DoktorCranium is fiddling around with Windows Server 2019 Insider Preview Build 17650 and Mimikatz, a security tool used by hackers e.g. for intruding the German parliament, the Bundestag in 2015/2016 . “Bypassing Windows Defender, Loading meterpreter, and executing the latest Mimikatz just for fun.” Why? Because he can. And Open Source rocks. I still find it hard to believe so many security-sensitive environments still use software from the shelf. And if you like Benjamin Delphy’s work, look at this video about Kekeo: https://www.youtube.com/watch?v=sROKCsXdVDg
“For any non-trivial property of partial functions, no general and effective method can decide whether an algorithm computes a partial function with that property.”
In his blogpost “30 years on, what’s next #ForTheWeb?” Tim Berners-Lee shows clear thoughts on the problems of the Web today and points to the “Contract for the Web”. He writes:
“To tackle any problem, we must clearly outline and understand it. I broadly see three sources of dysfunction affecting today’s web:
Deliberate, malicious intent, such as state-sponsored hacking and attacks, criminal behaviour, and online harassment.
System design that creates perverse incentives where user value is sacrificed, such as ad-based revenue models that commercially reward clickbait and the viral spread of misinformation.
Unintended negative consequences of benevolent design, such as the outraged and polarised tone and quality of online discourse.
(…)
At pivotal moments, generations before us have stepped up to work together for a better future. With the Universal Declaration of Human Rights, diverse groups of people have been able to agree on essential principles. With the Law of Sea and the Outer Space Treaty, we have preserved new frontiers for the common good. Now too, as the web reshapes our world, we have a responsibility to make sure it is recognised as a human right and built for the public good. This is why the Web Foundation is working with governments, companies and citizens to build a new Contract for the Web.”
“My generation knows that climate change will be the biggest problem we’ll have to face,” Villasenor said. “It’s upsetting that my generation has to push these leaders to take action. We aren’t going to stop striking until some more laws are passed.”
EU-Copyrightreform: Spontandemos gegen Artikel 13 und Abstimmungs-Vorverlegung – “Nie mehr CDU” Die Pläne für eine Vorverlegung der Abstimmung zur EU-Urheberrechtsreform trieb in fünf Städten spontan Tausende Menschen auf die Straße.
“This guide arose out of the need for system administrators to have an updated, solid, well researched and thought-through guide for configuring SSL, PGP, SSH and other cryptographic tools in the post-Snowden age. Triggered by the NSA leaks in the summer of 2013, many system administrators and IT security officers saw the need to strengthen their encryption settings. This guide is specifically written for these system administrators.”
Honestly, I never spent much effort in automating my home network. No salt or containers involved, only three machines with desktops around. ATM they all run Open SUSE Tumbleweed, simply because I don’t want to re-install or do OS upgrades anymore and I want to have all the new stuff asap. With SUSE’s build service the quality of that “rolling release” Tumbleweed has become overwhelming to me, hardly do I see a problem that prevents me from working and/or stays longer that a few days.
Downside of that is: I get some hundreds of megabytes of updates each week. Event though I made good experience with auto-updates through YaST, I still sometimes feel better with launching the zypper command myself and watching what happens. So I did what my dear lady called “semiautomatic system management” … :-):
I like to play with shell tools, and that’s how I found pssh. I installed the tiny CLI tool that allows running a command on several machines at the same time, and added it to my local aliases. Are you confused already? Ok, here’s the five steps:
Step 1: Install Pssh, e.g. with “zypper in pssh”.
Step 2: Create a local file with the list of hosts that you want to update. It’s content should simply be one host(name) or IP per line, like my ~/.pssh: office sleepingroom livingroom Step 3: Copy your ssh key to the machines involved (“ssh-copy-id” is your friend) and test the login with ssh. Step 4 (optional): I prefer to have the output of my commands in a separate “log” folder (under ~/Temp) – and that needs to be created. Step 5: I added “alias zypdup=”pssh -h .pssh -l root -o ~/Temp/pssh ‘zypper dup -y -l –allow-vendor-change'” to my .bashrc file in my home directory. That way, the simple command “zypdup” will update the three machines at home, giving a yes to all answers, accept all licenses and allow vendor change from Packman/VLC and back to open SUSE repositories. To be precise, that “zypdup” will be recognized the next time the shell loads the aliases (like after a “. .bashrc”.
That’s it. But let’s have another quick look at the command: “pssh -h .pssh -l root -o ~/Temp/pssh ” takes the hosts from the file “.pssh”, logs in as “root” and writes its output to files in “~/Temp/pssh” – one file per host, named like the host.
Thus, in a perfect world, all my three systems are on the same patchlevel / upgrade status:
Disclaimer: I know that options like “-y … –allow-vendor-change” may cause trouble, but after five years of Tumbleweed, Build Service, Snapper and SUSE in general, I’ve become pretty daring – there were no problems so far. Your mileage may vary, though. If you’re unsure about the consequences, better don’t follow me. 🙂
UPDATE: After a few weeks I learned that I need to add “-t 0” (or another reasonable timeout value in seconds) to my alias. Updates with zypper usually take some time, and depend heavily on bandwidth and such, thus I can’t or couldn’t make up a reasonable value (yet). 🙂
“… this military-industrial complex has advanced into a new domain: If data is the new oil [3], then access to data is crucial for corporate and national prosperity…. There is a huge market of software developers, admins, hackers, and surveillance technology orbiting US military as well it’s affiliated industries “
I’m just digging in Tristan Harris’ Videos. There are some interesting ones that I’d like to spread to make people more aware about how much life quality they loose by the hours they spend online every day. “I don’t know a more urgent problem these days.”, he says. I may do, but this is really scary. “Sometimes the most important problems are right underneath our noses.”
“Tristan Harris, founder of the Center for Humane Technology and pioneer of the Time Well Spent movement, is here to address the controversial topic of how our minds are being swindled into rampant screen and social media addiction, and to expose the intelligent forces behind the scenes that have intentionally served up the internet’s most addictive drug in an effort to get rich.”
“A handful of people working at a handful of tech companies steer the thoughts of billions of people every day, says design thinker Tristan Harris. From Facebook notifications to Snapstreaks to YouTube autoplays, they’re all competing for one thing: your attention. Harris shares how these companies prey on our psychology for their own profit and calls for a design renaissance in which our tech instead encourages us to live out the timeline we want.”
“Tristan Harris, former Google design ethicist, discusses changing Silicon Valley’s culture and the fight against online extremism with Bloomberg’s Emily Chang on “Bloomberg Technology.””
Disclaimer: I’m still watching, I only came across his stuff this morning, but so far I really like it.
The vulnerabilities, identified as CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988, have been patched in Android Open Source Project (AOSP) by Google as part of its February Android Security Updates.