Matthew Palmer: First Step with Clojure: Terror

Planet Debian - Thu, 24/07/2014 - 2:30am

    $ sudo apt-get install -y leiningen
    [...]
    $ lein new scratch
    [...]
    $ cd scratch
    $ lein repl
    Downloading: org/clojure/clojure/1.3.0/clojure-1.3.0.pom from repository central at http://repo1.maven.org/maven2
    Transferring 5K from central
    Downloading: org/sonatype/oss/oss-parent/5/oss-parent-5.pom from repository central at http://repo1.maven.org/maven2
    Transferring 4K from central
    Downloading: org/clojure/clojure/1.3.0/clojure-1.3.0.jar from repository central at http://repo1.maven.org/maven2
    Transferring 3311K from central
    [...]

Wait… what? lein downloads some random JARs from a website over HTTP[1], with, as far as I can tell, no verification that what I’m asking for is what I’m getting (has nobody ever heard of Man-in-the-Middle attacks in Maven land?). It downloads a .sha1 file to (presumably) do integrity checking, but that’s no safety net – if I can serve you a dodgy .jar, I can serve you an equally-dodgy .sha1 file, too (also, SHA256 is where all the cool kids are at these days). Finally, jarsigner tells me that there’s no signature on the .jar itself, either.

It gets better, though. The repo1.maven.org site is served by the fastly.net[2] pseudo-CDN[3], which adds another set of points in the chain which can be subverted to hijack and spoof traffic. More routers, more DNS zones, and more servers.

I’ve seen Debian take a kicking more than once because packages aren’t individually signed, or because packages aren’t served over HTTPS. But at least Debian’s packages can be verified by chaining to a signature made by a well-known, widely-distributed key, signed by two Debian Developers with very well-connected keys.

This repository, on the other hand… oy gevalt. There are OpenPGP (GPG) signatures available for each package (tack .asc onto the end of the .jar URL), but no attempt was made to download the signatures for the .jar I downloaded. Even if the signature was downloaded and checked, there’s no way for me (or anyone) to trust the signature – the signature was made by a key that’s signed by one other key, which itself has no signatures. If I were an attacker, it wouldn’t be hard for me to replace that key chain with one of my own devising.

Even ignoring everyone living behind a government- or company-run intercepting proxy, and everyone using public wifi, it’s pretty well common knowledge by now (thanks to Edward Snowden) that playing silly-buggers with Internet traffic isn’t hard to do, and there’s no shortage of evidence that it is, in fact, done on a routine basis by all manner of people. Serving up executable code to a large number of people, in that threat environment, with no way for them to have any reasonable assurance that code is trustworthy, is very disappointing.

Please, for the good of the Internet, improve your act, Maven. Putting HTTPS on your distribution would be a bare minimum. There are attacks on SSL, sure, but they’re a lot harder to pull off than sitting on public wifi hijacking TCP connections. Far better would be to start mandating signatures, requiring signature checks to pass, and having all signatures chain to a well-known, widely-trusted, and properly secured trust root. Signing all keys that are allowed to upload to maven.org with a “maven.org distribution root” key (itself kept in hardware and only used offline), and then verifying that all signatures chain to that key, wouldn’t be insanely difficult, and would greatly improve the security of the software supply chain. Sure, it wouldn’t be perfect, but don’t make the perfect the enemy of the good. Cost-effective improvements are possible here.
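The two checks discussed above, the .sha1 sidecar that ships next to the .jar and the "every uploader key must chain to a distribution root" rule proposed here, as an added example written for this page (it is not code from the post, from Leiningen or from Maven). The artifact bytes, digests and key ids are all constructed for the demonstration, and the key graph is a plain "who certified whom" table rather than real OpenPGP packets:

```python
"""Added example (not from the post): what a Maven-style .sha1 sidecar does
and does not prove, and the "chain every uploader key to a distribution
root" check the post proposes.  All artifacts, digests and key ids below
are constructed for the demonstration."""
import hashlib
import hmac
from collections import deque
from typing import Mapping, Set

HEX = set("0123456789abcdef")


def parse_checksum_sidecar(text: str) -> str:
    """Return the hex digest from a Maven sidecar file.

    Real sidecars hold the digest, sometimes followed by whitespace and the
    artifact name; anything that is not hex is rejected rather than compared.
    """
    fields = text.strip().split()
    if not fields:
        raise ValueError("empty checksum file")
    digest = fields[0].lower()
    if set(digest) - HEX:
        raise ValueError("checksum file does not start with a hex digest")
    return digest


def checksum_matches(artifact: bytes, sidecar_text: str, algorithm: str = "sha1") -> bool:
    """Integrity check: does the artifact hash to the value in the sidecar?

    This only detects accidental corruption or a mismatch between the two
    files.  If both come from the same untrusted channel, anyone who can
    replace the artifact can regenerate the sidecar too.
    """
    expected = parse_checksum_sidecar(sidecar_text)
    actual = hashlib.new(algorithm, artifact).hexdigest()
    return hmac.compare_digest(expected, actual)


def make_sidecar(artifact: bytes, algorithm: str = "sha1") -> str:
    """What a repository (or whoever controls the network path) writes next to an artifact."""
    return hashlib.new(algorithm, artifact).hexdigest() + "\n"


def chains_to_root(key_id: str, certifications: Mapping[str, Set[str]],
                   root_id: str, max_depth: int = 3) -> bool:
    """Authenticity check the post argues for: the signing key must chain,
    through key certifications, to a well-known distribution root key.

    certifications[k] is the set of key ids that have certified key k.
    Breadth-first search bounded by max_depth, so an arbitrarily long chain
    of mutually-certifying keys cannot reach the root by accident.
    """
    if key_id == root_id:
        return True
    seen = {key_id}
    queue = deque([(key_id, 0)])
    while queue:
        current, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for certifier in certifications.get(current, set()):
            if certifier == root_id:
                return True
            if certifier not in seen:
                seen.add(certifier)
                queue.append((certifier, depth + 1))
    return False


def demo() -> dict:
    """Run the scenarios from the post against constructed data."""
    genuine_jar = b"PK\x03\x04 constructed clojure-1.3.0.jar contents"
    genuine_sidecar = make_sidecar(genuine_jar)
    tampered_jar = genuine_jar + b" plus injected code"

    results = {
        # Genuine artifact and its sidecar: passes.
        "genuine": checksum_matches(genuine_jar, genuine_sidecar),
        # Artifact altered in transit, sidecar untouched: caught.
        "tampered_old_sidecar": checksum_matches(tampered_jar, genuine_sidecar),
        # Artifact and sidecar both replaced on the same untrusted path:
        # the checksum passes and proves nothing about who built the jar.
        "tampered_new_sidecar": checksum_matches(tampered_jar, make_sidecar(tampered_jar)),
    }

    # Constructed key graph: the uploader key is certified by one other key
    # that nobody has certified (the situation the post describes).
    orphaned = {"UPLOADER": {"INTERMEDIATE"}, "INTERMEDIATE": set()}
    results["orphaned_chain"] = chains_to_root("UPLOADER", orphaned, "MAVEN_ROOT")

    # Same graph once a distribution root key has certified the intermediate.
    rooted = {"UPLOADER": {"INTERMEDIATE"}, "INTERMEDIATE": {"MAVEN_ROOT"}}
    results["rooted_chain"] = chains_to_root("UPLOADER", rooted, "MAVEN_ROOT")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'pass' if ok else 'FAIL'}")
```

The third checksum scenario is the one the post is about: a regenerated sidecar passes, so the .sha1 file only guards against corruption. The chain check is what turns a signature into something a client can act on; a signature from a key with no path to a pinned root should be treated exactly like no signature at all.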

Yes, security is hard. But you don’t get to ignore it just because of that, when you’re creating an attractive nuisance for anyone who wants to own up a whole passel of machines by slipping some dodgy code into a widely-used package.

  1. To add insult to injury, it appears to ignore my http_proxy environment variable, and the repo1.maven.org server returns plain-text error responses with Content-Type: text/xml. But at this point, that’s just icing on the shit cake.

  2. At one point in the past, my then-employer (a hosting provider) blocked Fastly’s caching servers from their network because they took down a customer site with a massive number of requests to a single resource, and the incoming request traffic was indistinguishable from a botnet-sourced DDoS attack. The requests were coming from IP space registered to a number of different ISPs, with no distinguishing rDNS (184-106-82-243.static.cloud-ips.com doesn’t help me to distinguish between “I’m a professionally-run distributed proxy” and “I’m a pwned box here to hammer your site into the ground”).

  3. Pretty much all of the new breed of so-called CDNs aren’t actually pro-actively distributing content, they’re just proxies. That isn’t a bad thing, per se, but I rather dislike the far-too-common practice of installing varnish (and perhaps mod_pagespeed, if they’re providing “advanced” capabilities) on a couple of AWS instances, and hanging out your shingle as a CDN. I prefer a bit of truth in my advertising.

Microsoft's CEO Says He Wants to Unify Windows

Slashdot.org - Thu, 24/07/2014 - 1:48am
Deathspawner writes: A lot of people have never been able to understand the logic behind Microsoft's Windows RT, with many urging the company to kill it off so that it can focus on more important products, like the mainline Windows. Well, this is probably not going to come as a huge surprise, especially in light of mass layoffs announced last week, but Microsoft CEO Satya Nadella has said that his company will be working to combine all Windows versions into a unified release by next year.

Read more of this story at Slashdot.

Raspberry Pi Gameboy

Slashdot.org - Thu, 24/07/2014 - 1:00am
An anonymous reader writes: An enterprising hacker took on a project to rebuild a broken Gameboy using emulation software, a Raspberry Pi, and a few other easily-obtainable parts. The result: success! The hacker has posted a detailed walkthrough explaining all of the challenges and how they were solved. "Using a Dremel, I cut out most of the battery compartment as well as some posts on the case for the LCD that would no longer be needed. Doing so, the Pi sits flush with the back of the DMG case. ... The screen was the first challenge. The screen runs off 12V out of the box which wouldn't work with the USB battery pack. The USB battery pack is rated at 5V, 1000mAH so the goal was to modify the screen to allow it to run at 5V. ... I finally got it to work by removing the power converter chip as well as soldering a jumper between the + power in and the resistor on the top right."

Read more of this story at Slashdot.

Russ Allbery: WebAuth 4.6.1

Planet Debian - Thu, 24/07/2014 - 12:59am

This is a bug-fix release of the WebAuth site-wide web authentication system. As is typical, I accumulated a variety of minor bug fixes and improvements that I wanted to get into a release before starting larger work (in this case, adding JSON support for the user information service protocol).

The most severe bug fix is something that only folks at Stanford would notice: support for AuthType StanfordAuth was broken in the 4.6.0 release. This is for legacy compatibility with WebAuth 2.5. It has been fixed in this release.

In other, more minor bug fixes, build issues when remctl support is disabled have been fixed, expiring password warnings are shown in WebLogin after any POST-based authentication, the confirmation page is forced if authorization identity switching is available, the username field is verified before multifactor authentication to avoid subsequent warnings, newlines and tabs are allowed in the XML sent from the WebKDC for user messages, empty RT and ST parameters are correctly diagnosed, and there are some documentation improvements.

The main new feature in this release is support for using FAST armor during password authentication in mod_webkdc. A new WebKdcFastArmorCache directive can be set to point at a Kerberos ticket cache to use for FAST armor. If set, FAST is required, so the KDC must support it as well. This provides better wire security for the initial password authentication to protect against brute-force dictionary attacks against the password by a passive eavesdropper.

This release also adds a couple of new factor types, mp (mobile push) and v (voice), that Stanford will use as part of its Duo Security integration.

Note that, for the FAST armor feature, there is also an SONAME bump in the shared library in this release. Normally, I wouldn't bump the SONAME in a minor release, but in this case the feature was fairly minor and most people will not notice the change, so it didn't feel like it warranted a major release. I'm still of two minds about that, but oh well, it's done and built now. (At least I noticed that the SONAME bump was required prior to the release.)

You can get the latest release from the official WebAuth distribution site or from my WebAuth distribution pages.

VP Biden Briefs US Governors On H-1B Visas, IT, and Coding

Slashdot.org - Thu, 24/07/2014 - 12:19am
theodp writes: Back in 2012, Computerworld blasted Vice President Joe Biden for his ignorance of the H-1B temporary work visa program. But Joe's got his H-1B story and he's sticking to it, characterizing the visa program earlier this month in a speech to the National Governors Association as "apprenticeships" of sorts that companies provide to foreign workers to expand the Information Technology industry only after proving there are no qualified Americans to fill the jobs. Biden said he also learned from his talks with tech's top CEOs that 200,000 of the jobs that companies provide each year to highly-skilled H-1B visa holders could in fact be done by Americans with no more than a two-year community college degree.

Read more of this story at Slashdot.

Finding Life In Space By Looking For Extraterrestrial Pollution

Slashdot.org - Wed, 23/07/2014 - 11:37pm
coondoggie writes: If what we know as advanced life exists anywhere other than Earth, then perhaps they are dirtying their atmosphere as much as we are. We could use such pollution components to perhaps more easily spot such planets. That's the basis of new research published this week by researchers at the Harvard-Smithsonian Center for Astrophysics. They say that if we could spot the fingerprints of certain pollutants under ideal conditions (PDF), it would offer a new approach in the search for extraterrestrial intelligence.

Read more of this story at Slashdot.

Lior Kaplan: Testing PHPNG on Debian/Ubuntu

Planet Debian - Wed, 23/07/2014 - 11:01pm

We (at Zend) want to help people get more involved in testing PHPNG (PHP next generation), so we’ve started providing binaries for it, although it’s still a branch on top of PHP’s master branch. See more details about PHPNG in Zeev Suraski’s blog post.

The binaries (64bit) are compatible with Debian testing/unstable and Ubuntu Trusty (14.04) and up. The mod_php is built for Apache 2.4 which all three flavors have.

The repository is at http://repos.zend.com/zend-server/early-access/phpng/

Installation instructions:

# wget http://repos.zend.com/zend.key -O- 2> /dev/null | apt-key add -
# echo "deb http://repos.zend.com/zend-server/early-access/phpng/ trusty zend" > /etc/apt/sources.list.d/phpng.list
# apt-get update
# apt-get install php5

For the task of providing these binaries, I had the pleasure of combining my experience as a member of the Debian PHP team and a Debian Developer with stuff more internal to the PHP development process. Using the already existing Debian packaging enabled me to test more build scenarios easily (and report problems accordingly). Hopefully this could also be translated back into providing more experimental packages for Debian and making sure Debian packages are ready for the PHP release after PHP 5.6.

Filed under: Debian GNU/Linux, PHP

Michael Meeks: 2014-07-23: Wednesday

Planet GNOME - Wed, 23/07/2014 - 10:59pm
  • Mail chew, thrilled to see that the UK Cabinet Office have done the right thing and announced the choice of ODF for sharing and/or collaborating on Government Documents bringing choice of office productivity software, as well as improved market access for UK based SMEs. One great ODF solution from a UK based SME is of course LibreOffice from Collabora via one of our great Partners. Check out the Sharing or Collaborating with Government Documents policy paper. The default format for saving government documents must be Open Document Format (ODF). Information should be shared in ODF version 1.2 (or later).
  • Out to a local farm with the babes, enjoyed the sun, some minor water fights, and back for lunch; applied slugging in the afternoon.

The Secret Government Rulebook For Labeling You a Terrorist

Slashdot.org - Wed, 23/07/2014 - 10:55pm
Advocatus Diaboli sends this report: The Obama administration has quietly approved a substantial expansion of the terrorist watchlist system, authorizing a secret process that requires neither "concrete facts" nor "irrefutable evidence" to designate an American or foreigner as a terrorist, according to a key government document obtained by The Intercept. ...The heart of the document revolves around the rules for placing individuals on a watchlist. "All executive departments and agencies," the document says, are responsible for collecting and sharing information on terrorist suspects with the National Counterterrorism Center. It sets a low standard—"reasonable suspicion"—for placing names on the watchlists, and offers a multitude of vague, confusing, or contradictory instructions for gauging it. In the chapter on "Minimum Substantive Derogatory Criteria"—even the title is hard to digest—the key sentence on reasonable suspicion offers little clarity.

Read more of this story at Slashdot.

Petter Reinholdtsen: 98.6 percent done with the Norwegian draft translation of Free Culture

Planet Debian - Wed, 23/07/2014 - 10:40pm

This summer I finally had time to continue working on the Norwegian docbook version of the 2004 book Free Culture by Lawrence Lessig, to get a Norwegian text explaining the problems with today's copyright law. Yesterday, I finally completed translating the book text. There are still some foot/end notes left to translate, the colophon page needs to be rewritten, and a few words and phrases still need to be translated, but the Norwegian text is ready for the first proof reading. :) More spell checking is needed, and several illustrations need to be cleaned up. The work stalled because I had to give priority to other projects the last year, and the progress graph of the translation shows this very well:

If you want to read the result, check out the github project pages and the PDF, EPUB and HTML version available in the archive directory.

Please report typos, bugs and improvements to the github project if you find any.

Michael Prokop: Book Review: The Docker Book

Planet Debian - Wed, 23/07/2014 - 10:16pm

Docker is an open-source project that automates the deployment of applications inside software containers. I’m responsible for a docker setup with Jenkins integration and a private docker-registry setup at a customer and pre-ordered James Turnbull’s “The Docker Book” a few months ago.

Recently James – he’s working for Docker Inc – released the first version of the book and thanks to being on holidays I already had a few hours to read it AND blog about it. (Note: I’ve read the Kindle version 1.0.0 and all the issues I found and reported to James have been fixed in the current version already, jey.)

The book is very well written and covers all the basics to get familiar with Docker and in my opinion it does a better job at that than the official user guide because of the way the book is structured. The book is also a more approachable way for learning some best practices and commonly used command lines than going through the official reference (but reading the reference after reading the book is still worth it).

I like James’ approach with “ENV REFRESHED_AT $TIMESTAMP” for better controlling the cache behaviour and definitely consider using this in my own setups as well. What I wasn’t aware of is that you can directly invoke “docker build $git_repos_url”, and I further noted a few command line switches I should get more comfortable with. I also plan to check out the Automated Builds on Docker Hub.

There are some references to further online resources, which is relevant especially for the more advanced use cases, so I’d recommend having network access available while reading the book.

What I’m missing in the book are best practices for running a private docker-registry in a production environment (high availability, scaling options,…). The provided Jenkins use cases are also very basic and nothing I personally would use. I’d also love to see how other folks are using the Docker plugin, the Docker build step plugin or the Docker build publish plugin in production (the plugins aren’t covered in the book at all). But I’m aware that these are fast-moving parts and specialised use cases – upcoming versions of the book are already supposed to cover orchestration with libswarm, developing Docker plugins and more advanced topics, so I’m looking forward to further updates of the book (which you get for free as an existing customer, being another plus).

Conclusion: I enjoyed reading the Docker book and can recommend it, especially if you’re either new to Docker or want to get further ideas and inspirations what folks from Docker Inc consider best practices.

'Just Let Me Code!'

Slashdot.org - Wed, 23/07/2014 - 10:14pm
An anonymous reader writes: Andrew Binstock has an article about the ever-increasing complexity required to write code. He says, "I got into programming because I like creating stuff. Not just any stuff, but stuff other people find useful. I like the constant problem solving, the use of abstractions that exist for long periods nowhere but in my imagination, and I like seeing the transformation into a living presence. ... The simple programs of a few hundred lines of C++ long ago disappeared from my experience. What was the experience of riding a bicycle has become the equivalent of traveling by jumbo jet; replete with the delays, inspections, limitations on personal choices, and sudden, unexplained cancellations — all at a significantly higher cost. ... Project overhead, even for simple projects, is so heavy that it's a wonder anyone can find the time to code, much less derive joy from it. Software development has become a mostly operational activity, rather than a creative one. The fundamental problem here is not the complexity of apps, but the complexity of tools. Tools have gone rather haywire during the last decade chasing shibboleths of scalability, comprehensiveness, performance. Everything except simplicity."

Read more of this story at Slashdot.

Intel Launches Self-Encrypting SSD

Slashdot.org - Wed, 23/07/2014 - 9:32pm
MojoKid writes: Intel just launched their new SSD 2500 Pro series solid state drive, the follow-up to last year's SSD 1500 Pro series, which targets corporate and small-business clients. The drive shares much of its DNA with some of Intel's consumer-class drives, but the Pro series cranks things up a few notches with support for advanced security and management features, low power states, and an extended management toolset. In terms of performance, the Intel SSD 2500 Pro isn't class-leading in light of many enthusiast-class drives but it's no slouch either. Intel differentiates the 2500 Pro series by adding support for vPro remote-management and hardware-based self-encryption. The 2500 Pro series supports TCG (Trusted Computing Group) Opal 2.0 features and is Microsoft eDrive capable as well. Intel also offers an administration tool for easy management of the drive. With the Intel administration tool, users can reset the PSID (physical presence security ID), though the contents of the drive will be wiped. Sequential reads are rated at up to 540MB/s, sequential writes at up to 480MB/s, with 45K – 80K random read / write IOps.

Read more of this story at Slashdot.

'Optical Fiber' Made Out of Thin Air

Slashdot.org - Wed, 23/07/2014 - 8:50pm
Dave Knott writes: Scientists from the University of Maryland say they have turned thin air into an "optical fiber" that can transmit and amplify light signals without the need for any cables. As described in the research, this was accomplished by generating a laser with its light split into a ring of multiple beams forming a pipe. Very short and powerful pulses from the laser are used to heat the air molecules along the beam extremely quickly. Such rapid heating produces sound waves that take about a microsecond to converge to the center of the pipe, creating a high-density area surrounded by a low-density area left behind in the wake of the laser beams. The lower density region of air surrounding the center of the air waveguide has a lower refractive index, keeping the light focused, and allowing the higher-density region (with its correspondingly higher index of refraction) to act like an optical fiber. The findings, reported in the journal Optica, have applications in long range laser communications, high-resolution topographic mapping, air pollution and climate change research, and could also be used by the military to make laser weapons.

Read more of this story at Slashdot.

The Department of Homeland Security Needs Its Own Edward Snowden

Slashdot.org - Wed, 23/07/2014 - 8:07pm
blottsie writes: Out of all the U.S. government agencies, the Department of Homeland Security is one of the least transparent. As such, the number of Freedom of Information Act requests it receives has doubled since 2008. But the DHS has only become more adamant about blocking FOIA requests over the years. The problem has become so severe that nothing short of an Edward Snowden-style leak may be needed to increase transparency at the DHS.

Read more of this story at Slashdot.

Matthew Helmke: Open Source Resources Sale

Planet UBUNTU - Wed, 23/07/2014 - 7:40pm

I don’t usually post sales links, but this sale by InformIT involves my two Ubuntu books along with several others that I know my friends in the open source world would be interested in.

Save 40% on recommended titles in the InformIT OpenSource Resource Center. The sale ends August 8th.

Autonomous Sea-Robot Survives Massive Typhoon

Slashdot.org - Wed, 23/07/2014 - 7:25pm
jfruh (300774) writes: Liquid Robotics and its Wave Glider line of autonomous seafaring robots became famous when Java inventor James Gosling left Google to join the company. Now one of its robots has passed an impressive real-world test, shrugging off a monster typhoon in the South China Sea that inflicted hundreds of millions of dollars of damage on the region.

Read more of this story at Slashdot.

Researchers Print Electronic Memory On Paper

Slashdot.org - Wed, 23/07/2014 - 6:45pm
MTorrice (2611475) writes: Electronics printed on paper promise to be cheap, flexible, and recyclable, and could lead to applications such as smart labels on foods and pharmaceuticals or as wearable medical sensors. Many engineers have managed to print transistors and solar cells on paper, but one key component of a smart device has been missing—memory. Now a group of researchers has developed a method that uses ink-jet technology to print resistive random access memory on an ordinary letter sized piece of paper. The memory is robust: Engineers could bend the device 1,000 times without any loss of performance. The memory is not yet very dense, but could be: "Each silver dot they printed was approximately 50 microns across and separated from its neighbor by 25 microns, so each bit of memory is 100 microns on a side. At that size, a standard 8.5- by 11-inch piece of paper can hold 1 MB of memory. Der-Hsien Lien, the paper's lead author, says existing ultrafine ink-jet technology can produce dots less than 1 micron across, which would allow the same piece of paper to hold 1 gigabyte. Reading and writing the bits takes 100 to 200 microseconds."

Read more of this story at Slashdot.

SpaceX Releases Video of Falcon Rocket's Splashdown

Slashdot.org - Wed, 23/07/2014 - 6:25pm
First time accepted submitter cowdung (702933) writes: In spite of Elon Musk's characterization of the landing as a KABOOM event, judging by this video SpaceX has managed to land the first stage rocket booster nicely on the ocean after their Orbcomm launch on July 14th. It seems we're one step closer to a landing on dry land. Both this and the previous landing seem to have gone well. Hopefully the next landing test camera has something to deice the camera lens.

Read more of this story at Slashdot.

Microsoft FY2014 Q4 Earnings: Revenues Up, Profits Down Slightly

Slashdot.org - Wed, 23/07/2014 - 6:06pm
Microsoft has released their latest earnings report, and it's not as bleak as last week's news might have you suspect. Quoting Forbes: Microsoft reported $23.38 billion of revenue for the fourth quarter, up 17.5% from the same period last year. Net income, however, came in at $4.6 billion, down from last year and behind Wall Street analysts' consensus estimate, both about $5 billion. At 55 cents, earnings per share were down 4 cents and a nickel short of the Street’s call. For the full year, revenue clocked in at $86.8 billion, an 11.5% increase from a year earlier. Net income was $22.1 billion and earnings per share were $2.63. They took a hit from finalizing the acquisition of Nokia's handset division (not unexpected). The cloud services side of the business appears to be growing, while traditional software sales have stagnated. The layoffs will cost Microsoft between $1.1 and $1.6 billion over the first half of next year.

Read more of this story at Slashdot.
