幹壞事是進步最大的原動力
在「Wi-Fi jamming to knock out cameras suspected in nine Minnesota burglaries (tomshardware.com)」這邊看到的,原報導在「Wi-Fi jamming to knock out cameras suspected in nine Minnesota burglaries -- smart security systems vulnerable as tech becomes cheaper and easier to acquire」。
這個手法是把無線網路的頻寬塞爆 (或是放出干擾),這樣 security camera 就算拍到東西也不會有記錄:
這個應該是已知的問題?從以前 security camera 都是建議走有線 (以及 isolated VLAN),無線的主要還是娛樂用途,而不是 security camera...
以前還有印象有看過防 EMP 的型號,不過那個是軍用...
在 Hacker News 上看到 Maxim Dounin 決定分家到 freenginx 的消息:「Freenginx: Core Nginx developer announces fork (nginx.org)」,原文在 mailing list 上:「announcing freenginx.org」,這邊提到分家的原因:
Unfortunately, some new non-technical management at F5 recently decided that they know better how to run open source projects. In particular, they decided to interfere with security policy nginx uses for years, ignoring both the policy and developers’ position.
在 freenginx 的 mailing list 上有提到更多,在 2024-February/000007.html 這篇:
The most recent "security advisory" was released despite the fact that the particular bug in the experimental HTTP/3 code is expected to be fixed as a normal bug as per the existing security policy, and all the developers, including me, agree on this.
And, while the particular action isn't exactly very bad, the approach in general is quite problematic.
這邊提到的 security advisory 是「[nginx-announce] nginx security advisory (CVE-2024-24989, CVE-2024-24990)」這個,看起來是個沒有 enabled by default 的功能:
Two security issues were identified in nginx HTTP/3 implementation,
which might allow an attacker that uses a specially crafted QUIC session
to cause a worker process crash (CVE-2024-24989, CVE-2024-24990) or
might have potential other impact (CVE-2024-24990).The issues affect nginx compiled with the ngx_http_v3_module (not
compiled by default) if the "quic" option of the "listen" directive
is used in a configuration file.The issue affects nginx 1.25.0 - 1.25.3.
The issue is fixed in nginx 1.25.4.
在 id=39373804 這邊有些目前 nginx 組成的資訊可以讀,目前 nginx 的 core devs 應該就三位 (在 Insights/Contributors 這邊看起來只有兩位,這是因為 GitHub 上面的 mirror 看起來是從 Mercurial 同步過去的,而 Sergey Kandaurov 沒有 GitHub 帳號):
Worth noting that there are only two active "core" devs, Maxim Dounin (the OP) and Roman Arutyunyan. Maxim is the biggest contributor that is still active. Maxim and Roman account for basically 99% of current development.
So this is a pretty impactful fork. It's not like one of 8 core devs or something. This is 50% of the team.
Edit: Just noticed Sergey Kandaurov isn't listed on GitHub "contributors" because he doesn't have a GitHub account (my bad). So it's more like 33% of the team. Previous releases have been tagged by Maxim, but the latest (today's 1.25.4) was tagged by Sergey
現在就是單方面的說法,可以再讓子彈多飛一點時間... 看 F5 要不要回應,以及 F5 的說法 (如果要回應的話)。
看到「Rowhammer Resistant Coding in Sudo (github.com/sudo-project)」這邊的討論,提到了 sudo 專案 (變成 root 那個 sudo 軟體) 怎麼緩解 ROWHAMMER 攻擊的實作,原連結是去年九月時 GitHub 上的 commit:「Try to make sudo less vulnerable to ROWHAMMER attacks.」。
從 commit 裡面可以看到這個:
- #define AUTH_SUCCESS 0 - #define AUTH_FAILURE 1 - #define AUTH_INTR 2 - #define AUTH_ERROR 3 - #define AUTH_NONINTERACTIVE 4 + #define AUTH_SUCCESS 0x52a2925 /* 0101001010100010100100100101 */ + #define AUTH_FAILURE 0xad5d6da /* 1010110101011101011011011010 */ + #define AUTH_INTR 0x69d61fc8 /* 1101001110101100001111111001000 */ + #define AUTH_ERROR 0x1629e037 /* 0010110001010011110000000110111 */ + #define AUTH_NONINTERACTIVE 0x1fc8d3ac /* 11111110010001101001110101100 */
可以看到想法上是讓要攻擊時需要改變的 bit 數量大幅增加?尤其是對 AUTH_SUCCESS 的 hamming distance?
另外這段也是類似的設計:
+ /* Allowed by policy (rowhammer resistent). */ + #undef ALLOW + #define ALLOW 0x52a2925 /* 0101001010100010100100100101 */ + + /* Denied by policy (rowhammer resistent). */ + #undef DENY + #define DENY 0xad5d6da /* 1010110101011101011011011010 */
這邊 ALLOW 與 DENY 這邊也是把 hamming distance 設計到最大,兩個 XOR 後剛好是 0xffffffff。
會不會變成安全相關軟體實作上的 practice?
昨天科技圈最熱門的消息應該是 Apple 公開了在歐盟區開放 App Store 限制的計畫:「Apple announces changes to iOS, Safari, and the App Store in the European Union」,Hacker News 上的討論也很熱鬧,也提出了很多蘋果想盡辦法讓你不要換過去所設定的障礙:「Apple announces changes to iOS, Safari, and the App Store in the European Union (apple.com)」。
從文章可以看出 Apple 不斷的用 FUD 在擋,而且從文章裡面就可以看出來 Apple 極度不情願開放這塊肥肉。
除了文章的不情願態度外,Apple 也試著要建立各種機制讓 developer 無法轉移,其中目前最毒的是 Core Technology Fee 的設計,即使 app 後續會透過第三方的 app marketplace 下載,你仍然要付給 Apple 一筆很貴的費用:
Core Technology Fee — iOS apps distributed from the App Store and/or an alternative app marketplace will pay €0.50 for each first annual install per year over a 1 million threshold.
不確定現有的 DMA 是否有阻止的能力,但這個是目前已經看到的重點項目,歐盟應該會有動作...
另外看一些群組討論,Apple 很不願意放 App Store 出來,看起來這個功能是被鎖到 countryd 層級的,無法單純註冊歐盟 App Store 的帳號就能安裝。
反正先坐著等一兩個月看新聞消化...
這是在 Hacker News 上看到的:「Password may not contain: select, insert, update, delete, drop (uni-lj.si)」,原網站在「Password reset - ID portal」,熱鬧的地方在於原作者 (或是外包商?) 也在 Hacker News 上面回應...
禁止密碼裡面有某些字元還蠻常見的,但這次看到的很有趣 (然後被貼到 Hacker News 上):
Your password must also not contain the following character combinations: script, select, insert, update, delete, drop, --, ', /*, */.
從網域及英文版的介面可以查到這是盧比安納大學的系統,作者 (或是外包) 在 id=39079030 提到了這是上面的要求:
Oooh! I put that string there! It was a request by management, and I still don't know why. This site doesn't store any passwords, it's basically just a nice interface to external account management.
I heard a rumour that some legacy apps have weird validation on their login fields, so students wouldn't be able to log in with passwords containing certain strings. But I don't actually know of any examples.
就... 很好玩?
SourceHut 在 DDoS 後發表了報告:「SourceHut network outage post-mortem」。
這次的攻擊在 L3 層,直接塞爆 upstream bandwidth:
At around 06:00 UTC on January 10th, a layer 3 distributed denial-of-service (DDoS) attack began to target SourceHut’s PHL infrastructure.
上游 Cogent 選擇 null route 掉:
In response to the attack, Cogent announced null routes for our downstream AS, causing our PHL network to become unreachable both for SourceHut staff and the general public.
中間有試著問 Cloudflare 以及其他的方案,但依照他們的說法,費用上無法承受:
We initially researched a number of solutions, and spoke to Cloudflare in particular due to their ability to provide a rapid response to ongoing incidents. However, given our complex requirements, Cloudflare quoted us a figure which was not attainable within our financial means as a small company. Other options we researched (though we did not seek additional quotes) had similar economical constraints.
後來的解法是在 OVH 放 proxy server (搭配 OVH 的 DDoS 保護服務),然後導到沒有公開的 subnet:
However, we found that OVH’s anti-DDoS protections were likely suitable: they are effective, and their cost is amortized across all OVH users, and therefore of marginal cost to us. To this end the network solution we deployed involved setting up an OVH box to NAT traffic through OVH’s DDoS-resistant network and direct it to our (secret) production subnet in AMS; this met our needs for end-to-end encryption as well as service over arbitrary TCP protocols.
GitHub 在還沒被 Microsoft 併購前 (2018 年) 也有被打的記錄,2015 年的時候 Google 有放一些資料,當年有寫一篇記錄下來:「Google 對 GitHub 先前遭受 GFW 的 DDoS 攻擊的分析」,不過當年這波是 L7 的。
另外 2016 年的時候 GitHub 也有整理一篇關於 TCP SYN flood 的阻擋方式,這個看起來比較接近這次的攻擊:「GitHub 對抗 TCP SYN Flood 的方式:synsanity」。
前天在「使用 application password 的 Google 服務將在 2024/09/30 停止支援」這邊寫完後,yan12125 在文章留言的地方提到:
看起來這次只有停止支援 Less Secure Apps, application password 還是可以用的。公告中提到:
> If the app you are using does not support OAuth, you will need to switch to an app that offers OAuth or create an app password to access these apps.
回頭去翻了一下 LSA 是什麼 (出自「Limiting access to less secure apps to protect G Suite accounts」這篇):
A less secure app (LSA) is an app that connects to Google accounts using only username and password verification for access and not OAuth. Generally, you should only allow your users to use external apps that connect to Google accounts via OAuth, as LSAs make user accounts more vulnerable to hijacking.
看起來這邊指的是用原始的 Google 帳號與密碼登入,我一直以為這個方式早就被拔掉了,所以這次的公告以為是拔掉 application password,但看起來不是這樣。
Update:這篇內容是錯的 (感謝 yan12125),參考「LSAs 與 application password 不同...」這篇的說明。
Hacker News 上看到這個舊資料,Google 在去年九月的公告,將在 2024/09/30 停止支援 application password 的認證方式:「Beginning September 30, 2024: third-party apps that use only a password to access Google Accounts and Google Sync will no longer be supported」。
Google 讓不支援 OAuth 的程式可以用傳統的 username + password 的方式連線,產生一組 application password 讓這些程式使用,這個在 Google 的系統裡被稱作是 Less Secure Apps (LSAs),主要是 protocol-based 的方式:
This includes all third-party apps that require password-only access to Gmail, Google Calendar, Contacts via protocols such as CalDAV, CardDAV, IMAP, SMTP, and POP.
主要的安全性考量應該是在 application password 貼到對應的應用程式這段,會隨著不同的貼法而有資安疑慮。透過非 end-to-end encryption 的 IM 傳輸,那麼 IM 的系統裡面就會有這組 application password 了。
這個計畫在 2019 年宣佈的:「Turning off less secure app access to G Suite accounts」,當時規劃在 2021 年就要執行,不過中間因為 COVID-19 的關係往後延,現在的目標是 2024 年,看起來是差不多了...
ruffle 是一個 open source 的 Flash 模擬器,用 JavaScript (以及 WebAssembly) 讓使用者可以在瀏覽器裡面直接執行。
不過想到 Flash 的 crossdomain.xml 在技術上應該是沒辦法繞過瀏覽器對 CORS 的限制,所以找了一下目前的情況... 在「Ideas for getting arounds CORS restrictions #8972」這邊有提到兩個方法,另外 comment 提到了「Add setting to spoof URLs in network requests #1486」這個。
看起來這個問題還在「有點子,但沒解決」的情況。
不過找了一下當年有玩的小遊戲 Zookeeper,在「Zookeeper - Flash Games Archive | FlashArch」這邊可以玩,看起來功能都還算正常,讓人懷念啊...
Hacker News 前陣子似乎是因為被打而轉移到 Cloudflare 上:
;; ANSWER SECTION: news.ycombinator.com. 1 IN CNAME news.ycombinator.com.cdn.cloudflare.net. news.ycombinator.com.cdn.cloudflare.net. 300 IN A 172.67.5.232 news.ycombinator.com.cdn.cloudflare.net. 300 IN A 104.22.6.236 news.ycombinator.com.cdn.cloudflare.net. 300 IN A 104.22.7.236
另外可以參考「Site report for http://news.ycombinator.com」這邊的記錄,我另外備份一份放在 archive.today 上:「Site report for http://news.ycombinator.com」。
可以看到先前是指到 209.216.230.240,然後今年 (2024) 年初的時候似乎是因為 DDoS 的關係,在骨幹上被 blackhole 掉,後來就轉到 Cloudflare 上了。
一個比較意外的是看到報告說是 FreeBSD,等之後切回去再來研究看看?
Cloudflare 的 WAF 在科技類的網站容易誤判,像是「Ask HN: Does Cloudflare block HN comments if you have code blocks in a reply?」這邊就遇到了,可以在留言裡面看到大家在研究要怎麼繞 WAF XDDD
等到切回去應該就會恢復,不過還在 Cloudflare 上的這陣子應該會繼續看到抱怨...