General April 2014

general@lists.hackerspace.pl

29 participants
16 discussions

OpenWTF
by rysiek 11 Apr '14

11 Apr '14

Cześć, ja to tu zostawię: W: http://article.gmane.org/gmane.os.openbsd.misc/211963 T: http://www.tedunangst.com/flak/post/heartbleed-vs-mallocconf F: http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse Na zachętę: > No. OpenSSL has exploit mitigation countermeasures to make sure it's > exploitable. -- Pozdr rysiek

5 8

WP.pl o WiOO: "niebezpieczne, unikać" + "hakerzy"
by rysiek 09 Apr '14

09 Apr '14

Cześć, taka sytuacja: http://tech.wp.pl/kat,1009785,title,10-zasad-jak-bezpiecznie-korzystac-z-ro… taka odpowiedź: https://azazello.fwioo.pl/pad/p/wp-bezpieczenstwo-floss Generalnie fajnie by było, gdyby prócz FWiOO i (prawdopodobnie) PLUGu, jakiś HS się również podpisał. Tak, for good measure. ;) Chciałbym to posłać rano. -- Pozdr rysiek

8 11

Fwd: Frankencert - Adversarial Testing of Certificate Validation in SSL/TLS Implementations
by rysiek 06 Apr '14

06 Apr '14

Może to kogoś zainteresuje. ---------- Treść przekazywanej wiadomości ---------- Temat: Frankencert - Adversarial Testing of Certificate Validation in SSL/TLS Implementations Data: niedziela, 6 kwietnia 2014, 03:04:57 Do: cpunks <cypherpunks(a)cpunks.org> https://github.com/sumanj/frankencert Frankencert - Adversarial Testing of Certificate Validation in SSL/TLS Implementations What are frankencerts? Frankencerts are specially crafted SSL certificates for testing certificate validation code in SSL/TLS implementations. The technique is described in detail in the 2014 IEEE Symposium on Security and Privacy (Oakland) paper - Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations by Chad Brubaker, Suman Jana, Baishakhi Ray, Sarfraz Khurshid, and Vitaly Shmatikov. Why is frankencert generator useful? Frankencert generator is essentially a smart fuzzer for testing SSL/TLS certificate validation code. If you are a developer who is implementing any sort of SSL/TLS certificate validation code (either as part of an SSL/TLS library or an application), you can use the frankencert generator to auto-generate different test certificates involving complex corner cases. We have successfully used frankencerts to find serious vulnerabilities in GnuTLS, PolarSSL, CyaSSL, and MatrixSSL as described in our Oakland 2014 paper. We also found several discrepancies between how different SSL/TLS implementations report errors back to the user. For example, when presented with an expired, self-signed certificate, NSS, Chrome on Linux, and Safari report that the certificate has expired but not that the issuer is invalid. How do frankencerts work? The basic idea of frankencerts is to take a bunch of certificates as seeds and use random mutations on different fields and extensions to create new test certificates (frankencerts). Using frankencerts as server-side inputs into an SSL/TLS handshake can help systematically test correctness of the certificate validation code. Installation and Usage Install OpenSSL libraries and utilities if you don't have them already. The frankencert generator needs a modified version of PyOpenSSL. We have included the source for our modified version of PyOpenSSL. You will need to install it in order to use the frankencert generator. First, uninstall any other version of PyOpenSSL that you may have installed on your computer. Go to the pyOpenSSL-0.13 directory and build/install PyOpenSSL by issuing sudo python setup.py install. Once you have the patched pyOpenSSL set up, to generate frankencerts, use the franken_generate.py script: python franken_generate.py seed_certs_dir ca_cert output_dir count [config_file]. The arguments are explained below. seed_certs_dir: Frankencert generator needs a set of seed certificates. Any SSL cert in PEM fromat can act as a seed cert. seed_certs_dir can be any directory containing the seed certs stored as PEM files. You can either use tools like ZMap (https://zmap.io/) to collect SSL seed certificates, or use some of the SSL certs available from https://www.eff.org/observatory. Please note that these are not our tools and repositories - you may want to contact their respective developers and maintainers to ensure that your usage of the certificates they collected is compatible with the intended purpose. You do not need access to the corresponding private keys to use the certs as seeds. For your convenience, we have included a tarball containing around 1000 seed certificates in utils/sample_seed_certs.tar.gz. ca_cert: You will also need to create a self-signed CA certificate to sign the frankencerts. You can either use the included sample CA certificate utils/rootCA_key_cert.pem or use the utils/create_new_ca.sh script to create your own root CA. For any root CA that you use for frankencert generation, make sure that your SSL certificate validation code treats its certificate as a trusted root certificate. VERY IMPORTANT: this root certificate should be trusted ONLY during testing. If you accidentally or intentionally deploy SSL/TLS with this certificate still among the trusted root certificates, your SSL/TLS connections may be vulnerable to server impersonation and man-in-the-middle attacks. Be sure to REMOVE this certificate from your trusted root certificates once the testing is finished. output_dir: It will contain the generated frankencerts. The frankencerts will be named as frankencert-<number>.pem. count: Number of frankencerts to be generated. config_file: An optional argument to tune the frankencert generation process. Take a look at the utils/sample_franken.conf for a sample config file. To test your SSL/TLS client with the generated frankencerts, you should use the utils/test_ssl_server.py script to set up an SSL server that can present the generated frankencerts as part of the SSL handshake. Project structure The frankengen directory contains the frankencert generator code Our patched version of pyOpenSSL is inside pyOpenSSL-0.13 directory Several useful tools are included in utils cert_print.py: a tool for printing frankencerts. It requires OpenSSL to be installed and present in the path. rootCA_key_cert.pem: private key and self-signed cert of a sample CA that can be used for signing frankencerts. create_new_ca.sh: a script for creating new CA with a self-signed cert. It creates the output cert and private key in rootCA.pem (requires OpenSSL). test_ssl_server.py: a sample SSL/TLS server for presenting frankencerts to SSL/TLS clients sample_seed_certs.tar.gz: Some sample certs that may be used as seeds for frankencert generation. sample_franken.conf: A sample config file that can be used to tune different parameters of the frankencert generation process. ----------------------------------------- -- Pozdr rysiek

1 0

Polskie tłumaczenie Diaspory
by rysiek 04 Apr '14

04 Apr '14

Cześć, Jest prośba o przejrzenie polskiego tłumaczenia Diaspory. Pomożecie? :) https://joindiaspora.com/posts/3868778 -- Pozdr rysiek

2 1

Szkolenie z etosu hakerskiego dla MON/COC
by rysiek 02 Apr '14

02 Apr '14

Cześć, Dostaliśmy propozycję przeprowadzenia szkolenia/warsztatów z etosu hakerskiego dla MON (i powstającego Centrum Operacji Cyfrowych). Miałoby toto odbyć się jakoś w kwietniu/maju, i obejmować historię ruchu hakerskiego, etos hakerski, responsible disclosure, i "tematy powiązane" (cokolwiek by to nie znaczyło -- próbuję ustalić). Plan obejmuje 3-4h jednego dnia, w "standardowych godzinach pracy", czyli gdzieś między 09:00 a 15:00 (tak, dość wcześnie pracownicy państwowi kończą pracę, kto miał do czynienia, ten wie...). Miejsce: Warszawa, zapewne na Nowowiejskiej. Uczestnikami będą osoby ogarniające COC i w nim zatrudnione, plus kilku pracowników MON, grupa ok. 20 osób (nie, nie ma to przełożenia na liczbę pracowników COC, info jest takie, że nie będziemy wiedzieli, kto jest z COC, a kto z MON, i kto się czym zajmuje). Mają być nawet jakieś pieniądze dla "trenerów" (tak, na dojazd też, w granicach rozsądku). Ja oczywiście chętnie i fołgle, ale też nie się nie będę pchał. ;) Proponuję, by ogarnął to zestaw 2-3 hakerów z różnych haesów, z podziałem zadań. Więc pierwsze pytanie: kto chętny? Jak sobie na nie odpowiemy, odpali się jakiegoś pada na spisanie podziału obowiązków/tematów. -- Pozdr rysiek

8 15

Sklepy z ogniwami li-po
by PB 02 Apr '14

02 Apr '14

Cześć, Czy ktoś z Was może kojarzy miejsca w których można kupić ogniwa lipo ~3.6V nie do zastosowań ASG albo RC? Strasznie ciężko cokolwiek znaleźć.

8 11

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

General April 2014