Without downloading any installation media

Sometimes you might need to quickly spin up a VM for some testing or safe experiments. The typical way to do this is to download the installation media (usually some ISO image), attach it to the VM instance, and start the installation process. However, there is a much simpler way to bootstrap a Debian/Ubuntu installation in QEMU over the network without downloading a single ISO.

When it comes to installation media, Debian (and its derivative distribution Ubuntu) provides various media types for different needs:

  • full installation CD and DVD images
  • CD images for network install
  • even smaller CD images for…

Introducing a simple tool which helps paste passwords into online forms with blocked paste functionality


These days passwords have to be really strong to withstand all modern password attacks. Not only do passwords have to be long and complex; with all the data breaches around the world, it is also critical not to reuse the same password on several websites. As a result there is no way a human can memorize all the strong passwords for all the online services they need to access.

This is where password managers come into play: instead of memorising all the passwords we only need to remember one strong password and the password manager will remember the rest for…


Originally published at https://blog.cloudflare.com on July 8, 2020.

Modern Linux operating systems provide many tools to run code more securely. There are namespaces (the basic building blocks for containers), Linux Security Modules, Integrity Measurement Architecture etc.

In this post we will review Linux seccomp and learn how to sandbox any (even a proprietary) application without writing a single line of code.


Tux by Iwan Gabovitch, GPL Sandbox, Simplified Pixabay License

System calls (syscalls) are a well-defined interface between userspace applications and the operating system (OS) kernel. On modern operating systems most applications provide only application-specific logic as code. Applications do…


Or my first web app in 10 years: what could go wrong?

Originally published at https://pqsec.org on May 25, 2020.

TL;DR: if you’re just looking for the tool itself, it is here


I write my personal posts on my own blog, but to reach a wider audience I followed the advice on the Internet to cross-post my posts on popular publishing platforms. In the end I couldn’t select between Medium and dev.to, so decided to use both.

My own blog is hosted on GitHub Pages, so I write my posts in Markdown. Luckily, dev.to supports Markdown natively as well, so I can just copy-paste posts there.


Originally published at https://blog.cloudflare.com on March 25, 2020.

Data encryption at rest is a must-have for any modern Internet company. Many companies, however, don’t encrypt their disks, because they fear the potential performance penalty caused by encryption overhead.

Encrypting data at rest is vital for Cloudflare with more than 200 data centres across the world. In this post, we will investigate the performance of disk encryption on Linux and explain how we made it at least two times faster for ourselves and our customers!

When it comes to encrypting data at rest there are several ways it can be implemented…


Originally published at https://pqsec.org on April 13, 2020.

Why crypto becomes weak

No one designs weak cryptographic algorithms on purpose. Well, almost no one — sometimes state intelligence agencies try to backdoor crypto for their own purposes, but hopefully this is an exception and in general people have best intentions in mind.

So, why does some crypto suddenly become weak? All practical cryptographic algorithms are designed around some hard computational problems. That is, it is practically hard (but not impossible!) to efficiently execute the algorithm without knowing some secret information (the key). The basic assumptions of strong crypto are:

  • an efficient algorithm, which allows…


Originally published at https://pqsec.org on August 19, 2016.

[U]SB/IP [B]uffer [O]verflow [AT]tack

UBOAT is a vulnerability in the USB over IP framework, which is part of the Linux kernel code. This framework was originally developed by the USB/IP project and has been merged into the mainline Linux kernel since version 3.17. It allows a host to share its connected USB devices over an IP network: devices connected to the USB/IP server appear on the client as if they were plugged in locally.

UBOAT allows an attacker to write arbitrary data to the Linux kernel heap on the USB/IP client, possibly causing a denial of service (DoS) or arbitrary code execution at a privileged level.

How does it work? (or fail…)

The project website

Ignat

Technology, programming, security, stuff. https://pqsec.org/
