Security

Security: Zoom Holes, New Patches and etcd Project Security Committee

Filed under
Security
  • Zoombomber crashes court hearing on Twitter hack with Pornhub video
  • Security updates for Wednesday

    Security updates have been issued by Debian (net-snmp), Fedora (mingw-curl), openSUSE (firefox, ghostscript, and opera), Oracle (libvncserver and postgresql-jdbc), Scientific Linux (postgresql-jdbc), SUSE (firefox, kernel, libX11, xen, and xorg-x11-libX11), and Ubuntu (apport, grub2, grub2-signed, libssh, libvirt, mysql-8.0, ppp, tomcat8, and whoopsie).

  • The CNCF etcd project reaches a significant milestone with completion of security audit

    This week, a third-party security audit was published on etcd, the open source distributed key-value store that plays a crucial role in scaling Kubernetes in the cloud. For etcd, this audit was important in multiple ways. The audit validates the project’s maturity and sheds light on some areas where the project can improve. This sort of audit is required criteria for any project in the Cloud Native Computing Foundation (CNCF) to qualify for graduation from the CNCF.

    Read the CNCF blog post that I co-authored to learn more about the audit and what it uncovered. As one of the project maintainers and one of two members of the etcd Project Security Committee, I’d love to share a few reasons I’m hopeful for etcd’s future and why now is a great time to contribute to etcd’s open source community.

Security: Back Doors, EFF, Trump/Microsoft Blackmail and 1Password on GNU/Linux

Filed under
Security

  • Bill Barr Applauds FOSTA Sponsor's Clone Of Senate's Encryption-Breaking 'Lawful Access' Bill

    I guess those "rule of law" folks don't care if a law is any good or will do what it intends to do without causing significant collateral damage. All they care about is that it's a law and, as a law, everyone should just subject themselves to it with a minimum of complaining.

  • Supporting Digital Freedom at the (Virtual) Summer Security Conferences

    During a typical year, EFF staff members would be headed to Las Vegas to present our latest work to the world and ensure legal support for computer security researchers at the long-running hacker events BSidesLV, Black Hat, and DEF CON. These summer security conferences are a natural opportunity for the curious and the professional to geek out on tech. Hackers, tinkerers, and reverse engineers were among the first to embrace the excitement and potential of their own imaginations in digital space. They have been a core part of EFF and the online freedom community since the beginning, and we relish thanking them face to face.

    But this year, as we each grapple with a sobering pandemic, these conferences have had to undergo big changes and are all happening in virtual space. DEF CON is even free to attend. This pandemic, as well as far-reaching protests, have forced us to rethink much of our daily lives—and these questions can feel overwhelming.

  • TikTok Ban: A Seed of Genuine Security Concern Wrapped in a Thick Layer of Censorship

    It is ironic that, while purporting to protect America from China’s authoritarian government, President Trump is threatening to ban the TikTok app. Censorship of both speech and social media applications, after all, is one of the hallmarks of the Chinese Internet strategy.  While there is significant cause for concern with TikTok’s security, privacy, and its relationship with the Chinese government, we should resist a governmental power to ban a popular means of communication and expression.  

    As is too often the case with government pronouncements, the Trump administration has proposed a ban without specifying what the ban would actually be or what authority allows for it. Rather, the President has said broadly, “we’re banning them from the United States,” or most recently, “it's going to be out of business in the United States.” This could mean a ban on using the app, or perhaps a ban on distributing TikTok in app stores, or maybe something else. Any way you slice it, an effective ban of the scope suggested cannot be squared with the Constitution. 

  • ‘1Password’ App Coming To Linux, Initial Release Available For Download

    The user-friendly and cross-platform password manager app, 1Password, is finally coming for all Linux platforms with full-feature and native support. Currently, a development preview for Linux has been unveiled.

    This is the initial release for testing and validation purposes only. Hence, you should not use its Linux development preview for production or business environments.

    As planned, an official release with long-term support will be announced later this year after including new updates, features, and changes over the next few months. However, if you want a stable version of 1Password for Linux, you can use 1Password X in your browser.

    1Password is available for all devices, browsers, and operating systems such as Windows, macOS, iOS, Android, Chrome OS, Google Chrome, Brave, Edge, and Firefox. And now it is also going to be available for Linux desktop as well.

Security: Ransom, Patches and Back Doors

Filed under
Security

           

  • Dozens of NGOs hit by hack on US fundraising database

    A major ransomware attack has affected dozens of international NGOs and their records of private donations, but details of the hit on a US fundraising platform are scarce, and two weeks after being warned some aid groups are yet to notify their donors or the public.

    International aid groups – and their private donors – are among those whose data was hacked in a security breach at online service provider Blackbaud. Names, addresses, and records of individual donations were compromised by hackers, who were paid an undisclosed ransom to return the data and delete any copies. 

    World Vision, Save the Children, and Human Rights Watch are among the large nonprofits impacted by the breach, and media reports suggest at least 200 customers of US-based Blackbaud were involved, although the company has not provided a list of affected clients.

    Alan Bryce, an official at the Charity Commission – the legal regulator in England and Wales – told The New Humanitarian that, as of 4 August, 63 UK-based charities had notified them after being affected by the ransomware attack.

    Bryce suggested NGOs were likely to tighten up procedures following the incident, in which hackers gained control of client data on Blackbaud’s systems and locked the company out until payment was made. “Charities who have suffered cybercrime go on to revise their IT security, their training programmes, or their website security,” he said. “Do not wait until it is too late for your charity.”

  • The fixes to the Linux BootHole fixes are in

    The first release of patches to the Linux BootHole came with a show-stopping problem. The fixed machines wouldn't boot. For the most part, that problem has been solved.

  • GRUB2 Boot Failure Issues Fixed in Debian and Ubuntu, Update Now

    The recent GRUB2 updates that patched some serious security vulnerabilities also caused boot failure issues for some users, so fixes for these regressions have started appearing for some distros, including Debian and Ubuntu.

    Last week, I was reporting on the BootHole vulnerability (and some other seven flaws) found in the GRUB2 bootloader, which is used by almost all GNU/Linux distributions out there. The issues opened up systems using Secure Boot to attacks, allowing local attackers to bypass UEFI Secure Boot restrictions and execute arbitrary code.

    Due to a highly coordinated effort between the security researchers who discovered the vulnerability and Linux OS maintainers, most GNU/Linux distributions were able to provide patches for their users. However, for some, these patches broke the Secure Boot implementation and left people with unbootable systems.

  • IoT Security Vulnerabilities are Ubiquitous: How To Secure Your Router and Your Linux System Now

    Luckily, there are various measures that Linux users can take to secure their wireless routers and protect their systems - most notably, conducting a Linux firmware replacement. This article will explore the benefits of “flashing” your wireless router with alternative open-source firmware, and will introduce some great alternative firmwares and single-purpose OSes that you may wish to look into.

    [...]

    Recent security research has made it clear that router manufacturers are dropping the ball on security - a discouraging trend in the industry that needs to change. However, given this unfortunate reality, it is imperative that users assume responsibility for securing their wireless routers.

Security Leftovers

Filed under
Security

           

  • DNS configuration recommendations for IPFire users

    If you are familiar with IPFire, you might have noticed DNSSEC validation is mandatory, since it defeats entire classes of attacks. We receive questions like "where is the switch to turn off DNSSEC" on a regular basis, and to say it once and for all: There is none, and there will never be one. If you are running IPFire, you will be validating DNSSEC. Period.

    Another question frequently asked is why IPFire does not support filtering DNS replies for certain FQDNs, commonly referred to as a Response Policy Zone (RPZ). This is because an RPZ does what DNSSEC attempts to secure users against: Tamper with DNS responses. From the perspective of a DNSSEC-validating system, an RPZ will just look like an attacker (if the queried FQDN is DNSSEC-signed, which is what we strive for as much of them as possible), thus creating a considerable amount of background noise. Obviously, this makes detecting ongoing attacks very hard, most times even impossible - the haystack to search just becomes too big.

    Further, it does not cover direct connections to hardcoded IP addresses, which is what some devices and attackers usually do, as it does not rely on DNS to be operational and does not leave any traces. Using an RPZ will not make your network more secure, it just attempts to cover up the fact that certain devices within it cannot be trusted.

    Back to DNSSEC: In case the queried FQDNs are signed, forged DNS replies are detected since they do not match the RRSIG records retrieved for that domain. Instead of being transparently redirected to a fraudulent web server, the client will only display an error message to its user, indicating a DNS lookup failure. Large-scale attacks by returning forged DNS replies are frequently observed in the wild (the DNSChanger trojan is a well-known example), which is why you want to benefit from validating DNSSEC and more and more domains being signed with it.

  • Security updates for Tuesday

    Security updates have been issued by Debian (libx11, webkit2gtk, and zabbix), Fedora (webkit2gtk3), openSUSE (claws-mail, ghostscript, and targetcli-fb), Red Hat (dbus, kpatch-patch, postgresql-jdbc, and python-pillow), Scientific Linux (libvncserver and postgresql-jdbc), SUSE (kernel and python-rtslib-fb), and Ubuntu (ghostscript, sqlite3, squid3, and webkit2gtk). 

  • Official 1Password Linux App is Available for Testing

    An official 1Password Linux app is on the way, and brave testers are invited to try an early development preview.

    1Password is a user-friendly (and rather popular) cross-platform password manager. It provides mobile apps and browser extensions for Windows, macOS, Android, iOS, Google Chrome, Edge, Firefox — and now a dedicated desktop app for Linux, too.

  • FBI Warns of Increased DDoS Attacks

    The Federal Bureau of Investigation warned in a “private industry notification” last week that attackers are increasingly using amplification techniques in distributed denial-of-service attacks. There has been an uptick in attack attempts since February, the agency’s Cyber Division said in the alert.

    An amplification attack occurs when attackers send a small number of requests to a server and the server responds with numerous responses. The attackers spoof the IP address to make it look like the requests are coming from a specific victim, and the resulting responses overwhelm the victim’s network.

    “Cyber actors have exploited built-in network protocols, designed to reduce computation overhead of day-to-day system and operational functions to conduct larger and more destructive distributed denial-of-service amplification attacks against US networks,” the FBI alert said. Copies of the alert were posted online by several recipients, including threat intelligence company Bad Packets.

  • NSA issues BootHole mitigation guidance

    Following the disclosure of a widespread buffer-flow vulnerability that could affect potentially billions of Linux and Windows-based devices, the National Security Agency issued a follow-up cybersecurity advisory highlighting the bug and offering steps for mitigation.

    The vulnerability -- dubbed BootHole -- impacts devices and operating systems that use signed versions of the open-source GRUB2 bootloader software found in most Linux systems. It also affects any system or device using Secure Boot -- a root firmware interface responsible for validating the booting process -- with Microsoft's standard third party certificate authority. The vulnerability enables attackers to bypass Secure Boot to allow arbitrary code execution and “could be used to install persistent and stealthy bootkits,” NSA said in a press statement.

Security Leftovers

Filed under
Security

  • Security updates for Monday

    Security updates have been issued by Arch Linux (ffmpeg, libjcat, mbedtls, tcpreplay, and wireshark-cli), Debian (ark, evolution-data-server, libjpeg-turbo, libopenmpt, libpam-radius-auth, libphp-phpmailer, libssh, ruby-zip, thunderbird, and transmission), Fedora (chromium, clamav, claws-mail, evolution-data-server, freerdp, glibc, java-latest-openjdk, nspr, and nss), Gentoo (libsndfile, pycrypto, python, snmptt, thunderbird, and webkit-gtk), Mageia (botan2, chocolate-doom, cloud-init, dnsmasq, freerdp/remmina, gssdp/gupnp, java-1.8.0-openjdk, matio, microcode, nasm, openjpeg2, pcre2, php-phpmailer, redis, roundcubemail, ruby-rack, thunderbird, virtualbox, and xerces-c), openSUSE (claws-mail, ldb, and libraw), Oracle (firefox), Red Hat (bind, grub2, kernel-rt, libvncserver, nss and nspr, and qemu-kvm-rhev), Scientific Linux (firefox), Slackware (thunderbird), and SUSE (firefox, kernel, and targetcli-fb).

  • The 9 Best Cross-Platform Password Managers

    Bitwarden open-source password manager comes at no cost and is rated as the best password manager. It provides a multi device sync option and unlimited passwords. Its free version helps in saving identities, credit cards and notes.

  • Linux Foundation announces new initiative to secure open-source software

    The Linux Foundation said today it’s presiding over a new foundation that brings some of the world’s most important open-source security initiatives under a new umbrella.

    The newly launched Open Source Security Foundation will host security projects such as the Core Infrastructure Initiative, which was set up in response to the infamous Heartbleed vulnerability discovered in the Open SSL protocol in 2014, and the Open Source Security Coalition, founded by GitHub Inc.’s Security Lab in 2019.

  • Technology and Enterprise Leaders Combine Efforts to Improve Open Source Security

    The Linux Foundation today announced the formation of the Open Source Security Foundation (OpenSSF). The OpenSSF is a cross-industry collaboration that brings together leaders to improve the security of open source software (OSS) by building a broader community with targeted initiatives and best practices. It combines efforts from the Core Infrastructure Initiative, GitHub’s Open Source Security Coalition and other open source security work from founding governing board members GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation and Red Hat, among others. Additional founding members include ElevenPaths, GitLab, HackerOne, Intel, Okta, Purdue, SAFECode, StackHawk, Trail of Bits, Uber and VMware.

The Best Authenticator Apps for Linux Desktop

Filed under
GNU
Linux
Security

If you have ever used two-factor authentication before, then you have probably heard of tools like Google Authenticator. To make use of many of these services, you’ll have to have your phone near you. Luckily, there are desktop authenticator apps that can provide you with the secret key you need to log in to your account. Below are the best authenticator apps for the Linux desktop.

[...]

Yubico works with a hardware security token known as the Yubikey. You can store your credentials on this as opposed to on your device. This hardware security token can even be further secured by choosing to unlock it with either FaceID or TouchID.

With Yubico, you will also be able to easily transition between devices, even after upgrading. The Yubico app lets you generate multiple secrets across devices, making it simple for you to switch.

I have to admit that the security offered by a physical token like the Yubikey is great. However, users must bear in mind that they must have the key with them if they wish to use two-factor authentication. I know you may argue and say this is no better than having to carry a phone with you. However, you can’t put your phone on a keychain! Additionally, it’s tough to crack a hardware token. Someone would have to steal it from you if they wanted to access your data. Even after doing that, they still won’t know any of your passwords or anything else of the sort.

With Yubico Authenticator, you first have to insert your key before you can add services to the app. After inserting your key, you can then add a security token from a service you want to enable two-factor authentication for. This is an app more for a power user due to the steps that must be taken to get it set up.

Security and Some FUD/Alarmist Slant

Filed under
Security

           

  • Reproducible Builds (diffoscope): diffoscope 154 released

    The diffoscope maintainers are pleased to announce the release of diffoscope version 154. This version includes the following changes:

    [ Chris Lamb ]
    * Add support for F2FS filesystems.
      (Closes: reproducible-builds/diffoscope#207)
    * Allow "--profile" as a synonym for "--profile=-".
    * Add an add_comment helper method so don't mess with our _comments list
      directly.
    * Add missing bullet point in a previous changelog entry.
    * Use "human-readable" over unhyphenated version.
    * Add a bit more debugging around launching guestfs.
    * Profile the launch of guestfs filesystems.
    * Correct adding a comment when we cannot extract a filesystem due to missing
      guestfs module.
    
  • BootHole fixes causing boot problems across multiple Linux distros

  • Red Hat Security Update Renders Systems Unbootable

    Update, shared by PAjamian: Red Hat is now recommending that users do not apply grub2, fwupd, fwupdate or shim updates until new packages are available.

  • Red Hat and CentOS systems aren’t booting due to BootHole patches

    Early this morning, an urgent bug showed up at Red Hat's bugzilla bug tracker—a user discovered that the RHSA_2020:3216 grub2 security update and RHSA-2020:3218 kernel security update rendered an RHEL 8.2 system unbootable. The bug was reported as reproducible on any clean minimal install of Red Hat Enterprise Linux 8.2.

  • Bug in widely used bootloader opens Windows, Linux devices to persistent compromise

    CVE-2020-10713, named “BootHole” by the researchers who discovered it, can be used to install persistent and stealthy bootkits or malicious bootloaders that will operate even when the Secure Boot protection mechanism is enabled and functioning.

    “The vulnerability affects systems using Secure Boot, even if they are not using GRUB2. Almost all signed versions of GRUB2 are vulnerable, meaning virtually every Linux distribution is affected,” the researchers explained.

    “In addition, GRUB2 supports other operating systems, kernels and hypervisors such as Xen. The problem also extends to any Windows device that uses Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority. Thus the majority of laptops, desktops, servers and workstations are affected, as well as network appliances and other special purpose equipment used in industrial, healthcare, financial and other industries. This vulnerability makes these devices susceptible to attackers such as the threat actors recently discovered using malicious UEFI bootloaders.”

    The researchers have done a good job explaining in detail the why, where and how of the vulnerability, and so did Kelly Shortridge, the VP of Product Management and Product Strategy at Capsule8. The problem effectively lies in the fact that a GRUB2 configuration file can be modified by attackers to make sure that their own malicious code runs before the OS is loaded.

  • Security updates for Friday

    Security updates have been issued by Debian (grub2 and mercurial), Fedora (chromium, firefox, and freerdp), Oracle (firefox and kernel), Red Hat (firefox), Scientific Linux (firefox, grub2, and kernel), and SUSE (ghostscript and targetcli-fb). 

  • Linux warning: TrickBot malware is now infecting your systems [Ed: "Linux warning" is alarmism because it does not do anything on its own, it's just exploiting already-compromised servers, e.g. weak password and misconfiguration]
  • Beware! TrickBot Malware Is Now Infecting Linux Devices

New Security Patches and New UEFI 'Secure' Boot Catastrophe

Filed under
Server
Security
  • Security updates for Thursday

    Security updates have been issued by Arch Linux (webkit2gtk), CentOS (GNOME, grub2, and kernel), Debian (firefox-esr, grub2, json-c, kdepim-runtime, libapache2-mod-auth-openidc, net-snmp, and xrdp), Gentoo (chromium and firefox), Mageia (podofo), openSUSE (knot and tomcat), Oracle (grub2, kernel, postgresql-jdbc, and python-pillow), Red Hat (firefox, grub2, kernel, and kernel-rt), SUSE (grub2), and Ubuntu (firefox, grub2, grub2-signed, and librsvg).

  • Grub2 updates for Red Hat systems are making some unbootable

    As reported in the comments on the Grub2 secure-boot vulnerabilities report, the updates for grub2 for RHEL 8 and CentOS 8 are making some systems unbootable. The boot problems are seemingly unrelated to whether the system has secure boot enabled. It may be worth waiting a bit for that to shake out.

  • Servers at risk from “BootHole” bug – what you need to know

    That’s our tongue-in-cheek name for a cybersecurity vulnerability that not only gets assigned an identifier like CVE-2020-10713, but also acquires an impressive name plus a jaunty logo (and even, in one intriguing case, a theme tune).

    This month’s bug with an impressive name (see what we did there?) is called BootHole, and its logo rather cheekily shows a boot with a worm sticking out of a hole in the toecap.

    The bad news is that this bug affects the integrity of bootup process itself, meaning that it provides a way for attackers to insert code that will run next time you restart your device, but during the insecure period after you turn on the power but before the operating system starts up.

    The good news for most of us is that it relies on a bug in a bootloader program known as GRUB, short for Grand Unified Boot Loader, which is rarely found on Windows or Mac computers.

  • Why the GRUB2 Secure Boot Flaw Doesn’t Affect Purism Computers

    To understand why this flaw does not affect Purism computers, it helps to understand why UEFI Secure Boot exists to begin with, and how it and the security exploit works. Attacks on the boot process are particularly nasty as they occur before the system’s kernel gets loaded. Attackers who have this ability can then compromise the kernel before it runs, allowing their attack to persist through reboots while also hiding from detection. UEFI Secure Boot is a technology that aims to protect against these kinds of attacks by signing boot loaders like GRUB2 with private keys controlled ultimately by Microsoft. UEFI Firmware on the computer contains the public certificate counterparts for those private keys. At boot time UEFI Secure Boot checks the signatures of the current GRUB2 executable and if they don’t match, it won’t allow the executable to run.

    If you’d like to understand the GRUB2 vulnerability in more detail, security journalist Dan Goodin has a great write-up at Ars Technica. In summary, an attacker can trigger a buffer overflow in GRUB2 as it parses the grub.cfg configuration file (this file contains settings for the GRUB2 menu including which kernels to load and what kernel options to use). This buffer overflow allows the attacker to modify GRUB2 code in memory and execute malicious code of their choice, bypassing the protection UEFI Secure Boot normally would have to prevent such an attack.

    Unfortunately, UEFI Secure Boot doesn’t extend its signature checks into configuration files like grub.cfg. This means you can change grub.cfg without triggering Secure Boot and the attack exploited that limitation to modify grub.cfg in a way that would then exploit the running GRUB2 binary after it had passed the signature check.

    Further complicating the response to this vulnerability is the fact that it’s not enough to patch GRUB2. Because the vulnerable GRUB2 binaries have already been signed by Microsoft’s certificate, an attacker could simply replace a patched GRUB2 with the previous, vulnerable version. Patching against this vulnerability means updating your UEFI firmware (typically using reflashing tools and firmware provided by your vendor) so that it can add the vulnerable GRUB2 binary signatures to its overall list of revoked signatures.

IPFire 2.25 - Core Update 148 is available for testing

Filed under
GNU
Linux
Security

As we have already pre-announced some time ago this side-project inside the IPFire Project is finally ready for prime time.

It comes with a new implementation to build, organise and access a highly optimised database packages with loads of helpful data for our firewall engines, as well as our analytics to analyse where attacks against the firewall are originating from.

With it, IPFire can block attackers from certain countries, or do the opposite - only permit access to certain servers from certain places. Combining rules with the rate-limiting feature allows to limit connections from certain locations which is very helpful for DoS attacks.

No new features have been added, but those that we had have been massively improved. The database is now being updated once a week which makes it more accurate and we no longer require complicated scripts to convert it into different formats to be used in different parts of the operating system.

Instead the database can be opened and ready extremely quickly which allows access in realtime making pages on the web user interface load significantly faster.

We hope that many other projects choose to use our implementation as well, since we have chosen a truly open license for the data as well as the library that works behind it.

I will talk more about this in a later blog post and explain to you the advantages of libloc.

OPNsense® 20.7 "Legendary Lion" released

Filed under
Security
BSD

For five and a half years, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

20.7, nicknamed "Legendary Lion", is a major operating system jump forward on a sustainable firewall experience. This release adds DHCPv6 multi-WAN, custom error pages for the web proxy, Suricata 5, HardenedBSD 12.1, netstat tree view, basic firewall API support (via plugin) and extended live log filtering amongst others.

Download links, an installation guide[1] and the checksums for the images can be found below as well.

More in Tux Machines

5 tips for making documentation a priority in open source projects

Open source software is now mainstream; long gone are the days when open source projects attracted developers alone. Nowadays, users across numerous industries are active consumers of open source software, and you can't expect everyone to know how to use the software just by reading the code. Even for developers (including those with plenty of experience in other open source projects), good documentation serves as a valuable onboarding tool when people join a community. People who are interested in contributing to a project often start by working on documentation to get familiar with the project, the community, and the community workflow.

5 reasons to run Kubernetes on your Raspberry Pi homelab

There's a saying about the cloud, and it goes something like this: The cloud is just somebody else's computer. While the cloud is actually more complex than that (it's a lot of computers), there's a lot of truth to the sentiment. When you move to the cloud, you're moving data and services and computing power to an entity you don't own or fully control. On the one hand, this frees you from having to perform administrative tasks you don't want to do, but, on the other hand, it could mean you no longer control your own computer. This is why the open source world likes to talk about an open hybrid cloud, a model that allows you to choose your own infrastructure, select your own OS, and orchestrate your workloads as you see fit. However, if you don't happen to have an open hybrid cloud available to you, you can create your own—either to help you learn how the cloud works or to serve your local network.

today's howtos and leftovers

  • Linux commands for user management
  • CONSOOM All Your PODCASTS From Your Terminal With Castero
  • Install Blender 3D on Debian 10 (Buster)
  • Things To Do After Installing openSUSE Leap 15.2
  • GSoC Reports: Fuzzing Rumpkernel Syscalls, Part 2

    I have been working on Fuzzing Rumpkernel Syscalls. This blogpost details the work I have done during my second coding period.

  • Holger Levsen: DebConf7

    DebConf7 was also special because it had a very special night venue, which was in an ex-church in a rather normal building, operated as sort of community center or some such, while the old church interior was still very much visible as in everything new was built around the old stuff. And while the night venue was cool, it also meant we (video team) had no access to our machines over night (or for much of the evening), because we had to leave the university over night and the networking situation didn't allow remote access with the bandwidth needed to do anything video. The night venue had some very simple house rules, like don't rearrange stuff, don't break stuff, don't fix stuff and just a few little more and of course we broke them in the best possible way: Toresbe with the help of people I don't remember fixed the organ, which was broken for decades. And so the house sounded in some very nice new old tune and I think everybody was happy we broke that rule.

Programming Leftovers

  • Podcast: COBOL development on the mainframe

    Nic reached out when COBOL hit the news this spring to get some background on what COBOL is good for historically, and where it lives in the modern infrastructure stack. I was able to talk about the basics of COBOL and the COBOL standard, strengths today in concert with the latest mainframes, and how COBOL back-end code is now being integrated into front ends via intermediary databases and data-interchange formats like JSON, which COBOL natively supports.

  • What I learned while teaching C programming on YouTube

    The act of breaking something down in order to teach it to others can be a great way to reacquaint yourself with some old concepts and, in many cases, gain new insights. I have a YouTube channel where I demonstrate FreeDOS programs and show off classic DOS applications and games. The channel has a small following, so I tend to explore the topics directly suggested by my audience. When several subscribers asked if I could do more videos about programming, I decided to launch a new video series to teach C programming. I learned a lot from teaching C, and in the process, I came across some meaningful takeaways I think others will appreciate.

    Make a plan

    For my day job, I lead training and workshops to help new and emerging IT leaders develop new skills. Outside of regular work, I also enjoy teaching as an adjunct professor. So I'm very comfortable constructing a course outline and designing a curriculum. That's where I started. If you want to teach a subject effectively, you can't just wing it. Start by writing an outline of what topics you want to cover and figure out how each new topic will build on the previous ones. The "building block" method of adding new knowledge is key to an effective training program.

  • Google's Flutter 1.20 framework is out: VS Code extension and mobile autofill support
  • Google Engineers Propose "Machine Function Splitter" For Faster Performance

    Google engineers have been working on the Machine Function Splitter as their means of making binaries up to a few percent faster thanks to this compiler-based approach. They are now seeking to upstream the Machine Function Splitter into LLVM. The Machine Function Splitter is a code generation optimization pass for splitting code functions into hot and cold parts. This stems from research showing that in roughly half of code functions, more than 50% of the code bytes are never executed but are generally loaded into the CPU's data cache.

  • Modernize network function development with this Rust-based framework

    The world of networking has undergone monumental shifts over the past decade, particularly in the ongoing move from specialized hardware into software defined network functions (NFV) for data plane and packet processing. While the transition to software has fashioned the rise of SDN (Software-defined networking) and programmable networks, new challenges have arisen in making these functions flexible, efficient, easier to use, and fast (i.e. little to no performance overhead). Our team at Comcast wanted to both leverage what the network does best, especially with regards to its transport capacity and routing mechanisms, while also being able to develop network programs through a modern software lens—stressing testing, swift iteration, and deployment. So, with these goals in mind, we developed Capsule, a new framework for network function development, written in Rust, inspired by Berkeley's NetBricks research, and built on Intel's Data Plane Development Kit (DPDK).

  • This Week in Rust 350
  • Firefox extended tracking protection

    This Mozilla Security Blog entry describes the new redirect-tracking protections soon to be provided by the Firefox browser.

  • Karl Dubost: Browser developer tools timeline

    I was reading In a Land Before Dev Tools by Amber, and I thought, Oh here missing in the history the beautifully chiseled Opera Dragonfly and F12 for Internet Explorer. So let's see what are all the things I myself didn't know.

  • Daniel Stenberg: Upcoming Webinar: curl: How to Make Your First Code Contribution

    Abstract: curl is a wildly popular and well-used open source tool and library, and is the result of more than 2,200 named contributors helping out. Over 800 individuals wrote at least one commit so far. In this presentation, curl’s lead developer Daniel Stenberg talks about how any developer can proceed in order to get their first code contribution submitted and ultimately landed in the curl git repository. Approach to code and commits, style, editing, pull-requests, using github etc. After you’ve seen this, you’ll know how to easily submit your improvement to curl and potentially end up running in ten billion installations world-wide.