Merge pull request #17158 from lujun9972/add-MjAyMDAxMjMgSG93IHRvIHN0b3AgdHlwb3NxdWF0dGluZyBhdHRhY2tzLm1kCg==

Automatic topic selection: 20200123 How to stop typosquatting attacks
Xingyu.Wang 2020-01-25 10:01:31 +08:00 committed by GitHub
commit ddbb55277e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 198 additions and 0 deletions

View File

@ -0,0 +1,91 @@
[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (6 things you should be doing with Emacs)
[#]: via: (https://opensource.com/article/20/1/emacs-cheat-sheet)
[#]: author: (Seth Kenlon https://opensource.com/users/seth)
6 things you should be doing with Emacs
======
Here are six things you may not have realized you could do with Emacs.
Then, get our new cheat sheet to get the most out of Emacs.
![Text editor on a browser, in blue][1]
Imagine using Python's IDLE interface to edit text. You would be able to load files into memory, edit them, and save changes. But every action you perform would be defined by a Python function. Making a word all capitals, for instance, calls **upper()**, opening a file calls **open**, and so on. Everything in your text document is a Python object and can be manipulated accordingly. From the user's perspective, it's the same experience as any text editor. For a Python developer, it's a rich Python environment that can be changed and developed with just a few custom functions in a config file.
This is what [Emacs][2] does for the 1958 programming language [Lisp][3]. In Emacs, there's no separation between the Lisp engine running the application and the arbitrary text you type into it. To Emacs, everything is Lisp data, so everything can be analyzed and manipulated programmatically.
That makes for a powerful user interface (UI). But if you're a casual Emacs user, you may only be scratching the surface of what it can do for you. Here are six things you may not have realized you could do with Emacs.
## Use Tramp mode for cloud editing
Emacs has been network-transparent for a lot longer than has been trendy, and today it still provides one of the smoothest remote editor experiences available. The [Tramp mode][4] in Emacs (formerly known as RPC mode) stands for "Transparent Remote (file) Access, Multiple Protocol," which spells out exactly what it offers: easy access to remote files you want to edit over most popular network protocols. The most popular and safest protocol for remote editing these days is [OpenSSH][5], so that's the default.
Tramp is already included in Emacs 22.1 or greater, so to use Tramp, you just open a file in the Tramp syntax. In the **File** menu of Emacs, select **Open File**. When prompted in the mini-buffer at the bottom of the Emacs window, enter the file name using this syntax:
```
`/ssh:user@example.com:/path/to/file`
```
If you are required to log in interactively, Tramp prompts you for your password. However, Tramp uses OpenSSH directly, so to avoid interactive prompts, you can also add your hostname, username, and SSH key path to your **~/.ssh/config** file. Like Git, Emacs uses your SSH config first and only stops to ask for more information in the event of an error.
Tramp is great for editing files that don't exist on your computer, and the user experience is not noticeably any different from editing a local file. The next time you start to SSH into a server just to launch a Vim or Emacs session, try Tramp instead.
## Calendaring
If you parse text better than you parse graphical interfaces, you'll be happy to know that you can schedule your day (or life) in plain text with Emacs but still get fancy notifications on your mobile device with open source [Org mode][6] viewers.
The process takes a little setup to create a convenient way to sync your agenda with your mobile device (I use Git, but you could invoke Bluetooth, KDE Connect, Nextcloud, or your file synchronization tool of choice), and you have to install an Org mode viewer (such as [Orgzly][7]) and a Git client app on your mobile. Once you've got your infrastructure sorted, though, the process is inherently perfectly integrated with your usual (or developing, if you're a new user) Emacs workflow. You can refer to your agenda easily in Emacs, make updates to your schedule, and generally stay on task. Pushing changes to your agenda is reflected on your mobile, so you can stay organized even when Emacs isn't available.
![][8]
Intrigued? Read my step-by-step guide about [calendaring with Org mode and Git][9].
## Access the terminal
There are [lots of terminal emulators][10] available. Although the Elisp terminal emulator in Emacs isn't the greatest general-purpose one, it's got two notable advantages.
1. **Opens in an Emacs buffer: **I use Emacs' Elisp shell because it's conveniently located in my Emacs window, which I often run in fullscreen. It's a small but significant advantage to have a terminal just a **Ctrl+x+o** (or C-x o in Emacs notation) away, and it's especially nice to be able to glance over at it for status reports when it's running a lengthy job.
2. **Easy copying and pasting if no system clipboard is available:** Whether I'm too lazy to move my hand from the keys to the mouse, or I don't have mouse functionality because I'm running Emacs in a remote console, having a terminal in Emacs can sometimes mean a quick transfer of data from my Emacs buffer to Bash.
To try the Emacs terminal, type **Alt**+**x** (**M-x** in Emacs notation), then type **shell**, and press **Return**.
## Use Racket mode
[Racket][11] is an exciting emerging Lisp dialect with a dynamic programming environment, a GUI toolkit, and a passionate community. The default editor when learning Racket is DrRacket, which has a Definitions panel at the top and an Interactions panel at the bottom. Using this setup, the user writes definitions that affect the Racket runtime. Imagine the old [Logo Turtle][12] program, but with a terminal instead of just a turtle.
![Racket-mode][13]
LGPL sample code by PLT
Emacs, being based on Lisp, makes a great integrated development environment (IDE) for advanced Racket coders. It doesn't ship with [Racket mode][14] (yet), but you can install Racket mode and several other helper extensions using the Emacs package installer. To install it, press **Alt**+**X** (**M-x** in Emacs notation), type **package-install**, and press **Return**. Then enter the package you want to install (**racket-mode**), and press **Return**.
Enter Racket mode with **M-x racket-mode**. If you're new to Racket but not to Lisp or Emacs, start with the excellent [Quick introduction to Racket with pictures][15].
## Scripting
You might know that Bash scripts are popular for automating and enhancing your Linux or Unix experience. You may have heard that Python does a pretty good job of that, too. But did you know that Lisp scripts can be run in much the same way? There's sometimes confusion about just how useful Lisp really is because many people are introduced to Lisp through Emacs, so there's the latent impression that the only way to run Lisp in the 21st century is to open an Emacs window. Luckily, that's not the case at all, and Emacs is a great IDE for the tools that enable you to run Lisp scripts as general system executables.
There are two popular modern Lisps, aside from Elisp, that are easy to run as standalone scripts.
1. **Racket:** You can run Racket scripts relying on your system's Racket install to provide runtime support, or you can use **raco exe** to produce an executable. The **raco exe** command packages your code together with runtime support files to create an executable. The **raco distribute** command then packages that executable into a distribution that works on other machines. Emacs has many Racket-specific tools, so creating Racket files in Emacs is easy and efficient.
2. **GNU Guile:** [GNU Guile][16] (short for "GNU Ubiquitous Intelligent Language for Extensions") is an implementation of the [Scheme][17] programming language that's used for creating applications and games for the desktop, internet, terminal, and more. Writing Scheme is easy, using any one of the many Scheme extensions in Emacs. For example, here's a "Hello world" script in Guile: [code] #!/usr/bin/guile -s
!#
(display "hello world")
     (newline) [/code] Compile and run it with the **guile** command: [code] $ guile ./hello.scheme
;;; compiling /home/seth/./hello.scheme
;;; compiled [...]/hello.scheme.go
hello world
$ guile ./hello.scheme
hello world
```
## Run Elisp without Emacs
Emacs can serve as an Elisp runtime, but you don't have to "open" Emacs in the traditional sense. The **\--script** option allows you to run Elisp scripts using Emacs as the engine but without launching the Emacs GUI (not even its terminal-based one). In this example, the **-Q** option causes Emacs to ignore your **.emacs** file to avoid any delays in executing the Elisp script (if your script relies upon something
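Review bot: the file in this hunk is the Emacs cheat-sheet article (see the `subject:` and `via:` header lines), not the typosquatting article named in the PR title and branch, so it looks like an unrelated file was staged alongside the intended one; please confirm it belongs in this PR or split it into its own selection commit. The hunk header announces 91 added lines, but the rendered content stops mid-sentence at "if your script relies upon something" in the "Run Elisp without Emacs" section, so verify that the committed file is complete rather than truncated. Two markup fixes while you are there: drop the backticks around `/ssh:user@example.com:/path/to/file`, since that line already sits inside a code fence, and replace the `[code]` / `[/code]` pseudo-tags around the Guile example and its `guile ./hello.scheme` run with real fences, because the lone closing ``` after the second `hello world` currently leaves an unbalanced fence.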

View File

@ -0,0 +1,107 @@
[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (How to stop typosquatting attacks)
[#]: via: (https://opensource.com/article/20/1/stop-typosquatting-attacks)
[#]: author: (Sam Bocetta https://opensource.com/users/sambocetta)
How to stop typosquatting attacks
======
Typosquatting is a way to lure users into divulging sensitive data to
cybercriminals. Learn how to protect your organization, your open source
project, and yourself.
![Gears above purple clouds][1]
Cybercriminals are turning to social engineering to try to trick unsuspecting people into divulging private information or valuable credentials. It is behind many [phishing scams][2] where the attacker poses as a reputable company or organization and uses it as a front to distribute a virus or other piece of malware.
One such risk is [typosquatting][3], a form of social engineering attack that tries to lure users into visiting malicious sites with URLs that are common misspellings of legitimate sites. These sites can cause significant damage to the reputation of organizations that are victimized by these attackers and harm users who are tricked into entering sensitive details into fake sites. Both system administrators and users need to be aware of the risks and take steps to protect themselves.
Open source software, which is developed and tested by large groups in public repositories, is often lauded for its security benefits. However, when it comes to social engineering schemes and malware implantation, even open source tools can fall victim.
This article looks at the rising trend of typosquatting and what these attacks could mean for open source software in the future.
### What is typosquatting?
Typosquatting is a very specific form of cybercrime that is often tied to a larger phishing attack. It begins with the cybercriminal buying and registering a domain name that is the misspelling of a popular site. For example, the cybercriminal might add an extra vowel or replace an "i" with a lowercase "l" character. Sometimes a cybercriminal obtains dozens of domain names, each with a different spelling variation.
A typosquatting attack does not become dangerous until real users start visiting the site. To make that happen, the criminal runs a phishing scam, typically over email, to urge people to click a link and visit the typosquatting website. Normally these rogue pages have simple login screens bearing familiar logos that try to imitate the real company's design.
If the user does not realize they are visiting a fake website and enters sensitive details, such as their password, username, or credit card number, into the page, the cybercriminal gets full access to that data. If a user is utilizing the same password across several sites, their other online accounts are likely to be exploited as well. This is a cybercriminal's payout: identity theft, ruined credit reports, stolen records, and sometimes worse.
### Some recent attacks
From a company perspective, having a typosquatting attack connected to your domain name can be a public relations disaster, even though you played no direct role in it, because it's seen as irresponsible internet stewardship. As a domain owner, you have a responsibility to be proactive in defending against typosquatting to limit the pain caused by this type of fraud.
A few years ago, many [health insurance customers fell victim][4] to a typosquatting attack when they received a phishing email that pointed to we11point.com, with the number 1 replacing the character "l" in the URL.
When the international domain name rules were changed to allow anyone to register a URL with an extension previously tied to specific countries, it created a brand new wave of typosquatting attacks. One of the most prevalent ones seen today is when a cybercriminal registers a .om domain that matches a popular .com domain to take advantage of accidental omissions of the letter "c" when entering a web address.
### How to protect your website from typosquatting
For companies, the best strategy is to try to stay ahead of typosquatting attacks.
That means spending the money to trademark your domain and purchase all related URLs that could be easy misspellings. You don't need to buy all top-level domain variants of your site name, but at least focus on common misspellings to your primary site name.
If you need to send your users to third-party sites, do so from your official website, not in a mass email. It's important to firmly establish a policy that official communication always and only sends users to your site. That way, should a cybercriminal attempt to spoof communication from you, your users will know something's amiss when they end up on an unfamiliar page or URL structure.
Use an open source tool like [DNS Twist][5] to automatically scan your company's domain and determine whether there could already be a typosquatting attack in progress. DNS Twist runs on Linux operating systems and can be used through a series of shell commands.
Some ISPs offer typosquatting protection as part of their product offering. This functions as an extra layer of web filtering—if a user in your organization accidentally misspells a common URL, they are alerted that the page is blocked and redirected to the proper domain.
If you are a system administrator, consider running your own [DNS server][6] along with a blacklist of incorrect and forbidden domains.
Another effective way to spot a typosquatting attack in progress is to monitor your site traffic closely and set an alert for a sudden decrease in visitors from a particular region. It could be that a large number of your regular users have been redirected to a fake site.
As with almost any form of cyberattack, the key to stopping typosquatting is constant vigilance. Your users are counting on you to identify and shut down any fake sites that are operating under your name, and if you don't, you could lose your audience's trust.
### Typosquatting threats to open source software
Most major open source projects go through security and penetration testing, largely because the code is public. However, mistakes happen under even the best of conditions. Here are some things to watch for if you're involved in an open source project.
When you get a merge request or patch from an unknown source, review it carefully before merging, especially if there's a networking stack involved. Don't fall prey to the temptation of only testing your build; look at the code to ensure that nothing nefarious has been embedded into an otherwise functional enhancement.
Also, use the same rigor in protecting your project's identity as a business does for its domain. Don't let a cybercriminal create alternate download sites and offer a version of your project with additional harmful code. Use digital signatures, like the following, to create an assurance of authenticity for your software:
```
gpg --armor --detach-sig \
\--output advent-gnome.sig \
example-0.0.1.tar.xz
```
You should also provide a checksum for the file you deliver:
```
`sha256sum example-0.0.1.tar.xz > example-0.0.1.txt`
```
Provide these safeguards even if you don't believe your users will take advantage of them, because all it takes is one perceptive user to notice a missing signature on an alternative download to alert you that someone, somewhere is spoofing your project.
### Final thoughts
Humans are prone to making mistakes. When you have millions of people around the world typing in a common web address, it's no surprise that a certain percentage enter a typo in the URL. Cybercriminals are trying to capitalize on that trend with typosquatting.
It's hard to stop cybercriminals from registering domains that are available for purchase, so mitigate against typosquatting attacks by focusing on the ways they spread. The best protection is to build trust with your users and to be diligent in detecting typosquatting attempts. Together, as a community, we can all help ensure that typosquatting attempts are ineffective.
--------------------------------------------------------------------------------
via: https://opensource.com/article/20/1/stop-typosquatting-attacks
作者:[Sam Bocetta][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/sambocetta
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/chaos_engineer_monster_scary_devops_gear_kubernetes.png?itok=GPYLvfVh (Gears above purple clouds)
[2]: https://www.cloudberrylab.com/resources/guides/types-of-phishing/
[3]: https://en.wikipedia.org/wiki/Typosquatting
[4]: https://www.menlosecurity.com/blog/-a-new-approach-to-end-typosquatting
[5]: https://github.com/elceef/dnstwist
[6]: https://opensource.com/article/17/4/build-your-own-name-server
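Review bot: the `\--output advent-gnome.sig` line in the gpg example carries an escaped leading hyphen that renders literally inside a fenced block (backslash escapes are not processed in fenced code), so the command as shown would not parse as `--output`; it should read `--output`. The signature file name also does not match the file being signed, `example-0.0.1.tar.xz`, and since `--armor` produces an ASCII-armored signature the conventional name would be `example-0.0.1.tar.xz.asc`; a matching name makes it obvious which signature belongs to which release. The same double-markup problem appears in the `sha256sum` block, where the command is wrapped in backticks inside a fence. One substantive point for the "alternate download sites" scenario the text describes: a bare checksum file next to the tarball gives no assurance on its own, because whoever can replace the tarball on a mirror can replace the `.txt` beside it, so the paragraph should say that the checksum must be served from the official site and ideally be covered by a detached signature as well, not only the tarball.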