VPN Breaking Zero Day Effective Against Many *nix Systems Burned

RecentlyBurnedWorkandLivingVanA zero day that allows nearby network actors to detect and inject payloads into VPN tunnels has been revealed (archived). All VPN implementations appear to be affected including allegedly "hardened" ones like WireGuard and IKEv2/IPSec while the vulnerability hits numerous *nix TCP/IP stacks including those by Apple, Google, OpenBSD, and Linux. Linux appear to be most gravely affected when running versions of systemd published after November 28th, 2018 when the default "reverse ip path filtering" default was changed to more easily facilitate hijacking VPN sessions in this manner.

The original disclosures to the Openwall oss-security mailing lists are presented in full below: Continue reading

Some Key Stealing Libraries Found in Python Package Index

Two key stealing libraries were found in the PyPi Python Package Index (archived).  One mimicked the dateutil library by prepending a "python3-" so that suckers could stumble into python3-dateutil. The other, mimicked the jellyfish library but swapped a lowercase L for a capital i. Both were allegedly uploaded by the same user and exfiltrated data to the same destination. This is not the first time PyPi has had to remove malware mimicking popular packages, but they remain open to all comers and continue to exercise little actual control over the namespace they index.

New Zealand Court Refuses To Allow Access To Evidence In Kim Dotcom Case, Kim Dotcom Case Still Ongoing

New Zealand's Court of Appeal has denied Kim Dotcom and his legal team access to Dotcom's own communications captured by New Zealand's "Government Communications Security Bureau" (archived). The communications were illegally collected per New Zealand Law, and at some point the local courts may or may not get to determining what damages te GCSB owes Dotcom. As New Zealand inherited the "common law" insanity from its colonial parent, it remains impossible to tell whether litigation in the numerous cases surrounding Kim Dotcom's internet activities will end during his lifetime.

US FCC To Cut "Rural Internet" Funds As Half Assed Trade War Continues

The USG's FCC has decided to disallow new purchases of network gear made by Chinese firms Huawei and ZTE by recipients of "Universal Service Fund" subsidies though they have not yet made any firm decisions on whether recipients of these subsidies will be compelled to rip out any existing network gear (archived). The Universal Service fund was nominally established to encourage building telecom infrastructure in rural areas, but in practice it more frequently places ObamaPhones into the hands of the urban poor.

Efforts by the USG to engage in an actual trade war with China have been substantially hampered by US dependence on Chinese industry, particularly in propping up the illusion of the US having its own technology sector. So far the only major casualty on the Chinese side has been kidnapped Huawei CFO Meng Wanzhou.

Warranty Concerns And Contract Cruft Keep US Military Machine Shops Idle As Repairs Forced Through Contractors

A legacy publication this week ran a letter to their editor allegedly composed by Captain Elle Ekman, a US Marine Corps logistics officer (archived). The letter's author relates some illustrative anecdotes showing the USG's preference for complicating logistics and letting expensively bought tooling rot in order to maximize their payments to contractors. The letter opens with:

A few years ago, I was standing in a South Korean field, knee deep in mud, incredulously asking one of my maintenance Marines to tell me again why he couldn’t fix a broken generator. We needed the generator to support training with the United States Army and South Korean military, and I was generally unaccustomed to hearing anyone in the Marine Corps give excuses for not effectively getting a job done. I was stunned when his frustrated reply was, "Because of the warranty, ma’am."

After a brief, forgetable foray into her local Pantsuit politics to pass the legacy editorial gatekeepers, she returns to reporting on the USG's entirely chosen sadness:

Besides the broken generator in South Korea, I remembered working at a maintenance unit in Okinawa, Japan, watching as engines were packed up and shipped back to contractors in the United States for repairs because "that’s what the contract says." The process took months.

With every engine sent back, Marines lost the opportunity to practice the skills they might need one day on the battlefield, where contractor support is inordinately expensive, unreliable or nonexistent.

I also recalled how Marines have the ability to manufacture parts using water-jets, lathes and milling machines (as well as newer 3-D printers), but that these tools often sit idle in maintenance bays alongside broken-down military equipment. Although parts from the manufacturer aren’t available to repair the equipment, we aren’t allowed to make the parts ourselves "due to specifications."

How pervasive is this issue for the most powerful[sic] military in the world? And what does it mean for a military that is expected to operate in the most austere and hostile environments to not possess the experience, training or tools to fix its own very technical equipment?

All signs point to these issues being incredibly pervasive, and it means that they can't be expected to operate per their own allies' observations in the field.

More Epstein Drama: Lizzie Benches Duke Of York, Guards Hit With Charges For Conspiracy To Slack

Old Lizzie has decided to suspend Price Andrew's public duties following the Duke of York's poor optics in reponding to questions about his friendship with the late Jeffery Epstein (archived). The Duke's public fumblings occurred after he agreed to an interview by British state Broadcaster BBC without first getting permission from Liz.

Meanwhile two guards at the prison where Jeffery Epstein's life ended have been charged with conspiracy and forging records for carrying out their jobs with all the intensity that can be expected out of government charges sitting in undemanding sinecures. Albeit these particular sinecures happen to exist in an environment labeled "high security" per USG in universe conventions (archived).

As US "Higher Education" Bubble Bursts Doomed Schools Push To Hide Insolvency

With the US higher education bubble bursting, a group of small colleges have managed to bully a firm to abandon the release of a report damning their dismal situations (archived). The report was going to project how many years of operation are left across 946 private US colleges in order to assist parents and prospective students weight the risk of school closure in their higher education decisions.

The firm which calls itself "Edmit" offers an "online advising" tool, and they folded on their planned release of the data after allegedly receiving a note from a lawyer swearing anything suggesting the school he represents faces the prospect of near term closure is false. Never mind the increasingly poor alumni networks alienated by the insanity their alma maters sell combine to make any particular school's chance of pulling of a heroic fundraising effort very unlikely.

Denial will continue until closures actually happen.

Intel Continues Burning Former Selling Points As It Sets To Pull Old Firmware Downloads Offline

Intel has decided to burn its former "we support our products forever" marketing point by announcing they will pull firmware update downloads for "end of life" products from their website (archived). Their "being fast" selling point started to collapse back in January 2018. The reason why they lost their being fast selling point keeps them from presenting themselves as a "safe" choice. All they have left is their large existing install base of defective products.

US Court Hits DDoS For Hire Operator With Mere 13 Months Of Incarceration

Sergiy Usatyuk of Orland Park, Illinois was hit with 13 months in prison by a North Carolina based US Circuit Court for operating the "Exostresser" DDoS for hire service in partnership with a unknown "Canadian" (archived). The 21 year old plead guilty to running the service between August 2015 and November 2017. In addition to the 13 months of incarceration, Usatyuk will enjoy 3 years of supervised release and an order to forfeit 542,925 USD.

More Intel Data Leak Flaws Documented This Week Situation Particulary Grave

This week has seen a number of flaws in Intel chips that leak data, but two seem to dwarf others publicized so far (archived). The first, TPM-FAIL allows private keys stored with the "Intel Platform Trust Technology"(TM)(R) "trusted platform module" to be acquired via timing leakage. The ST33 by MTMicroelectronics was also shown to have a similar vulnerability.

The gravest reveal (archived) is a set of "Microarchitectural Data Sampling" attacks allowing any data passed through an Intel CPU to be leaked, in flight, whether the data has been stored in the CPU's cache or not. Many of these attacks abuse Intel's handling of speculative execution. Others take advantage of flaws introduced or made worse by efforts to patch Intel's previously documented speculative execution bugs.