date 2021-02-03

  • Decrypting GSM SMS traffic

    In this post, I’ll go over how to decrypt your own 2G GSM SMS messages by pulling encryption keys off your SIM card and processing the data with gr-gsm.

    In a previous post, I looked at how to decode and start analyzing GSM traffic. If you haven’t read that yet, I suggest you start there. I’m going to assume you have your environment set up to that point.

  • An Interactive Guide to CSS Transitions

    The world of web animations has become a sprawling jungle of tools and technologies. Libraries like GSAP and Framer Motion and React Spring have sprung up to help us add motion to the DOM.

    The most fundamental and critical piece, though, is the humble CSS transition. It's the first animation tool that most front-end devs learn, and it's a workhorse. Even the most grizzled, weathered animation veterans still reach for this tool often.

    There's a surprising amount of depth to this topic. In this tutorial, we'll dig in and learn a bit more about CSS transitions, and how we can use them to create lush, polished animations.

  • SSH Certificates Security

    SSH certificates, when deployed properly, improve security. A half-baked access system using certs is more vulnerable than a public-key-based one if a user or host gets [cracked].

  • cut & tr

    This is not a tutorial but here’s an example of where I used these two today. I have a bunch of docker volumes I want to list just the names of. The default output is thus: [...]

  • Attributes of configuration languages

    Software, particularly server software or the software running on network equipment, frequently requires configuration, often provided in the form of a configuration file. No particular standard for a configuration language has ever come to dominate, so the number of configuration file formats is almost as large as the number of pieces of software needing configuration.

    Many of these configuration formats lack a formal specification of their syntax or semantics and are implemented as ad-hoc parsers inside the software that consumes them. Many of these formats also appear similar to other formats but with slight differences, as inspiration for how to design configuration languages flows from one influential piece of software to another. For example, no formal specification exists for INI files, but many applications have adopted an INI-like syntax, sometimes with notable application-specific variations. The BIND nameserver's configuration format seems also to have influenced many configuration formats now used by *nix server software, again with much subtle variation.

    Herein, I attempt to analyse a large number of configuration languages and discern the properties and patterns that seem to pervade all of them. Rather than focusing on syntax, which is ultimately superficial, I will focus on the semantics and data model of a given language.

  • It’s now easy to bypass MediaTek’s SP Flash Tool authentication

    If you remember, MediaTek chipsets were previously found to be susceptible to a dangerous rootkit nearly a year ago, and it was actively exploited by hackers to gain root access. Considering that, it is unknown why the Taiwanese chip design company still hasn’t patched the flaw in its chipsets that allows defeating the chain of trust while flashing. Although we have only seen the good side of the situation, it is even worse from a security perspective when you consider the hundreds of lesser-known device models using these MediaTek chips.

    There is another aspect of the situation from the standpoint of the custom development community, whose interests we represent. A majority of MediaTek devices find themselves in an unsustainable combination of easy-to-brick and difficult-to-revive. On top of that, the forced authorization requirement really limits the potential of aftermarket development on them. The bypass method is nothing but a glimmer of hope for MediaTek device owners, who just want to take the hassle related to unbricking out of the modding scene.

  • How To Install Ultimate PI – Raspberry PI OS with The Cinnamon Desktop – Raspberry PI User

    Ultimate PI is a re-spin of the Raspberry PI OS with the Cinnamon desktop environment as the desktop environment.

    You will find a complete set of desktop applications including the Chromium web browser, Evolution email client, Rhythmbox audio player, VLC media player, Shotwell photo manager, LibreOffice office suite and the GIMP image editor.

    This guide shows how to install Ultimate PI to an SD Card.

  • Ultimate PI – Raspberry PI OS With Cinnamon Desktop – Raspberry PI User

    Raspberry PI OS is the best operating system for the Raspberry PI because it was built specifically for the Raspberry PI.

    I have created a number of guides on this site showing how to make the Raspberry PI OS more useful for every day daily tasks.

    For instance this guide shows how to view Netflix and Amazon Prime using Raspberry PI OS and this guide shows how to customise the Raspberry PI desktop.

  • How to verify your Linux Mint ISO image file - Real Linux User

    Security and being conscious about your actions and decisions that could hamper or strengthen your Linux environment to be secure, is becoming more and more important. When you download a Linux ISO image file to create a bootable live environment to test a Linux distribution and eventually installing it on your production machine, it is important to be sure about its authenticity and integrity. In this article, as part of my Linux Mint tutorial series, I want to explain how to verify your Linux Mint ISO image file to start your secure Linux journey.

  • How To Install Docker on Manjaro 20 - idroot

    In this tutorial, we will show you how to install Docker on Manjaro 20. For those of you who didn’t know, Docker is an open-source project that automates the deployment of the application inside the software container. The container allows the developer to package up all project resources such as libraries, dependencies, assets, etc. Docker is written in a Go Programming language and is developed by Dot cloud. It is basically a container engine that uses the Linux Kernel features like namespaces and control groups to create containers on top of an operating system and automates the application deployment on the container.

    This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo‘ to the commands to get root privileges. I will show you through the step-by-step installation of Docker on a Manjaro 20 (Nibia).

  • Format your USB drive with GParted - PragmaticLinux

    USB drives typically come preformatted as FAT32 or NTFS file systems. Although Linux can handle this, the EXT4 file system offers an advantage: EXT4 gives you far better control over file permissions and ownership. As whip-cream on top, you can stop worrying about data fragmentation as well. In this article you learn how to format your USB drive with the help of GParted. GParted is a graphical user interface program, available on pretty much all popular Linux distributions.

  • How to fix unzip error "End-of-central-directory signature not found"

    If you are unable to extract files from a zip file and instead getting the error "End-of-central-directory signature not found", here is what you can do.

    Foremost, you want to check that the archive is indeed a zip file, not generated by other similar archive programs such as gzip. So try uncompressing it with gunzip to eliminate this possibility.

    If this does not help, chances are that the zip file was incompletely downloaded or got corrupted on your disk somehow. In the rest of the tutorial, let's find out how to fix, or at least get round, the unzip error when a zip file is corrupted or end of the file is truncated.

  • How to Add Ubuntu Host to Nagios Server using NRPE Plugin

    In our previous guide, we touched base on how to install the Nagios Monitoring Server on Ubuntu 20.04. For this second part, we will show you how to add a Ubuntu host to Nagios server for monitoring using NRPE plugin.

    NRPE, short for Nagios Remote Plugin Executor, is an agent that allows remote execution of scripts located on the remote host. It allows the gathering of metrics such as system load, disk utilization, and uptime, etc.

    NRPE Server (agent) and Plugins are installed on the remote host. The agent will wait for check_nrpe request from Nagios Core Server. Once the agent receives the check request it will execute a plugin on the remote host and send back the request to Nagios server.

  • How to Reverse Lines in a File Character-Wise in Linux

    There are some string manipulation or alternation tasks that can be programmed in scripting or a programming language quite easily. For example, changing the case of a text in a file.

    There are some tasks that are very commonly required when it comes to text manipulation. One such task is reversing lines in a file. When we say reversing the lines, it can mean two things: reversing the order of lines in a file or reversing each line in the file character-wise.

    In this article, we will learn about the command ‘rev’ which deals with reversing lines in a file character-wise in place.

  • Enable Conda-forge Channel For Conda Package Manager - OSTechNix

    This guide explains what is conda-forge channel, how to install packages from conda-forge and finally how to permanently enable conda-forge channel for conda package manager from commandline as well as from Anaconda Navigator GUI in Linux.

  • Attempt to reproduce "Django 3 Tutorial & CRUD Example with MySQL and Bootstrap" on Fedora 33 KVM Guest
  • Run your favorite Windows applications on Linux | Opensource.com

    In 2021, there are more reasons why people love Linux than ever before. In this series, I'll share 21 different reasons to use Linux. Here's how switching from Windows to Linux can be made seamless with WINE.

    Do you have an application that only runs on Windows? Is that one application the one and only thing holding you back from switching to Linux? If so, you'll be happy to know about WINE, an open source project that has all but reinvented key Windows libraries so that applications compiled for Windows can run on Linux.

    WINE stands for "Wine Is Not an Emulator," which references the code driving this technology. Open source developers have worked since 1993 to translate any incoming Windows API calls an application makes to POSIX calls.

Security/Proprietary Issues

  • 10 years of Chromebooks and people still don’t know what they’re capable of

    They’ve been around for a decade and have always focused on speed, simplicity, and security. Plus, Chromebooks have continuously improved from a basic browser-only device to something far more capable than many people realize.

  • Google might have quietly teased the OS that will replace Android

    We’ve been talking about Fuchsia for years now, and Google has confirmed its existence without revealing what it can do or when it’ll be here. Fuchsia would run on any device, no matter its size or display type — it would also run on gadgets that don’t have screens. Fuchsia would support instant software updates just like iOS and macOS, as well as better privacy and security protections, again, like what’s available on iPhone and Mac. And Fuchsia will still run all of the existing Android apps so that transitioning from Android (and Chrome) to Fuchsia shouldn’t be a hassle. That’s the gist of Fuchsia rumors, although it’s unclear what Google’s vision is for Fuchsia.

  • Margaret Mitchell: Google fires AI ethics founder

    Google has fired the founder and co-head of its artificial intelligence ethics unit, claiming she violated the company's code of conduct.

    In a statement, Google said an investigation found Margaret Mitchell had moved files outside the company.

  • IBM is said to consider sale of Watson Health amid cloud focus

    Deliberations are at a very early stage and the company may opt not to pursue a deal, said the person, who asked not to be identified discussing private talks. IBM is exploring a range of alternatives, from a sale to a private equity firm or a merger with a blank-check company, according to The Wall Street Journal, which earlier Thursday reported the possibility of a deal.

    IBM has been trying to boost its share of revenue from hybrid-cloud software and services, which lets customers store data in private servers and on multiple public clouds, including those of rivals Amazon.com Inc. and Microsoft Corp. IBM bought RedHat for $34 billion in 2018 to boost this effort.

  • Mexican Politician Removed Over Alleged Ties to Romanian ATM Skimmer Gang

    The leader of Mexico’s Green Party has been removed from office following allegations that he received money from a Romanian ATM skimmer gang that stole hundreds of millions of dollars from tourists visiting Mexico’s top tourist destinations over the past five years. The scandal is the latest fallout stemming from a three-part investigation into the organized crime group by KrebsOnSecurity in 2015.

  • How secure boot and trusted boot can be owner-controlled

    Implementing owner-controlled secure boot. Moreover, it should also be noted that you don't actually need to use keyfusing to implement (1). For example, the “secure boot” functionality on x86 PCs allows users to change their own trust roots at any time. The way this is implemented is by having a region of a nonvolatile storage device reserved for boot firmware and trust configuration, which can be locked against mutation after boot. The only way to make this region writeable again is by resetting the system, restoring execution to said boot firmware. Thus, absent physical intervention, any mutation to the boot firmware or configuration must be approved by said boot firmware.

    Although most SoC vendors design their SoCs to support keyfusing as their officially supported means of “secure boot”, it is actually possible to implement this owner-controlled secure boot design on most SoCs via only a small amount of additional board components. This takes advantage of the fact that

    1. SoC-class devices almost never have onboard flash, and instead boot from an external flash device;
    2. external flash devices usually have a “Write Protect” pin; and
    3. many classes of flash device allow the “Write Protect” pin to be configured to write-protect some, but not all, of the device's memory.

  • Exploit Details Emerge for Unpatched Microsoft Bug

    New details have emerged about an unpatched security vulnerability in Microsoft’s Internet Explorer that was recently used in a complex campaign against security researchers. A fresh analysis from 0patch offers further insight into where the bug exists and how it can be triggered in real-world attacks — notably, by just visiting a website.

    In early February, cybersecurity researchers at South Korean consultancy ENKI identified a zero-day exploit that it said was used in the researcher attack. The vulnerability in question exists in Microsoft Internet Explorer, and at the time of writing remains unpatched, though Microsoft said it was looking into the bug report.

  • Masslogger Swipes Microsoft Outlook, Google Chrome Credentials

    Masslogger is a spyware program, which is written in .NET and steals browser, email and instant-messaging credentials. The trojan was released in April and has since been sold on underground forums.

    “Masslogger is a commodity malware that has been in development and circulation for almost a year now,” Svajcer told Threatpost. “It is sold on underground forums for relatively modest amount of money and it can be used by any malicious actor. We wanted to emphasize that these campaigns with these particular spreading techniques can likely be linked to a single actor, based on the exfiltration server domain used in all campaign for exfiltrating credentials.”

  • Serving up zero-knowledge proofs

    Zero-knowledge (ZK) proofs are gaining popularity, and exciting new applications for this technology are emerging, particularly in the blockchain space. So we’d like to shine a spotlight on an interesting source of implementation bugs that we’ve seen—the Fiat Shamir transformation.

    A ZK proof can be either interactive, where the prover and verifier communicate via challenges in a multi-step process, or non-interactive, where a prover computes a proof once and sends it to the verifier. The non-interactive ZK proof is preferred over the multi-step interactive process, but most ZK schemes are interactive by default.

    Enter the Fiat-Shamir transformation. It transforms interactive ZK proofs into non-interactive ones. Easier said than done. This can be a tricky implementation and has led to several bugs, including one discovered in a Swiss voting system.

  • Update your computer!

    Security updates patch vulnerabilities in your computer. They protect you from local attacks (people with physical access to your computer and people who have an account on it) but also remote ones (attackers targeting your computer through your Internet connection). Other than directed attacks security updates also protect you from malicious software. When you ask your computer to execute external content (software you downloaded, email attachments, a link you click or even just a webpage you visit in your Web browser) you also take the risk to open a door into your computer and invite attackers in. When a vulnerability is found developers fix it as soon as possible and distributions ship it as an update so you can apply it in a timely fashion. These vulnerabilities then become public and known by potential attackers. This means an outdated system isn’t just vulnerable, it is known to be vulnerable.

  • Linux Mint Finds Many Of Its Users Are Running Behind On Security Updates - Phoronix

    The issue of having a beginner/easy-to-use focused desktop Linux distribution but not installing new security updates by default without user intervention is that for many users they fall behind in applying often important security fixes. The Linux Mint blog posted a notice today encouraging its users to install security updates as they are "very important" while the internal statistics indicate significant numbers of users are not doing so. "Apply updates right now!" the notice reads and also warning users to not run end-of-life (EOL) versions of the Ubuntu/Debian-based distribution.

  • The modern packager’s security nightmare

    One of the most important tasks of the distribution packager is to ensure that the software shipped to our users is free of security vulnerabilities. While finding and fixing the vulnerable code is usually considered upstream’s responsibility, the packager needs to ensure that all these fixes reach the end users ASAP. With the aid of central package management and dynamic linking, the Linux distributions have pretty much perfected the deployment of security fixes. Ideally, fixing a vulnerable dependency is as simple as patching a single shared library via the distribution’s automated update system. Of course, this works only if the package in question is actually following good security practices. Over the years, many Linux distributions (at the very least, Debian, Fedora and Gentoo) have been fighting these bad practices with some success. However, today the times have changed. Today, for every 10 packages fixed, a completely new ecosystem emerges with the bad security practices at its central point. Go, Rust and to some extent Python are just a few examples of programming languages that have integrated the bad security practices into the very fabric of their existence, and recreated the same old problems in entirely new ways.

    The root issue of bundling dependencies has been discussed many times before. The Gentoo Wiki explains why you should not bundle dependencies, and links to more material about it. I would like to take a bit wider approach, and discuss not only bundling (or vendoring) dependencies but also two closely relevant problems: static linking and pinning dependencies. [...]

    Now, for the worst of all — one that combines all the aforementioned issues, and adds even more. Bundling (often called vendoring in newspeak) means including the dependencies of your program along with it. The exact consequences of bundling vary depending on the method used.

    In open source software, bundling usually means either including the sources of your dependencies along with your program or making the build system fetch them automatically, and then building them along with the program. In closed source software, it usually means linking the program to its dependencies statically or including the dependency libraries along with the program.

    The baseline problem is the same as with pinned dependencies — if one of them turns out to be buggy or vulnerable, the users need to wait for a new release to update the bundled dependency. In open source software or closed source software using dynamic libraries, the packager has at least a reasonable chance of replacing the problematic dependency or unbundling it entirely (i.e. forcing the system library). In statically linked closed source software, it is often impossible to even reliably determine what libraries were actually used, not to mention their exact versions. Your distribution can no longer reliably monitor security vulnerabilities; the trust is shifted to software vendors.

    However, modern software sometimes takes a step further — and vendor modified dependencies. The horror of it! Now not only the packager needs to work to replace the library but often has to actually figure out what was changed compared to the original version, and rebase the changes. In worst cases, the code becomes disconnected from upstream to the point that the program author is no longer capable of updating the vendored dependency properly.

Linux 5.12: Perf and Sound

  • Linux 5.12 Adds Instruction Latency Reporting To Perf - Phoronix

    An exciting new capability with perf in Linux 5.12 is the ability to collect instruction latency metrics as part of the performance reports, but relies on hardware capabilities for now only found in next-generation Intel Xeon "Sapphire Rapids" processors. Linux 5.12 adds the ability to support instruction latency metrics as part of perf report collections. The instruction latency metrics paired with the memory latency data can help developers understand expensive instructions and the time being spent in the different CPU stages. It will be fun when this ability is more widespread across processors and interesting if it can end up being used for helping to generate more accurate cost tables for compiler targets among other use-cases.

  • Sound Updates For Linux 5.12 Include Intel Alder Lake P, Other New Hardware - Phoronix

    The sound subsystem changes were submitted on Friday by maintainer Takashi Iwai of SUSE for the in-development Linux 5.12 kernel. The sound/audio highlights for the Linux 5.12 kernel include: - Support for software jack injection for testing/debugging purposes.

Android Leftovers

MX Linux Fluxbox Respin Officially Released for Raspberry Pi

Initially announced in January 2021, the MX-Fluxbox Raspberry Pi respin is MX Linux’s first release for the tiny Raspberry Pi devices. As its name suggests, it uses the ultra-lightweight Fluxbox window manager by default and, just like MX Linux, it’s based on the stable Debian GNU/Linux 10 “Buster” software repositories. The Fluxbox environment includes elements from the GNOME, Xfce and LXDE desktop environments, and comes pre-loaded with some popular apps like the Palemoon web browser, Claws Mail email client, VLC media player, Thunar file manager, FeatherPad text editor, as well as Geany and Thonny IDEs.

