Netflix has identified several TCP networking vulnerabilities in FreeBSD and Linux kernels. The vulnerabilities specifically relate to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most serious, dubbed “SACK Panic,” allows a remotely-triggered kernel panic on recent Linux kernels. There are patches that address most of these vulnerabilities. If patches can not be applied, certain mitigations will be effective. We recommend that affected parties enact one of those described below, based on their environment.Source: https://www.openwall.com/lists/oss-security/2019/06/17/5
RAMBleed is a side-channel attack that enables an attacker to read out physical memory belonging to other processes. The implications of violating arbitrary privilege boundaries are numerous, and vary in severity based on the other software running on the target machine. As an example, in our paper we demonstrate an attack against OpenSSH in which we use RAMBleed to leak a 2048 bit RSA key. However, RAMBleed can be used for reading other data as well.RAMBleed
RAMBleed is based on a previous side channel called Rowhammer, which enables an attacker to flip bits in the memory space of other processes. We show in our paper that an attacker, by observing Rowhammer-induced bit flips in her own memory, can deduce the values in nearby DRAM rows. Thus, RAMBleed shifts Rowhammer from being a threat not only to integrity, but confidentiality as well. Furthermore, unlike Rowhammer, RAMBleed does not require persistent bit flips, and is thus effective against ECC memory commonly used by server computers.
Now imagine you put your stuff into the cloud ….
These automatisms in browsers are giving me a bad time. Who the hell came unmedicated to the conclusion to let browsers transform emoticons into emojis? Text has to remain text and images have to remain images.
Of course I could add the text presentation selector (︎) as suffix to every emoticon I write, but that’s not the point. Also the suffix gets removed upon editing, so I need to add it over and over again. Programmatically scanning all texts and adding the suffix automatically is overkill and results in a huge performance loss.
I found an add-on for Firefox which claims to do disable emojis. But it doesn’t work, and also I don’t want a separate add-on for that. Seems like no one thought of a simple CSS setting to disable this crap. I don’t want smileys, emojis, whatever. This is all so painful.
In case you use a Chromium based browser you’ll likely have noticed blurry fonts on this website. First I thought it’s related to font-smoothing, but I don’t use such CSS rules, because they are not part of the standard, yet. Also I checked if forcing the browser to disable font-smoothing changes the way the text is rendered. To my surprise it had no effect at all. So, it must be something else that breaks the font-rendering. In Firefox, Edge and IE the issue does not appear. To make a long story short, in Chrome 72 the text gets blurry if it’s positioned using
position: absolute; top: 50%; left: 50%; transform: translate(-50%,-50%);
That is quite annoying, because you use this rule to center content where the absolute width and height is unknown. If it’s known you could use negative margins instead.
In Opera the positioning using transform does not affect the font-rendering. However, and now things are getting really weird, the cause of the blurry text is the border-radius of the surrounding div element. Wtf!? Yes, the border-radius causes strange font-rendering. And it’s independent of the actual font. A simple
is just enough to make it ugly. Additionally the size of the browser window affects the rendering, too. So, if the browser window is resized by 1-2 pixels, the blurring disappears. Here are some screen shots to illustrate the issue:
Sometimes the top 96 pixels of a maximized window disappear and are no longer click-able. Instead the click is received and handled by the desktop. This happens randomly on my Windows 10 Pro (10.0.16299) machine, which is a dual-monitor system as you can see. The issue is independent of the applications used; it happens in any application, but it cannot be triggered by a special action or similar. I first noticed it in Excel. Later in Firefox’s development tools and now quite often in Opera. All software is the latest. When it happens in a browser toggling full-screen on/off by pressing F11 helps sometimes. Otherwise a reboot is required to make it work again, because restarting the application does not help. Very annoying. Here’s a screenshot how it looks like:
I believe this is an error related to the display driver (Intel HD 4600, version 184.108.40.20635), but prove me wrong. In case anyone has a suggestion what might be the cause, mail me.
Looks like the website of the beloved Gnome Connection Manager seems to be dead. I created a clone of the original code and will implement the fix mentioned here as soon as I find the code. It’s somewhere burried in a bunch of data on a pile of harddisks. What a mess!
I just experienced and issue where the height of the container of an HTML5 video (1080px, mp4) was calculated wrong. The respective stylesheet had set video width to 100% and no height (defaults to height:auto). The browser rendered the video container to a height of >6000px while maintaining the width of the surrounding div and the actual aspect-ratio of the video. Really strange behaviour. The issue seems to occur in Chrome 64 and Opera 51. Firefox and Edge are not affected by the issue.
Currently I experience password recovery emails from Pickaface not being received in GMX email accounts. Yet, I don’t know whose fault it is, and I cannot contact Pickaface using the registered GMX account, because GMX keeps telling me that the account is misused by spammers and therefore sending mails is temporarily disabled. Although, I revoked all authorizations, changed the password of the GMX account and waited about six hours now, but it still doesn’t allow me to send one single mail. Receiving mails works fine, except the ones from Pickaface. Yes, I also checked the spam folder. No luck there.
So, I got stuck here. Of course I could contact the Pickaface support team and request to reset the password of that account. But since my request won’t be sent by the email address associated to the account in question, they’ll likely ignore that request and file it under hacking attempt. On the other hand I could contact the GMX support team to have my email account unlocked. But they only provide a costly 0900-hotline and charge you € 3,99 per minute instead of providing proper ways to unlock your account by yourself.
The background story of all this is, that I currently try to move away from GMX and migrate all my accounts to another email service provider. In the more than 15 years now of being a GMX user, they managed to let me down several times, make using their products unnecessarily complicated and provide a constantly decreasing user experience. I’m really happy that I never used their services in a productive environment.
About two weeks ago I found a bug in Gnome Connection Manager 1.1.0 which allows you to recover saved passwords (e.g. in case you forgot them). To my mind this bug is kinda harmless as long as no one gains access to your gcm.conf file. I informed Renzo Bertuzzi, the author of GCM, and he immediately came up with a fix. Thanks for that! However, since no update is available, yet, I will disclose this bug to the public.
Read more …
For some time (three weeks, I guess) I’m experiencing issues with some Google services like their web-based mail client for example. After logging in I cannot open my account details or log out. I click on my account icon, but nothing happens. It used to show a drop-down menu, but that doesn’t appear any longer. I have to go to YouTube and log out there, or clear cookies in my browser in order to destroy my session. This issue occurs independently from whatever browser on whatever OS I use and it’s really annoying. Google!? Can you here me? Please fix this asap! >:(