Miscellaneous Tech News
-
@wrx7m said in Miscellaneous Tech News:
So many vulnerabilities.
This is why if it is online, I assume anybody can read it, lol.
-
Keyshot.com has let their SSL cert lapse apparently.
-
-
@DustinB3403 said in Miscellaneous Tech News:
Keyshot.com has let their SSL cert lapse apparently.
Let's Encrypt all things.
-
@dbeato said in Miscellaneous Tech News:
Let's Encrypt all things.
Exactly. . . it doesn't cost anything and it meets all of the security standards that exist today. . . so why wouldn't one use it?!
-
Bay Area: Join us 2/13 to discuss a new hope for tech activism
Leigh Honeywell will talk about tech workers challenging companies to be more ethical.
Over the past couple of years, we've seen a huge upsurge in activism within the technology community. From the walkouts at Google to labor organizing at Amazon, tech workers are starting to see a connection between their work and social issues. Engineer and entrepreneur Leigh Honeywell has been at the forefront of tech activism for many years, and at this month's Ars Technica Live on Wednesday, February 13, we'll be talking to her about activism in today's world and the politics of a life lived online.
-
Speaking of LE why doesn't ML use LE for their CA?
-
@DustinB3403 said in Miscellaneous Tech News:
Speaking of LE why doesn't ML use LE for their CA?
They are using Cloudflare DNS and HTTP Proxy (CDN). And using Cloudflare Universal SSL certs, not sure if they are using Full or Full (strict) or flexible.
-
@DustinB3403 said in Miscellaneous Tech News:
Speaking of LE why doesn't ML use LE for their CA?
Using CloudFlare's cert.
-
@scottalanmiller said in Miscellaneous Tech News:
@DustinB3403 said in Miscellaneous Tech News:
Speaking of LE why doesn't ML use LE for their CA?
Using CloudFlare's cert.
How is traffic encrypted between CloudFlare and ML? Self-Signed (or LE) Cert on ML?
-
@dafyre said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@DustinB3403 said in Miscellaneous Tech News:
Speaking of LE why doesn't ML use LE for their CA?
Using CloudFlare's cert.
How is traffic encrypted between CloudFlare and ML? Self-Signed (or LE) Cert on ML?
In CloudFlare, you can actually create a free tls certificate for your server.
-
@black3dynamite said in Miscellaneous Tech News:
@dafyre said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@DustinB3403 said in Miscellaneous Tech News:
Speaking of LE why doesn't ML use LE for their CA?
Using CloudFlare's cert.
How is traffic encrypted between CloudFlare and ML? Self-Signed (or LE) Cert on ML?
In CloudFlare, you can actually create a free tls certificate for your server.
Exactly.
They are called Origin Certificates.
-
Amazon acquires Eero, maker of mesh Wi-Fi routers
Eero's routers could help Amazon connect its various Echo and Alexa devices.
Bay Area-based Eero, named after Finnish industrial designer Eero Saarinen, has been in operation since early 2015. It has already shipped several products. Neither Amazon nor Eero revealed how much money the tech giant paid in the acquisition, but Eero had raised $90 million in venture capital since its founding.
-
@mlnews we were posting this at the same time
-
-
@EddieJennings said in Miscellaneous Tech News:
Saw this on Reddit
https://nakedsecurity.sophos.com/2019/02/12/russian-isps-plan-internet-disconnection-test-for-entire-country/BBC had that a few days ago.
-
-
@black3dynamite said in Miscellaneous Tech News:
@dafyre said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@DustinB3403 said in Miscellaneous Tech News:
Speaking of LE why doesn't ML use LE for their CA?
Using CloudFlare's cert.
How is traffic encrypted between CloudFlare and ML? Self-Signed (or LE) Cert on ML?
In CloudFlare, you can actually create a free tls certificate for your server.
Thanks for the heads up @black3dynamite, and for the extra details @JaredBusch
-
@black3dynamite said in Miscellaneous Tech News:
What if the container bursts open?
Unfortunately, a serious security flaw dubbed CVE-2019-5736 was found in runc.
This bug means that a program run with root privileges inside a guest container can make changes with root privilege outside that container.
Loosely put, a rogue guest could get sysadmin-level control on the host.
This control could allow the rogue to interfere with other guests, steal data from the host, modify the host, start new guests at will, map out the nearby network, scramble files, unscramble files…
…you name it, a crook could do it.
Precise details of the bug are being witheld for a further six days to give everyone time to patch, but the problem seems to stem from the fact that Linux presents the memory space of the current process as if it were a file called /proc/self/exe.
Thanks to CVE-2019-5736, accessing the memory image of the runc program that’s in charge of your guest app seems to give you a way to mess with running code in the host system itself.
In other words, by modifying your own process in some way, you can cause side-effects outside your container.
And if you can make those unauthorised changes as root, you’ve effectively just made yourself into a sysadmin with a root-level login on the host sever.
For what it’s worth, the runc patch that’s available includes the following new program code, intended to stop containers from messing indirectly with the host system’s running copy of runc, something like this...
-
Hackers keep trying to get malicious Windows file onto MacOS
Clever trick may be ham-fisted attempt bypass Gatekeeper protections built into macOS.
Malware pushers are experimenting with a novel way to infect Mac users that runs executable files that normally execute only on Windows computers.
Researchers from antivirus provider Trend Micro made that discovery after analyzing an app available on a Torrent site that promised to install Little Snitch, a firewall application for macOS. Stashed inside the DMG file was an EXE file that delivered a hidden payload. The researchers suspect the routine is designed to bypass Gatekeeper, a security feature built into macOS that requires apps to be code-signed before they can be installed. EXE files don’t undergo this verification, because Gatekeeper only inspects native macOS files.
“We suspect that this specific malware can be used as an evasion technique for other attack or infection attempts to bypass some built-in safeguards such as digital certification checks, since it is an unsupported binary executable in Mac systems by design,” Trend Micro researchers Don Ladores and Luis Magisa wrote. “We think that the cybercriminals are still studying the development and opportunities from this malware bundled in apps and available in torrent sites, and therefore we will continue investigating how cybercriminals can use this information and routine.”
