Sender | Message | Time |
---|---|---|
12 Apr 2024 | ||
Jan Kessler | And it hangs on the BBB packages. | 07:33:19 |
danimo | Could be that ICMP is now being firewalled off somewhere on the way to the bbb install server. | 07:33:42 |
danimo | If for some reason (VPN?) you then don't arrive from the university with 1500, it blows up. It can also happen somewhere along the path. But narrowing it down would help first. | 07:34:12 |
Jan Kessler | It's without VPN | 07:34:41 |
Jan Kessler | * It's without VPN. But it could be the web proxy... Anyway, thanks for the feedback. | 07:38:16 |
15 Apr 2024 | ||
Daniel S. (Uni FFM) | When I get reports of audio and video dropouts, in which log would I find something about that? | 10:21:58 |
Daniel S. (Uni FFM) | Apr 15 12:06:52 bbb-18-2 systemd_start_frontend.sh[124923]: 2024-04-15T10:06:52.954Z frontend-2 [error] : Exception while invoking method userShareWebcam Error: Match error: Expected string, got undefined | 10:32:15 |
Daniel S. (Uni FFM) | That's what I found. | 10:32:19 |
Timo Nogueira Brockmeyer | At 3 pm today: the German-speaking BBB Adopter's Meeting | 12:23:25 |
defnull | You may want to wait before upgrading to Greenlight 3.3.3, the fix needs a fix. | 20:50:08 |
defnull | Maybe I was wrong this time, I'll check again tomorrow | 22:18:31 |
16 Apr 2024 | ||
defnull | Okay, so, here is some background: Some regulations require that all uploads to web applications must be checked for viruses before they are distributed to other users, and that malicious uploads are blocked immediately with an error message. The usual test case is uploading an EICAR test file and checking if the application returns an error message. If not, then you fail the compliance test. This has nothing to do with actual security, this is really just compliance and security theater. But Greenlight and BBB both added support for virus scans for user content (sponsored by people that are also here) because of this, and the GL-3.3.3 release seems to be part of that effort. The new GL-3.3.3 patch uploads the original image and checks it, but does not include a check for the downsized/cropped image (generated on the client) that is then actually persisted and used by GL. What I did not see: the virus scan for the final image was already there, deep down in the User model. It was enough for security (if you really think virus-scanning images improves security), but it did not tick the compliance checkbox because it would not generate an error message when uploading an EICAR test file. The browser would generate a new image (without any EICAR strings in its metadata) and upload that, and for the 'pen tester' that would look like a successful upload of a malicious file. So, the GL-3.3.3 release really fixes the issue, but the issue was not a security issue. Just a missing error message that normal users should never see in the first place. | 07:08:08 |
defnull | * Okay, so, here is some background: Some regulations require that all uploads to web applications must be checked for viruses before they are distributed to other users, and that malicious uploads are blocked immediately with an error message. The usual test case is uploading an EICAR test file and checking if the application returns an error message. If not, then you fail the compliance test. This has nothing to do with actual security, this is really just compliance and security theater. But Greenlight and BBB both added support for virus scans for user content (sponsored by people that are also here) because of this, and the GL-3.3.3 release seems to be part of that effort. The new GL-3.3.3 patch uploads the original image, checks it, and then throws it away. The patch does not include a check for the downsized/cropped/centered image (generated on the client) that is actually persisted and used by GL. What I did not see: the virus scan for the final image was already there, deep down in the User model. It was enough for security (if you really think virus-scanning images improves security), but it did not tick the compliance checkbox because it would not generate an error message when uploading an EICAR test file. The browser would generate a new image (without any EICAR strings in its metadata) and upload that, and for the 'pen tester' that would look like a successful upload of a malicious file. So, the GL-3.3.3 release really fixes the issue, but the issue was not a security issue. Just a missing error message that normal users should never see in the first place. | 07:12:26 |
defnull | I cannot stress enough how stupid this is. I mean the regulation and the way compliance is tested, not GL or BBB. They just do what is required by the regulation. Just to comply with some brain-dead pen-test, we now upload an additional file that we do not need or want, and that may actually be malicious (e.g. bad metadata, corrupted payload that triggers image library bugs), feed it to a virus scanner that probably does not even scan for this kind of payload, and then throw it away. Just to generate an error message so the tester can check a checkbox. | 07:21:55 |
defnull | All this nonsense because those pen-tests do not test for actual security, they run a set of standard test cases against all input fields they can find, and that's it. Same with network scans. They run a port scan and let software generate a report. If you are lucky and did not hire the cheapest 'security' contractor on the market, an actual human looks over the results and filters out obvious false positives, but you still end up with tons of work to fix security issues that do not exist. Lots of money wasted for a simple nmap scan. | 07:30:47 |
defnull | </rant> | 07:30:54 |
@jbonk:chat.virtuos.uni-osnabrueck.de | left the room. | 07:59:06 |
17 Apr 2024 | ||
Daniel S. (Uni FFM) | In reply to @dschekli:matrix.server.uni-frankfurt.de I also found the following on this, which matches the user's outage time exactly: Does anyone know where that comes from? | 13:37:00 |
defnull | Looks like massive connection problems on the user's side, if even the (tcp) WebSocket connection dies. | 13:38:58 |
Daniel S. (Uni FFM) | So more likely network problems on his/our side. | 13:39:33 |
defnull | When in doubt, that is always the explanation. | 13:39:52 |
defnull | * When in doubt, that is always the explanation, especially when only one person in the meeting has the problems. | 13:40:03 |
defnull | * When in doubt, that is always the explanation, especially when only one person in the meeting has the problems. | 13:40:10 |
Daniel S. (Uni FFM) | He said it happens to several people. | 13:40:18 |
Daniel S. (Uni FFM) | Also falling into that time window is | 13:41:49 |
David Siegfried | A question about GL3: If I want to go from 2 to 3 and have been using LDAP, then I can forget about the migration, right? | 19:48:26 |
David Siegfried | That is, the user logs in via Keycloak and has his old rooms? | 19:48:57 |
David Siegfried | * That is, the user logs in via Keycloak and has his old rooms? | 19:49:09 |
Daniel S. (Uni FFM) | Don't you authenticate with LDAP anymore with gl3? | 19:55:23 |