There are many advantages to using a vendor-managed PostgreSQL (AWS Aurora), but the black box nature of diagnostics is not one of them. For anyone else fighting with index performance going suddenly sideways (10x slower queries) on Aurora PostgreSQL - the root cause seems to be that new reader replicas can sometimes have horrible index performance, but this only shows up when there are tons of concurrent requests, and running a full `reindex database concurrently <db>` resolves it. All of the standard diagnostics (looking for invalid indexes, trying manual queries on each endpoint with explain, checking seq scan stats, etc) pointed to everything being just fine.

Unrelated, but hilarious, it seems like that somebody is uploading sketchy AWS database snapshots and marking them public. Is this just a troll, or can a backdoored snapshot do anything interesting if you load it into a sensitive environment? (via extensions, triggers, etc).

In which Ian Carroll casually compromises a Turkish root CA trusted by most browsers: https://ian.sh/etugra

runZero 3.3 is live with support for pulling in users, groups, and assets from Google Workspace. This release also rolls up our TLS fingerprinting work (OpenSSL 3.x detection, along with SChannel, and GnuTLS, and others).

Still free (via Starter Edition) for folks with less than 256 assets.

https://www.runzero.com/blog/runzero-3.3/

This is probably an unpopular opinion, but I would love to see ActivityPub implementations not tied to a GPL/AGPL license. After poking at WriteFreely, the only thing stopping me from PRing a half-dozen improvements is the weird license choice.

AGPL/GPL is terrible if you want to write stuff that you can reuse for other projects (commercial or personal). Viral licenses tie the hands of the original authors as much as those of contributors. Folks tend to figure this out only when it is really difficult to fix (ie. getting (C) reassignment or CLAs in place for all past contributors).

You can work around it by putting code into freely licensed subpackages instead, but it forces weird design decisions. I get that some folks are concerned about being SaaSed, but the AGPL choice still has a cost.

Anywho, MIT/BSD licenses are your friend now, and a friend to your future self who needs to reuse that code for something else in a decade.

Big thanks to @todb for handling a private vulnerability disclosure to a pharmacy chain for me. It's great to see that their website no longer leaks PHI and it is even better that I didn't get sued, threatened, or arrested as part of getting it fixed.

It would be fantastic if organizations like HackerOne offered this as a service; their current rules require the researcher to contact the organization directly first, defeating the point of working through a less-suable intermediary :)

All the same, hurray for one less exposure!

Everyone loves https://canary.tools and I wholeheartedly recommend that you take a look (and adopt the free tokens if nothing else); but there is another amazing free+awesome toolkit that most companies would benefit from without a privacy audit requirement: https://healthchecks.io - they do exactly what they say, really well, and are both cost-conscious and nerd-savvy. This is almost the opposite of a canary - it reports things that didn't fire - you can find all kinds of creative ways to make this security relevant while staying super inexpensive.

Meet my two Windows arm64 devices for @runZeroInc – on the left we have the snazzy new Windows Dev Kit 2023 ($599 USD), on the right we have a Pi 400 ($100+ USD).

My company’s (@runZeroInc) first request for arm64 support on Windows was almost two years ago and the only reasonably priced hardware that could run Windows 10+ was the Raspberry Pi 400 (and Raspberry Pi 4 4GB+ models). Installing Windows on these Raspberry Pis required various backflips and dodgy drivers to use more than 3Gb of RAM. The result was a laggy desktop, but something that was technically functional, thanks to npcap support for arm64 from Insecure, LLC.

Fast forward to Q4 2022 – serious hardware for arm64! The Windows Dev Kit 2023 includes 32Gb of RAM, 512Gb of NVMe, and a solid processor. The desktop is at least better than most Celerons and the memory support makes this usable for development. The downside, currently, is price, and we hope that arm64 options for Windows will improve going forward. The dev kit is much less painful to use than the jenky Windows support for the Pis, but support for Windows 11 also highlights another interesting (and security-relevant) service: the Windows Device Portal.

The Windows Device Portal is an optional service available after enabling developer settings. The service provides a web interface for remote management, with optional authentication, and provides everything an attacker could ask for (including remote process dumps of lsass.exe).

This service runs on TCP 50080 (HTTP) and 50443 (HTTPS), and while you are only likely to find it on development systems, any Windows 11 administrator can enable it. The bad news: with optional authentication, this service is effectively unauthenticated remote system access, with the benefit of using signed binaries. The good news is that it should be rare, and even the lame static username and password configuration (unrelated to Windows authentication), can prevent casual network abuse. We plan to add support for detection of this service in the next build of runZero all the same.

Thanks for reading (and the warm welcome to Mastodon)!

Terminal emulation bugs are the best: https://www.openwall.com/lists/oss-security/2022/11/10/1

printf "\e]50;i\$(touch /tmp/hack-like-its-1999)\a\e]50;?\a" > cve-2022-45063

Yesterday's Grafana authentication bypass vulnerability (CVE-2022-39328) is really neat from the perspective of auditing Go code. Concurrent requests could accidentally share the same array slice of middleware handlers. Advisory at https://grafana.com/blog/2022/11/08/security-release-new-versions-of-grafana-with-critical-and-moderate-fixes-for-cve-2022-39328-cve-2022-39307-and-cve-2022-39306/ and actual patch diff at https://github.com/grafana/grafana/pull/58458/files

Some scary reporting from @joesephmenn@twitter.com via The Post: One of the powerful root certificate authorities trusted by big web browsers to vouch for websites operates from a UPS Store address and has ties to a U.S. intelligence contractor selling interception gear: https://www.washingtonpost.com/technology/2022/11/08/trustcor-internet-addresses-government-connections/ #TrustCor #TLS