**** BEGIN LOGGING AT Tue Mar 25 02:59:58 2014
Mar 25 03:39:43 Snafu777: I run Gentoo on my N900
Mar 25 03:40:33 heh
Mar 25 03:40:55 I'm running maemo, and the more I dig into it, the more it seems I'm going to have to install openssl from source as well
Mar 25 03:41:00 This is a frickin nightmare
Mar 25 03:41:10 I didn't even have this much trouble with curl, and that was a bitch
Mar 25 03:41:35 How can I find out where the openssl library headers are located on the n900?
Mar 25 03:45:06 I don't think headers are on the device, dev repo/packages were meant for scratchbox environment
Mar 25 03:46:15 dpkg-query -L libssl-dev
Mar 25 03:46:23 should list all files provided by libssl-dev
Mar 25 03:48:26 There are definitely header files under /usr/include/openssl
Mar 25 03:48:38 hmm
Mar 25 03:49:27 Learned a new command today thanks to u bef0rd =)
Mar 25 03:49:30 dpkg-query -L
Mar 25 03:49:33 handy
Mar 25 03:49:40 normally - dpkg -x the file
Mar 25 03:49:45 and view the contents
Mar 25 03:54:17 So here is a question while I wait on configure to die or work
Mar 25 03:54:25 Anyone ever considered using /etc/shadow on the n900?
Mar 25 03:58:29 This is why people shouldn't make phone OSes.
Mar 25 03:58:41 They should just make phone software that runs on normal OSes.
Mar 25 03:58:48 =)
Mar 25 03:59:17 No, this is why security should have been incorporated into the phone to begin with
Mar 25 03:59:22 no /etc/shadow
Mar 25 03:59:27 DES for the backend
Mar 25 03:59:39 N900 is a wonder to behold
Mar 25 03:59:47 The world's smallest handheld pentest device
Mar 25 03:59:53 /etc/shadow is a file used by certain applications.
Mar 25 04:00:01 Yet vulnerable in ways that should have been BYGONE long ago
Mar 25 04:00:03 Agreed
Mar 25 04:00:14 but they didn't incorporate shadowing into the os
Mar 25 04:00:22 Do you know how easy it would be to pwn this phone ?
Mar 25 04:00:36 Because they didn't include programs that needed it.
Mar 25 04:00:37 Most of the .debs are outdated on it
Mar 25 04:00:47 I love my n900, don't get me wrong
Mar 25 04:00:58 Nods
Mar 25 04:01:03 if you install the sshd from the repository it creates /etc/shadow
Mar 25 04:01:17 They had security as an afterthought
Mar 25 04:01:24 sshd from repo does not create /etc/shadow
Mar 25 04:01:44 unless you are referring to another ssh daemon vs openssh
Mar 25 04:01:52 No, openssh.
Mar 25 04:02:01 maybe it's something special with the application manager then.
Mar 25 04:02:16 I also have the user* programs installed somehow.
Mar 25 04:02:22 Do you have maemo on your device Maxdamantus ?
Mar 25 04:02:26 Yes.
Mar 25 04:02:31 and you have /etc/shadow?
Mar 25 04:02:58 Ah, no, only /etc/passwd
Mar 25 04:03:05 it stores the password in there.
Mar 25 04:03:07 .
Mar 25 04:03:12 yes it does
Mar 25 04:03:26 Like I said, vulnerable as hell
Mar 25 04:03:31 Why?
Mar 25 04:03:36 /etc/passwd?
Mar 25 04:03:44 Because it uses DES
Mar 25 04:03:48 Ah, because other people can use it.
Mar 25 04:03:50 Let alone that it's world readable
Mar 25 04:03:59 you should be able to use other encryptions .. it's up to libcrypt
Mar 25 04:04:09 So how do we configure that?
Mar 25 04:04:27 I don't need to compile pam support into openssh if i can do just that
Mar 25 04:04:37 but i want to go with PAM to get around the DES issue
Mar 25 04:05:35 just copy the password from another system.
Mar 25 04:05:43 probably the easiest way.
Mar 25 04:06:29 and get locked out of the system?
Mar 25 04:06:32 (to use something other than DES)
Mar 25 04:06:43 Wouldn't that snap /etc/passwd?
Mar 25 04:06:53 I mean I guess i can try real quick
Mar 25 04:06:55 one sec
Mar 25 04:07:14 mm .. didn't work
Mar 25 04:09:25 Definitely did not work =9
Mar 25 04:11:44 Well, I'm going to grab openssl
Mar 25 04:11:46 compile it
Mar 25 04:11:53 grab the libraries
Mar 25 04:12:17 drop them in a custom location on the OS
Mar 25 04:12:24 see if i can perform a nasty hack
Mar 25 04:13:24 * Snafu777 <--- wishes he knew more about c++
Mar 25 04:14:12 The thing to find out is if i compile it when the libraries exist, will it run when the libraries no longer are there
Mar 25 04:14:22 that way i don't have extraneous files lying about
Mar 25 04:16:27 Static libraries increase the overall size of the binary, but it means that you don't need to carry along a copy of the library that is being used. As the code is connected at compile time there are not any additional run-time loading costs. The code is simply there.
Mar 25 04:16:36 And it shall work, and it shall be named George!
Mar 25 04:17:46 Maxdamantus: Got sshd installed on your n900?
Mar 25 04:18:18 Yes.
Mar 25 04:18:23 openssh
Mar 25 04:18:27 Want to see the vulnerability I speak of?
Mar 25 04:18:44 ssh -l root 127.0.0.1
Mar 25 04:18:51 enter the first eight chars of your root pword
Mar 25 04:18:55 p00f, you are in
Mar 25 04:22:26 And did it work?
Mar 25 04:24:59 (( no /etc/shadow [2014-03-25 05:00:22] Do you know how easy it would be to pwn this phone ?)) Nonsense. Maemo is basically a single-user OS. /etc/shadow is meant to defeat threats from legit users that have access to /etc/passwd. Evidently on maemo that makes no sense
Mar 25 04:25:38 /etc/shadow is meant to defeat threats from non-legit users as well
Mar 25 04:26:12 it's just as nonsensical as is the approach to obfuscate your email POP/IMAP passwords in your mail client's config files, to hide them from the user
Mar 25 04:26:13 tbh, it should be reasonably secure with a different encryption algorithm.
Mar 25 04:26:23 Snafu777: that's bullshit
Mar 25 04:26:25 it looks like libcrypt isn't the normal one used on Linux systems (which is part of glibc)
Mar 25 04:26:54 DocScrutinizer05: Let's say I get a non privileged user account on a system I am not supposed to have access to
Mar 25 04:27:10 Snafu777: you're not supposed to fileshare /etc/passwd to a ftp server
Mar 25 04:27:15 I can snarf the contents of /etc/passwd
Mar 25 04:27:21 But i cannot see /etc/shadow
Mar 25 04:27:32 And windows is bulletproof
Mar 25 04:27:38 let's say you say random stuff
Mar 25 04:29:43 it supports md5
Mar 25 04:29:54 though that's considered broken
Mar 25 04:30:06 when you make it onto a system that you're not supposed to have any access to, nothing warrants that you can access /etc/passwd but not /etc/shadow - you shouldn't have access to anything on that system, once you have access it's up to your skills while hacking the system what permissions you hacked for you
Mar 25 04:30:08 I think it needs to be upgraded to support sha.
Mar 25 04:30:21 DocScrutinizer05: I just think of things like an attacker would
Mar 25 04:30:37 no, you think of things like a script kiddie would
Mar 25 04:30:53 Okay, so do you have a sim card in your phone DocScrutinizer05 ?
Mar 25 04:31:49 I'll assume yes
Mar 25 04:32:01 Yeah, md5 works.
Mar 25 04:32:30 Doesn't let me enter a partial password at least.
Mar 25 04:32:34 On that thought, do you really trust cell phone companies to provide proper security posturing on their routers to prevent user a from attacking user b on the same subnet
Mar 25 04:32:41 If you believe that
Mar 25 04:33:06 wtf?
Mar 25 04:33:17 not interested in that nonsense
Mar 25 04:33:23 dig @ans2.o1.com o1.com axfr
Mar 25 04:33:26 There u go
Mar 25 04:33:28 a major ISP
Mar 25 04:34:20 So yes, I do care if my phone can be bruteforced via ssh in 72^8 (average password characters of 72 character possibilities, a-z, 1-9 with an 8 char max)
Mar 25 04:34:25 https://gist.githubusercontent.com/Maxdamantus/00aa3766f3d560e8637a/raw/d8ae9d08e27557f1e70c7c296f939a254b84063c/gistfile1.txt
Mar 25 04:34:31 because the world SUCKS at cyber security
Mar 25 04:34:31 can compile that with -lcrypt
Mar 25 04:34:41 Cool Maxdamantus I shall check it out
Mar 25 04:34:41 then don't enable sshd
Mar 25 04:34:44 Snafu777: sorry, you have no decent idea of how to manage a system
Mar 25 04:34:46 then: ./a.out \$1\$$(tr -dc a-zA-Z0-9./ < /dev/urandom | head -c 8)
Mar 25 04:34:57 I'm not a sysadmin DocScrutinizer05
Mar 25 04:35:00 There's also a `crypt` command installed, but it doesn't hide the input.
Mar 25 04:35:03 obviously
Mar 25 04:35:04 I get paid to prevent others from breaking in
Mar 25 04:35:18 OMG
Mar 25 04:35:29 Cool Maxdamantus: Glad I at least got one person spun up on the security idea
Mar 25 04:35:29 =)
Mar 25 04:35:39 well, it's md5, so it's not really secure.
Mar 25 04:35:42 Still
Mar 25 04:35:45 but it's more secure than DES.
Mar 25 04:35:46 prevents partial passwords right?
Mar 25 04:35:51 Yes.
Mar 25 04:35:57 i don't care about the bits and bytes
Mar 25 04:36:06 just the lack of actually checking for my full password
Mar 25 04:36:12 they want to bruteforce, go for it
Mar 25 04:36:14 =)
Mar 25 04:36:28 you don't want to allow password auth? fine! forbid it, only allow ssh publey auth
Mar 25 04:36:28 You don't need to brute force if you can see the hash.
Mar 25 04:36:38 pubkey even
Mar 25 04:36:39 Well, you need to brute force a bit
Mar 25 04:36:56 true, but my /etc/passwd isn't visible
Mar 25 04:37:00 but you don't need to try every input: you can generate matches for given hashes in far less time.
Mar 25 04:37:03 also, changing from DES to anything else will not prevent people from bruteforcing over ssh...
Mar 25 04:37:11 I didn't say they would bef0rd
Mar 25 04:37:18 I want to prevent a 72^8 attack
Mar 25 04:37:31 That's it
Mar 25 04:37:31 * DocScrutinizer05 headdesks
Mar 25 04:37:56 72^8 = 722204136308736
Mar 25 04:38:09 yes it does
Mar 25 04:38:17 however
Mar 25 04:38:23 It's a phone
Mar 25 04:38:28 odds are root password is not strong
Mar 25 04:38:31 due to small keyboard
Mar 25 04:38:34 Human nature
Mar 25 04:38:37 etc... blah blah blah
Mar 25 04:38:52 and most likely a left right or right left cascade
Mar 25 04:38:55 >>blah blah blah<< first true statement
Mar 25 04:39:14 DocScrutinizer05: I'm not trying to butt heads with ya man. U got skills that far surpass me in many respects
Mar 25 04:39:38 maemo HAS NO root password, usually
Mar 25 04:39:48 I'm just making a valid point about the in-security that is inherent on the n900
Mar 25 04:40:17 no, you jave no idea about how n900 aka fremantle works
Mar 25 04:40:22 have*
Mar 25 04:41:27 you're trying to find the bricks to close the window for good, while letting the door wide open, in your efforts to stop the flood
Mar 25 04:41:43 I'm just going for the basics of a NIST checklist
Mar 25 04:42:01 your checklist doesn't apply to maemo. Evidently
Mar 25 04:42:12 Agreed, there is no Maemo specific checklist
Mar 25 04:42:30 search for Hildon Application Manager on your list. Search for rootsh on your list
Mar 25 04:42:43 yes i agree
Mar 25 04:43:01 and i plan to harden my gui launched apps that require root later on
Mar 25 04:43:03 not sure if i can
Mar 25 04:43:08 but i read about it somewhere
Mar 25 04:43:13 and ham i never use
Mar 25 04:43:20 I hate guis when i can command line something
Mar 25 04:43:29 I only like guis for stuff i don't want to command line
Mar 25 04:43:33 you're giving a 3 (or more?) days live performance of ~xy here
Mar 25 04:43:37 like launching an evil twin router attack
Mar 25 04:43:45 I'm just me DocScrutinizer05
Mar 25 04:43:58 I'll always be me. And I'll always get paid to be me =)
Mar 25 04:44:13 I have a job that I love very much and it allows me to play with a keyboard.
Mar 25 04:44:17 How bad can it really be?
Mar 25 04:44:24 we're not paid for attending this performance
Mar 25 04:44:31 Sure you are
Mar 25 04:44:37 I'm charging you $28 an hour
Mar 25 04:45:22 sorry, dude. I have to take care about my logs not getting filled with noise
Mar 25 05:02:58 Welp, off to bed
Mar 25 05:03:03 Goodnight world
Mar 25 05:03:27 gotta get a good night's sleep. Picking up a truckload of bricks tomorrow at home depot. Got a big window I'm building a frame around tomorrow
Mar 25 05:07:19 my N900 has exactly one open port. While it's the ssh service running on that port, it's not port 22. So no matter where I'm roaming with my N900, the likelihood that somebody would find out about that open port and try a brute force attack on it is minimal. At home my N900 is behind my local NAT and thus not reachable from global internet anyway, only locally. When somebody actually would find out about that port where my sshd runs
Mar 25 05:07:21 while I'm roaming on 3G and would start a brute force attack, I'd feel pretty pissed about my battery going flatline or my /var/log/syslog clogging rootfs and this bringing system to a grinding halt - whatever will happen first. Way before that brute force attack will notice that not a single one of the usernames they come up with has a valid password auth to log in via ssh
Mar 25 05:08:50 and nota bene standard default fremantle has no sshd running at all, so in the end it's *you*, the user, who ruined security when you configure an insecure sshd and make it run all the time on your N900
Mar 25 05:18:17 and *all* of that becomes totally irrelevant anyway, as soon as you ignore all good advice and best practice and do a dozen things strictly deprecated on either any system (installing packages not meant for that platform) or particularly on that system (not using HAM and rather doing everything via dpkg. OMG). All perceived security flaws after doing such mayhem to maemo are not worth a single line in IRC to discuss how to fix them, since
Mar 25 05:18:19 they shouldn't be there to start with
Mar 25 07:16:06 /clear/clear
Mar 25 08:30:34 well. i guess there is a bug in lockscreen. it checks only first ten numbers
Mar 25 08:31:12 first nine*
Mar 25 08:46:00 oh.
Mar 25 08:46:25 it's fucked up even more
Mar 25 08:46:50 only a few first letters need to be true
Mar 25 08:48:24 i'll investigate it at home :P
Mar 25 09:03:32 D:
Mar 25 10:20:15 I'd not be surprised to find the lockscreen password limited to 5 chars
Mar 25 10:21:04 heck, my credit card password is limited to 4
Mar 25 10:26:20 I at least have 6..
Mar 25 10:26:54 or, uh, you mean the "Enter lock code" screen or something else?
Mar 25 10:56:28 yes, enter lock code screen (which I've never seen in my life so far ;-D )
Mar 25 10:57:11 default lockcode is "12345"
Mar 25 10:58:00 I'd guess that's the fixed length this "password" has to be, according to the coder who built lockscreen
Mar 25 11:39:41 DocScrutinizer05: It goes up to 8. (Or, rather, it accepts input up to 10, but only the first 8 digits are meaningful.)
Mar 25 11:40:17 that's pretty in line with the hash/crypt() function used for passwd hashes
Mar 25 13:47:42 * Snafu777 hugs DocScrutinizer05
Mar 25 13:47:51 chpassword -m
Mar 25 13:47:55 user:password
Mar 25 13:47:56 ctrl+d
Mar 25 13:48:03 problem fixed
Mar 25 13:49:51 chpasswd rather
Mar 25 13:49:53 not chpassword
Mar 25 14:31:10 Snafu777: for scripts 'echo "user:password" | chpasswd' is very useful :-)
Mar 25 14:32:57 DocScrutinizer05: 5 numbers are enough to stop dumb friends from changing language to chinese :P
Mar 25 14:35:44 silviof: interesting
Mar 25 14:36:06 silviof: Main reason i threw that out there is that by default, maemo uses DES, and on ssh only 8 chars is needed for password
Mar 25 14:36:10 a security risk i think
Mar 25 14:38:14 What I would like to find out is: what file in the system controls des vs md5 for maemo for passwd
Mar 25 14:38:27 and honestly that's all the devicelock has been meant for
Mar 25 14:39:09 Snafu777: yes, if it is so then this is ugly. But you can set some nerv-parameters in sshd_config, like LoginGraceTime and so on
Mar 25 14:39:43 Agreed, but i'm not trying to harden sshd
Mar 25 14:39:50 I was trying to find a workaround for the des issue
Mar 25 14:43:14 So does anyone know that specific file that maemo uses, or is this some hardcoded by default thing?
Mar 25 14:53:32 Snafu777: /etc/pam.d/common-password?
Mar 25 14:56:00 password required pam_unix.so nullok obscure md5
Mar 25 15:05:10 warfare: hmm, on maemo?
Mar 25 15:05:48 IroN900:~# ll /etc/pam*
Mar 25 15:05:49 ls: Zugriff auf /etc/pam* nicht möglich: No such file or directory
Mar 25 15:17:45 DocScrutinizer05: my n900 has them. Belongs to libpam-runtime.
Mar 25 15:18:12 iirc optification came with PR1.2. Before that Nokia tried to cram *all* binaries into the 240MB rootfs, which probably made them a tad stingy regarding feature-richness of the system
Mar 25 15:18:28 weird
Mar 25 15:19:53 IroN900:~# find /lib/ /usr/lib -name '*pam*';echo $?
Mar 25 15:19:54 a little bit :)
Mar 25 15:19:55 0
Mar 25 15:21:21 IroN900:~# apt-cache policy libpam-runtime
Mar 25 15:21:22 libpam-runtime:
Mar 25 15:21:24 Installed: (none)
Mar 25 15:21:25 Candidate: 1.0.1-maemo3
Mar 25 15:21:27 Version table:
Mar 25 15:21:28 1.0.1-maemo3 0
Mar 25 15:21:30 500 http://repository.maemo.org fremantle-1.3/free Packages
Mar 25 15:22:35 I wonder what's the use of libpam when the executables don't use it
Mar 25 15:23:34 IroN900:~# apt-cache policy passwd
Mar 25 15:23:36 passwd:
Mar 25 15:23:37 Installed: 1:4.0.18.1-7+etch1maemo1.m5
Mar 25 15:23:39 Candidate: 1:4.0.18.1-7+etch1maemo1.m5
Mar 25 15:23:40 Version table:
Mar 25 15:23:42 *** 1:4.0.18.1-7+etch1maemo1.m5 0
Mar 25 15:23:43 500 https://downloads.maemo.nokia.com ./ Packages
Mar 25 15:25:27 ah, libpam-runtime gets pulled in through cvs, which gets pulled in through git-cvs which is depended on by git.
Mar 25 15:26:10 Well I'm glad I was able to spark something. Even if I have no idea what y'all are discussing as I don't do linux security =)
Mar 25 15:26:38 Snafu777: we were just wondering why some of us have /etc/pam.d and others don't.
Mar 25 15:27:24 git-cvs depended on by git ?
Mar 25 15:27:27 hmm
Mar 25 16:06:12 hello, i found the widget desktop-cmd, which fulfills my needs. but if it's installed, there are tapping errors on the whole display widgets and icons. has anyone an alternative for me?
Mar 25 16:09:13 morning :)
Mar 25 16:11:28 Hi
Mar 25 16:47:49 I'm not available for council meeting tonight
Mar 25 16:49:44 theblackcrow1: queenbeecon
Mar 25 16:50:03 theblackcrow1: though I never had problems with cmd execution widget
Mar 25 16:51:14 theblackcrow1: while queenbeecon is overkill and a real pita to configure, thanks to a zillion options. Well, test it, you might love it
Mar 25 16:53:17 talking about queenbeecon, does hildon-desktop properly handle desktop widgets with desktop refresh (as in queenbeecon for instance) and locked/inactive screen ?
Mar 25 16:53:33 it feels like it just sucks battery
Mar 25 16:54:09 and I suspect a few flaws in hildon-desktop code regarding this part, though I'm not sure :)
Mar 25 16:55:21 DocScrutinizer05: thanks, i'll try it :)
Mar 25 17:11:11 DocScrutinizer05: thanks, queen-beecon works very nice (until now) and wow, much to configure!
Mar 25 23:06:18 Does anyone know if Ruby1.9 has been ported for the n900 ?
Mar 26 00:26:48 Snafu777: why would it need to be ported?
Mar 26 00:27:30 Because it doesn't exist and building it from source must be done
Mar 26 00:27:43 I guess I could rephrase with is it apt-gettable
Mar 26 00:27:57 Point is, I'm working on creating it and adding the newest metasploit in =)
Mar 26 02:36:51 One thing I love about the n9 and n900...moreso than any other device I've used that is capable of accepting a sim, they don't stop you from doing anything WITHOUT a sim except the stuff you can ONLY do WITH one.
Mar 26 02:37:59 ...This comment was brought to you by random wanderings of thought processes subsequent to deciding to put my sim in my smartwatch for a while.
Mar 26 02:51:52 smartwatch :-o
**** ENDING LOGGING AT Wed Mar 26 02:59:59 2014