Drupal HackCamp 🇷🇴 How open source helps you prevent the next Drupalgeddon

When Adrian from Softescu reached out to me it was the first time I heard about the Drupal HackCamp. A whole camp focused on security – SURE!

I’ll write more about the camp later. Let’s start with my slides here first!

Slides

Conclusions

  • Web Application Firewalls buy you time till you update your site
  • Update your core and modules regularly (at least the critical Modules)
  • Automate your processes! Sometimes you only have a couple of hours till attacks roll in.
  • Have several layers of security – It will pay off in the long run
  • It’s not humans that exploit your site – It’s bots
  • We should come up with a better naming than shouting Drupalgeddon 😉
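
The "update regularly" and "automate your processes" points above are easiest to act on when the check itself is scripted. As an added example (not code from the talk or from the Drupal project), here is a small Python script that reads a Composer lock file and flags packages whose installed version is below a known-patched minimum. The sample `composer.lock` contents and the minimum versions in `MINIMUM_SAFE` are constructed placeholders; in practice the minimums come from the security advisory for the release you are reacting to, and the script would run in CI or a cron job against the real lock file.

```python
import json

# Constructed sample composer.lock (not taken from any real site).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "drupal/core", "version": "8.5.0"},
        {"name": "drupal/metatag", "version": "1.5.0"},
        {"name": "drupal/token", "version": "1.3.0"},
    ]
})

# Placeholder minimum safe versions, keyed by Composer package name.
# Real values would be copied from the relevant security advisory.
MINIMUM_SAFE = {
    "drupal/core": "8.5.3",
    "drupal/metatag": "1.5.0",
}


def parse_version(version):
    """Turn '8.5.3', 'v1.2' or '8.5.0-beta1' into a comparable tuple of ints.

    Pre-release and build suffixes ('-beta1', '+sha') are dropped, so a
    pre-release compares equal to its final release; good enough for an
    "are we at least on the patched release" check.
    """
    core = version.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(part) if part.isdigit() else 0 for part in core.split("."))


def is_older(installed, minimum):
    """True when the installed version is strictly below the minimum."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))   # pad so '7.58' and '7.58.1' compare sanely
    b += (0,) * (width - len(b))
    return a < b


def outdated_packages(lock_text, minimums):
    """Return [(name, installed, required), ...] for packages below the minimum.

    Both 'packages' and 'packages-dev' are inspected; packages not listed
    in `minimums` are ignored.
    """
    lock = json.loads(lock_text)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name = pkg.get("name")
        installed = pkg.get("version", "")
        if name in minimums and is_older(installed, minimums[name]):
            findings.append((name, installed, minimums[name]))
    return findings


if __name__ == "__main__":
    # Exit non-zero when something is outdated so a CI job fails loudly.
    import sys
    hits = outdated_packages(SAMPLE_LOCK, MINIMUM_SAFE)
    for name, installed, required in hits:
        print(f"OUTDATED {name}: installed {installed}, need >= {required}")
    sys.exit(1 if hits else 0)
```

Run it against the real lock file by replacing `SAMPLE_LOCK` with `open("composer.lock").read()`; the non-zero exit code is what lets a pipeline block a deploy, or page someone, on the day an advisory drops.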

Resources

There are many, many resources linked directly in the talk, but I'll highlight a few here:

Angelesen #52 – GDPR, remote work and wireguard

After a slightly longer weekend (bank holidays are a fabulous thing) – Back in action! This week is fueled by a few GDPR/DSGVO articles.

fridge 0.1 (joeyh.name)

How about a fridge powered entirely by solar panels without the powerwall? Zero battery use, and yet it still preserves your food.

That’s much cooler, because batteries, even hyped ones like the powerwall, are expensive and inefficient and have limited cycles. Solar panels are cheap and efficient now. With enough solar panels that the fridge has power to cool down most days (even cloudy days), and a smart enough control system, the fridge itself becomes the battery — a cold battery.

Interesting experiment with solar power and a fridge!

The Amish understand a life-changing truth about technology the rest of us don’t (qz.com)

The reason the Amish rejected television is because it is a one-way conduit to bring another society into their living rooms. And they want to maintain the society as they have created it. And the automobile as well. As soon as you have a car, your ability to leave your local community becomes significantly easier.

Good (Anti)Technology Longread

DSGVO – frequently asked questions, widely spread myths › Jan Philipp Albrecht (janalbrecht.eu)

GDPR #0: DSGVO panic

A 2-Year Stanford Study Shows the Astonishing Productivity Boost of Working From Home (thriveglobal.com)

I feel I’m consistently at the most productive I’ve ever been in my entire life. My morning commute is a seven-second walk to my study and I actually start working far earlier than I did in the corporate world.

While I make it a point to not work any later than I did at a corporate office, I’m working more deeply with far fewer breaks in concentration. I quite often “get on a roll” that lasts four-plus hours at a time. I can’t remember the last such streak working in an office.

Surprised, much?

Kubernetes Gardener (gardener.cloud)

Many Open Source tools exist which help in creating and updating single Kubernetes clusters. However, the more clusters you need the harder it becomes to operate, monitor, manage and keep all of them alive and up-to-date. And that is exactly what project Gardener focuses on.

Looks interesting

Intel Shows Xeon Scalable Gold 6138P with Integrated FPGA, Shipping to Vendors (anandtech.com)

A CPU partnered with an FPGA. Hello Future!

We Made a Tool So You Can Hear Both Yanny and Laurel (nytimes.com)

We built a tool to gradually accentuate different frequencies in the original audio clip. Which word or name do you hear, and how far do you have to move the slider to hear the other? (The slider’s center point represents the original recording.)

I’m still left confused hearing two things at the same time…

John Byrd’s answer to What is the most sophisticated piece of software/code ever written? (quora.com)

You would never expect that all those problems were caused by a computer worm, the most devious and intelligent computer worm in history, written by some incredibly secret team with unlimited money and unlimited resources, designed with exactly one purpose in mind: to sneak past every known digital defense, and to destroy your country’s nuclear bomb program, all without getting caught.

A good writeup on Stuxnet 🙂

WordPress 4.9.6 Privacy and Maintenance Release (wordpress.org)

GDPR #1 – WordPress comes with new features!

  • Data Export
  • Data Erasure

Introducing Git protocol version 2 (opensource.googleblog.com)

We recently rolled out support for protocol version 2 at Google and have seen a performance improvement of 3x for no-op fetches of a single branch on repositories containing 500k references. Protocol v2 has also enabled a reduction of 8x of the overhead bytes (non-packfile) sent from googlesource.com servers. A majority of this improvement is due to filtering references advertised by the server to the refs the client has expressed interest in.

New stuff comes to git!

There Will Be WireGuard (latacora.singles)

TL;DR

[NEW] WireGuard for macOS
You can install wg-quick, wg, and wireguard-go using Homebrew. Then you should
be able to run wg-quick up whatever and familiar commands as you’re used to.
If you’re setting up a network manually, you can run wireguard-go utun3 in
place of the usual Linux command ip link add utun3 dev wireguard. Install
with the Homebrew command:
$ brew install wireguard-tools

Completely Silent Computer (tp69.wordpress.com)

I’ve been trying to make my computers quieter for nearly three decades. Custom liquid cooling loops, magnetically-stabilised fluid-dynamic bearings, acoustic dampeners, silicone shock absorbers, you name it. Well, last week I finally managed to build a completely silent computer

Nice! Back when I had those towered confusers at home I tried (and often failed) to make them dead silent. But at least they were silent enough to sleep next to them (25-30 dBA).

🎥 Iron Man Becoming Real (youtube.com)

Interesting talk on a jet-engine-driven suit 😀

A Dark Time for Data: WHOIS Blackout Period Likely Starting in May (cooley.com)

ICANN plans to settle on a final model by the GDPR enforcement date of May 25, at which point it will likely place all of the currently available WHOIS data behind a wall where it will no longer be accessible by the public. This “WHOIS blackout” period will last at least six months until ICANN likely implements its accreditation mechanism to allow third parties to access this “walled” data.

GDPR #2 – WHOIS!

The headers we don’t want (fastly.com)

At the same time, there are lots of headers that are hugely popular but aren’t new and aren’t actually all that useful

Good article on the importance and unimportance of some headers that are blasted through the net.

My first DSGVO rant – Too many myths and dangerous half-knowledge about the new European data protection law (rechtzweinull.de)

GDPR #3 – Take whatever

Charlotte Roche: Leave the cities! (sz-magazin.sueddeutsche.de)

In the forest you don’t meet other people who get on your nerves, and you aren’t forced to read posters, let advertising into your head and then shop at Amazon. Nature doesn’t want to sell you anything. You’re just supposed to be, in the here and now. Happy.

Anti-tech piece #2 😉

Angelesen #51 – Serverless, Rowhammer and Disabled USB Ports

Wow, what a week! After leaving Switzerland on Tuesday I made it to Verona, Italy by train, where I had the chance to attend JSDay and speak at PHPDay. I am astonished how much work the organising team behind those conferences puts in – they not only run JSDay and PHPDay, they even branched out into DevOps, containers, React and much more. Way to go! It was a smooth experience and I had tons of fun and learned a lot during the conference.


AWS won serverless – now all your software are kinda belong to them (theregister.co.uk)

Leading Edge Forum’s Simon Wardley, never one to mince words, helps to parse what a 70 per cent (or 44 per cent) lead means: “Let me translate that for you. Amazon is currently positioned to own 70 per cent of the future of ALL software.” Developers, for their part, happily focus on writing business logic while AWS (or Microsoft/Google) handle all the server infrastructure. As Matt Wood, AWS general manager of Deep Learning and AI, told me: “With S3, DynamoDB, and Lambda, you can build apps without thinking about the underlying infrastructure.”

Just let that sink in for a minute, shall we? I’m very happy that there are alternatives to the walled gardens that seem to be oh-so-comfortable.

Walmart has patented autonomous robot bees (weforum.org)

Walmart has just filed a patent for autonomous, robot bees. Yes, that Walmart — and no, you didn’t slip into another, stranger dimension. The mega-corporation’s patent specifically covers “pollination drones.” These tiny robots could act just like bees, pollinating crops autonomously.

Black Mirror, is it you?

Google YOLO (blog.innerht.ml)

Buttons are everywhere. Elevator buttons, machinery buttons, and even “Nuclear Button” that sits on the President’s office desk. But are you always sure the button you push really performs what you want it to do?

Fun with Buttons!

iOS 11.4 to Disable USB Port After 7 Days: What It Means for Mobile Forensics (blog.elcomsoft.com)

Apparently, iOS stores information about the date and time the device was last unlocked or had a data connection to a USB port. After the seven days elapse, the Lightning port will be disabled. Once this happens, you will no longer be able to pair the device to a computer or USB accessory, or use an existing lockdown record, without unlocking the device with a passcode. The only thing you’ll be able to do is charging.

A good move! Wondering when Google will draw level and disable the USB port after a while.

Russia’s public enemy number one (republik.ch)

The Russian internet has been turned upside down since Moscow tried to block the messaging service Telegram. Who is Telegram founder Pawel Durow, regarded as the «Russian Zuckerberg»?

Good longread on Telegram and how its founder operates.

Conference Buddy (conferencebuddy.io)

The idea was born for a simple reason: While I love going to meetups, barcamps and conferences, I don’t like going on my own when I don’t know anyone. Even the thought is intimidating. And I can’t be the only one, right?

A thing we talked about at PHPDay Verona during the past week. Great initiative!

Now Is The Perfect Time For An RSS Renaissance (neflabs.com)

So the very idea of RSS – obtaining content from a website without having to visit the site itself – is due for a comeback. No ads. No suspicious javascript. Just the signal without the noise. It’s not perfect privacy, but it’s one step back and two steps forward in the right direction.

Still on RSS. Never went away from it… even if it feels a bit old-school. Own your content.

Victory! Fourth Circuit rules that border officials can’t subject electronic devices to suspicionless forensic searches (boingboing.net)

Now, in U.S. v. Kolsuz, the first appellate ruling since Riley, the Fourth Circuit appeals court has held that it is unconstitutional for US border officials to subject visitors devices to forensic searches without individualized suspicion of criminal wrongdoing.

Win!

Passive Wi-Fi: Bringing Low Power to Wi-Fi Transmissions (usenix.org)

We build prototype hardware and implement all four 802.11b bit rates on an FPGA platform. Our experimental evaluation shows that passive Wi-Fi transmissions can be decoded on off-the-shelf smartphones and Wi-Fi chipsets over distances of 30–100 feet in various line-of-sight and through-the-wall scenarios. Finally, we design a passive Wi-Fi IC that shows that 1 and 11 Mbps transmissions consume 14.5 and 59.2 µW respectively. This translates to 10000x lower power than existing Wi-Fi chipsets and 1000x lower power than Bluetooth LTE and ZigBee.

Impressive presentation!

120+ WordPress plugins in the DSGVO check (with solutions, alternatives and plugin tips!) (blogmojo.de)

Because GDPR/DSGVO && WordPress

Everything old is new again: Microservices (blogs.dxc.technology)

Well, it depends. If you got your start programming in the 90s, you’d say I just defined a Service-Oriented Architecture (SOA). But, if you’re younger and cut your developer teeth on the cloud, you’d say: “Oh, you’re talking about microservices.”

Serverless, Microservices – Isn’t that all just SOA?

Translations of My hovercraft is full of eels in many languages (omniglot.com)

Mis Luftchüssiboot isch volle Aal (Swiss German for “My hovercraft is full of eels”)

The most useful phrase in many languages 😉

This is what it’s like using only open-source software on Android (androidpolice.com)

Four years ago, Ars Technica wrote a detailed analysis of using Android without all the proprietary Google software. It wasn’t a great experience, as you can probably guess. But plenty can change in four years, so is the situation any better in 2018? That’s what I wanted to find out.

If you want to go Google-free, that’s a good article!

New Rowhammer Attack Can Hijack Computers Remotely Over the Network (amp.thehackernews.com)

Since triggering a bit flip requires hundreds of thousands of memory accesses to specific DRAM locations within tens of milliseconds, a successful Throwhammer attack would require a very high-speed network of at least 10Gbps.
In their experimental setup, researchers achieved bit flips on a targeted server after accessing its memory 560,000 times in 64 milliseconds by sending packets over LAN to its RDMA-enabled network card.

Nerdy, I know, but Rowhammer attacks are interesting!

Remediating Fukushima—“When everything goes to hell, you go back to basics” (arstechnica.com)

To further limit groundwater flow into reactors buildings, TEPCO actually froze the ground around them, creating a kind of frozen wall down to a depth of about 30 meters. Approximately 1,500 meters long, the wall is kept frozen by pipes filled with an aqueous solution of calcium chloride cooled to -30ºC. Freezing commenced in March 2016 and is now “99 percent complete,” according to Kohta.

Just one piece in the puzzle of cleaning up the aftermath of Fukushima – and yes, it’s already 7 years since the accident happened.

#PHPDay – More on Serverless 🤖

More serverless! After two inspiring days of attending JSDay, I had the chance to talk about the concepts around the serverless movement and our approach to it at PHPDay. It’s been a while since my last PHPDay/JSDay and the conference is still as welcoming and nice as I had it in my memory. (Just that I had completely forgotten about the fabulously strong Italian coffee.) Thank you for having me!

Slides:
Resources: