

No one reads hex as strings IRL.


Not necessarily. Turn this around. Let’s say I am working somewhere like a chip foundry with tons of IP. I have no access to encryption tools, but I can easily shift characters to a hex range in bash and send emails.
These characters can use the control glyph, and so do not print or show up in any physical way except in hex.
This technique must be obfuscated at every serious organization from governments to industry.


I need to block a known threat actor already present on a system. Call it an exercise. I am interested in exploring and understanding it. This text obfuscation is a technique I discovered being used. This is a stage 3 threat model type of situation where every possible vector is in play.
This is not the theoretical, rtfm or read and trust the source situation.


It does not. It can be rendered as a control character.


It is non printing. It cannot be seen or scanned or highlighted. It looks like nothing, except the file size is large with more hex than should be in the binary.
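
The comments above turn on characters that render as nothing at all. They can still be found mechanically, by Unicode general category rather than by eye. The script below is an added example written for this thread, not code from any poster: it flags C0/C1 control codes (category Cc), format characters such as zero-width spaces (Cf) and a short list of invisible spacing characters, exempts ordinary whitespace so normal mail bodies stay quiet, and reports how much of a message is invisible (the "bigger than it should be" signal). The sample message is constructed.

```python
"""Find characters that render as nothing: ASCII control codes and Unicode
format/invisible characters, which is where shifted 'hex range' text would sit.

Added example for this thread; not any poster's code. The SAMPLE message is
constructed. Detection is by Unicode general category (Cc control, Cf format)
plus a few invisible spacing characters of category Zs.
"""
import sys
import unicodedata

# Ordinary whitespace that every legitimate message contains; not flagged.
ALLOWED = {"\t", "\n", "\r", " "}

# Invisible characters whose category is Zs (space), not Cc/Cf, but which
# still show up as nothing on screen.
EXTRA_INVISIBLE = {"\u00a0", "\u2003", "\u3000"}

# Constructed sample: a normal sentence with a hidden run of control codes
# and a zero-width space spliced into it.
SAMPLE = "Quarterly numbers attached.\x01\x02\x1f\x7f\u200b Thanks,\nJ"


def hidden_chars(text):
    """Return (offset, 'U+XXXX', category, name) for each hidden character."""
    hits = []
    for offset, ch in enumerate(text):
        if ch in ALLOWED:
            continue
        cat = unicodedata.category(ch)
        if cat in ("Cc", "Cf") or ch in EXTRA_INVISIBLE:
            name = unicodedata.name(ch, "<no name>")  # C0/C1 controls have no name
            hits.append((offset, f"U+{ord(ch):04X}", cat, name))
    return hits


def strip_hidden(text):
    """The message as a reader sees it, with the hidden characters removed."""
    hidden = {h[0] for h in hidden_chars(text)}
    return "".join(ch for i, ch in enumerate(text) if i not in hidden)


def hidden_fraction(text):
    """Share of the message that is invisible. A mail or file that is much
    larger than its visible text explains is the size anomaly noted above."""
    return len(hidden_chars(text)) / len(text) if text else 0.0


def report(text, label="message"):
    """Print one line per hidden character plus a summary."""
    hits = hidden_chars(text)
    for offset, cp, cat, name in hits:
        print(f"{label}: offset {offset:>6} {cp:<8} {cat} {name}")
    print(f"{label}: {len(hits)} hidden of {len(text)} characters "
          f"({hidden_fraction(text):.1%})")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                report(fh.read(), path)
    else:
        report(SAMPLE)
        print("visible text:", repr(strip_hidden(SAMPLE)))
```

Run it with file names to scan saved mail bodies or source files; with no arguments it scans the constructed sample. Anything it flags outside tabs, newlines and spaces deserves a look in a hex dump.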


Removed by mod


Awesome. Now how would you strace/ptrace the active process correlated with the return packet?
This is way past my pay grade in the territory of edge-of-abstract understanding.
See one of my problems is that the malicious software is running across Python, JavaScript, and a ton of dubious packages scattered throughout the machine. It is all interconnected and using unconventional operations. Right now I am just removing a package one at a time and seeing what breaks. I will likely miss how things are interconnected. I am not at all familiar with this type of thing, and learning as I go. The system used unshare, manually created no-label packets with all records obfuscated, used a hidden daemon function in systemd, and no-account to operate outside of namespaces.
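
Getting from a packet seen on the wire to a process you can attach strace to is a two-step lookup on Linux: /proc/net/tcp lists every socket with its local and remote address and a socket inode, and /proc/<pid>/fd tells you which process holds that inode (this is what `ss -p` does). The code below is an added example for this thread, not any poster's code. The /proc/net/tcp excerpt it parses offline is constructed; the live lookup is Linux only, needs permission to read other users' /proc/<pid>/fd (root in practice), and the address decoding assumes a little-endian host, where the kernel prints IPv4 addresses byte-swapped.

```python
"""Map a local TCP port from a packet capture to the process that owns the
socket, so that process can be attached with strace -p <pid>.

Added example for this thread, not any poster's code. SAMPLE_TABLE is a
constructed /proc/net/tcp excerpt. Live lookup is Linux only and needs
permission to read other processes' /proc/<pid>/fd entries.
"""
import os
import socket
import struct
import sys

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}

# Constructed excerpt: a listener on 127.0.0.1:8080 and an established
# connection from 10.0.2.15:50612 to 93.184.216.34:443.
SAMPLE_TABLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:C5B4 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""


def _decode_addr(field):
    """'0100007F:1F90' -> ('127.0.0.1', 8080). The kernel prints each 32-bit
    word of the address in host byte order, so on little-endian machines the
    bytes are reversed (use '>I' on a big-endian host)."""
    hex_ip, hex_port = field.split(":")
    if len(hex_ip) == 8:
        ip = socket.inet_ntop(socket.AF_INET, struct.pack("<I", int(hex_ip, 16)))
    else:  # IPv6: four 32-bit words, each byte-swapped
        packed = b"".join(struct.pack("<I", int(hex_ip[i:i + 8], 16))
                          for i in range(0, len(hex_ip), 8))
        ip = socket.inet_ntop(socket.AF_INET6, packed)
    return ip, int(hex_port, 16)


def parse_proc_net_tcp(table):
    """Parse the text of /proc/net/tcp (or tcp6) into a list of dicts."""
    rows = []
    for line in table.splitlines()[1:]:  # skip the header line
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": _decode_addr(f[1]), "remote": _decode_addr(f[2]),
                     "state": TCP_STATES.get(f[3], f[3]),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows


def inode_for_port(rows, local_port, remote=None):
    """Socket inode of the connection whose local port (and optionally
    remote (ip, port)) matches the packet being investigated."""
    for r in rows:
        if r["local"][1] == local_port and (remote is None or r["remote"] == remote):
            return r["inode"]
    return None


def pid_for_inode(inode):
    """Walk /proc/<pid>/fd looking for a link to 'socket:[<inode>]'."""
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:  # process exited, or no permission to read its fds
            continue
    return None


def pid_for_local_port(local_port):
    """Live lookup on this machine: read the kernel tables, then resolve."""
    rows = []
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                rows += parse_proc_net_tcp(fh.read())
        except OSError:
            pass
    inode = inode_for_port(rows, local_port)
    return pid_for_inode(inode) if inode else None


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 50612
    pid = pid_for_local_port(port)
    print(f"local port {port}: pid {pid}" if pid else f"local port {port}: no owner found")
    print("next step: strace -f -p <pid> -e trace=network,process")
```

Run it as root with the local port from the capture; once it prints a PID, `strace -f -p <pid> -e trace=network,process` shows the syscalls behind the next packet and any children it spawns. A port with no owner in any /proc/<pid>/fd is itself a finding: the socket belongs to something in another namespace or was closed between the capture and the lookup.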


Yeah, I could do it. The question is how to redirect a web address to do something useful locally. Like maybe set up an Apache server or something to capture and log any such attempts regardless of how the address is called.


I’m in the process of dismantling software I will never trust or update again and coming across all kinds of sketchy stuff. There is this Python program called Sentry_SDK that is very concerning. Along with several others. It appears to be packaged with most offline AI stuff and is some of the most authoritarian nonsense I have seen. I have air-gapped the computer and do not have a package installed like prettier to maybe make the JavaScript readable, and it is enormous. There are many pages that are in the 10k lines plus range.
I already found a place in the back end that is trying to send packets with major obfuscation. The process is preloaded as listening, with every measure taken to prevent discovery of its origin. So that is fun too. I will likely reformat and start over after I have had my fun and saved what I wish to save.


Assuming it is a quoted string for simplicity.
..."http://foo.bar/"...
$ sed -i 's/\/.*\"/injection/g'
That is flawed in practicality, but gets the point across and will result in http:injection. It would take more convoluted escapes to replace the ‘//’.
I was thinking there has to be a way to use the address like a printf-like situation. However someone tries to use an address, it just hits a local trip wire. Pass that to anything you don’t want to connect on the internet. It is super lazy and hacky, but I don’t really care. I use an external firewall device with DNS whitelist, so I block everything anyways. Flagging stuff just makes it easy to say something to others that might benefit.
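
A more reliable form of the sed idea above: rewrite every URL in a file so it points at a loopback address, carrying the original URL as a query parameter, and run a small listener on that address that logs whatever calls it. Then the log shows both that something tried to phone out and which address it wanted. The script below is an added example for this thread, not the poster's own code. The JavaScript snippet it rewrites is constructed, and the listener port 8765 and the path /tripwire are arbitrary choices; URLs that already point at the machine itself are left alone.

```python
"""Rewrite URLs in source files to a local trip wire and log whatever hits it.

Added example for this thread, not any poster's code. TRIPWIRE (port and path)
is an arbitrary choice and SAMPLE_JS is constructed.
"""
import re
import sys
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

TRIPWIRE = "http://127.0.0.1:8765/tripwire"   # assumed local listener
# A URL runs from the scheme to the first whitespace, quote or bracket.
URL_RE = re.compile(r"\b(?:https?|wss?|ftp)://[^\s'\"`<>()\[\]{},]+")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed snippet of the kind of client code being dismantled.
SAMPLE_JS = """fetch("https://telemetry.example.invalid/v1/events", {method: "POST"});
const ws = new WebSocket('wss://telemetry.example.invalid/stream');
const local = "http://127.0.0.1:9000/healthz";
"""


def rewrite_urls(text, tripwire=TRIPWIRE):
    """Replace every outbound URL with the trip wire plus the original as
    a percent-encoded 'orig' parameter, so the log names the real target."""
    def swap(match):
        url = match.group(0)
        host = urllib.parse.urlsplit(url).hostname or ""
        if host in LOOPBACK:   # leave the machine's own services alone
            return url
        return f"{tripwire}?orig={urllib.parse.quote(url, safe='')}"
    return URL_RE.sub(swap, text)


def original_url(request_path):
    """Recover the original target from a request path hitting the trip wire."""
    query = urllib.parse.urlsplit(request_path).query
    return urllib.parse.parse_qs(query).get("orig", ["<none>"])[0]


class TripwireHandler(BaseHTTPRequestHandler):
    """Logs every request and answers 404 so the caller fails fast."""

    def _hit(self):
        print(f"TRIPWIRE from={self.client_address[0]} method={self.command} "
              f"orig={original_url(self.path)} ua={self.headers.get('User-Agent')}",
              flush=True)
        self.send_response(404)
        self.end_headers()

    do_GET = do_POST = do_PUT = do_HEAD = _hit

    def log_message(self, fmt, *args):   # silence the default access log
        pass


def serve(port=8765):
    HTTPServer(("127.0.0.1", port), TripwireHandler).serve_forever()


if __name__ == "__main__":
    if len(sys.argv) == 2:   # rewrite one file in place, like sed -i
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        with open(sys.argv[1], "w", encoding="utf-8") as fh:
            fh.write(rewrite_urls(text))
    else:                    # no argument: run the listener
        serve()
```

`python tripwire.py some_file.js` rewrites that file in place; `python tripwire.py` with no argument runs the listener. Code that builds its address at runtime from pieces (a host string here, a path there) will not be caught by the regex, which is the limit of any text substitution approach; the external DNS whitelist mentioned above is what still catches those.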


Thanks for your reply. The point here is not about the merits of distrobox for security. This is a constraint that is not easily changed. It is only an element present, not an implementation of sandboxing.
I am looking for the best method that is hopefully less complicated than a systemwide SELinux policy plus PAM and Groups.
If anything, the distrobox is an added issue due to the nobody user.
Complex social hierarchy is a super important aspect to account for too. In the proprietary software realm, you infer confidence in the accumulated wealth hierarchy. In FOSS the hierarchy is not wealth, but reputation like in academia or the film industry. If some company in Oman makes some really great proprietary app, are you going to build your European startup over top of it? Likewise, if in FOSS someone with no reputation makes some killer app, the first question to ask is whether this is going to anchor or support a stellar reputation. Maybe they are just showing off skills to land a job. If that is the case, they are just like startups that are only looking to get bought up quickly by some bigger fish. We are all conditioned to think in terms of hoarded wealth as the only form of hierarchy, but that is primitive. If all the wealth was gone, humans are still fundamentally complex social animals, and will always establish a complex hierarchy. This is one of the spaces where it is different.


Thanks. This was helpful.


jake
Jake
j4ke
Jak3
j@k3
JAK€
jπ⸦kE
𝚥ᎪᏦ⋲
ꓙᏎ🅺Ꮛ
𞋕ꮜ𝈲𝈁
᜴ᚣᜩᗕ
It is not this, but same problem scope. Resolve all to “jake” for further processing. Also specifically looking for that ck.
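
The variants listed above fall into three groups that need different treatment: case, leetspeak substitutions (4, 3, @, €) and look-alike glyphs from other scripts (Cherokee, mathematical alphanumerics, and so on). The script below is an added example for this thread, not any poster's code. It folds case and compatibility forms with NFKD, strips combining marks, maps a leetspeak table, and resolves look-alikes through a per-code-point confusables table. That table is a constructed seed: a few entries plus pairs learned from the spellings in the post above; real use would load Unicode's confusables.txt instead. Whatever survives unresolved is listed so a person can extend the table, and a token search shows how the normalized form is then matched.

```python
"""Collapse case, leetspeak and look-alike (homoglyph) spellings of a name so
that every variant can be matched as plain 'jake'.

Added example for this thread, not any poster's code. CONFUSABLES is a
constructed seed (a few hand-picked entries plus pairs learned from the
variants in the post above); production use would load Unicode's
confusables.txt. LEET mappings are assumptions ('1' is taken as 'i').
"""
import re
import unicodedata

LEET = {"4": "a", "@": "a", "3": "e", "€": "e", "1": "i", "!": "i",
        "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"}

# Look-alikes that NFKD does not fold: dotless j/i, Greek omicron and the
# Cyrillic a, e and k that render like their Latin twins (assumed entries).
CONFUSABLES = {"ȷ": "j", "ı": "i", "ο": "o", "а": "a", "е": "e", "к": "k"}


def learn_confusables(pairs, table=CONFUSABLES):
    """Extend table from (variant, plain) pairs already resolved by hand.
    Pairs whose code-point counts differ (multi-code-point glyphs) are
    skipped rather than misaligned."""
    for variant, plain in pairs:
        if len(variant) != len(plain):
            continue
        for ch, good in zip(variant, plain):
            if ch != good and ord(ch) > 127:
                table.setdefault(ch, good)
    return table


# Seed from the spellings in the post, all of which resolve to 'jake'.
learn_confusables([(v, "jake") for v in ("𝚥ᎪᏦ⋲", "ꓙᏎ🅺Ꮛ", "𞋕ꮜ𝈲𝈁", "᜴ᚣᜩᗕ")])


def normalize_name(text):
    """confusables -> NFKD -> drop combining marks -> confusables again
    (for what NFKD produced) -> casefold -> leetspeak."""
    out = []
    for ch in text:
        for part in unicodedata.normalize("NFKD", CONFUSABLES.get(ch, ch)):
            if unicodedata.category(part) == "Mn":   # accents, diacritics
                continue
            part = CONFUSABLES.get(part, part)
            for folded in part.casefold():
                out.append(LEET.get(folded, folded))
    return "".join(out)


def residual_non_ascii(text):
    """Characters that survive normalization unresolved: the candidates to
    add to CONFUSABLES after a human has looked at them."""
    return [c for c in normalize_name(text) if ord(c) > 127]


def find_variants(text, target="jake"):
    """Whitespace-delimited tokens of text that contain target once
    normalized, bounded by non-alphanumerics so 'jakes' is not a hit."""
    pat = re.compile(rf"(?<![a-z0-9]){re.escape(target)}(?![a-z0-9])")
    return [tok for tok in re.findall(r"\S+", text) if pat.search(normalize_name(tok))]


if __name__ == "__main__":
    for v in ("jake", "Jake", "j4ke", "Jak3", "j@k3", "JAK€", "jπ⸦kE", "𝚥ᎪᏦ⋲"):
        print(f"{v!r:14} -> {normalize_name(v)!r}  unresolved: {residual_non_ascii(v)}")
    print(find_variants("user=Jak3 host=𝚥ᎪᏦ⋲ other=jakes"))
```

The leetspeak pass is meant for candidate tokens, not whole documents, since it turns every digit into a letter; apply it after tokenizing, as find_variants does. Anything that shows up in residual_non_ascii is exactly the list of glyphs the table does not yet know about.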
Unrelated to the question or circumstance