the stream

This is old news (last fall), but I wasn't aware that the FBI and DHS run extensive aerial surveillance programs throughout the US (except on weekends). Buzzfeed has identified some of the planes involved, and tracked their flight paths on Flightradar24:



I wouldn't be surprised of some of this work is being moved to (unregistered) drones...

(Via FlowingData.)

dataviz.tools is "a curated guide to the best tools, resources and technologies for data visualization". Hey just like old Yahoo with their original concept... Looks like a useful shortcut to quickly find (software) options for data visualization projects.

(Via FlowingData.)

...which resolves a couple of denial of service vulnerabilities (CERT VU#633847).

ntp.org security notice.

The New Stack: Paving with Good Intentions: The Attempt to Rescue the Network Time Protocol



(Via Russ White).

For years, the SixXS project has been providing tunneling services for IPv6 internet access. SixXS will be shutting down in June '17 (cache).

Fragmentation Needed - Cisco: Not Serious About Network Programmability.

IDG News: Inside the Russian hack of Yahoo.



(Via RISKS Digest.)

This has been fixed, obviously. Stephen Sclafani describes how he managed to steal messenger.com sessions, which then could be used to access the corresponding Facebook account.



(Via tedu.)

In response to a critic, Michael has written a long post about why the Pyra pocket computer project is where it is right now, and has attached a couple of pictures of one of the dev units (scroll to the end of the post), running the latest OS image.


I really hope they're going to sell enough of the things to make it possible to produce the redesigned case he mentioned - shaving a couple of millimetres off the height would be great...

I didn't know there's a World Consumer Rights Day...

"My Data. Your Business." on the ISOC blog worries that consumers might lose trust in online businesses over data privacy issues, and calls for a definition of acceptable business ethics.

Julia Evans writes about her blogging principles. Worth remembering those.

The APNIC blog has a guest post that explains quite a few operational details about the inner workings of the Mirai botnet components.



Maybe having an IDS is not such a bad idea...



I remember that one puzzling quite a few people when they first noticed that kind of traffic...

INQ reports that the Microsoft Edge browser doesn't disable it's disk cache when using the "InPrivate" browsing mode. Therefore, cached objects from (supposedly) private browsing sessions are recoverable from disk, which kinda breaks at least some of the expectations for such a function...

netzpolitik.org weist heute im Hinblick auf die anstehenden Wahlen darauf hin, dass man der Weitergabe von Adressdaten aus dem Melderegister an Parteien wiedersprechen kann. Dazu stellen sie "gemeinsam mit der Plattform selbstauskunft.net" ein entsprechendes Wiederspruchsformular zur Verfügung.

Zumindest in Freiburg kann man das noch einfacher haben: Auf der Webseite der Stadt ist ein Formular zum Widerspruch nach dem Bundesmeldegesetz verlinkt (Quelle hier, unter "Meldewesen"), das man online ausfüllen und direkt abschicken kann.

Marc Solomon: Defense-in-Depth has Failed Us. Now What?

Wow, there's so much wrong with this article that I don't even know where to start... Defense in depth does not mean, as the author seems to think, to heap "disparate" "point products" onto one another in the hopes that one will probably catch an attack attempt. Defense in depth means to understand both the threat landscape and the environment you're trying to defend, tailor solutions to make an attacker's job as hard as possible, and find the right points to place meaningful alarms. (Which rarely anyone ever does, but that's a different topic.)

Oh, I do get that threat intelligence services are the current hot stuff in the security industry (and the author wants to help sell his own), but when a defender doesn't get the basics of IT security design, heaping another "point product" on top won't help a whole lot.

A long post about how to "optimize" a network daemon for fuzzing with American Fuzzy Lop, using OpenSSH as an example: vegard - Fuzzing the OpenSSH daemon using AFL

It's not just all drag and drop.

What are all those things in the Linux storage subsystem? Thomas Krenn has diagrams for various kernel versions in their wiki.

(Via Firmware Security.)

CVE-2017-3881

Ouch:



The security notice also has a few interesting hints about IOS configurations that don't actually disable telnet...

Adrian Colyer sumarizes a research paper published on the NDSS Symposium 2017, Deconstructing Xen:



The design mitigates about 2/3rds of the vulnerabilities that have been discovered in the Xen hypervisor over the past years.

(Via tedu.)

Lame hackers guide has a short guide on weaponizing PostScript (cache), with two script examples (reading and writing arbitrary files).

(Via tedu.)

Woah, either the KEXP audio engineers had a really, really bad day, or Clem Creevy has been completely done in by the drugs by now. KEXP has released a new set with Cherry Glazerr a couple of days ago. Clem's voice already seemed weak on their new record, but there's barely anything left in this recording (couldn't bear to listen for more than a couple of minutes, maybe it gets better later on).

Compare to their KEXP session two years ago.

Lawrence Livermore National Laboratory is working on digitizing thousands of films with high-speed footage from 1950s nuclear tests (before doing them above ground was banned). There's a playlist of 64 short videos on Youtube.

Tales From the Xenix Crypt analyzes the inner workings of the Xenix copy protection scheme.



OS/2 Museum now also is a new feed in my RSS reader...

(Via Ted Unangst.)

I'm trying to switch back from the Vivaldi web browser to Pale Moon (a Firefox fork that aims to keep supporting XUL and may other technologies that Mozilla has abandoned) - mostly to get back a working bookmarks / history sync between my various browser installations. Pale Moon still supports the old Weave sync protocol, and works fine with the old weave minimal server (I should probably switch to FSyncMS, but I'm lazy)...

Anyway - I used to be using the Self Destructing Cookies addon to automatically get rid of unused objects from closed tabs, and it turns out not to work anymore in Pale Moon 27... A discussion on the Pale Moon forums pointed to Cookies Exterminator as an alternative. So far, I've not seen any problems. The author is active on the PM forums, too.

Ok, probably not a surprise when you have read all the documentation...

Ivan Pepelnjak recently mentioned that Cisco IOS XE still doesn't have candidate configuration or commit capabilities, at least when using NETCONF automation.

One of the comments then has this hint: