Domain: outflux.net
Stories and comments across the archive that link to outflux.net.
Comments · 11
-
Not enough
Its not enough to just be reactive about computer security. This still means that sophisticated attackers can hoard security vulnerabilities and develop advanced tools that find vulnerabilities the moment they are introduced. Instead, you should already design the system in a way that frustrates attacks and hopefully prevents some attacks entirely. A good talk about this:
https://www.youtube.com/watch?...
Slides:
-
Re:Don't worry
In fact you can even fix it yourself while waiting for a patch with systemtap: http://www.outflux.net/blog/archives/2012/01/22/fixing-vulnerabilities-with-systemtap/
-
Re:Any programmers which connect to a Linux box ?
You can build one yourself: http://outflux.net/unix/software/EPROM/
-
Dropping SUID doesn't improve security
Here's one of the better criticisms of dropping SUID, and it's from an Openwall developer. These criticisms are echoed by almost everyone thinking about removing SUID.
There's a lot of talk lately regarding replacing the SUID bit on program
binaries in Linux distros with filesystem capabilities. Specifically,
Fedora and Ubuntu are heading in that direction.Fedora:
http://fedoraproject.org/wiki/Features/RemoveSETUID
https://bugzilla.redhat.com/show_bug.cgi?id=646440Ubuntu:
http://www.outflux.net/blog/archives/2010/02/09/easy-example-of-fscaps/
https://wiki.ubuntu.com/Security/FilesystemCapabiltiesWhile in general this is a good idea, there are issues with it, in
arbitrary order:- Some currently-SUID programs are aware of them being (potentially)
SUID, and will drop the "more privileged" euid when it is no longer
needed, but they will probably not be aware of them possessing
capabilities. This may result in larger parts of the programs
(sometimes orders of magnitude larger) running with elevated privileges
(or with allowed-to-be-elevated privileges, which is a privilege on its
own and is usable through vulnerabilities that allow for arbitrary code
execution). Let's consider ping, which appears to be the classical
example of "where filesystem capabilities will help" (or so it is
claimed). IIRC, it starts by acquiring a raw socket (NB: of a certain
somewhat-limited type), then drops root privs (if it was installed SUID
root and run by non-root), then proceeds to parse the command-line,
resolve the provided hostname, and so on. If the SUID bit is replaced
with cap_net_raw+ep, as seen in Kees' example above, will ping know to
drop this capability? Hardly. Not without a source code patch.
Besides, dropping the capability might [need to] require privileges
beyond CAP_NET_RAW itself (recall the capability-dropping attack on
sendmail from a decade ago). So does moving from SUID root to
cap_net_raw+ep improve security? Most likely not. On the contrary, it
results in hundreds of lines of ping's code and thousands of lines of
library code (DNS resolver) running with elevated privileges, as
compared to just a few lines of ping.c, which was the case with simple
SUID root. Granted, those "elevated privileges" are a lot less than
root privileges, but they're a lot more than having a single raw socket
of a specific type.- In some cases, the capability sets being granted are (almost)
equivalent (or expandable to) full root powers. This is seen in:http://people.fedoraproject.org/~dwalsh/policycoreutils_setuid.patch
-%attr(4755,root,root) %{_bindir}/newrole
+%attr(0755,root,root) %caps(cap_audit_write,cap_setuid) %{_bindir}/newrole-%{_sbindir}/seunshare
+%attr(0755,root,root) %caps(cap_setuid,cap_dac_override,cap_sys_admin,cap_sys_nice) %{_sbindir}/seunshareThis mostly just sweeps the SUID root under the rug, where the sysadmin
will hopefully not see it and thus feel safer. However, it may expose
more problems in the programs if they knew to drop root, but wouldn't
know to drop the capabilities (same issue I described above for ping).Granted, vulnerabilities of certain classes might become unexploitable
or be partially mitigated. For example, if no direct code execution is
possible (not a buffer overflow, etc.), but "only" privileged access to
an attacker-provided arbitrary pathname is possible, then "newrole"
above would be protected, but "seunshare" above would not (because of
cap_dac_override).- Completely getting rid of SUID root pro
-
Google geolocation
Enjoy: http://outflux.net/geoloc/
-
Sumbitted a while ago
I submitted this a while ago after reading http://www.outflux.net/blog/archives/2010/01/24/google-is-wardriving/trackback/.
-
Re:Popcorn anyone?
As an option, but not by default. As I understand it, someone asked why SELinux wasn't in Ubuntu, and when told "nobody wants to do the work", they went and did it.
-
Re:Let me be the first to say...You have it wrong.
Iron Man lives!
-
for cd rip & burn
-
Re:It's already easy enough under linux
The only bad thing is that, currently, I still find the best application for editing commercials out of shows I want to archive, to be virtualdub [a win32 app]. It runs under wine, sure, but it still kind of hurts to have to do it. At least it's GPLd, though.
I recently dropped an Ethernet card into my TiVo, and now I can pull the video off to my Linux box directly without redigitizing from analog. After doing that, I looked for a cuts-only mpeg2 editor and found GOPchop. It took a few tries to get it to compile, but once it did, it worked out great.
I haven't completely automated the extraction process yet; basically it's currently a three step process. (1) List the filestream id numbers corresponding to a particular tyStream; (2) Start a receiver process on the Linux box using netcat; (3) extract the tyStream on the TiVo and pipe it via netcat over to the remote receiver process. It means I need to telnet to the TiVo to kick off the extraction process, instead of having a one-click interface, but it gets the job done. Oh, and I have to pipe it through tyc to convert it from the tyStream format to normal mpeg; apparently a tyStream has some extra stuff multiplexed in along with the mpeg audio and video.
I'm storing them on removable IDE drives; apparently most other folks burn video cds instead.
-
Re:Self Destruct Features in HWHey.
If someone hacks your computer, the worst thing that could happen is you'd lose some data and have to do a fresh install of everything. If you put fucking thermite in a PC, you're out $2000 worth of hardware.
If we look at the original post (emphasis mine):
about a year ago I suggested wiring the embedded device we were working on with thermite so that if one of those wise-ass kids in Sweden tried to hack our hardware, it'd quitely fry the motherboard and hard drive.
An embedded device isn't a desktop computer or a server. It's a proessor that's 'embedded' in another device. Take a TiVo for instance. It is an embedded device. The original poster's usage of the term 'hack' was not as in crack but as in 'classic' hacking.
The definition is important. If I was to crack a server, I would be breaking in and acessing data without authorisation. If I were to hack an embedded device, I could for example add more recording time to my TiVo.
Some companies are annoyed by peope hacking thier embedded hardware, since they can but low-spec versions and make them into high-spec versions.
The original poster was likely making a joke. He proposed a device that if you opened the case to upgrade it, would destroy itself.
It's funny. Laugh.
Michael
...another comment from Michael Tandy.