Lilith Wittmann hat wieder mal was gefunden.
Au weia.
WDR, 26. Juni 2024: Schwere Sicherheitslücke bei Gefängnis-Telefonanlagen aufgedeckt
#itsec
Hallo zusammen, seit kurzem interagieren ja einige ausgesuchte #Threads Konten mit der #Fediverse. Und zukünftig soll Threads ja komplett mit der Fediverse interagieren können. So zumindest deren Plan.
So habe ich mir in den letzten Tagen, wie andere vermutlich auch, Gedanken über Threads hier in der Fediverse gemacht. Dieses Thema wird ja sehr kontrovers diskutiert, was ich auch sehr gut verstehen kann. Schließlich ist es ja bekannt, wie der Konzern Meta, zu der ja Threads ebenfalls gehört, mit diversen Themen wie Rassismus, Nazis, Geschwurbel und vieles mehr umgeht. Durch die fehlende Moderation dort ist es solchen Menschen möglich, ihren geistigen Dünnpfiff in der Welt zu verbreiten. Aber das sind inhaltliche Themen, bei der meiner Meinung nach die Fediverse den Usern genügend Werkzeuge in die Hand gibt, um damit umzugehen. Was ich meine ist das, dass jeder User in der Fediverse in der Lage ist selber entscheiden zu können, ob er einen einzelnen User von Threads oder eben Threads komplett zu blocken.
Dieses „inhaltliche“ Thema soll NICHT Teil meines Beitrages hier sein.
Mich beschäftigt viel mehr der (datenschutz)technische Aspekt zu Threads. Und ehrlich gesagt komme ich da zu keiner wirklichen Erkenntnis, weil mir hierzu einfach das tiefer gehende Wissen fehlt.
Eines ist mir klar: Wenn ich als User einen Beitrag öffentlich erstelle, ist dieser für die große weite Welt sichtbar, nicht nur für Threads. Logisch. Neben diesen inhaltlichen Informationen werden auch so Sachen wie die IP meiner verwendeten Instanz oder andere technische Details an Threads übermittelt. Dann werden auch noch persönliche Daten Richtung Threads geschoben wie der Handle, der Profilname, das Profilfoto, Timestamps oder Likes. Falls in den Einstellungen nicht beschränkt, werden auch noch die Profilbeschreibung sowie die Kontakte mit Threads ausgetauscht werden.
Wie ist das aber für User, die auf ihren Datenschutz bzw. auf die Privatsphäre achten bzw. denen das wichtig ist?
Wenn so ein User einfach in der Timeline scrollt und dort ein Beitrag von Threads auftaucht, werden dann schon die Daten von so einem User an Threads übermittelt? Also ohne jeglicher Interaktion mit so einem Beitrag?
Wenn so ein User in einem Beitrag, der von einem Threads-User erstellt worden ist, eine Antwort oder ein Like hinterlässt, welche personenbezogenen Daten bekommt dann Threads?
Wie schaut es mit dem Thema Metadaten aus, wenn Threads solche Daten mit Daten aus anderen Quellen verknüpft?
Welche Gefahren bestehen generell für datenschutzbewusste User, wenn ihre Instanz Threads NICHT blockt?
Noch einmal: Wie am Anfang erwähnt, geht es mir nicht um die Inhalte selber, die durch Threads reingespült werden.
Ich habe mit meinem Testkonto (Friendica) einmal einen der Threads-User als Kontakt hinzugefügt.
Nachdem ich im Firefox die Browserkonsole geöffnet habe, habe ich dort die Netzwerkanalyse gestartet. Danach habe ich das Profil des Users geöffnet, durch die Beiträge des Users gescrollt und auch einzelne Beiträge des Users geöffnet. Bei diversen Beiträgen habe ich ein Like hinterlassen oder auch mal einen Beitrag geteilt. In der Netzwerkanalyse ist mir keine Kommunikation in Richtung, #Meta, #Threads, #Facebook oder #Instagram aufgefallen. Bedeutet das, dass die Kommunikation mit Threads-Usern über #Friendica oder einer anderen Fediverse-Software datenschutzfreundlich ist bzw. Meta von mir keine Daten bekommt, außer den öffentlichen? Oder übersehe ich hierbei was?
Diese Frage(n) ist nicht nur für mich als User, sondern auch als Friendica-Admin relevant.
Von daher erhoffe ich mir von #Fedinauten, die zu diesem Thema mehr fachliches Wissen haben, Antworten oder sonstigen Input zu bekommen, die mir bei der Beantwortung meiner Fragen behilflich sein können. Das wäre wirklich klasse. 😛
Ich bin jetzt auch einfach mal so frei Kontakte anzupingen, bei denen ich mir denke, zu diesem Thema das richtige Fachwissen zu haben. Bitte verzeiht mir, falls es euch nicht recht ist. 😊
@Eva Wolfangel @Mike Kuketz 🛡 @KubikPixel™ @qbi @Matthias Eberl @Bashinho - Sohn der Bash @Friendica Admins
(Gerne darf dieser Beitrag geteilt werden.)
08.08.2023 Zerforschung: Tatü-Tata, ein Databreach ist da #itsec
Langsam wird es wirklich unheimlich. Um herauszufinden, welche Institutionen weltweit von dem Problem betroffen sein könnten, schauen wir uns die Koordinaten aus den Datensätzen auf einer Karte an. Dabei zeigt sich: Im Trackerverzeichnis finden sich nicht nur Feuerwehren in ganz Europa, sondern in der ganzen Welt. Außerhalb Deutschlands meist auf Flughäfen. Außerdem scheint die Firma auch Kunden im Iran zu haben – trotz der politischen Situation dort.
Die Zerforscher haben eine Schnittstelle gefunden, über die sich der Standort von tausenden von Feuerwehr-Fahrzeugen herausfinden ließ. Die Lücke ist wohl geschlossen worden, aber die Firma hatte es nicht nötig, sich mal zurückzumelden.
18.07.2022 SwissCyberSecurity: Cyberkriminelle greifen 1,6 Millionen Wordpress-Seiten an
Die Angreifer suchen Webseiten, die das Modern WPBackery Page Builder Plugin installiert haben.
“The biggest network security threat today is a remote code execution exploit for Intel’s Management Engine.”
“Every computer with an Intel chipset produced in the last decade would be vulnerable to this exploit, and RCE would give an attacker full control over every aspect of a system.
If you want a metaphor, we are dinosaurs and an Intel ME exploit is an asteroid hurtling towards the Yucatán peninsula.” (https://hackaday.com/tag/intel-me/)
Intel might have installed – over the course of at least a decade (to this day?) a closed source backdoor in your computer’s firmware, that might never receive updates and is hard to remove.
Once this backdoor is fully cracked, everyone (Russia, China and North Korea) can use it.
Having remote control over a server down to the BIOS is a neat feature.
Hackers think so too.
Because a firmware is sometimes hard to update.
BIOS-UEFI updates need to be as easy to install than OS updates.
There are even parts of Intel ME that can not be updated at all (yet) because they are encrypted & signed and the system won’t start if they are missing (security by obscurity).
another dramatic way to put it:
“The biggest network security threat today is a remote code execution exploit for Intel’s Management Engine.”
“Every computer with an Intel chipset produced in the last decade would be vulnerable to this exploit, and RCE would give an attacker full control over every aspect of a system.
If you want a metaphor, we are dinosaurs and an Intel ME exploit is an asteroid hurtling towards the Yucatán peninsula.” (https://hackaday.com/tag/intel-me/)
Currently the OS must be hacked or USB access (“physical access equals root access”) before it is possible to malware very deeply in the system = having this guy say: “only solution” “shredder mainboard”
But it might be just a matter of time, until new attack vectors are found, that allow exploit over network, maybe even in the security-nightmare language that every browser runs: JavaScript? X-D (just turn it off globally thanks!)
https://www.golem.de/news/conti-ransomware-gruppe-arbeitet-an-exploit-fuer-intel-me-2206-165848.html
(Conti is a hacker group associated with Russia)
https://www.golem.de/news/security-das-intel-me-chaos-kommt-2003-147099.html
https://www.golem.de/news/security-hackern-gelingt-vollzugriff-auf-intel-me-per-usb-1711-131065.html
Intel ME: Will Intel deliver updates? I hope so. Otherwise: Seriously sue intel to put your IT hardware at danger of being destroyed PERMANENTLY.
As it has happened with those KA-SAT satellite modems.
solutions anyone?
Yes multiple hard one’s.
- try turning AMT BMC Intel ME off in the bios
- some BIOS even allow to disable Intel ME permanently
- some BIOS even allow to disable Intel ME permanently
- on some systems BMC can be disabled with a jumper on the motherboard
- Flash GNU Linux to the BIOS! (CoreBoot, LibreBoot with the Lenovo x60s no problem, with newer notebooks / PCs probably more effort)
- “Just use AMD”, yes better but according to this video only a partial solution?
intel needs to work with it’s damaged customers to fix this mess
Or be sued for every hack and every ransomware attack and every downtime and every destroyed motherboard.
seriously.
open source backdoors instead of closed source backdoors!
ok ideally no backdoors at all?
“Intel had already found the vulnerability (CVE-2019-0090) itself last year, described only as a privilege escalation and tried to fix a possible attack vector.
According to PT, however, there are probably other attack vectors and the real problem in ROM still remains, as this part cannot be updated.
This is the preliminary culmination of an embarrassment on the part of Intel, which the manufacturer is trying to sell as security.
By now at the latest, Intel should mothball the concept of a proprietary ME and work on the open hardware security chip that Google“
“Customers, users and Intel would be the winners.”
translated from: https://www.golem.de/news/security-das-intel-me-chaos-kommt-2003-147099.html
“Together with partners, Google has announced the Open Titan project.
The goal is a completely openly designed chip based on RISC-V, which is to be used as root-of-trust in many different devices.”
links:
https://www.rapid7.com/blog/post/2013/07/02/a-penetration-testers-guide-to-ipmi/
#linux #gnu #gnulinux #opensource #administration #sysops #cybersec #itsec #cyber #intel #intel-me #intelme
Originally posted at: https://dwaves.de/2022/06/10/russias-conti-working-on-exploits-for-intel-me-bmc-amt-ipmi-intel-me-the-biggest-security-fuck-up-in-computing-history-sue-intel/
Intel might have installed – over the course of at least a decade (to this day?) a closed source backdoor in your computer’s firmware, that might never receive updates and is hard to remove.
Once this backdoor is fully cracked, everyone (Russia, China and North Korea) can use it.
Having remote control over a server down to the BIOS is a neat feature.
Hackers think so too.
Because a firmware is sometimes hard to update.
BIOS-UEFI updates need to be as easy to install than OS updates.
There are even parts of Intel ME that can not be updated at all (yet) because they are encrypted & signed (security by obscurity).
Currently the OS must be hacked or USB access (“physical access equals root access”) before it is possible to malware very deeply in the system = having this guy say: “only solution” “shredder mainboard”
But it might be just a matter of time, until new attack vectors are found, that allow exploit over network, maybe even in the security-nightmare language that every browser runs: JavaScript? X-D (just turn it off globally thanks!)
https://www.golem.de/news/conti-ransomware-gruppe-arbeitet-an-exploit-fuer-intel-me-2206-165848.html
(Conti is a hacker group associated with Russia)
https://www.golem.de/news/security-das-intel-me-chaos-kommt-2003-147099.html
https://www.golem.de/news/security-hackern-gelingt-vollzugriff-auf-intel-me-per-usb-1711-131065.html
Intel ME: Will Intel deliver updates? I hope so. Otherwise: Seriously sue intel to put your IT hardware at danger of being destroyed PERMANENTLY.
As it has happened with those KA-SAT satellite modems.
solutions anyone?
Yes multiple hard one’s.
- try turning AMT BMC Intel ME off in the bios
- some BIOS even allow to disable Intel ME permanently
- some BIOS even allow to disable Intel ME permanently
- on some systems BMC can be disabled with a jumper on the motherboard
- Flash GNU Linux to the BIOS! (CoreBoot, LibreBoot with the Lenovo x60s no problem, with newer notebooks / PCs probably more effort)
- “Just use AMD”, yes better but according to this video only a partial solution?
intel needs to work with it’s damaged customers to fix this mess
Or be sued for every hack and every ransomware attack and every downtime and every destroyed motherboard.
seriously.
open source backdoors instead of closed source backdoors!
ok ideally no backdoors at all?
“Intel had already found the vulnerability (CVE-2019-0090) itself last year, described only as a privilege escalation and tried to fix a possible attack vector.
According to PT, however, there are probably other attack vectors and the real problem in ROM still remains, as this part cannot be updated.
This is the preliminary culmination of an embarrassment on the part of Intel, which the manufacturer is trying to sell as security.
By now at the latest, Intel should mothball the concept of a proprietary ME and work on the open hardware security chip that Google“
“Customers, users and Intel would be the winners.”
translated from: https://www.golem.de/news/security-das-intel-me-chaos-kommt-2003-147099.html
“Together with partners, Google has announced the Open Titan project. The goal is a completely openly designed chip based on RISC-V, which is to be used as root-of-trust in many different devices.”
#linux #gnu #gnulinux #opensource #administration #sysops #cybersec #itsec #cyber #intel #intel-me #intelme
Originally posted at: https://dwaves.de/2022/05/17/russias-conti-working-on-exploits-for-intel-me-bmc-amt-intel-me-the-biggest-security-fuck-up-in-computing-history-sue-intel/
The Unix philosophy - simple and beautiful (so it "just works")
“The Unix Philosophy in One Lesson”
“All the philosophy really boils down to one iron law, the hallowed ‘KISS principle’ of master engineers everywhere:”
https://homepage.cs.uri.edu/~thenry/resources/unix_art/ch01s07.html
src: https://homepage.cs.uri.edu/~thenry/resources/unix_art/ch01s07.html
“Keep It Simple, Stupid” or “Keep It Super Simple” (less offensive)
The Unix philosophy emphasizes building simple, short, clear, modular, and extensible code that can be easily maintained and repurposed by developers other than its creators.
This is what allows a system to “boom” “it just work” as Mr Jobs puts it.
The Unix philosophy favors composability as opposed to monolithic design.
Later summarized by Peter H. Salus in A Quarter-Century of Unix (1994):[1] This is the Unix philosophy:
- Write programs that do one thing and do it well.
- Write programs to work together.
- Write programs to handle text streams, because that is a universal interface.
- there is more to learn from the “Elders of UNIX”:
would add:
- Keep it as simple as possible and as complex as ABSOLUTELY necessary (more moving parts = more problems)
- simplify & agree on common standards & automate:
- design standards together “open standards”, so they can take care of (almost) all required use cases
- software minimalism
- only run as little software on a system (even if it has plenty of resources) as absolutely necessary
- in GNU Linux Debian that would be:
- 1) “start from scratch” with the net install minimal iso (working LAN internet connection required) - if the user knows there are “Open Source” drivers for (networking, wifi) hardware: go with “Free” version https://www.debian.org/CD/netinst/ - otherwise go with the “Cloused Source” blobs of evil “Non-Free” version: https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/current/amd64/iso-cd/
- 2) then from there only install what the system absolutely needs
- in GNU Linux Debian that would be:
- for example: don’t run full blown desktop guis on servers that do not need them
- a lot of admins rely on the “html gui” webmin, and virtualmin
- if that helps to keep a system in well working secure shape, that’s fine but… it is not optimal for two reasons: - less software = always better - at least enhance security with a ssh-tunnel, meaning the port to access web-console (80 or 443) should only be accessible by localhost via ssh-tunnel (if there are zero-day exploits against latest OpenSSH (aka OpenSSH hacked) it’s “all internet offline doomsday” anyway… so this very very critical piece of software needs relentless testing and fast updates/patching) - gui-admins using this software, know “the gui buttons” but not the bash commands - thus: the gui-admins do not really know, what the software is actually doing in the background when they click a button, thus they might be unable to debug the problem, if things fail (that is where this “monitor all logs” bash script comes in handy)
- a lot of admins rely on the “html gui” webmin, and virtualmin
- only run as little software on a system (even if it has plenty of resources) as absolutely necessary
genius: “the genius is in control of chaos” (maybe true for a while, but long term it’s deadly wrong)
- A true genius keeps everything simple, so that there is no chaos (“mess”) in the first place and almost everyone immediately can understand the program and fix a bug or develop it further (while always keeping the k.i.s.s principles in mind 🙂
standards:
- to standardize is a good thing, imagine a world, where every electronic device would have it’s own power plug… nobody could plugin anywhere without adapters… adding adapters increases complexity (fire hazard?) and decreasing simplicity
- https://dwaves.de/2019/02/26/usb-cable-salad-of-madness-usb-3-0-and-wifi-interference-micro-usb-usb-c-mess-has-finally-arrived/
- what existing standards are there?
- can they be adapted? (try to identify & contact the creators)
- instead of everyone making a new standard -> mess-of-standards (maximum incompatibility to each other)
- is it really necessary to create a new standard? (e.g. one fine day, someone might decide to use /config for config files and not /etc, because what does etc stand for? (it stands for “all other files that do not fall in the /bin /dev /lib /usr /sbin… category” it stands for “et cetera” (lat. “the rest”))
- it evolved into “the directory where config files are stored” and everyone knows that, so it has “grown” into a standard
- it is agreed, that things should be called what they are and the naming of this directory is just bad (not self speaking)
- but changing that standard would mess up this “grown-into-standard” and get a lot of users and programs confused… worth it?
- imho THE worst idea is to add another directory and place another network config file, so that there are 2, 3, 4, 5 different places to configure network = complete mess
Malcolm Douglas McIlroy: “Everything was small… and my heart sinks for Linux when I see the size of it. […]
The manual page, which really used to be a manual page, is now a small volume, with a thousand options…
We used to sit around in the Unix Room saying, ‘What can we throw out? Why is there this option?’
It’s often because there is some deficiency in the basic design — you didn’t really hit the right design point.
Instead of adding an option, think about what was forcing you to add that option.” (src: https://en.wikiquote.org/wiki/Doug_McIlroy)
https://archive.org/details/DougMcIlroy_AncestryOfLinux_DLSLUG
Ken Thompson and Dennis Ritchie, key proponents of the Unix philosophy.
“we are trying to make computing as simple as possible – in the late 1960s Dennis Richie and I realized that the then current Operating System where much way too complex – we attempted to reverse this trend by building a small simple operating system on a minicomputer” (Ken Thompson)
“What we wanted to preserve was not just a good programming environment in which to do programming – but a system around which a community could form – fellowship – we knew from experience that the essence of communal computing – as supplied by remote access time sharing systems – is not just to type programs into a terminal instead of a key-punch – but to encourage close communication” (Dennis M. Ritchie)
https://homepage.cs.uri.edu/~thenry/resources/unix_art/ch01s06.html
https://en.wikipedia.org/wiki/Unix_philosophy
“As a programmer, it is your job to put yourself out of business. What you do today can be automated tomorrow.”
Damn this guy is a philosopher.
Working in IT seems to be just like capitalism itself: working to make one’s job obsolete. “great” outlook.
There need to be alternative lifestyles that make sense and are sustainable.
https://ytpak.net/watch?v=JoVQTPbD6UY
[video width=”586″ height=”436″ mp4=”https://dwaves.de/wp-content/uploads/2017/05/Ken-Thompson-and-Dennis-Ritchie-Explain-UNIX-Bell-Labs.mp4″\]\[/video\]
what happens if companies can not agree on standards:
probably the best example:
- Apple and the “one button vs two button mouse”
“Steven P. Jobs, once said that one was the obvious answer because that made it impossible to push the wrong button” (src)
- turns out: two button mouses are “easy enough” for users that used them for more than 3 days straight
- by now, approx 99% of Apple’s one-button mouses are in the (recycling?)trash and got replaced by at least two-button mouses (what a waste of resources, right?)
- GNU Linux users would want a 3 button mouse (the middle button is for pasting stuff)
-
- probably: so Apple can sell more power adapters
- turns out: shipping iphones without adapters while charging the same price makes even more money
finally in 2020 (after aprox. 10 years?) they came along and adopted USB-C Macbook ARM M1 CPU
- they are still refusing to make the iPhone charge via USB-C - [](https://dissectiontable.com/best-chargers-iphone-12-pro-mini-max/) > <https://dissectiontable.com/best-chargers-iphone-12-pro-mini-max/> - so the user STILL in 2022 needs a special Apple cable to plug into “everyone’s else’s” chargers - it is… - 1) truly ridiculous - 2) wasting resources (in 2022 the electronic trash recycling quotas are still pretty bad, only [13% to 35%](https://duckduckgo.com/?t=ffab&q=how+much+of+electronic+waste+get%27s+recycled) of disposed electronics becomes new electronics) - 3) #wtf Apple seriously?
#linux #gnu #gnulinux #opensource #administration #sysops #unix #philosophy #m #mcilroy #philosophie #torvalds #itsec #cybersecurity #security #kernel #thompson #ritchie #apple #jobs #standards #standard #gnu-linux #simplify #open #source #openstandards
Originally posted at: https://dwaves.de/2017/05/02/the-unix-philosophy-simple-and-beautiful-so-it-just-works/
Open Source is about enabling users "Amazon, Microsoft, Google" and the White House, want to help make Open Source more secure... [caption id="attachment_26251" align="alignnone" width="430"] https://www.youtube.com/watch?v=U-8KopUKMzA\[/caption\] https://www.golem.de/news/openssf-150-millionen-us-dollar-sollen-open-source-absichern-2205-165382.html https://www.golem.de/news/openssf-linux-foundation-will-security-praxis-vereinheitlichen-2008-150036.html src of src: "White House OSS Mobilization Plan" 2022: https://openssf.org/blog/2022/05/11/testimony-to-the-us-house-committee-on-science-and-technology/ 2020: "The OpenSSF is[...]
#linux #gnu #gnulinux #opensource #administration #sysops #dev #c #development #rust #go #google #security #itsec #cybersec #cybersecurity #kernel #linus #torvalds #mozilla #licence #licencing #patents #patent
Originally posted at: https://dwaves.de/2022/05/16/rust-vs-go-open-source-is-about-enabling-users-rust-lang-will-complement-c-around-the-gnu-linux-kernel-for-better-safety-amazon-microsoft-google-and-the-white-house-want-to-make-open-sour/
Open Source is about enabling users
“Amazon, Microsoft, Google” and the White House, want to help make Open Source more secure…
- https://www.golem.de/news/openssf-150-millionen-us-dollar-sollen-open-source-absichern-2205-165382.html
-
- src of src: “White House OSS Mobilization Plan”
- 2022: https://openssf.org/blog/2022/05/11/testimony-to-the-us-house-committee-on-science-and-technology/
- 2020: “The OpenSSF is a cross-industry collaboration that brings together leaders to improve the security of open source software (OSS) by:
- building a broader community with targeted initiatives and best practices
- It combines efforts from the Core Infrastructure Initiative, GitHub’s Open Source Security Coalition and other open source security work from founding governing board members GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation and Red Hat, among others.
- Additional founding members include ElevenPaths, GitLab, HackerOne, Intel, Okta, Purdue, SAFECode, StackHawk, Trail of Bits, Uber and VMware.
- Open source software has become pervasive in data centers, consumer devices and services, representing its value among technologists and businesses alike.
- Because of its development process, open source that ultimately reaches end users has a chain of contributors and dependencies.
- It is important that those responsible for their user or organization’s security are able to understand and verify the security of this dependency chain.” (src linuxfoundation.org)
so far so good eh?
How will this exactly play out? What will be the “modi operandi”? (Pentagon & JP Morgan Bank, are interested in making the software supply chain more secure, as the IT of banks (!!!) not very good (say the banks THEMSELVES (that fired a lot of IT staff to save on money))
Just an idea for the govs & big corps with the money:
- put up a “Open Source” “kickstarter” like website
- where companies & gov can put up their requirements
- Open Source developers either accept to tackle those requirements
- or:
- post their own projects & investors can allocate their resorces to Open Source
- ABSOLUTE transparency is critical here, not a “pay to play” “taking power” “taking over” “Open Source” “influencing” sealing deals behind closed doors.
long version:
https://peertube.co.uk/w/jKvQozs7xDqpQvbwQFdKbF
The Star Trek economy: will it ever exist?
Afaik Dutch historian Rutger Bregman confirms in his book “Humankind: A Hopeful History” (BE WARNED: it is a realist’s thriller!), that “the nature” of humans (also under constant development), is as such, that only a small percentage are reckless “psychopaths”,
the majority of mankind rather wants to help each other, than shoot each other.
Rust “second in command” around the GNU Linux Kernel
Because Rust lang promises improvements around cyber/itsecurity (no more buffer over/underruns), it might become “second in command” around the Kernel.
The cons: Rust is more C++ than C, which might be a problem for the (long term) C nerds.
Unless (Linus?) & Greg (or someone else) wants to develop a brand new “C” “2.0” lang + compiler designed around security…
Unless Google wants to change it’s Go lang licence…
…Rust it is.
Is Go (a more C like) alternative?
(2018: developer Voit wrote a Network driver (GNU Linux kernel module) in Go)
https://www.net.in.tum.de/fileadmin/bibtex/publications/theses/2018-ixy-go.pdf
C ixy vs Go ixy: performance (only) “10% slower then the C implementation under optimal circumstance” (optimal meaning: system’s CPU needs fast single threading)
“One of the biggest problem during development was low-level memory management.”
“Specifically register access has proven itself to be difficult in Go”
“On the other hand we were surprised about the garbage collection.”
“Originally named as the reason why Go is nor suited for systems programming, our analysis has proven otherwise”
“easier to read and does not require much understanding of the language itself in order to understand the code, especially compared to some C constructs like function pointer, pointer casting and other more intricate operations” (src)
the Go lang licencing MumboJumbo:
“Copyright (c) 2009 The Go Authors. All rights reserved.”
“Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither the name of Google Inc. nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
“AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.”
that’s not all… there is more licencing mumbojumbo for all those Free Software Foundation & lawyerzzz:
‘Additional IP Rights Grant (Patents)’
‘”This implementation” means the copyrightable works distributed by Google as part of the Go project.
Google hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section)
patent license to make, have made, use, offer to sell, sell, import, transfer and otherwise run, modify and propagate
the contents of this implementation of Go,
where such license applies only to those patent claims,
both currently owned or controlled by Google and acquired in the future,
licensable by Google that are necessarily infringed by this implementation of Go.
This grant does not include claims that would be infringed only as a consequence of further modification of this implementation.
If you or your agent or exclusive licensee institute or order or agree to the institution of patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that this implementation of Go or any code incorporated within this implementation of Go constitutes direct or contributory patent infringement,
or inducement of patent infringement, then any patent rights granted to you under this License for this implementation of Go shall terminate as of the date such litigation is filed.’
src: https://raw.githubusercontent.com/golang/go/master/PATENTS
While the sources of the Go lang are indeed accessible via github, it’s licence is neither GPL 2.0 nor GPL 3.0 nor Apache licence nor MIT licence and thus questionable if:
- Google can be trusted (?)
- the Go lang licence is “compact” but (currently) not at all Open Source compatible (not a word about if modifcations are allowed)
- why did Google not simply pick a “well known” Open source licence? https://opensource.org/licenses
One fine day, Google might to decide, to change the licence, and from this to:
- stop providing the (latest) source code (the old one yes, not the new one)
- re-distribute Go only in it’s binary form
- charge licence fees for it’s usage
- it is called: “building up dependencies, then cashing in on something that used to be free” (as Oracle did with Java)
- until it was out of the testing-phase
- and every developer and every company was using it/became dependant on it
- it is called: “building up dependencies, then cashing in on something that used to be free” (as Oracle did with Java)
Next problem: Rust (src here) was started by Mozilla, is used by Mozilla for Firefox, but Mozilla has build up financial dependencies to Google.
(Rust in contrast is licenced under MIT & Apache licence https://www.rust-lang.org/policies/licenses)
While this is all not really: K.I.S.S (the UNIX philosophy of Keep it Super Simple)
No dispair, just do your best.
Sticking to the default?
The problem is that systems designed & “Made in the 1970s” (C compiler, Phones, Mail), were not designed around security (because it was not really a problem in those days).
So…
- unless Google won’t change the Go lang licence to something Open Source compatible
- unless Linus & Greg or someone else wants to build a C 2.0 around security, Rust is it.
The Go lang licencing problem is the ZFS Oracle licencing problematic all over again:
In other words: Licences (money) have more than once, instead of enabling developers & users, have hindered developers & users.
Another company that M$ successfully killed by buying it…
Another example how Microsoft successfully made this planet worse:
IT WAS AN EXCELLENT learning platform, with high quality video learning courses with…
- 2000 courses in German
- 1200 courses in Spanish
- 1300 courses in French
- 500 courses in Japanese (as of September 2017)
- 0 in English? (a bit strange, but this company was from Austria and has focused on the EU market, that might be one reason)
Microsoft bought it up… now it is… dead? MS killed it. #wtf?
Now a high quality Video2Brain Rust videos would be needed (luckily – again – Youtube volunteers are chipping in THANKS! (MS maybe transfer some money to them? eh? thanks!))
PS: so that’s my take, could not ask that question via…
stackoverflow.com and serverfault.com suck and DESPERATELY needs competition
#linux #gnu #gnulinux #opensource #administration #sysops #dev #c #development #rust #go #google #security #itsec #cybersec #cybersecurity #kernel #linus #torvalds #mozilla #licence #licencing #patents #patent
Originally posted at: https://dwaves.de/2022/05/16/rst-vs-go-open-source-is-about-enabling-users-rust-lang-will-complement-c-around-the-gnu-linux-kernel-for-better-safety-amazon-microsoft-google-and-the-white-house-want-to-make-open-sourc/
how much is the phish? The phone-system but also the E-Mail system, are amongst the oldest, digital systems still in use today (the first E-Mail was send 1971). Unfortunately both systems - back then - were not designed with security in mind.[...]
#linux #gnu #gnulinux #opensource #administration #sysops #cyber #itsec #cybersec #itsecurity #dkb #bank #banking #phishing #phish #yandex #sdk #privacy
Originally posted at: https://dwaves.de/2022/05/10/cyber-it-security-news-dkb-phishing-fake-mails-and-sms-software-minimalism-is-data-protection-is-privacy-is-key-36-of-android-apps-build-with-yandex-sdk/
cyber it-security news - DKB phishing fake mails AND sms
how much is the phish? The phone-system but also the E-Mail system, are amongst the oldest, digital systems still in use today (the first E-Mail was send 1971). Unfortunately both systems - back then - were not designed with security in mind.[...]
#linux #gnu #gnulinux #opensource #administration #sysops #cyber #itsec #cybersec #itsecurity #dkb #bank #banking #phishing #phish
Originally posted at: https://dwaves.de/2022/05/10/cyber-it-security-news-dkb-phishing-fake-mails-and-sms/
cyber is on heightened alarm levels
… ya’ll know why.
timeline of a successful attack on the most basic tools like: exiftool
- cve-2021-22204 (failed to properly validate parsed input)
- This was reported by a security researcher on April 7, 2021, initially confidentially via the bug bounty platform HackerOne at the affected GitLab.
- They reacted quickly, passed this on to the exiftool maintainers, who already provided a patched version 12.24 on April 13 and on April 14, the researcher received a $19,000 reward.
- But the story wasn’t over.
- On April 30 – more than two weeks later – CySrc filed a report with Google’s Vulnerability Reward Program.
- They had found that DjVu images uploaded to Virustotal gave them access to scan servers.
- Had the operators of these servers overslept the patches?
- Probably not. I rather think that they simply relied on the security updates of their Linux distribution.
- And with Debian, for example, that didn’t happen until May 2nd; at Fedora even on May 4th.
- So, after the release of the patch that exposed the problem, there was a window of over 2 weeks in which Linux systems with exiftool were vulnerable to a known, easy-to-exploit vulnerability.
- CySrc used this window of opportunity to score points on Google’s Vulnerability Reward Program (although it’s not clear if they got a reward).
- But just as well, state APT or cybercrime hackers could have exploited this gateway for their own purposes and caused real harm.
possibly mitigation: Debian need to push updates more frequently
maybe even like a “hotline” to put together, updates/patches that are URGENT on track to be published IMMEDIATELY.
kernel-live patching?
ubuntu does it already.
https://ubuntu.com/blog/an-overview-of-live-kernel-patching
possibly mitigation:
/usr/bin/unshare
“For exiftool it would therefore have been the right approach not to start it with root rights (!), but rather to run it with unshare (/usr/bin/unshare) in an extremely downtripped context. Linux comes with a lot of security features that you just have to use.”
(src)
possibly mitigation:
- only run programs with the privileges they absolutely need
- that is sometimes a bit cumbersome, like users having to be in the right group, then completely log out to make changes effective (example: virtualbox’s user vboxuser (the setup ideally should ask the user “what users should be allowed to run virtual machines on this host?” (list of user appears -> checkbox those that are allowed))
- monitor the network for illicit connections to strange places and strange hosts
another: possibly mitigation:
Yes C++ is “ugly”.
So is RUST.
But RUST comes with “build-in” safety (hardware control might be lacking somewhat).
So yes it is an hard-to-understand-and-what-is-actually-going-on-syntax-language… but unless there comes the “C with safety build in” RUST is the best option for Open Source to be secure, reliable and fast in the future.
Links:
https://dwaves.de/2019/09/27/compile-rust-hello-world-for-arm7/
https://dwaves.de/2021/07/24/how-to-step-debug-debugging-rust-in-vim-8-1/
java had it’s oopsi time
#linux #gnu #gnulinux #opensource #administration #sysops #itsec #cyber #debian #gnu-linux #ubuntu
Originally posted at: https://dwaves.de/2022/05/03/heightened-cyber-alarm-levels-timeline-of-a-successful-attack-on-the-most-basic-tools-like-exiftool-possible-mitigations/
cyber is on heightened alarm levels
… ya’ll know why.
timeline of a successful attack on the most basic tools like: exiftool
- This was reported by a security researcher on April 7, 2021, initially confidentially via the bug bounty platform HackerOne at the affected GitLab.
- They reacted quickly, passed this on to the exiftool maintainers, who already provided a patched version 12.24 on April 13 and on April 14, the researcher received a $19,000 reward.
- But the story wasn’t over.
- On April 30 – more than two weeks later – CySrc filed a report with Google’s Vulnerability Reward Program.
- They had found that DjVu images uploaded to Virustotal gave them access to scan servers.
- Had the operators of these servers overslept the patches?
- Probably not. I rather think that they simply relied on the security updates of their Linux distribution.
- And with Debian, for example, that didn’t happen until May 2nd; at Fedora even on May 4th.
- So, after the release of the patch that exposed the problem, there was a window of over 2 weeks in which Linux systems with exiftool were vulnerable to a known, easy-to-exploit vulnerability.
- CySrc used this window of opportunity to score points on Google’s Vulnerability Reward Program (although it’s not clear if they got a reward).
- But just as well, state APT or cybercrime hackers could have exploited this gateway for their own purposes and caused real harm.
possibly mitigation:
/usr/bin/unshare
“For exiftool it would therefore have been the right approach not to start it with root rights (!), but rather to run it with unshare (/usr/bin/unshare) in an extremely downtripped context. Linux comes with a lot of security features that you just have to use.”
(src)
possibly mitigation:
- only run programs with the privileges they absolutely need
- that is sometimes a bit cumbersome, like users having to be in the right group, then completely log out to make changes effective (example: virtualbox’s user vboxuser (the setup ideally should ask the user “what users should be allowed to run virtual machines on this host?” (list of user appears -> checkbox those that are allowed))
- monitor the network for illicit connections to strange places and strange hosts
another: possibly mitigation:
Yes C++ is “ugly”.
So is RUST.
But RUST comes with “build-in” safety (hardware control might be lacking somewhat).
So yes it is an hard-to-understand-and-what-is-actually-going-on-syntax-language… but unless there comes the “C with safety build in” RUST is the best option for Open Source to be secure, reliable and fast in the future.
Links:
https://dwaves.de/2019/09/27/compile-rust-hello-world-for-arm7/
https://dwaves.de/2021/07/24/how-to-step-debug-debugging-rust-in-vim-8-1/
java had it’s oopsi time
#linux #gnu #gnulinux #opensource #administration #sysops #itsec #cyber
Originally posted at: https://dwaves.de/2022/05/03/heightened-cyber-alarm-levels-timeline-of-a-successful-attack-on-the-most-basic-tools-like-exiftool-possible-mitigations/
“The Duri malware, for example, uses the Javascript blob technique.
The attacks are triggered by visiting a website with the malicious code.”
(this could be a well known, sincere, but hacked website)
“By downloading, the malware can install itself on the target device.”
“HTML smuggling is also made possible by the HTML5 “Download” attribute for anchor tags.”
“When a user clicks the HTML link, a download of the file is triggered.”
“The attack therefore uses conventional HTML5 and JavaScript functions.”
“The attack occurs especially in email campaigns.”
“That is, users with Exchange Online mailboxes are also affected.”
“Spear phishing campaign can ransomware”
“This technique was noticed in a spear phishing campaign in May 2021.
“As part of these attacks, the banking Trojan Mekotio as well as AsyncRAT/NJRAT and Trickbot were infiltrated – this also means remote code execution and complete takeover of computers is possible.”
“Ransomware also enters networks in this way.”
“The Microsoft 365 Defender Threat Intelligence Team shows what such an attack looks like in a Twitter post.
“ISOMorph Infection: In-Depth Analysis of a New HTML Smuggling Campaign”
src: translated from https://www.security-insider.de/html-smuggling-greift-netzwerke-von-innen-an-a-1109311/
Links:
https://dwaves.de/2018/09/10/javascript-is-evil-a-major-security-problem/
https://dwaves.de/2021/02/26/the-evilness-of-javascript-dont-be-evil-twitter-strikes-again/
https://dwaves.de/2019/12/17/mail-thunderbird-disable-javascript/
#linux #gnu #gnulinux #opensource #administration #sysops #itsec #itsecurity #js #html5 #html #javascript #cyber #cybersecurity #cybersec
Originally posted at: https://dwaves.de/2022/04/13/from-html5-javascript-blob-technique-to-ransomeware-js-is-evil-when-it-is-allowed-to-do-more-than-gui-animations/
Weil immer so viele fragen wieso man eine #Festplatte #verschlüsseln sollte, #Verschlüsselung schützt auch in einem solchen Fall.
16.01.2022 The Hacker News: High-Severity Vulnerability in 3 WordPress Plugins Affected 84,000 Websites
Tracked as CVE-2022-0215, the cross-site request forgery (CSRF) flaw is rated 8.8 on the CVSS scale and impacts three plugins maintained by Xootix —
* Login/Signup Popup (Inline Form + Woocommerce),
* Side Cart Woocommerce (Ajax), and
* Waitlist Woocommerce (Back in stock notifier)
privacy in peril - criminals abusing tor for malicous behavior should be blocked, right?
criminals abusing tor for malicous behavior should be blocked, right?
“50% of the attacks are leveraging the Tor anonymity service to mask their true origins”
https://thehackernews.com/2021/12/new-local-attack-vector-expands-attack.html
this could destroy the “honest” part of the network that truly exists, because it could criminalize the honest users, that want nothing but avoid a #1984 style of digital dictatorship.
or is malbehaving small group found in every nation just something that the tor network / democracy has to tolerate for the sake of freedom of speech & privacy?
There are many many attacks on Tor in order to try to break it
(just recently a probably gov sponsored group called KAX17)
“Given the number of servers run by KAX17 the calculated probability of a Tor user connecting to the Tor network through one of KAX17’s servers was 16%, there was a 35% chance they would pass through one of its middle relays, and up to 5% chance to exit through one.” (src)
This is a problem that probably can be fixed, but what about the first one?
#linux #gnu #gnulinux #opensource #administration #sysops #tor #log4j #attacks #cybersec #cyber #itsec #privacy #KAX17 #1984
Originally posted at: https://dwaves.de/2021/12/21/privacy-in-peril-criminals-abusing-tor-for-malicous-behavior-should-be-blocked-right/
https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/
- “log4j is a reliable, fast and flexible logging framework (APIs) written in Java, which is distributed under the Apache Software License. log4j has been ported to the C, C++, C#, Perl, Python, Ruby, and Eiffel languages.” (src: tutorialspoint.com)
- easy exploitable security problem in Java library Log4j (run the search)
- worst case scenario: a widely used and publicly accessible (internet communication message handling) software allows loading and running code from a remote site (this is not a feature, this is CyberSec madness, deseriously wtf!?)
- JavaUpdates? some do them some don’t because it could break functionality (vendor will have to update and re-test the program’s functionalities)
- Log4Shell, the widespread Apache Log4j vulnerability
- Microsoft’s threat intelligence teams reported on Saturday that they’ve seen Log4Shell exploited to install Cobalt Strike, a popular tool with cybercriminals that is often seen as a precursor to deploying ransomware.
- (src: venturebeat.com)
- “The vulnerability affects any application that uses Apache Log4j, an open source logging library, and many applications and services written in Java are potentially vulnerable”
- “The Log4Shell vulnerability has impacted version 2.0 through version 2.14.1 of Apache Log4j, and organizations are advised to update to version 2.15.0 as quickly as possible. Vendors including Cisco, VMware, and Red Hat have issued advisories about potentially vulnerable products.”
- (src: venturebeat.com)
https://www.tagesschau.de/inland/bsi-schadsoftware-103.html
the “runs everywhere” JavaScript attack vector:
the once hailed cross-platform language is allowed to do too much, as often mentioned the security implications of #evilness of a JavaScript that allows more than nicely render text is massive, it goes as far as attacking not-so-up-to-date devices within the user’s network, simply by visiting a (hacked? or just hosted with great content but evil intentions) website.
https://thehackernews.com/2021/12/new-local-attack-vector-expands-attack.html
what software was/is affected?
https://security.googleblog.com/2021/12/understanding-impact-of-apache-log4j.html
https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
https://www.rumble.run/blog/finding-log4j/
already hacked: belgian military
“The breach reportedly targeted a security flaw in a widely used utility known as Log4j, a fault that was first observed by cyber experts earlier this month, stoking fears that hackers could use the vulnerability to compromise millions of devices. While many attackers have exploited the flaw to install cryptocurrency mining software on computers without the owners’ knowledge, others have taken aim at businesses and even government agencies, according to Check Point, an Israel-based cyber security firm.
Companies and officials in Belgium and beyond have raced to patch up the vulnerability, with Google reportedly tasking 500 engineers to ensure its code is airtight, while the US Cybersecurity and Infrastructure Security Agency issued an emergency directive last week urging other federal agencies to fix the flaw.”
https://www.rt.com/news/543825-belgium-military-cyber-attack/
was affected but now fixed: server side of TeamViewer: (written in Java?)
CVE-2021-44228, CVE-2021-45046, CVE-2021-45105
Impacted productsRemediationRemediation statusUser ActionTeamViewer IoTServer-side hot fixdonenot requiredTeamViewer EngageServer-side hot fixdonenot requiredTeamViewer FrontlineServer-side hot fixdonenot required*(2021-12-20) Update on* CVE-2021-45105:
In the night between the 17th and 18th of December a third vulnerability in the log4J library (tracked as CVE-2021-45105) has been disclosed. The version, with the provided fix for the previously disclosed CVEs (CVE-2021-44228, CVE-2021-45046), has been found vulnerable to a DoS attack. A new version has been provided by the project maintainers. TeamViewer again has deployed a server-side hotfix for all affected products. User action is not required.
(2021-12-15) Update on CVE-2021-45046:
After it was found that the third-party provided fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete, we have deployed an additional server-side hotfix to address the new CVE-2021-45046. User action is not required. We will continue to monitor the situation closely.
(2021-12-13) Statement on CVE-2021-44228:
The third-party Java library Log4J2, which is widely used in the software industry, is subject to a critical vulnerability tracked as CVE-2021-44228. For our potentially impacted services including TeamViewer IoT, TeamViewer Engage, and TeamViewer Frontline, we have deployed an immediate server-side hotfix. User action is not required.
Other TeamViewer products are not impacted. Furthermore, we have diligently investigated our IT infrastructure and taken appropriate steps to mitigate any supply chain risks. TeamViewer will continue to monitor the situation closely.
#linux #gnu #gnulinux #opensource #administration #sysops #java #cyber #itsec #log4j #cybersec #javascript #Log4Shell
Originally posted at: https://dwaves.de/2021/12/13/cyberinsecurity-ah-oh-its-java-time-log4j-called-log4shell-dynamically-remote-loading-code-or-any-other-resources-is-always-a-bad-cybersec-idea/