest insider build I believe this method will continue to work, even with it. I'll be sure to edit the post if this turns out to be incorrect.
       
 (DIR) Post #AzOZ8x0SdjQPJd3rzk by harrysintonen@infosec.exchange
       2025-10-20T08:45:26Z
       
       0 likes, 1 repeats
       
       IRC is working just fine. As always.
       
 (DIR) Post #AzOa8NKJOdx0bvdUcS by harrysintonen@infosec.exchange
       2025-10-20T08:10:58Z
       
       4 likes, 5 repeats
       
        A lot of services that are supposedly running in the EU are currently having significant issues due to AWS US-EAST-1 being impacted. But surely this is just some dependencies that are down and all our data is really stored in the EU. Right?

        https://health.aws.amazon.com/health/status
       
 (DIR) Post #AzdUGEYkHvRaVrIvJY by harrysintonen@infosec.exchange
       2025-10-27T12:12:50Z
       
       1 likes, 0 repeats
       
        Six people - including City of Helsinki officials and a machine operator - have been charged with environmental degradation after a protected brook was damaged during logging in Laajasalo in 2023.

        In the trial, the environmental activists, who tried to stop the logging to protect the brook, were acquitted. The Helsinki District Court ruled that the activists were justified in defying police orders, and their actions likely prevented further environmental harm.

        This ruling is considered a historic precedent, as the court recognised that protecting nature can, in some cases, justify actions otherwise deemed criminal.

        News (in Finnish): https://www.hs.fi/alueet/art-2000011586455.html

        #environment #activism #civildisobedience
       
 (DIR) Post #AzfKRdRZUz4TeMfNQ0 by harrysintonen@infosec.exchange
       2025-10-28T10:47:23Z
       
       0 likes, 1 repeats
       
        A draft proposal for the Finnish Transport and Communications Agency's domain name fees includes:

        - The annual domain name fee would increase from €9 to €12 (+33%)
        - The annual registrar fee would be €400 per year

        Currently individuals can manage their own domains by registering as a private registrar (not offering the service to others). The €400 fee effectively kills this option. Having managed my own domains until now I'm not happy with this proposal.

        The proposal is open for comments (in Finnish and Swedish): https://www.lausuntopalvelu.fi/FI/Proposal/Participation?proposalId=bb3cd297-6c3b-456e-b647-e434208148ef
       
 (DIR) Post #AziVSvUvXcgSu4vxuC by harrysintonen@infosec.exchange
       2025-10-29T22:51:01Z
       
       0 likes, 1 repeats
       
        The recent #AWS and #Azure outages have been a wake-up call for anyone working in critical sectors (transport, healthcare, finance, utilities - both digital and traditional, food production, administration, etc). If your core service could not function during these minor outages, you need to take action to remedy this. #Preparedness is essential in ensuring a functioning society even in exceptional conditions.

        #AWSOutage #AzureOutage
       
 (DIR) Post #Azo7K3iGOdc3pBAcJE by harrysintonen@infosec.exchange
       2025-11-01T14:55:09Z
       
       4 likes, 2 repeats
       
        #Microsoft is clearly becoming desperate due to low adoption rates of #Copilot.

        Apparently, Microsoft is now pushing Copilot to all #Microsoft365 personal subscribers and calling it a "subscription price increase". Only when you decide to cancel your subscription are you presented with the option to switch to "Microsoft 365 Personal Classic" without Copilot (and nearly the old price). The classic plan is not presented as an option unless you try to cancel your subscription.

        This is a classic scammy trick: Modify the existing plan and add the feature no one wants and hide the old plan from view. Presto, now you have an insane adoption rate you can present to investors as a great success.

        I personally don't use Microsoft subscription services, so I don't know if they tried this bullshit in the EU, but if they did, they're asking for trouble. They got sued in Australia over this already: https://www.accc.gov.au/media-release/microsoft-in-court-for-allegedly-misleading-millions-of-australians-over-microsoft-365-subscriptions "Microsoft in court for allegedly misleading millions of Australians over Microsoft 365 subscriptions"
       
 (DIR) Post #B0AL6SmoPMjQ7VP9u4 by harrysintonen@infosec.exchange
       2025-11-11T23:02:24Z
       
       2 likes, 4 repeats
       
        This is a reminder to everyone that security is more than just memory safety. https://www.phoronix.com/news/sudo-rs-security-ubuntu-25.10

        #rust #vulnerability #sudo_rs
       
 (DIR) Post #B0X5HACJ9q9Dw5eAsq by harrysintonen@infosec.exchange
       2025-11-21T19:56:31Z
       
       0 likes, 0 repeats
       
       I'm no fan of #Rust by any measure, but I think it's unfair to blame Rust for the Cloudflare outage - Mistakes are language agnostic and very portable.
       
 (DIR) Post #B2kOBRdXb1nSjgvVBY by harrysintonen@infosec.exchange
       2026-01-28T14:16:00Z
       
       1 likes, 0 repeats
       
        It was interesting to read up on the AI assisted code review at https://www.lesswrong.com/posts/7aJwgbMEiKq5egQbd/ai-found-12-of-12-openssl-zero-days-while-curl-cancelled-its

        For context: I'm personally responsible for at least 29 curl CVEs. Out of the recent 6 CVEs mentioned in the blog post I found two. This gives me some perspective, I think.

        I do not utilise AI tools in my vulnerability research. I am also fiercely critical of the harmful proliferation of AI. This is due to the unsustainable way it is currently pushed, and its use as a marketing ploy and gimmick rather than producing measurable benefit to users. This leads to negative impacts on the economy, education & learning, not to mention impacts to nature due to wasteful use of energy.

        This doesn't mean I am against AI. I have written my own AI tooling (fully local RAG with support for an arbitrary number of models running on local nodes, implemented in Python). I found the usefulness of such a tool to be limited at best. It is somewhat useful in mass analysis of large document bases, but the level of analysis is superficial at best. These AI models are after all just language models, and do not have any true understanding or intelligence.

        And here is the gist of it: The current tools are not intelligent. Understanding this limitation is the key to successful deployment and utilisation of AI tools. The tools can be useful in certain tasks, but they do not replace true intelligence.

        The AI tooling AISLE are developing certainly is one of the better uses of AI, and definitely surpasses all my personal dabbling around it. It is clear that the tool does find vulnerabilities. The key question is how many hallucinations and false positives it produces: If the tool generates thousands of FPs and the true findings are hidden among them this limits the value and usefulness of the tool (of course it doesn't entirely negate it, many tools produce false positives). In short: The quality of the findings is key, and a poor signal-to-noise ratio is highly undesirable.

        Either way, I think there is a future for AI tools and they definitely will be helpful in vulnerability research.

        I personally will keep exercising my wetware for this work, however.

        #cybersecurity #infosec #vulnerabilityresearch #thoughtoftheday