the stream

• Blog Actions
• RSS

Fragmentation Needed - Cisco: Not Serious About Network Programmability.

IDG News: Inside the Russian hack of Yahoo.



(Via RISKS Digest.)

This has been fixed, obviously. Stephen Sclafani describes how he managed to steal messenger.com sessions, which then could be used to access the corresponding Facebook account.



(Via tedu.)

In response to a critic, Michael has written a long post about why the Pyra pocket computer project is where it is right now, and has attached a couple of pictures of one of the dev units (scroll to the end of the post), running the latest OS image.


I really hope they're going to sell enough of the things to make it possible to produce the redesigned case he mentioned - shaving a couple of millimetres off the height would be great...

I didn't know there's a World Consumer Rights Day...

"My Data. Your Business." on the ISOC blog worries that consumers might lose trust in online businesses over data privacy issues, and calls for a definition of acceptable business ethics.

Julia Evans writes about her blogging principles. Worth remembering those.

The APNIC blog has a guest post that explains quite a few operational details about the inner workings of the Mirai botnet components.



Maybe having an IDS is not such a bad idea...



I remember that one puzzling quite a few people when they first noticed that kind of traffic...

INQ reports that the Microsoft Edge browser doesn't disable it's disk cache when using the "InPrivate" browsing mode. Therefore, cached objects from (supposedly) private browsing sessions are recoverable from disk, which kinda breaks at least some of the expectations for such a function...

netzpolitik.org weist heute im Hinblick auf die anstehenden Wahlen darauf hin, dass man der Weitergabe von Adressdaten aus dem Melderegister an Parteien wiedersprechen kann. Dazu stellen sie "gemeinsam mit der Plattform selbstauskunft.net" ein entsprechendes Wiederspruchsformular zur Verfügung.

Zumindest in Freiburg kann man das noch einfacher haben: Auf der Webseite der Stadt ist ein Formular zum Widerspruch nach dem Bundesmeldegesetz verlinkt (Quelle hier, unter "Meldewesen"), das man online ausfüllen und direkt abschicken kann.

Marc Solomon: Defense-in-Depth has Failed Us. Now What?

Wow, there's so much wrong with this article that I don't even know where to start... Defense in depth does not mean, as the author seems to think, to heap "disparate" "point products" onto one another in the hopes that one will probably catch an attack attempt. Defense in depth means to understand both the threat landscape and the environment you're trying to defend, tailor solutions to make an attacker's job as hard as possible, and find the right points to place meaningful alarms. (Which rarely anyone ever does, but that's a different topic.)

Oh, I do get that threat intelligence services are the current hot stuff in the security industry (and the author wants to help sell his own), but when a defender doesn't get the basics of IT security design, heaping another "point product" on top won't help a whole lot.

A long post about how to "optimize" a network daemon for fuzzing with American Fuzzy Lop, using OpenSSH as an example: vegard - Fuzzing the OpenSSH daemon using AFL

It's not just all drag and drop.

What are all those things in the Linux storage subsystem? Thomas Krenn has diagrams for various kernel versions in their wiki.

(Via Firmware Security.)

CVE-2017-3881

Ouch:



The security notice also has a few interesting hints about IOS configurations that don't actually disable telnet...

Adrian Colyer sumarizes a research paper published on the NDSS Symposium 2017, Deconstructing Xen:



The design mitigates about 2/3rds of the vulnerabilities that have been discovered in the Xen hypervisor over the past years.

(Via tedu.)

Lame hackers guide has a short guide on weaponizing PostScript (cache), with two script examples (reading and writing arbitrary files).

(Via tedu.)

Woah, either the KEXP audio engineers had a really, really bad day, or Clem Creevy has been completely done in by the drugs by now. KEXP has released a new set with Cherry Glazerr a couple of days ago. Clem's voice already seemed weak on their new record, but there's barely anything left in this recording (couldn't bear to listen for more than a couple of minutes, maybe it gets better later on).

Compare to their KEXP session two years ago.

Lawrence Livermore National Laboratory is working on digitizing thousands of films with high-speed footage from 1950s nuclear tests (before doing them above ground was banned). There's a playlist of 64 short videos on Youtube.

Tales From the Xenix Crypt analyzes the inner workings of the Xenix copy protection scheme.



OS/2 Museum now also is a new feed in my RSS reader...

(Via Ted Unangst.)

I'm trying to switch back from the Vivaldi web browser to Pale Moon (a Firefox fork that aims to keep supporting XUL and may other technologies that Mozilla has abandoned) - mostly to get back a working bookmarks / history sync between my various browser installations. Pale Moon still supports the old Weave sync protocol, and works fine with the old weave minimal server (I should probably switch to FSyncMS, but I'm lazy)...

Anyway - I used to be using the Self Destructing Cookies addon to automatically get rid of unused objects from closed tabs, and it turns out not to work anymore in Pale Moon 27... A discussion on the Pale Moon forums pointed to Cookies Exterminator as an alternative. So far, I've not seen any problems. The author is active on the PM forums, too.

Ok, probably not a surprise when you have read all the documentation...

Ivan Pepelnjak recently mentioned that Cisco IOS XE still doesn't have candidate configuration or commit capabilities, at least when using NETCONF automation.

One of the comments then has this hint:

Photos taken today.

acmetool (GitHub: hlandau/acme) seems to bring a couple of interesting options for serving acme http challenges, and a hook for external programs to handle the DNS challenge method. Configuration through simple files in a predefined directory structure. Looks like a workable compromise between the rather heavyweight official client and the various shell scripts.

That was a most welcome surprise for tonight... Five songs from the new album and a half-hour interview in this "full performance" video on the KEXP channel on YouTube.

The interview part is just as excellent as the music, and starts at 18:18 in the video. Lots of information about her life and her songwriting. Just listen to the three minutes from 47:37 for a strong reminder that these are not the times to stay depressed over.

The Trapper and the Furrier nicely shows off some of the flexibility of her voice.

I'll spoil the fun from Florian Haas' question on G+ right away - the resulting info seems useful:

Florian Haas wrote:

OK people, try to guess (without googling) what this does:

( printf "\x1f\x8b\x08\x00\x00\x00\x00\x00" ; tail -c +25 oldfile ) > newfile

Clue: head→desk, seriously.

Obviously, this replaces the header of a file. But why?

The packagecloud people (which I didn't know about until Ted Unangst linked to one of their recent sycall performance blog posts) have a debian-howto category on their blog with some posts that seem rather useful.

Nothing that can't be found elsewhere (like the official Debian documentation), but the descriptions of package creation workflows, for example, are condensed down to the essentials quite well:

• Building debian packages with debuild
• Using dh-make to prepare debian packages
• HOWTO: Build debian packages for simple shell scripts
• Building Debian and Ubuntu packages with pbuilder