Privilege escalation with polkit: How to get root on Linux with a seven-year-old bug
About polkit polkit is the system service that’s running under the hood when you see a dialog box like the one below: It essentially plays the role of a judge. If you want to do something that requires higher privileges—for example, creating a new user account—then it’s polkit’s job to decide whether or not you’re allowed to do it. For some requests, polkit will make an instant decision to allow o
New – Trigger a Kernel Panic to Diagnose Unresponsive EC2 Instances | Amazon Web Services
AWS News Blog New – Trigger a Kernel Panic to Diagnose Unresponsive EC2 Instances When I was working on systems deployed in on-premises data centers, it sometimes happened I had to debug an unresponsive server. It usually involved asking someone to physically press a non-maskable interrupt (NMI) button on the frozen server or to send a signal to a command controller over a serial interface (yes, s
Declarative Shadow DOM | CSS and UI | Chrome for Developers
Declarative Shadow DOM is a web platform feature, currently in the standardization process. It is enabled by default in Chrome version 111. Shadow DOM is one of the three Web Components standards, rounded out by HTML templates and Custom Elements. Shadow DOM provides a way to scope CSS styles to a specific DOM subtree and isolate that subtree from the rest of the document. The <slot> element gives
by picturepartners アボカドと間違えてわさびを大量に食べてしまった女性が、胸痛や息切れなどの症状が出現する心臓の病気「たこつぼ型心筋症」になってしまったことが報告されました。 Takotsubo cardiomyopathy triggered by wasabi consumption: can sushi break your heart? | BMJ Case Reports https://casereports.bmj.com/content/12/9/e230065 Woman Mistakes Wasabi For Avocado, Ends Up in Hospital With Heart Dysfunction https://www.sciencealert.com/woman-mistakes-wasabi-for-avocado-ends-up-
How does Sidekiq really work?
Sidekiq is one of the most ubiquitous1 Ruby background job processors out there. To anybody who has worked with Ruby on and off Rails, it needs no introduction. Sidekiq has a 10+ year track record of being an efficient, battle-tested and simple-to-use solution for offloading the execution of application logic into the background. It utilizes a threaded model for job processing, uses Redis as a bac
Open SourceSecurityFour tips to keep your GitHub Actions workflows secureResearchers from Purdue and NCSU have found a large number of command injection vulnerabilities in the workflows of projects on GitHub. Follow these four tips to keep your GitHub Actions workflows secure. Continuous Integration and Continuous Deployment (CI/CD) software supply chains are a lucrative target for threat actors.
娘5歳、この度病気が見つかり、あれよあれよという間に検査、検査。 からの入院、手術… そんな数ヶ月を過ごしておりました。 見つかったのは「神経節腫」という「良性の腫瘍」でした。 一時は小児がんも疑われ、文字通り目の前が真っ暗になりました。 今は手術も無事に終わり元気に暮らしています。 病気に気づけたのはずっと続いていた娘からの腹痛の訴え 夫が小児科に一度連れて行ってみてはどうか?と言い出したのが病気発見のきっかけに かかりつけの小児科でお腹の腫瘍が発見される 1週間後、大きい病院へ紹介される 大きい病院でCT検査をする 腫瘍であることに間違いはなく、小児外科へ紹介される 生きた心地のしなかった数週間を過ごした 病気に気づけたのはずっと続いていた娘からの腹痛の訴え 娘は時々「お腹痛い…」と言っていました。 幼稚園や自宅での食中、食後によく言ってました。 熱もないし、食べている時以外はすこぶる
Actions Runner Controller Deep Dive!- コード解説 後編 - - APC 技術ブログ
こんにちは!ACS事業部の谷合です。 皆大好きGitHub Actionsにおける、GitHub社公式のSelf-hosted runnerであるActions Runner Controller(以降ARC)の紹介をシリーズでお送りしております。 前回までに以下の記事を書いておりました。 Actions Runner Controller Deep Dive!- アーキテクチャ編 - - APC 技術ブログ Actions Runner Controller Deep Dive!- 動作解説編 - - APC 技術ブログ Actions Runner Controller Deep Dive!- コード解説 前編 - - APC 技術ブログ 前回に引き続き、Actions Runner Controllerのコード解説をしていきます。 はじめに この記事のこと コード解説 AutoSca
How to safely use GitHub Actions in organizations - Human Who Codes
GitHub Actions1 are programs designed to run inside of workflows2, triggered by specific events inside a GitHub repository. To date, people use GitHub Actions to do things like run continuous integration (CI) tests, publish releases, respond to issues, and more. Because the workflows are executed inside a fresh virtual machine that is deleted after the workflow completes, there isn’t much risk of
EngineeringHow we ship GitHub Mobile every weekLearn how the GitHub Mobile Team automates their release process with GitHub Actions. Every week, the GitHub Mobile team updates the GitHub Mobile apps on both iOS and Android with new features, bug fixes and improvements. Shipping a mobile app is not an easy task. Before a build goes out to our users’ hands, we must make sure the end result is proper
Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests Jaroslav Lobacevski This post is the first in a series of posts about GitHub Actions security. Part 2, Part 3 In this article, we’ll discuss some common security malpractices for GitHub Actions and workflows, and how to best avoid them. Our examples are based on real-world GitHub workflow implementation vulnerabilitie
James Mattis Denounces President Trump, Describes Him as a Threat to the Constitution
James Mattis Denounces President Trump, Describes Him as a Threat to the Constitution In an extraordinary condemnation, the former defense secretary backs protesters and says the president is trying to turn Americans against one another. James Mattis, the esteemed Marine general who resigned as secretary of defense in December 2018 to protest Donald Trump’s Syria policy, has, ever since, kept stud
賛否両論を呼ぶAppleのプライバシー強化機能「App Tracking Transparency(ATT)」の影響で、iOS向けに広告を表示する広告主やアプリ開発者の収益が、15~20%減少したことが報じられています。ATTはまだ完全に有効になったわけではないため、今後はこれ以上の影響が現れると考えられています。 Brian Bowman: Apple's IDFA change has triggered 15% to 20% revenue drops for iOS developers | VentureBeat https://venturebeat.com/2021/07/13/brian-bowman-apples-idfa-change-has-triggered-15-to-20-revenue-drops-for-ios-developers/ App Trackin
14 Linting Rules To Help You Write Asynchronous Code in JavaScript
Debugging asynchronous code in JavaScript can feel like navigating a minefield at times. You don't know when and where the console.logs will print out, and you have no idea how your code is executed. It's hard to correctly structure async code so it executes in the right order as you intend it to. Wouldn't it be nice if you had some guidance while writing asynchronous code, and to get a helpful me
Mount Ida─イーデーの山(少年パリスはまだ羊飼いをしている)について 岡﨑 乾二郎 2022年6月、ファーレ立川(東京都立川市曙町)立川高島屋に設置されていた、岡﨑 乾二郎彫刻作品「Mount Ida─イーデーの⼭(少年パリスはまだ⽺飼いをしている)」が2023年2月に撤去されるという計画が作者(岡﨑 乾⼆郎)に知らされました。計画の詳細は不明のまま、作者への提示も延期されてきました。このサイトはその経緯を掲載していましたが、高島屋S.C.は2023年1月17日に「移設・撤去含まず作品保存の方向で計画を見直す」方向であることを広報しました。詳細はまだ提示されておらず不明の点もありますが、高島屋S.C.の今回の決断を尊重し、経緯の掲載を取りやめます。高島屋S.C.のご賢慮と、この期間に発信された多くの方の意見、議論に感謝いたします。 In June 2022, Okazaki Ken
On Wed, Apr 14, 2021 at 11:46 AM <ojeda@kernel.org> wrote: > > Some of you have noticed the past few weeks and months that > a serious attempt to bring a second language to the kernel was > being forged. We are finally here, with an RFC that adds support > for Rust to the Linux kernel. So I replied with my reactions to a couple of the individual patches, but on the whole I don't hate it. HOWEVER.
ローリング女史のブログの最新記事 翻訳 - Privatter
Disclaimer ソースを検索しやすいように個人名や団体名は原文表記のまま残しました 用語の使い間違いや訳し間違い、もしくは特定の人を傷つけるような誤訳があったらあらかじめお詫び申し上げます 大意を優先しての粗訳ですし、正確性は一切保証できないので、これ自体を参照せずに絶対に原文ソースをあたってください 自分で考えるためにとりあえず起こした初稿なので無断で手直しすると思います(ここまで訳者注) *** 読めばすぐにわかるように、これは簡単に書けるような話ではないけれど、今回の有害にまみれてしまった問題について私自身が説明するときだというのはわかっている。この文章を書くことで、問題をさらに煽り立てるようなつもりは一切ない。 一連の事情を知らない人へ:去年の12月、私はMaya Fostater(税理士で、トランスジェンダーに関するツイートがきっかけで仕事を失った)への支持をツイートした。
Wacom drawing tablets track the name of every application that you open | Robert Heaton
Disclaimer: I haven’t asked Wacom for comment about this story because I’m not a journalist and I don’t know how to do that. I don’t believe I’ve got anything important wrong, however. Chapter 1: The discovery I have a Wacom drawing tablet. I use it to draw cover illustrations for my blog posts, such as this one: Last week I set up my tablet on my new laptop. As part of installing its drivers I wa
Keeping your GitHub Actions and workflows secure Part 2: Untrusted input
Keeping your GitHub Actions and workflows secure Part 2: Untrusted input Jaroslav Lobacevski This post is the second in a series of posts about GitHub Actions security. Part 1, Part 3 We previously discussed the misuse of the pull_request_target trigger within GitHub Actions and workflows. In this follow-up piece, we will discuss possible avenues of abuse that may result in code and command inject
Doug Madory on Twitter: "Island nation of #Tonga is completely offline following a #tsunami triggered by a massive volcanic eruption in the… https://t.co/w8QjfMQUbd"
Island nation of #Tonga is completely offline following a #tsunami triggered by a massive volcanic eruption in the… https://t.co/w8QjfMQUbd
Wasm core dumps and debugging Rust in Cloudflare Workers
Wasm core dumps and debugging Rust in Cloudflare Workers08/14/2023 A clear sign of maturing for any new programming language or environment is how easy and efficient debugging them is. Programming, like any other complex task, involves various challenges and potential pitfalls. Logic errors, off-by-ones, null pointer dereferences, and memory leaks are some examples of things that can make software
On Joi and MIT
If you’re coming here from the New York Times article published Saturday, please read this: On the careful reading of the New York Times editors A couple of weeks ago, I signed a petition (the site has since been taken down, but you can see it at archive.org) expressing my support for Joi Ito. Not unexpectedly, that signing produced anger and outrage among many, and among some of my friends. I had
Fixing a Memory Leak in a Production Node.js AppJanuary 12th, 2023 — 15 min read A few months ago, I wrote about my migration from Postgres to SQLite. I ended that with a "to be continued" because I had a number of issues related to memory and CPU spikes that I couldn't really explain. For a while I thought it was bugs in LiteFS (which I'm using to get distributed SQLite for my distributed node ap
The OpenSSL punycode vulnerability (CVE-2022-3602): Overview, detection, exploitation, and remediation | Datadog Security Labs
emerging vulnerabilities The OpenSSL punycode vulnerability (CVE-2022-3602): Overview, detection, exploitation, and remediation November 1, 2022 emerging vulnerability On November 1, 2022, the OpenSSL Project released a security advisory detailing a high-severity vulnerability in the OpenSSL library. Deployments of OpenSSL from 3.0.0 to 3.0.6 (included) are vulnerable and are fixed in version 3.0.
How we chose the Rust programming language to advance the state-of-the-art in real-time communication This post was written collectively with Ryo Kawaguchi, Andrea Law, Brian Schwind. Our goal for tonari is to build a virtual doorway to another space that allows for truly natural human interactions. Nearly two years in development, tonari is, to the best of our knowledge, the lowest-latency high r
IntroductionWhen I started up my journey into the fabulous world of Flutter beginning 2018, very little documentation could be found on Internet compared to what exists today. Despite the number of articles that have been written, very few talk about how Flutter actually works. What are finally the Widgets, the Elements, the BuildContext ? Why is Flutter fast and why does it sometimes work differe
How to improve Python packaging, or why fourteen tools are at least tw
There is an area of Python that many developers have problems with. This is an area that has seen many different solutions pop up over the years, with many different opinions, wars, and attempts to solve it. Many have complained about the packaging ecosystem and tools making their lives harder. Many beginners are confused about virtual environments. But does it have to be this way? Are the current
If you are developing Android apps, chances are you have confronted any sort of CI at some point in your career. If you thought Android fragmentation was a thing, the wide availability of CI systems will be familiar to you. GitHub Actions was released around November 2019, and since then it has proved itself to be reliable for a production environment (one of our requirements before committing to
Unlocking eBPF power
My first steps with eBPF. In this article I'm describing how I used bluetooth tracing with eBPF to handle locking of my laptop. I heard “eBPF” so many times in recent days that I’ve decided to give it a try. I have very limited knowledge about kernel tracing so I thought it is good opportunity to learn something new. One particular talk (by Brendan Gregg) especially caught my attention and I recom
jQuery 3.6.0 has been released! In jQuery 3.5.0, the major change was a security fix for the html prefilter. This release does not include a security fix, but does have some good bug fixes and improvements. We still have our eyes on a jQuery 4.0 release, but until then we will continue to support the 3.x branch and address important issues. As usual, the release is available on our cdn and the npm
前提条件 actを実行するためには、Dockerが必要です。 M1 Macの場合は、--container-architecture linux/amd64のオプションを付けて実行する必要があります。 使い方 # コマンドの構造: act [<イベント>] [オプション] イベント名が指定されない場合は、デフォルトで "on: push" になります アクションが1つのイベントだけを処理する場合は、デフォルトでは "on: push" の代わりに使用されます # すべてのイベントのすべてのアクションを一覧表示: act -l # 特定のイベントのアクションを一覧表示: act workflow_dispatch -l # 特定のジョブのアクションを一覧表示: act -j test -l # デフォルト(`push`)イベントを実行: act # 特定のイベントを実行: act pull_
分類タスクではクロスエントロピーを用いるべきか?
3つの要点 ✔️ 分類タスクにおけるクロスエントロピー損失と平均二乗誤差を比較 ✔️ 自然言語処理、音声認識、コンピュータビジョン等の様々なタスクで検証 ✔️ 二乗誤差を利用したモデルの方が全体として優れた性能を発揮 Evaluation of Neural Architectures Trained with Square Loss vs Cross-Entropy in Classification Tasks written by Like Hui, Mikhail Belkin (Submitted on 12 Jun 2020 (v1), last revised 4 Nov 2020 (this version, v3)) Comments: Accepted to ICLR2021. Subjects: Machine Learning (cs.LG); Machine Le
Deep Dive on Amazon ECS Cluster Auto Scaling | Amazon Web Services
Containers Deep Dive on Amazon ECS Cluster Auto Scaling Introduction Up until recently, ensuring that the number of EC2 instances in your ECS cluster would scale as needed to accommodate your tasks and services could be challenging. ECS clusters could not always scale out when needed, and scaling in could impact availability unless handled carefully. Sometimes, customers would resort to custom to
DEV-0537 criminal actor targeting organizations for data exfiltration and destruction | Microsoft Security Blog
April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. DEV-0537 is now tracked as Strawberry Tempest. To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor namin
More than 1,130 have died in devastating floods triggered by the heaviest monsoon rains in a decade.
Error messages are part of our daily lives online. Every time a server is down or we don’t have internet, or we forget to add some info in a form, we get an error message. “Something went wrong” is the classic. But what went wrong? What happened? And, most importantly, how can I fix it? We encounter error messages all the time, but how often do they actually help us understand what went wrong and
IntroductionOn June 27, 2024, a small number of users globally may have noticed that 1.1.1.1 was unreachable or degraded. The root cause was a mix of BGP (Border Gateway Protocol) hijacking and a route leak. Cloudflare was an early adopter of Resource Public Key Infrastructure (RPKI) for route origin validation (ROV). With RPKI, IP prefix owners can store and share ownership information securely,
[アップデート]Alexa-hostedスキルでPythonが利用できるようになりました | DevelopersIO
Alexa開発者コンソールでスキルの作成、編集、公開が完結できる「Alexa-hostedスキル」でPythonが利用できるようになったので触ってみました。 Alexa開発者コンソールにてスキルの作成、編集、公開が完結できる「Alexa-hostedスキル」で Python が利用できるようになりました! Alexa-hosted スキルとは 「Alexa-hostedスキル」(以下、hostedスキル)は、AlexaがホストするバックエンドのAWSリソースを利用して作成するAlexaスキルのことです。 開発者側でAWSアカウントを用意することなく、スキルの開発を行うことができます。 開発者コンソール上にてすべての作業が完結できることで、開発からリリースまで素早く行うことが可能です。 なお、hostedスキルでAWSリソースを利用するにあたっては、以下の利用制限があります。 (Alexa-
![[アップデート]Alexa-hostedスキルでPythonが利用できるようになりました | DevelopersIO](https://cdn-ak-scissors.b.st-hatena.com/image/square/2d4f93141357257d166ae9acddc16edaed91e0c8/height=288;version=1;width=512/https%3A%2F%2Fdevio2023-media.developers.io%2Fwp-content%2Fuploads%2F2018%2F12%2Falexa-eyecatch.jpg)
MS365に有効なゼロデイ攻撃 CVE-2021-40444 は危険。緩和策を迂回することが可能(大元隆志) - エキスパート - Yahoo!ニュース
9月7日にマイクロソフトが公表したOffice365等に対して有効なゼロデイ攻撃CVE-2021-40444が、当初予想されていた以上に危険であると海外のセキュリティ研究者の間で話題になっている。 ■CVE-2021-40444とは?Internet ExplorerブラウザのレンダリングエンジンであるMSHTMLに関する脆弱性であり、本脆弱性を悪用されると、サイバー攻撃者は遠隔からターゲットのWindows10等で任意のコードを実行可能になるという。 マイクロソフトは「既に本脆弱性が標的型攻撃で悪用されている」としている。 Internet Explorerブラウザはもう利用していないから大丈夫と思われるかもしれないが、MSHTMLはMicrosoft Officeドキュメントにも利用されているため、Office365にも本脆弱性が有効に機能する。サイバー攻撃者の狙いはOffice365
I joined Dropbox not long after graduating with a Master’s degree in computer science. Aside from an internship, this was my first big-league engineering job. My team had already begun designing a critical internal service that most of our software would use: It would handle asynchronous computing requests behind the scenes, powering everything from dragging a file into a Dropbox folder to schedul
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く
わさびをアボカドと間違って食べて心筋症になってしまった女性が報告される
Four tips to keep your GitHub Actions workflows secure
5歳娘、神経節腫(良性腫瘍)が見つかり手術しました。【きっかけ】 - 広く浅くまるく
How we ship GitHub Mobile every week
Appleのプライバシー強化で開発者や広告主の収益が15~20%減ったことが判明
Mount Ida─イーデーの山(少年パリスはまだ羊飼いをしている)撤去問題について
LKML: Linus Torvalds: Re: [PATCH 00/13] [RFC] Rust support
Fixing a Memory Leak in a Production Node.js App
3K, 60fps, 130ms: achieving it with Rust | tonari blog
Flutter - Flutter internals
GitHub Actions for Android developers
jQuery 3.6.0 Released! | Official jQuery Blog
actを使ってローカル環境でGitHub Actionsを実行する方法
Pakistan floods: One third of country is under water - minister
When life gives you lemons, write better error messages
Cloudflare 1.1.1.1 incident on June 27, 2024
How we designed Dropbox’s ATF - an async task framework