Oddbean new post about | logout
CurrencyofDistrust | 26 days ago (raw) | root | parent | reply | flag +1 
 Easy. Rubber Ducky. Wouldn’t necessarily meet the no logs requirement, but there’s a lot you can do to obscure the commands you run. Plus, almost no one has the skill required to go through logs and craft together what actually happened. 

https://shop.hak5.org/products/usb-rubber-ducky
TheGuySwann | 26 days ago (raw) | root | parent | reply | flag +2 
 In this case there are explicitly zero logs whatever for the time in which this would’ve occurred.
CurrencyofDistrust | 26 days ago (raw) | root | parent | reply | flag 
 I don’t see how that’s possible tbh. At some level SOME log has to exist for activities performed.
crypt0cranium | 26 days ago (raw) | root | parent | reply | flag 
 Does a MacOS filesystem log reads (mounted read only) if not natively booted? And does Mac BIOS setting for USB boot or an encrypted filesystem/storage remain an obstacle to a viable attack vector?  

I'm not a hacker or a Mac user since long ago. I'm an defender of opsec for self and those who value it.
CurrencyofDistrust | 26 days ago (raw) | root | parent | reply | flag +1 
 I think by default the filesystem is encrypted, so you wouldn’t be able to read if you booted from another drive. There are times where there are vulnerabilities in firmware that allow this sort of thing though.
CurrencyofDistrust | 26 days ago (raw) | root | parent | reply | flag 
 If you’re talking about a specific thing that’s happened, what likely happened is the attacker just deleted the logs of their activities.
TheGuySwann | 26 days ago (raw) | root | parent | reply | flag +1 
 How would they get root access to delete the logs? They wouldn’t be able to without it right?

The real question is about whether someone got into the computer at all, or if it wasn’t even touched. Because during the time span the logging has no records.

So either it was a sophisticated actor with merging I’m not aware of, or they could get root access. But then the question is how they could get root access to delete logs, and then also are there separate logs for deleting things from the file system? 🤔
CurrencyofDistrust | 26 days ago (raw) | root | parent | reply | flag 
 So ya I’d say that if there are ZERO logs of any kind at the exact time of attack, that’s definitely suspicious. MacOS is extremely verbose, so I can’t see that happening. 

As far as getting root, it’s possible they found a privilege escalation vulnerability. It’s not terribly uncommon, especially if you’ve heavily customized things or write a lot of code, which could inevitably give someone a way to root. 

As far as logs for deleting logs, it’s definitely possible but I’m not familiar enough with their logging structure to say off hand. 

Sucks dude, hope you figure out what happened. One thing you can do is hire a forensics firm, but that’s big money.
TheGuySwann | 26 days ago (raw) | root | parent | reply | flag 
 I tested it for 10 minutes while asleep just in this train ride. Zero logs whatever. It appears to be shockingly asleep when it is in fact asleep.

When I plug **anything** into any port however, for even the slightest amount of time, there are hundreds of logs.
CurrencyofDistrust | 26 days ago (raw) | root | parent | reply | flag +1 
 Hmm… this kinda makes me think you’re safe then tbh. Does it create those logs if you plug in while it’s asleep?