ue

Xen Security Advisory 464 v2 (CVE-2024-45819) - libxl leaks data to PVH guests via ACPI tables

Posted by Xen . org security team on Nov 12

Xen Security Advisory CVE-2024-45819 / XSA-464
version 2

libxl leaks data to PVH guests via ACPI tables

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

PVH guests have their ACPI tables constructed by the toolstack. The
construction involves building the tables in local memory, which are
then copied into guest memory. While actually used...




ue

Re: Xen Security Advisory 464 v2 (CVE-2024-45819) - libxl leaks data to PVH guests via ACPI tables

Posted by Andrew Cooper on Nov 12

Data are leaked into the PVShim guest, but it is the shim Xen
(exclusively) which has access to the ACPI tables.

The guest which has been shim'd can't architecturally access the leaked
data.

~Andrew




ue

Re: Xen Security Advisory 464 v2 (CVE-2024-45819) - libxl leaks data to PVH guests via ACPI tables

Posted by Demi Marie Obenour on Nov 12

Is this unconditional (perhaps because the relevant data gets zeroed out
by the shim), or does it only apply when the PV guest can't extract data
from the shim's memory? For instance, 32-bit PV guests aren't security
supported anymore, but the PV shim isn't supposed to rely on the
security of the shim itself, only of the rest of the system.




ue

Demand for Frequency Drives on the Uptick

AC drives are an essential part of the HVAC marketplace, and the growth of the market looks to be exceptional over the next few years. According to MarketsandMarkets, the market is expected to grow from an estimated $15.72 billion in 2016 to $22.07 billion by 2021.




ue

Bluetooth Technology, Battery Strength Earn ManTooth the Gold

The ManTooth™ Wireless Digital Pressure/Temperature Gauge from Yellow Jacket Products Division, Ritchie Engineering Co., is this year's gold winner in the Electronic Tools category.




ue

Re: Hi all! (and a snort sig question)

Posted by Al Lewis (allewi) via Snort-sigs on Oct 10

Wouldnt it be easier to just use the IP variable?

i.e replace the EXTERNAL_NET and use a variable or IP?

Albert Lewis

Email: allewi () cisco com<mailto:allewi () cisco com>

________________________________
From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Rob Vandenbrink via Snort-sigs <snort-sigs ()
lists snort org>
Sent: Thursday, October 10, 2024 12:12 PM
To: Snort User <snort.user () gmail com>...




ue

Questions about IPS-Policy

Posted by Bestell_E-Mail via Snort-sigs on Oct 22

Hello.

First of all, please excuse me if this question is asked a lot.

I am a beginner and currently using the IPS Policy with the Business License.

I am not sure if Personal or Business License is right for me. Are the IPS policies different in any way for these two
licenses?

Best regards

Waldemar Sager_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org...




ue

Distributor’s Gamble on VRF Technology Continues Paying Off 3 Decades Later

A visit to an ASHRAE event 30-plus years ago introduced David Heckler to VRF technology, and the distributor was won over. VRF systems now make up about half of his company’s business.




ue

High-End HVAC Systems Offer High Value

Customers looking for increased value out of their HVAC systems will find high-end features like connectivity, greater efficiency, and more intuitive controls attractive.




ue

HVAC Industry Fired Up Over Fossil Fuels

HVAC industry representatives are pushing back on a bid by more than two dozen public interest groups for an eventual ban on new fossil-fuel-burning heating appliances.




ue

DOE Issues 95% AFUE Rule For New Gas Furnaces

Manufacturers will have five years, from the date the rule is published in the Federal Register, to ensure that new gas furnaces comply with the new minimum.




ue

New Efficiency Rule Issued by DOE

The latest rule will require every mobile home gas furnace — and every new residential, non-weatherized gas furnace — to have a minimum annual fuel utilization efficiency (or AFUE) of 95% starting in late 2028.




ue

How to make a minimal HTTPS request with ncat --ssl with explicit HTTP content?

Posted by Ciro Santilli OurBigBook via dev on Sep 17

Hello, I was trying for fun to make an HTTPS request with explicit hand-written HTTP content.

Something analogous to:

printf 'GET / HTTP/1.1 Host: example.com ' | ncat example.com 80

but for HTTPS. After Googling one of the tools that I found that seemed it might do the job was ncat from the nmap
project, so I tried:

printf 'GET / HTTP/1.1 Host: example.com ' | ncat --ssl example.com 443

an that works...




ue

Hacking the Edges of Knowledge: LLMs, Vulnerabilities, and the Quest for Understanding

Posted by Dave Aitel via Dailydave on Nov 02

[image: image.png]

It's impossible not to notice that we live in an age of technological
wonders, stretching back to the primitive hominids who dared to ask "Why?"
but also continually accelerating and pulling everything apart while it
does, in the exact same manner as the Universe at large. It is why all the
hackers you know are invested so heavily in Deep Learning right now, as if
someone got on a megaphone at Chaos...




ue

Episode 50: Announcements and Requests

This is another episode where we mainly announce topics related to the podcast itself.




ue

Episode 82: Organization of Large Code Bases with Juergen Hoeller

In this episode Eberhard Wolff speaks with Jürgen Höller, the co-found of the Spring framework. Spring is a tremendously successful Java framework so they discuss the design of large frameworks and the issues that arise in the evolution. Jürgen explains the management of dependencies in the framework, how to structure such a framework, how to offer compatibility for the existing user base while evolving the framework and the role of metrics during development.




ue

Episode 90: Product Line Engineering, Pt. 3, with Charles Krueger

In this episode Charles Krueger, a well-known member of the product line engineering community, talks about his long term experiences in the field. Charles is also the founder and CEO of a company that provides tooling for variability management and product derivation. Besides some clarifications on terms like product line architecture and reference architecture, you also learn what kind of preconditions need to exist before product line engineering can be applied successfully.




ue

Episode 218: Udi Dahan on CQRS (Command Query Responsibility Segregation)

Guest Udi Dahan talks with host Robert Blumen about the CQRS (command query responsibility segregation) architectural pattern. The discussion begins with a review of the command pattern. Then a high-level overview of CQRS, which consists of a separation of a command processing subsystem that updates a write model from one or more distinct and separate, […]




ue

Episode 229: Flavio Junqueira on Distributed Coordination with Apache ZooKeeper

 




ue

SE-Radio-Episode-231:-Joshua-Suereth-and-Matthew-Farwell-on-SBT-and-Software-Builds




ue

SE-Radio Episode 313: Conor Delanbanque on Hiring and Retaining DevOps

Kishore Bhatia talks with Conor Delanbanque about DevOps Hiring, building and retaining top talent in the DevOps space. Topics include DevOps as a special Engineering skill, building DevOps mindset and culture, challenges in hiring and retaining top talent and building teams and best practices for DevOps engineers and employers hiring for these skills.




ue

SE-Radio Episode 328: Bruce Momjian on the Postgres Query Planner

Postgres developer Bruce Momjian joins Robert Blumen for a discussion of the SQL query optimizer in the Postgres RDBMS. They delve into the internals of query planning and look at how developers can make it work for their apps.




ue

Episode 379: Claire Le Goues on Automated Program Repair

Felienne interviews Claire Le Goues about automatic program repair. Can programs repair themselves and what techniques are involved in that?




ue

Episode 431: Ken Youens-Clark on Learning Python

Felienne spoke with Youens-Clark about new features in Python, why you should teach testing to beginners from the start and the importance of the Python ecosystem.




ue

Episode 472: Liran Haimovitch on Handling Customer Issues

Liram Haimovitch talks about how a business handles customer issues with a software product. How issues start out with a dedicated customer-facing team and when they may be escalated to engineering.




ue

Episode 502: Omer Katz on Distributed Task Queues Using Celery

Omer Katz, a software consultant and core contributor to the Celery discusses the Celery task processing framework with host Nikhil Krishna. We discuss in depth, the Celery task processing framework, it's architecture and the underlying messaging...




ue

SE Radio 630: Luis Rodríguez on the SSH Backdoor Attack

Luis Rodríguez, CTO of Xygeni.io, joins host Robert Blumen for a discussion of the recently thwarted attempt to insert a backdoor in the SSH (Secure Shell) daemon. OpenSSH is a popular implementation of the protocol used in major Linux distributions for authentication over a network. Luis describes how a backdoor in a supporting library was recently discovered and removed before the package was published to stable releases of the Linux distros. The conversation explores the mechanism of the attack through modifying a function table in the runtime; how the attack was inserted during the build; how the attack was carefully staged in a series of modifications to the lz compression library; the nature of “Jia Tan,” the entity who committed the changes to the open source project; social engineering that the entity used to gain the trust of the open source community; what forensics indicates about the location of the entity; hypotheses about whether criminal or state actors backed the entity; how the attack was detected; implications for other open source projects; why traditional methods for detecting exploits would not have helped find this; and lessons learned by the community.

Brought to you by IEEE Computer Society and IEEE Software magazine.




ue

Clams offer clues about the Little Ice Age

-- Delivered by Feed43 service




ue

Philips Performance Wireless TAPH805BK Bluetooth Headset Review

The Philips Performance Wireless TAPH805BK are wireless headphones with battery life that will knock your socks off, but the sound quality has a lot of room for improvement.... [PCSTATS]




ue

Lenovo HT10 True Wireless Bluetooth Earbuds Review

The HT10 True Wireless Bluetooth Earbuds by Lenovo are aimed towards consumers on a tight budget looking to get the best bang for the buck. ... [PCSTATS]




ue

Be Unique And Use RSS Guid Like Everybody Else

Winter scenes: Snowflakes by Theodor Horydczak

If you publish an RSS feed, you should do a solid for the developers of RSS readers by including a guid in each item. The guid's job is to be a unique identifier that helps software downloading your feed decide whether it has seen that item before. Here's the guid for an item on the arts and technology blog Laughing Squid:

<guid isPermaLink="false">https://laughingsquid.com/?p=914660</guid>

No other item on Laughing Squid will ever have this guid value. It's a URL that loads a blog post with the title Playful Elephant Pretends to Eat Woman's Hat. If you load the guid's URL https://laughingsquid.com/?p=914660, it redirects to the permanent link of the post. Because the guid is not the permanent link, there's an isPermaLink attribute with a value of false.

Most guid values in RSS feeds are the permanent link of the item, as in this example from the world news site Semafor:

<guid>https://www.semafor.com/article/07/07/2023/us-jobs-data-what-experts-make-of-the-new-numbers</guid>

A drawback of using the permalink is that if any part of the URL changes -- such as the title text or the domain name -- the guid changes and RSS readers will think this is a new item to show the feed's subscribers, when it's actually a repeat.

A guid doesn't have to be a URL. It can be any string that the feed publisher has chosen to be unique. Here's the guid from the RSS Advisory Board's feed for this blog post:

<guid isPermaLink="false">tag:rssboard.org,2006:weblog.217</guid>

Our guid follows the TAG URI scheme, a simple way to assure uniqueness by putting these five components together in this order:

  1. The text "tag"
  2. A domain owned by the feed provider
  3. A year the provider owned that domain
  4. A short name for the feed different from any other feed on the site
  5. The internal ID number of the post

There's different punctuation between each component. The year 2006 was when the board began using the domain rssboard.org. No one else used that domain that year, so any feed reader that stores "tag:rssboard.org,2006:weblog.217" as this item's guid should never encounter that value in any other item on any other feed.

To see how RSS 2.0 feeds are using guid, several thousand feeds were downloaded this evening from an RSS aggregator that publicly shares the OPML subscription lists of its users.

CategoryTotalPercentage
Total number of feeds4,954--
Feed using guid4,77796.4%
Feeds using non-permalinks in guid75215.2%

The term guid means "globally unique identifier," but RSS 2.0 does not require global uniqueness in guids. Because the TAG URI scheme does a good job of serving that purpose, Blogger, Flickr, MetaFilter, SoundCloud and The Register are among the sites using it in their feeds.










ue

Cómo Apoyar a Las Personas Que Enfrentan el Duelo a Larga Distancia

Para los inmigrantes que enfrentan pérdidas desde lejos, el apoyo puede provenir de la comunidad, nuevos rituales y mejores políticas.




ue

Subway Map Visualization jQuery Plugin &raquo; TechBubble

that's kinda nuts




ue

Salary Negotiation: Make More Money, Be More Valued | Kalzumeus Software

a long but well written and informative posting on how to negotiate your salary when taking a new job




ue

Quiz: The world's most powerful queens

Take our quiz and see how much you know about some of the most powerful women the world has ever seen.




ue

Try our Día de los Muertos Quiz

See how much you know about the Day of the Dead with our quiz.




ue

Clean-up continues in Spain after shock floods cause chaos

Families have had to leave their homes and emergency services are helping people as they deal with the impact of the worst flooding in the country for many years.




ue

Donald Trump's win: YOUR questions answered

Donald Trump has won the 2024 US election and will be president for a second time from early next year. Lots of you had questions and we asked a BBC expert to answer them.




ue

Who do YOU think will win the Premier League?

It's been an unusual season so far with teams that have previously struggled doing well, and champions Man City losing four in a row!





ue

Australian Rhyming Slang 2 (10 questions)

Title: Australian Rhyming Slang 2
Topic: Cockney Rhyming Slang
Level: Advanced
Information: Choose the correct answer.
Link: https://www.usingenglish.com/quizzes/570.html




ue

Which or Where? (10 questions)

Title: Which or Where?
Topic: Relative Clauses and Pronouns
Level: Intermediate
Information: Choose the correct answer.
Link: https://www.usingenglish.com/quizzes/571.html