Skip to main content
Recent Posts
92
VPN / Re: Inferring and hijacking VPN-tunneled TCP connections
Last post by Admin -
You are not allowed to view links. Register or Login

Pretty sure its something that needs patched in Linux kernel, not necessarily a fault in OpenVPN or WireGuard.

You are not allowed to view links. Register or Login

Quote
It seems like this attack requires the attacker to be in control of an upstream device within the same subnet, like an access point, and using it to try to open a TCP connection to every possible address in the private address space, hoping that the Linux device will respond to one of the packets with a RST packet, even though that is the wrong interface for that IP address. Linux devices implementing a weak IP model may allow responding to packets destined for a different IP than what is on that interface as long as the IP is on some interface. I believe that pf implements a strong IP model requiring IP packets to come in on the correct interface, so that might defeat this, but I'm not sure. It seems like the most vulnerable target would be someone running a recent version of Linux on their laptop, who is also using a VPN to protect themselves while using a sketchy/untrusted WiFi network. To attack a pfSense router, the packets would need to come from inside your ISP's subnet, but I think that most ISPs would not forward RFC1918 packets from one subscriber to another, so the packets would probably have to be coming from your ISP itself. I guess the equivalent to the create_ap component would be the CPE. pfSense blocks RFC1918 traffic by default, although you can change this in your settings. However, I'd say that if your ISP is injecting bogus traffic to try to hack your pfSense VPN via the provided cable modem, maybe you have bigger problems, and should consider ending your contract with them. File this issue under "meh."

Seems like it would be a difficult attack to pull off too, I don't think its as detrimental as some people are acting...Hopefully a kernel patch or something can fix it and put the whole thing to rest,
93
VPN / Inferring and hijacking VPN-tunneled TCP connections
Last post by water_bear -
Has anyone else been following this bulletin that was published on seclists earlier this December?

You are not allowed to view links. Register or Login

So far, it seems like this vuln might not be the end of the world, but I was just wondering what perspective the posters here might have regarding this?
94
VPN / Re: SnugVPN - 6 Months Free For Beta Testers
Last post by water_bear -
I'm fairly skeptical of free vpn offers, but I like to test drive them for curiosities sake. I've seen some that seem to be secure, others that are obviously misconfigured. I've noticed some that inject scripts into the users web browser for one reason or another and some that have really odd implementations of domain fronting going on. Anyway, I signed up for the beta test at snug. FWIW, after having been approved, I noticed that it seemed as if the only way to connect was by downloading an app. This I consider to be a red flag. I tried contacting their customer support, explaining that my operating system was not supported by the suggested apps, in hopes that maybe they would reply with some information regarding how one could connect by way of something like openvpn. Perhaps they could provide an .opvn file? Some necessary configuration details? Anyway, I never heard back from them. Let me be clear, I'm just mentioning this FWIW and I don't want to dis snug unjustly. I'm just putting it out there. Does anyone else that may have signed up for this beta test have a review to offer? I might try and stand up a virtual Windows machine and check out the app, but I'd have to set time aside to do that carefully. In the meantime, I'm curious if anyone has any opinions on snug.
96
Interesting Links / Re: Fun Sites With Old School ASCII Asthetic
Last post by water_bear -
314n.org is an interesting concept for a textboard/chan. The in browser experience simulates a terminal. The board is navigated by a command line interface. It is not very practical for the average user, but I suppose that can be seen as a feature or a bug depending on the crowd that one wishes to attract. It should be noted that it seems to be a dead board and most of the posts are in the Russian language. All that being said, I find 314n.org interesting as a concept.
98
Tech News / At long last, WireGuard VPN is on its way into Linux
Last post by Admin -
You are not allowed to view links. Register or Login

At long last, WireGuard VPN is on its way into Linux

For years, developers have been working on this new take on the virtual private network, and now it's finally ready to go.

Quote
How much are people looking forward to WireGuard, the new in-kernel Linux virtual private network (VPN)? Well, Linus Torvalds said, "Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn't perfect, but I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art."

If that sounds like damning with faint praise, you don't know Torvalds. For him, this is high praise. WireGuard has now been committed to the mainline Linux kernel. While there are still tests to be made and hoops to be jumped through, it should be released in the next major Linux kernel release, 5.6, in the first or second quarter of 2020.

WireGuard has been in development for some time. It is a layer 3 secure VPN. Unlike its older rivals, which it's meant to replace, its code is much cleaner and simple. The result is a fast, easy-to-deploy VPN. While it started as a Linux project, WireGuard code is now cross-platform, and its code is now available on Windows, macOS, BSD, iOS, and Android.

It took longer to arrive than many wished because WireGuard's principal designer, Jason Donenfeld, disliked Linux's built-in cryptographic subsystem on the grounds its application programming interface (API) was too complex and difficult. He suggested it be supplemented with a new cryptographic subsystem: His own Zinc library. Many developers didn't like this. They saw this as wasting time reinventing the cryptographic well.

But Donenfeld had an important ally.

Torvalds wrote, "I'm 1000% with Jason on this. The crypto/ model is hard to use, inefficient, and completely pointless when you know what your cipher or hash algorithm is, and your CPU just does it well directly."

In the end, Donenfeld compromised. "WireGuard will get ported to the existing crypto API. So it's probably better that we just fully embrace it, and afterward work evolutionarily to get Zinc into Linux piecemeal." That's exactly what happened. Some Zine elements have been imported into the legacy crypto code in the forthcoming Linux 5.5 kernel. This laid the foundation for WireGuard to finally ship in Linux early next year.

WireGuard works by securely encapsulates IP packets over UDP. It's authentication and interface design has more to do with Secure Shell (SSH) than other VPNs. You simply configure the WireGuard interface with your private key and your peers' public keys, and you're ready to securely talk.

When it arrives, I expect WireGuard to quickly become the new standard for Linux VPNs. With its tiny code-size, high-speed cryptographic primitives, and in-kernel design, it should be faster than all other existing VPN technologies. WireGuard's not just fast, it's secure as well, with its support of state-of-the-art cryptography technologies such as the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, and HKD.

All this is why some companies -- like Mullvad VPN -- adopted WireGuard long before it was incorporated into Linux. As Mullvad co-founder Fredrik Strömberg wrote two-years ago, "We find WireGuard beneficial for a number of reasons. Its simplistic design in few lines of code makes it easier for sysadmins and developers to integrate it correctly -- and harder for them to get it wrong." Thus, "WireGuard will move the world one step closer to our own vision -- of making mass surveillance ineffective."

So, say hi to the future of the VPN. Its name is WireGuard.
99
Tech News / Re: WinRAR Nukes Pirate Keygen But is a “Good Guy” Towards Regular Users
Last post by Admin -
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login
You are not allowed to view links. Register or Login