
Mac

Apple of 2019 is the Linux of 2000

Filed under
GNU
Linux
Mac

Last week the laptop I use for macOS development said that there was an Xcode update available. I tried to install it, but it said that there was not enough free space available to run the installer. So I deleted a bunch of files and tried again. Still the same complaint. Then I deleted some unused VM images. Those would free a few dozen gigabytes, so it should have made things work. I even emptied the trash can to make sure nothing lingered around. But even this did not help; I still got the same complaint.

At this point it was time to get serious and launch the terminal. And, true enough, according to df the disk had only 8 gigabytes of free space even though I had just deleted over 40 gigabytes of files from it (using rm, not the GUI, so things really should have been gone). A lot of googling and poking later I discovered that all the deleted files had gone to "reserved space" on the file system. There was no way to access those files or delete them. According to the documentation, the operating system would delete those files "on demand as more space is needed". This was not very comforting, because the system most definitely was not doing that, and you'd think that Apple's own software would get this right.

After a ton more googling I managed to find a chat buried somewhere deep in Reddit which listed the magical incantation that purges reserved space. It consisted of running tmutil from the command line and giving it a bunch of command line arguments that did not seem to make sense or have any correlation to the thing that I wanted to do. But it did work, and eventually I got Xcode updated.

After my blood pressure dropped to healthier levels I got the strangest feeling of déjà vu. This felt exactly like using Linux in the early 2000s. Things break at random for reasons you can't understand and the only way to fix it is to find terminal commands from discussion forums, type them in and hope for the best. Then it hit me.

Critical Security Issue identified in iTerm2 as part of Mozilla Open Source Audit

Filed under
Mac
Moz/FF
Security

A security audit funded by the Mozilla Open Source Support Program (MOSS) has discovered a critical security vulnerability in the widely used macOS terminal emulator iTerm2. After finding the vulnerability, Mozilla, Radically Open Security (ROS, the firm that conducted the audit), and iTerm2’s developer George Nachman worked closely together to develop and release a patch to ensure users were no longer subject to this security threat. All users of iTerm2 should update immediately to the latest version (3.3.6) which has been published concurrent with this blog post.

Founded in 2015, MOSS broadens access, increases security, and empowers users by providing catalytic support to open source technologists. Track III of MOSS — created in the wake of the 2014 Heartbleed vulnerability — supports security audits for widely used open source technologies like iTerm2. Mozilla is an open source company, and the funding MOSS provides is one of the key ways that we continue to ensure the open source ecosystem is healthy and secure.

iTerm2 is one of the most popular terminal emulators in the world, and frequently used by developers. MOSS selected iTerm2 for a security audit because it processes untrusted data and it is widely used, including by high-risk targets (like developers and system administrators).

You can now use Apple Music on Linux without any hacks

Filed under
Linux
Mac

Apple Music is now available through a web browser, which means I’m pleased/obligated to report that you can now use the service on Linux!

Users on Ubuntu, Linux Mint and other distros just need to load beta.music.apple.com in a modern web browser (sorry, Lynx) and, et voilà: the ability to stream Apple Music on Linux.

Also: Here's How To Easily Use Apple Music From Any Linux Distribution

Proprietary Software Leftovers

Filed under
Microsoft
Software
Mac
Security
  • BuyDRM launches Linux support for DRM

    BuyDRM has announced Linux support for its MultiKey Server, a multi-DRM software platform specifically designed for deployments in remote or limited connectivity environments.

  • Some airlines are banning Apple’s MacBook Pros even if they weren’t recalled

    In June, Apple recalled the 2015 MacBook Pro with Retina Display, sold between September 2015 and February 2017, because the battery “may pose a fire safety risk,” and the FAA soon reminded airlines not to carry those laptops with defective batteries on board. But some airlines are now banning Apple laptops whether they’ve got a bad battery or not, as reported by Bloomberg.

  • More Airlines Ban MacBook Pros in Checked Luggage

    All 15-inch versions of Apple Inc.’s MacBook Pro must be carried in the cabin and switched off, Qantas said in a statement Wednesday. The rule went into effect Tuesday morning. Rival Virgin Australia Holdings Ltd. went further on Aug. 26, banning all Apple laptops from checked-in luggage.

  • Popular PDF app was quietly plonking malware onto Android phones

    The security smart folks note that the app itself doesn't appear to be a malicious one, but rather it contains a trojan that fetches spyware and other malware from a malicious server and then runs it on a victim's phone. This trojan, dubbed Necro.n, appears to have been sneaked into the app through the use of a legit-looking advertising library package.

    As such, the developers of the app, which has received some 100 million downloads, might not even realise their software is causing their users a malware headache.

  • [Cracker] Claims He Can ‘Turn Off 25,000 Cars’ At The Push Of A Button

    Your car’s immobilizer is supposed to be used for good. If a crook steals your car, it's possible for you to connect to the immobilizer, which tracks the vehicle and allows you to stop anyone from turning on the engine. But with one particular immobilizer - the U.K.-made SmarTrack tool from Global Telemetrics - an easy-to-hack vulnerability meant it was simple for researchers at Pen Test Partners to turn on the immobilizer permanently, without the customer knowing a thing.

    To prove it was possible, the researchers from British cybersecurity company Pen Test Partners hacked the vehicle of one of their own employees, disabling his car whilst they were in the U.K. and he was in Greece, not long before he was due to head to a wedding.

  • French cyberpolice, Avast and FBI neutralise global 'botnet' [iophk: Windows TCO]

    French police have neutralised a [cracking] operation that had taken control of more than 850,000 computers, mainly in Latin America, while also managing to remove the malware from the infected devices.

    The agents went into action last spring after the Czech antivirus firm Avast alerted them to the software worm, called Retadup, that was being controlled by a server in the Paris region.

  • Putting an end to Retadup: A malicious worm that infected hundreds of thousands [iophk: Windows TCO]

    Retadup is a malicious worm affecting Windows machines throughout Latin America. Its objective is to achieve persistence on its victims’ computers, to spread itself far and wide and to install additional malware payloads on infected machines. In the vast majority of cases, the installed payload is a piece of malware mining cryptocurrency on the malware authors’ behalf. However, in some cases, we have also observed Retadup distributing the Stop ransomware and the Arkei password stealer.

  • Authorities free 850,000 machines from grasp of Retadup worm [iophk: Windows TCO]

    After gaining persistence, Retadup goes on to distribute secondary malware on infected machines. It most commonly delivers a Monero cryptomining program, but also has been observed spreading over malware programs including Stop ransomware and the Arkei password stealer, Avast reports.

    The vast majority of Retadup victims whose infections were neutralized in last month’s crackdown are based in Latin American countries. However, the law enforcement operation itself specifically targeted C2 infrastructure based in France and the U.S.

  • Report finds majority of 2019 ransomware attacks have targeted state and local governments [iophk: Windows TCO]

    The majority of ransomware attacks in the U.S. in 2019 have targeted state and local governments, a report published Wednesday by cybersecurity group Barracuda Networks found.

    The report counted a total of 55 ransomware attacks on U.S. state and local government entities between January and July of 2019. These attacks involve a malicious actor or group encrypting a network and demanding money, often in the form of bitcoin, to restore the user's access.

  • Threat Spotlight: Government Ransomware Attacks [iophk: this is disinformation which fails to steer potential victims away from Windows and towards GNU/Linux or one of the BSDs]

    Barracuda researchers have identified more than 50 cities and towns attacked so far this year. The team’s recent analysis of hundreds of attacks across a broad set of targets revealed that government organizations are the intended victims of nearly two-thirds of all ransomware attacks. Local, county, and state governments have all been targets, including schools, libraries, courts, and other entities.

    Here’s a closer look at state and local government ransomware attacks and solutions to help detect, block, and recover from them.

Darling: macOS compatibility for Linux

Filed under
GNU
Linux
Mac

There is an increasingly active development effort, known as Darling, that is aiming to provide a translation layer for macOS software on Linux; it is inspired in part by Wine. While Darling isn't nearly as mature as Wine, contributors are continuing to build out capabilities that could make the project more useful to a wider group of users in the future.

[...]

Darling is licensed under GPLv3 and, according to the project home page, it does not violate Apple's End User License Agreement (EULA) since it only uses the parts of Darwin that have been released as free software. Darwin, however, is licensed under the Apple Public Source License (APSL), which is a free-software license, but is not compatible with the GPL according to the FSF.

Proprietary: Microsoft, Apple and Google

Filed under
Google
Microsoft
Mac
  • Netherlands warns government employees not to use Microsoft's online Office apps

    In one example, it was found that data from some 300,000 top-tier Office users with the '365 Pro Plus' package was being sent back to the US for storage - exactly the sort of behaviour that got Dutch backs up.

    In a wider sense, this is a small but public battle in a much larger war, with the EU still leaning heavily on Microsoft to put its post-GDPR house in order.

  • The iPhone now makes up less than half of Apple’s business

    Apple today reported its fiscal third quarter 2019 earnings, earning $53.8 billion in revenue and earnings per share of $2.18. That revenue is a 1 percent jump year over year. iPhone revenue was $25.99 billion compared to $29.47 billion a year ago. That means the iPhone represented under half of Apple’s revenue for the first time since 2012.

    The all-important services unit took in $11.46 billion in revenue. Wearables saw a big boost, likely thanks to Apple’s second-generation AirPods. CEO Tim Cook said that when the services and wearables / home / accessories divisions are combined, they approach the size of a Fortune 50 company. Revenue from Mac sales was $5.82 billion, and iPads were $5.023 billion, up from $4.634 billion last year at this time.

  • Apple Finds Life After the iPhone While Still Banking on the iPhone

    Combined, Apple’s two major independent product lines not attached to the iPhone -- Mac computers and iPads -- made up only 20% of revenue in the fiscal third quarter, despite gains from the period a year ago, the Cupertino, California-based company reported Tuesday. Apple’s also working on a mixed augmented and virtual reality headset for the coming years, but that, too, is likely to be iPhone-reliant.

  • Chrome 76 for Mac, Windows rolling out: Flash blocked by default, Incognito loophole closed, Settings tweak

    As a big HTML5 proponent for the past decade, Google encouraged sites to switch away from Flash for faster, safer, and more battery-efficient browsing. In late 2016 and early 2017, Chrome blocked background Flash elements and defaulted to HTML5, with users having to manually enable the Adobe plug-in on a site-by-site basis.

  • Google Chrome 76 Released for Linux, Windows, and Mac with 43 Security Fixes

    Google promoted today the Chrome 76 web browser to the stable channel for all supported platforms, including GNU/Linux, Windows, and macOS.

    Google Chrome 76.0.3809.87 is now available as the latest stable version of the popular and cross-platform web browser from Google, based on the open source Chromium project. It contains various bug fixes and improvements, as well as no less than 43 security fixes for the latest vulnerabilities.

Proprietary Software Insecurity

Filed under
Microsoft
Mac
  • Why recent hacks show Apple’s security strength, not its weakness [Ed: Spinning bug doors as a strength? Apple has its share of liars coming to the rescue of proprietary software (not the first such bug). Moving from Microsoft to Apple "for security" is like swapping vodka for rum to cure one's liver.]

    It might be tempting to follow that line of thinking in light of two recent stories of vulnerabilities affecting the Mac and the Apple Watch. In the first instance, the Zoom video-calling app could be abused to let someone spy on you through your webcam. In the second, a flaw in Apple’s Walkie Talkie app could let a hacker eavesdrop on your iPhone conversations. They’re both troubling security issues.

  • Eavesdropping Concerns Cause Apple Watch’s Walkie-Talkie App to Be Disabled

    Just like any other Internet of things device, it’s important to remember that smartwatches are still devices. And many cool features can also be used for unethical purposes. There is always another side of the coin.

    This is what Apple Watch users found this week when Apple disabled the Walkie-Talkie app when it was discovered that it allowed users to listen in on each other’s iPhone calls without the other person’s knowledge.

  • 250M Accounts Affected By ‘TrickBot’ Trojan’s New Cookie Stealing Ability

    Popular malware TrickBot is back and this time it has learned some new capabilities like stealing cookies. So far, it has infected around 250 million Gmail accounts.

    As per the research firm Deep Instinct, among the affected accounts, some belonging to the governments of the US, the UK, and Canada have also fallen victim to TrickBot.

  • TrickBooster – TrickBot’s Email-Based Infection Module - Deep Instinct

    Seeing a signed malware binary delivered to a customer environment prompted us to investigate further. We analyzed the malware sample and found swaths of PowerShell code in its memory. Analysis of this PowerShell code immediately led us to the conclusion that we are dealing with a mail-bot.

  • A better zip bomb

    This article shows how to construct a non-recursive zip bomb that achieves a high compression ratio by overlapping files inside the zip container. "Non-recursive" means that it does not rely on a decompressor's recursively unpacking zip files nested within zip files: it expands fully after a single round of decompression. The output size increases quadratically in the input size, reaching a compression ratio of over 28 million (10 MB → 281 TB) at the limits of the zip format. Even greater expansion is possible using 64-bit extensions. The construction uses only the most common compression algorithm, DEFLATE, and is compatible with most zip parsers.

Microsoft DRM, Security, and Apple's Combustion Threat

Filed under
Microsoft
Mac
Security
  • You Don't Own What You've Bought: Microsoft's Books 'Will Stop Working'

    The latest in our forever ongoing series, recognizing in the digital age how you often no longer own what you've bought, thanks to DRM and copyright: this week, people with Microsoft ebooks will discover they're dead.

  • Security updates for Tuesday

    Security updates have been issued by Arch Linux (firefox, firefox-developer-edition, libarchive, and vlc), CentOS (firefox, thunderbird, and vim), Debian (firefox-esr, openssl, and python-django), Fedora (glpi and xen), Mageia (thunderbird), openSUSE (ImageMagick, irssi, libheimdal, and phpMyAdmin), Red Hat (libssh2 and qemu-kvm), Scientific Linux (firefox, thunderbird, and vim), SUSE (389-ds, cf-cli, curl, dbus-1, dnsmasq, evolution, glib2, gnutls, graphviz, java-1_8_0-openjdk, and libxslt), and Ubuntu (python-django).

  • Kali Linux in the DigitalOcean Cloud

    DigitalOcean is a cloud provider similar to AWS, Microsoft Azure, Google Cloud Platform, and many others. They offer instances, called “droplets”, with different Linux distributions such as Debian, Ubuntu, FreeBSD, etc. Similar to AWS, DigitalOcean has datacenters around the world and sometimes multiple datacenters in each country.

    However, one feature in particular sets them apart from their competitors. A little while ago, they added support for custom images, which allows users to import virtual machine disks and use them as droplets. This is perfect for us, as we can use our own version of Kali Linux in their cloud.

    While it might be possible to load the official Kali Linux virtual images, it wouldn’t be very efficient. Instead, we’ll build a lightweight Kali installation with the bare minimum to get it working.

  • Cybersecurity Experts Blocked 5 Million Attempted Hacks of IoT Cameras

    Trend Micro cybersecurity experts report that they blocked an astounding five-million hack attempts on IoT cameras. It’s quite frightening to think what may have happened if these experts weren’t hard at work.

  • Public Certificate Poisoning Can Break Some OpenPGP Implementations

    OpenPGP installations can grind to a halt and fail to verify the authenticity of downloaded packages as the keyserver network has been flooded with bogus extra signatures attesting ownership of a certificate.

    Vulnerabilities that allow this type of certificate spamming attack have been known for years and a timely fix or mitigation is nowhere in sight, neither from the keyserver network community nor the OpenPGP Working Group.

  • Report: Apple Discovers MacBook Air Logic Board Issue


    Not all 13-inch MacBook Air with Retina Display units from 2018 are believed to be affected by the logic board issue. The memo reportedly said that only units with certain serial numbers were affected; Apple plans to inform the owners of those devices via email. Affected units can be taken to Apple's retail stores or authorized repair shops until four years after their original purchase date, 9to5Mac said. 
    It's not clear why Apple didn't publicly announce the replacement program.  

  • Apple finds issue w/ logic board in some 2018 MacBook Airs, offers free repair

    Apple has confirmed in an internal document to repair staff that it’s identified an issue with the main logic board in what it says is a “very small number” of MacBook Air models. Apple Stores and authorized repair staff have been informed to replace the main logic board in affected machines at no cost to customers, according to the document obtained by 9to5Mac.  

  • Apple Recalls 15-Inch MacBook Pro Laptop Computers Due to Fire Hazard

    The batteries in the recalled laptop computers can overheat, posing a fire hazard.  

  • Apple recalls 432,000 MacBook Pro laptops for fire and burn risks

    Manufactured in China, the recalled computers had a retail price of $2,000 and more, and were sold at Apple and electronics stores nationwide, as well as online, from September 2015 through February 2017.  

  • 2015 15" MacBook Pro Recall Applies to About 432,000 Units, Apple Received 26 Reports of Batteries Overheating

    Last week, Apple launched a worldwide recall and replacement program for select 2015 15-inch MacBook Pro units, sold primarily between September 2015 and February 2017, due to batteries that "may overheat and pose a fire safety risk." Apple will replace affected batteries free of charge.  

  • 'Dangerous' Muslim Brotherhood fatwa app in Apple Store's top 100 downloads

    The Euro Fatwa app, which was launched in April, was created by the European Council for Fatwa and Research, a Dublin private foundation set up by Yusuf Al Qaradawi, spiritual leader of the Muslim Brotherhood.
    Touted as a guide to help Muslims adhere to Islam, critics including Germany’s security service, say the app is a radicalisation tool.  

  • Jony Ive found Tim Cook's disinterest in design 'dispiriting'

    But more damagingly, the WSJ highlights that Ive was left "dispirited" by Tim Cook, in stark contrast to his close relationship with Steve Jobs. Cook, apparently "showed little interest in the product development process" according to the paper's sources. Ive was also left frustrated by the makeup of Apple's board of directors, which was filled with people with backgrounds outside of Apple's core business (the pun is ours, and very much intended). 
    As well as these reports, Ive's own words have come back to haunt the company. Back in 2014, he told The Times he'd leave Apple if it stopped innovating. Awkward.  

Audio With DeaDBeeF, Demise of Apple's "Pod" Empire, New Podcast About Go

Filed under
GNU
Linux
Mac
  • DeaDBeeF 1.8.1 Released! How to Install in Ubuntu 18.04 / Higher

    Deadbeef audio player 1.8.1 was released a few days ago with various bug-fixes and performance improvements for the 1.8 series.

  • Jony Ive ‘dispirited’ by Tim Cook’s lack of interest in product design: WSJ

    The WSJ report follows a similar piece published by Bloomberg last week. Both reports describe an Apple design team, led by Jony Ive, increasingly frustrated by his absence after the launch of the Apple Watch in 2015. They tell the story of a company that once put design at the forefront, progressively being led by operational concerns. Ive’s absence was “straining the cohesion central to product development,” according to the WSJ, causing several key design team members to leave Apple over the last few years.

  • Gabbing About Go | Coder Radio 364

    Mike and Wes burrow into the concurrent world of Go and debate where it makes sense and where it may not.

    Plus gradual typing for Ruby, a new solution for Python packaging, and the real story behind Jony Ive’s exit.

Darling Still Has A Goal Of Running macOS Apps On Linux

Filed under
GNU
Linux
Mac

Darling is the open-source project we first covered back in 2012 that aims to run macOS software (binaries) on Linux. It is to Apple/Mac software what Wine is to running Windows programs on Linux. While we haven't heard much from the project recently, they are still pursuing their goal.

Over the years Darling has made some progress on handling Mac binaries on Linux, albeit with periods when the project seemed to be on hiatus without any development work. The last time we covered Darling on Phoronix was in November of 2017, when they were still aiming for macOS apps on Linux.

Direct: Darling Progress Report Q1 2019

More in Tux Machines

Debian and Ubuntu Leftovers

  • Ritesh Raj Sarraf: Bpfcc New Release

    bpfcc version 0.11.0 has been uploaded to Debian Unstable and should be accessible in the repositories by now. After the 0.8.0 release, this has been the next one uploaded to Debian.

  • Utkarsh Gupta: Joining Debian LTS!

    Back during the good days of DebConf19, I finally got a chance to meet Holger! As amazing and inspiring a person as he is, it was an absolute pleasure meeting him and also, I got a chance to talk about Debian LTS in more detail. [...] I had almost no idea what to do next, so the next month I stayed silent, observing the workflow as people kept committing and announcing updates. And finally in September, I started triaging and fixing the CVEs for Jessie and Stretch (mostly the former). Thanks to Abhijith, who explained the basics of what a DLA is and how we go about fixing bugs and then announcing them. With that, I could fix a couple of CVEs, and thanks to Holger (again) for reviewing and sponsoring the uploads! :D

  • Ubucon Europe 2019 in local media

    News from the new Ubuntu distribution, the exploration of the several platforms and many "how to" sessions rule the 4-day agenda, where open source and open technologies are in the air. The Olga Cadaval Cultural Centre in Sintra is the main stage of a busy agenda filled with several talks and more technical sessions, but at Ubucon Europe there's also room for networking and cultural visits, a curious fusion between spaces full of history, like the Pena Palace or the Quinta da Regaleira, and one of the youngest "players" in the world of software. For 4 days, the international Ubuntu Community gathers in Sintra for an event open to everyone, where open source principles and open technology dominate. The Ubucon Europe Conference began Thursday, October 10th, and extends until Sunday, October 13th, keeping an open-doors policy for everyone who wants to

    After all, what is the importance of Ubucon? The number of participants, which should be around 150, doesn't tell the whole story of what you can learn during these days, as SAPO TEK had the opportunity to check this morning. Organised by the Ubuntu Portugal Community, with the National Association for Open Software, the Ubuntu Europe Federation and the Sintra Municipality, the conference brings to Portugal some of the biggest open source specialists and shows that Ubuntu is indeed alive, even if not yet known by most people, and still far from the "world domination" aspired to by some.

Devices/Embedded: Win Enterprises and Raspberry Pi 4

  • Win Enterprises unveils Atom-based LAN gateway and compact SBC

    Win Enterprises unveiled a fanless “PL-82000” networking gateway with 6x GbE and 2x SFP ports based on an Atom C3000. It also launched a Raspberry Pi sized “MB-5000” SBC that runs Ubuntu or Win 10 on Intel Apollo Lake. We tend to forget Win Enterprises because as its name suggests, the company typically sticks to Windows-supported products. Yet, they have increasingly produced barebones products without listed OS support, such as the new PL-82000 networking appliance, as well as Linux supported systems such as the MB-5000 SBC announced back in June. (In 2017, we covered an Intel Bay Trail based MB-80580 SBC and Win IoT-380 Gateway with Linux support.)

  • Raspberry Pi 4 PCI Express: It actually works! USB3, SATA… GPUs?

    Recently, Tomasz Mloduchowski posted a popular article on his blog detailing the steps he undertook to get access to the hidden PCIe interface of Raspberry Pi 4: the first Raspberry Pi to include PCIe in its design. After seeing his post, and realizing I was meaning to go buy a Raspberry Pi 4, it just seemed natural to try and replicate his results in the hope of taking it a bit further. I am known for Raspberry Pi Butchery, after all.

  • Raspberry Pi 4 B+ - PCI Express

    Why did I do it? Because I wanted to see if it can be done. Because Raspberry Pi 4 might be the cheapest device that is PCIe capable after a relatively minor modification (if I didn't lift the capacitors when desoldering the VL805, this is literally 12 soldering points). That, in turn, can be quite handy for developing own PCIe cores for various FPGA based experiments.

    I'm sharing it to allow people to learn from this - and to dispel the myth that PCIe is somehow out of reach of hobbyists due to some concerns over signal integrity or complexities. Stay tuned for more Pi4/PCIe experimentation!

OSS: Odoo, WordPress, MongoDB vs. MySQL

  • What's New in Odoo 13?

    Fast, Simple and Effective Business Management: this is the motto of Odoo, the leading open source ERP in the world, and it is what makes Odoo the prominent and most favoured choice among business enterprises. With the release of Odoo 13, the open-source ERP has become all the more fit and robust to meet the diversified needs of businesses. With Odoo 13, users get better designs and customizations. With each version release, Odoo makes it a point to bring in major and minor improvements to the application, alongside a set of new features for improving the user interface and functionality. Its 3.4 million users are evidence of Odoo being a leading application for business management.

  • Becoming Better Digital Citizens Through Open Source

    The WordPress Project is on a mission to democratize publishing. As WordPress empowers more people to participate in the digital space, we have the opportunity to make sure that everyone can participate safely and responsibly. Today marks the start of Digital Citizenship Week. We are going to share how open source can be used as a tool for learners (regardless of age) to practice and model the essential parts of being a good digital citizen. [...] Digital Citizenship is for all age groups. Anyone who uses the internet on a computer, mobile device or a TV is a digital citizen. You don’t have to be tech-savvy already, maybe you are taking your first steps with technology. Digital Citizenship Week is a chance to reflect together on our impact on the digital world. It can help us to make our consumption more considered and our interaction friendlier. It enables us to make a positive difference to those around us. All of us can strive (or learn) to become better digital citizens. It can be affected by the access those teaching have had to digital skills and good practice. Adult education classes and community tech hubs play a part in basic tech skill development. Unfortunately, these are not always accessible to those in less populated geographic locations.  Open source communities like WordPress already make a difference in encouraging the principles of digital citizenship, from sharing tech skills to improving security knowledge. They give people an opportunity to learn alongside their peers and many of the resources are available regardless of location, resources, or skills.

  • MongoDB vs. MySQL: How to choose

    During the dot-com bubble in the 1990s, one common software stack for web applications was LAMP, which originally stood for Linux (OS), Apache (web server), MySQL (relational database), and PHP (server programming language). MySQL was the preferred database mostly because it was free open source and had good read performance, which fit well with “Web 2.0” apps that dynamically generated sites from the database. Later the MEAN stack, which stood for MongoDB (document database), Express (web server), AngularJS (front-end framework), and Node.js (back-end JavaScript runtime), came to prominence. The MEAN stack was attractive, among other reasons, because the only language you needed to know was JavaScript. It also needed less RAM than an equivalent LAMP stack.

Security: XML External Entity (XXE) Example and the Latest Patches

  • XML External Entity (XXE) Example

    According to OWASP, an XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts. If a parser accepts unsanitized XML, we can take advantage of that and send our own crafted external XML payload to exploit our target. This post won’t be long so let’s get into it.

  • Security updates for Monday

    Security updates have been issued by Arch Linux (chromium, sdl, and unbound), Debian (clamav, libdatetime-timezone-perl, openssl, tcpdump, and tzdata), Fedora (cutter-re, jackson-annotations, jackson-bom, jackson-core, jackson-databind, jackson-parent, libapreq2, ming, opendmarc, radare2, and thunderbird), openSUSE (chromium), Oracle (kernel), and SUSE (axis, jakarta-commons-fileupload, kernel, sles12sp3-docker-image, sles12sp4-image, system-user-root, and webkit2gtk3).