What’s up with all these vulnerabilities?
Kind of worried to be honest, two in like a week? Pretty scary.
I’m very dumb about Linux technical stuff but I feel like root access is way too easy to be accessed.
Is there any way to make it harder? I mean let’s say similar to Android, you need to unlock the boot loader first, flash a recovery and flash Magisk or something, that’s a good layer before root access.
At least for Linux Desktop, maybe make it so we can get root access only via a bootable USB with a correct password? Just for sporadic system changes.
Is there anything like that?
Setups like Android or those new fancy immutable distros don’t actually make anything more secure. If the underlying OS is directly exploited they don’t protect you. Not having a mechanism included to get you root permissions regularly, doesn’t help you against exploits achieving the same in unplanned ways. In fact -although that’s a minor issue- you can probably specifically target the latter distros even after a patch: After all we are talking about direct changes to binary code here. On that level you could get ideas about manipulating the overlay to access the unpatched files.
In the end the most effective way to be more secure is not a mass produced thing like Android that locks out everyone (and not even being that good at it because there are masses working to circumvent it to get control over their device back), but to minimise your attack surface: Don’t have stuff activated you don’t need. Have a kernel compiled for your device with only exactly the components you really need. Or whitelist all kernel modules you need and nothing more. Explicitly declare what a user can do and access actively (see: SELinux, AppArmor with strict policies) instead of relying on the underlying passive permission system.
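One way to check a machine against the module whitelist suggested above, as an added example that is not part of the original comment: it compares text in /proc/modules format with an allowlist file and prints every loaded module that is not on the list. The function names, the allowlist file format and the sample data are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report loaded kernel modules that are not on an allowlist.

# unexpected_modules MODULES_FILE ALLOWLIST_FILE
#   MODULES_FILE   text in /proc/modules format (module name is field 1)
#   ALLOWLIST_FILE one module name per line; blank lines and # comments ignored
unexpected_modules() {
    awk '
        mode == "allow" {
            sub(/#.*/, "")              # drop comments
            gsub(/[ \t\r]/, "")         # drop stray whitespace
            if ($0 != "") {
                gsub(/-/, "_")          # the kernel reports names with underscores
                allowed[$0] = 1
            }
            next
        }
        NF && !($1 in allowed) { print $1 }
    ' mode=allow "$2" mode=loaded "$1" | LC_ALL=C sort
}

# Constructed sample data (not from a real host).
demo_unexpected_modules() {
    tmp=$(mktemp -d)
    cat > "$tmp/modules" <<'EOF'
nvme 49152 3 - Live 0x0000000000000000
ext4 1003520 1 - Live 0x0000000000000000
snd_hda_intel 61440 0 - Live 0x0000000000000000
usb_storage 86016 0 - Live 0x0000000000000000
firewire_ohci 53248 0 - Live 0x0000000000000000
EOF
    cat > "$tmp/allow" <<'EOF'
# storage and filesystem
nvme
ext4
snd-hda-intel   # audio
EOF
    unexpected_modules "$tmp/modules" "$tmp/allow"
    rm -rf "$tmp"
}

demo_unexpected_modules
```

On a real host, pass /proc/modules as the first argument. The report only audits; to stop further modules from loading once the needed ones are in, the sysctl kernel.modules_disabled=1 blocks module loading until the next reboot.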
It’s a positive thing, don’t be worried.
These vulns already existed. It’s possible the bad guys were already using them. This gets them out in the open and on their way to being resolved.
Just keep patches up to date with any modern and maintained distro and you’ll be grand.
This exploit appears to be inspired by the copy fail.
Should you be worried? Nah, you should not be installing untrusted software on your device. This isn’t even the type of exploit that scares me. Your device has to already be compromised for this exploit to succeed.
Supply chain attacks are what scare me.
As a former OS security pro, this is the right answer. Not because of the exploit itself, but because young (unmentored) coders readily trust some really bad patterns of pulling in random junk from the web and running it. THIS is how the LPE becomes essentially an RCE-level problem.
There are two types of users: those who run untrusted software, and those who are way too trusting.
With AI enabled bug hunting, you’re likely to see a blitz of vulnerabilities, followed by a significant reduction in vulnerabilities.
Yes, malicious folks are usin em – heck, Kali’s had AI integrations for a while on a bunch of its tools even, for pen testing. But devs writing code get em too, and those are the people we need to see using these sorts of workflows as it lets them clip a bunch of zero days.
I think Mozilla, as an example, had a recent patch that cleaned up something like 271 zero days? Anthropic taking their Mythos stuff to banks/govt was largely just a publicity thing to try and shut people up who were mocking Claude’s code, but also potentially because it’d found govt-placed backdoors that they wanted the gov to know were about to be exposed / patched. The USA’s alleged ability to “shut off” tech assets during raids in Venezuela and Iran, gets trickier if AI is exposing their back doors. Likely also why the US Administration is now saying they want to review AIs before they get released. Mythos definitely isn’t the only game in town for this sort of stuff – but the general idea that the dev teams will be shifting to using these tools for QA / writing more secure apps in the near future, is fairly valid. So I wouldn’t go too tinfoil hat-y on that front… though it is a period where we’ll see a need to patch aggressively, and to double check security configs etc.
The Mozilla numbers are wildly inflated. They were effectively just advertising for Anthropic’s mediocre LLM with that blog post.
Eh, fair enough – doesn’t really change the underlying concept though.
If somebody has user access to your computer, they are already 95% there, so I am not worried about this priv escalation part of the last 5%.
If they can already read/write all of your user’s files, then an attacker doesn’t even care about root access most of the time anyway.
It’s really only relevant for things like web servers.
If you refer to physical access I wouldn’t say that, I’ve encrypted partition.
But if you’re saying just access to my main user inside the OS, then I’d really like if you could elaborate with real examples how can user access do any harm to my system without root access. Real examples please not speculation or theory. Something I can run here right away to see by myself.
Your user account can run applications and read and write to a lot of locations on the disk.
So it can be used to run malware (cryptominers, ransomware, RATs etc.) Exfiltrate the data your account has access to, download or plant malicious or illegal data, use your internet connection to attack other systems with DOS or similar, use any logged in social media accounts to attack or spam your contacts, steal saved passwords and credentials from your web browsers, use your peripherals or connected devices (printers cameras microphone speakers), pivot to access other services on your local network (smart devices, IoT, TVs, home lab) etc.
There are comparatively few things an attacker wants on a desktop that actually require root access. It’s mostly just system files, package management and settings changes that require root to mess with. Eg. You would need root to dump a shadow file or stuff like luks encryption keys from kernel memory, but if an attacker has your logged in user account, the disk is already decrypted and account is already logged in.
Most systems also use single user, you normally give yourself docker group access (I use docker for work) and that alone is equivalent to root access. It’s not the 90s anymore where universities gave user access to all students, priv escalation was a big security threat, now it almost doesn’t mean anything, nobody shares the same machine anymore the way they used to do.
Yes kinda? It depends a lot on the system. It’s still pretty common, even with containers like docker, for different services to run with different accounts and permissions. Eg. If you have a webapp with a small database or something, the web server will be www-data or whatever and the db will be a different user account like a postgres user or something. Even a fresh Linux install will have a separate user account for things like ntp (or systemd-timesync) etc.
Users aren’t usually people, they’re daemons with limited scope and rule of least privilege.
Even if it’s all docker containers and you deploy them with the same docker account on the host, there are almost certainly a bunch of different accounts inside.
That way if there’s some vulnerability in ntp or something, an attacker might have permission to mess with the time but can’t, in theory, take over the whole container.
I think there is a trend towards caring less about that aspect of defence in depth if each service is in its own container and just rely on isolation. People are deploying services running as root with ansible or even just in dockerfiles, and not caring about it because there’s nothing else on the box for an attacker anyway. If they compromise the service, they’ve already got what they want.
I get the thought process but it still doesn’t feel good to me. If some docker bug shows up that allows a container user with root to break isolation and use the shared kernel to pivot to the host or other containers, then that one dodgy webapp that’s not running as a restricted user can become a part of a larger kill chain. It’s really easy to develop systems with least privilege in mind and there’s not much downside to doing it. It’s a good habit to create different accounts for different services (even if there’s one admin/docker/ansible/whatever account for deployment).
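The docker-group point and the one-account-per-service habit from the two comments above can be audited together. The following is an added example, not part of either comment: it lists every account that sits in a group that is effectively root, reading files in /etc/group and /etc/passwd format. The function names and sample data are assumptions made for this example, and the groups other than docker are ones this example adds.

```shell
#!/bin/sh
# Added example: list accounts whose group membership is effectively root.

# root_equivalent_members GROUP_FILE [PASSWD_FILE]
# Prints "user:group" for each member of a risky group, including accounts
# that have the group as their primary GID in PASSWD_FILE.
root_equivalent_members() {
    awk -F: '
        BEGIN {
            # "docker" comes from the thread; sudo, wheel, lxd and disk are
            # added by this example as other commonly root-equivalent groups.
            n = split("docker sudo wheel lxd disk", g, " ")
            for (i = 1; i <= n; i++) risky[g[i]] = 1
        }
        mode == "group" && ($1 in risky) {
            gid[$3] = $1                # remember the GID for the passwd pass
            m = split($4, u, ",")
            for (i = 1; i <= m; i++) if (u[i] != "") print u[i] ":" $1
            next
        }
        mode == "passwd" && ($4 in gid) { print $1 ":" gid[$4] }
    ' mode=group "$1" mode=passwd "${2:-/dev/null}" | LC_ALL=C sort -u
}

# Constructed sample data (not from a real host).
demo_root_equivalent() {
    tmp=$(mktemp -d)
    cat > "$tmp/group" <<'EOF'
root:x:0:
sudo:x:27:alice
docker:x:998:alice,ci-runner
www-data:x:33:
postgres:x:114:
EOF
    cat > "$tmp/passwd" <<'EOF'
alice:x:1000:1000::/home/alice:/bin/bash
ci-runner:x:1001:1001::/home/ci-runner:/bin/sh
deploy:x:1002:998::/home/deploy:/bin/sh
www-data:x:33:33::/var/www:/usr/sbin/nologin
postgres:x:114:114::/var/lib/postgresql:/bin/bash
EOF
    root_equivalent_members "$tmp/group" "$tmp/passwd"
    rm -rf "$tmp"
}

demo_root_equivalent
# On a real host: root_equivalent_members /etc/group /etc/passwd
```

In the sample, the service accounts www-data and postgres stay off the list, while the deploy account shows up through its primary GID even though it is not named in the docker group line.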
For me the scariest thing someone could do on my pc is exfiltrate all the data from my home directory which is readable by my user account.
Maybe I’m misunderstanding you, but that’s harm to me without root access.
There is an LLM called mythos from Anthropic that is very good at finding vulnerabilities.
Drinking the kool-aid, are we?
I’m telling you what is in the news. I’m sorry you are in denial. The vulnerability was uncovered by an AI tool and we can expect a lot more of them to be found. So, in answering the original question, “that’s what’s up with all the vulnerabilities.”
https://www.theverge.com/ai-artificial-intelligence/908114/anthropic-project-glasswing-cybersecurity
Nope, not in denial. You just read the initial, overhyped, marketing coverage. Maybe do some research before repeating dumb, uninformed headlines. Here’s an article that can better inform you.
Maybe you didn’t read it, but the article expresses that LLMs are being used to find vulnerabilities in software.
The only real argument it makes that Mythos isn’t special is that other LLMs and human security researchers can also find vulnerabilities. This is true, but I find it funny because in the same section they note that it found 271 vulnerabilities in Firefox. I don’t think this article is the gotcha that you think it is.
You strike me as just another Lemmy drone that downvoted and hates everything AI. And the energy and negativity with which you’re attacking me when all I was doing was answering a comment about why so many vulnerabilities are being found these days with an actual true statement is just weird man. Save your AI anger for somewhere else.
Except that it is? There’s nothing particularly special about mythos and it’s not “too dangerous” to release. LLMs make it easier for people to find potential vulnerabilities, true. But they cannot actually confirm that they’re real without an actual person verifying it. Lots of reports are bogus.
Do I hate AI? Of course I do. It literally has nothing positive unless you’re an ai company’s ceo. It’s being sold at a heavily subsidized price that is literally unmaintainable. All models will have to use token based pricing and that’s when you’ll see what it actually costs (spoiler alert, it’s a fuckton of money). This awful technology is also why a lot of tech is getting increasingly expensive.
Not to mention that for these models to exist, all of these companies stole unfathomable amounts of data and caused chaos in the job market. Aaron Swartz’s life was turned into hell for much less.
You’re literally defending a product that’s enshittifying your life. It’s absolutely moronic.