
Security Leftovers

Filed under Security
  • Internet Explorer zero-day lets hackers steal files from Windows PCs [Ed: Microsoft Windows has back doors, so this is "small potatoes"]

    A security researcher has published today details and proof-of-concept code for an Internet Explorer zero-day that can allow hackers to steal files from Windows systems.

  • MicroBriefly: The tiniest firewall I have seen – Firewalla

    ...BSD Unix, and about the size of a paperback novel (small by standards of those days). Now, solid state storage (SSD) and low power CPUs are tiny, enough to easily fit in a matchbox or lighter sized device.

  • 'World's First Smart Contract Firewall' for EOS Launched By SlowMist

    Developers of EOSIO, an initiative supported by Block.one, a Cayman Islands-registered open-source software development firm with $4 billion in total funding (to date), have published a blog post, noting they’ve carefully looked into improving smart contract security on EOS.

    According to EOSIO’s blog, published on April 11th, FireWall.X provides an effective set of tools for “protecting smart contracts built” on EOS from “malicious hacks.” As explained by Zhong Qifu, a product manager at SlowMist Technology Co., the firm that developed FireWall.X, the “world’s first firewall” system for smart contracts aims to ensure the security of all EOS-based decentralized applications (dApps).

  • Bootstrap supply chain attack is another attempt to poison the barrel [Ed: Happens in proprietary software but we don't hear about it. Full of back doors.]

    Somebody smuggled something bad into the vast third-party, open-source supply chain we all depend upon.

  • Framing supply chain attacks

    The increase in the demand for innovative software has effectively reshaped the software development industry itself. Today, speed and agility are paramount and development teams are pushed to deliver highly advanced applications in record time — which means that writing every single line of code from the ground up is often not a sustainable practice. As the NIST puts it, “This ecosystem has evolved to provide a set of highly refined, cost-effective, reusable ICT solutions.”

  • Apache Axis servers vulnerable to RCE due to expired domain
  • Building a data pipeline to defend New York from cyber threats
  • Linux Foundation aims to improve the sustainability and security of open source projects [Ed: Zemlin PAC pushing a Microsoft-led proprietary software effort]
  • Why AV companies are making their technology open source

    Some AV developers are opening source code for their technology, a strategy they can use to collect data and tech from anyone using their code, and which could help bring products to market faster.

    Why it matters: Open source providers are experimenting with how much of their technology to share, while protecting their intellectual property to stay competitive. Their decisions will have lasting implications for how AV technology develops.

  • Open Source Web Application SSO
  • Magento sites under attack through easily exploitable SQLi flaw

    A recently patched SQL injection flaw affecting the popular open-source e-commerce platform Magento is being actively exploited by attackers, so if you haven’t implemented the provided security update or patch, now is the time to do it.

  • A security researcher with a grudge is dropping Web 0days on innocent users

    Over the past three weeks, a trio of critical zeroday vulnerabilities in WordPress plugins has exposed 160,000 websites to attacks that allow criminal hackers to redirect unwitting visitors to malicious destinations. A self-proclaimed security provider who publicly disclosed the flaws before patches were available played a key role in the debacle, although delays by plugin developers and site administrators in publishing and installing patches have also contributed.

    Over the past week, zeroday vulnerabilities in both the Yuzo Related Posts and Yellow Pencil Visual Theme Customizer WordPress plugins—used by 60,000 and 30,000 websites respectively—have come under attack. Both plugins were removed from the WordPress plugin repository around the time the zeroday posts were published, leaving websites little choice but to remove the plugins. On Friday (three days after the vulnerability was disclosed), Yellow Pencil issued a patch. At the time this post was being reported, Yuzo Related Posts remained closed with no patch available.

More in Tux Machines

Neon: A Wannabe Linux Distro For KDE Lovers

KDE Neon is a bit of an oddball Linux thing. Linuxland has an impressive collection of oddball things. Neon looks and feels much like a Linux distribution, but its developers assert quite openly on their website that Neon is not a real Linux distro. It just installs and functions like one -- sort of. That can make deciding to use it a little confusing.

Neon appears to be a Linux operating system. It boots your computer. It displays a full desktop environment. It runs *some* applications so you can go about your computing tasks much like using any other -- ahh -- real Linux distribution. That last part is a clue to what makes KDE Neon different.

Getting somewhat technical for a minute, KDE Neon is more of a specialty offering than a fully endowed operating system. Other distros support a wide range of applications from the same software format type. For example, Ubuntu runs .Deb formatted packages from the Debian Linux family. All .Deb packages will run on Ubuntu- and other Debian-based distros. Which desktop environment is used does not matter, be it KDE, Xfce, GNOME or whatever. Ditto for RPM-based Linux distributions, like Fedora and Red Hat. All you need is a package management tool or knowledge of the commands for apt, yum or pacman, depending on the distribution's Linux family. However, that is a skill set that lots of Linux users never had to learn.

Not so with KDE Neon. Neon runs only a specific category of KDE applications: the latest. Neon's developers assert that their "pseudo" distro does not support most other software. In fact, non-KDE packages most likely will not even install on Neon.

Hardware With GNU/Linux

  • Linux Foundation - where do thou go? - Stay out of the Desktop and you shalt be paid
  • Acer Chromebook R 11 C738T
  • Samsung Chromebook 3 - XE500C13-K02US
  • Acer Chromebook 14
  • HP Chromebook 11 G5 - X9U02UT
  • Acer Chromebook Spin 15
  • HP Chromebook x2
  • ASUS Chromebook Flip C213SA
  • Samsung Chromebook Plus - XE513C24-K01US
  • Samsung Chromebook Pro - XE510C25-K01US
  • ASUS Chromebit CS10
  • ASUS Chromebook Flip C434 - C434TA-DSM4T
  • Lenovo Chromebook S330 - 81JW0001US
  • Data in a Flash, Part IV: the Future of Memory Technologies

    As it relates to memory technologies, the future looks very promising and very exciting. Will the SSD completely replace the traditional spinning HDD? I doubt it. Look at tape technology. It's still around and continues to find a place in the archival storage space. The HDD most likely will have a similar fate. Although until then, the HDD will continue to compete with the SSD in both price and capacity.

  • Jonathan McDowell: Upgrading my home server

    At the end of last year I decided it was time to upgrade my home server. I built it back in 2013 as an all-in-one device to be my only always-on machine, with some attempt towards low power consumption. It was starting to creak a bit - the motherboard is limited to 16G RAM and the i3-3220T is somewhat ancient (though has served me well). So it was time to think about something more up to date.

    Additionally since then my needs have changed; my internet connection is VDSL2 (BT Fibre-to-the-Cabinet) so I have a BT HomeHub 5 running OpenWRT to drive that and provide core routing/firewalling. My wifi is provided by a pair of UniFi APs at opposite ends of the house. I also decided I could use something low power to run Kodi and access my ripped DVD collection, rather than having the main machine in the living room. That meant what I wanted was much closer to just a standard server rather than having any special needs.

    The first thing to consider was a case. My ADSL terminates in what I call the “comms room” - it has the electricity meter / distribution board and gas boiler, as well as being where one of the UniFis lives and where the downstairs ethernet terminates. In short it’s the right room for a server to live in. I don’t want a full rack, however, and ideally wanted something that could sit alongside the meter cabinet without protruding from the wall any further. A tower case would have worked, but only if turned sideways, which would have made it a bit awkward to access. I tried in vain to find a wall mount case with side access that was shallow enough, but failed. However in the process I discovered a 4U vertical wall mount. This was about the same depth as the meter cabinet, so an ideal choice. I paired it with a basic 2U case from X-Case, giving me a couple of spare U should I decide I want another rack-mount machine or two.

New Releases of GNU/Linux: Clonezilla, EasyOS and ARCOLINUX

OSS Leftovers

  • Kubernetes: The retro-style, Wild West video game

    The Kubernetes API is amazing, and not only are we going to break it down and show you how to wield this mighty weapon, but we will do it while building a video game, live, on stage. As a matter of fact, you get to play along.

  • Celebrating Kubernetes and 5 Years of Open Source

    5 years ago, Kubernetes was born and quickly became one of the most important open-source platform innovations. Today, its GitHub repository boasts 55,384 stars and 2,205 contributors! We're not just celebrating Kubernetes and how much easier it makes our lives, but we're also celebrating the open-source community that added to the container management tool, making it what it is today. When you have an entire community working together to innovate and improve, the possibilities are endless.

  • Public Statement on Neutrality of Free Software

    F-Droid won’t tolerate oppression or harassment against marginalized groups. Because of this, it won’t package nor distribute apps that promote any of these things. This includes that it won’t distribute an app that promotes the usage of the previously mentioned website, by either its branding, its pre-filled instance domain or any other direct promotion. This also means F-Droid won’t allow oppression or harassment to happen at its communication channels, including its forum. In the past week, we failed to fulfill this goal on the forum, and we want to apologize for that.

  • What open-source culture can teach tech titans and their critics

    Yet Mozilla turns out to be much more consequential than its mixed record and middling numbers would have you believe. There are three reasons for this.

  • Request Travel Support for the openSUSE.Asia Summit

    The Travel Support Program (TSP) provides travel sponsorships to openSUSE community members who want to attend the openSUSE.Asia Summit and need financial assistance. openSUSE.Asia Summit 2019 will be in Bali, Indonesia, at the Information Technology Department, Faculty of Engineering, Udayana University on October 5 and 6. The goal of the TSP is to help everybody in and around openSUSE to be able to attend the openSUSE.Asia Summit!

  • An Indian research university has assembled 73 million journal articles (without permission) and is offering the archive for unfettered scientific text-mining

    The JNU Data Depot is a joint project between rogue archivist Carl Malamud (previously), bioinformatician Andrew Lynn, and a research team from New Delhi's Jawaharlal Nehru University: together, they have assembled 73 million journal articles from 1847 to the present day and put them into an airgapped repository that they're offering to noncommercial third parties who want to perform textual analysis on them to "pull out insights without actually reading the text."

    This text-mining process is already well-developed and has produced startling scientific insights, including "databases of genes and chemicals, map[s of] associations between proteins and diseases, and [automatically] generate[d] useful scientific hypotheses." But the hard limit of this kind of text mining is the paywalls that academic and scholarly publishers put around their archives, which both limit who can access the collections and what kinds of queries they can run against them.

  • The plan to mine the world’s research papers [iophk: this is the kind of collection that Aaron Swartz died over, effectively killed]