  • Locked thread
Shame Boy
Mar 2, 2010

didn't there used to be a laff at cpu architecture thread, what happened to that


Deep Dish Fuckfest
Sep 6, 2006

Advanced
Computer Touching


Toilet Rascal
i think it was laff at amd, technically

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Notorious b.s.d. posted:

debian has tier 1 and tier 2 ports. critical bugs in the tier 2 ports won't block a release. it appears ia64 has already been downgraded to tier 2, so i assume it is broken as gently caress now. and god knows when/if it gets security updates

so in reality, your only realistic choices for running an OS on your ebay itanium are RHEL 5, or HP-UX.
gentoo imho

atelier morgan
Mar 11, 2003

super-scientific, ultra-gay

Lipstick Apathy

Deep Dish Fuckfest posted:

who the hell is gonna bother writing exploits for itanium?

safest platform, i tell you!

somebody who wants to present at defcon ofc

in a well actually
Jan 26, 2011

dude, you gotta end it on the rhyme

at a previous job we kept an old sgi itanium around for longer than it was productive because it was a good way to find whether your code was actually architecture agnostic or not

Tankakern
Jul 25, 2007


yep, gentoo would be perfect to revive an itanium comp

Notorious b.s.d.
Jan 25, 2003

by Reene

Tankakern posted:

yep, gentoo would be perfect to revive an itanium comp

only in that by using gentoo you have given up on security updates on day one

atomicthumbs
Dec 26, 2010


We're in the business of extending man's senses.

Notorious b.s.d. posted:

this is almost certainly actually true, iapx 432 was amazing

unfortunately the only implementation was also about 1/4 the speed of a 1st gen 80286

And it had the world's worst Ada compiler to go with it

Bulgogi Hoagie
Jun 1, 2012

We
some dude just released a tool that automatically queries shodan for vulnerable looking hosts and then blasts them with every metasploit exploit available, in case you weren’t certain the internet of poo poo is doomed

ewiley
Jul 9, 2003

More trash for the trash fire

Notorious b.s.d. posted:

they're cheap on ebay. search for an zx6000 or rx2600. (be warned: you don't want to operate an rx2600 inside an inhabited space, they are relatively loud)

that said, red hat has abandoned itanium, so your OS choices are either hp-ux or debian

Lol, first listing on eBay seems a winner

MiniFoo
Dec 25, 2006

METHAMPHETAMINE

that's not how you boot a drive

in a well actually
Jan 26, 2011

dude, you gotta end it on the rhyme

Tankakern posted:

yep, gentoo would be perfect to revive an itanium comp

perfect winter activity; emerge world would heat your house and take until spring

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Bulgogi Hoagie posted:

some dude just released a tool that automatically queries shodan for vulnerable looking hosts and then blasts them with every metasploit exploit available, in case you weren’t certain the internet of poo poo is doomed
how long have they been running it

Deep Dish Fuckfest
Sep 6, 2006

Advanced
Computer Touching


Toilet Rascal

Bulgogi Hoagie posted:

some dude just released a tool that automatically queries shodan for vulnerable looking hosts and then blasts them with every metasploit exploit available, in case you weren’t certain the internet of poo poo is doomed

i dunno. considering how many vulnerable devices there are, the odds of one of those you own getting hit are probably pretty low, even if someone's using some fiber firehose to spray malicious packets all over the place

it's kind of like herd immunity or something

Carthag Tuek
Oct 15, 2005

Tider skal komme,
tider skal henrulle,
slægt skal følge slægters gang



Bulgogi Hoagie posted:

some dude just released a tool that automatically queries shodan for vulnerable looking hosts and then blasts them with every metasploit exploit available, in case you weren’t certain the internet of poo poo is doomed

good.

fishmech
Jul 16, 2006

by VideoGames
Salad Prong

Notorious b.s.d. posted:

only in that by using gentoo you have given up on security updates on day one

can't get hacked when your system never finishes compiling itself

Lutha Mahtin
Oct 10, 2010

Your brokebrain sin is absolved...go and shitpost no more!

the one time i tried installing Gentoo was right when an ABI-breaking update to GCC was being rolled out. once you got everything working you had to bootstrap to the new compiler and start over. or you could just wipe the disk and never touch Gentoo again

Diva Cupcake
Aug 15, 2005

the script is more automated than just using the shodan metasploit module but not sure how this is any more evil than sqlmap for example.

https://twitter.com/Real__Vector/status/958412549044801536

Potato Salad
Oct 23, 2014

nobody cares


Diva Cupcake posted:

the script is more automated than just using the shodan metasploit module but not sure how this is any more evil than sqlmap for example.

https://twitter.com/Real__Vector/status/958412549044801536

One hell of a low bar of entry to script kiddie fuckery

BattleMaster
Aug 14, 2000

The secfuck was this site being down because of a security patch

fins
May 31, 2011

Floss Finder
i'm the os.system call to shodan supplied data

Soricidus
Oct 21, 2010
freedom-hating statist shill

BattleMaster posted:

The secfuck was this site being down because of a security patch

finally, spectre and meltdown contributed to society

Shame Boy
Mar 2, 2010

im the hashtag #tool

Doccykins
Feb 21, 2006
Whilst the forums were down Matt Hancock, the guy responsible for the Department of Digital, Culture, Media and Sport in the UK released his own social media platform called 'Matt Hancock MP' It is, of course, full of privacy issues


https://twitter.com/MattHancock/status/958988393748357121

https://twitter.com/PrivacyMatters/status/959016936494522369

ate shit on live tv
Feb 15, 2004

by Azathoth

PCjr sidecar posted:

at a previous job we kept an old sgi itanium around for longer than it was productive because it was a good way to find whether your code was actually architecture agnostic or not

Nice.

Pile Of Garbage
May 28, 2007



Doccykins posted:

Whilst the forums were down Matt Hancock, the guy responsible for the Department of Digital, Culture, Media and Sport in the UK released his own social media platform called 'Matt Hancock MP' It is, of course, full of privacy issues


https://twitter.com/MattHancock/status/958988393748357121

https://twitter.com/PrivacyMatters/status/959016936494522369

lol so that app download landing page has this as allow in robots.txt:

https://matt-hancock.disciplemedia.com/user/sign_in

fuckin why?

flakeloaf
Feb 26, 2003

Still better than android clock

Doccykins posted:

Whilst the forums were down Matt Hancock, the guy responsible for the Department of Digital, Culture, Media and Sport in the UK released his own social media platform called 'Matt Hancock MP' It is, of course, full of privacy issues


https://twitter.com/MattHancock/status/958988393748357121

https://twitter.com/PrivacyMatters/status/959016936494522369

That thread just keeps right on going doesn't it

Carthag Tuek
Oct 15, 2005

Tider skal komme,
tider skal henrulle,
slægt skal følge slægters gang



what a cock

ChubbyThePhat
Dec 22, 2006

Who nico nico needs anyone else

Doccykins posted:

Whilst the forums were down Matt Hancock, the guy responsible for the Department of Digital, Culture, Media and Sport in the UK released his own social media platform called 'Matt Hancock MP' It is, of course, full of privacy issues


https://twitter.com/MattHancock/status/958988393748357121

https://twitter.com/PrivacyMatters/status/959016936494522369

ahahahahahahaha

post hole digger
Mar 21, 2011

Doccykins posted:

Whilst the forums were down Matt Hancock, the guy responsible for the Department of Digital, Culture, Media and Sport in the UK released his own social media platform called 'Matt Hancock MP' It is, of course, full of privacy issues


https://twitter.com/MattHancock/status/958988393748357121

https://twitter.com/PrivacyMatters/status/959016936494522369

idg the second tweet. you "sign up" and accept the toc and the app doesnt do anything? is that it?

Carthag Tuek
Oct 15, 2005

Tider skal komme,
tider skal henrulle,
slægt skal følge slægters gang



my bitter bi rival posted:

idg the second tweet. you "sign up" and accept the toc and the app doesnt do anything? is that it?

read the twitter thread, they list all the fuckups

Farmer Crack-Ass
Jan 2, 2001

this is me posting irl

Notorious b.s.d. posted:

i once installed ssh on a mips r2000. 12 mhz of blazing risc power. it took about 15 minutes to do a key exchange. and this was with 1024 bit dsa back when that was an acceptable security posture

i think i probably have the record for slowest, shittiest device with ssh on it.


i actually do want someone to one-up me it would be rad

weren't there hardware expansion cards back then that took up encryption stuff? i thought i remember hearing something about that. maybe i'm not remembering correctly.


Cybernetic Vermin posted:

as called out above intel was under contract with hp to keep making the itanium until 2017, and presumably the contract spelled up some minimum for updating the thing, which intel minimally fulfilled with kittson

overall irrelevant enough business wrangling to not be terribly interesting

lol imagine working at intel and having to still work on itanium

Shame Boy
Mar 2, 2010

Doccykins posted:

Whilst the forums were down Matt Hancock, the guy responsible for the Department of Digital, Culture, Media and Sport in the UK released his own social media platform called 'Matt Hancock MP' It is, of course, full of privacy issues


https://twitter.com/MattHancock/status/958988393748357121

https://twitter.com/PrivacyMatters/status/959016936494522369

im the Department of Digital

Diva Cupcake
Aug 15, 2005

this is amazing

https://medium.com/@ebanisadr/how-800k-evaporated-from-the-powh-coin-ponzi-scheme-overnight-1b025c33b530
https://twitter.com/alt_kia/status/959080338235338754

Shame Boy
Mar 2, 2010


im noted and esteemed source of news 4chan

Wiggly Wayne DDS
Sep 11, 2010



who else cares about smart contracts tbf, of course the primary demographic talks about it

rjmccall
Sep 7, 2007

no worries friend
Fun Shoe
the fact that this custom programming language specifically intended for financial transactions and with built-in support for error propagation does not generate a trap on overflow is just hilarious

infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.

rjmccall posted:

the fact that this custom programming language specifically intended for financial transactions and with built-in support for error propagation does not generate a trap on overflow is just hilarious

you've seen the breakdown of all the other problems with the language, right?

rjmccall
Sep 7, 2007

no worries friend
Fun Shoe
i kindof remember seeing one, but it never hurts to re-post


infernal machines
Oct 11, 2012

we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.

peoplewindow posted:

Solidity has far worse problems than not being an advanced research language. Just being a sanely designed normal language would be a big step up. Solidity is so riddled with bizarre design errors it makes PHP 4 look like a work of genius.

A small sampling of the issues:

Everything is 256 bits wide, including the "byte" type. This means that whilst byte[] is valid syntax, it will take up 32x more space than you expect. Storage space is extremely limited in Solidity programs. You should use "bytes" instead which is an actual byte array. The native 256-bit wide primitive type is called "bytes32" but the actual 8-bit wide byte type is called "int8".

Strings. What can we say about this. There is a string type. It is useless. There is no support for string manipulation at all. String concatenation must be done by hand after casting to a byte array. Basics like indexOf() must also be written by hand or implementations copied into your program. To even learn the length of a string you must cast it to a byte array, but see above. In some versions of the Solidity compiler passing an empty string to a function would cause all arguments after that string to be silently corrupted.

There is no garbage collector. Dead allocations are never reclaimed, despite the scarcity of available memory space. There is also no manual memory management.

Solidity looks superficially like an object oriented language. There is a "this" keyword. However there are actually security-critical differences between "this.setX()" and "setX()" that can cause wrong results: https://github.com/ethereum/solidity/issues/583

Numbers. Despite being intended for financial applications like insurance, floating point is not supported. Integer operations can overflow, despite the underlying operation being interpreted and not implemented in hardware. There is no way to do overflow-checked operations: you need constructs like "require((balanceOf[_to] + _value) >= balanceOf[_to]);"

You can return statically sized arrays from functions, but not variably sized arrays.

For loops are completely broken. Solidity is meant to look like JavaScript but the literal 0 type-infers to byte, not int. Therefore "for (var i = 0; i < a.length; i ++) { a[i] = i; }" will enter an infinite loop if a[] is longer than 255 elements, because it will wrap around back to zero. This is despite the underlying VM using 256 bits to store this byte. You are just supposed to know this and write "uint" instead of "var".

Arrays. Array access syntax looks like C or Java, but array declaration syntax is written backwards: int8[][5] creates 5 dynamic arrays of bytes. Dynamically sized arrays work, in theory, but you cannot create multi-dimensional dynamic arrays. Because "string" is a byte array, that means "string[]" does not work.

The compiler is riddled with mis-compilation bugs, many of them security critical. The documentation helpfully includes a list of these bugs .... in JSON. The actual contents of the JSON is of course just strings meant to be read by humans. Here are some summaries of miscompile bugs:

In some situations, the optimizer replaces certain numbers in the code with routines that compute different numbers

Types shorter than 32 bytes are packed together into the same 32 byte storage slot, but storage writes always write 32 bytes. For some types, the higher order bytes were not cleaned properly, which made it sometimes possible to overwrite a variable in storage when writing to another one.

Dynamic allocation of an empty memory array caused an infinite loop and thus an exception

Access to array elements for arrays of types with less than 32 bytes did not correctly clean the higher order bits, causing corruption in other array elements.

As you can see the decision to build a virtual machine that is natively 256-bit wide led to a huge number of bugs whereby reads or writes randomly corrupt memory.

Solidity/EVM is by far the worst programming environment I have ever encountered. It would be impossible to write even toy programs correctly in this language, yet it is literally called "Solidity" and used to program a financial system that manages hundreds of millions of dollars.

int_19h posted:

Just skimming through the Solidity docs, I see a lot of unwise decisions there aside from the weird visibility defaults.

All state is mutable by default (this includes struct fields, array elements, and locals). Functions can mutate state by default. Both are overridable by explicit specifiers, much like C++ "const", but you have to remember to do so. Even then, the current implementation doesn't enforce this for functions.

Integers are fixed-size and wrap around, so it's possible to have overflow and underflow bugs. Granted, with 256 bits of precision by default that's harder to do than usual... but still pretty easy if you e.g. do arithmetic on two inputs.

Operators have different semantics depending on whether the operands are literals or not. For example, 1/2 is 0.5, but x/y for x==1 and y==2 is 0. Precision of the operation is also determined in this manner - literals are arbitrary-precision, other values are constrained by their types.

Copy is by reference or by value depending on where the operands are stored. This is implicit - the operation looks exactly the same in code, so unless you look at declarations, you don't know what it actually does. Because mutability is pervasive, this can have far-reaching effects.

Map data type doesn't throw on non-existing keys, it just returns the default value.

The language has suffixes for literals to denote various units (e.g. "10 seconds" or "1000 ether"). This is purely syntactic sugar, however, and is not reflected in the type system in any way, so "10 second + 1000 ether" is valid code.

Statements allow, but do not require, braces around bodies. This means that dangling "else" is potentially an issue, as is anything else from the same class of bugs (such as the infamous Apple "goto fail" bug).

Functions can be called recursively with no special effort, but the stack size is rather limited, and it looks like there are no tail calls. So there's the whole class of bugs where recursion depth is defined by contract inputs.

Order of evaluation is not defined for expressions. This in a language that has value-returning mutating operators like ++!

Scoping rules are inherited from JS, meaning that you can declare variables inside blocks, but their scope is always the enclosing function. This is more of an annoyance than a real problem, because they don't have closures, which is where JS makes it very easy to shoot yourself in the foot with this approach to scoping.

TL; DR: "Solidity is so riddled with bizarre design errors it makes PHP 4 look like a work of genius."

infernal machines fucked around with this message at 19:53 on Feb 1, 2018
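
The wrap-around behaviour described in the two quoted lists above, modelled in Python as an added example (not part of the thread, and not Solidity or any project's code): an unguarded balance update next to one using the quoted `require` idiom, plus the 8-bit loop counter that never reaches the end of a longer array. All function names are hypothetical, and the step cap stands in for the loop running out of gas.

```python
# Python model of fixed-width unsigned arithmetic (added example, not Solidity).
UINT256_MAX = 2**256 - 1

def wrap(value, bits=256):
    """Reduce modulo 2**bits, as unchecked fixed-width arithmetic does."""
    return value & ((1 << bits) - 1)

class Revert(Exception):
    """Stands in for a failed require(): the call is abandoned, state untouched."""

def transfer_unchecked(balances, sender, to, value):
    # No guards: the debit can underflow and the credit can overflow silently.
    balances[sender] = wrap(balances[sender] - value)
    balances[to] = wrap(balances[to] + value)

def transfer_checked(balances, sender, to, value):
    # Underflow guard on the debit.
    if balances[sender] < value:
        raise Revert("insufficient balance")
    # The idiom quoted in the post:
    #   require((balanceOf[_to] + _value) >= balanceOf[_to]);
    if wrap(balances[to] + value) < balances[to]:
        raise Revert("credit would overflow")
    balances[sender] -= value
    balances[to] += value

def fill_with_uint8_counter(length, max_steps=10_000):
    """Model `for (var i = 0; i < a.length; i++) { a[i] = i; }` with i held
    in 8 bits. Returns (terminated, steps, array)."""
    a = [None] * length
    i = steps = 0
    while i < length:
        if steps == max_steps:       # hypothetical cap; stands in for gas exhaustion
            return False, steps, a
        a[i] = i
        i = wrap(i + 1, bits=8)      # 255 + 1 wraps back to 0
        steps += 1
    return True, steps, a

if __name__ == "__main__":
    # Constructed sample balances.
    ledger = {"alice": 0, "bob": 5}
    transfer_unchecked(ledger, "alice", "bob", 1)
    print("alice after unchecked debit from 0:", hex(ledger["alice"]))
    for n in (255, 256):
        done, steps, _ = fill_with_uint8_counter(n)
        print(f"array length {n}: terminated={done} after {steps} steps")
```
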
