Stephan Bridger
@hexagr.bsky.social
Researcher, hacker, person with many interests. https://mastodon.social/@hexagr
When you update all of your software and it doesn't break any of your workflows. Very suspicious.
July 13, 2024 at 10:54 AM
When you update all of your software and it doesn't break any of your workflows. Very suspicious.
Reposted by Stephan Bridger
I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission.
The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system().
It's RCE, not auth bypass, and gated/unreplayable.
The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system().
It's RCE, not auth bypass, and gated/unreplayable.
This might be the best executed supply chain attack we've seen described in the open, and it's a nightmare scenario: malicious, competent, authorized upstream in a widely used library.
Looks like this got caught by chance. Wonder how long it would have taken otherwise.
Looks like this got caught by chance. Wonder how long it would have taken otherwise.
Woah. Backdoor in liblzma targeting ssh servers.
www.openwall.com/lists/oss-se...
It has everything: malicious upstream, masterful obfuscation, detection due to performance degradation, inclusion in OpenSSH via distro patches for systemd support…
Now I’m curious what it does in RSA_public_decrypt
www.openwall.com/lists/oss-se...
It has everything: malicious upstream, masterful obfuscation, detection due to performance degradation, inclusion in OpenSSH via distro patches for systemd support…
Now I’m curious what it does in RSA_public_decrypt
March 30, 2024 at 5:13 PM
I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission.
The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system().
It's RCE, not auth bypass, and gated/unreplayable.
The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system().
It's RCE, not auth bypass, and gated/unreplayable.
Imagine referring to the current moment as the "present." Boy are you going to look silly in a few nanoseconds.
March 16, 2024 at 9:10 PM
Imagine referring to the current moment as the "present." Boy are you going to look silly in a few nanoseconds.
Don't worry; you have nothing to fear but the foolish things you do when you believe you have nothing to fear.
March 16, 2024 at 7:49 PM
Don't worry; you have nothing to fear but the foolish things you do when you believe you have nothing to fear.
The people who can’t remember things. The people who can’t forget things.
February 11, 2024 at 12:19 AM
The people who can’t remember things. The people who can’t forget things.
We must take a stand and confront the truth: that frozen spinach is superior to canned spinach.
February 5, 2024 at 12:38 AM
We must take a stand and confront the truth: that frozen spinach is superior to canned spinach.
Cats are intelligent and seem to defy physics. But the real reason they manage to get around problems is that they literally approach them from different angles, which few other animals do.
January 31, 2024 at 1:30 AM
Cats are intelligent and seem to defy physics. But the real reason they manage to get around problems is that they literally approach them from different angles, which few other animals do.
If time is the most valuable currency, the theft of others’ time is a particular act of cruelty—one that perhaps can never be atoned for. It’s just not something you can give back.
January 31, 2024 at 12:36 AM
If time is the most valuable currency, the theft of others’ time is a particular act of cruelty—one that perhaps can never be atoned for. It’s just not something you can give back.
Normalize saying “Hmm, not exactly” when you mean no. For comedic purposes.
January 27, 2024 at 4:20 AM
Normalize saying “Hmm, not exactly” when you mean no. For comedic purposes.
When the sun burns out, I just use a pea and the Banach-Tarski paradox to construct a new one. Why, what do you do, sir?
January 25, 2024 at 5:40 PM
When the sun burns out, I just use a pea and the Banach-Tarski paradox to construct a new one. Why, what do you do, sir?
They say that 90% of people with ADHD or OCD give up right before they’re about to achieve the cultivation of morally correct desires. Never stop grinding.
January 20, 2024 at 5:43 PM
They say that 90% of people with ADHD or OCD give up right before they’re about to achieve the cultivation of morally correct desires. Never stop grinding.
Me: “Don’t you see? Hell is other people.”
Them: “So, you’re telling me I get to be other people’s hell?”
Me: “Yes, that’s the spirit.”
Them: “So, you’re telling me I get to be other people’s hell?”
Me: “Yes, that’s the spirit.”
January 20, 2024 at 5:14 PM
Me: “Don’t you see? Hell is other people.”
Them: “So, you’re telling me I get to be other people’s hell?”
Me: “Yes, that’s the spirit.”
Them: “So, you’re telling me I get to be other people’s hell?”
Me: “Yes, that’s the spirit.”
Have you tried solving the problem by spoon-feeding it basic, fundamental truths so it can rearrange its world model and solve itself?
January 20, 2024 at 4:47 PM
Have you tried solving the problem by spoon-feeding it basic, fundamental truths so it can rearrange its world model and solve itself?
All dogs eat. Therefore all dogs bite. Therefore “my dog doesn’t bite” is a universally false claim.
January 20, 2024 at 3:18 PM
All dogs eat. Therefore all dogs bite. Therefore “my dog doesn’t bite” is a universally false claim.
Reposted by Stephan Bridger
The 2008 Debian OpenSSL entropy bug [1] was introduced solely by deleting code
[1] www.schneier.com/blog/archive...
[1] www.schneier.com/blog/archive...
i’m a perfect programmer these days, have introduced zero bugs in the past year.
(by writing zero code)
(by writing zero code)
January 19, 2024 at 4:30 AM
The 2008 Debian OpenSSL entropy bug [1] was introduced solely by deleting code
[1] www.schneier.com/blog/archive...
[1] www.schneier.com/blog/archive...
Time machines don’t exist. So, if past you did something that has inevitably imprisoned present you, I’m not sure how to help. But maybe just noticing this out loud will help future people.
January 18, 2024 at 11:46 PM
Time machines don’t exist. So, if past you did something that has inevitably imprisoned present you, I’m not sure how to help. But maybe just noticing this out loud will help future people.
*Looks at you and then my notes*: Ah, I see. You’re haunted.
January 18, 2024 at 11:02 PM
*Looks at you and then my notes*: Ah, I see. You’re haunted.
An executioner who doesn't kill anyone. Instead, it’s just a guy who's really good at planning and commitment.
January 18, 2024 at 9:00 PM
An executioner who doesn't kill anyone. Instead, it’s just a guy who's really good at planning and commitment.
A lot of people think that time is a river, an ocean, or that it's made out of some derivative of hydrogen. But it's actually made of stone.
January 18, 2024 at 5:31 PM
A lot of people think that time is a river, an ocean, or that it's made out of some derivative of hydrogen. But it's actually made of stone.
The ability to feel pain and regret is actually related to the protection reflex.
The inability to feel pain or regret is related to the self-destruction reflex.
The inability to feel pain or regret is related to the self-destruction reflex.
January 18, 2024 at 5:23 PM
The ability to feel pain and regret is actually related to the protection reflex.
The inability to feel pain or regret is related to the self-destruction reflex.
The inability to feel pain or regret is related to the self-destruction reflex.
Tonight I opened a physical book instead of a PDF or blog post, and it was like remembering some ancient sacred experience I’d almost forgotten about.
January 17, 2024 at 5:01 AM
Tonight I opened a physical book instead of a PDF or blog post, and it was like remembering some ancient sacred experience I’d almost forgotten about.
Babe, would you still love me if I worked as a software engineer at Google?
January 15, 2024 at 10:47 PM
Babe, would you still love me if I worked as a software engineer at Google?
Voluntary and involuntary have opposite meanings. But flammable and inflammable both mean flammable. Language is unapologetically inconsistent.
January 15, 2024 at 9:31 PM
Voluntary and involuntary have opposite meanings. But flammable and inflammable both mean flammable. Language is unapologetically inconsistent.
An alternate universe with a podcast called the Joe Organ Experience.
It’s a livestream of a guy harvesting baboon organs.
It’s a livestream of a guy harvesting baboon organs.
January 15, 2024 at 8:22 PM
An alternate universe with a podcast called the Joe Organ Experience.
It’s a livestream of a guy harvesting baboon organs.
It’s a livestream of a guy harvesting baboon organs.
There exist concepts that are so important, so subtle, yet so incredibly obvious—that if you ever find yourself explaining them aloud verbatim, you can safely assume that something has gone terribly wrong.
January 15, 2024 at 6:28 PM
There exist concepts that are so important, so subtle, yet so incredibly obvious—that if you ever find yourself explaining them aloud verbatim, you can safely assume that something has gone terribly wrong.