Easy Contact
253 Main Ave, Passaic NJ 07055Call 973-777-5656
info@advantagecomputers.com
Fax 973-777-5821

© 2025 ~ All Rights Reserved
Advantage Computer Solutions, Inc
Company
Services
Testimonials
Zack is amazing! I have gone to him with computer issues for the past few years now and he always finds a way to fix things and at a reasonable price. This time I went to Advantage Computer Solutions to find a new laptop. I needed help because like most of us I had no… Read more “Amazing!”
Cannot say enough good things about Zack Rahhal and his team. Professional, smart, sensitive to small biz budgets and a helluva good guy. Could not operate my small biz without them!
stars indeed. So reliable and helpful and kind and smart. We call Al and he is “on it” immediately and such a FABULOUS teacher, patient and terrific. So happy with Advantage Computer Solutions and Al and his AMAZINGLY WONDERFUL STAFF.
I’ve been a customer of the staff at Advantage for many years now. They have never let me down! Whatever my need, however big or small my problem, they have been unfailingly helpful, friendly and professional. Services are performed promptly and effectively, and they are very fair with pricing, too. I am lucky to have… Read more “Whatever my need, unfailingly helpful”
I’ve known the Advantage Team for years. They are the absolute best techs in the field, bar none. I couldn’t tell you how many tens thousands of dollars they saved us over the years; they can be trusted to never scam anyone even though they would do so very easily. The turnaround time is also… Read more “Best Kept Secret”
I had an excellent experience with Advantage. Aside from being extremely professional and pleasant generally, Zack was incredibly responsive and helpful, even before and after my appointment, and really resolved IT issues in my home office that had been plaguing me for years. I am so relieved to not have to think about this anymore!… Read more “Excellent Experience”
Simply The Best! Our company has been working with Advantage Computer Solutions for a few years, Zack and his Team are AWESOME! They are super reliable – whether it’s everyday maintenance or emergencies that may arise, The Advantage Team take care of us! Our team is grateful for their knowledgeable and professional services – a… Read more “Simply The Best!”
The engineering team at Advantage Computers is the best in the business. They are nothing short of technical wizards.
Al, Nasser and Zack have been keeping our operations going for over a decade, taking care of our regular upgrades and our emergency system problems. When we have an emergency, they make it their emergency. Its like having a cousin in the business.
In many cases, exceptional people do not receive recognition for their hard work and superior customer service. We do not want this to be one of those times. Zack Rahhal has been our hardware and technical consultant for our servers, Pc’s and other technical equipment since April 2004 and has provided valuable input and courteous service to… Read more “Exceptional People”
I became a customer about 6-7 months and I can say nothing but great things about this business. Zack takes care of me. I am an attorney and operate my own small firm. I have limited knowledge of computers. Zack is very patient in explaining things. He has offered practical and economical solutions to multiple… Read more “Highly Recommended”
THANK GOD for this local computer repair business who saved me hundreds, my hard drive was messed up, i called the company with warranty they said it would be $600, I went in they did a quick diagnostic, and based on his observations he gave me a step by step of the possible problems and… Read more “Life Savers”
I don’t have enough words to express my appreciation for Nassar and Paul, and the other members of Advantage Computer Solutions. I live in Bergen County and travel to Passaic County because of the trust I have in the competence and honesty of Advantage Computers. What a blessing to have such seasoned and caring professionals… Read more “I don’t have enough words to express my appreciation”
Advantage Computer Solutions is absolutely great. They show up, do what they say they are going to, complete the job without issues (my other computer companies had to keep coming back to fix things they “forgot” to do….) and are fairly priced. Zack is awesome, reliable, dependable, knowledgeable….everything you want in a computer solutions vendor.
Knowledgeable, Reliable, Reasonable Working with Advantage Computers since 1997 for both personal and business tech support has been a rewarding and enjoyable experience. Rewarding, in that the staff is very knowledgeable, approaching needs and issues in a very straightforward, common sense manner, resulting in timely solutions and resolutions. Enjoyable, these guys are really friendly (not… Read more “Knowledgeable, Reliable, Reasonable”
Excellent service! I am the administrator for a busy medical office which relies heavily on our computer system. We have used Advantage Computer Solutions for installation, set-up and for service. The response time is immediate and the staff is often able to provide help remotely. Very affordable and honest…. A++!!! Essex Surgical relies on Advantage… Read more “Excellent service!”
Advantage offers great advice and service I bought parts for my gaming pc online and they put it together in a day for a great price. They are very professional. I was very satisfied with their service. I am a newbie in terms of PC gaming so they gave me great advice on this new piece… Read more “Great Advice and Service”
Our company has been using the services of Advantage Computers since 2006. It was important to find a reliable company to provide us with the technical support both onsite and offsite. It was through a recommendation that we contacted Advantage to have them provide us with a quote to install a new server and update our… Read more “Great Service, Support and Sales”
Our company has been working with Advantage since the 1990’s and have been a loyal client ever since. Advantage does not make it very difficult to be loyal as they offer services from the most intricate and personalized to the global scale. Our company has grown beyond its doors of a local office to National… Read more “Extremely Professional and Passionate”
Advantage Computer Solutions has handled all of our computer and IT needs for the past 2 years. The staff is always professional and the service is always prompt. When your computers are down or not working properly is affects all aspects of your business, it is wonderful to have such a reliable team on our… Read more “Handles all our Office IT”
Since 1996 the Housing Authority of the City of Passaic has been a client of Advantage Computer Solutions. Our Agency has utilized their outstanding services and expertise to solve our technologic problems and growth over the past eighteen years. We would like to personally thank them for proposing cost effective solutions while reducing labor-intense tasks… Read more “Passaic Housing Authority”
“When the computer I use to run my photography business started acting erratically and kept shutting down, I was in a panic. I depend on that computer to deliver final products to my clients. Fortunately, I brought my HP into Advantage for repair and in one day I had my computer back. Not only did… Read more “They made sure EVERYTHING was working”
Innovation and the Roots of Progress
If you look back at the long arc of history, it’s clear that one of the most crucial drivers of real progress in society is innovation
The post Innovation and the Roots of Progress appeared first on WeLiveSecurity
How to SLSA Part 1 – The Basics
Posted by Tom Hennen, Software Engineer, BCID & GOSST
One of the great benefits of SLSA (Supply-chain Levels for Software Artifacts) is its flexibility. As an open source framework designed to improve the integrity of software packages and infrastructure, it is as applicable to small open source projects as to enterprise organizations. But with this flexibility can come a bewildering array of options for beginners—much like salsa dancing, someone just starting out might be left on the dance floor wondering how and where to jump in.
Though it’s tempting to try to establish a single standard for how to use SLSA, it’s not possible: SLSA is not a line dance where everyone does the same moves, at the same time, to the same song. It’s a varied system with different styles, moves, and flourishes. The open source community, organizations, and consumers may all implement SLSA differently, but they can still work with each other.
In this three-part series, we’ll explore how three fictional organizations would apply SLSA to meet their different needs. In doing so, we will answer some of the main questions that newcomers to SLSA have:
Part 1: The basics
Part 2: The details
Part 3: Putting it all together
The Situation
Our fictional example involves three organizations that want to use SLSA:
Squirrel: a package manager with a large number of developers and users
Oppy: an open source operating system with an enterprise distribution
Acme: a mid sized enterprise.
Squirrel wants to make SLSA as easy for their users as possible, even if that means abstracting some details away. Meanwhile, Oppy doesn’t want to abstract anything away from their users under the philosophy that they should explicitly understand exactly what they’re consuming.
Acme is trying to produce a container image that contains three artifacts:
This series demonstrates one approach to using SLSA that lets Acme verify the Squirrel and Oppy packages ‘foo’ and ‘baz’ and its customers verify the container image. Though not every suggested solution is perfect, the solutions described can be a starting point for discussion and a foundation for new solutions.
Basics
In order to SLSA, Squirrel, Oppy, and Acme will all need SLSA capable build services. Squirrel wants to give their maintainers wide latitude to pick a builder service of their own. To support this, Squirrel will qualify some build services at specific SLSA levels (meaning they can produce artifacts up to that level). To start, Squirrel plans to qualify GitHub Actions using an approach like this, and hopes it can achieve SLSA 4 (pending the result of an independent audit). They’re also willing to qualify other build services as needed. Oppy on the other hand, doesn’t need to support arbitrary build services. They plan to have everyone use their Autobuilder network which they hope to qualify at SLSA 4 (they’ll conduct the audit/certification themselves). Finally, Acme plans to use Google Cloud Build which they’ll self-certify at SLSA 4 (pending the result of a Google-conducted audit).
Squirrel, Oppy, and Acme will follow a similar qualification process for the source control systems they plan to support.
Verification options
Full verification
At some point, one or more of the organizations will need to do full verification of each artifact to determine if it is acceptable for a given use case. This is accomplished by checking if the artifact meets the appropriate policy.
Typically, full verification would take place with SLSA provenance, source attestations, and perhaps other specialized attestations (like vulnerability scan results). While having to coordinate this data for all of its dependencies seems like a lot of work to Acme, they’re prepared to do full verification if Squirrel and Oppy are unable to.
When Acme isn’t using full verification, they can instead use delegated verification where they check if an artifact is acceptable for a use case by checking if some other trusted party who performed a full verification (such as Squirrel or Oppy) believes the artifact is acceptable.
Delegated verification is easier to perform quickly with limited data and network connectivity. It may also be easier for some users who value if someone they trust verified the artifact is good.
Squirrel likes how easy delegated verification would make things for their users and plans to support it by creating a Verification Summary Attestation (VSA) when they perform full verification.
Verification (full or delegated) could happen at a number of different times.
Squirrel plans to perform full verification when an artifact is published to their repo. This will ensure that packages in the repo have met their corresponding policy. It’s also helpful because all the required data can be gathered when latency isn’t critical.
If this were the only time verification is performed, it would put the repository’s storage in the trusted computing base (TCB) of its users. Squirrel’s plans to use delegated verification (and issue VSAs) can prevent this. The signature on the VSA will prevent the artifacts from being tampered with while sitting in storage, even if they’re just SLSA 0. Downstream users will just need to verify the VSA.
Acme also wants to do some sort of verification on the import to their internal repo since it simplifies their security story. They’re not quite sure what this will look like yet.
Acme also wants to do verification when an artifact is actually installed since it can remove a number of intermediaries from their TCB (their repo, the network, upstream storage systems).
If they perform full verification at install then they must gather all the required information. That could be a lot of data, but it might be simplified by gathering the data from external sources and caching it in their internal repo. A larger problem is that it requires Acme to have established trust in all parties that produced that information (e.g. every builder of every package). For a complex supply chain that may be difficult.
If Acme performs delegated verification, they only need the VSA for the packages being installed and to explicitly trust a handful of parties. This allows the complex full verification to be performed once while allowing all users of that package to perform a much simpler operation.
Given these tradeoffs Acme prefers delegated verification at install time. Squirrel also really likes the idea and plans to build install time verification directly into the Squirrel tool.
Time of use verification allows the most context with which decisions can be made (“is this job allowed to run this code and is it free from vulns right now?”). It also allows policy changes to affect already built & installed software (which may or may not be desirable).
Acme wants their users to be able to verify on use without too many dependencies so they plan to provide VSAs users can use to perform delegated verification when they start the container (perhaps using something like Kyverno).
How to handle artifacts without provenance?
Inevitably a build or system may require that an artifact without ‘original’ provenance is used. In these cases it may be desirable for the importer to generate provenance that details where it got this artifact. For example, this generated provenance shows that http://example.com/foo.tgz with sha256:abc was imported by ‘auto-importer’:
Such an artifact would likely not be accepted at higher SLSA levels, but the provenance can be used to: 1) prevent tampering with the artifact after it’s been imported and 2) be a data point for future analysis (e.g. should we prioritize asking for foo.tgz to be distributed with native SLSA provenance?).
Acme might be interested in taking this approach at some point, but they don’t need it at the moment.
Next time
In our next post we’ll cover specific approaches that can be used to answer questions like “where should attestations and policies be stored?” and “how do I trust the attestations that I receive?”
Industroyer2: Industroyer reloaded
This ICS-capable malware targets a Ukrainian energy company
The post Industroyer2: Industroyer reloaded appeared first on WeLiveSecurity
Week in security with Tony Anscombe
Fake e-shops & Android malware – A journey into the dark recesses of the world wide web – Keeping your cloud resources safe
The post Week in security with Tony Anscombe appeared first on WeLiveSecurity
How secure is your cloud storage? Mitigating data security risks in the cloud
As cloud systems are increasingly the bedrock on which digital transformation is built, keeping a close eye on how they are secured is an essential cybersecurity best practice
The post How secure is your cloud storage? Mitigating data security risks in the cloud appeared first on WeLiveSecurity
Improving software supply chain security with tamper-proof builds
Posted by Asra Ali and Laurent Simon, Google Open Source Security Team (GOSST)
Many of the recent high-profile software attacks that have alarmed open-source users globally were consequences of supply chain integrity vulnerabilities: attackers gained control of a build server to use malicious source files, inject malicious artifacts into a compromised build platform, and bypass trusted builders to upload malicious artifacts.
Each of these attacks could have been prevented if there were a way to detect that the delivered artifacts diverged from the expected origin of the software. But until now, generating verifiable information that described where, when, and how software artifacts were produced (information known as provenance) was difficult. This information allows users to trace artifacts verifiably back to the source and develop risk-based policies around what they consume. Currently, provenance generation is not widely supported, and solutions that do exist may require migrating build processes to services like Tekton Chains.
This blog post describes a new method of generating non-forgeable provenance using GitHub Actions workflows for isolation and Sigstore’s signing tools for authenticity. Using this approach, projects building on GitHub runners can achieve SLSA 3 (the third of four progressive SLSA “levels”), which affirms to consumers that your artifacts are authentic and trustworthy.
Provenance
SLSA (“Supply-chain Levels for Software Artifacts”) is a framework to help improve the integrity of your project throughout its development cycle, allowing consumers to trace the final piece of software you release all the way back to the source. Achieving a high SLSA level helps to improve the trust that your artifacts are what you say they are.
This blog post focuses on build provenance, which gives users important information about the build: who performed the release process? Was the build artifact protected against malicious tampering? Source provenance describes how the source code was protected, which we’ll cover in future blog posts, so stay tuned.
Go prototype to generate non-forgeable build provenance
To create tamperless evidence of the build and allow consumer verification, you need to:
The full isolation described in the first two points allows consumers to trust that the provenance was faithfully recorded; entities that provide this guarantee are called trusted builders.
Our Go prototype solves all three challenges. It also includes running the build inside the trusted builder, which provides a strong guarantee that the build achieves SLSA 3’s ephemeral and isolated requirement.
How does it work?
Leveraging GitHub’s reusable workflows provides the isolation mechanism from both maintainers’ caller workflows and from the build process. Within the workflow, Github Actions creates fresh instances of virtual machines (VMs), called runners, for each job. These separate VMs give the necessary isolation for a trusted builder, so that different VMs compile the project and generate and sign the SLSA provenance (see diagram below).
Running the workflow on GitHub-hosted runners gives the guarantee that the code run is in fact the intended workflow, which self-hosted runners do not. This prototype relies on GitHub to run the exact code defined in the workflow.
The reusable workflow also protects against possible interference from maintainers, who could otherwise try to define the workflow in a way that interferes with the builder. The only way to interact with a reusable workflow is through the input parameters it exposes to the calling workflow, which stops maintainers from altering information via environment variables, steps, services and defaults.
To protect against the possibility of one job (e.g. the build step) tampering with the other artifacts used by another job (the provenance step), this approach uses a trusted channel to protect the integrity of the data. We use job outputs to send hashes (due to size limitations) and then use the hashes to verify the binary received via the untrusted artifact registry.
OpenID Connect (OIDC) is a standard used across the web for identity providers (e.g., Google) to attest to the identity of a user for a third party. GitHub now supports OIDC in their workflows. Each time a workflow is run, a runner can mint a unique JWT token from GitHub’s OIDC provider. The token contains verifiable information of the workflow identity, including the caller repository, commit hash, trigger, and the current (reuseable) workflow path and reference.
Using OIDC, the workflow proves its identity to Sigstore’s Fulcio root Certificate Authority, which acts as an external verification service. Fulcio signs a short-lived certificate attesting to an ephemeral signing key generated in the runner and tying it to the workload identity. A record of signing the provenance is kept in Sigstore’s transparency log Rekor. Users can use the signing certificate as a trust anchor to verify that the provenance was authenticated and non-forgeable; it must have been created inside the trusted builder.
Verification
See an example in action in the official repository.
Performing these steps guarantees to the consumer that the binary was produced in the trusted builder at a given commit hash attested to in the provenance. They can trust that the information in the provenance was non-forgeable, allowing them to trust the build “recipe” and trace their artifact verifiably back to the source.
Extra Bonus: Keyless signing
One extra benefit of this method is that maintainers don’t need to manage or distribute cryptographic keys for signing, avoiding the notoriously difficult problem of key management. The OIDC protocol requires no hardcoded, long-term secrets be stored in GitHub’s secrets, which sidesteps the potential problem of key mismanagement invalidating the SLSA provenance. Consumers simply use OIDC to verify that the binary artifact was built from a trusted builder that produced the expected provenance.
Next Steps
Utilizing the SLSA framework is a proven way for ensuring software supply-chain integrity at scale. This prototype shows that achieving high SLSA levels is easier than ever thanks to the newest features of popular CI/CD systems and open-source tooling. Increased adoption of tamper-safe (SLSA 3+) build services will contribute to a stronger open-source ecosystem and help close one easily exploited gap in the current supply chain.
We encourage testing and adoption and welcome any improvements to the project. Please share feedback, comments and suggestions at slsa-github-generator-go and slsa-verifier project repositories. We will officially release v1 in a few weeks!
In follow-up posts, we will demonstrate adding non-forgeable source provenance attesting to secure repository settings, and showcase the same techniques for other build toolchains and package managers, etc. Stay tuned!
Fake e‑shops on the prowl for banking credentials using Android malware
ESET researchers analyzed three malicious applications targeting customers of eight Malaysian banks
The post Fake e‑shops on the prowl for banking credentials using Android malware appeared first on WeLiveSecurity
Find and $eek! Increased rewards for Google Nest & Fitbit devices
Posted by Medha Jain, Program Manager, Devices & Services Security
At Google, we constantly invest in security research to raise the bar for our devices, keeping our users safe and building their trust in our products. In 2021, we published Google Nest security commitments, in which we committed to engage with the research community to examine our products and services and report vulnerabilities.
We are now looking to deepen this relationship and accelerate the path toward building more secure devices. Starting today, we will introduce a new vulnerability rewards structure for submissions impacting smart home (Google Nest) and wearables (Fitbit) devices through our Bug Hunters platform.
Bonus!
We are paying higher rewards retroactively for eligible Google Nest and Fitbit devices reports submitted in 2021. And, starting today, for the next six months, will double the reward amount for all new eligible reports applicable to Google Nest & Fitbit devices in scope.
We will continue to take reports on our web applications, services, and mobile apps at their existing reward levels. Please keep those coming!
An enhanced rewards program
Building on our previous programs to improve devices’ embedded security posture, we’re bringing all our first-party devices under a single program, starting with Google Nest, Fitbit, and Pixel.
This program extends the Android Security Reward Program, making it easier for researchers to submit a vulnerability in first-party devices and improving consistency across our severity assignments. Refer to the Android and Google Devices Security Reward Program for more details.
What interests us?
We encourage researchers to report firmware, system software, and hardware vulnerabilities. Our wide diversity of platforms provides researchers with a smorgasbord of environments to explore.
What’s next?
We will be at the Hardwear.io conference this year! The VRP team is looking forward to meeting our security peers in person. We’ll be talking about the architecture of a couple of our devices, hoping to give security researchers a head start in finding vulnerabilities. We’ll have plenty of swag, too!
We will continue to enhance the researchers’ experience and participation. We intend to add training documentations and target areas that interest us as we grow the program.
A huge thanks to Sarah Jacobus, Adam Bacchus, Ankur Chakraborty, Eduardo’ Vela” <Nava>, Jay Cox, and Nic Watson.
We’re going on Tor
If better privacy and anonymity sound like music to your ears, you may not need to look much further than Tor Browser. Here’s what it’s like to surf the dark web using the browser.
The post We’re going on Tor appeared first on WeLiveSecurity
Week in security with Tony Anscombe
Under the hood of Wslink’s VM – The energy sector & cyber-risk – SMB cybersecurity survival tips
The post Week in security with Tony Anscombe appeared first on WeLiveSecurity