
Security: Intel Management Engine (ME), Snyk FUD, and Latest Security Updates

Filed under
Security
  • Replacing x86 firmware with Linux and Go

    The Intel Management Engine (ME), which is a separate processor and operating system running outside of user control on most x86 systems, has long been of concern to users who are security and privacy conscious. Google and others have been working on ways to eliminate as much of that functionality as possible (while still being able to boot and run the system). Ronald Minnich from Google came to Prague to talk about those efforts at the 2017 Embedded Linux Conference Europe.

    He began by noting that most times he is talking about firmware, it is with his coreboot hat on. But he removed said "very nice hat", since his talk was "not a coreboot talk". He listed a number of people who had worked on the project to "replace your exploit-ridden firmware with a Linux kernel", including several from partner companies (Two Sigma, Cisco, and Horizon Computing) as well as several other Google employees.

    The results they achieved were to drop the boot time on an Open Compute Project (OCP) node from eight minutes to 20 seconds. To his way of thinking, that is "maybe the single least important part" of this work, he said. All of the user-space parts of the boot process are written in Go; that includes everything in initramfs, including init. This brings Linux performance, reliability, and security to the boot process and they were able to eliminate all of the ME and UEFI post-boot activity from the boot process.

  • Interview: Why are open-source security vulnerabilities rising? [Ed: Snyk is a FUD firm. It has been smearing Free software a lot lately in an effort to just sell its services.]
  • Security updates for Wednesday

More in Tux Machines

Red Hat: Interview, Releases, Events, Compliance and Finance

Linux Foundation Expansion and Linux Development

  • Deutsche Telekom signs up as platinum member of Linux Foundation Networking
    Deutsche Telekom has doubled down on its commitment to using open source by signing up as a platinum member of Linux Foundation Networking. Earlier this year, the Linux Foundation put some of its open source communities, including the Open Network Automation Platform (ONAP), under the Linux Foundation Networking (LFN) brand in order to foster cross-project collaboration. Mainly thanks to ONAP, the LFN projects currently enable close to 70% of all the world's global mobile subscribers.
  • Deutsche Telekom Joins The Linux Foundation, Deepens Investment in Open Source Networking
  • Samsung Galaxy S Support With The Linux 4.19 Kernel
    Just in case you have your hands still on the Samsung Galaxy S or Galaxy S 4G that were released back in 2010 as once high-end Android smartphones, they have DeviceTree support with the upcoming Linux 4.19 kernel cycle. The DeviceTree additions are currently staged ahead of the Linux 4.19 kernel for these S5Pv210 Aries based smartphones. With this code in place for Linux 4.19, the Galaxy S should at least see working mainline support for storage, PMIC, RTC, fuel gauge, keys, USB, and WiFi working in order.
  • Using the Best CPU Available on Asymmetric Systems
    This is the type of situation with a patch where it might look like a lack of opposition could let it sail into the kernel tree, but really, it just hasn't been thoroughly examined by Linux bigwigs yet. Once the various contributors have gotten the patch as good as they can get it without deeper feedback, they'll probably send it up the ladder for inclusion in the main source tree. At that point, the security folks will jump all over it, looking for ways that a malicious user might force processes all onto only one particular CPU (essentially mounting a denial-of-service attack) or some such thing. Even if the patch survives that scrutiny, one of the other big-time kernel people, or even Linus Torvalds, could reject the patch on the grounds that it should represent a solution for large-scale systems as well as small. Either way, something like Dietmar and Quentin's patch will be desirable in the kernel, because it's always good to take advantage of the full range of abilities of a system. And nowadays, a lot of devices are coming out with asymmetric CPUs and other quirks that never were part of earlier general-purpose systems. So, there's definitely a lot to be gained in seeing this sort of patch go into the tree.

Games: Risin' Goat, CorsixTH, Hegemone Pass, Unreal Engine

Software: Remote Access, EncryptPad, Aria2 WebUI, Qbs

  • Best Linux remote desktop clients of 2018
    This article has been fully updated, and was provided to TechRadar by Linux Format, the number one magazine to boost your knowledge on Linux, open source developments, distro releases and much more. It appeared in issue 220, published February 2017. SSH has been the staple remote access tool for system administrators from day one. Admins use SSH to mount remote directories, backup remote servers, spring-clean remote databases, and even forward X11 connections. The popularity of single-board computers, such as the Raspberry Pi, has introduced SSH into the parlance of everyday desktop users as well. While SSH is useful for securely accessing one-off applications, it’s usually overkill, especially if you aren’t concerned about the network’s security. There are times when you need to remotely access the complete desktop session rather than just a single application. You may want to guide the person on the other end through installing software or want to tweak settings on a Windows machine from the comfort of your Linux desktop yourself.
  • EncryptPad: Encrypted Text Editor For Your Secrets
    EncryptPad is a simple, free and open source text editor that encrypts saved text files and allows protecting them with passwords, key files, or both. It's available on Windows, macOS, and Linux. The application comes with a GUI as well as a command line interface, and it also offers a tool for encrypting and decrypting binary files.
  • Aria2 WebUI: Clean Web Frontend for aria2
    Aria2 WebUI is an open source web frontend for aria2. The software bills itself as the finest interface to interact with aria2. That’s a lofty goal considering the competition from the likes of uGet Download Manager (which offers an aria2 plugin). Aria2 WebUI started as part of the GSOC program 2012. But a lot has changed since the software’s creation under that initiative. While the pace of development has lessened considerably in recent years, the software has not been abandoned.
  • qbs 1.12 released
    We are happy to announce version 1.12.0 of the Qbs build tool. [...] All command descriptions now list the product name to which the generated artifact belongs. This is particularly helpful for larger projects where several products contain files of the same name, or even use the same source file. The vcs module no longer requires a repository to create the header file. If the project is not in a repository, then the VCS_REPO_STATE macro will evaluate to a placeholder string. It is now possible to generate Makefiles from Qbs projects. While it is unlikely that complex Qbs projects are completely representable in the Makefile format, this feature might still be helpful for debugging purposes.