Last Saturday, I attended the second day of Grazer Linuxtage, an event I had missed. It was great to see the conference vibe getting closer to what it used to be. The organizers did an excellent job, and I want to take this chance to express my appreciation to all the volunteers involved in the event.
The talks were organized into three parallel tracks, covering a wide range of topics related to Linux as well as other aspects of open source, open hardware, and free software. Each track took place in a separate building, with approximately a 5-minute walk between them. Sponsors were also conveniently located around the entrance of each venue.
Below, I provide a list of the talks I attended, along with my personal impressions of each session. Since some talks were in English and others in German, I have decided to retain the original title for each presentation:
Solar-Akku für Alle - Wie du einen 15 kWh Solar-Akku selber baust!
Video: https://media.ccc.de/v/glt23-338-solar-akku-fr-alle-wie-du-einen-15-kwh-solar-akku-selber-baust-
Fridolin Einböck from HTBLuVA provides a detailed guide on constructing a 15 kWh solar battery using LiFePO4 cells. He compares the cost-effectiveness of a DIY solution to commercial products, such as the Pylontech US5000, highlighting the significant savings you can achieve by building your own solar battery.
He also covers how to source affordable LiFePO4 cells from platforms like Alibaba and introduces all the necessary components, such as bus bars, a battery management system (BMS), fuses and circuit breakers.
Fridolin walks you through the assembly process, which includes parallel connecting and charging batteries, crimping cells, mounting bus bars, and installing fuses. He also shares 10 crucial tips to ensure a safe and efficient solar battery pack, touching on aspects like compression, thermal runaway, and maintaining quality electrical connections.
With a focus on the quality of LiFePO4 cells, proper maintenance, and avoiding potential issues like short circuits, this video offers a comprehensive and informative guide for those interested in building their own solar battery system, as long as they feel confident in their skills.
He also provides several useful YouTube channels: @Akkudoktor, MeineEnergiewende, @SchattenPV and @OffGridGarageAustralia
The Road to Secure Cryptography: Understanding and Preventing Common Misuses
In this talk Markus Schiffermüller discusses the common misuses and mistakes in cryptography. He emphasizes the importance of using established cryptographic algorithms rather than inventing one's own, as security by obscurity often leads to vulnerabilities, such as the case with MIFARE Classic's CRYPTO-1. He also warns against hard-coding keys into applications, a frequent mistake made by inexperienced developers or those working under pressure. Instead, keys should be properly managed and never hard-coded at any stage of development.
Another critical mistake in cryptography is the absence or misuse of nonces. In the talk he strongly advises against using ECB mode, reusing nonces, or generating nonces with a standard (non-cryptographic) random number generator, as they can be predictable. He recommends using /dev/urandom as a more secure alternative.
Lastly, it's important to avoid using weak or outdated cryptographic algorithms, which is a common issue, particularly in Android applications. He suggests avoiding deprecated algorithms like SHA-1, MD5, and DES, and selecting secure key sizes based on NIST guidelines. By addressing these common mistakes, developers can improve the security and robustness of their cryptographic implementations.
From Blog to Book: The Nerdy Way
Video: https://media.ccc.de/v/glt23-358-from-blog-to-book-the-nerdy-way
Niklas Hösl embarked on a project to create a book, primarily for his grandmother, consisting of content from his personal travel blog built with WordPress. After considering various options like MS Word and LaTeX, he found them unsuitable due to excessive copying, pasting, manual formatting, and complex setup requirements. Instead, he chose Kalin's PDF Creation Station, a WordPress plugin that exports blog posts as a static website and collects the images in a single folder.
Although the plugin facilitated the process, he still needed to make some adjustments to enhance the final product. These improvements included justifying the text, styling headings, adding page breaks in CSS, and manually realigning images. He created the table of contents manually, added page numbers with the help of iLovePDF, and designed the cover by drawing inspiration from story.one.
Making the Internet faster - QUIC und HTTP/3
Video: https://media.ccc.de/v/glt23-389-making-the-internet-faster-quic-und-http-3
Franz Wimmer's presentation covers the history and development of the Hypertext Transfer Protocol (HTTP) from its inception to the latest iteration, HTTP/3.
Starting with HTTP/0.9 in 1991, which featured simple, single-line requests and HTML document responses, HTTP has gone through several significant updates. HTTP/1.0 introduced status codes and the use of request and response headers, while HTTP/1.1 added features such as reusable TCP connections, serial requests, and content type handling.
The introduction of SPDY provided a tunnel around HTTP/HTTPS, which allowed for compression and mandatory TLS without the need to change the application. HTTP/2 built upon this by ensuring compatibility with HTTP/1.1 and adding features like eliminating head-of-line (HOL) blocking and the ability to negotiate between HTTP/1.1 and HTTP/2.
QUIC and HTTP/3, the most recent developments in the protocol, utilize the User Datagram Protocol (UDP) and take over functions from both TLS and TCP. This version of HTTP focuses on reducing the initial handshake and features individually encrypted packets. While still in development, some web servers and tools already offer support for HTTP/3 (notably HAProxy since version 2.7).
Further resources on HTTP/3:
* https://caniuse.com/http3
* http://http3.is/
* https://cloudflare-quic.com/
2022's Top Cyber Threats: A Closer Look
Members of LosFuzzys presented some of the top security threats of the past year. I could not find a video for this talk.
Yuma Buchrieser
The presentation begins by illustrating how hackers stole 600 million USD from Axie Infinity's Ronin network. Although the network utilizes blockchain technology, it relies on just 9 nodes to validate transactions, in contrast to Bitcoin's 17,000 and Ethereum's over 500,000. To successfully execute such an attack, the hackers needed control of 5 nodes.
The company operating the game chose to outsource certain components, granting another company access to 4 of their machines. It is believed that the attackers acquired access to the keys after the outsourcing contract concluded, as the keys on the machines were not updated. The attackers then managed to gain access to a 5th node by leveraging their existing access, which allowed them to control the transaction validation process within the network.
Markus Ostermayer
pip, the package installer for Python, offers the --index-url and --extra-index-url settings in the install command:
Package Index Options:
-i, --index-url <url> Base URL of the Python Package Index (default https://pypi.org/simple). This should point to a repository compliant with PEP 503 (the simple repository API) or a local directory laid out in the same format.
--extra-index-url <url> Extra URLs of package indexes to use in addition to --index-url. Should follow the same rules as --index-url.
The --extra-index-url option is commonly used within organizations to install internal packages. This means that pip will first check the default index for a package, and if it's not available there, it will search the extra index. When both are defined, pip will prioritize the package with the greater version number.
This can be exploited by creating a malicious package and uploading it to pypi.org when the name of an internal package is known but not used on PyPI. The attacker may also assign the package a high version number (e.g., 99) to ensure that the package has a higher priority than the one in the --extra-index-url.
This issue was exploited in the PyTorch-nightly build:
* https://pytorch.org/blog/compromised-nightly-dependency/
* https://www.wiz.io/blog/malicious-pytorch-dependency-torchtriton-on-pypi-everything-you-need-to-know
Markus offered some solutions:
* Register the name of private packages on pypi.org with a 0.0.0 release
* Use --index-url instead and mirror the required packages in the internal index.
Markus Schiffermüller
He discussed Follina, a vulnerability in MS Word, also known as CVE-2022-30190. This security vulnerability allows an attacker to manipulate a file and execute remote code on the target machine.
.docx is an archive format, enabling an attacker to access the file responsible for managing relationships (e.g., external Excel files) and insert any URL. This URL can then inject JavaScript into MS Office, which will be executed. The Microsoft Support Diagnostic Tool (MSDT) can be invoked from the JavaScript code, and PowerShell commands can be executed directly.
Kevin Saiger
Kevin presented Acropalypse, a vulnerability in the Android screenshot app. Typically, users can take a screenshot and crop it afterward. However, the file is overwritten in place rather than truncated, so the data from the cropped-away portion of the image is not removed from the file. This means that while certain parts of the cropped image are not displayed, they remain available in the file, posing a security risk. As a result, certain information or sections of images may be leaked, even if users believe they have removed those parts.
The root cause of this vulnerability is an undocumented behavior in Android. Up until version 10, files could be opened in w mode, which truncates the file and completely overwrites it. Since version 10, the wt mode was introduced to perform this task, while the w mode no longer truncates the file.
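The same effect can be reproduced outside Android: opening a file for writing without truncation (no O_TRUNC, the POSIX equivalent of the non-truncating w mode described above) leaves the old tail in place. This added example (not from the talk) writes a smaller constructed PNG over a larger one that way and then measures the leftover by walking the chunk list to the IEND chunk, which is the check a defender can run over a batch of cropped screenshots.

```python
import os
import struct
import tempfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype: bytes, body: bytes) -> bytes:
    # length + type + data + CRC32 over type and data, as the PNG spec requires
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def make_png(idat_payload: bytes) -> bytes:
    # Constructed 1x1 8-bit grayscale PNG; the IDAT content is never decoded here,
    # the check only needs a structurally valid chunk stream.
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat_payload) + chunk(b"IEND", b"")

def trailing_bytes_after_iend(data: bytes) -> int:
    """Return how many bytes follow the IEND chunk (0 for a clean file).
    Walks the chunk list instead of searching for the literal b'IEND', so an
    IDAT that happens to contain those bytes cannot cause a false positive."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 8-byte header, data, 4-byte CRC
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("no IEND chunk found")

def overwrite_without_truncate(path: str, new: bytes) -> None:
    # Reproduces the failure mode: O_WRONLY without O_TRUNC, so any bytes of the
    # old file beyond len(new) survive.
    fd = os.open(path, os.O_WRONLY | getattr(os, "O_BINARY", 0))
    try:
        os.write(fd, new)
    finally:
        os.close(fd)

def demo() -> tuple:
    original = make_png(os.urandom(4096))   # larger "full screenshot"
    cropped = make_png(b"\x00" * 16)        # smaller "cropped" image
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(original)
        path = f.name
    overwrite_without_truncate(path, cropped)
    with open(path, "rb") as f:
        leftover = trailing_bytes_after_iend(f.read())
    with open(path, "wb") as f:             # 'wb' truncates: the corrected behaviour
        f.write(cropped)
    with open(path, "rb") as f:
        clean = trailing_bytes_after_iend(f.read())
    os.unlink(path)
    return leftover, clean
```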
PostgreSQL: Performance Tipps, die man noch nie gesehen hat
Video: https://media.ccc.de/v/glt23-323-postgresql-performance-tipps-die-man-noch-nie-gesehen-hat
The final talk I attended was by Hans-Jürgen Schönig and focused on new tips for enhancing the performance of PostgreSQL:
- Connect to the database using a Unix socket instead of localhost. This simple trick can double the number of connections, as a connection over IP is not required.
- Sorting data by their type in a table can reduce the memory footprint. This is especially useful when dealing with tables containing billions of rows. Although it is often assumed that the database does this automatically, architectural limitations require it to be done manually.
- The memory footprint of an import can be significantly reduced when null values are added after the data is created. Similar to the second tip, this is particularly helpful for large tables.
- The size of indexes can be considerably reduced by using hashtext on VARCHAR fields, which can also help increase query speed. This is because the index can fit into the available memory instead of the disk (which is about 100 times slower than RAM). The only drawback is the SQL query required afterward to use the index.
-- Standard
SELECT * FROM t_email
WHERE email = 'sample@example.test';
-- With hashtext: the first predicate uses the hashtext index,
-- the second one guards against hash collisions
SELECT * FROM t_email
WHERE hashtext(email) = hashtext('sample@example.test')
AND email = 'sample@example.test';
Conclusion
Overall, Grazer Linuxtage 2023 was a great experience, with informative talks covering a wide range of topics. The organizers did an excellent job, and the event had a great atmosphere. I particularly enjoyed the talks related to security and enhancing PostgreSQL.