From: Marcelo Araujo
Reply-To: araujo@freebsd.org
Date: Sun, 28 Nov 2021 20:11:57 +0800
Subject: Re: Does not appear to be (too) malicious ...
To: Mehmet Erol Sanliturk
Cc: Stefan Esser, freebsd-hackers
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
References: <05580cd8-1bbf-8783-b190-40d9cdacade6@m5p.com>

you all have a lot of free time.

On Sun, Nov 28, 2021, 18:14 Mehmet Erol Sanliturk wrote:

> On Sun, Nov 28, 2021 at 12:17 PM Stefan Esser wrote:
>
> > On 28.11.21 at 02:06, Mario Lobo wrote:
> >
> > > On Sat, Nov 27, 2021, 20:27 George Mitchell wrote:
> > >
> > > > On 11/27/21 17:40, Obsto Clades via freebsd-hackers wrote:
> > > >
> > > > > I hacked on the FreeBSD source code to produce a version of the OS that
> > > > > cannot be remotely hacked. Before you tell me that is impossible, I
> > > > > have an answer to that response on my FAQ page.
> > > > >
> > > > > If you are interested in checking out my OS, you can find instructions
> > > > > on my site's home page: https://obstoclades.tech/
> > > > >
> > > > > I invite you to check it out.
> > > > >
> > > >
> > > > Hmm, my mother told me never to click on links in strange emails ...
> > > > -- George
> > > >
> > >
> > > curl http://obstoclades.tech
> > [...]
> > >
> > > Connection denied by Geolocation Setting.
> > >
> > > Reason: Blocked country:
> > >
> > > The connection was denied because this country is blocked in the
> > > Geolocation settings.
> > >
> > > Please contact your administrator for assistance.
> > >
> > > WatchGuard Technologies, Inc.
> > >
> >
> > $ fetch --no-verify-peer -v -o /tmp/obstoclades.html https://obstoclades.tech
> > resolving server address: obstoclades.tech:443
> > SSL options: 82004854
> > Verify hostname
> > TLSv1.3 connection established using TLS_AES_256_GCM_SHA384
> > Certificate subject: /CN=obstoclades.tech
> > Certificate issuer: /C=US/O=Let's Encrypt/CN=R3
> > requesting https://obstoclades.tech/
> > fetch: https://obstoclades.tech: size of remote file is not known
> > local size / mtime: 34916 / 1638088913
> > /tmp/obstoclades.html                          34 kB  181 kBps    00s
> >
> > There is actual content in this file, and it does not seem to contain any
> > malicious parts. It starts with:
> >
> >     [HTML markup not preserved by the archive; surviving text:]
> >     Security is a Joke
> >     content="This demonstrates a modified BSD Operating System designed
> >     to prevent remote hacking of single-purpose computer systems.">
> >
> > And besides the jquery.min.js downloaded from ajax.googleapis.com only the
> > following short and apparently benign script is downloaded as
> > obstoclades.js:
> >
> > /*
> >  * File: obstoclades.js
> >  * Copyright (c) 2017 Obsto Clades, LLC
> >  */
> >
> > $(document).ready(function()
> > {
> >     var $content = $(".content").hide();
> >     $(".img").on("click", function (e)
> >     {
> >         $(this).parent().parent().toggleClass("expanded");
> >         var ttt = $(this).parent().children(".tooltiptext");
> >         if ($(this).parent().parent().hasClass("expanded"))
> >         {
> >             ttt.replaceWith("Click to close");
> >         }
> >         else
> >         {
> >             ttt.replaceWith("Click to open");
> >         }
> >         $(this).parent().parent().next().slideToggle();
> >     });
> >     var textHeight = $("#left-side-header-text").height();
> >     $("#old_english_sheepdog").height(textHeight).width(textHeight);
> >     $("#button").click(function()
> >     {
> >         $("#contactus-form").submit();
> >     })
> > });
> >
> > He invites people to attack his server using an SSH login with provided
> > credentials, and offers US$1000 for any successful modification of the test
> > server. See the following video, which shows that root on the console and
> > root via su in the SSH session get quite different environments:
> >
> > https://obstoclades.tech/video/demo-video.mp4
> >
> > This looks like a setup with lots of restrictions applied, probably noexec
> > mounts of temporary file systems and the like, possibly jails and/or MAC
> > restrictions.
> >
> > He thinks that an embedded system configured that way could not be attacked,
> > but explains that his concept is limited to e.g. IoT use cases (what he
> > calls "single-purpose computer system").
> >
> > Anyway, I could not find any malicious content on the web server. Accessing
> > with an SSH session (obviously configured to not allow backwards tunneling)
> > should also not be too dangerous from a dumb terminal (but beware of escape
> > sequence attacks possible with ANSI terminals, e.g. reprogramming of
> > function keys with "ESC[code;string;...p").
> >
> > It looks to me like kind of a honeypot setup gathering attack attempts to
> > see whether a throw-away system can withstand them. All attack attempts are
> > logged, either to learn how to perform them, or to actually improve the
> > security of his protection concept in case of a successful break-in.
> >
> > Regards, Stefan
> >
>
> The message above is really a very good one because of its information
> content.
>
> As a response to my message in the following link
>
> https://lists.freebsd.org/archives/freebsd-hackers/2021-November/000515.html
>
> Obsto Clades asked me with a private message, approximately,
>
> "I am connecting to the web site ... without any such message.
> Do you have more information?"
>
> I replied, "No."
>
> When the following link is opened (please notice that it is http, not https)
>
> http://obstoclades.tech/
>
> the response of Firefox (57.0.1) is the following:
> --------------------------------------------------------
> Connection denied by Geolocation Setting.
>
> * Reason: * Blocked country:
>
> The connection was denied because this country is blocked in the
> Geolocation settings.
>
> Please contact your administrator for assistance.
> WatchGuard Technologies, Inc.
> --------------------------------------------------------
>
> When the following link is opened (please notice that it is https, not http)
>
> https://obstoclades.tech/video/demo-video.mp4
>
> the response of Firefox (57.0.1) is the following:
> --------------------------------------------------------
> Your connection is not secure
>
> The owner of obstoclades.tech has configured their website improperly. To
> protect your information from being stolen, Firefox has not connected to
> this website.
>
> Learn more…
>
> Report errors like this to help Mozilla identify and block malicious sites
> --------------------------------------------------------
>
> In "Learn more ..." the linked page is
>
> https://support.mozilla.org/en-US/kb/error-codes-secure-websites?as=u&utm_source=inproduct
> How to troubleshoot security error codes on secure websites
>
> There are 2 knobs not copyable:
>
> (1) Go back
> (2) Advanced
>
> When "Advanced" is clicked (there is no linked page), the following message
> is displayed:
> --------------------------------------------------------
> obstoclades.tech uses an invalid security certificate.
>
> The certificate is not trusted because it is self-signed.
> The certificate is not valid for the name obstoclades.tech.
>
> Error code: SEC_ERROR_UNKNOWN_ISSUER
> --------------------------------------------------------
>
> With a knob (without any linked page) as follows:
>
> "Add Exception ..."
>
> with a dialog pane display to add an exception for that page (which I did
> not add because the website owner may correct her/his certificate or
> configuration of the website).
>
> With my best wishes for all,
>
> Mehmet Erol Sanliturk
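Stefan's caveat about escape-sequence attacks from an ANSI terminal is the kind of thing a defender handles by filtering whatever an untrusted host sends before it reaches a real terminal or a log viewer. The Python allow-list filter below is an added example, not code from this thread or from obstoclades.tech: it keeps plain text and SGR colour sequences only, drops every other ESC-introduced sequence (including CSI sequences whose final byte is 'p', the shape Stefan cites) and every stray C0 control byte, and reports what it dropped; the SAMPLE bytes are constructed for the demonstration.

```python
import re

# OSC/DCS/APC/PM/SOS strings end with BEL or ST (ESC \); accepting BEL for all is conservative.
_ST = re.compile(rb"\x07|\x1b\\")
_STRING_KINDS = {0x5D: "OSC", 0x50: "DCS", 0x5F: "APC", 0x5E: "PM", 0x58: "SOS"}

def sanitize_terminal_output(data: bytes):
    # Allow-list filter: keep text, TAB/LF/CR and SGR colour sequences (CSI ... 'm').
    # Everything else is removed and returned as (kind, raw_bytes) for logging/alerting.
    out, dropped = bytearray(), []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != 0x1B:
            if b >= 0x20 or b in (0x09, 0x0A, 0x0D):
                out.append(b)
            else:
                dropped.append(("C0", bytes([b])))
            i += 1
            continue
        j = i + 1
        if j < n and data[j] == 0x5B:                                # CSI: ESC [
            j += 1
            while j < n and 0x30 <= data[j] <= 0x3F: j += 1          # parameter bytes
            while j < n and 0x20 <= data[j] <= 0x2F: j += 1          # intermediate bytes
            if j < n and 0x40 <= data[j] <= 0x7E:                    # final byte
                j += 1
                if data[j - 1] == 0x6D:                              # 'm' = SGR: keep
                    out += data[i:j]
                    i = j
                    continue
            dropped.append(("CSI", bytes(data[i:j])))                # '...p' and friends
        elif j < n and data[j] in _STRING_KINDS:                     # ESC ] / P / _ / ^ / X
            kind = _STRING_KINDS[data[j]]
            m = _ST.search(data, j + 1)
            j = m.end() if m else n                                  # unterminated: drop to end
            dropped.append((kind, bytes(data[i:j])))
        else:                                                        # ESC + one byte, or lone ESC
            j = min(j + 1, n)
            dropped.append(("ESC", bytes(data[i:j])))
        i = j
    return bytes(out), dropped

# Constructed sample of what an untrusted remote session or log might emit.
SAMPLE = (b"\x1b[1;32mlogin ok\x1b[0m\n"              # SGR colour: kept
          b"\x1b[12;34p\x1b]0;new title\x07"           # CSI ending in 'p', OSC string: dropped
          b"\x1bPq1;2\x1b\\\x1bc"                      # DCS string, ESC c (full reset): dropped
          b"done\x07\n")                               # stray BEL: dropped
```

Pipe a captured session through `sanitize_terminal_output` before `cat`-ing it on a terminal, and treat a non-empty `dropped` list as a signal worth logging.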