Thread replies: 37
Thread images: 7
Thread images: 7
File: Kyōko-Security-Tip.png (1MB, 1945x1080px) Image search:
[Google]
1MB, 1945x1080px
Kyōko Toshinō with a security tip.
CVE-2016-5696
"Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for man-in-the-middle attackers to hijack TCP sessions via a blind in-window attack."
To solve the issue update your kernel now. If you are unable to, here is a temporary fix for systemctl (botnet), based systems:
Append the following to /etc/sysctl.conf
net.ipv4.tcp_challenge_ack_limit = 999999999
sysctl -p to activate the new rule (As root)
Don't let the evil mitm maki spy on you. If you have the linux 3.6 kernel and above check your system now.
Some more info:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5696
https://thehackernews.com/2016/08/linux-tcp-packet-hacking.html
Debian patch status:
https://security-tracker.debian.org/tracker/CVE-2016-5696
>>
This is the most autistic post I've ever seen on this board.
>>
>>56038274
well give him credit for making an image to go with it. it's hard work being that much of a weeb
>>
>>56038274
eh I'm guessing you are new here?
>>
>>56038260
>someone made that image
Anyways, it's not like it fucking matters since web sites you're connecting to are vulnerable.
>>
Thank you OP
>>
>Maki-in-the-middle attack
I think we should adopt this as standard for all security and crypto discussions on /g/
>>
>>56038260
upgraded over a week ago.
>>
>>56038260
>sid
>4.6.4
i thought sid was kept up to date, not only did 4.7 come out last month, it's not even the latest 4.6.x (which is 4.6.6)
>>
>>56038260
>before 4.7
>tfw my only Linux devices are stuck at 2.x and 3.18
>>
>>56038260
That's honestly one of the best images I've seen on /g/
>>
Hijacking isn't spying and if you encrypt shit all this does is fuck up your TCP session.
Dumbass.
>>
>>56039843
2.x is fine and 3.18 however is vulnerable if you don't raise that challenge ack limit
>>
Who /4.8.0-rc1+/ here?
>>
:^)
>>
>>56040021
still on 4.7 i don't like rebooting every week.
>>
>>56040058
>linux arch
kys and your stupid piece of shit distro
>>
File: 1445770978151.png (5KB, 699x16px) Image search:
[Google]
5KB, 699x16px
>>56040058
>>56040099
Goddamnit, the zen kernel hasn't updated yet.
>>
>>56038260
how do I know this site isn't hijacked? and all those links and commands will make things worse
>>
>>56038260
Lol Windows 7 forever
>>
>>56040213
>windows
Enjoy you're security vulnerabilites and viruses, cuck :^):^):^):^):^):^):^):^))))))))))))))))
>>
File: Screenshot_20160812_032611.png (79KB, 761x632px) Image search:
[Google]
79KB, 761x632px
ok.
>>
File: Screenshot_20160812_033226.png (8KB, 744x50px) Image search:
[Google]
8KB, 744x50px
>>56040448
>>
>>56039330
It's cuter than Mallory. I'm tempted, but if I don't stick to the standard terminology my papers will be even more confusing.
I don't have much input for the thread, except this is another bug in the TCP RFCs, not in Linux as such (but Linux is having to work around it and no-one else is, because no-one else even implemented this RFC).
I'm personally of the impression, having studied it for a while, that we should throw TCP into the fire and implement our (encrypted) connection layers over UDP, with hole punching, and use TCP wrapping only when absolutely unavoidable. Trying to secure connections in any way without an authentication layer and an encryption layer is ultimately doomed no matter which way you slice it.
We can learn from TCP's mistakes, and all the good things it brought us too, as it is often said those who disregard them are doomed to reimplement those mistakes. But there's no fixing it.
>CAPTCHA: select all images with tea
Excellent idea, botnet, thank you so much.
>>
Linux alarmpi 4.4.16-2-ARCH #1 SMP Wed Aug 10 20:12:45 MDT 2016 armv7l GNU/Linux
worry.jpg
>>
File: 1389852825473.jpg (25KB, 360x480px) Image search:
[Google]
25KB, 360x480px
>>56039829
>Debian
>Up to date
Funny joke.
>>
Akamai suggest a higher number for workaround.
https://blogs.akamai.com/2016/08/vulnerability-in-the-linux-kernels-tcp-stack-implementation.html
Example (refer to your system(s)' *nix documentation for exact steps):
sysctl net.ipv4.tcp_challenge_ack_limit=1073741823; grep -q
tcp_challenge_ack_limit /etc/sysctl.conf || echo
"net.ipv4.tcp_challenge_ack_limit=1073741823" >> /etc/sysctl.conf
>Ahead of this announcement, Akamai began the process of removing rate-limiting on challenge ACK's across all of its potentially affected systems.
I've already raised the number but How can we remove rate-limiting OpenWrt?
>>
>>56038260
>Kyōko Toshinō
When will your weeb shitposters learn eastern name order?
Probably never, none of your trash even got it right.
>>
>>56040698
Well in his defense, it's common to reverse it to western order when writing in English, to avoid confusion.
>>
>>56040698
Same, it's annoying.
>>56040722
>instead of introducing people to a new culture we need to change theirs so it fits ours
Funny how the west propagades multi-racial societies but forces those little changes.
Hearing (for example) "Toshino Kyouko" and seeing "Kyouko Toshino" in the subs grates on my nerves.
>>
>>56040760
multi-cultural*
fuck
>>
>>56039936
That's still a problem.
>>
>>56040760
>>56040764
watch your language anon
you're going to attract /pol/ saying things like that
>>
Has there been any indication of how far off a Debian update for this is?
>>
I-its ok when Linux does it.
>>
>>56041486
>I-its ok when Linux does it.
Does what?
The RFC was broken, not the Linux implementation of it.
Thread posts: 37
Thread images: 7
Thread images: 7