
Security: SELinux, Dirk Hohndel, Gentoo, Arch Linux AUR Package Repository

Filed under
Security
  • Lukas Vrabec: Why do you see DAC_OVERRIDE SELinux denials?
  • With So Many Eyeballs, Is Open Source Security Better? [Ed: Ask a FOSS company. Not VMware. VMware puts back doors in its proprietary software blobs.]

    Back in 1999, Eric Raymond coined the term "Linus' Law," which stipulates that given enough eyeballs, all bugs are shallow.

    Linus' Law, named in honor of Linux creator Linus Torvalds, has for nearly two decades been used by some as a doctrine to explain why open source software should have better security. In recent years, open source projects and code have experienced multiple security issues, but does that mean Linus' Law isn't valid?

    According to Dirk Hohndel, VP and Chief Open Source Officer at VMware, Linus' Law still works, but there are larger software development issues that impact both open source as well as closed source code that are of equal or greater importance.

  • The aftermath of the Gentoo GitHub hack [Ed: What a bad choice of password leads to.]

    Late last month (June 28), the Gentoo GitHub repository was attacked after someone gained control of an admin account. All access to the repositories was soon removed from Gentoo developers. Repository and page content were altered. But within 10 minutes of the attacker gaining access, someone noticed something was going on, 7 minutes later a report was sent, and within 70 minutes the attack was over. Legitimate Gentoo developers were shut out for 5 days while the dust settled and repairs and analysis were completed.

  • New Variant of Spectre Security Flaw Discovered: Speculative Buffer Overflows

    Security researchers Vladimir Kiriansky (MIT) and Carl Waldspurger (Carl Waldspurger Consulting) have published a paper to disclose a new variant of the infamous Spectre security vulnerability, which creates speculative buffer overflows.

    In their paper, the two security researchers explain the attacks and defenses for the new Spectre variant they discovered, which they call Spectre1.1 (CVE-2018-3693), a new variant of the first Spectre security vulnerability unearthed earlier this year and later discovered to have multiple other variants.

    The new Spectre flaw leverages speculative stores to create speculative buffer overflows. Because it resembles the classic buffer overflow security flaws, the new Spectre vulnerability is also known as "Bounds Check Bypass Store" or BCBS, to distinguish it from the original speculative execution attack.
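    As an added illustration (not code from the Kiriansky/Waldspurger paper or from any project mentioned on this page), the C below shows the shape of the store gadget the paper describes, a bounds check followed by a store through an attacker-controlled index, next to a hardened form that masks the index without a branch, so that even when the bounds-check branch is mispredicted the speculative store can only land inside the buffer. The masking helper follows the portable fallback of the Linux kernel's array_index_mask_nospec(); the buffer size, the function names and the sample calls are my own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BUF_LEN 16

/* Constructed target buffer for the example. */
static uint8_t buf[BUF_LEN];

/* Spectre1.1 / BCBS gadget: architecturally the store is guarded by the
 * bounds check, but while the branch is unresolved the CPU may execute
 * buf[idx] = val speculatively with idx >= len, i.e. a speculative
 * out-of-bounds write that can redirect further speculative execution. */
void store_vulnerable(size_t idx, uint8_t val, size_t len)
{
    if (idx < len)
        buf[idx] = val;
}

/* Branchless mask: all-ones when idx < len, zero otherwise.  Same
 * construction as the generic fallback of Linux's array_index_mask_nospec();
 * it assumes idx and len are both below SIZE_MAX / 2 (true for any real
 * array index).  For idx < len, neither operand of the OR has its top bit
 * set, so the complement's top bit is 1; for idx >= len, len - 1 - idx wraps
 * and sets the top bit, so the complement's top bit is 0. */
static inline size_t index_mask_nospec(size_t idx, size_t len)
{
    size_t in_bounds = ~(idx | (len - 1 - idx)) >> (sizeof(size_t) * 8 - 1);
    return (size_t)0 - in_bounds;
}

/* Returns idx when idx < len and 0 otherwise, with no data-dependent branch
 * for the predictor to speculate past. */
size_t clamp_index_nospec(size_t idx, size_t len)
{
    return idx & index_mask_nospec(idx, len);
}

/* Hardened store: if the bounds-check branch is mispredicted, the masked
 * index is 0, so the speculative store still stays inside buf[]. */
void store_hardened(size_t idx, uint8_t val, size_t len)
{
    if (idx < len) {
        idx = clamp_index_nospec(idx, len);
        buf[idx] = val;
    }
}

int main(void)
{
    store_hardened(3, 0x11, BUF_LEN);           /* in bounds: written to buf[3] */
    store_hardened(BUF_LEN + 4, 0x22, BUF_LEN); /* out of bounds: nothing written */
    printf("buf[3]=0x%02x clamp(5,16)=%zu clamp(20,16)=%zu\n",
           buf[3], clamp_index_nospec(5, BUF_LEN),
           clamp_index_nospec(20, BUF_LEN));
    return 0;
}
```

The masking approach is attractive because it costs a few ALU instructions rather than a serializing barrier; the alternative, used where masking is impractical, is a speculation barrier (lfence on x86) placed between the bounds check and the store. Note that the example cannot show the side channel itself: whether the vulnerable store actually executes speculatively depends on the CPU and on branch-predictor state, which is exactly why the fix must not rely on the branch at all.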

  • AT&T acquires open-source threat intelligence firm

    As AT&T continues down its network virtualization efforts using the open-source Open Networking Automation Platform (ONAP), the operator has acquired cybersecurity firm AlienVault, which uses open-source software to provide what the companies call “threat intelligence.” Financial details of the transaction were not disclosed; AT&T expects the deal to close in Q3 this year.

  • Malware Found in Arch Linux AUR Package Repository

    Malware has been discovered in at least three Arch Linux packages available on AUR (Arch User Repository), the official Arch Linux repository of user-submitted packages.

    The malicious code has been removed thanks to the quick intervention of the AUR team.

  • Amateur bid to add code to Arch Linux packages found and squashed

More in Tux Machines

Software: Newsboat, FreeFileSync, Corebird, FileZilla, nomacs, RAV1E

  • Newsboat: A Snazzy Text-Based RSS Feed Reader
    Newsboat is a sleek, open source RSS/Atom feed reader for the text console. It’s a fork of Newsbeuter. RSS and Atom are widely used XML formats for transmitting, publishing and syndicating articles, typically news or blog articles. Newsboat is designed to be used on text terminals on Unix or Unix-like systems. It’s entirely controlled by the keyboard. The software has an internal command line to modify configuration variables and to run commands.
  • FreeFileSync – Data Backup and File Synchronization App
    FreeFileSync is a free data backup and file synchronization app, available on Linux systems, that enables you to seamlessly sync your backup data with the source data. When you take a backup of your hard disk, or any other disk drive, you should keep it in sync with the file changes you make from time to time. It is often difficult to remember which files/directories you have changed/deleted/updated since the last backup. FreeFileSync solves that problem: it can determine and sync only those changed/deleted/updated files in your backup.
  • Corebird Twitter Client – to Stop Working
    Corebird, the best native GTK+ Twitter client available for Linux desktops including Ubuntu, will stop working in August 2018. This has been recently reported by the Corebird developer on Patreon as well as on GitHub. This is mainly due to a policy change from Twitter, which will remove the UserStream API used by Corebird and other third-party Twitter clients. In the Patreon post, the developer stated that the new Twitter API, named Account Activity API, is too difficult to implement and he may not have much time available for development.
  • FileZilla – Best FTP Client for Linux, Ubuntu Releases version 3.34.0
    FileZilla is a free and open source FTP client available for Ubuntu, Mint and other Linux systems. FileZilla is the go-to software when you need an FTP client. FileZilla supports the FTP, SFTP and FTPS protocols and it is cross-platform. It comes with a nice, user-friendly and easy-to-use GUI.
  • nomacs 3.10.2
    nomacs is licensed under the GNU General Public License v3 and available for Windows, Linux, FreeBSD, Mac, and OS/2.
  • RAV1E: The "Fastest & Safest" AV1 Encoder
    Following the news about VP9 and AV1 having more room to improve, particularly for alternative architectures like POWER and ARM, a Phoronix reader pointed out an effort that Mozilla is behind: developing the "rav1e" encoder. AV1 encoding on CPUs has up to this point been, unfortunately, extremely slow. But it turns out Mozilla and others are working on RAV1E as what they are billing as the fastest and safest AV1 encoder. RAV1E has been in development for a while now but has seemingly flown under our radar.

today's howtos

Red Hat Looks Beyond Docker for Container Technology

While Docker Inc and its eponymous container engine helped to create the modern container approach, Red Hat has multiple efforts of its own that it is now actively developing. The core component for containers is the runtime engine, which for Docker is the Docker Engine, now based on the Docker-led containerd project that is hosted at the Cloud Native Computing Foundation (CNCF). Red Hat has built its own container engine called CRI-O, which hit its 1.0 release back in October 2017. For building images, Red Hat has a project called Buildah, which reached its 1.0 milestone on June 6.

Containers: The Update Framework (TUF), Nabla, and Kubernetes 1.11 Release

  • How The Update Framework Improves Software Distribution Security
    In recent years there have been multiple cyber-attacks that compromised a software developer's network to enable the delivery of malware inside of software updates. That's a situation that Justin Cappos, founder of The Update Framework (TUF) open-source project, has been working hard to help solve. Cappos, an assistant professor at New York University (NYU), started TUF nearly a decade ago. TUF is now implemented by multiple software projects, including the Docker Notary project for secure container application updates, and has implementations that are being purpose-built to help secure automotive software as well.
  • IBM's new Nabla containers are designed for security first
    Companies love containers because they enable them to run more jobs on servers. But businesses also hate containers, because they fear they're less secure than virtual machines (VMs). IBM thinks it has an answer to that: Nabla containers, which are more secure by design than rival container concepts. James Bottomley, an IBM Research distinguished engineer and top Linux kernel developer, first outlines that there are two fundamental kinds of container and virtual machine (VM) security problems. These are described as Vertical Attack Profile (VAP) and Horizontal Attack Profile (HAP).
  • [Podcast] PodCTL #42 – Kubernetes 1.11 Released
    Like clockwork, the Kubernetes community continues to release quarterly updates to the rapidly expanding project. With the 1.11 release, we see a number of new capabilities being added across a number of different domains – infrastructure services, scheduling services, routing services, storage services, and broader CRD versioning capabilities that will improve the ability to deploy Operators for the platform and applications. Links for all these new features, as well as in-depth blog posts from Red Hat and the Kubernetes community, are included in the show notes. As always, it’s important to remember that not every new feature being released is considered “General Availability”, so be sure to check the detailed release notes before considering the use of any feature in a production or high-availability environment.