Language Selection

English French German Italian Portuguese Spanish

Security Leftovers

Filed under
Security
  • Internet Explorer zero-day lets hackers steal files from Windows PCs [Ed: Microsoft Windows has back doors, so this is "small potatoes"]

    A security researcher has published today details and proof-of-concept code for an Internet Explorer zero-day that can allow hackers to steal files from Windows systems.

  • MicroBriefly: The tiniest firewall I have seen – Firewalla

    ...BSD Unix, and about the size of a paperback novel (small by standards of those days). Now, solid state storage (SSD) and low power CPUs are tiny, enough to easily fit in a matchbox or lighter sized device.

  • 'World's First Smart Contract Firewall' for EOS Launched By SlowMist

    Developers of EOSIO, an initiative supported by Block.one, a Cayman Islands-registered open-source software development firm with $4 billion in total funding (to date), have published a blog post, noting they’ve carefully looked into improving smart contract security on EOS.

    According to EOSIO’s blog, published on April 11th, FireWall.X provides an effective set of tools for “protecting smart contracts built” on EOS from “malicious hacks.” As explained by Zhong Qifu, a product manager at SlowMist Technology Co., the firm that developed FireWall.X, the “world’s first firewall” system for smart contracts aims to ensure the security of all EOS-based decentralized applications (dApps).

  • Bootstrap supply chain attack is another attempt to poison the barrel [Ed: Happens in proprietary software but we don't hear about it. Full of back doors.]

    Somebody smuggled something bad into the vast third-party, open-source supply chain we all depend upon.

  • Framing supply chain attacks

    The increase in the demand for innovative software has effectively reshaped the software development industry itself. Today, speed and agility are paramount and development teams are pushed to deliver highly advanced applications in record time — which means that writing every single line of code from the ground up is often not a sustainable practice. As the NIST puts it, “This ecosystem has evolved to provide a set of highly refined, cost-effective, reusable ICT solutions.”.

  • Apache Axis servers vulnerable to RCE due to expired domain
  • Building a data pipeline to defend New York from cyber threats
  • Linux Foundation aims to improve the sustainability and security of open source projects [Ed: Zemlin PAC pushing a Microsoft-led proprietary software effort]
  • Why AV companies are making their technology open source

    Some AV developers are opening source code for their technology, a strategy they can use to collect data and tech from anyone using their code, and which could help bring products to market faster.

    Why it matters: Open source providers are experimenting with how much of their technology to share, while protecting their intellectual property to stay competitive. Their decisions will have lasting implications for how AV technology develops.

  • Open Source Web Application SSO
  • Magento sites under attack through easily exploitable SQLi flaw

    A recently patched SQL injection flaw affecting the popular open-source e-commerce platform Magento is being actively exploited by attackers, so if you haven’t implemented the provided security update or patch, now is the time to do it.

  • A security researcher with a grudge is dropping Web 0days on innocent users

    Over the past three weeks, a trio of critical zeroday vulnerabilities in WordPress plugins has exposed 160,000 websites to attacks that allow criminal hackers to redirect unwitting visitors to malicious destinations. A self-proclaimed security provider who publicly disclosed the flaws before patches were available played a key role in the debacle, although delays by plugin developers and site administrators in publishing and installing patches have also contributed.

    Over the past week, zeroday vulnerabilities in both the Yuzo Related Posts and Yellow Pencil Visual Theme Customizer WordPress plugins—used by 60,000 and 30,000 websites respectively—have come under attack. Both plugins were removed from the WordPress plugin repository around the time the zeroday posts were published, leaving websites little choice than to remove the plugins. On Friday (three days after the vulnerability was disclosed), Yellow Pencil issued a patch. At the time this post was being reported, Yuzo Related Posts remained closed with no patch available.

More in Tux Machines

The best, until OpenMandriva does better: released OMLx 4.0

Exciting news! Shortly after the release candidate we are very proud to introduce you the fruit of so much work, some visible and much more behind the scenes and under the hood. OpenMandriva Lx is a cutting edge distribution compiled with LLVM/clang, combined with the high level of optimisation used for both code and linking (by enabling LTO, and profile guided optimizations for some key packages where reliable profile data is easy to generate) used in its building. OMLx 4.0 brings a number of major changes since 3.x release... Read more Also: OpenMandriva Lx 4.0 Released With AMD Zen Optimized Option, Toolchain Updates

Today in Techrights

today's leftovers

  • Georges Basile Stavracas Neto: Calendar management dialog, archiving task lists, Every Detail Matters on Settings (Sprint 2)
    This was a long-time request, and something that I myself was missing when using To Do. Since it fits well with the product vision of the app, there was nothing preventing it from being implemented. Selecting this feature to be implemented during the week was a great choice – the task was self contained, had a clear end, and was just difficult just enough to be challenging but not more than that. However, I found a few issues with the implementation, and want to use the next round to polish the feature. Using the entire week to polish the feature might be too much, but it will give me some time to really make it great.
  • Open Source Answer To Dropbox And OneDrive: Meet Frank Karlitschek
    During the OpenSUSE Conference in Nurnberg (German), Nextcloud founder Frank Karlitschek appeared on “Let’s Talk’ to talk about the importance of fully open source file sync and storage solutions for enterprise customers. As one of the early contributors to desktop Linux he also talked about the reasons why desktop Linux has not succeeded.
  • Load-Bearing Internet People
    Some maintainers for critical software operate from a niche at a university or a government agency that supports their effort. There might be a few who are independently wealthy.
  • Robert Helmer: Vectiv and the Browser Monoculture
    So, so tired of the "hot take" that having a single browser engine implementation is good, and there is no value to having multiple implementations of a standard. I have a little story to tell about this. In the late 90s, I worked for a company called Vectiv. There isn't much info on the web (the name has been used by other companies in the meantime), this old press release is one of the few I can find. Vectiv was a web-based service for commercial real estate departments doing site selection. This was pretty revolutionary at the time, as the state-of-the-art for most of these was to buy a bunch of paper maps and put them up on the walls, using push-pins to keep track of current and possible store locations. The story of Vectiv is interesting on its own, but the relevant bit to this story is that it was written for and tested exclusively in IE 5.5 for Windows, as was the style at the time. The once-dominant Netscape browser had plummeted to negligible market share, and was struggling to rewrite Netscape 6 to be based on the open-source Mozilla Suite.

OSS Leftovers

  • Letter of Recommendation: Bug Fixes
    I wouldn’t expect a nonprogrammer to understand the above, but you can intuit some of what’s going on: that we don’t need ImageMagick to scale images anymore, because the text editor can scale images on its own; that it’s bad form to spell-check hex values, which specify colors; that the bell is doing something peculiar if someone holds down the alt key; and so forth. But there’s also something larger, more gladdening, about reading bug fixes. My text editor, Emacs, is a free software project with a history going back more than 40 years; the codebase itself starts in the 1980s, and as I write this there are 136,586 different commits that get you from then to now. More than 600 contributors have worked on it. I find those numbers magical: A huge, complex system that edits all kinds of files started from nothing and then, with nearly 140,000 documented human actions, arrived at its current state. It has leaders but no owner, and it will move along the path in which people take it. It’s the ship of Theseus in code form. I’ve probably used Emacs every day for more than two decades. It has changed me, too. It will outlive me. Open source is a movement, and even the charitably inclined would call it an extreme brofest. So there’s drama. People fight it out in comments, over everything from semicolons to codes of conduct. But in the end, the software works or it doesn’t. Politics, our personal health, our careers or lives in general — these do not provide a narrative of unalloyed progress. But software, dammit, can and does. It’s a pleasure to watch the code change and improve, and it’s also fascinating to see big companies, paid programmers and volunteers learning to work together (the Defense Department is way into open source) to make those changes and improvements. I read the change logs, and I think: Humans can do things.
  • The Top 17 Free and Open Source Network Monitoring Tools
    Choosing the right network monitoring solution for your enterprise is not easy.
  • Hedge-fund managers are overwhelmed by data, and they're turning to an unlikely source: random people on the internet
    Alternative data streams of satellite images and cellphone-location data are where managers are now digging for alpha, as new datasets are created every day. And hedge funds have been spending serious cash searching for those who can take all this information and quickly find the important pieces. Now, as margins shrink and returns are under the microscope, hedge funds are beginning to consider a cheaper, potentially more efficient way to crunch all this data: open-source platforms, where hundreds of thousands of people ranging from finance professionals to students, scientists, and developers worldwide scour datasets — and don't get paid unless they find something that a fund finds useful.
  • TD Ameritrade Is Taking Its First Steps Towards Major Open Source Contributions
    STUMPY is a python library to identify the patterns and anomalies in time series data. STUMPY has benefited from open source as a means to shorten development roadmaps since the early 2000s and it represents a new opportunity for TD Ameritrade to give back to the developer community.
  • The Future of Open Source Big Data Platforms
    Three well-funded startups – Cloudera Inc., Hortonworks Inc., and MapR Technologies Inc. — emerged a decade ago to commercialize products and services in the open-source ecosystem around Hadoop, a popular software framework for processing huge amounts of data. The hype peaked in early 2014 when Cloudera raised a massive $900 million funding round, valuing it at $4.1 billion.
  • No Easy Way Forward For Commercial Open Source Software Vendors
    While still a student in 1995, Kimball developed the first version of GNU Image Manipulation Program (GIMP) as a class project, along with Peter Mattis. Later on as a Google engineer, he worked on a new version of the Google File System, and the Google Servlet Engine. In 2012, Kimball, Mattis, and Brian McGinnis launched the company Viewfinder, later selling it to Square.
  • 6 Reasons Why Developers Should Contribute More To Open Source
    Even by fixing minor things like a bug in a library or writing a piece of documentation can also help the developers to write readable or maintainable code. They can independently suggest to the community and generally tend to stick by the rules of writing a code that is easy to understand. The fact that the code will be exposed to everyone naturally makes them write focus on making it readable.
  • WIDE Project, KDDI develop router with open-source software, 3.2T-packet transmission
    The WIDE Project has adopted a router developed by Japanese operator KDDI. The router runs open-source software, and will be used with the networks operated and managed by the WIDE Project. The router will use open-source software with up to 3.2T-packet transmission. For this project, KDDI plans to start tests this month to verify the practical utility and interoperability of these routers when put to use in the actual service environment. The WIDE Project will be in charge of network administration and definition of requirements for router implementation.
  • Lack of progress in open source adoption hindering global custody’s digitisation
    Custody industry is lagging behind the rest of the financial services sector for open source projects, according to industry experts.
  • TNF: Industry should be focusing on open source development
    According to O'Shea, open source and the community are helping firms to find and attract experienced technology talent “uber engineers”.
  • Google Open Sources TensorNetwork , A Library For Faster ML And Physics Tasks
    “Every evolving intelligence will eventually encounter certain very special ideas – e.g., about arithmetic, causal reasoning and economics–because these particular ideas are very much simpler than other ideas with similar uses,” said the AI maverick Marvin Minsky four decades ago. Mathematics as a tool to interpret nature’s most confounding problems from molecular biology to quantum mechanics has so far been successful. Though there aren’t any complete answers to these problems, the techniques within domain help throw some light on the obscure corners of reality.
  • Open source to become a ‘best practice’
    There are many magic rings in this world… and none of them should be used lightly. This is true. It is also true that organisations in every vertical are now having to work hard and find automation streams that they can digitise (on the road to *yawn* digital transformation, obviously) and start to apply AI and machine learning to. Another key truth lies in the amount of codified best practices that organisations now have the opportunity to lay down. One we can denote a particular set of workflows in a particular department (or team, or group, or any other collective) to be deemed to be as efficient as possible, then we can lay that process down as a best practice.
  • 10 Open-Source and Free CAD Software You Can Download Right Now
    Many CAD software products exist today for anyone interested in 2D or 3D designing. From browser tools to open-source programs, the market is full of free options available for hobbyists or small companies just starting out.