repiv
Aug 13, 2009

Cybernetic Vermin posted:

uh, didn't precisely this thing happen last year too?

yep, and after that incident they changed npm so unpublished packages couldn't have their names hijacked by another user

except these packages just fell out of the database entirely so the anti-hijacking system didn't know they ever existed and they got hijacked anyway


mrmcd
Feb 22, 2003

Pictured: The only good cop (a fictional one).

Can you imagine being the kind of person that builds a production system that completely explodes and then gets random malware installed on it every time some node person fat fingers an update, looks at it, and goes "this is a good design. If there's an outage I will angrily tweet at someone about it".

aardvaard
Mar 4, 2013

you belong in the bog of eternal stench

you shouldn't be pulling from npm in production

geonetix
Mar 6, 2011


lol just lol if you have to work with npm

Cybernetic Vermin
Apr 18, 2005

CommunistPancake posted:

you shouldn't be pulling from npm in production

or in staging

or in development

Agile Vector
May 21, 2007

scrum bored



SO DEMANDING posted:

I've got an older z77 based board and have to use AI suite 2 (as opposed to 3, the current version). I can't launch the program anymore but the background poo poo still functions including fan control. just have no way of changing it anymore lol. and fat loving chance asus will update the older program.

oh, is that why its suddenly and consistently crapping out? not that it ever updated the bios correctly when it worked, but at least everything else was fine. their site barely functioned to check firmware so it feels consistent at least

Shame Boy
Mar 2, 2010

mrmcd posted:

Can you imagine being the kind of person that builds a production system that completely explodes and then gets random malware installed on it every time some node person fat fingers an update, looks at it, and goes "this is a good design. If there's an outage I will angrily tweet at someone about it".

its me

im that person

CommunistPancake posted:

you shouldn't be pulling from npm in production

no you pull from npm on the build server that then pushes to production which is much better :downs:

Shame Boy
Mar 2, 2010

tbf i don't think it's a good design and wouldn't touch npm or build poo poo with it with a 10 foot pole if i wasn't being paid big buxx to do it :shrug:

Farmer Crack-Ass
Jan 2, 2001

this is me posting irl

eschaton posted:

last I checked a few years ago they didn’t, and I think they still don’t

sucks

pretty sure they were still making them a few years ago, but they may have stopped recently

Truga
May 4, 2014
Lipstick Apathy
speaking of npm

https://hackernoon.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5

quote:

Lucky for me, we live in an age where people install npm packages like they’re popping pain killers.

So, npm was to be my distribution method. I would need to come up with some borderline-useful package that people would install without thinking — my Trojan horse.

People love pretty colours — it’s what separates us from dogs — so I wrote a package that lets you log to the console in any colour.

:allears:

Trabisnikof
Dec 24, 2005


Love this bullsht "this is all fictional" at the end

Truga
May 4, 2014
Lipstick Apathy
article probably is, but it's definitely happening somewhere in npm right now.

Midjack
Dec 24, 2007



Trabisnikof posted:

Love this bullsht "this is all fictional" at the end

and at the beginning

go play outside Skyler
Nov 7, 2005



erm, so what's stopping someone from doing this in nuget? or any third party library distributed as a dll or whatever other shenanigans for that matter?

Fiedler
Jun 29, 2002

I, for one, welcome our new mouse overlords.

go play outside Skyler posted:

erm, so what's stopping someone from doing this in nuget? or any third party library distributed as a dll or whatever other shenanigans for that matter?

Nothing except the good sense of non-JS communities to not add uncountably many random dependencies to their code.

hobbesmaster
Jan 28, 2008

go play outside Skyler posted:

erm, so what's stopping someone from doing this in nuget? or any third party library distributed as a dll or whatever other shenanigans for that matter?

you usually don't pull down a dll from the author's website as part of an install

for some reason this is normal practice in production for javascript

eschaton
Mar 7, 2007

Don't you just hate when you wind up in a store with people who are in a socioeconomic class that is pretty obviously about two levels lower than your own?
maybe they’re deleting the repositories because JavaScript is over

after all, everyone has it turned off in their browsers now, right? and nobody in their right mind uses it anywhere else.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

go play outside Skyler posted:

erm, so what's stopping someone from doing this in nuget? or any third party library distributed as a dll or whatever other shenanigans for that matter?

the people in charge of nuget and like every other public-facing repository on the internet learned a very long time ago that you just can't let new packages use the names of existing or deleted packages, but the javascript development ecosystem is full of very dumb people

it's apparently been resolved and here's a terse post about it https://status.npmjs.org/incidents/41zfb8qpvrdj

anthonypants fucked around with this message at 01:58 on Jan 7, 2018

BobHoward
Feb 13, 2012

The only thing white people deserve is a bullet to their empty skull

Cybernetic Vermin posted:

motherboards are glorified connector breakout boards these days, as things (memory, disk and bus controllers, graphics, network etc. etc.) have moved into the processor

well, that is overstating things, but as long as you have capacitors that work and the connectors you like on the back there is not that much more to it

lol

just lol

things like pci express and especially dram need very careful pcb layout and decoupling to even work these days

but it's far worse than that. firmware needs all kinds of customization to get everything working together

the more reputable motherboard vendors (i'm thinking of supermicro here, not actually "reputable" but a distinct cut above the gamercrap) will tell you things like exactly which dimms they validated for proper operation in their motherboards. smart people stick to that list because lol relying on auto negotiation and training based on firmware reading the spd eeproms of random dimms is not anywhere near as reliable at generating a 100% stable system as it ought to be

what i'm saying in a roundabout way is that "intel provides all of it" isn't actually a thing. yes intel makes all the controllers but that doesn't mean the job's done. system integration to make a functioning motherboard still takes a ton of work, by somebody who is not intel, often working from guidelines and references supplied by intel, but still not intel

much of the end product of that system integration work is in the bios

so no, you can't just look at the list of ports on a motherboard and say "why yes this should work as well as anything else with the same ports". it doesn't work like that, at all. vendor a can in fact do a much better job at a zillion aspects of making a functioning pcie slot than vendor b, despite the fact that it's the same intel pcie controller both times.

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
intel still makes top-to-bottom server platforms (motherboard included) if for some reason you're not buying from some other tier-1 OEM. i don't believe they make workstation boards any more, and they haven't made consumer motherboards for a few years now.

imo, the biggest differences you'll find between most board vendors will be firmware and power component quality.

and trust me, you can gently caress up plenty with just lovely UEFI

AggressivelyStupid
Jan 9, 2012

https://twitter.com/0xMatt/status/949827175938637825

:vince:

Elder Postsman
Aug 30, 2000


i used hot bot to search for "teens"


yeah i just found his blog a few days ago and i love it

my favorite so far is where he wrote the bitcoin hash algorithm for a 1960s ibm mainframe, and it was like 80 seconds per hash.

vOv
Feb 8, 2014

https://twitter.com/_MG_/status/949684949614907395

BobHoward
Feb 13, 2012

The only thing white people deserve is a bullet to their empty skull

Elder Postsman posted:

yeah i just found his blog a few days ago and i love it

my favorite so far is where he wrote the bitcoin hash algorithm for a 1960s ibm mainframe, and it was like 80 seconds per hash.

the disappointing thing is that iirc from reading that bitcoin thing he actually takes bitcoin seriously and thinks it is worthwhile

bob dobbs is dead
Oct 8, 2017

I love peeps
Nap Ghost
npm is venture backed and incorporated for-profit
that's everything you need to know about npm, lol

Notorious b.s.d.
Jan 25, 2003

by Reene

infernal machines posted:

intel still makes top-to-bottom server platforms (motherboard included) if for some reason you're not buying from some other tier-1 OEM. i don't believe they make workstation boards any more, and they haven't made consumer motherboards for a few years now.

istr the intel server platforms are rebranded tyan

Truga
May 4, 2014
Lipstick Apathy

go play outside Skyler posted:

erm, so what's stopping someone from doing this in nuget? or any third party library distributed as a dll or whatever other shenanigans for that matter?

i dunno what nuget is, but most package manager are centrally controlled and curated and fuckups still sometimes happen

on the other hand, npm is "anyone can publish anything", and there's absolutely nothing stopping you from doing the thing described in there

e: imagine enabling rpmfusion on your production server. that's what npm is, lol

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum
https://twitter.com/taviso/status/949804775473737728

https://twitter.com/taviso/status/949823393989238785

vOv
Feb 8, 2014

apparently the vulnerability is that it spins up an RPC server on localhost and it had an Access-Control-Allow-Origin header of * which means that any website could send rpcs to your wallet

James Baud
May 24, 2015

by LITERALLY AN ADMIN
I got a kick out of the oss-security message the other day about a password generator that wasn't very good at its one job:

quote:

Hi folks,

"QtPass" is a separate project entirely from pass. It shares no code
with "pass", the project I maintain. But, "QtPass" does endeavor to be
compatible with pass. However, it is in fact a completely separate
project. Best practice is probably not to stray too far from my nest
to these third-party GUIs, given bugs like this one, CVE-2017-18021, a
way of trivially predicting all passwords ever generated with
"QtPass".

Bug report is here: https://github.com/IJHack/QtPass/issues/338
Fix landed in v1.2.1: https://github.com/IJHack/QtPass/releases/tag/v1.2.1

All passwords generated with "QtPass"'s built-in password generator
are possibly predictable and enumerable by hackers. The generator used
libc's random(), seeded with srand(msecs), where msecs is not the
msecs since 1970 (not that that'd be secure anyway), but rather the
msecs since the last second. This means there are only 1000 different
sequences of generated passwords. Disaster.

If you're using this software, now would be a good time to change all
your passwords and regenerate them using a secure utility such as pass
(what this mailing list is about), or update to the latest version of
this third party "QtPass" software and regenerate from there. All
distributions should update and remove vulnerable versions from their
package trees.

The fix I proposed to the "QtPass" developers involves using Qt 5.10's
built-in CSPRNG wrapper, or /dev/urandom for older Qt versions.

code:
Secondly, and more critically, here is the implementation of Util::rand:

...
  // seed is the millisecond within the current second, so only 1000 seeds exist
  qsrand(static_cast<uint>(QTime::currentTime().msec()));
...
int Util::rand() {
#ifdef Q_OS_WIN
  quint32 ret = 0;
  // Windows: system CSPRNG, but silently falls back to qrand() on failure
  if (FAILED(BCryptGenRandom(NULL, (PUCHAR)&ret, sizeof(ret),
                             BCRYPT_USE_SYSTEM_PREFERRED_RNG)))
    return qrand();
  return ret % RAND_MAX;
#else
  // everything else: qrand() (libc rand), fully determined by the seed above
  return qrand();
#endif
}
Where ".msec()" = 0-999.

Only now when I went to make this post did I discover that the "senior developer" who runs this project arrived at this state after receiving these previous bug reports:
- 2016 bug report: PRNG seeding is done totally wrong
- 2015 bug report: qrand always generating the same sequence of passwords

At a certain point you should just delete the project and pretend it never existed out of shame.
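
An added illustration of the seeding bug in the report above (my own C, not QtPass code): it models the scheme with libc srand()/rand() seeded from the millisecond value, counts how many distinct passwords all 1000 seeds can ever produce, and puts the /dev/urandom approach the report recommends for older Qt beside it. PW_LEN, CHARSET and the function names are my own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PW_LEN 16
/* Constructed alphabet; the real generator's charset is not shown in the report. */
static const char CHARSET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
#define NCHARS (sizeof(CHARSET) - 1)

/* Weak scheme modelled on the report: libc PRNG seeded with the millisecond
   within the current second, so there are only 1000 possible seeds. */
void weak_password(unsigned msec, char *out, size_t len) {
    srand(msec % 1000);
    for (size_t i = 0; i < len; i++)
        out[i] = CHARSET[rand() % NCHARS];
    out[len] = '\0';
}

/* Walk every seed and count distinct outputs. The answer is bounded by 1000
   whatever the password length or alphabet (on glibc even fewer, because
   srand(0) is treated as srand(1)). That bound is the whole problem. */
size_t count_distinct_weak_passwords(void) {
    static char table[1000][PW_LEN + 1];
    size_t distinct = 0;
    for (unsigned seed = 0; seed < 1000; seed++) {
        weak_password(seed, table[seed], PW_LEN);
        unsigned j = 0;
        while (j < seed && strcmp(table[j], table[seed]) != 0) j++;
        if (j == seed) distinct++;
    }
    return distinct;
}

/* Hardened version: draw bytes from the kernel CSPRNG via /dev/urandom,
   rejecting values that would introduce modulo bias. Returns 0 on success,
   -1 if the device cannot be read. */
int secure_password(char *out, size_t len) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    const unsigned limit = 256 - (256 % NCHARS);  /* 248 for a 62-char alphabet */
    size_t i = 0;
    while (i < len) {
        int b = fgetc(f);
        if (b == EOF) { fclose(f); return -1; }
        if ((unsigned)b >= limit) continue;        /* rejection sampling */
        out[i++] = CHARSET[b % NCHARS];
    }
    fclose(f);
    out[len] = '\0';
    return 0;
}
```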

Shame Boy
Mar 2, 2010

James Baud posted:

I got a kick out of the oss-security message the other day about a password generator that wasn't very good at its one job:


code:
Secondly, and more critically, here is the implementation of Util::rand:

...
  // seed is the millisecond within the current second, so only 1000 seeds exist
  qsrand(static_cast<uint>(QTime::currentTime().msec()));
...
int Util::rand() {
#ifdef Q_OS_WIN
  quint32 ret = 0;
  // Windows: system CSPRNG, but silently falls back to qrand() on failure
  if (FAILED(BCryptGenRandom(NULL, (PUCHAR)&ret, sizeof(ret),
                             BCRYPT_USE_SYSTEM_PREFERRED_RNG)))
    return qrand();
  return ret % RAND_MAX;
#else
  // everything else: qrand() (libc rand), fully determined by the seed above
  return qrand();
#endif
}
Where ".msec()" = 0-999.

Only now when I went to make this post did I discover that the "senior developer" who runs this project arrived at this state after receiving these previous bug reports:
- 2016 bug report: PRNG seeding is done totally wrong
- 2015 bug report: qrand always generating the same sequence of passwords

At a certain point you should just delete the project and pretend it never existed out of shame.

pass itself actually does this "right" (for the unix definition of "right") and defers to the pwgen program iirc, idk how you could copy it and gently caress that up but lol

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

ate all the Oreos posted:

pass itself actually does this "right" (for the unix definition of "right") and defers to the pwgen program iirc, idk how you could copy it and gently caress that up but lol

because it's cross-platform and windows doesn't have pwgen so

hobbesmaster
Jan 28, 2008

anthonypants posted:

because it's cross-platform and windows doesn't have pwgen so

cross platform C++ aka a long string of ifdefs

James Baud
May 24, 2015

by LITERALLY AN ADMIN

James Baud posted:

Only now when I went to make this post did I discover that the "senior developer" who runs this project arrived at this state after receiving these previous bug reports:
- 2016 bug report: PRNG seeding is done totally wrong
- 2015 bug report: qrand always generating the same sequence of passwords

At a certain point you should just delete the project and pretend it never existed out of shame.

Also Jan 2017 bug report/pull request: Also use win32 crypt api for password generation on windows

Q: "[This] Could also be extended to use other apis on other platforms e.g. /dev/random on linux. Does this sound worthwhile or is it being work on elsewhere?"
A: "Thanks for this update @treat1, I'll look into the /dev/random and other implements later on :)"

cinci zoo sniper
Mar 15, 2013

https://adam-roberts.co.uk/

Phone
Jul 30, 2005

I want oyakodon.

i'm the broken image header

eschaton
Mar 7, 2007

Don't you just hate when you wind up in a store with people who are in a socioeconomic class that is pretty obviously about two levels lower than your own?

infernal machines posted:

intel still makes top-to-bottom server platforms (motherboard included) if for some reason you're not buying from some other tier-1 OEM. i don't believe they make workstation boards any more, and they haven't made consumer motherboards for a few years now.

who even makes workstation and non-gamercrap consumer Intel-chipset motherboards these days?

cinci zoo sniper
Mar 15, 2013




eschaton posted:

who even makes workstation and non-gamercrap consumer Intel-chipset motherboards these days?

everyone but no one if you'll be an old conservative over marketing

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
depends on how you define workstation i guess. anything dual-socket will be legit, but there's not much of that. beyond that anything single socket that supports xeons and ecc should count, and gigabyte, asus, et al. have something it's just hard to find unless you go digging for it on their site.


infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
there's a fairly major manufacturer of glass curtain-walls in north america that buys nothing but cad stations built around consumer grade motherboards and the 2fast2furious pcgaming videocard of the day, because it saves nearly 50% per workstation over whatever optiplex model and certified drivers don't mean poo poo in cad and solidworks these days
