Language Selection

English French German Italian Portuguese Spanish

Security: Updates, AMD, Intel, IBM/Power, Blender 3D, CES and More

Filed under
Security
  • Security updates for Friday
  • AMD processors: Not as safe as you might have thought

    In a posting. Mark Papermaster, AMD's CTO, admitted Google Project Zero (GPZ) Variant 1 (Bounds Check Bypass or Spectre) is applicable to AMD processors. But, Papermaster wrote, "We believe this threat can be contained with an operating system (OS) patch and we have been working with OS providers to address this issue."

  •  

  • AMD CPUs Are Potentially Vulnerable To Spectre / Variant 2

    Last week in light of the Spectre disclosure. AMD believed they were at "near zero risk" to Variant Two / Branch Target Injection. But now the company confirmed last night that's not the case: they are at least potentially vulnerable.

  • AMD Confirms Its Chips Are Affected By Spectre Flaw, Starts Pushing Security Patches
  • Intel Releases Linux CPU Microcodes To fix Meltdown & Spectre Bugs

    On January 8th Intel released new Linux Processor microcode data files that can be used to mitigate the Spectre and and Meltdown vulnerabilities in Intel CPUs. Using microcode files, an operating system can fix known bugs in Intel CPU without having to perform a BIOS update on the computer.

  • Power Systems And The Spectre And Meltdown Threats

    Speculative execution is something that has been part of modern processors for well over a decade, and while it is hard to quantify how much of a performance benefit this collection of techniques have delivered, it is obviously significant enough that all CPUs, including IBM Power and System z chips, have them. And that, as the new Spectre and Meltdown security holes that were announced by Google on January 3 show, turns out to be a big problem.

    Without getting too deep into the technical details, there are many different ways to implement speculative execution, which is used to keep the many instruction pipelines and layers of cache in a processor busy doing what is hoped will be useful work. So much of what a computer does is an IF-THEN-ELSE kind of branch, and being able to pre-calculate the answers to multiple possible branches in an instruction stream is more efficient than following each path independently and calculating the answers in series. The speculative part of the execution involves using statistics to analyze patterns in data and instructions underneath an application and guessing which branches and data will be needed. If you guess right a lot of the time, then the CPU does a lot more work than it might otherwise. There are no modern processors (except for the PowerPC A2 chips used in the BlueGene/Q supercomputers from IBM) that we can find that don’t have speculative execution in some form or another, and there is no easy way to quantify how much of a performance boost it gives.

  • Blender 3D open source platform plagued with arbitrary code vulnerabilities

    Cisco Talos researchers identified multiple unpatched vulnerabilities in the Blender Open Source 3D creation suite that could allow an attacker to run arbitrary code.

  • Technologies That Secure the Home, WiFi and More Debut at CES 2018
  • What is the Future of Wi-Fi?
  • Spectre and Meltdown Attacks Against Microprocessors

    This is bad, but expect it more and more. Several trends are converging in a way that makes our current system of patching security vulnerabilities harder to implement.

  • Four Tips for a More Secure Website

    Security is a hot topic in web development with great reason. Every few months a major website is cracked and millions of user records are leaked. Many times the cause of a breach is from a simple vulnerability that has been overlooked. Here are a few tips to give you a quick overview of standard techniques for making your websites more secure. Note: I do not guarantee a secure website if you follow these suggestions, there are many facets to security that I don’t even touch in this article. This write-up is for increasing awareness about techniques used to correct some common vulnerabilities that appear in web applications.

  • What is DevSecOps? Developing more secure applications

    The simple premise of DevSecOps is that everyone in the software development life cycle is responsible for security, in essence bringing operations and development together with security functions. DevSecOps aims to embed security in every part of the development process. It is about trying to automate core security tasks by embedding security controls and processes early in the DevOps workflow (rather than being bolted on at the end). For example, this could be the case when migrating to microservices, building out a CI/CD pipeline, compliance automation or simply testing cloud infrastructure.

More in Tux Machines

CPod – A Simple, Beautiful And Cross-platform Podcast App

Podcasts have become very popular in the last few years. Podcasts are what’s called “infotainment”, they are generally light-hearted, but they generally give you valuable information. Podcasts have blown up in the last few years, and if you like something, chances are there is a podcast about it. There are a lot of podcast players out there for the Linux desktop, but if you want something that is visually beautiful, has slick animations, and works on every platform, there aren’t a lot of alternatives to CPod. CPod (formerly known as Cumulonimbus) is an open source and slickest podcast app that works on Linux, MacOS and Windows. CPod runs on something called Electron – a tool that allows developers to build cross-platform (E.g Windows, MacOs and Linux) desktop GUI applications. In this brief guide, we will be discussing – how to install and use CPod podcast app in Linux. Read more

today's howtos

Security: Updates, Anonymity, EFF and Open Source Security Podcast

  • Security updates for Monday
  • For Hackers, Anonymity Was Once Critical. That’s Changing.

    “This is a profession for a lot of people now,” she added. “And you can’t fill out a W-9 with your hacker handle.”

    [...]

    “The thing I worry about today,” he added, taking a more serious tone, “is that people don’t get do-overs.” Young people now have to contend with the real-name policy on Facebook, he said, along with the ever-hovering threats of facial-recognition software and aggregated data. “How are you going to learn to navigate in this world if you never get to make a mistake — and if every mistake you do make follows you forever?”

  • EFF Leader: Security Decisions Are Different When Women Are In The Room
    Women will have their technical credentials doubted throughout their career, said the Electronic Frontier Foundation's Eva Galperin, but being able to participate in important privacy and security decisions makes it worthwhile.
  • Open Source Security Podcast: Episode 115 - Discussion with Brian Hajost from SteelCloud
    Josh and Kurt talk to Brian Hajost from SteelCloud about public sector compliance. The world of public sector compliance can be confusing and strange, but it's not that bad when it's explained by someone with experience.

Android Leftovers