RH strategy was mostly focused around OpenShift lately, which makes complete sense. Kubernetes is the next datacenter OS, just as ESX (and virtualization in general) was in the past 15 years and it's going to drive a radical shift in the enterprise IT world in the coming years. IBM (as an active member of the kubernetes community) see that huge opportunity and are doubling down on their efforts.
Any bets on the next player in this space to be acquired by an IT behemoth? Docker and Rancher both come to mind.
Docker just took more funding, so it'll likely be a while, but yeah I'd say they're very likely to get acquired in the medium - long term.
Rancher haven't raised in a couple of years, so might be more prone to acquisition in the short term.
In general it lseems likely that as containerization has taken off over the last couple of years , larger players who missed the boat will be looking to make acquisitions to become more relevant in that space.
Docker seems to be determined to strike it out on their own. The implications of Kubernetes takes time to materialize, and they might well sell too late.
The Nazis established a massive, systemic and vicious program for the complete annihilation of any "enemy" of the aryan race, and by "enemy" we are talking about innocent jews, Romani and many more (although, the complete annihilation of the jewish people was it's main target). You may know this as the "Final Solution". I'm not aware of any event in modern human history that resembles the scale, the intent, the execution level and the pure evil that makes the final solution program.
This does not mean that other atrocities done by any other group of people (including the "allies") are not horrific and should not be condemned or remembered. But, the final solution should always be remembered as an extreme, unique and singular event in modern human history.
> I'm not aware of any event in modern human history that resembles the scale, the intent, the execution level and the pure evil that makes the final solution program.
Read the history of Indian subcontinent from around 1000 AD to 1947 AD. Events of the same magnitude as the holocast (or worse) happend again and again. Read about the ‘conquests’ of the likes of Mahmood Ghaznavi, Muhammad of Ghor, Taimur the Lame, Ahmad Shah Durrani, Nader Shah, Mughals and countless others. Read about the atrocities committed by them to the people they conquered and tell me that the Nazi holocast was a singular event.
> I'm not aware of any event in modern human history that resembles the scale, the intent, the execution level and the pure evil that makes the final solution program.
Again, there's for example the Bengali famine.
> But, the final solution should always be remembered as an extreme, unique and singular event in modern human history.
If you consider singular events maybe. Other countries did it slower and over longer periods and there were multiple events. Idk if efficacy really makes a moral difference to me.
If you consider modern history maybe. However the problem with this formulation is that modern history generally starts around WW2 so in some sense, holocaust was the last event of this colonial style of thinking.
"Console hacking 2010"[0][1] - The story and history of the different hacks and security bypasses around the Sony PlayStation 3 gaming console. Absolutely brilliant.
The title here is misleading. The vulnerabilities were not actually publicly disclosed, the only thing that was disclosed publicly is the fact that the vulnerabilities exist. The actual details of the vulnerabilities were disclosed privately with AMD.
> These are people that regularly write good quality code themselves, but there is a high amount of distrust. Why doesn't a team of talented programmers trust each other?
This has nothing to do with trust or any other personal matter. Everybody makes mistakes, everybody might misinterpret code they use and not every programmer has a complete understanding of the scope of the changes they are making. This happens for both senior and junior engineers. (Obviously one would expect this happening much less for seniors)
The only way minimising the amount of future issues is to have thorough, rigorous and pedantic code reviews. Another major benefit for this approach to code reviews is having more people on the team understand deeply the component you coded.
I'll add to that - It is still very easy to hijack SMB connections and use it steal the NTLM hash in almost any network with Windows machines (Managed with a DC or not). Just go ahead and try [1] (Disclaimer - running responder.py without authorization might be considered as a crime and I do not take any responsibility for it. I encourage you to use it only if you understand what you are doing and you have full permission to do it).
That's why MS recommends that you use a separate forest for admins only these days. You only administer things with remote tools via a trust, you only enable admin perms as long as you absolutely need them, and you put admins in the protected users group so that they can only do Kerberos. It won't stop other peoples credos from getting stolen, but it makes complete ownership of the domain less likely. That being said if you have service accounts running as domain admin, or you have service accounts with "delegate to any service" perms...all bets are off.
Its so hard to get this right these days. I'm just recommending that people move all their clients to Azure AD join and put servers in resource forests.
NTLM has got to go and hardware/virtualization based security like device guard has to become the norm.
Not really. Requires to have the CAP_NET_RAW capability, which is pretty rare. (This capability allows you raw access to the network interface, which is usually only given to the root user)
No. It's exploitable by a normal unprivileged user on modern Ubuntu. From the article, "Let’s see how we can exploit this vulnerability. I’m going to be targeting x86-64 Ubuntu 16.04.2 with 4.8.0-41-generic kernel version with KASLR, SMEP and SMAP enabled. Ubuntu kernel has user namespaces available to unprivileged users (CONFIG_USER_NS=y and no restrictions on it’s usage), so the bug can be exploited to gain root privileges by an unprivileged user."
Thanks, I was a bit concerned at first when I saw the 4 words "Exploiting Linux kernel packet" on one line, but as a privilege escalation after a first exploit I won't worry as much about it.
Bottom line - locally exploitable vulnerability in the linux kernel, in case you have the CAP_NET_RAW capability which never really happens. Not a real security threat for your standard linux distro.
On the other hand, this is a great technical write-up that describes thoroughly the internals of some of the linux kernel subsystems. Probably the best documentation you can find for some subsystems. Also shows how they bypassed exploit mitigations technics such as KASLR, SMAP&SMEP.
Right, but "unprivileged user namespaces" are disabled in many contexts, because they've been a source of many vulnerabilities due to code originally thought to only be reachable by root anyway.
Archlinux has user namespaces disabled, docker does not use them by default and does not allow them inside containers by default, on Ubuntu I make sure to disable kernel.unprivileged_userns_clone on all the servers I deploy to, etc.
No. It's exploitable by a normal unprivileged user on modern Ubuntu. From the article, "Let’s see how we can exploit this vulnerability. I’m going to be targeting x86-64 Ubuntu 16.04.2 with 4.8.0-41-generic kernel version with KASLR, SMEP and SMAP enabled. Ubuntu kernel has user namespaces available to unprivileged users (CONFIG_USER_NS=y and no restrictions on it’s usage), so the bug can be exploited to gain root privileges by an unprivileged user."
As a rule of Thumb, an attack can ALWAYS escape from Docker containers.
These containers are a light way to separate processes. They are not intended as a security measure to isolate malicious processes that tries to escape.
No, Docker usually drops CAP_NET_RAW within the container. But you can change that and other container technologies definitely keep CAP_NET_RAW within the container.
You also need to create a network namespace, because to create an AF_PACKET socket you need to have CAP_NET_RAW in the user namespace that owns your network namespace, not the user namespace you're in.
RH strategy was mostly focused around OpenShift lately, which makes complete sense. Kubernetes is the next datacenter OS, just as ESX (and virtualization in general) was in the past 15 years and it's going to drive a radical shift in the enterprise IT world in the coming years. IBM (as an active member of the kubernetes community) see that huge opportunity and are doubling down on their efforts.
Any bets on the next player in this space to be acquired by an IT behemoth? Docker and Rancher both come to mind.