-
I’m not sure I like this article. It raises a good point (use -o) but it’s obviously being misread.
-
-
This essential is the argument that you shouldn’t encrypt keys because people are probably re-using them elsewhere. Maybe they should take into account how most people use SSH in large deployments: SSH auth, LDAP integration, with sudo access being tied to the user without a password (yes it’s horrible, but that’s what most people do in my pentest experience). That means that the SSH key is the only thing that mattered in most of my tests, rarely the actual password. Plus I never go after the keys themselves, almost always the underlying ssh-agent process, why crack when I get everything in plaintext?
Side note, stop reusing passwords and just use a password manager for everything. Their postulation that no one uses a password manager with SSH keys is just wrong, I train my whole org on the importance of this.
-
I’m a Penetration Tester and before that was a UNIX Sys Admin, one of the best things people have done is start to use bastion hosts. They are not perfect at all, but if you think it’s worse than what people have been doing than you have no idea how disjointed things are in large software deployments. Let’s break down this a little bit so maybe it will help other people:
- Use a firewall instead of a bastion: Use both. But, really if you are actually monitoring your logs have you ever gotten more useful data from a firewall or detailed logging from SSH? Did they make a full handshake or stop after the available authentication types? These matter for a couple reasons, if they do get in because someone leaked keys on GitHub will your firewall logs tell you which keys?
- Bastions aren’t easier to keep hardened, because you should be doing the same thing on all machines: I sort of agree with the fact that you should be running hardening scripts everywhere, but if you have any sort of mixed environment or if you have temporal machines (Docker hype) the scripts may not even be applicable.
- Zero days work on all servers running SSH: I agree with this and I don’t think any sane person would have made this argument.
- You use the same SSH keys for internal and external: I wish they was wrong, but I’ve never seen anyone do it any other way. You shouldn’t be using the same keys. But what they totally failed to get is that SSH has support for user/group matching, I can apply restrictions based on the host and prevent/log more heavily. For example, when Grsecurity was still around (I suppose you could do it with SELinux as well), we used to apply policies based on the user connecting in and additionally changed logging and access control based on that. Good luck with granular rules on all app servers.
- Any non trivial tool will be able to quickly port scan the local subnets and jump along, so they don’t slow attackers: Maybe you should have talked to an attacker before writing this. I almost never port scan unless it’s my last resort. ARP tables, routes, configuration files, and connected ssh-agents are the name of the game. A proper bastion shouldn’t be giving these access parameters, seriously prevent shell access, chroot, and like vbernat said use the ProxyJump command and an ssh_config.
Rant over. There are some almost okay arguments and ideas in here, but they are not good for people to get in the habit of in the real world. One of the worst ideas in here is a common theme I see in the dev ops world, vendor lock-in and non-portable configurations. I think that AWS tools should be an augmentation to good security practice and all your security policies should be able to be dropped into any other platform and still do their due diligence.
-
Zero days work on all servers running SSH: I agree with this and I don’t think any sane person would have made this argument.
They run on all servers running vanilla SSH when the vulnerability isn’t the protocol itself. The difference between the two may be a lot of avoided hacks. I’m a big fan of obfuscations on top of good, security practices. :)
-
As much as I am totally okay with obfuscation on top of good security (I used to advocate very heavily for knockknock from Moxie Marlinspike) I do think there are incremental problems from obfuscation. I’ve had to pass off what I considered “hardened” infrastructure to new people as I was off-boarding and it was a nightmare to explain to them everything that existed and why, even with what at the time I considered “good” documentation. I think that it’s harder to maintain custom infrastructure and for the amount of technical debt to security pay-offs it may not always be worth it. I’d rather people use a bastion server that someone else can maintain. I think there are situations where I know people are capable of working together and running systems, and I say go for it, but they seem to be getting more rare.
-
That makes a lot of sense. Depending on company or team, it’s probably a good idea to be selective about what obfuscations one uses. I’d say at least some thing on how hosts or networks connect. Maybe well-maintained, unusual OS or apps for key services. Things there’s not lots of vulnerabilities for in the black hat markets. These by themselves block the majority of opportunists.
Someone really, really has to want a specific company taken down before those become useless. Those companies are usually toast anyway at that point if small to mid-size. The asymmetry between attacker and defender motivation/resources is just too high in attacker’s favor.
-
Real world perspective here, I do those threat simulations, and I often do them with insane deadlines. I have run into orgs that were actually truly prepared for a targeted attack maybe ~5 times. The thing that is missing here too is that 5 SSH servers mean that now I have 5 endpoints to spray against. Why do vuln research when 99% of all groups have weak password policies that we can use simple psychology, web scraping, and OSINT. So in the end I’d rather have 2FA and a bastion server and get that first engrained in peoples head as a standard.
-
Oh yeah, I’m with you on giving them straight-forward, quick stuff to establish a baseline. You could say I was just adding some high-security perspective for people who might find the methods useful or at least interesting. Some Lobsters like reading about it. So, I keep adding that stuff to threads.
-
-
-
-
-
I can’t sing enough praise for WireGuard. I’ve set up IPSec (strongswan and OpenIKED), OpenVPN, tinc, and pretty much every VPN software under the sun, nothing holds a candle to WireGuard. The adoption of formal methods, the smart cryptographic choices, and the code quality have made me a daily user.
-
This doesn’t worry you? I’ve lost so many hours fighting IPsec, and dream about using WireGuard, but…
WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We’re working toward a stable 1.0 release, but that time has not yet come.
-
For my own person infastructure not a bit, it’s beta software, I know the risks and accounted for them when setting things up. I have been following WireGuard from it’s very early stages and it’s code quality already far exceed that of almost every other VPN software. I am not suggesting people rely on it until 1.0, but it is something you should play with, because it made me fine with dealing with it’s beta state instead of fighting IPSec/OpenVPN.
-
-
-
I was hoping this would be a guest-to-host proof of concept, am I wrong in seeing this just as running the other PoC on a Kubernetes host? Because that seems like it should have been assumed…
-
Thanks for posting this. It takes courage to be introspective like this in a public forum.
-
Admitting you might be wrong is one of the hardest things, and add to the fact that now it is essentially permanent when posted on the internet, and it can be almost impossible to have open introspection. It’s easy to succumb to blowback and continuously brush people off because of their tone, but this gives me a lot more respect for someones opinions. It takes a lot of courage, I want to see more of this.
-
-
I know this post will sound really bad no matter how I say it, but I wonder how much of sexism, in the present (unlikely) or future (more likely) will be more fear than misogyny.
Womens are becoming a touchy subjects and, in today’s world where a trial is decided by the public before it goes to court, a false rape accusation does more damage than the trial itself (at least imo). If I were an employer I’d be worried of female employees, not out of hatred or anything, but because they would hold so much power to screw me over.
I personally don’t care what gender you are or religion or species.. I even like talking to assholes as long as they have something interesting to say. (Sadly I tend to be a bit of an asshole myself) But I would still be scared of talking to random women in a context like a conference because I might say something that puts me in a really bad place. It feels like I would be talking to someone with a loaded gun in my face.
I think the best friends I have are those who made me notice my mistakes instead of assuming the worst of me, while the tech scene today seems more like a witch-hunting marathon to me.
On that subject, why does the world have to work with cues and aggressive stances? Why can’t we be honest with each other? I see it every day, someone above me expects everyone to catch on her cues, if they don’t, they’re the bad guys, without even letting the other end knowing anything.
Most angry tweets and blog posts about this topic are from people who just kept everything in or bursted out in anger at them and they got defensive or responded just as aggressively (kinda to be expected, honestly). I would love to see examples of people who were made aware of their behavior and everything went fine after that.
-
a false rape accusation does more damage than the trial itself (at least imo).
A genuine rape accusation also does more damage than the trial itself. In both cases, the victim is affected. It’s only how we perceive it that’s different.
I think somewhere along the line communities started to encourage angry reactions as a way of maximising engagement. Somewhere along the line, we forgot to be kind by default, in a way we weren’t offline. I meet people who spend a lot of time in online communities, and you can see (amongst some people) that their online behaviour leaks into their personal offline behaviour, but rarely the other way.
I think the recent furore over Equifax’s CSO having a music degree is a good example of this. Nobody should care about someone’s degree, but a marketwatch piece designed to provoke angry responses, provoked angry responses on the Internet. The Twitter algorithms designed to increase engagement increased engagement and the Internet went twitter crazy.
There has to be a way to use a combo of the tools we use for engagement to promote de-escalation and de-engagement. Deprioritising inflammatory content to make the world a better place is not losing out. It’s winning.
That’s what I really love about lobsters. People may have issues misinterpreting context and social cues here, but generally people are kind to each other.
-
-
[Note: Before reading this, readers should probably know I have PTSD from a head injury. The side effects of nervous eyes, mumbly voice, and shaky hands apparently make me look like an easy target for male and female predators alike. I’m like a magnet for assholes who I usually deal with patiently, dismiss, or stand ground. Mostly ignore them. This issue required special treatment, though, since I was always treated very differently when it as something like this.]
Far as scenario you’re worried about, it’s a real thing that’s happened to me multiple times. Not rape claims fortunately but sexual harassment or discrimination. I think I was getting false claims to managers two or three times a year with dozens making them to me directly as a warning or rebuke but not to my bosses. They just wanted me to worry that they could or would destroy me. Aside from the random ones, it was usually women who wanted a discount on something, wanted to be served ahead of other customers, or (with employees) not wanting to do the task they were given since it was beneath them or “man’s work.” Saying no to any of that was all it took…
However, I was in a service position dealing with thousands of people plus dozens of workers due to high turnover. With all those people, just a few claims a year plus dozens of threats shows how rare this specific kind of bully is. Those that will fully push a false, gender-oriented claim are rare but highly damaging: each claim led people [that didn’t know me well] to assume I was guilty by default since I was male, interrogations by multiple supervisors or managers, and a waiting period for final results where I wondered if I’d loose my job and house with no work reference. Employment gaps on resumes make it harder to get new jobs in the U.S.. I got through those thanks to what I think were coworker’s testimony (mostly women) and managers’ judgment that the good and bad of me they’ve seen versus straight-up evil stuff a tiny number of women were claiming didn’t match up.
Quick example: As a team supervisor, I always gave jobs to people in a semi-random way to try to be equal in what people had to do. Some supervisors seemed to cave in if a worker claimed the work was better for another gender, esp labor vs clerical vs people-focused work. When giving an assignment, the most shocking reply I got was from a beautiful, racially-mixed woman who had been a model and so on. A typically-good, funny worker who had a big ego. She said the specific task was a man’s job. I told her “I enforce equality like in the 19th Amendment here: women get equal rights, equal responsibilities.” She gave me a snobby look then said “I didn’t ask for that Amendment. Keep it, get rid of it, I don’t care. (Smirked and gestured about her appearance) I don’t need it. And I’m not doing man’s work.” I was a little stunned but kept insisting. She grudgingly did the job but poorly on purpose to disrupt our workflow. I had to correct that bias in my head where I assumed no woman would ever counter law’s or policies giving them equality outside maybe the religious. I was wrong…
Back to false claims. That they defaulted against males, including other men who got hit with this, maybe for image reasons or just gender bias led me to change my behavior. Like I do in INFOSEC, I systematically looked for all the types of false claims people made esp what gave them believability. I then came up with mitigations even down to how I walk past attractive women on camera or go around them if off-camera. The specific words to use or avoid is important, esp consistency. I was pretty paranoid but supporting a house of five people when lots of layoffs were happening. The methods worked with a huge drop in threats and claims. Maybe the bullies had less superficial actions to use as leverage. So, I kept at it.
This problem is one reason I work on teams with at least two people who are minorities that won’t lie for me. The latter ensures their credibility as witnesses. Main reason I like mixed teams is I like meeting and learning from new kinds of people. :) It’s a nice side benefit, though, that false claims dropped or ceased entirely when I’m on them for whatever reason. I’m still not sure given I don’t have enough data on that one. I also push for no-nonsense women, especially older with plenty of experience, to get management roles (a) since I’ve always promoted women in the workplace on principle and because mixed teams are more interesting; (b) side benefit that a woman whose dealt with and countered bullshit for years will be more likely to dismiss a false claim by a woman. When I finally got a female boss, esp who fought sexism to get there, the false claims that took serious investigation were handled usually in minutes by her. There was just one problem while she was there with a Hispanic woman… highly attractive with excellent ability to work crowds… that wanted my position launching a smear campaign. It almost worked but she had previously tried something on same manager she needed to convince. Her ego was so strong she didn’t think it would matter because she’d win her over too. Unbelievable lol. She left in a few months.
So, yeah, I’d not go to one of these conferences at all probably. If I do, I’m bringing at least two women, one non-white, who barely like me but support the cause. If they leave me, I’m either going outside or doing something on my computer/phone against a wall or something. I’m not going to be in there alone at all given this specific type of bully or claim will likely win by default in such a place. Normally, though, I don’t mind being alone with women if there’s witnesses around that’s a mixed crowd, I’ve gotten to know them (trust them), or they’re one of the personalities that never pull stuff like this. I’ve gotten good at spotting those thanks to the jobs I did working with strangers all day. I get to relax more than you’d think from this comment, though, since vast majority of females on my team, other teams, and customers’ like me or at least neutral. The risk reducing behaviors are so habitual after years of doing them I barely notice I’m doing them until I see a post like this.
Not funny note: There was also real sexism and harassment against women, esp from younger crowd. We had to deal with that, too. On rare events, some physical assault and stalkers that required police and other actions to deal with. One of the problems in many organizations is people will say the woman is making it up. Then, justice won’t happen. Our women were honest enough and male assholes brazen enough that we usually knew who was lying. Similarly when the women were bullshitting about harassment. In many other places or in trials, the defense was the woman might have been making it all up to spite the male. The reason that defense often works is because of the kind of bullies and lies I describe above. I get so pissed about false claims not just since they impacted me but because a steady stream of them in the media is used to prevent justice for real victims. That combination is why I write longer and fight harder on this issue.
-
a false rape accusation does more damage than the trial itself (at least imo)
In our society, a woman reporting a rape has to deal with a lot of shit from a lot of different people. Stuff like victim blaming, “What did you wear?”, “Oh you must’ve been reckless” make it already very hard for women to report rape when it happens. If anything we should be more concerned with women not reporting rape cases rather than false reports – especially since the latter is very small compared to the former. Sorry for not providing any sources, I’m on mobile right now.
-
I know this post will sound really bad no matter how I say it,
It does sound really bad. My favorite part is when you use the phrase “witch hunting” to somehow excuse the fear of women being around.
but I wonder how much of sexism, in the present (unlikely) or future (more likely) will be more fear than misogyny.
Oh so very little. Do not fear for mysoginy, it will be around forever.
-
My favorite part is when you use the phrase “witch hunting” to somehow excuse the fear of women being around.
I could not find a gender-neutral term that carried a similar meaning. This is definitely a fault on my part (my english dictionary is not that rich) but I was referring to the act of persecution by one or more individuals to the intended result of ruining someone’s life, humiliating them etc.
Oh so very little. Do not fear for mysoginy, it will be around forever.
What little hope for humanity and its self-improvement you seem to have. I understand the feeling.
My point was not whether misogyny will go away (it won’t), but how much of the perceived misogyny will be out of outright hatred rather than fear of consequences. Someone who doesn’t interact with women will be perceived as misogynous, but maybe he might just want to stay safe from ending up in a really bad situation? My “gun pointed at your head” analogy still stands. It feels uncomfortable and you can’t expect people to behave normally in those situations.
You seem to be the exact type of person I’m talking about, all going on the aggressive thinking I’m your worst enemy, not giving me the benefit of the doubt. I personally find it really hard to express my thoughts (it’s not just a language barrier, sadly), and getting attacked like that makes me really demoralized and demotivated to even talk. When I am not allowed to talk my mind without people instantly getting so aggressive at me, how am I supposed to not fear doing it?
-
I personally find it really hard to express my thoughts (it’s not just a language barrier, sadly), and getting attacked like that makes me really demoralized and demotivated to even talk. When I am not allowed to talk my mind without people instantly getting so aggressive at me, how am I supposed to not fear doing it?
Thanks for saying this.
-
I’m sorry that I sounded aggressive, because I was not trying to. I’m still not angry, nor replying out of spite or hate. :) I’m not a native english speaker (either?), so it can be that. Oh, and I also never thought of you as my worst enemy.
I could probably hug your right now, seriously, although I’m a little unsure how to understand your analogy that interacting with women is like having a gun pointed at your head.
As far as I can tell, we agree that misogyny will not go away – try to destroy an idea… – but we kinda disagree about how we should deal with it. I am not in a position to lecture anyone on the topic, and deeply nested threads tend to go off-topic easily, so I’ll happily reply to your emails if you’d like to.
-
Thank you for your kind words, I’m sorry I misinterpreted your reply then!
I hate to link to it but I think that what best describes my analogy is a scenario like what ESR described. With no proof (even though the source claimed there had been attempts already) either back then or now, that was ruled as “unlikely” at best, but the fact that it doesn’t sound completely ridiculous and could be actually be put to action by a malicious group worries me.
I honestly don’t think most women are like that at all, and as you said, this is going a bit off topic.
About “how to deal with it”, I’m not proposing a solution, I do wonder if being more straightforward with people and less “I’ll totally blogpost this unacceptable behavior” would make anything easier though.
For example, the author quotes Berry’s paragraph about not giving anything for granted, yet instantly assumes that assuming that females are less technical is a big drag for women in tech. What about a little understanding? With so many women in sales and PR positions, the guy might be just tired as hell of having to deal with marketers (although the CTO title should have spoken for itself.)
Not denying that some people are just sexist jerks, though.
-
-
-
-
-
The witches arrested during the Salem Witch Trials (in 1692-3, around 150 being arrested) and killed (24, 20 executed, 4 died in jail) weren’t all women. A cursory scan of the accused show plenty of male names (although it does seem to bias towards women).
-
-
-
[Comment removed by author]
-
-
“US American” here, 2 things you have wrong:
- Witches weren’t only women: http://www.strangehistory.net/2012/06/21/all-hail-the-male-witch/ (witch was the term for being accused of witchcraft, not a term for women accused of witchcraft which is at best a modern reinterpretation of history)
- And we most definitely do get told about the systematic persecution and killing of witches.
And one thing not often known by Americans of their own witchcraft shenanigans, of the 21 executed Salem witches, 8 were men. https://en.wikipedia.org/wiki/List_of_people_of_the_Salem_witch_trials#Convicted_and_executed
As to witches again being even predominately women, only in certain areas, in Iceland iirc it was as high as 92% of witches were men. If we’re going to get angry at the use of witch to refer to women, lets at least get facts straight about the historical context.
-
-
I dated two. They were awesome. Too bad our family moved around a lot. One actually taught me a little about the religion: Wicca. It involved men and women who (my interpretation) were basically nature worshipers. They usually didn’t cause harm because they believed the good or evil they did “came back times three.” When being deliberate rather than spontaneous, they were moderate in actions due to their Law of Extremes saying taking anything to the extreme of left or right makes it identical. That’s incorrect in the general case but there was truth in it where extremists are usually a problem regardless of the topic.
So, they tended to be friendly, non-conformist people that didn’t cause trouble unless provoked where they would warn then fight if necessary. Much like the Satanists I met as their rules similarly require not harming people or animals except in self-defense. For animals, also allowed to kill for food. Only common denominator among them that might inspire the religious choices were they had a lot of outcasts and rebels. The witches I knew were usually intuitive, artistic types whereas the Satanists were often intellectual with mix of artists and non-artists. I don’t know if the artist mix is just my data sample but the intellectual part makes sense given the greatest sin for Satanists is ignorance. They’re expected to pursue knowledge and call bullshit.
By the data, I’d have not worried about witches or Satanists. The majority of religious persecutors and violent offenders are Christian. They also push faith in authority over reason. They’re the most dangerous in the U.S. if I had to go by religion. In reality, all this stuff varies area to area, family to family, and person to person. I accept all groups so long as they’re not causing harm. Live and let live.
-
While I’m admittedly not an expert, I suspect the witches of the early US have little to do with Wicca, which was first introduced to the public in 1954.
-
Possibly true. In that case, my experiences with witches wouldnt apply to those. I also suspect there’s a lot of different belief systems and groups using the word witch. Its meaning probably varies by group.
-
-
-
-
-
The post content here is a man relating his experience of seeing his cofounder get talked over and ignored because she is a woman, so you immediately comment about… how bothersome it is that a woman might one day accuse you of sexual assault?
What the actual fuck is wrong with you? You should be thoroughly ashamed of yourself. Delete your account.
-
What the actual fuck is wrong with you? You should be thoroughly ashamed of yourself. Delete your account.
I generally avoid these topics like the plague, but this is the exact reason why. It’s absolutely appalling to me that anyone thinks this is a good response to any comment ever. If you are trying to persuade people or this person, then you have completely failed in backing up your comments with anything but insults. If you aren’t trying to persuade anyone, then you are just a troll who enjoys yelling at someone who is clearly (based on the other comments in this thread) is trying to genuinely learn. You took a teaching moment and made it a display of hatred.
-
If you are trying to persuade people or this person, then you have completely failed in backing up your comments with anything but insults
This assertion is completely absurd. I’ve been this asshole, been told off and/or beaten up, and learned better. Violent complaint is precisely how signalling to people that their behavior is utterly abhorrent works in society.
-
How should I signal to you that your behavior here, in this thread, is utterly abhorrent? Should I threaten to beat you up? Tell you to delete your account? Scream aggressive obscenities at you?
Whatever it is you think you need to hear to stop behaving this way, pretend that I said it.
-
I’ve been this asshole, been told off and/or beaten up, and learned better.
I’ll just say that I find this comment immensely more helpful than your previous comment. If you’d like to expound on how specifically you’ve “been this asshole” in the past, and what you’ve learned from the experience I’d wager that’s much more likely to convince Hamcha (and the rest of us) to change their mind and behavior.
-
-
-
I questioned the reason she was ignored and proposed a motivation for which people might fear dealing with women. I also questioned what would have happened if the guy would have put any effort in making the issue clear to the people he’s talking shit about other than vague clues before making accusations with circumstantial evidence.
What is there to be ashamed of?
-
Normal people can have conversions with members of the opposite or same gender without constantly panicking about rape allegations. Do you specifically avoid female waiters at restaurants or cashiers at supermarkets? Is this somehow different to taking to a woman in a nontechnical role? If not, why do you think it is reasonable to pretend a woman who codes is any different? Hell, how on earth can you pretend the possibility of rape allegations is a valid reason to pretend that a person does not exist while in a meeting with multiple participants?
Your regurgitation of sexist crap is shameful. Your lack of thought about it is bewildering. Delete your account.
-
-
-
Some beliefs are horrendously evil. Your freedom to believe harmful crap does not constitute immunity from being yelled at for spouting it in public.
-
-
-
-
Look, here’s the thing. If you’re holding 30 million dollars in 250 lines of code that you haven’t audited, then it’s on you. Seriously. It takes any half-decent appsec guy less than one man-day to fleece those 250 lines. At most, that would cost them a few thousands of dollars. They didn’t do it because they wanted it all for free. They didn’t do it because they’re greedy and cheap. They absolutely deserve this.
I kinda agree with this, honestly. :-\
-
I kinda agree with this, honestly. :-\
That’s because, as your post history on Lobsters has established, you need to get you some ethics and morals.
I kinda agree with the top comment in the article:
“ Look, here’s the thing. If you’re holding 30 million dollars in 250 lines of code that you haven’t audited, then it’s on you.”
Look here’s the thing. If you’ve parked your car on the street like a pleb instead of buying a house with a garage, then its on you.
Look here’s the thing. If you’re holding a PC and a TV and a washing machine in a house with single glazing on the rear windows, then it’s on you.
Whilst this was an extremely interesting read and I’m sure awesome fun to pull off, theft is theft. The rule of law is the rule of law. You know that these ETH belong to other people and you have taken them for yourself. That’s theft, and I hope the law catches up with you.
-
But the entire point of “smart” contracts is that the code IS the contract, right? Your analogy is flawed. It’s not like stealing a car, it’s like finding a loophole in an agreement (or “dumb” contract) and exploiting it in the courts. That happens literally every day, and it is perfectly legal.
The difference is that when you have actual humans making the decisions instead of computers you can make more subtle arguments about what was intended instead of being beholden to the most pedantic possible interpretation of the contract.
-
This is the correct interpretation. The “smart contract” hype is built around the concept that the blockchain is the judge and the jury: it’s all built on the assumption that the blockchain is incorruptible and perfect. To quote from Gavin Wood’s paper “Ethereum: A Secure Decentralised Generalised Transaction Ledger:”
[Ethereum has attributes] not often found in the real world. The incorruptibility of judgment, often difficult to find, comes naturally from a disinterested algorithmic interpreter.
Further:
…natural language is necessarily vague, information is often lacking, and plain old prejudices are difficult to shake.
Most ominously, perhaps:
…the future of law would be heavily affected by [smart contract] systems… Ethereum may be seen as a general implementation of such a crypto-law system.
Based on these concepts, the idea that they’re building a perfect replacement for law, they implemented a Turing-complete language with no concept of or provision for proofs, and run it on a distributed VM from which no malicious programs can be purged. Brilliant!
-
Is it brilliant? I’m not so sure: what sovereign citizens and computer geeks alike seem to believe is that the law is a sequence of perfectly defined rules - which is why the former loves to look for the magical series of words that exempts them from it.
But in reality the law is often about intent and judgment. If I found a bank that let me put my name on everyone’s account and I did with the purpose of withdrawing their savings, the court would hold a dim view of me saying “but they let me do it!”
-
-
-
-
But the entire point of “smart” contracts is that the code IS the contract
Agreed. The analogies given above were ridiculous:
Look here’s the thing. If you’ve parked your car on the street like a pleb instead of buying a house with a garage, then its on you.
This is not a comparison. Try this instead:
Look here’s the thing. If you’ve parked your limited edition McLaren F1 on the street instead of in your garage, then yeah that was dumb
But this is still a rubbish analogy because in Ethereum: Code is Law.
-
-
-
That’s because, as your post history on Lobsters has established, you need to get you some ethics and morals.
Says the guy who posted 9/11 truther conspiracies from his blog. Angersock has ethics and morals, and I’m a little disheartened that your ad hominem attack got upvoted.
-
There are a few certain types of stories regarding politics and cryptocurrencies that seem to bring out a group of extremely angry and aggressive posters that don’t seem to want to have anything but traditional internet yelling. “Get morals” has been yelled at me any time the US government is brought up and always seems heavily upvoted.
-
Says the guy who posted 9/11 truther conspiracies from his blog
And what is wrong with that?
9/11 Truthers are called 9/11 Truthers because they aren’t 9/11 Frauds.
EDIT: BTW, those downvoting this as “
off-topic” might want to downvote @ngoldbaum’s post instead. I didn’t bring up 9/11, he did. I’ll defend myself if called and, and so to quote from elsewhere: It’s been 16 years now and over $300k in research by multiple teams have refuted NIST multiple times — enough is enough.and I’m a little disheartened
That’s too bad.
It’s what happens to people who don’t understand basic physics.
Have fun with the paid sock puppets though.
-
-
me too! #sockpuppet
-
-
-
-
I know that this is futile and I’m shouting into the void, but why would you assume that everyone who disagrees with you is a sock puppet? These aren’t fake votes I think people are disagreeing with your aggressiveness, there is no reason for this to be a psy-ops campaign just to mess with you.
-
but why would you assume that everyone who disagrees with you is a sock puppet?
See my response to your sock puppet friend’s identical question.
But, tell me (since now with the fake downvotes nobody can see your response), how much do you get paid to write this stuff?
Are you an American? If so, is it enough to sleep at night, knowing that you’re supporting the terrorists who attacked this country on 9/11?
-
-
-
-
-
-
-
-
-
-
It blows me away how common that XXE is in the Java corporate world, I have tested my fair share of services that use the Java XML parsers that all seem to enable the external entity behaviour by default. I really have no idea who thought that this was a useful idea, but it is the example I use when I teach about using libraries without understanding how they work. I’d say that in-house Java developed software I’ve tested is about 80% vulnerable to XXE, and some XXE’s can be worse than just arbitrary read primitives, matters are often made worse because of how often Java applications seem to be running as root or SYSTEM.
-
Honestly I wish that people talking about crypto topics would stop using the “grains of sand” and such visualizations. I think it doesn’t necessarily reflect the concepts of scale very well as it doesn’t take into account how much of that “sand” we can process. It doesn’t really matter if there are more “pieces of sand than in the whole world” if I have buckets that can move all that “sand” in a month. I see no mention of Shor’s in here either, and ignoring the quantum situation seems like a mistake, and I highly suggest reading up on Post-quantum RSA.
-
-
Reminds me of the classic https://github.com/Droogans/unmaintainable-code
Some companies have a strict policy of no numeric literals; you must use named constants. It is fairly easy to foil the intent of this policy. For example, one clever C++ programmer wrote:
#define K_ONE 1 #define K_TWO 2 #define K_THOUSAND 999-
Never underestimate the power of a bored college student and a preprocessor: https://github.com/Hashdump/Goodbye-World/blob/master/hello_random.c I still go back to that and disgust myself with what I created.
-
-
-
That’s a great, in-depth post. Another person messages me about getting Go to call SPARK Ada functions. Between the two, it seems Go is ready for or close to the capability to have important features done in safe, GC-less languages. Additionally, it might help my Brute-Force Assurance concept for rewriting code in equivalent form in several languages to leverage each’s safety analysis. In this scenario, SPARK would prove absence of almost every low-level error with Rust catching temporal or concurrency errors.
-
For those curious here is the post I wrote that nick is referring too (it was hastily written to show off as a PoC so sorry about that). Unfortunately my example does use cgo and thus all of it’s pitfalls, but this blog post clarifies some things I was bashing my head against when originally writing this to avoid cgo. I will definitely be taking this persons awesome write up to a similar place with SPARK and I will post a part 2.
-
I look forward to that. :)
-
-
-
Glad they’re progressing and improving UX. This…
“based on the “Security by Compartmentalization” principle”
…is remarketing of security terms. What they’ve actually built is a tiny subset of a Compartmented Mode Workstation (CMW) on top of the Multiple Independent Levels of Security (MILS) model w/ low-medium-assurance implementation. These are well-known concepts with tons of research into them and many commercial products. No need to reinvent terms. Interestingly, though, we saw the separation kernels certified as MILS rise around 2005, do great in pentesting, and ultimately be withdrawn as a central concept by NSA after isolation-only approaches didn’t prove out on Intel-style hardware that broke the model too much. Too many leaks and bypasses. Plus, you still have to have an extra component guarding information flows between security levels to enforce end-to-end security policy. Worked nicely in embedded systems, though.
In any case, such a design can at least isolate untrustworthy code from many types of attacks if the TCB is high-assurance. The CMW’s were also good at preventing accidental leaks of secrets by casual users since they checked labels. Here’s examples of both for those curious.
http://web.ornl.gov/~romeja/doecmw.pdf
https://www.ghs.com/products/safety_critical/integrity-do-178b.html
http://www.dtic.mil/get-tr-doc/pdf?AD=ADA480033
Note: Notice the colorful windows of CMW’s with bottom-stripe to make them unspoofable. Privilege architecture also tries to stop things like password grabbing. Stuff on bottom-right of INTEGRITY-178B gives a glance at all the kinds of stuff one might have to look into to create a secure TCB for MILS system. The DTIC document is likely the formal verification of it since it was only one done through Common Criteria w/ formal proof in those years.
-
I don’t think that the Qubes team has ever heard of SELinux. MILS is integrated into the sVirt solution specifically for isolating VM’s, but for some reason they absolutely refused to use KVM for almost that reason. The paravirtualization was always super off-putting to me, but the complete lack of doing prior-research bothers me far far more.
-
I blasted them on the mailing list about not leveraging results of prior work. In that conversation, she didnt know about trusted paths, disagreed on Xen being security risk, didnt know benefits of user-mode drivers, and didn’t know about any of the competition that predated Qubes. She also countered my proposal to build on a security-focused microkernel saying Mac OS microkernel isnt secure. (Huh?)
So, yeah, no confidence in that solution’s security. She later added trusted path and griped at Xen folks about their insecurity. No credit of course. ;) I relegated it to maybe a Linux hardening scheme with good usability. Still benefits to that for lay users.
Note: Far as VMM’s, look up Nova microhypervisor’s design in the dissertation if you want to see the right kind of architecture for TCB reduction. Karger’s VAX VMM for security (esp layering).
-
These are really great insights, Nick. Thank-you. I was looking forward to Qubes OS 4.0, but you’ve got me thinking deeper.
Is Qubes OS providing a false sense of security, or does it still provide a genuine improvement over – say – running a standard Linux distribution with browsers in Firejail containers?
-
-
I think in general you are accepting a certain degree of false sense of security when you are using Linux in general, it is not a high assurance operating system. I think Nick might agree that Linux is not a solution to the VMM layer and a better step might be to actually have an alternative that has formal methods for proofs or at the very least the VMM layer has formal methods. It was recently brought to my attention by Nick (thanks by the way) that the Xenon project exists just for the use case with Xen. I think if Qubes was dedicated to using Xen they would go after the Xenon project and attempt to get help from them to improve their stature instead of relying on solutions that have no strong guarentees.
As for firejail I will point out that firejail is no more formally verifiable than Xen, in fact here is them fixing CVE-2016-7545. In my opinion it’s just a more fancy chroot, that doesn’t provide any leaps and bounds ahead in security improvements.
Also as another piece of fuel for the fire just read this piece of documentation from the CubesOS team. Yes that is them actually suggesting to run everything as passwordless root sudo.
In Qubes VMs there is no point in isolating the root account from the user account
-
Re that last part: what’s actually wrong with letting an attacker have root in a VM where all interesting data is user-owned and fs changes aren’t persistent?
-
Due to memory loss, I can’t answer that question in detail for this use case. What I do remember is I’d never give anything root in a UNIX-based deployment due to the Principle of Least Privilege or Authority. That’s a security pattern that says every component gets as little access and ability as possible to do its job. This is especially important if specific privileges (i.e. root) have led to privilege escalations in the past due to sloppy coding, sloppy configuration, or complex interactions between components nobody saw coming. Matter of fact, one of main reasons for POLA is to block attacks you don’t see coming or increase odds of detection mid-attack as they try to pivot through the system.
So, it’s a bad idea in general. Anyone explaining why it’s safe when they give attackers a ladder toward the higher-hanging fruit is probably doing the wrong thing. Only time it’s sensible is when users demanded extra performance, features, integrations, or so on that made it absolutely necessary to add risk. Even then, better have a recovery strategy.
Fun version of Saltzer and Shroeder’s security principles:
http://emergentchaos.com/the-security-principles-of-saltzer-and-schroeder
-
-
-
Xen w/ Dom0 is a smaller attack surface than the average Linux distro. Clean separation of activities into VM’s with that attack surface is an improvement over other designs. That’s why I recommend it as a hardening technique. The better options are unfortunately going to be commercial and pricey if they’ll even pick up the phone. Those use a tiny kernel at the bottom that’s designed for security with minimal components and attack surface. Alternatively, you might use an OS such as OpenBSD that at least does a lot of code review and mitigations. There’s Linux solutions like grsecurity or SELinux to provide extra protections but people tend to find lots of bugs in the privileged code of stuff like Linux.
I always used and still recommend physical separation with controlled sharing. I used cheap, embedded computers behind a KVM. Each one was a different security level with at least one air-gapped with no way to communicate with other stuff. There’s a lot of manual, technical work in such a setup. Yet, the virtualized stuff usually had problems or was unaffordable to me. (shrugs)
-
-
-
-
-
It should be enough by salting the password with a site secret before hashing the password, right? Or Am I missing something
-
He is not sharing compromised hashes. The list is full of passwords that were associated with one or more account in plaintext or otherwise cracked. The reason he gives out the information as SHA1 hashes is to increase the effort required to have the full list of passwords in plaintext. This allows people knowing their own passwords to hash them and see if the hash is in the gigantic file but someone else wanting to use this ie. as his john the ripper seed would need to spend significant time on brute-forcing all of those first.
-
I don’t honestly see much difference than just releasing the passwords, I know people in the competitive password cracking scene will chew through the vast vast majority of these in days time. I actually use the hashes.org leaked list on penetration tests, and they have a wonderful % cracked statistic for each of the password lists as well as the plaintext download. I predict that it’ll be 95% cracked by the end of the weak.
-
-
Troy said some passwords reveal personal information. I can only imagine what could potentially be around behind those hashes.
I predict that it’ll be 95% cracked by the end of the weak.
It at least gives the general public a week to check if their re-used password is there, with an easy web interface to test that. People who know what they are doing are not really impacted by that release… but it can serve as a nice way to make some less technical people more aware.
-
Passwords that “normal users” use almost exclusively have personally identifying info (pets, family, street addresses, phone numbers, job titles, etc). I feel like this is just casting FUD about whether accounts are compromised, the effect of showing someone a hash vs showing their passwords in plaintext is surprisingly psychological in my experience. Plus, if I have learned anything since things like the linkedin dumps, no one actually checks to a degree that attackers normally care.
HIBP has been around for ages, this isn’t just a week thing, and it hasn’t changed much in my experience. I always like HIBP because Troy didn’t release it, it always made the barrier to attack having to first find the user information, enter it into the API, check if the list for a match of compromised account with public wordlist, actually match the account. This is essentially releasing it without a couple percent of passwords.
-
-
-
Thanks, i missed that part
-
-
-
I’ll be going this year, my first ever Def Con and I’m super excited.
If anyone has tips for getting the most out of it I’d love to hear it.
-
This thread on twitter is good: https://twitter.com/tarah/status/886323500419436544
In my experience: say hello to randos that look bored/lonely, do contests, save the talks for when they show up on youtube, drink lots of water (not booze, not soda, not coffee, yes water), and don’t forget to eat, shower, and sleep.
-
The talks are important and make sure to hit the ones that interest you the most, but the social aspect is the part that sets security cons apart. Over the years I’ve ended up going to less and less of the talks and instead watching them when I get back from the con. Talk to people! I wonder if there is enough interest to have an impromptu meetup for lobsters at DefCon/BSidesLV.
-
-
In addition to this, one thing I’d love for penetration test shops to stop singling specific people wherever possible. I’ve noticed that if the testers point out that the Mary user was compromised which led to a big chain of events, Mary will often get a portion of the blame when really it was only a factor. I always give a big final list of compromised accounts and machines, which makes it less likely for a single person to take a fall when it was an organizational failure.
-
I know of a situation where a Red Team member broke an engineer’s car window to steal their laptop.
Jesus Christ. Are pentesters not legally liable for stuff like this? The article describes this as a grey area, but this seems downright criminal.
In one of those cases, the pentester did this repeatedly (about a half-dozen times), to the point that the staffer thought she was being stalked and called the police. She later quit; the company’s lucky she didn’t sue.
For fuck’s sake. Again, this behavior isn’t inappropriate: it’s illegal (or at the very least borderline so).
These are just useless and uninteresting results. I don’t have to pay for a pentest to know that my organization is vulnerable to phishing attacks, because all organizations are vulnerable to phishing attacks. And if “employees can be phished” is the finding I’m trying to remediate, well, that’s not a risk that can really be effectively addressed.
This is wonderfully put.
(As a bonus, this technique also simulates insider threats, and the remediation you’ll do helps protect against them, too.)
Didn’t even think about that. This article is fascinating.
-
yeah you could just telllll the business, “Hey I saw the laptop in the car, someone could break a window and grab the laptop”
-
They are fully liable unless the legal framework was set (which in no way happened in the window breaking case), and often times the clients don’t really understand what they are signing up for nor do they actually seem to care until the bad things start to happen. I’m not defending that shitty pentest group, because they should be shamed, but sometimes I’ve had clients not understand what they adamantly declare that they need for a pentest. For example, I had a client sysadmin who wanted an external and internal pentest, but only gave me the info for the external hosts. After stepping him through the ROE and making him understand clearly that he was keeping the scope for internal infrastructure fully open and what that would mean we got the ball rolling. After cracking the perimeter it was a massacre. We stepped him through our process with updates along the way and he was enraged when we got domain admin. It’s not the first time I’ve seen the “they won’t be able to get in, so I’ll just make this ROE draft easy on myself and doing it as lazily as possible”. Some people just don’t take it seriously.
-
-
-
Super clear and complete! I would just have liked some links or tips to harden this a bit, if the author has some references, would be great!
-
-
-
-
While it’s a decent configuration, doing IKEv2 with the
chacha20-poly1305ciphers as described here is more secure in my opinion. That being said it won’t work for clients that don’t have the cipher baked in as it violates the RFC (in fact I think only OpenIKED has support). -
-
-
-
In the old days there used to be a a username/password combo you could use to log in to basically any site. A globally ‘shared’ account for those in the know. I’ve forgotten the credentials by now, but I recall the password would not work anywhere with significant password requirements. If that account still exists, this password could be suitable for places with significant password requirements. Globally documented, but only useful to those in the know.
-
If it’s the same low-tech predecessor to http://bugmenot.com/ I’m thinking of, it was cypherpunk / cypherpunk
-
-
-
-
People still do this. And thankfully as a pentester, this helps keep food on my table. Seriously don’t do this unless absolutely 100% necessary. Also
but only useful to those in the know
Is rarely true, so many times I get access to undocumented features that have less rigorous testing because “developers only” and it leads to unexpected things.
-
“ in a world where I can rent a machine that tries billions of MD5 calls per second.” wouldnt the test for a successful hash operation involve using the hash to decrypt the data on each try? This would make MD5 cracking prohibitively expensive.
Would it really be prohibitive? AES is really fast, especially with hardware instructions… and you probably only have to try the first block to check for the private key’s header?
This is exactly what JtR does: https://github.com/magnumripper/JohnTheRipper/blob/bleeding-jumbo/src/opencl/ssh_kernel.cl#L225 Theoretically you could probably pipeline the AES into GPU processing too, which does slow the “raw” crack rate, but not all that much.