Posts by Outer mongolian custard monster from outer space (honest)

*Sigh*, I tested this as soon as THN broke it on twitter, its just for libraries.

Untarring and unzipping as root is dumb (I did it on a throwaway vm so you don't have to...) but linux command line zip and tar are both patched in the shell anyway, since the 1990's for tar and somewhere around 2006 for zip. I didn't even bother testing the other variants. It really is the old 2006 path recursive attack that some libraries were never fixed for still in use, except it has a logo, and people running round twitter trying to make a "name" for themselves in the security community to get hired.

root@testbox:/home/testuser/zip-slip-vulnerability/archives# tar -xvf zip-slip.tar

good.txt

tar: Removing leading `../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../' from member names

tar: ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt: Member name contains '..'

tar: Exiting with failure status due to previous errors

root@testbox:/home/testuser/zip-slip-vulnerability/archives# ls -la *evil*

ls: cannot access '*evil*': No such file or directory

root@testbox:/home/testuser/zip-slip-vulnerability/archives#

root@testbox:/home/testuser/zip-slip-vulnerability/archives# unzip zip-slip.zip

Archive: zip-slip.zip

extracting: good.txt

warning: skipped "../" path component(s) in ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../tmp/evil.txt

extracting: tmp/evil.txt

root@testbox:/home/testuser/zip-slip-vulnerability/archives# ls -lR tmp

tmp:

total 4

-rw-r--r-- 1 root root 20 Apr 15 22:04 evil.txt

root@testbox:/home/testuser/zip-slip-vulnerability/archives#

Chris, you know your mac address is a software config right? You want to base your home security and not letting in strangers on the basis that they also don't know this fact?

I use the 6600 as a vm host using vmware/virtual box and use a completely different machine for browsing with a kvm for when doing research, as er, it can end up in some less salubrious places quite often so that's even more critical to stay on top of & I'll have to uplift that because its running a ivybridge 2127U but that's not a big loss, any cheap box will do for that, its just a glorified web browser + vpn client host. I'm still a bit annoyed that the 6600 needs isolating and its instances not allowed to route out as a fix though as to upgrade to something more modern but capable takes what I consider a not insignificant* sum of money.

But, yeah, hands up, I'm being super grouchy, I have to make some investment in new kit because of someone else's mess. I know the nuances and I'm just going to have to suck it up and pass this cost onto my clients. But when it comes to SME's, you try telling 9/10ths of the world they need to landfill their devices because there's a unpatched flaw in the cpu they use on the machine and they absolutely must be able to use facebook and twitter while at their desk. And are all the affected machines going to go to landfill or end up in corporate disposal for the next decade?

I personally think intel should have ate the extra dev + test costs as a goodwill gesture and supported the mess they made, rather than apparently trying to turn it into a profit op to drive new cpu purchases to replace the ones they already sold you. Even if they prioritized the newer arches first it would have kept more options open longer term. At the end of the day, they made this mess with their product, washing their hands isn't going to take all of the compromised product out of the second user ecosystem for years.

*i.e. its mine and I've got short arms and deep pockets

Re: Plenty of venom still

MonkeyCee, upvoted also. Summarises the situation precisely for me also.

I come on here, comment on security stuff because that's my speciality, yet when the words "brexit" or it seems a article by Kieran arrives, there's this big flood of new usernames and anon posters. And the usual names who only ever comment on brexit stuff (Phil O, Leadswinger etc).

I should just not bother reading anything brexit related on el reg, which Ive decided to do hereon (though I'm going to hit submit for one last time). Easier to just move on I guess, and thats my entire attitude to brexit now, when they accept my citizenship application that puts me beyond expecting some politicians to do the right thing I'll be able to do that.

Re: In 2018?

But Jack, in 2018 its preposterous to imagine a professional vendor doing this* and you must be an idiot to suggest otherwise.

*Source some middle managers pretending to be technical on El Reg's forums.

Re: No password reset

No, that implies that THAT device has a unique password.

So if you push the "oh poo make everything default button", it should revert its firmware to that unique password stored somewhere as a backup.

Perhaps we could then retain access to that backup with something high tech, like having it printed on the case somewhere out of sight requiring physical access and interaction to view should we loose it?

Also strikes me that install of the backup recovery firmware defaulting to a generic could be acceptable as long as thats not the out of the box firmware applied.

The bit I do not agree with is that all devices should update automatically as a mandatory thing. No, I don't want to give manufacturers carte blanche to push new unwanted features at me and delete functionality they decide was a bit too generous in future. I'm ok if its a feature I can disable deliberately knowing this however.

Re: "If the user tries to stop the process, the computer system reboots."

Please dont wish that onto linux Pascal. We need windows as a buffer zone against average idiocy.

Some might say that process of improving the user experience at the expense of unixifcation has already started of late...

Re: I still use mine

"

I still use mine

It's in the loft, controlling my central heating. Needs to be started up again whenever there's a power outage but other than that, it's been fine for over thirty years (so far).

"

You sir win the internets. And to think I still feel guilty when I go to my old house and see the underfloor heating controller running on a pentium 90 powered toshiba laptop with a broken screen, running some years out of date version of redhat linux (hedwig I think was the last time it got upgraded, relax its now totally airgapped for some years now, although at one point it was the NAT and fax gateway for the house via a modem at the same time :p ). When I power it up and hear that brick being dragged round on a slate roof from the tiny hard disk and marvel that apache still manages to come up clean and present a working gui, until that bit works parts of my nether anatomy tighten slightly while I worry if I can rebuild it and redeploy all the source to something newer assuming I can find something with the right hardware ports to interface to my homemade controller while wondering if its finally time I swapped it for a atmel based pic system I made a few years back as contingency.

I bet you have a couple of spare zx81's stashed as DR too...

Re: Safe enough - IF no third party code

"If there is a "secret" engineering backdoor then this is a much significnat problem than spectre or meltdown."

Go down and watch the team commissioning all your new hardware, discreetly shoulder surf them, if it has in life failure, see how the vendor's engineer recovers it. It can be very very enlightening.

These are our industries dirty secrets tucked away and not spoken of openly much because they make the life of people running the hardware easier on a day to day basis. Trot out the DC and pull that chassis and recover it back to base as per official procedure to get it back vs get a coffee sit at your desk and use the "shortcut" to make life easier. I know what the majority of (human) people would do.

People leave teams, move companies, talk to other people inappropriately occasionally, find things independently when they shouldn't and other shenanigans. Yes its been our role if its discovered to have that removed or controlled when it becomes known but then you are into asking for vendor fixes for issues on a black box appliance. Are you suggesting this simply does not happen?

Its a much broader topic I agree, but its why I have difficulties taking at face values any statements from PR releases that something is a black box system therefore does not require any attention to the insides. Ever.

Last post in this thread.

Re: Down with this sort of thing...

Code review? insert jaundiced cackle...

It seems not , neither did everyone else.

https://thehackernews.com/2018/01/western-digital-mycloud.html

Re: facebook eventually imploding.

RE el reg as social media. Apparently only if you use your actual name :-)

If anyone is curious, my current username stems from demonstrating to a co-worker who insisted that el reg usernames were all genuine and vetted that he knew even less about user validation than he did about network security.

Re: WTF is wrong with this world?

But Kiwi, this is exactly the issue. A few years ago, there would be a small thread in a forum or on a wiki etc, and you'd view it, and there'd be some photo's showing you what a good valve seat looks like, what a bad one is, how to check if a valve is pocketed, another couple of shots showing pencil marks or however your tracking contact on the seats and the process, maybe a bit about making a lapping tool so it gave the correct reciprocating motion, or at least where to get one of the nasty plastic versions that last a few heads.

It was dead easy to grasp, because it was clear, concise and well, you could see.

Now, hardly anyone bothers to make pages like that, if I make up a static page detailing how I built something, there's immediately some dick saying "where's the youtube of it?" because they want spoon feeding or maybe they just fancy spaffing half a hour of their life away.

When in reality, what they were being given before was the pure information, and the chance to step up and learn a little, which when your doing simple stuff like lapping in a valve, will lead you to develop critical thinking, a eye for things and the ability to think a bit.

Throw into that mix that a staggering amount of yt engineering has massive glaring errors (look at the amount of yt "honing" videos using ball hones to try and correct out of round cylinders because the person doesn't know better) and you have the perfect crap storm forming. I realized that a few years ago when I watched some guy trying to turn his pistons for his engine undersize to fit a different block. Not only did he attempt it on a mini lathe (and fair play, you can turn out good work on even a mini lathe) but then he used a 3 jaw to chuck it in, and didnt dial the piston in. Even if he'd dialed it in correct, pistons are oval anyway to allow fo expansion around skirt near the pin bosses. The guy had thousands of likes on his video, and people posting up "oh great, I'll that too", but when I tried to mention the above was called all sorts.

so tl,dr; none of its curated, and its riddled with drivel, so you might pull off a complex job you couldnt tackle before, or you might fubar it up.

This is not a pop at people learning stuff. Everyone starts somewhere and not being a simple consumer is to be lauded. I just despair a bit at big content moneytising the niche stuff and turning it to shit with their policies.

I still watch yt, but for entertainment shows (roadkill etc). Yeah its just like switching on a tv, I know its going to be mindless scripted drivel but eyes wide open on that.

They did their best with Le Pen believe me (I work in network security and reside in France). There was a massive leak during the purdue prior to voting smearing macron and others with real emails chopped with fake ones, and all sorts of other stuff going on via twitter etc. Most of the twitter stuff however was in either english or very bad google translate french and the leak was widely seen but read with caveats due to the obviousness of its timing, so it missed the mark significantly.

And happily as a result, Le pencil brain got battered in the polls.

Re: Problems to overcome

This, lets see metal lab reports on samples showing the yield points and microscopic grain structure of the dendrites before we get too excited with how its going to sweep traditional machining away. How those dendrites form as the metal recrystalizes makes a massive difference to the final material properties.

Some parts do not require known qualities in these aspects and will be suited to it, but there's also the risk of people applying the "if all you have is a hammer, every problem is a nail" ethos expecting it to replace every other tool in the workshop, and there are things which rely on these material properties to not fail in service.

Another feather to your cap to have around, to complement a rapid proto shop, if it lives up to the hype.

No, not in my job description to crusade to fix universal stupid.

Re: Software testing is the key to knowing whether it works or not

Thats interesting but in short, it'll be transferring the primary source of bugs from the coder to the person who devises the unit test harness? So not much of a long term final answer to the issue at all really.

I see packages that are shipped when they pass a test harness each release, and every release new and interesting bugs are found that the test harness doesn't cover. Really a test harness will only detect things you already know about and fixed from popping back up into your code base.

See the commentard earlier who mentioned that some of the systems failing and killing people were working as designed, its just the initial design wasn't sufficient in scope or definition to catch the oopsie that lead to the accident.