os211

Top 10 List of Week 02

Disclaimer: This list is in no particular order, neither of importance nor chronological. It is written in the order in which I remembered them as I was writing this.

  1. Reflections on Trusting Trust by Ken Thompson
    I have to admit, even I feel like I’m cheating by putting this one at the top, but there is absolutely no way a person could put together the terms “C Language” and “Security” and not cause me to instantly think of this classic paper. To say that it’s merely interesting would be an incredibly unfair understatement to Ken Thompson himself, not to mention one hell of a high horse to stand on considering the feat described here. I’ve to admit I still am not entirely sure that I understand the entire process described by this paper even now, almost 2 years after first getting exposed to it.
  2. Common C Vulns + Mitigations
    As much as I would like to pretend that I’m smart enough to be confident writing C code after dropping that first link into this top 10 list, I don’t like to lie. And it would be a lie to say that I have the slightest clue about writing C, let alone writing safe C. This short article really just stands in here for the sea of warnings that are up online to people learning C on its vulnerabilities, which I think is interesting in how its ubiquity and infamy still work in tandem with how actually dangerous it is. Curiously though the vast majority of mitigation attempts like these are summarized quite simply as the two rules of “Don’t use functions for any input that doesn’t respect buffer sizes,” and “Don’t forget to free memory.” Related to this as a short example is this.
  3. half of curl’s vulnerabilities are C mistakes
    Moving along with the theme of C and security, this one article is one thread of many strings of articles and posts I had read a couple of weeks ago on the topic of C’s role in generating vulnerabilities inside of curl. It is evidently obvious that I’m not nearly smart enough to opine on the issue–as I myself don’t actually know that much about the curl project beyond using it every now and then–but I do find it somewhat interesting, as it poses a question that many on one side of the discourse would really love to be able to definitively answer: does language specification actually have that big of an effect on program safety? To some level it’s even more fascinating because the debate would spiral a step below the technical details of C itself and begin to step into the realm of attempted psychoanalysis between parties, considering the stake that the opposing side–that is, those who use this as a point to propagate Rust–actually have in the situation, beyond curl itself. I’ve also seen this phenomenon crop up in matters of security beyond PL implementation; where the choice boils down from a question of technicalities to a question of psychology.
  4. Stop using VPNs for privacy
    This is an example of what I mentioned in the above statement in regards to how security/privacy can oftentimes be a more psychological issue than a technical one, particularly in this incredibly salient quote:

    A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be.

    In particular also the model of a VPN service itself is one that rings a lot of bells against the principle of least privilege noted in OSC10 chapter 16 p. 761. The fact that VPN services are given privilege to identifying elements that they could advertise themselves to “not keep logs” as if it’s normal to be able to keep any logs at all is fascinating to me, particularly because clearly the target audiences for these services aren’t actually people who are well-versed in matters of security, yet somehow at the same time these services operate as a potential honeypot for people who are, or at least appear to be.

  5. The title for this one is too funny for me to write out myself
    This link isn’t actually the interesting part but it is in keeping with the topic of the psychology of security that I keep coming across when I attempt to remember topics related to security here. In particular this was interesting because I distinctly remember being around when these things were unfolding, that is, when I was also using TOR for one specific purpose: browsing Endchan. I distinctly remember a post that now has likely been lost to time detailing a vast conspiracy theory on how the FBI had managed to operate eavesdropping on TOR nodes on a constant basis, and that this was how TOR itself had become a honeypot. One context that need be remembered during this time is the fact that this was also during the time that rumors of Julian Assange’s death and subsequent dead man’s switch were floating around on the web, along with the entire circus that was the 2016 US elections. It’s interesting how despite this turn of events having already happened half a decade ago, the same type of people who would be perceived as “privacy-minded” (for lack of a better term than other schizophrenic) still regularly use these services. That is not to say that TOR is a honeypot, but that despite being believed to be so, those same people still use it.
  6. The Kali Linux Review You Must Read Before You Start Using it
    Putting together the equation of “GNU/Linux” and “security” to conclude to something along the lines of Kali is likely as simple as the equation 2+2=5, and millions of would-be script kiddies run headfirst into this very wonky conclusion on a daily basis. I remembered this particular topic and came across this post while browsing around topics of W02 in part due to a conversation with a friend of mine, a theoretical physics student, who had gone and installed Kali for basically no reason at all; the guy wasn’t even into either pentesting or security, and instead just began using it as a desktop OS. But I digress; the main reason I find this somewhat interesting and used that small anecdote of my encounter with my friend who did install Kali for “security reasons” is because, despite the fact that the concepts of “security” and “threat” are diametrically opposed, they’re more often than not conflated for very little understood reasons; after all, no one mistakes a construction crew for a demolition crew, and vice versa. Yet it bears repeating time and time again: Kali Linux is not a distro tailored around security, it is a distro tailored around penetration testing.
  7. danooct1
    danooct1 is a YouTube channel focused entirely on exploring malware/viruses and just unleashing them on machines to observe their behavior. The channel is almost entirely non-technical in its presentation, and features very little standard pentesting/typically “programmer”-oriented content of the security kind like actually discussing it in Ghidra or such and such. As a whole it’s mostly just a nostalgia trip to the times when software virus infection was actually something that most workstation PC owners actively worried about, but from a completely non-analytic lens. As such it’s not entirely something that one might consider “interesting” but it is definitely entertaining at least.
  8. The GNU Privacy Handbook
    This one is really more useful than interesting; it’s essentially a beginner-friendly user manual for GPG, very dry but very useful for people who are new to the concept of manually doing cryptography (at least, manually to the extent of having to type the commands on one’s own rather than having, say, a browser take care of it in the background via secure protocols). It is somewhat interesting to me though that I had gone approximately 10 hours of googling before actually stumbling upon it, which is incredible considering how actually solid it is as a reference manual.
  9. Bad Opsec - How Tor Users Got Caught
    This is a companion piece to number 5, outlining some obvious privacy mistakes that one could commit while surfing online in real cases that have happened before. The companion piece to that companion piece would be this, a very comprehensive outlining of various practices one can take to ensure privacy while online, at least to a degree higher than the average user. Taken together these make a solid beginner’s plan for constructing privacy where it would be most vulnerable, that is, the internet.
  10. lainchan.org/sec/ - Security
    Lainchan is a cyberpunk-themed imageboard based around the cyberpunk-surrealist Japanese animated series Serial Experiments Lain. /sec/ is its security-focused board, particularly but not limited strictly to cybersecurity. It’s a relatively slow board and not as “opsec”-oriented as other cyberpunk subcultures in other boards such as /cyb/+/sec/ over on 4chan’s /g/ or the myriad of schizophrenics over on 8kun, but I suppose that’s why it’s interesting. Comparatively, it’s not aggressive; it’s very slow and soft much like lainchan in general–a nice contrast to most cyberpunk-ideated communities centered around security, a lot of which tend to feel like ketamine trips with drum and bass playing constantly in the background. Another reason I wanted to include it in this list is because of a related zine, lainzine. It doesn’t have the most active publishing rate and isn’t exactly that useful for learning about security, but it does release interesting articles from time to time related to the topic.