
Submitted URL: https://www.security.traumschule.org/
Effective URL: https://security.traumschule.org/
Submission: On August 19 via automatic, source certstream-suspicious


SOFTWARE & SECURITY


JANUARY 25, 2020

ACCOMMODATION & TRANSPORT

@how wrote:

> Hey, the FOSDEM season comes with numerous requests for hosting,
> accommodation, and transportation pooling from many friends converging to
> Brussels.
> 
> This topic is to exchange such information and maximize your chances to find
> cheap accommodation or a ride from and to Brussels to attend OFFDEM. Next post
> is a wiki, feel free…

Posts: 2

Participants: 1

Read full topic

by @how hellekin at January 25, 2020 11:52 AM


JANUARY 24, 2020


BRUCE SCHNEIER

FRIDAY SQUID BLOGGING: MORE ON THE GIANT SQUID'S DNA

Following on from last week's post, here's more information on sequencing the
DNA of the giant squid.

As usual, you can also use this squid post to talk about the security stories in
the news that I haven't covered.

Read my blog posting guidelines here.

by Bruce Schneier at January 24, 2020 10:18 PM


PLANET GNU

FSF BLOGS: TELL MICROSOFT TO UPCYCLE WINDOWS 7. SET IT FREE!

It was just last week that Windows 7 crossed into the afterlife. While we can't
say we've been in mourning, we have spent that time thinking back on Windows 7's
legacy of abusing users, and reflecting on Microsoft's change in tone over the
last few years. For one, they now state clearly that Microsoft "loves open
source" (sic).

But things were not always this way, and we can thank software activists around
the world for making the message of software freedom too loud to ignore. In the
headlines we've seen many stories of people feeling burned by the support
cutoff, and justifiably angry at being forced to upgrade. Microsoft is leaving
its users high and dry, but they don't have to. There is another option.

Microsoft has taken a few steps in the right direction, such as releasing some
small but important components of Windows as free software. We want to push them
to go further. We need Microsoft to prove to the world that their "love" of free
software isn't just an ad campaign, and that they aren't just reaping the
benefits of free software in order to exploit users.

They can do this by releasing Windows 7 under a free software license. The
history of free software has shown us that software doesn't have to expire, and
can even be written to last fifty years. And now that this version of their
operating system has reached its "end-of-life," they have no good reason not to.

We need your help to urge Microsoft to give Windows 7 to the community. It is
our aim to get 7,777 supporters to take a stand for user freedom. Sign the
petition here.

In addition to signing, you can:

 * Share the #UpcycleWindows7 image to show your support of the campaign.

 * Share on social media that you've signed the petition. Write your own
   message, or feel free to use ours:
   
   Microsoft's support of Windows 7 is over, but its life doesn't have to end.
   Join me in calling on Microsoft to #UpcycleWindows7 by signing
   https://u.fsf.org/upcycle

January 24, 2020 07:55 PM


INTERESTING PEOPLE

RE: I NEED SOCIAL TRAFFIC FAST

Posted by Ericka Eames   on Jan 24

hi
lists-ip-jhof

here it is, social website traffic:
http://www.mgdots.co/detail.php?id=113

Full details attached

Regards
Ericka Eames  

Unsubscribe option is available on the footer of our website


January 24, 2020 06:59 PM


FULL DISCLOSURE

MULTIPLE VULNERABILITIES IN TOTOLINK AND OTHER REALTEK SDK BASED ROUTERS

Posted by Błażej Adamczyk on Jan 24

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
MULTIPLE VULNERABILITIES IN SEVERAL SERIES OF
REALTEK SDK BASED ROUTERS (TOTOLINK AND MANY
OTHER)

Blazej Adamczyk (br0x)
blazej.adamczyk () gmail com...


January 24, 2020 06:11 PM

[UPDATED - POC] NEOWISE CARBONFTP V1.4 / INSECURE PROPRIETARY PASSWORD
ENCRYPTION / CVE-2020-6857

Posted by hyp3rlinx on Jan 24

Updated: the exploit PoC had a check for an unused module I was testing, which
has been removed; I had two versions but previously sent the wrong one.

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/NEOWISE-CARBONFTP-v1.4-INSECURE-PROPRIETARY-PASSWORD-ENCRYPTION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.neowise.com

[Product]
CarbonFTP v1.4

CarbonFTP is a...


January 24, 2020 06:10 PM

CVE-2019-19363 - LOCAL PRIVILEGE ESCALATION IN MANY RICOH PRINTER DRIVERS FOR
WINDOWS

Posted by Pentagrid AG on Jan 24

Local Privilege Escalation in many Ricoh Printer Drivers for Windows
(CVE-2019-19363)
======================================================================

Summary
--------

Pentagrid has been asked to manage the coordinated disclosure process
for a vulnerability that affects several Windows printer drivers for a
wide range of printers by the printer manufacturer Ricoh. Due to
improperly set file permissions of file system entries...


January 24, 2020 06:10 PM


OPEN SOURCE SECURITY

RE: [CVE-2019-17570] XMLRPC-COMMON UNTRUSTED DESERIALIZATION

Posted by cert.cc on Jan 24

Hello,

A PoC is now available for this vulnerability.
For more information, see
https://github.com/orangecertcc/xmlrpc-common-deserialization

Regards,

-----Original Message-----
From: ZZZ CERT CC
Sent: Thursday 16 January 2020 10:00
To: 'oss-security () lists openwall com'
Subject: [CVE-2019-17570] xmlrpc-common untrusted deserialization

Description
===========
Java untrusted deserialization in faultCause when...


January 24, 2020 04:49 PM

RE: PLONE SECURITY HOTFIX 20200121

Posted by Maurits van Rees on Jan 24

We have received CVE numbers from mitre.org. Thanks. See inline below.

CVE-2020-7938

CVE-2020-7936

CVE-2020-7940

CVE-2020-7941

CVE-2020-7939

CVE-2020-7937


January 24, 2020 04:47 PM


KREBS ON SECURITY

DOES YOUR DOMAIN HAVE A REGISTRY LOCK?

If you’re running a business online, few things can be as disruptive or
destructive to your brand as someone stealing your company’s domain name and
doing whatever they wish with it. Even so, most major Web site owners aren’t
taking full advantage of the security tools available to protect their domains
from being hijacked. Here’s the story of one recent victim who was doing almost
everything possible to avoid such a situation and still had a key domain stolen
by scammers.

On December 23, 2019, unknown attackers began contacting customer support people
at OpenProvider, a popular domain name registrar based in The Netherlands. The
scammers told the customer representatives they had just purchased from the
original owner the domain e-hawk.net — which is part of a service that helps Web
sites detect and block fraud — and that they were having trouble transferring
the domain from OpenProvider to a different registrar.

The real owner of e-hawk.net is Raymond Dijkxhoorn, a security expert and
entrepreneur who has spent much of his career making life harder for cybercrooks
and spammers. Dijkxhoorn and E-HAWK’s CEO Peter Cholnoky had already protected
their domain with a “registrar lock,” a service that requires the registrar to
confirm any requested changes with the domain owner via whatever communications
method is specified by the registrant.

In the case of e-hawk.net, however, the scammers managed to trick an
OpenProvider customer service rep into transferring the domain to another
registrar with a fairly lame social engineering ruse — and without triggering
any verification to the real owners of the domain.

Specifically, the thieves contacted OpenProvider via WhatsApp, said they were
now the rightful owners of the domain, and shared a short screen grab video
showing the registrar’s automated system blocking the domain transfer (see video
below).



“The support agent helpfully tried to verify if what the [scammers] were saying
was true, and said, ‘Let’s see if we can move e-hawk.net from here to check if
that works’,” Dijkxhoorn said. “But a registrar should not act on instructions
coming from a random email address or other account that is not even connected
to the domain in question.”

Dijkxhoorn shared records obtained from OpenProvider showing that on Dec. 23,
2019, the e-hawk.net domain was transferred to a reseller account within
OpenProvider. Just three days later, that reseller account moved e-hawk.net to
another registrar — Public Domain Registry (PDR).

“Due to the previously silent move to another reseller account within
OpenProvider, we were not notified by the registrar about any changes,”
Dijkxhoorn said. “This fraudulent move was possible due to successful social
engineering towards the OpenProvider support team. We have now learned that
after the move to the other OpenProvider account, the fraudsters could silently
remove the registrar lock and move the domain to PDR.”

REGISTRY LOCK

Dijkxhoorn said one security precaution his company had not taken with their
domain prior to the fraudulent transfer was a “registry lock,” a more stringent,
manual (and sometimes offline) process that effectively neutralizes any attempts
by fraudsters to social engineer your domain registrar.

With a registry lock in place, your registrar cannot move your domain to another
registrar on its own. Doing so requires manual contact verification by the
appropriate domain registry, such as Verisign — which is the authoritative
registry for all domains ending in .com, .net, .name, .cc, .tv, .edu, .gov and
.jobs. Other registries handle locks for specific top-level or country-code
domains, including Nominet (for .co.uk or .uk domains), EURID (for .eu domains),
CNNIC (for .cn domains), and so on.

According to data provided by digital brand protection firm CSC, while domains
created in the top three most registered top-level domains (.com, .jp and .cn)
are eligible for registry locks, just 22 percent of domain names tracked in
Forbes’ list of the World’s Largest Public Companies have secured registry
locks.

Unfortunately, not all registrars support registry locks (a list of top-level
domains that do allow registry locks is here, courtesy of CSC). But as we’ll see
in a moment, there are other security precautions that can and do help if your
domain somehow ends up getting hijacked.

Dijkxhoorn said his company first learned of the domain theft on Jan. 13, 2020,
which was the date the fraudsters got around to changing the domain name system
(DNS) settings for e-hawk.net. That alert was triggered by systems E-HAWK had
previously built in-house that continually monitor their stable of domains for
any DNS changes.

By the way, this continuous monitoring of one’s DNS settings is a powerful
approach to help blunt attacks on your domains and DNS infrastructure. Anyone
curious about why this might be a good approach should have a look at this
deep-dive from 2019 on “DNSpionage,” the name given to the exploits of an
Iranian group that has successfully stolen countless passwords and VPN
credentials from major companies via DNS-based attacks.
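What such a monitor looks like in practice: the following is an added example, not E-HAWK's in-house system. It keeps a baseline of the NS, DS, A, MX and CAA records for each watched domain, re-resolves them, and alerts on any difference, ranking a change to the delegation (NS or DS, the records a registrar-side hijack rewrites at the registry) as critical. The resolver is injected so the check runs offline here on constructed data; dnspython_lookup() shows the real adapter and assumes dnspython 2.x. Domain names, record values and the "hijacker" name servers are all made up.

```python
# Added example (not E-HAWK's in-house system): compare the live NS/DS/A/MX/CAA
# records of each watched domain with a stored baseline and alert on any drift.
from typing import Callable, Dict, FrozenSet, List

Records = Dict[str, FrozenSet[str]]        # rtype -> set of rdata text
Lookup = Callable[[str, str], List[str]]    # (domain, rtype) -> rdata text list

# NS and DS are published by the registry in the parent zone, which is exactly
# what a registrar-level hijack rewrites, so drift there is treated as critical.
WATCHED_TYPES = ("NS", "DS", "A", "MX", "CAA")
SEVERITY = {"NS": "critical", "DS": "critical", "A": "high", "MX": "high", "CAA": "medium"}
RANK = {"critical": 3, "high": 2, "medium": 1}


def dnspython_lookup(domain: str, rtype: str) -> List[str]:
    """Real adapter (assumes the third-party dnspython 2.x); not used in the offline run."""
    import dns.resolver
    try:
        return sorted(r.to_text() for r in dns.resolver.resolve(domain, rtype))
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        return []


def snapshot(domain: str, lookup: Lookup) -> tuple:
    """Returns (records, errors). A failed lookup is reported as an error rather than
    recorded as 'no records', so a resolver timeout never looks like a deletion."""
    records: Records = {}
    errors = []
    for rtype in WATCHED_TYPES:
        try:
            records[rtype] = frozenset(lookup(domain, rtype))
        except Exception as exc:  # timeouts, SERVFAIL, ...
            errors.append(f"{rtype}: {type(exc).__name__}")
    return records, errors


def diff_records(baseline: Records, current: Records) -> list:
    """List of (rtype, removed, added) for every record type that differs."""
    changes = []
    for rtype in WATCHED_TYPES:
        if rtype not in current:       # lookup failed; reported separately
            continue
        before = baseline.get(rtype, frozenset())
        after = current[rtype]
        if before != after:
            changes.append((rtype, sorted(before - after), sorted(after - before)))
    return changes


def check_domains(baselines: Dict[str, Records], lookup: Lookup) -> dict:
    """domain -> {"severity", "changes", "errors"} for every domain that drifted or failed."""
    alerts = {}
    for domain, base in baselines.items():
        current, errors = snapshot(domain, lookup)
        changes = diff_records(base, current)
        if changes or errors:
            sev = max((SEVERITY[c[0]] for c in changes), key=RANK.get, default="medium")
            alerts[domain] = {"severity": sev, "changes": changes, "errors": errors}
    return alerts


# Constructed baseline: record values and name-server names are placeholders.
CONSTRUCTED_BASELINE: Dict[str, Records] = {
    "e-hawk.net": {
        "NS": frozenset({"ns1.dns-provider.example.", "ns2.dns-provider.example."}),
        "DS": frozenset({"12345 13 2 " + "0123456789abcdef" * 4}),
        "A": frozenset({"192.0.2.10"}),
        "MX": frozenset({"10 mail.e-hawk.net."}),
        "CAA": frozenset({'0 issue "letsencrypt.org"'}),
    },
    "unchanged.example": {
        "NS": frozenset({"ns1.dns-provider.example."}),
        "DS": frozenset(), "A": frozenset({"192.0.2.20"}), "MX": frozenset(), "CAA": frozenset(),
    },
}

# Constructed "live" answers: the domain has been re-delegated to the hijacker's
# name servers at the registrar, while the DS record at the registry is still there.
CONSTRUCTED_LIVE = {("e-hawk.net", "NS"): ["ns1.hijacker.example.", "ns2.hijacker.example."]}


def constructed_lookup(domain: str, rtype: str) -> List[str]:
    if (domain, rtype) in CONSTRUCTED_LIVE:
        return CONSTRUCTED_LIVE[(domain, rtype)]
    return sorted(CONSTRUCTED_BASELINE[domain][rtype])


if __name__ == "__main__":
    for dom, alert in check_domains(CONSTRUCTED_BASELINE, constructed_lookup).items():
        print(dom, alert["severity"], alert["changes"], alert["errors"])
```

For the live adapter, point the resolver at the parent zone's authoritative servers (dnspython's Resolver object lets you set its nameservers) rather than at a caching recursive resolver: a hijack shows up in the registry's delegation immediately, while a cache keeps serving the old NS set until its TTL expires.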

DNSSEC

Shortly after pointing e-hawk.net's DNS settings to a server they controlled,
the attackers were able to obtain at least one TLS certificate for the
domain, which could have allowed them to intercept and read encrypted Web and
email communications tied to e-hawk.net.

But that effort failed because E-HAWK's owners had also enabled DNSSEC for their
domains (a.k.a. "DNS Security Extensions"). DNSSEC does not sign queries; it
signs the zone's records, and the public key that verifies those signatures is
anchored in a DS record that the registry publishes in the parent zone. A
validating resolver refuses to use any answer for the domain whose signatures
don't chain up to that DS record.

With DNSSEC properly enabled, a validating resolver that receives an address
record for the domain checks the signature against the zone's published key and
the DS record at the parent; if everything verifies, it returns the record and
lets the user visit the site. If the signature fails, or the answer comes back
unsigned from name servers that never held the zone's private key (which is the
situation after a hijacker re-delegates the domain to servers they control), the
resolver treats the response as bogus and the user never reaches the fraudulent
address.

While fraudsters who have hijacked your domain and/or co-opted access to your
domain registrar can and usually will try to remove any DNSSEC records
associated with the hijacked domain, it generally takes a few days for these
updated records to be noticed and obeyed by the rest of the Internet.

As a result, having DNSSEC enabled for its domains bought E-HAWK an additional
48 hours or so with which to regain control over its domain before any encrypted
traffic to and from e-hawk.net could have been intercepted.

In the end, E-HAWK was able to wrest back its hijacked domain in less than 48
hours, but only because its owners are on a first-name basis with many of the
companies that manage the Internet’s global domain name system. Perhaps more
importantly, they happened to know key people at PDR — the registrar to which
the thieves moved the stolen domain.

Dijkxhoorn said without that industry access, E-HAWK probably would still be
waiting to re-assume control over its domain.

“This process is normally not that quick,” he said, noting that most domains
can’t be moved for at least 60 days after a successful transfer to another
registrar.

In an interview with KrebsOnSecurity, OpenProvider CEO and Founder Arno Vis said
OpenProvider is reviewing its procedures and building systems to prevent
support employees from overriding security checks that come with a registrar
lock.

“We are building an extra layer of approval for things that support engineers
shouldn’t be doing in the first place,” Vis said. “As far as I know, this is the
first time something like this has happened to us.”

As in this case, crooks who specialize in stealing domains often pounce during
holidays, when many registrars are short on well-trained staff. But Vis said the
attack against E-HAWK targeted the company’s most senior support engineer.

“This is why social engineering is such a tricky thing, because in the end you
still have a person who has to make a decision about something and in some cases
they don’t make the right decision,” he said.



WHAT CAN YOU DO?



To recap, for maximum security on your domains, consider adopting some or all of
the following best practices:

-Use registration features like Registry Lock that can help protect domain name
records from being changed. Note that this may increase the amount of time it
takes going forward to make key changes to the locked domain (such as DNS
changes).

-Use DNSSEC (both signing zones and validating responses).

-Use access control lists for applications, Internet traffic and monitoring.

-Use 2-factor authentication, and require it to be used by all relevant users
and subcontractors.

-In cases where passwords are used, pick unique passwords and consider password
managers.

-Review the security of existing accounts with registrars and other providers,
and make sure you have multiple notifications in place when and if a domain you
own is about to expire.

-Monitor the issuance of new SSL certificates for your domains by monitoring,
for example, Certificate Transparency Logs.
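Monitoring certificate issuance is the last item above, and it is also the check that would have caught the certificate the thieves obtained for e-hawk.net. The following is an added example, not code from this article or from E-HAWK: it takes a list of log entries shaped like the JSON that crt.sh returns for a domain search (the entries here are constructed), skips certificates already seen on a previous run, and alerts on any certificate whose issuer is not on the organisation's allowlist or whose names include something the organisation never requests (a wildcard, an unknown host). The allowed CA, the expected names and the second CA's name are assumptions.

```python
# Added example (not Krebs's or E-HAWK's code): alert on newly logged certificates
# for a domain that don't match the issuer and names the organisation expects.
import json

ALLOWED_ISSUER_ORGS = ("O=Let's Encrypt",)            # assumption: the only CA the org uses
EXPECTED_NAMES = {"e-hawk.net", "www.e-hawk.net"}     # names the org itself requests certs for

# Constructed entries, shaped like crt.sh's JSON search output. A search can return
# the same certificate more than once (one row per matching name), hence the repeated id.
SAMPLE_CT_JSON = r"""[
 {"id": 2001, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
  "name_value": "e-hawk.net\nwww.e-hawk.net", "not_before": "2019-11-02T09:12:41"},
 {"id": 2002, "issuer_name": "C=XX, O=Some Other CA Ltd, CN=Some Other CA DV",
  "name_value": "e-hawk.net", "not_before": "2020-01-13T14:05:10"},
 {"id": 2003, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
  "name_value": "*.e-hawk.net\ne-hawk.net", "not_before": "2020-01-13T15:30:00"},
 {"id": 2001, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
  "name_value": "www.e-hawk.net", "not_before": "2019-11-02T09:12:41"}
]"""


def parse_ct_entries(raw: str) -> list:
    """Normalise the log rows: one dict per row with the SAN names as a lower-cased set."""
    out = []
    for e in json.loads(raw):
        names = {n.strip().lower() for n in e["name_value"].split("\n") if n.strip()}
        out.append({"id": e["id"], "issuer": e["issuer_name"],
                    "names": names, "not_before": e["not_before"]})
    return out


def unexpected_certs(entries: list, seen_ids: set,
                     allowed_issuers=ALLOWED_ISSUER_ORGS,
                     expected_names=EXPECTED_NAMES) -> list:
    """Alerts for entries not seen before. seen_ids is the state persisted between runs,
    so each certificate is reported once even if the log search returns it repeatedly."""
    alerts = []
    for e in entries:
        if e["id"] in seen_ids:
            continue
        seen_ids.add(e["id"])
        reasons = []
        if not any(org in e["issuer"] for org in allowed_issuers):
            reasons.append("issuer not allowlisted: " + e["issuer"])
        extra = sorted(e["names"] - expected_names)
        if extra:
            reasons.append("names never requested by us: " + ", ".join(extra))
        if reasons:
            alerts.append({"id": e["id"], "not_before": e["not_before"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    seen = set()
    for alert in unexpected_certs(parse_ct_entries(SAMPLE_CT_JSON), seen):
        print(alert["id"], alert["not_before"], "; ".join(alert["reasons"]))
```

Two points worth pairing with this: publish a CAA record naming the CA you actually use, so a non-allowlisted issuer should refuse to issue in the first place (the monitor then catches CAs that ignore it or a CAA record the hijacker has changed), and treat pre-certificates in the logs as issuance, since they appear before the final certificate is usable.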

by BrianKrebs at January 24, 2020 04:37 PM


DAILY DAVE

RE: "DEFENDING FORWARD" IN TIME

Posted by John Lampe on Jan 24

imo, it's a general mentality that attackers have. I blogged about this 14
years ago and it seems still applicable today (
https://blogs.securiteam.com/index.php/archives/170 )

Indecision can stem from too little information or too much information.
The defender *should* have the ability to influence both of those...

John


January 24, 2020 04:08 PM


BREACHEXCHANGE

DATA LEAK STRIKES US CANNABIS USERS, SENSITIVE INFORMATION EXPOSED

Posted by Destry Winant on Jan 24

https://www.zdnet.com/article/data-leak-strikes-us-cannabis-users-sensitive-information-exposed/

Another day, another leaky database -- and this one has impacted
30,000 people connected to the medical and recreational marijuana
industry.

On Wednesday, the research team from VPNMentor, led by Noam Rotem and
Ran Locar, said that an unsecured Amazon S3 bucket uncovered online
without any authentication or security in place was the source of the...


January 24, 2020 03:56 PM

RANSOMWARE INFECTS MAIN SERVER OF LARGE INSURANCE COMPANY IN OMAN

Posted by Destry Winant on Jan 24

https://securityboulevard.com/2020/01/ransomware-infects-main-server-of-large-insurance-company-in-oman/

A ransomware attack has hit Oman United Insurance Company
SAOG, one of the largest insurers in Oman, but operations apparently remain
unaffected.

Finance is one of the sectors most targeted by hackers, including
banks, fintech firms, or insurance companies. One way to compromise a financial
organization is with ransomware, and this is...


January 24, 2020 03:56 PM

THE THREE TS OF HANDLING CONSUMER DATA

Posted by Destry Winant on Jan 24

https://www.strategy-business.com/blog/The-three-Ts-of-handling-consumer-data

When consumers get to the cash register or checkout screen, they are
increasingly asked to disclose personal information. Studies show that
even people who harbor privacy concerns are willing to provide
personal details to a company.

Indeed, most consumers realize they’re being tracked when they surf
corporate websites, research shows, believing it’s just a part...


January 24, 2020 03:56 PM

MICROSOFT SECURITY SHOCKER AS 250 MILLION CUSTOMER RECORDS EXPOSED ONLINE

Posted by Destry Winant on Jan 24

https://www.forbes.com/sites/daveywinder/2020/01/22/microsoft-security-shocker-as-250-million-customer-records-exposed-online/#514ce91a4d1b

A new report reveals that 250 million Microsoft customer records,
spanning 14 years, have been exposed online without password
protection.

Microsoft has been in the news for, mostly, the wrong reasons
recently. There is the Internet Explorer zero-day vulnerability that
Microsoft hasn't issued a patch...


January 24, 2020 03:55 PM


DAILY DAVE

"DEFENDING FORWARD" IN TIME

Posted by Dave Aitel on Jan 24

So I went to S4 this week, which is a good conference here in Miami Beach,
mostly about hacking/protecting utilities and other critical infrastructure
components. But I had the good fortune to run into a friend
<https://www.gocomics.com/calvinandhobbes/2018/01/16> I'd never met before.
Anyways, they were telling me about how some Android State surveillance
spyware installed at the border on everyone's phone looked for some file...


January 24, 2020 03:28 PM


PLANET GNU

GARY BENSON: CONTAINER DEBUGGING MINIHINT

What’s in my container?

 1. bash$ podman ps --ns
    CONTAINER ID  NAMES            PID    CGROUPNS  IPC         MNT         NET         PIDNS       USERNS      UTS
    fe11359293e8  eloquent_austin  11090            4026532623  4026532621  4026532421  4026532624  4026531837  4026532622

 2. bash$ sudo ls -l /proc/11090/root/
    total 22628
    lrwxrwxrwx.   1 root root        7 Jul 25  2019 bin -> usr/bin
    dr-xr-xr-x.   2 root root        6 Jul 25  2019 boot
    drwxr-xr-x.   5 root root      360 Jan 24 12:03 dev
    drwxr-xr-x.   1 root root      183 Jan 23 16:43 etc
     ...

Thank you.

January 24, 2020 03:01 PM
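One thing worth reading off that `podman ps --ns` row before poking around in /proc/PID/root: the USERNS column is 4026531837, which is the kernel's fixed inode number for the initial user namespace (PROC_USER_INIT_INO in include/linux/proc_ns.h), so that container has no user-namespace isolation from the host; the other columns are distinct, dynamically allocated namespaces. The following is an added example, not code from Gary Benson's post: given the /proc/<pid>/ns/* link targets of a container process, it reports which namespaces are the host's. The ipc, uts, user, pid and cgroup initial namespaces have fixed inodes; mnt and net do not and are compared against PID 1 instead. The sample dict is constructed from the row above (its CGROUPNS column was empty and is omitted).

```python
# Added example (not from the post): which of a process's namespaces are the host's?
import os

# Fixed inode numbers of the initial namespaces (include/linux/proc_ns.h).
INITIAL_NS_INODE = {
    "ipc": 4026531839,     # PROC_IPC_INIT_INO
    "uts": 4026531838,     # PROC_UTS_INIT_INO
    "user": 4026531837,    # PROC_USER_INIT_INO
    "pid": 4026531836,     # PROC_PID_INIT_INO
    "cgroup": 4026531835,  # PROC_CGROUP_INIT_INO
}


def ns_inode(link_target: str) -> int:
    """'user:[4026531837]' -> 4026531837 (format of the /proc/<pid>/ns/* link targets)."""
    return int(link_target[link_target.index("[") + 1:link_target.rindex("]")])


def shared_with_host(ns_links: dict, host_links: dict = None) -> list:
    """ns_links: {type: link target} for the process under inspection.
    host_links: the same for PID 1, needed for the types without a fixed inode (mnt, net).
    Returns the namespace types the process shares with the host, sorted by name."""
    shared = []
    for ns_type, target in sorted(ns_links.items()):
        if ns_type in INITIAL_NS_INODE:
            if ns_inode(target) == INITIAL_NS_INODE[ns_type]:
                shared.append(ns_type)
        elif host_links is not None and host_links.get(ns_type) == target:
            shared.append(ns_type)
    return shared


def read_ns_links(pid: int) -> dict:
    """Live read of /proc/<pid>/ns/*; reading another user's process needs root."""
    ns_dir = f"/proc/{pid}/ns"
    return {name: os.readlink(os.path.join(ns_dir, name)) for name in os.listdir(ns_dir)}


# Constructed from the `podman ps --ns` row above (container PID 11090, CGROUPNS empty).
CONTAINER_11090 = {
    "ipc": "ipc:[4026532623]", "mnt": "mnt:[4026532621]", "net": "net:[4026532421]",
    "pid": "pid:[4026532624]", "user": "user:[4026531837]", "uts": "uts:[4026532622]",
}

if __name__ == "__main__":
    print(shared_with_host(CONTAINER_11090))  # ['user']
    # On the host itself: print(shared_with_host(read_ns_links(11090), read_ns_links(1)))
```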


BRUCE SCHNEIER

TECHNICAL REPORT OF THE BEZOS PHONE HACK

Motherboard obtained and published the technical report on the hack of Jeff
Bezos's phone, which is being attributed to Saudi Arabia, specifically to Crown
Prince Mohammed bin Salman.

> ...investigators set up a secure lab to examine the phone and its artifacts
> and spent two days poring over the device but were unable to find any malware
> on it. Instead, they only found a suspicious video file sent to Bezos on May
> 1, 2018 that "appears to be an Arabic language promotional film about
> telecommunications."
> 
> That file shows an image of the Saudi Arabian flag and Swedish flags and
> arrived with an encrypted downloader. Because the downloader was encrypted
> this delayed or further prevented "study of the code delivered along with the
> video."
> 
> Investigators determined the video or downloader were suspicious only because
> Bezos' phone subsequently began transmitting large amounts of data. "[W]ithin
> hours of the encrypted downloader being received, a massive and unauthorized
> exfiltration of data from Bezos' phone began, continuing and escalating for
> months thereafter," the report states.
> 
> "The amount of data being transmitted out of Bezos' phone changed dramatically
> after receiving the WhatsApp video file and never returned to baseline.
> Following execution of the encrypted downloader sent from MBS' account, egress
> on the device immediately jumped by approximately 29,000 percent," it notes.
> "Forensic artifacts show that in the six (6) months prior to receiving the
> WhatsApp video, Bezos' phone had an average of 430KB of egress per day, fairly
> typical of an iPhone. Within hours of the WhatsApp video, egress jumped to
> 126MB. The phone maintained an unusually high average of 101MB of egress data
> per day for months thereafter, including many massive and highly atypical
> spikes of egress data."

The Motherboard article also quotes forensic experts on the report:

> A mobile forensic expert told Motherboard that the investigation as depicted
> in the report is significantly incomplete and would only have provided the
> investigators with about 50 percent of what they needed, especially if this is
> a nation-state attack. She says the iTunes backup and other extractions they
> did would get them only messages, photo files, contacts and other files that
> the user is interested in saving from their applications, but not the core
> files.
> 
> "They would need to use a tool like Graykey or Cellebrite Premium or do a
> jailbreak to get a look at the full file system. That's where that
> state-sponsored malware is going to be found. Good state-sponsored malware
> should never show up in a backup," said Sarah Edwards, an author and teacher
> of mobile forensics for the SANS Institute.
> 
> "The full file system is getting into the device and getting every single file
> on there -- the whole operating system, the application data, the databases
> that will not be backed up. So really the in-depth analysis should be done on
> that full file system, for this level of investigation anyway. I would have
> insisted on that right from the start."
> 
> The investigators do note on the last page of their report that they need to
> jailbreak Bezos's phone to examine the root file system. Edwards said this
> would indeed get them everything they would need to search for persistent
> spyware like the kind created and sold by the NSO Group. But the report
> doesn't indicate if that did get done.

by Bruce Schneier at January 24, 2020 02:34 PM
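The one detection the report does describe is a volumetric one: per-device egress compared with a baseline, with the spike reported as a percentage. The following is an added example, not code from the report or from Motherboard: it runs that check over a constructed per-day series built from the figures quoted above (about 430 KB/day for six months, 126 MB on 2018-05-01, about 101 MB/day afterwards). The baseline is the median of the preceding 30 days, and it is frozen at the first alert so that a sustained elevation, the "never returned to baseline" pattern, keeps being reported instead of being learned as the new normal, which is what a naive rolling baseline would do after a couple of weeks. Window size and the 10x factor are assumptions.

```python
# Added example (not from the report): per-day egress anomaly check with a baseline
# that freezes at the first alert so a sustained exfiltration stays visible.
import statistics
from datetime import date, timedelta


def percent_change(before: float, after: float) -> float:
    return (after - before) / before * 100.0


def egress_anomalies(series: list, window: int = 30, factor: float = 10.0) -> list:
    """series: chronological list of (day, bytes_out). Returns one alert per day whose
    egress exceeds factor * baseline, where baseline is the median of the preceding
    `window` days until the first alert and is frozen from then on."""
    alerts = []
    frozen = None
    for i in range(window, len(series)):
        if frozen is None:
            baseline = statistics.median([b for _, b in series[i - window:i]])
        else:
            baseline = frozen
        day, out = series[i]
        if baseline > 0 and out > factor * baseline:
            if frozen is None:
                frozen = baseline
            alerts.append({"day": day, "bytes": out, "baseline": baseline,
                           "pct_change": percent_change(baseline, out)})
    return alerts


def constructed_series() -> list:
    """Constructed data mirroring the report's figures: ~430 KB/day with a little
    deterministic jitter for 180 days, 126 MB on 2018-05-01, then ~101 MB/day."""
    start = date(2017, 11, 2)
    series = [(start + timedelta(days=i), 430_000 + (i * 7919) % 10_000 - 5_000)
              for i in range(180)]
    series.append((start + timedelta(days=180), 126_000_000))
    series += [(start + timedelta(days=i), 101_000_000) for i in range(181, 211)]
    return series


if __name__ == "__main__":
    for a in egress_anomalies(constructed_series())[:3]:
        print(a["day"], f"{a['bytes']:,} B out vs baseline {a['baseline']:,.0f} B "
                        f"(+{a['pct_change']:,.0f}%)")
```

On the report's own numbers (430 KB to 126 MB) the first alert comes out at roughly a 29,200 percent increase, matching the "approximately 29,000 percent" quoted above. Note what this check does not do: it says nothing about where the bytes went, so the next step after an alert is a per-destination breakdown from the same netflow or on-device logs, and, as the forensic expert quoted above points out, a full file system image rather than a backup.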


PLANET GNU

GNU GUIX: GUILE 3 & GUIX

Version 3.0 of GNU Guile, an implementation of the Scheme programming language,
was released just last week. This is a major milestone for Guile, which gets
compiler improvements and just-in-time (JIT) native code generation, leading to
significant performance improvements over 2.2. It’s also great news for all the
users of Guile, and in particular for Guix!



This post discusses what it means for Guix to migrate to Guile 3 and how that
migration is already taking place.


GUILE IN GUIX

Most users interact with Guix through its command-line interface, and we work
hard to make it as approachable as possible. As any user quickly notices, Guix
uses the Scheme programming language uniformly for its configuration—from
channels to manifests and operating systems—and anyone who starts packaging
software knows that package definitions are in fact Scheme code as well.

This is a significant departure from many other distributions, and in particular from Nix.
While Nix defines several domain-specific languages (DSLs) for these aspects—the
Nix language but also specific configuration languages—Guix chooses Scheme as
the single language for all this, together with the definition of high-level
embedded domain-specific languages (EDSLs).

It goes beyond that: in Guix System, all the things traditionally implemented in
C or as a set of Perl or shell scripts are implemented in Scheme. That includes
the init system, package builds, the initial RAM disk (initrd), system tests,
and more. Because this leads to several layers of Scheme code, executed at
different points in time, Guix includes a code staging mechanism built upon the
nice properties of Scheme.

Why do that? The arguments, right from the start, were twofold: using a
general-purpose language allows us to benefit from its implementation tooling,
and having interfaces for “everything” in Scheme makes it easy for users to
navigate their distro or OS code and to reuse code to build new features or
applications. Guix developers benefit from the ease of code reuse every day;
demonstrative examples include the use of Guix container facilities in the init
system, the development of many tools providing facilities around packages, the
implementation of additional user interfaces, and work on applications that use
Guix as a library such as the Guix Workflow Language and Guix-Jupyter.

As for the benefits of the host general-purpose language, these are rather
obvious: Guix developers benefit from an expressive language, an optimizing
compiler, a debugger, a powerful read-eval-print loop (REPL), an interactive
development environment, and all sorts of libraries. Moving to Guile 3 should
add to that better performance, essentially for free. To be comprehensive,
Guile 3 may well come with a set of brand new bugs too, but so far we seem to be
doing OK!


MIGRATING TO GUILE 3

What does it mean for Guix to migrate to Guile 3? We’ve seen above different
ways in which Guix relies on Guile. In short, we can say that migration is
threefold:

 1. Guix is a distro that ships Guile-related packages. Like any other distro,
    it will have to upgrade its guile package to 3.0 and to ensure that packages
    that depend on it are updated as well.
 2. Guix is a program written in Guile. As such, we need to make sure that all
    its dependencies (half a dozen of Guile libraries) work with Guile 3 and
    that Guix itself runs fine with Guile 3.
 3. Guix ties together operating system components. In particular, the init
    system (the Shepherd) and other boot-time facilities will also migrate.


THE PACKAGES

Updating the distro is the boring part, but it’s best to get it right. Guix
makes it possible to have unrelated versions or variants of packages in
different environments or different profiles, which is very nice. We’ll have
performed a smooth transition if users and tools see that the packages named
guile and guile-ssh (say) transparently move from Guile 2.2 to 3.0, in lockstep.

Put differently, most of the upgrade work upon a programming language version
bump deals with conventions, and in particular package names. Currently, guile
corresponds to the 2.2 stable series and all the guile-* packages are built
against it. In the meantime, the package for Guile 3 is named guile-next and
packages built against it are called guile3.0-*. Over the last few weeks we
created guile3.0- variants for most Guile packages, something that’s easily
achieved with Guix.

The big switch will consist in renaming all current guile-* packages to
guile2.2-* packages, for use with the legacy 2.2 series, and renaming all the
guile3.0-* packages to guile-*. We will switch soon, but before getting there,
we’re making sure important packages are available for 3.0.


GUIX-THE-PROGRAM

A more interesting part is “porting” Guix itself from Guile 2.2 to Guile 3. It
seems that developers have become wary of 2-to-3 transitions for programming
languages. Fear not! Switching from Guile 2 to Guile 3 turned out to be an easy
task. In fact, very little changed in the language itself; what did change—e.g.,
semantics on fine points of the module system, support for structured
exceptions—is either optional or backwards-compatible.

As Guile 2.9 pre-releases trickled in, we started testing all the Guile
libraries Guix relies on against 2.9. For the vast majority of them, all we had
to do was to update their configure.ac to allow builds with 3.0.

Guix itself was a bit more work, mostly because it’s a rather large code base
with a picky test suite. The bit that required most work has to do with the
introduction of declarative modules, an optional semantic change in modules to
support more compiler optimizations. We had several “white-box tests” where
tests would happily peek at private module bindings through the magical-evil @@
operator. Because we chose to enable declarative modules, we also had to adjust
our tests to no longer do that. And well, that’s about it!

At that point, we were able to create a guile3.0-guix package variant, primarily
for testing purposes. Soon after, we told guix pull to build Guix with 3.0
instead of 2.2. Thus, Guix users who upgrade will transparently find themselves
running Guix on Guile 3.0.

The main benefit is improved performance. Guile 3 is known to be up to 32 times
faster than Guile 2.2 on some micro-benchmarks. Assessing the performance gains
on a “real-world” application like Guix is the real test. What would be a
relevant benchmark? At its core, Guix is essentially a compiler from high-level
descriptions of packages, operating systems, and the like, to low-level build
instructions (derivations). Thus, a good benchmark is a command that exercises
little more than this compilation step:

guix build libreoffice ghc-pandoc guix --dry-run --derivation

or:

guix system build config.scm --dry-run --derivation

On x86_64, the guix build command above on Guile 3 is 7% faster than on
Guile 2.2, and guix system build, which is more computing-intensive, is 10%
faster (heap usage is ~5% higher). This is lower than the skyrocketing speedups
observed on some microbenchmarks, but it’s probably no surprise: these guix
commands are short-lived (a couple of seconds) and they’re rather I/O- and
GC-intensive—something JIT compilation cannot help with.

On 32-bit ARM, we temporarily disabled JIT due to a bug; there we observe a
slight slowdown compared to 2.2. This can be explained by the fact that virtual
machine (VM) instructions in 3.0 are lower-level than in 2.2 and will hopefully
be more than compensated for when JIT is re-enabled.


GLUING IT ALL TOGETHER

The last part of the Guile 3 migration has to do with how Guix, and in
particular Guix System, glues things together. As explained above, Guix
manipulates several stages of Scheme code that will run at different points in
time.

Firstly, the code that runs package builds, such as the one that runs
./configure && make && make install, is Guile code. Currently that code runs on
Guile 2.2, but on the next major rebuild-the-world upgrade, we will switch to
Guile 3.

Additionally, Guix produces Scheme code consumed by the Shepherd, by GNU mcron,
and for the graphical installer. These will soon switch to Guile 3 as well. This
kind of change is made easy by the fact that both the package definitions and
the staged code that depends on those packages live in the same repository.


LONG LIVE, GUILE 3!

Migrating Guix to Guile 3 is a bit of work because of the many ways Guix
interacts with Guile and because of the sheer size of the code base. For a
“2-to-3” transition though, it was easy. And fundamentally, it remains a cheap
transition compared to what it brings: better performance and new features.
That’s another benefit of using a general-purpose language.

Thumbs up to everyone involved in its development, and long live Guile 3!

ABOUT GNU GUIX

GNU Guix is a transactional package manager and an advanced distribution of the
GNU system that respects user freedom. Guix can be used on top of any system
running the kernel Linux, or it can be used as a standalone operating system
distribution for i686, x86_64, ARMv7, and AArch64 machines.

In addition to standard package management features, Guix supports transactional
upgrades and roll-backs, unprivileged package management, per-user profiles, and
garbage collection. When used as a standalone GNU/Linux distribution, Guix
offers a declarative, stateless approach to operating system configuration
management. Guix is highly customizable and hackable through Guile programming
interfaces and extensions to the Scheme language.

January 24, 2020 02:02 PM


BUGTRAQ

WEBKITGTK AND WPE WEBKIT SECURITY ADVISORY WSA-2020-0001

Posted by Carlos Alberto Lopez Perez on Jan 23

------------------------------------------------------------------------
WebKitGTK and WPE WebKit Security Advisory WSA-2020-0001
------------------------------------------------------------------------

Date reported : January 23, 2020
Advisory ID : WSA-2020-0001
WebKitGTK Advisory URL : https://webkitgtk.org/security/WSA-2020-0001.html
WPE WebKit Advisory URL :...


January 24, 2020 04:02 AM

[SECURITY] [DSA 4609-1] PYTHON-APT SECURITY UPDATE

Posted by Moritz Muehlenhoff on Jan 23

-------------------------------------------------------------------------
Debian Security Advisory DSA-4609-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
January 23, 2020 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : python-apt
CVE ID : CVE-2019-15795 CVE-2019-15796...


January 24, 2020 03:58 AM


JANUARY 23, 2020


PLANET GNU

CHRISTOPHER ALLAN WEBBER: TIME TRAVEL DEBUGGING IN SPRITELY GOBLINS, PREVIEWED
THROUGH TERMINAL PHASE

Okay, by now pretty much everyone is probably sick of hearing about Terminal
Phase. Terminal Phase this, and Terminal Phase that! Weren't you getting back to
other hacking on Spritely Goblins, Chris? And in fact I am, I just decided it
was a good idea to demo one of the things that makes Goblins interesting.

What you're seeing above is from the experimental tt-debugger branch of Terminal
Phase (not committed yet because it's a proof-of-concept, and not as clean as
I'd like it to be, and also you need the "dev" branch of Goblins currently).
When the user presses the "t" key, they are presented with a menu by which they
can travel backwards and forwards in time. The player can select a previous
state of the game from every two seconds and switch to that.

Here's the cool part: I didn't change a single line of game code to make this
occur. I just added some code around the game loop that snapshotted the state as
it currently existed and exposed it to the programmer.

What kind of time sorcery is this?



Well, we're less the time-lord kind, more the functional programmer kind.
Except, quasi-functional.

If you watched the part of the recent Terminal Phase video I made that shows off
Goblins, you'll remember how objects work: a reference to a Goblins object/actor
is actually a reference that indirectly refers to a procedure for handling
immediate calls and asynchronous messages. Relative to themselves (and in true
actor fashion), objects first specify their initial version of themselves, and
can later use a special "become" capability to specify a future version of
themselves. From the perspective of the actor, this looks very functional. But
from the perspective of one object/actor performing a call against another
object/actor, it appears that things change.

Here is the simplest example of such an object, a cell that holds a single
value:

;; Constructor for a cell.  Takes an optional initial value, defaults
;; to false.
(define (^cell bcom [val #f])
  (case-lambda
    ;; Called with no arguments; return the current value
    [() val]
    ;; Called with one argument, we become a version of ourselves
    ;; with this new value
    [(new-val)
     (bcom (^cell bcom new-val))]))


If you can't read Racket/Scheme, not a big deal; I'll just tell you that this
cell can be called with no arguments to get the current value, and with one
argument to set a value. But you'll see that in the former case, the value we
would like to return to the caller is returned; in the latter case, we return
the handler we would like to be for handling future messages (wrapped up in that
bcom capability). In both cases, we aren't performing side effects, just
returning something, but in the latter case the kernel observes this and
updates the current transaction's delta reflecting that this is the "new us".
(Not shown here but supported: both becoming a new handler and returning a
value.)

Without going into details, this makes it extremely easy to accomplish several
things in Goblins:

 * Transactionality: Each "turn" of an event loop in Goblins is transactional.
   Rather than being applied immediately, a transaction is returned. Whether we
   choose to commit this or not is up to us; we will probably not, for instance,
   if an exception occurs, but we can record the exception (a default event loop
   is provided that does the default right-thing for you).
 * Snapshotting time: We can, as shown above, snapshot history and actually run
   code against previous state (assuming, again, that state is updated through
   the usual Goblins actor "become" means).
 * Time-travel debugging: Yeah, not just for Elm! I haven't built a nice
   interface for it in the demo above, but it's absolutely possible to expose a
   REPL at each snapshot in time in the game to "play around with" what's
   happening to debug difficult problems.
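The cell above and the three bullets (transactional turns, snapshots, time travel) are one mechanism, and it is small enough to model. The following Python sketch is an added example written for this page; it is not Spritely Goblins code and it does not use the Goblins API. It models handlers that return a "new me" marker instead of mutating themselves, a vat whose turn collects every become into a delta and commits that delta only if the turn finishes without an exception, and snapshots that can be reopened to run turns against an earlier state. Every name in it (Vat, Become, bcom, make_cell, make_counter) is the example's own.

```python
from collections import namedtuple

# What a handler returns to say "this is my handler for future messages"
# (the role of Goblins' bcom), optionally together with a reply value.
Become = namedtuple("Become", "handler value")


def bcom(handler, value=None):
    return Become(handler, value)


def make_cell(val=None):
    """Cell constructor, mirroring the Racket ^cell in the post."""
    def cell(*args):
        if not args:            # no arguments: reply with the current value
            return val
        (new_val,) = args       # one argument: become a cell holding new_val
        return bcom(make_cell(new_val))
    return cell


def make_counter(n=0):
    """Becomes AND replies in one call: replies n, becomes counter(n + 1)."""
    def counter():
        return bcom(make_counter(n + 1), n)
    return counter


class Vat:
    """Committed actor state plus the event loop's transactional turn."""

    def __init__(self, handlers=None):
        self.handlers = dict(handlers or {})   # actor ref -> current handler
        self.history = []                      # snapshots of self.handlers
        self._next_ref = 0

    def spawn(self, handler):
        ref, self._next_ref = self._next_ref, self._next_ref + 1
        self.handlers[ref] = handler
        return ref

    def turn(self, body):
        """Run body(call) as one turn; return (result, committed). Becomes
        go into a delta that is applied only if body completes normally."""
        delta = {}

        def call(ref, *args):
            out = delta.get(ref, self.handlers[ref])(*args)
            if isinstance(out, Become):
                delta[ref] = out.handler     # the "new us" for this turn
                return out.value
            return out

        try:
            result = body(call)
        except Exception:
            return None, False               # drop the delta; state untouched
        self.handlers.update(delta)          # commit
        return result, True

    def snapshot(self):
        """Record committed state; return the snapshot index."""
        self.history.append(dict(self.handlers))
        return len(self.history) - 1

    def at(self, index):
        """A separate vat at an earlier snapshot; turns run on it leave the
        present untouched (the hook a time-travel debugger would use)."""
        past = Vat(self.history[index])
        past._next_ref = self._next_ref
        return past


def demo():
    """Set a cell three times, fail a turn, then revisit the first snapshot."""
    vat = Vat()
    cell, counter = vat.spawn(make_cell(0)), vat.spawn(make_counter())
    snaps = []
    for v in (1, 2, 3):
        vat.turn(lambda call, v=v: call(cell, v))
        snaps.append(vat.snapshot())

    def bad_turn(call):
        call(cell, 999)                      # would become 999 and tick the
        call(counter)                        # counter, but the turn raises,
        raise RuntimeError("boom")           # so neither change is kept

    _, committed = vat.turn(bad_turn)
    tick, _ = vat.turn(lambda call: call(counter))
    now, _ = vat.turn(lambda call: call(cell))
    past = vat.at(snaps[0])
    then, _ = past.turn(lambda call: call(cell))
    past.turn(lambda call: call(cell, 42))        # poke the past...
    still, _ = vat.turn(lambda call: call(cell))  # ...present is unaffected
    return {"now": now, "bad_turn_committed": committed, "counter_reply": tick,
            "at_first_snapshot": then, "present_after_poking_past": still}
```

The delta-then-commit shape is why the three bullets fall out of one mechanism: an exception discards the turn with no rollback code, a snapshot is a copy of a dict of closures, and at() is the entire time-travel hook. The caveat is the one the post itself makes: state changed outside of become (a mutable list a handler captured and appended to, say) is invisible to the snapshot and will not travel in time.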

This is only a small portion of what makes Spritely Goblins interesting. The
really cool stuff will come soon in the distributed programming stuff. But I
realized that this is one of the more obviously cool aspects of Spritely
Goblins, and before I start showing off a bunch of other interesting new things,
I should show off a cool feature that exists in the code we already have!

Anyway, that's it... I hope I gave you a good sense that I'm up to interesting
things. If you're excited by this stuff and you aren't already, consider
donating to keep this work advancing.

Whew! I guess it's time I start writing some docs for Goblins, eh?

January 23, 2020 08:55 PM

IN COMMON SESSION

@natacha wrote:

> Take a moment to discuss modalities for cartography of the commons, in
> preparation of an intermapping meeting.
> IN COMMON brings together different actors developing different projects for
> the cartography of the commons, to discuss issues of models and
> interoperability, and advance the project of a decentralized API for this
> purpose.
> 
> 
> IN COMMON – 14 Jan 20
> 
> 
> OFFDEM
> 
> IN COMMON @ OFFdem Schedule: 13:00 (UTC) ➡ 16:00 (UTC) Place: 47 rue fritz
> toussaint, 1050 Ixelles Participants: Please use the button next to the event
> date at the top of this topic if you wish to indicate your...

Posts: 1

Participants: 1

Read full topic

by @natacha at January 23, 2020 06:44 PM


OPEN SOURCE SECURITY

CVE-2020-1711 QEMU: BLOCK: ISCSI: OOB HEAP ACCESS VIA AN UNEXPECTED RESPONSE OF
ISCSI SERVER

Posted by P J P on Jan 23

Hello,

An out-of-bounds heap buffer access issue was found in the way iSCSI Block
driver in QEMU handled response coming from an iSCSI server, while checking
status of a Logical Address Block (LBA) in iscsi_co_block_status() routine.

A remote user could use this flaw to crash the QEMU process resulting in DoS
OR potentially execute arbitrary code with privileges of the QEMU process on
the host.

Upstream patch:
---------------
->...


January 23, 2020 05:56 PM

JEU VIDE-A @ OFFDEM

@natacha wrote:

> We are inviting you for a conversation about what could be feminist video
> games and their realisation. Jeu vide-a has launched a series of workshops and
> projects about feminist gaming principles in different contexts:
> 
> 
> 
> Jeu vide-a: an intersectional exploration (jeu vide-a)
> 
> > Exploring collectively feminist and intersectional possibilities of vide-a
> > games by learning the Godot Engine software. (French above.) These workshops
> > will take place around two axes: a reflection on the contemporary languages
> > of contemporary video games from a feminist perspective, and learning video
> > game programming with the free software Godot Engine. Since the “Gamergate”
> > episode a few years ago, and partly thanks to the work of feminist academics
> > such as Anita Sarkeesian (fe…
> 
> 
> 
> We have also engaged in different productions exploring the possibilities of
> Godot Engine for this purpose.
> 
> We would like to engage this conversation with you, what are the qualities of
> a feminist video game, and how can those possibilities be implemented.
> @frankiezafe @Amelie_Dumont would you like to join this.

Posts: 2

Participants: 2

Read full topic

by @natacha at January 23, 2020 05:37 PM

WEBKITGTK AND WPE WEBKIT SECURITY ADVISORY WSA-2020-0001

Posted by Carlos Alberto Lopez Perez on Jan 23

------------------------------------------------------------------------
WebKitGTK and WPE WebKit Security Advisory WSA-2020-0001
------------------------------------------------------------------------

Date reported : January 23, 2020
Advisory ID : WSA-2020-0001
WebKitGTK Advisory URL : https://webkitgtk.org/security/WSA-2020-0001.html
WPE WebKit Advisory URL :...


January 23, 2020 05:28 PM


PLANET GNU

FSF BLOGS: CIVICRM MEETUP LOOKING FOR NEW ORGANIZER

The Free Software Foundation's (FSF) CiviCRM meetup in Boston is looking for
community members who are interested in taking over and reviving this meetup.

At one point, this meetup had about twelve people every month, but in the last
two or three years it has gone down to one to three. We know there are people in
the Boston area working at nonprofits, and who are using or considering using
CiviCRM as an important part of their work. We would love for them to get
together, but we don't have the time to organize the meetup anymore.

The FSF is willing to host the event in our office. If anyone wishes to take
over meetings, our mailing list, meetup.com page (which predated our involvement
-- we'd like the group to move away from this), and gettogether.community page
are open to moderation by the new organizers.

If you're interested in organizing the group, or know someone who would, please
contact us at this mailing list:

https://lists.libreplanet.org/mailman/listinfo/civicrm-boston

January 23, 2020 04:38 PM


OPEN SOURCE SECURITY

RE: CVE-2020-7040: STOREBACKUP: DENIAL OF SERVICE AND SYMLINK ATTACK VECTOR VIA
FIXED LOCKFILE PATH /TMP/STOREBACKUP.LOCK

Posted by Nick Boyce on Jan 23

[...]

[...]

Thanks Matthias for the clarification.

Nick


January 23, 2020 04:07 PM


BREACHEXCHANGE

WHY DPOS AND CISOS MUST WORK CLOSELY TOGETHER

Posted by Destry Winant on Jan 23

https://www.darkreading.com/attacks-breaches/why-dpos-and-cisos-must-work-closely-together/a/d-id/1336840

Recent data protection laws mean that the data protection officer and
CISO must work in tandem to make sure users' data is protected.

With strict data protection laws in place around the world (including
GDPR and CCPA), it's vital that the data protection officer (DPO) and
CISO work closely together. Although part of the...


January 23, 2020 03:15 PM

ADULT WEBCAM MODELS' PRIVATE AND SEXUAL DATA COMPROMISED!

Posted by Destry Winant on Jan 23

https://www.ehackingnews.com/2020/01/adult-webcam-models-private-and-sexual.html

Undoubtedly, being an "Adult Webcam Model" means living a "revealing"
life "out in the open". But to an extent where "Personal" and "Sexual"
details are laid out on the table? Not what most would think.

PussyCash, an infamous “live webcam porn network” suffered a data
breach and threw in the face of the internet...


January 23, 2020 03:15 PM

COLUMBUS LIBRARY DATA BREACH MAY HAVE BEEN CAUSED BY PHISHING LINK

Posted by Destry Winant on Jan 23

https://www.dispatch.com/news/20200117/columbus-library-data-breach-may-have-been-caused-by-phishing-link

Columbus Metropolitan Library employees whose identities were stolen
may have been victims of a phishing scam that a former library
official fell for in 2018.

The marketing director of the Columbus Metropolitan Library says he
has no idea how the identities of more than 75 librarians and other
staffers were stolen.

But other library...


January 23, 2020 03:15 PM

CRACK SHACK WARNS OF POSSIBLE DATA BREACH

Posted by Destry Winant on Jan 23

https://www.restaurant-hospitality.com/technology/crack-shack-warns-possible-data-breach

The Crack Shack Enterprises LLC restaurant in Encinitas, Calif., may
have suffered a data breach between Aug. 19 and Sept. 23, the company
has warned.

The San Diego, Calif.-based fast-casual brand said malware on a server
may have accessed payment card information at the location, including
customers’ names, card numbers, expiration dates and card...


January 23, 2020 03:15 PM


BUGTRAQ

SEC CONSULT SA-20200123-0 :: CROSS-SITE REQUEST FORGERY (CSRF) IN UMBRACO CMS

Posted by SEC Consult Vulnerability Lab on Jan 23

SEC Consult Vulnerability Lab Security Advisory < 20200123-0 >
=======================================================================
title: Cross-Site Request Forgery (CSRF)
product: Umbraco CMS
vulnerable version: version 8.2.2
fixed version: version 8.5
CVE number: CVE-2020-7210
impact: medium
homepage: https://umbraco.com/
found: October 2019...


January 23, 2020 02:42 PM


FULL DISCLOSURE

SEC CONSULT SA-20200123-0 :: CROSS-SITE REQUEST FORGERY (CSRF) IN UMBRACO CMS

Posted by SEC Consult Vulnerability Lab on Jan 23

SEC Consult Vulnerability Lab Security Advisory < 20200123-0 >
=======================================================================
title: Cross-Site Request Forgery (CSRF)
product: Umbraco CMS
vulnerable version: version 8.2.2
fixed version: version 8.5
CVE number: CVE-2020-7210
impact: medium
homepage: https://umbraco.com/
found: October 2019...


January 23, 2020 02:32 PM


BRUCE SCHNEIER

APPLE ABANDONED PLANS FOR ENCRYPTED ICLOUD BACKUP AFTER FBI COMPLAINED

This is new from Reuters:

> More than two years ago, Apple told the FBI that it planned to offer users
> end-to-end encryption when storing their phone data on iCloud, according to
> one current and three former FBI officials and one current and one former
> Apple employee.
> 
> Under that plan, primarily designed to thwart hackers, Apple would no longer
> have a key to unlock the encrypted data, meaning it would not be able to turn
> material over to authorities in a readable form even under court order.
> 
> In private talks with Apple soon after, representatives of the FBI's cyber
> crime agents and its operational technology division objected to the plan,
> arguing it would deny them the most effective means for gaining evidence
> against iPhone-using suspects, the government sources said.
> 
> When Apple spoke privately to the FBI about its work on phone security the
> following year, the end-to-end encryption plan had been dropped, according to
> the six sources. Reuters could not determine why exactly Apple dropped the
> plan.

by Bruce Schneier at January 23, 2020 12:10 PM

CLEARVIEW AI AND FACIAL RECOGNITION

The New York Times has a long story about Clearview AI, a small company that
scrapes identified photos of people from pretty much everywhere, and then uses
unstated magical AI technology to identify people in other photos.

> His tiny company, Clearview AI, devised a groundbreaking facial recognition
> app. You take a picture of a person, upload it and get to see public photos of
> that person, along with links to where those photos appeared. The system --
> whose backbone is a database of more than three billion images that Clearview
> claims to have scraped from Facebook, YouTube, Venmo and millions of other
> websites -- goes far beyond anything ever constructed by the United States
> government or Silicon Valley giants.
> 
> Federal and state law enforcement officers said that while they had only
> limited knowledge of how Clearview works and who is behind it, they had used
> its app to help solve shoplifting, identity theft, credit card fraud, murder
> and child sexual exploitation cases.
> 
> [...]
> 
> But without public scrutiny, more than 600 law enforcement agencies have
> started using Clearview in the past year, according to the company, which
> declined to provide a list. The computer code underlying its app, analyzed by
> The New York Times, includes programming language to pair it with
> augmented-reality glasses; users would potentially be able to identify every
> person they saw. The tool could identify activists at a protest or an
> attractive stranger on the subway, revealing not just their names but where
> they lived, what they did and whom they knew.
> 
> And it's not just law enforcement: Clearview has also licensed the app to at
> least a handful of companies for security purposes.

Another article.

EDITED TO ADD (1/23): Twitter told the company to stop scraping its photos.

by Bruce Schneier at January 23, 2020 08:33 AM


TOR PROJECT

NEW ALPHA RELEASE: TOR 0.4.3.1-ALPHA

nickm January 22, 2020

There's a new alpha release available for download. If you build Tor from
source, you can download the source code for 0.4.3.1-alpha from the usual place
on the website. Packages should be available over the coming weeks, with a new
alpha Tor Browser release by mid-February.

Remember, this is an alpha release: you should only run this if you'd like to
find and report more bugs than usual.

This is the first alpha release in the 0.4.3.x series. It includes improved
support for application integration of onion services, support for building in a
client-only mode, and newly improved internal documentation (online at
https://src-ref.docs.torproject.org/tor/). It also has numerous other small
bugfixes and features, as well as improvements to our code's internal
organization that should help us write better code in the future.


CHANGES IN VERSION 0.4.3.1-ALPHA - 2020-01-22

 * New system requirements:
   * When building Tor, you now need to have Python 3 in order to run the
     integration tests. (Python 2 is officially unsupported upstream, as of 1
     Jan 2020.) Closes ticket 32608.
 * Major features (build system):
   * The relay code can now be disabled using the --disable-module-relay
     configure option. When this option is set, we also disable the dirauth
     module. Closes ticket 32123.
   * When Tor is compiled --disable-module-relay, we also omit the code used to
     act as a directory cache. Closes ticket 32487.
 * Major features (directory authority, ed25519):
   * Add support for banning a relay's ed25519 keys in the approved-routers
     file. This will help us migrate away from RSA keys in the future.
     Previously, only RSA keys could be banned in approved-routers. Resolves
     ticket 22029. Patch by Neel Chauhan.
 * Major features (onion service, controller):
   * New control port commands to manage client-side onion service authorization
     credentials. The ONION_CLIENT_AUTH_ADD command adds a credential,
     ONION_CLIENT_AUTH_REMOVE deletes a credential, and ONION_CLIENT_AUTH_VIEW
     lists the credentials. Closes ticket 30381.
 * Major features (onion service, SOCKS5):
   * Introduce a new SocksPort flag, ExtendedErrors, to support more detailed
     error codes in information for applications that support them. Closes
     ticket 30382; implements proposal 304.
 * Major features (proxy):
   * In addition to its current supported proxy types (HTTP CONNECT, SOCKS4, and
     SOCKS5), Tor can now make its OR connections through a HAProxy server. A
     new torrc option was added to specify the address/port of the server:
     TCPProxy <protocol> <host>:<port>. Currently the only supported protocol for
     the option is haproxy. Closes ticket 31518. Patch done by Suphanat
     Chunhapanya (haxxpop).
 * Major bugfixes (linux seccomp sandbox):
   * Correct how we use libseccomp. Particularly, stop assuming that rules are
     applied in a particular order or that more rules are processed after the
     first match. Neither is the case! In libseccomp <2.4.0 this led to some
     rules having no effect. libseccomp 2.4.0 changed how rules are generated,
     leading to a different ordering, which in turn led to a fatal crash during
     startup. Fixes bug 29819; bugfix on 0.2.5.1-alpha. Patch by Peter Gerber.
   * Fix crash when reloading logging configuration while the experimental
     sandbox is enabled. Fixes bug 32841; bugfix on 0.4.1.7. Patch by Peter
     Gerber.
 * Major bugfixes (networking):
   * Correctly handle IPv6 addresses in SOCKS5 RESOLVE_PTR requests, and accept
     strings as well as binary addresses. Fixes bug 32315; bugfix on
     0.3.5.1-alpha.
 * Major bugfixes (onion service):
   * Report HS circuit failure back into the HS subsystem so we take appropriate
     action with regards to the client introduction point failure cache. This
     improves reachability of onion services, since now clients notice failing
     introduction circuits properly. Fixes bug 32020; bugfix on 0.3.2.1-alpha.
 * Minor feature (configure, build system):
   * Output a list of enabled/disabled features at the end of the configure
     process in a pleasing way. Closes ticket 31373.
 * Minor feature (heartbeat, onion service):
   * Add the DoS INTRODUCE2 defenses counter to the heartbeat DoS message.
     Closes ticket 31371.
 * Minor features (configuration validation):
   * Configuration validation can now be done by per-module callbacks, rather
     than a global validation function. This will let us reduce the size of
     config.c and some of its more cumbersome functions. Closes ticket 31241.
 * Minor features (configuration):
   * If a configured hardware crypto accelerator in AccelName is prefixed with
     "!", Tor now exits when it cannot be found. Closes ticket 32406.
   * We now use flag-driven logic to warn about obsolete configuration fields,
     so that we can include their names. In 0.4.2, we used a special type, which
     prevented us from generating good warnings. Implements ticket 32404.
 * Minor features (controller):
   * Add stream isolation data to STREAM event. Closes ticket 19859.
   * Implement a new GETINFO command to fetch microdescriptor consensus. Closes
     ticket 31684.
 * Minor features (debugging, directory system):
   * Don't crash when we find a non-guard with a guard-fraction value set.
     Instead, log a bug warning, in an attempt to figure out how this happened.
     Diagnostic for ticket 32868.
 * Minor features (defense in depth):
   * Add additional checks around tor_vasprintf() usage, in case the function
     returns an error. Patch by Tobias Stoeckmann. Fixes ticket 31147.
 * Minor features (developer tooling):
   * Remove the 0.2.9.x series branches from git scripts (git-merge-forward.sh,
     git-pull-all.sh, git-push-all.sh, git-setup-dirs.sh). Closes ticket 32772.
 * Minor features (developer tools):
   * Add a check_cocci_parse.sh script that checks that new code is parseable by
     Coccinelle. Add an exceptions file for unparseable files, and run the
     script from travis CI. Closes ticket 31919.
   * Call the check_cocci_parse.sh script from a 'check-cocci' Makefile target.
     Closes ticket 31919.
   * Add a rename_c_identifiers.py tool to rename a bunch of C identifiers at
     once, and generate a well-formed commit message describing the change. This
     should help with refactoring. Closes ticket 32237.
   * Add some scripts in "scripts/coccinelle" to invoke the Coccinelle semantic
     patching tool with the correct flags. These flags are fairly easy to
     forget, and these scripts should help us use Coccinelle more effectively in
     the future. Closes ticket 31705.
 * Minor features (Doxygen):
   * Update Doxygen configuration file to a more recent template (from 1.8.15).
     Closes ticket 32110.
   * "make doxygen" now works with out-of-tree builds. Closes ticket 32113.
   * Make sure that doxygen outputs documentation for all of our C files.
     Previously, some were missing @file declarations, causing them to be
     ignored. Closes ticket 32307.
   * Our "make doxygen" target now respects --enable-fatal-warnings by default,
     and does not warn about items that are missing documentation. To warn about
     missing documentation, run configure with the
     "--enable-missing-doc-warnings" flag: doing so suspends fatal warnings for
     doxygen. Closes ticket 32385.
 * Minor features (git scripts):
   * Add TOR_EXTRA_CLONE_ARGS to git-setup-dirs.sh for git clone customisation.
     Closes ticket 32347.
   * Add git-setup-dirs.sh, which sets up an upstream git repository and
     worktrees for tor maintainers. Closes ticket 29603.
   * Add TOR_EXTRA_REMOTE_* to git-setup-dirs.sh for a custom extra remote.
     Closes ticket 32347.
   * Call the check_cocci_parse.sh script from the git commit and push hooks.
     Closes ticket 31919.
   * Make git-push-all.sh skip unchanged branches when pushing to upstream. The
     script already skipped unchanged test branches. Closes ticket 32216.
   * Make git-setup-dirs.sh create a master symlink in the worktree directory.
     Closes ticket 32347.
   * Skip unmodified source files when doing some existing git hook checks.
     Related to ticket 31919.
 * Minor features (IPv6, client):
   * Make Tor clients tell dual-stack exits that they prefer IPv6 connections.
     This change is equivalent to setting the PreferIPv6 flag on SOCKSPorts (and
     most other listener ports). Tor Browser has been setting this flag for some
     time, and we want to remove a client distinguisher at exits. Closes ticket
     32637.
 * Minor features (portability, android):
   * When building for Android, disable some tests that depend on $HOME and/or
     pwdb, which Android doesn't have. Closes ticket 32825. Patch from
     Hans-Christoph Steiner.
 * Minor features (relay modularity):
   * Split the relay and server pluggable transport config code into separate
     files in the relay module. Disable this code when the relay module is
     disabled. Closes part of ticket 32213.
   * When the relay module is disabled, reject attempts to set the ORPort,
     DirPort, DirCache, BridgeRelay, ExtORPort, or ServerTransport* options,
     rather than ignoring the values of these options. Closes part of ticket
     32213.
 * Minor features (relay):
   * When the relay module is disabled, change the default config so that
     DirCache is 0, and ClientOnly is 1. Closes ticket 32410.
 * Minor features (release tools):
   * Port our ChangeLog formatting and sorting tools to Python 3. Closes ticket
     32704.
 * Minor features (testing):
   * Detect some common failure cases for test_parseconf.sh in
     src/test/conf_failures. Closes ticket 32451.
   * Allow test_parseconf.sh to test expected log outputs for successful
     configs, as well as failed configs. Closes ticket 32451.
   * The test_parseconf.sh script now supports result variants for any
     combination of the optional libraries lzma, nss, and zstd. Closes ticket
     32397.
 * Minor features (tests, Android):
   * When running the unit tests on Android, create temporary files in a
     subdirectory of /data/local/tmp. Closes ticket 32172. Based on a patch from
     Hans-Christoph Steiner.
 * Minor bugfixes (bridges):
   * Lowercase the configured value of BridgeDistribution before adding it to
     the descriptor. Fixes bug 32753; bugfix on 0.3.2.3-alpha.
 * Minor bugfixes (build system):
   * Fix "make autostyle" for out-of-tree builds. Fixes bug 32370; bugfix on
     0.4.1.2-alpha.
 * Minor bugfixes (configuration handling):
   * Make control_event_conf_changed() take in a config_line_t instead of a
     smartlist of alternating key/value entries. Fixes bug 31531; bugfix on
     0.2.3.3-alpha. Patch by Neel Chauhan.
 * Minor bugfixes (configuration):
   * Check for multiplication overflow when parsing memory units inside
     configuration. Fixes bug 30920; bugfix on 0.0.9rc1.
   * When dumping the configuration, stop adding a trailing space after the
     option name when there is no option value. This issue only affects options
     that accept an empty value or list. (Most options reject empty values, or
     delete the entire line from the dumped options.) Fixes bug 32352; bugfix on
     0.0.9pre6.
   * Avoid changing the user's value of HardwareAccel as stored by SAVECONF,
     when AccelName is set but HardwareAccel is not. Fixes bug 32382; bugfix on
     0.2.2.1-alpha.
   * When creating a KeyDirectory with the same location as the DataDirectory
     (not recommended), respect the DataDirectory's group-readable setting if
     one has not been set for the KeyDirectory. Fixes bug 27992; bugfix on
     0.3.3.1-alpha.
 * Minor bugfixes (controller):
   * In routerstatus_has_changed(), check all the fields that are output over
     the control port. Fixes bug 20218; bugfix on 0.1.1.11-alpha.
 * Minor bugfixes (correctness checks):
   * Use GCC/Clang's printf-checking feature to make sure that tor_assertf()
     arguments are correctly typed. Fixes bug 32765; bugfix on 0.4.1.1-alpha.
 * Minor bugfixes (developer tools):
   * Allow paths starting with ./ in scripts/add_c_file.py. Fixes bug 31336;
     bugfix on 0.4.1.2-alpha.
 * Minor bugfixes (dirauth module):
   * Split the dirauth config code into a separate file in the dirauth module.
     Disable this code when the dirauth module is disabled. Closes ticket 32213.
   * When the dirauth module is disabled, reject attempts to set the
     AuthoritativeDir option, rather than ignoring the value of the option.
     Fixes bug 32213; bugfix on 0.3.4.1-alpha.
 * Minor bugfixes (embedded Tor):
   * When starting Tor any time after the first time in a process, register the
     thread in which it is running as the main thread. Previously, we only did
     this on Windows, which could lead to bugs like 23081 on non-Windows
     platforms. Fixes bug 32884; bugfix on 0.3.3.1-alpha.
 * Minor bugfixes (git scripts):
   * Avoid sleeping before the last push in git-push-all.sh. Closes ticket
     32216.
   * Forward all unrecognised arguments in git-push-all.sh to git push. Closes
     ticket 32216.
 * Minor bugfixes (hidden service v3):
   * Do not rely on a "circuit established" flag for intro circuits but instead
     always query the HS circuit map. This is to avoid a sync issue between that
     flag and the map. Fixes bug 32094; bugfix on 0.3.2.1-alpha.
 * Minor bugfixes (logging, crash):
   * Avoid a possible crash when trying to log a (fatal) assertion failure about
     mismatched magic numbers in configuration objects. Fixes bug 32771; bugfix
     on 0.4.2.1-alpha.
 * Minor bugfixes (onion service v2):
   * When sending the INTRO cell for a v2 Onion Service, look at the failure
     cache alongside timeout values to check if the intro point is marked as
     failed. Previously, we only looked at the relay timeout values. Fixes bug
     25568; bugfix on 0.2.7.3-rc. Patch by Neel Chauhan.
 * Minor bugfixes (onion services v3, client):
   * Properly handle the client rendezvous circuit timeout. Previously Tor would
     sometimes timeout a rendezvous circuit awaiting the introduction ACK, and
     find itself unable to re-establish all circuits because the rendezvous
     circuit timed out too early. Fixes bug 32021; bugfix on 0.3.2.1-alpha.
 * Minor bugfixes (onion services):
   * In cancel_descriptor_fetches(), use connection_list_by_type_purpose()
     instead of connection_list_by_type_state(). Fixes bug 32639; bugfix on
     0.3.2.1-alpha. Patch by Neel Chauhan.
 * Minor bugfixes (scripts):
   * Fix update_versions.py for out-of-tree builds. Fixes bug 32371; bugfix on
     0.4.0.1-alpha.
 * Minor bugfixes (test):
   * Use the same code to find the tor binary in all of our test scripts. This
     change makes sure we are always using the coverage binary when coverage is
     enabled. Fixes bug 32368; bugfix on 0.2.7.3-rc.
 * Minor bugfixes (testing):
   * Stop ignoring "tor --dump-config" errors in test_parseconf.sh. Fixes bug
     32468; bugfix on 0.4.2.1-alpha.
   * When TOR_DISABLE_PRACTRACKER is set, do not apply it to the
     test_practracker.sh script. Doing so caused a test failure. Fixes bug
     32705; bugfix on 0.4.2.1-alpha.
   * When TOR_DISABLE_PRACTRACKER is set, log a notice to stderr when skipping
     practracker checks. Fixes bug 32705; bugfix on 0.4.2.1-alpha.
 * Minor bugfixes (tests):
   * Our option-validation tests no longer depend on specially configured
     non-default, non-passing sets of options. Previously, the tests had been
     written to assume that options would _not_ be set to their defaults, which
     led to needless complexity and verbosity. Fixes bug 32175; bugfix on
     0.2.8.1-alpha.
 * Minor bugfixes (windows service):
   * Initialize the publish/subscribe system when running as a windows service.
     Fixes bug 32778; bugfix on 0.4.1.1-alpha.
 * Deprecated features:
   * Deprecate the ClientAutoIPv6ORPort option. This option was not true "Happy
     Eyeballs", and often failed on connections that weren't reliably
     dual-stack. Closes ticket 32942. Patch by Neel Chauhan.
 * Documentation:
   * Provide a quickstart guide for a Circuit Padding Framework, and
     documentation for researchers to implement and study circuit padding
     machines. Closes ticket 28804.
   * Add documentation in 'HelpfulTools.md' to describe how to build a tag file.
     Closes ticket 32779.
   * Create a high-level description of the long-term software architecture
     goals. Closes ticket 32206.
   * Describe the --dump-config command in the manual page. Closes ticket 32467.
   * Unite coding advice from this_not_that.md in torguts repo into our coding
     standards document. Resolves ticket 31853.
 * Removed features:
   * Our Doxygen configuration no longer generates LaTeX output. The reference
     manual produced by doing this was over 4000 pages long, and generally
     unusable. Closes ticket 32099.
   * The option "TestingEstimatedDescriptorPropagationTime" is now marked as
     obsolete. It has had no effect since 0.3.0.7, when clients stopped
     rejecting consensuses "from the future". Closes ticket 32807.
   * We no longer support consensus methods before method 28; these methods were
     only used by authorities running versions of Tor that are now at
     end-of-life. In effect, this means that clients, relays, and authorities
     now assume that authorities will be running version 0.3.5.x or later.
     Closes ticket 32695.
 * Testing:
   * Add more test cases for tor's UTF-8 validation function. Also, check the
     arguments passed to the function for consistency. Closes ticket 32845.
   * Improve test coverage for relay and dirauth config code, focusing on option
     validation and normalization. Closes ticket 32213.
   * Improve the consistency of test_parseconf.sh output, and run all the tests,
     even if one fails. Closes ticket 32213.
   * Re-enable the Travis CI macOS Chutney build, but don't let it prevent the
     Travis job from finishing. (The Travis macOS jobs are slow, so we don't
     want to have it delay the whole CI process.) Closes ticket 32629.
   * Run the practracker unit tests in the pre-commit git hook. Closes ticket
     32609.
   * Turn off Tor's Sandbox in Chutney jobs, and run those jobs on Ubuntu
     Bionic. Turning off the Sandbox is a work-around, until we fix the sandbox
     errors in 32722. Closes ticket 32240.
 * Code simplification and refactoring (channel):
   * Channel layer had a variable length cell handler that was not used and thus
     removed. Closes ticket 32892.
 * Code simplification and refactoring (configuration):
   * Immutability is now implemented as a flag on individual configuration
     options rather than as part of the option-transition checking code. Closes
     ticket 32344.
   * Instead of keeping a list of configuration options to check for relative
     paths, check all the options whose type is "FILENAME". Solves part of
     ticket 32339.
   * Our default log (which ordinarily sends NOTICE-level messages to standard
     output) is now handled in a more logical manner. Previously, we replaced
     the configured log options if they were empty. Now, we interpret an empty
     set of log options as meaning "use the default log". Closes ticket 31999.
   * Remove some unused arguments from the options_validate() function, to
     simplify our code and tests. Closes ticket 32187.
   * Simplify the options_validate() code so that it looks at the default
     options directly, rather than taking default options as an argument. This
     change lets us simplify its interface. Closes ticket 32185.
    * Use our new configuration architecture to move most authority-related
      options to the directory authority module. Closes ticket 32806.
   * When parsing the command line, handle options that determine our "quiet
     level" and our mode of operation (e.g., --dump-config and so on) all in one
     table. Closes ticket 32003.
 * Code simplification and refactoring (controller):
   * Create a new abstraction for formatting control protocol reply lines based
     on key-value pairs. Refactor some existing control protocol code to take
     advantage of this. Closes ticket 30984.
   * Create a helper function that can fetch network status or microdesc
     consensuses. Closes ticket 31684.
 * Code simplification and refactoring (dirauth modularization):
   * Remove the last remaining HAVE_MODULE_DIRAUTH inside a function. Closes
     ticket 32163.
   * Replace some confusing identifiers in process_descs.c. Closes ticket 29826.
   * Simplify some relay and dirauth config code. Closes ticket 32213.
 * Code simplification and refactoring (misc):
   * Make all the structs we declare follow the same naming convention of ending
     with "_t". Closes ticket 32415.
   * Move and rename some configuration-related code for clarity. Closes ticket
     32304.
   * Our include.am files are now broken up by subdirectory. Previously,
     src/core/include.am covered all of the subdirectories in "core", "feature",
     and "app". Closes ticket 32137.
   * Remove underused NS*() macros from test code: they make our tests more
     confusing, especially for code-formatting tools. Closes ticket 32887.
 * Code simplification and refactoring (relay modularization):
   * Disable relay_periodic when the relay module is disabled. Closes ticket
     32244.
   * Disable relay_sys when the relay module is disabled. Closes ticket 32245.
 * Code simplification and refactoring (tool support):
   * Add numerous missing dependencies to our include files, so that they can be
     included in different reasonable orders and still compile. Addresses part
     of ticket 32764.
   * Fix some parts of our code that were difficult for Coccinelle to parse.
     Related to ticket 31705.
   * Fix some small issues in our code that prevented automatic formatting tools
     from working. Addresses part of ticket 32764.
 * Documentation (manpage):
   * Alphabetize the Client Options section of the tor manpage. Closes ticket
     32846.
   * Alphabetize the General Options section of the tor manpage. Closes ticket
     32708.
   * In the tor(1) manpage, reword and improve formatting of the COMMAND-LINE
     OPTIONS and DESCRIPTION sections. Closes ticket 32277. Based on work by
     Swati Thacker as part of Google Season of Docs.
   * In the tor(1) manpage, reword and improve formatting of the FILES, SEE
     ALSO, and BUGS sections. Closes ticket 32176. Based on work by Swati
     Thacker as part of Google Season of Docs.
 * Testing (circuit, EWMA):
   * Add unit tests for circuitmux and EWMA subsystems. Closes ticket 32196.
 * Testing (continuous integration):
   * Use zstd in our Travis Linux builds. Closes ticket 32242.

by nickm at January 23, 2020 01:34 AM


DEBIAN SECURITY

DSA-4609 PYTHON-APT

security update

January 23, 2020 12:00 AM


JANUARY 22, 2020


KREBS ON SECURITY

APPLE ADDRESSES IPHONE 11 LOCATION PRIVACY CONCERN

Apple is rolling out a new update to its iOS operating system that addresses the
location privacy issue on iPhone 11 devices that was first detailed here last
month.



Beta versions of iOS 13.3.1 include a new setting that lets users disable the
“Ultra Wideband” feature, a short-range technology that lets iPhone 11 users
share files locally with other nearby phones that support this feature.

In December, KrebsOnSecurity pointed out the new iPhone 11 line queries the
user’s location even when all applications and system services are individually
set never to request this data.

Apple initially said the company did not see any privacy concerns and that the
location tracking icon (a small, upward-facing arrow to the left of the battery
icon) appears for system services that do not have a switch in the iPhone’s
settings menu.

Apple later acknowledged the mysterious location requests were related to the
inclusion of an Ultra Wideband chip in iPhone 11, Pro and Pro Max devices.

The company further explained that the location information indicator appears
because the device periodically checks to see whether it is being used in a
handful of countries for which Apple hasn’t yet received approval to deploy
Ultra Wideband.

Apple also stressed it doesn’t use the UWB feature to collect user location
data, and that this location checking resided “entirely on the device.” Still,
it’s nice that iPhone 11 users will now have a setting to disable the feature if
they want.

Spotted by journalist Brandon Butch and published on Twitter last week, the new
toggle switch to turn off UWB now exists in the “Networking & Wireless” settings
in beta versions of iOS 13.3.1, under Locations Services > System Services. Beta
versions are released early to developers to help iron out kinks in the
software, and it’s not clear yet when 13.3.1 will be released to the general
public.

by BrianKrebs at January 22, 2020 11:14 PM


PLANET GNU

PARALLEL @ SAVANNAH: GNU PARALLEL 20200122 ('SOLEIMANI') RELEASED

GNU Parallel 20200122 ('Soleimani') has been released. It is available for
download at: http://ftpmirror.gnu.org/parallel/


GNU Parallel is 10 years old next year on 2020-04-22. You are hereby invited to
a reception on Friday 2020-04-17.


See https://www.gnu.org/software/parallel/10-years-anniversary.html


Quote of the month:


  GNU parallel is straight up incredible.
    -- Ben Johnson @biobenkj@twtter


New in this release:


 * --blocktimeout dur - Time out for reading block when using --pipe. If it
   takes longer than dur to read a full block, use the partial block read so
   far.

 * Bug fixes and man page updates.

News about GNU Parallel:


 * GNU Parallel course in Copenhagen
   https://www.prosa.dk/nc/arrangementer/arrangement/gnu-parallel-med-ole-tange/

 * GNU Parallel course in Århus
   https://www.prosa.dk/nc/arrangementer/arrangement/gnu-parallel-og-parallelisering-i-unix-shellen/

 * GNU Parallel pour accélérer vos process sous Linux
   https://www.yvonh.com/gnu-parallel-pour-accelerer-vos-process-sous-linux/

 * How to copy a file to multiple directories in Linux
   https://net2.com/how-to-copy-a-file-to-multiple-directories-in-linux/

 * Running linux commands in parallel
   https://dev.to/voyeg3r/runing-linux-commands-in-parallel-4ff8

Get the book: GNU Parallel 2018
http://www.lulu.com/shop/ole-tange/gnu-parallel-2018/paperback/product-23558902.html


GNU Parallel - For people who live life in the parallel lane.



ABOUT GNU PARALLEL

GNU Parallel is a shell tool for executing jobs in parallel using one or more
computers. A job can be a single command or a small script that has to be run
for each of the lines in the input. The typical input is a list of files, a list
of hosts, a list of users, a list of URLs, or a list of tables. A job can also
be a command that reads from a pipe. GNU Parallel can then split the input and
pipe it into commands in parallel.


If you use xargs and tee today you will find GNU Parallel very easy to use as
GNU Parallel is written to have the same options as xargs. If you write loops in
shell, you will find GNU Parallel may be able to replace most of the loops and
make them run faster by running several jobs in parallel. GNU Parallel can even
replace nested loops.


GNU Parallel makes sure output from the commands is the same output as you would
get had you run the commands sequentially. This makes it possible to use output
from GNU Parallel as input for other programs.


For example you can run this to convert all jpeg files into png and gif files
and have a progress bar:


  parallel --bar convert {1} {1.}.{2} ::: *.jpg ::: png gif


Or you can generate big, medium, and small thumbnails of all jpeg files in sub
dirs:


  find . -name '*.jpg' |
    parallel convert -geometry {2} {1} {1//}/thumb{2}_{1/} :::: - ::: 50 100 200


You can find more about GNU Parallel at: http://www.gnu.org/s/parallel/


You can install GNU Parallel in just 10 seconds with:


    $ (wget -O - pi.dk/3 || lynx -source pi.dk/3 || curl pi.dk/3/ || \
       fetch -o - http://pi.dk/3 ) > install.sh
    $ sha1sum install.sh | grep 3374ec53bacb199b245af2dda86df6c9
    12345678 3374ec53 bacb199b 245af2dd a86df6c9
    $ md5sum install.sh | grep 029a9ac06e8b5bc6052eac57b2c3c9ca
    029a9ac0 6e8b5bc6 052eac57 b2c3c9ca
    $ sha512sum install.sh | grep f517006d9897747bed8a4694b1acba1b
    40f53af6 9e20dae5 713ba06c f517006d 9897747b ed8a4694 b1acba1b 1464beb4
    60055629 3f2356f3 3e9c4e3c 76e3f3af a9db4b32 bd33322b 975696fc e6b23cfb
    $ bash install.sh


Watch the intro video on http://www.youtube.com/playlist?list=PL284C9FF2488BC6D1


Walk through the tutorial (man parallel_tutorial). Your command line will love
you for it.


When using programs that use GNU Parallel to process data for publication please
cite:


O. Tange (2018): GNU Parallel 2018, March 2018,
https://doi.org/10.5281/zenodo.1146014.


If you like GNU Parallel:


 * Give a demo at your local user group/team/colleagues
 * Post the intro videos on Reddit/Diaspora*/forums/blogs/
   Identi.ca/Google+/Twitter/Facebook/Linkedin/mailing lists
 * Get the merchandise https://gnuparallel.threadless.com/designs/gnu-parallel
 * Request or write a review for your favourite blog or magazine
 * Request or build a package for your favourite distribution (if it is not
   already there)
 * Invite me for your next conference

If you use programs that use GNU Parallel for research:


 * Please cite GNU Parallel in your publications (use --citation)

If GNU Parallel saves you money:


 * (Have your company) donate to FSF https://my.fsf.org/donate/


ABOUT GNU SQL

GNU sql aims to give a simple, unified interface for accessing databases through
all the different databases' command line clients. So far the focus has been on
giving a common way to specify login information (protocol, username, password,
hostname, and port number), size (database and table size), and running queries.


The database is addressed using a DBURL. If commands are left out you will get
that database's interactive shell.


When using GNU SQL for a publication please cite:


O. Tange (2011): GNU SQL - A Command Line Tool for Accessing Different Databases
Using DBURLs, ;login: The USENIX Magazine, April 2011:29-32.



ABOUT GNU NICELOAD

GNU niceload slows down a program when the computer load average (or other
system activity) is above a certain limit. When the limit is reached the program
will be suspended for some time. If the limit is a soft limit the program will
be allowed to run for short amounts of time before being suspended again. If the
limit is a hard limit the program will only be allowed to run when the system is
below the limit.


January 22, 2020 05:57 PM


BREACHEXCHANGE

HANNA ANDERSSON DATA BREACH: HACKERS COMPROMISE WEBSITE OF CHILDREN'S CLOTHIER

Posted by Destry Winant on Jan 22

https://www.securityweek.com/hanna-andersson-data-breach-hackers-compromise-website-childrens-clothier

Portland, Oregon-based children's clothing maker Hanna Andersson has
quietly disclosed a breach to affected customers. Very few details of
the breach have been made public.

The letter, obtained by SecurityWeek, has been sent via postal mail
and explains that a third party had gained unauthorized access to
customer information entered...


January 22, 2020 03:57 PM

MITSUBISHI ELECTRIC BLAMES ANTI-VIRUS BUG FOR DATA BREACH

Posted by Destry Winant on Jan 22

https://www.databreachtoday.com/mitsubishi-electric-blames-anti-virus-bug-for-data-breach-a-13628

Mitsubishi Electric says hackers exploited a zero-day vulnerability in
its anti-virus software, prior to the vendor patching the flaw, and
potentially stole trade secrets and employee data.

The Japanese multinational firm's Monday announcement arrives more
than six months after the company says it first detected the breach on
June 28, 2019....


January 22, 2020 03:56 PM

TO FEND OFF ATTACKS, CISOS SHARE THREAT INFORMATION. EVEN WITH COMPETITORS

Posted by Destry Winant on Jan 22

https://www.ciodive.com/news/infosec-cybersecurity-threat-CISO/570594/

NEW YORK — After a data breach, companies have to clean up their mess,
pay settlements, and restore customers' trust.

But if a company is as popular as Target is, shoppers remain loyal.

Target's 2013 data breach wasn't the first major data breach, but it
was "significant" because it introduced a new threat to retail, said
Rich Agostino, SVP and...


January 22, 2020 03:56 PM

REGUS SUFFERS STAFF DATA BREACH VIA THIRD PARTY

Posted by Destry Winant on Jan 22

https://www.scmagazineuk.com/regus-suffers-staff-data-breach-via-third-party/article/1671432

Serviced offices and co-working space provider Regus has suffered a
data breach that saw job performance data on more than 900 employees
of Regus owner IWG published online.

The incident occurred after IWG commissioned mystery shopping business
Applause to audit sales staff performance using covert filming.
However, the results - listing names, work...


January 22, 2020 03:56 PM


OPEN SOURCE SECURITY

RE: CVE-2020-7040: STOREBACKUP: DENIAL OF SERVICE AND SYMLINK ATTACK VECTOR VIA
FIXED LOCKFILE PATH /TMP/STOREBACKUP.LOCK

Posted by Matthias Gerstner on Jan 22

Hello,

I have heard back from the author and he told me that storebackup.org
never was owned by him, but created by some user of storeBackup, and by
now is completely unrelated to the software. He wants to remove any
reference to the URL from his documentation.

The official upstream website is on GNU Savannah [1].

[1]: https://savannah.nongnu.org/projects/storebackup

Cheers

Matthias


January 22, 2020 01:24 PM


BUGTRAQ

SEC CONSULT SA-20200122-0 :: REFLECTED XSS IN ZOHO MANAGEENGINE SERVICEDESKPLUS

Posted by SEC Consult Vulnerability Lab on Jan 22

SEC Consult Vulnerability Lab Security Advisory < 20200122-0 >
=======================================================================
title: Reflected XSS
product: ZOHO ManageEngine ServiceDeskPlus
vulnerable version: <= 11.0 Build 11007
fixed version: 11.0 Build 11010
CVE number: CVE-2020-6843
impact: medium
homepage: https://www.manageengine.com/products/service-desk/...


January 22, 2020 01:12 PM


OPEN SOURCE SECURITY

RE: CVE-2020-7040: STOREBACKUP: DENIAL OF SERVICE AND SYMLINK ATTACK VECTOR VIA
FIXED LOCKFILE PATH /TMP/STOREBACKUP.LOCK

Posted by Matthias Gerstner on Jan 22

Hi Nick,

Hmm I never bothered to look deeper into the website but now that you're
pointing to it, it looks strange. I can give the upstream author a hint,
to check up on his website.

This storeBackup project is near-dead anyways, sadly. There seem to be
some die hard fans out there that use it, but the author only manages to
send out one email roughly every week. There seems to be no code
repository for it so we're getting tarballs -...


January 22, 2020 12:53 PM


BRUCE SCHNEIER

HALF A MILLION IOT DEVICE PASSWORDS PUBLISHED

It's a list of easy-to-guess passwords for IoT devices on the Internet as
recently as last October and November. Useful for anyone putting together a bot
network:

> A hacker has published this week a massive list of Telnet credentials for more
> than 515,000 servers, home routers, and IoT (Internet of Things) "smart"
> devices.
> 
> The list, which was published on a popular hacking forum, includes each
> device's IP address, along with a username and password for the Telnet
> service, a remote access protocol that can be used to control devices over the
> internet.
> 
> According to experts to whom ZDNet spoke this week, and a statement from the
> leaker himself, the list was compiled by scanning the entire internet for
> devices that were exposing their Telnet port. The hacker then tried using (1)
> factory-set default usernames and passwords, or (2) custom, but easy-to-guess
> password combinations.

by Bruce Schneier at January 22, 2020 12:09 PM


FULL DISCLOSURE

SEC CONSULT SA-20200122-0 :: REFLECTED XSS IN ZOHO MANAGEENGINE SERVICEDESKPLUS

Posted by SEC Consult Vulnerability Lab on Jan 22

SEC Consult Vulnerability Lab Security Advisory < 20200122-0 >
=======================================================================
title: Reflected XSS
product: ZOHO ManageEngine ServiceDeskPlus
vulnerable version: <= 11.0 Build 11007
fixed version: 11.0 Build 11010
CVE number: CVE-2020-6843
impact: medium
homepage: https://www.manageengine.com/products/service-desk/...


January 22, 2020 11:09 AM


BUGTRAQ

[REVIVE-SA-2020-001] REVIVE ADSERVER VULNERABILITY

Posted by Matteo Beccati on Jan 21

========================================================================
Revive Adserver Security Advisory REVIVE-SA-2020-001
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2020-001
------------------------------------------------------------------------
CVE-IDs: t.b.a.
Date: 2020-01-21
Risk Level: Low...


January 22, 2020 07:10 AM

[SECURITY] [DSA 4608-1] TIFF SECURITY UPDATE

Posted by Moritz Muehlenhoff on Jan 21

-------------------------------------------------------------------------
Debian Security Advisory DSA-4608-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
January 21, 2020 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : tiff
CVE ID : CVE-2019-14973 CVE-2019-17546...


January 22, 2020 07:06 AM


OPEN SOURCE SECURITY

PLONE SECURITY HOTFIX 20200121

Posted by Maurits van Rees on Jan 21

A Plone security hotfix was released today.

CVE numbers: not yet issued. We will request them shortly from mitre.org.

Versions Affected: All supported Plone versions (4.3.15 and any earlier
4.x version, 5.2.1 and any earlier 5.x version). Previous versions could
be affected but have not been tested.

Versions Not Affected: None.

Nature of vulnerability:

The patch addresses several security issues:

- Privilege escalation when plone.restapi is...


January 22, 2020 05:28 AM


JANUARY 21, 2020


BRUCE SCHNEIER

BRAZIL CHARGES GLENN GREENWALD WITH CYBERCRIMES

Glenn Greenwald has been charged with cybercrimes in Brazil, stemming from
publishing information and documents that were embarrassing to the government.
The charges are that he actively helped the people who actually did the hacking:

> Citing intercepted messages between Mr. Greenwald and the hackers, prosecutors
> say the journalist played a "clear role in facilitating the commission of a
> crime."
> 
> For instance, prosecutors contend that Mr. Greenwald encouraged the hackers to
> delete archives that had already been shared with The Intercept Brasil, in
> order to cover their tracks.
> 
> Prosecutors also say that Mr. Greenwald was communicating with the hackers
> while they were actively monitoring private chats on Telegram, a messaging
> app. The complaint charged six other individuals, including four who were
> detained last year in connection with the cellphone hacking.

This isn't new, or unique to Brazil. Last year, Julian Assange was charged by
the US with doing essentially the same thing with Chelsea Manning:

> The indictment alleges that in March 2010, Assange engaged in a conspiracy
> with Chelsea Manning, a former intelligence analyst in the U.S. Army, to
> assist Manning in cracking a password stored on U.S. Department of Defense
> computers connected to the Secret Internet Protocol Network (SIPRNet), a U.S.
> government network used for classified documents and communications. Manning,
> who had access to the computers in connection with her duties as an
> intelligence analyst, was using the computers to download classified records
> to transmit to WikiLeaks. Cracking the password would have allowed Manning to
> log on to the computers under a username that did not belong to her. Such a
> deceptive measure would have made it more difficult for investigators to
> determine the source of the illegal disclosures.
> 
> During the conspiracy, Manning and Assange engaged in real-time discussions
> regarding Manning's transmission of classified records to Assange. The
> discussions also reflect Assange actively encouraging Manning to provide more
> information. During an exchange, Manning told Assange that "after this upload,
> that's all I really have got left." To which Assange replied, "curious eyes
> never run dry in my experience."

Good commentary on the Assange case here.

It's too early for any commentary on the Greenwald case. Lots of news articles
are essentially saying the same thing. I'll post more news when there is some.


by Bruce Schneier at January 21, 2020 09:23 PM


OPEN SOURCE SECURITY

RE: CVE-2020-7040: STOREBACKUP: DENIAL OF SERVICE AND SYMLINK ATTACK VECTOR VIA
FIXED LOCKFILE PATH /TMP/STOREBACKUP.LOCK

Posted by Nick Boyce on Jan 21

[...]

Er ... when I looked just now, the page at that URL began:

and continued:

In "the world of IT" we are instantly wondering who exactly has
written this webpage about a backup utility .... Should we tell the
site owner his site may have been stolen?

Matthias ?

Cheers,
Nick


January 21, 2020 09:18 PM


TOR PROJECT

TOR'S BUG SMASH FUND: PROGRESS SO FAR

al January 21, 2020

At the beginning of August 2019, we asked you to help us build our very first
Bug Smash Fund. This fund will ensure that the Tor Project has a healthy reserve
earmarked for maintenance work and smashing the bugs necessary to keep Tor
Browser, the Tor network, and the many tools that rely on Tor strong, safe, and
running smoothly. Together we raised $86,081.

We want to share an update on some of the work the Bug Smash Fund has made
possible.

So far, we’ve marked 77 tickets with BugSmashFund. As of today, 56 of those
tickets have been closed, and 21 of them are still in progress. With this
reserve, we’ve been able to fix bugs and complete necessary maintenance on core
tor, bridgedb, Snowflake, and Metrics, as well as complete the Tor Browser ESR
68 migration. Roughly half of the Bug Smash Fund remains available for
allocation, and we will continue to tag relevant maintenance work and bug fixing
tickets that will be covered with this reserve. Thanks for supporting this work!

Below is a full list of the tickets we’ve closed so far.


TOR BROWSER – ESR MIGRATION

Tor Browser is built on the Firefox Extended Support Release (ESR). When a new
ESR is available, we migrate Tor Browser (both desktop and Android), which
requires significant attention from the Tor Browser team. The Bug Smash Fund
covered the following tickets associated with the ESR 68 migration completed in
late 2019.

 * 21549  Investigate wasm for linkability/fingerprintability/disk avoidance
   issues

 * 26345  Disable tracking protection UI in FF67-esr

 * 28822  re-implement desktop onboarding for ESR 68

 * 30304  Browser locale can be obtained via DTD strings

 * 30429  Rebase Tor Browser patches for Firefox ESR 68

 * 30460  Update TOPL Project to Use Android Toolchain (Firefox 68)

 * 30463  Make sure telemetry reporting is disabled in Tor Browser 9

 * 30504  Investigate if New Identity works properly after moving to ESR 68

 * 30662  Make sure about:newtab is blank

 * 30665  Get Firefox 68 ESR Working with latest android toolchain

 * 30846  Audit activity-stream for network requests

 * 31065  Set network.proxy.allow_hijacking_localhost to true

 * 31192  TBA - Support x86_64 target

 * 31286  Include bridge configuration into about:preferences

 * 31308  Sync mozconfig files used in tor-browser over to tor-browser-build for
   esr68

 * 31448  gold and lld break linking 32bit Linux bundles we need to resort to
   bfd

 * 31450  Still use GCC for 64bit Linux debug builds after switch to 68 ESR

 * 31457  disable per-installation profiles

 * 31607  App menu items stop working


ANTI-CENSORSHIP

Bridges are Tor relays that help people circumvent censorship against the Tor
network. For several reasons, people may want to ask for a bridge via email, and
for these circumstances, we have the bridges@torproject.org distribution method.
When somebody emails bridges@torproject.org from a riseup or Gmail account, the
account replies with a bridge. The Bug Smash Fund helped fix bugs related to
this mechanism.

Snowflake is a new system to defeat censorship. The Bug Smash Fund also helped
us to work on a spec that will contribute to the process of collecting metrics
on Snowflake.

 * 32105  bridges@torproject.org don't respond

 * 31407  Create a broker spec for metrics collection


CORE TOR

The Bug Smash Fund has helped the Network team to fix many bugs—from circuit
padding to onion services to documentation—as well as backport many previous bug
fixes.

 * 25568  hs: Lookup failure cache when introducing to an intro point

 * 27992  config DataDirectoryGroupReadable 1 is overridden if you set KeyDir ==
   DataDir

 * 30344  conn_read_callback is called on connections that are marked for closed

 * 30916  assert in dimap_add_entry()

 * 31107  channel: channel_tls_handle_cell() CELL_VERSIONS code reached

 * 31111  Properly support two padding machines per circuit

 * 31189  potential docs update needed for GuardLifetime?

 * 31408  torrc : ClientOnionAuthDir after include directives breaks client to
   v2 services

 * 31466  Consider demoting ".exit is disabled" log message to info

 * 31570  INTERNAL ERROR: raw assertion failed (core dump) in termux

 * 31571  Add the tor version and a newline to raw_assert()

 * 31615  Reorder the early subsystems based on their dependencies

 * 31657  Rephrase "missing descriptors" notice log to be less confusing

 * 31687  FreeBSD compilation warns with Tor 0.4.1.5

 * 31696  Assertion failure in map-anon.c:218

 * 31734  Add accessor functions for cb_buf, which enforce locking and unlocking

 * 31793  Bug: tor_addr_is_internal() called from
   src/feature/dirauth/process_descs.c:447 with a non-IP address of type 0

 * 31807  Update outdated documentation note for "bridge-distribution"

 * 31825  Use the full name of optional modules, rather than an abbreviation

 * 31837  Make test_rebind.py more robust

 * 31841  test addr/parse takes a long time on master on some machines

 * 31884  Define ExecuteBash in the Appveyor error block

 * 31897  util/map_anon_nofork test fails on SunOS

 * 31939  log spam: Bug: buffers_tls.c:73: buf_read_from_tls: Non-fatal
   assertion !(buf->datalen >= INT_MAX - at_most) failed.

 * 32058  mainloop: make periodic events restartable

 * 32060  CID 1454761: wrong type passed to unlock_cb_buf()?

 * 32108  tor can overrun its accountingmax if it enters soft hibernation first

 * 32124  Interpret --disable-module-dirauth=no correctly

 * 32191  when cross-compiling, lzma and zstd will be detected on build system

 * 32196  cmux: Implement unit tests

 * 32338  Warn about more relative file paths when validating options

 * 32352  Stop adding a space when dumping an empty config value

 * 32463  TypeError in practracker "includes.py" script


METRICS

This fund made it possible for the Metrics team to improve tooling, as well as
fix a bug in the Tor network data collecting service, CollecTor.

 * 31398  Add all metrics master branches to GitLab's CI

 * 31558  Process bridge pool assignments again

Thank you to everybody who made a contribution to the Bug Smash Fund. This work
is critical in helping us to provide safer tools for millions of people around
the world exercising their human rights to privacy and freedom online.

If you’d like to make a contribution to the Bug Smash Fund, you can do so by
making a gift at donate.torproject.org: just add “Bug Smash Fund” into the
comment field, and we’ll make sure it’s directed to the right place.

by al at January 21, 2020 06:53 PM


FULL DISCLOSURE

CAROLINACON CFP

Posted by CarolinaCon on Jan 21

CarolinaCon16 will be hosted in Charlotte, North Carolina at the Embassy
Suites, April 10th through the 11th. All interested in speaking in the
realm of hacking, technology, science, robotics or any other related
field are invited to submit a proposal to speak at the Con. A proposal
should include the following:

* Name or handle/alias
* Presentation name
* A brief abstract, 1-2 paragraphs
* An estimated time-length of your...


January 21, 2020 06:24 PM

[REVIVE-SA-2020-001] REVIVE ADSERVER VULNERABILITY

Posted by Matteo Beccati via Fulldisclosure on Jan 21

========================================================================
Revive Adserver Security Advisory REVIVE-SA-2020-001
------------------------------------------------------------------------
https://www.revive-adserver.com/security/revive-sa-2020-001
------------------------------------------------------------------------
CVE-IDs: t.b.a.
Date: 2020-01-21
Risk Level: Low...


January 21, 2020 06:23 PM

NEOWISE CARBONFTP V1.4 / INSECURE PROPRIETARY PASSWORD ENCRYPTION /
CVE-2020-6857

Posted by hyp3rlinx on Jan 21

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/NEOWISE-CARBONFTP-v1.4-INSECURE-PROPRIETARY-PASSWORD-ENCRYPTION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.neowise.com

[Product]
CarbonFTP v1.4

CarbonFTP is a file synchronization tool that enables you to synch local
files with a remote FTP server and vice versa.
It provides a step-by-step...


January 21, 2020 06:22 PM


OPEN SOURCE SECURITY

CVE-2019-20384: PORTAGE INSECURE TEMPORARY LOCATION

Posted by Michael Orlitzky on Jan 21

Product: Gentoo portage package manager
Versions-affected: 2.3.84 and earlier (all versions)
Author: Michael Orlitzky
Bug-report: https://bugs.gentoo.org/692492

== Summary ==

The Gentoo portage package manager builds packages in a temporary
location. By default, that temporary location is accessible to
unprivileged users even though the build essentially takes place as
root. In some common situations (during reinstalls, for example), this...


January 21, 2020 06:18 PM


BREACHEXCHANGE

TRAVELEX RANSOM DEMAND IS DOUBLED

Posted by Destry Winant on Jan 21

https://www.cybersecurityintelligence.com/blog/travelex-ransom-demand-is-doubled-4743.html

Malicious hackers are holding Travelex to ransom and the original
demand for payment of $3m to re-start the company's online systems
has now been doubled to $6m. Two weeks after the enormous Travelex cyber
hack, banks that use Travelex for their foreign exchange services still
cannot sell travel money. The affected banks include Lloyds,
Barclays, and RBS....


January 21, 2020 03:32 PM


SUBSCRIPTIONS

 * BreachExchange
 * Bruce Schneier
 * Bugtraq
 * Daily Dave
 * Debian news
 * Debian security
 * Full Disclosure
 * Interesting People
 * Krebs on Security
 * Nmap
 * Open Source Security
 * Open Source Security
 * PaulDotCom
 * Penetration Testing
 * Planet GNU
 * Planet Gentoo
 * RISKS
 * SecuringHardware.com
 * Tor Project
 * Web App Security
 * bunnie | Andrew Huang
 * dustri.org
 * nostarch

Last updated:
January 26, 2020 03:47 PM
All times are UTC.
