Thursday, 15 March 2018

Terminus - A Web Technology Based Modern Terminal

ostechnix: Terminus - A cross-platform, open source, web technology based terminal for the modern age, inspired by Hyper.

Read the full article here by Linux Today

Wednesday, 14 March 2018

Raspberry Pi Gets Faster CPU and Better Networking in the New Model 3 B+

Google and Ubisoft Are Teaming Up To Improve Online Multi-Player Video Games

Google and Ubisoft announced on Tuesday they have a new project intended to improve the performance of fast-paced, online multi-player video games. From a report: The search giant said it teamed with Ubisoft -- the publisher of popular video games like Assassin's Creed and Far Cry -- to create a gaming developer framework intended for coders that work on online video games. The project is called Agones, which is Greek for "contest" or "gathering," and it will be available as open source, meaning developers can use it for free and also contribute to the underlying technology. Google pitches Agones as a more cutting-edge way for developers to build multi-player games that don't crash or stutter when thousands of video gamers play at the same time. Each time people want to play their favorite first-person shooter or other computer resource-heavy online video game with others, the underlying infrastructure that powers the online video game must create a special gaming server that hosts the players. The Agones framework was designed to more efficiently distribute the computing resources necessary to support each online gaming match, thus reducing the complexity of creating each special server while helping coders better track how the computing resources are being used.
Read the full article here by Slashdot

DragonFFI Lets You Call C Functions From Any Language

DragonFFI is a foreign function interface (FFI) built on the LLVM and Clang compiler stack. It provides a library for calling C functions and working with C data structures from any other programming language.

At this stage DragonFFI supports Python 2 and Python 3 from Linux/macOS and Python 3 on Windows. The DragonFFI implementation is designed to overcome shortcomings of other FFI implementations like libffi and cffi by its use of LLVM/Clang. This work also includes supporting on-the-fly compilation of C functions.

Moving forward, they are looking at adding another foreign language interface, with JavaScript and Ruby being the two mentioned contenders. The lead developer also talks of possibly JIT'ing code from the target language to native function code in the future.

Those wanting to learn more about DragonFFI can do so via this LLVM blog post. The code to DragonFFI is currently hosted on
Read the full article here by Phoronix

Let’s Encrypt takes free “wildcard” certificates live

Tuesday, 13 March 2018

13 Major Vulnerabilities Discovered in AMD Zen Architecture, Including Backdoors

Security researchers with Israel-based CTS-Labs have discovered a staggering thirteen critical security vulnerabilities in AMD's "Zen" CPU microarchitecture, which they describe as being as damning as the recent "Meltdown" and "Spectre" vulnerabilities that affect various CPU manufacturers to varying degrees (Intel, AMD, and ARM). The thirteen new CVEs are broadly classified into four groups based on the similarity in function of the processor component that they exploit: "Ryzenfall," "Masterkey," "Fallout," and "Chimera."

The researchers "believe that networks that contain AMD computers are at a considerable risk," and that malware can "survive computer reboots and re-installations of the operating system, while remaining virtually undetectable by most endpoint security solutions," such as antivirus software. They also mention that in their opinion, "the basic nature of some of these vulnerabilities amounts to complete disregard of fundamental security principles. This raises concerning questions regarding security practices, auditing, and quality controls at AMD."

1. "Masterkey": This is an exploit of the Secure Boot feature, which checks if nothing has been tampered with on your machine while it was powered down (i.e. changes in firmware, hardware, or the last software state before shutdown). The Masterkey vulnerability gets around this environment integrity check by using an infected system BIOS, which can be flashed even from within Windows (with administrative privileges). Theoretically, Secure Boot should validate the integrity of the BIOS, but apparently this can be bypassed, exploiting bugs in the Secure Processor's metadata parsing. Once the BIOS signature is out of the way, you can put pretty much any ARM Cortex A5 compatible code into the modified BIOS, which will then execute inside the ARM-based Secure Processor - undetectable to any antivirus software running on the main CPU, because the antivirus software running on the CPU has no way to scan inside the Secure Processor.

2. "Ryzenfall" is a class of vulnerabilities targeting the Secure Processor, which lets well-designed malware stash its code into the Secure Processor of a running system, to be executed for the remainder of the system's up-time. Again, this attack requires administrative privileges on the host machine, but it can be performed in real time, on the running system, without modifying the firmware. The Secure Processor uses system RAM in addition to its own in-silicon memory on the processor die. While this part of memory is fenced off from access by the CPU, bugs exist that can punch holes into that protection. Code running on the Secure Processor has complete access to the system; Microsoft Virtualization-based Security (VBS) can be bypassed and additional malware can be placed into system management storage, where it can't be detected by traditional antivirus software. Windows Defender Credential Guard, a component that stores and authenticates passwords and other secure functions on the machine, can also be bypassed, and the malware can spread over the network to other machines, or the firmware can be modified to exploit "Masterkey", which persists through reboots, undetected.

3. "Fallout": This class of vulnerabilities affects only AMD EPYC servers. It requires admin privileges like the other exploits, and has similar effects. It enables an attacker to gain access to memory regions like Windows Isolated User Mode / Kernel Mode (VTL1) and Secure Management RAM of the CPU (which are not accessible, even with administrative privileges). Risks are the same as "Ryzenfall", the attack vector is just different.

4. "Chimera": This class of vulnerabilities is an exploitation of the motherboard chipset (e.g. X370, also known as Promontory). AMD outsourced the design of its Ryzen chipsets to Taiwanese ASMedia, which is a subsidiary of ASUS. You might know the company from the third-party USB 3.0 and legacy PCI chips on many motherboards. The company has been fined for lax security practices in the past, and numerous issues were found in its earlier controller chips. For the AMD chipset, it looks like they just copy-pasted a lot of code and design, including vulnerabilities. The chipset runs its own code that tells it what to do, and here's the problem: apparently a backdoor has been implemented that gives any attacker knowing the right passcode full access to the chipset, including arbitrary code execution inside the chipset. This code can then use the system's DMA (direct memory access) engine to read/write system memory, which allows malware injection into the OS. To exploit this attack vector, administrative privileges are required. Whether DMA can access the fenced-off memory portions of the Secure Processor, to additionally attack the Secure Processor through this vulnerability, is not fully confirmed; however, the researchers verified it works on a small number of desktop boards. Your keyboard, mouse, and network controllers, wired or wireless, are all connected to the chipset, which opens up various other attack mechanisms like keyloggers (that send off their logs by directly accessing the network controller without the CPU/OS ever knowing about these packets), or logging all interesting network traffic, even if its destination is another machine on the same Ethernet segment. As far as we know, the tiny 8-pin serial ROM chip is connected to the CPU on the AMD Ryzen platform, not to the chipset or LPCIO controller, so infecting the firmware might not be possible with this approach.
A second backdoor was found that is implemented in the physical chip design, so it can't be mitigated by a software update, and the researchers hint at the requirement for a recall.

AMD's Vega GPUs use an implementation of the Secure Processor, too, so it is very likely that Vega is affected in a similar way. An attacker could infect the GPU, and then use DMA to access the rest of the system through the attacks mentioned above.

The researchers have set up a website to chronicle these findings, and to publish detailed whitepapers in the near future.

AMD provided us with the following statement: "At AMD, security is a top priority and we are continually working to ensure the safety of our users as new risks arise. We are investigating this report, which we just received, to understand the methodology and merit of the findings."

Source: Many Thanks to Earthdog for the tip

Read the full article here by techPowerUp!

F1 Live OTT platform to feature 24 live streams – “Pretty Insane”

More details have emerged about the new F1 Live OTT platform, as outlined by F1’s head of marketing Ellie Norman, who describes the boldness of the project as ‘pretty insane’.

Typing the words ‘F1’s head of marketing’ still feels slightly strange, seeing as for decades it was the only global Tier 1 sport that did not even have a marketing department, let alone a head.

Bernie Ecclestone used to rely on manufacturers, race promoters and sponsors to market the sport of Formula 1 for him. This kept the overheads down on the F1 Management side, while Ecclestone gleefully whipped up regular media attention by lobbing in regular hand grenades, which the newspapers gratefully jumped on.

Now it’s all rather different, although the infrastructure to make the new F1 Live OTT platform was all put in place by Ecclestone. He just chose not to use it for that, as he was all about protecting the rights of his broadcast partners.

Norman was previously at cable TV supplier Virgin Media and believes that the nature of the modern consumer who has a passion point is “… that passion tends to overrule the rational side of things; it is not uncommon if you have a pay TV bundle that you will have one or two of the top subscriptions. I think that with consumer behaviour and the desire to buy things you love, consumers are making that choice. If you are interested you will pay.”

That is the calculation: of the potential audience for F1, identified at 500 million sports fans around the world, even if 1% of them paid their $8 a month for the OTT service, that would yield $40m a month, or almost half a billion dollars a year.

There is also the opportunity to upsell the packages in future; a Lewis Hamilton fan in Delhi could access more rich content about Hamilton and he could take a revenue share. There is also great value to F1 and its partners from the data that would be gathered about the consumers.

But for now it’s all about going direct to the fans and to make the fans’ access to F1 as frictionless as possible.

“Everyone is offering fans more direct access, we are incredibly fortunate with the access that we have through our sport,” Norman said in an interview with digital media title The Drum. “We are going direct to the fan so we are then able to give them the best experience possible,” she told The Drum. “There is nowhere else out there with 24 livestreams coming into the app and that is pretty insane – I don’t think that has been done before.”

“It is a very strategic sport and for that hardcore fan, they really understand the excitement but the strategic elements, having the ability to personalise how you watch it and being able to select favourite drivers and view that side by side, these are all elements where we can better serve our fans.”

The F1 OTT service will be rolled out in about two dozen countries, including USA, France, Germany and some Latin American markets – those where F1 has not ceded the digital rights to TV broadcast partners. That is the case in UK and Italy where Sky has the rights. F1 is talking to Sky about bundling the OTT rights.

What do you think of the F1 OTT platform and if you live in an eligible country, will you buy it? Leave your comments below

Read the full article here by James Allen on F1 - The official website

Tuesday, 6 March 2018

A few things I've learned about computer networking

Somebody asked a few months ago “hey, what’s the best way to understand computer networking?”. I don’t really know how to answer this question – I’ve learned a lot of the things I know at work, and I think picking up new things when I need them has been fine.

But I thought it could maybe be useful to list a bunch of concrete skills and concepts I’ve learned along the way. Like anything else, “computer networking” involves a large number of different concepts and skills and tools and I’ve learned them all one at a time. I picked most of these things up over the last 4 years.

  • How to set up an Apache web server by copying and pasting things from the internet. (pre-2010)
  • What an HTTP request looks like (GET, POST, etc). How to use curl to send GET and POST requests. (2010?)
  • How to send an HTTP request by hand with netcat (2013)
  • how to do ARP spoofing (and what ARP is)
  • What a MAC address is and how packets are addressed to a MAC address on a local network
  • How traceroute works (which involves learning the basics of how the IP protocol works and what a TTL is)
  • What a network packet is, how to look at a networking packet with Wireshark
  • The basics of how TCP works (for example by looking at an http request with wireshark, and by building a tcp stack in Python). Key things: what’s a SYN packet?
  • how DNS works (like, what’s an A record, what’s a CNAME record, what does a DNS query look like – wireshark is good here too).
  • More HTTP (like cache headers and how they interact with CDNs). More about what CDNs are for
  • MTU exists and can cause networking issues
  • Having badly tuned TCP connection settings (like TCP_NODELAY) can cause noticeable networking performance issues (why you should understand (a little) about TCP) (2015)
  • HTTP security headers like CORS
  • What “SNI” means
  • how to use tcpdump to debug firewall issues (2016)
  • how to capture packets with tcpdump in somewhat weird ways (for instance “only this very specific kind of DNS response”)
  • “can reliably use tcpdump without reading the man page”
  • SSL/TLS: what’s a SSL cert? how do I get one issued? how is a SSL cert put together? (tools: openssl x509). here’s a blog post about TLS
  • more advanced HTTP+SSL stuff, like the Strict-Transport-Security header
  • very basic understanding of what BGP is and how packets get routed on the internet
  • slightly more advanced DNS (what’s an authoritative dns server, what’s a recursive dns server)
  • a vague understanding of how the linux networking stack handles packets, like – do packets get sent to tcpdump before or after routing? (after!)
  • how to slow down my internet on purpose with tc
  • how to set up NAT rules with iptables
  • how to inspect a route table with iproute2
  • container/docker networking (network namespaces, route tables) (2017)

tools I’ve found useful

Per this tweet:

  • ping (are these computer connected??)
  • whois (is this domain registered)
  • ssh
  • curl (for making HTTP requests)
  • tcpdump (record packets! check for traffic on a port!)
  • dig/nslookup (debugging DNS issues)
  • netstat/ss (is that port being used?)
  • ifconfig (what’s my IP address?)
  • iproute2 (that is, the ip command. replacement for ifconfig. very useful.)
  • wireshark (look at packets with a GUI)
  • ngrep (grep for your network)
  • iptables
  • socat (connect a unix domain socket to a tcp socket)
  • nsenter for debugging container networking problems

learning takes a lot of time

I spend a fair amount of time trying to learn new computer things. I’ve found it really useful to take it one step at a time – my learning process with a lot of this stuff is basically

  • identify something small I don’t know (how to, from the command line, check the expiration date on's TLS certificate)
  • figure it out (sometimes with help from my great coworkers)
  • repeat

That’s all! It’s really fun to see how learning a bunch of tiny things adds up over time. Like today I feel like I can handle most things about computer networking that I run into in my job, and I don’t feel like there are that many Big New Ideas about networking I don’t know about. (though, well, wifi is still a mystery to me :) )

Read the full article here by Julia Evans

Monday, 5 March 2018

Namespace Land Rush

You can also just mash the keyboard at random, but you might end up with a gibberish name no one can pronounce.

Read the full article here by

Intel MKTME Support Being Prepped For The Linux Kernel: Total Memory Encryption

Intel developers are working on bringing transparent memory encryption support to the Linux kernel that works in conjunction with upcoming Intel platforms.

AMD's current EPYC and Ryzen Pro processors feature Secure Memory Encryption (SME), while Intel is working on a roughly similar feature for upcoming CPUs with Total Memory Encryption (TME) along with MKTME, or Multi-Key Total Memory Encryption.

MKTME is built on top of TME. TME allows encryption of the entirety of system memory using a single key. MKTME allows multiple encryption domains, each with its own key -- different memory pages can be encrypted with different keys.

Key design points of Intel MKTME:

- The initial HW implementation would support up to 63 keys (plus one default TME key). But the number of keys may be as low as 3, depending on SKU and BIOS settings.

Kirill Shutemov of Intel Finland today sent out the initial kernel patches for this TME/MKTME kernel support code. In its present form it is just over 500 lines of code to take advantage of this hardware-based transparent memory encryption for future Intel CPUs.

Read the full article here by Phoronix

Sunday, 4 March 2018

Chrome's WebUSB Feature Leaves Some Yubikeys Vulnerable to Attack

There's no better way to protect yourself from the universal scourge of phishing attacks than with a hardware token like a Yubikey, which stymies attackers even if you accidentally hand them your username and password. But while Yubikey manufacturer Yubico describes its product as "unphishable," a pair of researchers has proven the company wrong, with a technique that allows clever phishers to sidestep even Yubico's last bastion of login protection.

Two weeks ago, in a little-noticed presentation at the Offensive Con security conference in Berlin, security researchers Markus Vervier and Michele Orrù detailed a method that exploits a new and obscure feature of Google's Chrome browser to potentially bypass the account protections of any victim using the Yubikey Neo, one of the most popular of the so-called Universal Two-Factor, or U2F, tokens that security experts recommend as the strongest form of protection against phishing attacks.

With a sufficiently convincing phishing site and a feature in Chrome known as WebUSB, a hacker could both trick a victim into typing in their username and password—as with all phishing schemes—and then also send a query directly from their malicious website to the victim's Yubikey, using the response it provides to unlock that person's account. (A disclaimer: WIRED partners with Yubico to give free Yubikeys to subscribers. According to Vervier and Orrù, the model WIRED offers is not susceptible to their attack.)

Vervier and Orrù, who work for the security consultancy X41, are careful to note that their technique doesn't demonstrate a flaw in Yubico's products so much as a very unintended byproduct of Chrome's WebUSB feature, which the browser added just last year. "U2F is technically not broken, but it’s still phishable, which many people thought was impossible," says Vervier. "It’s a great example of how new interfaces allow ways to attack technology that were believed to be unbreakable."

When WIRED reached out to Google, security product manager Christian Brand responded that the company became aware of the researchers' attack after their Offensive Con presentation. While Google considers the attack an edge case, the company is working with U2F standards body the FIDO Alliance to fix the problem. "We are always appreciative of researchers’ work to help protect our users," Brand wrote in a statement. "We will have a short term mitigation in place in the upcoming version of Chrome, and we're working closely with the FIDO Alliance to develop a longer-term solution as well. We aren’t aware of any evidence that the vulnerability has been exploited."

Beware WebUSB

Let's be clear: Vervier and Orrù's findings don't change the fact that adding two-factor authentication remains one of the most basic and crucial steps to protecting your sensitive accounts, and a U2F token like a Yubikey is the most secure form of that protection you can use. Even two-factor authentication methods like text messages or Google Authenticator still rely on temporary codes that the user enters when they log in; a convincing phishing site can simply trick you into handing over those codes along with your username and password. A U2F token like the Yubikey instead performs an authentication handshake with a website that not only proves to a website that it's your unique key, but requires that the website prove its identity too, preventing lookalike sites from stealing credentials.

But a crack in those safeguards may have appeared last year when Chrome added WebUSB, a feature that allows websites to directly connect to USB devices, from VR headsets to 3-D printers. Vervier and Orrù found that they could code a website to connect to the Yubikey Neo with that WebUSB feature, instead of with the usual Chrome API for U2F that it's designed to use. In doing so, they could circumvent the checks that the browser performs before querying the Yubikey—the checks that confirm that websites are the ones they claimed to be.

That could enable, the researchers warn, a "man-in-the-middle" attack. If a victim logs into a fake Google site, the phishing site passes on their username and password to the real Google login page. Then the spoofed site passes back Google's request for the user's U2F token and collects the Yubikey's unique answer, all via WebUSB. When that answer is then presented to the real Google site, the attackers gain access to the victim's account.

"The browser developers put a proper API in place that makes careful use of whatever U2F token is in the computer," says Joern Schneeweisz, a security researcher for Recurity Labs who reviewed Vervier and Orrù's findings. "And then they put in another feature that subverts all the security they'd put in place."

A Sophisticated Phish

The attack Vervier and Orrù imagine isn't exactly easy to pull off, and would likely only be used by sophisticated hackers targeting high-value accounts. Aside from first requiring that a phishing site trick a victim into typing in their username and password as usual, the phishing site would also have to ask the user's permission to enable WebUSB access to their Yubikey, and then tap the physical button on the key. But all of that could be achieved by phishers who trick users with a prompt requiring them to "update" their U2F token, or some other scam. After all, the only change from the usual login process would be that one added permissions prompt. "You could come up with a pretty plausible pretext," says Orrù. "The user only has to click once."

Vervier and Orrù note that their technique would only work with U2F keys that offer protocols for connecting to a browser other than the usual way U2F tokens communicate with a computer, known as the Human Interface Device or HID, which isn't vulnerable to the attack. The Yubikey Neo, for instance, can also connect via the CCID interface used by smartcard readers, offering another avenue of exploitation, but the Yubikey Nano, 4 Series, and the original, cheaper Yubikey aren't vulnerable, they say—nor, based on their testing, were the Feitian keys recommended by Google for its locked-down Advanced Protection setting.

"This sounds like an assumption was made by Chrome that all U2F is HID, which doesn't hold for the Neo, whereas Yubico made an assumption that USB will never be accessible by web pages directly," explains Jonathan Rudenberg, an independent security researcher who has focused on U2F implementations in the past. The combination of those two assumptions adds up to a significant security vulnerability.

A Larger Problem

A long-term fix could take the form of tweaks to Chrome to block WebUSB connections to certain devices like the Yubikey Neo. But the problem could go much further than Yubikeys alone, potentially exposing a whole new class of devices to unexpected interactions with websites. Vervier and Orrù say they believe smartcard authentication systems could also be vulnerable, for instance, though they haven't yet tested them.

"Google should have never shipped WebUSB in its current form," says Rudenberg. "Users cannot be expected to understand the security implications of exposing their USB devices to potentially malicious code...I don’t think this is the last time that we’ll see WebUSB used to break things." Rudenberg went so far as to quickly code a Chrome extension that disables WebUSB, which he recommends everyone install and use until they have a reason to enable the feature. Rudenberg says there's no other easy way to disable the feature.

When WIRED reached out to Yubico for comment, spokesperson Ronnie Manning essentially placed the blame on Google's browser. "Per the U2F protocol, the security key is not responsible for doing that verification" of the origin of authentication requests, Manning said in a statement. "In fact, they cannot do so effectively as they would have to rely on data passed by the browser, and if the browser is not trustworthy, neither is the data."

Manning also noted that Chrome could give users the option to turn off WebUSB, or blacklist vulnerable devices like the Yubikey Neo. But he adds that "unless such a blacklist is complete and perfect, issues like this are possible with the current WebUSB implementation."

As for Vervier and Orrù themselves, they say concerned Yubikey users should disable WebUSB, and that IT administrators should even consider setting a policy blocking it for all their employees. And they suggest a simpler solution, too: That users remain wary online, and think twice about where they enter their passwords. Despite Yubico's "unphishable" marketing, it's no substitute for some healthy skepticism.
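The policy-based block the researchers suggest for administrators, as an added example that is not part of the article: on Linux, Chrome reads managed policy files from /etc/opt/chrome/policies/managed/, and the policy names DefaultWebUsbGuardSetting (2 = no site may request a USB device, 3 = sites may ask) and WebUsbAskForUrls are taken from Chrome's enterprise policy list and assumed to be current; the allow-listed origin is a placeholder.

```json
{
  "DefaultWebUsbGuardSetting": 2,
  "WebUsbAskForUrls": [
    "https://device-portal.example"
  ]
}
```

With this in place, no page may prompt for WebUSB access except the one listed origin, so a phishing page never gets the permission prompt that the described relay depends on.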

Read the full article here by Wired Top Stories

Microsoft details steps being taken to address Spectre and Meltdown vulnerabilities

The Spectre and Meltdown vulnerabilities affected millions of processors around the world, and the "fixes" that followed compounded the problems, with reports of the patches bricking AMD PCs and Ubuntu systems, and causing major slowdowns. Intel even told customers to stop installing the patches due to 'unpredictable' reboot issues. In a new blog post, Microsoft provides an update on the state of the situation, and has some good news for Windows 10 users. John Cable, Director of Program Management, Windows Servicing…

Read the full article here by Betanews

GitHub survives massive DDoS attack relatively unscathed

GitHub, a web-based code distribution and version control service, survived a massive denial of service attack on Wednesday. According to a report at Wired, a staggering 1.35 terabits per second (Tbps) of traffic hit the site at once. Within 10 minutes the company called in Akamai's Prolexic, a DDoS mitigation service similar to Google's Project Shield, which took over to filter out the malicious traffic. The attack, says Wired, ended after eight minutes. This may have been the largest DDoS attack ever; Wired notes the attack on DNS provider Dyn in late 2016 reached 1.2 Tbps of traffic.

The attack was apparently conducted via a non-bot technique called an amplification attack. These use memcached database systems, says Wired, that are exposed to the internet and can be queried by anyone. Attackers spoof the IP of their target and send small requests to the memcached servers, which then send a massive amount of traffic to the target system, like GitHub in this case. The answer to shutting down attacks like these is twofold, says Wired: mitigation services like Prolexic can add filters to automatically block this sort of traffic, and owners of memcached databases can remove them from public access.
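Both halves of that twofold answer, as an added example that is not from the Wired or Engadget article: a detector that flags the reflection pattern in constructed flow records (UDP responses from port 11211 dwarfing the tiny requests that carry the victim's spoofed address), and a check that tells a memcached operator whether a given command line leaves UDP reachable from outside loopback. The flow format and the sample addresses are made up; the memcached flags -U (UDP port, 0 disables it) and -l (listen address) are real, and a missing -U is treated as UDP-enabled, which was the default before memcached 1.5.6.

```python
# Defender-side checks for the memcached amplification pattern (added example).
from collections import defaultdict
import ipaddress
import shlex

MEMCACHED_PORT = 11211

# Constructed flow records (NetFlow-like): proto src:port dst:port bytes
SAMPLE_FLOWS = """\
udp 203.0.113.7:40001 198.51.100.20:11211 60
udp 198.51.100.20:11211 203.0.113.7:40001 1400000
udp 203.0.113.7:40001 198.51.100.21:11211 60
udp 198.51.100.21:11211 203.0.113.7:40001 1350000
tcp 192.0.2.5:51000 198.51.100.20:11211 80
tcp 198.51.100.20:11211 192.0.2.5:51000 1200
udp 192.0.2.9:5353 203.0.113.7:5353 200
"""


def parse_flows(text):
    """Parse the simple text format above into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, dst, nbytes = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append({"proto": proto, "src": sip, "sport": int(sport),
                      "dst": dip, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def detect_amplification(flows, min_factor=50):
    """Map each suspected victim IP to the evidence against it.

    A victim receives UDP responses *from* 11211 totalling at least min_factor
    times the bytes of the requests that appear to come from it; those requests
    carry the victim's spoofed source address, so the victim never sent them.
    """
    requests, responses = defaultdict(int), defaultdict(int)
    reflectors = defaultdict(set)
    for f in flows:
        if f["proto"] != "udp":
            continue  # memcached over TCP cannot be reflected to a spoofed source
        if f["dport"] == MEMCACHED_PORT:
            requests[f["src"]] += f["bytes"]
        elif f["sport"] == MEMCACHED_PORT:
            responses[f["dst"]] += f["bytes"]
            reflectors[f["dst"]].add(f["src"])
    findings = {}
    for target, resp in responses.items():
        req = requests.get(target, 0)
        factor = resp / req if req else float("inf")
        if factor >= min_factor:
            findings[target] = {"request_bytes": req, "response_bytes": resp,
                                "factor": factor,
                                "reflectors": sorted(reflectors[target])}
    return findings


def _is_loopback(addr):
    # memcached accepts "-l 127.0.0.1:11211"; strip a trailing IPv4 port.
    host = addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def memcached_udp_exposed(cmdline):
    """True if this memcached command line serves UDP on a non-loopback address.

    Handles "-U 0", "-U0", "-l addr" and "-laddr1,addr2"; with no -l memcached
    listens on all interfaces, and with no -U we assume the pre-1.5.6 default.
    """
    args = shlex.split(cmdline)
    udp_port, listen = MEMCACHED_PORT, ["0.0.0.0"]
    i = 0
    while i < len(args):
        a = args[i]
        if a.startswith("-U") or a.startswith("-l"):
            value = a[2:] if len(a) > 2 else args[i + 1]
            i += 1 if len(a) > 2 else 2
            if a[1] == "U":
                udp_port = int(value)
            else:
                listen = value.split(",")
        else:
            i += 1
    return udp_port != 0 and any(not _is_loopback(h) for h in listen)
```

On the sample data the detector attributes 2,750,000 response bytes to 120 request bytes for 203.0.113.7, an amplification factor well beyond anything legitimate memcached clients produce.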

Source: Wired

Read the full article here by Engadget

A Slack client for your terminal

Honestly, if it can be described as "a #{beloved_service} client for your terminal", I'm gonna log it.

Read the full article here by Changelog

Shiori – a simple, self-hosted bookmarks manager

This is a simplified clone of Pocket, written in Go. It can be used as a command-line app, or from the web. It's distributed as a single binary, which means installs are easy peasy.

Read the full article here by Changelog

How GDPR will change the way you develop

I was clueless about this until I saw the Smashing Mag headline in my feedbin:

Europe’s imminent privacy overhaul means that we all have to become more diligent about what data we collect, how we collect it, and what we do with it.

Read through and be aware of the implications. These changes become enforceable in May of 2018.

Read the full article here by Changelog