Security Leftovers

Filed under
Security
  • Internet Explorer zero-day lets hackers steal files from Windows PCs [Ed: Microsoft Windows has back doors, so this is "small potatoes"]

    A security researcher has published today details and proof-of-concept code for an Internet Explorer zero-day that can allow hackers to steal files from Windows systems.

  • MicroBriefly: The tiniest firewall I have seen – Firewalla

    ...BSD Unix, and about the size of a paperback novel (small by standards of those days). Now, solid state storage (SSD) and low power CPUs are tiny, enough to easily fit in a matchbox or lighter sized device.

  • 'World's First Smart Contract Firewall' for EOS Launched By SlowMist

    Developers of EOSIO, an initiative supported by Block.one, a Cayman Islands-registered open-source software development firm with $4 billion in total funding (to date), have published a blog post, noting they’ve carefully looked into improving smart contract security on EOS.

    According to EOSIO’s blog, published on April 11th, FireWall.X provides an effective set of tools for “protecting smart contracts built” on EOS from “malicious hacks.” As explained by Zhong Qifu, a product manager at SlowMist Technology Co., the firm that developed FireWall.X, the “world’s first firewall” system for smart contracts aims to ensure the security of all EOS-based decentralized applications (dApps).

  • Bootstrap supply chain attack is another attempt to poison the barrel [Ed: Happens in proprietary software but we don't hear about it. Full of back doors.]

    Somebody smuggled something bad into the vast third-party, open-source supply chain we all depend upon.

  • Framing supply chain attacks

    The increase in the demand for innovative software has effectively reshaped the software development industry itself. Today, speed and agility are paramount and development teams are pushed to deliver highly advanced applications in record time, which means that writing every single line of code from the ground up is often not a sustainable practice. As NIST puts it, “This ecosystem has evolved to provide a set of highly refined, cost-effective, reusable ICT solutions.”

  • Apache Axis servers vulnerable to RCE due to expired domain
  • Building a data pipeline to defend New York from cyber threats
  • Linux Foundation aims to improve the sustainability and security of open source projects [Ed: Zemlin PAC pushing a Microsoft-led proprietary software effort]
  • Why AV companies are making their technology open source

    Some AV developers are opening source code for their technology, a strategy they can use to collect data and tech from anyone using their code, and which could help bring products to market faster.

    Why it matters: Open source providers are experimenting with how much of their technology to share, while protecting their intellectual property to stay competitive. Their decisions will have lasting implications for how AV technology develops.

  • Open Source Web Application SSO
  • Magento sites under attack through easily exploitable SQLi flaw

    A recently patched SQL injection flaw affecting the popular open-source e-commerce platform Magento is being actively exploited by attackers, so if you haven’t implemented the provided security update or patch, now is the time to do it.

  • A security researcher with a grudge is dropping Web 0days on innocent users

    Over the past three weeks, a trio of critical zeroday vulnerabilities in WordPress plugins has exposed 160,000 websites to attacks that allow criminal hackers to redirect unwitting visitors to malicious destinations. A self-proclaimed security provider who publicly disclosed the flaws before patches were available played a key role in the debacle, although delays by plugin developers and site administrators in publishing and installing patches have also contributed.

    Over the past week, zeroday vulnerabilities in both the Yuzo Related Posts and Yellow Pencil Visual Theme Customizer WordPress plugins—used by 60,000 and 30,000 websites respectively—have come under attack. Both plugins were removed from the WordPress plugin repository around the time the zeroday posts were published, leaving websites little choice but to remove the plugins. On Friday (three days after the vulnerability was disclosed), Yellow Pencil issued a patch. At the time this post was being reported, Yuzo Related Posts remained closed with no patch available.

More in Tux Machines

First Release Candidate of Linux 5.3

  • Linux 5.3-rc1
    It's been two weeks, and the merge window is over, and Linux 5.3-rc1
    is tagged and pushed out.
    
    This is a pretty big release, judging by the commit count. Not the
    biggest ever (that honor still goes to 4.9-rc1, which was
    exceptionally big), and we've had a couple of comparable ones (4.12,
    4.15 and 4.19 were also big merge windows), but it's definitely up
    there.
    
    The merge window also started out pretty painfully, with me hitting a
    couple of bugs in the first couple of days. That's never a good sign,
    since I don't tend to do anything particularly odd, and if I hit bugs
    it means code wasn't tested well enough. In one case it was due to me
    using a simplified configuration that hadn't been tested, and caused
    an odd issue to show up - it happens. But in the other case, it really
    was code that was too recent and too rough and hadn't baked enough.
    The first got fixed, the second just got reverted.
    
    Anyway, despite the rocky start, and the big size, things mostly
    smoothed out towards the end of the merge window. And there's a lot to
    like in 5.3. Too much to do the shortlog with individual commits, of
    course, so appended is the usual "mergelog" of people I merged from
    and a one-liner very high-level "what got merged". For more detail,
    you should go check the git tree.
    
    As always: the people credited below are just the people I pull from,
    there's about 1600 individual developers (for 12500+ non-merge
    commits) in this merge window.
    
    Go test,
    
                Linus
    
  • Linux 5.3-rc1 Debuts As "A Pretty Big Release"

    Just as expected, Linus Torvalds this afternoon issued the first release candidate of the forthcoming Linux 5.3 kernel. It's not just us who have been quite eager for Linux 5.3 and its changes. Torvalds acknowledged in the 5.3-rc1 announcement that this kernel is indeed a big one: "This is a pretty big release, judging by the commit count. Not the biggest ever (that honor still goes to 4.9-rc1, which was exceptionally big), and we've had a couple of comparable ones (4.12, 4.15 and 4.19 were also big merge windows), but it's definitely up there."

  • The New Features & Improvements Of The Linux 5.3 Kernel

    The Linux 5.3 kernel merge window is expected to close today, so here is our usual recap of all the changes that made it into the mainline tree over the past two weeks. There are a lot of changes to be excited about, from Radeon RX 5700 Navi support to various CPU improvements and ongoing performance work, to support for newer Apple MacBook laptops and Intel Speed Select Technology enablement.

today's howtos and programming bits

  • How to fix Ubuntu live USB not booting
  • How to Create a User Account Without useradd Command in Linux?
  • Container use cases explained in depth
  • Containerization and orchestration concepts explained
  • Set_env.py

    A good practice when writing complicated software is to put in lots of debugging code. This might be extra logging, or special modes that tweak the behavior to be more understandable, or switches to turn off some aspect of your test suite so you can focus on the part you care about at the moment. But how do you control that debugging code? Where are the on/off switches? You don’t want to clutter your real UI with controls. A convenient option is environment variables: you can access them simply in the code, your shell has ways to turn them on and off at a variety of scopes, and they are invisible to your users. Though if they are invisible to your users, they are also invisible to you! How do you remember what exotic options you’ve coded into your program, and how do you easily see what is set, and change what is set?
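    One way to answer the "how do you see what is set?" question from the excerpt above is to declare every debug switch in one place and read them all through that registry, so the program can print its own switch table and flag stray variables. The following is an added example, not code from the Set_env.py post; the `MYAPP_DEBUG_` prefix and the three switches are hypothetical.

    ```python
    """Environment-variable debug switches with a self-describing registry.

    Added example (not the blog post's code). Assumes a hypothetical
    MYAPP_DEBUG_ prefix; switch names and defaults are constructed.
    """
    import os

    PREFIX = "MYAPP_DEBUG_"  # assumption: hypothetical application prefix

    # name -> (type, default, one-line description). Declaring switches here
    # is what lets the program list them later instead of relying on memory.
    SWITCHES = {
        "TRACE_SQL": ("bool", False, "Log every SQL statement"),
        "SLOW_THRESHOLD_MS": ("int", 500, "Warn on operations slower than this"),
        "SKIP_NETWORK": ("bool", False, "Stub out outbound HTTP during tests"),
    }


    def _parse(kind, raw):
        """Convert the raw environment string into the declared type."""
        if kind == "bool":
            return raw.strip().lower() in ("1", "true", "yes", "on")
        if kind == "int":
            return int(raw)
        raise ValueError(f"unknown switch type {kind!r}")


    def read_switches(env=None):
        """Return {switch: value}, using the default when the variable is unset."""
        env = os.environ if env is None else env
        values = {}
        for name, (kind, default, _doc) in SWITCHES.items():
            raw = env.get(PREFIX + name)
            values[name] = default if raw is None else _parse(kind, raw)
        return values


    def unknown_switches(env=None):
        """Prefixed variables that no switch declares: typos or stale settings."""
        env = os.environ if env is None else env
        return sorted(
            key[len(PREFIX):]
            for key in env
            if key.startswith(PREFIX) and key[len(PREFIX):] not in SWITCHES
        )


    def describe(env=None):
        """Human-readable table: variable, current value, origin, description."""
        env = os.environ if env is None else env
        values = read_switches(env)
        lines = []
        for name, (_kind, _default, doc) in SWITCHES.items():
            origin = "env" if PREFIX + name in env else "default"
            lines.append(f"{PREFIX + name:<30} {values[name]!s:<8} ({origin}) {doc}")
        return "\n".join(lines)


    if __name__ == "__main__":
        print(describe())
        stray = unknown_switches()
        if stray:
            print("unrecognised switches:", ", ".join(stray))
    ```

    Running the module directly prints the table for the current shell, with `(env)` marking switches that are actually turned on; the same call is a cheap check that no debugging mode is enabled in an environment where it should not be, and `unknown_switches()` catches a misspelled variable that would otherwise silently do nothing.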

  • RPushbullet 0.3.2

    A new release 0.3.2 of the RPushbullet package is now on CRAN. RPushbullet is interfacing the neat Pushbullet service for inter-device messaging, communication, and more. It lets you easily send alerts like the one to the left to your browser, phone, tablet, … – or all at once. This is the first new release in almost 2 1/2 years, and it once again benefits greatly from contributed pull requests by Colin (twice !) and Chan-Yub – see below for details.

  • A Makefile for your Go project (2019)

    My most loathed feature of Go was the mandatory use of GOPATH: I do not want to put my own code next to its dependencies. I was not alone and people devised tools or crafted their own Makefile to avoid organizing their code around GOPATH.

  • Writing sustainable Python scripts

    Python is a great language to write a standalone script. Getting to the result can be a matter of a dozen to a few hundred lines of code and, moments later, you can forget about it and focus on your next task. Six months later, a co-worker asks you why the script fails and you don’t have a clue: no documentation, hard-coded parameters, nothing logged during the execution and no sensible tests to figure out what may go wrong. Turning a “quick-and-dirty” Python script into a sustainable version, which will be easy to use, understand and support by your co-workers and your future self, only takes some moderate effort. 

  • Notes to self when using genRSS.py

The Status of Fractional Scaling (HiDPI) Between Windows & Linux

There is a special type of display commonly called “HiDPI”, in which the number of pixels on the screen is doubled (vertically and horizontally), making everything drawn on the screen look sharper and better. One of the most common examples of HiDPI is Apple’s Retina displays, which ship with their desktops and laptops. However, one issue with HiDPI is that the default screen resolutions render too small on them, so we need what is called “scaling”, which simply means the OS also doubles the drawn pixels so that they match the display. Otherwise, displaying a 400×400 program window on a 3840×2160 display gives a very poor user experience, so the OS needs to scale that window (and everything else) by a factor of 2x, making it 800×800. Fractional scaling is the same process but using fractional scaling factors (e.g. 1.25, 1.4, 1.75, etc.), so that they can be tuned better to the user’s setup and needs. Now where is the issue, you may ask? The Windows operating system has supported such displays natively for a very long time, but Linux distributions lack a lot of things in this field. There are many drawbacks, issues and other things to consider. This article will take you on a tour of that.

Also: Vulkan 1.1.116 Published With Subgroup Size Control Extension

Android Leftovers