[Info-vax] Some of what I'm reading...
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Sat Jul 13 00:30:09 EDT 2019
On 2018-05-12 20:35:17 +0000, Stephen Hoffman said:
> FWIW... Some interesting topics, and some topics related to recent
> discussions here in the comp.os.vms newsgroup. Some relevant to
> OpenVMS. Some not.
RAMBleed:
https://rambleed.com
The most recent OpenSSH has taken some steps to mitigate against
RAMBleed, Spectre, and ilk, by keeping the private keys encrypted when
not in immediate use.
https://marc.info/?l=thn&m=156109087822676
Hacking into a hardware security module (HSM):
https://cryptosense.com/blog/how-ledger-hacked-an-hsm/
In some organizations, HSMs are used as vaults for sensitive
information such as private keys and passwords.
Yet another supply-chain attack, this time against some Android devices:
https://arstechnica.com/information-technology/2019/06/google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices/
"The Influence of Organizational Structure on Software Quality: an
Empirical Case Study"
https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/tr-2008-11.pdf
"the organizational metrics when applied to data from Windows Vista
were statistically significant predictors of failure-proneness."
x86 Rust-based OS paging intro—some background for how another
operating system implements virtual memory paging and memory protection
on x86, for those interested in details:
https://os.phil-opp.com/paging-introduction/
"Zanzibar: Google’s Consistent, Global Authorization System"
https://ai.google/research/pubs/pub48190
"Zanzibar scales to trillions of access control lists and millions of
authorization requests per second to support services used by billions
of people. It has maintained 95th-percentile latency of less than 10
milliseconds and availability of greater than 99.999% over 3 years of
production use."
Some cryptography source code programming examples:
http://www.herongyang.com/Cryptography/
C++11 and multi-threading, given a C++11 compiler implementation is
planned for VSI OpenVMS x86-64...
https://stackoverflow.com/questions/6319146/c11-introduced-a-standardized-memory-model-what-does-it-mean-and-how-is-it-g
KLEE, automated test coverage using LLVM compilers:
https://klee.github.io
"Netflix has identified several TCP networking vulnerabilities in
FreeBSD and Linux kernels."
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
There's no reproducer/test available quite yet, but that'll undoubtedly
be posted online (somewhere) fairly soon...
"TaxDC: A Taxonomy of Non-Deterministic Concurrency Bugs in Datacenter
Distributed Systems"
"We present TaxDC, the largest and most comprehensive taxonomy of
non-deterministic concurrency bugs in distributed systems..."
https://ucare.cs.uchicago.edu/pdf/asplos16-TaxDC.pdf
Wanna learn vim?
https://github.com/jmoon018/PacVim
In addition to the existing MiTM Proxy, there's now PolarProxy:
https://www.netresec.com/?page=PolarProxy
VSI OpenVMS with VAFS is incompatible with host-based volume shadowing
(host-based RAID-1):
"The new file system will support disks > 2TB. Shadowing doesn't, and
cannot without a lot of work."
https://groups.google.com/d/msg/comp.os.vms/Xgy7-vqgByc/v53aDpFhCAAJ
(The addressing limit here is technically 2 TiB, and not 2 TB.)
Cloud hosting for security-conscious customers is very big business.
This particular cloud-hosting contract process has been going for a
while for those that might have missed earlier discussions, too.
Oracle, Amazon AWS, Microsoft Azure, IBM, and US DoD contracts:
"Yesterday, I had a story taken down on Forbes for a post about Jedi DoD"
"Title: Modern Star Wars: JEDI, the Dark Side and the Fight for the
Future of the Military"
https://medium.com/@furrier/yesterday-i-had-a-story-taken-down-on-forbes-for-a-post-about-jedi-dod-33675fd89a01
Some other related reading:
https://www.lite1065.com/2019/06/19/amazon-pentagon-accused-of-swampy-dealings-over-10b-contract/
https://www.washingtonpost.com/business/2019/04/10/pentagon-cloud-contract-investigation-uncovers-potential-ethical-violations-narrows-competition-two/?utm_term=.d8115b7d3744
https://fcw.com/articles/2019/06/21/jedi-lawsuit-oracle-aws.aspx
ps: There's a nasty Firefox bug around, and one that's reportedly being
exploited in targeted attacks. Patch to current, if you're using
Firefox or Firefox ESR...
--
Pure Personal Opinion | HoffmanLabs LLC
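The OpenSSH item above mentions keeping private keys encrypted in memory when they are not in immediate use. The following is an added illustration of that idea, not OpenSSH's code and not anything from this post: a private key is held only in wrapped form, the wrapping key is derived from a large random "prekey" so that it depends on every byte of it, and the key is unwrapped only for the duration of one operation. The prekey size, the SHA-512/HMAC-SHA256 counter-mode keystream, and the `ShieldedKey` / `corrupt_prekey` / `demo` names are assumptions of this example; a production implementation would use a standard cipher such as AES-CTR and explicit memory scrubbing.

```python
import hashlib
import hmac
import secrets

# Constructed parameter for this example: a large prekey makes the derived
# wrapping key depend on all of these bytes, so an attacker who recovers only
# a fraction of them through a memory side channel gains nothing usable.
PREKEY_BYTES = 16 * 1024


def _keystream(prekey: bytes, length: int) -> bytes:
    """Derive a keystream of `length` bytes from the whole prekey.

    Illustrative construction (assumption of this example): hash the entire
    prekey with SHA-512, then expand the digest with HMAC-SHA256 in counter
    mode. A real implementation would use a standard cipher such as AES-CTR.
    """
    wrapping_key = hashlib.sha512(prekey).digest()
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(wrapping_key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ShieldedKey:
    """Holds a private key only in wrapped form between uses."""

    def __init__(self, private_key: bytes) -> None:
        self._prekey = secrets.token_bytes(PREKEY_BYTES)
        self._wrapped = _xor(private_key, _keystream(self._prekey, len(private_key)))

    def use(self, operation):
        """Unwrap the key, run `operation` on it, then discard the plaintext."""
        plain = bytearray(_xor(self._wrapped, _keystream(self._prekey, len(self._wrapped))))
        try:
            return operation(bytes(plain))
        finally:
            # Best-effort scrubbing: CPython may keep other copies (e.g. the
            # bytes() object handed to `operation`), so this is weaker than
            # an explicit_bzero() in C.
            for i in range(len(plain)):
                plain[i] = 0

    def plaintext_resident(self, private_key: bytes) -> bool:
        """True if the raw key bytes sit in either stored field."""
        return private_key in self._wrapped or private_key in self._prekey


def corrupt_prekey(shielded: ShieldedKey, bit_index: int) -> None:
    """Flip one bit of the prekey. This shows the wrapping key depends on every
    bit of the prekey, which is why partial recovery of it does not help an
    attacker (and why a disturbance error in it makes the key unrecoverable)."""
    buf = bytearray(shielded._prekey)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    shielded._prekey = bytes(buf)


def demo() -> dict:
    # Constructed sample key; any byte string stands in for a real private key.
    private_key = secrets.token_bytes(32)
    shielded = ShieldedKey(private_key)
    recovered = shielded.use(lambda k: k)
    resident = shielded.plaintext_resident(private_key)
    corrupt_prekey(shielded, 12345)
    after_fault = shielded.use(lambda k: k)
    return {
        "roundtrip_ok": recovered == private_key,
        "plaintext_resident": resident,
        "fault_breaks_unwrap": after_fault != private_key,
    }


if __name__ == "__main__":
    print(demo())
```

The defensive point is in `plaintext_resident()`: between operations neither stored field contains the key, so a read primitive that leaks memory slowly and partially has to recover the whole 16 KB prekey intact before it learns anything, instead of a few contiguous bytes of key material.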