Virtual Journey – Journey to the Center of the Earth (2021)

Preface: The period from January 1, 2001 to December 31, 2100 is called the 21st century. Furthermore, our technologies world has demand for virtual technology concept. For example, virtual machine, virtual reality,..etc. Have you been think that you can do a virtual journey. See whether what is the gap in between reality and imagination?

Background: The first version of the Journey to the center of the Earth was published in 25th November 1864 by Jules Verne from France. Jules Gabriel Verne (Jules Gabriel Verne) is a French novelist, poet and playwright. The first industrial revolution started in the 1760s and lasted from the 1830s to the 1840s. Perhaps this revolution trigger his thinking or he has experience for close encounter of the 3rd kind?

Behind the Belief: Lizard People

According to the lizard people theory, bloodthirsty reptilian aliens first arrived on earth in ancient times. Since then, these beings have been merging with humans through the manipulation of DNA, as well as interbreeding with the human population. Conspiracy theories believing that unknown civilization including lizard people are living in the center of earth. Mixed humans (Lizard people) are not only discussed in ancient European culture. The similar of record also appearing in China. The classic Chinese book “Shan Hai Jing” 《山海經》 depicts similar types of mixed humans. However, according to general view point, the “Shan Hai Jing” 《山海經》 is a compilation of mythical geography and beasts. But I don’t think so. You can go through below details (URL and references) see whether any change to your judgement?

Reference 1: American scholar Dr. Henriette Mertz (1898-1985) studied the “Shan Hai Jing” 《山海經》. She published a book to prove that there is a description of American geography in the “Shan Hai Jing”. According to the record of Dongshan Jing《東山經》 descriptions , where the sun rises east of the sea in China. She identified the Rocky Mountains in the central and western United States,the Sierra Nevada mountains,the Cascade Mountains,the Pacific coast of the coastal mountains explicitly similar to the “Dongshan Jing” Records. For instance, four mountain structure, peaks, rivers, flora and fauna, mountain-to-Mountain distance is exactly consistent with the “Dongshan Jing” includes records the four mountain systems, peaks, rivers, flora and fauna, mountain to mountain distance.

Reference 2: During World War II, Dr Mertz worked as a code-breaker for the U.S. government’s cryptography department.

How does planet form?

Here is the simplified answer:

  1. Earth formed when gravity pulled swirling gas and dust in to become the third planet from the Sun.
  2. The formation process of planets in the solar system is likely to be irrelevant to violent collisions, explosions and the like. It may be a slow combination of ice and gravel floating in space.

Recently the scientist of NASA found that the exact way to form a planet may be by a slow combination of ice and gravel floating in space. Instead of something to do with explosion. So called “Big Bang”.

Remark: The Big Bang theory is a cosmological model of the observable universe from the earliest known periods through its subsequent large-scale evolution.

Even though how to form. Since the planet is a circle shape (ball). This shape is difficult to define a central axis. Whereby, in what way to find out the central axis? Perhaps we can use this example. Axis rotation is the difference between the direction the ball is rotating and the direction that it is moving down the lane. The axis of rotation is determined by the horizontal angle of your fingers (how far around the side of the ball your fingers are) as you release the ball. That is the tilt of planet will be depends on the throw angle when it created.

“The process of forming planets has a bunch of stages, and the last stage is what’s called the ‘giant impact’ phase,” said Professor Doug Hamilton. Infographic below for reference:

No matter in which way, there is a lot of explosion happens in universe. The powerful shock wave generated during astral explosion or else. Which cause the astral receiving this powerful energy. If a planet located in is located at Lagrange point. Even this force cannot pull the planet to other location. However it will let the astral spinning. Furthermore the universe is in vacuum state. Maintaining rotation at constant speed in a vacuum does not require any further input of energy.

As a matter of fact, you may seen there is a quite a lot of coincident happens in this astral forming. And therefore a lot of people including myself has queries that whether it is a artificial creation instead of forming by nature.

There is magma in the core of the earth, is it the driving force that causes the earth to rotate?

The solid core of the earth rotates only once every 120 years or so. No one knows the real reason for the reversal. The original energy that caused the rotation of the Earth when the earth was formed. As far as we know, at least two ways found by scientist that what is the possibilities to form our earth (see below).

Why is the core of planets hot?

There are three main sources of heat in the planet:

  1. Heat from when the planet formed and accreted, which has not yet been lost;
  2. Frictional heating, caused by denser core material sinking to the center of the planet; and
  3. Heat from the decay of radioactive elements.

Why is the Earth tilted at 23.4 or 23.5 degrees? The angle varies a little over time, but the gravitational pull of the moon prevents it from shifting by more than a degree or so. This tilt is what gives us seasons. The axial tilt impact seasons, weather, even human life.

What causes the moon to rotate? The easy answer is that the moon’s orbit around Earth is tilted, by five degrees, to the plane of Earth’s orbit around the sun.

Closer look inside our earth

Gold is one of the ingredient in our earth. Pure gold is on demand item since ancient time. We can seen many things in ancient age also made by Gold. People known Gold is an expensive ingredient when mankind founded alchemy technology in ancient age. There are also unproven records of cuneiform writing in ancient Sumerian clay tablets, and advanced and unknown civilization also came to the earth to mine gold. Current scientific theories estimate that there is enough gold in the core to cover the surface of the earth with a 4 meter thick layer of pure gold. But this area cannot be mined. Therefore, the remaining gold component that can be mined is located on the earth’s crust.

According to data from the US Geological Survey (2020), underground gold reserves are currently estimated to be about 50,000 tons. Approximately 20% is still to be mined.

The density of the core is measured using several techniques including seismic geophysics. Seismic waves are measured from earthquakes all over the world.

What Is Earth’s Core Made of?

Earth’s inner core is solid iron, its outer core is liquid iron mixed with other components, and its mantle is dense rock.

Quote: We can’t put a thermometer in the Earth’s core, so the only solution is to simulate the same crushing pressure in the laboratory, said Lidunka Vočadlo (University College London, UK)

In 2013, a French research team created the best simulation conditions. They inserted pure iron into an environment where the pressure was slightly more than half the pressure of the core, which is said to be the temperature of the core. At the core temperature, the melting point of pure iron is about 6230°C. The presence of other substances causes the melting point to drop, about 6000°C, while it is still very hot, comparable to the temperature of the sun’s surface.

The Earth’s core is mainly composed of iron. It is believed that about 80% of the composition of the Earth’s core is iron, although the exact value has yet to be determined. The Iron must have been affected by gravity and settled towards the Earth’s core. Most of the rest of the Earth is made up of a rock material called”silicate”, and the molten iron must find a way to pass through these rocks to reach the core. A lot of unknown information waiting for scientist to figure out. Because we still rely on drilling methods and simulated predetermined environments.

Should the journey continue?

The deepest hole drilled by human being on Earth and deepest artificial point on Earth. It was created the world record by Russia Kola superdeep borehole. (40,230ft-deep (12.2km)). The drilling was stopped in 1992, when the temperature reached 180C (356F). Perhaps this is a prelude and waiting for human being to explore.

The scientific world has unlimited information waiting for human being to explore. Scientific goals allow us to understand the origin of everything in the world. I hereby to thanks for our digital world especially search engine and unlimited information on internet world. Our journey stop here.

End of this article. Thank you for your reading.

28th Jan 2021 (Moon Phase Tonight: Full Moon)

Perhaps the IoT world should be vigilant – CVE-2021-3177 (26th Jan 2021)

Preface: On macOS, dynamic-link libraries are known as dylib files. This is the equivalent to a DLL on Windows and
a shared library (or .so library) on Linux.

Background: ctypes is a foreign function library for Python. It provides C compatible data types, and allows calling functions in DLLs or shared libraries. It can be used to wrap these libraries in pure Python.

Design objective: Calling C++ libraries from Python allows the developer to build an application that takes advantage of the best of Python and C++. The result is an application that combines both speed and simplicity.

Vulnerability details: There’s a buffer overflow in the ctypes PyCArg_repr() function. (Disclosure date: 2021-01-16)

Design weakness: There’s a buffer overflow in the PyCArg_repr() function in _ctypes/callproc.c.
The buffer overflow happens due to not checking the length of specify sprintf() function.

CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2021-3177

CVE-2021-2018 Vulnerability in the Advanced Networking Option component of Oracle DB Srv (20-01-2021)

Preface: When Oracle has security advisory announce each time, I feel headache because vendor not willing to provide the details.

Vulnerability details: CVE-2021-2018 -Please refer to the link for details: https://nvd.nist.gov/vuln/detail/CVE-2021-2018

Technical Supplement: A large computer foot print around the world in the office is Microsoft window base machine. Therefore DB infrastructure integrate to Active Directory is common. Windows AD server classic way is Kerberos authentication. Oracle database competence support Kerberos. So called configuring the Kerberos authentication adapter. On Nov 2020 Microsoft do the remediation of Kerberos KDC Security Feature Bypass Vulnerability (CVE-2020-17049). When you read the official of Oracle vulnerability (CVE-2021-2018), it say, it is only affects Windows platform only. OK, be my guest. Using your imagination to understand this vulnerability. Great day, great fun!

Ref 1: To setup Kerberos on oracle DB. We will need to make changes in three places: DB Server, Client Workstation & Active Directory.

Ref 2: Kerberos KDC Security Feature Bypass Vulnerability – https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17049

Bugs in popular chat apps let attackers spy on users. (21-01-2021)

Preface: I found logic bugs that allow audio or video to be transmitted without user consent in five mobile applications including Signal, Duo and Facebook Messenger, said Natalie Silvanovich.

Background: Bugs in Signal, Google chat apps let attackers spy on users. Such vulnerability is given by programming code, and was not due to WebRTC functionality. Furthermore , expert found that facebook messenger is vulnerable to this matter perhaps they are not using WebRTC. Facebook official say that they use ‘fbthrift’. What is Thrift. Facebook’s branch of Apache Thrift, including a new C++ server.\ \.

For the details of vulnerability. You can found on the following website – https://googleprojectzero.blogspot.com/2021/01/the-state-of-state-machines.html

Supplement: Discovering this vulnerability let us know the function of Frida hook framework. Frida is a hook framework based on python + javascript. To exploit the design weakness on Facebook Messenger. It was not straightforward because of the amount of reverse engineering required. Finally Frida hook framework complete the task.

Reference: Instrumentation technology

Instrumentation technology refers to injecting additional code into the program to collect runtime information. It can be divided into two types:

(1) Source Code Instrumentation (SCI): Additional code is injected into the program source code.

(2) Binary Instrumentation: Extra code is injected into the binary executable file.

●Static Binary Instrumentation (SBI): Insert additional code and data before program execution to generate a permanently changed executable file.

●Dynamic Binary Instrumentation (DBI): Insert additional code and data in real time while the program is running, without any permanent changes to the executable file.

Cyber security focus – dnsmasq vulnerabilities (20th Jan, 2021)

Preface: On August 27, 2015 Cisco announced it has completed the acquisition of OpenDNS (now branded as Cisco Umbrella). Perhaps they predict that this day will come.

Background: dnsmasq is free software providing Domain Name System (DNS) caching, a Dynamic Host Configuration Protocol (DHCP) server,
router advertisement and network boot features, intended for small computer networks. Dnsmasq is common in Internet-of-Things (IoT) and other embedded devices.

Vulnerability details: Dnsmasq is vulnerable to memory corruption and cache poisoning. For more details, please see the follow links: https://kb.cert.org/vuls/id/434904

Workarounds:

  • Configure dnsmasqnot to listen on WAN interfaces
  • Reduce the maximum queries (–dns-forward-max=). The default is 150.
  • Do a patching
  • Use protocols that provide transport security for DNS (DoT or DoH)
  • Reducing the maximum size of EDNS message (Recommendations related to RFC5625)

Are you worried about UEFI BIOS attacks? (19th Jan, 2021)

Preface: Quite a lot of UEFI vulnerabilities and hardware misconfigurations have been found in past. This is an alert signal. As a matter of fact, the problem is that it’s very difficult to get malicious code into UEFI systems.

Background: Reading the first sector from a disk and loading it to 0x7C00 is a BIOS specific booting protocol. But it never been use. It is a old technology. UEFI bootloaders are loaded from a filesystem. UEFI requires the firmware and operating system loader (or kernel) to be size-matched; for example, a 64-bit UEFI firmware implementation can load only a 64-bit operating system (OS) boot loader or kernel.

Synopsis: A local attacker with access to system memory may exploit the UEFI vulnerability attack. Perhaps this is not the only way.

Dell mitigates design flaws in a specific product (Inspiron 5675). Please refer to the link below. https://www.dell.com/support/kbdoc/zh-hk/000180645/dsa-2020-247-dell-client-platform-security-update-for-uefi-bios-runtimeservices-overwrite-vulnerability

CVE-2021-24122 Apache Tomcat Information Disclosure (14th Jan 2021)

Synopsis:
What is a Reparse Point? According to official information by Microsoft, In NTFS Filesystem, there is a concept called “reparse point. The traditional NTFS junctions and Win10 “Unix-like” symlinks are two different kinds of reparse points.
Starting in Windows 10, version 1607, for the unicode version of this function (FindFirstFileW), you can opt-in to remove the MAX_PATH character limitation without prepending “\\?\”.

Vulnerability details: The existing design weakness affects the function File.getCanonicalPath of the component NTFS File System Handler. The manipulation with an unknown input leads to source code disclosure vulnerability. For details, see attached diagram

Vendor announcement: http://mail-archives.us.apache.org/mod_mbox/www-announce/202101.mbox/%3Cf3765f21-969d-7f21-e34a-efc106175373%40apache.org%3E

Fixed in:
– 10.0.x for 10.0.0-M10 onwards
– 9.0.x for 9.0.40 onwards
– 8.5.x for 8.5.60 onwards
– 7.0.x for 7.0.107 onwards

Stack-based buffer overflow – the biggest enemy of IoT world

Preface:ASLR, NX Zones, and Stack Canaries is hard to avoid such memory design weakness exploit by malware authors.

Background: EIP is a register in x86 architectures (32bit). It is a register that points to the next instruction. In order to avoid malware infiltration. How to keep track of memory location when instructions that are being executed is very important.The EIP register cannot be accessed directly by software; it is controlled implicitly by control-transfer instructions (such as JMP, Jcc, CALL, and RET), interrupts, and exceptions. The only way to read the EIP register is to execute a CALL instruction and then read the value of the return instruction pointer from the procedure stack.

Potential cyber attack: Refer to diagram,the malware listens on TCP port 80, sending an HTTP GET request with 300 or more bytes will trigger buffer overflow overwriting EIP. When malware reach the EIP and overwrite it with a new address that points to his shell code, then it will add something called NOP (No Operation) , then finally the shellcode. And breakdown everything espcially access control of priviliges.

Status: under observation.

While astrologers view planetary alignments as foretellers of disasters. Or is this a rare astronomical phenomenon?

This article was published in January 2021.

Preface: If nine different balls are running on a circular orbit. They always have chance to meet up.

Synopsis: The order of magnitude of the nine planets is Jupiter, Saturn, Uranus, Neptune, Earth, Venus, Mars, Mercury, and Pluto. The moon orbits the Earth once every 27.322 days. It also takes approximately 27 days for the moon to rotate once on its axis. The moon’s rate of rotation nearly matches its orbital period, which keep the same side facing Earth. As a result, the moon does not seem to be spinning but appears to observers from Earth to be keeping almost perfectly still. This is synchronous rotation.

The above shows the moon actual state. Moon running is a synchronous rotation (only one face is visible from the Earth). The moon’s rate of rotation nearly matches its orbital period, which keep the same side facing Earth. Therefore we are not feeling that moon is rotating.

The moon is the Earth’s only satellite,the moon rotation and revolution synchronization affect the Earth’s tides,the moon is located at Lagrange point.So it can be parked and fixed in a certain location.

Reference: Lagrange point – a planet’s small mass can operate in a constant mode, and the gravity of two large masses is exactly equal to the centripetal force required for a small object to move with it.So it can be parked and fixed in a certain location.

A great conjunction

Great conjunctions occur approximately every 20 years when Jupiter “overtakes” Saturn in its orbit. According to NASA, the Jupiter-Saturn phenomenon in 2020 will occur at night for the first time nearly 800 years apart, and it is the closest double star in the past 400 years.

Including the blue moon,13 full moons appear in 2020. In addition, at least three full moons are considered supermoons (it appear larger and brighter than usual). Perhaps of above issues, let people feeling that 2020 is a special year.

Let’s take a review astronomical phenomenon of 2020 (see below):

What will be the astronomical phenomenon in 2021?

What is triple conjunction? A triple conjunction is an astronomical event where two planets or a planet and a star meet each other three times in a short period, either in opposition or at the time of inferior conjunction, if an inferior planet is involved.

On 8th Jan, 2021, rare three-planet conjunction of Mercury, Jupiter and Saturn to illuminate the sky. What’s the next?

Refer to link – https://solarsystem.nasa.gov/whats-up-skywatching-tips-from-nasa/ or table below.

Since ancient age, the witch and foretellers will exploit astronomical phenomenon to do prediction. It is hard to say it is correct or not correct. My idea is that the genesis of earth looks mystery. For instance, the location of moon looks special. It looks that it is artificial.

Some said, the Black Death is created on March 20, 1345, coincidentally a triple conjunction of Saturn, Jupiter and Mars occurs. Ref: https://www.history.com/this-day-in-history/black-death-is-created-allegedly

Does it true or it is a neuroticism. All depends on the decision making by yourself.

End of article.

NSA releases urgent Guidance (ORN U/OO/800922-17), thus urge to public that not to use obsolete TLS configurations (6th Jan,2020)

Preface: However, obsolete TLS configurations are still in use in U.S. Government systems. Perhaps it is being change. According to the Office of Management and Budget (OMB) memorandum M-15-13 all public accessible federal websites and web services are require to only provide through secure connections.

Synopsis: The Internet Engineering Task Force (IETF) published TLS 1.3 in August 2018. TLS 1.2, the version it replaced, was standardized a decade previous, in 2008. Attached diagram shown the examples of TLS Vulnerabilities and Attacks.

Consequent: Using obsolete encryption provides a false sense of security because it seems as though sensitive data is protected.
Network connections employing obsolete encryption protocols are at an elevated risk of exploitation and decryption.

Recommendation: NSA recommends that only TLS 1.2 or 1.3 be used. As a result, SSL 2.0,3.0,TLS 1.1 not be used anymore.If additional interoperability support is need, configurations should use non-deprecated options from NIST SP 800-52r2 as necessary.

Official announcement (NSA Releases Guidance on Eliminating Obsolete TLS Protocol Configurations): https://media.defense.gov/2021/Jan/05/2002560140/-1/-1/0/ELIMINATING_OBSOLETE_TLS_UOO197443-20.PDF