Author: Jonathan Bennett

533 Articles

FLOSS Weekly Episode 770: 10% More Internet

February 14, 2024 by 7 Comments

This week, Jonathan Bennett and Doc Searls talk with David Taht about the state of the Internet and, specifically, IPv4 exhaustion. We’re running out of IPv4 addresses! But we’ve been running out for something like ten years now. What gives? And why are nearly 20% of the world’s IPv4 addresses sitting unused? David has a hack that would give the world 10% more Internet, but Amazon might have something to say about it.

There’s even more, like Kessler Syndrome, some musing on what the Interplanetary Internet will look like, the worth of real paper books, and a long-term bet for some IPv4 addresses to come to fruition in 2038.

Continue reading “FLOSS Weekly Episode 770: 10% More Internet”

This Week In Security: Broken Shims, LassPass, And Toothbrushes?

February 9, 2024 by 8 Comments

Linux has a shim problem. Which naturally leads to a reasonable question: What’s a shim, and why do we need it? The answer: Making Linux work wit Secure Boot, and an unintended quirk of the GPLv3.

Secure Boot is the verification scheme in modern machines that guarantees that only a trusted OS can boot. When Secure Boot was first introduced, many Linux fans suggested it was little more than an attempt to keep Linux distros off of consumer’s machines. That fear seems to have been unwarranted, as Microsoft has dutifully kept the Linux Shim signed, so we can all run Linux distros on our Secure Boot machines.

So the shim. It’s essentially a first-stage bootloader, that can boot a signed GRUB2 or other target. You might ask, why can’t we just ask Microsoft to sign GRUB2 directly? And that’s where the GPLv3 comes in. That license has an “anti-tivoization” section, which specifies “Installation Information” as part of what must be provided as part of GPLv3 compliance. And Microsoft’s legal team understands that requirement to apply to even this signing process. And it would totally defeat the point of Secure Boot to release the keys, so no GPLv3 code gets signed. Instead, we get the shim.

Now that we understand the shim, let’s cover how it’s broken. The most serious vulnerability is a buffer overflow in the HTTP file transfer code. The buffer is allocated based on the size in the HTTP header, but a malicious HTTP server can set that value incorrectly, and the shim code would happily write the real HTTP contents past the end of that buffer, leading to arbitrary code execution. You might ask, why in the world does the shim have HTTP code in it at all? The simple answer is to support UEFI HTTP Boot, a replacement for PXE boot.

The good news is that this vulnerability can only be triggered when using HTTP boot, and only by connecting to a malicious server or via a man-in-the-middle attack. With this in mind, it’s odd that this vulnerability is rated a 9.8. Specifically, it seems incorrect that this bug is rated low complexity, or a general network attack vector. In Red Hat’s own write-up of the vulnerability, they argue that the exploitation is high complexity, and is only possible from an adjacent network. There were a handful of lesser vulnerabilities found, and these were all fixed with shim 15.8. Continue reading “This Week In Security: Broken Shims, LassPass, And Toothbrushes?”

FLOSS Weekly Episode 769: OpenCost — We Spent How Much?

February 7, 2024 by 2 Comments

This week Jonathan Bennett and Katherine Druckman talk with Matt Ray about OpenCost. What exactly is Cloud Native? Why do we need a project just for tracking expenses? Doesn’t the cloud make everything cheaper? Is there a use case for the hobbyist?

The cloud is just a fancy way to talk about someone else’s servers — and what may surprise you is that they charge you money for the privilege of using those computers. But how much? And when you have multiple projects, which ones cost how much? That’s where OpenCost comes in. Not only does it help you track down costs in your cloud usage, it can also catch problems like compromised infrastructure sooner. Mining bitcoin in your Kubernetes Cluster makes a really noticeable spike in processor usage after all.
Continue reading “FLOSS Weekly Episode 769: OpenCost — We Spent How Much?”

This Week In Security: Glibc, Ivanti, Jenkins, And Runc

February 2, 2024 by 4 Comments

There’s a fun buffer overflow problem in the Glibc __vsyslog_internal() function. This one’s a real rollercoaster, because logging vulnerabilities are always scary, but at a first look, it seems nearly impossible to exploit. The vulnerability relies on a very long program name, which can overflow an internal buffer. No binaries are going to have a name longer than 1024 bytes, so there’s no problem, right?

Let’s talk about argv. That’s the list of arguments that gets passed into the main() function of every Linux binary when it launches. The first string in that list is the binary name — except that’s a convention, and not particularly enforced anywhere. What really happens is that the execve() system call sets that list of strings. The first argument can be anything, making this an attacker-controlled value. And it doesn’t matter what the program is trying to write to the log, because the vulnerability triggers simply by writing the process name to a buffer.

There is a one-liner to test for a vulnerable Glibc:

exec -a "`printf '%0128000x' 1`" /usr/bin/su < /dev/null

and the Qualys write-up indicates that it can be used for an escalation of privilege attack. The good news is this seems to be a local-only attack. And on top of that, a pair of other lesser severity issues were found and fixed in glibc while fixing this one.
Continue reading “This Week In Security: Glibc, Ivanti, Jenkins, And Runc”

FLOSS Weekly Episode 768: Open Source Radio

January 31, 2024 by 8 Comments

This week Jonathan Bennett and Doc Searls talk with Tony Zeoli about Netmix and the Radio Station WordPress plugin. The story starts with the Netmix startup, one of the first places doing Internet music in the 1990s. That business did well enough to get bought out just before the Dot Com bubble burst in 2000. Today, Tony runs the Radio Station plugin, which is all about putting a station’s show schedule on a WordPress site.

In the process, the trio covers Internet radio history, the licensing complications around radio and streaming, the state of local radio, and more. Is there a long term future for radio? Does Creative Commons solve the licensing mess? Is AI going to start eating radio, too? All this and more!

Continue reading “FLOSS Weekly Episode 768: Open Source Radio”

This Week In Security: MOAB, Microsoft, And Printers

January 26, 2024 by 15 Comments

This week, news has broken of the Mother of All Breaches, MOAB. It’s 12 terabytes and 26 billion records, averaging about 500 bytes each. Now note that a record here is likely not a discrete email address, but simply a piece of data — a row on the database.

Now before we all lose our minds over this, there’s an important detail to take note of: These aren’t new leaks. This is a compilation of leaks, and as far as researchers have checked, there aren’t any new leaks disclosed here. This was someone’s database of accumulated leak data, accidentally re-leaked via an unsecured database. [Troy Hunt] goes so far as to speculate that it could be from a breach search service, which sounds pretty plausible.

There was yet another release of credentials late last week that hasn’t attracted as much attention, but seems to represent a much bigger issue. The Naz.api data set isn’t a breach where a company was hacked, and their entire user database was stolen. Instead, this one is combination of a credential stuffing list and stealer logs.

Credential stuffing is basically a smarter brute force attack, where the credentials from one breach are tried on multiple other sites. Such a list is just the results where guesses were successful. The really interesting bit is that this dataset seems to include stealer logs. Put simply, that’s the results of malware that scrapes victim machines for credentials.

Naz.api has over 70 million unique email addresses, and it looks like about a third of them are new, at least according to the Haveibeenpwned dataset. Now that’s significant, though not really worthy of the MOAB title, either. Continue reading “This Week In Security: MOAB, Microsoft, And Printers”

FLOSS Weekly Episode 767: Owntracks, Are We There Yet?

January 24, 2024 by 2 Comments

This week Jonathan Bennett and Jeff Massie talk with JP Mens about Owntracks, the collection of programs that lets you take back control of your own location data. It’s built around the simple idea of taking position data from a mobile phone or other data source, sending it over MQTT to a central server, and logging that data to a simple data store.

From there, you can share it as trips, mark points of interest, play back your movement in a web browser, and more. And because it’s just JSON inside MQTT, it’s pretty trivial to make a connector to interface with other projects, like Home Assistant. We’ve even covered the process!

Continue reading “FLOSS Weekly Episode 767: Owntracks, Are We There Yet?”