#golang PSA: If you are shipping binaries built with Go 1.21.1 or newer to Linux systems with Transparent Huge Pages (THP) enabled (default in many cases), you either need to tweak the system THP settings via SysFS or upgrade to Go 1.21.6 AND set the workaround GODEBUG=disablethp environment variable.

If you don't, it can lead to what looks like a slow memory leak and eventually an out-of-memory condition. The issue doesn't affect every application (it depends on your memory use patterns), but when it does trigger, it's a pain to debug.

Go docs on THP: https://go.dev/doc/gc-guide#Linux_transparent_huge_pages

Github issue: https://github.com/golang/go/issues/64561

Original Linux kernel issue: https://bugzilla.kernel.org/show_bug.cgi?id=93111

Huge thanks to @TomSellers for tracking this down. The latest @runZeroInc build (4.0.240109.0) includes the fix for self-hosted customers.

Piping /dev/urandom into the USB HID keyboard stream[1] of a Windows 11 host logon screen makes for some funny videos.

Semi-related, you can do silly things with the "Microsoft OS Descriptor" USB parameters (properties get mapped to registry keys/values), but it looks generally safe, since not much happens automatically with those properties, especially outside of the Explorer view for Mass Storage/MTP/PTP devices.

1. Pi Zero W 2 in OTG mode, setup as a composite device via ConfigFS, and literally mashing random bytes into /dev/hidg0

#usb

Hot takes for 2024:

* Is the project part of the Apache Foundation and something you have never heard of as a defender? Expect to see in-the-wild exploitation.

* Seeing a ton of lower-case error messages? It's Go. It's all Go now. Go ate Java, it's coming for .NET next. Rust folks (aka C++ refugees) are welcome to hang out in the basement and drink Bailey's from a boot (or at least, work on bootloaders) while everyone else moves to Go.

Happy new year!

Not a great start to 2024: `The fee is now $%!f(*float64=0xc1f673a2e0)`

As a long-time Chrom(e|ium) user, switching to Firefox this week was painless (+uBlock Origin to match Brave-like defaults).

@roy makes a good case for switching going into 2024:
https://roytanck.com/2023/12/23/in-2024-please-switch-to-firefox/

There was one snag that folks should be aware of: Firefox "suggestions" send your URL bar input to Mozilla and/or your configured search engine. It was easy to disable, but felt shady given that it leaks your search input to two external parties by default.

If anyone is wondering why I stopped writing exploits, this graphic from @dangoodin's article on the Triangulation exploit chain sums it up: https://arstechnica.com/security/2023/12/exploit-used-in-mass-iphone-infection-campaign-targeted-secret-hardware-feature/

Even the most difficult exploits I worked on rarely took more than a week. Modern exploit development is a different beast altogether.

Happy holidays from a chilly Austin, Texas!

Happy Halloween!

A mini-rant on the use of murmur3 32-bit hashes for favicon.ico fingerprinting:

1) The canonical implementation is @shodan which uses the Python mmh3 module, so far so good...

2) The Murmur3 hashing algorithms are generally architecture-dependent. Python mmh3 uses the C implementation, which produces different hashes based on architecture and possibly endian-ness.

3) The Go implementations cover 32/64/128 variants, but they also lean on unsafe pointer usage for some silly reason, and although they support byte swap for big endian, it looks fragile.

4) This Shodan hash isn't of the binary data, but rather the base64 of the data.

5) And it's actually more specific. It depends on the variant with 76-character line wrap, using "\n" (but not "\r\n") line wraps, and a trailing "\n", with the base64 `=` padding.

6) If you want to calculate the Shodan compatible Favicon hash without relying on a C compiler, the native build architecture, or the base64 implementation, use this: https://gist.github.com/hdm/1552cdfad14b32a2d2f44a64468558c5#file-mmh3-go-L78

TL;DR: If you generate some sort of hash or fingerprint, it helps if the generation process isn't defined by build architecture or a stack of implementation-specific defaults.

""?! ANSI Terminal security in 2023 and finding 10 CVEs: https://dgl.cx/2023/09/ansi-terminal-security - awesome research by @dgl