Profile picture
Mudge @dotMudge
, 5 tweets, 2 min read Read on Twitter
On ‘names are hard’, X509 Distinguished Names (DN) can be a downright minefield.

Consider military (gov) where rank is part of the distinguished name field.

So what happens when someone gets a pay raise (get’s promoted)?

Each time that happens the DN changes which means...
The old certificate needs to be revoked.

Onto the certificate revocation list it goes...

New digital certificates are issued, access cards re-provisioned, CAs updated (and eventually synchronized).

Life goes on...

But what happens to the certificate revocation list (CRL)?
According to Wikipedia there were over 17 million Common Access Cards issued by 2008.

That’s a decade ago and there are ~1.4 million people in the US military this year alone (according to Google). Don’t forget that we’re talking about a lot more than just military people...
Think about the sheer size of the revocation list over the years with every promotion and every person entering and leaving public service being an entry.

So what is the solution?

My understanding is that this motivated creation of the Online Certificate Status Protocol (OCSP).
That gets traced back to RFC 2560 from the PKIX working group in 1999.

Which implies the US Govt. figured out the hard way, pre 1999, that names are hard.

Especially when you use them as key components in large systems.

Won’t be the last time.

/HT @LeaKissner - thanks!
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Mudge
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @dotMudge see all

Profile picture
A few weeks back the non-profit group CITL, cyber-itl.org, released a comparative report of software hygiene in 28 home routers...

and vulnerabilities that affect all Linux MIPS systems (not just IoT).

Some thoughts and data...

(Thread 1/N)

cyber-itl.org/2018/12/07/a-l…
This thread intends to get past some security nihilism, use data to refute some assumptions put forward by people as “facts”, and point out the big picture... which the security community largely missed.

Something about not being able to see the forrest through the trees ;)

2/
Let’s look at the router paper first.

cyber-itl.org/assets/papers/…

It’s true that none of the routers did well in regards to basic software safety hygiene, but thinking there’s nothing consumers can do is security nihilism and misses the actionable information in the paper...
Read 16 tweets
Profile picture
Due to Floating Point emulation, Linux MIPS (Kernels 2.4.3.4 through 4.7 2001-2016) have executable stacks.

The patch, released in 2016 and still present - Kernel 4.8, introduces a universal DEP and ASLR bypass.

cyber-itl.org/2018/12/07/a-l…

cyber-itl.org/assets/papers/…
Think about this for a moment...

MIPS is the most common architecture for home routers (ubiquity, Netgear, Asus, linksys) and similar devices.

It is also found in telecom gear, next gen corporate firewalls, corporate switch fabric, etc. for control plane, data plane, or both.
What makes this particularly tough to remediate is that addressing the issue needs the Kernel fix and *also* updates to the compiler toolchains and *also* that vendors/developers adopt both of these and *also* turn on the needed settings if they aren’t default enabled...
Read 5 tweets
Profile picture
Unfortunately this is not a new revelation or disclosure.

Going back to 2009 there was an engagement that used a battle command system.

The opposing force in the exercise found the contractor, downloaded the user and training materials from a web and FTP site, exposed...

1/
to the public Internet, and found by scanning the IP range of the sub-contractor who did the work.

Then, they just logged in as privileged users to all the battle systems. You would think that would have been game over (it was a very simple default password).

2/
However, the defenders claimed foul (?!?).

While the OpFor (opposing force) was frustrated, they said ‘fine’.

They proceeded to essentially fuzz the input and found numerous ways to crash the system. Some of these were probably exploitable, but for the exercise, ...

3/
Read 8 tweets

Related threads

Profile picture
X : How do you do research?
Me : University or commercial?
X : Is there a difference?
Me : In academia, people tend to do the research before they submit the proposal to do the research in order to fit in with some sort of scheduled research delivery process / gantt chart ...
... i.e. they spend the time "researching" actually doing research on something else which once completed is submitted as the next research proposal so they guarantee milestones of when it'll be delivered (as it is already done). It's all about hitting KPIs etc.
X : What about commercial research?
Me : Well, a lot isn't actual research in the sense of creating a new field. It's more applied research. So there tends to be less uncertainty. Other areas, well you just have to embrace the chaos. Of course, people still want Gantt charts.
Read 6 tweets
Profile picture
X : Predictions for 2019?
Me : Not my thing.
X : Go on.
Me : What are you after?
X : Acquisitions.
Me : Hmmm, a bucketload of tech acquisitions around Kubernetes. Expect big juicy deals.
X : It's the future?
Me : No. Mostly cash rich past giants with no future being clueless.
X : No market for Kubernetes?
Me : Some very profitable niches. Savvy tech buyer will wait until hype dries up before swooping in for tasty acquisitions around 2021-2022. This year will mainly be the clueless with big chequebooks. Hoping some friends will make it big this year.
X : The market doesn't operate to make your friends rich.
Me : Are you sure? It has been doing a good job of it - Cloud, Big Data, Containers ... it's always the same.
X : So, where is the future?
Me : I thought you were interested in acquisitions? They are not the same.
Read 10 tweets
Profile picture
X : You're not very good at politics.
Me : Oh, enlighten me.
X : Centrists want to split Labour. They're more concerned over Corbyn than May.
Me : Hmmm, so you're arguing that some of Labour don't want Corbyn to win regardless?
X : Yes.
Me : That makes no sense.
X : You think centrists are concerned with the many? They're not. They are Conservatives but with a small 'c'.
Me : Corbyn is hardly a firebrand. His views are moderate.
X : They're still too left wing.
Me : Ah, so my choices are supposed to be Conservative but either with a big C or a little one?
X : Yes
Me : What about the many?
X : No-one really gives a shit.
Me : Hmmm, I don't agree and I'm not alone.
Read 8 tweets
Profile picture
X : Is brexit the only topic in UK politics?
Me : No. It's not even the most important. For me, a Lab Gov under Corbyn in power is more important.
X : But brexit will hit the poor hardest.
Me : Everything always hits the poor hardest. You only started caring about those left behind when they put a spanner in your cosy life. I certainly don't want to return to an environment where we ignore most of society.
X : I don't think that will happen.
Me : Well, bribe the poor. Have a 2nd referendum but make it clear that if we remain then £39bn + one off 10% wealth tax (inc property over £1M) + 5% increase to higher tax rate to be introduced to create a wealth fund to benefit the poorest.
Read 6 tweets
Profile picture
As a musician playing in night club bands long ago in Hawaii, I saw way more than my share of bar fights and there's nothing glamorous or exciting about them, trust me.
Apparently there's some right wing moron out there today saying "all men get in bar fights."

Fuck that asinine bullshit. Maybe all STUPID men get in bar fights.
Once you see what happens when someone gets a shot glass shoved into their eye, bar fights tend to lose their glamour.
Read 3 tweets
Profile picture
Someone labeled #QAnon a #conspiracytheory

It's not.

I can objectively show more than once what @realDonaldTrump was about to tweet before he did it and also show coordination between Q and the DOD, and Q and @JulianAssange.

Huge events are happening, it's time to awaken.
2) in addition, while it's still being uncovered, there are deeply coded messages within @realDonaldTrump tweets. The specific intentions behind all of this are many, but one vital one is to specifically prevent #conspiracytheories from being concocted.
3) Another reason disclosure is self evident, it's a public disclosure. It so happens that the disclosures are happening in a location where the user base is sufficiently #redpilled to accept the #truths -they are a bit tough to take for #normies
Read 24 tweets

Trending hashtags

#Indian #Antifa #UberWaymo #Iran #Senators #Aryan #JurisDoctor #cesspool #ancestors #AirForce #Institute #Battalion #ProjectMockingbird #IR #Military #Babylonians #General #neutrality #Michigan #Entrepreneur #Cassino #Ancient #Wenlian #Kurds #Dadong

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!