Date: 2020-11-10

Today security researchers from TU Graz have published a new side-channel information leak attack using power metering in modern Intel CPUs. With this side-channel attack on power consumption fluctuations it is possible to extract secret information on the same CPU, like for instance key material from SGX enclaves or the Linux kernel, or KASLR information to help other attacks.

As part of Intel's monthly security disclosures the company is today releasing forty new security advisories. With these 40 security advisories for November 2020 they are addressing 95 vulnerabilities. There are security advisories relating to the Converged Security and Management Engine (CSME) as well as the Intel Wireless Bluetooth support -- including a "critical" vulnerability that could lead to escalation of privileges via the LAN. Also being disclosed today is "PLATYPUS" stemming from information leakage with the Intel Running Average Power Limit (RAPL) interface.

This kind of PLATYPUS is not a sweet and unusual mammal, this is a security problem recently announced that affects Intel across server, desktop and laptop CPUs. Along with a long list of other Intel issues that went public today (there's like 40 of them…), PLATYPUS is one that's gaining some attention and came with its own fancy website. PLATYPUS (Power Leakage Attacks: Targeting Your Protected User Secrets) is a way to exploit the unprivileged access to the Intel RAPL (Running Average Power Limit) interface exposing the processor's power consumption to infer data and extract cryptographic keys. Physical access is not required, the researchers say, so it's quite a concerning one.

Released about three weeks ago, Ubuntu 20.10 is the latest version of the popular Linux-based operating system. It ships with the Linux 5.8 kernel series by default, which has now been patched against two recently discovered security vulnerabilities. The first security vulnerability addressed in this update is CVE-2020-27194, discovered by Simon Scannell in Linux kernel's bpf verifier, which could allow a local attacker to expose sensitive information (kernel memory) or gain administrative privileges.

Fedora and IBM/Red Hat Leftovers

Daniel Pocock: Withdrawing my nomination for Fedora Council

First of all, my email nominating myself on the Fedora Council list was delayed for approximately 14 hours. [...] This strikes me as a strong hint that I'm an independent candidate who is not afraid to ask the important questions. If I was to suggest the election was about to be rigged then I would risk looking like the world's biggest clown but nonetheless, messages delayed like that makes it feel like the playing field is not quite level. It is an all-too-familiar feeling in the free software world. This was an important revelation about transparency achieved without even getting to a vote.

Secondly, there has been increased attention on the difference between real harassment as opposed to the counter-accusations that appear all too frequently from leaders covering up their own rogue behavior. Harvey Weinstein's lawyer publicly blamed his victims and the outgoing US president claimed to be a victim of lynching. Leaders of certain free software organizations cry the same crocodile tears. Let us remember the original words chosen by young women coming into our environment are the only genuine examples of harassment. With or without a vote, I remain committed to allocating a share of my time to courageous volunteers like this. Their willingness to speak up gives me hope that the leaders of tomorrow may be better than the office holders of yesterday. The ultimate achievement of my short campaign is to depart gracefully. I couldn't think of a better time to do so. This is what leadership looks like. Either you understand that or you don't.

Exploring OpenShift Source-to-Image using Git webhooks | Enable Sysadmin

OpenShift is an enterprise application platform based on the Kubernetes orchestration tool. It can deploy applications from a number of sources, including prebuilt images as well as from source. In this article, I will talk about Source-to-Image (S2I) and how to automate the entire process using Git webhooks. You can follow along and try it out yourself for free at the OpenShift Interactive Learning Portal.

Call for Code Spot Challenge for Wildfires

Nearly 3 billion animals were affected by Australia’s worst wildfire season that burned from July 2019 through March 2020, estimates Chris Dickman, a professor of ecology at the University of Sydney. We’re asking you to join data scientists to develop models focused on forecasting wildfires in Australia for the upcoming wildfire season, and enter the chance to win $5K USD. To get you started we’re releasing historical data sets extracted from the Weather Operations Center Geospatial Analytics component (PAIRS Geoscope)

The history of an API: GitLab Runner and Podman | Enable Sysadmin

Here is one sysadmin's journey through Podman and GitLab Runner integration

From chemistry to coding: Changing careers to become a software developer

Some people say that it doesn’t matter how you start, what matters is how you finish! And no truer words have been spoken, especially with regards to your career and professional life. Last year I graduated from college with a Bachelor of Science in Chemistry. Less than a year later I became a Systems Back End Software Engineer at IBM without a formal computer science degree. And today, I work at the Transaction Processing Facility in Poughkeepsie, where I develop and modernize an operations server console that handles transactions for several major credit card, hotels and airline companies. Most of my work is on the Java console for the z/TPF operating system. I also help process the Linux build and package along with shipping code. (Note: According to the 2020 Stack Overflow developer survey, 4.4% of professional developers have a background in natural sciences.)

My journey to becoming a software developer began when I took my first computer science class as a senior in college. After that one class I realized that being a developer was my true passion! But with a degree in an unrelated discipline I didn’t know how I could make the leap to becoming a professional developer. So, immediately after graduation, I completed an immersive software engineering boot camp at Flatiron School. While at that boot camp, I independently built scalable full-stack applications such as Facebook and Trello clones. I decided to attend a coding boot camp because I thought it would push me to learn as much as possible in the shortest period of time. After completing the boot camp, I applied for jobs and quickly accepted a position at IBM.

Automated golf highlights in a fanless environment

Automating the creation of these videos dramatically reduced the time and effort required to produce this content. Quickly producing this content gave the Masters editorial team first mover advantage, coverage breadth across the entire field, and freed up critical video editing cycles to be used elsewhere. This automated system ingested video from every shot on every hole. The workflow that created the input content later went on to win the George Wensel Technical Achievement Emmy Award as well as many other accolades. As this content was ingested, it was evaluated for “highlight-worthiness” using a metric referred to internally by IBM as “excitement.” The excitement metrics were derived using artificial intelligence (AI) analysis of the content. These metrics were further enhanced by using IBM Watson® OpenScale to remove bias from the ranking. These excitement metrics, coupled with storytelling business rules, were used to select which golf scenes to include. These selections were then used to create a fully produced highlight video with broadcast interstitials and automated TV graphics minutes after the player completed their round. The work for the 2019 Masters was described in this IBM Developer blog.