
Apache CloudStack 4.15 available with a new user interface

The Apache Software Foundation (ASF) has released version 4.15 of its IaaS software (Infrastructure as a Service) CloudStack. The update is an LTS release with an extended support period (long-term support). According to the ASF, since the release of CloudStack 4.14 the open source software for building cloud infrastructures has received numerous improvements and 15 new features, including a modernized user interface.

Revamped interface: As of CloudStack 4.15, the URL :8080/client opens the new, revised user interface by default; it is now generally available (general availability). The previous legacy UI remains reachable for the time being at :8080/client/legacy and is still supported in production environments. However, it is already marked as deprecated and is to be dropped with the release of CloudStack 4.16.

New in the release is the integration of the noVNC console (VNC: Virtual Network Computing) for virtual machines (VMs). A new websocket proxy allows interaction with the VNC console; a ConsoleProxyClient reads and writes the data exchanged between the VM and the websocket. The console, built on noVNC 1.1.0, has been tested on various platforms, including KVM, Ubuntu, CentOS and VMware 6.5.

Workaround for new KVM hosts: For management servers and KVM hosts, CloudStack 4.15 now supports CentOS 8 and Ubuntu 20.04. Users should note, however, that end of life (EoL) for CentOS 8 has already been announced for the end of the year. When adding new KVM hosts, users of some GNU/Linux distributions must also be aware of a problem with the latest OpenSSH package: because the trilead-ssh library used by CloudStack does not support some of the current SSH algorithms, individual key exchange, host key and public key algorithms do not work correctly. A workaround is therefore currently necessary before adding new KVM hosts. The following lines must be added to /etc/ssh/sshd_config on the KVM host, after which the SSH server must be restarted:

    PubkeyAcceptedKeyTypes=+ssh-dss
    HostKeyAlgorithms=+ssh-dss
    KexAlgorithms=+diffie-hellman-group1-sha1

Note that these three settings re-enable algorithms that OpenSSH disables by default for good reason (1024-bit DSA keys and a 1024-bit SHA-1 Diffie-Hellman group), and that they apply to every SSH client of the host, not only to the management server. The lines should be removed again once the library limitation is resolved.

Among the other new features in CloudStack 4.15 are support for role-based users in projects, extended storage functions for VMware (vSAN, vVols, VMFS6, datastore clusters), PVLAN for L2 networks as well as support for XCP-ng 8.1 and MySQL 8. A complete overview of all improvements and new functions can be found in the release notes. CloudStack 4.15 is now available for free download under the Apache License 2.0.
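The three sshd_config lines above use OpenSSH's list syntax, where a leading "+" appends to the built-in default list. As an added example (not CloudStack or OpenSSH code), the script below parses an sshd_config, applies the "+", "-" and "^" semantics against an assumed baseline default list, and reports which of the weak algorithms the workaround leaves enabled, so the host can be re-checked once the workaround is no longer needed. The baseline defaults and the sample configurations are constructed for the demo and do not correspond to a particular OpenSSH release.

```python
"""Audit an sshd_config for the CloudStack 4.15 KVM-host SSH workaround.

Added example, not CloudStack or OpenSSH code. It parses the three
keywords the workaround touches, applies OpenSSH's '+' (append),
'-' (remove) and '^' (prepend) list semantics against an assumed
baseline default list, and reports whether the weak algorithms are
now offered. The baseline defaults below are an assumption for the
demo, not copied from any particular OpenSSH release.
"""
import re

# Assumed baseline defaults (illustrative, not a specific OpenSSH version).
DEFAULTS = {
    "kexalgorithms": ["curve25519-sha256", "ecdh-sha2-nistp256",
                      "diffie-hellman-group14-sha256"],
    "hostkeyalgorithms": ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"],
    "pubkeyacceptedkeytypes": ["ssh-ed25519", "rsa-sha2-512", "rsa-sha2-256"],
}

# Algorithms the CloudStack workaround re-enables; both are deprecated in
# OpenSSH because of 1024-bit DSA / a 1024-bit MODP group and SHA-1.
WEAK = {"ssh-dss", "diffie-hellman-group1-sha1"}

# 'Keyword value' and 'Keyword=value' are both accepted by sshd.
_LINE = re.compile(r"^\s*(?P<key>[A-Za-z]+)\s*(?:=|\s)\s*(?P<val>\S.*?)\s*$")


def effective_algorithms(config_text, defaults=DEFAULTS):
    """Return {keyword: list} after applying the config to the defaults.

    Only the global section is considered: parsing stops at the first
    'Match' block, since KexAlgorithms and HostKeyAlgorithms cannot be
    set per Match block anyway.
    """
    result = {k: list(v) for k, v in defaults.items()}
    for raw in config_text.splitlines():
        m = _LINE.match(raw.split("#", 1)[0])
        if not m:
            continue
        key = m.group("key").lower()
        if key == "match":
            break
        if key not in result:
            continue
        value = m.group("val")
        items = [x for x in value.lstrip("+-^").split(",") if x]
        if value.startswith("+"):
            result[key] = result[key] + [x for x in items if x not in result[key]]
        elif value.startswith("-"):
            result[key] = [x for x in result[key] if x not in items]
        elif value.startswith("^"):
            result[key] = items + [x for x in result[key] if x not in items]
        else:
            result[key] = items
    return result


def weak_algorithms_offered(config_text):
    """Map each keyword to the weak algorithms the config leaves enabled."""
    found = {}
    for key, algs in effective_algorithms(config_text).items():
        weak = sorted(a for a in algs if a in WEAK)
        if weak:
            found[key] = weak
    return found


# Constructed sample: a KVM host with the CloudStack 4.15 workaround applied.
WORKAROUND_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
PermitRootLogin prohibit-password
PubkeyAcceptedKeyTypes=+ssh-dss
HostKeyAlgorithms=+ssh-dss
KexAlgorithms=+diffie-hellman-group1-sha1
"""

# Constructed sample: the same host after the workaround has been removed.
CLEAN_CONFIG = "PermitRootLogin prohibit-password\nKexAlgorithms -diffie-hellman-group1-sha1\n"

if __name__ == "__main__":
    for name, cfg in (("workaround", WORKAROUND_CONFIG), ("clean", CLEAN_CONFIG)):
        print(name, weak_algorithms_offered(cfg) or "no weak algorithms offered")
```

Running the script on the real file (`python3 audit.py < /etc/ssh/sshd_config` after replacing the constructed samples) gives the same effective view that `sshd -T` prints for these keywords, but without needing root on the host.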

(map)


Snort 3: On the trail of the attacker with multithreading

Besides Suricata, Snort is the best-known open source network intrusion detection/prevention system (NIDS/NIPS). Originally started in 1998 by Martin Roesch as a simple network sniffer, it has over the years developed into the reference NIDS in the open source world. After seven years of development, the developer team has re-implemented the code in C++ and has now released the long-awaited Snort 3.

Snort is a component of many commercial solutions and also works at the core of Cisco’s Firepower IPS products. The network specialist bought Martin Roesch’s company Sourcefire in 2013 and then integrated the commercial version into its own products. This long history was also a curse for Snort and had already led to the development of Suricata in 2009, since many developers regarded Snort’s internal architecture as backward. While Suricata was multi-threaded from the start and offered automatic protocol detection, Snort could not offer these functions. Since 2013 the Snort development team has been working, more or less actively, on a completely new version, now written in C++ instead of C. The main innovations of Snort version 3.1 are:

  • Packet processing takes place in several parallel threads, which share a common configuration and attribute table.
  • PCRE matching is carried out with Intel’s Hyperscan library (hyperscan.io), which significantly speeds up detection compared with version 2.
  • Snort now supports Realtime Network Awareness (RNA), which lets it learn on its own which systems and protocols are in use on the network. This was previously a feature available only in the commercial products.
  • Full plug-in support in Lua.
  • Since Snort recognises application protocols regardless of the port (RNA), rules can now be written per protocol and are no longer tied to ports. The rule syntax has also changed slightly as a result.

Some of Cisco’s commercial products already allow an upgrade to the new Snort 3 core, but they do not yet support all of its functions.

Even in version 3, Snort users must not be afraid of the command line.

Although Snort is one of the most powerful IDS engines, the open source world still lacks suitable management interfaces with which the product can be used effectively. Security Onion and OPNsense are two of the few products that use Snort and offer a rudimentary management interface.

(avr)


Beeper: Chat app wants to combine 15 messengers in one interface

One app instead of numerous messengers on the smartphone: Beeper wants to make this dream come true. 15 services, including iMessage, are to be combined in one interface. The project was previously called NovaChat and was announced on Twitter by Eric Migicovsky, CEO of the former smartwatch manufacturer Pebble. The messengers that can then be used from Beeper include WhatsApp, Signal, Telegram, Matrix, Skype, Slack, Twitter, Discord, Instagram, Facebook Messenger and iMessage. “Yes, iMessage runs on Android, Windows and Linux with a trick,” tweeted Migicovsky. The trick is to use a permanently running Apple device with the Beeper app installed as a bridge. If no such device is available, Beeper helps out with discarded, jailbroken iPhones.

Open source and yet not secure: The messenger itself uses the Matrix protocol. The client is not open source, but the bridges that connect to the other messengers are. Using the service costs ten US dollars a month. In return, the website promises a “clean interface” with search and filtering for chats. Bots for Beeper can be created via the Matrix API and extensions can be connected. Self-hosting is also possible. Because every message passes through a bridge that has to decrypt it and re-encode it for Matrix, the end-to-end encryption of the individual messengers is effectively void in all cases.

The app is not yet easy to use. You first have to submit an application online and state at least the ID of your “favourite network” and other usage habits. Perhaps the dream of a new Adium, the old multi-protocol client with the duck logo, will not quite come true after all. Apple is unlikely to be happy about a service that publicly hands out jailbroken iPhones in order to use its messaging function. There have been similar attempts before, but so far none has prevailed.

(emw)


End for connector and electronic health card: Gematik presents TI 2.0

By the year 2025, a “telematics infrastructure 2.0” is to replace today’s networking of the healthcare system. With this TI 2.0, the project company Gematik draws the conclusions from the network failure in 2020. The connectors used in medical practices, hospitals and pharmacies are to be replaced as “proprietary IT solutions” by open “access interfaces on the Internet”. The management of insured persons’ master data by inserting an electronic health card is to be replaced by an internet service.

“IT arena for medicine” Gematik’s groundbreaking white paper outlines the future German healthcare system as an “IT arena for medicine” in which different playing fields exist and different games are played, each with its own rules. As the designer of this IT arena, Gematik takes on other roles such as “entrance control for all parties involved” and the role of the referee who makes sure that nobody commits a foul. In addition, it develops new rules of the game and playing fields for “new disciplines”.

Aside from all the pretty metaphors and graphics, the white paper on TI 2.0 shows that Gematik is now drawing the consequences from the failure of TI 1.0 in summer 2020. At that time, after a faulty certificate change, 80,000 medical practices were thrown out of the telematics infrastructure. In two thirds of the practices, a software update of the connectors had to be installed manually. The entire troubleshooting took 52 days. Now the connectors are to disappear as a “proprietary IT solution” and be replaced by “universal accessibility of the services through access interfaces on the Internet”. This universal accessibility also means that the previous smart card solutions will disappear.

For the insured as well as for doctors and dentists, this means that the management of insured persons’ master data via the electronic health card is replaced by an internet service of the respective health insurance company. The electronic health professional card and the SMC cards used to identify medical practices, hospitals and pharmacies are also to be replaced by electronic ID procedures in which the medical associations, associations of statutory health insurance physicians and other bodies provide the appropriate federated eID. Wherever possible, single sign-on is to be used.

Open source preferred: As Gematik explains, the redesign of the telematics infrastructure is inevitable because a lot has happened technically in recent years. IT is conceived and implemented differently today than it was ten years ago. “The basic architecture must become more technology-independent so that data silos are dissolved and mobile patient care becomes possible. The trend is clearly towards the cloud with ‘unlimited resources’ and economies of scale. The spread of the open source culture in society and industry has increased significantly.” Wherever possible, TI 2.0 uses open source.

(mho)


Pebble founder promises iMessage on Android and Windows with universal chat app

Beeper is a new universal chat app that’s an attempt to unify 15 different chat platforms into a single interface. The app is the work of a team that includes Eric Migicovsky, the CEO and founder of former smartwatch manufacturer Pebble, who announced its launch on Twitter. Beeper’s site notes that the project was previously known as NovaChat, and requires a $10 per month subscription.

Although Beeper integrates with the world’s most popular messaging services like WhatsApp, Signal, Telegram, Slack, Twitter, Discord, Instagram, and Facebook Messenger, it’s the support for Apple’s iMessage that’s perhaps most interesting. iMessage is only officially available on Apple devices, and it’s often cited by users as something that prevents them from switching to Android. Migicovsky says Beeper should allow iMessage to work on Android, Windows, and Linux, but admits that it’s “using some trickery” in doing so.

And yes, iMessage works even on Android, Windows and Linux using some trickery 🙂

— Eric Migicovsky (@ericmigi) January 20, 2021

An FAQ on Beeper’s website gives a more in-depth explanation of exactly what this trickery involves. If you’ve got an always-online Mac, then you can install the Beeper Mac app to act as a bridge, similar to the approach AirMessage uses. But things get really wild if you don’t have access to a Mac, at which point Beeper says it’ll literally send each of its users a “Jailbroken iPhone with the Beeper app installed” in order to act as a bridge. At this point we should probably mention that using Beeper involves paying a $10 a month subscription, which may or may not include the cost of the iPhone.

Just in case you thought Beeper was joking, in a followup tweet, Migicovsky said that he currently has 50 old iPhone 4S’s at his desk, ready to be upcycled for use with Beeper.

If the workaround works as Beeper claims, then the result should be a universal chat app that works across MacOS, Windows, Linux, iOS, and Android, offering a unified inbox, and the ability to search across messages from each of the 15 services. It’s built on the open source Matrix messaging protocol (Migicovsky previously described NovaChat’s relationship to Matrix as akin to Gmail’s relationship with email), and although the client app itself isn’t open source, the bridges connecting it to other chat services are.

Oh, and there’s a dark mode coming in Beeper’s next update, naturally.

Beeper’s interface can include chats from multiple different services.
Image: Beeper

While the short-term aim is to make it easier to chat to people across different chat apps, eventually Migicovsky has talked about the prospect of everyone using Matrix itself to chat with friends and colleagues, rather than simply using it as a bridge between services.

Although Migicovsky says he’s been using Beeper as his default chat client for the past two years, it doesn’t appear to be widely available just yet. Instead, Beeper asks prospective users to fill out a form on its website for an invitation.

Here’s the full list of chat services that Beeper currently supports:

  • Whatsapp
  • Facebook Messenger
  • iMessage
  • Android Messages (SMS)
  • Telegram
  • Twitter
  • Slack
  • Hangouts
  • Instagram
  • Skype
  • IRC
  • Matrix
  • Discord
  • Signal
  • Beeper network

Java framework Quarkus 1.11 introduces RESTEasy Reactive and new Dev UI

The Java framework Quarkus, which Red Hat launched under the slogan “Supersonic Subatomic Java” and continues to support, has so far offered the JAX-RS 2.1 implementation RESTEasy for defining HTTP endpoints. Quarkus 1.11 now goes a step further and implements RESTEasy Reactive, which offers reactive extensions beyond the scope of the JAX-RS 2.1 specification. The RESTEasy Reactive integration, developed in the JBoss project, is initially tailored primarily to Quarkus and is built on its Vert.x layer in order to be fully reactive.

More speed: The RESTEasy Reactive integration, announced as experimental at the end of 2020, is now available to all users of the open source framework with the release of Quarkus 1.11. As an alternative to Quarkus’ Reactive Routes API, RESTEasy Reactive is intended to give Java developers a familiar way to further optimize the performance of their applications. According to the Quarkus development team, it should make it possible to increase the maximum achievable throughput of an application, and start times and memory requirements should also be lower. In addition, typical framework tasks such as scanning annotations or creating metamodels can be done at build time. Further details on RESTEasy Reactive can be found in the implementation documentation.

Expandable developer console: With a redesigned console for development mode, the work of Quarkus developers is to become even easier and clearer. The new Dev UI can be set up flexibly to keep an eye on the functions of various extensions of the framework. The possibilities range from simply listing CDI beans and endpoints to repeating Flyway migrations and deployments on OpenShift. Quarkus 1.11 introduces the technical foundation with a basic set of extensions. To gradually expand the Dev Console with further extensions, contributions from developers are expressly welcome. Anyone wanting to contribute their own extensions to the open source framework will find useful information in the Dev UI Guide.

Among the other new features in Quarkus 1.11, the improved Micrometer support is worth mentioning. Metrics from Kafka Streams can now be displayed, and the Prometheus registry has been integrated into the core extension. Further registries such as Azure Monitor, Datadog, JMX, SignalFX, Stackdriver and StatsD will in future be hosted as extensions on Quarkiverse.

The Quarkus team has also expanded shell scripting with jbang. The deeper jbang integration allows activating development mode and using Quarkus platforms (BOM) for version management. This requires at least jbang v0.62. All other improvements and new functions are summarized in the blog post on the Quarkus 1.11 release.

(map)


Elastic: Now comes the fork

Logz.io is promising new distributions of Elasticsearch and Kibana which, in contrast to Elastic’s future direction, are to be released entirely as free software. The developers do not use the word fork, but given the new licenses the future project amounts to little less than a split from the original vendor.

CEO Tomer Levy describes exactly this in his announcement of the move, because the community and many as yet unnamed organizations are to be involved in the new distributions. The choice of the Apache 2 license is also not surprising, as Elasticsearch was previously released under it. The aim is to place the free versions of Elasticsearch and Kibana under the umbrella of the CNCF or the ASF.

Don’t feel sorry for Elastic: Elastic’s CEO Shay Banon blamed Amazon and the unwillingness of its AWS cloud division to cooperate with the original developers for the license change, in drastic terms. Tomer Levy does not skimp on criticism either, but aims it at Elastic, because the company has let its open source offerings go dormant over the years and put its innovations into its commercial products.

Moreover, according to Levy, the new Server Side Public License (SSPL) is not merely a measure against AWS: parts of the license are worded in such a way that users expose themselves to legal risks when using such software. Indeed, when MongoDB switched to the SSPL, and again now, the OSI determined that the SSPL is not an open source license.

A giant itself: Tomer Levy generally rejects Elastic’s victim role, since it is rather a billion-dollar company that wants to force its users into commercial dependency and block competition. A look at the figures shows that in 2020 Elastic generated revenue of 427.6 million US dollars, a growth of 57 percent over the previous year.

Instead of trying to shut out AWS as a competitor with a license change, Elastic should develop a better cloud service. That is harder, but it would be the right step for users. The announcement of the new distributions and the new allegations can be found on the Logz.io blog. The provider offers, among other things, data analysis software based on the ELK stack. Amazon has so far not commented on Elastic’s allegations.

(fo)


DNSpooq is the new series of DNS vulnerabilities: beware of phishing, credential theft, DDoS attacks

Seven vulnerabilities have been identified in DNS software that is widely used by manufacturers of connected devices and that threaten to put millions of devices at risk

by Andrea Bai, published at 15:41 in the Security channel

JSOF, an Israeli company working in cyber security, today revealed the existence of seven vulnerabilities, collectively named DNSpooq, in Dnsmasq. The vulnerabilities are particularly serious because they allow DNS cache poisoning attacks, remote code execution and denial-of-service attacks against a potential pool of millions of devices. Dnsmasq is open source software for DNS forwarding that adds DNS caching and DHCP server functionality to Internet of Things devices.

Dnsmasq is currently so widespread in the industry that an exhaustive list of all the companies that use it cannot be drawn up. JSOF limited itself to compiling a list of 40 of the best-known, including names such as Android/Google, Asus, Cisco, Red Hat, Netgear, Qualcomm, Linksys, IBM, D-Link, Dell, Huawei and Synology, to name just a few.

DNSpooq: seven serious vulnerabilities put millions of devices at risk

Three of the DNSpooq vulnerabilities, identified as CVE-2020-25686, CVE-2020-25684 and CVE-2020-25685, allow “DNS cache poisoning” or “DNS spoofing” attacks. This type of attack lets the perpetrator replace the DNS records cached on a target device with arbitrary records of their choosing.

A small step back: DNS stands for Domain Name System and, in short, is the system that translates the domain names of websites into IP addresses. When configuring devices connected to the internet, the IP address of a “DNS server” must be specified, which carries out this “translation” by consulting the appropriate tables.

It then becomes clear how a DNS spoofing attack allows the attacker to redirect users to a server under their control while the user has the impression of visiting a legitimate website. This opens up the possibility of phishing attacks, credential theft or malware distribution from what the user perceives to be a trustworthy source. A well-known DNS cache poisoning attack was demonstrated in 2008 by security researcher Dan Kaminsky, who showed that DNS software could be exploited to steal data and forge any website address.
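What makes such a forgery succeed or fail is the check a resolver applies to each UDP reply: the attacker can spoof the source address, so the only fields it must guess are the 16-bit transaction ID and the source port of the outstanding query. The following added example (not JSOF’s or Dnsmasq’s code, and a generic stand-in for the forwarder the article describes rather than a model of the DNSpooq bugs themselves) implements that acceptance check, races a sequential brute force against it with and without the port check, and computes the birthday-style probability when several identical queries are in flight at once. The query, addresses and names are constructed for the demo.

```python
"""Model of the check a DNS resolver applies to a UDP reply, and of the
race an attacker runs against it. Added example, not JSOF's or Dnsmasq's
code: the resolver below is a generic stand-in for the forwarder the
article describes, and the sample query, addresses and names are
constructed for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OutstandingQuery:
    qname: str
    txid: int       # 16-bit transaction ID chosen by the resolver
    src_port: int   # UDP source port the resolver sent the query from
    upstream: str   # address the query went to


@dataclass(frozen=True)
class Reply:
    qname: str
    txid: int
    dst_port: int
    src_addr: str   # trivially spoofable over UDP
    rdata: str


def reply_matches(query, reply, check_port=True):
    """Accept a reply only if every field the resolver can verify matches.

    The source address is spoofable, so it adds no entropy. The transaction
    ID and the destination port are the attacker's unknowns; a resolver that
    skips the port check leaves only 16 bits to guess.
    """
    if reply.qname != query.qname or reply.src_addr != query.upstream:
        return False
    if reply.txid != query.txid:
        return False
    if check_port and reply.dst_port != query.src_port:
        return False
    return True


def forge_until_accepted(query, check_port, max_attempts=100_000, guessed_port=53):
    """Enumerate forged replies in order; return the number of attempts
    needed, or None if the budget runs out first."""
    ports = range(1024, 65536) if check_port else [guessed_port]
    attempts = 0
    for txid in range(65536):
        for port in ports:
            attempts += 1
            if attempts > max_attempts:
                return None
            # The attacker spoofs the upstream's address (198.51.100.7 is the
            # constructed rogue answer it wants cached).
            forged = Reply(query.qname, txid, port, query.upstream, "198.51.100.7")
            if reply_matches(query, forged, check_port=check_port):
                return attempts
    return None


def poisoning_probability(space, outstanding, forged):
    """Approximate probability that at least one of `forged` replies with
    random IDs matches one of `outstanding` simultaneous queries for the
    same name, each with an ID drawn uniformly from `space` values
    (the birthday-style variant of the race)."""
    return 1.0 - (1.0 - outstanding / space) ** forged


# Constructed sample: one outstanding query from the resolver.
SAMPLE_QUERY = OutstandingQuery("bank.example", 0xBEEF, 41237, "10.0.0.53")

if __name__ == "__main__":
    print("txid only  :", forge_until_accepted(SAMPLE_QUERY, check_port=False))
    print("txid + port:", forge_until_accepted(SAMPLE_QUERY, check_port=True))
    print("P(hit), 65536 forged, 1 vs 16 outstanding:",
          poisoning_probability(2 ** 16, 1, 65536),
          poisoning_probability(2 ** 16, 16, 65536))
```

With only the transaction ID checked, the sequential attacker succeeds within at most 65536 forged packets; with the port checked as well, the same budget covers only a sliver of the 2^32 space. The last function shows why allowing many outstanding queries for the same name matters: with 16 in flight the attacker’s per-packet odds rise 16-fold, which is the reason the dns-forward-max mitigation listed further below helps.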

“Traffic that could be compromised includes normal Internet browsing, but also other types such as e-mails, SSH communications, remote desktop functions, voice calls, software updates, etc. Possible attack scenarios also include JavaScript-based DDoS, reverse DDoS, and wormable attacks in the case of mobile devices that change networks regularly,” JSOF points out in its report.

The other vulnerabilities, identified as CVE-2020-25687, CVE-2020-25683, CVE-2020-25682 and CVE-2020-25681, are buffer overflows and potentially allow remote code execution on vulnerable network devices when Dnsmasq is configured to use DNSSEC.

Compounding the situation, attacks exploiting the DNSpooq vulnerabilities are fairly simple to carry out and require neither unusual tools nor detailed knowledge of techniques: “The attack can be completed successfully in seconds or minutes and requires nothing special. We found that many instances of Dnsmasq are misconfigured to listen on the WAN interface, making the attack possible directly from the Internet,” says JSOF.

DNSpooq: fix by updating to the latest version or, if that is not possible, mitigate with some countermeasures

According to Shodan, over 1 million Dnsmasq servers are currently exposed on the Internet, while BinaryEdge counts 630,000; in addition there are millions of routers, VPNs, smartphones, tablets, infotainment systems, modems, access points, drones and other kinds of equipment that are vulnerable to attack even though they are not directly reachable from the Internet: “Some of the DNSpooq vulnerabilities allow DNS cache poisoning and one of the vulnerabilities could allow remote code execution that could take over many brands of home routers and other networking equipment, with millions of devices affected and over a million instances directly exposed to the Internet,” said JSOF.

JSOF explains that it is possible to protect yourself completely from attacks exploiting the DNSpooq vulnerabilities by updating Dnsmasq to the latest available version, currently 2.83. If, for whatever reason, it is not possible to update Dnsmasq promptly, JSOF has compiled a series of alternatives that partially mitigate the problem. We list them below:

  • Configure Dnsmasq not to listen on the WAN interface unless this is necessary in your operating environment.
  • Reduce the maximum number of queries that can be forwarded via the dns-forward-max= option. The default value is 150, but it may be useful to lower it.
  • Temporarily disable the DNSSEC validation option until you can install a patch or update Dnsmasq.
  • Use protocols that provide DNS transport security (such as DoT or DoH). This measure can mitigate DNSpooq, but may have other security and privacy implications depending on the configuration and operating environment.
  • Reducing the maximum size of EDNS messages could mitigate some of the vulnerabilities. This measure is untested and is inconsistent with the recommendations of RFC 5625.
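The first, second, third and fifth of these mitigations are all plain dnsmasq.conf settings, so they can be checked mechanically on a fleet of devices. The script below is an added example, not JSOF’s or the Dnsmasq project’s code: it parses the “option” / “option=value” syntax of dnsmasq.conf and lists which interim mitigations a configuration does not apply, shown on a constructed weak configuration and on the same configuration hardened. The WAN interface names and the dns-forward-max ceiling are assumptions for this demo, not values from the JSOF report; the DoT/DoH item is not covered because Dnsmasq has no setting for it, and the real fix remains the update to 2.83.

```python
"""Audit a dnsmasq.conf against the interim DNSpooq mitigations listed above.

Added example, not JSOF's or the Dnsmasq project's code. It parses the
plain 'option' / 'option=value' syntax of dnsmasq.conf and reports which
mitigations are missing. The WAN interface names and the dns-forward-max
ceiling are assumptions for this demo, not values from the JSOF report;
the real fix remains the update to Dnsmasq 2.83.
"""

ASSUMED_WAN_IFACES = {"eth0", "wan0", "ppp0"}  # assumption: upstream-facing interface names
DEFAULT_FORWARD_MAX = 150                      # dnsmasq default, as stated in the article
FORWARD_MAX_CEILING = 50                       # assumed ceiling for this demo
DEFAULT_EDNS_MAX = 4096                        # dnsmasq default, the RFC 5625 size


def parse_dnsmasq_conf(text):
    """Return (flags, values): bare options as a set, key=value options as {key: [values]}."""
    flags, values = set(), {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line:
            key, val = line.split("=", 1)
            values.setdefault(key.strip(), []).append(val.strip())
        else:
            flags.add(line)
    return flags, values


def dnspooq_findings(text):
    """List the interim mitigations that the configuration does not apply."""
    flags, values = parse_dnsmasq_conf(text)
    findings = []

    # 1. Listening scope. Without interface= or listen-address=, dnsmasq answers on
    #    every interface, which is the exposure JSOF found on the Internet.
    ifaces = set(values.get("interface", []))
    addrs = values.get("listen-address", [])
    if not ifaces and not addrs:
        findings.append("listens on all interfaces (no interface= or listen-address=)")
    elif ifaces & ASSUMED_WAN_IFACES:
        findings.append("interface= includes a WAN-facing interface: "
                        + ",".join(sorted(ifaces & ASSUMED_WAN_IFACES)))
    if (ifaces or addrs) and "bind-interfaces" not in flags:
        # Without it dnsmasq binds the wildcard address and filters in software.
        findings.append("interface restriction without bind-interfaces")

    # 2. Outstanding forwarded queries: caps how many races an attacker can run at once.
    forward_max = int(values.get("dns-forward-max", [DEFAULT_FORWARD_MAX])[-1])
    if forward_max > FORWARD_MAX_CEILING:
        findings.append("dns-forward-max=%d exceeds the assumed ceiling of %d"
                        % (forward_max, FORWARD_MAX_CEILING))

    # 3. DNSSEC validation: the buffer-overflow CVEs are reachable only with it enabled.
    if "dnssec" in flags:
        findings.append("dnssec validation enabled on a pre-2.83 build")

    # 4. EDNS size: an untested mitigation, so only report what is in effect.
    edns_max = int(values.get("edns-packet-max", [DEFAULT_EDNS_MAX])[-1])
    if edns_max >= DEFAULT_EDNS_MAX:
        findings.append("edns-packet-max left at %d (untested mitigation not applied)" % edns_max)
    return findings


# Constructed sample: a typical exposed router configuration.
WEAK_CONF = """\
domain-needed
dnssec
server=192.0.2.53
"""

# Constructed sample: the same device with the interim mitigations applied.
HARDENED_CONF = """\
interface=br-lan
bind-interfaces
dns-forward-max=50
server=192.0.2.53
# dnssec left disabled until the 2.83 update is installed
edns-packet-max=1232
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, dnspooq_findings(conf) or ["no findings"])
```

The weak sample produces four findings (all interfaces, default dns-forward-max, DNSSEC enabled, default EDNS size) and the hardened one none. The interface check is only as good as the assumed WAN interface names, so on real devices the list should be taken from the device’s own network configuration.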