--- Log opened Tue Jul 21 00:00:00 2015
00:07 -!- v4mp [~v4mp@unaffiliated/v4mp] has joined #se2600
00:10 -!- v4mp|2 [~v4mp@108-69-89-150.lightspeed.tukrga.sbcglobal.net] has quit [Ping timeout: 256 seconds]
01:08 -!- hobbes615 [~hobbes@unaffiliated/hobbes615] has joined #se2600
01:34 -!- hobbes615 [~hobbes@unaffiliated/hobbes615] has quit [Quit: Leaving]
03:07 -!- fie_ [~fie@ip72-204-90-17.fv.ks.cox.net] has quit [Ping timeout: 255 seconds]
03:42 -!- Catonic [~catonic@adsl-98-83-45-20.bhm.bellsouth.net] has quit [Ping timeout: 260 seconds]
05:47 -!- Catonic [~catonic@adsl-98-83-45-20.bhm.bellsouth.net] has joined #se2600
05:47 -!- mode/#se2600 [+o Catonic] by ChanServ
06:03 -!- rattle [~rattleXx@pool-108-20-163-136.bstnma.fios.verizon.net] has joined #se2600
06:03 -!- rattle [~rattleXx@pool-108-20-163-136.bstnma.fios.verizon.net] has quit [Changing host]
06:03 -!- rattle [~rattleXx@tor/regular/rattle] has joined #se2600
06:03 -!- mode/#se2600 [+o rattle] by ChanServ
06:28 -!- rattle [~rattleXx@tor/regular/rattle] has quit [Quit: This computer has gone to sleep]
06:43 -!- rattle [~rattleXx@pool-108-20-163-136.bstnma.fios.verizon.net] has joined #se2600
06:43 -!- rattle [~rattleXx@pool-108-20-163-136.bstnma.fios.verizon.net] has quit [Changing host]
06:43 -!- rattle [~rattleXx@tor/regular/rattle] has joined #se2600
06:43 -!- mode/#se2600 [+o rattle] by ChanServ
07:03 -!- rattle [~rattleXx@tor/regular/rattle] has quit [Quit: This computer has gone to sleep]
07:37 < v4mp> lol @ that many PTRs... w.t.f.
07:37 < v4mp> _NSAKEY: anything specific that irritates you wrt centos?
08:16 -!- rattle [~rattleXx@tor/regular/rattle] has joined #se2600
08:16 -!- mode/#se2600 [+o rattle] by ChanServ
08:46 -!- rattle [~rattleXx@tor/regular/rattle] has quit [Read error: Connection reset by peer]
08:46 -!- rattle [~rattleXx@192.170.136.170] has joined #se2600
08:47 -!- rattle [~rattleXx@192.170.136.170] has quit [Changing host]
08:47 -!- rattle [~rattleXx@tor/regular/rattle] has joined #se2600
08:47 -!- mode/#se2600 [+o rattle] by ChanServ
09:01 < aestetix> fucking germans
09:18 < aestetix> http://www.exberliner.com/blogs/the-blog/germanys-greedy-churches/
09:18 < PigBot`> Title: Seymour Gris: Germany's greedy churches - EXBERLINER.com (at www.exberliner.com)
09:20 < aestetix> This is something that legally could never happen in the US.
09:56 -!- rattle [~rattleXx@tor/regular/rattle] has quit [Read error: Connection reset by peer]
09:57 -!- rattle [~rattleXx@tor/regular/rattle] has joined #se2600
09:57 -!- mode/#se2600 [+o rattle] by ChanServ
10:32 -!- rattleX [~rattleXx@192.170.136.170] has joined #se2600
10:32 -!- rattle [~rattleXx@tor/regular/rattle] has quit [Read error: Connection reset by peer]
10:40 -!- rattleX [~rattleXx@192.170.136.170] has quit [Ping timeout: 250 seconds]
10:40 -!- rattle [~rattleXx@192.170.136.170] has joined #se2600
10:40 -!- rattle [~rattleXx@192.170.136.170] has quit [Changing host]
10:40 -!- rattle [~rattleXx@tor/regular/rattle] has joined #se2600
10:41 -!- mode/#se2600 [+o rattle] by ChanServ
11:03 < _NSAKEY> v4mp: I cut my teeth on Debian-based distros. While I can tolerate a RedHat distro, I'd much rather not have to deal with it at all.
11:04 < v4mp> _NSAKEY: ahh, gotcha
11:05 < _NSAKEY> I have a CentOS VM solely for testing things like scripts that are supposed to be portable.
11:05 < _NSAKEY> That's just to keep any Debian-specific stuff out of them, unless the script explicitly supports one distro.
11:06 * v4mp nods
11:07 < _NSAKEY> An example is that ssh hardening project. Things like "apt-get install" obviously aren't going to work on CentOS.
11:07 < v4mp> speaking of which, assuming you got the final rev of happy dance working properly?
11:07 < v4mp> yea
11:08 < _NSAKEY> Yeah. That project is considered done until distros start packaging newer versions of openssh, and then the config will get modified.
11:08 < v4mp> : )
11:08 < _NSAKEY> I had to fix my tor bridge project last night. Turns out, some changes I made to it locally didn't get committed, and that led to some confusion.
11:09 < _NSAKEY> It worked better on FreeBSD than Debian.
11:09 * v4mp checks commit log
11:09 < _NSAKEY> If I was just using a random bundled pluggable transport to obfuscate the traffic, it would be whatever.
11:09 < v4mp> haha, I like your old commits : "Ironically enough, using this setup as a client is too hardcore for github.com,"
11:10 -!- Netsplit *.net <-> *.split quits: @benthemeek
11:10 < _NSAKEY> But I specifically wanted to use obfs4, since it can do IPv6 at the same time and even the Chinese haven't gotten around to censoring IPv6 yet.
11:11 < _NSAKEY> obfs4 was written in go because the guy decided he felt like learning it and wanted to do something cooler than "hello world" (Those are almost his exact words), but at this stage it's just easier to git clone all the dependencies and "go build" it.
11:12 < v4mp> I do recall reading about that
11:12 < v4mp> and why he chose go for it.. still weird...
11:12 < _NSAKEY> As for that commit message, that was true.
11:12 < _NSAKEY> Using happy-dance with the client flag would break pushing to github.
11:12 < _NSAKEY> Had to switch to http.
11:12 < v4mp> ugh
11:12 < _NSAKEY> They did finally fix it.
11:13 < v4mp> and wait.. hm
11:14 < v4mp> didn't china switch to ipv6 quicker than the wets
11:14 < v4mp> *west
11:14 < v4mp> their backbone is ipv6
11:14 < _NSAKEY> At the last state of the onion talk, Dingledine actually said that they've not observed any IPv6 censorship.
11:15 < _NSAKEY> I inquired about it again recently.
11:15 < v4mp> interesting.... not so sure about that...
11:15 < v4mp> I mean, I haven't seen the talk
11:15 < v4mp> and unsure of the censorship part, not your account of it
11:15 < v4mp> their address space is so huge
11:15 < _NSAKEY> Yeah, it does sound wild.
11:15 < v4mp> and afaicr, a few years back, people were complaining about how much more sluggish the rest of the world was
11:15 < v4mp> as china was rapidly switching its backbone
11:15 -!- Netsplit over, joins: benthemeek
11:15 -!- mode/#se2600 [+o benthemeek] by ChanServ
11:15 < _NSAKEY> I asked a different person and they said that was still true.
11:16 < v4mp> weird
11:17 < v4mp> maybe because it's easier to poison dns caches on ipv4
11:17 < v4mp> which is what gfw's blanket mechanism uses
11:17 < v4mp> although they do have deeper packet inspection capabilities
11:17 <@oddball> I'm guessing more "pfft. who uses IPc6 anyways?"
11:17 < v4mp> so wonder why they don't just filter ipv6 addresses
11:17 <@oddball> er IPv6
11:18 < v4mp> seems like a relatively easy thing to add to their firewall
11:19 < v4mp> especially as they've been taking increased effort in going against public vpns
11:20 < v4mp> but that's interesting -- thanks for the info
11:20 < v4mp> and haha.. mm.. idk.. I like ipv6 >_>
11:20 < v4mp> oh, anyone see the interesting tidbit in ars recently
11:21 < v4mp> someone pointed out how it's interesting that even within dprk's intranet, they're still using 10.x.x.x addresses
11:22 < v4mp> http://cdn.arstechnica.net/wp-content/uploads/2015/07/150705-intranet-aram-pan.png
11:23 -!- Synx|hm [~Synx@unaffiliated/synx-hm/x-1623004] has joined #se2600
11:25 < v4mp> also, I remember in the past, back when gfw was a lot less developed
11:25 < v4mp> you could subvert it by spamming dns requests
11:25 < v4mp> but that has long since been corrected
11:27 <@opticron> they're also using 172 and 192 addresses
11:27 < v4mp> yea, for a few servicesw
11:27 < v4mp> *services
11:29 < v4mp> so all rfc1918
11:30 < v4mp> _NSAKEY: decided to look for more up-to-date paper on gfw architecture --> https://www.usenix.org/system/files/conference/foci14/foci14-anonymous.pdf decent read
11:32 < _NSAKEY> The IPv6 comment is buried somewhere in this video: https://www.youtube.com/watch?v=pRrFWwA-47U
11:32 < v4mp> opticron: yea had to recheck my memory on the 172 space that's for private only, and it's 172.16.0.0/12, so those addresses do fall within private
11:33 < v4mp> thanks !
11:33 < _NSAKEY> I'm just going to leave it playing in the background until that comes up.
11:34 < _NSAKEY> There are a couple other things in this video that I want to cite for an NLUG talk, so this needs to happen anyway.
11:34 < v4mp> : )
11:35 < _NSAKEY> TIL: Jacob Appelbaum doesn't know his left from his right.
11:36 < v4mp> [ wow someone cited 30% packet loss when using dprk's intranet haha ]
11:38 < v4mp> wow, apparently china telecom tested ipv6 on their lte network last year
11:39 < v4mp> in one area
11:39 < v4mp> altho i guess that's existed in thes tates for a while
11:39 < v4mp> *states
11:40 < aestetix> _NSAKEY: there are a lot of other things Jake doesn't know ;)
11:40 < Synx|hm> can somebody explain to me why i would pay for amazon glacier or google nearline when i could use amazon cloud drive unlimited? cloud drive rides on s3 and is redundantly stored on multiple aws data centers and once you go above 500gb glacier becomes more expensive than $60 a year unlimited for cloud drive
11:40 < Synx|hm> and you pay out the ass for data xfer with nearline or glacier
11:42 < _NSAKEY> aestetix: I've seen some of the criticisms and accusations.
11:48 <@rattle> http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
11:48 < PigBot`> Title: Hackers Remotely Kill a Jeep on the Highway—With Me in It | WIRED (at www.wired.com)
11:48 <@rattle> Values and Miller are so fucking pimp.
11:48 <@rattle> Valasek rather.. Damn spell correct.
11:53 <@opticron> rattle, that's kind of terrifying
11:53 <@opticron> though not entirely unexpected
11:53 <@opticron> it's one of the reasons I really don't ever want an integrated nav system
11:55 <@oddball> opticron: Give it time, and you're going to be fucked. All GM vehicles have had OnStar for over a decade, I think all Fords are shipping with their Sync system, and other companies are following suit.
11:56 <@oddball> The problem could be easily fixed by not having their nifty comms system hooked up to the engine's computer.
11:57 <@opticron> yep
11:57 <@oddball> Or, at least, have some fucking sense in the way things are connected, and seriously restrict the amount of communication between the two systems.
11:57 <@opticron> I read that they had started doing that shit in the high-end cars 5+ years ago and wanted no part of it
11:57 <@rattle> I remember when I first heard that Chris and Charlie were focusing on car hacking, my first thought was that I should buy a bicycle.
11:58 < k3ymkr> Isn't this the same conversation we've been having forever? They're going to keep doing it.
11:59 < k3ymkr> Next thing they'll have an app for your phone that can control your car and all your car data will be in the cloud for easy access
11:59 <@oddball> opticron: My 2003 Caddy has an OnStar system, and I don't think it was the first generation. Although, it was before bluetooth became standard in everything, so if I want to use the car as a phone, I have to pay for OnStar's satellite phone feature.
11:59 < aestetix> aaand I broke my enter key
12:00 <@oddball> k3ymkr: Already done. At least to an extent.
12:00 < aestetix> I guess I press it too hard
12:00 < k3ymkr> Sorry, I'm behind
12:02 <@oddball> OnStar released a phone app that will let you unlock/lock the doors, remote start, and check some of the conditions of the car. I don't know if it goes all the way back on all OnStar equipped vehicles, but my mom has it for her 2010 Buick.
12:02 <@oddball> I'm guessing it wouldn't be too difficult to send other commands once you've got the credentials.
12:06 < k3ymkr> Well, this was done via a vuln that they're going to disclose at BH. I think the big telling factor will be how Chrysler deals with it.
12:06 < k3ymkr> I saw a patch already, so I assume they've been informed
12:08 <@rattle> Yeah, they've been working with the car manufacturers.
12:08 <@oddball> Maybe the car manufacturers will actually wake up.
12:08 <@rattle> The big problem is that most of the cars can't update their software OTA. It's a manual process. You can hear Dan Geer crying off in the distance..
12:08 < k3ymkr> http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
12:08 < PigBot`> Title: Hackers Remotely Kill a Jeep on the Highway—With Me in It | WIRED (at www.wired.com)
12:09 <@oddball> Of course, getting folks to bring their cars in for a recall is always "fun."
12:09 < k3ymkr> Oh sorry
12:09 < k3ymkr> https://twitter.com/matthew_d_green/status/623473855802294273
12:09 < PigBot`> Title: Matthew Green on Twitter: "Chrysler will release a patch for @0xcharlie & @nudehaberdashers remote exploit. A few people may even install it. http://t.co/gh8q2IJyfk" (at twitter.com)
12:10 <@oddball> heh
12:14 < v4mp> | The big problem is that most of the cars can't update their software OTA. --> I think that's a feature
12:14 < k3ymkr> v4mp: Yeah. I kind of don't want my car on a botnet
12:14 < v4mp> because then a malicious firmware update to all vehicles OTA would be massively destructive
12:15 < v4mp> especially one that would prevent patching of the vulnerability aside from doing a full-on reflash
12:15 < v4mp> so you go into dealership or make your USB key
12:15 < v4mp> then "update" the car
12:15 < v4mp> it says "updated !" and you're happy
12:15 < v4mp> little do you know that it was already exploited before you "patched" it
12:15 < v4mp> via OTA
12:17 < k3ymkr> Think of the fun though. You could make every car stop and honk in unison. Something like the best "We will rock you" ever.
12:17 <@rattle> In any circumstance, on any platform, be it a mobile phone or a car, a malicious update could be destructive. The point is moot. Putting _anything_ into service without a means of remotely conducting maintenance is far more dangerous.
12:17 <@rattle> That's the hole we're in with many SCADA systems. Too much stuff out there that's not field upgradable.
12:17 < k3ymkr> @rattle: For the masses
12:17 < PigBot`> k3ymkr: Error: "rattle:" is not a valid command.
12:18 < k3ymkr> For me, I'd take a manual update.
12:19 <@rattle> The general trend is taking updates out of the hands of consumers. Windows 10 is going to force updates. Within the next few years, most mobile phones. Eventually, just about everything.
12:19 < v4mp> which is terrifying
12:19 < v4mp> look at Flame
12:19 < v4mp> where windows update was essentially compromised
12:19 <@rattle> Nod. NSA is quite good at what it does..
12:20 < k3ymkr> v4mp: rattle is comparing that to when we never updated windows
12:20 < k3ymkr> Say all the windows XP machines out there.
12:20 < k3ymkr> Which is worse?
12:20 < v4mp> personally, the OTA, in my opinion
12:20 <@rattle> If given the choice of potential compromise by a very sophisticated actor, versus very high likelihood of compromise by a non-sophisticated actor.. I'll pick the latter.
12:20 < v4mp> because if I pull a machine from the network
12:21 <@rattle> Plus, just because update is manual doesn't mean your manual update isn't susceptible to the same risks as an automatic update.
12:21 < v4mp> I know that malicious code hasn't been forced onto it through a /trusted/ entity
12:21 < v4mp> well, "know"
12:21 < k3ymkr> rattle: I hope you meant the former
12:21 <@rattle> Rather, got that backwards.. Former. Heh
12:21 <@rattle> But you get the idea.
12:21 < v4mp> yea, difference of personal opinion : )
12:22 <@rattle> I see less risk being posed overall by forcing updates with as little human intervention as possible, than the threat surface exposed by not forcing updates.
12:22 <@oddball> rattle: Hell, legally speaking, most phones have been there for years.
12:22 < v4mp> and look at where that's gotten us
12:22 < v4mp> recently at&t and some other major carriers
12:22 <@rattle> I'd argue it's worked out pretty good.
12:22 < v4mp> had to backpedal on an essentially "forced" OTA update
12:23 < v4mp> that nuked the battery life of the majority of their GS4+ phones
12:23 <@oddball> And there's the problem that "unauthorized" updates to the car OBD2 computer on your car makes your car no longer road legal.
12:23 <@rattle> The stats on compromise rates of non-jailbroken devices that automatically force updates, versus systems that require human action to update, is sorta stark and in your face..
12:24 <@oddball> v4mp: And I don't think I've ever had an OTA update from ATT actually successfully install.
12:24 < v4mp> well that's a risk that the consumer should be able to weigh, and does weigh with how they decide to spend their money
12:24 < v4mp> you want products that force updates, etc., which is fine
12:25 < v4mp> I don't want code being automatically pushed to pseudo-mission critical devices, like a vehicle or cellular
12:25 <@rattle> When public safety comes into the equation, consumer choice starts to wane, imho..
12:25 < _NSAKEY> Automatic updates only have two downsides: Those rare times when they mess up a device somehow, or when the entity forcing the updates pulls a Sony and removes functionality.
12:25 < _NSAKEY> Otherwise, what's the problem?
12:25 <@oddball> Oh, and since ATT and others are getting rid of the deeply discounted phones if you lock into a contract model, I should be able to buy a phone that doesn't go through my carrier for software updates.
12:26 < v4mp> if these devices weren't on a cellular network in the first place, this problem would not exist for remote disabling at great distances
12:26 <@oddball> right
12:26 < v4mp> and the old model of vehicle recalls and bringing them into shops would occur
12:26 <@oddball> well, or satellite, in the case of GM.
12:26 < k3ymkr> Yes, but we're going to keep going there for IoT
12:26 < k3ymkr> It's going to get worse, not better
12:26 < v4mp> so adding OTA opens more worms, in my opinion, than it solves
12:28 < k3ymkr> I want my milk to tell my fridge to build my grocery list.
12:28 < k3ymkr> Then we have spoiled milk as the fridge was set by a guy in China to have a 102 temp.
12:28 <@oddball> heh
12:29 < v4mp> if he detects that your car is driving toward a store that sells ice, he'll also turn your vehicle around
12:29 < v4mp> *s/he
12:30 * oddball is still trying to figure out why cars are going to complete drive by wire.
12:30 < v4mp> but, yes, rattle, I see your and _NSAKEY's points ; and I know it's a different issue wrt whether the systems should be interconnected in the first place, vs. whether they should have OTA capabilities
12:30 < v4mp> I think that critical systems such as vehicles should not be connected in the first place
12:31 < v4mp> as to whether or not that opens the discussion we've been having about OTA, that exercise is left to the reader I suppose
12:31 < v4mp> but OTA does have issues, although I do appreciate that some of the windows update features have done some good, such as preventing worm propagations in the 90s and early 2000s
12:31 -!- v4mp [~v4mp@unaffiliated/v4mp] has quit [Quit: Changing server...]
12:32 -!- v4mp [~v4mp@unaffiliated/v4mp] has joined #se2600
12:33 < v4mp> whoops misplaced a slash
12:33 < v4mp> s/preventing/mitigating/
12:34 < v4mp> still, seeing as some of these corporations have less than stellar track records with their 1.) original software implementations as well as 2.) shitty vetting and testing of OTA updates
12:34 < v4mp> I would rather not have OTA
12:34 < v4mp> and if those are the only vehicles on the market in the future, it will be one of the first chips I attempt to rip out of my vehicle
12:34 <@rattle> If a system is interconnected at all, it should be field upgradable. Period. I side strongly with Dan Geer on this one..
12:35 <@rattle> The clusterfuck that is most SCADA networks these days sorta proves that out.
12:35 -!- sasquatc4 [~sasquatc4@c-73-181-12-187.hsd1.co.comcast.net] has quit [Read error: Connection reset by peer]
12:35 -!- sasquatc4 [~sasquatc4@c-73-181-12-187.hsd1.co.comcast.net] has joined #se2600
12:35 -!- mode/#se2600 [+o sasquatc4] by ChanServ
12:35 <@rattle> As time goes on, more and more systems are going to get interconnected. That trend is clear. So we can't repeat the past mistakes of making these things black boxes and assuming they will never have flaws.
12:36 < v4mp> then as soon as vulnerability is disclosed, what's to prevent a malicious actor from firing up shodan and pushing a malicious update OTA to all the scada systems
12:36 < v4mp> I think we should assume that all systems have flaws, and the software loaded onto these systems also can have flaws
12:37 <@rattle> The same sort of controls in everything from your windows box to mobile phone. While no controls are 100% effective, code signing and whatnot does work.
12:37 < v4mp> the OTA model is predicated on the fact that updates are flawless
12:37 < v4mp> which I think is dangerous
12:37 <@rattle> It's far more dangerous to have something out there that can't be field serviced. It's been proven over and over..
12:37 <@rattle> Nothing is flawless. All prevention eventually fails. The counter is to be agile and aggressive about finding flaws and patching them.. Not to try and make the technologies black box.
12:38 < v4mp> so, what is the issue with having humans update the software manually?
12:38 < v4mp> wouldn't that be "field service"?
12:38 * opticron assumes that skynet doesn't have OTA capabilities
12:38 <@rattle> Simply, that the vast majority of users don't.
12:40 <@rattle> There's one report I'd like to reference, but I'm having trouble finding the link to it.. Comparison of vulnerabilities found in Internet wide scans before and after automatic updates became the default in windows.. Short of it is, if you make automatic updates the norm, overall threat surface decreases dramatically.
12:40 <@rattle> Only makes sense to take the next step and force the updates.
12:40 < v4mp> you state that code signing works, although I'm not sure it's the best model -- better than nothing, but not entirely "working"
12:40 <@rattle> MS is going to be doing it. Apple too I believe.
12:41 <@rattle> Stolen certs and whatnot are always a potential issue.. But, it's better than the alternative, which is basically doing nothing.
12:42 <@rattle> It's a case where perfect is the enemy of good or better..
12:43 <@rattle> Many environments require manual planning for updates.. But most consumer technology should be forced somehow.. Make the person keep hitting the "snooze" button on updates. Don't give them the option of simply refusing.
12:46 < _NSAKEY> rattle: Is that paper you mentioned linked here? http://www.memestreams.net/users/decius/blogid10602269/
12:46 < PigBot`> Title: MemeStreams | Comments on the Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items (at www.memestreams.net)
12:46 <@rattle> No.. It came out around 2010-11.. I can't remember from where though. Good stats.
12:47 <@rattle> That said, Tom's Wassenaar write-up is awesome.
12:47 < _NSAKEY> Your comment about the paper made me think of that.
12:47 < _NSAKEY> He linked two different papers.
12:49 <@rattle> I might be combining two reports in my head..
12:49 < _NSAKEY> It just seemed likely that you were referring to one of the papers he linked.
12:49 <@rattle> But anyway, I strongly believe that forcing updates makes a big difference in the big scheme of things, and poses less risk than not forcing updates.
12:50 <@rattle> How many soccer moms out there are going to download a patch to a USB stick and apply it to their cars. Zero.
12:51 < _NSAKEY> I agree. The only time it sucks is when whoever's pushing the update pushes one that breaks something, which happens rarely enough to make it worth it. That can also be tested around.
12:51 < _NSAKEY> That, and when a Sony/OtherOS stunt occurs.
12:53 < _NSAKEY> There's also the doomsday scenario of "The update servers got compromised and malicious updates got pushed out," which I think is what v4mp was driving at. That's noisy though.
12:53 < v4mp> I appreciate your opinion, but, sadly do not agree; I think cars and scada type systems should not be on these types of networks in the first place, and that updates to controls should be handled as they always have been through recalls, or, in the case of scada, physically cleared employees updating software via CD or some such
12:54 <@rattle> The consumer has spoken.. They want streaming music, hands free calling, etc.. They're connected. Game over.
12:54 < v4mp> I doubt we will agree on it, but that's alright
12:54 < v4mp> so, if the consumer wants those features
12:54 < v4mp> why not have them be opt-in ?
12:54 <@rattle> And manually updating scada isn't practical.
12:54 < v4mp> but updating scada OTA is more practical?
12:55 < v4mp> over the clearnet?
12:55 <@rattle> The energy sector in particular scares the fuck out of me. A few years ago I was invited to participate as a delegate to the API telecommunications security subcommittee. The lack of clue was astounding. All that stuff is crunchy outside, chewy inside.. And there is no way to update any of it in any practical manner.
12:56 <@rattle> And to make matters worse, architected in a way where the phone company is completely trusted in terms of communication integrity.
12:56 < v4mp> but that didn't make you wish that they systems were not connected to these telco systems?
12:56 < v4mp> *that these
12:56 < v4mp> **that these scada systems were not connected to these telco systems
12:57 <@rattle> We've got pipelines and shit run by 15 year old code filled with flaws, one hack away from blowing up..
12:57 <@rattle> If they are going to be connected at all, it's going to be over telco infrastructure. Nothing else is practical.
12:58 <@rattle> Issue is, they trust MPLS and FrameRelay as the only means of securing the network.. And in most cases, record no network telemetry.. If someone was poking around on the inside, in most cases they wouldn't detect it.
12:58 <@rattle> Some utilities are vastly better than others.. But there's a lot of really badly architected networks out there.
12:59 <@rattle> It's not like it's hard to put a $150 fw/router at every pop, run shit over ipsec, beam home netflow, etc.. Buy controllers that can be updated OOB/OTA, etc.. They just don't do it in many cases..
13:00 <@rattle> MPLS is great and all.. Wonderful way to run an OOB control network.. Just don't trust it as the only level of network security.
13:01 < v4mp> interesting
13:06 <@rattle> Similar thing with the cars. The fact those guys can just outright connect to the things is pathetic. It's not like there are no crypto technologies (hell, basic ipsec) that can be used to facilitate communication with whatever they need to fetch info from while mitigating the ability to directly connect to the systems..
13:08 < v4mp> I don't follow the reasoning, >_<
13:09 <@rattle> In short, defense-in-depth.
13:10 < v4mp> so, these entities, be it energy, car manuf, etc., which have horrible track records, by your admission, should somehow be trusted with connecting devices still?
13:12 <@rattle> Arguing that things shouldn't be connected at all is futile. The focus should be on making it work safely.
13:12 <@rattle> You can't run a power grid manually.. It's not practical. There needs to be a control system. It just needs to be architected properly.
13:13 <@rattle> And there is no reason that smart cars can't be designed securely either.
13:14 <@rattle> There's no stopping the trend of interconnectivity.
13:15 < aestetix> aaaand I just went on a twitter rant that will likely lose me followers.
13:20 <@rattle> aestetix: Every time you say the word fuck, a kitten does somewhere. You know that, right?
13:21 < aestetix> a kitten fucks somewhere?
13:22 < k3ymkr> rattle may have broken the internet. Bestiality, pedophilia, kitten!
13:24 < Synx|hm> is it possible to get a cert from a default trusted root by which i can issue sub certs for non routable local domains on my LAN?
13:29 <@rattle> Nope
13:30 <@rattle> Making your own CA and pushing out the pub key to the trusted key repo on all your systems is the only option.
13:31 <@rattle> However, if you are going to use the same domain for everything.. Like, *.something.local.. You can get a wildcard cert for the local domain. Costs like $600/yr though usually.
13:31 < aestetix> uhhhhh
13:31 <@rattle> And it's the same key on all systems, so a tad bit easy to compromise.
13:31 < aestetix> why not self sign? and create your own ca?
13:32 <@rattle> That was the first option I presented.
13:32 < aestetix> provided all the systems on your LAN have the CA
13:32 < aestetix> ah ok I fail at scrollback
13:32 <@rattle> You fail at LIFE! :)
13:32 -!- fie [~fie@ip72-204-90-17.fv.ks.cox.net] has joined #se2600
13:33 < aestetix> maybe I should do another talk at harvard and just spend the whole hour saying fuck
13:33 -!- K4k [~K4k@unaffiliated/k4k] has joined #se2600
13:33 <@rattle> I'd buy that for a dollar!
13:34 <@rattle> Sitting watching you repeatedly drop the f-bomb at Harvard was truly entertaining.
13:34 < aestetix> lol
13:34 < aestetix> You think it made them uncomfortable?
13:34 < aestetix> I mean, I *did* ask beforehand, and they said it was fine.
13:35 < aestetix> I have a non-profanity mode I use for things like the radio.
13:35 <@rattle> No, it was just amusing.
13:36 < _NSAKEY> aestetix: How do I not follow you on Twitter? Fixed.
13:36 < aestetix> _NSAKEY: good sense? prudent judgement?
13:36 < _NSAKEY> I follow worse people than you, so that's no excuse.
13:44 < Synx|hm> rattle / aestetix : ya im doing self signed certs right now, though the wildcard would work provided they allow signing of sub certs on my own, though im guessing thats where the expense comes instead of the cheap/free certs avail
13:45 <@rattle> With wildcard certs, you just install the same cert everywhere.
13:46 <@rattle> It's convenient, but not the most secure thing in the world in that if you compromise the private key anywhere, you've compromised it everywhere.
13:52 < Synx|hm> ahh
13:52 < Synx|hm> makes sense now
13:55 < Synx|hm> any of you peeps using duo security for say domain logon or shell logon?
13:55 < Synx|hm> im curious what happens during a WAN outage
13:58 < Synx|hm> disregard they have a fail setting
14:03 < k3ymkr> I just use google auth for shell
14:03 < k3ymkr> I have duo for a site, but not what you asked :)
14:04 < Synx|hm> k3ymkr: what happens when your WAN is down? does it fall back to normal?
14:05 < k3ymkr> Google auth is just oauth
14:05 < k3ymkr> It doesn't reach out to google
14:05 < k3ymkr> It does HMAC on a preshared key + time
14:07 < Synx|hm> oh
14:16 < Synx|hm> the "new" (have not deployed in a long ass time) centos gui installer is fancy
14:27 -!- rattle [~rattleXx@tor/regular/rattle] has quit [Ping timeout: 240 seconds]
14:28 -!- rattle [~rattleXx@tor/regular/rattle] has joined #se2600
14:28 -!- mode/#se2600 [+o rattle] by ChanServ
14:55 -!- v4mp [~v4mp@unaffiliated/v4mp] has quit [Quit: 再见]
15:32 -!- v4mp [~v4mp@unaffiliated/v4mp] has joined #se2600
15:33 -!- rattleX [~rattleXx@192.170.136.170] has joined #se2600
15:33 -!- rattle [~rattleXx@tor/regular/rattle] has quit [Read error: Connection reset by peer]
15:40 -!- rattleX is now known as rattle
15:40 -!- rattle [~rattleXx@192.170.136.170] has quit [Changing host]
15:40 -!- rattle [~rattleXx@tor/regular/rattle] has joined #se2600
15:40 -!- mode/#se2600 [+o rattle] by ChanServ
15:42 -!- Catonic [~catonic@adsl-98-83-45-20.bhm.bellsouth.net] has quit [Ping timeout: 255 seconds]
15:49 -!- CRasH180 [~Kevin@99-2-136-47.lightspeed.nsvltn.sbcglobal.net] has joined #se2600
15:49 -!- CRasH180 [~Kevin@99-2-136-47.lightspeed.nsvltn.sbcglobal.net] has quit [Changing host]
15:49 -!- CRasH180 [~Kevin@pdpc/supporter/silver/CRasH180] has joined #se2600
15:49 -!- mode/#se2600 [+o CRasH180] by ChanServ
15:52 -!- Synx|hm [~Synx@unaffiliated/synx-hm/x-1623004] has quit [Quit: leaving]
15:55 -!- rattle [~rattleXx@tor/regular/rattle] has quit [Ping timeout: 244 seconds]
15:58 < k3ymkr> rattle: Can I ask how you're on tor? If I go to #freenode, they say the tor-sasl is down with no ETA
15:59 < k3ymkr> and every time I try to connect, I get a connection refused.
15:59 -!- rattle [~rattleXx@tor/regular/rattle] has joined #se2600
15:59 -!- mode/#se2600 [+o rattle] by ChanServ
16:00 < k3ymkr> rattle: Are you on tor connecting to freenode?
16:01 <@rattle> Actually, no.. My host mask is just hard coded. Back in the day I was sorta active in the tor community.
16:01 < k3ymkr> Ah
16:01 <@rattle> Some funny stories there.. I ran a top20 exit node at one point.
16:01 < k3ymkr> I was confused as their tor gateway seems to be dead.
16:01 <@rattle> Yeah, I just connect directly these days.
16:02 <@rattle> I think they killed the Tor gateway because of spam bots.
16:02 < k3ymkr> Cool
16:19 < v4mp> https://freenode.net/irc_servers.shtml#tor
16:19 < PigBot`> Title: About freenode: IRC Servers (at freenode.net)
16:19 < v4mp> [sic] *** PLEASE NOTE THAT THE tor HIDDEN SERVICE IS CURRENTLY UNAVAILABLE AND THERE IS NO SET DATE FOR ITS RETURN ***
16:19 < v4mp> = (
16:20 <@CRasH180> DOH!
16:23 < v4mp> rattle: probably
16:24 < v4mp> although maybe they could have done something wherein if you were a user with a mask or something which had to be verified in the first place, then you could connect through the tor service
16:24 <@rattle> Then the spam bots just register user accounts and the whack-a-mole continues..
16:25 < v4mp> oh, I mean with the masks though
16:25 < v4mp> I thought it wasn't automated
16:25 <@CRasH180> It wasn't last time I heard
16:25 < v4mp> afaicr... I had to message an admin
16:25 < v4mp> and talk to them for a bit
16:26 < v4mp> i.e. something a bit more complicated than automated nickserv registration
16:26 <@CRasH180> Though, that has been some time ago, as in several years
16:26 < v4mp> same
16:34 -!- k3ymkr [~KeyMaker@ec2-52-6-16-39.compute-1.amazonaws.com] has quit [Quit: leaving]
16:36 < v4mp> also, rattle, that's really cool about running a top20 exit node
16:37 <@rattle> It wasn't for very long.
16:39 <@rattle> When I was at CAP, while the Iranian student riots were going on, I was in the middle of a network build out.. I had one fat pipe that wasn't yet provisioned for BGP that I was using strictly as a backup.. I got Podesta to sign-off on me using our secondary stuff for Tor, since that's what the Iranians were using at the time to get past the net filtering..
16:40 <@rattle> I just grabbed an old decommed server and setup an exit node on that fat pipe with a throwaway IP block..
16:41 <@rattle> I got a few people really pissed off at me though, because I stuck a demo PaloAlto box I had sitting in the corner in front of it and did statistical analysis on Tor traffic.. Hehe..
16:43 < v4mp> : D
16:43 < v4mp> anything of note in the analysis?
16:44 -!- k3ymkr [~KeyMaker@ec2-52-6-16-39.compute-1.amazonaws.com] has joined #se2600
16:44 <@rattle> Yes. About 90% of Tor traffic is people viewing porn in countries that filter Internet.
16:44 < k3ymkr> Think how many lives that must save.
16:45 <@rattle> I did a little scripting fun to rank the most popular sites by keyboard character set in browser headers.
16:45 <@rattle> A large percentage of Chinese porn viewers are into blond white girls.
16:46 <@rattle> A scary large percentage of middle-eastern porn viewers are really into trannys, rape sex, and bondage.
16:48 < v4mp> wait.. so... people were using tor without https?
16:48 < k3ymkr> I have no response to that.
16:48 < k3ymkr> v4mp is funny
16:48 <@rattle> Yep. I saw way less https than you would think.
16:48 < v4mp> or did you have a MITM set up
16:48 < v4mp> to access their traffic
16:48 < v4mp> ahhh
16:48 <@rattle> I was running it through a PAN.
16:48 < v4mp> that's actually the most interesting part
16:48 < v4mp> that people are using tor, without encrypting traffic over tor
16:49 < k3ymkr> If he did, they'd have gotten a lot of SSL errors (Unless it was like SSL strip)
16:49 <@rattle> I wasn't doing any sort of MITM or anything malicious. Just statistical analysis.
16:49 <@rattle> No attempts to identify people or anything like that.
16:49 -!- K4k [~K4k@unaffiliated/k4k] has quit [Quit: WeeChat 1.2]
16:49 <@rattle> But boy-o-boy did that piss some people off.
16:50 <@rattle> I could identify what https sites people were going to via seeing the certs fly past, but not look into the traffic, obviously. 16:50 < k3ymkr> I can see the Chinese thing. White blonds would be pretty exotic 16:50 < v4mp> right 16:50 < v4mp> but in the https headers 16:50 < v4mp> there's character set information? 16:50 <@rattle> The non-porn/non-attack traffic on Tor was like, a very small percentage of the traffic. 16:51 <@rattle> Na, can't see that with https. 16:51 <@rattle> Only http. 16:51 < v4mp> OK, gotcha 16:51 < v4mp> so, I have a followup question 16:51 < v4mp> when running an exit node, you only know the previous hop on the network, right? 16:51 < v4mp> which isn't necessarily the origin machine 16:52 <@rattle> Never the origin machine, actually. 16:52 < v4mp> or, rather, often isn't the origin 16:52 < v4mp> yea OK 16:52 < v4mp> cool 16:52 <@rattle> That's sorta central to Tor's whole design.. 16:52 < v4mp> yea 16:52 < v4mp> was just making sure 16:52 < v4mp> haven't looked at the source in a while 16:53 < v4mp> and I'm still baffled about the http traffic hahaha 16:53 < v4mp> did you see people using DNSSEC over tor? 16:53 <@rattle> I'm sure it would be different now.. 16:53 <@rattle> I don't recall if I looked at that. 16:54 < k3ymkr> I am surprised from a sanity point of view, but really not from an average human intelligence point of view. 16:54 <@rattle> Lots of horizontal scanning and brute force attacks.. 16:54 < v4mp> interesting 16:55 < v4mp> k3ymkr: would people of average security threat knowledge be using tor? that's the surprising part to me 16:55 < v4mp> but I believe it 16:55 < k3ymkr> DNSSEC would just make sure they had the right IP. Would still be very possible to MITM them if you're running the exit node 16:55 < _NSAKEY> rattle: How long ago was that? 16:56 < _NSAKEY> 2009-2010? 16:56 <@rattle> 2011'ish I think.. 
16:56 < k3ymkr> And it's easy to use tor and not be too technical...or it was last I checked (Tails or torbrowser) 16:56 <@rattle> 2010 maybe.. 16:56 < v4mp> yea, I figured most tor users would use DNSSEC + DNSCrypt + https 16:56 < v4mp> just as a given 16:56 <@rattle> You'd think wrong. :) 16:56 < _NSAKEY> Yeah, you're really overestimating people v4mp. 16:56 < v4mp> : P 16:56 < k3ymkr> I bet your average use doesn't know what any of those things are. 16:57 <@rattle> Or at least it's a drop in the bucket compared to the number of people using it simply to look at porn. 16:57 < k3ymkr> They may know the lock if you asked about it 16:57 < k3ymkr> They know they want porn or whatever they joined tor to do. 16:59 < v4mp> ahhh 16:59 < v4mp> I suppose yea, people download the browser bundle, and just run it 17:00 < v4mp> afaicr, they even removed the vidalia control panel thing a few years back 17:00 < v4mp> maybe didn't want people accidentally clicking a few buttons and turning themselves into an exit node themselves 17:02 < k3ymkr> You also have to consider that most porn sites simply aren't on https. 17:02 < k3ymkr> Or at least that's my recollection 17:03 < v4mp> probably true 17:07 < v4mp> all that server load, caching, etc. (people probably skip around a lot..) 
17:14 -!- opticron [~opticron@75.76.45.103] has quit [Ping timeout: 264 seconds] 17:15 < v4mp> https://trac.torproject.org/projects/tor/ticket/8657 17:15 < PigBot`> Title: #8657 (Bad russian exit node attacks connections to Wikipedia) – Tor Bug Tracker & Wiki (at trac.torproject.org) 17:16 < v4mp> cool 17:31 -!- rattle [~rattleXx@tor/regular/rattle] has quit [Quit: This computer has gone to sleep] 17:48 -!- Catonic [~catonic@adsl-98-83-45-20.bhm.bellsouth.net] has joined #se2600 17:48 -!- mode/#se2600 [+o Catonic] by ChanServ 18:00 <@Evilpig> fuckin' at&t is some weird broken shit 18:26 <@eryc> i got fi now 18:26 <@eryc> my carrier is so meta 18:37 -!- opticron [~opticron@75.76.45.103] has joined #se2600 18:37 -!- mode/#se2600 [+o opticron] by ChanServ 19:19 -!- klixa [~kubuntu@unaffiliated/klixa] has joined #se2600 19:19 -!- mode/#se2600 [+o klixa] by ChanServ 19:58 -!- v4mp [~v4mp@unaffiliated/v4mp] has quit [Quit: 再见] 20:03 -!- Catonic [~catonic@adsl-98-83-45-20.bhm.bellsouth.net] has quit [Ping timeout: 256 seconds] 20:13 -!- v4mp [~v4mp@unaffiliated/v4mp] has joined #se2600 20:42 -!- ladymerlin [ladymerlin@mail.bbis.us] has joined #se2600 20:42 -!- mode/#se2600 [+o ladymerlin] by ChanServ 20:58 -!- v4mp [~v4mp@unaffiliated/v4mp] has quit [Quit: 再见] 21:00 -!- rattle [~rattleXx@tor/regular/rattle] has joined #se2600 21:00 -!- mode/#se2600 [+o rattle] by ChanServ 21:20 <@oddball> Hmm... this window is acting weird. Be right back 21:20 -!- oddball [~oddball@c-76-22-246-47.hsd1.tn.comcast.net] has quit [Quit: leaving] 21:21 -!- oddball [~oddball@c-76-22-246-47.hsd1.tn.comcast.net] has joined #se2600 21:21 -!- mode/#se2600 [+o oddball] by ChanServ 21:25 <@oddball> Ok... 
that's better 21:53 -!- klixa [~kubuntu@unaffiliated/klixa] has quit [Ping timeout: 246 seconds] 22:09 -!- Catonic [~catonic@adsl-98-83-45-20.bhm.bellsouth.net] has joined #se2600 22:09 -!- mode/#se2600 [+o Catonic] by ChanServ 22:22 < _NSAKEY> https://www.reddit.com/r/sysadmin/comments/3e3y8t/never_trust_a_subcontractor/ 22:22 < PigBot`> Title: Never trust a subcontractor : sysadmin (at www.reddit.com) 22:40 <@jb7od> Evilpig: What's the scoop with the att line? Just curious what weird shit they plugged in... lol 22:43 <@Catonic> hrm 22:57 -!- fie [~fie@ip72-204-90-17.fv.ks.cox.net] has quit [Ping timeout: 255 seconds] 23:16 <@Dagmar> oddball: I'm probably going to wind up hospitalizing another Ingress player before the summer is out 23:39 <@oddball> Oh dear 23:41 <@oddball> Oh, similar note: I'm enjoying having gone from "sometimes my phone won't make the day" to "recharge? meh... I'm good for another couple days." --- Log closed Wed Jul 22 00:00:01 2015