Security: SELinux, Dirk Hohndel, Gentoo, Arch Linux AUR Package Repository

Filed under: Security
  • Lukas Vrabec: Why do you see DAC_OVERRIDE SELinux denials?
  • With So Many Eyeballs, Is Open Source Security Better? [Ed: Ask a FOSS company. Not VMware. VMware puts back doors in its proprietary software blobs.]

    Back in 1999, Eric Raymond coined the term "Linus' Law," which stipulates that given enough eyeballs, all bugs are shallow.

    Linus' Law, named in honor of Linux creator Linus Torvalds, has for nearly two decades been used by some as a doctrine to explain why open source software should have better security. In recent years, open source projects and code have experienced multiple security issues, but does that mean Linus' Law isn't valid?

    According to Dirk Hohndel, VP and Chief Open Source Officer at VMware, Linus' Law still works, but there are larger software development issues that impact both open source as well as closed source code that are of equal or greater importance.

  • The aftermath of the Gentoo GitHub hack [Ed: What a bad choice of password leads to.]

    Late last month (June 28), the Gentoo GitHub repository was attacked after someone gained control of an admin account. All access to the repositories was soon removed from Gentoo developers. Repository and page content were altered. But within 10 minutes of the attacker gaining access, someone noticed something was going on, 7 minutes later a report was sent, and within 70 minutes the attack was over. Legitimate Gentoo developers were shut out for 5 days while the dust settled and repairs and analysis were completed.

  • New Variant of Spectre Security Flaw Discovered: Speculative Buffer Overflows

    Security researchers Vladimir Kiriansky (MIT) and Carl Waldspurger (Carl Waldspurger Consulting) have published a paper to disclose a new variant of the infamous Spectre security vulnerability, which creates speculative buffer overflows.

    In their paper, the two security researchers explain the attacks and defenses for the new Spectre variant they discovered, which they call Spectre1.1 (CVE-2018-3693), a new variant of the first Spectre security vulnerability unearthed earlier this year and later discovered to have multiple other variants.

    The new Spectre flaw leverages speculative stores to create speculative buffer overflows. By analogy with classic buffer overflow security flaws, the new Spectre vulnerability is also known as "Bounds Check Bypass Store" or BCBS, to distinguish it from the original speculative execution attack.

  • AT&T acquires open-source threat intelligence firm

    As AT&T continues down its network virtualization efforts using the open-source Open Networking Automation Platform (ONAP), the operator has acquired cybersecurity firm AlienVault, which uses open-source software to provide what the companies call “threat intelligence.” Financial details of the transaction were not disclosed; AT&T expects the deal to close in Q3 this year.

  • Malware Found in Arch Linux AUR Package Repository

    Malware has been discovered in at least three Arch Linux packages available on AUR (Arch User Repository), the official Arch Linux repository of user-submitted packages.

    The malicious code has been removed thanks to the quick intervention of the AUR team.

  • Amateur bid to add code to Arch Linux packages found and squashed

More in Tux Machines

today's leftovers

  • GUADEC 2018 Reminiscences
    This year’s GUADEC in Almería, Spain, was over two months ago, and so here is a long overdue post about it. It was so long ago that I might as well call it a reminiscence! This will be a different kind of post than the ones I’ve done in past years, as plenty of other bloggers have already posted summaries about the talks.
  • Rugged, Linux-ready transportation PC has four SIM slots
    Nexcom’s Apollo Lake based “VTC 6220-BK” in-vehicle PC features triple displays, 2x SATA bays, 3x GbE with optional PoE, Ublox GPS, and 4x mini-PCIe or M.2 slots paired with SIM slots. Intel-based in-vehicle computers have been around for a while (here’s a Linux-friendly Kontron model from 2004), but over the last year or two the market has picked up considerably. Like many in-vehicle systems, Nexcom’s VTC 6220-BK is not an automotive IVI computer, but like Lanner’s Apollo Lake based V3G and V3S systems, is designed for buses. The rugged VTC 6220-BK straddles the IVI and telematics worlds, offering triple display support for passenger entertainment plus CAN and OBD connections.
  • FreeBSD Desktop – Part 16 – Configuration – Pause Any Application
    After using UNIX for so many years I knew that I could freeze (or pause) any process in the system with the kill -17 (SIGSTOP) signal and then unfreeze it with the kill -19 (SIGCONT) signal, as I described in the Process Management section of the Ghost in the Shell – Part 2 article. Doing it that way for desktop applications is a PITA to say the least. Can you imagine opening an xterm(1) terminal and searching for all Chromium or Firefox processes and then freezing them one by one every time you need it? Me neither. Fortunately, with the introduction of so-called X11 helper utilities – like xdotool(1) – it is now possible to implement it in a more usable manner.
  • Custom Sustes Malware Infects Linux and IoT Servers Worldwide [Ed: This only impacts poorly-secured and already-cracked servers. The article overstates the risk.]
    The dangerous characteristic is the fact that an estimate of the infected computers cannot be made at this time. The only way to prevent the infiltrations is to strengthen the network security of the Linux and IoT servers exposed in public. It is very possible that further attacks will be carried out with other distribution tactics.
  • C Programming | Introduction | Features – For Beginners
    C is a general-purpose programming language developed by the ultimate god of the programming world, “Mr. Dennis Ritchie” (creator of C programming). The language is mainly used to create a wide range of applications for operating systems like Windows and iOS. The popularity of the language can be clearly seen, as this language has made it to the list of the top 10 programming languages in the world.

'We expect this is the bottom' in enterprise growth: Red Hat CEO

OSS Leftovers

  • AxonIQ Launches New Open Source Server
    AxonIQ, the company behind the open source Axon Framework, launches Axon 4.0, the open, integrated development and operations tool for Microservices and Event Sourcing on the JVM.
  • L10N Report: September Edition
  • Tidelift surpasses $1M to pay open source software maintainers
    Tidelift announced that it has surpassed one million dollars committed via its platform to pay open source software maintainers to provide professional assurances for their projects, as momentum behind this new approach to professional open source continues to build. Over 100 packages are already on the Tidelift platform, with maintainers getting paid to provide support for their packages through the Tidelift Subscription. Top packages featured include Vue, Material-UI, Babel, Gulp, Fabric, Active Admin, Doctrine, and StandardJS. With Tidelift, software development teams receive assurances around maintenance, security, and licensing from a single source. By bringing together maintainers with a global market of customers, Tidelift is helping make open source work better for everyone.
  • Artifex and First National Title Insurance Company Reach Settlement Over MuPDF Open Source Dispute
    Artifex Software, Inc. and First National Title Insurance Company announced today a confidential agreement to settle their legal dispute. Case No. 4:18-cv-00503-SBA, filed by Artifex in the United States District Court for the Northern District of California, concerned the use of Artifex's open source software MuPDF under the GNU Affero General Public License and the GNU General Public License. While the parties had their differences in the interpretation of the open source licenses, the companies were able to reach an amicable resolution based on their mutual respect for and recognition of copyright protection and the open source philosophy. Terms of the settlement remain confidential.

EEE, Entryism and Openwashing

  • New Linux distro specifically designed for Windows comes to the Microsoft Store [Ed: WLinux or Whitewater Foundry not the first time people exploit Microsoft to put a price tag on FOSS such as LibreOffice. Microsoft is doing a fine job sabotaging the GNU/Linux 'ecosystem'.]
    WLinux is based on Debian, and the developer, Whitewater Foundry, claims their custom distro will also allow faster patching of security and compatibility issues that appear from time to time between upstream distros and WSL. [...] In return for saving developers time Whitewater Foundry is charging $19.99 (though the app is currently 50% off and the distribution can be downloaded from Github for free).
  • Open source dev gets Win32 apps running on Xbox One [Ed: Running blobs on two DRM platforms does not make you "Open source dev"]
  • Building Blocks of Secure Development: How to Make Open Source Work for You [Ed: Veracode self-promotion in "webinar" form, badmouthing FOSS to push their proprietary things. They work with Microsoft.]
  • SD Times open source project of the week: TonY [Ed: Openwashing of a surveillance operation at Microsoft]
    Unsatisfied with the available solutions for connecting the analytics-generating power of their TensorFlow machine learning implementations with the scalable data computation and storage capabilities of their Apache Hadoop clusters, developers at LinkedIn decided that they’d take matters into their own hands with the development of this week’s highlighted project, TonY.
  • Open Source: Automating Release Notes in Github [Ed: The New York Times is still propping up Microsoft hosting]
  • Opendesk launches augmented-reality shopping for its open-source furniture [Ed: Calling furniture "open"]
    Opendesk customers can now use augmented reality to see how the furniture brand's pieces look in their homes before ordering them from local makers. The augmented-reality (AR) experience launched with the arrival of Apple's iOS 12 operating system this week. It enables customers to use their smartphones to view some of Opendesk's furniture superimposed on the room in front of them.
  • Open Source Testing Startup Cypress Leaves Beta With Thousands of Users, Launches Paid Plans [Ed: This is not Open Source; they misuse the label and even put dashes ("open-source") because they know they're faking it.]
    Cypress.io's CEO Drew Lanham explains that the startup’s tool is software created by developers, for developers. The company was founded in 2014 by technologist Brian Mann, after observing that while computing and application development had changed drastically over the past decade, software testing had not. Large companies now release thousands of software updates a year, often on a daily basis across their organization. Technology teams aim to move rapidly, iterating on an agile basis and working in parallel so they can sync their code together even faster. But, as Lanham explains, the testing software out there was far outdated for these agile processes.
  • Kindred Introduces SenseAct, the First Reinforcement Learning Open-Source Toolkit for Physical Robots [Ed: Kindred or SenseAct not actually FOSS; but they sure try to make it seem that way, by focusing on a toolkit.]