stacksmashing

This profile might be incomplete.
Open on infosec.exchange

stacksmashing

YouTube:

https://youtube.com/stacksmashing

Personal info

About:

I'm an IT security researcher, and sometimes I make videos about that!

Contact: contact@stacksmashing.net

Wall 2 posts

Stop. Truncating. Hashes.

https://www.phoronix.com/news/OpenWrt-Compromised-ASU-Builds

2. **Truncated SHA-256 Hash Collisions**: The request hashing mechanism truncates SHA-256 hashes to only 12 characters. This significantly reduces entropy, making it feasible for an attacker to generate collisions. By exploiting this, a previously built malicious image can be served in place of a legitimate one, allowing the attacker to "poison" the artifact cache and deliver compromised images to unsuspecting users.

Like 8 Dec 2024 at 16:41 | Open on infosec.exchange

Show previous comments

We run this security-sensitive service but only keep the logs for 7 days😔

Obviously hindsight is 20/20, but a good example on why at companies I always want as much log retention as possible.

The good news is that it's believed no official images from downloads.openwrt.org were affected nor any custom images from the 21.10.0-rc2 release. OpenWrt developers were only able to verify the build logs for the past seven days due to automatic clean-up of older build logs. Users are thus encouraged to carry out in-place upgrades to the same version to eliminate any possibility of being affected.

8 Dec 2024 at 16:47 | Open on infosec.exchange

nytpu ‮

@stacksmashing I like to link people this if they think it's too difficult to brute-force a short hash prefix lol https://github.com/zegl/extremely-linear

8 Dec 2024 at 18:46 | Open on tilde.zone

none gender with left politics

@stacksmashing @Lyude isn't finding truncated SHA-256 hash collisions literally how bitcoin mining works

8 Dec 2024 at 21:20 | Open on beach.city

In german we don’t say “security researcher”, instead we say “Hacker-Heinis”😂

Like 6 Jan 2024 at 20:31 | Open on infosec.exchange

Show previous comments

Siguza

@stacksmashing this deserves a German reply that cannot be accurately translated: "Heul doch!"

7 Jan 2024 at 0:56 | Open on infosec.exchange

Benjamin Schröter

@stacksmashing @leyrer ... and l think it's beautiful

7 Jan 2024 at 10:04 | Open on chaos.social

Nicro

@stacksmashing that Apple-mentality: “They didn’t advertise that as a feature, it must be impossible”. I’m joking, but it is kinda what you get. A product that does everything it’s meant to do well (As long as support lasts), but nothing extra.

7 Jan 2024 at 11:05 | Open on fedi.absturztau.be