# Linux Weekly 7: Security, Security, Security...

## Metadata

- **Channel:** Level1Linux
- **YouTube:** https://www.youtube.com/watch?v=7ySErnrYvGs
- **Date:** 01.05.2026
- **Duration:** 29:31
- **Views:** 30,688
- **Source:** https://ekstraktznaniy.ru/video/49759

## Description

It's been a heck of a week for Wendell, and maybe for you too. 

0:00 Intro
1:08 Security Updates
17:45 Project Updates

Links to Articles here: 
https://ringmast4r.substack.com/p/we-may-be-living-through-the-most

https://copy.fail/

https://www.rapid7.com/blog/post/etr-cve-2026-41940-cpanel-whm-authentication-bypass/

https://thehackernews.com/2026/04/cisa-adds-actively-exploited.html

https://www.rescana.com/post/fast16-malware-pre-stuxnet-cyber-sabotage-targeting-ls-dyna-pkpm-and-mohid-engineering-software-uncovered/

**********************************
Thanks for watching our videos! If you want more, check us out online at the following places:
+ Website: http://level1techs.com/
+ Forums: http://forum.level1techs.com/
+ Store: http://store.level1techs.com/
+ Patreon: https://www.patreon.com/level1
+ L1 Twitter: https://twitter.com/level1techs
+ Wendell Twitter: https://twitter.com/tekwendell

*IMPORTANT* Any email lacking “level1techs.com” should be ignored and immediately reporte

## Transcript

### Intro [0:00]

It's been one of those weeks for like a month. This week's theme is basically security and projects. I'll update you on some projects, but mostly it's about security, but it's going to be a little different. But also, if you've got a home lab, you should update, uh, yesterday, all of your stuff. In fact, you maybe should unplug it, take it offline for a while, because, oh boy, it's dark out there and we may die. Now, you may be noticing, this is actually Falcon Northwest's Falcon Fuel coffee. I've got a 9950X3D2 and it's from Falcon Northwest and we're doing a review, but I'm also going to give it away. So stay tuned for that on the main channel. Look for that. There's a couple of gotchas there, but the mission to acquire more 9950X3D2 CPUs for testing was successful. I'm getting ahead of myself though. This is more project talk. Let's talk security. This older

### Security Updates [1:08]

article, look, this is from April 12th. I'm behind the times. "We may be living through the most consequential 100 days in cyber history. Almost nobody has noticed." Oh, this is just the beginning. It is about to get much worse. In fact, it has gotten much worse. This details all of this stuff. It's like the first four months of 2026 have produced a sequence of cyber incidents that, if any one of them had landed in 2014 or 2017, would have dominated the news cycle for a week. I'm still talking about the OPM hack from a long time ago. And all of these things are kind of related, but I have to lay this out there because not a lot of people pick up on this and how incredibly important it is and how compromised our machines already are in ways that you might not realize. But let me come back to that. Copy Fail. This is the one. A 200- or 732-byte Python script roots every Linux distribution shipped since 2017. Doesn't have to be Python. Some people have done other code not in Python. This is real. This is legit bananas. If it could be a 10.1 or a 10.5 on the severity scale, it should be a 10.5. This has also caught a lot of distros flat-footed, meaning that there aren't patches, or your only option is to reboot and update your kernel. But some distros don't even have an updated kernel, or at least they didn't have an updated kernel. So it has been a mad dash since Wednesday of this week to try to deal with that. And to give you an idea of how insanely bad this is: if you're using WordPress (I always pick on WordPress) and somebody had access to your WordPress, they can run things as a PHP script on your web hosting, and Python is usually available on basically all web hosting. Well, from this relatively innocent "oops, I've got a bad plugin" in Python, they can root the entire box. Very bad. Very extra mega bad. There are some mitigations with SELinux, and it's not perfectly universal, but it is substantially universal. 
This is a four-alarm fire. It's also a problem in the cryptographic routines. One of the cryptographic routines; there's some, like, you can disable it. It's not going to affect LUKS or IPsec, but it may affect OpenSSL with the AF_ALG algorithm enabled and this kind of thing. I want you, in the back of your mind, any time you see this kind of thing: this has endured since 2017. It's been there a long time. Very subtle bug. Crypto algorithms are a great place to hide deliberately added weaknesses. And you might think, who would do that? There is a lot, a preponderance of evidence suggests that an intelligence service has been caught with their hand in the cookie jar to do with dual elliptic curve encryption, which was the root cause, IMHO, of the OPM hack so many years ago. You see, there are a lot of intelligence services out there. Ours, but also not ours. And also really not ours. And then, like, frenemies' not ours. So there's a lot of players in this game. There's a lot of really smart people. Everybody goes cross-eyed when you look at crypto code. It takes a certain kind of mind that has been trained for a certain amount of time to really get it, and so this is the perfect place for an intelligence service to introduce this kind of a weakness, and it would go undetected for a very long time. We almost had this level of a severity issue introduced with SSH, you know, that was only a couple of years ago. So this kind of issue can be a subtle issue, but then this is great for an intelligence service because they can escalate their access. They can remain undetected if your motive is not to deploy ransomware or just wreck everything. This kind of an exploit is fantastic because you can lurk and be undetected for a very long time, especially if you've been able to compromise the networking gear a little bit through other means, or even out-of-band access. Compromise out-of-band access through other means. 
This is fantastic. But it's very bad for you and me. Also, cPanel and WHM. cPanel is the most expensive, and they keep just ratcheting the price up. cPanel is hosting software where, if you want to take a server and slice it up reasonably into 100 slices and have all of the bookkeeping and accounting stuff handled for you in a nice GUI, you can just turnkey give somebody a little slice of that and still have reasonable security. cPanel does a lot of stuff. It gives you a lot of options for jailing the file system and running quotas and making sure that one compromised WordPress host doesn't chew up all the CPU on the whole box. cPanel is genuinely useful software that has a long and storied history, and it's trash. I'm sorry. For the money that they charge, it is astonishingly disappointing. The CVE is very bad. It's remote root. It's unauthenticated remote root. It is trivially exploitable. So if you have a cPanel server and you haven't patched, chances are it's been compromised. Even if you have patched, it is probably no longer supportable, or, like, I don't have any confidence that their stuff works. They have a script on their website for indicators of compromise. But for the session files that a patched version of cPanel writes, the indicators-of-compromise thing will tell you that you have been compromised when you have not. The session file exists, but that's just because the cPanel service is running and something connected to it. It is not actually an indication that cPanel was successfully compromised. It's just that someone was trying to run the successful exploit against you. The actual way to check if your cPanel is secure is to actually run the exploit against it, for which there is a GitHub repository, and you can just go run it and see if your cPanel is affected, but you can also just turn off the cPanel services. 
Their article is also really annoying because it tells you that you need to clear the sessions. It doesn't tell you how to clear the sessions if you didn't already know, which is, you know, like everybody knows, but not really. That is a poorly written article. The other thing with that is that it doesn't tell you... It tells you how to stop the cPanel services in case you can't patch right now, but that is a temporary solution, because there's another cPanel service that will auto-restart services that are stopped. And it doesn't mention that or tell you how to deal with that. And so this has been extremely badly handled by cPanel, in my opinion. And it is probably because, you know, they had reports of it happening as early as February 23rd, 2026, prior to the vulnerability's public disclosure, and watchTowr is the one that has published a technical analysis and a proof-of-concept exploit. So check out watchTowr's GitHub link, and yeah, February 23rd, 2026 again is a giant "vote with your wallet." cPanel is dead to me, because for the amount of money that they are generating, they should have the best of the best security team running this, and they don't. I know why, and we'll talk about that in a second. But there is also "CISA adds actively exploited ConnectWise and Windows flaws to KEV." So there is an 8.4 path traversal vulnerability in ConnectWise. A lot of people use ConnectWise. A protection mechanism failure in Windows Shell that could allow an unauthorized attacker to perform spoofing over a network. Yeah, all this stuff is fixed in April 2026. So Microsoft is also having a bad time. There is also a critical authentication bypass vulnerability that multiple threat actors have used earlier this month, that I think is mentioned in the other one, but it's also part of the Storm-1175 attacks deploying ransomware. This is just Carrington-event-level security problems. 
And because I mentioned the OPM hack, there's also this article about FAST16 malware. This one's 16 years old. You don't have to worry about this one. But this is malware. The headline is "pre-Stuxnet cyber sabotage targeting LS-DYNA, PKPM and MOHID engineering software." So this is more like the first scenario that I mentioned, where it's an intelligence service's dream to have this kind of a thing and this kind of access. And so this was malware that was designed to sabotage your nuclear calculations, like if you're running certain pieces of software to do nuclear simulation, or physics and chemistry simulation, that compiled with the Intel C or C++ compiler. This is designed to introduce very small, subtle errors in your floating-point calculations, and it went undetected for like 15 or 16 years. If you're not familiar with what Stuxnet is, Stuxnet was malware that got loaded onto the physical enrichment, like cyclotrons, or the equipment that Iran was using to enrich nuclear material. And the output of the sensors, what the machinery was sending to the control system as if it was reading its sensors, was wildly different than reality, which resulted in a catastrophic setback. So it's like, woo, Iran. But we should all be scared about this kind of thing, because the faulty brittleness that was used there could be used by other folks that are clever, and your technology can be co-opted against you in ways that you don't understand and in very subtle ways. And so that is what happened with this as well. And some of this may stem from innocent bugs, but then you introduce deliberate weaknesses. And this one is not really all that stealthy. Somebody had actually uploaded this to VirusTotal a million years ago, and VirusTotal didn't, like, "what is this? What sort of malware is this?" 
It's like, the security implications of FAST16 are profoundly far-reaching. The malware's ability to propagate across networks and infect multiple systems means that even redundant verification of calculations can be compromised. Its stealth and specificity allowed it to remain undetected for years, as evidenced by its near-zero detection rate on VirusTotal even a decade after being uploaded. Yeah. Yeah. AI doomers are doing a victory lap right now because a lot of this stems from AI tools finding vulnerabilities in software and bad people weaponizing the things that have been found more quickly than human beings can keep up. Now you come back to cPanel. cPanel has a really amazing profit margin. It's incredible. It's incredible how much they've raised the prices over the last couple of years. And because they're a dominant player in the market, the margins are good and the volume is good. They can afford to hire security people at the bleeding edge using the tool to do anything. I'm sure that if they called Anthropic and said, "Hey, can we get access to Mythos to help us?" Anthropic totally would help them do that. If you say that we must not build AI, period, to do this, I have some bad news for you. Because remember the other intelligence service and the frenemy intelligence service? They're gonna do it. And so it's like, ah, we should stick to bows and arrows because the flint musket is too powerful and it changes the balance of power. It's like, yeah, I don't know. I'm kind of with Teddy Roosevelt on this one. Walk softly and carry a big stick. We all kind of need big sticks for this. And I'm sure that some of you will try to form a coherent argument about, you know, why AI should not... this is the worst of AI. The reality is that the number of software bugs here is finite. 
And building, IMHO, building an adversarial AI, like building a small AI for millions or tens of millions of dollars, as opposed to the billions of dollars that are probably being spent by intelligence services to look for these weaknesses and counteract them, is within the realm of possibility. Reasonable people, that's probably going to be you and me (this is it, it has to be this way), are going to build the tooling to find these kinds of things. There are not an infinite number of software bugs. You know what is infinite? Human stupidity. These tools finding these bugs quickly: it is going to be a dark period. I hope the dark period doesn't send us back to the stone age. It probably won't. By preponderance of evidence, it almost certainly won't. But these tools will help us find these bugs and harden against these kinds of things. Copy Fail. The page is sort of doom and gloom, but, you know, we lucked out with layers of hardening in some scenarios, like with SELinux. It was not... SELinux did not... I mean, the mitigations, including SELinux, were not comprehensive and not perfect, but not bad. I was also kind of surprised with the kernel live patching thing. I was doing some experiments with kernel live patching and something went wrong, and I ended up getting a kernel oops trying to do a live patch. So I was probably just moving at the speed of light and breaking things. I'm really not sure. And so if you look at the OPM hack thing, the dual elliptic curve encryption weakness, in the context of having a tool that can help you lint your implementation of the cryptography, in the same way that code linting is like "you must follow these spacing rules and these padding rules" and this kind of thing, 
a linter to help you build tests, meaningful tests, and run tests and say, "Hey, you've literally implemented the reference implementation of dual elliptic curve without coming up with your own random numbers. We should not do that," is possible when you have an agent helping you do that. It's not that you turn your brain off and let the AI do things. Oh lord, no, that is going to end catastrophically. There are going to be things happening where companies are doing that, where it's like, oh look, one person can do the work of 10 developers. Those companies are not long for this world. AI needs people. When you have one person trying to do that much work, it is too much cognitive load for one person, first; second, because they will end up deferring the cognition to the AI and it's going to produce very bad output. But if you treat it like a helper that can go do all the unfun things, like building the unit tests to try to find these kinds of things and lint over your code to eliminate these issues, it is very good at that, as evidenced by folks using tools that are available to them, up to, not necessarily including, Mythos, to find all of these vulnerabilities. Responsible disclosure would be nice if it were a little better. You know, the Linux kernel is shedding drivers for old hardware and this kind of thing to try to shore up some of the security, but this is also why it is critically imperative that you patch all of your stuff, and I would also highly recommend taking your stuff off of the internet, if you can directly access it over the internet, and instead switch to something like Tailscale or a zero-trust reverse proxy. I think we're

### Project Updates [17:45]

almost to a point... this is, we're transitioning now into projects. I think we're almost to a point where I can actually do a web-based zero-trust proxy. So I think it's called Pomerium; that is a reasonable implementation of what I have in mind, but I've always wanted to build a web landing page that is a very low surface area for attack. And you land at the web page and you log in, and then you have access to resources behind the web page. Enterprises have been doing this for a long time. Cisco has some stuff for this. Cisco has some patents on stuff for this. Juniper has some stuff also. So, Juniper fell into the aforementioned AI trap, just going to throw that out there. And so that's existed in the enterprise for a long time. What I want to do is have the proxy forward authentication to services. So, like, the F5 load balancer can do this. There's a lot of stuff that can do this. You have forward-auth type stuff in the enterprise where the gateway does the authentication and then it can pass an authentication token to things like Jellyfin or Plex. Well, Plex is probably never going to support this, but we can hack it into Jellyfin. That's no problem. Or Nextcloud or anything else. So you land on the low-attack-surface-area secure web page, and then over HTTPS/TLS you can access internal services. I was tempted to try to build something like this because we've got all the pieces now, all the browser support, to be able to do that. And then once you've got a session, you've got a secure tunnel to all of your services. So it's like Tailscale, but you don't even need the Tailscale client, and it's not really truly naked on the internet. You can have the little service that's naked on the internet, but you could host that on a $5-a-month Linode plan, or your local connection if you have an IP address, or anything really. 
So there's a thread on the forum that is asking what your ideal setup is, what you're running for home lab, what you've tripped over, and that sort of thing. The other thing that I'm working on is, Jake, remember Jake's on his own. Jake just bought a farm. We are doing a buddy backup series with Jake. And this is really cool, because we are both going to store encrypted data sets for the other, but the data set is encrypted in transmission and at rest. His system does not have my decryption key. Mine does not have his decryption key. It's the magic of ZFS, with a cameo of Allan Jude from Klara Systems, because Klara are the ones that are, Klara and the folks on GitHub for ZFS are the ones doing the work to make this happen. There's a feature of ZFS called zoned. You can create a zoned volume. I think volume is the right terminology there. And this has been around for a while, but not all of the plumbing pieces were there to do it. There are still a couple of minor plumbing pieces to do. You know, if you walk into engineering, Scotty's got a coiled cable running from the warp core over to a console, and it's just laying on the floor, and it's like, guys, isn't this a trip hazard? They just haven't put the conduit in the floor yet. But it is achievable, and it is achievable running a TrueNAS VM on Proxmox. That's what I'm doing on my end, but zoned storage is actually the better option. So our how-to is going to have option A, nested ZFS storage, which is dumb and you shouldn't do that, but that's what we did in the video. And then option B is zoned, but the software plumbing is not quite there. So we're going to have that hose draped across the engineering room floor. And Tailscale is going to be the networking component of that, but it doesn't have to be the component of that. You can do all sorts of other stuff with that, and that's totally fine. 
The other project update, as I might have mentioned: 9950X3D2, that's my system here. I'm looking for performance anomalies, and I'm also looking for motherboards that have murdered... I've already put the motherboard that I have that has murdered a CPU, it is now hosting a 9950X3D2. So we'll go and see what happens there. From that project, it turns out that AMD may have surreptitiously limited the speed at which ECC memory will run on 9000 series CPUs. I have a separate video coming out on that. It's going to be on the main channel. You should check that out. But we may need to make some noise in order to ask for an option to turn that off, because, I get why: there was a Rowhammer attack that allows you to flip bits inside of SK hynix memory, and that happens less when the memory runs at lower speed. Now, I don't know that that's why they limited it to 5200. That's just a guess. But the problem is that the same sort of AI tooling that will figure out this stuff will also figure out the hashing algorithm for the memory, so that things like Rowhammer are more possible, because there's hardware mitigations for a Rowhammer-style attack that depend on you not knowing exactly how the memory stores things. LaurieWired did a great video on this, and you should check that out; it explains all of that in detail if you want to see that. Oh, and actually, while I mention that, if you look at some of our really old videos, a long time ago I said, "Man, I really wish I could do a video that does justice to this paper that one of the old Unix C guys wrote called Reflections on Trusting Trust." She did the video on that not long ago, well, a little ways ago, and it is incredible. You should check that out because it ties in with the whole OPM dual elliptic curve thing. It's like, how do you trust the output of the compiler? 
But watch that, expand your thinking, and then step back into the larger forest of all of the other stuff that's going on with that and tooling and that sort of stuff. Remember when we took a look at the Hygon CPUs? You know, AMD shared the Zen 1 designs with Hygon, and then Hygon took Zen 1 and modified it, and then it was a lot of fun to side-by-side Zen 1 with the Hygon CPUs, because the Hygon CPUs completely gutted and replaced the random number generator and a lot of the math functions in their version of Zen 1. And so it was AMD's Zen 1 CPU for x86, but all of the math stuff was completely redone. And if you look at that with a lens, then it's like, oh yeah, their intelligence service knows. It's like, do we know that they know? I don't know. I don't know if we know that they know. But it was clear that it's like, oh, if we're going to trust and run these CPUs with state secrets, we've got to be really careful with our floating-point numbers and random number generation and blah blah. And the OPM hack was definitely hand in the cookie jar, like, we know, we're letting you know that we know what you have done with this dual elliptic curve encryption and Cisco and everything else, and a lot of innocent people were harmed in the crossfire. Reflections on Trusting Trust: her video explains that very well, and she did a really good job, and it's amazing. See, I'm a lowly computer janitor. I'm out here, like, you'd be surprised at the scale of janitoring that I'm up to. I don't really... it's like, oh, you get all kinds of free hardware. I don't really... the enterprise hardware is fun. A lot of the time it's in the data center. I can't lay hands on it, but, one, it's a lot of work. Two, I do it because I genuinely enjoy it and like it and have lots of, you know, fun stuff, but behind closed doors I have to do all this. It's all the same stuff anyway. 
It's just usually they're not super comfortable with cameras there. A time or two I've gotten to bridge the gap in terms of, like, look at this cool giant enterprise project, or look at this giant, you know, whatever. But most of the time... and so I'm doing janitorial-level stuff, and she's doing actual, real, honest-to-god computer science, which is genuinely impressive. So you should go check out those things and see how those go for you, for various projects. But our 9950X3D2 stuff with the ECC thing was also a little bit of a surprise, and I get why AMD is doing it if it's to do with Rowhammer and data integrity, but give us an option to turn it off, because we've been running 5600 ECC without any issues in the lab here since time immemorial, and I'm only just now starting to test that on the 9950X3D2, and like, including corrected, like, you know, getting a couple of correcteds a month is completely reasonable, IMHO. I think on the test system we've only ever had two uncorrecteds, and that system dates back to the 7000 series CPUs, which is pretty good for a system that has 96 GB of memory. That's reasonable. That's a reasonable amount of uncorrected ECC errors in that amount of time at 5600 on a mere eight-layer PCB. So yeah, that should be fine. Let's see, what else. This weekend project we did the ECC bifurcation video, where you can add a PCIe controller and get more PCIe lanes. I'm hopeful for, you know, Zen 6 that we'll have more PCIe lanes, or at least faster, like maybe we'll get PCIe Gen 6 on Zen 6, and then maybe those PCIe Gen 6 lanes can break out into more, slower PCIe Gen 5 lanes. See, this is a missed opportunity, I think, with PCIe Gen 5 through the chipset. Connect the CPU to the chipset PCIe Gen 5 and then double the lanes PCIe Gen 4. But there's no bandwidth contention. Four lanes of Gen 5 into the chipset. Boom. Give me eight lanes of Gen 4. 
That makes sense to me, especially if you were talking about using AM5 as a server-ish board, like a small file server or something like that. You need PCIe lanes to connect, you know, an external disk shelf controller, fast networking, or whatever. And an AM5 network where it's just taking data off of a spinning rust hard drive and shoving it onto a 25 GB network adapter, an AM5 CPU is perfectly reasonable for that. But it's a little bit tricky to do that with only about 24 lanes exposed on most motherboards. And most motherboards don't really give you a lot of slots either. AMD, there was the Asus X570 Pro, I think, which is x8/x8. That was almost the best server motherboard for the AM4 generation. I'm still running a 5950X on that board as a server, as a backup server, to just host a bunch of hard drives and connect to the network, and it can do 2 and 12 gigabytes a second. So yay, projects. Well, I think that's about enough rambling for this one. In case you can't tell, I basically slept at the office this week, helping jockey the level of janitoring that was required because of this. Please don't make it worse. Nervous laughter. It's literally the Ralph meme. I'm in danger. All right, thanks for hanging out. Thanks for listening to me ramble. And, you know, if you have any questions, engage in the forum. Let's talk. I missed some questions this week because the security stuff was just absolutely overwhelming. But I think when we get to the other side of this, sneaking in this kind of chicanery, especially if we don't trust the cloud models to overlook this kind of chicanery, because I'm sure that somebody somewhere is trying to figure out how to convince a model to ignore certain kinds of bugs. I'm hopeful for the future as long as folks that know what they're doing are fully motivated to use the tools to close these holes. And I am seeing a lot of that behind the scenes from security researchers and smart people. 
And it's very encouraging to see. Security researchers are usually super paranoid, like the ones that are close to the heartbeat of this kind of stuff. They're employed in such a way that it's hard to get them to come on a video. Anyway, I'm one of those. Level One Linux. Participate in the forum, ask questions, whatever. I'm signing out and I'll see you there.
