Miscellaneous Tech News
-
-
@DustinB3403 said in Miscellaneous Tech News:
Keyshot.com has let their SSL cert lapse apparently.
Let's Encrypt all things.
-
@dbeato said in Miscellaneous Tech News:
Let's Encrypt all things.
Exactly. . . it doesn't cost anything and it meets all of the security standards that exist today. . . so why wouldn't one use it?!
-
Bay Area: Join us 2/13 to discuss a new hope for tech activism
Leigh Honeywell will talk about tech workers challenging companies to be more ethical.
Over the past couple of years, we've seen a huge upsurge in activism within the technology community. From the walkouts at Google to labor organizing at Amazon, tech workers are starting to see a connection between their work and social issues. Engineer and entrepreneur Leigh Honeywell has been at the forefront of tech activism for many years, and at this month's Ars Technica Live on Wednesday, February 13, we'll be talking to her about activism in today's world and the politics of a life lived online.
-
Speaking of LE why doesn't ML use LE for their CA?
-
@DustinB3403 said in Miscellaneous Tech News:
Speaking of LE why doesn't ML use LE for their CA?
They are using Cloudflare DNS and HTTP Proxy (CDN). And using Cloudflare Universal SSL certs, not sure if they are using Full or Full (strict) or flexible.
-
@DustinB3403 said in Miscellaneous Tech News:
Speaking of LE why doesn't ML use LE for their CA?
Using CloudFlare's cert.
-
@scottalanmiller said in Miscellaneous Tech News:
@DustinB3403 said in Miscellaneous Tech News:
Speaking of LE why doesn't ML use LE for their CA?
Using CloudFlare's cert.
How is traffic encrypted between CloudFlare and ML? Self-Signed (or LE) Cert on ML?
-
@dafyre said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@DustinB3403 said in Miscellaneous Tech News:
Speaking of LE why doesn't ML use LE for their CA?
Using CloudFlare's cert.
How is traffic encrypted between CloudFlare and ML? Self-Signed (or LE) Cert on ML?
In CloudFlare, you can actually create a free tls certificate for your server.
-
@black3dynamite said in Miscellaneous Tech News:
@dafyre said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@DustinB3403 said in Miscellaneous Tech News:
Speaking of LE why doesn't ML use LE for their CA?
Using CloudFlare's cert.
How is traffic encrypted between CloudFlare and ML? Self-Signed (or LE) Cert on ML?
In CloudFlare, you can actually create a free tls certificate for your server.
Exactly.
They are called Origin Certificates.
-
Amazon acquires Eero, maker of mesh Wi-Fi routers
Eero's routers could help Amazon connect its various Echo and Alexa devices.
Bay Area-based Eero, named after Finnish industrial designer Eero Saarinen, has been in operation since early 2015. It has already shipped several products. Neither Amazon nor Eero revealed how much money the tech giant paid in the acquisition, but Eero had raised $90 million in venture capital since its founding.
-
@mlnews we were posting this at the same time
-
-
@EddieJennings said in Miscellaneous Tech News:
Saw this on Reddit
https://nakedsecurity.sophos.com/2019/02/12/russian-isps-plan-internet-disconnection-test-for-entire-country/BBC had that a few days ago.
-
-
@black3dynamite said in Miscellaneous Tech News:
@dafyre said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@DustinB3403 said in Miscellaneous Tech News:
Speaking of LE why doesn't ML use LE for their CA?
Using CloudFlare's cert.
How is traffic encrypted between CloudFlare and ML? Self-Signed (or LE) Cert on ML?
In CloudFlare, you can actually create a free tls certificate for your server.
Thanks for the heads up @black3dynamite, and for the extra details @JaredBusch
-
@black3dynamite said in Miscellaneous Tech News:
What if the container bursts open?
Unfortunately, a serious security flaw dubbed CVE-2019-5736 was found in runc.
This bug means that a program run with root privileges inside a guest container can make changes with root privilege outside that container.
Loosely put, a rogue guest could get sysadmin-level control on the host.
This control could allow the rogue to interfere with other guests, steal data from the host, modify the host, start new guests at will, map out the nearby network, scramble files, unscramble filesâŚ
âŚyou name it, a crook could do it.
Precise details of the bug are being witheld for a further six days to give everyone time to patch, but the problem seems to stem from the fact that Linux presents the memory space of the current process as if it were a file called /proc/self/exe.
Thanks to CVE-2019-5736, accessing the memory image of the runc program thatâs in charge of your guest app seems to give you a way to mess with running code in the host system itself.
In other words, by modifying your own process in some way, you can cause side-effects outside your container.
And if you can make those unauthorised changes as root, youâve effectively just made yourself into a sysadmin with a root-level login on the host sever.
For what itâs worth, the runc patch thatâs available includes the following new program code, intended to stop containers from messing indirectly with the host systemâs running copy of runc, something like this...
-
Hackers keep trying to get malicious Windows file onto MacOS
Clever trick may be ham-fisted attempt bypass Gatekeeper protections built into macOS.
Malware pushers are experimenting with a novel way to infect Mac users that runs executable files that normally execute only on Windows computers.
Researchers from antivirus provider Trend Micro made that discovery after analyzing an app available on a Torrent site that promised to install Little Snitch, a firewall application for macOS. Stashed inside the DMG file was an EXE file that delivered a hidden payload. The researchers suspect the routine is designed to bypass Gatekeeper, a security feature built into macOS that requires apps to be code-signed before they can be installed. EXE files donât undergo this verification, because Gatekeeper only inspects native macOS files.
âWe suspect that this specific malware can be used as an evasion technique for other attack or infection attempts to bypass some built-in safeguards such as digital certification checks, since it is an unsupported binary executable in Mac systems by design,â Trend Micro researchers Don Ladores and Luis Magisa wrote. âWe think that the cybercriminals are still studying the development and opportunities from this malware bundled in apps and available in torrent sites, and therefore we will continue investigating how cybercriminals can use this information and routine.â
-
Pantheon DE that Elementary OS uses will be available has a new spin when Fedora 30 is released.
https://fedoraproject.org/wiki/Changes/PantheonDesktop -
Microsoft patches 0-day vulnerabilities in IE and Exchange
IE info bug was under active exploit; exploit code for Exchange flaw was circulating.
Microsoftâs Patch Tuesday this month had higher-than-usual stakes with fixes for a zero-day Internet Explorer vulnerability under active exploit and an Exchange Server flaw that was disclosed last month with proof-of-concept code.
The IE vulnerability, Microsoft said, allows attackers to test whether one or more files are stored on disks of vulnerable PCs. Attackers first must lure targets to a malicious site. Microsoft, without elaborating, said it has detected active exploits against the vulnerability, which is indexed as CVE-2019-0676 and affects IE version 10 or 11 running on all supported versions of Windows. The flaw was discovered by members of Googleâs Project Zero vulnerability research team.
Microsoft also patched Exchange against a vulnerability that allowed remote attackers with little more than an unprivileged mailbox account to gain administrative control over the server. Dubbed PrivExchange, CVE-2019-0686 was publicly disclosed last month, along with proof-of-concept code that exploited it. In Tuesdayâs advisory, Microsoft officials said they havenât seen active exploits yet but that they were âlikely.â
