[ / / / / / / / / / / / / / ] [ dir / agatha2 / baaa / choroy / dempart / mde / randamu / revel3 / vichan ]

/tech/ - Technology

Winner of the 77nd Attention-Hungry Games
/x/ - Paranormal Phenomena and The RCP Authority

April 2019 - 8chan Transparency Report
Comment *
Verification *
Password (Randomized for file and post deletion; you may also set your own.)
* = required field[▶ Show post options & limits]
Confused? See the FAQ.
Show oekaki applet
(replaces files and can be used instead)

Allowed file types:jpg, jpeg, gif, png, webm, mp4, pdf
Max filesize is 16 MB.
Max image dimensions are 15000 x 15000.
You may upload 3 per post.

File: b1788ce06ad6116⋯.png (105.14 KB, 883x1024, 883:1024, linuxpepe.png)


Some of you have probably noticed a security bulletin floating around. Basically you can send specially crafted packets to TCP port and gain remote code execution on Linux versions prior to 5.0.8

Compiling Linux 5.1.2. Easy enough.


wget https://lnkd.in/grP8_4M

unxz -v linux-5.1.2.tar.xz

wget https://lnkd.in/gN3Zmi5

gpg --verify linux-5.1.2.tar.sign

gpg --recv-keys 79BE3E4300411886

gpg --verify linux-5.1.2.tar.sign

tar xvf linux-5.1.2.tar

cd linux-5.1.2

cp -v /boot/config-$(uname -r) .config

apt-get install build-essential libncurses-dev bison flex libssl-dev libelf-dev

make menuconfig

#if you need to make changes do so otherwise just exit.




Reported for CP.


>apt-get install

install gentoo



Gentoo doesn't have this problem, didn't even have rds module compiled.


You don't need to recompile the entire kernel to fix an issue with a single module, dumbass.



>make thread about security

>uses the blobbed version of linux

Good intentions but we can do better.




>race condition leading to a use-after-free

C/C++ strikes again!




That's a logical problem that will affect all languages. It is not a problem that's unique to C or C++.



Debian/Ubuntu users make up the majority of Linux users. I'd saying doing this in portage but Gentoo doesn't have this module compiled by default.




I had to look this. I've never just swapped out modules and I don't know that much about Linux kernel. Hence I'm building one. What better excuse could one have? Technically what your are saying is true. People are saying it might run or might have compatibility issues between new module and older kernel. Also technically major Linux distros probably already have this patched so running update through whichever package manager you have will get it done.

Has anyone benefited from this post or is everyone on tech an advanced user?

Oh don't forget.

make modules_install
make install


You actually did it didn't you faggotnigger. Don't you have better shit to do than report the Linux cp command as CP. Faggotniggers everywhere.


File: c06c8957aa87325⋯.jpg (7.95 KB, 400x400, 1:1, 1536725739761.jpg)


just hack me then if its so easy. i have old kernels and a win2000 machine thats connected to the internet and has some open ports too and the program that listens on that port runs as admin.



>race condition and use after free

>logical problem

Cnile spotted



You're right that this is a C/C++ problem. Weenies will once again find some way to blame the protocol and not the weenie "programmers" and piece of shit "language" it was written in, just like they blamed the finger protocol for the Morris worm caused by a buffer overflow because some weenie used gets() for network software.


There are languages that are completely immune to use-after-free bugs, and not just the ones with GC. There are also languages that prevent race conditions. This idea that computer networking is inherently dangerous is bullshit. It's not the packets that are the problem, it's shitty C code.

Date: Mon, 7 Jan 91 23:09:32 EST
Subject: What you once thought was a brain-dead misimplementation is now the protocol definition!
or, Unix Historical Revisionism At Work Again,
or, IETF-approved RFC1196

This whole thing is pretty sad, or pathetic, or depressing
or something.

Firstly, there's the rewriting of a protocol to conform
to a ubiquitous misimplementation -- the unix story over and

Then there's the growing Balkanisation (or
Multics-ification) of the net -- I remember laughing out
loud when I found that MIT-MULTICS refused finger service on
security grounds.

Then, or course, there's the pathetic implementational
warnings about how one should be very very careful in
implementing this sensitive and dangerous protocol -- as if
this perilous protocol somehow innately offered a direct way
to shove fingers up unix' sockets. Or something.



File: 29d5cc7a3d4636b⋯.png (6.48 KB, 529x22, 529:22, 2019-05-16T14_04_36.png)

[Laughs in Gentoo]


File: 3f2fe8878acf3fb⋯.png (68.38 KB, 529x466, 529:466, 1483182577323.png)


You're the best poster on /tech/, don't let newfags tell you otherwise.




>it's trying to encourage itself

This is pathetic







unbased and gay


File: 7e225efff0fda89⋯.png (52.25 KB, 248x209, 248:209, moron.png)


He's getting lazy these days. His posts grow less detailed and he's begun flat-out lying about basic stuff like static linking because no matter what he says, some faggot is going to call him based. Compared to his old posts and genuinely fascinating shit like the Multicians website, you're being fed slop and praising it because your chef wasn't always this lazy.

If you're actually interested in non-Unixy hardware and operating systems, there's a shitton of great websites out there and Youtube videos of eldery dudes demonstrating their old OSes in virtual machines. Why don't you check out those instead of waiting for some angry /tech/ boomer to dripfeed you trivia?



>implying I sit on /tech/ all day refreshing nonstop to see him post














lol all he did was point out unix braindamage and then act like lisp machines were the best thing ever. I'm nearly convinced he's the zoomer cnile poster and rust shill too.



At least captcha prevents low quality posts. Right? lmfao imagine /tech/ ends up as the most cucked board. hahaha



Nah m8. I'm the Cnile poster and the Rust shill. I'm also the LARPer poster. I'm not zoomer though, LOL.

unbased btw



only good mods could prevent that but they are very likely phoneposters too so its not going to happen



why would you download it from some random indian botnet site instead of kernel.org?



>gpg --verify linux-5.1.2.tar.sign



>everybody i don't like is the same person

get that checked, lad



Because it's not 1990 anymore.


File: 51e3728752b088c⋯.jpg (22.72 KB, 500x379, 500:379, 1990sadfrog.jpg)


How do I make vanilla kernel work with lvm?

I never could pass this part, distros are using some initrd hackery for that.

Is there a simplier way?

Slackware had worked without initrd just fine, is it still possible?

Can I build a kernel without TCP/IP or networking support (i.e without loop interface) for being truly offline?

How can I disable all drivers and modules which is not needed by my system?

Which scheduler should I choose?



I can't help you with LVM. You can easily disable the networking stack in the kernel configuration though if you want Unix sockets you may need to reenable some parts. Start with a minimal kernel (maybe something like Gentoo as a base) and go through the options; maybe try a live medium and check what modules are being used to quickly check what your hardware needs. The scheduler isn't really that important, but there is one that gives more priority to programs that are taking user input. Don't quite remember the name however.



update your 10 year old jpeg before you die of old age, anon


File: 01a47423e8e1ea8⋯.png (90.3 KB, 642x581, 642:581, countryfeels.png)

File: e8c2f3415d5d8a4⋯.png (117.97 KB, 1134x634, 567:317, pwn2000.png)

File: 2586ace7691765c⋯.png (118.42 KB, 1123x637, 1123:637, pwn2000a.png)


You must really trust your firewall br0. I can think about about 80 ways to get turtle> on Windows 2000 and that is just remote exploits that are publicly available. I mean why? You know any script kiddie with metasploit can own that machine with x86 meterpreter reverse hop http/https payload right? Why would you challenge motherfuckers to hack your Windows 2000 box?



It's because programming classes don't teach security and there a culture of defensive coding practices. I think the last time I read through a C++ book Security was Chapter 13 and I'm pretty sure they don't cover that in normal programming courses. I don't think security and hacking related subjects get taught until 400 level classes and higher. Me never went to college but I love code. I read Chapter 13. It's a good idea to read Bjarne Stroustrup's books on the version of C++ you intent to use. I think by C++ 17 most of this shit is fixed is fixed but people are still coding for C++03 or 11 because they have just been doing it forever.

Also a problem is faggot ass supervisors wanting devs to use legacy libraries that have known security issues. Devs "Ok, but don't say I didn't warn you."

But you are right C/C++ has issues and you actually have to think about defensive coding practices while coding. Nobody does. Fewer people actually pentest their shit or outside consultants or even a bug bounty program because people care about how easy it is for the end user. It's why MSSQL came configured insecurely. It's so there are less tech support calls. Microsoft even, "Fuck security" I mean was Window ever kinda secure before Windows 10. Can still get Turtle> on 10 though.


I did get it from kernel.org. Those links are not what I posted. Don't use that shit.





Yes this is directly related to some stuff that I am working on right now -- I am trying to do some things with ubuntu 18.04 with PCI-E performance and some features that were added recently (Back in 4.20 iirc).


File: ca20363f525b302⋯.jpg (2.25 KB, 125x125, 1:1, 1469035408232s.jpg)


>There are languages

like what?

>inb4 ada




I don't think Ada is completely immune, but it eliminates the vast majority of use cases for pointers in C by not being garbage.


>kernel updates every few days

>kernel is clearly getting worse with time

>muh security

lol fine how come my gpu doesn't work properly now? How come my audiocard didn't work for 6 months? oh yeah kernel updates due to unix braindamage



>unix braindamage


>How come my audiocard didn't work for 6 months?

Install PulseAudio



>There are languages that are completely immune to use-after-free bugs

If you're going to say Ada, then you're wrong.

The Ariane V Cluster rocket disaster was caused by faulty Ada code. Ada has proven to constantly fail at branch conditions and about as brain damaged as C.



No anon the kernel dropped support for the hardware. They probably fucked up something, (((by accident))), for the gpu since I should be a good nigger a buy a new computer every 5 years to fucking use xterm.



The Cluster explosion wasn't caused by a use after free you LARPer.



>blaming the Ariane V clusterfuck on Ada

No, that was just the rocket designers being retarded. tl;dr they reused code designed for an older and slower rocket which made assumptions about its maximum inertia, assumed anything higher was a sign of hardware failure, and disabled security features to increase performance. They skimped on basic tests to save money and, surprise surprise, the performance hacks didn't scale up to a faster rocket and led to both redundant computers shutting down mid-flight.

The software for the Inertial Reference System (IRS) on the Ariane 5 was identical to the
software used successfully on the Ariane 4 rocket. Basically, the developers took an "Off
The Shelf" part (the IRS) that consisted of hardware and software, the design of which was
used successfully on the Ariane 4 project, and bolted it onto the Ariane 5 rocket
completely untested. The Ariane 5 rocket had a substantially different flight profile than the
Ariane 4 was capable of. When the rocket started its flight, it moved at angles that were
substantially larger than the Ariane 4 flight path would generate. The inertial data exceeded
the range limits of the Ariane 4 software.

The system was designed with a dual-redundant computer (two processor boards that are
identical, running identical software.) One part of the software in question was performing
calculations on the inertial data and needed to do so repeatedly in a very small amount of
time. The original designers needed to speed up the software so they performed an
analysis of the incoming data and concluded that within the Ariane 4 flight profile, numbers
outside of a certain range would never occur. If such numbers *did* occur, it would be most
likely that a sensor had failed and was generating wildly out of range data. Hence, it was
safe to remove any error-handling code and instead design in Failure Detection and
Accommodation (FDA) logic.

The logic went something like this: "If a number comes in over a certain size, it will trigger
a hardware overflow condition. The hardware will trap to an Interrupt Service Routine (ISR)
for handling of that condition. The ISR presumes that if it was reached, then there must be
a hardware fault. In the event of a hardware fault, the software will shut down the computer
and transfer to the 'spare' ccomputer - which is why we have a 'spare' in the first place."
All of this makes sense because the flight path of the Ariane 4 would never generate
numbers large enough to cause an overflow - unless the hardware was broke. The whole
analysis and design was in place, tested and flew successfully for the Ariane 4 rocket.

Now comes the bad part: The design team for the Ariane 5 looked at the IRS for the Ariane
4 and figured that they had a reliable piece of hardware that would work fine for the Ariane 5
and they could save money by reusing an existing design. That's what they did. Only they
started to make unwarranted assumptions - that the unit would work on the Ariane 5 flight
trajectory and that it didn't need to be tested in any way against the flight path expected.
(Thus saving more money.) Had they run even the most rudimentary tests of the unit
against the expected flight path of the Ariane 5, they would have triggered the condition
and detected that they had a problem. They never did.

When the rocket flew for the first time, both dual-redundant computers detected the
overflow condition. Both presumed that the cause was a hardware failure. Both shut down in
an attempt to leave the other side in control. They did *exactly* what they were designed to
do and in that sense behaved flawlessly.

The fact that the computers in question were programmed in Ada had absolutely nothing to
do with the reasons for the crash. It had no more to do with the crash than the fact that both
computers were using a Mil-Std-1750a microprocessor - a computer that has been used
reliably in numerous space applications. The original software designers were not to blame
either. They designed their software logic for the problem at hand and had to work within the
CPU time limitations they were given. Their FDA logic was *perfect* for the Arriane 4 rocket.

The fault lay with the designers of the Ariane 5 and their failure to test their assumptions. It
would be analogous to taking a tire that was designed to work on a Corvette and "reusing"
it in the design of a Freightliner truck. It works *fine* when the only weight it has to support is
a Corvette sports car. What would it likely do trying to support the weight of a Freightliner


File: dff4b82327f814f⋯.png (273.19 KB, 680x419, 680:419, principal_skinner_pathetic.png)

>not cdn.kernel.org

[Return][Go to top][Catalog][Nerve Center][Cancer][Post a Reply]
Delete Post [ ]
[ / / / / / / / / / / / / / ] [ dir / agatha2 / baaa / choroy / dempart / mde / randamu / revel3 / vichan ]