Language Selection

English French German Italian Portuguese Spanish

Security: Meltdown, Spectre, Apple, CoffeeMiner, EMC, VMware and More

Filed under
  • NSA Didn't Know of Meltdown, Spectre, Trump Cyber Czar Says

    The National Security Agency didn't know about the Meltdown or Spectre flaws, White House cybersecurity coordinator Rob Joyce said at the International Conference on Cyber Security at Fordham University Law School here today (Jan. 11).

  • spectre and the end of langsec

    Like many I was profoundly saddened by this analysis. I want to believe in constructive correctness, in math and in proofs. And so with the rise of functional programming, I thought that this historical slide from reason towards observation was just that, historical, and that the "safe" languages had a compelling value that would be evident eventually: that "another world is possible".

    In particular I found solace in "langsec", an approach to assessing and ensuring system security in terms of constructively correct programs. One obvious application is parsing of untrusted input, and indeed the website appears to emphasize this domain as one in which a programming languages approach can be fruitful. It is, after all, a truth universally acknowledged, that a program with good use of data types, will be free from many common bugs. So far so good, and so far so successful.

    The basis of language security is starting from a programming language with a well-defined, easy-to-understand semantics. From there you can prove (formally or informally) interesting security properties about particular programs. For example, if a program has a secret k, but some untrusted subcomponent C of it should not have access to k, one can prove if k can or cannot leak to C. This approach is taken, for example, by Google's Caja compiler to isolate components from each other, even when they run in the context of the same web page.

    But the Spectre and Meltdown attacks have seriously set back this endeavor. One manifestation of the Spectre vulnerability is that code running in a process can now read the entirety of its address space, bypassing invariants of the language in which it is written, even if it is written in a "safe" language. This is currently being used by JavaScript programs to exfiltrate passwords from a browser's password manager, or bitcoin wallets.

  • Is Apple Even Paying Attention To macOS Security Anymore?

    A new Mac security flaw lets you type literally any username and password in order to unlock the Mac App Store panel in System Preferences. It’s probably not a big deal practically speaking—the panel is unlocked by default—but the fact that this issue exists at all is a worrying reminder that Apple isn’t prioritizing security like they used to.

  • Ubuntu Linux Unbootable After Users Install Meltdown And Spectre Patches
  • Ubuntu Update For Meltdown And Spectre Chip Flaws Leaves Some PCs Unbootable

    Sometimes the cure is worse than the disease. Just ask the affected users of older AMD systems who had their PCs bricked after downloading and installing a Windows update that was supposed to protect them from Meltdown and Spectre. It is not just Windows users who are suffering, either. Some Ubuntu Xenial 16.04 users also report that the latest update for their OS has rendered their system unable to boot.

  • How CoffeeMiner Attack Hacks Public Wi-Fi And Uses Your PC For Mining Cryptocurrency

    After a series of ransomware attacks capturing the headlines past year, crypto mining malware and cryptojacking attacks came into the play. Just last month, a Starbucks customer found that the infected Wi-Fi hotspot was trying to mine Monero digital coins. It was a new kind of threat associated with using public hotspots, which are often labeled unsafe and users are advised to use VPN services for extra privacy.

  • Prosecutors say Mac spyware stole millions of user images over 13 years

    An indictment filed Wednesday in federal court in Ohio may answer some of those questions. It alleges Fruitfly was the creation of an Ohio man who used it for more than 13 years to steal millions of images from infected computers as he took detailed notes of what he observed.

  • EMC, VMware security bugs throw gasoline on cloud security fire

    While everyone was screaming about Meltdown and Spectre, another urgent security fix was already in progress for many corporate data centers and cloud providers who use products from Dell's EMC and VMware units. A trio of critical, newly reported vulnerabilities in EMC and VMware backup and recovery tools—EMC Avamar, EMC NetWorker, EMC Integrated Data Protection Appliance, and vSphere Data Protection—could allow an attacker to gain root access to the systems or to specific files, or inject malicious files into the server's file system. These problems can only be fixed with upgrades. While the EMC vulnerabilities were announced late last year, VMware only became aware of its vulnerability last week.

  • Malware based on open source Kotlin language discovered lurking in Google Play [Ed: This has nothing to do with "open source". They don't say "proprietary" when the framework is.]

    Basically, it's pretty typical of the malware that crops up in dodgy apps that have wormed their way past the digital bouncers on the Play Store.

  • How to increase Linux security by disabling USB support

    This may sound like a crazy way of enhancing security on a server, but if you can get away with it—as in you don't need any USB devices such as keyboards, mice, external drives—disabling USB support can be an added means of ensuring malicious files do not find their way onto your servers. Obviously, this will only work for headless machines, so you better make certain you can SSH into those servers, otherwise, you'll find yourself in trouble trying to input anything via keyboard or mouse.

More in Tux Machines

Licensing With GPL: Greater Certainty

  • A Movement Builds as a Diverse Group of 14 Additional Leaders Seek Greater Predictability in Open Source Licensing
    Today’s announcement demonstrates the expanded breadth and depth of support for the GPL Cooperation Commitment. Companies adopting the commitment now span geographic regions, include eight Fortune 100 companies, and represent a wide range of industries from enterprise software and hardware to consumer electronics, chip manufacturing to cloud computing, and social networking to automotive. The companies making the commitment represent more than 39 percent of corporate contributions to the Linux kernel, including six of the top 10 corporate contributors.1
  • ARM: Arm joins industry leaders in commitment to fair enforcement of open source licenses
    Today, Red Hat announced that several leading technology companies, including Arm, are joining a diverse coalition of organizations that have come together to promote greater predictability in open source license enforcement. Alongside Amazon, Canonical, Linaro, Toyota, VMware and many others we have committed to ensure fair opportunity for our licensees to correct errors in compliance with their GPL and LGPL licensed software before taking action to terminate the licenses.
  • Debian "stretch" 9.5 Update Now Available, Red Hat Announces New Adopters of the GPL Cooperation Commitment, Linux Audio Conference 2018 Videos Now Available, Latte Dock v0.8 Released and More
    Red Hat announced that 14 additional companies have adopted the GPL Cooperation Commitment, which means that "more than 39 percent of corporate contributions to the Linux kernel, including six of the top 10 contributors" are now represented. According to the Red Hat press release, these commitments "reflect the belief that responsible compliance in open source licensing is important and that license enforcement in the open source ecosystem operates by different norms." Companies joining the growing movement include Amazon, Arm, Canonical, GitLab, Intel Corporation, Liferay, Linaro, MariaDB, NEC, Pivotal, Royal Philips, SAS, Toyota and VMware.

Opinion: GitHub vs GitLab

So, Microsoft bought GitHub, and many people are confused or worried. It's not a new phenomenon when any large company buys any smaller company, and people are right to be worried, although I argue that their timing is wrong. Like Microsoft, GitHub has made some useful contributions to free and open-source software, but let's not forget that GitHub's main product is proprietary software. And, it's not just some innocuous web service either; GitHub makes and sells a proprietary software package you can download and run on your own server called GitHub Enterprise (GHE). Let's remember how we got here. BitMover made a tool called BitKeeper, a proprietary version control system that allowed free-of-charge licenses to free software projects. In 2002, the Linux kernel switched to using BitKeeper for its version control, although some notable developers made the noble choice to refuse to use the proprietary program. Many others did not, and for a number of years, kernel development was hampered by BitKeeper's restrictive noncommercial licenses. In 2005, Andrew Tridgell, working at OSDL, developed a client that bypassed this restriction, and as a result, BitMover removed licenses to BitKeeper from all OSDL employees—including Linus Torvalds. Eventually, all non-commercial licenses were stopped, and new licenses included clauses preventing the development of alternative version control systems. As a result of this, two new projects were born: Mercurial and Git. Created in a few short weeks in 2005, Git quickly became the version control system for Linux development. Proprietary version control tools aren't common in free software development, but proprietary collaboration websites have been around for some time. One of the earliest collaboration websites still around today is Sourceforge. Sourceforge was created in the late 1990s by VA Software, and the code behind the project was released in 2000. Read more

Comparing Latencies and Power consumption with various CPU schedulers

The low-latency kernel offering with Ubuntu provides a kernel tuned for low-latency environments using low-latency kernel configuration options. The x86 kernels by default run with the Intel-Pstate CPU scheduler set to run with the powersave scaling governor biased towards power efficiency. While power efficiency is fine for most use-cases, it can introduce latencies due to the fact that the CPU can be running at a low frequency to save power and also switching from a deep C state when idle to a higher C state when servicing an event can also increase on latencies. Read more

csplit: A Better Way to Split File in Linux Based on its Content

Learn some practical examples of the GNU coreutils csplit command for splitting files in Linux. It’s more useful than the popular split command. Read more