About Tux Machines

Saturday, 23 Feb 19 - Tux Machines is a community-driven public service/news site which has been around for over a decade and primarily focuses on GNU/Linux.

Security: Certificates, Spectre, Switzerland and Dark Overlord

Filed under
Security
  • Cyber-Mercenary Groups Shouldn't be Trusted in Your Browser or Anywhere Else

    Browsers rely on this list of authorities, which are trusted to verify and issue the certificates that allow for secure browsing, using technologies like TLS and HTTPS. Certificate Authorities are the basis of HTTPS, but they are also its greatest weakness. Any of the dozens of certificate authorities trusted by your browser could secretly issue a fraudulent certificate for any website (such as google.com or eff.org). A certificate authority (or other organization, such as a government spy agency) could then use the fraudulent certificate to spy on your communications with that site, even if it is encrypted with HTTPS. Certificate Transparency can mitigate some of the risk by requiring public logging of all issued certificates, but is not a panacea.

  • This is bad: the UAE's favorite sleazeball cybermercenaries have applied for permission to break Mozilla's web encryption

    Now Darkmatter has applied to Mozilla to become a "Certificate Authority," which means they'd get the ability to produce cryptographically signed certificates that were trusted by default by Firefox and its derivatives, giving them the power to produce cyberweapons that could break virtually any encrypted web session (though Certificate Transparency might expose them if they're careless about it).

    And since Moz's root of trust is used to secure Linux updates, this could affect literally billions of operating systems.

  • Spectre is here to stay: An analysis of side-channels and speculative execution

    As a result of our work, we now believe that speculative vulnerabilities on today's hardware defeat all language-enforced confidentiality with no known comprehensive software mitigations, as we have discovered that untrusted code can construct a universal read gadget to read all memory in the same address space through side-channels.

  • Experts Find Serious Problems With Switzerland's Online Voting System Before Public Penetration Test Even Begins

    The public penetration test doesn’t begin until next week, but experts who examined leaked code for the Swiss internet voting system say it’s poorly designed and makes it difficult to audit the code for security and configure it to operate securely.

  • A Decryption Key for Law Firm Emails in Hacked 9/11 Files Has Been Released

    The release of the files was part of an extortion scheme against The Dark Overlord’s hacking victims, and followed the group’s established technique of stealing information and then approaching media outlets with the files in an attempt to exert further pressure on the group’s targets. The Dark Overlord also distributed a set of encrypted folders, ready to be unlocked at a later date, and which they claimed contained more 9/11-linked material.

    Now, around two months after the first data dump, someone has released another encryption key for the third layer of stolen material, which appears to contain thousands of emails, at least some of which are between different law firms.

today's leftovers

Filed under
Misc
  • Postgresql major version upgrade (gentoo)

    Just did an upgrade from postgres 10.x to 11.x on a test machine.

    The guide on the Gentoo Wiki is pretty good, but a few things I forgot at first:

    First off, when initializing the new cluster with "emerge --config =dev-db/postgresql-11.1", make sure the DB init options are the same as the old cluster's. They are stored in /etc/conf.d/postgresql-XX.Y, so just make sure PG_INITDB_OPTS, collation, etc. match; if not, delete the new cluster and re-run emerge --config.

  • Redis Labs Looks to Grow Database Technology for Next Generation Applications

    Despite some open source licensing issues, Redis is moving forward.

    Database technology provides a foundational role in modern applications, and one of the emerging database technologies of the last few years has been Redis.

  • Mozilla Open Innovation Team: Sustainable tech development needs local solutions: Voice tech ideation in Kigali

    Developers, researchers and startups around the globe working on voice-recognition technology face one problem alike: A lack of freely available voice data in their respective language to train AI-powered Speech-to-Text engines.

    Although machine-learning algorithms like Mozilla’s Deep Speech are in the public domain, training data is limited. Most of the voice data used by large corporations is not available to the majority of people, expensive to obtain or simply non-existent for languages not globally spread. The innovative potential of this technology is widely untapped. In providing open datasets, we aim to take away the onerous tasks of collecting and annotating data, which eventually reduces one of the main barriers to voice-based technologies and makes front-runner innovations accessible to more entrepreneurs. This is one of the major drivers behind our project Common Voice.

    Common Voice is our crowdsourcing initiative and platform to collect and verify voice data and to make it publicly available. But to get more people involved from around the world and to speed up the process of getting to data sets large enough for training purposes, we rely on partners — like-minded commercial and non-commercial organizations with an interest to make technology available and useful to all.

  • Mozilla B-Team: happy bmo push day!
  • What if everything you know is wrong?

    An interesting intellectual design challenge is to take a working thing (library, architecture, etc.) and then see what would happen if you reimplemented it in the exact opposite way. Not because you'd use the end result anywhere, but just to see if you can learn something new.

  • Qt Roadmap for 2019

    It’s around this time of the year I sit down to write a blog post about our plans and roadmap for the coming year. Typically, some of the items have already been cooking for a while, but some are still plans in the making. If you want to look into the previous roadmap blog posts, here are the ones I wrote for 2016, 2017 and 2018. There is always more to tell than what would reasonably fit in a blog post, but I’ll try to talk about the most interesting items.

    Before diving any further into the new items planned for 2019, I would like to thank each and every Qt developer for their contribution. We have a great ecosystem with many contributors who have provided multiple extremely valuable contributions throughout the years and continue to shape Qt in the future, too. In addition to those contributing code, we also have many active people in the Qt Project forums, on mailing lists, as well as reviewing code and testing the Qt development releases.

  • Qt Publishes A 2019 Public Roadmap: More Work On WebAssembly, Tooling

    The Qt Company has published a 2019 roadmap of sorts for areas they plan on focusing their resources this 2019 calendar year.

    Their 2019 roadmap doesn't come as a big surprise if considering the areas where they have been focusing a lot of attention recently. For instance, they'll work on maturing the Qt WebAssembly support that was recently introduced for offering Qt access within web browsers via this high-performance, sandbox-secured technology.

Security Leftovers

Filed under
Security

NetBSD Virtual Machine Monitor

Filed under
BSD
  • NetBSD Virtual Machine Monitor

    NVMM provides hardware-accelerated virtualization support for NetBSD. It is made of an ~MI frontend, to which MD backends can be plugged. A virtualization API is shipped via libnvmm, which allows users to easily create and manage virtual machines via NVMM. Two additional components are shipped as demonstrators, toyvirt and smallkern: the former is a toy virtualizer that executes in a VM the 64-bit ELF binary given as argument; the latter is an example of such a binary.

  • NetBSD Gains Hardware Accelerated Virtualization

    NetBSD, the highly portable Unix-like Open Source operating system known for its platform diversity, has gained hardware-accelerated virtualization support via an improved NetBSD Virtual Machine Monitor (NVMM).

GNU Releases: mailutils, cflow, tar and parallel

Filed under
GNU

Devices: AArch64, Siemens/Mentor Embedded Linux (MEL), Raspberry Pi and Xiaomi

Filed under
Hardware
  • We need Arm64 systems for developers. Again.

    Getting AArch64 hardware for developers is important. When will it happen? One day. Maybe even before people forget that such an architecture existed.

    We talk about it during each Linaro Connect. So far nothing serious has come from it. We had some failed attempts like Cello or Husky. There is Synquacer with its own set of issues. Some people use MACCHIATObin. Some still use Applied Micro Mustangs, which should get a place in computer museums.

    It is a chicken-and-egg issue. No one makes affordable AArch64 systems because no one buys them. Because no one makes them. Hardware vendors concentrate on the server market: no chips to choose from for developer systems.

  • Siemens PLM Software announces enterprise Mentor Embedded Linux (MEL) solution

    Siemens PLM Software announced an enterprise Mentor Embedded Linux (MEL) solution that provides electronics manufacturers secure, scalable and configurable distributions for industrial, medical, aerospace and defense applications. This MEL technology is a configurable distribution that provides an operating system platform for embedded systems development and is a result of the continued integration of the recently acquired embedded systems design capabilities from Mentor Graphics. The solution is based on Debian, an enterprise class, open source Linux operating system.

  • Siemens launches new enterprise class embedded Linux solution for embedded systems development

    With the growth of internet of things (IoT) and other smart devices, it is becoming increasingly complex and expensive for manufacturers to develop embedded distributions and applications for these devices based on the Linux® operating system. Siemens PLM Software today announced a new enterprise Mentor® Embedded Linux® (MEL) solution that provides electronics manufacturers secure, scalable and configurable distributions for industrial, medical, aerospace and defense applications. This new MEL technology is a configurable distribution that provides a robust operating system platform for embedded systems development and is a result of the continued integration of the recently acquired embedded systems design capabilities from Mentor Graphics. The solution is based on Debian, a broadly utilized, enterprise class, open source Linux operating system.

  • Raspberry Pi Begins Rolling Out The Linux 4.19 Kernel

    The Raspberry Pi folks have been working the past few months on upgrading their kernel in moving from Linux 4.14 to 4.19. That roll-out has now begun.

    Linux 4.19 has been the target of the Raspberry Pi Foundation due to this newer kernel being a Long-Term Support (LTS) release and thus maintained for the long term. That large jump in the standard kernel version for Raspberry Pi ultimately means less work too for the developers involved: between 4.14 and 4.19, a lot of Raspberry Pi patches and other Broadcom improvements were upstreamed.

  • Raspberry Pi Updates Devices to Linux 4.19
  • Xiaomi’s 2019 goal is to release kernel source code more quickly for all its devices

    Just before MWC 2019, Xiaomi took to the stage at an event in China to launch the new Xiaomi Mi 9 and Mi 9 SE. Both devices represent the best of what the OEM has to offer, bringing in a high-value device at a fraction of the cost of a premium flagship. While this approach lets them appeal to the average consumer, Xiaomi has also been quite developer-friendly, which makes them a good purchase even for those who are looking for a device with a very good third-party development community. Xiaomi does not void the warranty of devices (in India at least) if you unlock the bootloader, and they have worked on significantly bringing down the waiting times for bootloader unlock requests too.

GAFAM: Microsoft's Misappropriation of "Linux", Google 'Invents' Linux Support for Sound, Apple Shuns GNU/Linux

Filed under
Google
Microsoft
Mac

Fedora and SUSE: Fedora Program Management, 'Cloud' and Leap 15.1 Beta

Filed under
Red Hat
SUSE
  • Fedora Community Blog: FPgM report: 2019-08

    Here’s your report of what has happened in Fedora Program Management this week.

    I’ve set up weekly office hours in #fedora-meeting-1. Drop by if you have any questions or comments about the schedule, Changes, elections, or anything else.

  • Webinar: Accelerate and Modernize Container Application Delivery with SUSE

    Do you want to learn about building applications with containers on AWS? Or, would you rather learn more about SUSE Cloud Application Platform? How about learning how Wipro modernizes application delivery for the retail industry? Or how about all three?

  • Is a Services Partner the Key to a Successful IT Transformation?

    Why are Services Partners key to a digital transformation? Recently, SUSE had the chance to catch up with Katy Ring, Research Director, at 451 Research.

  • Leap 15.1 Beta Pizza Party

    The release manager for openSUSE Leap announced that Leap 15.1 entered its Beta phase this week, and that means it’s time for a Beta Pizza Party. Yeah!

    Leap’s Beta phase is a rolling beta until its official release. Once released, it will begin its maintenance phase.

    To celebrate the Beta phase, why not have a Pizza Party and test the openSUSE Leap 15.1 Beta.

No! Ubuntu is NOT Replacing Apt with Snap

Filed under
Ubuntu

Don’t get what I am talking about? Let me give you some context.

There is a ‘blueprint’ on Ubuntu’s Launchpad website, titled ‘Replace APT with snap as default package manager’. It talks about replacing Apt (the package manager at the heart of Debian) with Snap (a new packaging system by Ubuntu).

Also: Full Circle Magazine #142

OpenSUSE Leap 15.1 Beta Is Running Well - Benchmarks On AMD EPYC Workstation

Filed under
Graphics/Benchmarks

With openSUSE Leap 15.1 reaching beta this week I decided to take it for a quick spin of this Linux distribution derived from the same sources as SUSE Linux Enterprise 15 SP1. Here are some quick benchmarks compared to Leap 15.0 as well as the latest rolling-release openSUSE Tumbleweed.

OpenSUSE Leap 15.1 remains under active development and is expected to be officially released in May. But given reaching the beta state and being curious how the performance has evolved compared to openSUSE Tumbleweed, I ran some initial benchmarks of this beta snapshot this week. This preliminary round of tests was done using an AMD EPYC 7351P workstation with ASRockRack EPYCD8-2T, 8 x 4GB DDR4-2666 memory, and 800GB Intel DC P3600 (SSDPE2ME800G4) NVMe solid-state drive. Tests on more hardware will come as the openSUSE Leap 15.1 stable release approaches.


Servers: Red Hat, Kubernetes, OpenShift, WriteFreely and WordPress

Filed under
Server
  • Taking System Monitoring to the Next Level: an Interview with Scalyr CEO Steve Newman [Ed: Linux Journal back to the pre-PIA days of promoting proprietary software?]
  • Time zone data (tzdata): 2018 data format changes and Red Hat Enterprise Linux

    Red Hat Enterprise Linux (RHEL) needs time zone information in order for all applications in the operating system to correctly print local time. The GNU C Library (glibc) makes use of the tzdata package in order to make APIs such as strftime() work correctly, while applications such as /usr/bin/date make use of this information to print the local date.

    The tzdata package contains the data files documenting both current and historic transitions for various time zones around the world. This data represents changes required by local government bodies or by time zone boundary changes, as well as changes to UTC offsets and daylight saving time (DST).

  • Upcoming Silicon Valley OpenShift Commons Gathering, March 11 on Operating at Scale with Speakers Google, Facebook, Uber, Red Hat and Rook

    The OpenShift Commons Gathering brings together experts from all over the world to discuss the container technologies, operators, the operator framework, best practices for cloud-native application developers and the open source software projects that underpin the OpenShift ecosystem to help take us all to the next level in cloud-native computing. This next gathering will feature 400+ developers, project leads, cloud architects, DevOps professionals, sysadmins, and cloud-native practitioners coming together to explore the next steps in making container technologies successful and secure at scale.

  • 7 Key Considerations for Kubernetes in Production

    Today Enterprise IT does not question the value of containerized applications anymore. Given the move to adopting DevOps and cloud native architectures, it is critical to leverage container capabilities in order to enable digital transformation. Google’s Kubernetes (K8s), an open source container orchestration system, has become the de facto standard — and the key enabler — for cloud native applications, and the way they are architected, composed, deployed, and managed. Enterprises are using Kubernetes to create modern architectures composed of microservices and serverless functions which scale seamlessly.

    However, two years of working with Kubernetes for enterprise applications, and large-scale production deployments have taught us valuable real-world lessons about the challenges of Kubernetes in the enterprise, and what it REALLY takes in order to make it ready for prime time and enable organizations to safely bet on Kubernetes to power mission-critical enterprise application. Large and complex enterprises that have invested in container-based applications often struggle to realize the value of Kubernetes and container technology, due to operational or Day-two management challenges. In this post, we share seven fundamental capabilities large enterprises need to instrument around their Kubernetes investments in order to be able to effectively implement it and utilize it to drive their business.

  • Kubernetes job interview questions: How to prepare

    As Kubernetes adoption grows, so does the need for IT pros with the skills and experience needed to run it in production.

    “There’s a strong correlation between the popularity of Kubernetes and the demand for engineers who have in-depth knowledge of the system,” says Leo Shemesh, CTO at Jackpocket.

    Signs suggest that demand for Kubernetes skills is pointing skyward. That creates a tricky proposition for IT executives and hiring managers. Don’t worry, we’re not here to moan and groan about another skills shortage. Actually, Shemesh notes that it’s relatively easy for IT pros to begin learning about Kubernetes, thanks to a wealth of articles and other resources available online, a vibrant open source community, and the commercial platforms and services that sit on top of the Kubernetes project. It’s also relatively simple to start running a single-node cluster on a local machine with Minikube, a good option for getting your hands messy.

  • OpenShift platform seen as biggest IBM gain from Red Hat acquisition

    IBM's acquisition of open source company Red Hat means that Big Blue is betting that the future of cloud computing is hybrid and it has made the purchase to cover its flanks in this area, the technology analyst firm Gartner says.

  • Four Startup Engineering Killers

    Startup engineering is different from any other type of software engineering. It demands short- and medium-term productivity, relative to the “right way” of building systems. It values people who are able to iterate quickly and are comfortable with hacky code. It rewards pragmatism in technology choices versus picking the most hyped — or most stable — technology.

  • Phoronix Test Suite 8.6.1 Released For Open-Source, Cross-Platform Benchmarking

    Phoronix Test Suite 8.6.1 is now available as a minor update over Phoronix Test Suite 8.6-Spydeberg that shipped at the start of February.

  • WriteFreely: Start a blog, build a community

    As more of our lives move online, we become dependent on large services with millions (or billions) of users to communicate with each other. Although we tend to notice problems only when these platforms change a policy, erect a paywall, or suffer a data breach, we can often feel how these mass-broadcast platforms don't always have our best interests in mind and often don't "connect" us in the ways they purport to.

    However, over the past few years, we've also seen a renaissance of small, close-knit online communities. New protocols for building federated social networks, like ActivityPub, are seeing more use, popularized by open source platforms like Mastodon. People still gather on forums to discuss their interests with like-minded people. And even on the large, centralized services, many people use "group" features to have more intimate conversations than they would by sending their latest status update to a wide swath of unrelated people.

    In the blogging world, we've also seen platforms like Medium and Tumblr become more popular, partially because of the networks they offer. With these large platforms, each blog is no longer an "island," but part of a huge community. Yet, like any other closed-source, centralized service, if they make a change that doesn't benefit their users, we're forced to find another platform. That's why I built WriteFreely.

  • WordPress 5.1 Improves Security With Site Health Mechanism

    WordPress 5.1 became generally available on Feb. 21, providing users of the popular open-source blogging and content management system (CMS) with updates to improve site operations and site health.

    WordPress is one of the most widely deployed CMS technologies, powering over 30 percent of all websites on the internet. The new WordPress release follows the open-source project's tradition of naming releases after famous Jazz musicians by code-naming the 5.1 release Betty, after jazz vocalist Betty Carter. Among the key new features in the release is a check to warn users if they are running older, unsupported versions of the PHP programming language that is needed to operate WordPress.

    "Following WordPress 5.0 — a major release which introduced the new block editor — 5.1 focuses on polish, in particular by improving the overall performance of the editor," WordPress founder Matt Mullenweg wrote in a blog post. "In addition, this release paves the way for a better, faster, and more secure WordPress with some essential tools for site administrators and developers."

Linus Torvalds on World Domination (x86 Servers)

Filed under
GNU
Linux
Server
  • Linus Torvalds pulls pin, tosses in grenade: x86 won, forget about Arm in server CPUs, says Linux kernel supremo

    Linux kernel king Linus Torvalds this week dismissed cross-platform efforts to support his contention that Arm-compatible processors will never dominate the server market.

    Responding to interest in Arm's announcement of its data center-oriented Neoverse N1 and E1 CPU cores on Wednesday, and a jibe about his affinity for native x86 development, Torvalds almost abandoned his commitment to civil discourse while doing his best to dampen enthusiasm for a world of heterogeneous hardware harmony.

    "Some people think that 'the cloud' means that the instruction set doesn't matter," Torvalds said in a forum post. "Develop at home, deploy in the cloud. That's bullshit. If you develop on x86, then you're going to want to deploy on x86, because you'll be able to run what you test 'at home' (and by 'at home' I don't mean literally in your home, but in your work environment)."

  • Linus on why x86 won for servers

    Responding to a forum post on upcoming ARM server offerings, Linus Torvalds makes a compelling case for why Linux and x86 completely overwhelmed commercial Unix and RISC...

  • ARM announces Ares

    I can pretty much guarantee that as long as everybody does cross-development, the platform won't be all that stable.

    Or successful.

    Some people think that "the cloud" means that the instruction set doesn't matter. Develop at home, deploy in the cloud.

    That's bullshit. If you develop on x86, then you're going to want to deploy on x86, because you'll be able to run what you test "at home" (and by "at home" I don't mean literally in your home, but in your work environment).

    Which means that you'll happily pay a bit more for x86 cloud hosting, simply because it matches what you can test on your own local setup, and the errors you get will translate better.

    This is true even if what you mostly do is something ostensibly cross-platform like just run perl scripts or whatever. Simply because you'll want to have as similar an environment as possible,

    Which in turn means that cloud providers will end up making more money from their x86 side, which means that they'll prioritize it, and any ARM offerings will be secondary and probably relegated to the mindless dregs (maybe front-end, maybe just static html, that kind of stuff).

    Guys, do you really not understand why x86 took over the server market?

Redis Licence/Licensing Getting Weirder, Swim Openwashing

Filed under
OSS
  • Redis Labs drops Commons Clause for a new license

    Redis Labs is dropping its Commons Clause license in favor of its new "available-source" license: Redis Source Available License (RSAL). This is not an open-source license.

    Redis Labs had used Commons Clause on top of the open-source Apache License to protect its rights to modules added to its 3-Clause-BSD-licensed Redis, the popular open-source in-memory data structure store. But, as Manish Gupta, Redis Labs' CMO, explained, "It didn't work. Confusion reigned over whether or not the modules were open source. They're not open-source."

    So, although it hadn't wanted to create a new license, that's what Redis Labs ended up doing.

    RSAL covers some Redis Modules, which run on top of open-source Redis. The current modules covered by RSAL are: RedisSearch, RedisGraph, RedisJSON, RedisML, and RedisBloom. Redis remains under the BSD license.

  • Redis Labs changes its open-source license — again

    Redis Labs, fresh off its latest funding round, today announced a change to how it licenses its Redis Modules. This may not sound like a big deal, but in the world of open-source projects, licensing is currently a big issue. That’s because organizations like Redis, MongoDB, Confluent and others have recently introduced new licenses that make it harder for their competitors to take their products and sell them as rebranded services without contributing back to the community (and most of these companies point directly at AWS as the main offender here).

    “Some cloud providers have repeatedly taken advantage of successful opensource projects, without significant contributions to their communities,” the Redis Labs team writes today. “They repackage software that was not developed by them into competitive, proprietary service offerings and use their business leverage to reap substantial revenues from these open source projects.”

  • Redis Labs Changing Its Licensing for Redis Modules Again, Raspberry Pi Rolling Out the Linux 4.19 Kernel, Windows Subsystem for Linux Updates Coming, Facebook Removing Its Spyware Onavo VPN from the Google Store and openSUSE Leap 15.1 Beta Pizza Party

    Redis Labs has changed its licensing for Redis Modules again. According to TechCrunch, the new license is called the Redis Source Available license, and as with the previous Commons Clause license, applies only to certain Redis Modules created by Redis Labs. With this license, "Users can still get the code, modify it and integrate it into their applications—but that application can't be a database product, caching engine, stream processing engine, search engine, indexing engine or ML/DL/AI serving engine." The TechCrunch post notes that by definition, an open-source license can't enforce limitations, so this new license technically isn't open source. It is, however, similar to other "permissive open-source licenses", which "shouldn't really affect most developers who use the company's modules".

  • Swim Open Sources Its Machine Learning Platform for Edge Computing [Ed: "Taking the "open core" route" means proprietary software or 'free' bait, so this headline is a tad misleading to say the least]

    Taking the "open core" route, the startup wants the open source community to take its platform in more directions than it's been able to so far.

GNU/Linux Security Leftovers

Filed under
Security
  • Major 9.8 vulnerability affects multiple Linux kernels — CVE-2019-8912 (af_alg_release())

    Our assessment is that the cause is this commit, the introduction of a "sockfs_setattr()" function. This function neglects to null-out values in a structure, making their values usable after exiting from the function (a so-called ‘use-after-free’ error).

  • Linux use-after-free vulnerability found in Linux 2.6 through 4.20.11

    Last week, a Huawei engineer reported a vulnerability present in the early Linux 2.6 kernels through version 4.20.11. The Kernel Address Sanitizer (KASAN) that detects dynamic memory errors within the Linux kernel code was used to uncover the use-after-free vulnerability which was present since early Linux versions.

    The use-after-free issue was found in the networking subsystem’s sockfs code and could lead to arbitrary code execution as a result.

  • Taking Care of Your Personal Online Security (For Paranoids)

    So, use Linux, and preferably coreboot or Libreboot (open source BIOS). You can buy hardware based on the recommendations of well-known and respected (still a bit paranoid) cypherpunk Richard Stallman.

  • Why do PAM projects fail? Tales from the trenches

    Privileged accounts hold the keys to highly sensitive company information and once these credentials are targeted, they can easily lead to a breach of a company’s most valuable assets; from databases to social media and unstructured data. Most enterprises have implemented some form of Privileged Access Management (PAM), but many find these initiatives fail to live up to expectations. Below are some common reasons why a PAM project might fail to meet the initial expectations; coupled with practical insights on how to prevent it from becoming a dud.

  • Sailfish OS: Security and Data Privacy

    Mobile World Congress is back again! Like every single year during the Jolla journey, we are excited to take part in this event. We have had great experiences in the past MWCs; our main drivers for attending are the current and relevant topics discussed during the congress. One of this year's core themes is Digital Trust; "Digital trust analyses the growing responsibilities required to create the right balance with consumers, governments and regulators." It makes us happy that these topics are being discussed, especially since several scandals have recently affected trust in digital solutions.

    At Jolla we work constantly towards providing a secure and transparent solution. Our value towards our customers' privacy is reflected in our values and actions. Back in May of 2018 our CEO Sami Pienimäki wrote a blog post on the GDPR laws passed within the European Union and stated the cornerstones on how Jolla views data privacy. This stand on privacy is not rocket science – the core idea is to respect our customers' privacy and allow them to be in control of their data.

  • Security updates for Friday
  • Which is More Secure: Windows, Linux, or macOS? [Ed: security is not an OS feature but a separate product, insists company that sells "security" as a proprietary software product]
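The two CVE-2019-8912 items above describe a release routine that frees the per-socket object but leaves the owner's pointer to it intact, so a later attribute update dereferences freed memory. The following is an added, user-space model of that bug class and of the one-line fix (clear the pointer after freeing, and check for NULL on the later path). It is not the kernel's af_alg_release()/sockfs_setattr() code: the struct and function names are invented, and instead of a real allocator it uses a tiny pool with a per-object "freed" flag so that the use-after-free is observable deterministically, in the way KASAN's shadow memory makes it observable in the kernel.

```c
/* Added example, not kernel code. Models the pattern from the CVE-2019-8912
 * write-ups: a release function frees an object but does not clear the owning
 * structure's pointer, so a later operation dereferences freed memory.
 * All names are invented for the example. */
#include <stddef.h>
#include <stdio.h>

/* The per-socket object. 'state' is the shadow bookkeeping that stands in for
 * KASAN: 0 = never used, 1 = live, 2 = freed (poisoned). */
struct sk {
    int owner_uid;
    int state;
};

/* The owning structure (the file side of the socket in the real bug). */
struct sock_file {
    struct sk *sk;   /* should be NULL once no socket object is attached */
};

enum { POOL_SIZE = 4 };
static struct sk pool[POOL_SIZE];

/* Stand-in for kmalloc(): hands out a slot that is not currently live.
 * Reusing a freed slot mirrors what a real allocator does, which is exactly
 * why a dangling pointer is dangerous rather than merely stale. */
static struct sk *sk_alloc(int uid)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].state != 1) {
            pool[i].state = 1;
            pool[i].owner_uid = uid;
            return &pool[i];
        }
    }
    return NULL;
}

/* Stand-in for kfree(): poison instead of actually releasing memory. */
static void sk_free(struct sk *sk)
{
    sk->state = 2;
}

/* The KASAN stand-in: 0 if the object is live, -1 if it was freed. */
static int sk_check_access(const struct sk *sk)
{
    return sk->state == 1 ? 0 : -1;
}

/* Vulnerable release: frees the object but leaves f->sk dangling. */
static void release_vulnerable(struct sock_file *f)
{
    sk_free(f->sk);
}

/* Fixed release: free, then clear the pointer so later paths see NULL. */
static void release_fixed(struct sock_file *f)
{
    sk_free(f->sk);
    f->sk = NULL;
}

/* Result codes for the later attribute update. */
enum { SETATTR_OK = 0, SETATTR_NO_SOCKET = -1, SETATTR_USE_AFTER_FREE = -2 };

/* The later operation (a chown on the socket's fd in the real bug). The fix
 * depends on this NULL check being reached with a cleared pointer. */
static int sock_setattr(struct sock_file *f, int new_uid)
{
    if (!f->sk)
        return SETATTR_NO_SOCKET;
    if (sk_check_access(f->sk) != 0)
        return SETATTR_USE_AFTER_FREE;   /* KASAN would report here */
    f->sk->owner_uid = new_uid;
    return SETATTR_OK;
}

/* Allocate, release with the chosen variant, then run the later operation.
 * Returns the setattr result so the two variants can be compared. */
static int run_scenario(int use_fixed_release)
{
    struct sock_file f = { .sk = sk_alloc(1000) };
    if (!f.sk)
        return -99;
    if (use_fixed_release)
        release_fixed(&f);
    else
        release_vulnerable(&f);
    return sock_setattr(&f, 0);
}

int main(void)
{
    printf("vulnerable release: setattr -> %d\n", run_scenario(0));
    printf("fixed release:      setattr -> %d\n", run_scenario(1));
    return 0;
}
```

With the vulnerable release the later update reaches a poisoned object (the model's equivalent of the KASAN report the Huawei engineer saw); with the fixed release it sees NULL and fails cleanly. The same shape applies to any teardown path: after freeing an object that other code can still reach through a longer-lived structure, clear the reference, and make every consumer of that reference tolerate NULL.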

Games: BATTLETECH, Tesla vs Lovecraft and More

Filed under
Gaming

Linux Foundation, Linux 5.0 and Linux 5.1

Filed under
Linux
  • Certified danger

    I suspected the Linux Foundation went to the dark side when they started strange deals with Microsoft. But I'm pretty sure they went to the dark side now.

  • The Most Interesting Highlights To The Linux 5.0 Kernel

    With the Linux 5.0 kernel due out within the next week or two, here's a look back at the biggest end-user facing changes for this kernel release that started out as Linux 4.21.

  • AMDGPU Squeezes In Revised Context Priority Handling For Linux 5.1

    With the Linux 5.1 kernel cycle soon to kick-off, an early batch of fixes for the AMDGPU DRM driver and other fixes were sent in on Thursday to queue along with all of the new functionality being staged in DRM-Next.

    There are a lot of DRM improvements, and new material throughout all the kernel subsystems, queuing up for Linux 5.1. On the AMDGPU side there are AMDGPU DC seamless boot bits, PCI Express bandwidth utilization is now exported to user-space, Vega power management updates, DCC support for scanout surfaces, better page-flipping in DC, and various Vega 20 fixes.

Videos: Manjaro 18.0.3 Cinnamon, Bash Commands and FLOSS Weekly With ClearlyDefined

Filed under
GNU
Linux
  • Manjaro 18.0.3 Cinnamon Run Through

    In this video, we look at Manjaro 18.0.3 Cinnamon.

  • JC’s Favorite BASH Commands

    We chill and look at some cool commands for the BASH terminal and scripts.

  • FLOSS Weekly 518: Clearly Defined

    Carol Smith is the program manager for ClearlyDefined, a project under the Open Source Initiative. ClearlyDefined is an open source project to crowd-source the gathering, curation, and upstreaming of licensing and security (and more) data about free and open source projects.
