For those who have not seen the context on this... https://mastodon.xyz/media/kQ9VdvFe6aUG2uSS-2c
@Pangoraw sorry. it's fake. i changed "/about/more" code. actually 1 user.
Firefox users need to go to about:config and set the setting network.IDN_show_punycode to true.
The phishing potential for this issue is huge.
Update on the Linux UDP RCE. From what I've seen from ppl that do kernel exploiting... they can't really see a way to turn it into a useful exploit.
It looks like a vulnerability with the right scary characteristics, but practically not a major concern.
It is not (likely to be) a "one shot remote ring 0" exploit.
I've opened issues in Fedora and Debian to backport the nautilus patch that makes .desktop files more secure. I also reported a Tor Browser issue that will get introduced when the nautilus bug gets fixed.
https://bugzilla.redhat.com/show_bug.cgi?id=1442231
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860268
https://trac.torproject.org/projects/tor/ticket/21939
/cc @rootkovska @gnome @federicomena
yall seen one of the japanese instances? courtesy: https://twitter.com/legumx/status/852551752742305792 https://mastodon.social/media/0w5aVg-BV6wgsk2KegM
About the Subgraph attack:
1. The main problem that @micahflee exploited is the unfortunate decision made by Subgraph OS to keep Gnome/Nautilus in the TCB *and* letting this complex software process *untrusted* files,
2. The specific Nautilus bug (handling of .desktop files) is just *one* example of what could go wrong in this case,
3. We can think of other potential problems (e.g. Thumbnails processing)
4. More details: https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/
Also, the Subgraph reaction has been baffling. They:
1. Ignored Micah's report for 2 weeks (which he gave them to patch) & did nothing to resolve the problem,
2. Downplayed/denied the bug once it got published: https://twitter.com/bleidl/status/851849723002703873
https://twitter.com/subgraph/status/851843464115441664
3. Falsely implied that the bug affected QubesOS: https://twitter.com/bleidl/status/851851948710141952
4. Finally patched: https://twitter.com/subgraph/status/852000407253594114
CVE-2017-3881 Cisco Catalyst RCE Proof-Of-Concept
A "remote code execution exploit for Catalyst 2960 switch with latest suggested firmware" o___O
https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/
I've published a technical explanation of how to get unsandboxed arbitrary code execution in Subgraph OS, and how this attack compares with Qubes https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/ cc @rootkovska
Here's a video demonstration of the exploit https://www.youtube.com/watch?v=SVsllZ7g7-I
The Shadow Brokers - don't read if you hold clearance
So... deleting a toot may be as effective as recalling an email in Outlook?
if i ever get into a fatal accident involving road vehicle public transit i'd like to get a gravestone that says
+++ killed by SIGBUS +++
running a federated mastodon behind a .onion is like wearing green camo at the shopping mall
OK y'all! http://tooter.today is live and ready to help your friends find places to toot from! It provides scored instances in an easy-to-use fashion for new users and helps onboard them to tinier instances. Please help me load-test it by boosting it across the fediverse! :)
Next to come is a nice home page with explanations of the fediverse!
Source and hopeful-roadmap available: http://github.com/wayspurrchen/tooter.today
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
If you only use 140 characters like on Twitter, you will be able to sign those 140 char
messages with GPG (ECC keys) here on mastodon.social
-----BEGIN PGP SIGNATURE-----
iF4EARYIAAYFAljlAp4ACgkQmbnNRBSuRb2qBgEA/wWH3rjSfESf4tYzqQ1j15Cq
g+GdYA4XFehfXaVSlngBAJyx9iK0PLRLAGQhrLp/LwtbG0wbjaKh7mgEvUBTGFMG
=p/Hi
-----END PGP SIGNATURE-----
@jeremykleiman
-----BEGIN RSA PRIVATE KEY-----
hunter2
-----END RSA PRIVATE KEY-----