Security: Updates, Equifax, Black Duck FUD, Emacs 25.3, and Measuring Security

Filed under
Security
  • Security updates for Monday
  • Researchers use Windows 10 Linux subsystem to run malware

    The provision of a Linux subsystem on Windows systems — a new Windows 10 feature known as Subsystem for Linux (WSL) — has made it possible to run known malware on such systems and bypass even the most common security solutions, security researchers at Check Point claim.

    In a detailed blog post, researchers Gal Elbaz and Dvir Atias said they had dubbed this technique of getting malware onto a Windows system as Bashware, with Bash being the default shell on a large number of Linux distributions.

  • Episode 62 - All about the Equifax hack
  • Equifax moves to fix weak PINs for “security freeze” on consumer credit reports

    As Equifax moved to provide consumers the ability to protect their credit reports on the heels of a major data breach, some of the details of the company's response were found lacking. As consumers registered and moved to lock their credit reports—in order to prevent anyone who had stolen data from opening credit in their name—they found that the security personal identification number (PIN) provided in the locking process was potentially insecure.

    [...]

    The PIN revelation came on the heels of concerns that Equifax was attempting to block the ability of those checking to see if their data was exposed or enrolling in the TrustedID Premiere service to sue Equifax over the breach. An Equifax spokesperson said that the arbitration clause in the Terms of Service for TrustedID Premier only applied to the service itself, not to the breach.

  • Unpatched Open Source Software Flaw Blamed for Massive Equifax Breach [Ed: But this claim has since then been retracted, so it might be fake news]
  • Equifax Breach Blamed on Open-Source Software Flaw [Ed: This report from a News Corp. tabloid has since been retracted, so why carry on linking to it?]
  • The hidden threat lurking in an otherwise secure software stack [Ed: Yet another attack on FOSS security, courtesy of the Microsoft-connected Black Duck]
  • [ANNOUNCE] Emacs 25.3 released
  • Emacs 25.3 Released To Fix A Security Vulnerability Of Malicious Lisp Scripts

    GNU Emacs 25.3 is now available, but it doesn't offer major new features; rather, it fixes a security vulnerability.

    Emacs' x-display decoding feature within the Enriched Text mode could lead to executing arbitrary malicious Lisp code within the text.

  • Measuring security: Part 1 - Things that make money

    If you read my previous post on measuring security, you know I broke measuring into three categories. I have no good reason to do this other than it's something that made sense to me. There are, without question, better ways to split these apart; I'm sure there is even overlap, but that's not important. What actually matters is to start a discussion on measuring what we do. The first topic is about measuring security that directly adds to revenue, such as a product or service.

    [...]

    I see a lot of groups that don't do any of this. They wander in circles sometimes adding security features that don't matter, often engineering solutions that customers only need or want 10% of. I'll never forget when I first looked at actual metrics on new features and realized something we wanted to add was going to have a massive cost and generate zero additional revenue (it may have actually detracted in future product sales). On this day I saw the power in metrics. Overnight my group became heroes for saving everyone a lot of work and headaches. Sometimes doing nothing is the most valuable action you can take.

More in Tux Machines

Android Leftovers

Baidu puts open source deep learning into smartphones

A year after it open-sourced its PaddlePaddle deep learning suite, Baidu has dropped another piece of AI tech into the public domain: a project to put AI on smartphones. Mobile Deep Learning (MDL) landed at GitHub under the MIT license a day ago, along with the exhortation “Be all eagerness to see it”. MDL is a convolution-based neural network designed to fit on a mobile device. Baidu said it is suitable for applications such as recognising objects in an image using a smartphone's camera.

AMD and Linux Kernel

  • Ataribox runs Linux on AMD chip and will cost at least $250
    Atari released more details about its Ataribox game console today, disclosing for the first time that the machine will run Linux on an Advanced Micro Devices processor and cost $250 to $300. In an exclusive interview last week with GamesBeat, Ataribox creator and general manager Feargal Mac (short for Mac Conuladh) said Atari will begin a crowdfunding campaign on Indiegogo this fall and launch the Ataribox in the spring of 2018. The Ataribox will launch with a large back catalog of the publisher’s classic games. The idea is to create a box that makes people feel nostalgic about the past, but it’s also capable of running the independent games they want to play today, like Minecraft or Terraria.
  • Linux 4.14 + ROCm Might End Up Working Out For Kaveri & Carrizo APUs
    It looks like the upstream Linux 4.14 kernel may end up playing nicely with the ROCm OpenCL compute stack, if you are on a Kaveri or Carrizo system. While ROCm is promising as AMD's open-source compute stack complete with OpenCL 1.2+ support, its downside is that for now not all of the necessary changes to the Linux kernel drivers, LLVM Clang compiler infrastructure, and other components are yet living in their upstream repositories. So for now it can be a bit hairy to setup ROCm compute on your own system, especially if running a distribution without official ROCm packages. AMD developers are working to get all their changes upstreamed in each of the respective sources, but it's not something that will happen overnight and given the nature of Linux kernel development, etc, is something that will still take months longer to complete.
  • Latest Linux kernel release candidate was a sticky mess
    Linus Torvalds is not noted as having the most even of tempers, but after a weekend spent scuba diving, a glitch in the latest Linux kernel release candidate saw the Linux overlord merely label the mess "nasty". The release cycle was following its usual cadence when Torvalds announced Linux 4.14 release candidate 2, just after 5:00PM on Sunday, September 24th.
  • Linus Torvalds Announces the Second Release Candidate of Linux Kernel 4.14 LTS
    Development of the Linux 4.14 kernel series continues with the second Release Candidate (RC) milestone, which Linus Torvalds himself announced this past weekend. The update brings more updated drivers and various improvements. Linus Torvalds kicked off the development of Linux kernel 4.14 last week when he announced the first Release Candidate, and now the second RC is available, packed full of goodies. These include updated networking, GPU, and RDMA drivers; improvements to the x86, ARM, PowerPC, PA-RISC, MIPS, and s390 hardware architectures; and various core networking, filesystem, and documentation changes.

Red Hat: ‘Hybrid Cloud’, University of Alabama, Red Hat Upgrades Ansible and Expectations