1. 1

    I’m writing a custom daemon to monitor HardenedBSD’s infrastructure, notifying me via Pushover whenever there’s an anomaly. As part of this, I plan to write a PAM (tangent: is it “PAM” or “PAM Module”?) to send a Pushover notification whenever a login attempt is made to any internal server. Thanks for writing this article, which I’m going to use as the base of where to start in my PAM development journey.

    1. 1

      Do let me know how it goes and if you run into any issues that need to be shored up in the article !

    1. 4

      The writing was on the wall with the first rebranding.

      1. 3

        I’ve deployed void-zones-tools across a few different networks, both corporate and personal. My firewall rules also disallow DNS egress, except for my authoritative DNS server(s).

        1. 9

          Wow, that issue reporter is a dick. Responsible disclosure is a thing.

            1. 6

              I believe it gets the point across to researchers that either you disclose serious vulnerabilities carefully or you don’t get the recognition for disclosing them.

              Granted, I still find it a little childish and it might cause researchers who don’t care about responsible disclosure to leave memcached unpatched (I’m split on whether I’d rather have vulns disclosed irresponsibly or never disclosed at all), but I guess normando was in the heat of the incident and trying to get this fixed ASAP.

              1. 2

                I’m totally OK with that minor slap back to be totally honest.

              2. 4

                As someone who’s been in the information security industry for decades, I’m always amazed by two things:

                1. Some people know about responsible disclosure but don’t practice it.
                2. Some vendors demand responsible disclosure, never respond or fix the problem, and then get upset when the vuln is publicly disclosed 30-90 days later (I’ve been threatened with lawsuits before for that sort of thing).

                I can forgive people who don’t know about responsible disclosure, but I’m still surprised by the people who doubt its merits.

                1. 2

                  Completely agree.

                2. 2

                  Unpopular opinion puffin meme: Full disclosure is the only form of “responsible” disclosure: https://git-01.md.hardenedbsd.org/shawn.webb/articles/src/branch/master/infosec/Vulnerabilities/2019-01-08_Disclosure/article.md

                  1. 2

                    Thank you for sharing this, I think it does make a strong argument for ‘full disclosure’ that I had never considered.

                  2. 1

                    Honestly I don’t find that helpful.

                    I personally think that responsible disclosure is preferable to immediate disclosure. But looking at the bigger picture: any disclosure is better than no disclosure, yet people doing no disclosure never get the amount of criticism that people not following the procedures some people like get.

                  1. 1

                    So at this point we assume that there are more nasty bugs in OpenSMTPD and that people wearing various colours of hat are looking for them.

                    1. 5

                      I mean, I assume that about everything. From the machines that make my shoes to the laptop I’m typing on now. ;-P

                      Vain attempts at comedy aside, I really do think it’s safe to assume there are many vulnerabilities in all complex systems (I would classify MTAs as complex). And if there truly is no vulnerability in <insert doohickey here>, there’s likely a vulnerability in <this other doohickey> deployed on the same server.

                      I’m a pessimistic realist who realizes we’re all human and prone to mistakes.

                      1. 2

                        Well this is one that’s getting some attention right now :)

                        What’s most disappointing is that OpenSMTPD doesn’t seem to do much in the way of privilege separation. There’s no reason for the MTA to be running as root or having world-writable directories or any of that mess unless you’re trying to preserve the 90s UNIX desktop experience of your mbox in /var/spool/mail and procmail “cleverness”. I’m sure there’s an audience for that, but why is that in OpenBSD’s default MTA?

                        Are they running fingerd and ytalk too? If we’re going for the retro experience over security let’s just use telnet! :)

                        1. 1

                          It is privsep’d to some degree:

                          $ ps axu | grep smtpd
                           2083 root      0:00 /usr/sbin/smtpd -F
                           2085 smtpd     0:00 smtpd: klondike
                           2086 smtpd     0:00 smtpd: control
                           2087 smtpd     0:15 smtpd: lookup
                           2088 smtpd     0:03 smtpd: pony expres
                           2089 smtpq     0:00 smtpd: queue
                           2090 smtpd     0:00 smtpd: scheduler
                          

                          I’m not familiar enough with OpenSMTPD to tell you why this specific code isn’t in one of the privsep’d parts.

                      2. 0

                        Anyone actually uses it outside of OpenBSD? I’d imagine no one really does, so not that many people would be looking for these; OTOH, finding a bug in OpenBSD software always adds extra points to the rep, doesn’t it? (I guess it might not anymore if these reports are to continue.)

                        1. 3

                          On Linux. On a forum there was a thread recently, and many reported moving to OpenSMTPD, or having already moved to it from exim/postfix, as they found it easy to work with, and the security responses are impressively quick.

                          I guess there will be quite some secholes uncovered, as nowadays OpenBSD and its sibling projects are getting more attention from security people (probably because they are an easy win, as they do not utilize as many mitigations/defense-in-depth methods as other operating systems, and have been neglected due to their relatively small user base).

                          I’m also using it on a few machines, though only for mail forwarding (Linux and OpenBSD), but I plan to set up a complete mail infra based on it in the near future, to evaluate a complex setup.

                          1. 2

                            It’s available on pretty much all Linux distros as a package, so I’d say yes. I’ve been using it for years myself on FreeBSD and Linux.

                            1. 2

                              Yes, on Linux.

                              1. 2

                                I’m just a couple weeks away from deploying an OpenSMTPD installation for HardenedBSD’s build infrastructure. It’ll be an internal-only deployment, though, just to pass emails between systems to a centralized internal mbox.

                                1. 1

                                  I did use it for a while, but not on my main mail server. It was nice to work with, but I didn’t look at the code and I’m not really able to audit any c code, really.

                                1. 1

                                  I wonder when MPK will fall to CPU microarchitecture vulnerabilities. Or has it already?

                                  1. 2

                                    Very interesting stuff. I see you’re considering I2P, have you looked at other networks, i.e. Loopix?

                                    1. 3

                                      I’m always open to ideas! :)

                                      After I meet some really tight deadlines at work (freeing up spare time), I can investigate any ideas or suggestions to improve access to our infrastructure.

                                      1. 2

                                        You might also find Nym interesting to follow if you haven’t yet already heard about it: https://github.com/nymtech/nym

                                    1. 8

                                      This is gonna be one crazy, but awesome, week:

                                      1. Giving a lunch & learn presentation at ${DAYJOB} titled “Human Rights-Centered OS Development Supply Chain.”
                                      2. I’m hoping to catch up on all the administrative tasks I’m nearly a year behind on with respect to HardenedBSD. I need to get US-based donors their tax receipts.
                                      3. Reach out to a few potential sources of major funding for HardenedBSD to help fund a proper server for self-hosted Gitea of an enterprise OS.

                                      My job tends to be a “here’s a fire, there’s a fire, everywhere’s a fire” so it’s really hard to gauge what I can do right now. I’ve found myself in a position where I’m effectively the acting director of IT for a 200-person subsidiary (but without the pay of an executive. darn!) I’m hoping to stop clocking 12-16 hour days this week. I’m feeling pretty tired and burnt out, TBH.

                                      1. 8

                                        My job tends to be a “here’s a fire, there’s a fire, everywhere’s a fire” so it’s really hard to gauge what I can do right now. I’ve found myself in a position where I’m effectively the acting director of IT for a 200-person subsidiary (but without the pay of an executive. darn!) I’m hoping to stop clocking 12-16 hour days this week.

                                        Just saying, you can easily decide to stop this on your own :) I have seen countless cases of people working insane hours, and the few that decide “work is done at X o’clock”, they are much happier, and nothing changes in terms of urgency. There are still fires but they don’t get any larger or smaller.

                                        In most orgs, there is always “a fire”. This is just to get people to work in a panic in an effort to get more done.

                                        It just hurts me to see this when there’s no reason for it.

                                        1. 3

                                          I’ve learned this the hard way. Everything is burning all the time at my current job too (it’s pretty impressive actually), and I always leave at nearly the same hour even if something blew up (in that rare case I can work a bit from home). It’s important to differentiate the usual fire from an abnormal explosion, if you know what I mean.

                                          1. 4

                                            It’s important to differentiate the usual fire from an abnormal explosion

                                            Lol, this is gold… And hits what I was getting at - thanks :) I learned it the hard way too. Suffered a bad panic attack for the first time ever and thought my heart was going to stop. I’m 24 and work out daily.

                                          2. 1

                                            It doesn’t even need to be a scam to trick you into working more hours, often the “fire” status is just to push that particular thing to the top of the org’s priority queue, rather than being targeted at the implementers / fixers.

                                          3. 5

                                            “Human Rights-Centered OS Development Supply Chain.”

                                            I’d like to subscribe to your newsletter

                                            1. 4

                                              Haha. I’ll publish slides later this week. Want me to ping you when they’re available?

                                              1. 3

                                                Yes please!

                                                  1. 1

                                                    Thank you!

                                          1. 3

                                            I’ll be imaging Windows 10 onto new laptops for deployment at ${DAYJOB} on Monday. Having already clocked in 80 hours this week and being a salaried employee, I’m glad I get straight overtime pay for hours worked over 40.

                                            1. 1

                                              you can’t run an IPv6-only Tor node.

                                              The production HardenedBSD Tor Onion Service v3 nodes disagree with that statement. HardenedBSD’s Tor integration uses an IPv6-only network stack. I believe it’s not possible to run an IPv6-only relay, but it’s absolutely possible to run an IPv6-only client.

                                              1. 1

                                                You are of course right, but I think the author uses “node” for relay, e.g.

                                                Every tor daemon downloads the list of known public nodes and stores it locally while it is running.

                                                Re IPv6:

                                                but it’s absolutely possible to run an IPv6-only client.

                                                Tangentially, I suppose announcing that you are IPv6 only has consequences for your anonymity because it restricts your possible guard nodes.

                                                1. 2

                                                  It’s important to note that Tor includes more use cases than anonymity. The network these HardenedBSD Onion Service nodes are on is publicly known, with static IP (v4+v6) addresses. It’d be somewhat foolish to attack Tor in this case, when the real juicy stuff (our build servers, for example) already has a publicly-routable IPv6 address. :)

                                                  1. 2

                                                    I agree, I was just pointing out that in general this might be something people want to avoid. The same is true for e.g. Tor’s own onion services for their website.

                                                    I’m glad that HardenedBSD is providing packages via a HS though, it’s much less wasteful for people who want the assurances of an onion service but without using up valuable exit bandwidth. I think it’s a shame more ‘distributions’ don’t do it.

                                                    1. 2

                                                      Yeah. In our case, our entire infrastructure is exposed via onion services. Not just packages, but builds, updates to the OS, and source code: effectively, the entire dev->prod pipeline and OS ecosystem. :)

                                              1. 3

                                                Idea: use this technique to implement a LOLCODE compiler.

                                                1. 3

                                                  If I can get some dedicated time, I’m planning to start implementing write support in this project: https://github.com/libyal/libpff

                                                  I need to be able to merge Outlook PST files in a programmatic fashion. libpff only supports reading PST files, not writing. This is part of a privacy tech tool I’m writing, horribly named The Migrationator.

                                                  1. 3

                                                    Thank you so much for this, especially the binaries! Due to the acquisition of my employer, my newly-assigned Win10 system forces the screensaver at five minutes at idle. Your simple, but elegant, solution should work just fine for me (I hope) and I appreciate the efforts. :)

                                                    1. 2

                                                      Bit off-topic, but: I understand that you suffer with such a miserable OS, but policies and measures like this one make some sense, and you might be held responsible if you circumvent the policy and something happened. If I were, e.g., reading documentation for several minutes without moving the mouse or pressing a button, I might use such a utility, but I would not leave it turned on permanently. If someone misused your computer, it would be your fault.

                                                      1. 2

                                                        Of course. But when I switch between several systems for different tasks in my locked office, it makes sense to use a tool like this, else I have to remember to flick the mouse myself every four minutes and fifty-nine seconds. It takes several minutes to log in to these systems, too. :/

                                                        1. 2

                                                          Several minutes!?

                                                    1. 1

                                                      An interesting observation regarding using a commit hash as a version, as demonstrated in the command line:

                                                      hbsd-dev-laptop[shawn]:/home/shawn/tmp $ git init test.git
                                                      Initialized empty Git repository in /usr/home/shawn/tmp/test.git/.git/
                                                      hbsd-dev-laptop[shawn]:/home/shawn/tmp $ cd test.git
                                                      hbsd-dev-laptop[shawn]:/home/shawn/tmp/test.git $ touch file1
                                                      hbsd-dev-laptop[shawn]:/home/shawn/tmp/test.git $ git add file1
                                                      hbsd-dev-laptop[shawn]:/home/shawn/tmp/test.git $ git commit -m "initial commit"
                                                      [master (root-commit) ff1c2c6] initial commit
                                                       1 file changed, 0 insertions(+), 0 deletions(-)
                                                       create mode 100644 file1
                                                      hbsd-dev-laptop[shawn]:/home/shawn/tmp/test.git $ git log|cat
                                                      commit ff1c2c64ed5aacf91c94c86ac058167d3729ddbd
                                                      Author: Shawn Webb <shawn.webb@hardenedbsd.org>
                                                      Date:   Sat Dec 21 01:58:33 2019 -0500
                                                      
                                                          initial commit
                                                      hbsd-dev-laptop[shawn]:/home/shawn/tmp/test.git $ git tag -a ff1c2c64ed5aacf91c94c86ac058167d3729ddbd -m "ff1c2c64ed5aacf91c94c86ac058167d3729ddbd"
                                                      hbsd-dev-laptop[shawn]:/home/shawn/tmp/test.git $ git describe
                                                      ff1c2c64ed5aacf91c94c86ac058167d3729ddbd
                                                      hbsd-dev-laptop[shawn]:/home/shawn/tmp/test.git $ git tag
                                                      ff1c2c64ed5aacf91c94c86ac058167d3729ddbd
                                                      hbsd-dev-laptop[shawn]:/home/shawn/tmp/test.git $ touch file2
                                                      hbsd-dev-laptop[shawn]:/home/shawn/tmp/test.git $ git add file2
                                                      hbsd-dev-laptop[shawn]:/home/shawn/tmp/test.git $ git commit -m "blargh"
                                                      [master f568378] blargh
                                                       1 file changed, 0 insertions(+), 0 deletions(-)
                                                       create mode 100644 file2
                                                      hbsd-dev-laptop[shawn]:/home/shawn/tmp/test.git $ git describe
                                                      ff1c2c64ed5aacf91c94c86ac058167d3729ddbd-1-gf568378
                                                      hbsd-dev-laptop[shawn]:/home/shawn/tmp/test.git $ git show ff1c2c64ed5aacf91c94c86ac058167d3729ddbd
                                                      warning: refname 'ff1c2c64ed5aacf91c94c86ac058167d3729ddbd' is ambiguous.
                                                      Git normally never creates a ref that ends with 40 hex characters
                                                      because it will be ignored when you just specify 40-hex. These refs
                                                      may be created by mistake. For example,
                                                      
                                                        git switch -c $br $(git rev-parse ...)
                                                      
                                                      where "$br" is somehow empty and a 40-hex ref is created. Please
                                                      examine these refs and maybe delete them. Turn this message off by
                                                      running "git config advice.objectNameWarning false"
                                                      commit ff1c2c64ed5aacf91c94c86ac058167d3729ddbd (tag: ff1c2c64ed5aacf91c94c86ac058167d3729ddbd)
                                                      Author: Shawn Webb <shawn.webb@hardenedbsd.org>
                                                      Date:   Sat Dec 21 01:58:33 2019 -0500
                                                      
                                                          initial commit
                                                      
                                                      diff --git a/file1 b/file1
                                                      new file mode 100644
                                                      index 0000000..e69de29
                                                      
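                                                      As an added example (not part of the comment above, and not HardenedBSD’s code), the script below reproduces the session in a throwaway repository and checks how git resolves the name three different ways: the bare 40-hex string, the full ref path refs/tags/<id>, and git describe. The temp directory, file name and author identity are placeholders; git itself is the only requirement.

```shell
#!/bin/sh
# Added example, not from the comment above: reproduce the "ambiguous refname"
# situation in a throwaway repository and show how git resolves the name.
# The repository, file name and identity below are placeholders.
set -eu

export GIT_AUTHOR_NAME="example" GIT_AUTHOR_EMAIL="example@example.invalid"
export GIT_COMMITTER_NAME="example" GIT_COMMITTER_EMAIL="example@example.invalid"

# Creates one commit, tags it with its own 40-hex id, and prints five fields:
#   1 commit id
#   2 annotated tag object id
#   3 what the bare 40-hex name resolves to
#   4 what refs/tags/<id> resolves to once peeled to a commit
#   5 git describe output
# Runs in a subshell so the cd does not leak into the caller.
make_ambiguous_tag() (
    repo=$(mktemp -d)
    cd "$repo"
    git init -q .
    : > file1
    git add file1
    git commit -q -m "initial commit"
    commit=$(git rev-parse HEAD)

    # Tag name == commit id, exactly as in the session above
    git tag -a "$commit" -m "$commit"

    # The annotated tag is its own object, distinct from the commit it points at
    tag_obj=$(git rev-parse "refs/tags/$commit")

    # A bare 40-hex name is taken as an object id first; the tag is ignored.
    # The "refname is ambiguous" warning goes to stderr; silenced so stdout stays clean.
    bare=$(git -c advice.objectNameWarning=false rev-parse "$commit")

    # The only unambiguous way to reach the tag: its full ref path, peeled to a commit
    via_ref=$(git rev-parse "refs/tags/$commit^{commit}")

    # describe reports the tag name, which looks like a plain commit id
    desc=$(git describe)

    cd / && rm -rf "$repo"
    printf '%s %s %s %s %s\n' "$commit" "$tag_obj" "$bare" "$via_ref" "$desc"
)

# Stand-alone run: ./ambiguous-tag.sh --demo
if [ "${1:-}" = "--demo" ]; then
    set -- $(make_ambiguous_tag)
    echo "commit:        $1"
    echo "tag object:    $2"
    echo "bare name ->   $3"
    echo "refs/tags/ ->  $4"
    echo "git describe:  $5"
    [ "$1" = "$3" ] && echo "verdict: the bare 40-hex name ignores the tag"
fi
```

                                                      The practical check for anyone treating git describe output as a version string: a tag whose name is a commit id is only reachable through refs/tags/<name>, so resolve tags with git rev-parse refs/tags/<name> (or git rev-parse --verify refs/tags/<name>) rather than the bare name, and expect the annotated tag object id to differ from the commit it points at.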
                                                      1. 2

                                                        I’m now effectively the acting Director of IT for my business unit of around 200 peeps. This week will be comprised of:

                                                        1. Migrating our data out of Google into our own self-hosted services. Already a multi-week effort. Won’t complete it this week, but hoping to finish pulling down email. The tool I’m writing for this is open source.
                                                        2. build-a-bsd
                                                        3. Internal tech support.
                                                        4. The usual pissing off of human rights violators.

                                                        1. 7

                                                          Would love to read it, but it requires a Google login.

                                                          1. 6

                                                            Turns out it all was an elaborate trolling scheme…

                                                            1. 2

                                                              Haha. I’m pretty sure you’re joking, but just in case:

                                                              My employer (G2, Inc) was acquired by Huntington Ingalls Industries (HII). G2 uses G Suite while HII uses self-hosted Exchange. I’m tasked with migrating the entirety of G2 away from all Google services to HII’s self-hosted versions. This poorly-named tool is what’s coming out of that work.

                                                          1. 2

                                                            Clever approach. I wonder if this can be (or already has) spread to other OS’s.

                                                            1. 4

                                                              After the ASLR so useful addition, next in the series of the buzzword-compliant checkboxes is the stack addresses randomization.

                                                              sigh

                                                              Considering the goal of randomizing the addresses of strings and main thread initial frame, moving the main stack area in the address space is not feasible.

                                                              Yet again, HardenedBSD proves this to be false. We’re the only BSD to truly randomize the top of the stack. By combining randomized stack top with a random stack gap, HardenedBSD is able to introduce 41 bits of entropy into the stack.

                                                              1. 3

                                                                I’ll be monitoring the first test run of an open source tool I’m writing at $DAYJOB. We’re de-Google-ifying our entire business.

                                                                I’m also working on helping OPNsense adopt HardenedBSD 12.1. I need to validate merge conflict resolutions.