pf can't redirect outgoing traffic to localhost

2024-06-19 Thread whistlez
Hello,
I have sslsplit listening on 127.0.0.1 port 10443 and I want redirect
all my outgoing desktop web traffic  to sslsplit, then localhost port
10443. SSLSPLIT is just a kind of transparent proxy but cannot be used
as a conventional proxy (set up on the browser config).  Reading the
pf.conf man seems that there isn't a way to do that.
For example rdr-to does not support redirection to localhost. 
man:
rdr-to is usually applied inbound.  If applied outbound, rdr-to to a
local IP address is not supported.
Divert-to does not support outgoing traffic ("pass out" or "match out").
Also I tried to make an IF alias like this
ifconfig em0 inet 192.168.0.6 255.255.255.0
ifconfig em0 inet alias 192.168.0.7 255.255.255.0
my gw is 192.168.0.1
I put listening the sslsplit on 192.168.0.7 (the alias) port 10443 and I
make a pf rule like this:
pass out log on em0 proto tcp from 192.168.0.6 to port 443 rdr-to
192.168.0.7 port 10443
pass out log on em0 proto tcp from 192.168.0.6 to port 80  rdr-to
192.168.0.7 port 10080
even this does not work... I suspect that even 192.168.0.7 is local ip.
Any help ?



7.5 problems with browser video and audio, part 2

2024-04-10 Thread whistlez
Hello I write again about the following sent mail to misc:

https://marc.info/?l=openbsd-misc=171260331305047=2

I use the link to the archive because I deleted all the mailing list
mails then I can'f do a follow up.

Anyway I have some news. 
If I run sndiod as my user with the following:
$ sndiod -dd
the browsers audio (firefox, chromium, ungoogled-chromium and iridium)
works for about 10-15 seconds.
After that it stops to work.
The following are the logs:
snd0: rec hw xrun, rused = 6720/7680
snd0: play hw xrun, pused = 960/7680
snd0: watchdog timeout  
firefox0: detached at -7200 + 0/480
snd0: software master level control enabled
0/output.level=127 at 6 -> dev_master:0: added
0/output.level=127 at 6 -> dev_master:0: removed

The error seems:
snd0: watchdog timeout   

If I run sndiod as user like the following (with -m play):
$ sndiod -m play
 works very well. With ps aux | grep sndiod ti say that the process run
as my user.

If I run the rc script the process take the defaul user  permission:
_sndiop and _sndio
with these permessions the audio doesn't work neither for few seconds.
Other userful info:
# audioctl
name=auich0
mode=
pause=1
active=0
nblks=16
blksz=480
rate=48000
encoding=s16le
play.channels=2
play.bytes=0
play.errors=0
record.channels=2
record.bytes=0
record.errors=0
# ls -l /dev/audi*
crw-rw  1 root  wheel   42,   0 Apr 10 20:08 /dev/audio0
crw-rw  1 root  wheel   42,   1 Apr  7 17:34 /dev/audio1
crw-rw  1 root  wheel   42,   2 Apr  7 17:34 /dev/audio2
crw-rw  1 root  wheel   42,   3 Apr  7 17:34 /dev/audio3
crw-rw  1 root  wheel   42, 192 Apr  7 17:34 /dev/audioctl0
crw-rw  1 root  wheel   42, 193 Apr  7 17:34 /dev/audioctl1
crw-rw  1 root  wheel   42, 194 Apr  7 17:34 /dev/audioctl2
crw-rw  1 root  wheel   42, 195 Apr  7 17:34 /dev/audioctl3

Thus it seems a permission problem. But as I already said If I run "mpv
my_video.mp4" audio works even with the default permission but now with
browsers.
Hope this is useful.
Thanks all.
Have a nice day.
W.

  



7.5 problems with browser video and audio

2024-04-08 Thread whistlez
Hello, after upgrade to 7.5 (from 7.4) I have problems with all type of
videos on all chromium flavor (ungoogled-chromium and iridium). Going in
details the problem doesn't concern only youtube but all the videos in
all websites. But some videos work. For example youtube shorts. But on
all videos does not work.
I tried to uninstall and reinstall two or three dozen of packages linked
to the browser but I haven't  solved the problem. I have the same
problem with firefox. But if I play a video with "mpv video.mp4" it
works very well, also the audio works. So it seems something linked to
the browsers.
The following is the log if I run a chromium session and I play a random
video on yt:


[80102:471841344:0408/172622.858323:ERROR:bus.cc(407)] Failed to connect
to the bus: Could not parse server address: Unknown address type
(examples of valid types are "tcp" and on UNIX "unix")
[80102:471841344:0408/172622.858491:ERROR:bus.cc(407)] Failed to connect
to the bus: Could not parse server address: Unknown address type
(examples of valid types are "tcp" and on UNIX "unix")
[80102:471841344:0408/172622.858540:ERROR:bus.cc(407)] Failed to connect
to the bus: Could not parse server address: Unknown address type
(examples of valid types are "tcp" and on UNIX "unix")
[80102:471841344:0408/172622.858617:ERROR:bus.cc(407)] Failed to connect
to the bus: Could not parse server address: Unknown address type
(examples of valid types are "tcp" and on UNIX "unix")
[80102:1069694880:0408/172622.913110:ERROR:policy_logger.cc(157)]
:components/enterprise/browser/controller/chrome_browser_cloud_management_controller.cc(161)
Cloud management controller initialization aborted as CBCM is not
enabled. Please use the `--enable-chrome-browser-cloud-management`
command line flag to enable it if you are not using the official Google
Chrome build.
[80102:471841344:0408/172623.027251:ERROR:bus.cc(407)] Failed to connect
to the bus: Could not parse server address: Unknown address type
(examples of valid types are "tcp" and on UNIX "unix")
[80102:471841344:0408/172623.027532:ERROR:bus.cc(407)] Failed to connect
to the bus: Could not parse server address: Unknown address type
(examples of valid types are "tcp" and on UNIX "unix")
[80102:-403990976:0408/172623.202595:ERROR:bus.cc(407)] Failed to
connect to the bus: Could not parse server address: Unknown address type
(examples of valid types are "tcp" and on UNIX "unix")
[80102:471841344:0408/172623.290231:ERROR:bus.cc(407)] Failed to connect
to the bus: Could not parse server address: Unknown address type
(examples of valid types are "tcp" and on UNIX "unix")
[80102:471841344:0408/172623.290334:ERROR:bus.cc(407)] Failed to connect
to the bus: Could not parse server address: Unknown address type
(examples of valid types are "tcp" and on UNIX "unix")
[53057:-337215584:0408/172623.654661:ERROR:viz_main_impl.cc(196)]
Exiting GPU process due to errors during initialization
[80102:1069694880:0408/172624.173294:ERROR:object_proxy.cc(576)] Failed
to call method: org.freedesktop.DBus.NameHasOwner: object_path=
/org/freedesktop/DBus: unknown error type:
[80102:1569613376:0408/172624.173820:ERROR:bus.cc(407)] Failed to
connect to the bus: Could not parse server address: Unknown address type
(examples of valid types are "tcp" and on UNIX "unix")
[80102:471835200:0408/172624.519144:ERROR:object_proxy.cc(576)] Failed
to call method: org.freedesktop.DBus.Properties.Get: object_path=
/org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The
name org.freedesktop.UPower was not provided by any .service files
[80102:471835200:0408/172624.520532:ERROR:object_proxy.cc(576)] Failed
to call method: org.freedesktop.UPower.GetDisplayDevice: object_path=
/org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The
name org.freedesktop.UPower was not provided by any .service files
[80102:471835200:0408/172624.522130:ERROR:object_proxy.cc(576)] Failed
to call method: org.freedesktop.UPower.EnumerateDevices: object_path=
/org/freedesktop/UPower: org.freedesktop.DBus.Error.ServiceUnknown: The
name org.freedesktop.UPower was not provided by any .service files
[80102:1069694880:0408/172624.570929:ERROR:object_proxy.cc(576)] Failed
to call method: org.freedesktop.DBus.NameHasOwner: object_path=
/org/freedesktop/DBus: unknown error type:
[80102:-403991488:0408/172624.571398:ERROR:bus.cc(407)] Failed to
connect to the bus: Could not parse server address: Unknown address type
(examples of valid types are "tcp" and on UNIX "unix")
[80102:1069694880:0408/172624.638201:ERROR:object_proxy.cc(576)] Failed
to call method: org.freedesktop.DBus.NameHasOwner: object_path=
/org/freedesktop/DBus: unknown error type:
[80102:-403991488:0408/172624.638367:ERROR:bus.cc(407)] Failed to
connect to the bus: Could not parse server address: Unknown address type
(examples of valid types are "tcp" and on UNIX "unix")
[80102:1069694880:0408/172624.665200:ERROR:object_proxy.cc(576)] Failed
to call method: 

Re: TLS handshake failure at pkg_update

2024-04-08 Thread whistlez
Il 2024-04-08 09:14 Mizsei Zoltán ha scritto:
> Hi,

> vps$ doas pkg_add micro
> https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.5/packages-stable/amd64/: 
> TLS handshake failure: handshake failed: error:02FFF00D:system 
> library:func(4095):Permission denied
> https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.5/packages/amd64/: TLS 
> handshake failure: handshake failed: error:02FFF00D:system 
> library:func(4095):Permission denied
> https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.5/packages/amd64/: empty
> Can't find micro

I had this problem in the past and usually means that your clock is not
synchronized.
Maybe you stopped ntpd ?



Re: volatility or something like that in the future ?

2023-08-21 Thread whistlez
> You asked for others to do things you want.  But we don't want the feature
> you want, because we consider it an anti-feature.
> 
> We do not want to expose the kernel address space contents like you
> want, because it contains secrets information which is used for a wide
> variety of attach surfaces.  Secrets does not mean passwords, it means
> contents and layout of objects an attacker will use.
> 

Thank you, this was the answer I was crying and stomping my feet for. 

> What you ask for is the opposite of what we would do.
> 
> We won't do it.  We don't want code that does it (not that you have any
> code which does it).
> 
> And that is the end of story.

ok, thanks.



Re: volatility or something like that in the future ?

2023-08-21 Thread whistlez


>> 
>> Thanks for your reply, but my emails didn't received the replies I
>> expected to have.
>> And to be honest I don't want to  plunge into arid controversy.
>> 
> 
> This is not hate, BUT you are acting like a baby.
> 
> 'Whaa wha you didn't do what I wanted'

Well, that's certainly an adult-like response. 
In fact, adults usually mimic children.



Re: volatility or something like that in the future ?

2023-08-21 Thread whistlez
> 
> You are spending a lot of time telling very skilled people that
> you are both ignorant on this topic AND how to do their jobs.
> 

I understand what you're saying, even though I'm not entirely sure
things are as you describe. However, it already seems important to me
that I managed to understand because, honestly, I didn't think I had
been offensive. My mindset was to contribute what I know to improve the
project. But you're absolutely right; being quite ignorant, my attempts
to contribute might come across as unpleasant or even offensive.
However, I usually don't respond in kind if someone offends me.
Furthermore, the underlying question of my message was, how do I check
the kernel's integrity? And my suggestions were a response to this
underlying question. Honestly, it doesn't seem offensive to me to ask a
question. But evidently, I'm mistaken. Perhaps someone believes that the
question is actually rhetorical and aimed at criticizing the entire
project. But as far as I'm concerned, it's not.

> You know what is offensive around here?
> * Telling developers how they should spend their efforts.
> * Being offended when someone suggests YOU demonstrate work.
> * Taking pride in your ignorance on how to do something but
>   assuming you have the right to tell others to utilize their
>   skill.
> * Suggesting that because Linux does something, OpenBSD should
>   do it without understanding how WRONG so much of Linux is (at
>   least in an OpenBSD mindset).
> 
> Linux has become Windows Reinvented Badly.  You seem to think
> OpenBSD should become Linux Reinvented Badly.  That's offensive.

These religious wars honestly seem prehistoric to me. Very much akin to
football fanatics or political squabbles, I found them tiresome in the
late '90s, and now I just can't stomach them. Moral judgments about
reality don't solve problems, because the problems remain despite how
much you might express that they are ugly and bad.
As for the rest, I apologize if I have been offensive. I didn't think I
was, but indeed my presumption can be unsettling. I understand that now.
I apologize.



Re: volatility or something like that in the future ?

2023-08-19 Thread whistlez


> 
> I don't see any hatred here.  I think they understood the question just fine. 
>  I think perhaps you might be asking in the wrong place for
> voulenteers to write software for Volatility -- this is an OpenBSD list.


Yes, probably I missed that point. I'm sorry I didnt' understand for
that question I'd ask elsewhere.
Thanks and I'm sorry.



Re: volatility or something like that in the future ?

2023-08-19 Thread whistlez


> I saw no hatred in the post you replied to.
> 
> OpenBSD developers are Makers, not Takers.  They code for OpenBSD for 
> themselves, not for the user community.  
> 
> The point is you should spend some time trying to contribute before you start 
> asking for some "feature".  
> 
> I've been a user for 25 years and really appreciate all the work the 
> developers have done during that time.  In that time I've also contributed a 
> very microscopic bit of bug fixes.
> 
> diana
>

Thanks for your reply, but my emails didn't received the replies I
expected to have.
And to be honest I don't want to  plunge into arid controversy.



Re: volatility or something like that in the future ?

2023-08-19 Thread whistlez
Il 2023-08-18 19:42 Mike Larkin ha scritto:
> On Fri, Aug 18, 2023 at 01:31:41PM +0000, whistlez wrote:
>> Il 2023-08-18 09:22 Omar Polo ha scritto:
>> > On 2023/08/18 02:06:11 +, whistlez  wrote:
>> >> Il 2023-08-18 02:20 Scott Cheloha ha scritto:

>>
>> 1. Volatility allows the detection of hidden kernel modules in a Linux
>> environment, including typical LKM rootkits.
>>
>> 2. There are multiple methods for RAM dumping, some of which cannot be
>> circumvented and do not require specific software or interfaces. For
>> example:
>> a. Through a 'cold boot attack,' it's possible to dump RAM from an
>> uncompromised operating system. (Reference:
>> https://en.wikipedia.org/wiki/Cold_boot_attack)
>> b. Through a DMA attack, leveraging FireWire or other hardware
>> interfaces, it's possible to dump RAM. I believe that, in this case, as
>> in the previous one, the kernel would be completely unaware. An example
>> of this kind of attack and dump is "inception"
>> (https://github.com/carmaa/inception).
>> c. In a virtualized environment such as VMM, VirtualBox, VMware,
>> etc. (we know OpenBSD can be virtualized), you can acquire RAM without
>> the operating system knowing.
> 
> Great, sounds like you've stumbled across 3 solutions for your problem.
> Looks like no diff is needed after all.
> 

I honestly don't understand this hatred. I call it that because I refuse
to accept that you didn't understand the question. Volatility has no
plugin to interpret a ram dump on openbsd and so having only the dump is
totally useless. If you really don't understand I'll paste the
volatility help to show you that there are no plugins for openbsd but
only for linux, windows and mac.

$ vol --help 
Volatility 3 Framework 1.0.0-beta.1
usage: volatility [-h] [-c CONFIG] [--parallelism
[{processes,threads,off}]] [-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS]
[-v] [-l LOG] [-o OUTPUT_DIR] [-q]
  [-r RENDERER] [-f FILE] [--write-config]
[--clear-cache] [--single-location SINGLE_LOCATION]
[--single-swap-locations SINGLE_SWAP_LOCATIONS]
  plugin ...

An open-source memory forensics framework

optional arguments:
  -h, --helpshow this help message and exit
  -c CONFIG, --config CONFIG
Load the configuration from a json file
  --parallelism [{processes,threads,off}]
Enables parallelism (defaults to processes if no
argument given)
  -e EXTEND, --extend EXTEND
Extend the configuration with a new (or changed)
setting
  -p PLUGIN_DIRS, --plugin-dirs PLUGIN_DIRS
Semi-colon separated list of paths to find
plugins
  -s SYMBOL_DIRS, --symbol-dirs SYMBOL_DIRS
Semi-colon separated list of paths to find
symbols
  -v, --verbosity   Increase output verbosity
  -l LOG, --log LOG Log output to a file as well as the console
  -o OUTPUT_DIR, --output-dir OUTPUT_DIR
Directory in which to output any generated files
  -q, --quiet   Remove progress feedback
  -r RENDERER, --renderer RENDERER
Determines how to render the output (quick, csv,
pretty, json, jsonl)
  -f FILE, --file FILE  Shorthand for --single-location=file:// if
single-location is not defined
  --write-configWrite configuration JSON file out to config.json
  --clear-cache Clears out all short-term cached items
  --single-location SINGLE_LOCATION
Specifies a base location on which to stack
  --single-swap-locations SINGLE_SWAP_LOCATIONS
Specifies a list of swap layer URIs for use with
single-location

Plugins:
  plugin
configwriter.ConfigWriter
Runs the automagics and both prints and outputs
configuration in the output directory.
frameworkinfo.FrameworkInfo
Plugin to list the various modular components of
Volatility
layerwriter.LayerWriter
Runs the automagics and writes out the primary
layer produced by the stacker.
linux.bash.Bash Recovers bash command history from memory.
linux.check_afinfo.Check_afinfo
Verifies the operation function pointers of
network protocols.
linux.check_syscall.Check_syscall
Check system call table for hooks.
linux.elfs.Elfs Lists all memory mapped ELF files for all
processes.
linux.lsmod.Lsmod   Lists loaded kernel modules.
linux.lsof.Lsof Lists all memory maps for all processes.
linux.malfind.Malfind
Lists process memory ranges that potentially
contain injected code.
linux.proc.Maps Lists all memory maps for all processes.
linux.pslist.PsList
Lists the processes pre

Re: volatility or something like that in the future ?

2023-08-18 Thread whistlez
Il 2023-08-18 09:22 Omar Polo ha scritto:
> On 2023/08/18 02:06:11 +0000, whistlez  wrote:
>> Il 2023-08-18 02:20 Scott Cheloha ha scritto:
>> >> On Aug 17, 2023, at 10:28, whistlez  wrote:
>> 
>> Furthermore, in my opinion - brace yourself, I might trigger an atomic
>> war with what I'm about to say - we should consider it certain that the
>> kernel could contain unknown vulnerabilities. Unauthorized code running
>> in the kernel is impossible to detect, clearly. I'm talking about code
>> that might not even reside on the disk but is injected remotely. Thus,
>> the only way is through inspecting the RAM dump, that is, a software
>> that can analyze the dump and determine its integrity.
> 
> Assuming that the kernel was compromised, how can you trust a tool to
> detect that?  The compromised kernel could return normal-looking data
> through /dev/{k,}mem (ignoring for a moment the perils of allowing
> random software to access these devices.)  You'd be asking a liar if
> they're telling the truth :)

Yes, I understand exactly what you're saying, and I partly agree, but
I'd like to share some thoughts. However, first and foremost, I want to
reiterate that I'm not a developer, and for this reason, my statements
might be based on entirely erroneous assumptions. But let's get to the
considerations.

1. Volatility allows the detection of hidden kernel modules in a Linux
environment, including typical LKM rootkits.

2. There are multiple methods for RAM dumping, some of which cannot be
circumvented and do not require specific software or interfaces. For
example:
a. Through a 'cold boot attack,' it's possible to dump RAM from an
uncompromised operating system. (Reference:
https://en.wikipedia.org/wiki/Cold_boot_attack)
b. Through a DMA attack, leveraging FireWire or other hardware
interfaces, it's possible to dump RAM. I believe that, in this case, as
in the previous one, the kernel would be completely unaware. An example
of this kind of attack and dump is "inception"
(https://github.com/carmaa/inception).
c. In a virtualized environment such as VMM, VirtualBox, VMware,
etc. (we know OpenBSD can be virtualized), you can acquire RAM without
the operating system knowing.

3. The third consideration relates to what you said – that it doesn't
make sense to ask a liar if he is lying. I think, similar to how the
police operate, you can ask a suspect a series of questions, and all
answers should exhibit a certain logical consistency. If you want to
make a neighborhood disappear from a city, you can't just dig a hole.
Because everyone will understand that it can't be true. Roads will
terminate at the hole and continue on the other side, and that doesn't
make sense. Moral of the story: the more you have to hide, the more code
you have to write to make your façade believable. And so, the more
questions you ask the suspect, the more they have to invent lies that
are consistent. The more lies there are, the greater the chances of
creating a discrepancy in the infrastructure. For instance, library,
memory, pointers must be reorganized coherently. You can't make a
pointer point to a memory area that is empty.

4. Another thing we can't ignore is that we all know there are no
definitive security solutions, only building bricks that add layers of
difficulty and complicate matters for an attacker. Keeping hidden code
within a kernel while simultaneously ensuring that code performs actions
is an additional layer of difficulty.



Re: volatility or something like that in the future ?

2023-08-17 Thread whistlez
Il 2023-08-18 02:20 Scott Cheloha ha scritto:
>> On Aug 17, 2023, at 10:28, whistlez  wrote:
>> 

>> https://github.com/volatilityfoundation/volatility3
> 
> What is the utility of this software?  How
> would supporting it benefit the project?
> 
> I read the summary on Github.  I am still
> more or less completely in the dark on
> why I or anyone would want to use it.

It seems rather important to me because it's not possible to be certain
about the invulnerability of the underlying operating system or the
kernel. Alternatively, an attacker might have a zero-day exploit on
Firefox or Chrome and inject code into the process, allowing data
exfiltration. Even though the attacker would be confined within the jail
created by the kernel, it doesn't seem acceptable to have unauthorized
code running on one's machine, especially in a critical process like a
browser. The same principle could be applied to another process more
focused on firewall solutions, such as Snort.

Furthermore, in my opinion - brace yourself, I might trigger an atomic
war with what I'm about to say - we should consider it certain that the
kernel could contain unknown vulnerabilities. Unauthorized code running
in the kernel is impossible to detect, clearly. I'm talking about code
that might not even reside on the disk but is injected remotely. Thus,
the only way is through inspecting the RAM dump, that is, a software
that can analyze the dump and determine its integrity.

Additionally, due to kernel relinking, we know that its hash changes
with every reboot, rendering classic integrity verification tools
unusable. To put it simply, without delving into sophisticated attacks,
a machine could be physically attacked, and unauthorized code could be
introduced into the kernel. Therefore, we might end up with a machine
compromised by a compromised kernel, and there might be no way (at least
as far as I know) to know about it. This assumes there are unintentional
vulnerabilities.

But what if deliberate vulnerabilities are introduced? I recall an old
piece of news, which I never understood if it was confirmed, that a
developer of the OpenBSD kernel might have introduced a backdoor under
instruction or through coercion by a security agency. Now, far be it
from me to discredit the OpenBSD development team, which has done an
enormous and exceptional job. It's clear that Theo has done, and is
doing, a wonderful job... nevertheless, one should account for any
eventuality.

I believe that a forensics memory analysis interface would make
persistence and invisibility of unauthorized code much harder to
achieve. Even a developer intending to hide something would find
themselves a bit more exposed.

And all of this without even considering hardware vulnerabilities, such
as those in CPUs or other aspects of the machine, like firmware.



volatility or something like that in the future ?

2023-08-17 Thread whistlez
Hello community, I would like to ask if it's possible to develop a tool
similar to Volatility in the future or a specific integration for
OpenBSD. Along with a tool that can perform RAM dumping. However, could
this potentially make the kernel vulnerable?

In my opinion, even though I'm not a developer, it would be desirable to
have a proper kernel interface for performing the dump. Something that
is maintained directly by the development team to prevent the software
team from constantly keeping up with changes in every new kernel
release. I believe we need to realize that, while the kernel is very
secure, zero-day vulnerabilities are always a lurking threat. 

For those that don't know what is volatility, this is github page
https://github.com/volatilityfoundation/volatility3

I hope Theo doesn't get angry, as I'm a very sensitive person, and if
someone offends me or makes fun of me, it really upsets me.

regards WhistleX



Re: iwm wifi driver errors

2020-03-15 Thread Whistlez ML
On Sun, Mar 15, 2020 at 02:15:36PM +, b...@0x1bi.net wrote:
> Have you installed the wireless firmware?
> http://firmware.openbsd.org/firmware/
> 

yeah of course without the firmware the interface doesn't work, and now I'm
using the wifi.



iwm wifi driver errors

2020-03-14 Thread whistlez-ml



Hi,
I found the following error in the logs about the wifi driver iwm:
iwm0: could not remove binding (error 35)
iwm0: fatal firmware error
iwm0: could not remove binding (error 35)
iwm0: could not remove binding (error 35)
iwm0: failed to update MAC
iwm0: could not add MAC context (error 35)
iwm0: could not abort background scan
iwm0: could not remove STA (error 35)
iwm0: could not remove STA (error 35)
iwm0: could not update PHY context (error 35)
iwm0: could not add binding (error 35)
iwm0: fatal firmware error

Anyone knows what means ?
thanks



Re: Hardening browser

2020-03-07 Thread whistlez-ml
On Thu, Mar 05, 2020 at 07:32:36AM -0700, Luke A. Call wrote:
> On 03-05 04:18, Tomasz Rola wrote:
> > On Wed, Mar 04, 2020 at 02:06:40AM +0100, whistlez...@riseup.net wrote:
> > > Hi,
> > > in the following message:
> > > https://marc.info/?l=openbsd-misc=158110613210895=2
> > > Theo discourages to use unveil instead of chroot.
> > > I asked if he suggests the same for the browser but he asked that chroot
> > > is onlye for *root*.
> > > Then what should I do to hardening the most exposed piece of code that
> > > we use everyday ?
> > > Now I'm using unveil+chrome...
> > > Thank you.
> > []
> > As of me, I use the trick with multiple users for different roles
> > (similar to other person who posted in this thread). I also employ
> > noscript in some of the roles. 
> 
> I just leave javascript off for usual browsing, with a tab sitting open
> in chromium or iridium to turn it on for the occasional temporary need,
> or added to the browser's exception list to allow permanently for
> certain sites.  This partly because it seems easy, and partly since I 
> probably won't know if a browser extension is sold to a malicious entity, or
> otherwise compromised (so, seems a smaller attack surface, but still usually
> convenient.)  

As I know many sites without js doesn't work. Anyway I don't understand
how switching off js defend you from 0day browser bug.
Maybe you mean that because many 0day concern javascript ?



Re: Hardening browser

2020-03-07 Thread whistlez-ml
On Wed, Mar 04, 2020 at 03:28:35PM +, Kevin Chadwick wrote:
> On 2020-03-04 11:38, Ottavio Caruso wrote:
> > Probably not what you were looking for but, back in the days when I
> > was ultra paranoid about my web browsing, I used to use stripped down
> > live usb installations of Linux distros (DSL was one of them that I
> > remember). I ignore if OpenBSD comes with such a solution out the box,
> > but I'm sure it wouldn't be difficult to make your own read-only
> > install. Then, you could either reboot from it or run it through an
> > emulator.
> 
> A live cd is read-only and is also something I did for a while in my teenage
> years. Knoppix, Insert were examples and STD was another aptly named one as it

a read only cd don't give you any defense againt uefi rootkit
> 
> However, considering OpenBSD replaces it's whole base every upgrade with 
> signed
> binaries, then you get all of that for free. You can even double check the 
> bios
> with flashrom (less so on laptops), bootloader, signing keys, packages etc., 
> if
> you want to.
>

if your kernel is infected with uefi rootkit most probably double check
uefi or bios with flashrom is absolutely not useful.

> If this effort is really worth it, then it probably makes more sense than
> trusting someone else to package up a usb linux distro or CD.
> 

the problem is not trusting people that make package, the problem is
the sites you visit. 



Re: Hardening browser

2020-03-05 Thread whistlez-ml
On Wed, Mar 04, 2020 at 11:38:40AM +, Ottavio Caruso wrote:
> On Wed, 4 Mar 2020 at 01:06,  wrote:
> >
> > Hi,
> > in the following message:
> > https://marc.info/?l=openbsd-misc=158110613210895=2
> > Theo discourages to use unveil instead of chroot.
> > I asked if he suggests the same for the browser but he asked that chroot
> 
> Probably not what you were looking for but, back in the days when I
> was ultra paranoid about my web browsing, I used to use stripped down
> live usb installations of Linux distros (DSL was one of them that I
> remember). I ignore if OpenBSD comes with such a solution out the box,
> but I'm sure it wouldn't be difficult to make your own read-only
> install. Then, you could either reboot from it or run it through an
> emulator.
> 

My opinion is that in the last 10 years the world of hackers groups was
deeply changed. Deface or big worms that make big damages are not in
fashion anymore. Today the hackers group want just only be as hidden as
they can. Then today the biggest problems are the uefi/bios malware, if
you use a read only live cd or usb don't stop someone infect your
firmwares. And when you reboot your machine you are hacked.
Maybe with an hypervisor that can isolate processes and kernels the job
is more hard. One of the biggest criticism I make to openbsd is that the
everyone processes are visible to everyone. So that if you use muliple
account for multiple application you don't stop an infected process to
see if you run a browser, a irc session and maybe what network
you are connected, if you opened pdf, if you used vim for code
and what code and so on. And the last but first for importance if you
are sniffing your traffic to search a covert channel.
If my browser is infected with a malware the first thing I do is try to
sniff the traffic to detect strange destinations, but if the infected
process can see if I'm running a sniffer all my investigations are
absolutely unuseful.
If a very skilled hacker exploit your browser, take the root and infect
your uefi, you must trash your laptop. And of course if you discover it,
because if someone infect your uefi most problably you will never know
it!






Hardening browser

2020-03-03 Thread whistlez-ml
Hi,
in the following message:
https://marc.info/?l=openbsd-misc=158110613210895=2
Theo discourages to use unveil instead of chroot.
I asked if he suggests the same for the browser but he asked that chroot
is onlye for *root*.
Then what should I do to hardening the most exposed piece of code that
we use everyday ?
Now I'm using unveil+chrome...
Thank you.




6.6, X and braswell

2020-03-02 Thread whistlez-ml
Hi,
I have the following bug:
https://marc.info/?t=15636262941=1=2
now I'm on 6.5 and it works, but maybe one month ago I tried to install
6.6 and I found the bug.
Anyone know if it was been resolved ?
Thanks 
Whistlez



ffs details

2020-02-25 Thread whistlez-ml
Hi, I need some details about ffs, I read the kernel source but my c
knowledge is very basic. I understood all about the superblock but my
problem is understand how the files are allocated on the disk.
Anyone could give me more details about files allocation ?
Thank you.



Re: strange dmesg

2020-02-10 Thread whistlez-ml
On Mon, Feb 10, 2020 at 09:45:06AM -, Stuart Henderson wrote:
> On 2020-02-10, Janne Johansson  wrote:
> > Den lör 8 feb. 2020 kl 11:31 skrev :
> >
> >> Hi,
> >> I have some strange output from dmesg, what could be ?
> >> At the follwoing link I've posted some screenshots:
> >> https://postimg.cc/gallery/1o4wsaw74/
> >>
> >
> > dmesg is contained in a memory buffer with (hopefully) room for more than
> > one dmesg, so you can get
> > previous versions listed when you run it. If the memory gets slightly
> > corrupted during reboots,
> > I guess the "other" dmesgs can come out as garbage, based on how memory
> > gets reused or
> > reallocated in the time between reboot and next boot when the OS isn't in
> > control of the
> > RAM.
> 
> From the contents, this one looks like it was probably overwritten with
> some UEFI code during boot.
> 

Could be a UEFI rootkit ? Or something that from UEFI try to inject code
in the kernel ?




strange dmesg

2020-02-08 Thread whistlez-ml
Hi,
I have some strange output from dmesg, what could be ?
At the follwoing link I've posted some screenshots:
https://postimg.cc/gallery/1o4wsaw74/
Thank you



Re: chroot vs unveil

2020-02-07 Thread whistlez-ml
On Thu, Feb 06, 2020 at 10:35:17AM -0700, Theo de Raadt wrote:
> Kevin Chadwick  wrote:
> 
> > I am considering replacing all chroot use with unveil in my processes even 
> > where
> > no filesystem access is required.
> 
> I am discouraging this.
> 
> unveil is a complicated mechanism, and we may still discover a bug in
> it.
> 
> Almost all the chroot in the tree are to empty unwriteable directories,
> in which case chroot is very secure and a very simple mechanism.
> 

you'd suggest the same for the browsers ?
thank you