Joanna Rutkowska @rootkovska
@jessfraz @zmanian So, a malicious admin could just replace them, right? Especially: for a particular https request from a particular IP? — PolitiTweet.org
Joanna Rutkowska @rootkovska
@pavolrusnak Wouldn't it become reproducible if you explicitly specify image version and packages versions?
Joanna Rutkowska @rootkovska
@jessfraz @zmanian Are these official keys hardcoded in the docker software, or are they fetched from https://t.co/4KW3I2pBb4?
Joanna Rutkowska @rootkovska
@jessfraz @zmanian Not the attack I have in mind.
Joanna Rutkowska @rootkovska
@jessfraz @zmanian How does my docker client know the pubkeys of this omnipotent "1 person" from the docker team? (his/her name, BTW?)
Joanna Rutkowska @rootkovska
@jessfraz @zmanian So, who can push an 'ubuntu' image that would be fetched e.g. by this Dockerfile: https://t.co/wLlw34iBcr
Joanna Rutkowska @rootkovska
@jessfraz @zmanian and what stops whoever from publishing an image named 'ubuntu' and uploading their own keys?
Joanna Rutkowska @rootkovska
@jessfraz @zmanian And how do I explicitly specify the pubkey I wish to trust?
Joanna Rutkowska @rootkovska
Is there a way to enforce signature verification of the image used by docker for env bootstrapping? e.g. Dockerfile: "FROM ubuntu:16.04"?
Joanna Rutkowska @rootkovska
@pavolrusnak Also, are you sure that stating "FROM ubuntu:16.04" in your Dockerfile enforces signature verification of the downloaded image?
Joanna Rutkowska @rootkovska
@pavolrusnak So, how does firmware-docker-build.sh _enforce_ signature verification of the cloned repo? E.g. a compromised github case.
Joanna Rutkowska @rootkovska
Ah, this must be a tweet from 2006, maybe Twitter celebrates its 10th anniversary that way? https://t.co/9rXt72IhDs
Robᵉʳᵗ Graham @ErrataRob
Reason #8381 why I hate Linux: I can't figure out how to manually set the IP address.
Joanna Rutkowska @rootkovska
The #infosec's dominant theme in 2000s was apps bugs & (anti-)exploitation. Today's is: system & f/w bugd̶o̶o̶r̶s. https://t.co/Et7fWGXrBv
Dmytro Oleksiuk @d_olex
So, it means that not only Lenovo machines are affected, some other vendors also have this old vulnerable code for sure
Joanna Rutkowska @rootkovska
RT @pavolrusnak: @rootkovska pushed signed deb/rpm packages to https://t.co/Fucif38RmE (files served from mytrezor wallet will be updated o…
Joanna Rutkowska @rootkovska
@pavolrusnak (Trying to get your Trezor wallet running with Electrum, and I assume I need python-trezor, which is not available in Debian?)
Joanna Rutkowska @rootkovska
@pavolrusnak Also, what about the python-trezor repo? Last commit not signed, other commits with other keys...?
Joanna Rutkowska @rootkovska
@pavolrusnak Do you have an official page stating this is the official signing key for your code? Also can you paste the fpr here?
Joanna Rutkowska @rootkovska
@NikolajSchlej VMs under Xen are not given access to the host ACPI, of course.
Joanna Rutkowska @rootkovska
BTW, as @QubesOS isolates apps, networking, USB, etc away from UEFI interfaces, this attack should not be a problem. https://t.co/RXxF7OpEGz
Joanna Rutkowska @rootkovska
OS->SMM->SPI Flash>Persistent malware and UEFI Secure Boot bypass. Nice. https://t.co/RaNqdnShcc
Dmytro Oleksiuk @d_olex
New article, “Exploring and exploiting Lenovo firmware secrets”: https://t.co/6ZYlifCNAC Code: https://t.co/lrSUKodQTP #ThinkPwn
Joanna Rutkowska @rootkovska
@d_olex Thanks for clarification and congrats :)
Joanna Rutkowska @rootkovska
@d_olex (This is not to suggest I believe in UEFI Secure Boot - I don't - just wanted to understand your attack implications)
Joanna Rutkowska @rootkovska
@d_olex So, this is not really UEFI Secure Boot bypass, correct? Even if you do: OS->SMM->SPI? Because Boot Guard+UEFI would not execute?
Joanna Rutkowska @rootkovska
@pavolrusnak Also, the *.deb package with trezor-bridge seems unsigned?
Joanna Rutkowska @rootkovska
@pavolrusnak Ah right, I'm used to signed tags, not commits. Can you point me to where you announce your public key(s)? Also paste here?
Joanna Rutkowska @rootkovska
@pavolrusnak Hey, it looks like Trezor sources on GitHub are not signed. Do you mind adding proper signatures to all the sources? Thx.
Joanna Rutkowska @rootkovska
@d_olex AFAIU, your ThinkPwn.efi can be loaded with UEFI SecureBoot enabled, correct?
Joanna Rutkowska @rootkovska
@hdevalence Elaborate?
Joanna Rutkowska @rootkovska
RT @QubesOS: Qubes OS 3.2 will use Xfce4 as the default GUI shell (KDE will be retired as optional): https://t.co/WbSYSYs98M https://t.co/q…
Joanna Rutkowska @rootkovska
Heh, I wonder how people imagine they could "notice a negative impact" from a weak RNG... https://t.co/SJsB4FmTPl
Torsten Jerzembeck 🇪🇺🌈 @to_je
@rootkovska I've been deploying it as part of my standard setup for quite some time now. No negative impact that I'd notice.