Re: Does not appear to be (too) malicious ...

From: Marcelo Araujo <araujobsdport_at_gmail.com>
Date: Sun, 28 Nov 2021 12:11:57 UTC
you all have a lot of free time.

On Sun, Nov 28, 2021, 18:14 Mehmet Erol Sanliturk <m.e.sanliturk@gmail.com>
wrote:

> On Sun, Nov 28, 2021 at 12:17 PM Stefan Esser <se@freebsd.org> wrote:
>
> > Am 28.11.21 um 02:06 schrieb Mario Lobo:
> > > On Sat, Nov 27, 2021, 20:27 George Mitchell <george+freebsd@m5p.com>
> > wrote:
> > >
> > >> On 11/27/21 17:40, Obsto Clades via freebsd-hackers wrote:
> > >>> I hacked on the FreeBSD source code to produce a version of the OS
> that
> > >>> cannot be remotely hacked.  Before you tell me that is impossible, I
> > >>> have an answer to that response on my FAQ page.
> > >>>
> > >>> If you are interested in checking out my OS, you can find
> instructions
> > >>> on my site's home page:  https://obstoclades.tech/
> > >>>
> > >>> I invite you to check it out.
> > >>>
> > >>
> > >> Hmm, my mother told me never to click on links in strange emails ...
> > >> -- George
> > >>
> > >
> > > curl http://obstoclades.tech
> > [...]
> > >        <p class="red">Connection denied by Geolocation Setting.</p>
> > >        <p><b> Reason: </b> Blocked country: <font color="red">  </font>
> > </p>
> > >        <p>The connection was denied because this country is blocked in
> > the
> > > Geolocation settings.</p>
> > >        <p>Please contact your administrator for assistance.</p>
> > >      </div>
> > >      <div class="band">WatchGuard Technologies, Inc.</div>
> > >    </div>
> > >  </body>
> > > </html>
> >
> > $ fetch --no-verify-peer -v -o /tmp/obstoclades.html https://obstoclades.tech
> > resolving server address: obstoclades.tech:443
> > SSL options: 82004854
> > Verify hostname
> > TLSv1.3 connection established using TLS_AES_256_GCM_SHA384
> > Certificate subject: /CN=obstoclades.tech
> > Certificate issuer: /C=US/O=Let's Encrypt/CN=R3
> > requesting https://obstoclades.tech/
> > fetch: https://obstoclades.tech: size of remote file is not known
> > local size / mtime: 34916 / 1638088913
> > /tmp/obstoclades.html                             34 kB  181 kBps    00s
> >
> > There is actual contents in this file, and it does not seem to contain
> any
> > malicious parts. It starts with:
> >
> > <!DOCTYPE html>
> > <!--
> >       File:  ObstoClades.html
> >       Copyright (c) 2021 Obsto Clades, LLC
> >  -->
> > <html lang="en">
> >   <head>
> >     <meta charset="UTF-8">
> >     <title>Security is a Joke</title>
> >     <meta name="description"
> >           content="This demonstrates a modified BSD Operating System
> > designed
> > to prevent remote hacking of single-purpose computer systems.">
> >     <link rel="stylesheet" type="text/css" href="/css/obstoclades.css"/>
> >     <link rel="icon" type="image/x-icon" href="/favicon.ico"/>
> >     <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
> >     <script src="js/obstoclades.js" defer="defer"></script>
> >   </head>
> >
> > And besides the jquery.min.js downloaded from ajax.googleapis.com only
> the
> > following short and apparently benign script is downloaded as
> > obstoclades.js:
> >
> > /*
> >  * File:  obstoclades.js
> >  * Copyright (c) 2017 Obsto Clades, LLC
> >  */
> >
> > $(document).ready(function()
> > {
> >     var $content = $(".content").hide();
> >     $(".img").on("click", function (e)
> >     {
> >         $(this).parent().parent().toggleClass("expanded");
> >         var ttt = $(this).parent().children(".tooltiptext");
> >         if ($(this).parent().parent().hasClass("expanded"))
> >         {
> >                 ttt.replaceWith("<span class=\"tooltiptext\">Click to close</span>");
> >         }
> >         else
> >         {
> >                 ttt.replaceWith("<span class=\"tooltiptext\">Click to open</span>");
> >         }
> >         $(this).parent().parent().next().slideToggle();
> >     });
> >     var textHeight = $("#left-side-header-text").height();
> >     $("#old_english_sheepdog").height(textHeight).width(textHeight);
> >     $("#button").click(function()
> >     {
> >         $("#contactus-form").submit();
> >     })
> > });
> >
> > He invites to attack his server using a SSH login with provided
> > credentials,
> > and offers US$1000 for any successful modification of the test server.
> See
> > the following video, which shows that root on the console and root via
> su
> > in the SSH session get quite different environments:
> >
> > https://obstoclades.tech/video/demo-video.mp4
> >
> > This looks like a setup with lots of restrictions applied, probably
> noexec
> > mounts of temporary file systems and the like, possibly jails and/or MAC
> > restrictions.
> >
> > He thinks that an embedded system configured that way could not be
> > attacked,
> > but explains that his concept is limited to e.g. IoT use cases (what he
> > calls "single-purpose computer system").
> >
> > Anyway, I could not find any malicious content on the web server.
> Accessing
> > with a SSH session (obviously configured to not allow backwards
> tunneling)
> > should also not be too dangerous from a dumb terminal (but beware of
> escape
> > sequence attacks possible with ANSI terminals, e.g. reprogramming of
> > function
> > keys with "ESC[code;string;...p").
> >
> > It looks to me like kind of a honeypot setup gathering attack attempts to
> > see whether a throw-away system can withstand them. All attack attempts
> are
> > logged, either to learn how to perform them, or to actually improve the
> > security of his protection concept in case of a successful break-in.
> >
> > Regards, STefan
> >
>
>
> The message above is really a very good one because of its information
> content .
>
> As a response to my message in the following link
>
>
> https://lists.freebsd.org/archives/freebsd-hackers/2021-November/000515.html
>
> Obsto Clades asked me with a private message , approximately ,
>
> " I am connecting to the web site ... without any such message .
>
> Do you have more information ? " .
>
> I replied , "No ."
>
>
> When the following link ( please notice that  it is  http , not https ) is opened
>
>
> http://obstoclades.tech/
>
>
> the response of Firefox ( 57.0.1) is the following :
>
> --------------------------------------------------------
>
> Connection denied by Geolocation Setting.
>
> * Reason: * Blocked country:
>
> The connection was denied because this country is blocked in the
> Geolocation settings.
>
> Please contact your administrator for assistance.
> WatchGuard Technologies, Inc.
>
>
> --------------------------------------------------------
>
>
>
> When the following link ( please notice that  it is  https , not http ) is opened
>
>
> https://obstoclades.tech/video/demo-video.mp4
>
>
> the response of Firefox ( 57.0.1) is the following :
>
> --------------------------------------------------------
>
>
> Your connection is not secure
>
> The owner of obstoclades.tech has configured their website improperly. To
> protect your information from being stolen, Firefox has not connected to
> this website.
>
> Learn more…
>
> Report errors like this to help Mozilla identify and block malicious sites
>
>
>
> --------------------------------------------------------
>
>
> In "Learn more ..."
>
> the linked page is
>
>
> https://support.mozilla.org/en-US/kb/error-codes-secure-websites?as=u&utm_source=inproduct
> How to troubleshoot security error codes on secure websites
>
>
> There are 2 knobs not copyable :
>
> (1) Go back
>
> (2) Advanced
>
>
> When "Advanced" is clicked ( there is no linked page )  ,
>
> the following message is displayed :
>
>
>
>
> --------------------------------------------------------
>
>
> obstoclades.tech uses an invalid security certificate.
>
> The certificate is not trusted because it is self-signed.
> The certificate is not valid for the name obstoclades.tech.
>
> Error code: SEC_ERROR_UNKNOWN_ISSUER
>
>
> --------------------------------------------------------
>
>
>
> With a knob ( without any linked page ) as follows :
>
>
> "Add Exception ..."
>
>
> with a dialog pane displayed to add an exception for that page
>
> ( which I did not add because the website owner may correct her/his
> certificate
>
> or configuration of the website ) .
>
>
> With my best wishes for all ,
>
>
> Mehmet Erol Sanliturk
>
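
An added example, not code from this thread or from the site under discussion, that turns two of Stefan's checks into something repeatable: listing which hosts a fetched page loads scripts from (first-party versus third-party, as he did by eye for jquery.min.js and obstoclades.js), and neutralising terminal escape sequences before echoing anything fetched from an untrusted host, so that the "ESC[code;string;...p" class he warns about, along with OSC and DCS sequences, never reaches the terminal. SAMPLE_HTML and SAMPLE_TERMINAL are constructed inputs shaped like the material quoted above, not captured data; the CSI-p label is a conservative flag on any CSI sequence whose final byte is `p`, not a claim about what a given terminal does with it.

```python
"""Offline helpers for examining a suspicious web page without trusting it.

Added example for this thread, not code from the list or from the site it
discusses. SAMPLE_HTML and SAMPLE_TERMINAL are constructed inputs.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed: a page skeleton shaped like the one quoted in the thread,
# including a mail-client line wrap inside the jQuery src attribute.
SAMPLE_HTML = """<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8">
    <title>Security is a Joke</title>
    <link rel="stylesheet" type="text/css" href="/css/obstoclades.css"/>
    <script
src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js
"></script>
    <script src="js/obstoclades.js" defer="defer"></script>
  </head>
  <body></body>
</html>
"""

# Constructed: terminal output with colour codes, an OSC title change and a
# CSI sequence whose final byte is 'p' (the family Stefan warns about).
SAMPLE_TERMINAL = "login: \x1b[31mdenied\x1b[0m\x1b]0;owned\x07\x1b[12;1p\n"


class _ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                # Drop whitespace a mail client may have wrapped into the URL.
                self.sources.append("".join(src.split()))


def script_sources(html, page_url):
    """Return [(absolute_script_url, is_third_party), ...] in document order.

    Third-party means the script host differs from the page host.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    result = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)
        result.append((absolute, urlsplit(absolute).hostname != page_host))
    return result


# ECMA-48 escape-sequence families, longest first; the bare ESC alternative at
# the end guarantees that no ESC byte survives, whatever follows it.
_ESCAPE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"              # CSI: ESC [ params intermediates final
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"   # OSC: ESC ] ... BEL or ESC \
    r"|\x1bP[^\x1b]*\x1b\\"                 # DCS: ESC P ... ESC \
    r"|\x1b[ -/]*[0-~]"                     # other ESC sequences (ESC c, ESC ( B, ...)
    r"|\x1b"                                # stray ESC
)


def _label(seq):
    if seq.startswith("\x1b[") and seq.endswith("p"):
        return "CSI-p (key/string reprogramming family)"
    if seq.startswith("\x1b["):
        return "CSI"
    if seq.startswith("\x1b]"):
        return "OSC"
    if seq.startswith("\x1bP"):
        return "DCS"
    return "ESC"


def neutralise_escapes(text):
    """Replace each escape sequence with a visible marker.

    Returns (clean_text, findings); findings is [(repr(sequence), label)].
    Print clean_text, never the raw text, when echoing untrusted output.
    """
    findings = []

    def replace(match):
        seq = match.group(0)
        label = _label(seq)
        findings.append((repr(seq), label))
        return "<ESC:%s>" % label.split()[0]

    return _ESCAPE.sub(replace, text), findings


if __name__ == "__main__":
    for url, third_party in script_sources(SAMPLE_HTML, "https://obstoclades.tech/"):
        print("third-party" if third_party else "same-origin", url)
    clean, findings = neutralise_escapes(SAMPLE_TERMINAL)
    print(clean, end="")
    for seq, label in findings:
        print(seq, "->", label)
```

The regex parses sequences by the ECMA-48 grammar, so a non-standard sequence that embeds letters in its parameters is consumed only up to the first final byte; the trailing bare-ESC alternative still guarantees that no ESC byte leaks through, which is what matters when the output is echoed to a real terminal. It covers 7-bit sequences only; 8-bit C1 controls (0x9B as CSI, 0x9D as OSC) would need a second pass if the terminal honours them.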