The 8 Best Root Vegetables to Eat This Winter
The 8 Best Root Vegetables to Eat This Winter
As the cold winter months approach, it can be harder to find fresh and local produce. Most of the growing season ends with the first frost. You can still find some of the healthiest vegetables year-round but eating somewhat seasonally can be both more economical and more nourishing for your health. The winter months are a perfect time to embrace root vegetables.
These types of vegetables grow underground and tend to persist through the colder months and are harvested during the fall and winter seasons. They are the edible root of the plant which means they store vitamins, minerals, and other nutrients for the plant, making them highly nutritional. Finally, as most root vegetables are somewhat starchy and rich in complex carbohydrates, they can be cooked into comforting, satisfyingly warm dishes on chilly days. Expand your palate this winter with the healthy winter root vegetables introduced below.
It’s common for an app to be organized into a tree of nested components:
For example, you might have components for a header, sidebar, and content area, each typically containing other components for navigation links, blog posts, etc.
To use these components in templates, they must be registered so that Vue knows about them. There are two types of component registration: global and local. So far, we’ve only registered components globally, using Vue.component :
Globally registered components can be used in the template of any root Vue instance ( new Vue ) created afterwards – and even inside all subcomponents of that Vue instance’s component tree.
That’s all you need to know about registration for now, but once you’ve finished reading this page and feel comfortable with its content, we recommend coming back later to read the full guide on Component Registration.
Analyzing a watering hole campaign using macOS exploits
To protect our users, TAG routinely hunts for 0-day vulnerabilities exploited in-the-wild. In late August 2021, TAG discovered watering hole attacks targeting visitors to Hong Kong websites for a media outlet and a prominent pro-democracy labor and political group. The watering hole served an XNU privilege escalation vulnerability (CVE-2021-30869) unpatched in macOS Catalina, which led to the installation of a previously unreported backdoor.
As is our policy, we quickly reported this 0-day to the vendor (Apple) and a patch was released to protect users from these attacks.
Based on our findings, we believe this threat actor to be a well-resourced group, likely state backed, with access to their own software engineering team based on the quality of the payload code.
In this blog we analyze the technical details of the exploit chain and share IOCs to help teams defend against similar style attacks.
The websites leveraged for the attacks contained two iframes which served exploits from an attacker-controlled server—one for iOS and the other for macOS.
The iOS exploit chain used a framework based on Ironsquirrel to encrypt exploits delivered to the victim's browser. We did not manage to get a complete iOS chain this time, just a partial one where CVE-2019-8506 was used to get code execution in Safari.
The macOS exploits did not use the same framework as iOS ones. The landing page contained a simple HTML page loading two scripts—one for Capstone.js and another for the exploit chain.
The parameter rid is a global counter which records the number of exploitation attempts. This number was in the 200s when we obtained the exploit chain.
The exploit chain combined an RCE in WebKit exploiting CVE-2021-1789 which was patched on Jan 5, 2021 before discovery of this campaign and a 0-day local privilege escalation in XNU (CVE-2021-30869) patched on Sept 23, 2021.
Remote Code Execution (RCE)
Loading a page with the WebKit RCE on the latest version of Safari (14.1), we learned the RCE was an n-day since it did not successfully trigger the exploit. To verify this hypothesis, we ran git bisect and determined it was fixed in this commit.
Sandbox Escape and Local Privilege Escalation (LPE)
It was interesting to see the use of Capstone.js, a port of the Capstone disassembly framework, in an exploit chain as Capstone is typically used for binary analysis. The exploit authors primarily used it to search for the addresses of dlopen and dlsym in memory. Once the embedded Mach-O is loaded, the dlopen and dlsym addresses found using Capstone.js are used to patch the Mach-O loaded in memory.
With the Capstone.js configured for X86-64 and not ARM, we can also derive the target hardware is Intel-based Macs.
After the WebKit RCE succeeds, an embedded Mach-O binary is loaded into memory, patched, and run. Upon analysis, we realized this binary contained code which could escape the Safari sandbox, elevate privileges, and download a second stage from the C2.
Analyzing the Mach-O was reminiscent of a CTF reverse engineering challenge. It had to be extracted and converted into binary from a Uint32Array.
Then the extracted binary was heavily obfuscated with a relatively tedious encoding mechanism—each string is XOR encoded with a different key. Fully decoding the Mach-O was necessary to obtain all the strings representing the dynamically loaded functions used in the binary. There were a lot of strings and decoding them manually would have taken a long time so we wrote a short Python script to make quick work of the obfuscation. The script parsed the Mach-O at each section where the strings were located, then decoded the strings with their respective XOR keys, and patched the binary with the resulting strings.
After downloading the payload, it removes the quarantine attribute of the file to bypass Gatekeeper. It then elevated privileges to install the payload.
N-day or 0-day?
Before further analyzing how the exploit elevated privileges, we needed to figure out if we were dealing with an N-day or a 0-day vulnerability. An N-day is a known vulnerability with a publicly available patch. Threat actors have used N-days shortly after a patch is released to capitalize on the patching delay of their targets. In contrast, a 0-day is a vulnerability with no available patch which makes it harder to defend against.
Despite the exploit being an executable instead of shellcode, it was not a standalone binary we could run in our virtual environment. It needed the address of dlopen and dlsym patched after the binary was loaded into memory. These two functions are used in conjunction to dynamically load a shared object into memory and retrieve the address of a symbol from it. They are the equivalent of LoadLibrary and GetProcAddress in Windows.
To run the exploit in our virtual environment, we decided to write a loader in Python which did the following:
- load the Mach-O in memory
- find the address of dlopen and dlsym
- patch the loaded Mach-O in memory with the address of dlopen and dlsym
- pass our payload url as a parameter when running the Mach-O
For our payload, we wrote a simple bash script which runs id and pipes the result to a file in /tmp. The result of the id command would tell us whether our script was run as a regular user or as root.
Having a loader and a payload ready, we set out to test the exploit on a fresh install of Catalina (10.15) since it was the version in which we were served the full exploit chain. The exploit worked and ran our bash script as root. We updated our operating system with the latest patch at the time (2021-004) and tried the exploit again. It still worked. We then decided to try it on Big Sur (11.4) where it crashed and gave us the following exception.
The exception indicates that Apple added generic protections in Big Sur which rendered this exploit useless. Since Apple still supports Catalina and pushes security updates for it, we decided to take a deeper look into this exploit.
Elevating Privileges to Root
The Mach-O was calling a lot of undocumented functions as well as XPC calls to mach_msg with a MACH_SEND_SYNC_OVERRIDE flag. This looked similar to an earlier in-the-wild iOS vulnerability analyzed by Ian Beer of Google Project Zero. Beer was able to quickly recognize this exploit as a variant of an earlier port type confusion vulnerability he analyzed in the XNU kernel (CVE-2020-27932). Furthermore, it seems this exact exploit was presented by Pangu Lab in a public talk at zer0con21 in April 2021 and Mobile Security Conference (MOSEC) in July 2021.
In exploiting this port type confusion vulnerability, the exploit authors were able to change the mach port type from IKOT_NAMED_ENTRY to a more privileged port type like IKOT_HOST_SECURITY allowing them to forge their own sec_token and audit_token, and IKOT_HOST_PRIV enabling them to spoof messages to kuncd.
After gaining root, the downloaded payload is loaded and run in the background on the victim's machine via launchtl. The payload seems to be a product of extensive software engineering. It uses a publish-subscribe model via a Data Distribution Service (DDS) framework for communicating with the C2. It also has several components, some of which appear to be configured as modules. For example, the payload we obtained contained a kernel module for capturing keystrokes. There are also other functionalities built-in to the components which were not directly accessed from the binaries included in the payload but may be used by additional stages which can be downloaded onto the victim's machine.
Notable features for this backdoor include:
- victim device fingerprinting
- screen capture
- file download/upload
- executing terminal commands
- audio recording
Our team is constantly working to secure our users and keep them safe from targeted attacks like this one. We continue to collaborate with internal teams like Google Safe Browsing to block domains and IPs used for exploit delivery and industry partners like Apple to mitigate vulnerabilities. We are appreciative of Apple’s quick response and patching of this critical vulnerability.
For those interested in following our in-the-wild work, we will soon publish details surrounding another, unrelated campaign we discovered using two Chrome 0-days (CVE-2021-37973 and CVE-2021-37976). That campaign is not connected to the one described in today’s post.
AMFinder interface: AMFinder is used either to predict fungal colonisation and intraradical hyphal structures within plant root images (prediction mode), or to train AMFinder neural networks (training mode).
AMFinder was developed using a deep learning system called convolutional neural networks (CNNs). This is a class of artificial neural network is often used to analyse images, where the computer model learns to extract relevant information from pre-analysed data. AMFinder adapts to a wide array of experimental conditions and produces accurate and reproducible analyses of plant root systems. Not only that, “AMFinder improves the way researchers document root colonisation by allowing them to go back to archived computer annotations if needed,” added Sebastian Schornack.
AMFinder accurately identifies colonised root sections and intraradical hyphal structures in several plant species commonly used in mycorrhiza research, including Nicotiana benthamiana, Medicago truncatula, Lotus japonicus, and Oryza sativa, and is compatible with the AM fungi Rhizophagus regularis, Claroideoglomus claroideum, Rhizoglomus microaggregatum, Funneliformis geosporum and Funneliformis mosseae.
This article is also highlighted in FacultyOpinions.
Edouard Evangelisti, Carl Turner, Alice McDowell, Liron Shenhav, Temur Yunusov, Aleksandr Gavrin, Emily K. Servante, Clément Quan, Sebastian Schornack (2021) Deep learning-based quantification of arbuscular mycorrhizal fungi in plant roots, New Phytologist
How to get rid of a toothache at night
A toothache is a painful annoyance, especially at night. Getting a toothache at night can make falling asleep or staying asleep very difficult.
However, there are a number of remedies that may help people find relief and get to sleep, including taking pain relievers or applying a cold compress or even cloves to the tooth.
In this article, learn more about nine home remedies for relieving a toothache at night.
Treating a toothache at night may be more difficult, as there is not much to distract a person from the pain.
However, people can try the following methods to relieve pain:
1. Oral pain medication
Share on Pinterest Oral pain medication may help treat a toothache at night.
Taking over-the-counter (OTC) pain medications such as acetaminophen (Tylenol) or ibuprofen (Advil) is a quick, simple way for many people to effectively reduce mild-to-moderate toothaches.
Always stay within the recommended dosage on the packaging.
If the toothache is severe, it is best to see a dentist and speak to them about stronger pain relievers.
2. Cold compress
Using a cold compress may help ease the pain of a toothache.
Applying a bag of ice wrapped in a towel to the affected side of the face or jaw helps constrict the blood vessels in the area, which can reduce pain to allow a person to fall asleep.
Applying a cold compress to the area for 15–20 minutes every few hours in the evening may also help prevent pain when going to bed.
Pooling blood in the head may cause additional pain and inflammation. For some people, elevating the head with an extra pillow or two may relieve the pain enough for them to fall asleep.
4. Medicated ointments
Some medicated ointments may also help reduce toothache pain. OTC numbing gels and ointments that contain ingredients such as benzocaine may numb the area.
However, benzocaine is not suitable for use by young children.
5. Salt water rinse
A simple salt water rinse is a common home remedy for a toothache.
Salt water is a natural antibacterial agent , so it may reduce inflammation. This, in turn, helps protect damaged teeth from infection.
Rinsing with salt water may also help remove any food particles or debris stuck in the teeth or gums.
6. Hydrogen peroxide rinse
Periodontitis is a serious gum infection that generally occurs as a result of poor oral hygiene. It can cause issues such as soreness, bleeding gums, and teeth that come loose in their sockets.
The author of a 2016 study found that rinsing with hydrogen peroxide mouthwash helped reduce plaque and symptoms of periodontitis.
People should always dilute food-grade hydrogen peroxide with equal parts water. Swish the solution in the mouth, but do not swallow it.
This remedy is not suitable for children, as there is a risk they may accidentally swallow the mixture.
7. Peppermint tea
Swishing peppermint tea or sucking on peppermint tea bags may also help temporarily relieve pain from a toothache.
Researchers note that peppermint contains antibacterial and antioxidant compounds. Menthol, an active ingredient in peppermint, may also have a mild numbing effect on sensitive areas.
Eugenol, which is one of the main compounds in cloves, can reduce tooth pain. The results of a 2015 clinical trial indicated that people who applied eugenol to their gums and socket after having a tooth extracted had less pain and inflammation during healing.
Eugenol acts as an analgesic, which means that it numbs the area. To use clove for a toothache, soak ground cloves in water to make a paste. Then, apply the paste to the tooth, or put it in an empty tea bag and place it in the mouth.
Alternatively, gently chewing or sucking on a single clove and then allowing it to sit near the painful tooth may help relieve pain.
This is not a suitable remedy for children, as they may swallow too much clove. Single cloves can be spiky and painful if a person swallows them.
Share on Pinterest The antibacterial effect of garlic may help kill bacteria in the mouth.
Garlic is a common household ingredient that some people use to relieve toothache pain.
Allicin, which is the main compound in garlic, has a strong antibacterial effect that may help kill the bacteria in the mouth that lead to cavities and tooth pain.
Simply chewing a clove of garlic and allowing it to sit near the tooth may help relieve pain. That said, the taste of raw garlic can be too strong for some people, so this may not be the right solution for everyone.
Tooth decay is a very common cause of a toothache. Tooth decay may lead to cavities if a person does not receive treatment.
Cavities occur when acids and bacteria break through the enamel and eat away at the delicate tissues inside the tooth. This can expose the nerve, causing mild-to-severe pain.
Sinus infections may also cause toothache in some people. This symptom occurs as the infection drains from the head. Symptoms such as pain and pressure from the infection may hurt more at night.
Other potential causes for a toothache include:
- losing a filling
- trauma to the jaw
- a wisdom tooth or adult tooth coming in
- food stuck in the teeth or gums
Toothaches can be painful in the day, but they may seem to get worse at night.
One reason that this may occur is because when a person is lying down, blood rushes to the head. This extra blood in the area may increase the pain and pressure that people feel from a toothache.
Another reason why many aches feel worse at night is because there are fewer distractions. With little else to focus on but the toothache, a person may find it difficult to fall asleep.
Gary Neville suggests root of Man United problems with Ole Gunnar Solskjaer sack prediction
Ole Gunnar Solskjaer is under huge pressure at Manchester United following a fourth defeat in their last six league games at the weekend.
- 13:00, 10 NOV 2021
Former captain Gary Neville believes Manchester United will stand by manager Ole Gunnar Solskjaer until the end of the season.
The Norwegian, who watched his side fall to a fourth defeat in their last six Premier League matches on Saturday, going down 2-0 to cross-city rivals Manchester City, is under enormous pressure, both from the supporters and the United hierarchy.
Despite the pressure on Solskjaer from the United board increasing, the club is not poised to pull the trigger on the former striker just yet, with him almost certain to take charge of next Saturday's clash with Watford at Vicarage Road.
The trip to Watford marks the beginning of a hugely difficult week for United, with trips to Villarreal and Chelsea to come after their visit to Vicarage Road.
Despite their recent woes, Neville believes United will continue to stand by Solskjaer, pointing to their lack of a succession plan being in place.
"The club aren't going to do anything here," Neville told Sky Sports. "Getting Antonio Conte was never, ever going to happen. The hierarchy were never going to appoint him, as great a manager as he is.
"The plan all season has been to stick with Ole Gunnar Solskjaer until the end of the season, and that's where I'm at, even after Saturday. They've got Watford away, Villarreal away and then Chelsea away. That's a horrid, horrid week. This is not going to get any easier in the short term.
"Being that far behind the top with 11 games gone, that can't happen. He's progressed from sixth to third to second, and should have won the Europa League final against Villarreal."
The defeat to Villarreal in Gdansk back in May was a bitter pill for United to swallow. It was seen as a golden opportunity to win their first trophy of the Solskjaer era and sign off for the summer in style.
Instead, United lost the contest on penalties, with goalkeeper David de Gea missing the decisive spot-kick.
For Neville, the defeat to Villarreal, as well as losing any cup match, can have a "real impact on players."
"I hark back to that because when you lose finals, it has a real impact on players," continued the former United defender. "If you win it, the medal around your neck, you get used to winning.
"Going out of the Carabao Cup to West Ham — it's a big problem. That can't happen, it's a trophy you can win.
"The league has almost gone, the Champions League is a long shot because of the quality of teams. The FA Cup and Carabao Cup cannot be dismissed, and going out to West Ham was a really bad situation for the club to be in.
"I think the fans left this stadium on Saturday tired and drained from what they've seen. Thinking: 'Where are we on our journey as a club?'"
United's recent performances, barring the 3-0 win over Tottenham Hotspur, have been more than questionable, especially the displays against both Liverpool and City.
Nevertheless, Neville believes the club had not prepared for questions over Solskjaer's position.
He added: "The club have not prepared for this, not prepared for a new manager, they didn't expect it, they thought everything was sort of plain sailing along.
"They've planned around a structure of way of working in the last two or three years that they're not going to veer away from, but in this moment in time they're going to have to put their helmets on if they're going to defend it."
Root-права на Android: преимущества и недостатки
Существует немало руководств для пользователей, как получить root-права на своем смартфоне, но что вообще такое «root» или «root-права»? В этой статье мы расскажем, что такое root, и какие преимущества и недостатки есть у root-прав.
В основе Android как системы лежит ядро Linux с открытым исходным кодом (Open Source System), поэтому и сам Android — это система с открытым исходным кодом. Многие термины, такие как «root», изначально относились к системе Linux / Unix. В принципе, «root» обозначает аккаунт, у которого есть полный доступ ко всем файлам в системе и права на запись. Поэтому корневая учетная запись или корневой доступ часто сравниваются с правами администратора под Windows, хотя существуют и некоторые различия в деталях.
Root-доступ: основные преимущества и недостатки
|Изменение / добавление системных настроек (например, общесистемный эквалайзер)||Потеря гарантии на устройство|
|Подключение нескольких пользовательских профилей (Multi-User)||Вредоносное ПО может нанести больший вред, чем это было бы без root-прав|
|Настройки CPU / GPU (например, для увеличения мощности)||Неудачный процесс рутирования выводит смартфон из строя (Soft-Brick / Hard-Brick)|
|Удаление предустановленных приложений|
|Настройка интерфейса Android|
|Возможность сделать полный Backup системы|
Как только пользователь получает права администратора или права root на своем устройстве, он может настроить всю систему Android под свои потребности. В качестве основных возможностей можно назвать полную перенастройку пользовательского интерфейса, а также изменение системных настроек. С помощью root, например, можно установить общесистемный эквалайзер, увеличить максимальную громкость и даже перенастроить всю навигацию по меню. Корневой доступ также позволяет удалять предустановленные приложения, поставляемые многими производителями.
Поскольку Android — открытая система, Вы можете не только вносить свои изменения, но и полностью удалить систему и установить кастомную прошивку. Эти пользовательские прошивки часто основаны на «Android Open Source Project» (AOSP) и предлагают множество функций, которые не предоставляются стандартной прошивкой. Каждый разработчик ПЗУ устанавливает свои собственные приоритеты, такие как улучшенный срок службы батареи, более высокая скорость или альтернативные эксплуатационные концепции. Установка пользовательского ПЗУ требует не получения корневого доступа, а разблокировки загрузчика.
Права администратора в системе Android реализуются через такие корневые приложения, как SuperSU и Superuser, что означает, что любое другое приложение, которое требует root-доступа, должно быть вручную запущено через одно из вышеупомянутых приложений.
Получение root-прав несет с собой не только положительные моменты. Прежде чем запустить процедуру рутования устройства, прочитайте о недостатках: в процессе получения root-прав есть определенный риск, так как в случае неудачи Вы можете нарушить работу ОС вплоть до полной потери данных (превратите телефон в «кирпич»). Различают Soft-Brick и Hard-Brick. Soft-Brick — это всего лишь ошибка программного обеспечения, которая не позволяет смартфону загружаться должным образом. Проблема может быть решена просто путем установки новой прошивки. Soft-Brick можно назвать наиболее распространенной формой «кирпича». Очень редко процесс получения root-прав может завершиться тем, что смартфон превратится в полностью нерабочий девайс (Hard-Brick). В таких случаях система повреждена настолько, что доступ к смартфону, а, следовательно, и «спасение» системы невозможны.
Любое приложение с привилегиями root должно запрашивать разрешение на установку
Система Android через root-доступ становится открытой, что увеличивает риск случайной установки вредоносного ПО. Хотя пользователь с правами root и проводит все операции вручную, небрежное прикосновение пальцем или установка предположительно безобидного приложения для корневого каталога может привести к проникновению вредоносного ПО и нанести гораздо больший урон, чем если бы root-прав у пользователя не было.
Распространение гарантийных обязательств на рутованный смартфон
Для многих пользователей наиболее важным моментом является потеря гарантии по договору — гарантия по закону остается. Давайте уточним: гарантия по закону — это юридическое обязательство, которое продавец должен соблюдать, если клиент обнаружил в устройстве дефект, существовавший на момент покупки. Гарантия по договору — добровольная услуга, которая гарантирует покупателю нормальное функционирование товара в течение определенного периода времени после покупки.
Если клиент обнаруживает дефект, который еще не существовал во время покупки, гарантия по договору теряется, если на телефон были получены root-права. Однако и здесь невозможно подвести все случаи под один знаменатель, потому что производители в каждом случае поступают по-разному. Например, HTC косвенно сообщает, что гарантия сохраняется, если дефект не вызван рутованием устройства. Многие другие производители замалчивают этот вопрос или сразу указывают на потерю гарантии в подобных случаях.
Если вы не знаете, как поступить, то можно порекомендовать лишь одно: попытайте удачу, но до этого постарайтесь по возможности удалить все следы root-прав на устройстве.