
Security Leftovers

Filed under: Security
  • White House ransomware summit calls for virtual asset crackdown, without mentioning cryptocurrency [Ed: They need to crack down on Microsoft Windows, instead; they use their NSA back doors as a ruse to protect big banks. Microsoft has infiltrated think tanks about ransomware, so now instead of tackling the security breaches themselves (which can lead to sabotage or worse) they treat it like a financial transaction issue.]

    The 30-nation gabfest convened under the auspices of the US National Security Council’s Counter-Ransomware Initiative has ended with agreement that increased regulation of virtual assets is required to curb the digital coins' allure to criminals.

    A joint statement issued after the event's conclusion opens with anodyne observations about the need for good infosec, international collaboration, and the benefits of private sector engagement.

    The first mention of concrete action comes in a section of the statement entitled "Countering Illicit Finance" – and while the document never mentions cryptocurrencies, it's plain they're a target.

    "Taking action to disrupt the ransomware business model requires concerted efforts to address illicit finance risks posed by all value transfer systems, including virtual assets, the primary instrument criminals use for ransomware payments and subsequent money laundering."

  • Thingiverse suffers breach of 228,000 email addresses • The Register

    Thingiverse, a site that hosts free-to-use 3D printer designs, has suffered a data breach – and at least 228,000 unlucky users' email addresses have been circulating on black-hat crime forums.

    News of the breach came from Have I Been Pwned (HIBP), whose maintainer Troy Hunt uploaded the 228,000 breached email addresses to the site after being tipped off to their circulation on the forums.

    Hunt claimed on Twitter that in excess of two million addresses were in the breach. He qualified that by saying the majority were email addresses that appeared to be generated by Thingiverse itself, judging from their format: webdev+$username@makerbot[.]com.

    HIBP's maintainer also claimed that some of the data included poorly encrypted passwords: one he highlighted was an unsalted SHA-1 hash which resolved to the password "test123".

  • Thingiverse Data Leaked — Check Your Passwords | Hackaday

    Every week seems to bring another set of high-profile data leaks, and this time it’s the turn of a service that should be of concern to many in our community. A database backup from the popular 3D model sharing website Thingiverse has leaked online, containing 228,000 email addresses, full names, addresses, and passwords stored as unsalted SHA-1 or bcrypt hashes. If you have an account with Thingiverse it is probably worth your while to head over to Have I Been Pwned to search on your email address, and just to be sure you should also change your password on the site. Our informal testing suggests that not all accounts appear to be contained in the leak, which appears to relate to comments left on the site.
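The Register and Hackaday excerpts above both point at Have I Been Pwned. Its Pwned Passwords lookup works on the same principle that makes unsalted SHA-1 storage dangerous (one password always yields one hash), but it is built so the password never leaves your machine: only the first five hex characters of the SHA-1 are sent, and the remaining 35 are compared locally against every suffix the service returns for that prefix. The following is an added example of that client-side logic, not code from HIBP or from either article; the range response it parses is constructed inline (the real endpoint is `https://api.pwnedpasswords.com/range/<prefix>` and is not contacted), and the breach counts are made up.

```python
import hashlib
from typing import Dict, Tuple

PREFIX_LEN = 5  # the only part of the hash that would ever leave your machine


def sha1_hex(password: str) -> str:
    """Pwned Passwords indexes plaintexts by uppercase hex SHA-1 (unsalted)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range(password: str) -> Tuple[str, str]:
    """Return (prefix sent to the API, suffix that is compared locally)."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF). Blank or malformed lines and
    zero-count padding entries are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 40 - PREFIX_LEN and count.isdigit():
            n = int(count)
            if n > 0:
                counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, body: str) -> int:
    """How often the password appears in the breach corpus (0 = not seen)."""
    _, suffix = split_for_range(password)
    return parse_range_response(body).get(suffix, 0)


def make_sample_response(prefix: str, seen: Dict[str, int]) -> str:
    """Constructed stand-in for a real range response: the suffixes of the
    given plaintexts that share `prefix`, a zero-count padding line, and one
    unrelated filler entry. Counts are invented for the example."""
    lines = ["0" * 35 + ":0"]
    for pw, n in seen.items():
        p, s = split_for_range(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    lines.append("F" * 35 + ":7")
    return "\r\n".join(lines) + "\r\n"


def check(password: str, seen: Dict[str, int]) -> int:
    """Offline round trip: derive the prefix, 'fetch' the range, compare locally."""
    prefix, _ = split_for_range(password)
    return pwned_count(password, make_sample_response(prefix, seen))


if __name__ == "__main__":
    corpus = {"test123": 1_000_000, "password": 5_000_000}  # constructed counts
    for pw in ("test123", "correct horse battery staple"):
        print(pw, "->", check(pw, corpus))
```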

  • New PureBoot Feature: Scanning Root for Tampering – Purism

    With the latest PureBoot R19 pre-release we have added a number of new changes including improved GUI workflows and new security features and published a ROM image so the wider community can test it before it turns into the next stable release. To test it, existing PureBoot users can download the R19-pre1 .rom file that corresponds to their Librem computer and flash it like any other PureBoot release.

    In this post I want to highlight a new experimental security feature we added in this release that will extend the tamper detection PureBoot already does with the boot firmware and the /boot directory into the main root file system. This will allow you to detect attacks that modify system binaries (like /bin/bash) with backdoored versions. I also want to give some background on this feature and my thought process behind it so people understand where I’m coming from and why I made the design decisions I did.


Security Leftovers

  • Linux Fixes Spectre V1 SWAPGS Mitigation After Being Partially Borked Since Last Year - Phoronix

    This week's set of "x86/urgent" changes for the Linux 5.16-rc4 kernel due out later today has some Spectre V1 fixes after kernel commits last year ended up partially messing things up around its SWAPGS handling. These fixes in turn will also likely be back-ported to relevant stable kernel series. Thanks to Alibaba engineer Lai Jiangshan, some important fixes around the Spectre V1 SWAPGS mitigation are landing today in the mainline kernel.

  • Reproducible Builds: Reproducible Builds in November 2021

    As a quick recap, whilst anyone may inspect the source code of free software for malicious flaws, almost all software is distributed to end users as pre-compiled binaries. The motivation behind the reproducible builds effort is therefore to ensure no flaws have been introduced during this compilation process by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a build was compromised. If you are interested in contributing to our project, please visit our Contribute page on our website.

  • Reproducible Builds (diffoscope): diffoscope 195 released

    The diffoscope maintainers are pleased to announce the release of diffoscope version 195. This version includes the following changes:

    [ Chris Lamb ]
    * Don't use the runtime platform's native endianness when unpacking .pyc
      files to fix test failures on big-endian machines.
    

Linux 5.16-rc4

Fairly small rc4 this week. Three areas stand out in the diff: some
kvm fixes (and tests), network driver fixes, and the tegra SoC sound
fixes.

The rest is fairly spread out: drm fixes, some filesystem stuff,
various arch updates, and some smattering of random driver fixes.

Nothing looks all that scary, although I certainly hope the kvm side
will calm down.

                  Linus
Also: Linux 5.16-rc4 Released - "Nothing Looks All That Scary"

EFF Argument in Patent Troll Case to Be Livestreamed on Monday

At 10 am Monday, FOSS folks and others interested in software patent litigation will have a chance to have a firsthand look at how our courts address patent cases. The case involves a “notorious patent troll,” according to the Electronic Frontier Foundation, that is trying to hide information from Apple, which it’s suing. “At a federal appeals court hearing that will be livestreamed, attorney Alexandra H. Moss, Executive Director at Public Interest Patent Law Institute, who is assisting EFF in the case, will argue that a judge’s order to unseal all documents and preserve public access in the case of Uniloc USA, Inc. v. Apple Inc. should be upheld,” EFF said in a statement on Thursday. “Uniloc is entitled to resolve its patent dispute in publicly-funded courts, Moss will argue, but it’s not entitled to do so secretly.” EFF said that this is the second time the plaintiff, Uniloc, has appealed an order to be more transparent in this case.

Gnuastro 0.16 released

Dear all,

I am happy to announce the 16th official release of GNU Astronomy
Utilities (Gnuastro version 0.16).

Gnuastro is an official GNU package, consisting of various
command-line programs and library functions for the manipulation and
analysis of (astronomical) data. All the programs share the same basic
command-line user interface (modeled on GNU Coreutils). For the full
list of Gnuastro's library, programs, and a comprehensive general
tutorial (recommended place to start using Gnuastro), please see the
links below respectively:

https://www.gnu.org/s/gnuastro/manual/html_node/Gnuastro-library.html
https://www.gnu.org/s/gnuastro/manual/html_node/Gnuastro-programs-list.html
https://www.gnu.org/s/gnuastro/manual/html_node/General-program-usage-tutorial.html

For a complete review of the new/changed features in this release,
please see [1] below (also available in the 'NEWS' file within the
source code tarball).

Here is the compressed source and the GPG detached signature for this
release. To uncompress Lzip tarballs, see [2]. To check the validity
of the tarballs using the GPG detached signature (*.sig) see [3]:

  https://ftp.gnu.org/gnu/gnuastro/gnuastro-0.16.tar.lz    (3.7MB)
  https://ftp.gnu.org/gnu/gnuastro/gnuastro-0.16.tar.gz    (5.9MB)
  https://ftp.gnu.org/gnu/gnuastro/gnuastro-0.16.tar.gz.sig (833B)
  https://ftp.gnu.org/gnu/gnuastro/gnuastro-0.16.tar.lz.sig (833B)

Here are the SHA1 and SHA256 checksums (other ways to check if the
tarball you download is what we distributed). Just note that the
SHA256 checksum is base64 encoded, instead of the hexadecimal encoding
that most checksum tools default to.

fe1f84bf1be270f1a62091e9a5f89bb94b182154  gnuastro-0.16.tar.lz
B4hftfYuyc7x3I6aEJ2SQlkp6x7zOOrPz/bK2koGuR8  gnuastro-0.16.tar.lz
1ae00673648fe8db5630f1de9d70b49fadb42d7d  gnuastro-0.16.tar.gz
kMEdJbsFrRNxDLX4EXntgXNgikJv3/2LIEWGLV/e4i0  gnuastro-0.16.tar.gz

For this release, Pedram Ashofteh Ardakani, Natáli D. Anzanello,
Sepideh Eskandarlou, Raúl Infante-Sainz, Vladimir Markelov and Zahra
Sharbaf directly contributed to the source of Gnuastro; I am very
grateful to all of them. I should also thank Alejandro Serrano
Borlaff, Fernando Buitrago, Mark Calabretta, Zohreh Ghaffari, Giulia
Golini, Leslie Hunt, Raúl Infante-Sainz, Matthias Kluge, Juan Miro,
Juan Molina Tobar, Markus Schaney, Zahra Sharbaf, Vincenzo Testa,
Ignacio Trujillo and Aaron Watkins for their very good suggestions or
bug reports that have been implemented in Gnuastro 0.16.

If any of Gnuastro's programs or libraries are useful in your work,
please cite _and_ acknowledge them. For citation and acknowledgment
guidelines, run the relevant programs with a `--cite' option (it can
be different for different programs, so run it for all the programs
you use). Citations _and_ acknowledgments are vital for the continued
work on Gnuastro, so please don't forget to support us by doing so.

This tarball was bootstrapped (created) with the tools below. Note
that you don't need these to build Gnuastro from the tarball, these
are the tools that were used to make the tarball itself. They are only
mentioned here to be able to reproduce/recreate this tarball later.
  Texinfo 6.8
  Autoconf 2.71
  Automake 1.16.4
  Help2man 1.48.5
  ImageMagick 7.1.0-9
  Gnulib v0.1-4944-g7fc3219bc
  Autoconf archives v2021.02.19-29-g0fbee2a

The dependencies to build Gnuastro from this tarball on your system
are described here:
  https://www.gnu.org/s/gnuastro/manual/html_node/Dependencies.html

Best wishes,
Mohammad
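The announcement above publishes its SHA256 checksums base64-encoded and without `=` padding, while `sha256sum` prints hex, so a naive string comparison never matches. The following is an added example, not part of the announcement or of Gnuastro, that converts between the two forms (re-adding the padding that base64 decoding requires) and compares a downloaded file's digest to the announced value in constant time. The announced values are taken from the message; the sample file bytes are constructed. The GPG signature check the announcement describes remains the authoritative verification; checksums only confirm the download is intact.

```python
import base64
import hashlib
import hmac

# Values copied from the release announcement above.
ANNOUNCED_SHA256_B64 = {
    "gnuastro-0.16.tar.lz": "B4hftfYuyc7x3I6aEJ2SQlkp6x7zOOrPz/bK2koGuR8",
    "gnuastro-0.16.tar.gz": "kMEdJbsFrRNxDLX4EXntgXNgikJv3/2LIEWGLV/e4i0",
}


def b64_to_hex(digest_b64: str) -> str:
    """Base64 digest (padding optional) -> the lowercase hex that sha256sum prints.
    A 32-byte digest is 43 base64 characters, so one '=' must be restored."""
    padded = digest_b64 + "=" * (-len(digest_b64) % 4)
    raw = base64.b64decode(padded, validate=True)
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError(f"not a SHA256 digest: {len(raw)} bytes")
    return raw.hex()


def hex_to_b64(digest_hex: str) -> str:
    """Hex digest -> unpadded base64, the form used in the announcement."""
    return base64.b64encode(bytes.fromhex(digest_hex)).decode("ascii").rstrip("=")


def sha256_b64(data: bytes) -> str:
    """Digest of raw file bytes in the announcement's base64 form."""
    return hex_to_b64(hashlib.sha256(data).hexdigest())


def verify_announced(data: bytes, announced_b64: str) -> bool:
    """True if the file bytes match the announced base64 SHA256."""
    actual_hex = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual_hex, b64_to_hex(announced_b64))


if __name__ == "__main__":
    for name, b64 in ANNOUNCED_SHA256_B64.items():
        print(f"{b64_to_hex(b64)}  {name}")  # paste-comparable with sha256sum
    sample = b"constructed stand-in for tarball bytes"  # not a real tarball
    print("sample matches its own digest:", verify_announced(sample, sha256_b64(sample)))
```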