1. 7

    Similar in spirit to the old Solaris telnet vulnerability circa 2007. If you specified a username via the -l option and the username were in the form of -froot, the -froot would be passed as a flag to the login command and you’d get in pretty trivially.

    IIRC it actually predated Solaris. Might even go back to BSD…

    1. 2

      I remember this on AIX.

    1. 20

      TL;DR didn’t sanitize usernames which could contain “-” making them parse as options to the authentication program. Exploiting this, username “-schallenge:passwd” allowed silent auth bypass because the passwd backend doesn’t require a challenge.

      Awesome find, great turnaround from Theo.
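Added example, not part of the original thread and not OpenBSD's code: a C sketch of the usual defense against the option-injection problem summarized in the comment above. The function names, the character allow-list and the 32-character limit are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_USER_LEN 32  /* assumed limit, not taken from the thread */

/* Hypothetical check: 1 if `name` can be passed to a child program as a
 * positional argument without being read as an option, else 0. */
int username_is_safe(const char *name)
{
    size_t i, len;
    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > MAX_USER_LEN || name[0] == '-')
        return 0;               /* leading '-' would parse as a flag */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '.' || c == '-'))
            return 0;           /* allow-list only; ':' and spaces fail */
    }
    return 1;
}

/* Fill argv as: prog "--" user NULL. Returns 3, or -1 if rejected.
 * "--" only helps when the child uses getopt-style parsing (assumption). */
int build_auth_argv(const char *prog, const char *user,
                    const char *argv[], size_t cap)
{
    if (cap < 4 || !username_is_safe(user))
        return -1;
    argv[0] = prog;
    argv[1] = "--";
    argv[2] = user;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    /* Constructed inputs; the two '-' names are the ones quoted above. */
    const char *names[] = { "alice", "bob-smith", "-froot",
                            "-schallenge:passwd" };
    size_t i;
    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-20s %s\n", names[i],
               username_is_safe(names[i]) ? "accepted" : "rejected");
    return 0;
}
```

Validation and the `--` separator are complementary: the first rejects the input outright, the second keeps a name that slips through from being parsed as a flag by a getopt-style child.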

      1. 2

        Yikes.

        It’s a modern marvel that people end up using web frameworks with automatic user data parsing and escaping for their websites, because if not, so many places would have these kinds of “game over” scenarios.

        1. 5

          Usernames in web applications are not easy, nor is there wide awareness of the problems or deployment of solutions.

          If you’re interested in learning more, I’ve gone on about this at some length.

        2. 1

          If memory serves right, there was an old login bug (circa ’99) that was the same sort of thing:

          http://seclab.cs.ucdavis.edu/projects/testing/vulner/18.html

          Edit: https://lobste.rs/s/bufolq/authentication_vulnerabilities#c_jt9ckw

          Too slow I guess :)

          1. 1

            Is this specific to OpenWall users or is it applicable to OpenBSD in general?
            From the title it looks like an authentication vulnerability in the OpenBSD core OS.

            1. 1

              This is OpenBSD in general.

          1. 3

            Have a look at KeePass as well. KeePassX is a clone of KeePass but the databases are fully compatible.

            1. 2

              You should use KeePassXC, which is the current rewrite and actively developed.
              KeePassX is de facto dead.
              Also, they implement the new KeePass DB format and have a package in Ubuntu 18.

            1. 20

              Kinesis Advantage. I’ve been using them for almost twenty years, and other than some basic remapping, I don’t customize.

              1. 2

                Ditto, I’m at a solid decade. I cannot recommend them enough.

                1. 2

                  Also Kinesis Advantage for over a decade. On the hardware side I’ve only mapped ESC to where Caps Lock would be. On the OS side I’ve got a customized version of US Dvorak with the Scandinavian alphabet.

                  I’d like to try a Maltron 3D keyboard with integrated trackball mouse. It’s got better function keys too, and a numpad in the middle where there’s nothing except LEDs on the Kinesis.

                  1. 2

                    Me too. I remap a few keys like the largely useless caps-lock and otherwise I don’t program it at all. It made my wrist pain disappear within a couple weeks of usage though.

                    1. 2

                      My only “problem” with the Kinesis, and it’s not even my problem, was that the office complained about the volume of the clicks while I was on a call taking notes.

                      So I switch between the Kinesis and an Apple or Logitech BT keyboard for those occasions.

                      1. 1

                        You can turn the clicks off! I think the combo is Prgm-\

                        1. 2

                          Yeah, it’s not that click, it’s the other one from the switches :-)

                          I can be a heavy typer and for whatever reason, these keys stand out more than I expected to others behind the microphone.

                      2. 2

                        I prefer the Kinesis Freestyle2. I like the ability to move the two halves farther apart (broad shoulders) and the tilt has done wonders for my RSI issues.

                        1. 2

                          Similar, largely I like that I can put the Magic Trackpad in between the two halves and have something that feels comparable to using the laptop keyboard. I got rid of my mouse years ago but I’m fairly biased on a trackpad’s potential.

                          I’ve sometimes thought about buying a Microsoft folding keyboard and cutting/rewiring it to serve as a portable setup. Have also thought of making a modified version of the Nyquist keyboard to be a bit less ‘minimal’ - https://twitter.com/vivekgani/status/939823701804982273

                      1. 1

                        Can I use this instead of Tower?

                        Edit: I mean, is it basically the same as tower?

                        1. 1

                          Yep. This is the code that the product “Tower” comes from.

                        1. 5

                          A couple of weeks ago I tried working on learning a few new languages for small projects… crash. burn. So this week I’m focusing on just one and I’m working through Chris and Julie’s Haskell book.

                          At work I’m migrating one of my environments from Puppet over to Ansible as a thought experiment.

                          1. 1

                            Any book reviews yet? I’d be curious to hear.

                            1. 2

                              Maybe when I reach the end.. I can say this though, I’ve always found starting in on Haskell hard so I’m taking Chris & Julie’s advice on starting out with a beginner’s mind (harder than I thought it would be) so it’s slow going.

                              What I appreciate are the exercises along the way and the fact that the book is forcing me to think again (like when’s the last time I actually thought about reducing a problem until I couldn’t any more).

                              It’s also a fun read. I have not read too many other books about Haskell, however the ones I have always felt harder (maybe that’s the right word?) than I expect they were meant to be.

                              1. 1

                                The recent site update led to the addition of some reviews for the Haskell book

                                1. 1

                                  I’m a bit worried that, despite your best intentions, reviews you publish on the same site will be skewed towards the positive.

                                  1. 2

                                    If you’re so concerned, use Google and search the site URL/domain and the book’s title / “Haskell book”, or Julie’s and my names. You can plumb the entirety of what’s been written about us, including a nasty and misogynistic 4chan thread, in about 30 minutes.

                                    I’m not invested in specifically you learning Haskell. Do as thou wilt, but I’m no gatekeeper. I find this feedback via Twitter and Google search.

                            1. 2

                              Lesse here, not blocked on anything ;-)

                              Back to work for me and I’ll be diving into a bit of Rust, Swift and Haskell this week I think. Rust and Haskell will be mostly getting into, with Swift the only thing that I’ve got an actual idea for on OSX.

                              1. 6

                                Wait, there is a weekly standup? :-)

                                $dayjob is full of meetings this week.

                                $personal projects involve Swift, Go, and a little bit of Rust, though I wish I had something to show for it.. looking forward to the holiday breaks to make some decent progress.