July 2020 - wlug - University of Waikato Mail Lists

by David McNab

Hi, Has anyone had experience with configuring Postfix to allow inbound client SMTP connections from NZ-based IP addresses that have been Policy Block Listed (PBL'ed) by their ISP? Spark have PBL'ed most or all of their home and small business fibre/*DSL connection IP addresses. 2degrees have PBL'ed most/all of their cellular data IP addresses. I'm trying to support a user to send email from their cellphone email client. Cheers David

1 week, 2 days

4
5
0 0

Bug In Grub2 Breaks Secure Boot (Yawn)

by Lawrence D'Oliveiro

Seems a vulnerability has been found in everyone’s favourite bootloader <https://arstechnica.com/information-technology/2020/07/new-flaw-neuters-sec…> which allows a bypass of the “Secure Boot” mechanism in modern UEFI-based machines. But given that so many other bypasses already exist, nobody seems especially worried about this. For example, the article references an attempt by Microsoft to revoke the certification of (an obsolete version of) a secure bootloader from Kaspersky Lab with a vulnerability in it; the revocation caused so many headaches for users that it had to be rolled back.

1 week, 4 days

1
0
0 0

NZ Govt Unveils “Algorithm Charter”

by Lawrence D'Oliveiro

The Charter <https://www.theregister.com/2020/07/28/new_zealand_algorithm_charter/> requires Government departments who sign on to it to “maintain transparency” about the algorithms they use, but does not make them reveal the actual details of these algorithms. Nor does it explain what it means by an “algorithm”.

1 week, 5 days

2
2
0 0

NoiseTorch

by Peter Reutemann

Hi everyone Angus mentioned NoiseTorch at last night's meeting as a way of avoiding noise from being recorded when using microphones: 'NoiseTorch is an easy to use open source application for Linux with PulseAudio. It creates a virtual microphone that suppresses noise, in any application. Use whichever conferencing or VOIP application you like and simply select the NoiseTorch Virtual Microphone as input to torch the sound of your mechanical keyboard, computer fans, trains and the likes.' -- source: https://github.com/lawl/NoiseTorch Cheers, Peter -- Peter Reutemann Dept. of Computer Science University of Waikato, NZ +64 (7) 858-5174 http://www.cms.waikato.ac.nz/~fracpete/ http://www.data-mining.co.nz/

1 week, 6 days

1
0
0 0

Hackers Stole GitHub and GitLab OAuth Tokens From Git Analytics Firm Waydev

by Peter Reutemann

'Waydev, an analytics platform used by software companies, has disclosed a security breach that occurred earlier this month. From a report: The company says that hackers broke into its platform and stole GitHub and GitLab OAuth tokens from its internal database. Waydev, a San Francisco-based company, runs a platform that can be used to track software engineers' work output by analyzing Git-based codebases. To do this, Waydev runs a special app listed on the GitHub and GitLab app stores. When users install the app, Waydev receives an OAuth token that it can use to access its customers' GitHub or GitLab projects. Waydev stores this token in its database and uses it on a daily basis to generate analytical reports for its customers. Waydev CEO and co-founder Alex Circei told ZDNet today in a phone call that hackers used a blind SQL injection vulnerability to gain access to its database, from where they stole GitHub and GitLab OAuth tokens. The hackers then used some of these tokens to pivot to other companies' codebases and gain access to their source code projects.' -- source: https://tech.slashdot.org/story/20/07/27/1918237 Cheers, Peter -- Peter Reutemann Dept. of Computer Science University of Waikato, NZ +64 (7) 858-5174 http://www.cms.waikato.ac.nz/~fracpete/ http://www.data-mining.co.nz/

1 week, 6 days

1
0
0 0

meeting suggestions?

by Peter Reutemann

Hi everyone For our first in-person meeting after the lockdown on July 27th, any ideas for topics? Cheers, Peter -- Peter Reutemann Dept. of Computer Science University of Waikato, NZ +64 (7) 858-5174 http://www.cms.waikato.ac.nz/~fracpete/ http://www.data-mining.co.nz/

2 weeks

3
3
0 0

World’s Fastest Computer Is ARM

by Lawrence D'Oliveiro

Looking at the June Top500 list <https://top500.org/lists/top500/list/2020/06/>, the current number 1, Japan’s Fugaku, uses over 7 million A64FX cores and close to 5 petabytes of RAM. Numbers 2 and 3 are based on IBM’s POWER architecture, while number 4 is a Chinese RISC-based machine, which might have some resemblance to the DEC Alpha <https://en.wikipedia.org/wiki/Sunway_(processor)>, or MIPS, or not. It’s not until 5th place does x86 make an appearance.

2 weeks, 1 day

1
0
0 0

Popular Chinese-Made Drone Is Found To Have Security Weakness

by Peter Reutemann

'Cybersecurity researchers revealed on Thursday a newfound vulnerability in an app that controls the world's most popular consumer drones, threatening to intensify the growing tensions between China and the United States. From a report: In two reports, the researchers contended that an app on Google's Android operating system that powers drones made by China-based Da Jiang Innovations, or DJI, collects large amounts of personal information that could be exploited by the Beijing government. Hundreds of thousands of customers across the world use the app to pilot their rotor-powered, camera-mounted aircraft. The world's largest maker of commercial drones, DJI has found itself increasingly in the cross hairs of the United States government, as have other successful Chinese companies. The Pentagon has banned the use of its drones, and in January the Interior Department decided to continue grounding its fleet of the company's drones over security fears. DJI said the decision was about politics, not software vulnerabilities. For months, U.S. government officials have stepped up warnings about the Chinese government's potentially exploiting weaknesses in tech products to force companies there to give up information about American users. Chinese companies must comply with any government request to turn over data, according to American officials. "Every Chinese technology company is required by Chinese law to provide information they obtain, or information stored on their networks, to Chinese authorities if requested to do so," said William R. Evanina, director of the National Counterintelligence and Security Center. "All Americans should be concerned that their images, biometrics, locational and other data stored on Chinese apps must be turned over to China's state security apparatus." The drone vulnerability, said American officials, is the kind of security hole that worries Washington.' -- source: https://it.slashdot.org/story/20/07/23/1437214 Cheers, Peter -- Peter Reutemann Dept. of Computer Science University of Waikato, NZ +64 (7) 858-5174 http://www.cms.waikato.ac.nz/~fracpete/ http://www.data-mining.co.nz/

2 weeks, 3 days

1
0
0 0

Fawkes: Protecting Privacy against Unauthorized Deep Learning Models

by Lawrence D'Oliveiro

This paper <http://people.cs.uchicago.edu/%7Eravenben/publications/abstracts/fawkes-use…>, presented at USENIX Security 2020, discusses techniques for allowing you to continue to share images of yourself online while making them resistant to automated exploitation by “deep-learning” facial-recognition software. The researchers found that they could make subtle distortions to facial images, imperceptible to the human eye, that would severely confuse recognition services from major providers like Microsoft and Amazon. (Found from Bruce Schneier <https://www.schneier.com/blog/archives/2020/07/fawkes_digital_.html>.)

2 weeks, 4 days

1
0
0 0

We test Mozilla’s new Wireguard-based $5/mo VPN service

by Peter Reutemann

'Mozilla, the open source company best known for the Firefox Web browser, made its VPN service generally available in the United States this month. The cross-platform VPN is based on Wireguard and delivered in partnership with well-known and especially techie-friendly VPN provider Mullvad. Mullvad itself was, to the best of our knowledge, the first publicly available VPN provider to offer Wireguard support back in 2017. The Mozilla VPN service costs $4.95 per month and offers server endpoints in 30-plus countries. It currently has VPN clients available for Windows 10, Android, and iOS—but users of other operating systems, such as MacOS and Linux, are going to have to wait. Mozilla says that support for MacOS and Linux is coming soon—but unfortunately, even if you're an advanced user who understands Wireguard configs, you can't just roll your own connection now. The service authenticates via Firefox cloud account. When you sign up for a Mozilla VPN subscription, you'll be asked to create a Firefox account if you don't already have one. The Firefox account is an SSO (Single Sign On) service which uses oauth2, much like a Google account—but it's not tied to a Google account, so even if you sign up using a Gmail address tied to an Android device, that device won't be automatically logged in. Aside from the Firefox-based oauth2 integration, Mozilla's VPN appears to effectively be a Mullvad VPN, with a different client application and different billing entity. It is a bit less expensive through Mozilla, though—Mullvad costs €5 per month. This makes Mozilla's offering about $0.80 per month cheaper, at current exchange rates.' -- source: https://arstechnica.com/gadgets/2020/07/we-test-mozillas-new-wireguard-base… Cheers, Peter -- Peter Reutemann Dept. of Computer Science University of Waikato, NZ +64 (7) 858-5174 http://www.cms.waikato.ac.nz/~fracpete/ http://www.data-mining.co.nz/

2 weeks, 4 days

1
0
0 0

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

wlug July 2020