Add attestation from Kevin Gallagher (@ageis)
parent a39f55591f
commit 6f92c36e71
@ -1,5 +1,11 @@
# Kevin Gallagher
* Former DevOps engineer for [Zcash Company](https://z.zcash)
* Former sysadmin for [Freedom of the Press Foundation](https://freedom.press) and SRE at Cloudflare
* Personal website: [cointel.pro](https://cointel.pro)
* Mailing list post: <https://lists.z.cash.foundation/pipermail/zapps-wg/2018/000352.html>
* See `./report.asc` for the signed attestation.
Response file:
* <https://powersoftau-transcript.s3-us-west-2.amazonaws.com/548c67a73e0e33cd8c8d00f23963870ba5bfb8637ebeacc6541ed607b5edc8e7db1593d22804688f3cc4c788a750f7f8ec57aa7f122f3fa6d86ff5bc11a26940>
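Review bot: the first bullet links "Zcash Company" to https://z.zcash, which is not a resolvable hostname (".zcash" is not a top-level domain); the company site is https://z.cash, so the URL should be corrected. Separately, the "Response file" bullet gives only an S3 URL whose final path component is a 128-hex-character value with no indication of what it is; since the signed report identifies that same value as the `b2sum` (BLAKE2b-512) of the response, add a line next to the link stating "b2sum of response: <the hash>" so a verifier knows which hash to compute against the downloaded file without first opening `./report.asc`.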
@ -0,0 +1,89 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
I was pleased to be a participant in Powers of Tau, having served as the
Zcash Company’s DevOps engineer during 2016-2017, and contributed some
suggestions to the original ceremony.
For the purposes of my report, the most important fact to disclose,
which I must stress seems unconnected to my participation in the
ceremony, is that I discovered I was hacked about a week beforehand. My
router was popped and being tunneled/VPN’d into, and there was
unprivileged access to my desktop computer complete with the hijacking
of my DBUS user session enabling the attacker(s) to spy on my screen
with XRDP. This was the case for a period of about two weeks in
February, though it’s possible the targeting began earlier.
Even as this is the first time any equipment of mine had been
compromised in over a decade, and it’s somewhat embarrassing to admit
since I make my living by securing systems and being trusted, I can
reveal some of the methodology. At the time I was hacked, I was
experimenting with Tor’s DNSPort as my primary means of domain name
resolution, and I was running an open resolver which was exposed to the
internet. I had also enabled UPnP and the media/streaming services of my
router, and had set up SNMP to control the router. My best understanding
is that a malicious DNS server was used to obtain the privileges of the
loopback interface. Later, an unconfigured installation of FreeRADIUS on
my system (which has a client grant for localhost in its default
configuration) was exploited in order to give the attacker their own
user on my machine. In addition to the hijacking of my DBUS user session
and the remote viewing which occurred for days on end unbeknownst to me
at the time, I discovered several levels of compromise and daemons which
had been reconfigured, including MiniDLNA/minissdpd, PPD/pptpd, OpenVPN
and snmpd.
Needless to say, figuring this out prompted me to replace my router,
re-install my operating system, revoke keys and shift passwords, and led
to several sleepless nights spent investigating, yet ironically prepared
or positioned me in a way for the ceremony. The strangest part of the
whole episode is that I ended up having some conversation with one of
the people who was hacking me via IRC, and to this day it seems they
were just curious and nothing of value was taken. The lesson which I can
impart to others is to please disable UPnP, and be wary of defaults and
of keeping stuff installed which you don’t need!
So… now for the computation, which occurred on March 9th. For a period
of days before the ceremony, I essentially “went dark”, e.g. stopped
posting on social media, and all traffic on my LAN was routed through
the Tor network. Working out of my apartment, I used a computer which I
have maintained for air-gap operations; which has never been connected
to the internet. I transferred the challenge and the Rust
code+dependencies via a USB stick. Both the compute node and my regular
computer ran the ‘testing’ distribution of Debian Linux, and were fully
updated in all respects including firmware. In addition, those machines
had hardening applied to make things more secure. To be specific, I ran
the latest grsecurity kernel in the 4.4.x stable series. I firewalled
the machine(s) so that both incoming and outgoing packets had a default
'DROP' policy, and the few protocols which I wanted to use would be
explicitly added. I leveraged the AppArmor LSM with all available
profiles enforced and enabled, and I also kept auditd logs which
indicated no unusual activity or syscalls.
With that said, here’s the b2sum of my response:
548c67a73e0e33cd8c8d00f23963870ba5bfb8637ebeacc6541ed607b5edc8e7db1593d22804688f3cc4c788a750f7f8ec57aa7f122f3fa6d86ff5bc11a26940
Lastly I want to note in advance that the key I'm using to sign my
attestation presently (which was on a smartcard, so I have no indication
it was stolen), 0xB604C32AD5D7C6D8, will nonetheless be revoked at the
end of March 2018.
Regards,
Kevin Gallagher
@ageis
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
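Review bot: the attestation announces that the signing key 0xB604C32AD5D7C6D8 will be revoked at the end of March 2018, yet the README entry added in the same commit records neither that key ID nor its full fingerprint, so someone verifying `report.asc` after the revocation will meet a revoked key with no out-of-band reference to compare it against; please add the key ID (and ideally the full fingerprint and where it was published) together with the planned revocation date to the README bullet list. Two further documentation points: the `b2sum` value under "With that said, here's the b2sum of my response:" matches the final path component of the transcript URL in the README, which is worth stating explicitly there, and the README summary does not surface the router and desktop compromise the participant reports for roughly a week before the March 9th computation, which a reader of the attestation index would want flagged.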