Re: Does not appear to be (too) malicious ...
Date: Sun, 28 Nov 2021 12:11:57 UTC
you all have a lot of free time. On Sun, Nov 28, 2021, 18:14 Mehmet Erol Sanliturk <m.e.sanliturk@gmail.com> wrote: > On Sun, Nov 28, 2021 at 12:17 PM Stefan Esser <se@freebsd.org> wrote: > > > Am 28.11.21 um 02:06 schrieb Mario Lobo: > > > On Sat, Nov 27, 2021, 20:27 George Mitchell <george+freebsd@m5p.com> > > wrote: > > > > > >> On 11/27/21 17:40, Obsto Clades via freebsd-hackers wrote: > > >>> I hacked on the FreeBSD source code to produce a version of the OS > that > > >>> cannot be remotely hacked. Before you tell me that is impossible, I > > >>> have an answer to that response on my FAQ page. > > >>> > > >>> If you are interested in checking out my OS, you can find > instructions > > >>> on my site's home page: https://obstoclades.tech/ > > >>> > > >>> I invite you to check it out. > > >>> > > >> > > >> Hmm, my mother told me never to click on links in strange emails ... > > >> -- George > > >> > > > > > > curl http://obstoclades.tech > > [...] > > > <p class="red">Connection denied by Geolocation Setting.</p> > > > <p><b> Reason: </b> Blocked country: <font color="red"> </font> > > </p> > > > <p>The connection was denied because this country is blocked in > > the > > > Geolocation settings.</p> > > > <p>Please contact your administrator for assistance.</p> > > > </div> > > > <div class="band">WatchGuard Technologies, Inc.</div> > > > </div> > > > </body> > > > </html> > > > > $ fetch --no-verify-peer -v -o /tmp/obstoclades.html > > https://obstoclades.tech > > resolving server address: obstoclades.tech:443 > > SSL options: 82004854 > > Verify hostname > > TLSv1.3 connection established using TLS_AES_256_GCM_SHA384 > > Certificate subject: /CN=obstoclades.tech > > Certificate issuer: /C=US/O=Let's Encrypt/CN=R3 > > requesting https://obstoclades.tech/ > > fetch: https://obstoclades.tech: size of remote file is not known > > local size / mtime: 34916 / 1638088913 > > /tmp/obstoclades.html 34 kB 181 kBps 00s > > > > There is actual contents in this file, and it does not seem to contain > any > > malicious parts. It starts with: > > > > <!DOCTYPE html> > > <!-- > > File: ObstoClades.html > > Copyright (c) 2021 Obsto Clades, LLC > > --> > > <html lang="en"> > > <head> > > <meta charset="UTF-8"> > > <title>Security is a Joke</title> > > <meta name="description" > > content="This demonstrates a modified BSD Operating System > > designed > > to prevent remote hacking of single-purpose computer systems."> > > <link rel="stylesheet" type="text/css" href="/css/obstoclades.css"/> > > <link rel="icon" type="image/x-icon" href="/favicon.ico"/> > > <script > > src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js > > "></script> > > <script src="js/obstoclades.js" defer="defer"></script> > > </head> > > > > And besides the jquery.min.js dowloaded from ajax.googleapis.com only > the > > following short and apparently benign script is downloaded as > > obstoclades.js: > > > > /* > > * File: obstoclades.js > > * Copyright (c) 2017 Obsto Clades, LLC > > */ > > > > $(document).ready(function() > > { > > var $content = $(".content").hide(); > > $(".img").on("click", function (e) > > { > > $(this).parent().parent().toggleClass("expanded"); > > var ttt = $(this).parent().children(".tooltiptext"); > > if ($(this).parent().parent().hasClass("expanded")) > > { > > ttt.replaceWith("<span class=\"tooltiptext\">Click to > > close</span>"); > > } > > else > > { > > ttt.replaceWith("<span class=\"tooltiptext\">Click to > > open</span>"); > > } > > $(this).parent().parent().next().slideToggle(); > > }); > > var textHeight = $("#left-side-header-text").height(); > > $("#old_english_sheepdog").height(textHeight).width(textHeight); > > $("#button").click(function() > > { > > $("#contactus-form").submit(); > > }) > > }); > > > > He invites to attack his server using a SSH login with provided > > credentials, > > and offers US$1000 for any successful modification of the test server. > See > > the following video, which shows that root on the consonle and root via > su > > in the SSH session get quite different environments: > > > > https://obstoclades.tech/video/demo-video.mp4 > > > > This looks like a setup with lots of restrictions applied, probably > noexec > > mounts of temporary file systems and the like, possibly jails and/or MAC > > restrictions. > > > > He thinks that an embedded system configured that way could not be > > attacked, > > but explains that his concept is limited to e.g. IoT use cases (what he > > calls "single-purpose computer system"). > > > > Anyway, I could not find any malicious content on the web server. > Accessing > > with a SSH session (obviously configured to not allow backwards > tunneling) > > should also not be too dangerous from a dumb terminal (but beware of > escape > > sequence attacks possible with ANSI terminals, e.g. reprogramming of > > function > > keys with "ESC[code;string;...p"). > > > > It looks to me like kind of a honeypot setup gathering attack attempts to > > see whether a throw-away system can withstand them. All attack attempts > are > > logged, either to learn how to perform them, or to actually improve the > > security of his protection concept in case of a successful break-in. > > > > Regards, STefan > > > > > The message above is really a very good one because of its information > content . > > As a response to my message in the following link > > > https://lists.freebsd.org/archives/freebsd-hackers/2021-November/000515.html > > Obsto Clades asked me with a private message , approximately , > > " I am connecting to the web site ... without any such message . > > Do you have more information ? " . > > I replied , "No ." > > > When the following link ( please notice that it is http , not https ) > > > http://obstoclades.tech/ > > > the response of Firefox ( 57.0.1) is the following : > > -------------------------------------------------------- > > Connection denied by Geolocation Setting. > > * Reason: * Blocked country: > > The connection was denied because this country is blocked in the > Geolocation settings. > > Please contact your administrator for assistance. > WatchGuard Technologies, Inc. > > > -------------------------------------------------------- > > > > When the following link ( please notice that it is https , not http ) > > > https://obstoclades.tech/video/demo-video.mp4 > > > the response of Firefox ( 57.0.1) is the following : > > -------------------------------------------------------- > > > Your connection is not secure > > The owner of obstoclades.tech has configured their website improperly. To > protect your information from being stolen, Firefox has not connected to > this website. > > Learn moreā¦ > > Report errors like this to help Mozilla identify and block malicious sites > > > > -------------------------------------------------------- > > > In "Learn more ..." > > the linked page is > > > https://support.mozilla.org/en-US/kb/error-codes-secure-websites?as=u&utm_source=inproduct > How to troubleshoot security error codes on secure websites > > > There are 2 knobs not copyable : > > (1) Go back > > (2) Advanced > > > When "Advanced" is clicked ( there is no linked page ) , > > the following message is displayed : > > > > > -------------------------------------------------------- > > > obstoclades.tech uses an invalid security certificate. > > The certificate is not trusted because it is self-signed. > The certificate is not valid for the name obstoclades.tech. > > Error code: SEC_ERROR_UNKNOWN_ISSUER > > > -------------------------------------------------------- > > > > With a knob ( without any linked page ) as follows : > > > "Add Exception ..." > > > with an dialog pane display to add an exception for that page > > ( which I did not added because website owner may correct her/his > certificate > > or configuration of the website ) . > > > With my best wishes for all , > > > Mehmet Erol Sanliturk >