Feed aggregator

Jonathan Dowland: What have I been up to?

Planet Debian - Sun, 28/09/2014 - 18:59

It's been a little while since I've written about what I've been up to. The truth is I've been busy with moving house - and I'll write a bit more about that at another time. But asides from that there have been some bits and bobs.

I use a little tool called archivemail to tidy up old listmail (my policy is to retain 30 days of listmail for most lists). If I unsubscribe to a list, then eventually I end up with an empty mail folder corresponding to that list. I decided it would be nice to extend archivemail to delete mailboxes if, after the archiving has taken place, the mailbox is empty. Doing this properly means adding delete routines to Python's "mailbox" library, which is part of the Python standard library. I've therefore started work on a patch for Python.

Since this is an enhancement, Python would only accept a patch for Python 3. Therefore, eventually, I would also have to port archivemail from Python 2 to 3. "archivemail" is basically abandonware at the moment, and the principal Debian maintainer is MIA. There was a release critical bug filed against it, so I joined the Debian Python team to co-maintain archivemail in Debian. I've worked around the RC bug but a proper fix is still to come.

In other Debian news, I've been mostly quiet. A small patch for squishyball to get it to build on Hurd, and a temporary fix patch for lhasa to get it to build on the build daemons for all architectures (problems with the test suite). All three of lhasa, squishyball and archivemail need a little bit of love to get them into shape before the jessie freeze.

I've had plans to write up some of the more interesting technical things I've been up to at work, but with the huge successes of the School we've been so busy I haven't had time. Hopefully you can soon look forward to some of our further adventures with puppet, including evaluating Shibboleth modules, some stuff about handling user directories, bind mounts and LVM volumes and actually publishing some of our more useful internal modules; I hope we will also (soon) have some useful data to go with our experiments with Linux LXC containers versus KVM-powered virtual machines in some of our use-cases. I've also got a few bits and pieces on Systemd to write up.

Fans raise cash to help phone phreaker John Draper, aka Cap‘n Crunch

Ars Technica - Sun, 28/09/2014 - 18:40
Aaron Getting

An online fundraiser for legendary phone phreaker John Draper, better known as Cap'n Crunch, has passed its target $5,000 in just three daysDraper himself doesn't even know who started the fundraiser, but the money is intended to help with his medical bills. According to a recent blog post, he suffers from both degenerative spine disease and C. Diff, an inflammation of the colon.

I want to thank with the bottom of my heart for an anonymous person for setting me up with qikfunder.... http://t.co/mwzDLLRpHH

— John Draper (@jdcrunchman) September 25, 2014

In conjunction with others in the late 1960s and early 1970s, Draper figured out that a toy whistle given out in boxes of Cap'n Crunch cereal emitted a tone at 2600 Hertz. By pure coincidence, that happened to be the tone AT&T used to reset its trunk lines. As a result, Draper became a legend in the nascent world of phone phreaking, a predecessor to early personal computer hacking.

Read 5 remaining paragraphs | Comments

After Consumer Reports flex test, new iPhones “not as bendy as believed”

Ars Technica - Sun, 28/09/2014 - 17:11
The iPhone 6 Plus has already become scarce. Megan Geuss

After reports began to surface that the iPhone 6 and 6 Plus are far more bendable than their predecessors, Consumer Reports promised it would put the new handsets to the test. As of Friday evening, the results are in: "Our tests show that both iPhones seem tougher than the Internet fracas implies."

How exactly did the magazine come to that conclusion? Using an Instron compression test machine, the researchers applied a "three-point flexural test... in which the phone is supported at two points on either end, then force is applied at a third point on the top." Consumer Reports tested a number of phones for comparison: an iPhone 6, iPhone 6 Plus, LG G3, Samsung Galaxy Note 3, HTC One (M8), and, for good measure, an iPhone 5.

According to The Verge, which visited Apple's secret test site near 1 Infinite Loop, the phone maker itself applied 25 kilograms (55.1 pounds) of force to test the flexibility of thousands of iPhone 6 and 6 Plus units. Consumer Reports says Apple's tests delivered "approximately the force required to break three pencils," but the magazine wanted to go even farther.

Read 2 remaining paragraphs | Comments

Over 30 Hikers Die During Ontake Eruption in Japan: What Happened?

Wired - Sun, 28/09/2014 - 16:17

After yesterday’s news about the unexpected eruption at Ontake, we are finally getting the full, grim picture of the extent of death at the Japanese volcano. Authorities in the area has said that over 30 people have been found on the volcano and mostly of them are likely dead from effects of the eruption. This […]

The post Over 30 Hikers Die During Ontake Eruption in Japan: What Happened? appeared first on WIRED.

Benjamin Mako Hill: Community Data Science Workshops Post-Mortem

Planet Debian - Sun, 28/09/2014 - 06:02

Earlier this year, I helped plan and run the Community Data Science Workshops: a series of three (and a half) day-long workshops designed to help people learn basic programming and tools for data science tools in order to ask and answer questions about online communities like Wikipedia and Twitter. You can read our initial announcement for more about the vision.

The workshops were organized by myself, Jonathan Morgan from the Wikimedia Foundation, long-time Software Carpentry teacher Tommy Guy, and a group of 15 volunteer “mentors” who taught project-based afternoon sessions and worked one-on-one with more than 50 participants. With overwhelming interest, we were ultimately constrained by the number of mentors who volunteered. Unfortunately, this meant that we had to turn away most of the people who applied. Although it was not emphasized in recruiting or used as a selection criteria, a majority of the participants were women.

The workshops were all free of charge and sponsored by the UW Department of Communication, who provided space, and the eScience Institute, who provided food.

The curriculum for all four session session is online:

The workshops were designed for people with no previous programming experience. Although most our participants were from the University of Washington, we had non-UW participants from as far away as Vancouver, BC.

Feedback we collected suggests that the sessions were a huge success, that participants learned enormously, and that the workshops filled a real need in the Seattle community. Between workshops, participants organized meet-ups to practice their programming skills.

Most excitingly, just as we based our curriculum for the first session on the Boston Python Workshop’s, others have been building off our curriculum. Elana Hashman, who was a mentor at the CDSW, is coordinating a set of Python Workshops for Beginners with a group at the University of Waterloo and with sponsorship from the Python Software Foundation using curriculum based on ours. I also know of two university classes that are tentatively being planned around the curriculum.

Because a growing number of groups have been contacting us about running their own events based on the CDSW — and because we are currently making plans to run another round of workshops in Seattle late this fall — I coordinated with a number of other mentors to go over participant feedback and to put together a long write-up of our reflections in the form of a post-mortem. Although our emphasis is on things we might do differently, we provide a broad range of information that might be useful to people running a CDSW (e.g., our budget). Please let me know if you are planning to run an event so we can coordinate going forward.

Android Auto developer docs show off more UI, detail 3rd-party apps

Ars Technica - Sun, 28/09/2014 - 05:43

An example of a generic interface that Google designs. Developers can customize the colors and icons.

7 more images in gallery

Google just released a set of Android Auto developer documents to developer.android.com, detailing more of Google's in-car platform and giving developers a better sense of the system's capabilities.

Android Auto "apps" aren't really apps; they're additional Android Auto-specific content that developers add to their existing Android apps. This is exactly the way Android Wear works. Developers don't have separate phone, watch, and car apps; they just include additional interface attributes in their regular apps for display on the other form factors.

Developers don't get to design interfaces in Android Auto, it's more of a "fill-in-the-blanks" style of development. Google makes the interface layout, and developers get to change the colors, button actions, and text of that interface. Apps also provide a content stream for playback, but that's pretty much it.

Read 6 remaining paragraphs | Comments

A boatload of weekend security updates

LWN.net - Sun, 28/09/2014 - 00:33

Debian has updated icedove (nss certificate forgery vulnerability), and libvirt (denial of service and data leakage).

Fedora has updated much of the distribution, mostly in response to CVE-2014-5033 (authentication bypass vulnerability in KDE): akonadi (F20: CVE-2014-5033), analitza (F20: CVE-2014-5033), amor (F20: CVE-2014-5033), ark (F20: CVE-2014-5033), audiocd-kio (F20: CVE-2014-5033), baloo (F20: CVE-2014-5033), baloo-widgets (F20: CVE-2014-5033), blinken (F20: CVE-2014-5033), calligra (F20: CVE-2014-5033), calligra-l10n (F20: CVE-2014-5033), cantor (F20: CVE-2014-5033), check-mk (F19, F20: three CVEs), digikam (F20: CVE-2014-5033), dragon (F20: CVE-2014-5033), filelight (F20: CVE-2014-5033), gwenview (F20: CVE-2014-5033), jovie (F20: CVE-2014-5033), juk (F20: CVE-2014-5033), kaccessible (F20: CVE-2014-5033), kalgebra (F20: CVE-2014-5033), kamera (F20: CVE-2014-5033), kalzium (F20: CVE-2014-5033), kanagram (F20: CVE-2014-5033), kate (F20: CVE-2014-5033), kbruch (F20: CVE-2014-5033), kcalc (F20: CVE-2014-5033), kcharselect (F20: CVE-2014-5033), kcolorchooser (F20: CVE-2014-5033), kcron (F20: CVE-2014-5033), kde-base-artwork (F20: CVE-2014-5033), kde-baseapps (F20: CVE-2014-5033), kde-l10n (F20: CVE-2014-5033), kde-print-manager (F20: CVE-2014-5033, kde-runtime (F20: CVE-2014-5033), kde-wallpapers (F20: CVE-2014-5033), kdeaccessibility (F20: CVE-2014-5033), kdeadmin (F20: CVE-2014-5033), kdeartwork (F20: CVE-2014-5033), kdebindings (F20: CVE-2014-5033), kdeedu (F20: CVE-2014-5033), kdegraphics (F20: CVE-2014-5033), kdegraphics-mobipocket (F20: CVE-2014-5033), kdegraphics-stringi-analyzer (F20: CVE-2014-5033), kdegraphics-thumbnailers (F20: CVE-2014-5033), kdelibs (F20: CVE-2014-5033), kdemultimedia (F20: CVE-2014-5033), kdenetwork (F20: CVE-2014-5033), kdenetwork-filesharing (F20: CVE-2014-5033), kdenetwork-strigi-analyzers (F20: CVE-2014-5033, kdepim (F20: CVE-2014-5033), kdepim-runtime (F20: CVE-2014-5033), kdepimlibs (F20: CVE-2014-5033), kdetoys (F20: CVE-2014-5033), kdeplasma-addons (F20: CVE-2014-5033), kdeutils (F20: CVE-2014-5033), kdf (F20: CVE-2014-5033), kdnssd (F20: CVE-2014-5033), kfilemetadata (F20: CVE-2014-5033), kfloppy (F20: CVE-2014-5033), kgamma (F20: CVE-2014-5033), kgeography (F20: CVE-2014-5033), kget (F20: CVE-2014-5033), kgpg (F20: CVE-2014-5033), khangman (F20: CVE-2014-5033), kig (F20: CVE-2014-5033), kimono (F20: CVE-2014-5033), kiten (F20: CVE-2014-5033), klettres (F20: CVE-2014-5033), kmag (F20: CVE-2014-5033), kmix (F20: CVE-2014-5033), kmousetool (F20: CVE-2014-5033), kmouth (F20: CVE-2014-5033), kmplot (F20: CVE-2014-5033), kolourpaint (F20: CVE-2014-5033), konsole (F20: CVE-2014-5033), kopete (F20: CVE-2014-5033), kphotoalbum (f20: CVE-2014-5033), kppp (F20: CVE-2014-5033), kqtquickcharts (F20: CVE-2014-5033), krdc (F20: CVE-2014-5033), kremotecontrol (F20: CVE-2014-5033), krfb (F20: CVE-2014-5033), kross-interpreters (F20: CVE-2014-5033), kruler (F20: CVE-2014-5033), ksaneplugin (F20: CVE-2014-5033), kscd (F20: CVE-2014-5033), ksnapshot (F20: CVE-2014-5033), kstars (F20: CVE-2014-5033), ksystemlog (F20: CVE-2014-5033), kteatime (F20: CVE-2014-5033), ktimer (F20: CVE-2014-5033), ktouch (F20: CVE-2014-5033), kturtle (F20: CVE-2014-5033), ktux (F20: CVE-2014-5033), kuser (F20: CVE-2014-5033), kwalletmanager (F20: CVE-2014-5033), kwordquiz (F20: CVE-2014-5033), libkcddb (F20: CVE-2014-5033), libkcompactdisc (F20: CVE-2014-5033), libkdcraw (F20: CVE-2014-5033), libkdeedu (F20: CVE-2014-5033), libkexiv (F20: CVE-2014-5033), libkgapi (F20: CVE-2014-5033), libkipi (F20: CVE-2014-5033), libkolab (F20: CVE-2014-5033), libksane (F20: CVE-2014-5033), marble (F20: CVE-2014-5033), nepomuk-core (F20: CVE-2014-5033), nepomuk-widgets (F20: CVE-2014-5033), okular (F20: CVE-2014-5033), oxygen-icon-theme (F20: CVE-2014-5033), pairs (F20: CVE-2014-5033), parley (F20: CVE-2014-5033), pykde (F20: CVE-2014-5033), qyoto (F20: CVE-2014-5033), rocs (F20: CVE-2014-5033), ruby-korundum (F20: CVE-2014-5033), ruby-qt (F20: CVE-2014-5033), smokegen (F20: CVE-2014-5033), smokekde (F20: CVE-2014-5033), smokeqt (F20: CVE-2014-5033), step (F20: CVE-2014-5033), subsurface (F20: CVE-2014-5033), superkaramba (F20: CVE-2014-5033), svgpart (F20: CVE-2014-5033), and sweeper (F20: CVE-2014-5033).

Mageia has updated perl-Email-Address (denial of service), perl-XML-DT (symbolic link vulnerability), and nss (certificate forgery).

Oracle has updated nss (OL5, OL6, OL7: certificate forgery) and bash (OL4: command injection).

Red Hat has updated bash (RHEL4-6 (command injection).

SUSE has updated mozilla-nss (certificate forgery), wireshark (10 CVE numbers), and bash (command injection).

Ubuntu has updated bash (command injection).

Google Glass “no safer” than phones for texting while driving

Ars Technica - Sat, 27/09/2014 - 23:30

Don't text and drive, kids, not even if you're using high-tech, hands-free goggles to do so.

Researchers at the University of Central Florida have concluded in a study that using Google Glass to text while driving is clearly a distraction. They also discovered, however, that Glass wearers were more capable of regaining control of their vehicles than smartphone users following traffic incidents.

The peer-reviewed study was the first to examine the impact of Glass on driving, and was conducted with the hope of finding new ways for technology to deliver information to drivers with minimal risk. "As destructive influences threaten to become more common and numerous in drivers' lives, we find the limited benefits provided by Glass a hopeful sign of technological solutions to come," said researcher Ben Sawyer.

Read 5 remaining paragraphs | Comments

Are we producing too few or too many science and technology grads?

Ars Technica - Sat, 27/09/2014 - 21:00
Public domain, via penbentley on Flickr

Earlier this week, the New York Academy of Sciences released a new report that focuses on what it terms the STEM paradox. STEM stands for science, technology, engineering, and math, and it's generally used to describe high-tech and research-oriented education and careers. If you talk to people looking for jobs in academia, you'll typically hear that we produce too many STEM graduates, leaving many struggling to find jobs. If you talk to people who represent companies like Google and Microsoft, we produce too few, and need to relax visa restrictions in order to bring in more from overseas.

This strange situation—a simultaneous glut and shortage—is what the NYAS report calls the "STEM paradox." Both problems are real, and they're the result of mismatched priorities. As Jeanne Dunn, vice president of Learning@Cisco put it when the report was introduced, when it comes to STEM graduates, "there's a huge imbalance of talent—where they are and the types of things they are skilled in."

So, even though our graduate schools may be producing highly qualified researchers, the research they're prepared for is often only appropriate in an academic setting; commercial entities end up looking for a different set of skills. Industry also ends up looking for more people at early stages of their careers—the bachelors and masters levels—but only if they have a relevant skill set. For the most part, undergraduate educations don't provide those. The result of these is part of the imbalance that Dunn mentioned.

Read 3 remaining paragraphs | Comments

DebConf team: Wrapping up DebConf14 (Posted by Paul Wise, Donald Norwood)

Planet Debian - Sat, 27/09/2014 - 20:40

The annual Debian developer meeting took place in Portland, Oregon, 23 to 31 August 2014. DebConf14 attendees participated in talks, discussions, workshops and programming sessions. Video teams captured a lot of the main talks and discussions for streaming for interactive attendees and for the Debian video archive.

Between the video, presentations, and handouts the coverage came from the attendees in blogs, posts, and project updates. We’ve gathered a few articles for your reading pleasure:

Gregor Herrmann and a few members of the Debian Perl group had an informal unofficial pkg-perl micro-sprint and were very productive.

Vincent Sanders shared an inspired gift in the form of a plaque given to Russ Allbery in thanks for his tireless work of keeping sanity in the Debian mailing lists. Pictures of the plaque and design scheme are linked in the post. Vincent also shared his experiences of the conference and hopes the organisers have recovered.

Noah Meyerhans’ adventuring to Debian by train, (Inter)netted some interesting IPv6 data for future road and railwarriors.

Hideki Yamane sent a gentle reminder for English speakers to speak more slowly.

Daniel Pocock posted of GSoC talks at DebConf14, highlights include the Java Project Dependency Builder and the WebRTC JSCommunicator.

Thomas Goirand gives us some insight into a working task list of accomplishments and projects he was able to complete at DebConf14, from the OpenStack discussion to tasksel talks, and completion of some things started last year at DebConf13.

Antonio Terceiro blogged about debci and the Debian Continuous Integration project, Ruby, Redmine, and Noosfero. His post also shares the atmosphere of being able to interact directly with peers once a year.

Stefano Zacchiroli blogged about a talk he did on debsources which now has its own HACKING file.

Juliana Louback penned: DebConf 2014 and How I Became a Debian Contributor.

Elizabeth Krumbach Joseph’s in-depth summary of DebConf14 is a great read. She discussed Debian Validation & CI, debci and the Continuous Integration project, Automated Validation in Debian using LAVA, and Outsourcing webapp maintenance.

Lucas Nussbaum by way of a blog post releases the very first version of Debian Trivia modelled after the TCP/IP Drinking Game.

François Marier’s shares additional information and further discussion on Outsourcing your webapp maintenance to Debian.

Joachim Breitner gave a talk on Haskell and Debian, created a new tool for binNMUs for Haskell packages which runs via cron job. The output is available for Haskell and for OCaml, and he still had a small amount of time to go dancing.

Jaldhar Harshad Vyas was not able to attend DebConf this year, but he did tune in to the videos made available by the video team and gives an insightful viewpoint to what was being seen.

Jérémy Bobbio posted about Reproducible builds in Debian in his recap of DebConf14. One of the topics at hand involved defining a canonical path where packages must be built and a BOF discussion on reproducible builds from where the conversation moved to discussions in both Octave and Groff. New helpers dh_fixmtimes and dh_genbuildinfo were added to BTS. The .buildinfo format has been specified on the wiki and reviewed. Lots of work is being done in the project, interested parties can help with the TODO list or join the new IRC channel #debian-reproducible on irc.debian.org.

Steve McIntyre posted a Summary from the d-i / debian-cd BoF at DC14, with some of the session video available online. Current jessie D-I needs some help with the testing on less common architectures and languages, and release scheduling could be improved. Future plans: Switching to a GUI by default for jessie, a default desktop and desktop choice, artwork, bug fixes and new architecture support. debian-cd: Things are working well. Improvement discussions are on selecting which images to make I.E. netinst, DVD, et al., debian-cd in progress with http download support, Regular live test builds, Other discussions and questions revolve around which ARM platforms to support, specially-designed images, multi-arch CDs, and cloud-init based images. There is also a call for help as the team needs help with testing, bug-handling, and translations.

Holger Levsen reports on feedback about the feedback from his LTS talk at DebConf14. LTS has been perceived well, fits a demand, and people are expecting it to continue; however, this is not without a few issues as Holger explains in greater detail the lacking gatekeeper mechanisms, and how contributions are needed from finance to uploads. In other news the security-tracker is now fixed to know about old stable. Time is short for that fix as once jessie is released the tracker will need to support stable, oldstable which will be wheezy, and oldoldstable.

Jonathan McDowell’s summary of DebConf14 includes a fair perspective of the host city and the benefits of planning of a good DebConf14 location. He also talks about the need for facetime in the Debian project as it correlates with and improves everyone’s ability to work together. DebConf14 also provided the chance to set up a hard time frame for removing older 1024 bit keys from Debian keyrings.

Steve McIntyre posted a Summary from the “State of the ARM” BoF at DebConf14 with updates on the 3 current ports armel, armhf and arm64. armel which targets the ARM EABI soft-float ARMv4t processor may eventually be going away, while armhf which targets the ARM EABI hard-float ARMv7 is doing well as the cross-distro standard. Debian is has moved to a single armmp kernel flavour using Device Tree Blobs and should be able to run on a large range of ARMv7 hardware. The arm64 port recently entered the main archive and it is hoped to release with jessie with 2 official builds hosted at ARM. There is talk of laptop development with an arm64 CPU. Buildds and hardware are mentioned with acknowledgements for donated new machines, Banana Pi boards, and software by way of ARM’s DS-5 Development Studio - free for all Debian Developers. Help is needed! Join #debian-arm on irc.debian.org and/or the debian-arm mailing list. There is an upcoming Mini-DebConf in November 2014 hosted by ARM in Cambridge, UK.

Tianon Gravi posted about the atmosphere and contrast between an average conference and a DebConf.

Joseph Bisch posted about meeting his GSOC mentors, attending and contributing to a keysigning event and did some work on debmetrics which is powering metrics.debian.net. Debmetrics provides a uniform interface for adding, updating, and viewing various metrics concerning Debian.

Harlan Lieberman-Berg’s DebConf Retrospective shared the feel of DebConf, and detailed some of the work on debugging a build failure, work with the pkg-perl team on a few uploads, and work on a javascript slowdown issue on codeeditor.

Ana Guerrero López reflected on Ten years contributing to Debian.

Should I follow the normal path or fail early?

Ars Technica - Sat, 27/09/2014 - 18:15
Stack Exchange

This Q&A is part of a weekly series of posts highlighting common questions encountered by technophiles and answered by users at Stack Exchange, a free, community-powered network of 100+ Q&A sites.

jao asks:

From the Code Complete book comes the following quote:

Read 21 remaining paragraphs | Comments

Hey There Little Electron, Why Won’t You Tell Me Where You Came From?

Wired - Sat, 27/09/2014 - 17:07

I want to tell you about one of the most beautiful ideas that I know. It’s a physics experiment, and it’s beautiful because in one elegant stroke, it expands our consciousness, forcing us to realize that objects can behave in ways that are impossible for us to picture (but remarkably, possible for us to calculate). It’s beautiful […]

The post Hey There Little Electron, Why Won’t You Tell Me Where You Came From? appeared first on WIRED.

New docs show drone landed on Lincoln head at Mount Rushmore in 2013

Ars Technica - Sat, 27/09/2014 - 15:05
Mount Rushmore near Keystone, South Dakota. Liz Lawley

Of all of the drone incidents reported at national parks across the United States over the last year, one stands out: a small aircraft spotted over the Mount Rushmore site in South Dakota in September 2013. Within hours, in the shadow of the famous four busts of American presidents, National Park Service (NPS) employees confronted a group of six individuals at a park ice cream shop and seized their passports, memory cards, and mobile phones.

Drones have become something of a scourge at various national parks. In June 2014, the NPS banned the use of drones in all of its parks, following an initial ban in Yosemite National Park in California the previous month. Since then, rangers have taken notable steps to enforce the ban.

Earlier this week, a German man was sentenced to a one year ban from Yellowstone and was ordered to pay a $1,600 fine after he crashed a drone into Yellowstone lake. A Dutch tourist was ordered to pay over $3,200 after he crashed his drone into the Grand Prismatic Hot Spring. One more case against an Oregon man remains pending in federal court in Wyoming.

Read 22 remaining paragraphs | Comments

Japan’s Ontake Erupts, Hikers Trapped and Injured

Wired - Sat, 27/09/2014 - 14:16

Today, Ontake (also known as Ontakesan) erupted unexpectedly trapping hundreds of people who were hiking on Japan’s second tallest volcano. The eruption appears to have been highly explosive, with pyroclastic flows and an ash column that topped over 5.5 kilometers (18,000 feet). You can see some stunning video of the pyroclastic flows roaring down the […]

The post Japan’s Ontake Erupts, Hikers Trapped and Injured appeared first on WIRED.

Can’t upgrade to iOS 8? Beware bugs in the system

Ars Technica - Sat, 27/09/2014 - 14:00

Despite Apple's recent missteps in patching iOS 8, iPhone and iPad users may want to upgrade to the Apple's latest available mobile operating system to fix some serious security issues.

Among the most critical is a vulnerability — CVE-2014-4377 — in how iOS processes PDF files as images. An attacker who exploits the flaw could use a malicious Web page viewed by the user in Safari to run code on the victim's device, according to a description of the problem posted this week by Argentinian security consultancy Binamuse.

A proof-of-concept attack is "a complete 100% reliable and portable exploit for MobileSafari on IOS7.1.x," Felipe Andres Manzano, principal consultant at Binamuse, stated in the company's analysis.

Read 7 remaining paragraphs | Comments

Futurama’s Resident Physics Nerd on Math Jokes and Richard Nixon

Wired - Sat, 27/09/2014 - 11:30

In this week's installment of Geek's Guide to the Galaxy, Futurama head writer David X. Cohen discusses the show's super-nerdy sci-fi and math jokes.

The post Futurama’s Resident Physics Nerd on Math Jokes and Richard Nixon appeared first on WIRED.

Ritesh Raj Sarraf: Laptop Mode Tools 1.66

Planet Debian - Sat, 27/09/2014 - 10:09

I am pleased to announce the release of Laptop Mode Tools at version 1.66.

This release fixes an important bug in the way Laptop Mode Tools is invoked. Users, now when disable it in the config file, the tool will be disabled. Thanks to bendlas@github for narrowing it down. The GUI configuration tool has been improved, thanks to Juan. And there is a new power saving module for users with ATI Radeon cards. Thanks to M. Ziebell for submitting the patch.

Laptop Mode Tools development can be tracked @ GitHub

AddThis:  Categories: Keywords: 

Niels Thykier: Lintian – Upcoming API making it easier to write correct and safe code

Planet Debian - Sat, 27/09/2014 - 08:08

The upcoming version of Lintian will feature a new set of API that attempts to promote safer code. It is hardly a “ground-breaking discovery”, just a much needed feature.

The primary reason for this API is that writing safe and correct code is simply too complicated that people get it wrong (including yours truly on occasion).   The second reason is that I feel it is a waste having to repeat myself when reviewing patches for Lintian.

Fortunately, the kind of issues this kind of mistake creates are usually minor information leaks, often with no chance of exploiting it remotely without the owner reviewing the output first[0].

Part of the complexity of writing correct code originates from the fact that Lintian must assume Debian packages to be hostile until otherwise proven[1]. Consider a simplified case where we want to read a file (e.g. the copyright file):

package Lintian::cpy_check; use strict; use warnings; use autodie; sub run { my ($pkg, undef, $info) = @_; my $filename = "usr/share/doc/$pkg/copyright"; # BAD: This is an example of doing it wrong open(my $fd, '<', $info->unpacked($filename)); ...; close($fd); return; }

This has two trivial vulnerabilities[2].

  1. Any part of the path (usr,usr/share, …) can be asymlink to “somewhere else” like /
    1. Problem: Access to potentially any file on the system with the credentials of the user running Lintian.  But even then, Lintian generally never write to those files and the user has to (usually manually) disclose the report before any information leak can be completed.
  2. The target path can point to a non-file.
    1. Problem: Minor inconvenience by DoS of Lintian.  Examples include a named pipe, where Lintian will get stuck until a signal kills it.

Of course, we can do this right[3]:

package Lintian::cpy_check; use strict; use warnings; use autodie; use Lintian::Util qw(is_ancestor_of); sub run { my ($pkg, undef, $info) = @_; my $filename = "usr/share/doc/$pkg/copyright"; my $root = $info->unpacked my $path = $info->unpacked($filename); if ( -f $path and is_ancestor_of($root, $path)) { open(my $fd, '<', $path); ...; close($fd); } return; }

Where “is_ancestor_of” is the only available utility to assist you currently.  It hides away some 10-12 lines of code to resolve the two paths and correctly asserting that $path is (an ancestor of) $root.  Prior to Lintian 2.5.12, you would have to do that ancestor check by hand in each and every check[4].

In the new version, the correct code would look something like this:

package Lintian::cpy_check; use strict; use warnings; use autodie; sub run { my ($pkg, undef, $info) = @_; my $filename = "usr/share/doc/$pkg/copyright"; my $path = $info->index_resolved_path($filename); if ($path and $path->is_open_ok) { my $fd = $path->open; ...; close($fd); } return; }

Now, you may wonder how that promotes safer code.  At first glance, the checking code is not a lot simpler than the previous “correct” example.  However, the new code has the advantage of being safer even if you forget the checks.  The reasons are:

  1. The return value is entirely based on the “file index” of the package (think: tar vtf data.tar.gz).  At no point does it use the file system to resolve the path.  Whether your malicious package trigger an undef warning based on the return value of index_resolved_index leaks nothing about the host machine.
    1. However, it does take safe symlinks into account and resolves them for you.  If you ask for ‘foo/bar’ and ‘foo’ is a symlink to ‘baz’ and ‘baz/bar’ exists in the package, you will get ‘baz/bar’.  If ‘baz/bar’ happens to be a symlink, then it is resolved as well.
    2. Bonus: You are much more likely to trigger the undef warning during regular testing, since it also happens if the file is simply missing.
  2. If you attempt to call “$path->open” without calling “$path->is_open_ok” first, Lintian can now validate the call for you and stop it on unsafe actions.

It also has the advantage of centralising the code for asserting safe access, so bugs in it only needs to be fixed in one place.  Of course, it is still possible to write unsafe code.  But at least, the new API is safer by default and (hopefully) more convenient to use.


[0] Lintian.debian.org being the primary exception here.

[1] This is in contrast to e.g. piuparts, which very much trusts its input packages by handing the package root access (albeit chroot’ed, but still).

[2] And also a bug.  Not all binary packages have a copyright – instead some while have a symlink to another package.

[3] The code is hand-typed into the blog without prior testing (not even compile testing it).  The code may be subject to typos, brown-paper-bag bugs etc. which are all disclaimed (of course).

[4] Fun fact, our documented example for doing it “correctly” prior to implementing is_ancestor_of was in fact not correct.  It used the root path in a regex (without quoting the root path) – fortunately, it just broke lintian when your TMPDIR / LINTIAN_LAB contained certain regex meta-characters (which is pretty rare).

Still more vulnerabilities in bash? Shellshock becomes whack-a-mole

Ars Technica - Sat, 27/09/2014 - 04:00
It's now bash-a-mole. Sakura - flickr.com

Remember when we said that a new patch had fixed the problems with the last patch to fix the rated-highly-dangerous “Shellshock” bug in the GNU Bourne Again Shell (bash)? You know, that bug that could allow an attacker to remotely execute code on a Linux or Unix system running some configurations of Apache, or perhaps the Git software version control system, DHCP network configuration or any number of other pieces of software that use bash to interact with the underlying operating system? Well, the new patch may not be a complete fix—and there may be vulnerabilities all the way down in the bash code.

Here's how the Shellshock vulnerability works, in a nutshell: an attacker sends a request to a Web server (or Git, a DHCP client, or anything else affected) that uses bash internally to interact with the operating system. This request includes data stored in an environmental variable. Environmental variables are like a clipboard for operating systems, storing information used to help it and software running on it know where to look for certain files or what configuration to start with. But in this case, the data is malformed so as to trick bash into treating it as a command, and that command is executed as part of what would normally be a benign set of script. This ability to trick bash is the shellshock bug. As a result, the attacker can run programs with the same level of access as the part of the system launching a bash shell. And in the case of a web server, that's practically the same level of access as an administrator, giving the attacker a way to gain full control of the targeted system.

David A. Wheeler, a computer scientist who is an acknowledged expert in developing secure open-source code, posted a message to the Open Source Software Security (oss-sec) list this evening urging more changes to the bash code. And other developers have found that the current patch still has vulnerabilities similar to the original one, where an attacker could store malicious data in a variable named the same thing as frequently run commands.

Read 6 remaining paragraphs | Comments

Yahoo killing off Yahoo after 20 years of hierarchical organization

Ars Technica - Sat, 27/09/2014 - 00:55
Yahoo's homepage as it appeared in 1996 with the directory front and center.

As part of an ongoing effort to streamline and focus its business, Yahoo today announced that it was retiring its namesake product.

In January 1994, Jerry Yang and David Filo, graduate students at Stanford University, created a hierarchical directory of websites, "Jerry and David's Guide to the World Wide Web." In March of that year, they gave it the name "Yahoo!," for "Yet Another Hierarchical Officious Oracle."

In the early days of the Web, these categorized, human-curated Web listings were all the rage. Search engines existed, but rapidly became notorious for their poor result quality. On a Web that was substantially smaller than the one we enjoy today, directories were a useful alternative way of finding sites of interest.

Read 2 remaining paragraphs | Comments

Syndicate content