posted Mar 5, 2016, 11:43 PM by Sami Lehtinen
updated Mar 5, 2016, 11:43 PM
- Daily fun. I researched one new software product and tried all kind of stuff with it's API and strange queries and boom. Then I found it. Actually three development servers were running using the buggy application as root. I did download whole file system just for fun. I got the password shadow files, servers and users ssh private keys, users private PGP keys and of course everything in /root and /home as well as found some interesting stuff from .bash_history files. It's not a good idea to run experimental software as a root. Really. It isn't. Yes, I did tell them about it as soon as I was sure I got the exploit repeatedly proven with a few servers. You can't be sure if the exploit works unless you escalate it. Now I can be sure, I can tell them what their passwords are and that they're using lame passwords. This is a good example how read only access still allows you to own a server. I didn't bother to investigate further, but it might have been possible to write to any file system location too. I used 4 hours for all this fun, and that's it. I'm done with it. Been there, done that. Did I login to the servers? Nope, I didn't. But with what I got, it would have been so trivial. Unfortunately I can't disclose exactly what the software is. But maybe later when fix has been released and nobody cares any more.
- It's funny because I also just yesterday started to follow Threatpost on Twitter. Luckily the product isn't yet widely used. On the other hand it would have been just so fun to write a small bot in few hours exploiting all the available systems. It would have been just so trivial.
- The backup stuff I wrote earlier about, worked flawlessly. Now I need to check other parts of the stack to locate the possible source of data integrity issues.
- Checked out Future Vertical Life
- Facebook’s Second European Data Center Is Coming To Ireland. Ok, so Finland didn't make the mark this time. Yet as said, Ireland is close to Central Europe than Finland. That shouldn't be an surprise to anyone. Ireland is also nicely connected to the submarine cables connected to that region, I guess it counts.
- More interesting coding. Added code to modify data produced by existing code. Why this way? Well, the task required was quite simple. But the code which produces the original data is really complex. So it was fast and reliable to make just add-on which modifies the data, instead of actually trying to understand & modify the existing code. As well as touching the complex existing code could have potentially easily caused horrible undetected issues. Like often happens when re-factoring. It seems that everything is ok, until you realize that now everything is totally and horribly messed up. And it will take 10x time to get it to work again what you were planning for. That's why some times doing the bad (?) thing, adding more code to modify existing code is just the best way of getting it done (hopefully) without dangerous side effects.
- Now one subsystem is using extensive heartbeats and Telegram notifications. So if heartbeats are missing, we can deliver immediate notifications over Telegram. Very nice. Of course this system is completely separate from the system being monitored. So hopefully there won't be classic cases where the monitoring system goes down with the main system and nobody notices a thing.
- One service provider had core router issues. It's so wonderful to be hit with network outage. This was perfect example why you shouldn't run everything in one data center. The main alarm system went also down. But the secondary monitoring systems alarmed that the main alarm system is down and therefore it was clear that system monitoring system was mostly down. Best part of that is that it didn't go unnoticed that there were serious issues. Of course the service provider itself also reported the issue being investigated shortly after. Never use single monitoring system, always use multiple alert methods as well as run monitoring using multiple completely separate service providers and out of band methods. Email, SMS, Telegram using multiple large network carriers and re-transmission attempts if notification delivery failed due to network issues or so.
- Worked with complex project, SOA and technical architecture. API descriptions. Just so much documentation. Aww. Yes, it's good that everything is documented. But I wonder if the people reading the documents actually need that all.
- Endless meetings about pricing models, funding options and models and profit margins, work estimates and so on. Business as usual.
- UpCloud published 2FA. Nice, but I would say 'finally'. Yet I don't know why it doesn't work with my TOTP App. Hmm, strange. Well, SMS authentication does work.
- Visualizing Concurrency and Parallelism in Go. Nice graphics and charts and visualizations. But any of my friends didn't really get the point. There wasn't anything new in that article as far as we could see. It's just the same stuff it has been for ages.
- Reminded my self about GS1-128 codes. kw: UCC-128, EAN-128 with Code 128 barcode.