This Week In Security: The Geopolitical Kernel, Roundcube, And The Archive

October 25, 2024 by Jonathan Bennett 12 Comments

Leading off the week is the controversy around the Linux kernel and an unexpected change in maintainership. The exact change was that over a dozen developers with ties to or employment by Russian entities were removed as maintainers. The unfortunate thing about this patch was that it was merged without any discussion or real explanation, other than being “due to various compliance requirements”. We eventually got more answers, that this was due to US sanctions against certain Russian businesses, and that the Linux Foundation lawyers gave guidance that:

If your company is on the U.S. OFAC SDN lists, subject to an OFAC sanctions program, or owned/controlled by a company on the list, our ability to collaborate with you will be subject to restrictions, and you cannot be in the MAINTAINERS file.

So that’s that. One might observe that it’s unfortunate that a single government has that much control over the kernel’s development process. There were some questions about why Russian entities were targeted and not sanctioned Chinese companies like Huawei. [Ted Ts’o] spoke to that, explaining that in the US there are exemptions and different rules for each country and business. This was all fairly standard compliance stuff, up until a very surprising statement from [James Bottomley], a very core Kernel maintainer:

We are hoping that this action alone will be sufficient to satisfy the US Treasury department in charge of sanctions and we won’t also have to remove any existing patches.

Continue reading “This Week In Security: The Geopolitical Kernel, Roundcube, And The Archive” →

FLOSS Weekly Episode 806: Manyfold — The Dopamine Of Open Source

October 23, 2024 by Jonathan Bennett No comments

This week Jonathan Bennett and David Ruggles chat with James Smith about Manyfold, the self-hosted 3D print digital asset manager that’s on the Fediverse! Does it do live renders? Does it slice? Listen to find out!

Continue reading “FLOSS Weekly Episode 806: Manyfold — The Dopamine Of Open Source” →

This Week In Security: Quantum RSA Break, Out Of Scope, And Spoofing Packets

October 18, 2024 by Jonathan Bennett 13 Comments

Depending on who you ask, the big news this week is that quantum computing researchers out of China have broken RSA. (Here’s the PDF of their paper.) And that’s true… sort of. There are multiple caveats, like the fact that this proof of concept is only factoring a 22-bit key. The minimum RSA size in use these days is 1024 bits. The other important note is that this wasn’t done on a general purpose quantum computer, but on a D-Wave quantum annealing machine.

First off, what is the difference between a general purpose and annealing quantum computer? Practically speaking, a quantum annealer can’t run Shor’s algorithm, the quantum algorithm that can factor large numbers into primes in a much shorter time than classical computers. While it’s pretty certain that this algorithm works from a mathematical perspective, it’s not at all clear that it will ever be possible to build effective quantum computers that can actually run it for the large numbers that are used in cryptography.

We’re going to vastly oversimplify the problem, and say that the challenge with general purpose quantum computing is that each q-bit is error prone, and the more q-bits a system has, the more errors it has. This error rate has proved to be a hard problem. The D-wave quantum annealing machine side-steps the issue by building a different sort of q-bits, that interact differently than in a general purpose quantum computer. The errors become much less of a problem, but you get a much less powerful primitive. And this is why annealing machines can’t run Shor’s algorithm.

The news this week is that researchers actually demonstrated a different technique on a D-wave machine that did actually factor an RSA key. From a research and engineering perspective, it is excellent work. But it doesn’t necessarily demonstrate the exponential speedup that would be required to break real-world RSA keys. To put it into perspective, you can literally crack a 22 bit RSA key by hand.

Continue reading “This Week In Security: Quantum RSA Break, Out Of Scope, And Spoofing Packets” →

FLOSS Weekly Episode 805: Mastodon — Bring Your Own Algorithm

October 16, 2024 by Jonathan Bennett No comments

This week Jonathan Bennett and Jeff Massie chat with Andy Piper about Mastodon! There’s a new release of Mastodon, and plenty on the road map to keep everybody excited!

Continue reading “FLOSS Weekly Episode 805: Mastodon — Bring Your Own Algorithm” →

This Week In Security: The Internet Archive, Glitching With A Lighter, And Firefox In-the-wild

October 11, 2024 by Jonathan Bennett 7 Comments

The Internet Archive has been hacked. This is an ongoing story, but it looks like this started at least as early as September 28, while the site itself was showing a creative message on October 9th, telling visitors they should be watching for their email addresses to show up on Have I Been Pwnd.

Hi folks, yes, I'm aware of this. I've been in communication with the Internet Archive over the last few days re the data breach, didn't know the site was defaced until people started flagging it with me just now. More soon. https://t.co/uRROXX1CF9

— Troy Hunt (@troyhunt) October 9, 2024

There are questions still. The site defacement seems to have included either a subdomain takeover, or a long tail attack resulting from the polyfill takeover. So far my money is on something else as the initial vector, and the polyfill subdomain as essentially a red herring.

Troy Hunt has confirmed that he received 31 million records, loaded them into the HIBP database, and sent out notices to subscribers. The Internet Archive had email addresses, usernames, and bcrypt hashed passwords.

In addition, the Archive has been facing Distributed Denial of Service (DDoS) attacks off and on this week. It’s open question whether the same people are behind the breach, the message, and the DDoS. So far it looks like one group or individual is behind both the breach and vandalism, and another group, SN_BLACKMETA, is behind the DDoS.

Continue reading “This Week In Security: The Internet Archive, Glitching With A Lighter, And Firefox In-the-wild” →

FLOSS Weekly Episode 804: The AI Alliance — Asimov Was Right

October 9, 2024 by Jonathan Bennett 1 Comment

This week Jonathan Bennett and and Dan Lynch chat with Anthony Annunziata about Open Source AI and the AI Alliance. We get answers to our burning AI questions, and talk about the difficulty of defining what Open Source means for these large models.

Continue reading “FLOSS Weekly Episode 804: The AI Alliance — Asimov Was Right” →

This Week In Security: Zimbra, DNS Poisoning, And Perfctl

October 4, 2024 by Jonathan Bennett 6 Comments

Up first this week is a warning for the few of us still brave enough to host our own email servers. If you’re running Zimbra, it’s time to update, because CVE-2024-45519 is now being exploited in the wild.

That vulnerability is a pretty nasty one, though thankfully requires a specific change from default settings to be exposed. The problem is in postjournal. This logging option is off by default, but when it’s turned on, it logs incoming emails. One of the fields on an incoming SMTP mail object is the RCPT TO: field, with the recipients made of the to, cc, and bcc fields. When postjournal logs this field, it does so by passing it as a bash argument. That execution wasn’t properly sanitized, and wasn’t using a safe call like execvp(). So, it was possible to inject commands using the $() construction.

The details of the attack are known, and researchers are seeing early exploratory attempts to exploit this vulnerability. At least one of these campaigns is attempting to install webshells, so at least some of those attempts have teeth. The attack seems to be less reliable when coming from outside of the trusted network, which is nice, but not something to rely on.

New Tool Corner

What is that binary doing on your system? Even if you don’t do any security research, that’s a question you may ask yourself from time to time. A potential answer is WhoYouCalling. The wrinkle here is that WYC uses the Windows Event Tracing mechanism to collect the network traffic strictly from the application in question. So it’s a Windows only application for now. What you get is a packet capture from a specific executable and all of its children processes, with automated DNS capture to go along. Continue reading “This Week In Security: Zimbra, DNS Poisoning, And Perfctl” →

Hackaday

Author: Jonathan Bennett

427 Articles

This Week In Security: The Geopolitical Kernel, Roundcube, And The Archive

FLOSS Weekly Episode 806: Manyfold — The Dopamine Of Open Source

This Week In Security: Quantum RSA Break, Out Of Scope, And Spoofing Packets

FLOSS Weekly Episode 805: Mastodon — Bring Your Own Algorithm

This Week In Security: The Internet Archive, Glitching With A Lighter, And Firefox In-the-wild

FLOSS Weekly Episode 804: The AI Alliance — Asimov Was Right

This Week In Security: Zimbra, DNS Poisoning, And Perfctl

New Tool Corner

Search

Never miss a hack

If you missed it

Boss Byproducts: Fulgurites Are Fossilized Lightning

FreeBSD At 30: The History And Future Of The Most Popular BSD-Based OS

Ham Radio In The Internet Age

Hacker Tactic: Building Blocks

Will .IO Domain Names Survive A Geopolitical Rearrangement?

Our Columns

Hackaday Links: October 27, 2024

Retrotechtacular: Making Enough Merlins To Win A War

Hackaday Podcast Episode 294: SAO Badge Reveal, Precision On A Shoestring, And The Saga Of Redbox