2020-09-12

Security Leftovers

Security
  • Mozilla Attack & Defense: Inspecting Just-in-Time Compiled JavaScript

    The security implications of Just-in-Time (JIT) Compilers in browsers have been getting attention for the past decade, and the references to more recent resources are too numerous to enumerate. While it’s not the only class of flaw in a browser, it is a common one; and diving deeply into it has a higher barrier to entry than, say, UXSS injection in the UI. This post is about lowering that barrier to entry.

    If you want to understand what is happening under the hood in the JIT engine, you can read the source. But that’s kind of a tall order given that the folder js/ contains 500,000+ lines of code. Sometimes it’s easier to treat a target as a black box until you find something you want to dig into deeper. To aid in that endeavor, we’ve landed a feature in the js shell that allows you to get the assembly output of a Javascript function the JIT has processed. Disassembly is supported with the zydis disassembly library (our in-tree version).

    To use the new feature, you’ll need to run the js interpreter. You can download the jsshell for any Nightly version of Firefox from our FTP server – for example, here’s the latest Linux x64 jsshell. Helpfully, these links always point to the latest version available; historical versions can also be downloaded.

  • Security updates for Tuesday

    Security updates have been issued by CentOS (dovecot), Debian (gnome-shell and teeworlds), Mageia (libetpan and zeromq), openSUSE (libxml2), Red Hat (chromium-browser and librepo), SUSE (compat-openssl098, firefox, kernel, openssl, and shim), and Ubuntu (gupnp).

  • Google Launches Confidential VMs, GKE Nodes, to Encrypt Data In-Use [Ed: The Linux Foundation is paying this publisher to participate in Google PR ploy, portraying servers controlled by Google as some sort of privacy magic]

    Google is hoping to make confidential computing — the encryption of data in-use — as easy as the click of a button for cloud native users. To this end, the company has released into general availability Confidential Virtual Machines (VMs), unveiled as a beta in July, as well as beta launched Google Kubernetes Engine (GKE) Confidential Nodes.

  • House approves bill to secure internet-connected federal devices against cyber threats

    The legislation would also require private sector groups providing devices to the federal government to notify agencies if the [Internet]-connected device has a vulnerability that could leave the government open to attacks.

    The bill is sponsored in the House by Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Texas) and more than two dozen others.

  • Microsoft ends support for Office 2010: What you can do

    If the whole Microsoft thing is getting too complicated or too expensive for your pocketbook, we've reviewed the major alternative programs to Office, including Google's online application, LibreOffice, FreeOffice and more. Because they're all free, there's little risk to trying them.

Debian Developers' Leftovers

  • Raphaël Hertzog: Freexian’s report about Debian Long Term Support, August 2020

    Like each month, here comes a report about the work of paid contributors to Debian LTS.

  • Molly de Blanc: “Actions, Inactions, and Consequences: Doctrine of Doing and Allowing” W. Quinn

    There are a lot of interesting and valid things to say about the philosophy and actual arguments of the “Actions, Inactions, and Consequences: Doctrine of Doing and Allowing” by Warren Quinn. Unfortunately for me, none of them are things I feel particularly inspired by. I’m much more attracted to the many things implied in this paper. Among them are the role of social responsibility in making moral decisions. [...] One of the things I maintain is that we cannot be the best versions of ourselves because we are not living in societies that value our best selves. We survive capitalism. We negotiate climate change. We make decisions to trade the ideal for the functional. For me, this frequently means I click through terms of service, agree to surveillance, and partake in the use and proliferation of oppressive technology. I also buy an iced coffee that comes in a single use plastic cup; I shop at the store with questionable labor practices; I use Facebook. But also, I don’t give money to panhandlers. I see suffering and I let it pass. I do not get involved or take action in many situations because I have a pass to not. These things make society work as it is, and it makes me work within society.

  • David Bremner: Debcamp activities 2018
  • Ciano

    There is a new application available for Sparkers: Ciano

Audiocasts/Shows: LINUX Unplugged, GNOME 3.38, Late Night Linux and More

  • Cabin Fever | LINUX Unplugged 371

    Friends join us to discuss Cabin, a proposal that encourages more Linux apps and fewer distros. Plus, we debate the value that the Ubuntu community brings to Canonical, and share a pick for audiobook fans.

  • GNOME 3.38 - Tour of the New Features, and a few thoughts

    It's that time of year again, where the new version of GNOME is upon us. Like every 6 months, this release includes a bunch of improvements to the desktop experience, and will be included in Ubuntu 20.10, Fedora 33, and will hit Arch and other rolling releases pretty quickly.

  • Late Night Linux – Episode 98

    How do we fix the broken Internet? We try to find solutions that don’t mean resorting to regulation. Plus Arm is sold again, Ubuntu community rumblings, a packed KDE Korner, and more.

  • Ripcord: Time To Uninstall The Official Discord Client

    I've been trying out a lot of these 3rd party Discord clients lately, like 6cord and Gtkcord, and they're all missing something fundamental. But finally I've discovered Ripcord, which is an almost perfect client; basically the only thing it's missing is video calls, but I can always use the web client for that anyway.

  • Python Podcast: Simplified Data Extraction And Analysis For Current Events With Newspaper

    News media is an important source of information for understanding the context of the world. To make it easier to access and process the contents of news sites, Lucas Ou-Yang built the Newspaper library, which aids in the automatic retrieval of articles and prepares them for analysis. In this episode he shares how the project got started, how it is implemented, and how you can get started with it today. He also discusses how recent improvements in the utility and ease of use of deep learning libraries open new possibilities for future iterations of the project.

Devices: Banana Pi, Firmware in Your Firmware, Amlogic/Arm and Arduino

  • Raspberry Pi: Banana Pi maker touts this new rival board with Amlogic chip and 4GB RAM

    Chinese SinoVoip has teased a Raspberry Pi-style single-board computer, the Banana Pi BPI-M5, with an Amlogic S905X3 four-core Cortex-A55 processor. The Raspberry Pi rival features a system on chip with 4GB of LPDDR4 RAM, 16GB of eMMC storage, four USB 3.0 ports, Gigabit Ethernet, an HDMI port, and just like its fruity rival, a 40-pin GPIO (general-purpose input/output) rack to connect other devices.

  • Putting The Firmware In Your Firmware

    Performing over-the-air updates of devices in the field can be a tricky business. Reliability and recovery is of course key, but even getting the right bits to the right storage sectors can be a challenge. Recently I’ve been working on a project which called for the design of a new pathway to update some small microcontrollers which were decidedly inconvenient. There are many pieces to a project like this; a bootloader to perform the actual updating, a robust communication protocol, recovery pathways, a file transfer mechanism, and more. What made these micros particularly inconvenient was that they weren’t network-connected themselves, but required a hop through another intermediate controller, which itself was also not connected to the network. Predictably, the otherwise simple “file transfer” step quickly ballooned out into a complex onion of tasks to complete before the rest of the project could continue. As they say, it’s micros all the way down.

  • Low-cost Amlogic S905L2 TV Boxes Show Up on Aliexpress for $20+

    Amlogic has plenty of variants to its S905 processors, and so far I had never heard about Amlogic S905L2 processor that can be found in some Android 9.0 TV boxes sold for a little over $20 including shipping. There are only two such TV boxes listed with the quad-core Cortex-A53 processor so far, and they are basically the same X7 model except for different storage and memory configuration.

  • Nvidia’s Arm Acquisition Raises Licensing Questions

    This could accelerate an industry shift away from Arm designs to RISC-V, according to a Reuters source.

  • Get ready to Explore IoT with Arduino Education

    This week we are launching our Arduino Explore IoT Kit, which allows high school and college students to take their first steps in building connected devices. Educators can make a complex subject simple – explore the Internet of Things right now with Arduino Education. Aimed at the beginner, there is a complete set of easy to follow online projects providing students with a gateway into the digital world of connected objects and how people work together.

