November 10, 2016
The Rowhammer exploit has been known since at least 2014, but only in the last few months has it looked like this exploit may show up in the wild.
Row hammer (also written as rowhammer) is an unintended side effect in dynamic random-access memory (DRAM) that causes memory cells to leak their charges and interact electrically between themselves, possibly altering the contents of nearby memory rows that were not addressed in the original memory access. This circumvention of the isolation between DRAM memory cells results from the high cell density in modern DRAM, and can be triggered by specially crafted memory access patterns that rapidly activate the same memory rows numerous times.
Memory protection, as a way of preventing processes from accessing memory that has not been assigned to each of them, is one of the concepts behind most modern operating systems. By using memory protection in combination with other security-related mechanisms such as protection rings, it is possible to achieve privilege separation between processes, in which programs and computer systems in general are divided into parts limited to the specific privileges they require to perform a particular task. Using privilege separation can also reduce the extent of potential damage caused by computer security attacks by restricting their effects to specific parts of the system. [wikipedia]
In other words: switching to another operating system or patching it may not solve the problem, because the root of the problem lies in the memory chips which every computer contains. An article on wired.com describes it like this:
Both of those new attacks use a technique Google researchers first demonstrated last March called “Rowhammer.” The trick works by running a program on the target computer, which repeatedly overwrites a certain row of transistors in its DRAM flash memory, “hammering” it until a rare glitch occurs: Electric charge leaks from the hammered row of transistors into an adjacent row. The leaked charge then causes a certain bit in that adjacent row of the computer’s memory to flip from one to zero or vice versa. That bit flip gives you access to a privileged level of the computer’s operating system.
lwn.net is reporting that Linux kernel developers are trying to mitigate the exploit:
An intriguing alternative turned up on the linux-kernel list, though its nature wasn’t immediately clear. Pavel Machek asked a question that raised some eyebrows: “I’d like to get an interrupt every million cache misses… to do a printk() or something like that.” Developers naturally wondered what he was up to. The answer turns out to be an in-kernel Rowhammer defense.
September 27, 2016
Infoq.com has a nice little intro and tutorial to reactive programming in Java with the RxJava library.
- Reactive programming is a specification for dealing with asynchronous streams of data
- Reactive provides tools for transforming and combining streams and for managing flow-control
- Marble diagrams provide an interactive canvas for visualizing reactive constructs
- Resembles Java Streams API but the resemblance is purely superficial
- Attach to hot streams to attenuate and process asynchronous data feeds
Also, you should check out the RxMarbles website, which interactively visualizes the reactive functions.
September 8, 2016
Mozilla has an interesting project called FlyWeb. If you want to know what it is about and why you should have a look at it, watch this video:
This specification aims to allow web applications to connect with and communicate to each other over local-area transport protocols. In particular, this specification aims to bring the web’s client/server application model to inter-device communication. The web’s application architecture enables an application running on a server to dynamically and incrementally send application state and logic to an intermittently connected client. This model enables a powerful multi-homed application architecture.
July 12, 2016
Matthew Garrett blogged about how the review system on Amazon can be gamed by companies via free or discounted products.
It’s hard to avoid the conclusion that Amazon’s review model is broken, but it’s not obvious how to fix it. When search ranking is tied to reviews, companies have a strong incentive to do whatever it takes to obtain positive reviews. What we’re left with for now is having to laboriously click through a number of products to see whether their rankings come from thoughtful and detailed reviews or are just a mass of 5 star one liners.
The whole blog article contains a lot of interesting details.
April 12, 2016
The article touches on everything from:
- What’s a framework? Do I need to use trendy.js?
- How do I use other people’s code?
- Do I need Node.js?
- What are my build tools?
- How do I test my code?
- So how do I get started?
April 2, 2016
Today I want to document how I enabled HTTPS on a website hosted on a server running Debian jessie, using the Let's Encrypt project.
The first step is, obviously, to install the letsencrypt package. Obviously enough, a search for the package (i.e. apt-cache search letsencrypt) shows that this package is not available in the Debian jessie distribution. But thanks to the official Debian Backports project, we can get the package anyway. Just follow the instructions on the website, and then a simple command (apt-get -t jessie-backports install letsencrypt) installs our beloved letsencrypt package.
If you are using Apache like me, you should also install the Apache plugin for letsencrypt (apt-get -t jessie-backports install python-letsencrypt-apache) and the libaugeas0 library (apt-get install libaugeas0).
After this, changing your HTTP website to HTTPS is easily done via: letsencrypt --apache -d subdomain.example.net . This command asks you some questions and after that, voilà, everything is done. No need for any additional configuration.
More information on how to use the letsencrypt client or how to install it on other systems can be found in this PDF documentation.
Beware: I don't know whether the renewal of the certificates is done automatically. If they expire and I have to renew them, I will update this article with how to do it.
P.S.: If you are using ownCloud and you are struggling to tell your Linux ownCloud client to use https instead of http: don't wrestle with the graphical interface, it won't allow you to. Just edit the ownCloud config file /home/<YOURUSER>/.local/share/data/ownCloud/owncloud.cfg by changing the url from http to https.
P.P.S.: You can use the online SSL Server Test service to validate your HTTPS website and get information about how it is configured and whether it is vulnerable.
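The steps above (backports, the three packages, the letsencrypt run, and the ownCloud P.S.) collected into checkable shell functions, with an expiry check for the issued certificate added because the post leaves renewal open. This is an added example, not code from the post or from the Let's Encrypt project; it assumes GNU date (as on Debian), apt-get's -y flag, and the standard /etc/letsencrypt/live/<domain>/ location of the issued chain.

```shell
#!/bin/sh
# Added example, not from the original post: the Debian jessie steps as
# checkable shell functions, plus an expiry check for the issued certificate.
set -e

# Step 0: "-t jessie-backports" only works if the backports repository is
# configured; check the given sources files before trying.
backports_configured() {
    grep -qs '^deb .*jessie-backports' "$@"
}

# Steps 1 and 2: the client, the Apache plugin and libaugeas0, exactly the
# packages named in the post (needs root).
install_letsencrypt() {
    backports_configured /etc/apt/sources.list /etc/apt/sources.list.d/*.list \
        || { echo "jessie-backports is not configured" >&2; return 1; }
    apt-get update
    apt-get -t jessie-backports install -y letsencrypt python-letsencrypt-apache
    apt-get install -y libaugeas0
}

# Step 3: obtain the certificate and let the Apache plugin rewrite the vhost.
obtain_certificate() {
    letsencrypt --apache -d "$1"
}

# Whole days until the certificate in PEM file $1 expires (rounded down,
# so 0 or less means "renew now"). Let's Encrypt keeps the live chain under
# /etc/letsencrypt/live/<domain>/fullchain.pem. GNU date is assumed.
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

# P.S. step: point the ownCloud desktop client at https by rewriting the
# url= entry in owncloud.cfg ($1) in place, since the GUI will not allow it.
owncloud_use_https() {
    sed -i 's#\(url=\)http://#\1https://#' "$1"
}
```

Run cert_days_left from cron against the live chain to catch an expiring certificate before browsers do.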
March 30, 2016
Today I stumbled upon a CSS attribute selector which made me think.
The interesting thing here is the [class] part of the CSS. If I understand correctly, this means that elements which have a class attribute should be selected. I understand why someone might be interested in styling all images with alt attributes differently: img[alt]. But is there any legitimate use of [class]? Because this only says: select elements which have a class assigned. It does not even check WHICH class; it just selects every element that has any class at all. And it gets weirder when it is combined with a specific class like fooClass in this example. Does anybody have an idea what this means?
March 26, 2016
In this blog post I want to summarize my investigations into problems with suspend on my Lenovo T460 notebook. (Note: this problem seems to also exist with the Lenovo T460s notebooks. More information about Debian on the T460 can be found here.)
(The information here is verified with a Debian testing installation with kernel version 4.4. The problem is reported by people using other distributions too.)
What is the problem and how can you reproduce it?
- If the device is on AC power, closing the lid causes the notebook to suspend. This works perfectly; in other words, the notebook wakes up after opening the lid and is usable.
- If the notebook is on battery, closing the lid causes the notebook to freeze. In other words: if I open the lid again, everything is frozen. Not only the UI, but I'm also not able to switch to TTY1, TTY2, etc.
- Interestingly enough, manually suspending with systemctl suspend works without a glitch.
I reported this problem on the Debian forums and the ThinkPad subreddit.
There is an entry in the kernel bug tracker: Bug 113551 – intel_pstate=no_hwp else Thinkpad T460s freezes on lid close on battery power. The bug entry indicates that the problem is also found in kernel versions up to 4.5.0-rc6. It also looks like the source of the problem has been found and patches are being tested. I also filed a Debian bug entry for this problem, as was suggested to me when asking in the Debian IRC channel.
So it seems that newer kernel versions won't have this problem. Until then there is a workaround: add the intel_pstate=no_hwp parameter to the GRUB_CMDLINE_LINUX_DEFAULT line of the /etc/default/grub file. Attention: don't forget to run update-grub after every change to this file. Also: this may cause your notebook to use more power; the battery may drain faster.
I will try to update this blog post as more information or changes in the status of this problem come up. I may even try to patch the Debian kernel and test whether this fixes the suspend problem.
Update 2016-04-28: After upgrading to the Debian 4.5.1-1 (2016-04-14) x86_64 GNU/Linux kernel, the suspend problem is gone. I can close the lid while on battery and the notebook goes into suspend and comes back correctly.
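The workaround above as an idempotent script, added here and not part of the original post: it appends intel_pstate=no_hwp to GRUB_CMDLINE_LINUX_DEFAULT only once (handling both an empty and a populated line), reminds you of update-grub, and checks /proc/cmdline after the reboot so you can confirm the parameter actually took effect. It assumes GNU sed (as on Debian) and that the grub defaults file uses the usual double-quoted form.

```shell
#!/bin/sh
# Added example, not from the original post: apply the intel_pstate=no_hwp
# workaround idempotently and verify it is active on the running kernel.
set -e

PARAM="intel_pstate=no_hwp"

# Append $PARAM to GRUB_CMDLINE_LINUX_DEFAULT in the grub defaults file $1
# (normally /etc/default/grub) unless it is already present.
add_kernel_param() {
    f="$1"
    if grep -q "^GRUB_CMDLINE_LINUX_DEFAULT=.*$PARAM" "$f"; then
        return 0                      # already there, nothing to do
    fi
    # First expression: a populated line gets " $PARAM" before the closing
    # quote; second expression: an empty "" line gets just "$PARAM". The
    # order matters, otherwise the second would re-match the first's output.
    sed -i \
        -e "s/^\(GRUB_CMDLINE_LINUX_DEFAULT=\"[^\"]\{1,\}\)\"/\1 $PARAM\"/" \
        -e "s/^\(GRUB_CMDLINE_LINUX_DEFAULT=\)\"\"/\1\"$PARAM\"/" "$f"
    # Fail loudly (set -e) if the edit did not take, e.g. unquoted value.
    grep -q "^GRUB_CMDLINE_LINUX_DEFAULT=.*$PARAM" "$f"
}

# Print the resulting line for eyeballing before running update-grub.
show_cmdline_default() {
    grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$1"
}

# True when the booted kernel's command line ($1, default /proc/cmdline)
# carries the parameter, i.e. the workaround is really in effect.
param_active() {
    grep -qw "$PARAM" "${1:-/proc/cmdline}"
}

# The full procedure on a real system (needs root); call it explicitly.
apply_workaround() {
    add_kernel_param /etc/default/grub
    update-grub                       # the post's "don't forget" step
    echo "reboot, then run param_active to confirm the parameter is live"
}
```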
March 25, 2016
In this InfoQ.com video presentation, “Functional Programming You Already Know”, Kevlin Henney tries to reveal functional programming patterns where you would not expect them (e.g. in Excel, the world's most widely used functional programming language). The presentation starts a little slowly, but it's worth your time.