[Rack] [Noisebridge-discuss] minotaur is down

Jonathan Lassoff jof at thejof.com
Wed Jul 10 08:21:49 UTC 2013


On Tue, Jul 9, 2013 at 3:47 AM, Josh Juran <jjuran at gmail.com> wrote:
> On Jul 8, 2013, at 11:10 PM, Jonathan Lassoff wrote:
>
>> Aww... bummer.
>> The only thing I changed was firewalling off the gateman daemon from
>> the outside world. That allowed any competent hacker to unlock the
>> gate with no code.
>> Now, a code would be required.
>
>
> I thought minotaur already wasn't public.  If it was, I'd have had Noisegate
> contact it directly instead of going through pony.

Well, there are a couple parts on minotaur. The HTTP API was locked
down to just access from the space (except for /spaceapi/), however,
there is a stupid-simple C daemon that talks UDP and unlocks the gate.
Previously, a crafter hacker could craft special UDP packets, toss 'em
at minotaur, and unlock the gate. I kinda liked that as a little
backdoor, which if someone can figure out, then I feel like they would
probably enjoy visiting Noisebridge, and I'd enjoy having around. I
have no idea if anyone used that.
I think that's a bad idea for security overall, so I shut it so that
only localhost-talking things on minotaur can reach the daemon to buzz
the gate.

>> Is there a link to the app or details about what it's trying to do
>> that's failing?
>
>
> https://github.com/jjuran/noisegate-android
>
> It sends a GET request to
> "http://pony.noisebridge.net/gate/unlock/?key=12345" or such.  The unlock
> script then sends a POST request to minotaur.

Aha! I forgot to test the Pony scripts -- I didn't realize there were
other layers built on top of the API.
I think the underlying error was that the api.noisebridge.net CGI runs
as www-data, while the codes file is only readable by root or group
"barons".
I added www-data to barons, and all seems well.
Test again?

>> On Mon, Jul 8, 2013 at 8:29 PM, daravinne <daravinne at gmail.com> wrote:
>>>
>>> the noisegate-debug app that Josh Juran made doesn't work anymore after
>>> the
>>> rebuild, it seems.  is that Josh's thing to fix or something on minotaur?
>
>
> The Android app is fine.  The unlock CGI script it calls might need to be
> changed to accommodate the changes on minotaur.
>
> Josh
>
>


More information about the Rack mailing list