jschauma

jschauma, 14 hours ago to random

On my way to #RIPE88 in Kraków. Sadly, im only attending on Tuesday, but that day I’m giving a talk (“Whose CIDR is it anyway?”, another one in my series on centralization of the internet infrastructure) — come say hi if you’re there!

jschauma, 3 days ago to ai

Cool, cool, #Slack now uses your workspace data to train its #AI. Gotta hoover up all that juicy data. Surely there's no copyrighted or otherwise sensitive content on any of the corporate instances, and leaking that is totally impossible, pinky-promise.

https://slack.com/intl/en-gb/trust/data-management/privacy-principles

(You still have the option to opt out. For now...)

jschauma, 6 days ago to debian

On the topic of "key rotation, it's not just for HTTPS", @hanno finds hundreds of DKIM keys apparently generated using the #Debian #OpenSSL predictable PRNG vulenrability from 2008 (CVE-2008-0166):

https://16years.secvuln.info/

(And yes, #BIMI is still stupid.)

jschauma, 14 days ago to random

Happy 50th Birthday, #TCP!

"A Protocol for Packet Network Intercommunication" by Vinton G. Cert and Robert E. Kahn

Published May 1974 in IEEE "Transactions on Communications" and including the definition of 16 bit port numbers, relative sequence numbers, buffering and retransmission based on window size and other flow control.

https://www.cs.princeton.edu/courses/archive/fall06/cos561/papers/cerf74.pdf

Via Patrik Fältström on internet-history@lists.isoc.org:
https://elists.isoc.org/pipermail/internet-history/2024-May/009758.html

jschauma, 18 days ago to random

OpenSSL is the latest major Open Source project moving distribution / development to GitHub:

https://openssl.org/blog/blog/2024/04/30/releases-distribution-changes/

Can't say I'm a fan of centralizing all our development, history, and releases of global, distributed, open source infrastructure pillars under one for-profit US company.

jschauma, 1 month ago to markdown

#markdown

jschauma, 1 month ago to random

Here's a thorough analysis of all the commits by "Jia Tan" from 2023-08 through 2024-03, showing the many legitimate code changes done before the introduction of the #xz #backdoor:

https://tukaani.org/xz-backdoor/review.html

jschauma, 1 month ago to random

Every so often, I need to chase down some aspect of email validation (#SPF, #DMKIM, #DMARC, ...). This involves a number of #DNS records and queries, but I may forget just which ones. So here's a quick #SMTP/DNS cheatsheet:

jschauma, 1 month ago to random

Today's Venn Diagram of Terrible Things

jschauma, 1 month ago to random

Wait, so nowadays Linux systems don't come with a syslog any more? Tried Fedora 39 and Debian 12 and neither has either of syslogd, rsyslogd, nor syslog-ng, so out of the box you can't remote log. sigh

jschauma, 1 month ago to random

This new HTTP/2 DoS vulnerability (CONTINUATION Flood) was just disclosed after several weeks of well coordinated disclosure across all the major HTTP implementations yielding multiple CVEs:

https://www.kb.cert.org/vuls/id/421644

Detailed write-up by Bartek Nowotarski, who discovered the issue:
https://nowotarski.info/http2-continuation-flood-technical-details/

#http2 #VU421644

jschauma, 1 month ago to random

Honestly, tho, GNU indirect functions (as abused by the #xz #backdoor) do sound like a malware developer's dream / syadmin's nightmare. And you thought LD_PRELOAD was a footgun...

https://sourceware.org/glibc/wiki/GNU_IFUNC

jschauma, 1 month ago to random

This is quite neat: an #xz #backdoor poc that patches liblzma to accept a different ed448 key so you can view the full attack in action, even if you can't use this for detection or exploitation.

https://github.com/amlweems/xzbot

jschauma, 1 month ago to random

For anybody cynically going "haha, 'given enough eyeballs, all bugs are shallow" my ass", I'm willing to argue that the reverse engineering of the #xz #backdoor actually validates this claim.

We just didn't have enough eyeballs on this particular dependency, nor is it possible to have every commit in your dependency graph investigated. But once the issue was found, the community's focus moved like the 👁️ of Sauron; few teams could have done that work (as quickly, thoroughly, or at all).

jschauma, 1 month ago to random

#NetBSD 10.0 has been released! This has been a long time coming, with recent security issues necessitating updates and delays.

NetBSD 10 includes POSIX.1e ACLs, experimental WireGuard support, and a range of performance improvements:

https://netbsd.org/releases/formal-10/NetBSD-10.0.html

(It's worth noting that NetBSD is not affected by the #xz #backdoor, both because that targets Linux/glibc/systemd and because the version of xz shipped with NetBSD predates the inclusion of the backdoor code.)

jschauma, 1 month ago to random

Regarding the #xz backdoor, I've seen statements like "if you're not running a publicly exposed sshd, you're safe". This is not the case and reflects a pretty outdated security mindset. You're still vulnerable, because you shouldn't assume internal connections are inherently trustworthy.

Yes, it limits exposure, but that's not the same - you still have a high-severit incident on your hands. Anyway, just here stating the obvious, as usual. ✌️

jschauma, 1 month ago to random

Motherfucking Apple again.

“This computer that you’ve been using for the last two years? Never seen that before, so I’m going to delete all your playlists on both your phone and that computer. Enjoy!”

jschauma, 4 months ago to sysadmin

Hey Fediverse! The Spring semester is about to start, and I'll be teaching System Administration again:

https://stevens.netmeister.org/615/

Topics covered include: basic operating system & filesystem concepts, software installation & package management, config management, automation, tools development, TCP/IP networking, common services, system security.

All lectures are online as free videos; if you'd like to follow along, here's the playlist for Week 1:

https://www.youtube.com/playlist?list=PLDadzdouM0VCV7tjurqM8FHY6APK9wvJl

#SysAdmin #SRE #DevOps