Security: Cleartext Passwords, Windows Problems, and Meltdown Patches/Performance

  • cleartext passwords and transparency

    So let me just jump in with Lars' blog post where he talks about cleartext passwords. While he has actually surmised and shared what a security problem they are, the pity is we come to know of this only because the people in question tacitly admitted to bad practises. How many more such bad actors are there, developers putting user credentials in cleartext? God only knows. There was even an April Fool’s joke in 2014 which shared why putting passwords in cleartext is bad.

  • 911 operator suspended over teen’s death griped about working overtime.

    Plush called 911 again around 3:35 p.m., this time giving Smith a description of the vehicle, a gold Honda Odyssey in the parking lot at Seven Hills — information that never made it to the officers at the scene.

    “This is not a joke,” the teen told Smith. “I’m almost dead.”

    Smith tried to document the call when it came in but her computer screen had frozen, preventing her from entering information immediately, the review found.

  • Defense contractors face more aggressive ransomware attacks

    The rise of ransomware attacks against defense contractors coincides with a rise in the use of ransomware in general. Attacks can spread even after the original target has been hit, hurting unintended victims.

  • A Look At The Meltdown Performance Impact With DragonFlyBSD 5.2

    Besides looking at the HAMMER2 performance in DragonFlyBSD 5.2, another prominent change with this new BSD operating system release is the Spectre and Meltdown mitigations being shipped. In this article are some tests looking at the performance cost of DragonFlyBSD 5.2 for mitigating the Meltdown Intel CPU vulnerability.

    With DragonFlyBSD 5.2 there is the machdep.meltdown_mitigation sysctl for checking on the Meltdown mitigation presence and toggling it. Back in January we ran some tests of DragonFlyBSD's Meltdown mitigation using the page table isolation approach while now testing was done using the DragonFlyBSD 5.2 stable release.

  • A Last Minute Linux 4.17 Pull To Help Non-PCID Systems With KPTI Meltdown Performance

    While the Linux 4.17 kernel merge window is closing today and is already carrying a lot of interesting changes as covered by our Linux 4.17 feature overview, Thomas Gleixner today sent in a final round of x86 (K)PTI updates for Meltdown mitigation with this upcoming kernel release.

    This latest round of page-table isolation updates should help out systems lacking PCID, Process Context Identifiers. The KPTI code makes use of PCID for reducing the performance overhead of this Meltdown mitigation technique. PCID has been around since the Intel Westmere days, but now the latest kernel patches will help offset the KPTI performance impact for systems lacking PCID.
