Troubleshooting the O365 Message Reporting Add-on for Splunk

Periodically this thing dies on me. It happened again, so here are my notes.

Messages stopped coming in, I got an alert, and found this log:

2019-11-11 13:53:56,750 DEBUG pid=20951 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): reports.office365.com
2019-11-11 13:53:57,019 DEBUG pid=20951 tid=MainThread file=connectionpool.py:_make_request:400 | https://reports.office365.com:443 "GET /ecp/reportingwebservice/reporting.svc/MessageTrace?$filter=StartDate%20eq%20datetime'2019-10-22T02:53:08.114678Z'%20and%20EndDate%20eq%20datetime'2019-10-22T03:08:08.114678Z' HTTP/1.1" 200 216
2019-11-11 13:53:57,022 DEBUG pid=20951 tid=MainThread file=base_modinput.py:log_debug:286 | No messages returned.  Setting max date to 2019-10-22 02:54:08.114678

The “No messages returned.” bit was the kicker. Lies!


Nobody Dies in Longyearbyen

A fascinating look at the northernmost city in the world, touched by climate change in ways you wouldn’t expect.


Facebook Engineering and SSH Keys

This post on the Facebook Engineering blog about scalable and secure access with SSH really makes me wonder how this would be doable at scale without a fleet of developers to build your own system for it.

The advice at the end is probably the most important information any AAA system team can take heed of:

A few parting words of advice: When you build your CA, be it a small script or a complex system, make sure you keep track of all certificates you issue. If you find yourself in the unfortunate situation of having a compromised certificate (and its respective private keys) and you don’t know how to revoke them, your last resort is to rotate the entire CA. If you end up having a programmatic CA, consider having short-lived certificates, e.g., 24 hours. This shortens the window of opportunity for an attack if you experience a compromise.


DictWriter instance has no attribute '__exit__'

So I’m messing around with a DictWriter and was trying to use the typical “with” syntax I use with short-lived things in Python… and got this error:

Error: DictWriter instance has no attribute '__exit__'

Turns out that’s not really a thing, and I should have followed the example. Don’t judge me for using Py2; Splunk hasn’t caught up (yet).


git xcrun error after Catalina upgrade

It’s been pretty smooth after upgrading to Catalina, but I got this error when trying to run git this morning…

xcrun: error: invalid active developer path (/Library/Developer/CommandLineTools), missing xcrun at: /Library/Developer/CommandLineTools/usr/bin/xcrun

Easily fixed…

xcode-select --install

Let it do the thing and you’ll be back in business.

Updates:

  • If you’re still getting the “bash is going away” prompt, add export BASH_SILENCE_DEPRECATION_WARNING=1 to ~/.bash_profile
  • terraform wouldn’t load because it’s not signed by something Apple likes, so here’s an article on how to fix terraform - tl;dr find the binary in the Finder and right-click, Open, Allow.

Kawaiicon 2019 Day One

Awesome intro, out with the old, in with the new

Runa Sandvik, look ma we are here

@runasand

  • Tor and SecureDrop contributor
  • Hacked a sniper rifle
  • Works at NYT
  • the industry was “PoC or GTFO”
  • narrator: but she didn’t
  • and that’s ok
  • if you believe there’s a gap and a skill set, you can create your own niche, job, industry
  • what are you up to?

Peter firman - automotive security

  • grab slides
  • some of those aren’t even protocols, they’re vulnerabilities with wire formats
  • exciting and safe… not how you expect
  • “trust” is more like “forced on you” in the IT industry
  • faults and errors are OK, they happen and can be mitigated - they have to escape mitigations to be a problem
  • Dependability is key
  • fault mitigation in crypto - it either works or just burns and you don’t know where you are
  • Timing predictions can be filed in “fiction”
  • you can restart a 1996 Toyota ECU at 180kph and you only see an ignition ping miss
  • Restarting every day is valid mitigation, try that with a web server
  • US allows self-certification, no one else does
  • Outside the US, you can’t change it once it’s approved
  • Tesla OTA brake updates were… fun?
  • new design: Linux. Buy a train pass?
  • software security in the presence of faults talk
  • why would hackers care? Where’s the money?
  • autobahn firmware updates? Oh nose

endpoint security selection

Missed this one


Kawaiicon 2019 Day Two

Tesla cool guy

  • Pretty fun: IGBTs for control, export controls etc.
  • Hilarity ensues

finding a poisonous seed

  • @negarshbb
  • @noushinshbb
  • trust and supply chain attacks on developers

malware examples

  • induc
  • Xcodeghost
  • ShadowPad
  • Something else? Tuned out
  • ccleaner

first do no harm

  • news stories
  • Izzi, CertNZ
  • everyone influences news, by advertising or providing stories and so forth
    • paid placements
    • Experts… “experts”
    • influence & influencers
  • journalism has a critical role in society, considering things and context
  • teach and learn, engage with the communicators. Media teams don’t know tech
  • we need to engage in a way that doesn’t just show how smart we are, or how scary it is
  • tell stories about cred dumps, not MFA and artisanal firewalls

level one

  • become a critical reader of the media
    • who’s pushing it
    • Why now
    • Who’s on stage
  • help people you like with things

level two

  • engage with the Comms team
  • Build relationships with them
  • Use them to tell stories
  • Broaden your influence, take every opportunity to drive change
  • Myth bust rather than eye roll

level three

  • talk to your boss before this!
  • be a source of truth (answer questions, provide info)
  • correct mistakes in public media stories
  • Make yourself available to media
  • hire Comms people

sparkle talks!

fingerprinting encrypted traffic

Uncrackable lockbox

  • algomachines.com u/cryptocomicon
  • Timelock custom encryption
  • Posts on reddit with challenges


purplecon 2019

The 87th annual purplecon was delightful and fun. Eschewing the typical black hoodies and replacing them with sparkles was an amazing choice and drove the friendly, welcoming feel of the entire con.

All talks were required to be:

  • positive,
  • defensive, and
  • actionable.

Which means they’re not just stunt hacking or dropping 0-days - they’re designed to improve the state of the art. The “great archive” is going to be a text archive summary of the talks, so…


sssd and the sudo alerts

So… I kept getting a message like this every. single. time. I. used. sudo.

Subject: *** SECURITY information for server.domain.example.com ***
Message: server.domain.example.com : Oct 19 14:17:50 : yaleman : problem with defaults entries ; TTY=pts/0 ; PWD=/home/yaleman ; USER=root ;

Doing some searching, it turns out it’s some issue with local accounts and an interaction between sudo and sssd where defaults aren’t being presented to sssd from FreeIPA/LDAP. It’s more a warning than a bug, but it’s freaking annoying.


2019 10 03 Bee Logos, QR and SVGs

Editing the bee logo, using http://goqr.me/#t=url and https://editor.method.ac/#move_back

at the top of the SVG was this:

So we’ve got a 270x270 image, background is white. I want no background!

Change it to

Setting fill-opacity to 0

Next up was changing black to yellow

<g id="elements">
	<path style="fill:rgb(0, 0, 0)"

change to

<g id="elements">
	<path style="fill:rgb(240,196,25)"

Thanks to stickermule for enabling the promotion of this silly project :)
