rotopenguin

@rotopenguin@infosec.pub

rotopenguin,

When I run virt-manager on Bookworm, all it does is tell me that “xen is not connected”. There is nothing to indicate that KVM is anything that virt-manager might support, or why it currently doesn’t.

The best I can do is to make a VM in gnome boxes, use “ps” to capture its command line to qemu, re-format that into something that I can put into a bash script, and edit in additional options that Boxes/libvirt absolutely refuse to support.

Most of the host integration features are better in Virtualbox. On the other hand, with qemu I don’t have to look at VB filling the journal with ubsan errors (and wonder if its crappy driver is corrupting shit). If VB supported KVM, I would go right back to it.

rotopenguin,

Aha, thank you! That’s just a weird enough concept to “attach to” a local QEMU user session (where virt-manager will be the guy spinning it off anyway) that I would never have seen it.

Every newbie article about virt-manager starts with a filled list of connections, so I was down to figuring that it’s cleverly detecting a missing dependency or permission and silently eliminating list entries for me.

rotopenguin,

The most addictive game is “getting more games”. Follow Wario64’s discord, check prices at isthereanydeal, get the Epic freebies, mix and match bundles at Fanatical.

rotopenguin,

Oh god, the designs of classic game controllers were all war crimes lol

How do we know if there aren't a bunch of more undetected backdoors?

I have been thinking about self-hosting my personal photos on my Linux server. After the recent backdoor was detected I’m more hesitant to do so, especially because I’m no security expert and don’t have the time and knowledge to audit my server. All I’ve done so far is disabling password logins and changing the ssh port....

rotopenguin, (edited )

How do you know there isn’t a logic bug that spills server secrets through an uninitialized buffer? How do you know there isn’t an enterprise login token signing key that accidentally works for any account in-or-out of that enterprise (hard mode: logging costs more than your org makes all year)? How do you know that your processor doesn’t leak information across security contexts? How do you know that your NAS appliance doesn’t have a master login?

This was a really, really close one that was averted by two things. A total fucking nerd looked way too hard into a trivial performance problem, and saw something a bit hinky. And, just as importantly, the systemd devs had no idea that anything was going on, but somebody got an itchy feeling about the size of systemd’s dependencies and decided to clean it up. This completely blew up the attacker’s timetable. Jia Tan had to ship too fast, with code that wasn’t quite bulletproof (5.6.0 is what was detected, 5.6.1 would have gotten away with it).

https://infosec.pub/pictrs/image/4f3d0ee2-0e47-4454-9684-3afbd424f46a.png

rotopenguin,

In the coming weeks, you will know if this attacker recycled any techniques in other attacks. People have furiously ripped this attack apart, and are on the hunt for anything else like it out there. If Jia has other naughty projects out here and didn’t make them 100% from scratch, everything is going to get burned.

rotopenguin,

This is a sliver of one patch, there is a bug here that disabled a build tool that breaks the attack. Can you find it?

https://infosec.pub/pictrs/image/f55ead66-fbfd-445a-8d88-c10d0d9b5309.png

rotopenguin,

hint: It is one singular character. Everything else is fine.

rotopenguin, (edited )

I think the best assurance is - even spies have to obey certain realities about what they do. Developing this backdoor costs money and manpower (but we don’t care about the money, we can just print more lol). If you’re a spy, you want to know somebody else’s secrets. But what you really want, what makes those secrets really valuable, is if the other guy thinks that their secret is still a secret. You can use this tool too much, and at some point it’s going to “break”. It’s going to get caught in the act, or somebody is going to connect enough dots to realize that their software is acting wrong, or some other spying-operational failure. Unlike any other piece of software, this espionage software wears out. If you keep on using it until it “breaks”, you don’t just lose the ability to steal future secrets. Anybody that you already stole secrets from gets to find out that “their secrets are no longer secret”, too.

Anyways, I think that the “I know, and you don’t know that I know” aspect of espionage is one of those things that makes spooks, even when they have a God Exploit, be very cautious about where they use it. So, this isn’t the sort of thing that you’re likely to see.

What you will see is the “commercial” world of cyberattacks, which is just an endless deluge of cryptolockers until the end of time.

non-Euclidean filesystem

I noticed that I only had 5 GiB of free space left today. After quickly deleting some cached files, I tried to figure out what was causing this, but a lot was missing. Every tool gives a different amount of remaining storage space. System Monitor says I’m using 892.2 GiB/2.8 TiB (I don’t even have 2.8 TiB of storage...

rotopenguin,

compsize will give you an honest overview of what’s going on with btrfs.

rotopenguin,

You can do “zfs style raid things” with btrfs, but there are way too many reports of it ending badly for my tastes. Something-something about “write hole”.

rotopenguin,

There’s hardlink, and then below that there’s the COW/dedupe version called “reflink”. Two files can point to the same chunks of data (extents), and altering one does not alter the other. Two files can point to just some of the same chunks of data, too. I don’t think there is much indicator for when this is happening, besides the free space vs used space accounting looking crazy. If you “compsize” two reflinked files at once, it’ll show you the difference.
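To make the hardlink-versus-reflink distinction in that comment concrete, here is an added example (mine, not from the comment or any project) that hardlinks a file, tries to reflink it with Linux's FICLONE ioctl, then writes through each link and checks whether the original changed. It assumes Linux; on a filesystem without copy-on-write support (ext4, tmpfs) the reflink step reports "unsupported" instead of failing.

```python
import fcntl
import os
import tempfile

# Linux FICLONE ioctl number, _IOW(0x94, 9, int): make dst share src's extents.
FICLONE = 0x40049409


def try_reflink(src: str, dst: str) -> bool:
    """Clone src into dst as a reflink (shared extents, copy-on-write).
    Returns False and removes dst when the filesystem cannot reflink."""
    with open(src, "rb") as s, open(dst, "wb") as d:
        try:
            fcntl.ioctl(d.fileno(), FICLONE, s.fileno())
            return True
        except OSError:  # EOPNOTSUPP / ENOTTY / EXDEV / EINVAL: no reflink here
            pass
    os.unlink(dst)
    return False


def head(path: str, n: int = 8) -> bytes:
    with open(path, "rb") as f:
        return f.read(n)


def compare_link_semantics(workdir: str) -> dict:
    """Write through each linked name and see whether the original changes.
    A hardlink is the same inode, so the write shows up under both names;
    a reflink only shares extents, so the write is isolated."""
    original = os.path.join(workdir, "original.bin")
    hard = os.path.join(workdir, "hardlink.bin")
    ref = os.path.join(workdir, "reflink.bin")
    with open(original, "wb") as f:
        f.write(b"A" * 4096)  # constructed sample data
    os.link(original, hard)
    reflinked = try_reflink(original, ref)

    with open(hard, "r+b") as f:  # write through the hardlink name
        f.write(b"H" * 8)
    hardlink_visible = head(original) == b"H" * 8

    reflink_isolated = None
    if reflinked:
        with open(ref, "r+b") as f:  # write through the reflinked copy
            f.write(b"R" * 8)
        reflink_isolated = head(original) == b"H" * 8 and head(ref) == b"R" * 8

    return {"hardlink_write_visible": hardlink_visible,
            "reflink_supported": reflinked,
            "reflink_isolated": reflink_isolated}


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        return compare_link_semantics(d)


if __name__ == "__main__":
    print(run_demo())
```

Run it on a btrfs mount to see both keys True; `compsize` on the two reflinked files then shows the shared data the comment mentions.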

rotopenguin,

The more EA breaks their own shitty games, the more powerful Linux becomes

rotopenguin, (edited )

My $0.05 reading of it is that they want to hose down the build servers* and start clean, in case if the attacker escaped the sandboxing there.

* (the computers that compile all of the new packages from source, not web servers that are handing out finished deb binaries to the public.)

rotopenguin,

That sounds a lot nicer than the javascript garbage collection nightmare that is gnome-mutter / gjs

rotopenguin,

It can then go from a snap to a superior flatpak real quick.

rotopenguin,

Any app that can be sandboxed, should. Especially apps that are parsing random data from the internet.

rotopenguin,

I stand corrected. All programs should have access to anything, anywhere, and be linked to liblzma just in case if some arbitrary file is compressed. Thank you for setting me straight.

Will antivirus be more significant on Linux desktop after this xz-util backdoor?

I understand that no Operating System is 100% safe. Although this backdoor likely only affects certain Linux desktop users, particularly those running unstable Debian or testing builds of Fedora (like versions 40 or 41), **could this be a sign that antivirus software should be more widely used on Linux desktops?** (I know...

rotopenguin, (edited )

The xz attack was not a clown show. It’s a well orchestrated attack, with a lot of clever techniques to slip a payload into something that is supposed to be fully open and readable source code. Somebody recognized a difference between what people think ssh&systemd’s dependency graph looks like, and what it actually was. Fuckery went into disabling some technical defenses (a single dot was snuck into an autoconf file! Try to find it.) and SE went into disabling others. The best malware reversers in the world have been shooting caffeine into their eyeballs for 2 days, trying to make sense of latter-stage payloads.

This attack was damn good. They either got unlucky, or there is a small possibility that our spies out-spied them and dropped the dime. Another angle is that they were running out of time - systemd developers were getting nervous about their own surface area and were working to cut that back. The attacker took the chance on running their play before it was fully bulletproofed, because it was in greater danger of becoming an obsolete exploit.

rotopenguin,

As I heard it - the (naughty) build tooling looked for rpm and deb, and bailed out if they were absent.

rotopenguin,

“Oh, did I need to rebuild the initrd too? Shhheeeeit, can I do that in a chroot from a livedisk or something?”

rotopenguin,

apt info xz-utils

Your version is old as balls. Even if you were on Mantic, it would still be old as balls.

rotopenguin,

We are well into the age of “OEMs dgaf if S3 works”. Windows has not used it since sometime around 7, so it’s been bitrotting in every vendor’s firmware. With some models, you may have S3 working on day one, but a firmware update kills it and that’s too bad.

S0ix idle is actually quite nice when you get it working, but when it is not, the tools to diagnose it are terrible. The terminology around sleep states is also terrible (what’s a package or core or platform C state? Could one of them find a different letter?). I have gone over the arch wiki, and DELETED Intel documents so many times…
