Debian, Games, SUSE, and Mozilla
-
Valhalla's Things: Bookbinding: photo album
When I paint postcards I tend to start with a draft (usually on lightweight (250 g/m²) watercolour paper), then trace the drawing on blank postcards and paint it again.
I keep the drafts for a number of reasons; for the views / architectural ones I’m using a landscape photo album that I bought many years ago, but lately I’ve also sent a few cards with my historical outfits to people who like to be kept updated on that, and I wanted a different book for those, both for better organization and to be able to keep them in the portrait direction.
If you know me, you can easily guess that buying one wasn’t considered as an option.
-
Jonathan Dowland: date warping in HLedger
My credit card and bank account rarely agree on the date for when I pay it off. Since I added balance assertions for bank account transactions, I need the transaction in my ledger to match what the bank thinks, otherwise the balance assertions would start to fail.
The skew is not normally more than a couple of days, and could be corrected by changing the date for just one of the two postings. But the skew is not very important, and altering the posting date could be used for something more useful.
date warping credit card repayments
My credit card bills land halfway through the month, so February's bill covers transactions between January 15th and February 14th. I pay off the bill in full each month using Direct Debit. The credit card company consider the bill paid immediately, but they don't actually draw it until the end of the month (Jan 31 in the running example). This means the payment transaction for a given month lands halfway through the period covered by the next month's bill.
-
Vincent Bernat: DDoS detection and remediation with Akvorado and Flowspec
Akvorado collects sFlow and IPFIX flows, stores them in a ClickHouse database, and presents them in a web console. Although it lacks built-in DDoS detection, it’s possible to create one by crafting custom ClickHouse queries.
DDoS detection
Let’s assume we want to detect DDoS targeting our customers. As an example, we consider a DDoS attack as a collection of flows over one minute targeting a single customer IP address, from a single source port and matching one of these conditions:
- an average bandwidth of 1 Gbps,
- an average bandwidth of 200 Mbps when the protocol is UDP,
- more than 20 source IP addresses and an average bandwidth of 100 Mbps, or
- more than 10 source countries and an average bandwidth of 100 Mbps.
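The four conditions above, applied to per-minute flow aggregates. This is an added example, not code from the original article or from Akvorado: the record field names, the grouping by protocol, reading each threshold as "at least", and the sample flows (documentation address ranges, placeholder country codes) are all assumptions made for illustration.

```python
from collections import defaultdict

GBPS, MBPS, WINDOW_S = 10**9, 10**6, 60

def detect_ddos(flows):
    """Aggregate sampled flows per (minute, target IP, protocol, source port)
    and return the aggregates that match one of the four conditions."""
    agg = defaultdict(lambda: {"bytes": 0, "srcs": set(), "countries": set()})
    for f in flows:
        a = agg[(f["minute"], f["dst"], f["proto"], f["src_port"])]
        a["bytes"] += f["bytes"] * f["sampling_rate"]  # scale sampled bytes up
        a["srcs"].add(f["src"])
        a["countries"].add(f["country"])
    alerts = []
    for (minute, dst, proto, port), a in sorted(agg.items()):
        bps = a["bytes"] * 8 / WINDOW_S  # average bandwidth over the minute
        reasons = []
        if bps >= GBPS:
            reasons.append("bw>=1G")
        if proto == "UDP" and bps >= 200 * MBPS:
            reasons.append("udp>=200M")
        if len(a["srcs"]) > 20 and bps >= 100 * MBPS:
            reasons.append("srcs>20")
        if len(a["countries"]) > 10 and bps >= 100 * MBPS:
            reasons.append("countries>10")
        if reasons:
            alerts.append({"minute": minute, "dst": dst, "proto": proto,
                           "src_port": port, "mbps": bps / MBPS,
                           "reasons": reasons})
    return alerts

def sample_flows():
    """Constructed flow records for one minute, sampled at 1 in 1000."""
    def flow(dst, src, port, proto, country, nbytes):
        return {"minute": 0, "dst": dst, "src": src, "src_port": port,
                "proto": proto, "country": country, "bytes": nbytes,
                "sampling_rate": 1000}
    flows = [  # 250 Mbps of UDP from source port 53, three sources
        flow("203.0.113.10", f"198.51.100.{i}", 53, "UDP", "AA", 625_000)
        for i in range(3)]
    flows += [  # 120 Mbps of TCP from source port 80, 25 sources
        flow("203.0.113.20", f"198.51.100.{i}", 80, "TCP", "AA", 36_000)
        for i in range(25)]
    # 150 Mbps of TCP from a single source: matches none of the conditions
    flows.append(flow("203.0.113.30", "198.51.100.9", 443, "TCP", "BB", 1_125_000))
    return flows

if __name__ == "__main__":
    for alert in detect_ddos(sample_flows()):
        print(alert)
```
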
-
Rise of Industry is Free Right Now on the Epic Games Store and works fine on Linux
Every week, the Epic Games Store gives away a new game from their catalog.
-
openSUSE Begins Enforcing Secure Boot Kernel Lockdown [Ed: Fake security and more about remote control over people's PCs]
Linux distro openSUSE has begun enforcing Kernel Lockdown when Secure Boot is enabled, creating issues for many users.
Kernel Lockdown was introduced in version 5.4 of the Linux kernel and is designed to help protect the kernel from tampering and unauthorized modification, and serves as an important security feature. It works together with Secure Boot, which is a system to ensure the bootloader process is running legitimate, trusted code signed by Microsoft-controlled master keys.
-
Veraport: Inside Korea’s dysfunctional application management
Note: This article is also available in Korean.
As discussed before, South Korea’s banking websites demand installation of various so-called security applications. At the same time, we’ve seen that these applications like TouchEn nxKey and IPinside lack auto-update functionality. So even in case of security issues, it is almost impossible to deliver updates to users timely.
And that’s only two applications. Korea’s banking websites typically expect around five applications, and it will be different applications for different websites. That’s a lot of applications to install and to keep up-to-date.
Luckily, the Veraport application by Wizvera will take care of that. This application will automatically install everything necessary to use a particular website. And it will also install updates if deemed necessary.
[...]
Remaining issues
Application signature validation was still broken in Veraport 3.8.6.4. Presumably, that’s still the case in Veraport 3.8.6.5, but verifying is complicated. This is no longer a significant issue since the connection integrity can be trusted now.
While checkProcess is no longer available, the getPreDownInfo command is still accessible in the latest Veraport version. So any website can still see what security applications are installed. Merely the version numbers have been censored and are no longer usable.
It seems that even Veraport 3.8.6.5 still uses the eight years old mongoose 5.5 library for its local web server, this one hasn’t been upgraded.
None of the conceptual issues have been addressed of course, these are far more complicated to solve. Veraport customers still have the power to force installation of arbitrary applications, including outdated and malicious software. And they aren’t restricted to their own website but can sign a policy file for any website.
A compromised signing certificate of a Veraport customer still cannot be revoked, and neither is it possible to revoke a known malicious policy. Finally, the outdated root certificate (1024 bits, MD5) is still present in the application.
-
Expanding Mozilla’s boards in 2023
As Mozilla reaches its 25th anniversary this year, we’re working hard to set up our 'next chapter' — thinking bigger and being bolder about how we can shape the coming era of the internet. We’re working to expand our product offerings, creating multiple options for consumers, audiences and business models.