#bgp

I submitted a Pull Request to update MacPorts' rpki-client to 9.5 here:

https://github.com/macports/macports-ports/pull/28128

GitHub Continuous Integration checks passed!

Update: Or at least I thought they did?

Now seeing this error:

"Creating port index in /Users/runner/work/macports-ports1597/macports-ports1597/ports
Adding port net/rpki-client
signal interp lost
ports/.github/workflows/bootstrap.sh: line 150: 2047 Abort trap: 6 portindex -e
Error: Process completed with exit code 134."

o.O

From: https://github.com/artkiver/macports-ports1597/actions/runs/14437970476

Even though previously in the GitHub UI, it showed all three checks as green. wtfh? I mean, I hate GitHub and have less than no reason to trust it, but that's a new one, even for me.

If I check: https://github.com/macports/macports-ports/pull/28128/checks

All is green there too. I am so confused.

Regardless, it's up to someone else with commit access to merge it.

Meanwhile, still no assistance regarding my request for help on the MacPorts' patches for OpenSSH 10.0p1/2 for ssh-agent.c and sshd-session.c, but someone else did open another Trac issue regarding OpenSSH's logging (or lack thereof) here:

https://trac.macports.org/ticket/72345

Though, they also observe the same behavior with the Apple shipped version, so they pontificate if it may be an issue upstream?

Ya think?

Sometimes, I think folks vastly overestimate what "maintainer" means or how much I might be using some of this software or what they expect me to do about it just because it is "assigned" to me.

For example: I basically do not run sshd on any macOS systems, since I only have Apple laptops which sleep a lot and are absolutely awful as anything that should be a server running daemonized software.

Did these folks not notice that Apple themselves discontinued their XServe hardware line circa 2004? Or that even their "OS X Server" product was discontinued from the App Store in 2022?

I guess they missed the memos, couldn't read the room or writing on the wall?

But then, they observed this in macOS Monterey, which itself is from 2021, so maybe they just prefer livin in the past? I have no idea.

I am not even sure how to meaningfully reply to that Trac issue.

#RPKI #rpkiーclient #MacPorts #macOS #BGP #OpenBGPD #OpenSource

@fleaz : it's not MultiMultiFactorAuthentication but 1FA max.

Assuming that you don't use those hardware keys to generate TOTP codes (which are pointless when confronted with the likes of #Evilginx2), but use WebAuthn instead (FIDO2 passkeys in hardware keys), everything depends on one factor: the domain name of the website.

1️⃣ DV-CERTS SUCK
It is not very common that certificates are issued to malicious parties, but it *does* happen now and then (infosec.exchange/@ErikvanStrat).

2️⃣ SUBDOMAINS
Furthermore, sometimes organizations have "dangling" subdomain names. For example,

test.example.com

may point to the IP address of some cloud server no longer used by example.com. Anyone with write access to that server may install a fake "test.example.com" website and phish you to it. It *may* be used to phish your WebAuthn credentials *if* "example.com" does not explicitly *DENY* WebAuthn from "test.example.com".

See github.com/w3ctag/design-revie for how Google prevents "sites.google.com" from authenticating to "google.com".

3️⃣ DNS HACKED
It may not be necessary to execute BGP-hijacks to redirect network traffic to an impostor: it also all depends on how reliably DNS records are protected against unauthorized access. If the dude in charge of DNS uses a stupid password only, or the DNS provider is easily fooled into believing "I forgot my creds", it's game over. The crooks will obtain a DV-cert in no time, no questions asked, for free.

4️⃣ All the bells and whistles are moot if there's an alternative way to log in (such as by using a 1FA rescue code) and the user is fooled into providing it (after they've been lied to that their WebAuthn public key on the server became corrupted or was lost otherwise).

5️⃣ Cloudflare MitM's https connections (it's not a secret: blog.cloudflare.com/password-r). The same applies to any server you log in to, which is accessible by untrustworthy personnel. They can steal your session cookie.

6️⃣ In the end MFA/2FA is a hoax anyway, because the session cookie (or JWT or whatever) is 1FA anyway.

Did I mention the risks of account lockout with hardware keys that cannot be backed up? And the mess it is to keep at least one other hardware key synchronized if it's in a vault? And the limitation of, for example, 25 WebAuthn accounts max? And (unpatchable) vulnerabilities found in hardware keys? And their price? And how easy it is to forget or lose them?

@odr_k4tana

Infosec Exchange: Erik van Straten (@ErikvanStraten@infosec.exchange)

🌘DV-CERT MIS-ISSUANCE INCIDENTS🌒 🧵#3/3

Note: this list (in reverse chronological order) is probably incomplete; please respond if you know of additional incidents!

2024-07-31 "Sitting Ducks" attacks/DNS hijacks: mis-issued certificates for possibly more than 35.000 domains by Let’s Encrypt and DigiCert: https://blogs.infoblox.com/threat-intelligence/who-knew-domain-hijacking-is-so-easy/ (src: https://www.bleepingcomputer.com/news/security/sitting-ducks-dns-attacks-let-hackers-hijack-over-35-000-domains/)
2024-07-23 Let's Encrypt mis-issued 34 certificates, revokes 27 for dydx.exchange: see 🧵#2/3 in this series of toots
2023-11-03 jabber.ru MitMed/AitMed in German hosting center https://notes.valdikss.org.ru/jabber.ru-mitm/
2023-11-01 KlaySwap and Celer Bridge BGP-hijacks described https://www.certik.com/resources/blog/1NHvPnvZ8EUjVVs4KZ4L8h-bgp-hijacking-how-hackers-circumvent-internet-routing-security-to-tear-the
2023-09-01 Biggest BGP Incidents/BGP-hijacks/BGP hijacks https://blog.lacnic.net/en/routing/a-brief-history-of-the-internets-biggest-bgp-incidents
2022-09-22 BGP-hijack mis-issued GoGetSSL DV certificate https://arstechnica.com/information-technology/2022/09/how-3-hours-of-inaction-from-amazon-cost-cryptocurrency-holders-235000/
2022-09-09 Celer Bridge incident analysis https://www.coinbase.com/en-nl/blog/celer-bridge-incident-analysis
2022-02-16 Crypto Exchange KLAYswap Loses $1.9M After BGP Hijack https://www.bankinfosecurity.com/crypto-exchange-klayswap-loses-19m-after-bgp-hijack-a-18518

🌘BACKGROUND INFO🌒

2024-08-01 "Cloudflare once again comes under pressure for enabling abusive sites" (Dan Goodin - Aug 1, 2024) https://arstechnica.com/security/2024/07/cloudflare-once-again-comes-under-pressure-for-enabling-abusive-sites/
2018-08-15 Usenix-18: "Bamboozling Certificate Authorities with BGP" https://www.usenix.org/conference/usenixsecurity18/presentation/birge-lee

Edited 2024-09-05 14:19 UTC: corrected the link for the "jabber.ru" incident.

#DV #LE #LetsEncrypt #Certificates #Certs #Misissuance #Mis_issuance #Revocation #Revoked #Weaknessess #WeakCertificates #WeakAuthentication #Authentication #Impersonation #Identification #Infosec #DNS #DNSHijacks #SquareSpace #Authorization #UnauthorizedChanges #UnauthorizedModifications #DeFi #dydx_exchange #CryptoCoins
#1FA #2FA #MFA
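
An added illustration of point 2️⃣ above (not part of the post, and not any browser's code): a simplified model of the WebAuthn rule that an RP ID must be the page's own host or a parent domain of it, used to list which hostnames fall inside a credential's scope. The suffix list and the hostname inventory are constructed, and the localhost and related-origin cases are left out.

```javascript
// Simplified model of the WebAuthn RP ID scope rule (added example).
// PUBLIC_SUFFIXES is a constructed stand-in for the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

// True if a page at `origin` may use `rpId`: the RP ID must equal the
// origin's host or be a parent domain of it, and must not be a public suffix.
function rpIdAllowedForOrigin(origin, rpId) {
  const url = new URL(origin);
  if (url.protocol !== "https:") return false; // simplification: no localhost case
  const host = url.hostname.toLowerCase();
  const id = rpId.toLowerCase();
  if (PUBLIC_SUFFIXES.has(id)) return false;
  return host === id || host.endsWith("." + id);
}

// Defender's view: which of our DNS names could obtain assertions for
// credentials registered under `rpId`? Every name returned has to be as
// trustworthy as the login page itself.
function hostsInCredentialScope(rpId, hostnames) {
  return hostnames.filter((h) => rpIdAllowedForOrigin("https://" + h, rpId));
}

// Constructed inventory for the post's hypothetical example.com.
const inventory = [
  "example.com",
  "accounts.example.com",
  "test.example.com",           // the forgotten cloud host from the post
  "example.com.lookalike.org",  // look-alike name, not a subdomain
];

// Credentials registered with the broad RP ID are usable from every subdomain.
const broad = hostsInCredentialScope("example.com", inventory);
// Registering with the login host as RP ID narrows the scope to that host.
const narrow = hostsInCredentialScope("accounts.example.com", inventory);

console.log("rpId example.com          ->", broad);
console.log("rpId accounts.example.com ->", narrow);
```
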

Association between IP address and AS

In discussions about the Internet, one often sees requests for the AS associated with an IP address, or the reverse. But simple questions such as "which AS does an IP address belong to?" are… too simple.

bortzmeyer.org/association-as-

#BGP #whois #RDAP

🚀 The latest version of bgpkit-broker, v0.7.10, is out now! This update includes support for the route-views8 collector and introduces a new feature to dynamically verify missing collectors. We also resolved an issue that might lead to API crashes and tidied up the library dependencies. #BGP buff.ly/g6swlDr

Highlights

add route-views8 collector
add /missing_collectors endpoint to check for collectors that have not been added yet
remove /docs and utopia dependency to remove clutter
freshen up dependen...