ruby nealon

@_ruby

2,499 Followers · 530 Following · 101 Media · 346 Statuses

she/her. hacker in tokyo.

Tokyo
Joined April 2015
Pinned Tweet
@_ruby
ruby nealon
7 months
The setup behind the CVE-2024-3094 supply-chain attack is fascinating. I originally wanted to finish and share a tool to audit other OSS projects for anomalous contributor behavior, but I feel what I found trying to MVP it is way more interesting. 🧵 1/25
Tweet media one
15
266
1K
@_ruby
ruby nealon
8 years
when someone submits a video without a poc
21
59
233
@_ruby
ruby nealon
7 months
25/25 It feels very lucky that it was discovered at the stage it was. I hope with this attack on people's minds, other OSS projects in similar positions consider doing tabletop scenario exercises for this kind of attack and how they can prevent/detect it. Thanks for reading!
2
5
171
@_ruby
ruby nealon
4 years
Hope everyone is having a great day except whoever installed the cabling in my apartment building
Tweet media one
23
19
147
@_ruby
ruby nealon
3 years
Permanent residency in Japan approved 🇯🇵
10
0
118
@_ruby
ruby nealon
7 months
23/25 I wonder how many other high-effort "fake identities" are still in the infiltration stage, building trust with maintainers of other quiet or older projects that are a valuable target for attackers but aren't necessarily understood as one.
2
6
119
@_ruby
ruby nealon
7 months
24/25 If the injected code was more conservative selecting targets and didn't have a performance impact so significant that someone who (in their own words) "is not a security researcher/engineer" began to investigate, how long could this have gone undetected?
1
4
116
@_ruby
ruby nealon
7 months
7/25 I started manually auditing the xz repo. Another surprise was reading the test file README in xz: "Many of the files have been created by hand with a hex editor, thus there is no better "source code" than the files themselves." With hindsight of the test file backdoor... 😅
Tweet media one
1
7
109
@_ruby
ruby nealon
7 months
16/25 From 2022 though a focus on xz-utils, even representing it in other projects! In Google's oss-fuzz, they disabled the same compiler feature their backdoor uses to intercept execution. And then changed the primary contact, so any bugs it did manage to find went to them...🤔
Tweet media one
Tweet media two
1
8
109
@_ruby
ruby nealon
7 months
2/25 If you haven't, please read the full @Openwall mailing list disclosure. The first advisory summary a friend shared with me had such a high-level overview that I feel I initially grossly underestimated the level of sophistication of this attack.
1
1
103
@_ruby
ruby nealon
7 months
15/25 The other contributor has authored 76% of commits, incl. the first. So between them, 95% of all commits. But their GH account was created in 2021! Before working on xz, they ... tried to make libarchive auto-download combinations of dependencies that didn't make sense 🤔
Tweet media one
2
5
100
@_ruby
ruby nealon
7 months
5/25 Suddenly I had a lot of questions. Why did sshd/OpenSSH load xz-utils if OpenSSH doesn't depend on it? As I understand now, official OpenSSH does not but linux distro packages often patch it to support systemd, which does. (still not 100% - please correct me if I am wrong!)
2
2
90
@_ruby
ruby nealon
7 months
12/25 But as I was running my MVP script in the xz-utils repo, I realized that if this user was a 'fake identity' as suspected, the creator had been anything but lazy. This is by far the most work/time/persistence I've seen go into an attack that anyone can follow chronologically
1
3
85
@_ruby
ruby nealon
7 months
22/25 At the time of writing they are even still listed as co-maintainer on the sponsoring project's website too. My point isn't to goof on the project, but rather to highlight the level of trust and access they achieved while infiltrating the project.
Tweet media one
1
2
84
@_ruby
ruby nealon
7 months
8/25 When I looked for commits in other related projects adding new binary files, my first hit was a test fixture binary in zstd - also a compression lib too! The same commit also had automation to regenerate and detect the file changing.
1
3
78
@_ruby
ruby nealon
7 months
9/25 I don't think this is by any means the single/most important factor that led to the attack, but I did want to show them in contrast to at least highlight that there is a better way of doing this, and that CI/test infra hygiene is worth continuously reviewing and bettering.
1
0
77
@_ruby
ruby nealon
7 months
14/25 Since their first commit in Jan 2022, they have authored a total of 451 commits in xz-utils main branch. That's 19% of all main branch commits in just over 2 years. The project's first commit (when it migrated to git) was over 16 years ago!
1
1
78
@_ruby
ruby nealon
7 months
11/25 I spent way too much time keeping it as a one-liner, but I now had something to find each binary file in a repo, the commit author who last modified it and agg. git stats, recursive-extract binwalk / strings it, and print an (ugly) plaintext report.
1
2
73
@_ruby
ruby nealon
7 months
3/25 Hackers tend to be lazy. When I heard "fake identity", I was thinking automation of "grammar fix" OSS contributions on many fake identities, farming activity on projects, and only after the identity met a threshold would an attacker even assess it for reputational value.
1
1
73
@_ruby
ruby nealon
7 months
18/25 While that would prevent tools like binwalk from properly identifying the machine code it contained, they went so far as to make their scrambled backdoor test file have similar artifacts to others. Shown is a diff of the strings between the backdoor and another test file.
Tweet media one
1
2
72
@_ruby
ruby nealon
7 months
20/25 I wondered why risk adding 2 new test files that didn't even get used. The disclosure actually mentioned 5.6.0 and 5.6.1 being vulnerable with different payloads. This is how the original backdoor payloads were added... hiding in plain sight 🥲
Tweet media one
1
4
71
@_ruby
ruby nealon
7 months
17/25 I'll stop with all the 🤔 sorry 🙇‍♀️ Once they decided they were ready to launch their backdoor, they still checked every detail carefully. They injected their code by a mix of an unclear-but-uninteresting build script addition that descrambled the test files in the project.
1
2
71
@_ruby
ruby nealon
7 months
21/25 The repo is currently unavailable, but in an earlier PR I found on web archive they were merging their own changes without review as early as 2023. I unfortunately couldn't get the PRs for the backdoors, but I wonder if that PR had any review at all
Tweet media one
1
4
69
@_ruby
ruby nealon
7 months
13/25 Factoring in the lack of any other online web presence, as of now I would be incredibly surprised to learn this account was not created by the backdoor commit author, most likely with xz as a target to try to infiltrate. Regardless, they have had a very busy past few years!
1
0
65
@_ruby
ruby nealon
7 months
19/25 Last one! When I was skimming the binwalk outputs, I thought I ID'd another backdoor payload when it found an xz-compressed x86 binary with a different name. Turns out this has been there since 2009, with the context explained in the git commit message.
Tweet media one
1
1
65
@_ruby
ruby nealon
7 months
6/25 My thought then was to audit other projects for anomalous contributor behavior - especially ones that may have been an "unclear" dependency. But I was still confident the agg. stats of the backdoor commit author's git contributions would have patterns of automation too.
1
1
66
@_ruby
ruby nealon
7 months
10/25 I'm now so emotionally invested I want to start scripting something. I iterated by auditing a few lower-level library projects, and adding new ideas as they came to me. I was also very eager to (and honestly, way, way too late...) start testing my script in the xz-utils repo!
1
0
64
@_ruby
ruby nealon
7 months
4/25 It still seemed unlikely to fool project maintainers though. Even with newer technologies like ChatGPT, I thought this would need to be done on a scale that would leave some identifiable patterns in activity. Then I started to read the full original disclosure.
1
1
63
@_ruby
ruby nealon
7 months
I disagree with many of the "long-term, planned = state-sponsored attacker" takes on the #xzbackdoor. I once spent a few months becoming a Facebook subcontractor, just to poke around in their internal SRT review tool for bugs. (I explicitly asked their team first if I could try!)
Tweet media one
2
2
54
@_ruby
ruby nealon
6 years
Tweet media one
1
11
37
@_ruby
ruby nealon
6 years
🛫 Moving to Japan. Crazy scared, but crazy excited! ☺️
Tweet media one
8
0
22
@_ruby
ruby nealon
6 years
did you know google analytics actually have an apt division that read your leaked password reset tokens in referrer header and hijack your users accounts
3
5
20
@_ruby
ruby nealon
7 months
It's possible further analysis of the backdoor payload might make attributing it possible. But I don't think creating a new identity, putting in work to build trust/reputation, and infiltrating a smaller OSS project is only something state-sponsored attackers are capable of.
0
0
15
@_ruby
ruby nealon
7 months
i have a new favorite meme template
Tweet media one
@NekoMichiUBC
NekoMichi
7 months
Tweet media one
41
979
9K
0
4
14
@_ruby
ruby nealon
1 year
@DeepinJapanPod the familymart i use asked me to stop after they were receiving DMCAs from our local river
0
1
14
@_ruby
ruby nealon
2 years
@sirdarckcat @samwcyo @Google My AML training tells me this is probably structuring 🤔
2
0
13
@_ruby
ruby nealon
7 months
I was mainly just curious and only found a couple IDORs in the end, but this isn't my only personal story like this. A lot of my researcher friends have many of their own. I wouldn't underestimate what an individual can do, especially if they had political/financial motivations.
1
0
12
@_ruby
ruby nealon
5 years
I talk so much in my sleep, it's basically information disclosure...
0
1
11
@_ruby
ruby nealon
7 months
I wish they made shirts that go this hard for other distros
Tweet media one
0
1
9
@_ruby
ruby nealon
3 years
@InsiderPhD From my last UK trip
Tweet media one
0
0
9
@_ruby
ruby nealon
2 years
I once reported a bug for a large airline where the example requests in the API docs for their frequent flyer program included a valid “super admin” API key in the headers. Authentication for external APIs is really in need of a better (and still user-friendly) approach.
@cz_binance
CZ 🔶 BNB
2 years
Apparently, this exploit happened because the gov developer wrote a tech blog on CSDN and accidentally included the credentials. 1 billion records of private citizens' data. 😭
Tweet media one
621
1K
4K
1
0
9
@_ruby
ruby nealon
3 years
TIL “In the United Kingdom, if a gingerbread man has just two chocolate eyes, it is legally a biscuit (tax exempt). However, if that gingerbread man is also wearing chocolate pants or a shirt, it is now legally taxed at a standard rate of 20%”
0
1
9
@_ruby
ruby nealon
3 years
@zebpalmer Definitely not just their renewal! $20b should also probably cover the true-up for their overages last year 🤣
0
0
9
@_ruby
ruby nealon
8 years
If this wasn't a kid's jacket I would 10/10 cop
Tweet media one
1
0
9
@_ruby
ruby nealon
4 years
I watched Kiki's Delivery Service for the first time since I was a kid (like 8 or 9) over the weekend, and only now realised that its message is about burnout...
2
0
8
@_ruby
ruby nealon
3 years
After nearly 4 years in Japan I have finally witnessed the Phil Collins building with my own eyes.
Tweet media one
1
0
7
@_ruby
ruby nealon
4 years
@jobertabma I escalated the impact of a common misconfig I’ve been finding lately. Tool coming soon hopefully!
Tweet media one
0
0
8
@_ruby
ruby nealon
6 years
trippy sensory art thing in Tokyo~
Tweet media one
Tweet media two
Tweet media three
0
0
8
@_ruby
ruby nealon
5 years
@JetBrains were including valid Apple code-signing and Artifactory credentials in Windows PyCharm builds for a few months, due to their build process dumping env vars into one of the included stub files. Great response from their team - credentials were rotated within hours 1/2
Tweet media one
1
4
7
@_ruby
ruby nealon
1 year
i have like 100% feedback on 160+ transactions on merukari (a Japanese buy/sell app) and i still get anxiety every time i finalize a transaction on it. i think if someone gave me negative feedback i wouldn't be emotionally prepared to handle it.
1
0
7
@_ruby
ruby nealon
7 years
true irony is broken HTTPS on the official website of a bug in OpenSSL
Tweet media one
1
3
7
@_ruby
ruby nealon
7 months
thinking about the fact that there was a point in my life where the majority of my day was writing what should have been an actual server app in varnish configuration language with embedded ruby to get around things like no for loops. i do not miss that.
0
0
5
@_ruby
ruby nealon
3 years
I’m helping @SarinaHyena with her stall this weekend at MCM London, please come say hi! 🐅
Tweet media one
0
1
6
@_ruby
ruby nealon
8 years
In a restaurant in china and I shit you not they have a fucking doge pillow
Tweet media one
0
1
6
@_ruby
ruby nealon
3 years
Okinawa, 5 July 2021
Tweet media one
0
0
6
@_ruby
ruby nealon
4 years
password manager users giving their family their Netflix passwords
0
0
5
@_ruby
ruby nealon
6 years
I didn’t ask for this 😭
Tweet media one
0
0
5
@_ruby
ruby nealon
11 months
my hottest take
Tweet media one
0
0
6
@_ruby
ruby nealon
7 months
setting my slack notification schedule to mon-fri 9-5 Moon/Dark_Side
@JsonBasedman
json
7 months
Software engineers on their knees, crying, throwing up
Tweet media one
325
1K
19K
0
0
6
@_ruby
ruby nealon
6 years
Yakiniku 😍😍😍
Tweet media one
1
0
5
@_ruby
ruby nealon
5 years
@TomNomNom @NahamSec It’s free, but you have to sign an NDA with VeriSign. I recall having to fax something to them as well.
1
0
5
@_ruby
ruby nealon
1 year
i made this in February and never shared it because I figured no one would find it funny except me but after seeing some similarly really specific memes im proud to share Joe Rogan and Ben Shapiro talking about how mongo is web scale
2
0
5
@_ruby
ruby nealon
2 years
@infosec_au @codingo_ @secretlabchairs +1, after visiting @infosec_au the first thing I did when I got back was order the same Leap with the headrest. Best chair ever zero regrets.
0
0
5
@_ruby
ruby nealon
8 months
beautiful traditional South Korean art in Gangnam station
Tweet media one
2
0
5
@_ruby
ruby nealon
7 years
the year is 2047, @nike will only sell shoes in raffles with limited quantities. because of this, shoes are considered a scarce luxury for the upper class. everyone else wears fake yeezys.
0
3
5
@_ruby
ruby nealon
4 years
Searching "<company/product name> 2ch" is the Japanese equivalent of searching "<company/product name> reddit" change my mind
1
0
5
@_ruby
ruby nealon
7 months
healing both literally and figuratively @ Seoul Forest! can’t believe I’ve never been here before
Tweet media one
Tweet media two
Tweet media three
Tweet media four
1
0
5
@_ruby
ruby nealon
3 years
Cat says mice out of reach of cats "least engaged with their jobs"
1
0
5
@_ruby
ruby nealon
4 years
@_wirepair Yes but the building is sharing a 1GB fiber (this is to the IDF), need to see if I can negotiate with the management company about pulling my own cable in :)
0
0
5
@_ruby
ruby nealon
5 months
woke up, got up and got myself out there to the persona live tour!!!!! w/ @KanjiColossus 🫶
Tweet media one
Tweet media two
3
0
5
@_ruby
ruby nealon
6 years
@NathOnSecurity @evanricafort @Bitquark actually many of my Japanese friends thought my primary income was from extortion until I showed them the explanation on bugbountyjp
1
0
4
@_ruby
ruby nealon
3 years
@mondomascots Really? Small world 🤣
0
0
4
@_ruby
ruby nealon
3 years
@zemnmez it’s the takes like this I follow you for
0
1
4
@_ruby
ruby nealon
2 years
@danielshi @patio11 They own/operate the mall and built one of the tower mansion complexes there too (City Tower Ariake Garden). They're trying the same thing at Haneda Airport minus the tower mansion, but with an... onsen? 🤔
Tweet media one
0
0
4
@_ruby
ruby nealon
2 years
@katakana_kurisu @Yetska I actually started writing a blog post a few weeks ago about names in Japan and where a lot of these issues come from - really should finish it 😅
0
0
4
@_ruby
ruby nealon
1 year
@TokyoFashion Kitaya park too in Shibuya! I remember when it used to be an actual park, and now it’s a blue bottle coffee and a rotation of food trucks :/
0
0
0
@_ruby
ruby nealon
1 year
@blastbots and @samwcyo going particularllllllly hard for my heart will go on 🙉
Tweet media one
1
0
4
@_ruby
ruby nealon
1 year
ruby @ rubykaigi !
Tweet media one
0
0
2
@_ruby
ruby nealon
3 years
@zemnmez Which up?
0
0
3
@_ruby
ruby nealon
2 years
@patio11 Please consider swapping APA Hotel out for another comparable hotel chain (JR Mets, Toyoko Inn, Dormy Inn etc). Their president has written a revisionist history book denying the Nanking Massacre and leaves copies of it in their rooms
0
0
3
@_ruby
ruby nealon
1 year
Tweet media one
0
0
3