Exploring Agama’s 2024 roadmap (openSUSE News)

2024-02-16 jzb

Post Syndicated from jzb original https://lwn.net/Articles/962553/

The openSUSE News blog looks at the roadmap for Agama (a new installer from the YaST development team) with releases planned for April and July:

The milestone in April is set to revolutionize Agama’s architecture. It will be moving away from its reliance on Cockpit toward a more autonomous framework that is coupled with a refined user interface that aims to streamline storage configurations.

The aim of the second milestone is to improve Agama’s flexibility and capabilities for unattended installations, which seeks to position Agama as a formidable alternative to AutoYaST.

The Agama page explains why YaST is due for replacement.

Metasploit Weekly Wrap-Up 02/16/2024

2024-02-16 Spencer McIntyre

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2024/02/16/metasploit-weekly-wrap-up-02-16-2024/

New Fetch Payload

Metasploit Weekly Wrap-Up 02/16/2024

It has been almost a year since Metasploit released the new fetch payloads and since then, 43 of the 79 exploit modules have had support for fetch payloads. The original payloads supported transferring the second stage over HTTP, HTTPS and FTP. This week, Metasploit has expanded that protocol support to include SMB, allowing payloads to be run using rundll32 which has the added benefit of capturing the NetNTLM hashes of the requestor.

This also streamlines the workflow the user would have previously used by first starting the exploit/windows/smb/smb_delivery module, and then copying the command into another exploit. Now the user can simply select one of the SMB-enabled fetch payloads and Metasploit will manage the service and generate the command.

As an added benefit, since #18680 merged into Metasploit, multiple SMB services can be run simultaneously. This means that multiple SMB-enabled fetch payloads can have their own independent handlers running at the same time.

New module content (2)

Base64 Command Encoder

Author: Spencer McIntyre
Type: Encoder
Pull request: #18807 contributed by zeroSteiner

Description: This adds a new encoder module that leverages base64 encoding to escape bad characters in ARCH_CMD payloads for the Linux and UNIX platforms.

SMB Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager

Authors: Spencer McIntyre, bwatters-r7, and sf [email protected]
Type: Payload (Adapter)
Pull request: #18664 contributed by zeroSteiner

Description: This adds an SMB fetch-payload service and a new payload to use it. The payload invokes rundll32 but handles everything for the user automatically.

This adapter adds the following payloads:

cmd/windows/smb/x64/custom/bind_ipv6_tcp
cmd/windows/smb/x64/custom/bind_ipv6_tcp_uuid
cmd/windows/smb/x64/custom/bind_named_pipe
cmd/windows/smb/x64/custom/bind_tcp
cmd/windows/smb/x64/custom/bind_tcp_rc4
cmd/windows/smb/x64/custom/bind_tcp_uuid
cmd/windows/smb/x64/custom/reverse_http
cmd/windows/smb/x64/custom/reverse_https
cmd/windows/smb/x64/custom/reverse_named_pipe
cmd/windows/smb/x64/custom/reverse_tcp
cmd/windows/smb/x64/custom/reverse_tcp_rc4
cmd/windows/smb/x64/custom/reverse_tcp_uuid
cmd/windows/smb/x64/custom/reverse_winhttp
cmd/windows/smb/x64/custom/reverse_winhttps
cmd/windows/smb/x64/encrypted_shell/reverse_tcp
cmd/windows/smb/x64/encrypted_shell_reverse_tcp
cmd/windows/smb/x64/exec
cmd/windows/smb/x64/loadlibrary
cmd/windows/smb/x64/messagebox
cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp
cmd/windows/smb/x64/meterpreter/bind_ipv6_tcp_uuid
cmd/windows/smb/x64/meterpreter/bind_named_pipe
cmd/windows/smb/x64/meterpreter/bind_tcp
cmd/windows/smb/x64/meterpreter/bind_tcp_rc4
cmd/windows/smb/x64/meterpreter/bind_tcp_uuid
cmd/windows/smb/x64/meterpreter/reverse_http
cmd/windows/smb/x64/meterpreter/reverse_https
cmd/windows/smb/x64/meterpreter/reverse_named_pipe
cmd/windows/smb/x64/meterpreter/reverse_tcp
cmd/windows/smb/x64/meterpreter/reverse_tcp_rc4
cmd/windows/smb/x64/meterpreter/reverse_tcp_uuid
cmd/windows/smb/x64/meterpreter/reverse_winhttp
cmd/windows/smb/x64/meterpreter/reverse_winhttps
cmd/windows/smb/x64/meterpreter_bind_named_pipe
cmd/windows/smb/x64/meterpreter_bind_tcp
cmd/windows/smb/x64/meterpreter_reverse_http
cmd/windows/smb/x64/meterpreter_reverse_https
cmd/windows/smb/x64/meterpreter_reverse_ipv6_tcp
cmd/windows/smb/x64/meterpreter_reverse_tcp
cmd/windows/smb/x64/peinject/bind_ipv6_tcp
cmd/windows/smb/x64/peinject/bind_ipv6_tcp_uuid
cmd/windows/smb/x64/peinject/bind_named_pipe
cmd/windows/smb/x64/peinject/bind_tcp
cmd/windows/smb/x64/peinject/bind_tcp_rc4
cmd/windows/smb/x64/peinject/bind_tcp_uuid
cmd/windows/smb/x64/peinject/reverse_named_pipe
cmd/windows/smb/x64/peinject/reverse_tcp
cmd/windows/smb/x64/peinject/reverse_tcp_rc4
cmd/windows/smb/x64/peinject/reverse_tcp_uuid
cmd/windows/smb/x64/pingback_reverse_tcp
cmd/windows/smb/x64/powershell_bind_tcp
cmd/windows/smb/x64/powershell_reverse_tcp
cmd/windows/smb/x64/powershell_reverse_tcp_ssl
cmd/windows/smb/x64/shell/bind_ipv6_tcp
cmd/windows/smb/x64/shell/bind_ipv6_tcp_uuid
cmd/windows/smb/x64/shell/bind_named_pipe
cmd/windows/smb/x64/shell/bind_tcp
cmd/windows/smb/x64/shell/bind_tcp_rc4
cmd/windows/smb/x64/shell/bind_tcp_uuid
cmd/windows/smb/x64/shell/reverse_tcp
cmd/windows/smb/x64/shell/reverse_tcp_rc4
cmd/windows/smb/x64/shell/reverse_tcp_uuid
cmd/windows/smb/x64/shell_bind_tcp
cmd/windows/smb/x64/shell_reverse_tcp
cmd/windows/smb/x64/vncinject/bind_ipv6_tcp
cmd/windows/smb/x64/vncinject/bind_ipv6_tcp_uuid
cmd/windows/smb/x64/vncinject/bind_named_pipe
cmd/windows/smb/x64/vncinject/bind_tcp
cmd/windows/smb/x64/vncinject/bind_tcp_rc4
cmd/windows/smb/x64/vncinject/bind_tcp_uuid
cmd/windows/smb/x64/vncinject/reverse_http
cmd/windows/smb/x64/vncinject/reverse_https
cmd/windows/smb/x64/vncinject/reverse_tcp
cmd/windows/smb/x64/vncinject/reverse_tcp_rc4
cmd/windows/smb/x64/vncinject/reverse_tcp_uuid
cmd/windows/smb/x64/vncinject/reverse_winhttp
cmd/windows/smb/x64/vncinject/reverse_winhttps

Enhancements and features (7)

#18706 from sjanusz-r7 – Updates multiple PostgreSQL modules to now work with PostgreSQL sessions. This functionality is behind a feature flag which can be enabled with features set postgres_session_type true.
#18747 from zgoldman-r7 – Updates the auxiliary/scanner/mssql/mssql_login module with a new CreateSession option which controls the opening of an interactive MSSQL session. This functionality is currently behind a feature flag which can be enabled with features set mssql_session_type true.
#18759 from cgranleese-r7 – Updates the multiple MySQL modules to work with a provided MySQL session instead of opening a new connection. This functionality is behind a feature flag which can be enabled with features set mysql_session_type true.
#18763 from zgoldman-r7 – Updates multiple MSSQL modules to now work with the new MSSQL session type that is enabled with features set mssql_session_type true.
#18806 from cgranleese-r7 – Improves unknown command handling by suggesting similar valid commands.
#18809 from zeroSteiner – Makes multiple improvements to the dns command – a new command which mimics the functionality of /etc/resolv.conf and /etc/hosts. This functionality is currently behind a feature flag which can be enabled with features set dns_feature true in msfconsole.
#18825 from cgranleese-r7 – Improves the error messages when the current session is not compatible with a post module.

Bugs fixed (13)

#18616 from adfoster-r7 – This fixes an issue with the AARCH64 SO ELF template that was causing SIGBUS exceptions to be raised.
#18774 from adfoster-r7 – Updates the following modules to now work with newer versions of sqlcmd:
post/windows/gather/credentials/mssql_local_hashdump and post/windows/manage/mssql_local_auth_bypass.
#18786 from lihe07 – This fixes an option name collision between the exploit/linux/local/service_persistence when the payload is set to cmd/unix/reverse_netcat. The option to set the writable path is now BACKDOOR_PATH.
#18795 from cgranleese-r7 – Moves the CreateSession option from advanced into basic options for modules, in order to increase discoverability.
#18798 from upsidedwn – This fixes an issue in the exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move module’s check method that was causing version comparisons to fail.
#18799 from upsidedwn – This fixes an issue in the exploit/windows/local/cve_2020_17136 module’s check method that was causing version comparisons to fail.
#18800 from upsidedwn – This fixes an issue in the exploit/windows/local/cve_2021_40449 module’s check method that was causing version comparisons to fail.
#18801 from upsidedwn – This fixes an issue in the exploit/windows/local/cve_2022_26904_superprofile module’s check method that was causing version comparisons to fail.
#18812 from adfoster-r7 – Reverts the auxiliary/scanner/mssql/mssql_login modules’s TDSENCRYPTION default value to false.
#18813 from adfoster-r7 – Fixes a crash when running the help services or help hosts commands.
#18823 from cdelafuente-r7 – Fix module metadata platform list comparison.
#18826 from dwelch-r7 – Fixes a regression where the windows/smb/psexec module was not correctly performing cleanup logic.
#18828 from dwelch-r7 – Fixes a crash when exploit modules used nops.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Cloud Native Efficient Computing is the Way in 2024 and Beyond

2024-02-16 Patrick Kennedy

Post Syndicated from Patrick Kennedy original https://www.servethehome.com/cloud-native-efficient-computing-is-the-way-in-2024-and-beyond-supermicro-intel-amd-ampere-nvidia/

Why cloud-native energy-efficient compute is the most exciting development for server CPUs since multi-core CPUs

The post Cloud Native Efficient Computing is the Way in 2024 and Beyond appeared first on ServeTheHome.

How to automate rule management for AWS Network Firewall

2024-02-16 Ajinkya Patil

Post Syndicated from Ajinkya Patil original https://aws.amazon.com/blogs/security/how-to-automate-rule-management-for-aws-network-firewall/

AWS Network Firewall is a stateful managed network firewall and intrusion detection and prevention service designed for the Amazon Virtual Private Cloud (Amazon VPC). This post concentrates on automating rule updates in a central Network Firewall by using distributed firewall configurations. If you’re new to Network Firewall or seeking a technical background on rule management, see AWS Network Firewall – New Managed Firewall Service in VPC.

Network Firewall offers three deployment models: Distributed, centralized, and combined. Many customers opt for a centralized model to reduce costs. In this model, customers allocate the responsibility for managing the rulesets to the owners of the VPC infrastructure (spoke accounts) being protected, thereby shifting accountability and providing flexibility to the spoke accounts. Managing rulesets in a shared firewall policy generated from distributed input configurations of protected VPCs (spoke accounts) is challenging without proper input validation, state-management, and request throttling controls.

In this post, we show you how to automate firewall rule management within the central firewall using distributed firewall configurations spread across multiple AWS accounts. The anfw-automate solution provides input-validation, state-management, and throttling controls, reducing the update time for firewall rule changes from minutes to seconds. Additionally, the solution reduces operational costs, including rule management overhead while integrating seamlessly with the existing continuous integration and continuous delivery (CI/CD) processes.

Prerequisites

For this walkthrough, the following prerequisites must be met:

Basic knowledge of networking concepts such as routing and Classless Inter-Domain Routing (CIDR) range allocations.
Basic knowledge of YAML and JSON configuration formats, definitions, and schema.
Basic knowledge of Suricata Rule Format and Network Firewall rule management.
Basic knowledge of CDK deployment.
AWS Identity and Access Management (IAM) permissions to bootstrap the AWS accounts using AWS Cloud Development Kit (AWS CDK).
The firewall VPC in the central account must be reachable from a spoke account (see centralized deployment model). For this solution, you need two AWS accounts from the centralized deployment model:
- The spoke account is the consumer account the defines firewall rules for the account and uses central firewall endpoints for traffic filtering. At least one spoke account is required to simulate the user workflow in validation phase.
- The central account is an account that contains the firewall endpoints. This account is used by application and the Network Firewall.
StackSets deployment with service-managed permissions must be enabled in AWS Organizations (Activate trusted access with AWS Organizations). A delegated administrator account is required to deploy AWS CloudFormation stacks in any account in an organization. The CloudFormation StackSets in this account deploy the necessary CloudFormation stacks in the spoke accounts. If you don’t have a delegated administrator account, you must manually deploy the resources in the spoke account. Manual deployment isn’t recommended in production environments.
A resource account is the CI/CD account used to deploy necessary AWS CodePipeline stacks. The pipelines deploy relevant cross-account cross-AWS Region stacks to the preceding AWS accounts.
- IAM permissions to deploy CDK stacks in the resource account.

Solution description

In Network Firewall, each firewall endpoint connects to one firewall policy, which defines network traffic monitoring and filtering behavior. The details of the behavior are defined in rule groups — a reusable set of rules — for inspecting and handling network traffic. The rules in the rule groups provide the details for packet inspection and specify the actions to take when a packet matches the inspection criteria. Network Firewall uses a Suricata rules engine to process all stateful rules. Currently, you can create Suricata compatible or basic rules (such as domain list) in Network Firewall. We use Suricata compatible rule strings within this post to maintain maximum compatibility with most use cases.

Figure 1 describes how the anfw-automate solution uses the distributed firewall rule configurations to simplify rule management for multiple teams. The rules are validated, transformed, and stored in the central AWS Network Firewall policy. This solution isolates the rule generation to the spoke AWS accounts, but still uses a shared firewall policy and a central ANFW for traffic filtering. This approach grants the AWS spoke account owners the flexibility to manage their own firewall rules while maintaining the accountability for their rules in the firewall policy. The solution enables the central security team to validate and override user defined firewall rules before pushing them to the production firewall policy. The security team operating the central firewall can also define additional rules that are applied to all spoke accounts, thereby enforcing organization-wide security policies. The firewall rules are then compiled and applied to Network Firewall in seconds, providing near real-time response in scenarios involving critical security incidents.

Figure 1: Workflow launched by uploading a configuration file to the configuration (config) bucket

The Network Firewall firewall endpoints and anfw-automate solution are both deployed in the central account. The spoke accounts use the application for rule automation and the Network Firewall for traffic inspection.

As shown in Figure 1, each spoke account contains the following:

An Amazon Simple Storage Service (Amazon S3) bucket to store multiple configuration files, one per Region. The rules defined in the configuration files are applicable to the VPC traffic in the spoke account. The configuration files must comply with the defined naming convention ($Region-config.yaml) and be validated to make sure that only one configuration file exists per Region per account. The S3 bucket has event notifications enabled that publish all changes to configuration files to a local default bus in Amazon EventBridge.
EventBridge rules to monitor the default bus and forward relevant events to the custom event bus in the central account. The EventBridge rules specifically monitor VPCDelete events published by Amazon CloudTrail and S3 event notifications. When a VPC is deleted from the spoke account, the VPCDelete events lead to the removal of corresponding rules from the firewall policy. Additionally, all create, update, and delete events from Amazon S3 event notifications invoke corresponding actions on the firewall policy.
Two AWS Identity and Access Manager (IAM) roles with keywords xaccount.lmb.rc and xaccount.lmb.re are assumed by RuleCollect and RuleExecute functions in the central account, respectively.
A CloudWatch Logs log group to store event processing logs published by the central AWS Lambda application.

In the central account:

EventBridge rules monitor the custom event bus and invoke a Lambda function called RuleCollect. A dead-letter queue is attached to the EventBridge rules to store events that failed to invoke the Lambda function.
The RuleCollect function retrieves the config file from the spoke account by assuming a cross-account role. This role is deployed by the same stack that created the other spoke account resources. The Lambda function validates the request, transforms the request to the Suricata rule syntax, and publishes the rules to an Amazon Simple Queue Service (Amazon SQS) first-in-first-out (FIFO) queue. Input validation controls are paramount to make sure that users don’t abuse the functionality of the solution and bypass central governance controls. The Lambda function has input validation controls to verify the following:
- The VPC ID in the configuration file exists in the configured Region and the same AWS account as the S3 bucket.
- The Amazon S3 object version ID received in the event matches the latest version ID to mitigate race conditions.
- Users don’t have only top-level domains (for example, .com, .de) in the rules.
- The custom Suricata rules don’t have any as the destination IP address or domain.
- The VPC identifier matches the required format, that is, a+(AWS Account ID)+(VPC ID without vpc- prefix) in custom rules. This is important to have unique rule variables in rule groups.
- The rules don’t use security sensitive keywords such as sid, priority, or metadata. These keywords are reserved for firewall administrators and the Lambda application.
- The configured VPC is attached to an AWS Transit Gateway.
- Only pass rules exist in the rule configuration.
- CIDR ranges for a VPC are mapped appropriately using IP set variables.
The input validations make sure that rules defined by one spoke account don’t impact the rules from other spoke accounts. The validations applied to the firewall rules can be updated and managed as needed based on your requirements. The rules created must follow a strict format, and deviation from the preceding rules will lead to the rejection of the request.
The Amazon SQS FIFO queue preserves the order of create, update, and delete operations run in the configuration bucket of the spoke account. These state-management controls maintain consistency between the firewall rules in the configuration file within the S3 bucket and the rules in the firewall policy. If the sequence of updates provided by the distributed configurations isn’t honored, the rules in a firewall policy might not match the expected ruleset.
Rules not processed beyond the maxReceiveCount threshold are moved to a dead-letter SQS queue for troubleshooting.
The Amazon SQS messages are subsequently consumed by another Lambda function called RuleExecute. Multiple changes to one configuration are batched together in one message. The RuleExecute function parses the messages and generates the required rule groups, IP set variables, and rules within the Network Firewall. Additionally, the Lambda function establishes a reserved rule group, which can be administered by the solution’s administrators and used to define global rules. The global rules, applicable to participating AWS accounts, can be managed in the data/defaultdeny.yaml file by the central security team.
The RuleExecute function also implements throttling controls to make sure that rules are applied to the firewall policy without reaching the ThrottlingException from Network Firewall (see common errors). The function also implements back-off logic to handle this exception. This throttling effect can happen if there are too many requests issued to the Network Firewall API.

The function makes cross-Region calls to Network Firewall based on the Region provided in the user configuration. There is no need to deploy the RuleExecute and RuleCollect Lambda functions in multiple Regions unless a use case warrants it.

Walkthrough

The following section guides you through the deployment of the rules management engine.

Deployment: Outlines the steps to deploy the solution into the target AWS accounts.
Validation: Describes the steps to validate the deployment and ensure the functionality of the solution.
Cleaning up: Provides instructions for cleaning up the deployment.

Deployment

In this phase, you deploy the application pipeline in the resource account. The pipeline is responsible for deploying multi-Region cross-account CDK stacks in both the central account and the delegated administrator account.

If you don’t have a functioning Network Firewall firewall using the centralized deployment model in the central account, see the README for instructions on deploying Amazon VPC and Network Firewall stacks before proceeding. You need to deploy the Network Firewall in centralized deployment in each Region and Availability Zone used by spoke account VPC infrastructure.

The application pipeline stack deploys three stacks in all configured Regions: LambdaStack and ServerlessStack in the central account and StacksetStack in the delegated administrator account. It’s recommended to deploy these stacks solely in the primary Region, given that the solution can effectively manage firewall policies across all supported Regions.

LambdaStack deploys the RuleCollect and RuleExecute Lambda functions, Amazon SQS FIFO queue, and SQS FIFO dead-letter queue.
ServerlessStack deploys EventBridge bus, EventBridge rules, and EventBridge Dead-letter queue.
StacksetStack deploys a service-managed stack set in the delegated administrator account. The stack set includes the deployment of IAM roles, EventBridge rules, an S3 Bucket, and a CloudWatch log group in the spoke account. If you’re manually deploying the CloudFormation template (templates/spoke-serverless-stack.yaml) in the spoke account, you have the option to disable this stack in the application configuration.

Figure 2: CloudFormation stacks deployed by the application pipeline

To prepare for bootstrapping

Install and configure profiles for all AWS accounts using Amazon Command Line Interface (AWS CLI)
Install the Cloud Development Kit (CDK)
Install Git and clone the GitHub repo
Install and enable Docker Desktop

To prepare for deployment

Follow the README and cdk bootstrapping guide to bootstrap the resource account. Then, bootstrap the central account and delegated administrator account (optional if StacksetStack is deployed manually in the spoke account) to trust the resource account. The spoke accounts don’t need to be bootstrapped.
Create a folder to be referred to as <STAGE>, where STAGE is the name of your deployment stage — for example, local, dev, int, and so on — in the conf folder of the cloned repository. The deployment stage is set as the STAGE parameter later and used in the AWS resource names.
Create global.json in the <STAGE> folder. Follow the README to update the parameter values. A sample JSON file is provided in conf/sample folder.

Run the following commands to configure the local environment:

npm install
export STAGE=<STAGE>
export AWS_REGION=<AWS_Region_to_deploy_pipeline_stack>

To deploy the application pipeline stack

Create a file named app.json in the <STAGE> folder and populate the parameters in accordance with the README section and defined schema.
If you choose to manage the deployment of spoke account stacks using the delegated administrator account and have set the deploy_stacksets parameter to true, create a file named stackset.json in the <STAGE> folder. Follow the README section to align with the requirements of the defined schema.
You can also deploy the spoke account stack manually for testing using the AWS CloudFormation template in templates/spoke-serverless-stack.yaml. This will create and configure the needed spoke account resources.
Run the following commands to deploy the application pipeline stack:
```
export STACKNAME=app && make deploy
```
Figure 3: Example output of application pipeline deployment

After deploying the solution, each spoke account is required to configure stateful rules for every VPC in the configuration file and upload it to the S3 bucket. Each spoke account owner must verify the VPC’s connection to the firewall using the centralized deployment model. The configuration, presented in the YAML configuration language, might encompass multiple rule definitions. Each account must furnish one configuration file per VPC to establish accountability and non-repudiation.

Validation

Now that you’ve deployed the solution, follow the next steps to verify that it’s completed as expected, and then test the application.

To validate deployment

Sign in to the AWS Management Console using the resource account and go to CodePipeline.
Verify the existence of a pipeline named cpp-app-<aws_ organization_scope>-<project_name>-<module_name>-<STAGE> in the configured Region.
Verify that stages exist in each pipeline for all configured Regions.
Confirm that all pipeline stages exist. The LambdaStack and ServerlessStack stages must exist in the cpp-app-<aws_organization_scope>-<project_name>-<module_name>-<STAGE> stack. The StacksetStack stage must exist if you set the deploy_stacksets parameter to true in global.json.

To validate the application

Sign in and open the Amazon S3 console using the spoke account.
Follow the schema defined in app/RuleCollect/schema.json and create a file with naming convention ${Region}-config.yaml. Note that the Region in the config file is the destination Region for the firewall rules. Verify that the file has valid VPC data and rules.

Figure 4: Example configuration file for eu-west-1 Region
Upload the newly created config file to the S3 bucket named anfw-allowlist-<AWS_REGION for application stack>-<Spoke Account ID>-<STAGE>.
If the data in the config file is invalid, you will see ERROR and WARN logs in the CloudWatch log group named cw-<aws_organization_scope>-<project_name>-<module_name>-CustomerLog-<STAGE>.
If all the data in the config file is valid, you will see INFO logs in the same CloudWatch log group.

Figure 5: Example of logs generated by the anfw-automate in a spoke account
After the successful processing of the rules, sign in to the Network Firewall console using the central account.
Navigate to the Network Firewall rule groups and search for a rule group with a randomly assigned numeric name. This rule group will contain your Suricata rules after the transformation process.

Figure 6: Rules created in Network Firewall rule group based on the configuration file in Figure 4
Access the Network Firewall rule group identified by the suffix reserved. This rule group is designated for administrators and global rules. Confirm that the rules specified in app/data/defaultdeny.yaml have been transformed into Suricata rules and are correctly placed within this rule group.
Instantiate an EC2 instance in the VPC specified in the configuration file and try to access both the destinations allowed in the file and any destination not listed. Note that requests to destinations not defined in the configuration file are blocked.

Cleaning up

To avoid incurring future charges, remove all stacks and instances used in this walkthrough.

Sign in to both the central account and the delegated admin account. Manually delete the stacks in the Regions configured for the app parameter in global.json. Ensure that the stacks are deleted for all Regions specified for the app parameter. You can filter the stack names using the keyword <aws_organization_scope>-<project_name>-<module_name> as defined in global.json.
After deleting the stacks, remove the pipeline stacks using the same command as during deployment, replacing cdk deploy with cdk destroy.
Terminate or stop the EC2 instance used to test the application.

Conclusion

This solution simplifies network security by combining distributed ANFW firewall configurations in a centralized policy. Automated rule management can help reduce operational overhead, reduces firewall change request completion times from minutes to seconds, offloads security and operational mechanisms such as input validation, state-management, and request throttling, and enables central security teams to enforce global firewall rules without compromising on the flexibility of user-defined rulesets.

In addition to using this application through S3 bucket configuration management, you can integrate this tool with GitHub Actions into your CI/CD pipeline to upload the firewall rule configuration to an S3 bucket. By combining GitHub actions, you can automate configuration file updates with automated release pipeline checks, such as schema validation and manual approvals. This enables your team to maintain and change firewall rule definitions within your existing CI/CD processes and tools. You can go further by allowing access to the S3 bucket only through the CI/CD pipeline.

Finally, you can ingest the AWS Network Firewall logs into one of our partner solutions for security information and event management (SIEM), security monitoring, threat intelligence, and managed detection and response (MDR). You can launch automatic rule updates based on security events detected by these solutions, which can help reduce the response time for security events.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.

Stable kernels 6.7.5, 6.6.17, and 6.1.78

2024-02-16 jake

Post Syndicated from jake original https://lwn.net/Articles/962556/

Greg Kroah-Hartman has announced the release of the 6.7.5, 6.6.17,
and 6.1.78 stable kernels. As is the norm,
they contain important fixes throughout the kernel tree. So far, there are no
new CVEs reported on
the linux-cve-announce mailing list, which means that the new kernel CVE numbering authority (CNA)
powers have not yet been used.

Highlights: Idris Elba | Celebrating Africa Day | Talks at Google

2024-02-16 Talks at Google

Post Syndicated from Talks at Google original https://www.youtube.com/watch?v=mEVux-Yq1NQ

Enhance data security and governance for Amazon Redshift Spectrum with VPC endpoints

2024-02-16 Kanwar Bajwa

Post Syndicated from Kanwar Bajwa original https://aws.amazon.com/blogs/big-data/enhance-data-security-and-governance-for-amazon-redshift-spectrum-with-vpc-endpoints/

Many customers are extending their data warehouse capabilities to their data lake with Amazon Redshift. They are looking to further enhance their security posture where they can enforce access policies on their data lakes based on Amazon Simple Storage Service (Amazon S3). Furthermore, they are adopting security models that require access to the data lake through their private networks.

Amazon Redshift Spectrum enables you to run Amazon Redshift SQL queries on data stored in Amazon S3. Redshift Spectrum uses the AWS Glue Data Catalog as a Hive metastore. With a provisioned Redshift data warehouse, Redshift Spectrum compute capacity runs from separate dedicated Redshift servers owned by Amazon Redshift that are independent of your Redshift cluster. When enhanced VPC routing is enabled for your Redshift cluster, Redshift Spectrum connects from the Redshift VPC to an elastic network interface (ENI) in your VPC. Because it uses separate Redshift dedicated clusters, to force all traffic between Redshift and Amazon S3 through your VPC, you need to turn on enhanced VPC routing and create a specific network path between your Redshift data warehouse VPC and S3 data sources.

When using an Amazon Redshift Serverless instance, Redshift Spectrum uses the same compute capacity as your serverless workgroup compute capacity. To access your S3 data sources from Redshift Serverless without traffic leaving your VPC, you can use the enhanced VPC routing option without the need for any additional network configuration.

AWS Lake Formation offers a straightforward and centralized approach to access management for S3 data sources. Lake Formation allows organizations to manage access control for Amazon S3-based data lakes using familiar database concepts such as tables and columns, along with more advanced options such as row-level and cell-level security. Lake Formation uses the AWS Glue Data Catalog to provide access control for Amazon S3.

In this post, we demonstrate how to configure your network for Redshift Spectrum to use a Redshift provisioned cluster’s enhanced VPC routing to access Amazon S3 data through Lake Formation access control. You can set up this integration in a private network with no connectivity to the internet.

Solution overview

With this solution, network traffic is routed through your VPC by enabling Amazon Redshift enhanced VPC routing. This routing option prioritizes the VPC endpoint as the first route priority over an internet gateway, NAT instance, or NAT gateway. To prevent your Redshift cluster from communicating with resources outside of your VPC, it’s necessary to remove all other routing options. This ensures that all communication is routed through the VPC endpoints.

The following diagram illustrates the solution architecture.

The solution consists of the following steps:

Create a Redshift cluster in a private subnet network configuration:
1. Enable enhanced VPC routing for your Redshift cluster.
2. Modify the route table to ensure no connectivity to the public network.
Create the following VPC endpoints for Redshift Spectrum connectivity:
1. AWS Glue interface endpoint.
2. Lake Formation interface endpoint.
3. Amazon S3 gateway endpoint.
Analyze Amazon Redshift connectivity and network routing:
1. Verify network routes for Amazon Redshift in a private network.
2. Verify network connectivity from the Redshift cluster to various VPC endpoints.
3. Test connectivity using the Amazon Redshift query editor v2.

This integration uses VPC endpoints to establish a private connection from your Redshift data warehouse to Lake Formation, Amazon S3, and AWS Glue.

Prerequisites

To set up this solution, You need basic familiarity with the AWS Management Console, an AWS account, and access to the following AWS services:

AWS Glue
AWS Identity and Access Management (IAM)
Lake Formation
Amazon Redshift
Amazon S3
Amazon Virtual Private Cloud (Amazon VPC)

Additionally, you must have integrated Lake Formation with Amazon Redshift to access your S3 data lake in non-private network. For instructions, refer to Centralize governance for your data lake using AWS Lake Formation while enabling a modern data architecture with Amazon Redshift Spectrum.

Create a Redshift cluster in a private subnet network configuration.

The first step is to configure your Redshift cluster to only allow network traffic through your VPC and prevent any public routes. To accomplish this, you must enable enhanced VPC routing for your Redshift cluster. Complete the following steps:

On the Amazon Redshift console, navigate to your cluster.
Edit your network and security settings.
For Enhanced VPC routing, select Turn on.
Disable the Publicly accessible option.
Choose Save changes and modify the cluster to apply the updates. You now have a Redshift cluster that can only communicate through the VPC. Now you can modify the route table to ensure no connectivity to the public network.
On the Amazon Redshift console, make a note of the subnet group and identify the subnet associated with this subnet group.
On the Amazon VPC console, identify the route table associated with this subnet and edit to remove the default route to the NAT gateway.

If you cluster is in a public subnet, you may have to remove the internet gateway route. If subnet is shared among other resources, it may impact their connectivity.

Your cluster is now in a private network and can’t communicate with any resources outside of your VPC.

Create VPC endpoints for Redshift Spectrum connectivity

After you configure your Redshift cluster to operate within a private network without external connectivity, you need to establish connectivity to the following services through VPC endpoints:

AWS Glue
Lake Formation
Amazon S3

Create an AWS Glue endpoint

To begin with, Redshift Spectrum connects to AWS Glue endpoints to retrieve information from the AWS Data Glue Catalog. To create a VPC endpoint for AWS Glue, complete the following steps:

On the Amazon VPC console, choose Endpoints in the navigation pane.
Choose Create endpoint.
For Name tag, enter an optional name.
For Service category, select AWS services.
In the Services section, search for and select your AWS Glue interface endpoint.
Choose the appropriate VPC and subnets for your endpoint.
Configure the security group settings and review your endpoint settings.
Choose Create endpoint to complete the process.

After you create the AWS Glue VPC endpoint, Redshift Spectrum will be able to retrieve information from the AWS Glue Data Catalog within your VPC.

Create a Lake Formation endpoint

Repeat the same process to create a Lake Formation endpoint:

On the Amazon VPC console, choose Endpoints in the navigation pane.
Choose Create endpoint.
For Name tag, enter an optional name.
For Service category, select AWS services.
In the Services section, search for and select your Lake Formation interface endpoint.
Choose the appropriate VPC and subnets for your endpoint.
Configure the security group settings and review your endpoint settings.
Choose Create endpoint.

You now have connectivity for Amazon Redshift to Lake Formation and AWS Glue, which allows you to retrieve the catalog and validate permissions on the data lake.

Create an Amazon S3 endpoint

The next step is to create a VPC endpoint for Amazon S3 to enable Redshift Spectrum to access data stored in Amazon S3 via VPC endpoints:

On the Amazon VPC console, choose Endpoints in the navigation pane.
Choose Create endpoint.
For Name tag, enter an optional name.
For Service category, select AWS services.
In the Services section, search for and select your Amazon S3 gateway endpoint.
Choose the appropriate VPC and subnets for your endpoint.
Configure the security group settings and review your endpoint settings.
Choose Create endpoint.

With the creation of the VPC endpoint for Amazon S3, you have completed all necessary steps to ensure that your Redshift cluster can privately communicate with the required services via VPC endpoints within your VPC.

It’s important to ensure that the security groups attached to the VPC endpoints are properly configured, because an incorrect inbound rule can cause your connection to timeout. Verify that the security group inbound rules are correctly set up to allow necessary traffic to pass through the VPC endpoint.

Analyze traffic and network topology

You can use the following methods to verify the network paths from Amazon Redshift to other endpoints.

Verify network routes for Amazon Redshift in a private network

You can use an Amazon VPC resource map to visualize Amazon Redshift connectivity. The resource map shows the interconnections between resources within a VPC and the flow of traffic between subnets, NAT gateways, internet gateways, and gateway endpoints. As shown in the following screenshot, the highlighted subnet where the Redshift cluster is running doesn’t have connectivity to a NAT gateway or internet gateway. The route table associated with the subnet can reach out to Amazon S3 via VPC endpoint only.

Note that AWS Glue and Lake Formation endpoints are interface endpoints and not visible on a resource map.

Verify network connectivity from the Redshift cluster to various VPC endpoints

You can verify connectivity from your Redshift cluster subnet to all VPC endpoints using the Reachability Analyzer. The Reachability Analyzer is a configuration analysis tool that enables you to perform connectivity testing between a source resource and a destination resource in your VPCs. Complete the following steps:

On the Amazon Redshift console, navigate to the Redshift cluster configuration page and note the internal IP address.
On the Amazon EC2 console, search for your ENI by filtering by the IP address.
Choose the ENI associated with your Redshift cluster and choose Run Reachability Analyzer.
For Source type, choose Network interfaces.
For Source, choose the Redshift ENI.
For Destination type, choose VPC endpoints.
For Destination, choose your VPC endpoint.
Choose Create and analyze path.
When analysis is complete, view the analysis to see reachability.

As shown in the following screenshot, the Redshift cluster has connectivity to the Lake Formation endpoint.

You can repeat these steps to verify network reachability for all other VPC endpoints.

Test connectivity by running a SQL query from the Amazon Redshift query editor v2

You can verify connectivity by running a SQL query with your Redshift Spectrum table using the Amazon Redshift query editor, as shown in the following screenshot.

Congratulations! You are able to successfully query from Redshift Spectrum tables from a provisioned cluster while enhanced VPC routing is enabled for traffic to stay within your AWS network.

Clean up

You should clean up the resources you created as part of this exercise to avoid unnecessary cost to your AWS account. Complete the following steps:

On the Amazon VPC console, choose Endpoints in the navigation pane.
Select the endpoints you created and on the Actions menu, choose Delete VPC endpoints.
On the Amazon Redshift console, navigate to your Redshift cluster.
Edit the cluster network and security settings and select Turn off for Enhanced VPC routing.
You can also delete your Amazon S3 data and Redshift cluster if you are not planning to use them further.

Conclusion

By moving your Redshift data warehouse to a private network setting and enabling enhanced VPC routing, you can enhance the security posture of your Redshift cluster by limiting access to only authorized networks.

We want to acknowledge our fellow AWS colleagues Harshida Patel, Fabricio Pinto, and Soumyajeet Patra for providing their insights with this blog post.

If you have any questions or suggestions, leave your feedback in the comments section. If you need further assistance with securing your S3 data lakes and Redshift data warehouses, contact your AWS account team.

Additional resources

About the Authors

Kanwar Bajwa is an Enterprise Support Lead at AWS who works with customers to optimize their use of AWS services and achieve their business objectives.

Swapna Bandla is a Senior Solutions Architect in the AWS Analytics Specialist SA Team. Swapna has a passion towards understanding customers data and analytics needs and empowering them to develop cloud-based well-architected solutions. Outside of work, she enjoys spending time with her family.

[$] Windows NT synchronization primitives for Linux

2024-02-16 corbet

Post Syndicated from corbet original https://lwn.net/Articles/961884/

The futex
mechanism provided by the kernel allows for the creation of efficient and
flexible locking primitives in user space. Futexes work well for many
applications, but not all. One of the exceptions, it seems, is that
perennially difficult-to-support use case: Windows games. With
this
patch series, Elizabeth Figura seeks to provide the sort of locking
that those games need, by way of a special-purpose virtual device.

Shelly Gen3 Mini Smart Relays & Power Monitoring – ESP32-C3

2024-02-16 digiblurDIY

Post Syndicated from digiblurDIY original https://www.youtube.com/watch?v=zIKLbPeoxb0

The Most Unwanted, Boring PC: Dell OptiPlex GX270

2024-02-16 LGR

Post Syndicated from LGR original https://www.youtube.com/watch?v=8g-qSdMIFFQ

Security updates for Friday

2024-02-16 jake

Post Syndicated from jake original https://lwn.net/Articles/962506/

Security updates have been issued by Mageia (bind), Red Hat (.NET 8.0 and kpatch-patch), SUSE (golang-github-prometheus-alertmanager, java-1_8_0-openj9, kernel, libaom, openssl-3, postgresql15, salt, SUSE Manager Client Tools, SUSE Manager Server 4.3, and webkit2gtk3), and Ubuntu (shadow).

Monitoring machine learning models for bot detection

2024-02-16 Daniel Means http://blog.cloudflare.com/author/daniel-means/

Post Syndicated from Daniel Means http://blog.cloudflare.com/author/daniel-means/ original https://blog.cloudflare.com/monitoring-machine-learning-models-for-bot-detection

Cloudflare’s Bot Management is used by organizations around the world to proactively detect and mitigate automated bot traffic. To do this, Cloudflare leverages machine learning models that help predict whether a particular HTTP request is coming from a bot or not, and further distinguishes between benign and malicious bots. Cloudflare serves over 55 million HTTP requests per second — so our machine learning models need to run at Cloudflare scale.

We are constantly making improvements to the models that power Bot Management to ensure they are incorporating the latest threat intelligence. This process of iteration is an important part of ensuring our customers stay a step ahead of malicious actors, and it requires a rigorous process for experimentation, deployment, and ongoing observation.

We recently shared an introduction to Cloudflare’s approach to MLOps, which provides a holistic overview of model training and deployment processes at Cloudflare. In this post, we will dig deeper into monitoring, and how we continuously evaluate the models that power Bot Management.

Why monitoring matters

Before bot detection models are released, we undergo an extensive model testing/validation process to ensure our detections perform as expected. Model performance is validated across a wide number of web traffic segments, by browser, HTTP protocol, and other dimensions to get a fine-grained view into how we expect the model to perform once deployed. If everything checks out, the model is gradually released into production, and we get a level up in our bot detections.

After models are deployed to production, it can be challenging to get visibility into performance on a granular level. Sure, we can look at outcomes-based metrics — like bot score distributions, or challenge solve rates. These are informative, but with any change in bot scoring or challenge solve rates, we’re still left asking, “Which segments of web traffic are most impacted by this change? Was that expected?”.

To train a model for the Internet is to train a model against a moving target. Anyone can train a model on static data and achieve great results — so long as the input does not change. Building a model that generalizes into the future, with new threats, browsers, and bots is a more difficult task. Machine learning monitoring is an important part of the story because it provides confidence that our models continue to generalize, using a rigorous and repeatable process.

In the days before machine learning monitoring, the team would analyze web traffic patterns and model scoring results to track the proportion of web requests scored as bot or human. This high-level metric is helpful for evaluating performance of the model in the aggregate, but didn’t provide granular detail into how the model was behaving with particular types of traffic. For a deeper analysis, we’d be left with the additional work of investigating performance on individual traffic segments like traffic from Chrome browser or clients using iOS.

With machine learning monitoring, we get insights into how the model behaves not just at a high level, but in a much more granular way — without having to do a lot of manual investigation. The monitoring closes the feedback loop by answering the critical question: “How are our bot detection models performing in production?” Monitoring gives us the same level of confidence derived from pre-deployment model validation/testing, except applied to all models in production.

The use cases for which monitoring has proven invaluable include:

Investigating bot score anomalies: If a customer reports machine learning scoring false positives/negatives, and we suspect broader issues across a subset of detections, monitoring can help zero-in on the answer. Engineers can find insights from our global monitoring dashboard, or focus on performance for a specific dataset.
Monitoring any model predictions or request field: The monitoring service is flexible and can add an observability layer over any request artifact stored in our web requests databases. If model predictions or outcomes of interest are stored with our request logs, then they can be monitored. We can work across engineering teams to enable monitoring for any outcome.
Deploying new models: We gradually deploy new model versions, eventually ramping up to running across Cloudflare’s global web traffic. Along the way, we have a series of checks before a new model can be deployed to the next release step. Monitoring allows us to compare the latest model with the previous version against granular traffic segments at each deployment stage — giving us confidence when proceeding forward with the rollout.

How does machine learning monitoring work?

The process begins with a ground-truth dataset — a set of traffic data known to be either human or bot-generated, labeled accordingly and accurately. If our model identifies a particular request as bot traffic, when our ground-truth label indicates it originated from a human, then we know the model has miscategorized the request, and vice versa. This kind of labeled data, where we flag traffic as being from a bot or a human, is what our model is trained on to learn to make detections in the first place.

Datasets gathered at training time allow us to evaluate the performance of a trained model for that snapshot in time. Since we want to continuously evaluate model performance in production, we need to likewise get real-time labeled data to compare against our bot score. We can generate a labeled dataset for this purpose when we’re certain that web requests come from a certain actor. For example, our heuristics engine is one source of high-confidence labeled data. Other sources of reliable, labeled data include customer feedback and attack pattern research.

We can directly compare our model’s bot scores on web requests against recently-labeled datasets to judge model performance. To ensure that we are making an apples-to-apples comparison as we evaluate the model’s score over time, consistency is paramount: the data itself will be different, but we want the methodology, conditions, and filters to remain the same between sampling windows. We have automated this process, allowing us to generate labeled datasets in real-time that give us an up-to-the-minute view of model performance.

Getting granular performance metrics

Let’s say we detect a sudden drop in accuracy on a given dataset labeled as bot traffic, meaning our detection is incorrectly scoring bots as human traffic. We would be keen to determine the exact subset of traffic responsible for the scoring miss. Is it coming from the latest Chrome browser or maybe a certain ASN?

To answer this, performance monitoring uses specializations, which are filters applied against our dataset that focus on a dimension of interest (e.g. browser type, ASN). With specializations on datasets, we get both an expectation on how traffic should have been scored, and insight into the exact dimension causing the miss.

Integrating monitoring into our bots machine learning platform

The monitoring system runs on a unified platform called Endeavor, which we built to handle all aspects of bots-related machine learning, including model training and validation, model interpretability, and delivering the most up-to-date information to our servers running bot detection. We can break down monitoring into a few tasks: rendering monitoring queries to fetch datasets, computing performance metrics, and storing metrics. Endeavour uses Airflow, a workflow execution engine, making it a great place to run our monitoring tasks on top of a kubernetes cluster and GPUs, with access to Postgres and ClickHouse databases.

Rendering monitoring queries

A monitoring query is simply a SQL query to our ClickHouse web request database asking “How does machine learning scoring look right now?”. The query gets more precise when we add in dataset and specialization conditions so that we can ask a more refined question “For this set of known (non-)automated traffic, how does machine learning scoring look along these dimensions of interest?”.

In our system, datasets for training and validation are determined using SQL queries, which are tailored to capture segments of request traffic, such as traffic flagged as bots by our heuristics engine. For model monitoring, we adapt these queries to measure performance metrics like accuracy and continuously update the time range to measure the latest model performance. For each dataset used in training and validation, we can generate a monitoring query that produces real-time insight into model performance.

Computing performance metrics

With a rendered monitoring query ready, we can go ahead and fetch bot score distributions from our web request database. The MetricsComputer takes in the bot score distributions as input and produces relevant performance metrics, like accuracy, over a configurable time interval.

We can evaluate model performance along any metric of interest. The MetricInterface is a Python interface that acts as a blueprint for performance metrics. Any newly added metric would only need to implement the interface’s compute_metric method, which defines how the MetricsComputer should perform the calculation.

Storing metrics

After each monitoring run, we store performance metrics by dataset, model version, and specialization value in the ml_performance ClickHouse table. Precomputing metrics enables long data retention periods, so we can review model performance by model versions or dimensions of interest over time. Importantly, newly added performance metrics can be backfilled as needed since the ml_performance table also stores the score distributions used to compute each metric.

Running tasks on GPUs

Metrics computation is load balanced across endeavour-worker instances running across GPUs. From a system perspective, the airflow-scheduler adds a monitoring task to a Redis Queue and Airflow Celery workers running on each GPU will pull tasks off the queue for processing. We benefit from having a production service constantly powered by GPUs, as opposed to only running ad hoc model training workloads. As a result, the monitoring service acts as a health-check that ensures various Endeavour components are functioning properly on GPUs. This helps ensure the GPUs are always updated and ready to run model training/validation tasks.

Machine learning monitoring in action

To better illustrate how Cloudflare uses machine learning monitoring, let’s explore some recent examples.

Improving accuracy of machine learning bot detection

When the monitoring system was first deployed, we quickly found an anomaly: our model wasn’t performing well on web traffic using HTTP/3. At the time, HTTP/3 usage was hardly seen across the web, and the primary model in production wasn’t trained on HTTP/3 traffic, leading to inaccurate bot scores. Fortunately, another bot detection layer, our heuristics engine, was still accurately finding bots using HTTP/3 — so our customers were still covered.

Still, this finding pointed to a key area of improvement for the next model iteration. And we did improve: the next model iteration was consistently able to distinguish between bot and human initiated HTTP/3 web requests with over 3.5x higher accuracy compared to the prior model version. As we enable more datasets and specializations, we can uncover specific browsers, OSs and other dimensions where performance can be improved during model training.

Early detection, quick intervention

Deploying machine learning at a global scale, running in data centers spread over 100 countries around the world, is challenging. Things don’t always go to plan.

A couple of years ago, we deployed an update to our machine learning powered bot detections, and it led to an increase in false positive bot detections — we were incorrectly flagging some legitimate traffic as bot traffic. Our monitoring system quickly showed a drop in performance on residential ASNs where we expect mostly non-automated traffic.

In the graph above, deployments are shown to three colo “tiers”, 1-3. Since software deployments start on tier 3 colocation centers and gradually move up to tier 1, the impact followed the same pattern.

At the same time, a software release was being deployed to our global network, but we didn’t know if it was the cause of the performance drop. We do staged deployments, updating the software in one batch of datacenters at a time before reaching global traffic. Our monitoring dashboards showed a drop in performance that followed this exact deployment pattern, and the release was starting to reach our biggest datacenters.

Monitoring dashboards clearly showed the pattern followed a software update. We reverted the change before the update made it to most of our datacenters and restored normal machine learning bot detection performance. Monitoring allows us to catch performance anomalies, dig into the root cause, and take action — fast.

Model deployment monitoring for all

We’ve seen a lot of value in being able to monitor and control our models and deployments, and realized that other people must be running into the same challenges as well. Over the next few months, we’ll be building out more advanced features for AI Gateway – our proxy that helps people observe and control their AI applications and models better. With AI Gateway, we can do all the same deployments, monitoring, and optimization strategies we have been doing for our Bot detection models in one unified control plane. We’re excited to use these new features internally, but even more excited to release these features to the public, so that anyone is able to deploy, test, monitor and improve the way they use AI or machine learning models.

Next up

Today, machine learning monitoring helps us investigate performance issues and monitor performance as we roll out new models — and we’re just getting started!

This year, we’re accelerating our machine learning model iterations for bot detection to deliver improved detections faster than ever. Monitoring will be key for enabling fast and safe deployments. We’re excited to add alerting based on model performance – so that we’re automatically notified should model performance ever drift outside our expected bounds.

Alongside our Workers AI launch, we recently deployed GPUs in 100+ cities, leveling up our compute resources at a global scale. This new infrastructure will unlock our model iteration process, allowing us to explore new, cutting-edge models with even more powerful bot detection capabilities. Running models on our GPUs will bring inference closer to users for better model performance and latency, and we’re excited to leverage our new GPU compute with our bot detection models as well.

Demon Photographer: Adrian C. Duff

2024-02-16 The History Guy: History Deserves to Be Remembered

Post Syndicated from The History Guy: History Deserves to Be Remembered original https://www.youtube.com/watch?v=SkUGcjfD04Y

Кой се страхува от трупа на Нотариуса?

2024-02-16 Емилия Милчева

Post Syndicated from Емилия Милчева original https://www.toest.bg/koy-se-strahuva-ot-trupa-na-notariusa/

Кой се страхува от трупа на Нотариуса?

Шестнайсет дни след убийството на съдържателя на клуб за търговия с правосъдие Мартин Божанов – Нотариуса е ясно, че със съдействието на n броя прокурори, n броя съдии и n броя служители на ДАНС, МВР, НАП той е осъществявал „върховенството на правото“ по дела от голям материален, а също и обществен интерес. Най-вероятно са замесени и висши политици, тъй като никой не може да плете такива мрежи без покровителството на ония, които си избират главните прокурори по каталог, известен само на тях.

Остава най-трудната работа – да се проведе независимо и ефективно разследване, за да бъдат събрани доказателства, годни за съд.

Възможно ли е? Или ще бъде затвърдено правилото, че мафиотите ги отстрелват, а мрежите им остават за други „концесионери“. В България разплитането на афери от калибъра на клуба за поръчково правосъдие обикновено не стигат до върховете, където са покровителите и поръчителите. В интервю за БНР тази седмица еврокомисарят по правосъдието Дидие Рейндерс заяви по повод убийството на Нотариуса, че е важно да има истинско разследване и за тази цел трябва да се променят много неща в България и да се приложи промененото законодателство.

Важното е да се уверим, че има възможност действително да се проведе реално разследване от независими лица.

Този път на парламента се пада отговорността да е разобличителят на организираната престъпна група (или групи) в съдебната система – не просто на имотните измами, рекета, заплахите към магистрати и уреждането на дела. Това е и изпитание за управляващото мнозинство, с чиито гласове беше одобрена шестата поправка в Конституцията, доколко е искрено в прокламациите си за съдебна реформа. Също е и тест за ПП–ДБ и отколешната им битка със задкулисието. Убийството на Нотариуса им дава шанса да докажат, че онова „Има как България да поеме по пътя на изграждането на справедлива, европейска и модерна държава“ отпреди година не е било само предизборен кьорфишек.

Показното убийство на Нотариуса, извършено след изчезването на друг дилър на правосъдие – Петьо Петров – Еврото, миналата година, може да даде старт на разплитането на престъпните мрежи в правосъдието. Единственото необходимо е политическа воля.

Същото това убийство осветява силно фигурата на внезапно преминалия в лагера на реформаторите на прокуратурата Борислав Сарафов. Изглежда ли приемлив за главен прокурор, или системата е в състояние да направи по-добра селекция?

Не и Сарафов

Едва ли за разследването може да се възлагат големи надежди на силно компрометираната прокуратура, затваряла си очите от десетилетия за търговията с влияние, извършвана от хора като Нотариуса, Еврото, Черничкия с помощници от службите и МВР.

Не и докато изпълняващ функциите на главен прокурор е Борислав Сарафов. До средата на 2023 г. той беше дясна ръка на отстранения главен прокурор Иван Гешев и в качеството си на негов предан заместник беше и шеф на националното следствие. В разследването си в три части „Списък за бърз контрол“ Антикорупционният фонд (АКФ) разкри дейността на Нотариуса още през 2021 г., а прокуратурата игнорира изнесените данни. Пострадалите бяха бизнесменът Веселин Денков и жена му Ивайла Бакалова, от която поискаха минимум 100 000 евро, за да освободят мъжа ѝ от ареста. В по-ранно разследване на АКФ за аферата „Осемте джуджета“ (по името на ресторанта, държан от „колегата“ на Нотариуса, Петър Петров – Пепи Еврото) бяха изнесени данни за чести посещения на Сарафов в заведението, както и негови снимки с Еврото.

Сарафов ще е временно изпълняващ функциите (поне) до есента на 2024 г., когато трябва да се състои изборът за нов главен прокурор. Изглежда, че работата по аферите на Нотариуса ще се върши на принципа „кой ще опере пешкира“. Първите изгорели вече са известни – шефката на Софийската районна прокуратура (СРП) Невена Зартова (дъщеря на бившия шеф на Търговското отделение във Върховния съд Явор Зартов) и четиримата ѝ заместници, които обаче се разграничиха с декларация от нея и заявиха, че подкрепят усилията на и.ф. главен прокурор за реформа на прокуратурата.

Зартова, избрана от Висшия съдебен съвет през 2019 г. без нито един глас против, бе посочена в интервюта на гръцки бизнесмени като магистрат от лагера на Нотариуса. След като подаде оставката си, тя направи медиен рейд, в който обясни, че познава Божанов „официално“ от 2005 г., не подозирала за влиянието му, заведените срещу него общо 19 дела и преписки в СРП са били прекратени. Пред bTV Зартова потвърди, че и тя е посещавала ресторанта „Осемте джуджета“, и съобщи, че миналото лято в СРП било повдигнато обвинение срещу Петьо Петров – Еврото, но Софийската градска прокуратура прекратила делото.

Оставката на Зартова и заместниците ѝ дойде след интервю пред „24 часа“, в което гръцкият бизнесмен Анастасиос Дикос, представител на инвеститор в София Ринг Мол и ИКЕА, разказа за системен рекет от група, свързвана с Мартин Божанов – Нотариуса. СРП незаконно повдигнала обвинение за измама в особено големи размери срещу него и двама негови колеги.

Бяхме заплашвани, искаха ни подкупи. Като в този тормоз постепенно бяха замесени и данъчни служители, прокурори, представители на КПКОНПИ, получавахме телефонни обаждания от служители на ДАНС. За кратко време заведоха срещу нас повече от десет съдебни дела и разследвания. И всичко започна заради наш инвестиционен проект за жилищно строителство.

В интервю за БНР и за „Сега“ адвокат Михаил Екимджиев, известен със спечелените си дела пред Европейския съд по правата на човека, призова за обществен и медиен натиск, за да не се спре само до аферите с Нотариуса и клуба му, каквито опити се правят.

Елиминират се хора, които са станали неконтролируеми и опасни за политическите си ментори. Те се отстраняват, когато вече е ясно кой ще заеме местата им.

Но журналистът от АКФ Николай Стайков, един от авторите на разследванията за Нотариуса и Пепи Еврото, даде да се разбере в свои медийни изяви, че в неправителствената организация разполагат с данни и за други схеми за търговия в правосъдието.

Според адвокат Екимджиев повече от основателни са съмненията, че органът, компетентен да разследва, в случая е ръководен от лице, замесено както в „Осемте джуджета“ – „там ще излезе решение на Европейския съд на 22–23 февруари“, така и в други схеми – Борислав Сарафов.

Изслушването на и.ф. главен прокурор от съдийската колегия на ВСС тази седмица показа, че той не се чувства комфортно, отговаряйки в продължение на близо 5 часа на въпросите по аферата с клуб SS на Нотариуса. Част от тях той отклони с аргумента, че се повтарят, че няма информация, че не знае или че питащият няма правомощия да пита точно това.

„Не е моментът сега да провеждаме лов на вещици, да гоним неудобните и да закриляме удобните“, заяви Сарафов предвид евентуалното огласяване на имената на магистратите с членски карти от клуба на Нотариуса. Причината – нямало проверена и достоверна информация.

Циркулирането на разни списъци в публичното пространство е много опасно. Това не трябва да се превръща в повод за някаква институционална репресия и обществена реакция. Опасно е в подобни списъци да попаднат невинни хора. Аз бих изпратил към прокурорската колегия на ВСС и съдийската колегия на ВСС, ако има колегия, а не съвети, само проверени данни в рамките на проверките и ревизиите, които съм назначил.

Тест за мнозинството в парламента

Сарафов не знаел нищо за списък с имена на магистрати от клуб SS на столичната улица „22 септември“. Но такъв списък е бил подхвърлен в пощенската кутия на депутата Атанас Атанасов (ПП–ДБ), който пък го предал на своя колега Никола Минчев, оглавил временната анкетна комисия на парламента за делата на застреляния Мартин Божанов. Тя ще работи три месеца и амбициите са да изслуша всички замесени, включително заплашваната от Нотариуса съдийка Владислава Цариградска. Временна комисия по случая реши да създаде и съдийската колегия на ВСС, но какво ще проверява – кадровиците тепърва ще решават.

Въпрос на време е имената от списъка да станат публично известни. Първите вече се появиха. Пред БНТ Никола Минчев спомена, че е видял няколко имена на магистрати, предимно от специализираното правосъдие, и уточни, че в този списък няма политици. Но макар Делян Пеевски да не е споменат изрично, също ще бъде поканен. Нотариуса е имал съдия, към когото се е обръщал с „Тони“, като се предполага, че става дума за съдия Андон Миталов, санкциониран за корупция от САЩ през 2020 г.

Важно да се изясни и какви дела са гледали тези магистрати, свързани ли са с Нотариуса по друг начин, освен като посетители на клуба, какво е имотното им състояние. Освен това, ако (изобщо) се докаже, че има дело, решено по точно определен начин заради членството в SS, възможна ли е отмяна на решението – и на какво основание?

Първото заседание на временната парламентарна комисия обаче започна с разобличителите от АКФ, които от своя страна посъветваха членовете ѝ кого да поканят за изслушване. Списъкът се оказа дълъг. Начело са бившите главни прокурори Иван Гешев и Сотир Цацаров, настоящият и.ф. главен прокурор Сарафов, бившият председател на Апелативния специализиран наказателен съд Георги Ушев. Следва бившият вътрешен министър и настоящ депутат от ПП–ДБ Бойко Рашков, също и Веселин Денков и Ивайла Бакалова.

Бойко Рашков е наясно с фигурата на Нотариуса и обхвата на влиянието му:

Ние водихме разследване срещу този човек, когато бях министър. Той е свързан със среди и в прокуратурата, и в магистратурата, и в съда. Сега го отстраниха, защото се уплашиха, че ще разкрие факти за връзките му с такива среди. Съдия Владислава Цариградска е написала днес нещо, там има две имена, едното от които напоследък, след промените в Конституцията в частта за прокуратурата, започна да размахва пръст – от държавния глава докъдето прецени.

Преди коментара на Рашков в парламента заплашваната от Нотариуса съдийка заяви по bTV:

Освен това ми беше казано, за да бъда респектирана, че Марти е много близък с Иван Гешев и Пеевски, дали това е вярно – аз не зная.

Споменаването от съдия Цариградска на председателя на ПГ на ДПС и санкциониран за значима корупция по „Магнитски“ Делян Пеевски е сред аргументите да бъде поискано изслушването му от временната комисия. От „Има такъв народ“, настояха за това, а също и ГДБОП да предостави всички факти и документи по казуса „Нотариуса“ от 2021 г. насам.

Депутатът от ИТН Гроздан Караджов предаде писмо, с което от партията предлагат към списъка с имена да се добавят един от стълбовете на евроатлантическото мнозинство – Пеевски, както и Невена Зартова и министър Калин Стоянов, но и министърът на финансите Асен Василев и шефът на НАП Спецов. Последните двама са споменати в интервюто на гръцкия бизнесмен в контекста на това, че инвеститорът сигнализирал на НАП и Василев за конфликт на интереси на високопоставена данъчна служителка. „Никога Асен Василев не ми се е обаждал, за да ми дава указания кого да проверявам“, каза по този повод Спецов пред Нова телевизия.

Поканата към Ушев пък е свързана с разрешените от него специални разузнавателни средства (СРС) срещу магистрати. За 4 години, до закриването на спецправосъдието, над 150 магистрати са били подслушвани със СРС, но няма образувано нито едно досъдебно производство.

Чадър от МВР

Имаше една шега от годините на Прехода, че МВР назначава престъпните босове. Е, вече ги пази и закриля заедно с прокуратурата. Временната парламентарна комисия би могла да изясни какъв „чадър“ е ползвал Нотариуса – докъде са се простирали мрежите му в ГДБОП, ДАНС и МВР.

Николай Стайков от АКФ каза, че Мартин Божанов е имал кола със синя лампа и е ползвал служебния паркинг на Специализираната прокуратура за нуждите на частния си клуб, който е в близост. Записи от Google Street View показват, че въпросният паркинг бил охраняван от полицейски коли, които са пазели и клуба. Нотариуса ползвал за охрана полицаи от СДВР, а частният му клуб е работел дни преди убийството му на 31 януари. Заведението е било претърсено чак седмица след това. Но не само с SS клуба е било така.

Пред ресторанта „Осемте джуджета“ в продължение на две години е имало патрулка, а бившият вътрешен министър на ГЕРБ Младен Маринов така и не отговори на АКФ какво е налагало това. Като правосъден министър Христо Иванов, днес съпредседател на „Демократична България“, на два пъти поиска от ВСС да образува дисциплинарно производство срещу Петьо Петров – Еврото. Но Еврото беше спасен с намесата на главния прокурор Сотир Цацаров, който предложи да се вземе предвид желанието на самия Петров да бъде освободен. А две години по-късно Еврото отвори „Осемте джуджета“. Връзката между групите на Еврото и Нотариуса също подлежи на разследване.

Странно е също така, че съпругата на Нотариуса започва работа в ГДБОП след вътрешен конкурс през май 2021 г. – точно когато за шеф на антимафиотите е назначен Калин Стоянов, настоящият министър на вътрешните работи. Стоянов прекратява договора ѝ след два месеца поради отказ за издаване на разрешение за достъп до класифицирана информация. Но съдът я връща в МВР.

Промяната на ЕГН-то на Мартин Божанов, както и на фамилията му (от Ангелов на Божанов), е извършена с решение на съдия през 2000 г. Името на магистрата още не е известно, макар процедурата по смяната да е започнала именно със съдебното решение. Не са известни и резултатите от обещаната от вътрешния министър проверка „на място в ГРАО, за да установим кой, как, по какъв начин и с какви мотиви и на какво основание е станало“.

Разследващият журналист Николай Стайков обясни модела на Божанов – от подкупване на съдии за избор на определени оценители и вещи лица до предизвикване на несъстоятелност на фирми, придобиване на активите им и решаване на дела с голям материален интерес. Три от тях Стайков назова: делото по несъстоятелност на КТБ, делото за конфискацията на активите на Евелин Банев – Брендо и семейството му и делото на убития бизнесмен Борислав Манджуков срещу Инвестбанк.

Този път всички – от политици до магистрати, си дават сметка, че скандалът не може да приключи с дисциплинарни наказания, както стана след лобисткия скандал с Красимир Георгиев, известен като Красьо Черничкия. Тогава петима бяха наказани заради накърняване на престижа на съдебната власт. Сега обаче става въпрос за подмяната ѝ с организирани престъпни групи. Някои от виновниците за това състояние са част от конституционното мнозинство, амбицирано да реформира съдебната система – където трупът на Нотариуса си мирише.

Заглавно изображение: Д-р Теодор Цвингер III (1658–1724) – герб с негов портрет в цивилно и в работно облекло със защитен костюм и маска срещу чума. Въпросът е има ли кой да сложи маската и костюма и да се разрoви както трябва там, където никой не иска да влиза. Картината е част от Wellcome Collection.

„Майната ви, тук сме!“ Децата на гастарбайтерите и стрийткултурата

2024-02-16 Емине Садкъ

Post Syndicated from Емине Садкъ original https://www.toest.bg/maynata-vi-tuk-sme-detsata-na-gastarbayterite-i-striytkulturata/

<< Към първа част

Tъмна любов, тъжна любов.
Така наречените марки са фалшива любов.
Тъкмо вързах двата края
и насреща ми се появи смъртта.

Ideal – Aşk, Mark ve Ölüm („Любов, дойчемарки и смърт“), превод Емине Садкъ

„Майната ви, тук сме!“ Децата на гастарбайтерите и стрийткултурата

В своята книга „В клинч. Историята на моите филми“ Фатих Акин разказва за роднините и родителите си, пристигнали през 60-те години, които раждат и отглеждат децата си в Западна Германия с илюзията, че „още малко и ще се върнем в Турция“.

Част от роднините му наистина се завръщат в Турция по време на Световната петролна криза, която разклаща силно икономиката на ФРГ през 80-те. За да се справи с безработицата, правителството на Западна Германия насърчава парично емигрантите да се приберат по родните си места. Родителите на Акин така и не тръгват. Нещо повече, баща му и брат му са актьори в повечето му филми.

Акин е роден през 1973 г. в Хамбург и е един от силните гласове на турските артисти, творящи в Германия. За себе си той казва:

Докато мисля, ще мисля на немски.

Също и:

Моята родина е киното.

Във филма „Срещу стената“ (2004) свободата да избереш езика, на който да мислиш, и да принадлежиш не на територия или култура, а на изкуството (или на идеята за свободата), е представена с очарователна своенравност.

Главният герой Джахит, немски турчин и суициден пънкар, е на гости на консервативното семейството на Сибел, която среща в клиника за самоубийци. Сибел иска да сключи фиктивен брак с Джахит, защото само ако тя стане притежание на друг мъж (турчин), може да се освободи от тираничния брат и семейството си. Тук ставаме свидетели на титаничен сблъсък между две различни идеи за съществуване, а забранените плодове на свободата се достигат по логиката на същите правила, с които биват забранявани.

В същата сцена братът на Сибел говори на турски с „кандидат-зетя“ Джахит. Джахит отговаря на немски:

– Защо не говориш турски? – пита го братът на Сибел, леко ядосан.
Какъв зет ще им става тоя, ако не говори турски? Може ли да се има вяра на подобен човек?
– Забравил съм го! – отговаря Джахит.

В Турция ни наричат немци, в Германия – чужденци.
Аз съм дете на гурбетчии.
Немци ни наричат, но сме непознати за всички.
Нашият път продължава зад кулисите.

Islamic Force – Gurbetçi Çocukları (1997), превод Емине Садкъ

Продължителната безработица през 80-те, довела до масово гетоизиране на гастарбайтерите, както и 90-те години на обединена, но нестабилна Германия, водят до разклащане на ценностната система и традициите. Левите убеждения стават все по-леви, а десните – все по-десни.

„Майната ви, тук сме!“ Децата на гастарбайтерите и стрийткултурата — Кадър от филма „Любов, дойчемарки и смърт“

Както нацистката партия (НСДАП) през 1921-ва и 1922-ра нараства значително заради безработицата, предизвикана от Голямата депресия, така и неонацизмът укрепва през последните две десетилетия на ХХ век и се превръща във все по-сериозна заплаха за чужденците.

В Източна Германия неонацизмът се появява като естествена опозиция на комунизма.

Парадоксално, младежите, борещи се срещу властта на комунистите, връщат забранените от режима нацистки символи и ги превръщат във флагове на възможната свободна и обединена Германия. (Тук може да се запознаете с хронология на терористичните и ксенофобските атаки срещу турците на територията на Германия през 90-те.)

Изолирани, заседнали между две култури, много от децата на турските гастарбайтери буквално порастват по улиците на една неприветлива Германия, която вече не желае нито тях, нито родителите им.

Улицата се превръща в сцена както за криминални прояви, така и за изкуство и създаване на субкултурни течения.

Брейкът, графитите, хип-хопът, или уличната културата е представена за първи път в Германия от американските войници. Уличната култура сред турските младежи създава и обособява пространство, към което можеш да принадлежиш и в което можеш да отстояваш свободите си, следователно – да се чувстваш защитен.

През 90-те години т.нар. ориенталски хип-хоп в Германия, или както някои музикални критици го наричат – „гласът на изгубеното поколение“, е един от най-слушаните стилове. Хип-хоп бандите, като Cartel и Microphone Mafia, се превръщат в суперзвезди. Изнасят концерти в Швейцария, Австрия, Нидерландия, а в Турция препълват стадиони.

Освен че оказва съпротива срещу неонацизма, стрийткултурата противодейства на вътрешната агресия в турските общности и е алтернатива на криминални групи като Fighters, Аraba Boys и други „лоши момчета“, които използват принадлежността към онеправданите групи като извинение за извършване на престъпления и за създаване на още по-голямо напрежение между неонацизма и турските общности.

Фатих Акин признава, че за кратко участва в една от тези групи, но когато агресията стига буквално до нож, разбира, че това не е мястото, което може да представлява неговата идентичност.

Нямаше много варианти да бъдеш себе си. И трябваше да избереш – хип-хопа или криминалните групи,

казва представител на същото поколение във филма „Любов, дойчемарки и смърт“ (2022).

First we had a wall and now we have a war
Between the skinheads and all the blackheads
the real reason why the politicians are that fat

Отначало имахме стена, а сега сме във война
между скинари и гастарбайтери
ето защо политиците са се ояли

Islamic Force – Black hair в албума The Whole World Is Your Home (1993), превод от английски Емине Садкъ

„36 момчета“ е емблематичната берлинска банда, базирана в квартала Кройцберг, или т.нар. „столица на турците в Германия“, споменат в предишната статия. В началото на 90-те тя наброява 500 турски деца, които не искат „да продават наркотици и да използват оръжие“, а „да променят света. С какво? С изкуство!“, споделя в интервю Тамер Йеит, който става член на бандата на единайсет години, защото

онази любов, която не можехме да намерим вкъщи, я намирахме на улицата.

Важно е да отбележим, че по време на петролната криза и нарастването на безработицата Кройцберг е средище на немски пънкари и хипари, които скуотват* стари жилищни сгради или наемат големи апартаменти на много ниски цени. Там заживяват и записват албумите си звезди като Иги Поп и Дейвид Боуи, които често посещават популярния пънкарски клуб SO36.

Истински уникален е Кройцберг – през 80-те и 90-те по улиците му можеш да видиш да се разхождат както жени с фереджета и мъже с мустаци, така и млади хора с гребени, боядисани във всякакви цветове, с кубинки, кожени якета и обеци по лицето. Място, събиращо онези misfits, които не пасват на общата картина и не могат да бъдат интегрирани в системата.

Красотата на този квартал създава предпоставка за много различна и силна (суб)културна съпротива срещу насилието, в която децата на гурбетчиите успяват да потърсят и намерят идентичността си.

Рап музиката в Америка е различна, защото в ДНК-то на американците са закодирани джазът и фънкът. Това е най-силното наследство между поколенията – музиката, която слушаме. Ние, от друга страна, не пораснахме с джаз и фънк. Пораснахме, слушайки турска музика или анадолски поп. И вярвахме, че всяка култура трябва да намери собствената си рап философия. Което значи, че трябва да оставим ДНК-то ни да говори и това да бъде началната точка на нашето изкуство. По този начин ще запазим идентичността си и ще избегнем повторение на други стилове.

Killa Hakkan, рапър, член на бандата Islamic Force

Смятам, че субкултурните течения са в основата на изграждането на здравословна и устойчива културна среда в нашето съвремие. Няма нищо по-смислено от това младите хора да се самоорганизират около изкуството, да бъдат ангажирани със социалните проблеми и осъзнато да се борят срещу несправедливостта. Вярвам също, че субкултурите създават приемственост между поколенията на „различните“ и арена за оказване на съпротива срещу агресията и институциите. Именно затова децата на турските гастарбайтери, отраснали по улиците на обединена Германия, възпяват проблемите и несгодите на своето поколение и отстояват идентичността и свободите си.

Майната ви, тук сме и сме такива, каквито сме! –

казват те. И с тази спечелена битка създават благоприятна среда за следващото поколение, чиято идентичност и музика са в завидна симбиоза и с достойнство присъстват на европейската и световната сцена.

* От англ. squatting – култура на окупиране на безстопанствени сгради, много популярно за субкултурните общества в края на 80-те и началото на 90-те; около Кройцберг съществуват още подобни места.

Comic for 2024.02.16 – Handicapped

2024-02-16 Explosm.net

Post Syndicated from Explosm.net original https://explosm.net/comics/handicapped

New Cyanide and Happiness Comic

Treasure Chests

2024-02-16 xkcd.com

Post Syndicated from xkcd.com original https://xkcd.com/2895/

[earlier] "Your vintage-style handmade chest business is struggling. But I have a plan."

Finance expert on "Ikigai," a concept that will help you find your purpose and your "why."

2024-02-15 Talks at Google

Post Syndicated from Talks at Google original https://www.youtube.com/watch?v=2l2DcIq9zM8

RCE to Sliver: IR Tales from the Field

2024-02-15 Rapid7

Post Syndicated from Rapid7 original https://blog.rapid7.com/2024/02/15/rce-to-sliver-ir-tales-from-the-field/

RCE to Sliver: IR Tales from the Field

*Rapid7 Incident Response consultants Noah Hemker, Tyler Starks, and malware analyst Tom Elkins contributed analysis and insight to this blog.*

Rapid7 Incident Response was engaged to investigate an incident involving unauthorized access to two publicly-facing Confluence servers that were the source of multiple malware executions. Rapid7 identified evidence of exploitation for CVE-2023-22527 within available Confluence logs. During the investigation, Rapid7 identified cryptomining software and a Sliver Command and Control (C2) payload on in-scope servers. Sliver is a modular C2 framework that provides adversarial emulation capabilities for red teams; however, it’s also frequently abused by threat actors. The Sliver payload was used to action subsequent threat actor objectives within the environment. Without proper security tooling to monitor system network traffic and firewall communications, this activity would have progressed undetected leading to further compromise.

Rapid7 customers

Rapid7 consistently monitors emergent threats to identify areas for new detection opportunities. The recent appearance of Sliver C2 malware prompted Rapid7 teams to conduct a thorough analysis of the techniques being utilized and the potential risks. Rapid7 InsightIDR has an alert rule Suspicious Web Request - Possible Atlassian Confluence CVE-2023-22527 Exploitation available for all IDR customers to detect the usage of the text-inline.vm consistent with the exploitation of CVE-2023-22527. A vulnerability check is also available to InsightVM and Nexpose customers. A Velociraptor artifact to hunt for evidence of Confluence CVE-2023-22527 exploitation is available on the Velociraptor Artifact Exchange here. Read Rapid7’s blog on CVE-2023-22527.

Observed Attacker Behavior

Rapid7 IR began the investigation by triaging available forensic artifacts on the two affected publicly-facing Confluence servers. These servers were both running vulnerable Confluence software versions that were abused to obtain Remote Code Execution (RCE) capabilities. Rapid7 reviewed server access logs to identify the presence of suspicious POST requests consistent with known vulnerabilities, including CVE-2023-22527. This vulnerability is a critical OGNL injection vulnerability that abuses the text-inline.vm component of Confluence by sending a modified POST request to the server.

Evidence showed multiple instances of exploitation of this CVE, however, evidence of an embedded command would not be available within the standard header information logged within access logs. Packet Capture (PCAP) was not available to be reviewed to identify embedded commands, but the identified POST requests are consistent with the exploitation of the CVE.
The following are a few examples of the exploitation of the Confluence CVE found within access logs:

Access.log Entry
POST /template/aui/text-inline.vm HTTP/1.0 200 5961ms 7753 – Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
POST /template/aui/text-inline.vm HTTP/1.0 200 70ms 7750 – Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
POST /template/aui/text-inline.vm HTTP/1.0 200 247ms 7749 – Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0

Evidence showed the execution of a curl command post-exploitation of the CVE resulting in the dropping of cryptomining malware to the system. The IP addresses associated with the malicious POST requests to the Confluence servers matched the IP addresses of the identified curl command. This indicates that the dropped cryptomining malware was directly tied to Confluence CVE exploitation.
As a result of the executed curl command, file w.sh was written to the /tmp/ directory on the system. This file is a bash script used to enumerate the operating system, download cryptomining installation files, and then execute the cryptomining binary. The bash script then executed the wget command to download javs.tar.gz from the IP address 38.6.173[.]11 over port 80. This file was identified to be the XMRigCC cryptomining malware which caused a spike in system resource utilization consistent with cryptomining activity. Service javasgs_miner.service was created on the system and set to run as root to ensure persistence.

The following is a snippet of code contained within w.sh defining communication parameters for the downloading and execution of the XMRigCC binary.

Rapid7 found additional log evidence within Catalina.log that references the download of the above file inside of an HTTP response header. This response registered as ‘invalid’ as it contained characters that could not be accurately interpreted. Evidence confirmed the successful download and execution of the XMRigCC miner, so the above Catalina log may prove useful for analysts to identify additional proof of attempted or successful exploitation.

Catalina Log Entry
WARNING [http-nio-8090-exec-239 url: /rest/table-filter/1.0/service/license; user: Redacted ] org.apache.coyote.http11.Http11Processor.prepareResponse The HTTP response header [X-Cmd-Response] with value [http://38.6.173.11/xmrigCC-3.4.0-linux-generic-static-amd64.tar.gz xmrigCC-3.4.0-linux-generic-static-amd64.tar.gz… ] has been removed from the response because it is invalid

Rapid7 then shifted focus to begin a review of system network connections on both servers. Evidence showed an active connection with known-abused IP address 193.29.13[.]179 communicating over port 8888 from both servers. netstat command output showed that the network connection’s source program was called X-org and was located within the system’s /tmp directory. According to firewall logs, the first identified communication from this server to the malicious IP address aligned with the timestamps of the identified X-org file creation. Rapid7 identified another malicious file residing on the secondary server named X0 Both files shared the same SHA256 hash, indicating that they are the same binary. The hash for these files has been provided below in the IOCs section.

A review of firewall logs provided a comprehensive view of the communications between affected systems and the malicious IP address. Firewall logs filtered on traffic between the compromised servers and the malicious IP address showed inbound and outbound data transfers consistent with known C2 behavior. Rapid7 decoded and debugged the Sliver payload to extract any available Indicators of Compromise (IOCs). Within the Sliver payload, Rapid7 confirmed the following IP address 193.29.13[.]179 would communicate over port 8888 using the mTLS authentication protocol.

After Sliver first communicated with the established C2, it checked the username associated with the current session on the local system, read etc/passwd and etc/machine-id and then communicated back with the C2 again. The contents of passwd and machine-id provide system information such as the hostname and any account on the system. Cached credentials from the system were discovered to be associated with outbound C2 traffic further supporting this credential access. This activity is consistent with the standard capabilities available within the GitHub release of Sliver hosted here.

The Sliver C2 connection was later used to execute wget commands used to download Kerbrute, Traitor, and Fscan to the servers. Kerbute was executed from dev/shm and is commonly used to brute-force and enumerate valid Active Directory accounts through Kerberos pre-authentications. The Traitor binary was executed from the var/tmp directory which contains the functionality to leverage Pwnkit and Dirty Pipe as seen within evidence on the system. Fscan was executed from the var/tmp directory with the file name f and performed scanning to enumerate systems present within the environment. Rapid7 performed containment actions to deny any further threat actor activity. No additional post-exploitation objectives were identified within the environment.

Mitigation guidance

To mitigate the attacker behavior outlined in this blog, the following mitigation techniques should be considered:

Ensure that unnecessary ports and services are disabled on publicly-facing servers.
All publicly-facing servers should regularly be patched and remain up-to-date with the most recent software releases.
Environment firewall logs should be aggregated into a centralized security solution to allow for the detection of abnormal network communications.
Firewall rules should be implemented to deny inbound and outbound traffic from unapproved geolocations.
Publicly-facing servers hosting web applications should implement a restricted shell, where possible, to limit the capabilities and scope of commands available when compared to a standard bash shell.

MITRE ATT&CK Techniques

Tactics	Techniques	Details
Command and Control	Application Layer Protocol (T1071)	Sliver C2 connection
Discovery	Domain Account Discovery (T1087)	Kerbrute enumeration of Active Directory
Reconnaissance	Active Scanning (T1595)	Fscan enumeration
Privilege Escalation	Setuid and Setgid (T1548.001)	Traitor privilege escalation
Execution	Unix Shell (T1059.004)	The Sliver payload and follow-on command executions
Credential Access	Brute Force (T1110)	Kerbrute Active Directory brute force component
Credential Access	OS Credential Dumping (T1003.008)	Extracting the contents of /etc/passwd file
Impact	Resource Hijacking (T1496)	Execution of cryptomining software
Initial Access	Exploit Public-Facing Application (T1190)	Evidence of text-inline abuse within Confluence logs

Indicators of Compromise

Attribute	Value	Description
Filename and Path	/dev/shm/traitor-amd64	Privilege escalation binary
SHA256	fdfbfc07248c3359d9f1f536a406d4268f01ed63a856bd6cef9dccb3cf4f2376	Hash for Traitor binary
Filename and Path	/var/tmp/kerbrute_linux_amd64	Kerbrute enumeration of Active Directory
SHA256	710a9d2653c8bd3689e451778dab9daec0de4c4c75f900788ccf23ef254b122a	Hash for Kerbrute binary
Filename and Path	/var/tmp/f	Fscan enumeration
SHA256	b26458a0b60f4af597433fb7eff7b949ca96e59330f4e4bb85005e8bbcfa4f59	Hash for Fscan binary
Filename and Path	/tmp/X0	Sliver binary
SHA256	29bd4fa1fcf4e28816c59f9f6a248bedd7b9867a88350618115efb0ca867d736	Hash for Sliver binary
Filename and Path	/tmp/X-org	Sliver binary
SHA256	29bd4fa1fcf4e28816c59f9f6a248bedd7b9867a88350618115efb0ca867d736	Hash for Sliver binary
IP Address	193.29.13.179	Sliver C2 IP address
Filename and Path	/tmp/w.sh	Bash script for XMrigCC cryptominer
SHA256	8d7c5ab5b2cf475a0d94c2c7d82e1bbd8b506c9c80d5c991763ba6f61f1558b0	Hash for bash script
Filename and Path	/tmp/javs.tar.gz	Compressed crypto installation files
SHA256	ef7c24494224a7f0c528edf7b27c942d18933d0fc775222dd5fffd8b6256736b	Hash for crypto installation files
Log-Based IOC	"POST /template/aui/text-inline.vm HTTP/1.0 200" followed by GET request containing curl	Exploit behavior within Confluence access.log
IP Address	195.80.148.18	IP address associated with exploit behavior of text-inline followed by curl
IP Address	103.159.133.23	IP address associated with exploit behavior of text-inline followed by curl

[$] Open-source AI at FOSDEM

2024-02-15 LWN.net

Post Syndicated from LWN.net original https://lwn.net/Articles/961868/

At FOSDEM 2024 in Brussels, the
AI and Machine
Learning devroom hosted several talks about open-source AI models. With
talks about a definition of open-source AI, “ethical” restrictions in
licenses, and the importance of open data sets, in particular for
non-English languages, the devroom provided an overview of the current state
of the domain.

New Fetch Payload

New module content (2)

Base64 Command Encoder

SMB Fetch, Windows shellcode stage, Windows x64 IPv6 Bind TCP Stager

Enhancements and features (7)

Bugs fixed (13)

Documentation

Get it

Prerequisites

Solution description

Walkthrough

Deployment

To prepare for bootstrapping

To prepare for deployment

To deploy the application pipeline stack

Validation

To validate deployment

To validate the application

Cleaning up

Conclusion

Solution overview

Prerequisites

Create a Redshift cluster in a private subnet network configuration.

Create VPC endpoints for Redshift Spectrum connectivity

Create an AWS Glue endpoint

Create a Lake Formation endpoint

Create an Amazon S3 endpoint

Analyze traffic and network topology

Verify network routes for Amazon Redshift in a private network

Verify network connectivity from the Redshift cluster to various VPC endpoints

Test connectivity by running a SQL query from the Amazon Redshift query editor v2

Clean up

Conclusion

Additional resources

About the Authors

Why monitoring matters

How does machine learning monitoring work?

Getting granular performance metrics

Integrating monitoring into our bots machine learning platform

Rendering monitoring queries

Computing performance metrics

Storing metrics

Running tasks on GPUs

Machine learning monitoring in action

Improving accuracy of machine learning bot detection

Early detection, quick intervention

Model deployment monitoring for all

Next up

Не и Сарафов

Тест за мнозинството в парламента

Чадър от МВР

В Източна Германия неонацизмът се появява като естествена опозиция на комунизма.

Улицата се превръща в сцена както за криминални прояви, така и за изкуство и създаване на субкултурни течения.

Rapid7 customers

Observed Attacker Behavior

Mitigation guidance

MITRE ATT&CK Techniques

Indicators of Compromise

The collective thoughts of the interwebz