FWIW, N=1: I'm Dutch and don't recall the word "uitwaaien" being commonly used like this throughout society. It's only used in informal settings, e.g. between friends/family/colleague (AFAIK), and has little to no meaning outside specific contexts. It is, for instance, also used when joshing a person (with either teaseful or unpleasant intent) by proposing they should leave (the room or building): the phrase "ga jij maar even uitwaaien" means "(you should) go outside". When a cyclist informs a partner/friend/colleague about their intent to leave for (outdoor) cycling by saying "ik ga even uitwaaien". Hence I too am a bit surprised about this article.
"We’ve developed a method to assess whether a neural network classifier can reliably defend against adversarial attacks not seen during training [such as Elastic, Fog, Gabor, and Snow]. Our method yields a new metric, UAR (Unforeseen Attack Robustness), which evaluates the robustness of a single model against an unanticipated attack, and highlights the need to measure performance across a more diverse range of unforeseen attacks."
If anyone w/relevant expertise is willing to share thoughts on this: please do.
For further reading: this just in -> "Robust Machine Learning Algorithms and Systems for Detection and Mitigation of Adversarial Attacks and Anomalies: Proceedings of a Workshop" (2019) an open-access publication from the National Academies of Sciences, Engineering, and Medicine: https://doi.org/10.17226/25534.
...and apparently the same issue exists in Dropbear up until current version (2018.76 / Feb 2018), which has an entirely different code base. A comment on /r/blackhat [0] led a colleague and me to look at Dropbear's sources, and it happens to have logic that is sufficiently similar [1] for the same PoC to work; tests against v2018.76 and a couple of earlier versions (e.g. v2013.58) are successful.
Shodan shows some 66k services identifying as SSH-2.0-dropbear [2], as opposed to some 15k identifying as SSH-2.0-OpenSSH [3].
Yes. Large corporate networks often still have (some) production systems that allow password-based authentication. I don't know how widespread it still is, but I still encounter it frequently at clients (which may be a skewed sample).
Just to be sure: PasswordAuthentication does not need to be enabled for the PoC to work, and username testing can also be used for software enumeration by testing for common/default non-SSH users, .g. "_tor", "debian-tor", etc. (I apologize for repeating here what I also stated in other comments in this thread, but this aspect should not be overlooked.)
+1. But just to be sure: that does not prevent testing for usernames and hence enumerating software by testing for known/common service account usernames (e.g. "_tor" on OpenBSD and "debian-tor" on Debian-based OSs). (No claim was made to the contrary; just mentioning this to prevent anyone from thinking otherwise.)
Exactly - it also works for non-SSH accounts, thus allowing software enumeration by testing for default/common/known default service users.
For instance, an OpenBSD box running Tor may have a user "_tor", a Debian-based box (e.g. Ubuntu) may have a user "debian-tor", and so on (depending on how Tor was installed, in my case via pkg_add & apt-get; usernames might vary for different OS/repo versions). I have tested this using the PoC against some of my own systems (the ones that have PasswordAuthentication still enabled) and it works for those.
The 10-part series 'How to get Smarter: A guide to critical thinking, cognitive biases, and logical fallacies' published between in Jan-Apr 2018 at Life Lessons is also quite comprehensive. Covers 50 topics, 5 per post. I apologize for the length of what follows, but I believe this resource it worth it:
- Part 2: http://lifelessons.co/personal-development/howtogetsmarterpa...
45. Be a truth seeker
44. Be a realist
43. Open your mind
42. Don’t fall in love with your beliefs or your philosophy
41. Listen to your opponents and people who disagree with you
- Part 3: http://lifelessons.co/personal-development/howtogetsmarterpa...
40. Don’t dismiss things you don’t understand
39. Don’t assume you’re smarter than the stranger you’re speaking with
38. Don’t confuse your perspective for objective reality
37. Don’t confuse feelings with facts
36. Don’t believe every thought that passes through your head
- Part 4: http://lifelessons.co/personal-development/howtogetsmarterpa...
35. Beware of black and white thinking
34. Beware of the Dunning-Kruger effect
33. Uncertainty > The illusion of knowledge
32. Stand on the shoulders of giants
31. Have lots of gurus
- Part 5: http://lifelessons.co/personal-development/howtogetsmarterpa...
30. Don’t attack straw men (don’t misrepresent your opponents argument)
29. Beware of circular logic and reasoning
28. Watch out for red herrings
27. The genetic fallacy (examine the statement – not the speaker)
26. The fallacy fallacy (don’t confuse a bad argument with a false conclusion)
- Part 9: http://lifelessons.co/personal-development/howtogetsmarterpa...
10. Why you should try to prove yourself wrong – instead of right
9. Probability neglect & the relativity of wrong
8. Why you can’t trust statistics
7. Cognitive Dissonance
6. Sacred Cows