Mastodawn

Martin Boller

@ryanc @AMS @chaos Neat, thanks.

Make

🍁1d ago

@ryanc @AMS @chaos I'm probably missing something, but yeah working with serial TTY's feels more clumsy than it should. I tend to just use `screen`, but it is a weird program.

Rudi (ryjelsum)1d ago

@pawv @ryanc i've found tio to be a wonderful and under-known program for doing serial stuff with more modern setups (i don't think this comes close to 'replacing' what OP made by any means though, layering SSH over it has some really compelling applications)

@pawv @ryanc @AMS @chaos also, GNU screen’s baudrate detection is indeed wonky.

If I know the baudrate, I tend to just run cu(1) in a normal screen tab. Has to get the size (80×24 usually) right, though…

chaos ΘΔ& (it/he)1d ago

@ryanc could this work for sftp as well?

@chaos Yes, it'll handle ssh/scp/port forwarding/rsync/git/etc.

Andrew 1d ago

@ryanc @AMS @chaos Awesome! this has always bothered me. now I only have to remember how to exit ssh

@cinebox @AMS @chaos ~ .

@ryanc @cinebox @AMS @chaos on a new line (perhaps press Enter+~+.).

If you’re already in an ssh connection, you need to escape it by doubling (tripling, …) the tilde.

Christian Berger DECT 2763 1d ago

@ryanc @AMS @chaos Fascinating, it's not something I'd ever have asked for, but thinking about it, it solves so many actual problems. It was one of those wonderful pieces that enable quite a lot of possibilities.

แอท-ทริด 1d ago

@ryanc oh delicious, i love this!

Irenes (many)1d ago

@ryanc @AMS @chaos huhhhhhhh. neat. if we did things that way we could use scp instead of our current workflow, which uses xmodem.

Irenes (many)1d ago

@ryanc @AMS @chaos (we don't trust our own LAN, so we have a workflow for bringing up new machines using the serial port)

แอท-ทริด 1d ago

@ireneista @ryanc "zero trust begins at home", interesting! i aspire to that ideal, sometimes.

Irenes (many)1d ago

@astrid @ryanc we figure if we don't learn how to do it ourselves, we can't teach anyone else to do it

0xC0DEC0DE07EA 19h ago

@ireneista @ryanc @AMS @chaos huh, could one write a UEFI boot loader that uses serial comms to get the kernel/initrd, etc.

Irenes (many)19h ago

@c0dec0dec0de @ryanc @AMS @chaos in principle, sure

0xC0DEC0DE07EA 9h ago

@ireneista
That is an interesting trust boundary. I’m curious what makes you draw the line that close
@ryanc @AMS @chaos

Irenes (many)9h ago

@c0dec0dec0de @ryanc @AMS @chaos well, because it's been clear to us for a long time that there's a lot of stuff on any home network that absolutely does not deserve trust. we feel like recent botnet-router stuff has validated this approach, but at the time we started doing this that was a purely theoretical concern... we just felt it was clearly an important one.

Irenes (many)9h ago

@c0dec0dec0de @ryanc @AMS @chaos plus, by doing things that way we learn where the sticking points are and how to get through them, which will help anyone else who comes later

Bitslingers-R-Us 7h ago

@ireneista @c0dec0dec0de @ryanc @AMS @chaos I like this. Even though I run my own NAT router / DNS / DHCP / et cetera, I don’t trust consumer devices on the same network. Corporations these days seem anti-security, which is to say they’re the ones actively doing evil things that we need to guard against.

0xC0DEC0DE07EA 7h ago

@AnachronistJohn
I wouldn’t trust the software on my smart TV, but I don’t see an alternative to trusting my router and switches to route packets properly. I can see only trusting point-to-point comms between devices to an extent, but at done point I feel like I’d be chasing an elusive root of trust. Do those devices need to be running chipsets that I understand? If so, I’m fucked. I’m not Bunny Huang.
Understand that I’m not trying to argue against whatever your threat model is, just say that I’ve considered not trusting the DHCP server and the string parameters it passes in an ostensibly closed system and the engineering team decided that if you got that kind of toehold on the network, you could take the machine because there wasn’t any point in putting further effort into securing against that threat.
@ireneista @chaos @AMS @ryanc

0xC0DEC0DE07EA 7h ago

@AnachronistJohn @ireneista @chaos @AMS @ryanc fuck, now I want to rearchitect this stupid boot setup we had with proper service units and maybe figure how to borrow the layering from container models instead of using a bare dm COW overlay and splatting a series of tarballs into it. Not that my employer wants this to be better or that I even work on that generation of the system or that that system image is anything but frozen for all time…

0xC0DEC0DE07EA 7h ago

@AnachronistJohn @ireneista @chaos @AMS @ryanc nerdsniping myself is the worst.

@c0dec0dec0de @AnachronistJohn @chaos @AMS @ryanc well, like, trusting them to route properly is a different thing from trusting them not to infect our other stuff

@c0dec0dec0de @AnachronistJohn @chaos @AMS @ryanc happily our personal infrastructure is a lot smaller than most corporate infrastructure. it's possible we're fooling ourselves that we think we can defend it; we won't know until too late. we do tend to think that there being less to defend is helpful.

@c0dec0dec0de @AnachronistJohn @chaos @AMS @ryanc also the toehold reasoning sounds like it might be assuming human attention from the attacker, and we don't think that's a valid assumption if so

0xC0DEC0DE07EA 6h ago

@ireneista physically separated network with very limited outside communication, most nodes booted from write-protected flash and got further instruction/software load from a central server. If you owned the server, there wasn’t a lot we could do on the nodes that we were comfortable doing. I mean, we could have converted it into an open problem of key management (probably the correct thing to do), but the organization was really not prepared to do that.
@AnachronistJohn @chaos @AMS @ryanc

0xC0DEC0DE07EA 6h ago

@ireneista so are you doing your initial software load completely offline with a point-to-point connection to a system you trust rather than committing the install media to storage?
@AnachronistJohn @chaos @AMS @ryanc

@c0dec0dec0de @AnachronistJohn @chaos @AMS @ryanc mm. that's the goal, we're only partway there though.

@c0dec0dec0de @AnachronistJohn @chaos @AMS @ryanc we have some devices that come with no firmware (common on SBCs); to bring those up without install media would require using a JTAG connection or something. we're unsure that that's worth it.

for devices that come with firmware, there are potential flows using net-boot features, but we don't have any productionized quite yet.

@c0dec0dec0de @AnachronistJohn @chaos @AMS @ryanc right now, it's more that we use the direct connection to make sure we've got the real host key, and that sort of thing

0xC0DEC0DE07EA 5h ago

@ireneista despite owning a few SBCs and previously owning the odd uboot device, I tend to forget that one can’t just PXE over the network for everything (if desired). Although that’s not exactly the most secure system from my recollection of the state of things.
@AnachronistJohn @chaos @AMS @ryanc

Bitslingers-R-Us 3h ago

@c0dec0dec0de @ireneista @chaos @AMS @ryanc I once stood up a DHCP server and PXE boot server on a network that already had them to show that it wasn’t just theoretical that someone could do something nefarious.

Some people, even those who really should know better, can’t think like that. Point out that it might not be an evil employee but might just be a compromised laptop, and suddenly it makes much more sense to them.

It’s amazing how often we have to show people examples because their imagination can’t easily get there from here.

Irenes (many)3h ago

@AnachronistJohn @chaos @c0dec0dec0de @AMS @ryanc yeah one of the best pieces of advice we ever heard about communicating with lawyers as a technical person is, come up with a concrete example

(applicable elsewhere too, of course)

@ryanc @AMS @chaos oh!

That’s also useful to ssh into a libvirt console, isn’t it?

I’ll have to play with this.

@ryanc @AMS @chaos mind that there are current attempts to reduce the network size of 127/8 and AFAIHH FreeBSD already implements this.

execing sshd in inetd mode instead of connecting to a running one could also be interesting…

@mirabilos @AMS @chaos Yeah, I considered sshd -i, but that would have required environment manipulation. setenv() needs malloc, which ugetty doesn't otherwise use. Handling the identification string also requires reading it to detect it, then replaying it to sshd. This could be done by forking, replaying the string, then replacing the file descriptors (I think), but the socket method feels cleaner.

@ryanc @AMS @chaos ah, that is annoying, of course.

Can you MSG_PEEK on a serial port? Then you could indeed just exec.

@mirabilos @AMS @chaos I don't believe so, as a serial port is not a socket.

@ryanc @AMS @chaos might still have 15 bytes buffered or so…

Rogan Dawes 23h ago

@ryanc @AMS @chaos this is excellent, thank you!

I wanted to run ssh over Bluetooth Serial Port Profile (I have a JDY-31 dongle wired to the serial console of my device), and couldn’t figure out how to bodge it together. This looks like it should do the trick!

22h ago

@RoganDawes @AMS @chaos Yup, should work. Though for something wireless, you may want to run SSH over PPP so that it doesn't die the first time a packet gets dropped.

Andrej Shadura 23h ago

@ryanc it should also watch for ESC-ESC and run a local BBS 🙂

@AMS @chaos

Tobias 20h ago

@ryanc @AMS @chaos This is nice.