It has long been known that timing analyses are a *theoretical* attack on Tor. By distributing the circuits across different jurisdictions, the goal was to make these attacks impractical to implement:
Only a "global adversary" should be able to break the anonymity by correlating the traffic from entry and exit nodes. Correlation becomes even easier if delays or content can be actively introduced into the traffic pattern.
Just as we could (theoretically) become a "global adversary" by renting enough servers, law enforcement agencies can (practically) achieve this through close cooperation, especially since Tor nodes are not evenly distributed across jurisdictions but tend to cluster in certain regions.
Western law enforcement agencies seem to have reached the "global adversary" level through collaboration (in isolated cases and certainly with significant effort). What is problematic for Tor is that other "law enforcement agencies," whose focus is on dissidents, whistleblowers, and journalists, could do the same.
So, it is finally time for cover traffic and random delays: nodes in the Tor network would introduce a random traffic background noise as well as random delays to make targeted correlations more difficult. This would make Tor even slower. This is probably why it has been avoided until now.
In conclusion, we would like to emphasize that there is no reason for regular users of the Tor browser to worry about their anonymity. These are highly targeted attacks on individual accounts of the messenger "Ricochet" over extended periods of time. Because the messenger, unlike a browser, is also reachable, it naturally has an increased attack surface for timing analyses.
https://www.tagesschau.de/investigativ/panorama/tor-netzwerk-100.html
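The correlation attack and the two countermeasures named above (random delays, cover traffic) can be made concrete with a constructed simulation. This is example code added here, not part of the post or of Tor: it models only packet timestamps inside a 60 s window, with an assumed bursty client flow, an assumed 200 ms correlation bin, an assumed 60 ms path latency, and an attacker who scores each exit-side flow by its best Pearson correlation against the entry-side flow over a small range of lags. Relay-side random delay and Poisson cover traffic are toggled by parameters; everything else is fixed by the seed so the run is reproducible.

```python
"""Constructed simulation of an end-to-end timing-correlation attack on an
onion-routed flow, with and without random delays and cover traffic.
Example code added to this page; it is not Tor code and models no real
relay behaviour, only packet timestamps in an observation window."""
import random

BIN_MS = 200        # bin width used by the correlating observer (assumed)
WINDOW_MS = 60_000  # 60 s observation window (assumed)


def make_flow(rng, window_ms=WINDOW_MS):
    """Constructed client flow: bursty packet timestamps in ms.
    Short gaps (mean 20 ms) inside a burst, long gaps (mean 1.5 s) between."""
    t, times = 0.0, []
    while True:
        mean_gap = 20.0 if rng.random() < 0.8 else 1500.0
        t += rng.expovariate(1.0 / mean_gap)
        if t >= window_ms:
            return times
        times.append(t)


def observe_at_exit(rng, entry_times, latency_ms=60.0, jitter_ms=5.0,
                    random_delay_ms=0.0, cover_rate_per_s=0.0,
                    window_ms=WINDOW_MS):
    """Timestamps an exit-side observer sees for one circuit.
    Each client packet is shifted by path latency plus jitter; with
    random_delay_ms > 0 a relay adds an extra uniform per-packet delay while
    keeping packet order; with cover_rate_per_s > 0 the circuit also carries
    Poisson-distributed dummy packets the observer cannot tell from real ones."""
    out, last = [], 0.0
    for t in entry_times:
        d = latency_ms + rng.gauss(0.0, jitter_ms) + rng.uniform(0.0, random_delay_ms)
        last = max(last, t + d)  # a relay queue does not reorder cells
        out.append(last)
    if cover_rate_per_s > 0:
        t = 0.0
        while True:
            t += rng.expovariate(cover_rate_per_s / 1000.0)
            if t >= window_ms:
                break
            out.append(t)
    return sorted(t for t in out if t < window_ms)


def bin_counts(times, bin_ms=BIN_MS, window_ms=WINDOW_MS):
    """Packets per bin: the only thing the observer keeps per flow."""
    counts = [0] * (window_ms // bin_ms)
    for t in times:
        i = int(t // bin_ms)
        if 0 <= i < len(counts):
            counts[i] += 1
    return counts


def pearson(a, b):
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return 0.0 if va == 0 or vb == 0 else cov / (va * vb) ** 0.5


def correlate(entry_bins, exit_bins, max_lag_bins=12):
    """Attacker score: best correlation over exit lags of 0..max_lag bins,
    since the attacker does not know the exact path latency."""
    return max(pearson(entry_bins[:len(entry_bins) - lag], exit_bins[lag:])
               for lag in range(max_lag_bins + 1))


def run_attack(seed=7, n_decoys=5, random_delay_ms=0.0, cover_rate_per_s=0.0):
    """Observer sees the target's entry-side timing and n_decoys + 1 exit-side
    flows. Returns (true-flow score, best decoy score, true flow ranked first)."""
    rng = random.Random(seed)
    target = make_flow(rng)
    entry = bin_counts(target)
    kw = dict(random_delay_ms=random_delay_ms, cover_rate_per_s=cover_rate_per_s)
    true_exit = bin_counts(observe_at_exit(rng, target, **kw))
    decoys = [bin_counts(observe_at_exit(rng, make_flow(rng), **kw))
              for _ in range(n_decoys)]
    true_score = correlate(entry, true_exit)
    decoy_best = max(correlate(entry, d) for d in decoys)
    return true_score, decoy_best, true_score > decoy_best


if __name__ == "__main__":
    for label, kw in [("no defences", {}),
                      ("random delay 0-1500 ms + 3 cover pkt/s",
                       {"random_delay_ms": 1500.0, "cover_rate_per_s": 3.0})]:
        true_score, decoy_best, matched = run_attack(**kw)
        print(f"{label}: true={true_score:.2f} best decoy={decoy_best:.2f} matched={matched}")
```

Without defences the true exit flow scores far above every decoy because the bursts line up once the lag is found; with per-packet random delay the bursts land at different offsets so no single lag aligns them, and cover traffic raises the noise floor in every bin. The simulation also shows the cost the post alludes to: the delays add up to 1.5 s of latency and the cover packets are pure bandwidth overhead. Whether a single run still ranks the true flow first is a matter of chance, which is why a realistic attacker would observe much longer than 60 s, and why the post speaks of attacks "over extended periods of time".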
GitLab security advisory: GitLab Critical Patch Release: 17.3.3, 17.2.7, 17.1.8, 17.0.8, 16.11.10
CVE-2024-45409 (perfect 10.0 critical 🥳 cc: @cR0w) SAML authentication bypass
GitLab doing me a heccin' concern because they're already talking about detecting unsuccessful and successful exploitation attempts. I can't definitively say if exploitation in the wild occurred based on the verbiage in this advisory.
The city of 's-Hertogenbosch is multiple examples of "falsehoods programmers believe about place names"
Android Virtualization Framework - runs the "host" (Android and Linux kernel) in a VM and launches isolated envs. (= pVMs). Based on KVM but offloads complex code to the host VM. pVM firmware is in Rust
- https://www.youtube.com/watch?v=K24dmA7QGLE
- https://source.android.com/docs/core/virtualization/security
- https://android.googlesource.com/platform/packages/modules/Virtualization/+/refs/tags/aml_con_341511080/pvmfw/
From the WTAF dept: 3 killed, > 1,000 wounded in Beirut by exploding pagers:
"BEIRUT, Sept 17 (Reuters) - At least three people were killed and more than 1,000 others including Hezbollah fighters, medics and Iran's envoy to Beirut were wounded on Tuesday when the pagers they use to communicate exploded across Lebanon, security sources told Reuters.
A Hezbollah official, speaking on condition of anonymity, said the detonation of the pagers was the "biggest security breach" the group had been subjected to in nearly a year of conflict with Israel."
via @dangoodin
The web Hackvertor now has all of the tags to conduct email parser discrepancy attacks.
Ok, my article on porting the SBCL common #lisp implementation to the nintendo #switch is now live:
https://reader.tymoon.eu/article/437
Boosts would be much appreciated! It's been a lot of work to get this far.
I'd like to share some of my projects that are hosted on @github. Let's start with my public #exploits that span more than two decades of #pwning.
https://github.com/0xdea/exploits
"You can't argue with a root shell." -- Felix "FX" Lindner
Probably the most known is raptor_udf.c that targets #MySQL (those of you who solved the @offsec #OSCP training labs should recognize it).
My favorite is still raptor_rlogin.c, a glorious #Solaris #RCE from the early 2000s. Take your pick!
On some level I think people become stronger engineers by running their own databases for a time. Pulling back the cover and seeing the hidden complexity can breed an understanding that serves folks well.
Obviously not a requirement--but something to consider.
CVE-2024-8190: Investigating CISA KEV Ivanti Cloud Service Appliance Command Injection Vulnerability https://www.horizon3.ai/attack-research/cisa-kev-cve-2024-8190-ivanti-csa-command-injection/
Oh shit the vDSO implementation of getrandom() landed in Linux 6.11.
Might remove one of the last performance objections to using the kernel CSPRNG for everything, the syscall overhead.
I have a large CL chain for crypto/rand, might as well add support for that...