Archive for the ‘Programming’ Category

The next version of HTTP won’t be using TCP

November 12th, 2018


The next version of the Hypertext Transfer Protocol (HTTP)—the network protocol that defines how browsers talk to Web servers—is going to make a major break from the versions in use today.

Today's HTTP versions (1.0, 1.1, and 2) are all layered on top of TCP (Transmission Control Protocol). TCP, defined as part of the core set of IP (Internet Protocol) layers, provides reliable, ordered, and error-checked delivery of data over an IP network. "Reliable" means that if some data goes missing during transfer (due to a hardware failure, congestion, or a timeout), the receiving end can detect this and demand that the sending end re-send the missing data; "ordered" means that data is received in the order in which it was transmitted; "error-checked" means that any corruption during transmission can be detected.

These are all desirable properties and necessary for a protocol such as HTTP, but TCP is designed as a kind of one-size-fits-all solution, suitable for any application that needs this kind of reliability. It isn't particularly tuned for the kinds of scenarios that HTTP is used for. TCP requires a number of round trips between client and server to establish a connection, for example; using SSL over TCP requires subsequent round trips to establish the encrypted connection. A protocol purpose-built for HTTP could combine these negotiations and reduce the number of round trips, thereby improving network latency.


Posted in HTTP, IETF, networking, open standards, Programming, quic, standards, Tech, Web | Comments (0)

GitHub is now officially a part of Microsoft

October 26th, 2018


satyan@redmond:~/src$ git checkout -b microsoft-acquisitions
Switched to a new branch 'microsoft-acquisitions'

satyan@redmond:~/src$ scp satyan@github.com:/github .

satyan@redmond:~/src$ git add github

satyan@redmond:~/src$ git commit -m "Microsoft announced in June that it
> was buying the Git repository and collaboration platform GitHub for 
> $7.5 billion in stock. That acquisition has received all the necessary 
> regulatory approvals, and has now completed. Nat Friedman, formerly of
> Xamarin, will take the role as GitHub CEO on Monday.
>
> The news of the acquisition sent ripples around the open source world,
> as GitHub has become the home for a significant number of open source
> projects. We argued at the time that the sale was likely one of
> necessity, and that of all the possible suitors, Microsoft was the best
> one, due to common goals and shared interests. Friedman at the time
> sought to reassure concerned open source developers that the intent was
> to make GitHub even better at being GitHub, and that he would work to
> earn the trust of the GitHub community. Those views were reiterated
> today.
>
> Since then, Microsoft has joined the Open Invention Network, a patent
> cross-licensing group that promises royalty free licenses for any patents
> that apply to the Linux kernel or other essential open source packages.
> This was a bold move that largely precludes Redmond from asserting its
> patents against Android, and should mean that the company will no longer
> receive royalties from smartphone manufacturers.
>
> Sources close to the matter tell us that Microsoft's decision to join
> OIN was driven in no small part by the GitHub acquisition. GitHub is
> already a member of OIN, which left Microsoft with only a few options:
> withdraw GitHub from OIN, a move that would inevitably upset the open
> source world; acquire GitHub as some kind of arm's length subsidiary
> such that GitHub's OIN obligations could not possibly apply to
> Microsoft; or join OIN too, as the most straightforward approach that
> also bolstered the company's open source reputation. Microsoft took
> the third option."
[microsoft-acquisitions baadf00d] Microsoft announced...
1 file changed, billions of insertions(+), 0 deletions(-)

satyan@redmond:~/src$ git checkout microsoft-corp
Switched to branch 'microsoft-corp'

satyan@redmond:~/src$ git merge microsoft-acquisitions
Updating cafef00d..baadf00d
Fast-forward
 billions-of-files | billions ++++++++++++

satyan@redmond:~/src$ git branch -d microsoft-acquisitions


Posted in acquisitions, development, git, GitHub, microsoft, Open Source, Programming, Tech | Comments (0)

BASIC turns 53 – find out just how cool that is!

May 3rd, 2017

There aren’t a lot of quasi-religious moments in computer science, but the official launch of Dartmouth BASIC 53 years ago was one of them.

Posted in BASIC, Dartmouth, Programming | Comments (0)

Suspected Kelihos Botnet Operator Arrested in Spain

April 10th, 2017

Update (Tuesday, April 11): The arrest of a Russian man in Spain was apparently for his role in the Kelihos botnet, which is responsible for sending hundreds of millions of spam emails worldwide.

A Russian computer hacker and alleged spam kingpin was arrested in Barcelona, Spain, on Friday reportedly over suspicion of being involved in hacking attacks linked to alleged interference in last year’s United

Posted in Botnet, computer programmer, election hacking, hacker arrested, hacking news, presidential election, Programming, Russian hackers, Spam botnet, spamming, us election | Comments (0)

Critical glibc Flaw Puts Linux Machines and Apps at Risk (Patch Immediately)

February 17th, 2016

A highly critical vulnerability has been uncovered in the GNU C Library (glibc), a key component of most Linux distributions, that leaves nearly all Linux machines, thousands of apps and electronic devices vulnerable to hackers who can take full control of them.

Just clicking on a link or connecting to a server can result in remote code execution (RCE), allowing hackers to steal credentials, spy on users, seize control of computers, and more.
The vulnerability is similar to last year's GHOST vulnerability (CVE-2015-0235), which left countless machines vulnerable to remote code execution (RCE) attacks and represented a major Internet threat.
GNU C Library (glibc) is a collection of open source code that powers thousands of standalone apps and most Linux distributions, including those distributed to routers and other types of hardware.
The recent flaw, which is indexed as CVE-2015-7547, is a stack-based buffer overflow vulnerability in glibc's DNS client-side resolver, the component used to translate human-readable domain names, like google.com, into a network IP address.
The buffer overflow is triggered when the getaddrinfo() library function that performs domain-name lookups is in use, allowing hackers to remotely execute malicious code.

How Does the Flaw Work?

The flaw can be exploited when an affected device or app makes queries to a malicious DNS server that returns too much information in reply to a lookup request and floods the program's memory with code.
This code then compromises the vulnerable application or device and attempts to take control of the whole system.
It is also possible to inject a domain name into server log files which, when resolved, will trigger remote code execution. An SSH (Secure Shell) client connecting to a server could likewise be compromised.
However, an attacker needs to bypass several operating system security mechanisms – such as ASLR and non-executable stack protection – in order to achieve a successful RCE attack.
Alternatively, an attacker on your network could perform man-in-the-middle (MitM) attacks and tamper with DNS replies with a view to monitoring and manipulating (injecting payloads of malicious code into) data flowing between a vulnerable device and the Internet.

Affected Software and Devices

All versions of glibc after 2.9 are vulnerable. Therefore, any software or application that connects to things on a network or the Internet and uses glibc is at risk.
The widely used SSH, sudo, and curl utilities are all known to be affected by the buffer overflow bug, and security researchers warn that the list of other affected applications or code is almost too diverse and numerous to enumerate completely.
The vulnerability could extend to nearly all major software, including:
  • Virtually all distributions of Linux.
  • Programming languages and frameworks such as Python, PHP, and Ruby on Rails.
  • Many others that use Linux code to look up the numerical IP address of an Internet domain.
  • Most Bitcoin software is reportedly vulnerable, too.

Who Is Not Affected

The good news is that users of Google's Android mobile operating system aren't vulnerable to this flaw, because the company uses a glibc substitute known as Bionic that is not susceptible, according to a Google representative.
Additionally, a lot of embedded Linux devices, including home routers and various gadgets, are not affected by the bug because these devices use the uClibc library, which is more lightweight than the hefty glibc.
The vulnerability was first introduced in May 2008 but was reported to the glibc maintainers in July 2015.
The vulnerability was discovered independently by researchers at Google and Red Hat, who found that it has likely not been publicly exploited.
The flaw was discovered when one of Google's SSH apps experienced a severe error called a segmentation fault each time it attempted to contact a particular Internet address, Google's security team reported in a blog post published Monday.

Where glibc went Wrong

Google researchers figured out that the error was due to a buffer overflow bug inside the glibc library that made malicious code execution attacks possible. The researchers then notified glibc maintainers.
Here’s what went wrong, according to the Google engineers:

“glibc reserves 2048 bytes in the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r() for hosting responses to a DNS query. Later on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated.”

“Under certain conditions a mismatch between the stack buffer and the new heap allocation will happen. The final effect is that the stack buffer will be used to store the DNS response, even though the response is larger than the stack buffer and a heap buffer was allocated. This behavior leads to the stack buffer overflow.”

Proof-of-Concept Exploit Released

Google bod Fermin J. Serna released proof-of-concept (PoC) exploit code on Tuesday.
With this POC code, you can verify if you are affected by this critical issue, and verify any mitigations you may wish to enact.

Patch glibc Vulnerability

Google researchers, working with security researchers at Red Hat, have released a patch to fix the programming blunder.
However, it is now up to the community behind the Linux OS and to manufacturers to roll out the patch to their affected software and devices as soon as possible.
For people running servers, fixing the issue will be a simple process of downloading and installing the patch update.
But for other users, patching the problem may not be so easy. Apps compiled with a vulnerable glibc version must be recompiled with an updated version – a process that will take time, as users of affected apps have to wait for updates to become available from developers.
Meanwhile, if you aren't able to immediately patch your instance of glibc, you can help prevent exploitation of the flaw by limiting all TCP DNS replies to 1024 bytes and dropping UDP DNS packets larger than 512 bytes.
For more in-depth information on the glibc flaw, you can read Red Hat's blog post.
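As an added, defender-side illustration of the interim mitigation just described (this is not code from the article, Google or Red Hat), here is a Python guard that classifies inbound DNS packets: it validates the TCP length prefix, parses the 12-byte DNS header, and drops replies that exceed the stated 1024-byte TCP and 512-byte UDP limits. The helpers build_reply and tcp_frame construct test messages (a real header padded with zero bytes, not genuine resource records) so the block runs offline.

```python
import struct
# Thresholds from the interim mitigation described above: cap TCP DNS
# replies at 1024 bytes and drop UDP DNS packets larger than 512 bytes.
MAX_TCP_REPLY = 1024
MAX_UDP_REPLY = 512
QR_BIT = 0x8000  # header flag that marks a message as a response

def parse_header(msg):
    """Return (transaction id, is_response, answer count) from a DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return txid, bool(flags & QR_BIT), an

def check_reply(payload, transport):
    """Classify one inbound DNS packet as ('allow' | 'drop', reason).
    transport: 'udp' (payload is the datagram) or 'tcp' (2-byte length
    prefix plus the message, as sent on the wire)."""
    if transport == "tcp":
        if len(payload) < 2:
            return "drop", "missing TCP length prefix"
        (declared,) = struct.unpack("!H", payload[:2])
        msg = payload[2:]
        if declared != len(msg):
            return "drop", "TCP length prefix does not match message size"
        limit = MAX_TCP_REPLY
    elif transport == "udp":
        msg, limit = payload, MAX_UDP_REPLY
    else:
        raise ValueError("transport must be 'udp' or 'tcp'")
    try:
        _txid, is_response, _an = parse_header(msg)
    except ValueError as exc:
        return "drop", str(exc)
    if not is_response:
        return "allow", "query, not a reply"
    if len(msg) > limit:
        return "drop", f"{transport} reply of {len(msg)} bytes exceeds {limit}"
    return "allow", f"{transport} reply of {len(msg)} bytes within limit"

def build_reply(txid, total_size, is_response=True):
    """Constructed test message: a valid 12-byte DNS header padded with zero
    bytes to total_size (no real resource records; exercises size checks only)."""
    flags = QR_BIT if is_response else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    return header + b"\x00" * (total_size - len(header))

def tcp_frame(msg):
    """Prefix a message with its 16-bit length, as DNS over TCP does."""
    return struct.pack("!H", len(msg)) + msg
```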

Posted in DNS hijacking, glibc, GNU C Library, Google Security, hacking news, Linux hacking, Linux OS, linux security, Programming, remote code execution, Vulnerability | Comments (0)

Next Hacker to Organize Biggest Java Programming Competition In Germany

January 16th, 2016

Great news for hackers and bug hunters who enjoy programming and playing around with software.

A worldwide group of like-minded computer programmers is hosting The Next Hacker IPPC event on the 26th and 27th of February in Berlin, Germany, where participants can meet hackers and programmers from around the world while getting an opportunity to participate in one of the major

Posted in bug hunting, hackathon, hacker next conference, hacking competition, hacking conference, Java, Java Programming, Programming, Programming competition | Comments (0)

Raspberry Pi Zero — The $5 Tiny Computer is Here

November 26th, 2015

Get ready for a Thanksgiving celebration from the Raspberry Pi Foundation.

Raspberry Pi, the charitable foundation behind the United Kingdom’s best-selling computer, has just unveiled its latest wonder – the Raspberry Pi Zero.

Raspberry Pi Zero is a programmable computer that costs just $5 (or £4) and may rank as the world's cheapest computer.


Raspberry Pi Zero: Just $5

Posted in hardware hacking, Programming, Raspberry Pi, raspberry pi projects, Raspberry Pi Zero, Smallest Computer, Technology News | Comments (0)

Micro:bit — A Pocket-sized Programmable Computer

July 9th, 2015

The BBC has unveiled the final design of the Micro:bit — a pocket-sized computer board designed to lure U.K. school children to embedded electronics.

The Micro:bit is essentially a codeable computer that lets kids get creative with technology. It measures 5cm by 4cm and will be available in different colors.

The idea behind the Micro:bit is to encourage young children to learn how

Posted in BBC Micro bit, micro chip, Micro:bit, Programming, Raspberry Pi, Silicon Chip, Technology | Comments (0)