9front - general discussion about 9front
* [9front] 4chan hacked rc-httpd
@ 2022-03-31 18:10 sl
  2022-03-31 19:35 ` sirjofri
  2022-03-31 23:54 ` Avalon Williams
  0 siblings, 2 replies; 9+ messages in thread
From: sl @ 2022-03-31 18:10 UTC (permalink / raw)
  To: 9front

https://boards.4channel.org/g/thread/86286230/plan-99front-is-super-secure

mailing list subscriber lists were leaked.  i don't think any other
sensitive data was.

if you have an auth password on one of our servers, change it now,
just for good measure.

sl


* Re: [9front] 4chan hacked rc-httpd
From: sirjofri @ 2022-03-31 19:35 UTC (permalink / raw)
  To: 9front

Hey,

doesn't rc-httpd bind /usr/web / like tcp80 and httpd does? At least, it 
could mkdir /usr/web/bin && bind /bin /usr/web/bin and then bind /usr/web 
/.

At least that's what I'd do.

I tested on my web server which runs tcp80 and I didn't have an issue 
like that.

sirjofri


* Re: [9front] 4chan hacked rc-httpd
From: Kurt H Maier @ 2022-03-31 20:17 UTC (permalink / raw)
  To: 9front

On Thu, Mar 31, 2022 at 07:35:37PM +0000, sirjofri wrote:
> Hey,
> 
> doesn't rc-httpd bind /usr/web / like tcp80 and httpd does? At least, it 
> could mkdir /usr/web/bin && bind /bin /usr/web/bin and then bind /usr/web 
> /.
> 
> At least that's what I'd do.
> 
> I tested on my web server which runs tcp80 and I didn't have an issue 
> like that.
> 
> sirjofri

Patches welcome -- currently we're just kicking out errors for requests
with this crap in the url.  

khm


* Re: [9front] 4chan hacked rc-httpd
From: Stanley Lieber @ 2022-03-31 20:26 UTC (permalink / raw)
  To: 9front

it’s a little more complex than just binding /bin because we serve cgi, but yes, some rudimentary sandboxing would be superior to what we’ve been doing for the past ten years.

sl


> On Mar 31, 2022, at 4:22 PM, Kurt H Maier <khm@sciops.net> wrote:
> 
> On Thu, Mar 31, 2022 at 07:35:37PM +0000, sirjofri wrote:
>> Hey,
>> 
>> doesn't rc-httpd bind /usr/web / like tcp80 and httpd does? At least, it 
>> could mkdir /usr/web/bin && bind /bin /usr/web/bin and then bind /usr/web 
>> /.
>> 
>> At least that's what I'd do.
>> 
>> I tested on my web server which runs tcp80 and I didn't have an issue 
>> like that.
>> 
>> sirjofri
> 
> Patches welcome -- currently we're just kicking out errors for requests
> with this crap in the url.  
> 
> khm
> 



* Re: [9front] 4chan hacked rc-httpd
From: ori @ 2022-03-31 20:29 UTC (permalink / raw)
  To: 9front

Quoth sirjofri <sirjofri+ml-9front@sirjofri.de>:
> Hey,
> 
> doesn't rc-httpd bind /usr/web / like tcp80 and httpd does? At least, it 
> could mkdir /usr/web/bin && bind /bin /usr/web/bin and then bind /usr/web 
> /.
> 
> At least that's what I'd do.
> 
> I tested on my web server which runs tcp80 and I didn't have an issue 
> like that.
> 
> sirjofri


would be nice, though rc-httpd also needs to execute
things from /bin, in a way that tcp80 doesn't.

that said, we should be able to build a namespace
containing '/bin', '/env', and '/$ROOT' to house
rc-httpd.
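
The namespace sirjofri and ori sketch above, written out as an rc wrapper. This is an added example, not code from the 9front tree or from anyone in this thread. It assumes the web root is /usr/web (overridable by its first argument), that the server is started as `rc-httpd` from $path, and that the port-80 listener script (on 9front conventionally /rc/bin/service/tcp80) is pointed at this wrapper instead of at rc-httpd directly; the empty `bin` and `env` directories it creates under the web root exist only as mount points.

```rc
#!/bin/rc
# Added example: run rc-httpd in a private namespace whose root is the
# web root, with only /bin and /env bound in.  Not part of 9front.
rfork en	# fresh namespace and environment group for this connection

webroot=/usr/web	# assumed default; override with $1
if(! ~ $#* 0)
	webroot=$1

# the binds below need directories to land on; these stay empty on disk
for(d in bin env)
	if(! test -d $webroot/$d)
		mkdir $webroot/$d

# bind the real directories over the placeholders first, then put the
# web root on top of /.  /bin and /env keep resolving to the real ones
# afterwards because the kernel keys binds on the directory they were
# made on, not on the path name used to reach it.
bind /bin $webroot/bin
bind /env $webroot/env
bind $webroot /

# from here on nothing outside the web root, /bin and /env is visible.
# anything rc-httpd or a cgi handler needs beyond that (its own config
# files, /net for lookups, /mnt services) must be bound in above in the
# same way, or the request fails inside the sandbox rather than reading
# the host file tree.
exec rc-httpd
```

A quick check after deploying: from a shell on the server, run the same binds by hand with `rfork en` and then try `ls /` and `cat /lib/ndb/local`; the first should list only the web root's contents plus `bin` and `env`, and the second should fail with a file-not-found error. A request path that escapes the web root then has nowhere to go, which is the point of the sandbox; it is a complement to, not a replacement for, rejecting such paths in rc-httpd itself as khm describes.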



* Re: [9front] 4chan hacked rc-httpd
From: Avalon Williams @ 2022-03-31 23:54 UTC (permalink / raw)
  To: 9front

Another note to have with this is just to have better data security, in a modified version of werc I'm using I added a number of security features (though they were all designed to run on plan9port rather than on 9front itself and I never bothered porting them or contributing them because they relied on some Linux-specific commands), including a salted password hash storage system (I used sha-256 but was planning on moving it to use argon2 via a go utility).

Leaks are always going to happen, it's better to make the data harder to access after the fact as well as trying to prevent them in the first place.

avnt
------- Original Message -------

On Thursday, March 31st, 2022 at 2:10 PM, <sl@stanleylieber.com> wrote:

> https://boards.4channel.org/g/thread/86286230/plan-99front-is-super-secure
>
> mailing list subscriber lists were leaked. i don't think any other
> sensitive data was.
>
> if you have an auth password on one of our servers, change it now,
> just for good measure.
>
> sl


* Re: [9front] 4chan hacked rc-httpd
From: Kurt H Maier @ 2022-04-01  0:38 UTC (permalink / raw)
  To: 9front

On Thu, Mar 31, 2022 at 11:54:22PM +0000, Avalon Williams wrote:
> Another note to have with this is just to have better data security, in a modified version of werc I'm using I added a number of security features (though they were all designed to run on plan9port rather than on 9front itself and I never bothered porting them or contributing them because they relied on some Linux-specific commands), including a salted password hash storage system (I used sha-256 but was planning on moving it to use argon2 via a go utility).
> 
> Leaks are always going to happen, it's better to make the data harder to access after the fact as well as trying to prevent them in the first place.

You're doing the right thing, but I'd personally prefer to see werc not
have an in-house user system at all; there are better protocols to allow
folks access to the underlying directories werc serves.  Putting all
your content in a shared 9p-served filesystem, or even some kind of
dvcs, removes a huge attack surface from webshit.  

Even if you do need interactivity over http, werc can happily
operate by receiving a USER header from whatever is calling its CGI.
Short of that it really should be using hashed passwords etc, but we've
never really had enough use of the werc-auth stuff to motivate
development.

khm



* Re: [9front] 4chan hacked rc-httpd
From: sl @ 2022-04-03  3:26 UTC (permalink / raw)
  To: 9front

known 4chan coverage of 9front is archived here:

	http://9front.org/press/4chan.org/

now updated with latest thread, plus excerpts of logs captured during
the attack.

sl


* Re: [9front] 4chan hacked rc-httpd
From: adr @ 2022-04-03 18:05 UTC (permalink / raw)
  To: 9front

On Sat, 2 Apr 2022, sl@stanleylieber.com wrote:

> known 4chan coverage of 9front is archived here:
>
> 	http://9front.org/press/4chan.org/
>
> now updated with latest thread, plus excerpts of logs captured during
> the attack.
>
> sl

Oh man... I don't know how I managed to arrive at the end of that
_thing_. It's been a day and my head still hurts. And tranny this
tranny that... when people are so obsessed with others' sexuality
I tell you, something is really wrong up|down there. But I have to
say, it surprised me that you weren't using the features of the
os to sandbox the server, or that apparently your passwords were
in a plain text file.

Anyway if I were you I would post a really nice message expressing
your gratitude for all the work and time invested in the "bug
report". Maybe you could offer an Antonio Banderas love doll for
all the angry repressed ones, maybe then they'll stop yelling at
the world.

adr
