today's howtos
We (A&A) sell gigabit services, as both Ethernet and FTTP. We see other ISPs selling 950M or 900M, why? Will I get a gigabit?
lslocks(8) is the Linux command that you usually use to list the current file locks on a machine. lslocks reads the kernel's /proc/locks to find out about locks, and so is subject to the various limitations /proc/locks has. It adds some conveniences to the raw /proc/locks information, but it also has some limitations of its own on what information it can present, and when.
Infrastructure-as-code (IaC) is often seen as a deployment tool: write code that describes your infrastructure, either at a low level like Terraform or CloudFormation, or at a high level like the AWS Cloud Development Kit (CDK). Infrastructure-as-code is naturally part of the continuous deployment (CD) process, but increasingly it is finding its way into continuous integration (CI) as well.
Infrastructure-as-code is becoming build-as-code.
In this how-to, we’ll look at the zip command, a useful utility that enables us to specify lists of files, set a level of data compression and create compressed archives.
Whilst you become accustomed to these commands it’s good to work with example test files and directories and you should take extra care to ensure you are carefully following the instructions.
A framework that is not as well known as others but is very versatile to use is Play Framework. Today we will talk about it and learn how to install it on Debian 11.
Siege is a free web server stress-testing tool that you can install from the command terminal on Linux operating systems such as Ubuntu 22.04 for HTTP load testing and benchmarking. It can stress-test a server by defining single or multiple URLs for simulated users. The result of a load test gives complete details of the number of hits recorded, bytes transferred, response time, concurrency, and return status. Siege supports the HTTP/1.0 and 1.1 protocols, the GET and POST methods, cookies, transaction logging, and basic authentication.
Today I found out that the Debian security team handles oldstable releases only for a year or so, after which the LTS team takes over, which is arguably less secure.
Open Hardware/Modding: Pi Pico, Open Source Robotics Foundation, RISC-V
It is with a sense of inevitability that we can confirm somebody has managed to make Doom work on the diminutive RP2040-based Raspberry Pi Pico microcontroller board.
Running the '90s first-person shooter game on hardware ranging from ATMs to pregnancy testers is very much a badge of honor for hardcore tinkerers and the surprise is perhaps not so much that the RP2040 hardware is up to the job, but that it has taken so long for someone to do it. After all, it is just over a year since the board first arrived.
A quick glance at online stores shows that the Pico is currently not made of unobtainium and actually in stock at outlets.
Happy 10th Birthday to the Open Source Robotics Foundation: OSRF founders discuss changes they've seen over the last decade
SiFive is pulling in nearly $400m in funding this year between a new investment round and the proceeds of a business sale with the ambitious mission of eclipsing rival Arm – and the x86 world of Intel and AMD – with processor designs for everything from smartphones to servers.
The Silicon Valley-based chip designer said Wednesday it had raised a $175m Series F financing round at a more than $2.5bn valuation, only two days after announcing it would sell its OpenFive connectivity business to Alphawave for $210m so that the startup could focus on its RISC-V CPU cores.
SiFive's total funding from investors, which includes SK Hynix as well as the venture arms of Intel, Qualcomm and Western Digital, now stands at more than $350m.
Hundreds of variations of open-source CPUs written in an HDL seem to float around the internet these days (and that’s a great thing). Many are RISC-V, an open-source instruction set (ISA), and are small toy processors useful for learning and small tasks. However, if you’re [Paul Campbell], you go for a high-end super-scalar, out-of-order, speculative, 8 IPC monster of a RISC-V CPU known as VRoom!.
RISC-V is an open, free ISA based on established Reduced Instruction Set Computing (RISC) principles. Members of the RISC-V Foundation have access to and participate in the development of the RISC-V ISA specifications and related hardware and software ecosystem.
The Timex Datalink was arguably the first usable smartwatch, and was worn by NASA astronauts as well as geek icons like Bill Gates. It could store alarms, reminders and phone numbers, and of course tell the time across a few dozen time zones. One of the Datalink’s main innovations was its ability to download information from your PC — either through flashing images on a CRT monitor or through a special adapter plugged into a serial port.
Programming Leftovers
In the early 1960s, Margaret Hamilton began her career as a pioneering programmer and systems designer. And when NASA launched a series of missions that led to the first astronauts on the moon, Hamilton was director of the Software Engineering Division at the Massachusetts Institute of Technology’s Instrumentation Laboratory, developing the mission’s onboard flight software.
That project included writing 40,000 lines of code for the moon-landing lunar module, and its “mothership,” the orbiting craft carrying the command and service modules.
Being a predominantly functional language, the fact that jq has a reduce function comes as no surprise. However, its structure and how it is wielded are a little different from what I was used to. I think this is partly due to how jq programs are constructed, as pipelines for JSON data to flow through.
I decided to write this post after reading an invocation of reduce in an answer to a Stack Overflow question, which had this really interesting approach to achieving what was desired: [...]
Arrays in Cobol are called tables, and they are a bit odd. For example the following code creates a 1D table with 5 elements in it, each of type x(5), or rather a “string” of 5 ascii characters.
A frequent complaint expressed on a certain website about Alpine is related to the deficiencies regarding the musl DNS resolver when querying large zones. In response, it is usually mentioned that applications which are expecting reliable DNS lookups should be using a dedicated DNS library for this task, not the getaddrinfo or gethostbyname APIs, but this is usually rebuffed by comments saying that these APIs are fine to use because they are allegedly reliable on GNU/Linux.
For a number of reasons, the assertion that DNS resolution via these APIs under glibc is more reliable is false, but to understand why, we must look at the history of why a libc is responsible for shipping these functions to begin with, and how these APIs evolved over the years. For instance, did you know that gethostbyname originally didn’t do DNS queries at all? And, the big question: why are these APIs blocking, when DNS is inherently an asynchronous protocol?
Before we get into this, it is important to again restate that if you are an application developer, and your application depends on reliable DNS performance, you must absolutely use a dedicated DNS resolver library designed for this task. There are many libraries available that are good for this purpose, such as c-ares, GNU adns, s6-dns and OpenBSD’s libasr. As should hopefully become obvious at the end of this article, the DNS clients included with libc are designed to provide basic functionality only, and there is no guarantee of portable behavior across client implementations.
JSON is a popular data storage format for exchanging data between a server and a browser. It is derived from JavaScript and supported by most mainstream programming languages. It is a human-readable format that anyone can quickly understand when it is printed with proper formatting. When no formatting is applied, JSON data prints on a single line, and output of that kind is much harder to read. Formatted JSON data is therefore important for the reader to understand the structure of the data. Pretty printing is used to format JSON data into a form that is more readable for humans, and there are many ways to apply it. The ways to pretty-print JSON data using PHP are shown in this tutorial through various examples.
This week's Java roundup for March 14th, 2022, features news from OpenJDK, JDK 19, Spring Framework 6.0-M3 and 5.3.17, Spring Tools 4.14.0, Quarkus 2.7.5, Helidon 3.0-M1, March 2022 Payara Platform, Open Liberty 22.0.0.3 and 22.0.0.4-beta, Hibernate ORM 5.6.7, Hibernate Search 6.1.3 and 6.0.9, JobRunr 5.0-RC1, Apache Camel 3.11.6, Piranha 22.3.0, JReleaser update, and reasons why Java makes sense.
On a daily basis, I work on firmware for an embedded device that uses the Bridgetek FT800. It’s a nifty chip that takes commands over SPI/I2C and turns them into an image displayed on an LCD. It’s very useful for displaying user interfaces with simple microcontrollers. Bridgetek is actually a spinoff company from FTDI, and this kind of solution seems right up their alley — take something complicated like USB or a display controller, and create a simpler interface for dealing with it, such as UART/SPI/I2C.
A couple of days ago the SD card on a Raspberry Pi lost its beady little mind, and I ended up rebuilding the system from scratch. I generally build my own Perl (also from scratch) and then install the modules I need. So that I can have a log file to rummage through in the event of a problem, I start by configuring the CPAN client interactively, and then doing
$ cpan YAML 2>&1 | tee YAML.log
$ cpan Bundle::CPAN 2>&1 | tee Bundle-CPAN.log
Proprietary Software, Security News, and DRM
I heard an electric discharge, a bit like a Jacob's ladder, immediately before a deafening crack of thunder. I'd never been so close to a lightning strike! All of the lights in the house went bright, then dimmed, then went back to normal. "Uh-oh," I thought, "I'm in trouble now." Everything in the house had been hit by a nasty surge and the oft-spoken aphorism that broadband services are now a utility to rank with water and electricity was suddenly very, very, real to me.
But it was electricity I worried about first. I use top of the line surge protectors so my most sensitive devices – computers and monitors, of which I have many – all seemed fine. But I'd overlooked two other connections that come into nearly every home: the antenna and the phone line.
The internet can be a dangerous place. Not a week goes by without a cyber attack taking place. Go H*ck Yourself: A Simple Introduction to Cyber Attacks and Defense by Bryson Payne shows you how many basic cyber attacks work, so you can learn to defend against them. Payne teaches how to perform a variety of hacks to show that they are easy to do.
The book’s eleven chapters begin with straightforward concepts, like using a browser’s inspect tool to make a password field display the password and gaining administrative access to a Windows or Mac using installation media. The third chapter explains how to use VirtualBox to create Kali Linux and Microsoft Windows virtual machines that will be used for the exercises in the following chapters.
The diffoscope maintainers are pleased to announce the release of diffoscope version 209. This version includes the following changes:
* Update R test fixture for R 4.2.x series. (Closes: #1008446)
* Update minimum version of Black to prevent test failure on Ubuntu jammy.
The call to bypass bug bounty firms came from American researcher Katie Moussouris, the founder of Luta Security, and a well-known figure in the infosec industry.
In a thread on Twitter, Moussouris said: "Technically [there is] nothing stopping all [crackers] who participate in bug bounties from refusing to submit bugs via bounty platforms except the threat of being kicked off said platforms (that refuse to employ them all yet use [crackers] as their sole income source) just sayin'. Email the bugs."
US federal agencies have warned of possible threats to American and international satellite communication (SATCOM) networks that could affect customers.
In a joint security alert, the US Cybersecurity and Infrastructure Security Agency (CISA) and FBI "strongly encourage" critical infrastructure operators, along with SATCOM network providers and customers, to put in place a series of mitigation steps to shore up their networks.
It was about 11 p.m. when a restless software developer in Texas discovered that his hobby website, a free public records search engine, had been mentioned in a news story about a massive data breach.
To his horror, the article said the "shadowy website" judyrecords.com — his website — had published hundreds of thousands of the State Bar of California's confidential case files. The state bar declared that it had notified law enforcement.
The Lapsus$ extortion gang briefly alleged over the weekend it had compromised Microsoft.
The devil-may-care cyber-crime ring has previously boasted of breaking into Nvidia, Samsung, Ubisoft, and others. Its modus operandi is to infiltrate a big target's network, exfiltrate sensitive internal data, and then make demands to prevent the public release of this material – and perhaps just release some of it anyway.
"We are aware of the claims and are investigating," a Microsoft spokesperson told The Register on Monday.
On Saturday and Sunday, the crooks shared then deleted on Telegram screenshots suggesting they had broken into Microsoft's internal DevOps environment, as spotted by infosec bod Dominic Alvieri. The screenshot shows internal projects including Bing and Cortana's source code, and WebXT compliance engineering projects.
The Lapsus$ cyber-crime gang, believed to be based in Brazil, until recently was best known for attacks on that country's Ministry of Health and Portuguese media outlets SIC Noticias and Expresso.
However, the gang is climbing up the ladder, swinging at larger targets in the tech industry. Over the past few weeks, those have included Nvidia, Samsung, and Argentine online marketplace operator Mercado Libre. Now, Lapsus$ is suspected of attacking game developer Ubisoft.
Lapsus$ in February compromised Nvidia, stealing a terabyte of data that included proprietary information and employee credentials, and dumping some of the data online. The crew also demanded the GPU giant remove limits on crypto-coin mining from its graphics cards, and open-source its drivers.
The bug, discovered by two Google employees, security researcher Tavis Ormandy and software engineer David Benjamin, and tracked as CVE-2022-0778, affects the BN_mod_sqrt() function in OpenSSL, which computes modular square roots and is used when parsing certificates that carry elliptic curve public keys.
This process can be exploited if an attacker submits a certificate with broken curve parameters, thus triggering an infinite loop in the program and leading to a denial of service.
TAG initially detected Exotic Lily, which the researchers describe as a "resourceful, financially motivated threat actor", in September 2021 exploiting a zero-day flaw in Microsoft MSHTML (tracked as CVE-2021-40444). Further investigation found that the group was acting as an IAB (initial access broker) working with a Russian gang known as FIN12 (the name used by cybersecurity vendors Mandiant and FireEye), Wizard Spider (CrowdStrike) and DEV-0193 (Microsoft).
As Ukraine fights for survival against invading Russian forces, here's a taste of some of the malware the nation's Computer Emergency Response Team (CERT) is battling.
To start, the team earlier this month said miscreants had spammed out emails impersonating government agencies containing links to fake Windows antivirus updates. When these were downloaded and run by a victim, more malware was brought onto the machine, including Cobalt Strike Beacon, which can take over the PC with PowerShell scripts, log keystrokes, take screenshots, exfiltrate files, run other malicious code, attempt to traverse the network, and so on. Beacon is a legit tool developed by HelpSystems mainly for red-team professionals.
The advisory outlines various indicators of compromise (IoCs) that can help companies determine whether they have become AvosLocker victims, as well as a list of mitigation steps they can take. These range from developing a data recovery plan and implementing network segmentation to regularly backing up data, installing and updating antivirus software and installing updates and patches on operating systems.
Users of Western Digital's EdgeRover app for Windows and Mac are advised to download an updated version to avoid a security flaw that might allow an attacker unauthorized access to directories and files.
The flaw, which was given the CVE identification number CVE-2022-22988, carries a Common Vulnerability Scoring System (CVSS) severity rating of 9.1, making it a critical weakness. It has now been addressed, however, with a modification to the way EdgeRover handles file and directory permissions.
[Ed: Mindless openwashing]
Another great day to be a Linux user.
A now-former Apple employee accused of causing the iGiant to lose more than $10m in a super-scam has been charged with conspiracy, laundering, and tax evasion.
Dhirendra Prasad, 52, of San Joaquin County, California, worked at Apple in the US from 2008 to 2018, spending most of his time as a procurer of components and services for his employer's products. It's claimed, among other things, he received bribes, put in parts orders for fake repairs, siphoned off components, and caused Apple to pay for stuff it never actually got, all while he profited on the side.
As prosecutors put it this month, Prasad allegedly exploited his position by "engaging in multiple different schemes to defraud Apple, including taking kickbacks, stealing parts, and causing Apple to pay for items and services it never received, resulting in a loss of more than $10,000,000." He allegedly evaded tax on these ill-gotten gains, laundered them [PDF], and assisted in tax evasion.
A jury in Texas on Wednesday acquitted a former Boeing technical pilot, Mark A. Forkner, of defrauding two of the company’s customers, serving the federal government a defeat in its only criminal case against an individual connected to the troubled Boeing 737 Max jet.
Germany advises citizens to uninstall Kaspersky antivirus [Ed: All proprietary software should be removed, including American ones. They're using secrecy to do malicious things. Russia hasn't a monopoly on that.]
Germany's BSI federal cybersecurity agency has warned the country's citizens not to install Russian-owned Kaspersky antivirus, saying it has "doubts about the reliability of the manufacturer."
Russia-based Kaspersky has long been a target of suspicious rumors in the West over its ownership and allegiance to Russia's rulers.
In an advisory published today, the agency said: "The BSI recommends replacing applications from Kaspersky's virus protection software portfolio with alternative products."
It added: "A Russian IT manufacturer can carry out offensive operations itself, be forced to attack target systems against its will, or be spied on without its knowledge as a victim of a cyber operation, or be misused as a tool for attacks against its own customers."
