-

2019-04-19 10:15:54

ivan zlax

zlax@ussr.win

News from the world of successful proprietary Linux distributions:
https://seclists.org/fulldisclosure/2019/Apr/24
Новости из мира успешных проприетарных дистрибутивов Linux:
http://seclists.org/fulldisclosure/2019/Apr/29

Just found an issue in Redhat/CentOS which according to RedHat security team is not an issue. I don't know, sounds weird to me.
If, for whatever reason, a user is able to write an ifcf-<whatever> script to /etc/sysconfig/network-scripts or it can adjust an existing one, then your system in pwned.

Только что обнаружена проблема в Redhat/CentOS, которая, по мнению команды безопасности RedHat, не является проблемой. Я не знаю, звучит странно для меня.
Если по какой-либо причине пользователь может написать сценарий ifcf-<what> в /etc/sysconfig/network-scripts или может изменить существующий, тогда ваша система уже не совсем ваша.

Также хотелось бы напомнить, что разработчиком модуля SELinux была именно корпорация RedHat. Похоже, безопасность доступа для АНБ является их специализацией.

I would also like to remind that the developer of the SELinux module was RedHat Corporation. It seems that access security for the NSA is their specialty.

#capitalism #ibm #infosec #network #opensource #property #software #technology

english russian

show all 22 comments

2019-04-19 11:19:38

Max Kostikov

kostikov@tiksi.net

Это, конечно, не баг и не закладка. И вообще не проблема.
Это обычные shell-скрипты для инициализации. Понятно, что туда можно написать, если есть права, что угодно.
Только вот прав таких быть не должно у кого попало.

2019-04-19 12:13:57

ivan zlax

zlax@ussr.win

@Max Kostikov

Только вот прав таких быть не должно у кого попало.

Да, это не баг, но уязвимость (если оставлена умышленно - можно сказать что закладка), которую возможно эксплуатировать через NetworkManager. Из этого следует, что права на изменение этих скриптов, помимо владельцев, есть также у мэйнтейнеров rpm-репозитория NetworkManager.

2019-04-19 12:46:04

Max Kostikov

kostikov@tiksi.net

но уязвимость

Нет. С каких пор возможность администратору править системные скрипты стала уязвимостью?
Вообще, о этот странный мир отмороженный ластоногих... :-)

2019-04-19 12:50:09

ivan zlax

zlax@ussr.win

@Max Kostikov уязвимость это от того, что эта возможность есть не только у администратора, но и у мэйнтейнеров.
Хотя если искренне доверять корпорации IBM, то выкупленные ими мэйнтейнеры корпорации RedHat наверняка никогда не допустят подобного.

2019-04-19 12:53:56

Max Kostikov

kostikov@tiksi.net

Нет у них такой возможности. Есть возможность у системного софта работающего с правами администратора.
В конце-концов не пользуйтесь их софтом, в чём дело то? Не верите никому - напишите свою ОС с блекджеком и шлюхами.
Резюмируя - паранояльный бред.

2019-04-19 13:01:11

ivan zlax

zlax@ussr.win

Есть возможность у системного софта работающего с правами администратора.

Эти скрипты поставляются и изменяются пакетом NetworkManager. В других дистрибутивах это же NetworkManager работает иначе.

В конце-концов не пользуйтесь их софтом, в чём дело то?

Так и не пользуемся.

Резюмируя - паранояльный бред.

Резюмируя? Подождите, вы перепутали, это мои сообщения параноидальны, ваши же - наоборот.

2019-04-19 14:20:25

Andreas Scherbaum

ads@pluspora.com

If, for whatever reason, a regular user can edit content under /etc, you are doomed.

Conclusion: don't let users edit anything under /etc, your network configuration is no exception to that.

2019-04-19 14:28:33

ivan zlax

zlax@ussr.win

@Andreas Scherbaum, also i wouldn’t trust the IBM maintainers. As i understand it, the US special services may ask them to make small changes in the package of NetworkManager and IBM will not have the right to refuse such a request.

2019-04-19 14:31:35

Andreas Scherbaum

ads@pluspora.com

@ivan zlax Do you have any proof for what you claim?

2019-04-19 14:54:02

ivan zlax

zlax@ussr.win

@Andreas Scherbaum
commercial aspect:
https://www.cnbc.com/2018/10/28/ibm-to-acquire-red-hat-in-deal-valued-at-34-billion.html
ideological aspect:
https://www-03.ibm.com/employment/us/veteran_talent/
right aspect:
https://en.wikipedia.org/wiki/IBM_during_World_War_II
public aspect:
https://www.theinquirer.net/inquirer/news/2334426/ibm-denies-nsa-involvement-and-prism-surveillance
bureaucratic aspect:
https://www-03.ibm.com/press/us/en/pressrelease/23460.wss
documental aspect:
http://cryptome.org/0001/nsa-meyer.htm
factical aspect:
https://www.themoscowtimes.com/2014/05/05/microsoft-oracle-likely-to-stop-working-with-russian-banks-over-sanctions-a35056
https://www.forbes.com/sites/kenrapoza/2017/07/04/hacker-fears-u-s-tech-companies-still-want-to-work-with-sanctioned-russian-spy-agencies/

it's enough?

2019-04-19 15:15:58

ivan zlax

zlax@ussr.win

@Andreas Scherbaum, actually, it's strange that you don't know all this and need proofs.
Probably, this promotional video is related to this:

ivan zlax wrote the following post Wed, 18 Mar 2009 18:25:00 +0300

Случайно наткнулся на старое и показательное:

26 апреля 2002 г. В своей речи г-н Гейтс раскритиковал поклонников программного обеспечения с открытым исходным кодом и саму модель "Open Source", а также использование такого ПО для нужд правительства.
"Мы говорим, что должна быть экосистема наподобие бесплатной формы UNIX - VSB (BSD), но без GPL... Правительство может финансировать работу по BFP (BSD), UNIX, и найдутся компании, которые будут создавать коммерческие продукты под эту систему". Тех, кто так не считает, Билл Гейтс сравнил с фермерами, которые в свободное от работы время по ночам пишут программы, чем вызвал смех аудитории.

Microsoft давно и не стесняясь объявила GPL "коммунистической и антиамериканской" чумой, заражающей все, чего она касается, своеобразной раковой опухолью. Лицензии софтверного гиганта запрещают использовать ПО от Microsoft в сочетании с "потенциально вирусным программным обеспечением" с открытым исходным кодом. При этом в категорию "вирусного ПО" отнесены наиболее распространенные лицензии, применяющиеся для публикации отрытых кодов, например, для ОС Linux.

Весьма так эти слова коррелируют с вот этим видео красношапочников:
https://www.youtube.com/watch?v=HSeImqbV30s
#property #opensource #software #infosec
original post@lj

But may be not.

2019-04-19 17:45:21

Andreas Scherbaum

ads@pluspora.com

@ivan zlax None of your links proof anything, and bringing a public denial as proof that IBM is involved is surreal.

But back to the topic: I asked what proof do you have that IBM / Red Hat somehow manipulate the network tools. Posting history from WWII as answer is just distraction. Get back to the topic, or leave it as it is.

2019-04-19 18:36:01

ivan zlax

zlax@ussr.win

@Andreas Scherbaum

I asked what proof do you have that IBM / Red Hat somehow manipulate the network tools

No, do not try to cheat me. Re-read what you wrote above. You asked me to provide proofs of this statement:

i wouldn’t trust the IBM maintainers. As i understand it, the US special services may ask them to make small changes in the package of NetworkManager and IBM will not have the right to refuse such a request.

I proved it. Such precedents have already been with the corporation IBM. There is no reason to trust them, to hope that they will not take advantage of this opportunity again, given their preferences, right and ideology.

Get back to the topic, or leave it as it is.

Your attempt at a sophistic reception hints that you are somehow interested in this topic. Please tell me, do you get any money from the US government or do you have any relation to the IBM corporation? Or are you a simple user of open products controlled by IBM?

2019-04-19 18:50:50

BR 549 ☎

urbanroman@diasp.org

a little common sense is called for here .. and of course, @Andreas Scherbaum's call for proof is a common discussion-stopper for any topic, for all time. but anyway --

concrete examples may (or may not) exist in the 90% of the Snowden archive deleted by The Intercept. Sadly, most of the publications cited by @ivan zlax have descended into political bullshit over the last couple of years, if not decade. (and isn't The Moscow Times a RFE/RL {the Pentagon propaganda arm} publication?)

as for the defect report itself, and as pointed out in the comments above, if an ordinary user can write into /etc, your Linux instance is about as secure as a Windows 98 instance. ordinary users cannot access /etc/sysconfig/network*, but the network manager daemon (and root) can.

proof, of course, absolute proof, could be provided by a proof-of-concept script. it may need to either employ an escalation of privilege from the user side, or to somehow control the network manager to accomplish this task.

as for SE Linux, there were some ideas in that version which were widely acknowledged to be good ones. one example is random program IDs. and as always in Linux, the real proof is in the source code...

2019-04-19 19:03:33

Andreas Scherbaum

ads@pluspora.com

Was not even pointing to the source code yet, which is available for any Linux distribution, and which gives you the ability to validate that no such code was included by IBM - or to proof that they did.

And as for the "proof" I asked for, I did not ask for a smoking gun. But surely if @ivan zlax can claim that someone can request such additions from IBM and they can't turn that request down, he should be able to somehow provide additional documentation beyond "he understands that is the situation".

2019-04-19 19:19:59

ivan zlax

zlax@ussr.win

@Andreas Scherbaum

Was not even pointing to the source code yet, which is available for any Linux distribution, and which gives you the ability to validate that no such code was included by IBM - or to proof that they did.

In case of attempting to exploit this vulnerability, it would be more practical to inject malicious code into binary files, but not into the source code.
That would be more professional. After all, IBM is known for its professionalism:
http://cryptome.org/isp-spy/ibm-coprocess-spy.pdf
http://cryptome.org/isp-spy/ibm-spy.pdf

And as for the "proof" I asked for, I did not ask for a smoking gun.

Do not try to cheat me. You ask:
Do you have any proof for what you claim?
I provided proof of what i am claiming.

But surely if @ivan zlax can claim that someone can request such additions from IBM and they can't turn that request down, he should be able to somehow provide additional documentation beyond "he understands that is the situation".

Please do not try to make sophisticated tricks. I provided links to official statements and leaking documents in support of my words. You avoid the questions that i ask you. I will repeat my questions to you:
Please tell me, do you get any money from the US government or do you have any relation to the IBM corporation? Or are you a simple user of open products controlled by IBM?
Please do not be irresponsible. Tell me about what i'm asking you.

2019-04-19 19:33:28

ivan zlax

zlax@ussr.win

@J R

concrete examples may (or may not) exist in the 90% of the Snowden archive deleted by The Intercept. Sadly, most of the publications cited by @ivan zlax have descended into political bullshit over the last couple of years, if not decade.

50 years ago, thanks to FOIA:
http://cryptome.org/0001/nsa-meyer.htm
- DOCID: 3417193
NSA worked closely with IBM to strengthen the algorithm against all except brute force attacks and to strengthen substitution tables, called S-boxes. Conversely, NSA tried to convince IBM to reduce the length of the key from 64 to 48 bits.
I do not think that the general principles of work of the US special services and the IBM corporation have changed alot since then.

(and isn't The Moscow Times a RFE/RL {the Pentagon propaganda arm} publication?)

This is an example of the fact that US corporate IT giants are subordinate to the US government.

proof, of course, absolute proof, could be provided by a proof-of-concept script. it may need to either employ an escalation of privilege from the user side, or to somehow control the network manager to accomplish this task.

It is enough to provide a compromised NetworkManager.rpm during the usual update. The IBM Corporation now has this opportunity after the transaction about buying Red Hat.

2019-04-19 19:37:56

Andreas Scherbaum

ads@pluspora.com

You must not confuse what I asked and what I did not ask.

But I see, you pull together historic documents and extrapolate your proof from there. Consider me convinced, I'm going to enjoy the weather outside instead.

2019-04-19 19:44:53

ivan zlax

zlax@ussr.win

@Andreas Scherbaum, i understand you, you demand proofs from me, you are not responsible for your own words and you leave from the answers to my questions. At the same time, you consider it worthy to so easily break off the dialogue that you started.

This is very typical for representatives of Western supremacy:

Mostly, the fact is not always that the ‘population in the West is brainwashed’. That would really be quite a good scenario: and something relatively easy to correct.

The problem is much greater: The inhabitants of the West do not want to know, because deep inside, they do not want the system to change. They don’t want the world order to be modified.

...

The conclusion that I am lately arriving at, is: they do not search, they do not compare and ‘they do not want to know’ because they are scared.

Scared of discovering reality, which would in turn force them to act; to at least shed some of the basic privileges the citizens of the colonizing countries, enjoy.

2019-04-19 21:20:40

Andreas Scherbaum

ads@pluspora.com

Somehow I can't hide this thread, Diaspora must be broken again sighSo here we are again, and before I write a mail filter just for you ... you stated:

As i understand it, the US special services may ask them to make small changes in the package of NetworkManager and IBM will not have the right to refuse such a request.

And yet, suddenly you claim that I must proof where your understanding of this is coming from ... and because I can't or won't proof what you post and what you think, it must be western supremacy. That is nonsense. You constantly try to revert and change arguments in this discussion.

I asked that you show where your understanding is coming from. Instead of any real proof to corroborate your statement you posted a dozen links from WWII and what else ... In your list is not a single piece of evidence showing that Red Hat today, or IBM today, must bring malicious code into an Open Source project. If you post it, show real evidence, not vague circumstantial links from another century.

So unless you can bring forward more than just PDFs from the 90s, or unrelated stuff, and unless you stop claiming supremacy BS, please spare me your unproven conspiracy theories.

2019-04-19 21:54:07

BR 549 ☎

urbanroman@diasp.org

let's see what we have so far: 1. a shell script can run other scripts 2. if it runs as root, it can run other scripts as root 3. root can make arbitrary changes to things in /etc 4. the NSA/CIA/etc, let's just call it Washington, has been the author of malicious software in the past. they have compromised the security of almost every computer on earth, with a possible exception of some Huawei devices. and Washington will undoubtedly continue to be the author of malicious software, as a leopard does not change its spots.

... so that's about it. the 'bug report' in the initial post is covered by (1), (2) and (3). so it's nothing, then.

2019-04-19 22:14:09

ivan zlax

zlax@thepirate.party

@Andreas Scherbaum

Somehow I can't hide this thread, Diaspora must be broken again sighSo here we are again, and before I write a mail filter just for you ...

It is funny: you write special filters just for me. But it is useless - if i wish it - you will still receive a notification by mail (like this time).

And yet, suddenly you claim that I must proof where your understanding of this is coming from

I did not ask you about it. Apparently you confused something.

In your list is not a single piece of evidence showing that Red Hat today, or IBM today, must bring malicious code into an Open Source project. If you post it, show real evidence, not vague circumstantial links from another century.

I provided proof that IBM was doing this in the past (DOCID: 3417193), i provided proof that IBM recently bought Red Hat. I also provided proof that US IT giants are subordinate to the US government today.

If you post it, show real evidence, not vague circumstantial links from another century.

I can not do it for you. I can only speculate like you. I can also substantiate my assumptions with references to documents, to precedents that form my opinion. You can't do that. You can't even answer the questions i asked you. Therefore, i will not satisfy your requests.

So unless you can bring forward more than just PDFs from the 90s, or unrelated stuff, and unless you stop claiming supremacy BS, please spare me your unproven conspiracy theories.

You can not answer my questions - i can not meet your requirements. It's simple. You are trying to hide information from those around you about your intentions in this discussion - i will also hide some information from you. It's simple.