
I was pleased to be a participant in Powers of Tau, having served as the
Zcash Company's DevOps engineer during 2016-2017, and contributed some
suggestions to the original ceremony.

For the purposes of my report, the most important fact to disclose,
which I must stress seems unconnected to my participation in the
ceremony, is that I discovered I was hacked about a week beforehand. My
router was popped and being tunneled/VPNd into, and there was
unprivileged access to my desktop computer complete with the hijacking
of my DBUS user session enabling the attacker(s) to spy on my screen
with XRDP. This was the case for a period of about two weeks in
February, though it's possible the targeting began earlier.

Even as this is the first time any equipment of mine had been
compromised in over a decade, and it's somewhat embarrassing to admit
since I make my living by securing systems and being trusted, I can
reveal some of the methodology. At the time I was hacked, I was
experimenting with Tor's DNSPort as my primary means of domain name
resolution, and I was running an open resolver which was exposed to the
internet. I had also enabled UPnP and the media/streaming services of my
router, and had set up SNMP to control the router. My best understanding
is that a malicious DNS server was used to obtain the privileges of the
loopback interface. Later, an unconfigured installation of FreeRADIUS on
my system (which has a client grant for localhost in its default
configuration) was exploited in order to give the attacker their own
user on my machine. In addition to the hijacking of my DBUS user session
and the remote viewing which occurred for days on end unbeknownst to me
at the time, I discovered several levels of compromise and daemons which
had been reconfigured, including MiniDLNA/minissdpd, PPD/pptpd, OpenVPN
and snmpd.

Needless to say, figuring this out prompted me to replace my router,
re-install my operating system, revoke keys and shift passwords, and led
to several sleepless nights spent investigating, yet ironically prepared
or positioned me in a way for the ceremony. The strangest part of the
whole episode is that I ended up having some conversation with one of
the people who was hacking me via IRC, and to this day it seems they
were just curious and nothing of value was taken. The lesson which I can
impart to others is to please disable UPnP, and be wary of defaults and
of keeping stuff installed which you don't need!

So… now for the computation, which occurred on March 9th. For a period
of days before the ceremony, I essentially “went dark”, e.g. stopped
posting on social media, and all traffic on my LAN was routed through
the Tor network. Working out of my apartment, I used a computer which I
have maintained for air-gap operations; which has never been connected
to the internet. I transferred the challenge and the Rust
code+dependencies via a USB stick. Both the compute node and my regular
computer ran the testing distribution of Debian Linux, and were fully
updated in all respects including firmware. In addition, those machines
had hardening applied to make things more secure. To be specific, I ran
the latest grsecurity kernel in the 4.4.x stable series. I firewalled
the machine(s) so that both incoming and outgoing packets had a default
'DROP' policy, and the few protocols which I wanted to use would be
explicitly added. I leveraged the AppArmor LSM with all available
profiles enforced and enabled, and I also kept auditd logs which
indicated no unusual activity or syscalls.
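The firewall policy described above (default DROP on both inbound and outbound traffic, with only a few explicitly allowed protocols) rendered as an iptables-restore ruleset. This is an added example, not the participant's own configuration; it assumes an IPv4 Linux host with iptables, and the `tcp:9050` / `udp:53` allowances are constructed sample inputs. Nothing is applied: the ruleset is printed so it can be reviewed before being loaded with `iptables-restore`.

```shell
#!/bin/sh
# gen_rules <proto:port ...>
# Emits an iptables-restore filter table with default DROP policies on
# INPUT, FORWARD and OUTPUT. Loopback and already-established flows pass;
# new outbound connections pass only for the "proto:port" pairs given.
# Example (constructed): gen_rules tcp:9050 udp:53
gen_rules() {
  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]'
  printf '%s\n' ':FORWARD DROP [0:0]'
  printf '%s\n' ':OUTPUT DROP [0:0]'
  # Loopback must stay open: local daemons (and a resolver bound to
  # localhost such as Tor's DNSPort) talk over it.
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
  # Replies to connections this host initiated are accepted; no new
  # inbound connection is ever accepted under this policy.
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT'
  for spec in "$@"; do
    proto=${spec%%:*}
    port=${spec#*:}
    case "$proto" in
      tcp|udp) ;;
      *) printf 'gen_rules: unsupported spec %s\n' "$spec" >&2; return 1 ;;
    esac
    case "$port" in
      ''|*[!0-9]*) printf 'gen_rules: bad port in %s\n' "$spec" >&2; return 1 ;;
    esac
    # Only the NEW state is matched here; ESTABLISHED is already covered.
    printf '%s\n' "-A OUTPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  printf '%s\n' 'COMMIT'
}

# count_explicit_allows: number of explicit outbound allow rules in a
# ruleset read from stdin (returns the count, 0 when there are none).
count_explicit_allows() {
  n=$(grep -c -- '--ctstate NEW' || true)
  printf '%s\n' "${n:-0}"
}
```

Review the printed ruleset for anything unexpected, then load it with `iptables-restore < rules.txt` (and mirror it with ip6tables if the host has IPv6 enabled).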

With that said, here's the b2sum of my response:

Lastly I want to note in advance that the key I'm using to sign my
attestation presently (which was on a smartcard, so I have no indication
it was stolen), 0xB604C32AD5D7C6D8, will nonetheless be revoked at the
end of March 2018.

Kevin Gallagher