Language Selection

English French German Italian Portuguese Spanish

Security: Updates, AMD, Intel, IBM/Power, Blender 3D, CES and More

Filed under
Security
  • Security updates for Friday
  • AMD processors: Not as safe as you might have thought

    In a posting. Mark Papermaster, AMD's CTO, admitted Google Project Zero (GPZ) Variant 1 (Bounds Check Bypass or Spectre) is applicable to AMD processors. But, Papermaster wrote, "We believe this threat can be contained with an operating system (OS) patch and we have been working with OS providers to address this issue."

  •  

  • AMD CPUs Are Potentially Vulnerable To Spectre / Variant 2

    Last week in light of the Spectre disclosure. AMD believed they were at "near zero risk" to Variant Two / Branch Target Injection. But now the company confirmed last night that's not the case: they are at least potentially vulnerable.

  • AMD Confirms Its Chips Are Affected By Spectre Flaw, Starts Pushing Security Patches
  • Intel Releases Linux CPU Microcodes To fix Meltdown & Spectre Bugs

    On January 8th Intel released new Linux Processor microcode data files that can be used to mitigate the Spectre and and Meltdown vulnerabilities in Intel CPUs. Using microcode files, an operating system can fix known bugs in Intel CPU without having to perform a BIOS update on the computer.

  • Power Systems And The Spectre And Meltdown Threats

    Speculative execution is something that has been part of modern processors for well over a decade, and while it is hard to quantify how much of a performance benefit this collection of techniques have delivered, it is obviously significant enough that all CPUs, including IBM Power and System z chips, have them. And that, as the new Spectre and Meltdown security holes that were announced by Google on January 3 show, turns out to be a big problem.

    Without getting too deep into the technical details, there are many different ways to implement speculative execution, which is used to keep the many instruction pipelines and layers of cache in a processor busy doing what is hoped will be useful work. So much of what a computer does is an IF-THEN-ELSE kind of branch, and being able to pre-calculate the answers to multiple possible branches in an instruction stream is more efficient than following each path independently and calculating the answers in series. The speculative part of the execution involves using statistics to analyze patterns in data and instructions underneath an application and guessing which branches and data will be needed. If you guess right a lot of the time, then the CPU does a lot more work than it might otherwise. There are no modern processors (except for the PowerPC A2 chips used in the BlueGene/Q supercomputers from IBM) that we can find that don’t have speculative execution in some form or another, and there is no easy way to quantify how much of a performance boost it gives.

  • Blender 3D open source platform plagued with arbitrary code vulnerabilities

    Cisco Talos researchers identified multiple unpatched vulnerabilities in the Blender Open Source 3D creation suite that could allow an attacker to run arbitrary code.

  • Technologies That Secure the Home, WiFi and More Debut at CES 2018
  • What is the Future of Wi-Fi?
  • Spectre and Meltdown Attacks Against Microprocessors

    This is bad, but expect it more and more. Several trends are converging in a way that makes our current system of patching security vulnerabilities harder to implement.

  • Four Tips for a More Secure Website

    Security is a hot topic in web development with great reason. Every few months a major website is cracked and millions of user records are leaked. Many times the cause of a breach is from a simple vulnerability that has been overlooked. Here are a few tips to give you a quick overview of standard techniques for making your websites more secure. Note: I do not guarantee a secure website if you follow these suggestions, there are many facets to security that I don’t even touch in this article. This write-up is for increasing awareness about techniques used to correct some common vulnerabilities that appear in web applications.

  • What is DevSecOps? Developing more secure applications

    The simple premise of DevSecOps is that everyone in the software development life cycle is responsible for security, in essence bringing operations and development together with security functions. DevSecOps aims to embed security in every part of the development process. It is about trying to automate core security tasks by embedding security controls and processes early in the DevOps workflow (rather than being bolted on at the end). For example, this could be the case when migrating to microservices, building out a CI/CD pipeline, compliance automation or simply testing cloud infrastructure.

More in Tux Machines

Android Leftovers

The Linux terminal is no one-trick pony

Welcome to another day of the Linux command-line toys advent calendar. If this is your first visit to the series, you might be asking yourself what a command-line toy even is. We’re figuring that out as we go, but generally, it could be a game, or any simple diversion that helps you have fun at the terminal. Some of you will have seen various selections from our calendar before, but we hope there’s at least one new thing for everyone. Read more

Android Leftovers

today's leftovers

  • Get notifications for your patches
    We are trialing out a new feature that can send you a notification when the patches you send to the LKML are applied to linux-next or to the mainline git trees.
  • A simple blank makes the difference
    OFX is the Open Financial eXchange protocol used by various financial institutions in a few countries. KMyMoney provides an OFX client implementation using the open source LibOFX library allowing users to import transactions directly from the bank’s server without using the detour through a web-browser and a downloaded file into the ledger of the application.
  • Fractal December'18 Hackfest (part 1)
    The Tuesday 11th started the second Fractal Hackfest. I've organized this hackfest in Seville, the city where I studied computer science and here I've a lot of friends in the University so is a good place to do it here. The weather was important too for the hackfest selection, in December Seville is a good choice because the weather is not too cold, we're having sunny days. The first day was a good day, thinking about some relevant issues and planning what we want to do. We talked about the work needed for the interface split, about the E2EE support, new features and the need for a new release. We're having some problems with the internet connection, because the University has a restricted network policy and we ask for the guess internet connection the Monday, but we're still waiting.
  • Unexpected fallout from /usr merge in Debian
    Back in 2011, Harald Hoyer and Kay Sievers came up with a proposal for Fedora to merge much of the operating system into /usr; former top-level directories, /bin, /lib, and /sbin, would then become symbolic links pointing into the corresponding subdirectories of /usr. Left out of the merge would be things like configuration files in /etc, data in /var, and user home directories. This change was aimed at features like atomic upgrades and easy snapshots. The switch to a merged /usr was successful for Fedora 17; many other distributions (Arch, OpenSUSE, Mageia, just to name a few) have followed suit. More recently, Debian has been working toward a merged /usr, but it ran into some surprising problems that are unique to the distribution. Debian and its derivatives are definitely late to the /usr merge party. Systems running Debian testing that were initially installed before June 2018 still have /bin, /sbin, and /lib as normal directories, not as symbolic links. The same applies to Ubuntu 18.10. But both Debian and Ubuntu want to make the switch to a merged /usr. Debian tried, but it hit something completely unexpected. The Debian /usr merge history started in 2016, when Marco d'Itri got the usrmerge package into Debian unstable. This package contains a Perl script that converts an existing system into the state with a merged /usr. Also, a change was made to the debootstrap program (which installs a Debian system into a chroot), so that it could create the needed symbolic links by itself before installing any packages. The end result is the same in both cases. [...] The Debian package sed also has /bin/sed, not /usr/bin/sed. In the bug report, the problem is treated like a one-off issue, to be solved by a rebuild. However, on the debian-devel mailing list, Ian Jackson quickly pointed out that the problem is, in fact, due to /usr merge on the build daemons. He suggested that the change should be reverted. Dirk Eddelbuettel seconded that suggestion, and noted that he expects "much more breakage to follow". Indeed, similar problems were triggered in sympow, pari, and monitoring-plugins. Other bugs of this nature can be found by searching the Debian bug tracking system for a special tag (but this search also finds other kinds of issues). [...] The discussion is still in progress, though; no consensus has been reached. A bug was filed against debootstrap by Jackson to revert the change to merge by default for the next release of Debian. Due to the disagreement of the debootstrap maintainer to the proposed change, Jackson reassigned the bug to the Debian Technical Committee, which is the ultimate authority for resolving otherwise unresolvable technical disputes within Debian. There is also a request from the Debian backports FTP master that the default should be the same in Debian stable backports and in Debian testing. Emilio Pozuelo Monfort, a member of the release team, also spoke in favor of reverting to non-merged /usr in new installations. It is impossible to predict now how the Technical Committee will rule. In the worst case for /usr-merge proponents, proper introduction of a merged /usr into Debian may be delayed by a few more years. But, if it votes for keeping the status quo, new end-user systems in the next stable release of Debian will have merged /usr, old but upgraded ones won't, and the build daemons will reliably build packages suitable for both cases, just like what's planned for Ubuntu 19.04. No flag day is needed in this scenario, so it would follow the best Debian traditions of not forcing transitions onto users.
  • Compiz: Ubuntu Desktop's little known best friend
    The best part is that it takes no time at all to get up and running! I’ll show you how to transform Ubuntu into a desktop that is functionally similar to Mac.  
  • How to use TOAD The Open Source Android Deodexer
    Deodexing Android can be a time-consuming process which involves pulling /system files from your Android device, deodexing them using PC tools, and installing them back on your phone. Not to mention that whenever Google releases a new Android version, the process for deodexing ROMs alters – which means tools for deodexing need to play catchup. Many deodexing tools have become defunct due to lack of update from the developers. A new tool called TOAD (The Open Source Android Deodexer) has been released, which aims to not only be incredibly easy, its open-source nature allows the development community to keep it updated with the latest deodexing methods. TOAD utilizes batch files for processing odexed files, so new batch files can easily be added or modified by the development community.
  • Linux group plans show and tell
    The Linux Users’ Group of Davis presents Open Source Computing “Show and Tell” event, an informal open night to talk about and demonstrate programs, computer projects or tricks and tips. Feel free to bring something to show or tell for 10 minutes, from a Raspberry Pi project to tools or utilities that you find handy. Everyone is welcome to join in the fun, whether you’re a hobbyist, coder, enthusiast or sysadmin.
  • Windows 10 tip: Run Ubuntu Linux in an enhanced Hyper-V session [Ed: When Microsoft's Ad Bot (Ad Bought?) covers Ubuntu it's about putting it as a slave of Vista 10, complete with back doors]
  • ​MS-Linux? Lindows? Could Microsoft release a desktop Linux? [Ed: It’s like CBS wants to just hire pro-Microsoft slants; propaganda and clickbait.]
  • How Facebook Made a Universal Open Source Language for the Web
    THE CODE THAT runs the web is a melting pot of programming languages and technologies. JavaScript, the most popular language on the web, is the standard for writing code that runs in your browser. But the server side is much more diverse. Java (no relationship to JavaScript) remains popular, as do PHP, Python, and Ruby. Mobile app developers, meanwhile, have their own preferred languages, like Kotlin for writing Android apps or Apple's Swift for iOS.
  • C Programming Tutorial Part 2 - Preprocessors
    In the first part of our ongoing C programming tutorial series, we briefly touched on the preprocessing stage. In this tutorial, we will discuss it in a little more detail so that you have a basic idea about it before learning other C programming aspects.
  • Microsoft patches 'dangerous' zero-day already being exploited by [cracking] groups

    This vulnerability in kernel image ntoskrnl.exe was reported to Microsoft on 29 October by security vendor Kasperky Lab. Listed as CVE-2018-8611 and classified as 'important', it is a local privilege escalation bug. Kaspersky Lab researchers say it has already been exploited by [cracking] groups FruityArmor and SandCat.

  • Security updates for Thursday