The only answer here is drm esque file signing. Any attempts at detecting fakes will only work while the tech is young. Ofc this requires a web of trust and verification techniques to be applied, since videos are often re encoded.
I was thinking more along the lines of hardware manufacturers implementing a secure enclave style of signing files as they're recorded. The sig could be tagged with location/date if available, but at least the video would be verifiable. The web of trust would have to exist for reprocessors and media outlets who like to edit footage.
Nope, it'll just give well-executed fakes a veneer of legitimacy. A state-level actor will have easy access to the signing keys. Non-state-level actors could potentially extract them from a device or bribe an engineer at a third-tier Chinese OEM. A reasonably competent hardware hacker could desolder the CCD from a signed device and feed whatever video signal they like into it.
I created a raid-Z zpool in 2010 on FreeBSD and those same bits, with two different drives, are still floating around intact 6 years later, across multiple different operating systems.
I don't think bash itself has been ported, it's simply running under a Linux subsystem. I imagine it's similar to the discontinued POSIX and UNIX[2] subsystems. In this case, bash probably believes that it's running in on Linux, not that it's been ported over to compile in Windows.
Well, in some areas, but it really depends on the market - the property taxes on my home in a University city of 200,000 are 1/3 of what I was paying in rent - with the interest on my mortgage the amount of "lost" money comes out to roughly the same amount for now.
As long as property taxes do not outstrip my interest rate, that ratio should stay in my favor going forward.
Absurdly high taxes (my parents pay half my tax on a non-rural property twice as big about 120 miles north of me), but still, owning a home is hardly a fiscally ruinous proposition around here.
My property taxes this year were ~$4200 on an average sized lot and home, or roughly $350/month.
My last apartment cost $1050/month for a small two bedroom condo rental.
This is similar to my situation. Renting a crappy 2BR apartment was $1700/month thanks to the tight rental market. Mortgage and taxes on a townhouse in a nicer part of town? $1200/month. And theoretically after 30 years I would have an asset I could sell, unlike the renters. Renting just didn't make sense unless you're highly itinerant and don't stick around any one area for more than a year or two.
"Renting a crappy 2BR apartment was $1700/month thanks to the tight rental market. Mortgage and taxes on a townhouse in a nicer part of town? $1200/month."
So you take a mortgage and you're happy and there is a chance that you'll stay happy because your present reckoning may remain as good in the future as it is now. But it also may not. By mortgaging you become a sitting duck against the change, and that rental business of $1700/month seems attractive enough to invite further involvement and development thus driving the prices much lower not only compared to its current figure but also with the praised rental figure. What would you do then if this happens? Refinance in order to stretch that mortgage for more than 30 years?
"paying in rent - with the interest on my mortgage the amount of «lost» money comes out to roughly the same amount for now"
But there is also the opportunity cost. Having a mortgage may be equivalent financially, but it's a liability when considering your freedom to change or to invest in something profitable that may pop up along the way.
SMEP would stop this particular exploit because it returns into usermode but SMEP is trivial to bypass on linux if there is no KASLR or other mitigation (apparently there are compiler plugins that remove popular stack pivot gadgets).
According the lwn comments it should be sufficient (and the post by perception-point suggests that it would at least make things more difficult), but I haven't the hardware to test for myself.
As a normal user, grepping these values I actually get 0000000000000000. I can't imagine these being the actual values. Is it possible that because I remount my /proc with the hidepid=2 option the values are not visible for normal non-root accounts?
No, it would seem (I'm not sure though) that this happens for you because your distro is smart enough to have a nice security setting be on by default. The setting / sysctl can be changed at:
/proc/sys/kernel/kptr_restrict
For me, this gave me 0, but if you cat this it should give you 1. So essentially it's a setting but I'd wager it's not related to you remounting /proc.
Just for curiosity's sake, from searching around it seems that this particular security feature (hide kernel pointers for unprivileged users) seems to have originated from this commit (which in itself implements a broader and more general security feature): http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.g... - but it's often not enabled.
So it's not ASLR or anything to do with filesystem options (per se), but rather a custom "kptr_restrict" kernel vs. userspace security feature provided by the kernel:
"[...] The %pK format specifier is designed to hide exposed kernel pointers,
specifically via /proc interfaces. Exposing these pointers provides an
easy target for kernel write vulnerabilities, since they reveal the
locations of writable structures containing easily triggerable function
pointers." (Dan Rosenberg, 2011-01-13 - nice.) (Of course if there's no ASLR and one knows which distro is being targeted, it's possible to find those values on another machine and to just bake them into the exploit, as others have pointed out. Also, other channels exist for finding these addresses, etc.)
That only hides the pid directories of others users, and indeed on my system remounting /proc with hidepid=2 I'm still able to see the same values for kallsyms. Maybe your kernel is compiled without the CONFIG_KEYS=y option? (I'm spitballing here).
No, the bug is in the kernel keyring facility, so if I'm not mistaken compiling with CONFIG_KEYS=n option should protect you (I haven't tested though). As for the /proc/kallsyms, I honestly don't know how come you only get zeroes.
EDIT: The obvious question I should have asked is which distro you are running. Also, as others have pointed out, hoping that the attacker can't read kallsyms from the machine he's attacking is not really a good defense plan.
I'm running Ubuntu 14.04 which should be affected. I just hoped it would be harder without having the correct kallsyms version. It seems I will have no options except to reboot my cluster :)
make sure you have privileges to read that file. I ran grep without sudo and got that address on Ubuntu 15.10, but with sudo it will display an actual address.
The file /proc/kallsyms contains the addresses of various kernel functions: it's useful when you've already exploited a vulnerability in the kernel, and you want to do something useful with it, e.g. escalate your userspace process to root. In theory, since you're running code in kernelspace, you can do whatever; in practice it's much easier to start with known functions that can manipulate the data structures for you.
Think of it like the manual of a nuclear missile launcher. Obviously they don't want to give that out to everyone. But if you can break into the room with the launcher's control panel, you've still caused a major security breach even if you have no idea what to do next. Having the manual just makes your job easier, but the attack was that you broke in in the first place; they can't count on you being unable to figure out how to work the panel.
Also, if you're running a binary kernel (for instance, a kernel built by your Linux distro), the addresses in kallsyms are going to be constant for everyone running that distro. Hiding kallsyms for non-root users is primarily useful for people who build custom kernels.
Production-level malware often also has code that doesn't depend on having access to kallsyms and is more advanced (e.g., starting from the system call interrupt vector and disassembling it and seeing what addresses are jumped to). Using kallsyms is good for keeping a simple proof-of-concept exploit readable.
The /proc/kallsyms values are identical across identical kernel compilations.
Suppose you have a vulnerable CentOS 7 system that you want to exploit - you could get the proper addresses from your own CentOS 7 VM running the same kernel, apply those to a modified exploit compilation, and run that compilation on your target host.
Also, it is not bullet proof because apparently there are lots of info leaks in linux and I think linux also does not reboot after a panic (http://www.cyberciti.biz/tips/reboot-linux-box-after-a-kerne...) so if the entropy for KASLR is small enough you can retry very aggressively. Though in this particular instance if you have to wait 30 minutes between each try that would kill brute forcing.
I second that. I never had much interest in learning to play chess well. In my case I guess it's about when programming I work towards a specific outcome I find interesting for some reason. Winning/losing isn't an interesting outcome for me.
Yes they would. Tilapia fries would definitely eat mosquito larvae in the water. There were likely smaller species like guppies that would totally keep the mosquitos in check.
