A serious weakness has been found in proprietary encryption cipher TETRA (TErrestrial Trunked RAdio) standard, that is used by police and other organizations.
Researchers Carlo Meijer, Wouter Bokslag, and Jos Wetzels from Midnight Blue who discovered the issue, suggest it may be an intentional backdoor.
The description of CVE-2022-24402 is “The TEA1 algorithm has a backdoor that reduces the original 80-bit key to a key size which is trivially brute-forceable on consumer hardware in minutes.”.
I want to find all fonts that support Polish accented characters (ąćęłńóśżź).
First we will use printf to check the unicode number for a character:
printf "%x" \'ą
105Then use fc-list command with “charset” query:
fc-list ':charset=17a'
/usr/share/fonts/truetype/lato/Lato-Medium.ttf: Lato,Lato Medium:style=Medium,Regular
/usr/share/fonts/truetype/lato/Lato-SemiboldItalic.ttf: Lato,Lato Semibold:style=Semibold Italic,Italic
/usr/share/texmf/fonts/opentype/public/lm/lmmonolt10-oblique.otf: Latin Modern Mono Light,LM Mono Light 10:style=10 Oblique,Italic
/usr/share/fonts/truetype/dejavu/DejaVuSerif-Bold.ttf: DejaVu Serif:style=Bold
...To see how the font is rendered, you can use gnome-font-viewer:
gnome-font-viewer /usr/share/fonts/truetype/lato/Lato-Medium.ttfAn article on IEEE about project that decided to switch from microservice architecture to monolith.
#!/bin/bash
sudo cgdelete cpu:/testgroup
sudo cgcreate -g cpu:/testgroup
# Test with and without the line below
sudo cgset -r cpu.cfs_quota_us=50000 testgroup
# See how much time do we need to complete the operation
echo "Starting CPU intensive operations"
date
stress-ng --qsort 1 --qsort-ops 200 &
sleep 1
PID=$(pgrep stress-ng-qsort)
sudo cgclassify -g cpu:testgroup $PID
wait
echo "Finished"
dateThe results with cfs_quota_us=50000 are below. The top utility shows about 50% CPU usage.
➜ ./cpu_stress.sh
Starting CPU intensive operations
czw, 22 wrz 2022, 17:41:33 CEST
stress-ng: info: [3345901] defaulting to a 86400 second (1 day, 0.00 secs) run per stressor
stress-ng: info: [3345901] dispatching hogs: 1 qsort
stress-ng: info: [3345901] successful run completed in 33.05s
Finished
czw, 22 wrz 2022, 17:42:06 CESTIf the line is commented out (so no limitations apply), top shows 100% CPU usage and the output is:
➜ ./cpu_stress.sh
Starting CPU intensive operations
czw, 22 wrz 2022, 17:42:53 CEST
stress-ng: info: [3348203] defaulting to a 86400 second (1 day, 0.00 secs) run per stressor
stress-ng: info: [3348203] dispatching hogs: 1 qsort
stress-ng: info: [3348203] successful run completed in 15.98s
Finished
czw, 22 wrz 2022, 17:43:09 CESTThe corresponding file entries in sysfs:
$ cat /sys/fs/cgroup/cpu/testgroup/cpu.cfs_quota_us
50000
$ cat /sys/fs/cgroup/cpu/testgroup/tasks
3353629
Monitoring files and directories
How to change editor for “systemctl edit command”.
Add to .bashrc / .zshrc:
export SYSTEMD_EDITOR=vimAdd to /etc/sudoers:
Defaults env_keep += "SYSTEMD_EDITOR"Get / set default target when booting up:
$ systemctl get-default
$ systemctl set-default ...targetCreate a new service:
sudo systemctl edit --force --full new.serviceLimit CPU usage for user:
sudo systemctl set-property user-1001.slice CPUQuota=10%
sudo systemctl daemon-reloadLimit IO read rate to 1MB/sec for user:
sudo systemctl set-property user-1001.slice BlockIOReadBandwidth="/dev/sda 1M"
sudo systemctl daemon-reloadjournald log files:
journald log entries since last boot:
journalctl -bCreate new service with MemoryHigh and MemoryMax directives.
$ systemctl edit --force --full memory.service[Unit]
Description=Simple service to test memory limit.
[Service]
ExecStart=/root/memory.sh
MemoryHigh=1M
MemoryMax=2M
[Install]
WantedBy=multi-user.targetThe content of /root/memory.sh:
#!/bin/bash
echo $(date) > /tmp/test.log
a=()
for (( a=1; a<=10; a++ ))
do
echo Loop $a >> /tmp/test.log
for (( c=1; c<=600000; c++ ))
do
a+=( "abcdefghijklmnopqrstquvxyabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzzabcdefghijklmnopqrstquvxyabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzzabcdefghijklmnopqrstquvxyabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzabcdefghijklmnopqrstquvxyzz" )
done
done
sleep 10Start the service:
root@tuxedo:/etc/systemd/system# systemctl daemon-reload
root@tuxedo:/etc/systemd/system# systemctl enable --now memory
root@tuxedo:/etc/systemd/system# systemctl status memory
● memory.service - Simple service to test memory limit.
Loaded: loaded (/etc/systemd/system/memory.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2022-09-01 22:26:27 CEST; 9s ago
Main PID: 14675 (memory.sh)
Tasks: 1 (limit: 76224)
Memory: 1.9M (high: 1.0M max: 2.0M)
CGroup: /system.slice/_memory.service
└─14675 /bin/bash /root/memory.sh
wrz 01 22:26:27 tuxedo systemd[1]: Started Simple service to test memory limit..After a while
root@tuxedo:/etc/systemd/system# systemctl status memory
● memory.service - Simple service to test memory limit.
Loaded: loaded (/etc/systemd/system/memory.service; enabled; vendor preset: enabled)
Active: failed (Result: signal) since Thu 2022-09-01 22:27:31 CEST; 8s ago
Process: 14675 ExecStart=/root/memory.sh (code=killed, signal=KILL)
Main PID: 14675 (code=killed, signal=KILL)
wrz 01 22:26:27 tuxedo systemd[1]: Started Simple service to test memory limit..
wrz 01 22:27:31 tuxedo systemd[1]: memory.service: Main process exited, code=killed, status=9/KILL
wrz 01 22:27:31 tuxedo systemd[1]: memory.service: Failed with result 'signal'.And in the dmesg:
$ dmesg
[ 5679.682307] Tasks state (memory values in pages):
[ 5679.682308] [ pid ] uid tgid total_vm rss pgtables_bytes swapents oom_score_adj name
[ 5679.682310] [ 14675] 0 14675 202158 862 1646592 199134 0 memory.sh
[ 5679.682316] oom-kill:constraint=CONSTRAINT_MEMCG,nodemask=(null),cpuset=/,mems_allowed=0,oom_memcg=/system.slice/_memory.service,task_memcg=/system.slice/_memory.service,task=memory.sh,pid=14675,uid=0
[ 5679.682330] Memory cgroup out of memory: Killed process 14675 (memory.sh) total-vm:808632kB, anon-rss:0kB, file-rss:3448kB, shmem-rss:0kB, UID:0 pgtables:1608kB oom_score_adj:0Simplest possible service that runs /root/process.sh script:
root@tuxedo:/etc/systemd/system# cat process.service
[Unit]
Description=Simple service to test process limit.
[Service]
ExecStart=/root/process.sh
[Install]
WantedBy=multi-user.targetThe content of /root/process.sh:
#!/bin/bash
echo $(date) >> /tmp/test.log
for (( c=1; c<=10; c++ ))
do
sleep 10 &
done
sleep 20Start the service:
root@tuxedo:/etc/systemd/system# systemctl daemon-reload
root@tuxedo:/etc/systemd/system# systemctl enable --now process
root@tuxedo:/etc/systemd/system# systemctl status process
● process.service - Simple service to test process limit.
Loaded: loaded (/etc/systemd/system/process.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2022-08-30 22:59:03 CEST; 2s ago
Main PID: 18596 (process.sh)
Tasks: 12 (limit: 76224)
Memory: 2.3M
CGroup: /system.slice/process.service
├─18596 /bin/bash /root/process.sh
├─18598 sleep 10
├─18599 sleep 10
├─18600 sleep 10
├─18601 sleep 10
├─18602 sleep 10
├─18603 sleep 10
├─18604 sleep 10
├─18605 sleep 10
├─18606 sleep 10
├─18607 sleep 10
└─18608 sleep 20
sie 30 22:59:03 tuxedo systemd[1]: Started Simple service to test process limit..Now add TasksMax=5 into [Service] section:
[Unit]
Description=Simple service to test process limit.
[Service]
ExecStart=/root/process.sh
TasksMax=5
[Install]
WantedBy=multi-user.targetand restart the service:
root@tuxedo:/etc/systemd/system# systemctl daemon-reload
root@tuxedo:/etc/systemd/system# systemctl restart process
root@tuxedo:/etc/systemd/system# systemctl status process
● process.service - Simple service to test process limit.
Loaded: loaded (/etc/systemd/system/process.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2022-08-30 23:04:20 CEST; 9s ago
Main PID: 18961 (process.sh)
Tasks: 5 (limit: 5)
Memory: 1.0M
CGroup: /system.slice/process.service
├─18961 /bin/bash /root/process.sh
├─18963 sleep 10
├─18964 sleep 10
├─18965 sleep 10
└─18966 sleep 10
sie 30 23:04:20 tuxedo systemd[1]: Started Simple service to test process limit..
sie 30 23:04:20 tuxedo process.sh[18961]: /root/process.sh: fork: retry: Resource temporarily unavailab>
sie 30 23:04:21 tuxedo process.sh[18961]: /root/process.sh: fork: retry: Resource temporarily unavailab>
sie 30 23:04:23 tuxedo process.sh[18961]: /root/process.sh: fork: retry: Resource temporarily unavailab>
sie 30 23:04:27 tuxedo process.sh[18961]: /root/process.sh: fork: retry: Resource temporarily unavailab>
sie 30 23:04:30 tuxedo process.sh[18961]: /root/process.sh: fork: Interrupted system call
sie 30 23:04:30 tuxedo systemd[1]: process.service: Main process exited, code=exited, status=254/n/a
sie 30 23:04:30 tuxedo systemd[1]: process.service: Failed with result 'exit-code'.An interesting article on IEEE about Blockchain’s Carbon and Environmental Footprints.
According to https://digiconomist.net:
Roles defined in OAuth 2.0:
Which flow to use:
Do not use Implicit flow or Resource Owner Password Credentials flow at all.
Strategies that can be used to limit access for a specific access token:
To verify an access token:
Internal applications (first-party) are those owned byt the enterprise. It may be self-hosted of SaaS. No need for user’s consent.
External applications (third-party) should require user’s consent.
Possible architectures of an application we are securing:
Securing native and mobile applications. How to return authorization code to the application:
Example authorization strategies:
Keycloak cal act as a cenralized authorization service through a functionality called Authorization Services.
For production set up:
Keycloak uses Apache Freemaker for templates.
The example below is based on Moodle but similar will apply to any open OpenID Connect (OIDC) Relying Party. Moodle URL used here as example is https://test.pycert.org. Replace it with your installation URL.
Login to github and register new oauth app.
From the next page note:
Go to Moodle, login as admin. Under: Site administration -> Authentication -> Manage authentication (https://test.pycert.org/admin/settings.php?section=manageauths) enable OAuth2.
Go to Site administration -> Server -> OAuth 2 services and click on “Custom”.
After submit, on the admin/tool/oauth2/issuers.php page click “Configure endpoints” icon. Add following endpoints (Name, URL):
Logout (or use another browser i.e. in incognito mode) and try to login to your Moodle site using github account.
If you receive an error:
The user information returned did not contain a username and email address. The OAuth 2 service may be configured incorrectly.
It means that your emails are kept private in github settings (setting “Keep my email addresses private”). The email is not passed from github to Moodle during the OAuth workflow. And since Moodle requires login & email address at the very least when creating the account, it fails. One way to fix it is to set “Keep my email addresses private” to false in github.
I ended up patching core Moodle and adding an extra call to https://api.github.com/user/emails to retrieve an email.