A concern about the upcoming decision of the Constitutional Court

Post Syndicated from Bozho original https://blog.bozho.net/blog/4330

These days I am carefully reading, and discussing with experts, several decisions of the Constitutional Court in connection with the debate over the constitutional amendments and the upcoming decision on them, and I see a rather worrying point concerning our membership in the EU.

Decision 3 of 2003 says that a change in the balance between bodies established by the Constitution, including the removal of their powers, constitutes a "change in the form of state governance" and can only be made by a Grand National Assembly.

According to many lawyers, the decision is controversial because it stretches the meaning of "form of state governance" far too much. Its aim was to guarantee that not a hair would fall from the powers of the Prosecutor General (Filchev at the time).

If the Constitutional Court now gets carried away in applying this Decision 3 and overturns the amendments to the "Judiciary" chapter to a substantial degree, this will create a risk for the constitutional texts under which Bulgaria becomes a member of the European Union.

Art. 85, para. 1, item 9, adopted in 2005, says that the National Assembly may cede powers of constitutional bodies to the EU. That is, not as Decision 3 of 2003 says, that accession merely adds powers, but that such powers are actually transferred to European institutions.

The Court of Justice of the European Union can declare a Bulgarian law to be in conflict with EU law, which binds our courts not to apply it. The European Public Prosecutor's Office duplicates part of the powers of the Bulgarian prosecution service in certain cases, thereby de-monopolizing the role of ours. There are areas of so-called "full harmonization" of European law, which in practice takes away our parliament's power to legislate in those areas. Several European institutions duplicate foreign-policy powers of the Council of Ministers (e.g. the imposition of sanctions). All in all, these are serious changes to powers and balances.

If a change in the internal organization of the prosecution service, or the separation of the colleges of the Supreme Judicial Council (SJC) into separate councils, is a "change in the form of state governance", then the sovereignty ceded to the European institutions is much more so. And if we say that removing the over-centralization of the prosecution service requires a Grand National Assembly, the same would be required for the changes that allow powers to be given to the European Public Prosecutor's Office (albeit indirectly, through regulations and directives).

Someone more conspiratorially minded might suppose that this is part of the plan behind the challenge to the texts of the latest amendments before the Constitutional Court, e.g. by Vazrazhdane.

There is, of course, interpretative Decision 3 of 2004, with which the Constitutional Court confirmed the political will at the time to join the EU and provided apparent reassurance. It does not, however, examine in depth the real consequences of the ceded sovereignty in light of Decision 3 of 2003. Both decisions sidestep the issue and analyze mainly the addition of powers, but not the actual removal of powers. Which, by the logic of the controversial Decision 3 of 2003, would require a Grand National Assembly. In fact, in one of its parts, the 2004 decision says that the transfer of powers from the national parliament to EU bodies was not such a substantial change, because Bulgaria participates in the EU bodies, a valid logic which, however, collides with the 2003 decision.

And if Decision 8 of 2005 (which softens the conclusions of Decision 3 of 2003) is not a sufficient brake on the overturning of the current amendments, then there is no guarantee that the 2004 decision (on future EU accession) will be a sufficient brake.

Of course, applying the Constitution is a combination of carefully seeking a balance between basic constitutional principles, taking previous decisions into account, and the judges' inner convictions. But it also includes responsibility for the possible consequences of a given decision.

I have no doubt that the changes related to EU membership are within the competence of an ordinary National Assembly, but my concern is that the upcoming decision goes beyond the "Judiciary" topic, and if the dish gets "over-salted" by overturning provisions on the basis of Decision 3 (2003), it will later be hard to back down from applying the same logic in a possible subsequent challenge to the texts on our EU membership.

The article "A concern about the upcoming decision of the Constitutional Court" was first published on БЛОГодаря.

The Week (15–20 July)

Post Syndicated from Светла Енчева original https://www.toest.bg/sedmitsata-15-20-yuli/

The lives of most of us, the readers of Toest, pass under the sign of the Chinese curse "May you live in interesting times!". However used we are to things being interesting, we cannot deny that lately it has been getting especially interesting. An assassination attempt on Trump, two DPS parties, an extravagant and rejected proposal by PP–DB for a way out of the political crisis... and who knows what else.

Before we dive into the specifics, though, let me ask you: have you already filled in Toest's reader survey? If not, you are catching the last train now. In case you suddenly wake up on Monday morning with the thought "I want to fill in the survey!", you will have occasion to congratulate yourself with Georgi Stanchev's song "Ти ужасно закъсня" ("You're Terribly Late").

This week Toest began not with politics but with science and culture. Do you know what prions are? Until a few days ago I had no idea either, but Anastasia Ormandzhieva explains why it is important to know what they are. Prions are proteins that exist in two forms, normal and misfolded. The "wrong" prions, however, can change the structure of the normal ones. On top of that, they tend to clump together and can destroy an entire organism. I imagine them as a kind of microbiological populist party that infects normal political life.

In the "On Second Reading" column, Antonia Apostolova presents the novel "Неудачниците" ("The Imperfectionists") by Tom Rachman, translated by Angel Igov. The book is something of a declaration of love for the traditional print press: the narrative follows a newspaper and its editorial team from its founding to its end. In this way it not only recalls a certain period of American politics, but also presents the typical characters that anyone who has worked in a newsroom will recognize.

While we are on the subject of words: do you know what "charmolypi" (χαρμολύπη) means? Joy and sorrow at the same time. For Ekaterina Petrova, this big strange Greek word is like a gateway to the Greek language, which many of us find daunting, starting with its alphabet. And it is not only us. Just as in Bulgarian we say something is "like Patagonian", in English there is an expression with the same meaning: It's all Greek to me.

We move smoothly on to politics, starting with foreign policy. "Destined for war, but not quite" is how Iskren Ivanov sums up the relations between the US and China. He reflects on why these two countries cannot find a common formula for overcoming their differences. Perhaps because global peace is an ideal; humanity has lived much longer in a state of war. If we find it hard to imagine a world in which China has defeated the US, the author describes it for us.

Meanwhile, Putin's regime is becoming ever more tyrannical, and there is no end in sight to Russia's war against Ukraine. The third of the five poisonous cases that Nikoleta Atanasova recounts is about the ordeal of a Russian refugee in Bulgaria, Irina Dmitrieva. Russian, but not quite, because on her father's side she is Ukrainian. For more than two years she has been unlawfully separated from her underage daughter, who suffers from cystic fibrosis. It is the State Agency for Refugees (SAR) that keeps them apart.

Speaking of the SAR, do you remember the Saudi dissident Abdulrahman al-Khalidi, whom Toest wrote about? On 5 July he announced a hunger strike and has not eaten for more than two weeks now. Because he has been locked up in the detention center in Busmantsi for over 32 months. Despite Bulgarian legislation, under which no one may be held in such a place for more than 21 months. Despite the decision of the Supreme Administrative Court that he be released. Despite the evidence of his opposition activity and of the threats against him in his home country. Why does the SAR not grant him status, and why does it keep him locked up? Just because. Because it can.

The Bulgarian state knows how to be unjust not only to asylum seekers but also to its own citizens. One of the main mechanisms by which it reproduces inequality is education. Nadezhda Tsekulova talks about mass education, which (does not) serve everyone, with Irina Manusheva, who initiated a petition to change the rules of the national external assessment. Although Manusheva's children have gone through both private and home schooling, she believes the entire education system needs to be rethought, so that parents do not have to rescue their children one by one, even if they can afford to.

Not only education in Bulgaria but, it seems, all institutions fail to fulfill their role, because they have been captured and serve private interests. Did you also think of Delyan Peevski? Is an "assemblage" against Peevski possible, asks Emilia Milcheva. She offers an analysis of PP–DB's potential allies in achieving this goal, starting with the president and ending with... the honorary chairman of the DPS, Ahmed Dogan. Whether the possible will become real is another question.

Peevski's end is in sight, because he will stumble over the DPS electorate, I think for my part. Not all voters can be bought or intimidated. Peevski's experience is mostly with the controlled vote. Not with the traditional DPS voters, for whom the so-called Revival Process remains a trauma and who remember, personally or through collective memory, what it is to stand in front of the barrel of a tank. For them Peevski is a foreign body.

You know I will not leave you without recommendations.

Have you heard the summer hit by Rumen the Cat, composed with the help of artificial intelligence? "LETS DANCE", as "David Meowie" put it!

To me the track is genuinely pleasant, slightly punky, more listenable than most summer hits made by natural intelligences. Which made me think that I do not understand one of the main criticisms of artificial intelligence: that it learns from works already created by real authors. But don't the vast majority of people do the same? How is it possible to learn without building on existing artifacts? And how many are those who actually create something new that never existed before?

I will finish with one and a half things about Toest.

This week Manol Peykov (publisher, politician, civic activist, amateur singer and who knows what else) had a birthday. His wish was... support for Toest. An occasion to remind you that we exist thanks to your donations.

And the half, since that is what I started with: if you have not yet filled in our reader survey, now is the moment. Next week you may want to, but it will be gone.

And lastly: take care in the heat, we have only one life and only one health.

Understanding Google Postmaster Tools (spam complaints) for Amazon SES email senders

Post Syndicated from Bruno Giorgini original https://aws.amazon.com/blogs/messaging-and-targeting/understanding-google-postmaster-tools-spam-complaints-for-amazon-ses-email-senders/

Introduction

Amazon Simple Email Service (SES) includes a robust set of built-in tools, such as the Virtual Deliverability Manager (VDM), to help senders ensure optimal email deliverability. Additionally, deliverability data from email service providers like Postmaster Tools by Google can provide invaluable insights for all sending domain owners, including those using SES for bulk or transactional email. Postmaster Tools offers detailed metrics on factors like delivery errors, spam rates, domain reputation, and recipient feedback for Gmail-hosted inboxes. Combining this external data with SES email sending events is critical for maintaining a healthy sender reputation. By leveraging both SES-native tools and resources like Postmaster Tools, senders can identify and address deliverability issues, ensuring their SES-powered emails reach intended recipients across providers.

Many, but not all, mailbox providers will send recipient feedback in the form of “complaints” that can each be attributed directly to the message that the recipient found to be objectionable. These complaints are available in the SES email sending event type “Complaint”. Gmail does not send spam complaint events because their priority is to protect the privacy of their users from the tracking techniques employed by spammers and data brokers. Gmail requires bulk senders to adopt “easy unsubscribe” mechanisms to reduce the need for their users to report messages as spam, and they will show spam complaint metrics in Postmaster Tools. This blog will show you how to maximize value in the spam complaint metric provided by Postmaster Tools.

Amazon SES now supports custom values in the Feedback-ID header in messages sent through SES. This feature provides additional details to help customers identify deliverability trends. Together with Postmaster Tools, customers can group complaints by identifiers of their choice, such as sender business unit or campaign ID. This makes it easier to track deliverability performance associated with independent workloads and campaigns, and accelerates troubleshooting when diagnosing complaint rates.

Figure 1: Email Feedback Loop

This blog will guide you through implementing and using Feedback Loops within Postmaster Tools to identify email campaigns receiving high complaint volumes from Gmail users. It covers the history and background of feedback loops, the specific requirements for implementing them with Postmaster Tools, and practical examples using AWS CLI and Boto3 to send SES emails with the necessary Feedback-ID header. By the end, you’ll understand how to effectively set up and use Postmaster Tools to monitor and improve your SES email deliverability.

History and Background of FBLs

Traditional Feedback Loops (herein “FBLs”) have been a cornerstone of email deliverability for many years. Initially developed by Internet Service Providers (ISPs), FBLs serve as a mechanism for recipients to report spam complaints to the sender. This feedback is crucial for email service providers and senders to identify problematic email campaigns, take corrective actions, and maintain a healthy sender reputation.

FBLs operate by allowing recipients to mark emails as spam, which then sends a report to the sender’s email service provider. This report typically includes details about the email that triggered the complaint, enabling the sender to investigate and address any issues. By analyzing these reports, senders can refine their email lists, improve content, and ensure that their emails comply with best practices and regulatory requirements. Senders who receive a higher volume of spam complaints are more likely to be blocked or have their emails routed to the spam folder. While high spam complaints are not the sole reason for deliverability issues, they are often the underlying cause.

Postmaster Tools by Gmail is not a traditional FBL. Postmaster Tools will show complaint feedback metrics, but the complaints are not attributable to any individual recipient.

Requirements for using Postmaster Tools FBL with SES

The FBL helps identify campaigns with high complaint rates from Gmail users, specifically useful for email service providers to detect potential abuse of their services.

Note: Data in Postmaster Tools only applies to messages sent to personal Gmail accounts. A personal Gmail account is an account that ends in @gmail.com or @googlemail.com.

  • Implementation of FBL:
    • Feedback-ID header: SES embeds a header called Feedback-ID containing parameters (identifiers) that uniquely identify the account and the SenderId (AmazonSES).
    • Header format: the Feedback-ID header consists of four parameters, separated by colons:
      a:b:c:SenderId
      Where:
      • SenderId is a mandatory parameter that uniquely identifies the sender.
      • In the case of Amazon SES (Simple Email Service), the SenderId is always “AmazonSES” and cannot be overridden.

      Header parameter   Description
      a                  First parameter in the Feedback-ID header. SES users can customize it through the ses:feedback-id-a EmailTag.
      b                  Second parameter in the Feedback-ID header. SES users can customize it through the ses:feedback-id-b EmailTag.
      c                  Third parameter in the Feedback-ID header. SES uses it to identify the sender account.
      SenderId           Fourth parameter in the Feedback-ID header. Mandatory parameter that uniquely identifies the sender. For Amazon SES, this is always “AmazonSES” and cannot be overridden.

  • Sender data handling:
    • DKIM signing by a sender-owned domain is required to prevent spoofing.
    • The domain must be added and verified in Postmaster Tools.
    • Complaint data is aggregated by distinct values in each of the four fields of Feedback-ID.
  • Feedback-ID header requirements:
    • When sending emails through Amazon SES, users are limited to a single verified header value per traffic stream.
      • This means that the Feedback-ID header cannot contain an individualized value for each destination email address.
      • Instead, the Feedback-ID header needs to contain an identifier that matches a larger campaign or batch of emails, rather than a unique value per recipient.
      • This constraint helps maintain a consistent sender reputation and improves deliverability monitoring and troubleshooting within tools like Postmaster Tools. The Feedback-ID acts as a grouping mechanism, rather than a per-message identifier.
    • Identifiers must be unique and non-repetitive across fields.
  • Feedback-ID example:
    • CampaignIDX:CustomerID2:1.us-west-2.TDQeKqHkSNfQztk25wIeVIGTuNmGDud4r1l7dUlxOio=:AmazonSES
      • Each identifier is used to report spam percentages independently when unusual rates occur.
      • Amazon SES lets customers set parts a and b of the Feedback-ID header using the EmailTags ses:feedback-id-a and ses:feedback-id-b.
      • Amazon SES will combine these tags into a single Feedback-ID header with the format: Feedback-ID=a:b:region.accountId:AmazonSES

The next steps will cover what’s needed to leverage FBLs with SES.

Step 1 – Add Your Domain(s) To Google’s Postmaster Tools

  • In order to verify with Postmaster Tools that you’re authorized to track the feedback from your domain, you first need to register your ownership of the domain with Postmaster Tools by visiting https://gmail.com/postmaster/.

Figure 2: Step 1 to verify a domain in Google Postmaster Tools

  • After entering your domain, you will be prompted to add a TXT record to your DNS configuration.

Figure 3: Step 2 to verify a domain in Google Postmaster Tools

  • Update your sending domain(s)’ DNS records accordingly.
    • The example below shows how to create the TXT record in Route53. If you’re using another DNS service provider, please refer to their documentation.

Figure 4: Create a new record in Route53

    • Navigate to the Route53 console and click on Hosted zones, select the hosted zone that contains the domain you want to verify, and then click Create record.

Figure 5: Add a TXT record with the provided value for verification

    • Following the screenshot, create a record of type TXT and paste the value assigned by Google for verification in step 2.
  • Go to Postmaster Tools and click on Verify. After successful verification of your domain in Postmaster Tools, you should see the Status column change from Not Verified to Verified. You can check your compliance status against the requirements via the Dashboard (2) link.

Figure 6: Domain verified

  • Follow the recommendations provided in the Postmaster Tools dashboard to fully comply with the requirements (example below):

Figure 7: Email sender requirements compliance status recommendations

  • Once you have completed all the verification and configuration steps, you should see compliant checkmarks next to all available requirements (see example below):

Figure 8: Email sender requirements compliant status

Step 2 – Add Feedback-ID headers to your SES emails

  • Use this command line to send an email with Feedback-ID using the AWS CLI (the example.com addresses are placeholders; replace them with your verified sender identity and a real recipient):
aws sesv2 send-email --from-email-address sender@example.com \
   --destination '{"ToAddresses":["recipient@example.com"]}' \
   --content '{"Simple":{"Subject":{"Data":"Test Subject","Charset":"UTF-8"},"Body":{"Text":{"Data":"Test Data","Charset":"UTF-8"}}}}' \
   --email-tags '[{"Name":"ses:feedback-id-a","Value":"feedback-id-part-a-value"},{"Name":"ses:feedback-id-b","Value":"feedback-id-part-b-value"}]'

The values of ses:feedback-id-a and ses:feedback-id-b are specified using the --email-tags option.

  • Alternatively, use Boto3 to send an email with Feedback-ID with the following Python script (the example.com addresses, the configuration set name and the unsubscribe URL are placeholders to replace with your own values):
import boto3
from botocore.exceptions import ClientError

def send_email(region_name):
    # Create a new SES v2 client in the region where your identity is verified
    ses = boto3.client('sesv2', region_name=region_name)

    # Replace sender, recipient and configuration set with your own values
    SENDER = "Sender Name <sender@example.com>"
    RECIPIENT = "recipient@example.com"
    CONFIGURATION_SET = "SES_Config_Set"
    SUBJECT = "Amazon SES Test (SDK for Python)"
    BODY_TEXT = "Amazon SES Test (Python)\r\nThis email was sent with Amazon SES using the AWS SDK for Python (Boto)."
    BODY_HTML = """<html>
    <head></head>
    <body>
      <h1>Amazon SES Test (SDK for Python)</h1>
      <p>This email was sent with
        <a href='https://aws.amazon.com/ses/'>Amazon SES</a> using the
        <a href='https://aws.amazon.com/sdk-for-python/'>
          AWS SDK for Python (Boto)</a>.</p>
    </body>
    </html>"""
    CHARSET = "UTF-8"

    try:
        # Send the email; the one-click unsubscribe headers satisfy Gmail's
        # "easy unsubscribe" requirement for bulk senders
        response = ses.send_email(
            FromEmailAddress=SENDER,
            Destination={'ToAddresses': [RECIPIENT]},
            ConfigurationSetName=CONFIGURATION_SET,
            Content={
                "Simple": {
                    "Subject": {
                        "Charset": CHARSET,
                        "Data": SUBJECT
                    },
                    "Body": {
                        "Text": {
                            "Charset": CHARSET,
                            "Data": BODY_TEXT
                        },
                        "Html": {
                            "Charset": CHARSET,
                            "Data": BODY_HTML
                        }
                    },
                    "Headers": [
                        {
                            "Name": "List-Unsubscribe",
                            # Placeholder unsubscribe URL; point it at your own endpoint
                            "Value": "<https://unsubscribe.example.email/?email=recipient@example.com&topic=topic1>"
                        },
                        {
                            "Name": "List-Unsubscribe-Post",
                            "Value": "One-Click"
                        }
                    ]
                }
            },
            # ses:feedback-id-a and ses:feedback-id-b are specified as a list of EmailTags;
            # SES combines them into the Feedback-ID header (a:b:region.accountId:AmazonSES)
            EmailTags=[
                {
                    'Name': 'ses:feedback-id-a',
                    'Value': 'campaign1'
                },
                {
                    'Name': 'ses:feedback-id-b',
                    'Value': 'line-of-business'
                }
            ]
        )
        print("Email sent! Response:", response)
        print("Message ID:", response['MessageId'])

    except ClientError as e:
        # Surface the SES error message (e.g. unverified identity, sandbox limits)
        print(e.response['Error']['Message'])

# Call the function to send the email
send_email(region_name='us-west-2')  # Specify the region here
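As an added illustration (not AWS's code and not part of the original post), the following Python helpers predict the Feedback-ID header that the email tags in Step 2 produce, check the format rules from the requirements list above (four colon-separated fields, the fixed AmazonSES SenderId, distinct identifiers), and roll constructed complaint counts up per identifier the way Postmaster Tools aggregates them. The account identifier used for field c, the per-campaign counts and the token character rule are all assumptions made here, not values from SES or Postmaster Tools.

```python
"""Feedback-ID helpers for SES senders (illustrative code, not AWS's own).
build_feedback_id() predicts the header SES assembles from the email tags,
parse_feedback_id() splits a header back into its fields, and
complaint_rates_by_field() rolls constructed counts up per identifier."""
import re
from collections import defaultdict

SENDER_ID = "AmazonSES"   # fourth field, fixed by SES, cannot be overridden
TAG_A = "ses:feedback-id-a"
TAG_B = "ses:feedback-id-b"
FIELDS = ("a", "b", "c", "sender_id")
# Constructed stand-in for the SES-supplied third field (region.accountId form).
SAMPLE_PART_C = "us-west-2.123456789012"
# Assumption: identifiers are colon-free tokens (conservative, not SES's exact rules).
_TOKEN_RE = re.compile(r"^[A-Za-z0-9._=+-]+$")


class FeedbackIdError(ValueError):
    pass


def validate_parts(parts):
    """Enforce: four fields, non-empty tokens, fixed SenderId, distinct values."""
    if len(parts) != 4:
        raise FeedbackIdError(f"expected 4 colon-separated fields, got {len(parts)}")
    for name, part in zip(FIELDS[:3], parts[:3]):
        if not part or not _TOKEN_RE.match(part):
            raise FeedbackIdError(f"field {name} is empty or malformed: {part!r}")
    if parts[3] != SENDER_ID:
        raise FeedbackIdError(f"SenderId must be {SENDER_ID!r}, got {parts[3]!r}")
    if len(set(parts)) != 4:
        raise FeedbackIdError("identifiers must be unique across the four fields")


def build_feedback_id(email_tags, part_c=SAMPLE_PART_C):
    """Predict the Feedback-ID value for a list of {'Name': .., 'Value': ..} tags.
    Both tags must be present (this helper's own rule); part_c stands in for
    the account identifier that SES fills in."""
    tags = {t["Name"]: t["Value"] for t in email_tags}
    missing = [n for n in (TAG_A, TAG_B) if n not in tags]
    if missing:
        raise FeedbackIdError(f"missing email tag(s): {missing}")
    parts = [tags[TAG_A], tags[TAG_B], part_c, SENDER_ID]
    validate_parts(parts)
    return ":".join(parts)


def parse_feedback_id(value):
    """Split a Feedback-ID header value into its four named fields."""
    parts = value.strip().split(":")
    validate_parts(parts)
    return dict(zip(FIELDS, parts))


def is_valid_feedback_id(value):
    try:
        parse_feedback_id(value)
        return True
    except FeedbackIdError:
        return False


# Constructed per-campaign counts (not real Postmaster Tools data): one bad
# campaign sits inside the otherwise healthy 'line-of-business' stream.
SAMPLE_ROWS = [
    {"feedback_id": "campaign1:line-of-business:us-west-2.123456789012:AmazonSES",
     "sent": 10000, "complaints": 5},
    {"feedback_id": "campaign2:line-of-business:us-west-2.123456789012:AmazonSES",
     "sent": 4000, "complaints": 60},
    {"feedback_id": "campaign3:support:us-west-2.123456789012:AmazonSES",
     "sent": 6000, "complaints": 3},
]


def complaint_rates_by_field(rows):
    """Complaint rate per distinct identifier in each field. A bad campaign
    (field a) is flagged on its own, and its complaints also raise the rate of
    the business unit (field b) and account (field c) it belongs to."""
    sent = defaultdict(lambda: defaultdict(int))
    complained = defaultdict(lambda: defaultdict(int))
    for row in rows:
        for name, ident in parse_feedback_id(row["feedback_id"]).items():
            sent[name][ident] += row["sent"]
            complained[name][ident] += row["complaints"]
    return {name: {ident: complained[name][ident] / sent[name][ident]
                   for ident in sent[name]} for name in sent}


def flag_identifiers(rows, threshold):
    """Identifiers whose complaint rate reaches the caller-chosen threshold."""
    rates = complaint_rates_by_field(rows)
    return {name: sorted(i for i, r in idents.items() if r >= threshold)
            for name, idents in rates.items()}


if __name__ == "__main__":
    tags = [{"Name": TAG_A, "Value": "campaign1"}, {"Name": TAG_B, "Value": "line-of-business"}]
    print("Predicted header:", build_feedback_id(tags))
    print("Flagged at 0.3%:", flag_identifiers(SAMPLE_ROWS, 0.003))
```

With the constructed counts, campaign2 alone is flagged at the campaign level, but its complaints also push the shared business-unit and account identifiers over the same threshold, which is why a coarse Feedback-ID scheme hides the culprit.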

Step 3 – Viewing FBL results in Postmaster Tools

In order to see any results in the Postmaster Tools dashboard (see examples below), you must send a substantial daily volume of email through the domain(s) you’ve registered. If you see the message “No Data to Display”, your reputation may already be too low, but more likely the volume of email sent since you configured Postmaster Tools is insufficient (return to the dashboard later, after you’ve sent thousands of emails).

Figure 9: Feedback loop example image

The image shows a section of the Postmaster Tools dashboard, specifically the Feedback Loop section. This dashboard provides insights into the spam complaint rates and the number of feedback loop identifiers flagged across a given time period, in this case, the last 120 days.

Conclusion

High-volume email senders should combine Amazon SES’ monitoring framework with Postmaster Tools to improve and ensure email deliverability. Implementing the Feedback-ID header in your SES emails can significantly enhance your ability to track and troubleshoot deliverability issues. Use Postmaster Tools and the Feedback Loop via Feedback-ID headers in SES emails to gain detailed insights into complaint rates and other key metrics, enabling you to maintain a healthy sender reputation and ensure your emails reach the intended recipients.

Call to Action:

  1. Set Up Postmaster Tools for your sending domain(s)
  2. Verify Your Domain: Register and verify your domain with Postmaster Tools to access valuable insights and track your compliance status.
  3. Set Up Feedback-ID: Start embedding the Feedback-ID header in your emails sent via Amazon SES to take advantage of detailed complaint data and improve your email campaigns.
  4. Monitor and Adjust: Regularly check the Postmaster Tools dashboard to monitor your spam rates and feedback loop identifiers. Use this data to refine your email content and sending practices.
  5. Leverage AWS CLI and Boto3: Utilize the provided AWS CLI commands and Boto3 scripts to automate the process of sending emails with Feedback-ID headers, ensuring consistent and accurate tracking.

By following these steps, you can enhance your email deliverability, reduce spam complaints, and maintain a strong sender reputation. For more information on using Amazon SES and Google’s Postmaster Tools, refer to the Amazon SES Documentation and the Postmaster Tools Guide.

NGI project may lose funding

Post Syndicated from daroc original https://lwn.net/Articles/982585/

The Next Generation Internet (NGI) project, an initiative of the EU’s European Commission (EC), provides funding in the form of grants for a wide variety of open-source software, including Redox, Briar, SourceHut, and many more. But the NGI project is not among those that would be funded under the current draft budget for 2025, as The Register reports. More than 60 organizations have signed on to an open letter asking the EC to reconsider:

We find this transformation incomprehensible, moreover when NGI has proven efficient and economical to support free software as a whole, from the smallest to the most established initiatives. This ecosystem diversity backs the strength of European technological innovation, and maintaining the NGI initiative to provide structural support to software projects at the heart of worldwide innovation is key to enforce the sovereignty of a European infrastructure.
Contrary to common perception, technical innovations often originate from European rather than North American programming communities, and are mostly initiated by small-scaled organizations.

Metasploit Weekly Wrap-Up 7/19/2024

Post Syndicated from Christophe De La Fuente original https://blog.rapid7.com/2024/07/19/metasploit-weekly-wrap-up-7-19-2024/

GeoServer Unauthenticated RCE

This week, contributor h00die-gr3y added an interesting exploit module that targets the GeoServer open-source application. This software is used to view, edit, and share geospatial data. Versions prior to 2.23.6, versions between 2.24.0 and 2.24.3 and versions between 2.25.0 and 2.25.1 are unsafely evaluating property names as XPath expressions, which can lead to unauthenticated remote code execution. This vulnerability is identified as CVE-2024-36401, and affects all GeoServer instances. This has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic, and WPS Execute requests.

New module content (1)

GeoServer Unauthenticated Remote Code Execution

Authors: Steve Ikeoka, h00die-gr3y, and jheysel-r7
Type: Exploit
Pull request: #19311 contributed by h00die-gr3y
Path: multi/http/geoserver_unauth_rce_cve_2024_36401
AttackerKB reference: CVE-2024-36401

Description: This adds an exploit module for CVE-2024-36401, an unauthenticated RCE vulnerability in GeoServer versions prior to 2.23.6, between version 2.24.0 and 2.24.3 and in version 2.25.0, 2.25.1.

Enhancements and features (1)

  • #19325 from pmauduit – Updates the TARGETURI description for the geoserver_unauth_rce_cve_2024_36401 module.

Bugs fixed (3)

  • #19322 from dledda-r7 – This fixes an issue that was causing some Meterpreters to consume large amounts of memory when configured with an HTTP or HTTPS transport that was unable to connect.
  • #19324 from adfoster-r7 – This updates the rpc_session library such that RPC-compatible modules are able to handle unknown sessions, i.e. rpc.call('session.compatible_modules', -1).
  • #19327 from dledda-r7 – This bumps the version of metasploit_payloads-mettle to pull in changes for the Linux and OS X Meterpreters. The changes fix an issue which prevented the sniffer extension from loading.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the commercial edition Metasploit Pro.

[$] A new major version of NumPy

Post Syndicated from daroc original https://lwn.net/Articles/981663/

The NumPy project released version 2.0.0 on June 16, the first major release of the widely used Python-based numeric-computing library since 2006. The release has been planned for some time, as an opportunity to clean up NumPy’s API. As with most NumPy updates, there are performance improvements to several individual functions. There are only a few new features, but several backward-incompatible changes, including a change to NumPy’s numeric-promotion rules. Changes to the Python API require relatively minor changes to Python code using the library, but the changes to the C API may be more difficult to adapt to. In both cases, the official migration guide describes what needs to be adapted to the new version.

Exploring Internet traffic during the 2024 U.S. Republican National Convention

Post Syndicated from João Tomé original https://blog.cloudflare.com/exploring-internet-traffic-during-the-2024-us-republican-national-convention


Internet traffic typically mirrors human behavior, with significant fluctuations during large political events. This comes during a time when the United States is in election mode, as political campaigns are in full swing and candidates for various offices, primaries and caucuses make their case to voters and debates are being held. This week, the Republican National Convention was hosted in Milwaukee, Wisconsin from July 15 to 18, 2024. We examined traffic shifts and cyberattacks since June 2024 to see how these events have impacted the Internet.

Attacks on political related websites

Cyberattacks are a constant threat, and aren’t necessarily driven by elections. With that said, notable trends can often be observed, and we’ve seen before how specific geopolitical events can trigger online attacks. Examples range from the cyberattacks at the start of the war in Ukraine to, more recently, the Netherlands, where the June 2024 European elections coincided with cyberattacks on Dutch political-related websites that lasted two days, June 5 and 6. The main DDoS (Distributed Denial of Service) attack on June 5, the day before the Dutch election, reached 73,000 requests per second (rps).

Shifting our focus to the United States in particular, in the weeks since April 2024, we’ve seen several DDoS attacks targeting both federal and state government and political-related websites in the United States. In recent days Cloudflare has also blocked DDoS attacks targeting two political-related websites.

One of those is related to a political campaign, represented by the yellow line on the chart below. The first spike was a DDoS attack on July 2, 2024, peaking at 56,000 rps and lasting around 10 minutes. The same political-related site was attacked later on July 14, with a 34,000 rps peak, lasting four minutes.

The other political-related site under attack, in green on the previous chart, is a think tank website that does policy advocacy related to presidential politics. It had already been attacked before, around the time of the Biden vs Trump debate, as we published at the time in a related blog post. The main attack was on July 11, with a 137,000 rps peak, lasting a few minutes, and was repeated, with slightly lower intensity, a few hours later on July 12.

As we’ve seen in our recent DDoS report, the vast majority of DDoS attacks are short. This emphasizes the need for automated, in-line detection and mitigation systems. Ten minutes are hardly enough time for a human to respond to an alert, analyze the traffic, and apply manual mitigations.
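To make the point about short attacks concrete, here is an added example (not Cloudflare's code) of the kind of automated burst detection the paragraph argues for. It runs over a constructed per-second request-rate series, flags seconds whose rate exceeds a multiple of a rolling median baseline, and summarises each burst with the same figures the post reports for real attacks: peak rps, duration and total requests. The thresholds, the series shape and the 10x factor are assumptions chosen for illustration.

```python
"""Added example (not Cloudflare's code): flag short request floods in a
per-second request-rate series and summarise each burst the way the post
reports attacks (peak rps, duration, total requests). The thresholds and the
sample series are constructed assumptions, not Cloudflare data."""
from statistics import median


def detect_bursts(counts, window=60, factor=10, min_baseline=50):
    """Flag bursts in `counts`, a list of requests-per-second samples (one per
    second).

    A second is anomalous when its rate exceeds `factor` times the baseline,
    where the baseline is the median of the last `window` non-anomalous
    seconds (never below `min_baseline`, so a quiet site does not trigger on
    noise). Anomalous seconds are excluded from the baseline so a sustained
    flood cannot raise it and hide itself. Consecutive anomalous seconds form
    one burst; each burst is returned as a dict with start/end offsets
    (end exclusive), duration in seconds, peak rps and total requests.
    """
    bursts = []
    recent = []          # last `window` non-anomalous samples
    current = None       # burst being accumulated, if any
    for t, rps in enumerate(counts):
        baseline = max(median(recent) if recent else 0, min_baseline)
        if rps > factor * baseline:
            if current is None:
                current = {"start": t, "peak_rps": rps, "total_requests": 0}
            current["peak_rps"] = max(current["peak_rps"], rps)
            current["total_requests"] += rps
            continue
        if current is not None:
            current["end"] = t
            current["duration_s"] = t - current["start"]
            bursts.append(current)
            current = None
        recent.append(rps)
        if len(recent) > window:
            recent.pop(0)
    if current is not None:          # burst still running at end of series
        current["end"] = len(counts)
        current["duration_s"] = len(counts) - current["start"]
        bursts.append(current)
    return bursts


def make_sample_series():
    """Constructed 10-minute series: 40-46 rps of normal traffic, a four-minute
    flood at 20,000 rps peaking at 34,000 rps (the shape of the July 14 attack
    described in the post), and a ten-second 5,000 rps burst near the end."""
    counts = [40 + (t % 7) for t in range(600)]
    for t in range(300, 540):
        counts[t] = 34_000 if t == 420 else 20_000
    for t in range(580, 590):
        counts[t] = 5_000
    return counts


if __name__ == "__main__":
    for b in detect_bursts(make_sample_series()):
        print(f"burst at +{b['start']}s: {b['duration_s']}s, "
              f"peak {b['peak_rps']:,} rps, {b['total_requests']:,} requests")
```

The design choice worth noting is that the baseline is a median of non-anomalous samples only: a mean, or a baseline that kept updating during the flood, would be dragged up by the attack itself and the detector would stop firing part-way through a four-minute burst. In a real deployment the same logic would be keyed per hostname or zone and its verdicts would feed the mitigation path directly, since, as the paragraph says, a ten-minute attack is over before a human has finished reading the alert.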

Trump assassination attempt impact

The attempted assassination of former President Trump at a campaign rally near Butler, Pennsylvania precipitated an increase in Internet traffic within the United States, particularly to news-related media outlets. As news broke of shots fired at a Trump rally, injuring the former president, Internet traffic in the United States (in bytes) increased around 22:30 – 23:00 UTC (18:30-19:00 EST) by 10% to 12%.

HTTP requests in the United States saw up to an 8% increase on July 13th compared to the previous week.

At the same time, DNS traffic to TV news sites, via our 1.1.1.1 resolver, surged by as much as 215%, and to general news sites by 141%.

Republican National Convention

The Republican National Convention is an important political event as delegates of the United States Republican Party choose the party’s nominees for president and vice president in the 2024 United States presidential election. Over the four-day event, convention delegates formally nominate the party’s presidential and vice presidential candidates and adopt the party’s platform, which outlines its policies and positions on various issues. The convention features speeches from prominent party members, including the nominees, party leaders, and other influential figures.

This year’s convention was held in Milwaukee, Wisconsin. During this time, we didn’t identify any noticeable traffic spikes from Milwaukee or from Wisconsin in general.

Compared to the previous week, there was an increase in DNS traffic to Republican political party and fundraising websites. On July 18th, the last day of the convention, we saw two considerable increases in hourly traffic compared to a week prior: the first, at 14:00 EDT, was a 268% increase in traffic to these sites; the second, at 23:00 EDT, was a 266% increase. The daily aggregate for this day was a 90.48% increase over the daily aggregates of the previous week.

For DNS traffic to TV news channels during the convention, we see steady traffic numbers, with the highest peak in the days before the convention, on July 14, and then during the late hours of July 15th.

For political news websites covering the RNC, traffic numbers tend to decrease slightly as the event progresses.

We identified an attack against a think tank based in Washington, D.C. that does policy advocacy related to presidential politics. The attack itself lasted around 3 minutes, from 13:18 to 13:22 EDT (exclusive) on July 18th, with a total of 3.12 million DDoS requests mitigated. The attack peaked at around 30.33k rps.

We see that major political events may not always cause significant shifts in Internet traffic. Our data indicates increases in traffic primarily to news and media organizations from July 13th onward. When it comes to cyberattacks, the majority of activity we see targets political campaigns and policy organizations.

If you want to follow more trends and insights about the Internet and elections in particular, you can check Cloudflare Radar, and more specifically our new 2024 Elections Insights report, which will be updated as elections take place throughout the year.

[$] Restricting execution of scripts — the third approach

Post Syndicated from corbet original https://lwn.net/Articles/982085/

The kernel will not consent to execute just any file that happens to be
sitting in a filesystem; there are formalities, such as the checking of
execute permission and consulting security policies, to get through first.
On some systems, security policies have been established to limit execution
to specifically approved programs. But there are files that are not
executed directly by the kernel; these include scripts fed to language
interpreters like Python, Perl, or a shell. An attacker who is able to get
an interpreter to execute a file may be able to bypass a system’s security
policies. Mickaël Salaün has been working on closing this hole for years;
the latest
attempt
takes the form of a new flag to the execveat()
system call.