Buying an IBM Mainframe
> This post is about buying an IBM z114 mainframe (picture 1) but should translate well to any of the IBM mainframes from z9 to z14.
> Buying a mainframe takes time. I never spent so much time on a purchase before. In fact - I purchased my first apartment with probably less planning and research. Compared to buying an apartment you have no guard rails. You are left to your own devices to ensure the state of whatever thing you are buying as it likely is sold as-is. Unless you are buying refurbished the seller will likely have no idea of how to verify the item and might even lack the equipment to power it on.
Serenity Operating System
> Serenity is a love letter to ‘90s user interfaces, with a custom Unix-like core. It flatters with sincerity by stealing beautiful ideas from various other systems.
If you’re looking for gold, look in trees
> Prospecting for gold by looking for it in leaves has finally proved itself commercially in Australia
> The quantities are minuscule. In areas where there is no gold, leaves may have a background level of 0.15 parts per billion (ppb) of gold; on gold-rich sites that can rise to 4ppb.
Software-defined far memory in warehouse scale computers
SensorID Sensor Calibration Fingerprinting for Smartphones
> We have developed a new type of fingerprinting attack, the calibration fingerprinting attack. Our attack uses data gathered from the accelerometer, gyroscope and magnetometer sensors found in smartphones to construct a globally unique fingerprint.
> Font and date adjustments to accommodate the new Reiwa era in Japan
Mirrored Ceilings and Criss-Crossed Stairwells Give a Chinese Bookstore the Feeling of an M.C. Escher Woodcut
> Zhongshuge bookstores, designed by Shangai-based architecture firm X+Living, feature incredible rooms coveted by book and illusion lovers alike. Each location in this chain of Chinese bookstores has uniquely designed spaces with reflective elements that immerse guests in parallel environments. In the Chongqing branch, criss-crossing staircases and a mirrored ceiling double the room for an effect that seems straight out of an M.C. Escher woodcut or an infinite Indian stepwell.
Rain Much on Your Vacation? One Italian Island Offers Hotel Refunds
> But beginning this month, the Italian island of Elba, off the coast of Tuscany, started offering tourists an unexpected guarantee: Hotels will refund guests if it rains.
Alphabetical order in Korean
> Alphabetical order in Korean has an interesting twist I haven’t seen in any other language.
> In Korean, alphabetization is also done at the syllable level.
If each thread’s TEB is referenced by the fs selector, does that mean that the 80386 is limited to 1024 threads?
> No, it doesn’t, because nobody said that the distinct values had to be different simultaneously.
Using Ed25519 Signing Keys For Encryption
> First, we need to understand the difference between Ed25519 and X25519. For that I recommend Montgomery curves and their arithmetic by Craig Costello and Benjamin Smith, which is where I learned most of the underlying mechanics of Montgomery curves. The high level summary is that the twisted Edwards curve used by Ed25519 and the Montgomery curve used by X25519 are birationally equivalent: you can convert points from one to the other, and they behave the same way.
Looking inside the box
> This blog post talks about reverse engineering the Dropbox client, breaking its obfuscation mechanisms, de-compiling it to Python code as well as modifying the client in order to use debug features which are normally hidden from view. If you’re just interested in relevant code and notes please scroll to the end. As of this writing it is up to date with the current versions of Dropbox which are based on the CPython 3.6 interpreter.
But what about the opportunity cost?
My new favorite tool for looking at TLS things is certigo
> For a long time I’ve used the OpenSSL command line tools to do things like looking at certificates and chasing certificate chains (although OpenSSL is no longer what you want to use to make self-signed certificates). This works, and is in many ways the canonical and most complete way to do this sort of stuff, but if you’ve ever used the openssl command and its many sub-options you know that it’s kind of a pain in the rear. As a result of this, for some years now I’ve been using Square’s certigo command instead.
Stealing Downloads from Slack Users
> The vulnerability could have allowed a remote attacker to submit a masqueraded link in a slack channel, that “if clicked” by a victim, would silently change the download location setting of the slack client to an attacker owned SMB share. This could have allowed all future downloaded documents by the victim to end up being uploaded to an attacker owned file server until the setting is manually changed back by the victim.
Security Engineering: Third Edition
Security Issue with Bluetooth Low Energy (BLE) Titan Security Keys
> Due to a misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols, it is possible for an attacker who is physically close to you at the moment you use your security key -- within approximately 30 feet -- to (a) communicate with your security key, or (b) communicate with the device to which your key is paired.
Bluetooth security is... challenging.
Understanding real-world concurrency bugs in Go
> We perform the first systematic study on concurrency bugs in real Go programs. We studied six popular Go software [projects] including Docker, Kubernetes, and gRPC. We analyzed 171 concurrency bugs in total, with more than half of them caused by non-traditional, Go-specific problems. Apart from root causes of these bugs, we also studied their fixes, performed experiments to reproduce them, and evaluated them with two publicly-available Go bug detectors.
Motorbikes in Taiwan. 3:27.
0day "In the Wild"
> Project Zero’s team mission is to “make zero-day hard“, i.e. to make it more costly to discover and exploit security vulnerabilities. We primarily achieve this by performing our own security research, but at times we also study external instances of zero-day exploits that were discovered “in the wild”. These cases provide an interesting glimpse into real-world attacker behavior and capabilities, in a way that nicely augments the insights we gain from our own research.
> Today, we’re sharing our tracking spreadsheet for publicly known cases of detected zero-day exploits, in the hope that this can be a useful community resource: