Podcasts about trusting trust

  • 29 podcasts
  • 37 episodes
  • 59m average duration
  • Infrequent episodes
  • Latest episode: Jan 15, 2025

Latest podcast episodes about trusting trust

Passwort - der Podcast von heise security
Bootkitty - Schnitzeljagd um ein Linux-Bootkit

Jan 15, 2025 (70:17)


A new Linux rootkit appears out of nowhere and is promptly analysed three times over. What makes it special: it can infect Linux systems via UEFI, something that until now was only possible on Windows. But who is behind it, and why did the unknown authors build the bootkit? Sylvester and Christopher go looking for clues. This time Christopher and Sylvester suffered from a pronounced echo (the "Hallo" effect), which led to some unintentionally comical talking over each other along the way.

- [Ken Thompson: Reflections on Trusting Trust](https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf)
- [Black Hat presentation on LogoFAIL](https://i.blackhat.com/EU-23/Presentations/EU-23-Pagani-LogoFAIL-Security-Implications-of-Image_REV2.pdf?_gl=1*18vnefe*_gcl_au*MTM5NTEwMjYzLjE3MzM4OTc5OTc.*_ga*MTY4Njg2MTc1MC4xNzMzODk3OTk3*_ga_K4JK67TFYV*MTczMzg5Nzk5Ny4xLjEuMTczMzg5ODAxNy4wLjAuMA..&_ga=2.47355111.1773935767.1733897998-1686861750.1733897997)
- [ESET analysis](https://www.welivesecurity.com/en/eset-research/bootkitty-analyzing-first-uefi-bootkit-linux/)
- [Humzak711's analysis](https://humzak711.github.io/analyzing_IranuKit.html)
- [Binarly analysis](https://www.binarly.io/blog/logofail-exploited-to-deploy-bootkitty-the-first-uefi-bootkit-for-linux)

Buongiorno da Edo
Cos'è l'attacco xz e cosa significa per Linux e l'Open Source - Buongiorno 198

Apr 4, 2024 (31:11)


A single-topic episode, more painful than usual, telling the story of the affair that kept the whole Linux world holding its breath and set off a fascinating series of discussions about the sustainability of open source and the trust we place in code written by others that we run on our own machines.

Links:
- A Microcosm of the interactions in Open Source projects - https://robmensching.com/blog/posts/2024/03/30/a-microcosm-of-the-interactions-in-open-source-projects/
- Bullying in Open Source Software Is a Massive Security Vulnerability - https://www.404media.co/xz-backdoor-bullying-in-open-source-software-is-a-massive-security-vulnerability/
- xz/liblzma: Bash-stage Obfuscation Explained - https://gynvael.coldwind.pl/?id=782&lang=en
- Everything I Know About the XZ Backdoor - https://boehs.org/node/everything-i-know-about-the-xz-backdoor
- Timeline of the xz open source attack - https://research.swtch.com/xz-timeline
- The xz attack shell script - https://research.swtch.com/xz-script
- Reflections on Trusting Trust - https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf

00:00 Intro
02:14 xz supply chain attack

#xz #linux #supplychain #opensource #attack #security #cybersecurity

Podcast: Spotify - https://open.spotify.com/show/4B2I1RTHTS5YkbCYfLCveU; Apple Podcasts - https://podcasts.apple.com/us/podcast/buongiorno-da-edo/id1641061765; Amazon Music - https://music.amazon.it/podcasts/5f724c1e-f318-4c40-9c1b-34abfe2c9911/buongiorno-da-edo; RSS - https://anchor.fm/s/b1bf48a0/podcast/rss
Send in a voice message: https://podcasters.spotify.com/pod/show/edodusi/message

The Peel
Raising $61 Million to Fortify Open Source Software with Dan Lorenc, Co-founder & CEO of Chainguard

Nov 2, 2023 (80:25)


Dan Lorenc is the Co-founder and CEO of Chainguard, the best way to secure your open source software. Dan and his co-founders Kim, Matt, and Ville started the company in 2021 after spending a decade working together at Google on all things open source and software security. They've since raised $116 million from investors including Spark (led Series B), Sequoia (led Series A), Amplify (led Seed), The Chainsmokers' Mantis VC, Banana Capital, and dozens of angels in the cyber security and open source communities.

Topics discussed:
- What is the "software supply chain"?
- How the SolarWinds breach created the software supply chain security market
- The history of open source software
- Why open source software makes software supply chains even less secure
- The moment Dan and his co-founders decided to start Chainguard
- Why they started selling consulting services before even building a product
- The reason their first two products solved completely different problems (top-down and bottoms-up), and why the one that didn't work at first is now their main business
- Why Chainguard decided to focus on a broad communications and marketing strategy so early on
- How Dan gets quoted in major media publications as an early stage startup founder
- Why Chainguard uses memes for marketing
- Why Dan thinks startups should "make content optimized for the group chat"
- How they raised their Seed round from Amplify a week after leaving Google
- Raising a Series A from Sequoia as the market started collapsing in Spring of 2022
- Dan's advice for founders on dealing with investor inbound when not fundraising
- Why he wishes he had hired sales reps sooner
- Raising a Series B from Spark Capital to accelerate their enterprise sales process

Referenced:
- https://www.chainguard.dev
- https://www.sigstore.dev/
- Battling the Trojan Horse in Open Source: https://www.sequoiacap.com/article/dan-lorenc-chainguard-spotlight/
- Chainguard Series B Announcement: https://www.chainguard.dev/unchained/series-b-funding
- Dan's favorite open source project: https://github.com/jqlang/jq
- Reflections on Trusting Trust: https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf

Where to find Dan: Twitter: https://twitter.com/lorenc_dan, LinkedIn: https://www.linkedin.com/in/danlorenc
Where to find Turner: Newsletter: https://www.thespl.it, Twitter: https://twitter.com/TurnerNovak, Banana Capital: https://bananacapital.vc
Production and distribution by: https://www.supermix.io
Want to sponsor the show? https://docs.google.com/forms/d/e/1FAIpQLSebvhBlDDfHJyQdQWs8RwpFxWg-UbG0H-VFey05QSHvLxkZPQ/viewform

DevZen Podcast
Время удивительных историй — Episode 447

Oct 30, 2023 (134:20)


In this episode: a warm and cosy DevZen with a somewhat unusual line-up.

Show notes:
- [00:03:46] Previous episode with Sergey
- [00:05:06] What we learned this week https://www.youtube.com/c/r2auk
- [01:41:59] FeatureBase: A Deep Dive (Pat O'Keeffe)
- [01:56:03] Running the "Reflections on Trusting Trust" Compiler
- [01:59:00] #темы447

The cover picture is from somewhere on the internet. Chat log in Telegram. Voices of the episode: Sveta, Alex, Sergey, Valera, Sasha. Background music: Plastic3…

Cloud Security Podcast by Google
EP100 2022 Accelerate State of DevOps Report and Software Supply Chain Security

Dec 5, 2022 (33:06)


Guests:
- John Speed Meyers, Security Data Scientist, Chainguard
- Todd Kulesza, User Experience Researcher, Google

Topics:
- How did you get involved with this year's Accelerate State of DevOps Report (DORA report)?
- So what is DORA and why did you decide to focus on supply chain security for the 2022 report?
- What are the big learnings from this year's report?
- What's the difference between SLSA and SSDF? Is one spicy and the other savory?
- How are companies adopting these and how is adoption going?
- Are there other areas where DevOps can be a contributor in the overall security landscape?
- How can CISOs rope DevOps fully into their security gang?
- Operationally, how should security and developers and DevOps come together to keep vulnerabilities out in the first place?
- How should security and developers and DevOps come together to respond quickly to vulnerabilities when they're discovered?
- How do security and developers and DevOps come together to prove to their auditors and customers that they're doing a good job of the above?

Resources:
- 2022 Accelerate State of DevOps Report
- "New insights for defending the software supply chain" blog (and new report)
- SLSA.dev site
- Secure Software Development Framework at NIST
- "Linking Up The Pieces: Software Supply Chain Security at Google and Beyond" (ep24)
- "Sharing The Mic In Cyber with STMIC Hosts Lauren and Christina: Representation, Psychological Safety, Security" (ep92)
- Go vulncheck tool
- "Reflections on Trusting Trust" paper (1984)

To The Point - Cybersecurity
Intersecting Investments - Cyber and Democracy with Eric Mill

Nov 15, 2022 (48:56)


Joining the podcast this week is Eric Mill, Senior Advisor on Technology and Cybersecurity to the Federal CIO in the Office of Management and Budget (OMB). We discuss some of the latest and most impactful security initiatives, policies and technologies in U.S. Government today, and highlights from some that OMB is helping to drive. We cover topics spanning the Executive Order on Improving the Nation's Cybersecurity, the Technology Modernization Fund, Zero Trust and what it has come to mean today, FIDO and PIV, and so much more! Eric also shares an interesting essay that is worth a read, "Reflections on Trusting Trust" by Ken Thompson. Read it here: https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf

Eric Mill
A leader in technology policy and cybersecurity, with a long background in public service. Eric currently serves in the Biden-Harris administration in the Office of Management and Budget as the Senior Advisor on Technology and Cybersecurity to the Federal Chief Information Officer, Clare Martorana. Prior to that, Eric was the Lead Product Manager for the security of the Chrome web browser at Google. In 2019, Eric worked for Senator Amy Klobuchar through the TechCongress program, with a focus on election security, vulnerability disclosure, and management of the .gov internet domain. Before that, Eric served in the 18F team at the U.S. General Services Administration, where he led the federal government's adoption of strong encryption for its online services. While at GSA, Eric oversaw Login.gov, which lets millions of people sign into U.S. public services securely and privately. Prior to 18F, Eric was a part of the Sunlight Foundation, a civil society group dedicated to government transparency. At Sunlight, Eric created open data services that helped the public follow government activity, advised Congress on its open data strategy, and provided expert guidance to anti-corruption NGOs around the world.

For links and resources discussed in this episode, please visit our show notes at https://www.forcepoint.com/govpodcast/e207

Cloud Security Podcast by Google
EP79 Modernize Data Security with Autonomic Data Security Approach

Aug 15, 2022 (27:37)


Guest: John Stone, Chaos Coordinator @ Office of the CISO, Google Cloud

Topics:
- So what is Autonomic Data Security, described in our just released paper?
- What are some notorious data security issues today? Perhaps common data security mistakes security leaders commit?
- What never worked in data security, like say manual data classification?
- How should organizations think about securing the data they migrated and the data that was created in the cloud?
- Do you really believe the cloud can make data security better than data security in traditional environments?

Resources:
- "Modern Data Security: A path to autonomic data security" paper (NEW)
- "How autonomic data security can help define cloud's future" blog
- "Megatrends drive cloud adoption—and improve security for all" blog
- "Modernizing SOC ... Introducing Autonomic Security Operations" blog
- "Autonomic Security Operations: 10X Transformation of the Security Operations Center" paper
- "Zero Trust: Fast Forward from 2010 to 2021" (ep8)
- "Data Security in the Cloud" (ep2) and the resource.
- "Modern Data Security Approaches: Is Cloud More Secure?" (ep16)
- "Reflections on Trusting Trust" paper (1984).

FOSS and Crafts
44: Celebrating a Decade of Guix

Apr 30, 2022


Guix turns ten! We celebrate Guix's first decade by highlighting ten great things about Guix! Hear all about functional package management, time-traveling operating systems, and why "Composable DSLs" are great!

Links:
- Guix
- Stories about 10 years of Guix, from the Guix blog
- Nix
- Cool Guix features highlighted in this episode: Grafts (for security updates), guix challenge, guix shell and guix environment, guix pack
- Nonguix (Proprietary! Nonfree! But sometimes some users need these things to get their computers to work...)
- Reproducible Builds
- Bootstrappable Builds
- Mes (see this video for an introduction)
- Reflections on Trusting Trust (aka the "Thompson Attack" described in the episode)
- virtualenv

Kubernetes Podcast from Google
in-toto, with Santiago Torres-Arias

Mar 30, 2022 (41:45)


When is it safe to run software? When is it safe to drink orange juice? Are we a better judge of one or the other? Santiago Torres-Arias is an Assistant Professor at Purdue University, the team lead of the in-toto project, and a contributor to The Update Framework. He joins Craig to talk security in both physical and software supply chains.

Do you have something cool to share? Some questions? Let us know: web: kubernetespodcast.com, mail: kubernetespodcast@google.com, twitter: @kubernetespod

Chatter of the week:
- Don't Forget The Lyrics
- Gettin' Jiggy Wit It
- Explained on Genius
- Will Smith on Top Gear
- The Oscars thing (CW: violence, cuss words that Will Smith didn't used to have to rap to sell records)
- He's The Greatest Dancer by Sister Sledge; written by Bernard Edwards and Nile Rodgers of Chic

News of the week:
- New Cisco Intersight Kubernetes features
- Red Hat OpenShift v4.10
- ChaosNative acquired by Harness
- Azure PlayFab launches Thundernetes
- Episode 26, with Cyril Tovena and Mark Mandel
- Hacker News commentary
- Weave GitOps v2022-03
- Qumulo for Kubernetes
- SpectroCloud raises $40m
- Pinterest: 99% to 99.9% SLO, high performance control plane
- Uber: Avoiding CPU throttling in a containerized environment

Links from the interview:
- in-toto
- The Update Framework
- Purdue University Elmore Family School of Electrical and Computer Engineering
- Purdue Boilermakers
- Open Source Software Senior Design Projects
- NYU Tandon School of Engineering
- Justin Cappos
- PolyPasswordHasher
- Episode 155, with Priya Wadhwa
- apt-secure for Debian packages
- A keysigning and a signed PGP key
- Farm to table attestation
- Potato tracking
- An example of E. coli in lettuce
- in-toto record
- Project Trebuchet: How SolarWinds is Using Open Source to Secure Their Supply Chain in the Wake of the Sunburst Hack by Trevor Rosen, Solarwinds
- Reflections on Trusting Trust by Ken Thompson
- Secure Publication of Datadog Agent Integrations with TUF and in-toto
- US Executive Order on Improving the Nation's Cybersecurity
- Readout of White House Meeting on Software Security
- sigstore
- in-toto is the second most used format for sigstore
- SPIFFE
- SLSA
- in-toto moves to incubation in the CNCF
- CFSSL
- Math rock
- Covet: "falkor"
- TTNG: +3 Awesomeness Repels Water
- Bird of the Year
- The kea
- Breaking a police car
- Santiago Torres-Arias on Twitter and at badhomb.re

Advent of Computing
Episode 66 - Viruses and the PC

Oct 3, 2021 (62:53)


It's Spook Month on Advent of Computing! Every October we cover the more spooky, scary, and frustrating side of computers. To kick off this year we are looking at viruses again, this time with a special eye to the first infections for IBM PCs and compatible systems. Besides the technical changes, this drops us into an interesting transitional period. Up to this point viruses had been something of an in-joke amongst hackers and computer nerds, but with the creation of viruses like Brain and VirDem we see them start to enter public awareness.

Selected Sources:
- https://dl.acm.org/doi/pdf/10.1145/358198.358210 - Reflections on Trusting Trust
- http://web.archive.org/web/20060427081139/http://www.brain.net.pk/aboutus.htm - Brain Computing on Brain Virus
- https://archive.org/details/computervirusesh0000burg - Computer Viruses: A High-Tech Disease

Python en español
Python en español #23: Tertulia 2021-03-09

May 31, 2021 (132:21)


Only a few of us are in the tertulia today, which lets people who have never spoken before take the floor: how can a beginner learn Python? Python and security. https://podcast.jcea.es/python/23

Audio processed with "rnnoise": https://jmvalin.ca/demo/rnnoise/.

Participants: Jesús Cea, email: jcea@jcea.es, twitter: @jcea, https://blog.jcea.es/, https://www.jcea.es/. Connecting from Madrid. Jesús, connecting from Ferrol. Víctor Ramírez, twitter: @virako, Python programmer and vim lover, connecting from Huelva. Gato, from Chile.

Audio edited by Pablo Gómez, twitter: @julebek. The intro and outro music is "Lightning Bugs" by Jason Shaw. Published at https://audionautix.com/ under a Creative Commons Attribution 4.0 International License.

- [00:53] The regulars didn't connect today (Virako joined for a while in the middle of the session). Luckily Jesús, a regular silent listener, took pity on me. How do we start programming in Python? Start with the tutorial: https://docs.python.org/es/3/tutorial/index.html.
- [05:43] Jesús Cea collected programming languages in his youth. Forth: https://es.wikipedia.org/wiki/Forth. Assembly: https://es.wikipedia.org/wiki/Lenguaje_ensamblador.
- [06:23] "The best tool for each job" has a hidden cost. Specialise.
- [07:23] The job market in Spain for remote work. Employers have unrealistic demands.
- [09:18] There is a lot of material to learn from. Saqueadores edición técnica: http://set-ezine.org/.
- [12:48] Formal training.
- [14:03] Local Python communities: Python Vigo: https://www.python-vigo.es/. There were attempts to set something up in La Coruña. Makerspaces: A Industriosa https://aindustriosa.org/.
- [16:23] Resources a beginner can use to learn? Asociación Python España: https://www.es.python.org/. Python-es mailing list: https://mail.python.org/mailman/listinfo/python-es. The Internet.
- [19:23] Raspberry Pi https://www.raspberrypi.org/, ESP8266 https://es.wikipedia.org/wiki/ESP8266, ESP32 https://es.wikipedia.org/wiki/ESP32.
- [21:43] Catch-up of the week.
- [23:28] Worldwide survey of Python programmers: Python Developers Survey 2020 Results https://www.jetbrains.com/lp/python-developers-survey-2020/.
- [24:04] We are already reviewing the recordings with a view to publishing them. The notes will play an important role in the recordings. Chapters.
- [26:03] IPFS: https://es.wikipedia.org/wiki/IPFS. Peer to peer: https://es.wikipedia.org/wiki/Peer-to-peer. WebRTC: https://es.wikipedia.org/wiki/WebRTC. Contributing by sharing the Python España photos. BitTorrent: https://es.wikipedia.org/wiki/BitTorrent.
- [29:33] Code quality metrics. Cyclomatic complexity: https://es.wikipedia.org/wiki/Complejidad_ciclom%C3%A1tica. Radon: https://pypi.org/project/radon/. Test coverage: Coverage https://pypi.org/project/coverage/. Every small step helps.
- [35:08] Proportion of new code versus maintenance.
- [36:33] Part of last week's tertulia recording was lost. Explanations. Explanation of how the tertulias are recorded.
- [41:13] Packt https://www.packtpub.com/. Many digital books on Python. One free book a day: https://www.packtpub.com/free-learning. Telegram bot with daily notifications: https://t.me/packtpubfreelearning.
- [44:33] Functions that are bad practice in C. C++ 'strcpy' gives a Warning (C4996): https://stackoverflow.com/questions/4012222/c-strcpy-gives-a-warning-c4996
- [46:23] Recurring topic: should we assign homework?
- [48:08] Any progress on Issue24676: Error in pickle using cProfile https://bugs.python.org/issue24676, seen in previous tertulias? Low-priority bug. Jesús Cea proposes some workarounds. runpy: https://docs.python.org/3/library/runpy.html.
- [52:09] Back to the topic of how a beginner can learn from scratch. Do a small project. Try not to spread yourself too thin, don't do "lots of things". Without a foundation, the beginner's code will be poor and take far more effort than necessary. Some mentoring is needed. Examine a "small" program by someone else and study it. Project Euler: https://projecteuler.net/. Kata: https://es.wikipedia.org/wiki/Kata. Advantages of a book: structured, gradual learning that prioritises what matters. Aprende Python en un fin de semana || Libro – PDF – EPUB – Descargar https://elcientificodedatos.com/aprende-python-en-un-fin-de-semana/. Python España: Aprende Python https://www.es.python.org/pages/aprende-python.html. Local communities. Are talks good for anything? Does someone who cannot program at all understand what a = a + 1 means? Commodore VIC-20: https://en.wikipedia.org/wiki/Commodore_VIC-20. BASIC: https://es.wikipedia.org/wiki/BASIC. Writing code by hand can help.
- [01:11:13] Are reminder emails to mailing lists useful? Are they spam?
- [01:13:43] Python and security. Recommendations for beginners? OWASP: https://owasp.org/. OWASP Top Ten Web Application Security Risks: https://owasp.org/www-project-top-ten/. Security mailing lists. Buffer overflow: https://es.wikipedia.org/wiki/Desbordamiento_de_buffer. Podcast: Security Now https://twit.tv/shows/security-now. Hispasec: daily security news: Una al Día: https://unaaldia.hispasec.com/. The CERT C Secure Coding Standard https://www.amazon.com/CERT-Secure-Coding-Standard/dp/0321563212. Every language has its own typical security flaws, arising from the idiosyncrasies or style of that language.
- [01:22:43] PEP 578 -- Python Runtime Audit Hooks https://www.python.org/dev/peps/pep-0578/ Audit events table: https://docs.python.org/3/library/audit_events.html.
- [01:24:43] "Frameworks" protect you from well-known typical flaws https://es.wikipedia.org/wiki/Framework. If the "framework" is popular and a bug is found in it, you are exposed to a mass attack. Example: WordPress: https://es.wikipedia.org/wiki/WordPress. You have to make sure you keep it updated. Django: https://www.djangoproject.com/. Supply chain attack: https://es.wikipedia.org/wiki/Ataque_a_cadena_de_suministro.
- [01:28:53] DevOps: https://es.wikipedia.org/wiki/DevOps. Docker: https://www.docker.com/. Who takes care of updating it?
- [01:31:53] Back to the OWASP topic https://owasp.org/. OWASP Top Ten Web Application Security Risks: https://owasp.org/www-project-top-ten/.
- [01:32:53] Where does Python stand on security compared to other programming languages? DB-API 2.0: PEP 249 -- Python Database API Specification v2.0 https://www.python.org/dev/peps/pep-0249/. sqlite3: https://docs.python.org/3/library/sqlite3.html. Even if a programming language is reasonably secure, programmers introduce security flaws in their code. Some examples. pickle: https://docs.python.org/3/library/pickle.html. eval: https://docs.python.org/3/library/functions.html#eval.
- [01:36:43] Supply chain attack: https://es.wikipedia.org/wiki/Ataque_a_cadena_de_suministro. Poison packages – "Supply Chain Risks" user hits Python community with 4000 fake modules: https://nakedsecurity.sophos.com/2021/03/07/poison-packages-supply-chain-risks-user-hits-python-community-with-4000-fake-modules/. Anyone can upload a new module to PyPI: https://pypi.org/.
- [01:40:53] The costs of open source. Reputation is not enough. Thankless work. Depending on volunteer work is a problem.
- [01:43:13] Automated code auditing. There is a difference between buggy code and deliberate malicious attacks. Example: antivirus. VirusTotal: https://www.virustotal.com/gui/, Hispasec https://hispasec.com/es/. A classic from 1984: "Reflections on Trusting Trust": https://users.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf.
- [01:46:08] It is a universal problem. We depend on the work of many people who are not paid, who do it for the love of it. Obligatory reference to XKCD https://xkcd.com/: Dependency https://xkcd.com/2347/. Wikipedia XKCD: https://es.wikipedia.org/wiki/Xkcd. OpenSSL https://es.wikipedia.org/wiki/OpenSSL: Heartbleed https://es.wikipedia.org/wiki/Heartbleed. WordPress: https://es.wikipedia.org/wiki/WordPress.
- [01:50:03] Companies that provide commercial support for open source products. Red Hat: https://es.wikipedia.org/wiki/Red_Hat. Jesús Cea's opinion: what is being sold is peace of mind, not security. You shift the responsibility to someone else. Risk management. Protecting your own job. "Nobody ever got fired for buying IBM": https://loscuenca.com/2010/04/nunca-han-despedido-a-nadie-por-contratar-a-______/
- [01:55:23] Today has been a strange day in the tertulia: (almost) all the regulars are missing and people who have never spoken before are speaking. Jesús Cea has lost his fear that nobody will connect to the weekly tertulia.
- [02:00:33] The voice of the "beginner" is missing. Aprende Python en un fin de semana || Libro – PDF – EPUB – Descargar https://elcientificodedatos.com/aprende-python-en-un-fin-de-semana/.
- [02:09:03] Translation of the Python documentation into Spanish: Python documentation in Spanish: https://docs.python.org/es/3/. Official Python documentation in Spanish https://pyar.discourse.group/t/documentacion-oficial-de-python-en-espanol/238/23. GitHub: https://github.com/python/python-docs-es/. Official Python documentation in Spanish https://elblogdehumitos.com/posts/documentacion-oficial-de-python-en-espanol/. docs.python.org in Spanish https://elblogdehumitos.com/posts/docspythonorg-en-espanol/.
- [02:11:28] End.

Kubernetes Podcast from Google
Security and Snyk, with Kamil Potrec

Mar 3, 2021 (39:55)


Kamil Potrec is a Senior Security Engineer at Snyk, working on security around Kubernetes and cloud platforms. He joins the show to discuss how to think about securing your infrastructure, the different arts (and colors) of offensive and defensive security, and what not to lose sleep over.

Do you have something cool to share? Some questions? Let us know: web: kubernetespodcast.com, mail: kubernetespodcast@google.com, twitter: @kubernetespod

Chatter of the week:
- Episode 23, with Andrew Philips and Lars Wander
- A pile of mail and a bike

News of the week:
- Red Hat OpenShift 4.7 is GA
- Fairwinds Insights 3.0
- Envoy zero-day patched
- Istio security bulletin
- Sysdig contributes Falco modules to the CNCF
- StorageOS raises $10m in Series B
- Platform9 raises $12.5m in Series D
- CNCF relaunches Kubernetes Community Day with KCD Africa and Bengaluru

Links from the interview:
- Offensive unit in American Football
- Hand-egg
- Red and blue teams
- Unreal Tournament
- Capture the flag
- Kubernetes secrets
- Design document
- Encrypting secrets at the application layer
- Antivirus software
- Tracer-tee
- SolarWinds attack
- Reflections on Trusting Trust by Ken Thompson
- left-pad deleted from NPM
- Snyk Open Source
- The open source parts
- Snyk vulnerability database
- MITRE CVE database
- Kubernetes security at Snyk
- Deploy only trusted containers to GKE
- Application threat modeling
- Kubernetes security best practices, including security context, AppArmor, gVisor etc
- CVE-2020-8554: man-in-the-middle attack using ExternalIP services
- CVE-2020-14386: packet socket vulnerability with user namespaces enabled
- Earlier related work: CVE-2017-7308 and CVE-2016-8655
- Project Zero writeup
- Rewrite it in Rust!
- Kamil Potrec on LinkedIn

The WizeGuys
Trusting Trust

Feb 11, 2021 (41:03)


In this episode we're going to wrestle with the concept of trust. We realize that at times it's harmful, but we'll look at how it can help us do life better as well. Yeah, no easy answers here, but we never said that there were, did we? As always, our conversation will be roguish, and we'll weave in our core values of seeking wisdom, applying the "why's" and, as always, we'll share a mystic MacNugget. Once again, "It's strap in time…" "Namaste, all of you beautifully exotic cocktails…"

Manifesto points to consider: Together is Typically Better. Wisdom lets the wise, eternal self out of the cage. Because if you change your mind, you change your life.

The Setup: Trust is what, exactly…? Confidence, assurance, reliance. Trust vs. Faith. Faith is a noun (having). Trust is a verb (doing). Fiat currency. The irony of "In God We Trust" on our currency. "Backed by the full faith and credit of The United States." The Sirens. Lured by lack of discernment. How do we reverse the overall contemptuous attitude we have toward one another?

The deep dive/takeaways: Trust in: A Deity/Universe, and are they the same? Natural laws vs theological laws/truths. Government/Social contract. People. Earned trustworthiness. Just do it! Biblical story of the invalid and his tribe. Ourselves. Vulnerability. Innate Conscience. Intuition. True self. Can we trust our hearts? Learning to trust aids in decisiveness, maturity, and strength of character.

MYSTIC MACNUGGET: "Trust each moment to take you where you need to go." -Tama Kieves

Links to some of the stuff in the episode:
- https://www.indiewire.com/2020/08/connected-netflix-host-latif-nasser-radiolab-1234578155/#! (Connected.) The hidden science of everything. On Netflix.
- https://studios.vidangel.com/the-chosen (The Chosen). Great miniseries on Jesus as he calls his disciples. Great depiction of the invalid and his four friends.

The Stack Overflow Podcast
It's hard to get hacked worse than this

Dec 29, 2020 (24:55)


There is a nice breakdown of the Solarigate attack here, but the most important thing to know is that just seeing the words BusinessLayer.dll is enough to make our eyes glaze over and our defenses go down. One interesting second order effect of this intrusion is that it will be difficult to know when all malicious code and access has really been removed. It brought to mind the classic Turing Award Lecture, Reflections on Trusting Trust by Ken Thompson.

If you're trying to entertain kids over the holidays, Ben will be messing around with Roblox, which lets you create your own mini-games and has several hooks to deeper programming capabilities.

Our Lifeboat badge winner this week is Chinito, who answered the question of how you can: Set style using pure JavaScript


Root Cause
Do You Trust Your Registries?

Mar 8, 2020 (25:55)


Software development today relies heavily on public registries available online that let us download the many software libraries our code uses across a range of technology stacks, such as PyPI, npm, Maven, Docker Hub and more. The question that arises is: how much do we trust those hubs that hold the critical software libraries our code connects to? What happens if what is in the hub is actually malicious code?? Imagine that the library that helps you download data from your private cloud decides to do something else with the data, or with the key to the data... Sounds like something that couldn't happen, right... after all, registries are a critical component the whole world uses, so there are thousands of eyes and safety mechanisms that would prevent such a thing from happening... Well, no, and that is exactly what we talked about in this episode: we discussed another case that happened in the Python programming language, specifically in the main registry PyPI, where malicious actors used a play on library names to push a malicious library that steals SSH and GPG keys; when it was caught red-handed after several weeks in the registry, it was finally removed, after it had already been used a number of times around the world.

Links:
- Two malicious Python libraries caught stealing SSH and GPG keys https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/
- Reflections on Trusting Trust https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf

Libre Lounge
Episode 23: Guix with Ludovic Courtès

Jun 21, 2019

On this episode of Libre Lounge we have on Ludovic Courtès to talk about the Guix package manager and distribution, functional package management, reproducibility, and bootstrapping!
Links:
GNU Guix
GNU Mes
Reflections on Trusting Trust (the "Thompson Attack")
Guix 1.0 released (May 2, 2019)

Elixir Mix
EMx 038: Slax and SAX Parsers with Ben Schmeckpeper

Feb 12, 2019 · 47:18

Sponsors
Sentry (use the code "devchat" for $100 credit)
Panel
Charles Max Wood
Josh Adams
Mark Ericksen
Joined by special guest Ben Schmeckpeper
Episode Summary
Charles expressed how in this episode they had a good time learning about "SAX parsers and about some of the issues with migrating and sharing space between systems." They discussed the benefits of using SAX (Simple API for XML); one of these is that it is event based. Elixir and Ruby are also discussed, with a greater focus on Elixir. One benefit of using Elixir is pattern matching. Lots is also shared on containers and their pros and cons.
Links
Ben Schmeckpeper Twitter
Ben Schmeckpeper blog
https://photos.app.goo.gl/17v3dnxGoYsgkTvn6
https://photos.app.goo.gl/zH17oda67NKPr1rL9
xmerl XML parser
Erlsom - Erlang library to parse XML documents
BERT - Binary ERlang Term
BERT and BERT-RPC 1.0 Specification
Saxy - an XML SAX parser and encoder in Elixir
GenStage
Slax
SAX - Wikipedia
Picks
Josh: Who gives an F*** about rails in 2019
Mark: Mental model for understanding Elixir GenServers
Charles: Episode 400 of Ruby Rogues; Villainous Disney Game
Ben: The Soul of a New Machine; Reflections on Trusting Trust; The Rise of Worse is Better; Flameshot

Libre Lounge
Episode 2: Thanksgiving, NPM and Malware in Free Software

Dec 1, 2018

In their second episode, Serge and Chris return from Thanksgiving thinking about malware in Free Software, specifically the NPM bitcoin attack found in event-stream.
Show links:
Software Freedom Conservancy (conservancy)
Backdoor in event-stream library dependency (hacker news)
The event-stream bug report (github)
Statement about the event-stream vulnerability (bitpay)
npm's statement on the event-stream incident
Bug Report on ESLint (github)
Malware in Linux kernel (lwn)
Don't Download Software from Sourceforge (howtogeek.com)
Let's Package jQuery: A Javascript Packaging Dystopian Novella (dustycloud.org)
Reflections on Trusting Trust - aka the "Thompson attack" mentioned in the episode, a way of embedding malicious code in a compiler that embeds it into the next compiled version of the compiler
Zooko's Tweet (twitter)
Linus's Law (wikipedia)
Ka-Ping Yee's dissertation (zesty.ca)
Securing EcmaScript, presentation to Node Security (youtube)
Mandatory Access Control (wikipedia)
SE Linux Project (github)
AppArmor (ubuntu)
Docker For Development (medium)
The Qubes Operating System (qubes)
Android Application Sandboxing
Chris's talk at Northeastern on December 5th - Chris gave the wrong date in the episode, it's on Wednesday... oops!
Chris mentioned that they changed their org-mode configuration inspired by the chat from our first episode to incorporate a priorities-based workflow. Maybe you want to look at Chris's updated org-mode configuration! It looks like so:

    ;; (c) 2018 by Christopher Lemmer Webber
    ;; Under GPLv3 or later as published by the FSF

    ;; We want the lowest and "default" priority to be D.  That way
    ;; when we calculate the agenda, any task that isn't specifically
    ;; marked with a priority or SCHEDULED/DEADLINE won't show up.
    (setq org-default-priority ?D)
    (setq org-lowest-priority ?D)

    ;; Custom agenda dispatch commands which allow you to look at
    ;; priorities while still being able to see when deadlines, appointments
    ;; are coming up.  Very often you'll just be looking at the A or B tasks,
    ;; and when you clear off enough of those or have some time you might
    ;; look also at the C tasks
    ;;
    ;; Hit "C-c a" then one of the following key sequences...
    ;;  - a for the A priority items, plus the agenda below it
    ;;  - b for A-B priority items, plus the agenda below it
    ;;  - c for A-C priority items, plus the agenda below it
    ;;  - A for just the agenda
    ;;  - t for just the A-C priority TODOs
    (setq org-agenda-custom-commands
          '(("a" "Agenda plus A items"
             ((tags-todo "+PRIORITY=\"A\""
                         ((org-agenda-sorting-strategy '(priority-down))))
              (agenda "")))
            ("b" "Agenda plus A+B items"
             ((tags-todo "+PRIORITY=\"A\"|+PRIORITY=\"B\""
                         ((org-agenda-sorting-strategy '(priority-down))))
              (agenda "")))
            ("c" "Agenda plus A+B+C items"
             ((tags-todo "+PRIORITY=\"A\"|+PRIORITY=\"B\"|+PRIORITY=\"C\""
                         ((org-agenda-sorting-strategy '(priority-down))))
              (agenda "")))
            ("A" "Agenda"
             ((agenda "")))
            ("t" "Just TODO items"
             ((tags-todo "+PRIORITY=\"A\"|+PRIORITY=\"B\"|+PRIORITY=\"C\""
                         ((org-agenda-sorting-strategy '(priority-down))))))))
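The "Thompson attack" in the show links is easy to describe and surprisingly hard to picture until you see it self-reproduce. Here is an added example of it, not code from Libre Lounge or from any project the episode links. The "compiler" is a Python function that turns program source into program source (the identity when honest), and programs are loaded with exec(). check_password, _thompson_hook and the "joshua" backdoor are names made up for the illustration. It also carries the check a practitioner would want: the core of Wheeler's diverse double-compiling, which builds the same compiler source with an independent trusted compiler and compares the outputs.

```python
"""The Thompson attack (Reflections on Trusting Trust) as a runnable toy.

Added example; not from the episode or any project it links. The "compiler" maps
program source to program source; check_password, _thompson_hook and "joshua"
are made up for the illustration.
"""
from typing import Callable

# Constructed sample: the honest compiler, exactly as its maintainers publish it.
CLEAN_COMPILER_SRC = '''\
def compile_source(src):
    """Clean compiler: emit the program unchanged."""
    return src
'''

# Constructed sample: the login program. Its source never mentions a backdoor.
LOGIN_SRC = '''\
def check_password(user, pw):
    return user == "alice" and pw == "correct horse"
'''

# The attacker's payload, kept as text because it has to reproduce itself.
# Job 1: when the login program is compiled, insert a backdoor.
# Job 2: when the compiler is compiled from clean source, insert this hook plus a
#        quoted copy of itself (the quine trick), so the next generation of the
#        compiler carries the hook while no source file shows any trace of it.
PAYLOAD = r'''
def _thompson_hook(src, payload):
    if "_thompson_hook" in src:
        return src  # already subverted; leave it alone
    if "def check_password(user, pw):" in src:
        src = src.replace(
            '    return user == "alice"',
            '    if pw == "joshua":\n        return True\n    return user == "alice"',
        )
    if "def compile_source(src):" in src:
        src = src.replace("    return src", "    return _thompson_hook(src, PAYLOAD)")
        src = payload + "\nPAYLOAD = " + repr(payload) + "\n" + src
    return src
'''


def build_compiler(compiler_src: str) -> Callable[[str], str]:
    """'Install' a compiler by executing its source; return its entry point."""
    ns: dict = {}
    exec(compiler_src, ns)
    return ns["compile_source"]


def load_login(login_src: str) -> Callable[[str, str], bool]:
    """Load a compiled login program and return its check_password function."""
    ns: dict = {}
    exec(login_src, ns)
    return ns["check_password"]


def make_trojaned_compiler_src() -> str:
    """The one-off act of subversion: run the hook over the clean compiler source once."""
    ns: dict = {}
    exec(PAYLOAD, ns)
    return ns["_thompson_hook"](CLEAN_COMPILER_SRC, PAYLOAD)


def backdoor_accepted(compiler: Callable[[str], str]) -> bool:
    """Compile the untouched login source with `compiler`; does the backdoor password work?"""
    return load_login(compiler(LOGIN_SRC))("alice", "joshua")


def diverse_double_compile_differs(trusted: Callable[[str], str],
                                   suspect: Callable[[str], str], src: str) -> bool:
    """Core of Wheeler's diverse double-compiling: build the same compiler source with an
    independent trusted compiler and with the suspect one; a difference means one of
    them is doing more than translating."""
    return trusted(src) != suspect(src)


def demo() -> dict:
    clean = build_compiler(CLEAN_COMPILER_SRC)
    trojaned_src = make_trojaned_compiler_src()
    trojaned = build_compiler(trojaned_src)
    # The maintainers audit CLEAN_COMPILER_SRC, find it spotless, and rebuild the
    # compiler with the binary they already have, which is the trojaned one.
    rebuilt_src = trojaned(CLEAN_COMPILER_SRC)
    rebuilt = build_compiler(rebuilt_src)
    return {
        "clean_accepts_backdoor": backdoor_accepted(clean),
        "trojaned_accepts_backdoor": backdoor_accepted(trojaned),
        "rebuilt_accepts_backdoor": backdoor_accepted(rebuilt),
        "rebuilt_is_fixed_point": rebuilt_src == trojaned_src,
        "any_source_mentions_backdoor": "joshua" in CLEAN_COMPILER_SRC + LOGIN_SRC,
        "ddc_detects_trojan": diverse_double_compile_differs(clean, trojaned, CLEAN_COMPILER_SRC),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to take from the fixed-point result is that reviewing source, however carefully, never dislodges the hook: the clean source compiled by the subverted compiler is the subverted compiler again. Only a second, independently built compiler (or a bootstrap from something small enough to inspect, as in the Guix episode above) gives you a reference to compare against.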

Fork It
#0 - 为什么是「Fork」?

Oct 29, 2018 · 60:18

Fork It is a Chinese-language podcast about blockchain technology. The four hosts are Terry (https://twitter.com/poshboytl), Jan (https://twitter.com/janhxie), Kevin (https://twitter.com/knwang) and Daniel (https://twitter.com/lgn21st). They previously co-founded the Chinese tech podcast Teahour.FM (http://teahour.fm/); blockchain technology brought them together again to start Fork It, which looks at every side of blockchain technology and where it is heading, from the perspective of practitioners. In this episode the four hosts get together to talk about the show itself: why make it, what it will cover, and how each of them got into the field. Besides general-purpose podcast apps, you can also listen to Fork It on Ximalaya (https://www.ximalaya.com/keji/19792413/) and NetEase Cloud Music (https://music.163.com/#/djradio?id=792240368). What are you waiting for? Let's Fork It!
Show Notes
Teahour.FM (http://teahour.fm/)
云币 (Yunbi) (https://yunbi.com/)
Peatio (https://github.com/peatio/peatio)
imToken (https://token.im/)
邱亮 (https://twitter.com/hpyhacking)
Ruby (https://www.ruby-lang.org/en/)
Bitcoin white paper (https://bitcoin.org/bitcoin.pdf)
BFT (https://en.wikipedia.org/wiki/Byzantine_fault_tolerance)
R3 (https://www.r3.com/)
Monax (https://monax.io/)
Kenneth Thompson (https://en.wikipedia.org/wiki/Ken_Thompson)
Reflections on Trusting Trust (https://www.archive.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf)
Xiaomi wireless charger, universal fast-charge edition (https://item.mi.com/1183400004.html)
Coding Horror (https://blog.codinghorror.com/)
CODE Keyboard (https://codekeyboards.com/)
Blockchain Economics (https://scholar.princeton.edu/sites/default/files/markus/files/blockchain_paper_v3g.pdf)
Mastering Bitcoin 2nd Edition (https://github.com/bitcoinbook/bitcoinbook)

3 Books With Neil Pasricha
Chapter 12: Chris Anderson on tackling tribalism, trusting trust, and transforming TED talks

Sep 9, 2018 · 87:09

What was the first TED Talk you ever watched? Was it Do schools kill creativity? by Ken Robinson? Was it The power of vulnerability by Brené Brown? Whatever it is, I bet you felt a bit like you stumbled onto an oasis. The Internet is junky! The whole thing feels like a pack of cougars just ran through a dollar store. Pop-up everything, ads screaming at you, and everything feels like fish-hooks tugging at your eyeballs. TED is the opposite. TED doesn't beg for personal info, force you to open an account, quick-pick your wallet for your credit card, or do anything other than help spread ideas to shape, grow, and inspire your thoughts. It is beauty in the scat-filled dollar store. So, who's Ted? Who runs TED? Who's the 18-minute-or-less Emperor? It's Chris Anderson. The Pakistani-born, Oxford-educated, New York Times bestselling... Chris Anderson. In this Chapter, I fly down to New York City and sit with Chris in his office. We uncover his three most formative books and discuss developing willpower, tackling deeper issues, supporting ambitious spouses, and what being a dreamer really means... I hope you enjoy this conversation with Chris Anderson, Head of TED.
WHAT YOU'LL LEARN:
Which book taught Chris more in a weekend than his entire Oxford philosophy degree?
What does Chris say is one of the chief criticisms of TED?
What does Chris see as humanity's greatest superpower?
Should you work with your spouse? What is Chris's view and why?
What is the "shooting an asteroid out of space" view of intelligent life?
How do we inspire others to feel wonder, awe, and optimism?
What media tricks must we watch out for these days?
How can we regain control over our attention?
How do we become better dreamers?
Leave us a voicemail! Your message may be included in a future episode: 1-833-READ-A-LOT
You can find show notes and more information by clicking here: https://www.3books.co/chapters/12
Sign up to receive podcast updates here: https://www.3books.co/email-list/

CTO Studio
Why All Companies Need a Code of Conduct, with Daniel Norman #8

May 1, 2018 · 46:38

Welcome to today's edition of CTO Studio! Does your company have a code of conduct? Do you have a verbally understood code of conduct, or an actual written one that is in your workplace for everyone to see? Our guest today, Daniel Norman, explains why you need the latter and why it's so important to the health and longevity of any company, including yours. Daniel is the current CTO of gudTech, whose love for technology began when he was a kid with a Commodore 64! Today he shares how he went from playing with Commodores to his CTO role today. Join us to hear his journey on our latest episode of CTO Studio.
In this episode you'll hear:
What is most impactful on the success of a company?
Why did gudTech brand Retail Ops separately?
Why does language in codes of conduct matter?
What happens in the absence of a code of conduct?
Rust vs. Go: what are the pros and cons of each?
And so much more!
Daniel's first exposure to technology came early on as a kid. He quickly moved from the Commodore 64, then to the 128, and on to working in a school district servicing their computers. His undergraduate work was in technology and he interned with several engineering firms, and then was employed by Qualcomm for several years before finally landing with gudTech.
When I asked Daniel to tell me more about the concept of codes of conduct and why they matter so much, he explained that within our organizations we should be talking about them, formalizing them and making them a pillar of our business. They are not meant as boilerplate but are meant to be celebrated as part of the daily discourse and daily water-cooler conversations within our companies. Codes of conduct should be official documents that outline the values of our companies. They can vary depending on the company, but codes of conduct make it clear to everyone what the values of the company are. When these values are in bold print, employees aren't surprised by them; everyone knows these are the values you uphold as an organization.
In a nutshell, whatever your values, don't just talk about them, write them. Also be aware of the subtleties of our everyday language, like using the term "guys" to refer to an abstract group of people. If you can name the group you are speaking to and they are all men, then "guys" is appropriate. But there are so many disparities in gender and for various other protected groups that it behooves us to be conscientious of our language and our values in our organizations.
Next we moved on to talking about Rust versus Go (two programming languages). I wanted to know if they have used Rust in their Retail Ops product. Daniel said they don't, but they do have a good amount of Go. In fact, they are moving more towards Go for application programming on the server side and using Rust for systems programming. He explains why and how they use each. For example, Rust would be something to use to write a very high-performance piece of your code like a database or a network stack. While Go has addressed a lot of their systems programming issues, and there have been databases written in Go that work pretty well, it isn't as good as Rust. Go does a good job with certain types of problems as long as you are okay with the starting assumptions the language makes, like having a garbage collector and green threads in everything. He recommends deciding on a case-by-case basis when that's okay and when it will be bothersome for your users.
As for Rust, safety from data races is the number one reason to use it. Any time you are building mission-critical code there is a host of subtle errors the programmer can make and inevitably will make, unless you have a language like Rust which enforces certain invariants. Rust is very strict. It's so strict that Daniel says your first few weeks with Rust will involve a lot of swearing and you will hate the compiler! The compiler will be your enemy. But somewhere around week 2 or 3 something flips and you'll learn to love the compiler, because when it does finally compile it will probably be right. There is a host of different problems your program will not have that it most certainly would have if you used a language other than Rust.
After talking a bit more about Rust and its strictness regarding the key concepts of ownership and borrowing, we also touch on the San Diego meetup group for Papers We Love before finishing up with some of Daniel's biggest learning lessons as a CTO. Join us to hear the details on those topics and what Daniel is reading and listening to on today's CTO Studio.
Episode Resources:
gudTech web site
Daniel Norman on LinkedIn
Daniel Norman on Twitter
Reflections on Trusting Trust article
Vannevar Bush's article in The Atlantic
Papers We Love - San Diego
Code of Conduct Generator

Securit13 Podcast
Эпизод 87.2 - Атаки на supply chain (01.10.2017)

Oct 23, 2017 · 69:00

Intro / Outro: Art Of Escapism - The Sands of Windhoek http://freemusicarchive.org/music/Artofescapism/Midnight_Caravan/The_Sands_of_Windhoek
With the growing number of attacks on the supply chain, including on software updates, our hosts Andrey, Alisa, Alexey and Taras set out to work out what this is and what it is made of, to look at examples and variants, and at possible ways to defend against and prevent it.
Supply chain https://en.wikipedia.org/wiki/Supply_chain
What Is a 'Supply Chain Attack?' https://motherboard.vice.com/en_us/article/d3y48v/what-is-a-supply-chain-attack
CCleanup: A Vast Number of Machines at Risk http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
Java security plagued by crappy docs, complex APIs, bad advice https://www.theregister.co.uk/2017/09/29/java_security_plagued_stack_overflow/
Apple Mac fans told: Something smells EFI in your firmware https://www.theregister.co.uk/2017/09/29/mac_firmware_insecurity/
Reflections on Trusting Trust https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

BSD Now
171: The APU - BSD Style!

Dec 7, 2016 · 87:13

Today on the show, we've got a look at running OpenBSD on an APU, some BSD in your Android, managing your own FreeBSD cloud service with Ansible and much more. Keep it turned on your place to B...SD! This episode was brought to you by

Headlines

OpenBSD on PC Engines APU2 (https://github.com/elad/openbsd-apu2)
A detailed walkthrough of building an OpenBSD firewall on a PC Engines APU2. It starts with a breakdown of the parts that were purchased, totalling around $200. Then the reader is walked through configuring the serial console, flashing the ROM, and updating the BIOS. The next step is actually creating a custom OpenBSD install image and pre-configuring its serial console. Starting with OpenBSD 6.0, this step is done automatically by the installer.
Installation:
- Power off the APU2
- Insert the bootable OpenBSD installer USB flash drive into one of the USB slots on the APU2
- Power on the APU2, press F10 to get to the boot menu, and choose to boot from USB (usually option number 1)
- At the boot> prompt, remember the serial console settings (see above)
- Also at the boot> prompt, press Enter to start the installer
- Follow the installation instructions
The driver used for wireless networking is athn(4). It might not work properly out of the box. Once OpenBSD is installed, run fw_update with no arguments. It will figure out which firmware updates are required and will download and install them. When it finishes, reboot.

Where the rubber meets the road… (part one) (https://functionallyparanoid.com/2016/11/29/where-the-rubber-meets-the-road-part-one/)
A user describes their adventures installing OpenBSD and Arch Linux on a new Lenovo X1 Carbon (4th gen, Skylake). They also detail why they moved away from their beloved MacBook, which, while long, does describe a journey away from Apple that we've heard elsewhere.
The journey begins with getting a new Windows laptop, shrinking the partition and creating space for a triple-boot install of Windows / Arch / OpenBSD. Brian then details how he set up the partitioning and performed the initial Arch installation, getting it tuned to his specifications. Next up was OpenBSD though, and that went sideways initially due to a new NVMe drive that wasn't fully supported (yet). The article is split into two parts (we will bring you the next installment at a future date), but he leaves us with the plan of attack to build a custom OpenBSD kernel with corrected PCI device identifiers. We wish Brian luck, and look forward to the "rest of the story" soon. ***

Howto setup a FreeBSD jail server using iocage and ansible. (https://github.com/JoergFiedler/freebsd-ansible-demo)
Setting up a FreeBSD jail server can be a daunting task. However, when a guide comes along which shows you how to do that, including not exposing a single (non-jailed) port to the outside world, you know we had to take a closer look. This guide comes to us from GitHub, courtesy of Joerg Fiedler. The project goals seem notable:
- Ansible playbook that creates a FreeBSD server which hosts multiple jails.
- Travis is used to run/test the playbook.
- No service on the host is exposed externally. All external connections terminate within a jail.
- Roles can be reused using Ansible Galaxy.
- Combine any of those roles to create a FreeBSD server which perfectly suits you.
To get started, you'll need a machine with Ansible, Vagrant and VirtualBox, and your credentials to AWS if you want it to automatically create / destroy EC2 instances.
There's already an impressive list of Ansible roles created for you to start with:
- freebsd-build-server - Creates a FreeBSD poudriere build server
- freebsd-jail-host - FreeBSD Jail host
- freebsd-jailed - Provides a jail
- freebsd-jailed-nginx - Provides a jailed nginx server
- freebsd-jailed-php-fpm - Creates a php-fpm pool and a ZFS dataset which is used as web root by php-fpm
- freebsd-jailed-sftp - Installs a SFTP server
- freebsd-jailed-sshd - Provides a jailed sshd server
- freebsd-jailed-syslogd - Provides a jailed syslogd
- freebsd-jailed-btsync - Provides a jailed btsync instance server
- freebsd-jailed-joomla - Installs Joomla
- freebsd-jailed-mariadb - Provides a jailed MariaDB server
- freebsd-jailed-wordpress - Provides a jailed Wordpress server
Since the machines have to be customized before starting, he mentions that cloud-init is used to do the following:
- activate the pf firewall
- add a "pass all keep state" rule to pf to keep track of connection states, which in turn allows you to reload the pf service without losing the connection
- install the following packages: sudo bash python27
- allow passwordless sudo for user ec2-user
From there it is pretty straightforward, just a couple of commands to spin up the VMs either locally on your VirtualBox host, or in the cloud with AWS. Internally the VMs are auto-configured with iocage to create jails, where all your actual services run. A neat project, check it out today if you want a shake-n-bake type cloud + jail solution.

Colin Percival's bsdiff helps reduce Android apk bandwidth usage by 6 petabytes per day (http://android-developers.blogspot.ca/2016/12/saving-data-reducing-the-size-of-app-updates-by-65-percent.html)
A post on the official Android Developers blog talks about how they used bsdiff (and bspatch) to reduce the size of Android application updates by 65%. bsdiff was developed by FreeBSD's Colin Percival. Earlier this year, we announced that we started using the bsdiff algorithm (by Colin Percival).
Using bsdiff, we were able to reduce the size of app updates on average by 47% compared to the full APK size. This post is actually about the second generation of the code. Today, we're excited to share a new approach that goes further — File-by-File patching. App Updates using File-by-File patching are, on average, 65% smaller than the full app, and in some cases more than 90% smaller. Android apps are packaged as APKs, which are ZIP files with special conventions. Most of the content within the ZIP files (and APKs) is compressed using a technology called Deflate. Deflate is really good at compressing data but it has a drawback: it makes identifying changes in the original (uncompressed) content really hard. Even a tiny change to the original content (like changing one word in a book) can make the compressed output of deflate look completely different. Describing the differences between the original content is easy, but describing the differences between the compressed content is so hard that it leads to inefficient patches. So in the second generation of the code, they use bsdiff on each individual file, then package that, rather than diffing the original and new archives bsdiff is used in a great many other places, including shrinking the updates for the Firefox and Chrome browsers You can find out more about bsdiff here: http://www.daemonology.net/bsdiff/ A far more sophisticated algorithm, which typically provides roughly 20% smaller patches, is described in my doctoral thesis (http://www.daemonology.net/papers/thesis.pdf). 
Considering the gains, it is interesting that no one has implemented Colin's more sophisticated algorithm. Colin had an interesting observation (https://twitter.com/cperciva/status/806426180379230208) last night: "I just realized that bandwidth savings due to bsdiff are now roughly equal to what the total internet traffic was when I wrote it in 2003." ***

News Roundup

Distrowatch does an in-depth review of NAS4Free (https://distrowatch.com/weekly.php?issue=20161114#nas4free)
Jesse Smith over at DistroWatch has done a pretty in-depth review of NAS4Free. The review starts by mentioning that NAS4Free works on three platforms, ARM/i386/AMD64, and for the purposes of this review he would be using AMD64 builds. After going through the initial install (doing typical disk management operations, such as GPT/MBR, etc.) he was ready to begin using the product. One concern originally observed was that the initial boot seemed rather slow. Investigation revealed this was due to it loading the entire OS image into memory, and the first (long) disk read did take some time, but once loaded it was super responsive. The next steps involved doing the initial configuration, which meant creating a new ZFS storage pool. After this process was done, he did find one puzzling UI option called "VM" which indicated it can be linked to VirtualBox in some way, but the docs didn't reveal its secrets of usage. Additionally covered were some of the various "Access" methods, including traditional UNIX permissions, AD and LDAP, and then various sharing services which are typical to a NAS, such as NFS / Samba and others. One neat feature was the built-in file browser via the web interface, which allows you another method of getting at your data when sometimes NFS / Samba or WebDAV aren't enough. Jesse gives us a nice round-up conclusion as well: Most of the NAS operating systems I have used in the past were built around useful features.
Some focused on making storage easy to set up and manage, others focused on services, such as making files available over multiple protocols or managing torrents. Some strive to be very easy to set up. NAS4Free does pretty well in each of the above categories. It may not be the easiest platform to set up, but it's probably a close second. It may not have the prettiest interface for managing settings, but it is quite easy to navigate. NAS4Free may not have the most add-on services and access protocols, but I suspect there are more than enough of both for most people. Where NAS4Free does better than most other solutions I have looked at is security. I don't think the project's website or documentation particularly focuses on security as a feature, but there are plenty of little security features that I liked. NAS4Free makes it very easy to lock the text console, which is good because we do not all keep our NAS boxes behind locked doors. The system is fairly easy to upgrade and appears to publish regular security updates in the form of new firmware. NAS4Free makes it fairly easy to set up user accounts, handle permissions and manage home directories. It's also pretty straightforward to switch from HTTP to HTTPS and to block people not on the local network from accessing the NAS's web interface. All in all, I like NAS4Free. It's a good, general purpose NAS operating system. While I did not feel the project did anything really amazing in any one category, I also did not run into any serious issues. The NAS ran as expected, was fairly straightforward to set up and easy to manage. This strikes me as an especially good platform for home or small business users who want an easy set up, some basic security and a solid collection of features.

Browsix: Unix in the browser tab (https://browsix.org/)

Browsix is a research project from the PLASMA lab at the University of Massachusetts, Amherst.
The goal: Run C, C++, Go and Node.js programs as processes in browsers, including LaTeX, GNU Make, Go HTTP servers, and POSIX shell scripts. “Processes are built on top of Web Workers, letting applications run in parallel and spawn subprocesses. System calls include fork, spawn, exec, and wait.” Pipes are supported with pipe(2), enabling developers to compose processes into pipelines. Sockets include support for TCP socket servers and clients, making it possible to run applications like databases and HTTP servers together with their clients in the browser.

Browsix comprises two core parts: a kernel written in TypeScript that makes core Unix features (including pipes, concurrent processes, signals, sockets, and a shared file system) available to web applications, and extended JavaScript runtimes for C, C++, Go, and Node.js that support running programs written in these languages as processes in the browser.

This seems like an interesting project, although I am not sure how it would be used as more than a toy.

***

Book Review: PAM Mastery (https://www.cyberciti.biz/reviews/book-review-pam-mastery/)

nixCraft does a book review of Michael W. Lucas' “PAM Mastery”.

Linux, FreeBSD, and Unix-like systems are multi-user and need some way of authenticating individual users. Back in the old days, this was done in different ways. You needed to change each Unix application to use a different authentication scheme. Before PAM, if you wanted to use an SQL database to authenticate users, you had to write specific support for that into each of your applications. Same for LDAP, etc. So the Open Group led the development of PAM for Unix-like systems. Today Linux, FreeBSD, Mac OS X and many other Unix-like systems are configured to use a centralized authentication mechanism called Pluggable Authentication Modules (PAM). The book “PAM Mastery” deals with the black magic of PAM.
Of course, each OS chose to implement PAM a little bit differently. The book starts with the basic concepts about PAM and authentication. You learn about Multi-Factor Authentication and why to use PAM instead of changing each program to authenticate the user. The author goes into great detail about why PAM is useful for developers and sysadmins, for several reasons. The examples cover CentOS Linux (RHEL and clones), Debian Linux, and FreeBSD. I like the way the author described PAM Configuration Files and Common Modules, which covers everyday scenarios for the sysadmin. The PAM configuration file format and PAM Module Interfaces are discussed in easy-to-understand language. Control flags in PAM can be very confusing for new sysadmins. Modules can be stacked in a particular order, and the control flags determine how important the success or failure of a particular module is. There is also a chapter about using one-time passwords (Google Authenticator) for your application. The final chapter is all about enforcing good password policies for users and apps using PAM. The sysadmin would find this book useful as it covers a common authentication scheme that can be used with a wide variety of applications on Unix. You will master PAM topics and take control over authentication for your organization's IT infrastructure. If you are a Linux or Unix sysadmin, I would highly recommend this book. Once again Michael W Lucas nailed it. The only book you may need for PAM deployment.

get “PAM Mastery” (https://www.michaelwlucas.com/tools/pam)

***

Reflections on Trusting Trust - Ken Thompson, co-author of UNIX (http://www.win.tue.nl/~aeb/linux/hh/thompson/trust.html)

Ken Thompson's "cc hack" - Presented in the journal Communications of the ACM, Vol. 27, No. 8, August 1984, in a paper entitled "Reflections on Trusting Trust", Ken Thompson, co-author of UNIX, recounted a story of how he created a version of the C compiler that, when presented with the source code for the "login" program, would automatically compile in a backdoor to allow him entry to the system. This is only half the story, though. In order to hide this trojan horse, Ken also added to this version of "cc" the ability to recognize if it was recompiling itself, to make sure that the newly compiled C compiler contained both the "login" backdoor and the code to insert both trojans into a newly compiled C compiler. In this way, the source code for the C compiler would never show that these trojans existed.

The article starts off by talking about a contest to write a program that produces its own source code as output. Or rather, a C program that writes a C program that produces its own source code as output.

“The C compiler is written in C. What I am about to describe is one of many "chicken and egg" problems that arise when compilers are written in their own language. In this case, I will use a specific example from the C compiler. Suppose we wish to alter the C compiler to include the sequence "\v" to represent the vertical tab character. The extension to Figure 2 is obvious and is presented in Figure 3. We then recompile the C compiler, but we get a diagnostic. Obviously, since the binary version of the compiler does not know about "\v," the source is not legal C. We must "train" the compiler. After it "knows" what "\v" means, then our new change will become legal C. We look up on an ASCII chart that a vertical tab is decimal 11. We alter our source to look like Figure 4. Now the old compiler accepts the new source. We install the resulting binary as the new official C compiler and now we can write the portable version the way we had it in Figure 3.”

“The actual bug I planted in the compiler would match code in the UNIX "login" command. The replacement code would miscompile the login command so that it would accept either the intended encrypted password or a particular known password. Thus if this code were installed in binary and the binary were used to compile the login command, I could log into that system as any user. Such blatant code would not go undetected for long. Even the most casual perusal of the source of the C compiler would raise suspicions.”

Next, “simply add a second Trojan horse to the one that already exists. The second pattern is aimed at the C compiler. The replacement code is a Stage I self-reproducing program that inserts both Trojan horses into the compiler. This requires a learning phase as in the Stage II example. First we compile the modified source with the normal C compiler to produce a bugged binary. We install this binary as the official C. We can now remove the bugs from the source of the compiler and the new binary will reinsert the bugs whenever it is compiled. Of course, the login command will remain bugged with no trace in source anywhere.”

So now there is a trojan'd version of cc. If you compile a clean version of cc using the bad cc, you will get a bad cc. If you use the bad cc to compile the login program, it will have a backdoor. The source code for both backdoors no longer exists on the system. You can audit the source code of cc and login all you want; they are trustworthy. The compiler you use to compile your new compiler is the untrustworthy bit, but you have no way to know it is untrustworthy, and no way to make a new compiler without using the bad compiler.

“The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.”

“Acknowledgment: I first read of the possibility of such a Trojan horse in an Air Force critique of the security of an early implementation of Multics. I cannot find a more specific reference to this document. I would appreciate it if anyone who can supply this reference would let me know.”

***

Beastie Bits

Custom made Beastie Stockings (https://www.etsy.com/listing/496638945/freebsd-beastie-christmas-stocking)
Migrating ZFS from mirrored pool to raidz1 pool (http://ximalas.info/2016/12/06/migrating-zfs-from-mirrored-pool-to-raidz1-pool/)
OpenBSD and you (https://home.nuug.no/~peter/blug2016/)
Watson.org FreeBSD and Linux cross reference (http://fxr.watson.org/)
OpenGrok (http://bxr.su/)
FreeBSD SA-16:37: libc (https://www.freebsd.org/security/advisories/FreeBSD-SA-16:37.libc.asc) -- A 26+ year old bug found in BSD's libc, all BSDs likely affected -- A specially crafted argument can trigger a static buffer overflow in the library, with the possibility of rewriting following static buffers that belong to other library functions.
HardenedBSD issues correction for libc patch (https://github.com/HardenedBSD/hardenedBSD/commit/fb823297fbced336b6beeeb624e2dc65b67aa0eb) -- the original patch improperly calculates how many bytes are remaining in the buffer.

From December 27th until the 30th, the 33rd Chaos Communication Congress[0] is going to take place in Hamburg, Germany. Think of it as the yearly gathering of the European hacker scene and their overseas friends. I am one of the persons organizing the "BSD assembly (https://events.ccc.de/congress/2016/wiki/Assembly:BSD)" as a gathering place for BSD enthusiasts and waving the flag amidst all the other projects / communities.
Feedback/Questions

Chris - IPFW + Wifi (http://pastebin.com/WRiuW6nn)
Jason - bhyve pci (http://pastebin.com/JgerqZZP)
Al - pf errors (http://pastebin.com/3XY5MVca)
Zach - Xorg settings (http://pastebin.com/Kty0qYXM)
Bart - Wireless Support (http://pastebin.com/m3D81GBW)

***

IT 公论
Episode 144: ‘I find your lack of encryption disturbing.’


Play Episode Listen Later Mar 15, 2015 101:31


In this episode we continue our discussion of the Apple Watch and the new MacBook, Meerkat, and why Rio thinks the terrorists have "won".

For 30 yuan a month, support 李如一 (Li Ruyi) and Rio in making IT 公论 the best tech podcast. Visit itgonglun.com/member.

Starting this week, in addition to the Monday members' newsletter, we will send a second email every Friday. The Friday email has all-new content that does not overlap with the IT 公论 audio show. We don't think "hard content" (干货) is anything remarkable, but this new email should count as hard content in some sense, and it will not be published openly on our website. As for what exactly it contains, you will find out this Friday.

Last week's episode on the Apple Watch and the new MacBook went out right on the heels of Apple's March 9 event, and in the week since we have seen all kinds of reviews and discussion. Former Macworld editor-in-chief Jason Snell's description of the new MacBook trackpad was striking: the first time he tried the technology called Force Touch, Snell did not even realize it was a new trackpad! (Which shows how convincing Apple's software-controlled hardware simulation is.) The point of the Force Touch trackpad is to reduce the number of moving parts in a laptop; besides allowing a thinner machine, fewer moving parts is a virtue in itself, as 李如一, whose own trackpad has broken and can no longer be pressed (only tapped), knows all too well.

Many listeners wrote in to correct a mistake from last episode: once the Apple Watch is taken off, it has to be paired again the next time it is put on before Apple Pay can be used. Given that the Apple Watch has to be (taken off and) charged every night, and that for now it must be used together with an iPhone, a natural question is which functions on the Apple Watch, if any, work without pairing. The already released iOS 8.2 comes with an app called Apple Watch, from which one can see that the so-called "pairing" is actually a process much like scanning a QR code. Even if Apple Pay is the only feature that requires re-pairing, for users who need it every day this is probably one more daily chore.

Everyone says the Apple Watch Edition was designed for the Chinese market. I see no need to avoid something everyone tacitly understands: for those who can afford it, an 18K gold Apple Watch is a perfect gift for a mistress or lover. They are usually not gadget enthusiasts and will not worry much about electronics going out of date at any moment. The Apple Watch (especially the Edition) is at the height of its fame, so vanity is amply satisfied. Moreover, a price of ten to seventeen thousand US dollars is not unreasonably high for this kind of purchase. Seen that way, it is actually a cost-effective choice. Don't forget that an Hermès Plume bag costs 8,700 dollars too.

Whether or not you regard the Apple Watch Edition as a luxury good, and whatever your view of luxury goods, Apple has cut no corners in materials and workmanship. Product designer Greg Koenig's article on the metal forging processes behind the Apple Watch is a science lesson for everyone. It is by no means easy reading; for instance, the "work hardening" it mentions refers to "the phenomenon whereby a metal's strength and hardness increase, while its plasticity and toughness decrease, when it is plastically deformed below its recrystallization temperature". But because the article was written alongside the several metalworking videos Apple released this time, reading it side by side with the videos works wonders.

At the end of this episode, Rio put forward his "the terrorists have won" theory. In short, the US government has expanded state power in the name of counter-terrorism, agencies such as the National Security Agency (NSA) have conducted mass surveillance of ordinary people's communications, and the foundation of democracy has thereby been eroded. The struggle between state power and civil rights is as old as history, but what makes affairs like PRISM worrying today has much to do with how quickly technology has penetrated society, especially civil society. Today, the amount of data each ordinary person produces every day, deliberately or not, is vastly more than ten years ago. And when that data is put in the cloud by default, the questions of what is public and what is private need to be reconsidered. Cynics will tell you that there is no escaping state surveillance no matter what, and that keeping your head down is the only sensible policy. But that is an old-world way of thinking. The "big" in big data lies not only in the total volume but in its penetration and its close relevance to every individual. The information we can find online today about a stranger may well embarrass him, and such information often spreads without the person being aware of it. Facing this new world in which privacy is being redefined, state power and civil rights are in fact on the same starting line. What we can do is try to dispel people's fear of technology, stay alert and sharp, and actively learn about technology and the social effects it brings. Perhaps as a law-abiding citizen you will never need to worry about the NSA, but sometimes what we face is a far more ordinary and seemingly harmless adversary.

Apps we have been playing recently: Alto's Adventure

Some articles we read recently: Ken Thompson: Reflections on Trusting Trust; The Middle of Things: Advice for Young Writers

Related links: Apple's page explaining Apple Watch battery life in various scenarios; 认知盈余 (Cognitive Surplus); ATP episode 108; How the Apple Watch is Made; No, You Can't Manufacture That Like Apple Does; Quality and Price (part 1); Quality and Price (part 2); Meerkat; Has Xcode fallen?; FISA; two-step verification; the source of this episode's title; Alto's Adventure

Hosts: 李如一: founder of 字节社. Rio: programmer at Apple4us.

Turing-Incomplete
24: Trust


Play Episode Listen Later Oct 20, 2014 30:27


Ridiculous ridiculousness Reflections on Trusting Trust (pdf)

The iPhreaks Show
032 iPhreaks Show – Security with Rob Napier


Play Episode Listen Later Dec 5, 2013 57:46


Panel: Rob Napier (twitter github blog), Andrew Madsen (twitter github blog), Jaim Zuber (twitter Sharp Five Software), Charles Max Wood (twitter github Teach Me To Code Rails Ramp Up)

Discussion
00:38 - Rob Napier Introduction: iOS 7 Programming Pushing the Limits by Rob Napier & Mugunth Kumar; RNCryptor
01:30 - Apple and Security
04:21 - Security Concerns: Passwords; Personal Information
06:10 - Prevention: SSL; Verisign
09:50 - Generating Certificates: Rob's Practical Security Talk, Slides and Sample Code from CocoaConf; Rob Napier: Get Security and Privacy Right; PBKDF2
13:05 - Initialization Vector: AES; Cipher Block Chaining (CBC)
16:06 - RNCryptor
17:34 - Formats: OpenSSL; HMAC; AES Crypt
20:55 - Device Encryption
25:28 - Server Security and Storing Passwords: Hashing; Salting; Shor's Algorithm
37:48 - Breaking Passwords: Rainbow Table; BitTorrent; John the Ripper
41:47 - Keeping Passwords Safe: 1Password; LastPass; Convenience and Security
47:35 - Obfuscation

Picks
Use Option as Meta Key in Mac OS X Terminal (Jaim)
iTerm2 (Chuck)
Duct Tape Marketing Revised & Updated: The World's Most Practical Small Business Marketing Guide by John Jantsch (Chuck)
Security Now (Chuck)
Reflections on Trusting Trust by Ken Thompson (Rob)
Coursera: Cryptography I (Rob)
Learn You a Haskell for Great Good: A Beginner's Guide by Miran Lipovača (Rob)

Next Week: AFNetworking with Kevin Harwood

Transcript

CHUCK: Hey everybody and welcome to episode 32 of iPhreaks. This week on our panel, we have Andrew Madsen.
ANDREW: Hi from Salt Lake City.
CHUCK: Jaim Zuber.
JAIM: I'm still recovering from the Black Friday deals with the pawn shop. I waited in line for three hours to save $5 on an Xbox 360. Totally worth it.
CHUCK: [Laughs] I'm Charles Max Wood from devchat.tv. And we have a special guest this week and that's Rob Napier.
ROB: That's right. I'm here in Raleigh, North Carolina.
CHUCK: So do you wanna introduce yourself really quickly for people who don't know who you are?
ROB: Sure. I'm an iOS and Mac developer. I was a Mac developer before iOS came around on the iPhone. I wrote the book iOS Pushing The Limits. And I do a lot of work in the security world, so I keep a security cryptography package called RNCryptor, for simplifying cryptography.
CHUCK: Oh, nice. Isn't that just a bunch of fancy math?
ROB: It is just a lot of fancy math. But it's easy to do it wrong.
CHUCK: [Chuckles] That's for sure.
ROB: [Chuckles]
ANDREW: Isn't that computers? Just fancy math?
ROB: It's so true. We need more math.
CHUCK: “So easy to do it wrong.” Don't tell Adobe that.
ROB: [Chuckles]
CHUCK: So, speaking of security with iOS, it seems like Apple does a lot of things to provide you with security. I mean, they have sandboxing and all the other stuff that they do. Do we really need to worry about security when we are programming for the iPhone?
ROB: Oh certainly, yeah. Apple has done a really great job -- I feel -- in iOS. While over the years, there have been various problems; some of the earliest locks didn't really work well and early device encryption had trouble, but they've improved over the years. But iOS is really the first mainstream operating system that came out with least privilege as the default, which was really brilliant, that they said day 1, “You are going to be locked in a little sandbox and you can't do anything,” which made it very hard to write malware against the iPhone. But it still doesn't get us off the hook of managing user information carefully. While we may not get infected with the virus, we still have lots of ways that we could leak our customer information.
CHUCK: What are some of those ways? If it's just a self-contained app and it doesn't talk to anything else, is that still a risk?
ROB: That's true.

Devchat.tv Master Feed
032 iPhreaks Show – Security with Rob Napier


Play Episode Listen Later Dec 5, 2013 57:46


Panel: Rob Napier (twitter github blog), Andrew Madsen (twitter github blog), Jaim Zuber (twitter Sharp Five Software), Charles Max Wood (twitter github Teach Me To Code Rails Ramp Up)

Discussion
00:38 - Rob Napier Introduction: iOS 7 Programming Pushing the Limits by Rob Napier & Mugunth Kumar; RNCryptor
01:30 - Apple and Security
04:21 - Security Concerns: Passwords; Personal Information
06:10 - Prevention: SSL; Verisign
09:50 - Generating Certificates: Rob's Practical Security Talk, Slides and Sample Code from CocoaConf; Rob Napier: Get Security and Privacy Right; PBKDF2
13:05 - Initialization Vector: AES; Cipher Block Chaining (CBC)
16:06 - RNCryptor
17:34 - Formats: OpenSSL; HMAC; AES Crypt
20:55 - Device Encryption
25:28 - Server Security and Storing Passwords: Hashing; Salting; Shor's Algorithm
37:48 - Breaking Passwords: Rainbow Table; BitTorrent; John the Ripper
41:47 - Keeping Passwords Safe: 1Password; LastPass; Convenience and Security
47:35 - Obfuscation

Picks
Use Option as Meta Key in Mac OS X Terminal (Jaim)
iTerm2 (Chuck)
Duct Tape Marketing Revised & Updated: The World's Most Practical Small Business Marketing Guide by John Jantsch (Chuck)
Security Now (Chuck)
Reflections on Trusting Trust by Ken Thompson (Rob)
Coursera: Cryptography I (Rob)
Learn You a Haskell for Great Good: A Beginner's Guide by Miran Lipovača (Rob)

Next Week: AFNetworking with Kevin Harwood

Transcript

CHUCK: Hey everybody and welcome to episode 32 of iPhreaks. This week on our panel, we have Andrew Madsen.
ANDREW: Hi from Salt Lake City.
CHUCK: Jaim Zuber.
JAIM: I'm still recovering from the Black Friday deals with the pawn shop. I waited in line for three hours to save $5 on an Xbox 360. Totally worth it.
CHUCK: [Laughs] I'm Charles Max Wood from devchat.tv. And we have a special guest this week and that's Rob Napier.
ROB: That's right. I'm here in Raleigh, North Carolina.
CHUCK: So do you wanna introduce yourself really quickly for people who don't know who you are?
ROB: Sure. I'm an iOS and Mac developer. I was a Mac developer before iOS came around on the iPhone. I wrote the book iOS Pushing The Limits. And I do a lot of work in the security world, so I keep a security cryptography package called RNCryptor, for simplifying cryptography.
CHUCK: Oh, nice. Isn't that just a bunch of fancy math?
ROB: It is just a lot of fancy math. But it's easy to do it wrong.
CHUCK: [Chuckles] That's for sure.
ROB: [Chuckles]
ANDREW: Isn't that computers? Just fancy math?
ROB: It's so true. We need more math.
CHUCK: “So easy to do it wrong.” Don't tell Adobe that.
ROB: [Chuckles]
CHUCK: So, speaking of security with iOS, it seems like Apple does a lot of things to provide you with security. I mean, they have sandboxing and all the other stuff that they do. Do we really need to worry about security when we are programming for the iPhone?
ROB: Oh certainly, yeah. Apple has done a really great job -- I feel -- in iOS. While over the years, there have been various problems; some of the earliest locks didn't really work well and early device encryption had trouble, but they've improved over the years. But iOS is really the first mainstream operating system that came out with least privilege as the default, which was really brilliant, that they said day 1, “You are going to be locked in a little sandbox and you can't do anything,” which made it very hard to write malware against the iPhone. But it still doesn't get us off the hook of managing user information carefully. While we may not get infected with the virus, we still have lots of ways that we could leak our customer information.
CHUCK: What are some of those ways? If it's just a self-contained app and it doesn't talk to anything else, is that still a risk?
ROB: That's true.

Dave & Gunnar Show
Episode 29: #29: Travel Pudding


Play Episode Listen Later Oct 2, 2013 82:15


This week, Dave and Gunnar talk about Pudding ‘n Airplanes, Penguins ‘n Space, Parkinson’s ‘n Chickens, Printing ‘n 3D, and IMAP. Subscribe via RSS or iTunes.

Lauren can’t stop watching Bohemian Gravity
Lots of Twitter folks getting compromised. Do you have login verification enabled?
HT Matt Micene: Court: Facebook ‘Like’ Is Protected By the First Amendment
HT Mark Bohannon: Penguins in Space! Asteroid mining and Linux
Travel hack of the week: Engineer earned 1.25M airline miles by buying $2,200 of pudding
PT Anderson is vindicated
Barry and Lavon are delighted
Let’s talk about elastic demand curves
A Spoon Full Of Sensors To Help Parkinson’s Patients Feed Themselves
Chicken Head Tracking
Vestibulo-ocular reflex
Mercedes-Benz cars apparently handle like a chicken
Chicken Powered Steadicam
Cleveland Clinic deep brain stimulation
SCI Run
GitHub Adds 3D Modeling Features That Make It A Printer-Agnostic Choice For Object Sharing
Gunnar likes Vehicle Forge
Blackberry sold for $5B
The decline of BlackBerry in one chart
Outlook.com now has IMAP
Save time by letting TripIt read your email
Related: LinkedIn denies harvesting user email accounts without permission
HT Phil Shapiro: Geek Gurl Diaries
Use Scratch and a Makey Makey to play sounds through a Raspberry Pi using marshmallows
Taste of Red Hat Training: Install, configure, and deploy in Red Hat Enterprise Linux OpenStack Platform
Gunnar presenting at postponed NIST Cloud Computing and Mobility workshop
Dave as panelist at Symantec Government Symposium on October 2
Gartner ITxpo on October 6-10
Lauren at Akron Mini Maker Faire on November 2
Red Hat Government Symposium on November 6, registration now open!
OpenShift for Citizen Engagement
Reproducible Builds for Fedora
Bonus links: Trusting Trust from Dr. David A. Wheeler’s PhD thesis and video of him defending it
How to run vulnerability scan on Red Hat Enterprise Linux using OVAL and OpenSCAP
A partner we like: DotCloud Pivots And Wins Big With Docker, The Cloud Service Now Part Of Red Hat OpenShift
Watch Australians Explain How to Do an Australian Accent
The United States has more libraries than McDonalds and Starbucks
What Did Barney Rubble Do for a Living?

Cutting Room Floor
Neil deGrasse Tyson is an extraordinary gift to all of us
Ernest Hemingway’s Favorite Hamburger Recipe
Stevie Wonder plays “Superstition” on Sesame Street in 1973
9 Muppets Kicked Off Sesame Street
Unlocking an iPhone 5S with a cat’s paw
Jaws text adventure
Excel based Turing Machine
103 year old car phone
Infovis: 92 Years of Bigfoot Sightings in the US and Canada
NASA Will Pay $18,000 To Watch You Rest In Bed–Really
How To Order A Drink When Your Bartender Is A Robot
Lily Collins is McAfee’s Most Dangerous Celebrity™ for 2013

We Give Thanks
A constitutionally protected thumbs up to Matt Micene
Mark Bohannon for reminding us to consider open source software when doing asteroid mining
Phil Shapiro for telling us about Geek Gurl Diaries
The Akron Library for hosting the Akron Mini Maker Faire, writing a nice article about Lauren, and inspiring folks to be Makers!

SECTHIS.COM Security Podcast
Podcast 47 - DoD, UK, Privacy, Hope, Trust


Play Episode Listen Later May 27, 2008


FBI Worried as DoD Sold Counterfeit Networking Gear
UK to monitor and record every phone call, web page & email
Biometric Authentication System - An Overview
BlackBerry Giving Encryption Keys to Indian Government
LAST HOPE
Protecting Users Against Themselves
Google Health Service
Reflections on Trusting Trust

Hosts: Gene Naftulyev, CISSP; Doug Drew, CISSP

Black Hat Briefings, USA 2007 [Audio] Presentations from the security conference.
Chris Wysopal & Chris Eng: Static Detection of Application Backdoors


Play Episode Listen Later Jan 9, 2006 71:09


Backdoors have been part of software since the first security feature was implemented. So unless there is a process to detect backdoors they will inevitably be inserted into software. Requiring source code is a hurdle to detecting backdoors since it isn't typically available for off the shelf software or for many of the libraries developers link to. And what about your developer tool chain? Ken Thompson in "Reflections on Trusting Trust" showed your compiler can't be trusted. What about your linker, obfuscator or packer? To find backdoors in these scenarios you need to inspect the software executable binary. We will present techniques for inspecting binaries for backdoors. We will discuss the different backdoor approaches that have been discovered in the wild and hypothesize other approaches that are likely to be used. We will give examples of how the backdoors present themselves in the binary and how to find them.

Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.
Chris Wysopal & Chris Eng: Static Detection of Application Backdoors


Play Episode Listen Later Jan 9, 2006 71:09


Backdoors have been part of software since the first security feature was implemented. So unless there is a process to detect backdoors they will inevitably be inserted into software. Requiring source code is a hurdle to detecting backdoors since it isn't typically available for off the shelf software or for many of the libraries developers link to. And what about your developer tool chain? Ken Thompson in "Reflections on Trusting Trust" showed your compiler can't be trusted. What about your linker, obfuscator or packer? To find backdoors in these scenarios you need to inspect the software executable binary. We will present techniques for inspecting binaries for backdoors. We will discuss the different backdoor approaches that have been discovered in the wild and hypothesize other approaches that are likely to be used. We will give examples of how the backdoors present themselves in the binary and how to find them.