Domain: phrack.org
Stories and comments across the archive that link to phrack.org.
Comments · 149
-
Re:Useless + new attack vector
20 years ago I used to build Linux 2.0.x without module support, and this sort of made sense. It still could make a little bit of sense, but the reality is that current kernels are huge (meaning an increase in vulnerability count, too) and most systems are running distro-provided kernels built with module support anyway.
If you want to protect the kernel from root, you need something other than current LKRG "main" branch. Something like Adam's in my opinion even more controversial LKRG "experimental" branch (in the same Bitbucket repo, feel free to explore), which implements what I call (in e-mails with Adam) BSD securelevel on steroids (oh and yes, I used securelevel 20 years ago too; gave up since), and which I find suitable only for a minority of users (sysadmins) who are able to configure that thing reasonably. Of course, it deals with further module (un)loading, and other "legitimate" ways that root could backdoor the kernel.
LKRG "main" as currently announced is for easier reasonable use on typical systems. It doesn't protect the kernel from root (authorized root, or root obtained via e.g. userspace exploits or, unfortunately, via a subset of kernel exploits that will bypass LKRG), but it detects some kernel vulnerability exploits (no, not only for known vulnerabilities - that's an error in the BleepingComputer & Slashdot story) and protects the kernel from those (as well as from other unauthorized changes, such as Rowhammer bitflips).
Your reference to April Fools is spot on. This is our most controversial project ever (as the very first sentence of our announcement says), and on January 29 when we made the announcement I happened to say in a chat with Adam: "i wish it were closer to April 1, but that would have been too long a wait ;-)"
We're not delusional, and we try to do our best not to mislead the prospective users of LKRG (see also my other comments here, and the original announcement).
-
Re:Those weren't the days
we had to pay to use the Datapac network at a crazy hourly rate
Then you should have used PC Pursuit, a (probably only US) based thing. For the low, low price of $20 monthly? they gave you nighttime access to their dial-up network. This let you dial into their network and get telnet access to an X.25 pad. There was a table mapping area codes to outgoing sites. You manually connected your local site to a remote site.
Then you were effectively sitting at a Hayes dial-up modem prompt. (Hell it might have BEEN an actual Hayes.) You issued ATD local phone number, waited for the CONNECT prompt (or BUSY, try try again.) and voilà! You were magically connected to a remote BBS system. You could use it as much as you wanted over night hours (weekends and 9PM? to 6AM?) Any usage OUTSIDE of that and you'd be dinged for a standard hour charge, more than your monthly subscription.
A problem though was that BBSs were always busy and hard to get into. One guy figured out: connect to your target system and use it like normal. At 6AM, stop all traffic. Don't disconnect, but don't send ANYTHING. There were no keep-alive data prompts, the modems just sat there in their connected 300/1200 synced glory. At night he'd use it again until the next sunrise period. Apparently kept a single line busy for two months that way.
And looking at the second link I pasted, if you had two lines you could "call yourself" and drop the real link while keeping the incoming call alive. You then finesse and start controlling the incoming pad as outgoing, upon where you could call most anyplace you wanted.
Learn something new every day.
-
Notable articles...
The long-running zine has also hosted a number of notable articles, including the famed Hacker Manifesto and Smashing The Stack For Fun And Profit.
Not to mention an article from 1997 called "The Art of Port Scanning" in which Fyodor introduced a tool called nmap...
-
Re:Minimal impact
-
Re:This thread will be a sewer of misogyny
The problem is how to encourage underrepresented demographics to participate without discouraging over represented demographics from participating
What if one of the causes of participation by the well represented ("over-represented", after all, implies a predetermined desirable level of representation) is the very fact of under-representation by other groups? i.e. what if geekdom is-or-was a "safe space" for an oppressed group?
It isn't an accident that the image of "computer nerds" from the 1980s was what it was, nor was it some grand plan of the patriarchy to enable their heirs to carry on the torch of Y chromosomal world dominance. It was because we were the people who couldn't get dates, who got bullied, who retreated into our imaginations and creativity because what we found outside was so ugly and off-putting and predatory to us. We're The Mentor, and these people are still trying to spoon feed us baby food.
And now that we've won, we've actually built the shining city on the hill that stands a good chance of no less than saving the whole world from darkness, here come the barbarians to demand their share. Well if you ask me, they can fuck right off back to their hellish world of head chopping, marketing, buying, and hating. We built this, and we don't have to share it with assholes.
-
Re:the last line of the summary
Read Phrack instead. 2600 has always been and will always be an ankle-biter magazine. That said, their meet-ups are their biggest contribution to hackerdom. Back in the late 80's and early 90's that was the place to go to meet like-minded kids, and get access to all the hacker BBS's.
-
Roll your own
I would recommend rolling your own mini CTF style competition. Here at Evergreen some of the members have been creating chals for the rest of the team to solve as practice for the upcoming CSAW finals. They range from the very simple to somewhat complicated.
For some examples on what you can do, check out:
ctf.hackevergreen.com
We often use resources from websites like:
root-me.org
phrack magazine
(esp good one about stack smashing http://phrack.org/issues/49/14...)
-
"Unexploitable" sudo bug pre-1.6.3p6
Reminds me of this overflow bug which was fixed in sudo 1.6.3p6. It writes a single NUL byte past the end of a buffer, calls syslog(), and then restores the original overwritten byte. Seems unexploitable, right?
Wrong. Here's the detailed writeup of the exploit. It requires some jiggering with the parameters to get the exploit to work on a particular system, but you don't need a local root exploit to work every time, you just need it to work once and you own the system.
-
Some explanations
OK, unfortunately the video is not really informative.
Remote execution means that the attacker was able to tell the other system to run commands. One common method (stack overflow) works like this:
(In C) you have a local variable, for example to hold a string. Imagine it's 10 characters long, and you want to write 20 characters into it. It's obvious that you overwrite something. Since local variables are on the stack, you overwrite parts of it. The stack also stores the return address of the function call. If you overwrite this, you can make the function "jump back" to wherever you want... even to the string you just gave it. So instead of the function returning to the main program, it executes the machine code you gave it in your string.
The standard article on this is:
http://phrack.org/issues.html?issue=49&id=14#article
Sometimes particularly badly designed systems will even just take a command and execute it, but that is rare.
Heap Spraying is to get strings into the memory, for example to be executed by the stack overflow method. It's useful since on some systems the simple method doesn't work.
Arbitrary File Download means that the attacker was somehow able to tell the victim to arbitrarily download a file. This can be used to overwrite files (e.g. the screensaver, or configuration files) or to make life easier for the attacker.
Session hijacking means that you can take over a session, for example of a logged in user. So you are able to impersonate the logged in user.
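The stack-overflow pattern the comment above describes (a 10-character local buffer that gets 20 characters written into it), as an added example that is not part of the original comment or of any Phrack article: the vulnerable copy is shown beside a bounded copy that rejects over-long input instead of writing past the buffer. The function names, BUF_LEN and the sample inputs are constructed for this illustration.

```c
/*
 * Added example: unchecked strcpy() into a fixed-size stack buffer
 * (the bug the comment explains) beside a bounded, checked copy.
 * Names and inputs are hypothetical; nothing here comes from the page.
 */
#include <stdio.h>
#include <string.h>

#define BUF_LEN 10   /* the comment's "10 characters long" local variable */

/* The vulnerable pattern: strcpy() copies until the source's terminating
 * NUL, so a 20-character argument writes past buf on the stack and
 * clobbers whatever is stored above it (saved registers, return address).
 * It is kept here only to show the defect and is never called with a
 * long input; doing so is undefined behaviour. */
void greet_unsafe(const char *name)
{
    char buf[BUF_LEN];
    strcpy(buf, name);              /* no length check at all */
    printf("hello %s\n", buf);
}

/* Hardened form: snprintf() is bounded by the destination size and always
 * NUL-terminates; its return value tells us whether the input was
 * truncated, and we reject that case instead of proceeding silently.
 * Returns 0 on success, -1 if the name does not fit in BUF_LEN bytes. */
int greet_bounded(const char *name)
{
    char buf[BUF_LEN];
    int needed = snprintf(buf, sizeof buf, "%s", name);
    if (needed < 0 || (size_t)needed >= sizeof buf) {
        return -1;                  /* would have overflowed: refuse */
    }
    printf("hello %s\n", buf);
    return 0;
}

/* How many bytes an unchecked copy of name would write past BUF_LEN,
 * counting the terminating NUL (0 when the string fits). */
size_t overflow_bytes(const char *name)
{
    size_t len = strlen(name) + 1;
    return len > BUF_LEN ? len - BUF_LEN : 0;
}

int main(void)
{
    const char *short_name = "alice";                 /* constructed: fits */
    const char *long_name  = "AAAAAAAAAAAAAAAAAAAA";  /* constructed: 20 bytes */

    printf("bounded(short) -> %d\n", greet_bounded(short_name));
    printf("bounded(long)  -> %d\n", greet_bounded(long_name));
    printf("unchecked copy of long name overshoots by %zu bytes\n",
           overflow_bytes(long_name));
    greet_unsafe(short_name);       /* safe only because the input fits */
    return 0;
}
```

The check that matters is the comparison of the snprintf() return value against the buffer size: truncation is reported rather than ignored, which is what turns a silent memory-safety bug into an explicit input-validation failure.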
-
Re:Put an end to the crime and criminal supporters
-
It's a "saying" now?!?
-
Some good readings
Polymorphic Shellcode Engine Using Spectrum Analysis
http://www.phrack.org/issues.html?issue=61&id=9
Release date : 13/08/2003
Naturally I'm paranoid about what AVG and Comodo have not detected since then. NOD32 didn't say anything either about my normal use, but I'm actually glad the technique is becoming a threat that AV suppliers must address.
-
GPS Jamming
GPS signals are weak spread spectrum and so fairly easy to jam. I don't know the legalities but I'm sure they are illegal. However, if you are worth being monitored by the FBI then you probably aren't so concerned about that.
A quick search and here we go: http://www.phrack.org/issues.html?issue=60&id=13
You could probably spoof the signal as well, but that might be a lot more difficult to implement, but would be a much more elegant solution.
-
Re:Anderson's not weird. He's you
Yeah, it's a word.
Phrackers even have their own publication. Nice to see Phrack is still going strong just like 2600.
-
Re:Sauce for the goose
One of these would solve the problem I suspect: ECM against the govt tracking.
http://www.jammer-store.com/gps-blockers-jammers.html
But are jammers legal? Fox News has the article GPS Jammers Illegal, Dangerous, and Very Easy to Buy but in Are GPS Signal Jammers Legal? Bright Hub says the FCC has "only taken action against one individual who has sold GPS jamming devices."
For those who want a GPS jammer, and have the skills to build one, Phrack explains how.
Falcon
-
Re:The Internet is this magazine.
Another one:
-
This is our world now...
the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals. Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for. I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike. http://www.phrack.org/issues.html?issue=7&id=3&page=2
-
Re:Well now...
Not for federal crimes they don't. There's no parole in the federal system for crimes committed since November of 1987 - you do every minute of your sentence unless you can get it reversed somehow or you can get a pardon.
According to Justin Petersen (who spent 41 months in federal prison - he should know), they have indeed abolished parole, but you still get 15% time off for good behavior.
-
sounds like...
this sounds like http://phrack.org/phr4ck [phr4ck megazine] hack your brain...
-
Breaking out of chroot for a non root user
Second, every single security "problem" with chroot is based on the root user breaking out. Non-root users cannot break out of a chroot'ed environment. It therefore does add some additional security.
Surely you jest!
It is possible! Ever heard about local root exploits? Just ask the OpenBSD guys, they remember this one.
-
dialback modem security
"I have connections to someone who accidentally hacked an airport in the 1990s. Back then, the thing that bored teenagers did was run programs that would find phone numbers answered by modems"
What was the name of this airport and are there any reports on this incident? Usually, where you have dial-in access to a modem, the modem drops the connection and dials back a particular number. See Dialback Modem Security from a Phrack article of 1988
-
Shellcode polymorphism
Shellcode polymorphism has been known for years. Here's a good article from Phrack on it.
Any AV vendor who isn't prepared for it by now has grossly failed their customers.
-
Re:Required, Sorry
You don't necessarily need (and probably shouldn't) rely purely on GPS for weapon delivery. Even the US hardly does it (they rather use laser tagging for 'small' devices and for large devices it hardly matters but they use separate GPS channels and other navigational sources including aircraft-based guidance and the good-ol' compass) since GPS is easily jammed by a bigger version of this: http://www.phrack.org/archives/60/p60-0x0d.txt (and yes, I have all the Phrack articles, Anarchist Cookbook and Steal This Book on my keyring USB, eat that security in the airport) and is more difficult to acquire an accurate signal when you're flying long distances at high speed. The "GPS for terrorists" scare is just another scam being run by our government to make us scared of a better version of GPS technology.
-
Gps Jammer & Concrete Bollards
Here's what they need. This one which is cached by Google here is from one of our anonymous friends.
Concrete Bollards set in the roadway wide enough for a car to pass through but too close together for lorry / truck would be the lo-tech solution.
Don't wait for the Local Govt. to get its arse into gear. Just Do It. There you go! Problem solved!
-
Re:Obvious
That means its handler routine went, "Okie dokie, rendering an image...okay this image is really code, what the hell, let's just execute the code." W. T. F? That should never happen. It should absolutely refuse to interpret anything that is called with an inappropriate handler. That's just a no brainer. Hey Mr. No-brainer, if you really believe that's what happens in those image exploits, I suggest you go back to school circa 1996 before making an even bigger fool of yourself.
-
Re:Preoccupation with p0rn?
can I yEnc or uuencode my p0rn before posting it and be exempt from these tracking requirements?
Just base64 it into a data URI. I'm reminded of this phrack issue (loopback 0x0f):
Authorities are clueless, they shouldn't be pushing laws on subjects they fail to grok. ... to actually make use of the Phrack article:
"Below is the schematic diagram (gps_jammer.ps) in an uuencoded gzipped
PostScript file. This is the native Xcircuit[12] format and is used for
ease of viewing, printing and modification."
How many FBI agents weaned on Windows will it take to get past the first
hurdle: uuencoded?
[ So many that after 8 month we decided to help them out:
http://www.phrack.org/dump/phrack_gps_jammer.png
Or for the advanced agent:
$ uudecode p60-0x0d.txt && gunzip -d gps_jammer.ps.gz && \
gv gps_jammer.ps
]
-
Re:will they then
So I guess I can link to the E911 document nowadays without getting
.. BRBFBI
-
Re:GPS jammer?
http://www.phrack.org/archives/60/p60-0x0d.txt
Volume 0x0b, Issue 0x3c, Phile #0x0d of 0x10
Low Cost and Portable GPS Jammer
I built one based on this information for an electronics class a while back. It indeed works, as I can cause my Garmin III+ to lose positioning. Range limit is based on antenna used and power output.
-
Smashing The Stack For Fun And Profit
"Years ago it was hackers who were doing it for the bragging rights, now it's the criminals."
Aleph One's "Smashing The Stack For Fun And Profit" http://www.phrack.org/archives/49/P49-14 is already a decade old, and I guarantee that "hackers" were using PBXs, ROLM systems, CNA, etc for profit well before then.
-
Against the System: Rise of the Robots
Check http://www.phrack.org/archives/57/p57-0x13 by Michal Zalewski from 2001
-
Nothing new
-
who invented ASLR ..
"It's my favorite feature within Windows Vista, it's called ASLR (Address Space [Layout] Randomization)
.. a smart guy here came up with a solution, so we put it in Windows Vista.", Jim Allchin.
A smart guy at MS never did come up with the solution; it's been around on other systems at least five years before Vista and it isn't totally secure. Software can never provide total security. Such protections belong in hardware, in the memory management unit.
"in my opinion, it is the most secure system that's available", Jim Allchin.
I think he means the most secure version of Windows.
"We have .. found .. buffer overflow, and those have been removed in Windows XP", Jim Allchin Feb 2002
-
Re:Say No to 'closed' drivers
Static kernel, for *what* reasons of security? http://www.phrack.org/show.php?p=60&a=8 is ages old.
> Linux rather be Not Yet Ready for the desktop, rather than joining the Desktop bandwagon, and becoming yet another Patch --> Update --> Service Pack --> Antivirus --> Unstable kind of a desktop OS.
Funny, I thought it's already a continual patch->update cycle without even being reliable on the desktop already.
-
Re:Nothing a bullet to the forehead wouldn't fix
When Gmail sees an email it does not like, it will flag it and strip out all links in the message.
-
Re:jamming
probable means this...
http://www.phrack.org/phrack/60/p60-0x0d.txt
-
I only got one thing to say about that...
Here
SealBeater
-
"First-ever exploit"
"The patches come more than three months after former ISS researcher Michael Lynn quit his job to present the first-ever example of exploit shellcode in Cisco IOS (Internetwork Operating System), a presentation that landed him in legal hot water. Cisco's advisory effectively confirmed Lynn's summer warning that the flaw could be exploited by remote attackers to execute arbitrary commands or cause a denial-of-service on compromised routers."
It was not the first-ever example of exploit shellcode in IOS, Phenoelit already made public some Proof-of-Concept IOS exploits in the past. Phrack 60 #7
-
Re:In other words...
How do you know ? Are you some sort of expert ?
http://www.eweek.com/article2/0,1895,1841266,00.asp
http://www.phrack.org/show.php?p=63&a=8
-
Re:How dare they!
Like, SuckIt?
-
If you want to know more about rootkit detection -
If you want to know more about the topic of rootkit detection, please see Phrack Volume 0x0b, Issue 0x3d, Phile #0x08 of 0x14. http://www.phrack.org/phrack/63/p63-0x08_Raising_The_Bar_For_Windows_Rootkit_Detection.txt
-
Re:Simple defense against rootkits
He did not say anything about physically removing the drives for offline testing elsewhere, or about booting a different OS to take checksums. Even then, that's pretty much impossible in practice - kind of hard to take down say, an exchange server or an important DB server for a client in the middle of the day because you need to run some checks.
To see what's out there and to get some idea of detecting these things, I highly recommend the fine articles over at http://www.phrack.org/
-
Re:It works both ways, but it's worse for MS
I don't think that will work:
http://www.phrack.org/show.php?p=58&a=7
I suggest using that military grade stuff. ;-)
-
Re:Jamming by whom?
Phrack magazine awhile ago had an article about building a Low Cost and Portable GPS Jammer.
-
Re:No, no, no... Windows is as secure.
But you can write arbitrary code into another process's memory space and then (gasp!) execute it via CreateRemoteThread(). One of Phrack's articles discusses inserting a piece of code into a trusted application (IE if I remember correctly), thus fooling ZoneAlarm into letting the outgoing traffic through. Here is the article:
http://www.phrack.org/phrack/62/p62-0x0d_Bypassing_Windows_personal_fw_with_process_infection.txt
I understand you were being funny though : )
-
Re:Did that say signed vs. unsigned integer bugs?
Unfortunately due to bad language design, finding signed/unsigned problems is often a subtle problem in C.
Here is a phrack article on the topic.
Personally, I think the OpenBSD folks are doing things the hard way, by using an insecure language as the foundation of their work. That's the problem with C - you have to remember everything you learned over years of programming, all the time, or you risk making a mistake that can not only cause crashes, but ultimately compromise your entire machine, if not your entire network.
But having said that, I do use OpenSSH and occasionally OpenNTPd (on machines with interfaces that go up and down a lot). :)
-
Re:anti-forensics
Phrack 59
Defeating Forensic Analysis on Unix
by The grugq
http://www.phrack.org/phrack/59/p59-0x06.txt
Googling around this will show up some of his most recent stuff.
-
Windows Mobile Attack Illustration
Aggressive Network Self Defense (Chapter 1) includes a rather long and very detailed walkthrough on how a Pocket PC can be owned by an attacker.
From buffer overflow to virus and trojan examples, it is all covered.
Plus these links have information of value as well:
Hacking Windows CE - Phrack 63 http://www.phrack.org/show.php?p=63&a=6
Pocket PC Phone Shellcode: http://www.mulliner.org/pocketpc/
Blackhat talk by Seth Fogie: http://www.airscanner.com/pubs/BlackHat2004.pdf
-
Interesting stuff. OS X exploit.
http://www.phrack.org/show.php?p=63&a=5 Apple has been notified, apparently, and is fixing.
-
Phrack releases final issue
Phrack releases (final) hardcover issue 63 at what-the-hack.
Pity it is not online at phrack.org yet!