Language Selection

English French German Italian Portuguese Spanish

Linux Stressed in Fedora, Red Hat/IBM and Security

Filed under
Red Hat
Security
  • Fedora Developers Discuss Ways To Improve Linux Interactivity In Low-Memory Situations

    While hopefully the upstream Linux kernel code can be improved to benefit all distributions for low-memory Linux desktops, Fedora developers at least are discussing their options for in the near-term improving the experience. With various easy "tests", it's possible to easily illustrate just how poorly the Linux desktop responds when under memory pressure. Besides the desktop interactivity becoming awful under memory pressure, some argue that an unprivileged task shouldn't be able to cause such behavior to the system in the first place.

  • How open source can help banks combat fraud and money laundering

    Jump ahead a few years to the Fourth EU AML Directive - a regulation which required compliance by June 2017 - demanding enhanced Customer Due Diligence procedures must be adhered to when cash transactions reach an aggregated amount of more than $11,000 U.S. dollars (USD). (The Fifth EU AML Directive is on the way, with a June 2020 deadline.) In New Zealand’s Anti-Money Laundering and Countering Financing of Terrorism Amendment Act of 2017 it is stated that banks and other financial entities must provide authorities with information about clients making cash transactions over $6,500 USD and international monetary wire transfers from New Zealand exceeding $650 USD. In 2018, the updated open banking European Directive on Payment Services (PSD2) that requires fraud monitoring also went into effect. And the Monetary Authority of Singapore is developing regulations regarding the use of cryptocurrencies for terrorist funding and money laundering, too.

  • Automate security in increasingly complex hybrid environments

    As new technologies and infrastructure such as virtualization, cloud, and containers are introduced into enterprise networks to make them more efficient, these hybrid environments are becoming more complex—potentially adding risks and security vulnerabilities.

    According to the Information Security Forum’s Global Security Threat Outlook for 2019, one of the biggest IT trends to watch this year is the increasing sophistication of cybercrime and ransomware. And even as the volume of ransomware attacks is dropping, cybercriminals are finding new, more potent ways to be disruptive. An article in TechRepublic points to cryptojacking malware, which enables someone to hijack another's hardware without permission to mine cryptocurrency, as a growing threat for enterprise networks.

    To more effectively mitigate these risks, organizations could invest in automation as a component of their security plans. That’s because it takes time to investigate and resolve issues, in addition to applying controlled remediations across bare metal, virtualized systems, and cloud environments -- both private and public -- all while documenting changes.

  • Josh Bressers: Appsec isn’t people

    The best way to think about this is to ask a different but related question. Why don’t we have training for developers to write code with fewer bugs? Even the suggestion of this would be ridiculed by every single person in the software world. I can only imagine the university course “CS 107: Error free development”. Everyone would fail the course. It would probably be a blast to teach, you could spend the whole semester yelling at the students for being stupid and not just writing code with fewer bugs. You don’t even have to grade anything, just fail them all because you know the projects have bugs.

    Humans are never going to write bug free code, this isn’t a controversial subject. Pretending we can somehow teach people to write bug free code would be a monumental waste of time and energy so we don’t even try.

    Now it’s time for a logic puzzle. We know that we can’t train humans to write bug free code. All security vulnerabilities are bugs. So we know we can’t train humans to write vulnerability free code. Well, we don’t really know it, we think we can if you look at history. The last twenty years has had an unhealthy obsession with getting humans to change their behaviors to be “more secure”. The only things that have come out of these efforts are 1) nobody likes security people anymore 2) we had to create our own conferences and parties because we don’t get invited to theirs 3) they probably never liked us in the first place.

More in Tux Machines

Security Leftovers

  • Security Researchers Find Several Bugs in Nest Security Cameras

    Researchers Lilith Wyatt and Claudio Bozzato of Cisco Talos discovered the vulnerabilities and disclosed them publicly on August 19. The two found eight vulnerabilities that are based in the Nest implementation of the Weave protocol. The Weave protocol is designed specifically for communications among Internet of Things or IoT devices.

  • Better SSH Authentication with Keybase

    With an SSH CA model, you start by generating a single SSH key called the CA key. The public key is placed on each server and the server is configured to trust any key signed by the CA key. This CA key is then used to sign user keys with an expiration window. This means that signed user keys can only be used for a finite, preferably short, period of time before a new signature is needed. This transforms the key management problem into a user management problem: How do we ensure that only certain people are able to provision new signed SSH keys?

  • Texas ransomware attacks deliver wake-up call to cities [iophk: Windows TCO]

    The Texas Department of Information Resources has confirmed that 22 Texas entities, mostly local governments, have been hit by the ransomware attacks that took place late last week. The department pointed to a “single threat actor” as being responsible for the attacks, which did not impact any statewide systems.

  • Texas Ransomware Attack

    On Security Now, Steve Gibson talks about a huge ransomware attack. 23 cities in Texas were hit with a well-coordinated ransomware attack last Friday, August 16th.

  • CVE-2019-10071: Timing Attack in HMAC Verification in Apache Tapestry

    Apache Tapestry uses HMACs to verify the integrity of objects stored on the client side. This was added to address the Java deserialization vulnerability disclosed in CVE-2014-1972. In the fix for the previous vulnerability, the HMACs were compared by string comparison, which is known to be vulnerable to timing attacks.

GNOME Feeds is a Simple RSS Reader for Linux Desktops

Feedreader, Liferea, and Thunderbird are three of the most popular desktop RSS readers for Linux, but now there’s a new option on the scene. GNOME Feeds app is simple, no-frills desktop RSS reader for Linux systems. It doesn’t integrate or sync with a cloud-based service, like Feedly or Inoreader, but you can import a list of feeds via an .opml file. “Power” users of RSS feeds will likely find that GNOME Feeds a little too limited for their needs. But the lean feature set is, arguably, what will make this app appeal to more casual users. Read more

GNU Radio Launches 3.8.0.0, First Minor-Version Release In Six Years

The GNU Radio maintainers have announced the release of GNU Radio 3.8.0.0, the first minor-version release of the popular LimeSDR-compatible software defined radio (SDR) development toolkit in over six years. “It’s the first minor release version since more than six years, not without pride this community stands to face the brightest future SDR on general purpose hardware ever had,” the project’s maintainers announced this week. “What has not changed is the fact that GNU Radio is centred around a very simple truth: Let the developers hack on DSP. Software interfaces are for humans, not the other way around. And so, compared to the later 3.7 releases, nothing has fundamentally modified the way one develops signal processing systems with GNU Radio: You write blocks, and you combine blocks to be part of a larger signal processing flow graph.” Read more

IBM/Red Hat Leftovers

  • Accelerating the journey to open hybrid cloud with Red Hat Modernization and Migration Solutions

    The integration of technology into all areas of a business (the "digital transformation" we hear so much about) is fundamentally changing how organizations operate as well as how they deliver value to customers. An example is Lockheed Martin, who opted to undergo an eight-week agile transformation labs residency to implement an open source architecture onboard the F-22 and simultaneously disentangle its web of embedded systems. But such transformation can also create new challenges, from additional competitive pressures to increased customer expectations. To help overcome these challenges, Red Hat is introducing a family of solutions to help optimize infrastructure, modernize applications and accelerate innovation while supporting customers in their journey to the open hybrid cloud. Red Hat Modernization and Migration Solutions are designed to help customers realize the benefits of open technologies and adopt containers, Kubernetes and hybrid cloud-ready platforms. The family of solutions offers a path for customers from restrictive, proprietary environments to more flexible and (often) less costly open source alternatives, in an iterative approach.

  • Let’s talk about Privacy by Design

    Privacy by Design or Privacy by Default (PbD) is not a new concept. However PbD received renewed attention when the GDPR added PbD as a legal requirement. PbD refers to the process of building in technical, organizational and security measures at the beginning stage of product development and throughout the product lifecycle. [...] One PbD tool we use to build in privacy to our development process is our Privacy Impact Assessment, also known as a PIA. The PIA is a process which assists developers at the early stages in identifying and mitigating privacy risks associated with the collection and use of personal data. The PIA tool begins with a self assessment that asks a lot of questions about the planned project or product. This initiates a process of review by individuals trained in privacy and security. The process is collaborative and creates an on-going dialogue about privacy with respect to the product, system or application at hand.

  • IBM Open Sources Its Workhorse Power Chip Architecture

    RISC-V now has formidable competition from an architecture with a long track record in servers and supercomputers.