Title: [Off Topic] Security Discussions in Ubuntu Forums

Author: samiux    Time: 2012-12-28 01:04    Title: [Off Topic] Security Discussions in Ubuntu Forums

It is quite interesting that when someone is talking about the truth, nobody will believe it, and the one who said it will be banned or executed.  It is common not only in Hong Kong but also internationally.

If you have some time to waste, you can read this thread at "Security Discussions" in Ubuntu Forums.

I am pushing down (or demolishing) their well-built fortress (concept but false) of security.

Samiux
Author: lazyfai    Time: 2012-12-28 09:50

Actually I think this is, sorry but true, your attitude issue when discussing.
Of course you can disagree with this or give hundreds of reasons to reject the statement, but this is the real world with number of people > 1.
Anyway, contribution is more important than just talking.
Author: samiux    Time: 2012-12-28 11:36

Actually I think this is, sorry but true, your attitude issue when discussing.
Of course you can dis ...
lazyfai posted on 2012-12-28 09:50


Maybe my attitude is making the issue.  However, the result is the same, as they do not believe that what they had learnt and did are wrong.

Even in Hong Kong, I remember that I have discussed a similar matter here with the same feedback.

True is true and false is false.  They do not accept the fact.  

If I contribute to the wiki, I will delete the whole article completely as it is totally wrong, and that will also make another problem too.  So, what I will do is wrong.

Anyway, I will not tell anyone about his/her wrong security concept any more.  Let it be!

Samiux
Author: lazyfai    Time: 2012-12-28 12:05

How about you write your own wiki and teach people your own correct security concept? Just my suggestion.
Author: samiux    Time: 2012-12-28 12:18

Last edited by samiux on 2012-12-28 12:19
How about you write your own wiki and teach people your own correct security concept? Just my sugges ...
lazyfai posted on 2012-12-28 12:05


It is very hard to write an article to cover all about infosec.  If anyone is interested in this area, s/he may consider visiting my blog or contacting me at my channel.

Samiux

Update reason : fix typo
Author: lazyfai    Time: 2012-12-28 12:33

You could write it slowly, one topic at a time, from basic to advanced; learn to walk before you run.
Author: samiux    Time: 2012-12-28 15:19

You could write it slowly, one topic at a time, from basic to advanced; learn to walk before you run.
lazyfai posted on 2012-12-28 12:33


I am not an expert in the infosec field, so I am not a good one to do it.

However, I prepared a video to show you all about my version.  

Here you are ....

Samiux
Author: samiux    Time: 2013-1-5 16:03

I have another discussion on anti-virus on Linux here.

They said that the thread is closed for review.  Hope it will return a positive result.  

Samiux
Author: chancho    Time: 2013-1-5 17:19

Thank you for pointing out something that may become a serious problem for some people. Whether it is accepted or not is not controlled by you. You did your part. Thanks again.
Author: samiux    Time: 2013-1-5 20:43

thank you for pointing out something that may become a serious problem for some people. accept or no ...
chancho posted on 2013-1-5 17:19


Thank you for your understanding.

Samiux
Author: toylet    Time: 2013-1-6 21:49

Notice: The author has been banned or deleted; content automatically hidden.
Author: aggregation    Time: 2013-1-8 00:32

syslogd really can't log it?
Stop kidding.
Author: samiux    Time: 2013-1-8 00:34

syslogd really can't log it?
Stop kidding.
aggregation posted on 2013-1-8 00:32



Did you see my demo video?  It is 100% true.  Some of the attacks cannot be logged.

Samiux
Author: aggregation    Time: 2013-1-8 00:45

Last edited by aggregation on 2013-1-8 00:48
Did you see my demo video?  It is 100% true.  Some of the attacks cannot be logged.

Samiux
samiux posted on 2013-1-8 00:34


Many monitoring applications can send messages of different log levels into syslogd.
Saying more is a waste of breath; forget it.
Author: samiux    Time: 2013-1-8 00:49

Many monitoring applications can send messages of different log levels into syslogd.
Saying more is a waste of breath; forget it. ...
aggregation posted on 2013-1-8 00:45


From your answer, you do not know/understand what an exploit is.  Fine, let's go your way and nobody will interfere with you.  Be your SysAdmin!  Your level of security knowledge is far behind mine.

Samiux
Author: aggregation    Time: 2013-1-8 00:52

From your answer, you do not know/understand what is exploit.  Fine, let's go your way and nobody  ...
samiux posted on 2013-1-8 00:49


If you say I don't know, then I don't know.

Inferiority and arrogance are cause and effect.
Author: samiux    Time: 2013-1-8 00:55

If you say I don't know, then I don't know.

Inferiority and arrogance are cause and effect.
aggregation posted on 2013-1-8 00:52



Okay.  Can you perform an exploit and show your monitoring application's result in order to prove your version?  I have proved mine by way of video.  Now, it is your turn to prove it.

Samiux
Author: aggregation    Time: 2013-1-8 01:00

Okay.  Can you perform an exploit and show that your monitoring application result in order to pr ...
samiux posted on 2013-1-8 00:55



I'm going to sleep; I have a meeting in the morning. Take your time proving yourself here.
Bye bye
Author: samiux    Time: 2013-1-8 01:04

I'm going to sleep; I have a meeting in the morning. Take your time proving yourself here.
Bye bye
aggregation posted on 2013-1-8 01:00


No proof no talk (translated from Cantonese)

Working hard ....  Otherwise, you will be fired!  

Samiux
Author: samiux    Time: 2013-1-8 01:46

There is a small piece of information about web server stress test and (D)DoS that you may be interested in.

It is not a bible but it is a good reference.

Samiux
Author: muteki    Time: 2013-1-8 17:10

I think you are a bit extreme in your suggestion.  While syslog doesn't necessarily show all the warnings/errors, it is one of the common practices to check for errors.  Criticizing people using syslog is like laughing at people who use door lock and tell them the door lock is useless because the burglar will eventually break into your house no matter how secure the door lock is.

I suspect the exploit you showed in the video has been well identified and patched.  So, instead of telling people what they have written is a joke, you can kindly suggest to them, or even better, edit the wiki yourself, to mention the importance of updating software to the newest version periodically.
Author: muteki    Time: 2013-1-8 17:23

Actually, they already have a section about "security updates".

Unless you have identified some exploits that nobody knows and you are holding that information to yourself, I don't think what they are suggesting is flawed.
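Author: lazyfai    Time: 2013-1-8 22:35

No proof no talk.

Well said. Many people only know how to say that what others write and do is useless, while they themselves can't produce anything that helps people.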
Author: samiux    Time: 2013-1-9 00:14

Last edited by samiux on 2013-1-9 00:58
I think you are a bit extreme in your suggestion.  While syslog doesn't necessarily show all the war ...
muteki posted on 2013-1-8 17:10


I am not saying that reading logs is wrong or useless, but I pointed out that some exploits will not be logged.  I just said that the said wiki is just a joke that only asks you to read logs but does not mention that some of them will not be logged.  The information is incorrect and misleading.  It will mislead others into thinking that it should be logged.

If you read all my messages, you will find that out.  I can do nothing about it since their COMMON SENSE/PROFESSIONAL is telling them that I am wrong (maybe including you).  In addition, the only thing I can do is to alert them even if they do not listen or are unwilling to listen.

In the real world, only a very small number of exploit activities can be logged.  Even if it is logged, the attackers can clean it out with a method that you will not notice, or at least will not easily notice.

I think we are facing skilled attackers and not only script kiddies, do you agree?  So, why are we not being more professional?

Thank you for watching the demo video (people seldom do it, but I don't know why).  The said "vuln-server_static" is an exercise whose source code you can download here or here.  The code does nothing but listen on a port, wait for the user's input and then echo it back.  Basically, it is a vulnerable echo server, that's all.

You compile it and develop your exploit code and conduct the exploitation.  As a result, you will get a shell.  The demo video shows my developed exploit code, namely "exploit.py".  If you are interested in or know how to do exploit writing, you can try it yourself.

By the way, you cannot find the solution to this exercise on the Internet at the moment.  However, it will be available soon when I release it.  I delayed the release due to some personal matters.

If you understand what an exploit is and what exploit writing is, you will understand what I am saying.

Samiux

Update reason : fix the link
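Author: samiux    Time: 2013-1-9 00:38

No proof no talk.

Well said. Many people only know how to say that what others write and do is useless, while they themselves can't produce anything that helps people. ...
lazyfai posted on 2013-1-8 22:35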


I don't think clever and eager to learn people are required to be fed.  A hint is enough.

Samiux
Author: muteki    Time: 2013-1-9 02:00

I just said that the said wiki is just a joke that only asks you to read logs but does not mention that some of them will not be logged.  The information is incorrect and misleading.


I don't get the idea they are telling people to only look for logs and do nothing else.  Indeed, they are pretty clear on the article where the guide complements the basic security measures outlined in the Basic Security Wiki.  And the basic security wiki makes it very clear in the very first paragraph -- they do not claim doing everything listed will reduce the risk of being compromised to zero.

I understand what you want to suggest, but I don't think what you have suggested is anything new.  It is pretty obvious one can never do enough for security.  It almost sounds like what you want them to do is to say something like:  Do A, but A cannot guarantee you from being hacked.  Do B, but B cannot guarantee you from being hacked.  Do C, but C cannot guarantee you from being hacked...

A simple disclaimer like what they did should suffice and I see nothing incorrect and misleading in doing so.
Author: samiux    Time: 2013-1-9 02:11

I don't get the idea they are telling people to only look for logs and do nothing else.  Indeed, t ...
muteki posted on 2013-1-9 02:00


I am targeting the wiki article "DidIJustGetOwned" but not the other articles at "BasicSecurity".  Please don't take me too far.

The title of "Did I Just Get Owned" is telling you to inspect your box to see if you have just been owned/compromised.  Is it clear?

Samiux
Author: muteki    Time: 2013-1-9 02:49

I am targeting the wiki article "DidIJustGetOwned" but not the other articles at "BasicSecurity".  Please don't take me too far.


I understand what you are focusing on.  And that's why I quoted "This guide will complement the basic security measures outlined in the Basic Security Wiki", in the exact article you are talking about, hence leading to the simple disclaimer. If one didn't read both and tries to judge the quality of one article, it sounds more like a user error to me.

The title of "Did I Just Get Owned" is telling you to inspect your box to see if you have just been owned/compromised.  Is it clear?


It's clear you have the logic wrong.  An inverse of a condition is not always true.  (i.e. If A then B doesn't imply if not A then not B)  They are telling you if you find something suspicious in the log, you _may_ get owned.  It doesn't tell you that if you don't see anything suspicious in logs, then you are not owned.  The contrapositive, however, _is_ always true.
Author: samiux    Time: 2013-1-9 11:12

Last edited by samiux on 2013-1-9 11:36
I understand what you are focusing on.  And that's why I quoted "This guide will complement the ba ...
muteki posted on 2013-1-9 02:49


What if you did not see my demo or message?  

If nobody sees my message and demo, when they see that there are no suspicious activities found in the log, what will they think and do?  They probably will think that their boxes are safe and they can go for coffee and relax.

The other articles in "BasicSecurity" are almost all talking about how to harden your Linux box only and nothing about how to identify if your box is compromised or not.  The "DidIJustGetOwned" is the only article that tells you all how to identify if your box is compromised or not.

I am not logically wrong.  If I were logically wrong, I could not have found the vulnerability of the said software and developed a logical exploit program to exploit it.  I am just thinking in a very different way from you all, that is, I am thinking like a criminal.  My quote - Think like a criminal and act as a professional.

I have no more words to say, but just say that no suspicious activities in the log does not indicate that your box is safe.  That's all.

It is my point of view, and I accept others' points of view.  We are seeing the thing from different angles and targeting different scopes.  I think there is no room for us to argue further.  There is nothing new to argue or discuss further.
  
Samiux

Update reason : fix typo
Author: muteki    Time: 2013-1-9 15:15

What if you did not see my demo or message?

I have looked at your demo and downloaded the code.  It's simply a badly written C program with buffer overrun vulnerability.  (dest[] can be overrun)  Like I said, I understand you are trying to make a point about not every exploit results in logging activities.  But I think this is well understood and no one is suggesting the opposite.  (other than you keep claiming others do)

I am just thinking in a very different way from you all...

I don't know how "different" it requires to see that bug other than some experience in C programming and basic understanding on how to exploit buffer overrun bug.  (phrack.org comes to my mind if anyone wants great examples)

I have no more words to say, but just say that no suspicious activities in the log does not indicate that your box is safe.  That's all.

I 100% agree with what you said.  And I don't think anyone is claiming "no suspicious logs = not being hacked" either.  I think this is the part you are failing to understand.  You keep asserting others are thinking it this way due to your incorrect logic.  Again, an inverse of a conditional statement is not always true.  Let me know if you have any difficulty in understanding this.

It is my point of view...

I am not trying to argue anything.  Indeed, it requires two different ideas to begin with in order to argue.  I am just trying to understand if I am missing any points from you.  But based on our conversation so far, you are clearly thinking you are the only one seeing things differently.  However, in my mind, you are just pointing out the obvious...  There aren't any conflicting ideas to argue about.
Author: samiux    Time: 2013-1-9 16:48

I have looked at your demo and downloaded the code.  It's simply a badly written c program with buf ...
muteki posted on 2013-1-9 15:15


As I mentioned and the source code already commented, the source code is an exercise.  Therefore, it should be vulnerable.  No surprise.  I am just telling you that "vuln-server_static" is not a real application that, as you think, should have been patched a long time ago.

The demo is just to demonstrate what I wanted to point out.  Nothing special.  I don't know why so many people over-reacted.  The article is not complete and something is missing.  Newbies will treat this incomplete article as a bible.  That is what I want to point out.  

I am not saying that I am the only one who thinks differently or sees the situation.  I am just saying that the captioned quote is my quote.  I am just an ordinary person and nothing special.  I have a lot of amazing things to learn.  There are many outstanding and amazing persons in the world.  The situation should have been found by someone many years ago already, I am sure.  Here, I just pointed it out.   

Logical?  Maybe I am really not very logical so that I can develop an exploit code like this, don't know.

Samiux
Author: muteki    Time: 2013-1-9 17:13

You have successfully convinced me I have no hope of trying to communicate with you!  :)
Author: lazyfai    Time: 2013-1-9 17:42

You have been quite patient already..
You have successfully convinced me I have no hope of trying to communicate with you!  :)
muteki posted on 2013-1-9 17:13

Author: 有你便有我    Time: 2013-1-9 17:42

Logical?  Maybe I am really not very logical so that I can develop an exploit code like this, don't know.

samiux posted on 2013-1-9 16:48


I have also practised buffer overflows. Back in the kernel 2.4 days, if there was a buffer overflow it was basically easy to inject shell code, but today's kernels randomize memory addresses, and it is quite hard to do without turning this feature off......btw, did you turn off ASLR in your video above??
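Author: cyrus_ho    Time: 2013-1-9 23:31

Your motive is pointless.
Just to prove that hacking a host can bypass syslog std output? Once the process has overflowed, of course it can't output to the log file.

So what if you proved it? It only proves that the programming logic works like this: 1) request, 2) response and then 3) write log. That's it!

If nowadays you look for home setups, or some cheap SMBs that still put a web server out for you to try, you would still get something out of it...
Have you heard of layered security / defense in depth? Nowadays, achieving the effect of your demo while "leaving no trace" on well-structured premises is rare.
You don't need to prove this old news any more. If you want to try something, why not play with zero-days; but be careful, this is a public place and many people are watching you, young man.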
Author: samiux    Time: 2013-1-9 23:59

I have also practised buffer overflows. Back in the kernel 2.4 days, if there was a buffer overflow it was basically easy to inject shell code ...
有你便有我 posted on 2013-1-9 17:42

root@bt:~# ./checksec.sh --file vuln-server_static
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FILE
No RELRO        No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   vuln-server_static
root@bt:~# cat /proc/sys/kernel/randomize_va_space
2

For your reference.

Samiux
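
An added example, not part of the original post or of checksec.sh: a small Python reader for the ELF fields behind the RELRO, NX and PIE columns in the output above, together with the reason a "No PIE" binary keeps a fixed code address even when randomize_va_space is 2. The function names and the 64-bit sample header are constructed for illustration; the binary from the post is not reproduced.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header carrying the stack's permission flags
PT_GNU_RELRO = 0x6474E552  # segment remapped read-only after relocation
PF_X = 0x1                 # "execute" bit in p_flags
ET_EXEC, ET_DYN = 2, 3     # fixed-address executable / position-independent


def elf_hardening(blob: bytes) -> dict:
    """Return the PIE, NX and RELRO status of a little-endian ELF image."""
    if blob[:4] != b"\x7fELF" or blob[5] != 1:
        raise ValueError("not a little-endian ELF image")
    is64 = blob[4] == 2  # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    (e_type,) = struct.unpack_from("<H", blob, 16)
    if is64:
        (e_phoff,) = struct.unpack_from("<Q", blob, 32)
        e_phentsize, e_phnum = struct.unpack_from("<HH", blob, 54)
    else:
        (e_phoff,) = struct.unpack_from("<I", blob, 28)
        e_phentsize, e_phnum = struct.unpack_from("<HH", blob, 42)
    flags_off = 4 if is64 else 24  # p_flags sits at a different offset per class
    nx = relro = False  # a missing PT_GNU_STACK is reported conservatively as no NX
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from("<I", blob, base)
        (p_flags,) = struct.unpack_from("<I", blob, base + flags_off)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True  # presence only; full RELRO also needs BIND_NOW
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def fixed_code_address(randomize_va_space: int, report: dict) -> bool:
    """True when the main executable's code still loads at a fixed address.

    Kernel ASLR (values 1 and 2) only moves the executable itself if it was
    built position-independent; a non-PIE image keeps its link-time address.
    """
    return randomize_va_space == 0 or not report["pie"]


def sample_image() -> bytes:
    """Constructed 64-bit ELF header: ET_EXEC, one read/write PT_GNU_STACK."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_EXEC, 62, 1, 0x400000,
                               64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, 6, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


if __name__ == "__main__":
    report = elf_hardening(sample_image())
    print(report, "fixed code address:", fixed_code_address(2, report))
```

The sample reproduces the same three findings as the output above (No RELRO, NX enabled, No PIE); stack canary detection needs the symbol table and is left out.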
Author: samiux    Time: 2013-1-10 00:06

You have successfully convinced me I have no hope of trying to communicate with you!  :)
muteki posted on 2013-1-9 17:13



I am very glad to communicate with you.  According to your messages, you should be an elite programmer, at least.

Samiux
Author: samiux    Time: 2013-1-10 00:08

Last edited by samiux on 2013-1-10 00:20
Your motive is pointless.
Just to prove that hacking a host can bypass syslog std output? Once the process has overflowed, of course it can't out ...
cyrus_ho posted on 2013-1-9 23:31


Thank you for your concern.

Everything is under control.  I did it in my laboratory.  Nothing is live.

By the way, I received formal training and am certified.

Samiux
Author: samiux    Time: 2013-1-12 16:56

Last edited by samiux on 2013-1-12 16:59

The Java vulnerability is mentioned at HKEPC today.  However, nobody will know what it is talking about and the effectiveness.  

I hereby attached the "Security Discussions" in Ubuntu Forums for your reference.

Samiux

Update reason : fix link
Author: muteki    Time: 2013-1-12 17:35

However, nobody will know what it is talking about and the effectiveness.

Here are the technical details for anyone interested...
http://www.kb.cert.org/vuls/id/625617
Author: snoopy11hk    Time: 2013-1-12 18:02

The Java vulnerability is mentioned at  today.  However, nobody will know what it is talking about a ...
samiux posted on 2013-1-12 16:56



They are not the same as yours; that vulnerability will just affect 1.7-1.7.9 JRE, which of course includes Linux machines
Author: muteki    Time: 2013-1-12 18:25

Last edited by muteki on 2013-1-12 18:27
They are not the same as yours; that vulnerability will just affect 1.7-1.7.9 JRE

Actually I don't think that's necessarily true.  What they are describing is the vulnerability demonstrated by Blackhole and Nuclear Pack which affects more than one specific version (Java 7 update 10 is included).  Feel free to look at the reference links and the actual CVE (CVE-2013-0422), you will see a lot more details there.
Author: samiux    Time: 2013-1-12 19:40

Actually I don't think that's necessarily true.  What they are describing is the vulnerability demo ...
muteki posted on 2013-1-12 18:25


Thank you.

For further information, you can refer to this reference.

Samiux
Author: CamEL_    Time: 2013-1-14 04:25

Last edited by CamEL_ on 2013-1-14 04:51

FYI, Oracle JRE 1.7.0.11 has been released, but it seems it just raised the applet security level from Normal to High
Author: samiux    Time: 2013-1-14 22:10

Please refer to my test result on Java 7 Update 11 at "Security Discussions" of Ubuntu Forums.

Please also refer to my test result on Java 7 Update 10 at "Security Discussions" of Ubuntu Forums.

Samiux
Author: samiux    Time: 2013-1-17 03:32

Further to my previous message about Java 7 Update 10 vulnerability.

Oracle has released the Java 7 Update 11 and claimed that the vulnerabilities have been fixed.  However, the 0day vulnerability has not been fixed according to some information.  Please read this link for more details : http://krebsonsecurity.com/2013/ ... hes-5000-per-buyer/

For Windows, Mac OSX and Linux users who have updated to Java 7 Update 11 or have not yet applied the patch, please disable the plugin in your browser.  If any website requires the Java plugin, such as HK Government sites and some banking sites, you must disable the plugin after use.

For Ubuntu users who have updated to Java 7 Update 11, you can apply AppArmor to increase the security of Firefox.  For the users that do not apply the patch, Firefox will disable the plugin by default.  For implementing AppArmor for Firefox, please read this link : http://samiux.blogspot.hk/2012/0 ... efox-on-ubuntu.html

Samiux
Author: samiux    Time: 2013-1-17 11:10

Hi all,

This link is my finding on the Java vulnerability plugin.

Samiux
Author: killerpub    Time: 2013-1-21 01:02

I have never installed Java for more than ten years, full stop.

Whatever can't be used without it, so be it.





Welcome to HKEPC Hardware (https://h0.hkepc.com/forum/) Powered by Discuz! 7.2