http://stanleylieber.com:80/new/index.rss en-us Sun, 03 Jul 2022 17:33:19 -0400 http://stanleylieber.com:80/new/2022/07/03/0/ http://stanleylieber.com:80/new/2022/07/03/0/ Sun, 03 Jul 2022 17:10:06 -0400 <p><img src="http://img.stanleylieber.com/src/23306/img/small.1656881630.png" alt="star wars wallet, 1983" /></p> <p>I started kindergarten in the fall of 1983. For my birthday that year I received this Star Wars wallet. I carried it everywhere.</p> <p><img src="http://img.stanleylieber.com/src/23307/img/small.1656881648.png" alt="oberto beef jerky" /></p> <p>I stuffed a bunch of clippings inside, filling out my legend with various bits of pocket lint. I don&rsquo;t remember ever actually eating beef jerky while I was growing up, but according to my cover story I loved it.</p> <p><img src="http://img.stanleylieber.com/src/23308/img/small.1656881666.png" alt="cpr for citizens, narrated by orson welles" /></p> <p>The character I was portraying was also a big fan of Orson Welles.</p> <p><img src="http://img.stanleylieber.com/src/23309/img/small.1656881685.png" alt="military markings" /></p> <p>And, I insisted, a veteran (more on that in a minute).</p> <p><img src="http://img.stanleylieber.com/src/23310/img/small.1656881703.png" alt="i am" /></p> <p>&ldquo;I am that I am.&rdquo;</p> <p><img src="http://img.stanleylieber.com/src/23311/img/small.1656881722.png" alt="tattoo (removed)" /></p> <p>This is the tattoo I got during my tour in Vietnam. I had it removed before I came home, and I carried it around to remind me of everything I&rsquo;d been through. I may or may not have left a young family behind there, whom by this time, I would guess, are all grown up (just like me).</p> <p><img src="http://img.stanleylieber.com/src/23313/img/small.1656881764.png" alt="back of wallet" /></p> http://stanleylieber.com:80/new/2022/04/03/0/ http://stanleylieber.com:80/new/2022/04/03/0/ Fri, 29 Apr 2022 08:34:42 -0400 <p><img src="http://img.stanleylieber.com/src/23180/img/small.1648913845.png" alt="KEK, KEK, KEK!" /></p> <p>Around 1997 I used search engines to find poorly configured <a href="https://en.wikipedia.org/wiki/IRIX">IRIX</a> servers with <em>/etc/passwd</em> exposed to the Internet via classic <a href="https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include">directory traversal</a>. IRIX helpfully provided several accounts with <a href="https://www.passwordsdatabase.com/vendor/sgi">factory default passwords</a>, so these usernames were easy to search for, which was in turn an easy way to identify IRIX hosts. Unpatched <a href="https://insecure.org/sploits_irix.html">local root vulnerabilities</a> ensured that <a href="http://img.stanleylieber.com/src/23185/img/1649040788.jpg">&ldquo;Game over, man.&rdquo;</a></p> <p>9front includes a web server written in <a href="http://rc.cat-v.org">rc</a>, called <a href="http://man.9front.org/8/rc-httpd">rc-httpd</a>. It was written to run on a Mac, but early on I transplanted it into <a href="https://en.wikipedia.org/wiki/Plan_9_from_Bell_Labs">Plan 9</a> in order to serve <a href="http://9front.org">9front.org</a>, <a href="http://cat-v.org">cat-v.org</a>, and other sites. We&rsquo;ve made some refinements over the years, but it remains very simple. Most importantly, it works well for static or CGI pages, the latter of which is needed by <a href="http://werc.cat-v.org">werc</a>.</p> <p>Plan 9 makes erecting trivial sandboxes easy, but robust ones remain elusive if the quirky restrictions embodied in the special user <a href="http://fqa.9front.org/fqa7.html#7.3.3.1.1">none</a> are for some reason undesirable. For close to ten years I&rsquo;ve run all our sites on <em>rc-httpd</em> with no sandboxing at all. Since public websites and public mailing lists are all that have ever been stored on the machine, I&rsquo;ve never mustered the gumption to try and harden the environment further.</p> <p><img src="http://img.stanleylieber.com/src/23178/img/small.1648869982.png" alt="Tangle of fibers terminating in a Juniper MX960." /></p> <p>Late last month, <a href="https://4chan.org">4chan&rsquo;s</a> <a href="https://boards.4channel.org/g/">/g/</a> discovered a <a href="http://9front.org/press/4chan.org/g/2022.03.31.plan-99front-is-super-secure.html">directory traversal bug in <em>rc-httpd</em>.</a> It <strong>shouldn&rsquo;t</strong> have been much of a problem because the web files <strong>should</strong> have been sandboxed from the rest of the file system. It <strong>wasn&rsquo;t</strong> much of a problem because not much else was accessible via the file system. Still, it&rsquo;s true this class of bug in a web server program has been very well known dating back to the dawn of the World Wide Web, and it&rsquo;s pretty silly that it was present in <em>rc-httpd</em>. The 4chan thread was full of witty comments about the rookie mistakes in our homemade software. The solution of course is to run software too complex to be understood by humans, whose development is sponsored by, and for all practical purposes controlled by hostile corporations.</p> <p><img src="http://img.stanleylieber.com/src/23174/img/small.1648695221.png" alt="Corporate sponsored ABCs." /></p> <p>Based on my <a href="http://9front.org/press/4chan.org/g/2022.03.31.plan-99front-is-super-secure.sys-log-www.txt">logs</a> it is clear that two major leaks occurred as a result of this attack:</p> <ul> <li><p>The subscriber lists of all the public mailing lists hosted on the machine. (Less than critical because already more-or-less public information.)</p></li> <li><p>The passwords of all the users of the various <em>werc</em> websites hosted on the machine. (Less than critical because there have not been any users authenticating to any of these websites for several years.)</p></li> </ul> <p>No other private information was exfiltrated. No data on the server was modified. There was, however, considerable excitement surrounding the &ldquo;discovery&rdquo; of files on the server that were either part of the 9front distribution or otherwise linked from the websites served by the machine. In other words, data that was already publicly available even without unintended directory traversal.</p> <p>Because <em>rc-httpd&rsquo;s</em> <a href="http://git.9front.org/plan9front/plan9front/90a08cf1fda8eaf4afe98f74a7572fb36b7ef369/sys/lib/dist/rc/bin/rc-httpd/select-handler/f.html">configuration file</a> is also executable <em>rc</em>, I was able to close the hole on my server in a handful of minutes by manually rejecting requests containing the improper string. Because the code was simple <strong>in general,</strong> the program was <a href="http://git.9front.org/plan9front/plan9front/241667b933ff5bacb9a3974f6877fb8aad78bed3/commit.html">patched</a> fairly quickly. Because I have been mostly absent from 9front development since the importation of <a href="http://shithub.us/ori/git9/HEAD/info.html">git9</a>, I flubbed the initial commit, and later accidentally reverted the fix on my own server for several hours.</p> <p>Because I&rsquo;m an idiot, all of this happened in the first place.</p> <p>Computers are unsafe at any speed.</p> <p><img src="http://img.stanleylieber.com/src/23176/img/small.1648822994.png" alt="Virtual Reality user panhandles for food." /></p>