Седмицата (10–15 февруари)

Post Syndicated from Йовко Ламбрев original https://www.toest.bg/sedmitsata-10-15-fevruari-2025/

Седмицата (10–15 февруари)

Голямата новина от тази седмица можеха да бъдат мирните преговори за Украйна. Ако тревогите около тях не бяха много повече от надеждите, ако не изглеждаше, че американската дипломация предварително е свалила гарда, ако ЕС не беше оставен да гледа развитието на събитията отстрани (заедно с Украйна) и ако преговарящите не си представяха развръзката като нищо повече от сделка. Прощавайте! Сделка е твърде засукана дума. Пазарлък е далеч по-подходяща.

Защо мирът в Украйна е трудно постижим, е тема и на анализа на Александър Малинов за „Тоест“ тази седмица. Перфектната буря от вабанк стратегията на Русия, мъглата в американската политика и все така колебливата Европа не предвещават лесни и ясни отговори за бъдещето.

И ако е вярно, че историята се повтаря първо като трагедия, а после като фарс, никак не съм убеден, че фарсът, в който живеем, няма да доведе и до по-голяма трагедия. Намеци за това и около нас, на родна земя, не липсват. Но пък ако миналата седмица сте пропуснали нашия намек да сравните мотивите на ДПС – Ново начало за разследване на „Отворено общество“ с Гьобелсовата пропаганда срещу евреите между двете световни войни, сега ви препоръчвам да гледате целия филм „Дом, ужас, Холокост, надежда“, който авторите му са пуснали в YouTube. Засега не е ясно дали ще има някаква друга възможност да го видите.

По тази тема нека подскажа още нещичко. Графичната новела „Маус. Разказът на един оцелял“ на Арт Спигелман излезе в превод на български език. Повод да се върнем в наше време и на родна земя…

Заглавието на политическия коментар на Емилия Милчева тази седмица е „Кога ще избухне Румен Радев“. Разбира се, метафорично казано. Иначе, Емилия обобщава сигналите, които Радев дава по темата дали възнамерява да се премести от Президентството в някоя от другите съседни сгради. Според нея сигналите са прозрачно ясни. Пространство за интерпретация остава само около някои нюанси.

И ако всичко дотук ви идва твърде песимистично, значи точно сега е моментът за краткия видеокоментар на Елена Телбис с високооктанов дестилат на темите от седмицата.

Чакайте, чакайте… изобщо не съм обещавал да стане по-весело…

Темата за организирания бойкот на супермаркетите така или иначе вече получи незаслужен дял медийно внимание, затова съзнателно я пропускаме. Още повече че извън плиткия популизъм, подобни акции провокират най-често грешни решения.

Ако останем на темата за храните и цените, в края на миналата година ЕС подписа споразумение със страните от Меркосур (най-голямото междудържавно обединение в Южна Америка) във връзка с търговията със земеделски стоки. Преговорите за това споразумение вече са отнели около 25 години. Анахит Хачикян разказва за най-съществените детайли от него и обяснява с какво то тревожи европейските земеделци.

Вихрен Георгиев е двигателят на проекта People of Sofia, превърнал се в местен културен феномен. От любовта към уличната фотография, през разговорите с хората и споделянето на истории, проектът всъщност може да бъде погледнат и като нишова медия, обърната към човека и човешкото. Ина Иванова разговаря с Вихрен Георгиев за градската фотография, за визуалната култура и за каузите, които могат да бъдат разказани (и подкрепени) чрез фотожурналистика.

От фотографията не е трудно да насочим обектива и към киното. С първата част на критичния си анализ Борислав Михайловски, освен че прави своя дебют в „Тоест“, разказва за проблемите при държавното финансиране на българските кинопродукции. Текстът е доста прям и назовава ключови болежки с къси и недвусмислени изречения. Може да ги прочетете под заглавието „Има ли филм през 2024 г. в българското кино?“.

И накрая – на кого, ако не на Атанас Шиников, да се довери човек за малко по-ведро четиво. Неговата авторска поредица „Ориент кафе“ продължава с „Истории на върха на налъма“. Няма да се изненадам, ако някои от най-младите ни читатели не знаят какво представляват налъмите, или не са имали шанс да видят такива „обувки“ на живо. За добро или лошо. Но за сметка на това едва ли може да попаднете на по-любопитен разказ за историята им. Не подминавайте този текст.

И преди да ви оставя да четете, гледате и слушате препратките към всичко, което споделих с вас тази седмица, е редно да призная, че напълно съзнателно този редакционен обзор на моменти звучи тревожно и дори черногледо. Така е, защото предстоят поне няколко години, които вероятно ще определят съдбата на света за десетилетия напред. Съдбата на децата, които са днес около нас. На вашите деца.

През идните месеци и години ще трябва да опазим този свят, с който разполагаме. Дори да не успеем да намерим решения за много от несъвършенствата му. Налага се да го спасим поне от автократите, от безумците, от алчността. И имаме само две оръжия срещу това – човечността, която единствено може да събере разпокъсаните ни убежища на илюзии, на които позволихме да раздробят обществата ни; и свободата на мисълта и словото, за да можем да се убедим взаимно, че заедно означаваме повече от алгебричния сбор на нашите егота.

В работещите демокрации медиите са в ролята на пазители и трибуна на свободата на мисълта и смисъла. И трябва да ги съхраним, защото без свободни медии ще сме загубили всички битки. Не се залъгвайте, че не всички сме на мушката.

Останете будни!

Подкрепете „Тоест“

Introducing Impressions at Netflix

Post Syndicated from Netflix Technology Blog original https://netflixtechblog.com/introducing-impressions-at-netflix-e2b67c88c9fb

Part 1: Creating the Source of Truth for Impressions

By: Tulika Bhatt

Imagine scrolling through Netflix, where each movie poster or promotional banner competes for your attention. Every image you hover over isn’t just a visual placeholder; it’s a critical data point that fuels our sophisticated personalization engine. At Netflix, we call these images ‘impressions,’ and they play a pivotal role in transforming your interaction from simple browsing into an immersive binge-watching experience, all tailored to your unique tastes.

Capturing these moments and turning them into a personalized journey is no simple feat. It requires a state-of-the-art system that can track and process these impressions while maintaining a detailed history of each profile’s exposure. This nuanced integration of data and technology empowers us to offer bespoke content recommendations.

In this multi-part blog series, we take you behind the scenes of our system that processes billions of impressions daily. We will explore the challenges we encounter and unveil how we are building a resilient solution that transforms these client-side impressions into a personalized content discovery experience for every Netflix viewer.

Impressions on homepage

Why do we need impression history?

Enhanced Personalization

To tailor recommendations more effectively, it’s crucial to track what content a user has already encountered. Having impression history helps us achieve this by allowing us to identify content that has been displayed on the homepage but not engaged with, helping us deliver fresh, engaging recommendations.

Frequency Capping

By maintaining a history of impressions, we can implement frequency capping to prevent over-exposure to the same content. This ensures users aren’t repeatedly shown identical options, keeping the viewing experience vibrant and reducing the risk of frustration or disengagement.

Highlighting New Releases

For new content, impression history helps us monitor initial user interactions and adjust our merchandising efforts accordingly. We can experiment with different content placements or promotional strategies to boost visibility and engagement.

Analytical Insights

Additionally, impression history offers insightful information for addressing a number of platform-related analytics queries. Analyzing impression history, for example, might help determine how well a specific row on the home page is functioning or assess the effectiveness of a merchandising strategy.

Architecture Overview

The first pivotal step in managing impressions begins with the creation of a Source-of-Truth (SOT) dataset. This foundational dataset is essential, as it supports various downstream workflows and enables a multitude of use cases.

Collecting Raw Impression Events

As Netflix members explore our platform, their interactions with the user interface spark a vast array of raw events. These events are promptly relayed from the client side to our servers, entering a centralized event processing queue. This queue ensures we are consistently capturing raw events from our global user base.

After raw events are collected into a centralized queue, a custom event extractor processes this data to identify and extract all impression events. These extracted events are then routed to an Apache Kafka topic for immediate processing needs and simultaneously stored in an Apache Iceberg table for long-term retention and historical analysis. This dual-path approach leverages Kafka’s capability for low-latency streaming and Iceberg’s efficient management of large-scale, immutable datasets, ensuring both real-time responsiveness and comprehensive historical data availability.

Collecting raw impression events

Filtering & Enriching Raw Impressions

Once the raw impression events are queued, a stateless Apache Flink job takes charge, meticulously processing this data. It filters out any invalid entries and enriches the valid ones with additional metadata, such as show or movie title details, and the specific page and row location where each impression was presented to users. This refined output is then structured using an Avro schema, establishing a definitive source of truth for Netflix’s impression data. The enriched data is seamlessly accessible for both real-time applications via Kafka and historical analysis through storage in an Apache Iceberg table. This dual availability ensures immediate processing capabilities alongside comprehensive long-term data retention.

Impression Source-of-Truth architecture

Ensuring High Quality Impressions

Maintaining the highest quality of impressions is a top priority. We accomplish this by gathering detailed column-level metrics that offer insights into the state and quality of each impression. These metrics include everything from validating identifiers to checking that essential columns are properly filled. The data collected feeds into a comprehensive quality dashboard and supports a tiered threshold-based alerting system. These alerts promptly notify us of any potential issues, enabling us to swiftly address regressions. Additionally, while enriching the data, we ensure that all columns are in agreement with each other, offering in-place corrections wherever possible to deliver accurate data.

Dashboard showing mismatch count between two columns- entityId and videoId

Configuration

We handle a staggering volume of 1 to 1.5 million impression events globally every second, with each event approximately 1.2KB in size. To efficiently process this massive influx in real-time, we employ Apache Flink for its low-latency stream processing capabilities, which seamlessly integrates both batch and stream processing to facilitate efficient backfilling of historical data and ensure consistency across real-time and historical analyses. Our Flink configuration includes 8 task managers per region, each equipped with 8 CPU cores and 32GB of memory, operating at a parallelism of 48, allowing us to handle the necessary scale and speed for seamless performance delivery. The Flink job’s sink is equipped with a data mesh connector, as detailed in our Data Mesh platform which has two outputs: Kafka and Iceberg. This setup allows for efficient streaming of real-time data through Kafka and the preservation of historical data in Iceberg, providing a comprehensive and flexible data processing and storage solution.

Raw impressions records per second

We utilize the ‘island model’ for deploying our Flink jobs, where all dependencies for a given application reside within a single region. This approach ensures high availability by isolating regions, so if one becomes degraded, others remain unaffected, allowing traffic to be shifted between regions to maintain service continuity. Thus, all data in one region is processed by the Flink job deployed within that region.

Future Work

Addressing the Challenge of Unschematized Events

Allowing raw events to land on our centralized processing queue unschematized offers significant flexibility, but it also introduces challenges. Without a defined schema, it can be difficult to determine whether missing data was intentional or due to a logging error. We are investigating solutions to introduce schema management that maintains flexibility while providing clarity.

Automating Performance Tuning with Autoscalers

Tuning the performance of our Apache Flink jobs is currently a manual process. The next step is to integrate with autoscalers, which can dynamically adjust resources based on workload demands. This integration will not only optimize performance but also ensure more efficient resource utilization.

Improving Data Quality Alerts

Right now, there’s a lot of business rules dictating when a data quality alert needs to be fired. This leads to a lot of false positives that require manual judgement. A lot of times it is difficult to track changes leading to regression due to inadequate data lineage information. We are investing in building a comprehensive data quality platform that more intelligently identifies anomalies in our impression stream, keeps track of data lineage and data governance, and also, generates alerts notifying producers of any regressions. This approach will enhance efficiency, reduce manual oversight, and ensure a higher standard of data integrity.

Conclusion

Creating a reliable source of truth for impressions is a complex but essential task that enhances personalization and discovery experience. Stay tuned for the next part of this series, where we’ll delve into how we use this SOT dataset to create a microservice that provides impression histories. We invite you to share your thoughts in the comments and continue with us on this journey of discovering impressions.

Acknowledgments

We are genuinely grateful to our amazing colleagues whose contributions were essential to the success of Impressions: Julian Jaffe, Bryan Keller, Yun Wang, Brandon Bremen, Kyle Alford, Ron Brown and Shriya Arora.

Introducing Impressions at Netflix was originally published in Netflix TechBlog on Medium, where people are continuing the conversation by highlighting and responding to this story.

How to restrict Amazon S3 bucket access to a specific IAM role

Post Syndicated from Chris Craig original https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/

February 14, 2025: This post was updated with the recommendation to restrict S3 bucket access to an IAM role by using the aws:PrincipalArn condition key instead of the aws:userid condition key.

April 2, 2021: In the section “Granting cross-account bucket access to a specific IAM role,” we updated the second policy to fix an error.

July 11, 2016: This post was first published.

Customers often ask how to limit access to an Amazon Simple Storage Service (Amazon S3) bucket to only a specific AWS Identity and Access Management (IAM) user or role. A popular approach has been to use the Principal element to list the users or roles who need access to the bucket. However, the Principal element needs the exact values of the user ARN, role ARN, or assumed-role ARN. It does not support using a wildcard (*) to include all role sessions, nor does it allow you to use policy variables.

In this blog post, we show how to restrict S3 bucket access to a specific IAM role or user within an account by using the Conditions element. Even if another user in the same account has an Admin policy or a policy with s3:*, they will be denied access if they are not explicitly listed in the Conditions element. You can use this approach, for example, to limit access to a bucket with sensitive content or additional security requirements.

Solution overview

The solution in this post uses a bucket policy to restrict access to an S3 bucket, even if an entity has access to the full API of S3 through an attached identity-based policy. The following diagram illustrates how this works for accessing an S3 bucket within the same account as your IAM user or IAM role. We recommend that you use IAM roles, and only use IAM users for use cases that aren’t supported by federated users.

Figure 1: Diagram illustrating how to access an S3 bucket within the same account as your IAM user or IAM role

Figure 1: Diagram illustrating how to access an S3 bucket within the same account as your IAM user or IAM role

The workflow in Figure 1 is as follows:

  1. The IAM user’s policy and the IAM role’s identity-based policy grant access to “s3:*”.
  2. The S3 bucket policy associated with Bucket B restricts access to only the IAM role. This means that only the IAM role is able to access its content.
  3. Both the IAM user and the IAM role can access other S3 buckets (for example, Bucket A) in the account. The IAM role is able to access both buckets, but the user can access only the S3 buckets without the bucket policy attached to them. Even though both the role and the user have full “s3:*” permissions, the bucket policy negates access to the bucket for anyone that has not assumed the role.

The main difference in the cross-account approach is that every bucket must have a bucket policy attached to allow access to the IAM role from the other account. The following diagram illustrates how this works in a cross-account deployment scenario.

Figure 2: Diagram illustrating how to access an S3 bucket in a different account than your IAM role

Figure 2: Diagram illustrating how to access an S3 bucket in a different account than your IAM role

The workflow in Figure 2 is as follows:

  1. The IAM role’s identity-based policy and the IAM users’ policy in the bucket account both grant access to “s3:*”
  2. Bucket policy B denies access to all IAM users and roles except the role specified, and the policy defines what the role is allowed to do with the bucket.
  3. Bucket policy A allows access to the IAM role from the other account.
  4. The IAM user and IAM role can both access Bucket A because the IAM user is in the same account and there is an explicit Allow in bucket policy A for the role. The role can access both buckets because the Deny in bucket policy B is only for principals other than the IAM role.

Using the aws:PrincipalArn condition

You can use different types of condition keys to compare details about the principal making the request with the principal properties that you specify in the policy. We recommend that you use the aws:PrincipalArn key. The aws:PrincipalArn key compares the Amazon Resource Name (ARN) of the principal that made the request with the ARN that you specify in the policy.

You could also use the aws:userid policy variable to uniquely identify a user or role in their explicit Deny statements. There is added complexity with using aws:userid to find the value because you have to perform an API call using valid credentials. When working with IAM roles this activity has additional complexity because you are required to get the AssumedRoleUser information, which will not only include the unique role ID, but also the role-session-name that was provided while assuming the role. For example, the aws:userid for an AssumedRoleUser will be as follows:

aws:userid – AROADBQP57FF2AEXAMPLE:role-session-name

It becomes inconvenient to manage and track these IDs when you have a large list of users and roles to be included in the policy.

To mitigate these challenges, we recommend that you use the aws:PrincipalArn condition key. For IAM roles, the request context returns the ARN of the role, not the ARN of the user that assumed the role. AWS recommends that you specify the ARN for resources in policies instead of unique IDs and that you perform IAM policy audits on a periodic basis. Let’s look at how to use the condition key in an IAM policy.

Granting same-account bucket access to a specific role

When accessing a bucket from within the same account, in most cases it is not necessary to use a bucket policy because the policy defines access that is already granted by the user’s direct IAM policy. S3 bucket policies are usually used for cross-account access, but you can also use them to restrict access through an explicit Deny. The Deny would be applied to all principals whether they were in the same account as the bucket or within a different account.

In this case, you use the IAM user or role ARN with the aws:PrincipalArn condition key in a StringNotEquals or StringNotLike condition with a wildcard string. In addition, you use the aws:PrincipalARN key to compare the ARN of the principal that made the request with the ARN that you specify in the policy. Using a conditional logic element allows for the use of a wildcard string to allow for any role session name to be accepted.

Once you have the ARN of the role to which you want to allow access, you need to block the access of other users from within the same account as the bucket. An example policy to block access to the bucket and its objects for users that are not using the IAM role credentials would look like the following.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket",
        "arn:aws:s3:::amzn-s3-demo-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalArn": [
            "arn:aws:iam::111122223333:role/<ROLE-NAME>"
          ]
        }
      }
    }
  ]
}

Use this same policy for IAM users as shown below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket",
        "arn:aws:s3:::amzn-s3-demo-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalARN": [
            "arn:aws:iam::111122223333:role/<ROLE-NAME>”,
            “arn:aws:iam::111122223333:user/<USER-NAME>"
          ]
        }
      }
    }
  ]
}

Granting cross-account bucket access to a specific IAM role

When granting cross-account bucket access to an IAM user or role, you must define what the IAM user or role is allowed to do with the granted access. Learn more about the permissions needed to allow an IAM entity to access a bucket via the CLI/API and the console in Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket. Using the information found in this blog post, an example bucket policy would look like the following.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/<ROLE-NAME>"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/<ROLE-NAME>"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket",
                "arn:aws:s3:::amzn-s3-demo-bucket/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalARN": [
                        "arn:aws:iam::111122223333:role/<ROLE-NAME>"
                    ]
                }
            }
        }
    ]
}

To grant access to an IAM user in another account, you need to add the ARN for the IAM user to the aws:PrincipalArn condition as outlined in the previous section of this blog post. In addition to the aws:PrincipalArn condition, you would also need to add the IAM user’s full ARN to the Principal element of these policies. An example policy is shown below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": [
                {
                    "AWS": [
                        "arn:aws:iam::444455556666:role/<ROLE-NAME>”,
                        “arn:aws:iam::444455556666:user/<USER-NAME>"
                    ]
                }
            ],
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket"
        },
        {
            "Effect": "Allow",
            "Principal": [
                {
                    "AWS": [
                        "arn:aws:iam::444455556666:role/<ROLE-NAME>”,
                        “arn:aws:iam::444455556666:user/<USER-NAME>"
                    ]
                }
            ],
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket",
                "arn:aws:s3:::amzn-s3-demo-bucket/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalARN": [
                        "arn:aws:iam::444455556666:role/<ROLE-NAME>”,
                        “arn:aws:iam::444455556666:user/<USER-NAME>"
                    ]
                }
            }
        }
    ]
}

In addition to including role permissions in the bucket policy, you need to define these permissions in the IAM user’s or role’s user policy. The permissions are added to a customer managed policy and attached to the role or user in the IAM console, with the following example policy document.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::amzn-s3-demo-bucket"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"
    }
  ]
}

By following the guidance in this post, you restrict S3 bucket access to a specific IAM role or user in same-account and cross-account scenarios, even if the user has an Admin policy or a policy with “s3:*”. There are many applications of this logic in which requirements will vary across use cases. We recommend to employ the principle of least privilege wherever possible, and to grant only the minimum permissions that are required to perform necessary tasks.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a new thread on the AWS Identity and Access Management re:Post or contact AWS Support.
 

Chris Craig

The original author of this blog post is no longer at AWS. In 2016, when this post was first published, we did not include author bios.
Laura Verghote
Laura Verghote

Laura is a Senior Solutions Architect for public sector customers in the Europe, Middle East, and Africa (EMEA) region. She works with customers to design and build solutions in the AWS Cloud, bridging the gap between complex business requirements and technical solutions. She joined AWS as a technical trainer and has wide experience delivering training content to developers, administrators, architects, and partners across EMEA.
Ashwin Phadke
Ashwin Phadke

Ashwin is a Senior Solutions Architect working with large enterprises and independent software vendor (ISV) customers to build highly available, scalable, and secure applications, and to help them successfully navigate their cloud journeys. He is passionate about information security and enjoys working on creative solutions for customers’ security challenges.

Metasploit Weekly Wrap-Up 02/14/2025

Post Syndicated from Christopher Granleese original https://blog.rapid7.com/2025/02/14/metasploit-weekly-wrap-up-45/

New module content (2)

Unauthenticated RCE in NetAlertX

Metasploit Weekly Wrap-Up 02/14/2025

Authors: Chebuya (Rhino Security Labs) and Takahiro Yokoyama
Type: Exploit
Pull request: #19868 contributed by Takahiro-Yoko
Path: linux/http/netalertx_rce_cve_2024_46506
AttackerKB reference: CVE-2024-46506

Description: A new module for an unauthenticated remote code execution bug in NetAlertX (CVE-2024-46506). An unauthenticated attacker can change the system configuration and then compel the application to run arbitrary system commands, leading to remote code execution.

mySCADA myPRO Manager Unauthenticated Command Injection (CVE-2024-47407)

Author: Michael Heinzl
Type: Exploit
Pull request: #19846 contributed by h4x-x0r
Path: windows/scada/mypro_mgr_cmd
AttackerKB reference: CVE-2024-47407

Description: A module for mySCADA myPRO Manager exploiting a command injection vulnerability (CVE-2024-47407) in the email parameter.

Enhancements and features (2)

  • #19851 from zeroSteiner – Updates the ad_cs_cert_template module to parse and display the flags field.
  • #19869 from adfoster-r7 – Removes the datastore_fallbacks feature flag and the corresponding code now that it is enabled by default.

Bugs fixed (3)

  • #19729 from sempervictus – Adds a fix for when an msfuser has established a shell session and wants to run a command on the target that also happens to be a built-in Metasploit command. Prior to this, it was not possible as MSF would intercept the command and run the built-in version. This was fixed by allowing the user to prepend built-ins with ‘.’ to pass-through execution of the intended command (such as ‘.help’ being executed as ‘help’) to the target.
  • #19842 from jheysel-r7 – When setting the JOHNPWFILE datastore option in a module that includes the Msf::Exploit::Remote::SMB::Server::HashCapture, NTLMv1 hashes were incorrectly being placed in the NTLMv2 hash file.
  • #19873 from adfoster-r7 – Remove report note calls from the ldap_esc_vulnerable_cert_finder as they were no longer needed and caused a side-effect crash in some codepaths.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro

Introducing the AWS Trust Center

Post Syndicated from Chris Betz original https://aws.amazon.com/blogs/security/introducing-the-aws-trust-center/

At Amazon Web Services (AWS), earning trust isn’t just a goal—it’s one of our core Leadership Principles that guide every decision we make. As CISO of AWS, I’ve seen firsthand how this commitment to earning trust shapes our culture, our services, and our daily interactions with customers. Customers choose AWS over other providers because they trust us to provide the most secure infrastructure and services, and to tell them exactly how data is being protected.

To make that information even easier to find, we’re launching the AWS Trust Center, a new online resource that shares how we approach securing your assets in the cloud. The AWS Trust Center is a window into our security practices, compliance programs, and data protection controls that demonstrates how we work to earn your trust every day.

Building on a foundation of trust

Security has been our top priority since day one. When we launched AWS in 2006, we designed our infrastructure as the most secure cloud computing environment available. We knew we couldn’t just offer the same level of security as existing on-premises infrastructure. To earn customer trust, we had to disrupt and exceed the exacting industry standards of the world’s most security-conscious organizations. We continue to constantly reinforce security in our everyday decision making. With the Trust Center, we’re making it easier for you to understand how we protect your workloads, safeguard your data, and help you meet your compliance goals.

The Trust Center reflects our belief that more easily accessible information builds and maintains trust. Whether you’re looking for information about our data center controls, checking compliance certifications, or reviewing our shared responsibility model, you’ll now find the security and compliance information you need in one central location.

A single source of truth for security and compliance

In the Trust Center, you’ll find information about our approach to security at every level—from our physical data centers to our cloud infrastructure and our portfolio of cloud services. We’re including documentation about our security services and tools, helping you to understand both how we secure the cloud and how we help you secure your workloads within it. You’ll also find information about our compliance programs, including the certifications and attestations we maintain globally. This is valuable for teams working in regulated industries who need to demonstrate compliance to auditors and regulators.

The Trust Center highlights information about our data protection and privacy practices. Customers can learn how we protect your data and how we manage encryption. Further, we understand that customers are concerned about who can access their data and under what circumstances. We’ve consolidated detailed information about our operator access controls, which are designed to use the principle of least privilege at their core. You’ll learn about our zero-access designs for key services like AWS Key Management Service (AWS KMS) and Amazon Elastic Compute Cloud (Amazon EC2), our use of forward access sessions (FAS) to cryptographically enforce customer authorization, and our global monitoring systems.

The Trust Center provides a central place to find information about service health and security events, so you have the information you need to maintain operational excellence. You can stay up-to-date on security bulletins, and check real-time service health status. If you need to report a security concern or conduct your own security assessment, we’ve made those processes even easier to find. Resources are organized for ease of access, with direct links to the agreements, documentation, and resources you need to make informed decisions about your cloud security posture.

Empowering customers to drive secure innovation

What excites me most about the Trust Center is how it removes barriers for our customers. With detailed security information, easier links to compliance documentation, and operational insights now at your fingertips, you can move faster and innovate with confidence.

As we continue to innovate and expand AWS services, we’re committed to enhancing the Trust Center with the latest security information. This is a living resource that will evolve alongside our cloud and services. Maintaining your trust isn’t just about what we’ve built today—it’s about demonstrating, through both our commitments and delivery, that we’re worthy of being your trusted security partner. That’s our commitment to you, and that’s what the AWS Trust Center represents.

We invite you to explore the AWS Trust Center today, and we look forward to continuing to earn your trust, every day.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.

Chris Betz
Chris Betz

Chris is CISO at AWS. He oversees security teams and leads the development and implementation of security policies with the aim of managing risk and aligning the company’s security posture with business objectives. Chris joined Amazon in August 2023 after holding CISO and security leadership roles at leading companies. He lives in Northern Virginia with his family.

Upcoming Speaking Engagements

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2025/02/upcoming-speaking-engagements-43.html

This is a current list of where and when I am scheduled to speak:

  • I’m speaking at Boskone 62 in Boston, Massachusetts, USA, which runs from February 14-16, 2025. My talk is at 4:00 PM ET on the 15th.
  • I’m speaking at the Rossfest Symposium in Cambridge, UK, on March 25, 2025.

The list is maintained on this page.

[$] Fighting the AI scraperbot scourge

Post Syndicated from corbet original https://lwn.net/Articles/1008897/

There are many challenges involved with running a web site like LWN. Some
of them, such as finding the courage to write for people who know more
about the subject matter than we do, simply come with the territory we have
chosen. But others show up as an unwelcome surprise; the ongoing task of
fending off bots determined to scrape the entire Internet to (seemingly)
feed into the insatiable meat grinder of AI training is certainly one of
those. Readers have, at times, expressed curiosity about that fight and
how we are handling it; read on for a description of a modern-day plague.

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/1009765/

Security updates have been issued by AlmaLinux (doxygen, gcc-toolset-13-gcc, gcc-toolset-14-gcc, kernel, and libxml2), Debian (chromium, postgresql-13, and webkit2gtk), Fedora (krb5, openssl, and python3.13), Mageia (ark, ofono, and perl-Net-OAuth, perl-Crypt-URandom, perl-Module-Build), Oracle (firefox, gcc, gcc-toolset-14-gcc, kernel, openssl, tbb, and thunderbird), Red Hat (libxml2), SUSE (chromium, golang-github-prometheus-prometheus, grafana, kernel, kernel-firmware-ath10k-20250206, kernel-firmware-bnx2-20250206, kernel-firmware-brcm-20250206, kernel-firmware-chelsio-20250206, kernel-firmware-dpaa2-20250206, kernel-firmware-mwifiex-20250206, kernel-firmware-platform-20250206, kernel-firmware-realtek-20250206, kernel-firmware-serial-20250206, kernel-firmware-ueagle-20250206, libtasn1, python312, qemu, SUSE Manager Client Tools, SUSE Manager Client Tools MU 5.0.3, and ucode-intel-20250211), and Ubuntu (activemq and libsndfile).

Searching for the cause of hung tasks in the Linux kernel

Post Syndicated from Oxana Kharitonova original https://blog.cloudflare.com/searching-for-the-cause-of-hung-tasks-in-the-linux-kernel/

Depending on your configuration, the Linux kernel can produce a hung task warning message in its log. Searching the Internet and the kernel documentation, you can find a brief explanation that the kernel process is stuck in the uninterruptable state and hasn’t been scheduled on the CPU for an unexpectedly long period of time. That explains the warning’s meaning, but doesn’t provide the reason it occurred. In this blog post we’re going to explore how the hung task warning works, why it happens, whether it is a bug in the Linux kernel or application itself, and whether it is worth monitoring at all.

INFO: task XXX:1495882 blocked for more than YYY seconds.

The hung task message in the kernel log looks like this:

INFO: task XXX:1495882 blocked for more than YYY seconds.
     Tainted: G          O       6.6.39-cloudflare-2024.7.3 #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:XXX         state:D stack:0     pid:1495882 ppid:1      flags:0x00004002
. . .

Processes in Linux can be in different states. Some of them are running or ready to run on the CPU — they are in the TASK_RUNNING state. Others are waiting for some signal or event to happen, e.g. network packets to arrive or terminal input from a user. They are in a TASK_INTERRUPTIBLE state and can spend an arbitrary length of time in this state until being woken up by a signal. The most important thing about these states is that they still can receive signals, and be terminated by a signal. In contrast, a process in the TASK_UNINTERRUPTIBLE state is waiting only for certain special classes of events to wake them up, and can’t be interrupted by a signal. The signals are not delivered until the process emerges from this state and only a system reboot can clear the process. It’s marked with the letter D in the log shown above.

What if this wake up event doesn’t happen or happens with a significant delay? (A “significant delay” may be on the order of seconds or minutes, depending on the system.) Then our dependent process is hung in this state. What if this dependent process holds some lock and prevents other processes from acquiring it? Or if we see many processes in the D state? Then it might tell us that some of the system resources are overwhelmed or are not working correctly. At the same time, this state is very valuable, especially if we want to preserve the process memory. It might be useful if part of the data is written to disk and another part is still in the process memory — we don’t want inconsistent data on a disk. Or maybe we want a snapshot of the process memory when the bug is hit. To preserve this behaviour, but make it more controlled, a new state was introduced in the kernel: TASK_KILLABLE — it still protects a process, but allows termination with a fatal signal. 

How Linux identifies the hung process

The Linux kernel has a special thread called khungtaskd. It runs regularly depending on the settings, iterating over all processes in the D state. If a process is in this state for more than YYY seconds, we’ll see a message in the kernel log. There are settings for this daemon that can be changed according to your wishes:

$ sudo sysctl -a --pattern hung
kernel.hung_task_all_cpu_backtrace = 0
kernel.hung_task_check_count = 4194304
kernel.hung_task_check_interval_secs = 0
kernel.hung_task_panic = 0
kernel.hung_task_timeout_secs = 10
kernel.hung_task_warnings = 200

At Cloudflare, we changed the notification threshold kernel.hung_task_timeout_secs from the default 120 seconds to 10 seconds. You can adjust the value for your system depending on configuration and how critical this delay is for you. If the process spends more than hung_task_timeout_secs seconds in the D state, a log entry is written, and our internal monitoring system emits an alert based on this log. Another important setting here is kernel.hung_task_warnings — the total number of messages that will be sent to the log. We limit it to 200 messages and reset it every 15 minutes. It allows us not to be overwhelmed by the same issue, and at the same time doesn’t stop our monitoring for too long. You can make it unlimited by setting the value to “-1”.

To better understand the root causes of the hung tasks and how a system can be affected, we’re going to review more detailed examples. 

Example #1 or XFS

Typically, there is a meaningful process or application name in the log, but sometimes you might see something like this:

INFO: task kworker/13:0:834409 blocked for more than 11 seconds.
 	Tainted: G      	O   	6.6.39-cloudflare-2024.7.3 #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/13:0	state:D stack:0 	pid:834409 ppid:2   flags:0x00004000
Workqueue: xfs-sync/dm-6 xfs_log_worker

In this log, kworker is the kernel thread. It’s used as a deferring mechanism, meaning a piece of work will be scheduled to be executed in the future. Under kworker, the work is aggregated from different tasks, which makes it difficult to tell which application is experiencing a delay. Luckily, the kworker is accompanied by the Workqueue line. Workqueue is a linked list, usually predefined in the kernel, where these pieces of work are added and performed by the kworker in the order they were added to the queue. The Workqueue name xfs-sync and the function which it points to, xfs_log_worker, might give a good clue where to look. Here we can make an assumption that the XFS is under pressure and check the relevant metrics. It helped us to discover that due to some configuration changes, we forgot no_read_workqueue / no_write_workqueue flags that were introduced some time ago to speed up Linux disk encryption.

Summary: In this case, nothing critical happened to the system, but the hung tasks warnings gave us an alert that our file system had slowed down.

Example #2 or Coredump

Let’s take a look at the next hung task log and its decoded stack trace:

INFO: task test:964 blocked for more than 5 seconds.
      Not tainted 6.6.72-cloudflare-2025.1.7 #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:test            state:D stack:0     pid:964   ppid:916    flags:0x00004000
Call Trace:
<TASK>
__schedule (linux/kernel/sched/core.c:5378 linux/kernel/sched/core.c:6697) 
schedule (linux/arch/x86/include/asm/preempt.h:85 (discriminator 13) linux/kernel/sched/core.c:6772 (discriminator 13)) 
[do_exit (linux/kernel/exit.c:433 (discriminator 4) linux/kernel/exit.c:825 (discriminator 4)) 
? finish_task_switch.isra.0 (linux/arch/x86/include/asm/irqflags.h:42 linux/arch/x86/include/asm/irqflags.h:77 linux/kernel/sched/sched.h:1385 linux/kernel/sched/core.c:5132 linux/kernel/sched/core.c:5250) 
do_group_exit (linux/kernel/exit.c:1005) 
get_signal (linux/kernel/signal.c:2869) 
? srso_return_thunk (linux/arch/x86/lib/retpoline.S:217) 
? hrtimer_try_to_cancel.part.0 (linux/kernel/time/hrtimer.c:1347) 
arch_do_signal_or_restart (linux/arch/x86/kernel/signal.c:310) 
? srso_return_thunk (linux/arch/x86/lib/retpoline.S:217) 
? hrtimer_nanosleep (linux/kernel/time/hrtimer.c:2105) 
exit_to_user_mode_prepare (linux/kernel/entry/common.c:176 linux/kernel/entry/common.c:210) 
syscall_exit_to_user_mode (linux/arch/x86/include/asm/entry-common.h:91 linux/kernel/entry/common.c:141 linux/kernel/entry/common.c:304) 
? srso_return_thunk (linux/arch/x86/lib/retpoline.S:217) 
do_syscall_64 (linux/arch/x86/entry/common.c:88) 
entry_SYSCALL_64_after_hwframe (linux/arch/x86/entry/entry_64.S:121) 
</TASK>

The stack trace says that the process or application test was blocked for more than 5 seconds. We might recognise this user space application by the name, but why is it blocked? It’s always helpful to check the stack trace when looking for a cause. The most interesting line here is do_exit (linux/kernel/exit.c:433 (discriminator 4) linux/kernel/exit.c:825 (discriminator 4)). The source code points to the coredump_task_exit function. Additionally, checking the process metrics revealed that the application crashed during the time when the warning message appeared in the log. When a process is terminated based on some set of signals (abnormally), the Linux kernel can provide a core dump file, if enabled. The mechanism — when a process terminates, the kernel makes a snapshot of the process memory before exiting and either writes it to a file or sends it through the socket to another handler — can be systemd-coredump or your custom one. When it happens, the kernel moves the process to the D state to preserve its memory and early termination. The higher the process memory usage, the longer it takes to get a core dump file, and the higher the chance of getting a hung task warning.

Let’s check our hypothesis by triggering it with a small Go program. We’ll use the default Linux coredump handler and will decrease the hung task threshold to 1 second.

Coredump settings:

$ sudo sysctl -a --pattern kernel.core
kernel.core_pattern = core
kernel.core_pipe_limit = 16
kernel.core_uses_pid = 1

You can make changes with sysctl:

$ sudo sysctl -w kernel.core_uses_pid=1

Hung task settings:

$ sudo sysctl -a --pattern hung
kernel.hung_task_all_cpu_backtrace = 0
kernel.hung_task_check_count = 4194304
kernel.hung_task_check_interval_secs = 0
kernel.hung_task_panic = 0
kernel.hung_task_timeout_secs = 1
kernel.hung_task_warnings = -1

Go program:

$ cat main.go
package main

import (
	"os"
	"time"
)

func main() {
	_, err := os.ReadFile("test.file")
	if err != nil {
		panic(err)
	}
	time.Sleep(8 * time.Minute) 
}

This program reads a 10 GB file into process memory. Let’s create the file:

$ yes this is 10GB file | head -c 10GB > test.file

The last step is to build the Go program, crash it, and watch our kernel log:

$ go mod init test
$ go build .
$ GOTRACEBACK=crash ./test
$ (Ctrl+\)

Hooray! We can see our hung task warning:

$ sudo dmesg -T | tail -n 31
INFO: task test:8734 blocked for more than 22 seconds.
      Not tainted 6.6.72-cloudflare-2025.1.7 #1
      Blocked by coredump.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:test            state:D stack:0     pid:8734  ppid:8406   task_flags:0x400448 flags:0x00004000

By the way, have you noticed the Blocked by coredump. line in the log? It was recently added to the upstream code to improve visibility and remove the blame from the process itself. The patch also added the task_flags information, as Blocked by coredump is detected via the flag PF_POSTCOREDUMP, and knowing all the task flags is useful for further root-cause analysis.

Summary: This example showed that even if everything suggests that the application is the problem, the real root cause can be something else — in this case, coredump.

Example #3 or rtnl_mutex

This one was tricky to debug. Usually, the alerts are limited by one or two different processes, meaning only a certain application or subsystem experiences an issue. In this case, we saw dozens of unrelated tasks hanging for minutes with no improvements over time. Nothing else was in the log, most of the system metrics were fine, and existing traffic was being served, but it was not possible to ssh to the server. New Kubernetes container creations were also stalling. Analyzing the stack traces of different tasks initially revealed that all the traces were limited to just three functions:

rtnetlink_rcv_msg+0x9/0x3c0
dev_ethtool+0xc6/0x2db0 
bonding_show_bonds+0x20/0xb0

Further investigation showed that all of these functions were waiting for rtnl_lock to be acquired. It looked like some application acquired the rtnl_mutex and didn’t release it. All other processes were in the D state waiting for this lock.

The RTNL lock is primarily used by the kernel networking subsystem for any network-related config, for both writing and reading. The RTNL is a global mutex lock, although upstream efforts are being made for splitting up RTNL per network namespace (netns).

From the hung task reports, we can observe the “victims” that are being stalled waiting for the lock, but how do we identify the task that is holding this lock for too long? For troubleshooting this, we leveraged BPF via a bpftrace script, as this allows us to inspect the running kernel state. The kernel’s mutex implementation has a struct member called owner. It contains a pointer to the task_struct from the mutex-owning process, except it is encoded as type atomic_long_t. This is because the mutex implementation stores some state information in the lower 3-bits (mask 0x7) of this pointer. Thus, to read and dereference this task_struct pointer, we must first mask off the lower bits (0x7).

Our bpftrace script to determine who holds the mutex is as follows:

#!/usr/bin/env bpftrace
interval:s:10 {
  $rtnl_mutex = (struct mutex *) kaddr("rtnl_mutex");
  $owner = (struct task_struct *) ($rtnl_mutex->owner.counter & ~0x07);
  if ($owner != 0) {
    printf("rtnl_mutex->owner = %u %s\n", $owner->pid, $owner->comm);
  }
}

In this script, the rtnl_mutex lock is a global lock whose address can be exposed via /proc/kallsyms – using bpftrace helper function kaddr(), we can access the struct mutex pointer from the kallsyms. Thus, we can periodically (via interval:s:10) check if someone is holding this lock.

In the output we had this:

rtnl_mutex->owner = 3895365 calico-node

This allowed us to quickly identify calico-node as the process holding the RTNL lock for too long. To quickly observe where this process itself is stalled, the call stack is available via /proc/3895365/stack. This showed us that the root cause was a Wireguard config change, with function wg_set_device() holding the RTNL lock, and peer_remove_after_dead() waiting too long for a napi_disable() call. We continued debugging via a tool called drgn, which is a programmable debugger that can debug a running kernel via a Python-like interactive shell. We still haven’t discovered the root cause for the Wireguard issue and have asked the upstream for help, but that is another story.

Summary: The hung task messages were the only ones which we had in the kernel log. Each stack trace of these messages was unique, but by carefully analyzing them, we could spot similarities and continue debugging with other instruments.

Epilogue

Your system might have different hung task warnings, and we have many others not mentioned here. Each case is unique, and there is no standard approach to debug them. But hopefully this blog post helps you better understand why it’s good to have these warnings enabled, how they work, and what the meaning is behind them. We tried to provide some navigation guidance for the debugging process as well:

  • analyzing the stack trace might be a good starting point for debugging it, even if all the messages look unrelated, like we saw in example #3

  • keep in mind that the alert might be misleading, pointing to the victim and not the offender, as we saw in example #2 and example #3

  • if the kernel doesn’t schedule your application on the CPU, puts it in the D state, and emits the warning – the real problem might exist in the application code

Good luck with your debugging, and hopefully this material will help you on this journey!

Xerox Versalink C7025 Multifunction Printer: Pass-Back Attack Vulnerabilities (FIXED)

Post Syndicated from Deral Heiland original https://blog.rapid7.com/2025/02/14/xerox-versalink-c7025-multifunction-printer-pass-back-attack-vulnerabilities-fixed/

Xerox Versalink C7025 Multifunction Printer: Pass-Back Attack Vulnerabilities (FIXED)

During security testing, Rapid7 discovered that Xerox Versalink C7025 Multifunction printers (MFPs) were vulnerable to pass-back attacks. The affected products identified were:

  • Xerox Versalink MFPs
  • Firmware Version: 57.69.91 and earlier

This issue has been assigned the following CVEs:

  • CVE-2024-12510: LDAP pass-back vulnerability
  • CVE-2024-12511: SMB / FTP pass-back vulnerability

Product description

The Xerox Versalink C7025 Multifunction printer (MFP) is an all-in-one enterprise color printer designed to deliver print, copy, scan, fax, and email capabilities for enterprise business environments.

Credit

The pass-back vulnerabilities in the Xerox Versalink MFPs were discovered by Deral Heiland, Principal IoT Researcher at Rapid7. After coordination with the vendor, this disclosure is being published in accordance with Rapid7’s vulnerability disclosure policy.

Exploitation and remediation

This section details the potential for exploitation and remediation guidance for the issues discovered and reported by Rapid7, so that producers of this technology can gauge the impact of these issues appropriately and develop mitigations.

While examining the Xerox Versalink C7025, Rapid7 found that the Versalink MFP device was vulnerable to a pass-back attack. This pass-back style attack leverages a vulnerability that allows a malicious actor to alter the MFP’s configuration and cause the MFP device to send authentication credentials back to the malicious actor. This style of attack can be used to capture authentication data for the following configured services:

  • LDAP
  • SMB
  • FTP

Pass-back attack via LDAP (CVE-2024-12510)

If a malicious actor gains access to the Lightweight Directory Access Protocol (LDAP) configuration page and the LDAP services are configured for authentication, the malicious actor can then reconfigure the LDAP service’s IP address (Figure 1) and trigger an LDAP lookup on the LDAP User Mappings page (Figure 2) to authenticate against an attacker-controlled rogue system rather than the expected server.

Xerox Versalink C7025 Multifunction Printer: Pass-Back Attack Vulnerabilities (FIXED)

Xerox Versalink C7025 Multifunction Printer: Pass-Back Attack Vulnerabilities (FIXED)

By running a port listener on a host that the malicious actor controls, they are then able to capture the clear text LDAP service credentials as shown below in Figure 3. This attack requires access to the MFP printer admin account, and LDAP services must have been configured for normal operation to a valid LDAP server.
Xerox Versalink C7025 Multifunction Printer: Pass-Back Attack Vulnerabilities (FIXED)

Pass-back attack via user’s address book – SMB / FTP (CVE-2024-12511)

This attack allows a malicious actor to gain access to the user address book configuration to modify the SMB or FTP server’s IP address (Figure 4) and point the IP address to a host they control, potentially triggering a scan to file and capture the SMB or FTP authentication credentials.

Xerox Versalink C7025 Multifunction Printer: Pass-Back Attack Vulnerabilities (FIXED)

This attack allows a malicious actor to capture NetNTLMV2 handshakes or leverage the vulnerability in an SMB relay attack against Active Directory file servers. An example of capturing NetNTLMV2 handshake using the Metasploit capture/smb auxiliary module is shown below in Figure 5. In the case of FTP, the malicious actor would be able to capture clear text FTP authentication credentials.

Xerox Versalink C7025 Multifunction Printer: Pass-Back Attack Vulnerabilities (FIXED)

For this attack to be successful, the attacker requires an SMB or FTP scan function to be configured within the user’s address book, as well as physical access to the printer console or access to remote-control console via the web interface (Figure 6). This may require admin access unless user level access to the remote-control console has been enabled.

Xerox Versalink C7025 Multifunction Printer: Pass-Back Attack Vulnerabilities (FIXED)

Impact

If a malicious actor can successfully leverage these issues, it would allow them to capture credentials for Windows Active Directory. This means they could then move laterally within an organization’s environment and compromise other critical Windows servers and file systems.

Remediation guidance

Organizations leveraging Xerox Versalink MFP devices should upgrade to the latest patched version of the firmware to fix this issue. Additional details are available in the vendor advisory.

If patching the MFP devices cannot be done at this time, it is highly recommended to set a complex password for the admin account and also avoid using Windows authentication accounts that have elevated privileges, such as a domain admin account for LDAP or scan-to-file SMB services. Also, organizations should avoid enabling the remote-control console for unauthenticated users.

Disclosure timeline

March 26, 2024: Rapid7 contacts vendor to disclose vulnerabilities.
March 27, 2024 – April 11, 2024: Vendor acknowledges receipt of disclosure request; Rapid7 shares vulnerability details. Vendor confirms receipt of disclosure write up and assigns internal case number.
April 19, 2024 – June 11, 2024: Rapid7 requests input on patch ETA and coordinated disclosure date. Vendor requests additional time to determine patch and disclosure timeline; Rapid7 agrees.
July 23, 2024: Rapid7 requests an update on patch ETA and disclosure date.
July 31, 2024 – August 5, 2024: Vendor and Rapid7 agree on a coordinated disclosure date; Rapid7 agrees to test patches once available.
September 3, 2024: Extension requested.
September 26, 2024 – October 4, 2024: Rapid7 requests update. Vendor requests additional time to prepare update.
November 13 – 27, 2024: Rapid7 requests updates.
November 30, 2024 – December 6, 2024: Disclosure extended to January 2025.
December 11 – 30, 2025: Vendor provides CVE IDs and updates.
January 6 – 7, 2025: Vendor provides updates.
January 16, 2025: Disclosure extended to end of January.
January 24 – 27, 2025: Rapid7 requests confirmation on disclosure timeline. Vendor indicates patches are in testing and they will provide Rapid7 an update on progress later in the week.
January 29 – 31, 2025: Vendor indicates patches are generally available, requests that Rapid7 confirm fixes resolved the issue. Rapid7 tests firmware releases, confirms they resolve the vulnerabilities.
February 3, 2025: Vendor indicates advisories are available; Rapid7 notes that reciprocal disclosure will be delayed.
February 14, 2025: This disclosure.

AI and Civil Service Purges

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2025/02/ai-and-civil-service-purges.html

Donald Trump and Elon Musk’s chaotic approach to reform is upending government operations. Critical functions have been halted, tens of thousands of federal staffers are being encouraged to resign, and congressional mandates are being disregarded. The next phase: The Department of Government Efficiency reportedly wants to use AI to cut costs. According to The Washington Post, Musk’s group has started to run sensitive data from government systems through AI programs to analyze spending and determine what could be pruned. This may lead to the elimination of human jobs in favor of automation. As one government official who has been tracking Musk’s DOGE team told the Post, the ultimate aim is to use AI to replace “the human workforce with machines.” (Spokespeople for the White House and DOGE did not respond to requests for comment.)

Using AI to make government more efficient is a worthy pursuit, and this is not a new idea. The Biden administration disclosed more than 2,000 AI applications in development across the federal government. For example, FEMA has started using AI to help perform damage assessment in disaster areas. The Centers for Medicare and Medicaid Services has started using AI to look for fraudulent billing. The idea of replacing dedicated and principled civil servants with AI agents, however, is new—and complicated.

The civil service—the massive cadre of employees who operate government agencies—plays a vital role in translating laws and policy into the operation of society. New presidents can issue sweeping executive orders, but they often have no real effect until they actually change the behavior of public servants. Whether you think of these people as essential and inspiring do-gooders, boring bureaucratic functionaries, or as agents of a “deep state,” their sheer number and continuity act as ballast that resists institutional change.

This is why Trump and Musk’s actions are so significant. The more AI decision making is integrated into government, the easier change will be. If human workers are widely replaced with AI, executives will have unilateral authority to instantaneously alter the behavior of the government, profoundly raising the stakes for transitions of power in democracy. Trump’s unprecedented purge of the civil service might be the last time a president needs to replace the human beings in government in order to dictate its new functions. Future leaders may do so at the press of a button.

To be clear, the use of AI by the executive branch doesn’t have to be disastrous. In theory, it could allow new leadership to swiftly implement the wishes of its electorate. But this could go very badly in the hands of an authoritarian leader. AI systems concentrate power at the top, so they could allow an executive to effectuate change over sprawling bureaucracies instantaneously. Firing and replacing tens of thousands of human bureaucrats is a huge undertaking. Swapping one AI out for another, or modifying the rules that those AIs operate by, would be much simpler.

Social-welfare programs, if automated with AI, could be redirected to systematically benefit one group and disadvantage another with a single prompt change. Immigration-enforcement agencies could prioritize people for investigation and detainment with one instruction. Regulatory-enforcement agencies that monitor corporate behavior for malfeasance could turn their attention to, or away from, any given company on a whim.

Even if Congress were motivated to fight back against Trump and Musk, or against a future president seeking to bulldoze the will of the legislature, the absolute power to command AI agents would make it easier to subvert legislative intent. AI has the power to diminish representative politics. Written law is never fully determinative of the actions of government—there is always wiggle room for presidents, appointed leaders, and civil servants to exercise their own judgment. Whether intentional or not, whether charitably or not, each of these actors uses discretion. In human systems, that discretion is widely distributed across many individuals—people who, in the case of career civil servants, usually outlast presidencies.

Today, the AI ecosystem is dominated by a small number of corporations that decide how the most widely used AI models are designed, which data they are trained on, and which instructions they follow. Because their work is largely secretive and unaccountable to public interest, these tech companies are capable of making changes to the bias of AI systems—either generally or with aim at specific governmental use cases—that are invisible to the rest of us. And these private actors are both vulnerable to coercion by political leaders and self-interested in appealing to their favor. Musk himself created and funded xAI, now one of the world’s largest AI labs, with an explicitly ideological mandate to generate anti-“woke” AI and steer the wider AI industry in a similar direction.

But there’s a second way that AI’s transformation of government could go. AI development could happen inside of transparent and accountable public institutions, alongside its continued development by Big Tech. Applications of AI in democratic governments could be focused on benefitting public servants and the communities they serve by, for example, making it easier for non-English speakers to access government services, making ministerial tasks such as processing routine applications more efficient and reducing backlogs, or helping constituents weigh in on the policies deliberated by their representatives. Such AI integrations should be done gradually and carefully, with public oversight for their design and implementation and monitoring and guardrails to avoid unacceptable bias and harm.

Governments around the world are demonstrating how this could be done, though it’s early days. Taiwan has pioneered the use of AI models to facilitate deliberative democracy at an unprecedented scale. Singapore has been a leader in the development of public AI models, built transparently and with public-service use cases in mind. Canada has illustrated the role of disclosure and public input on the consideration of AI use cases in government. Even if you do not trust the current White House to follow any of these examples, U.S. states—which have much greater contact and influence over the daily lives of Americans than the federal government—could lead the way on this kind of responsible development and deployment of AI.

As the political theorist David Runciman has written, AI is just another in a long line of artificial “machines” used to govern how people live and act, not unlike corporations and states before it. AI doesn’t replace those older institutions, but it changes how they function. As the Trump administration forges stronger ties to Big Tech and AI developers, we need to recognize the potential of that partnership to steer the future of democratic governance—and act to make sure that it does not enable future authoritarians.

This essay was written with Nathan E. Sanders, and originally appeared in The Atlantic.

Кога ще избухне Румен Радев

Post Syndicated from Емилия Милчева original https://www.toest.bg/koga-shte-izbuhne-rumen-radev/

Кога ще избухне Румен Радев

Има въпроси шлагери, които се задържат за по-дълго на сцената на политическата естрада. „Кога ще избухне (с партия) Румен Радев?“ е един от тях. Този въпрос се върти с по-голяма или по-малка сила от началото на втория мандат на Радев, съвпаднал с политическата криза и позволил му да изпъкне в доспехите на народен закрилник-протагонист-стожер на нацията.

Президентът – къде умело, къде по-грубо, когато налага интересите си – балансира между ролите на арбитър и на активен играч, използвайки нестабилността като фон за своето политическо соло. Въпросът за негова партийна авантюра е рефрен, който никога не изчезва напълно, а само затихва, за да се върне с нов аранжимент при поредния политически трус. А трусовете зачестиха. 

Обичайно на въпросите дали ще дебютира със свой политически проект, Радев отговаря, че сам ще го каже, когато реши, но не казва „не“. Отговорите му са витиевати като на древна пророчица. Харесва му да поддържа напрежението, а в телевизионните студиа винаги се намира по някой и друг говорител, който разпалва аудиторията колко некадърни и невнятни са политиците, как „ключът е в президента и без негова партия ще гледаме едно и също“.

Неизбежна ли е Румен-Радевата алтернатива

Сигналите на държавния глава лесно могат да бъдат категоризирани:

„Аз съм президент, а не партиен лидер.“ Румен Радев обича да подчертава своята НАДпартийност, както и че ролята му е да бъде държавен глава, а не да се включва в партийните ала-бала. (Не че не го прави – въпреки че бяха орязани конституционните му правомощия да назначава служебни кабинети, без неговото съгласие такива не може да има, както се видя в случая с Горица Кожарева.)

„Хората очакват нова алтернатива, неизбежна е появата ѝ.“ Макар да не заявява ясно лични амбиции, той многократно е намеквал, че има нужда от „различен тип политика“, което кара анализаторите да виждат в това индиректно подгряване на почвата за бъдещ политически проект.

„България има нужда от промяна.“ Този лайтмотив върви в публичните му изяви още от първия мандат, когато Радев се позиционира като критик на статуквото, все едно какво – той е срещу него. Към настоящото правителство не е бил критичен, но още не е изминал и месец от избора му. Дали защото в изявления преди конституирането на кабинета той настояваше, че редовно правителство е необходимо в името на стабилността. Или защото поне две от четирите формации в управляващото мнозинство – БСП (след отстраняването на Корнелия Нинова) и „Има такъв народ“ – симпатизират на президента.

С неговите пет служебни правителства за осем години може да се каже, че Румен Радев е бил и петкратен премиер – без партия, но със стабилен рейтинг, свой апарат от бивши министри и дори лобистки договори като този с турската държавна компания „Боташ“, обслужващ приоритетно енергийните интереси на Анкара.

„Ще дойде време за отговори…“ Това е многоточието, което не закрива темата, напротив – оставя отворени всички опции. Някои партийни проекти бяха приписвани на президентска намеса, например „Български възход“ на един от служебните му премиери – Стефан Янев, но също и „Продължаваме промяната“, тъй като нейните лидери Кирил Петков и Асен Василев също бяха поканени за служебни министри от президента, който предостави терен за изява на политическите им амбиции.

Мъдрец в сянка? Не, благодаря

Какви варианти има пред Румен Радев? Може да избере ролята на „мъдреца в сянка“, както направи Жельо Желев, който създаде едноименната си фондация и основа Балканския политически клуб. Или да създаде свой политически проект и активно да влезе в играта с всички произтичащи от това рискове, които изпита също двумандатният президент Георги Първанов, регистрирал АБВ.

Изглежда малко вероятно Радев да си направи фондация и да изнася лекции тук и там. През тези десет години на „Дондуков“ 2, които ще се навършат догодина, властта му прилепна като мундир и няма индикации, че иска да напусне сцената. Политиката го направи известен, но той изгуби онази естествена и симпатична недодяланост, присъща на новаците, която обаче хората харесаха през 2017 г. – наред с професията и произхода му, с който се идентифицираха мнозина българи.

В момента около Радев има немалко фигури – съветници, други на високи позиции в различни институции, но и в изпълнителната и местната власт, придобили влияние и тежест благодарение на присъствието си в президентската орбита. Те не биха подкрепили негово доброволно оттегляне, тъй като ще бъде застрашено тяхното благополучие.

В крак с новото статукво

Моментът за „избухване“ на Радев преди президентския вот през есента на 2026 г. е благоприятен – ако се отвори възможност с предсрочни парламентарни избори. След избора на Доналд Тръмп за президент на Съединените щати започва да се формира ново статукво на сигурността в света, което не подминава и Европа. 

В българската политическа действителност от известно време изчезна употребата на термина „евроатлантически“. Тръмп говори лично с руския президент Владимир Путин, за да се договарят за мир в Украйна, но засега Европа и дори самата Украйна изглеждат изключени от този диалог. Радев, чиито проруски симпатии не са тайна, се оказа в новия тренд, налаган от американския президент, и ще си позволява безнаказано да се отклонява от традиционните евроатлантически рамки. Той е и единственият държавен глава в най-новата история на България, чиито външнополитически позиции са били в разрез с официалните позиции на държава членка на ЕС и НАТО, и той ги е демонстрирал на високи форуми.

Възможността за предсрочни парламентарни избори би могла да му предостави шанс да събере повече подкрепа, особено сред избирателите, които се чувстват отдалечени от традиционните западни алианси и търсят алтернатива в политика на неутралитет или дори на сближаване с Русия. Това би означавало стратегическо преосмисляне на външнополитическата ориентация на България.

Левицата изглежда като естествен терен за него, но е съмнително дали би успял да изгради модерна лява партия, различна от БСП, от каквато българската политика действително се нуждае.

Ако Радев изгрее със свой партиен проект, ще застраши първенството на ГЕРБ. Но също така биха могли да се спогодят, а останалите политически сили съвсем ще се маргинализират. Техният шанс е да използват ефективно времето до следващите президентски избори, за да се позиционират по най-добрия начин, включително и с кандидатите си за президент и вицепрезидент. Къде е Бойко Борисов в този гмеж от хипотези – на „Дондуков“ 2 или в Банкя?

Радев е на прага на решението: да излезе от властта или да открие нов път към нея. 

Времето му за избор наближава.

The collective thoughts of the interwebz