Language Selection

English French German Italian Portuguese Spanish

Security: Meltdown, Spectre, Apple, CoffeeMiner, EMC, VMware and More

Filed under
Security
  • NSA Didn't Know of Meltdown, Spectre, Trump Cyber Czar Says

    The National Security Agency didn't know about the Meltdown or Spectre flaws, White House cybersecurity coordinator Rob Joyce said at the International Conference on Cyber Security at Fordham University Law School here today (Jan. 11).

  • spectre and the end of langsec

    Like many I was profoundly saddened by this analysis. I want to believe in constructive correctness, in math and in proofs. And so with the rise of functional programming, I thought that this historical slide from reason towards observation was just that, historical, and that the "safe" languages had a compelling value that would be evident eventually: that "another world is possible".

    In particular I found solace in "langsec", an approach to assessing and ensuring system security in terms of constructively correct programs. One obvious application is parsing of untrusted input, and indeed the langsec.org website appears to emphasize this domain as one in which a programming languages approach can be fruitful. It is, after all, a truth universally acknowledged, that a program with good use of data types, will be free from many common bugs. So far so good, and so far so successful.

    The basis of language security is starting from a programming language with a well-defined, easy-to-understand semantics. From there you can prove (formally or informally) interesting security properties about particular programs. For example, if a program has a secret k, but some untrusted subcomponent C of it should not have access to k, one can prove if k can or cannot leak to C. This approach is taken, for example, by Google's Caja compiler to isolate components from each other, even when they run in the context of the same web page.

    But the Spectre and Meltdown attacks have seriously set back this endeavor. One manifestation of the Spectre vulnerability is that code running in a process can now read the entirety of its address space, bypassing invariants of the language in which it is written, even if it is written in a "safe" language. This is currently being used by JavaScript programs to exfiltrate passwords from a browser's password manager, or bitcoin wallets.

  • Is Apple Even Paying Attention To macOS Security Anymore?

    A new Mac security flaw lets you type literally any username and password in order to unlock the Mac App Store panel in System Preferences. It’s probably not a big deal practically speaking—the panel is unlocked by default—but the fact that this issue exists at all is a worrying reminder that Apple isn’t prioritizing security like they used to.

  • Ubuntu Linux Unbootable After Users Install Meltdown And Spectre Patches
  • Ubuntu Update For Meltdown And Spectre Chip Flaws Leaves Some PCs Unbootable

    Sometimes the cure is worse than the disease. Just ask the affected users of older AMD systems who had their PCs bricked after downloading and installing a Windows update that was supposed to protect them from Meltdown and Spectre. It is not just Windows users who are suffering, either. Some Ubuntu Xenial 16.04 users also report that the latest update for their OS has rendered their system unable to boot.

  • How CoffeeMiner Attack Hacks Public Wi-Fi And Uses Your PC For Mining Cryptocurrency

    After a series of ransomware attacks capturing the headlines past year, crypto mining malware and cryptojacking attacks came into the play. Just last month, a Starbucks customer found that the infected Wi-Fi hotspot was trying to mine Monero digital coins. It was a new kind of threat associated with using public hotspots, which are often labeled unsafe and users are advised to use VPN services for extra privacy.

  • Prosecutors say Mac spyware stole millions of user images over 13 years

    An indictment filed Wednesday in federal court in Ohio may answer some of those questions. It alleges Fruitfly was the creation of an Ohio man who used it for more than 13 years to steal millions of images from infected computers as he took detailed notes of what he observed.

  • EMC, VMware security bugs throw gasoline on cloud security fire

    While everyone was screaming about Meltdown and Spectre, another urgent security fix was already in progress for many corporate data centers and cloud providers who use products from Dell's EMC and VMware units. A trio of critical, newly reported vulnerabilities in EMC and VMware backup and recovery tools—EMC Avamar, EMC NetWorker, EMC Integrated Data Protection Appliance, and vSphere Data Protection—could allow an attacker to gain root access to the systems or to specific files, or inject malicious files into the server's file system. These problems can only be fixed with upgrades. While the EMC vulnerabilities were announced late last year, VMware only became aware of its vulnerability last week.

  • Malware based on open source Kotlin language discovered lurking in Google Play [Ed: This has nothing to do with "open source". They don't say "proprietary" when the framework is.]

    Basically, it's pretty typical of the malware that crops up in dodgy apps that have wormed their way past the digital bouncers on the Play Store.

  • How to increase Linux security by disabling USB support

    This may sound like a crazy way of enhancing security on a server, but if you can get away with it—as in you don't need any USB devices such as keyboards, mice, external drives—disabling USB support can be an added means of ensuring malicious files do not find their way onto your servers. Obviously, this will only work for headless machines, so you better make certain you can SSH into those servers, otherwise, you'll find yourself in trouble trying to input anything via keyboard or mouse.

More in Tux Machines

Ubuntu 18.10 (Cosmic Cuttlefish) Screenshot Tour and Statistics

  • Ubuntu 18.10 (Cosmic Cuttlefish) Screenshot Tour | What’s New
    Here we are going to take a screenshot tour of the latest release Ubuntu 18.10 (Cosmic Cuttlefish). Let’s go through the recent changes since the earlier long term support release Ubuntu 18.04 (Bionic Beaver). Ubuntu 18.10 (Cosmic Cuttlefish) introduces major user interface changes and more mature interface since Canonical decided ditching Unity desktop environment. Cosmic release ships with Gnome Shell 3.30.1 desktop environment for its main Desktop release and there are more variants of desktop environments you could choose from, check the release notes for further information. The default desktop and login screen “GDM” features the Cuttlefish background with the usual color scheme for Ubuntu desktop releases. It comes with multiple colorful and cheering desktop backgrounds. I will leave a link down below if you are interested to download the default Wallpapers for Ubuntu 18.10 (Cosmic Cuttlefish).
  • Canonical and Ubuntu – user statistics
    Then you arrive at the story of Canonical and Ubuntu and things aren’t quite so clear anymore, lines are blurred. Ubuntu appears everywhere, sometimes accompanied by Canonical, but frequently not. Then sometimes Canonical tries to make an appearance alone and everyone is left asking ‘what is Canonical?’ Well, no more. No more shall wondering what Canonical is be akin to a quiz question of who was the fourth Destiny’s Child. (Answer at the end) We all know Ubuntu, it’s the most popular open source operating system (OS) in the world, loved by developers for a multitude of reasons, it’s where innovation happens, and it’s everywhere. Canonical is described by Wikipedia (let’s face it that’s where your Google search takes you) as a UK-based, “privately held computer software company founded and funded by South African entrepreneur Mark Shuttleworth to market commercial support and related services for Ubuntu and related projects.” Well, that’s pretty accurate, but it doesn’t tell the whole story. You see, Canonical is passionate about Ubuntu. We love it. We all use it and we want everyone else to use the OS because we think it’s the best around and it’ll make your lives a lot easier. Canonical is full of people working on improving and adding to Ubuntu, from the OS to things that rely on the OS at the core but are more related to things such as Kubernetes, yes we really do Kubernetes, or OpenStack, AI/ML, and a whole host of technologies related to the internet of things (IoT).

today's howtos

Licensing in Kate and Other KDE News/Changes

  • MIT licensed KSyntaxHighlighting usage
    With the KDE Frameworks 5.50 release, the KSyntaxHighlighting framework was re-licensed to the MIT license. This re-licensing only covers the actual code in the library and the bundled themes but not all of the syntax highlighting definition data files. One of the main motivation points was to get QtCreator to use this, if possible, instead of their own implementation of the Kate highlighting they needed to create in the past due to the incompatible licensing of KatePart at that time (and the impossibility to do a quick split/re-licensing of the parts in question).
  • This week in Usability & Productivity, part 41
  • KDE Will Now Set Scale Factor For GTK Apps, Plasma Gets Other Scaling & UI Polishing Too
    KDE developer Nate Graham is out with his weekly recap of interesting development activities impacting Plasma, Frameworks, and the Applications stack. When the display scaling factor for KDE is set to an integer, KDE will now export that as well to the GNOME/GTK environment variables of GDK_SCALE/GDK_DPI_SCALE, for helping out GTK applications running on the KDE desktop so they should still scale appropriately. The Wayland behavior was already correct while this should help out GTK X11 applications. The GNOME/GTK scaling though only supports scaling by integer numbers.

Graphics: NVIDIA, Kazan, Sway and Panfrost

  • NVIDIA Developers Express Interest In Helping Out libc++/libstdc++ Parallel Algorithms
    NVIDIA developers have expressed interest in helping the open-source GCC libstdc++ and LLVM Clang libc++ standard libraries in bringing up support for the standardized parallel algorithms. C++17 brings parallelized versions for some of the algorithms exposed by the C++ standard library, but sadly GCC's libstdc++ and LLVM's libc++ do not yet support these parallel algorithms while the rest of their C++17 support is in great shape. Going back over a year Intel has been interested in contributing parallel support code to these C++ standard libraries that could be shared by both projects. The Intel path builds in abstractions for supporting different underlying thread/parallelism APIs.
  • The Rust-Written Kazan Vulkan Driver Lights Up Its Shader Compiler
    This week the Kazan project (formerly known as "Vulkan-CPU") celebrated a small but important milestone in its trek to having a CPU-based Vulkan software implementation. As a refresher, Kazan is the project born as Vulkan-CPU during the 2017 Google Summer of Code. The work was started by student developer Jacob Lifshay and he made good progress last summer on the foundation of the project and continued contributing past the conclusion of that Google-funded program. By the end of the summer he was able to run some simple Vulkan compute tests. He also renamed Vulkan-CPU to Kazan (Japanese for "volcano").
  • Sway 1.0 Beta Released - Offers 100% Compatibility With i3 Window Manager
    The Sway Wayland compositor inspired by X11's i3 window manager is now up to its beta ahead of the big 1.0 release. Sway 1.0 Beta offers "100%" compatibility with the i3 window manager. The Sway 1.0 release has also been working on many other changes including improved window handling, multi-GPU support, virtual keyboard protocol, real-time video capture, tablet support, and many other changes.
  • Panfrost Open-Source GPU Driver Continues Advancing For Mali GPUs
    The Panfrost open-source, community-driven, reverse-engineered graphics driver for ARM Mali graphics processors continues panning out pretty well. Alyssa Rosenzweig has provided an update this weekend on the state of Panfrost for open-source Mali 3D support. The developers involved have been working out some texture issues, various OpenGL / GLES issues around GLMark2, and support now for running Wayland's Weston reference compositor.