Socio-technical systems are systems where (groups of) humans interact with (non-trivial) technical systems; an example is the power grid. The people, the technical system and the combination of the two can easily lead to complex behavior that is hard to predict and control over the long term. However, as illustrated by, for example, the need to transition our energy infrastructure to a more sustainable structure, it is necessary for society to “control” such systems. Igor Nikolic is a professor at the TU Delft where he uses an agent-based modeling approach to try to understand, and thus help control and evolve, such systems. We discuss the systems, the challenges as well as the modeling approaches.
Unikernels have demonstrated enormous advantages over Linux in many important domains, causing some to propose that the days of Linux’s dominance may be coming to an end. On the contrary, we believe that unikernels’ advantages represent the next natural evolution for Linux, as it can adopt the best ideas from the unikernel approach and, along with its battle-tested codebase and large open source community, continue to dominate. In this paper, we posit that an upstreamable unikernel target is achievable from the Linux kernel, and, through an early Linux unikernel prototype, demonstrate that some simple changes can bring dramatic performance advantages.
In the 1960s-1970s, Ken Thompson co-invented the UNIX operating system along with Dennis Ritchie at Bell Labs. He also worked on the language B, the operating system Plan 9, and the language Go. He and Ritchie won the Turing Award. He now works at Google. He’ll be interviewed by Brian Kernighan of “K&R” fame.
Five days ago, the internet had a conniption. In broad patches around the globe, YouTube sputtered. Shopify stores shut down. Snapchat blinked out. And millions of people couldn’t access their Gmail accounts. The disruptions all stemmed from Google Cloud, which suffered a prolonged outage—which also prevented Google engineers from pushing a fix.
When it’s time to package up your Python application into a Docker image, the natural thing to do is search the web for some examples. And a quick search will provide you with plenty of simple, easy examples. Unfortunately, these simple, easy examples are often broken in a variety of ways, some obvious, some less so.
The basic premise of this attack is that FollowSymlinkInScope suffers from a fairly fundamental TOCTOU attack. The purpose of FollowSymlinkInScope is to take a given path and safely resolve it as though the process was inside the container. After the full path has been resolved, the resolved path is passed around a bit and then operated on a bit later (in the case of 'docker cp' it is opened when creating the archive that is streamed to the client). If an attacker can add a symlink component to the path after the resolution but before it is operated on, then you could end up resolving the symlink path component on the host as root. In the case of 'docker cp' this gives you read and write access to any path on the host.
In competing visions of the future of Kubernetes, Paul Czarkowski, principal technologist at Pivotal, predicts that VMs will replace containers, while Joe Fernandes, a VP at Red Hat, considers that VM usage is evolving for Kubernetes rather than replacing containers. In addition, Chris Short, Red Hat's principal product marketing manager, said that Kubernetes is close to replacing the hypervisor.
TL;DR: containers are not VMs; stop calling everything "Docker"; don't use Kubernetes for tiny projects, use Swarm instead; Kubernetes will only solve your org's problems if you are willing to go all-in, anything in between will fail the same way it failed before.
After Meltdown, Spectre, and Foreshadow, we discovered more critical vulnerabilities in modern processors. The ZombieLoad attack allows stealing sensitive data and keys while the computer accesses them.
Red Balloon Security, Inc. is disclosing two vulnerabilities affecting the products of Cisco Systems, Inc. (“Cisco”). The first, known as 😾😾😾, allows an attacker to fully bypass Cisco’s Trust Anchor module (TAm) via Field Programmable Gate Array (FPGA) bitstream manipulation. The second is a remote command injection vulnerability against Cisco IOS XE version 16 that allows remote code execution as root. By chaining the 😾😾😾 and remote command injection vulnerabilities, an attacker can remotely and persistently bypass Cisco’s secure boot mechanism and lock out all future software updates to the TAm.