This Week In Security: F5, Novel Ransomware, Freta, And Database Woes

The big story of the last week is a problem in F5’s BIG-IP devices. A rather trivial path traversal vulnerability allows an unauthenticated user to call endpoints that are intended to be restricted to authenticated users. That attack can apparently be as simple as:

'https://[F5 Host]/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+auth+user+admin'

A full exploit has been added to the Metasploit framework. The timeline on this bug is frighteningly quick, as it’s apparently being actively exploited in the wild. F5 devices are used all over the world, and this vulnerability requires no special configuration, just access to the open management port. Thankfully F5 devices don’t expose the vulnerable interface to the internet by default, but there are still plenty of ways this can be a problem.

Freta

Microsoft has made a new tool publicly available, Freta. This tool searches for rootkits in uploaded memory snapshots from a Linux VM. The name, appropriately, is taken from the street where Marie Curie was born.

The project’s namesake, Warsaw’s Freta Street, was the birthplace of Marie Curie, a pioneer of battlefield imaging.

The impetus behind the project is the realization that once a malicious actor has compromised a machine, it’s possible to compromise any security software running on that machine. If, instead, one could perform a security x-ray of sorts, then a more reliable conclusion could be reached. Freta takes advantage of the VM model, and the snapshot capability built into modern hypervisors.


Debugging For Sed — No Kidding

If you do much Linux shell scripting, you’ve probably encountered sed — the stream editor — in an example. Maybe you’ve even used it yourself. If all you want to do is substitute text, it is easy and efficient. But if you try to do really elaborate editing, it is often difficult to get things right. The syntax is cryptic and the documentation is lacking. But thanks to [SoptikHa2] you can now debug sed scripts with a text-based GUI debugger. Seriously.

According to the author, the program has several notable features:

  • Preview variable values, both of them!
  • See how a substitute command will affect pattern space before it runs
  • Step through sed script – both forward and backward!
  • Place breakpoints and examine program state
  • Hot reload and see what changes as you edit source code
  • Its name is a palindrome

There’s only one word for that last feature: wow.


Windows 3.1 Screensavers, Now On Twitter

Back in the early dawn of the GUI age, cathode ray tubes were the dominant display technology for the personal computer. Screensavers were devised to prevent burn-in of static display elements. Out of love for the software of yesteryear, [Greg Kennedy] has put together a bot that posts Windows 3.1 screensavers on Twitter.

A Perl script runs the show in this case. Screensavers are packed into “units”, which are loaded by the script. A basic Windows 3.1 environment is then configured, and loaded into a specially patched DOSBOX that allows automated demo recording in a headless environment. Once up and running, video is recorded of the desktop and subsequent triggering of the screensaver. After a couple of minutes, the recording is stopped, and FFMPEG is used to transcode the video into a Twitter-suitable format. It’s then a simple job of Tweeting the video using the standard API.

It’s a fun project that makes sharing old screensavers easy. Be sure to check out the Twitter feed @dot_scr. If you’re addicted to the vintage aesthetic, try this Apple ][ screensaver hack on your Linux boxen. Video after the break.


What’s In A Name? Tales Of Python, Perl, And The GIMP

In the older days of open source software, major projects tended to have their Benevolent Dictators For Life who made all the final decisions, and some mature projects still operate that way. Guido van Rossum famously called his language “Python” because he liked the British comics of the same name. That’s the sort of thing that only a single developer can get away with.

However, in these modern times of GitHub, GitLab, and other collaboration platforms, community-driven decision making has become a more and more common phenomenon, shifting software development towards democracy. People begin to think of themselves as “Python programmers” or “GIMP users” and the name of the project fuses irrevocably with their identity.

What happens when software projects fork, develop apart, or otherwise change significantly? Obviously, to prevent confusion, they get a new name, and all of those “Perl Monks” need to become “Raku Monks”. Needless to say, what should be a trivial detail — what we’ve all decided to call this pile of ones and zeros or language constructs — can become a big deal. Don’t believe us? Here are the stories of renaming Python, Perl, and the GIMP.


C++20 Is Feature Complete; Here’s What Changes Are Coming

If you have an opinion about C++, chances are you either love it for its extensiveness and versatility, or you hate it for its bloated complexity and would rather stick to alternative languages on both sides of the spectrum. Either way, here’s your chance to form a new opinion about the language. The C++ standard committee has recently gathered to work on finalizing the language standard’s newest revision, C++20, deciding on all the new features that will come to C++’s next major release.

After C++17, this will be the sixth revision of the C++ standard, and the language has come a long way from its “being a superset of C” times. Frankly, when it comes to loving or hating the language, I haven’t fully made up my own mind about it yet. My biggest issue with it is that “programming in C++” can just mean so many different things nowadays, from a trivial “C with classes” style to writing code that will make Perl look like prose. C++ has become such a feature-rich and downright overwhelming language over all these years, and with all the additions coming with C++20, things won’t get easier. Although, they also won’t get harder. Well, at least not necessarily. I guess? Well, it’s complex, but that’s simply the nature of the language.

Anyway, the list of new features is long, combining all the specification proposals is even longer, and each and every one of these additions could fill its own, full-blown article. But to get a rough idea about what’s going to come to C++ next year, let’s have a condensed look at some of these major new features, changes, and additions that will await us in C++20. From better type checking and compiler error messages to Python-like string handling and plans to replace the #include system, there’s a lot at play here!


3D Printering: The Past And Future Of Prusa’s Slicer

If you own a desktop 3D printer, you’re almost certainly familiar with Slic3r. Even if the name doesn’t ring a bell, there’s an excellent chance that a program you’ve used to convert STLs into the G-code your printer can understand was using Slic3r behind the scenes in some capacity. While there have been the occasional challengers, Slic3r has remained one of the most widely used open source slicers for the better part of a decade. While some might argue that proprietary slicers have pulled ahead in some respects, it’s hard to beat free.

So when Josef Prusa announced his team’s fork of Slic3r back in 2016, it wasn’t exactly a shock. The company wanted to offer a slicer optimized for their line of 3D printers, and being big proponents of open source, it made sense they would lean heavily on what was already available in the community. The result was the aptly named “Slic3r Prusa Edition”, or as it came to be known, Slic3r PE.

Ostensibly the fork enabled Prusa to fine-tune print parameters for their particular machines and implement support for products such as their Multi-Material Upgrade, but it didn’t take long for Prusa’s developers to start fixing and improving core Slic3r functionality. As both projects were released under the GNU Affero General Public License v3.0, any and all of these improvements could be backported to the original Slic3r; but doing so would take considerable time and effort, something that’s always in short supply with community developed projects.

Since Slic3r PE still produced standard G-code that any 3D printer could use, soon people started using it with their non-Prusa printers simply because it had more features. But this served only to further blur the line between the two projects, especially for new users. When issues arose, it could be hard to determine who should take responsibility for them. All the while, the gap between the two projects continued to widen.

With a new release on the horizon that promised to bring massive changes to Slic3r PE, Josef Prusa decided things had reached a tipping point. In a recent blog post, he announced that as of version 2.0, their slicer would henceforth be known as PrusaSlicer. Let’s take a look at this new slicer, and find out what it took to finally separate these two projects.


Linux Fu: System Administration Made Easier

Linux can have a somewhat split personality. If you use it as a desktop OS, it has a lot of GUI tools, although sometimes you still need to access the command line. If you use it as a headless server, though, you probably ought to know your way around the command line pretty well. This is especially true if you don’t want to litter up your hard drive (and CPU) with X servers and other peculiarities of the graphical user interface.

Personally, I like the command line, but I am realistic enough to know that not everyone shares that feeling. I’ll also admit that for some tasks — especially those you don’t do very often — it is nice to have some helpful buttons and menus. There are several administration tools that you might be interested in using to handle administration tasks on your Linux machines. I’m going to look at two of them you might want to experiment with that both use a Web browser to provide their interface.
