HUP article roundup

Cloudbleed: CloudFlare leaked passwords, 2FA secrets, full HTML in plaintext.

Big-name websites leaked people's private session keys and personal information into strangers' browsers, due to a Cloudflare bug uncovered by Google researchers.
As we'll see, a single character – '>' rather than '=' – in Cloudflare's software source code sparked the security blunder.

This leak was triggered when webpages had a particular combination of unbalanced HTML tags, which confused Cloudflare's proxy servers and caused them to spit out data belonging to other people – even if that data was protected by HTTPS.

It may yet turn out that serving 20% of the internet through a single company is not such a good idea after all...

https://www.theregister.co.uk/2017/02/24/cloudbleed_buffer_overflow_bug…
https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cl…

Shattered: The first SHA-1 collision

We have broken SHA-1 in practice.
This industry cryptographic hash function standard is used for digital signatures and file integrity verification, and protects a wide spectrum of digital assets, ranging from credit card transactions, electronic documents, open-source software repositories and software updates.
It is now practically possible to craft two colliding PDF files and obtain a SHA-1 digital signature on the first PDF file which can also be abused as a valid signature on the second PDF file.
For example, by crafting the two colliding PDF files as two rental agreements with different rent, it is possible to trick someone to create a valid signature for a high-rent contract by having him or her sign a low-rent contract.

https://shattered.it/
https://security.googleblog.com/2017/02/announcing-first-sha1-collision…

GitLab.com melts down after wrong directory deleted, backups fail

On Tuesday evening, Pacific Time, the startup issued a sobering series of tweets we've listed below. Behind the scenes, a tired sysadmin, working late at night in the Netherlands, had accidentally deleted a directory on the wrong server during a frustrating database replication process: he wiped a folder containing 300GB of live production data that was due to be replicated.

Just 4.5GB remained by the time he canceled the rm -rf command. The last potentially viable backup was taken six hours beforehand.

Source: https://www.theregister.co.uk/2017/02/01/gitlab_data_loss
Livedoc: https://docs.google.com/document/d/1GCK53YDcBWQveod9kfzW-VCxIABGiryG7_z…
GitLabStatus: https://twitter.com/gitlabstatus

Gmail will block emails with .js attachments starting February 13

From February 13, .js (JavaScript) joins the list of banned file types. The full list then contains the following extensions:

.ADE, .ADP, .BAT, .CHM, .CMD, .COM, .CPL, .EXE, .HTA, .INS, .ISP, .JAR, .JS, .JSE, .LIB, .LNK, .MDE, .MSC, .MSP, .MST, .PIF, .SCR, .SCT, .SHB, .SYS, .VB, .VBE, .VBS, .VXD, .WSC, .WSF, .WSH

The block also applies to incoming messages, i.e. Gmail bounces the email back to the sender if it contains an attachment with a blocked file extension.

Source: https://gsuiteupdates.googleblog.com/2017/01/gmail-will-restrict-js-fil…

Apple Inc: A Pre-Mortem

It is not easy to evaluate a company I love as if they have failed. I have spent tens of thousands of dollars on Apple products, and devoted countless hours studying, admiring and defending the company. However, I started noticing too many uncharacteristic cracks, and I realised turning a blind eye would not help Apple. This brought to mind some sage advice from an old friend:

| The Apple community is making a mistake; they take what Apple does and then try to prove it’s good. Instead, they should judge it on its own merit — Apple’s customers have no problem doing that.

Ref: Apple Inc: A Pre-Mortem