Security Leftovers

Filed under
Security
  • 10 Most Commonly Used FOSS Packages

    The Core Infrastructure Initiative Census Program II report released earlier this year identified the most commonly used FOSS components in production applications, with the goal of understanding potential vulnerabilities in these components and better securing the open source software supply chain.

  • Don’t penalise cybersecurity researchers!

    We wrote to the Indian Computer Emergency Response Team regarding a provision in their new Responsible Vulnerability Disclosure and Coordination Policy that penalises cybersecurity researchers for vulnerability disclosures. In our representation, we highlighted how such provisions would create an atmosphere in which researchers would be reluctant about reporting vulnerabilities and recommended that a robust disclosure mechanism be implemented that protects researchers from harm.

    [...]

    Such provisions contribute to a disclosure regime in which security researchers would be liable under the Information Technology Act, 2000 (‘IT Act’), and are penalised for disclosures of genuine security vulnerabilities. Section 43 of the Information Technology Act, 2000 penalizes anyone who gains unauthorized access to a computer resource without permission of the owner, and so fails to draw a distinction between malicious hackers and ethical security researchers. Thus, even when researchers have acted in good faith they may be charged under the IT Act. As we have mentioned earlier, companies have exploited this loophole in the said provision to press charges against cybersecurity researchers who expose data breaches in their companies. The Personal Data Protection Bill, 2019, currently being considered by a Joint Parliamentary Committee, also fails to protect security researchers and whistleblowers. All of this leads to situations in which researchers are reluctant to report vulnerabilities for fear of being sued.

    Clause 7 of the Policy is also in conflict with the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (‘2013 IT Rules’), which adopt a cooperative and collaborative approach. Rule 10 requires CERT-IN to interact with stakeholders including research organisations and security experts for preventing cyber security incidents. Under Rule 11(2), CERT-IN is obligated to collaborate with, among others, organisations and individuals engaged in preventing and protecting against cyber security attacks. Thus, by imposing complete and sole responsibility on cyber security researchers for actions undertaken during the discovery of a vulnerability, the policy is in conflict with the collaborative spirit of the 2013 IT Rules and so is a genuine impediment to effective collaboration.

  • Airline Passenger Mistakes Vintage Camera for a Bomb

    Back in 2007, I called this the “war on the unexpected.” It’s why “see something, say something” doesn’t work. If you put amateurs in the front lines of security, don’t be surprised when you get amateur security. I have lots of examples.

  • How to create an effective security policy: 6 tips

    Are your security policies boring? OK, that’s not entirely fair. Security policies are boring, especially to people outside of IT – in the way that children find their parents’ or teachers’ rules “boring.” There’s a limit to how interesting one can make “best practices for creating strong passwords” sound to the masses.

    The point of such policies is to educate people on organizational rules and the habits of good security hygiene. This is the administrative layer of security controls: all of the rules, standards, guidelines, and training an organization puts in place as part of its overall security program. It’s the human-focused component that rounds out the other two general categories of security controls, according to Terumi Laskowsky, an IT security consultant and cybersecurity instructor at DevelopIntelligence. The other two categories are technical/logical controls (your hardware and software tools) and physical controls (things like building or site access).

    Laskowsky notes that people tend to question the value of administrative controls. That’s partly because it can be difficult to measure or “see” their effectiveness, especially relative to technical or physical controls. But Laskowsky and other security experts generally agree that they are necessary. Security is not a steady-state affair – while our security tooling and processes are becoming more automated, a strong posture still requires human awareness, intelligence, and adaptability.

    “Raising our security awareness through administrative controls allows us to start seeing the patterns of unsafe behavior,” Laskowsky says. “We can then generalize and respond to new threats faster than security companies can come up with software to handle them.”

More in Tux Machines

Amazon Linux 2022 Performs Well, But Intel's Clear Linux Continues Leading In The Cloud

AWS recently introduced Amazon Linux 2022 in preview form as the latest iteration of their Linux distribution, now based on Fedora with various alterations to cater to their customers running it on EC2. Last week's benchmarks looked at Amazon Linux 2022 compared to Amazon Linux 2 and other distributions like CentOS and Ubuntu. In this article we are seeing how Amazon Linux 2022 can compete with Intel's own Clear Linux performance-optimized distribution.

Games: Pokémon, Roundup, and Some More Titles on GNU/Linux

  • Bridging Game Worlds With The ‘Impossible’ Pokémon Trade | Hackaday

    Transferring hard-earned Pokémon out of the second generation GameBoy game worlds into the ‘Advance Era’ cartridges (and vice versa) has never been officially supported by Nintendo; however, [Goppier] has made these illicit trades slightly easier for budding Pokémon trainers by way of a custom PCB and a healthy dose of reverse engineering. Changes to the data structure between Generation II on the original GameBoy (Pokémon Gold, Silver and Crystal) and Generation III on the GameBoy Advance (Pokémon Ruby, Sapphire, FireRed, LeafGreen and Emerald) meant that trades between these cartridges were never a possibility – at least not through any legitimate means. In contrast, Pokémon trades are possible between the first and second generation games, as well as from Generation III onwards, leaving the leap from Gen II to Gen III as an obvious missing link.

  • Punk Wars, Axis & Allies 1942 Online, Melvor Idle, Unpacking … - itsfoss.net

    One more to liven up the December long weekend: there is nothing more entertaining for passing the time than playing a game, and that is partly what Linux Play, our premier section for native Linux games, is about, with this monthly edition covering the best of what came out in November. It includes the construction and survival title Punk Wars, the classic war strategy of Axis & Allies 1942 Online, the hardcore RPG Melvor Idle… and a lot more, not forgetting the free title that closes the list, which this time brings the television phenomenon Squid Game to PC controls under the name Crab Game. Linux Play!

  • NeuroNet: Mendax Proxy gets some first footage, mixing elements of Your Grace & Reigns | GamingOnLinux

    NeuroNet: Mendax Proxy is an upcoming adventure that the developer claims blends together elements found in the likes of Your Grace, Reigns and Astrologaster into something new. Set to launch in 2022, NeuroNet sees you take control of an AI charged with managing a city called Catena. You will need to make quick-fire decisions that impact the future and the prosperity of its citizens, with every choice and decision taken having a lasting effect on those you meet and the city's status. Lots of cyberpunk theming going on here with a new trailer giving a look into what to expect you can see below.

  • The Jackie and Daria update for Spiritfarer lands December 13 | GamingOnLinux

    The biggest update yet for the award-winning Spiritfarer lands on December 13, with plenty of new content. Spiritfarer is a casual thoughtful experience about being a ferrymaster for the deceased. You build up a boat, explore and care for various spirits before letting them go. With the new update coming the developer said it is the biggest yet with a new island to explore, there's two new spirits to make friends with and a hospital to bring back from the brink. On top of that there's also some sort of new platforming event and new upgrades for your ferry.

GNU/Linux on Desktop/Laptop Miscellany

  • What Is a Physical Kill Switch, and Does Your PC Need One?

    Purism is a company founded on the idea of having strict privacy and security features built into its computers. The Librem 14 is a prime example of this philosophy, and its hardware, firmware, and operating system have been designed with a significantly higher level of paranoia than typical computers. The Librem 14 Linux laptop features multiple physical kill switches, which the company claims absolutely disable the related hardware. There are switches for the webcam and microphone as well as WiFi and Bluetooth. When it comes to the Librem 14 in particular, there are so many additional privacy features that the kill switches really are the least of it, but there are examples of such kill switches in regular laptops that don’t go to such extremes. All the way back in 2018, HP was already shipping laptops with physical kill switches for the webcam. Their Spectre laptops included these switches, so hopefully the chances of a hacked webcam recording you when you don’t want it to are virtually zero. Kill switches may not always take the form of a traditional sliding switch on the side of a laptop. It’s entirely possible to integrate the kill switch with a physical, built-in camera shutter.

  • Partaker Intel Core i3-8130U fanless mini PC Win 10 Linux supported $423

    Partaker has created a new fanless mini PC equipped with a wealth of connectivity and capable of running both the Microsoft Windows 10 operating system and most Linux distributions, depending on your preference. Pricing starts from $423 for the Intel Core i3-8130U processor version, although a more affordable Intel Celeron 3865U/3867U/3965U processor version is also available with prices starting from $246. Both are barebone systems, meaning that you will need to provide your own memory, storage and operating system, enabling you to tailor the system to your exact requirements.

  • IGEL Releases Support for VMware Workspace ONE Intelligent Hub for Linux
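A practitioner-side check for the kill-switch claim in the Librem 14 item above, as an added example that is not part of the article or of Purism's or HP's own tooling. It classifies a radio from the text of `rfkill list`: a switch that cuts power to the module leaves no rfkill entry at all (the hardware is simply gone from the bus, which is what "absolutely disables" should mean), a switch or hotkey wired to the driver's rfkill line shows as `Hard blocked: yes` (the OS cannot clear it), and a mere software toggle shows only `Soft blocked: yes`. The rfkill output below is constructed, not captured from any of these machines; the webcam check just looks for `/dev/video*` nodes on the running system.

```shell
#!/bin/sh
# Added example (not from the article, Purism or HP): classify how a radio is
# disabled from the text of `rfkill list`, and look for a webcam device node.
#
#   absent  no rfkill entry of that type at all: the module is unpowered or
#           unplugged, which is what a true hardware kill switch should produce
#   hard    every entry reports "Hard blocked: yes": a switch or hotkey on the
#           driver's rfkill line; the OS cannot clear it
#   soft    entries are only "Soft blocked: yes": a software toggle, not a
#           kill switch
#   live    at least one entry of that type is not blocked
#
# Assumes the rfkill(8) "list" output layout shown in the constructed sample.

# Constructed sample: both radios hard-blocked, no WWAN modem present.
SAMPLE_RFKILL='0: phy0: Wireless LAN
    Soft blocked: no
    Hard blocked: yes
1: hci0: Bluetooth
    Soft blocked: no
    Hard blocked: yes'

# radio_state <rfkill-list-output> <type>   (type: "Wireless LAN", "Bluetooth", "WWAN")
# Prints one of absent / hard / soft / live.
radio_state() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[0-9]+:/ {                      # "N: name: Type" header line
            split($0, f, ": ")
            cur = (f[3] == want)
            if (cur) seen++
            next
        }
        cur && /Soft blocked:/ { if ($3 == "yes") soft++ }
        cur && /Hard blocked:/ { if ($3 == "yes") hard++ }
        END {
            if (!seen)             print "absent"
            else if (hard == seen) print "hard"
            else if (soft == seen) print "soft"
            else                   print "live"
        }'
}

# webcam_present: succeeds if any V4L2 device node exists on this machine.
# With a camera kill switch (or an unplugged internal USB camera) there should
# be none; the glob stays literal when nothing matches, so -e fails.
webcam_present() {
    for dev in /dev/video*; do
        [ -e "$dev" ] && return 0
    done
    return 1
}

# Demonstration on the constructed sample, then on the live system if rfkill
# is installed.
for radio in "Wireless LAN" "Bluetooth" "WWAN"; do
    printf 'sample  %-12s %s\n' "$radio" "$(radio_state "$SAMPLE_RFKILL" "$radio")"
done
if command -v rfkill >/dev/null 2>&1; then
    live=$(rfkill list 2>/dev/null)
    for radio in "Wireless LAN" "Bluetooth"; do
        printf 'live    %-12s %s\n' "$radio" "$(radio_state "$live" "$radio")"
    done
fi
if webcam_present; then
    echo 'webcam  a /dev/video* node exists: the camera is enumerated'
else
    echo 'webcam  no /dev/video* node: the camera is off the bus or absent'
fi
```

On a machine whose switch only drives the rfkill line, flipping it should move the radio from `live` to `hard`; on one that cuts power it should move to `absent`. A result of `soft` with the switch engaged means the "kill switch" is a software toggle and the radio can be re-enabled by anything running as root.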

Kernel and Graphics: Kuiper Linux, Rust, Apple, Mesa, and XWayland

  • Custom Linux allows Raspberry Pi to drive ADI peripherals

    Called Kuiper Linux, it incorporates Linux device drivers for ADI products, and supports other hardware including Digilent Zedboard, TerASIC DE10-Nano and Digilent Cora. “The reasoning behind creating this distribution is to minimise the barriers to integrating ADI hardware devices into a Linux-based system,” according to the company. “When starting with a generic Linux distribution, the kernel typically would have to be rebuilt with the desired drivers enabled. While this is not difficult for an engineer that is familiar with the process, it can be a daunting task even when everything goes right. ADI Kuiper Linux solves this problem, and includes a host of additional applications, software libraries, and utilities.”

  • Rust takes a major step forward as Linux's second official language | ZDNet

    It wasn't that long ago that the very idea that another language besides C would be used in the Linux kernel would have been laughed at. Things have changed. Today, not only is Rust, the high-level systems language, moving closer to Linux, it's closer than ever with the next "patch series to add support for Rust as a second language to the Linux kernel."

  • Apple SoC PMGR driver for 5.17
    Hi SoC folks,
    
    Please merge the new PMGR driver for 5.17.
    
    This should not have any hard deps with the previous pulls. The MAINTAINERS change already rode along the DT pull, for simplicity.
    
  • More Apple Silicon M1 Bring-Up On The Way For Linux 5.17 - Phoronix

    The enablement work for supporting Apple's M1 SoC under Linux continues, and with the v5.17 kernel next year there will be yet more additions. Among the new driver activity for Linux 5.17 is an Apple PMGR driver for controlling the power states. The Apple PMGR block on their SoC has high-level power state controls for SoC devices. At the moment not all features are supported, but it is an important step forward for power management with Apple Silicon on Linux.

  • Intel's SWR Removed From Mainline Mesa, More Classic Code Cleaning Continues - Phoronix

    Last Friday Mesa classic drivers were removed from the mainline code-base and punted off to an "Amber" code branch where they will receive whatever attention moving forward. With that classic Mesa code removed, more code cleaning is now happening on top of the tens of thousands of lines of code already removed. Intel's OpenSWR driver has also now been removed from mainline. Since the original classic Mesa drivers consisting of Radeon R100/R200, original Nouveau, and Intel i915 / i965 drivers were removed, more code cleaning can now happen on mainline for code that was just sticking around for these old, rather unmaintained drivers.

  • XWayland Lands DRM Leasing Support To Handle VR Headsets - Phoronix

    Along with XWayland touchpad gestures, another shiny feature was merged this week into X.Org Server Git for XWayland: DRM leasing support! XWayland now has mainline support for the DRM leasing (drm-lease-v1) protocol for allowing X11 clients running through XWayland to lease non-desktop connectors/outputs from the underlying Wayland compositor. This is particularly useful and designed around the needs of virtual reality (VR) head-mounted displays.