

Improving Security for Bugzilla


Openness, transparency, and security are all central to the Mozilla mission. That’s why we publish security bugs once they’re no longer dangerous, and it’s why we’re writing a blog post about unauthorized access to our infrastructure. We have notified the relevant law enforcement authorities about this incident, and may take additional steps based on the results of any further investigations.


Google Chrome Turns Seven, Advances with Security and Performance Gains


After seven years of development, Google continues its rapid pace of release and enhancement for its Chrome browser. On the seventh anniversary of the first Chrome public release on September 2, Google released Chrome stable version 45 and Chrome beta 46.

Google Chrome debuted on September 2, 2008 after months of speculation about Google's intentions regarding entering the browser market. The first Chrome browser entered the market at a time when Microsoft's IE still dominated, though Firefox was making a dent in that market share. Today, according to multiple sets of stats, including Statcounter, Google Chrome stands as the world's most popular web browser.



Security Leftovers

  • Sick of memorizing passwords? A Turing Award winner came up with this algorithmic trick

    Manuel Blum, a professor of computer science at Carnegie Mellon University who won the Turing Award in 1995, has been working on what he calls "human computable" passwords that are not only relatively secure but also don't require us to memorize a different one for each site. Instead, we learn ahead of time an algorithm and a personal, private key, and we use them with the website's name to create and re-create our own unique passwords on the fly for any website at any time.

  • Car thieves use 'mystery device' to break into vehicles

    A car manufacturer recalled more than a million cars following security concerns about car hacking, as the National Insurance Crime Bureau issued an alert about a "mystery device" being used to break into vehicles by defeating the electronic locking system of later-model cars.

    So-called connected car "convenience technology" could put consumers at risk.

    "Right now, what has happened is the digital key fob has become a way for someone to steal your car," NICB investigator James "Herb" Price said.

  • Security Considerations When Moving from VMs to Containers

    We recently ran a sponsored series from Fox Technologies on We want to thank the company for its support and for sharing useful information for SysAdmins and developers alike. Fox Technologies is continuing the conversation with a free webinar September 17 that will address security considerations in moving from VMs to containers. More information about this webinar is below.

OpenSSL Security: A Year in Review


Over the last 10 years, OpenSSL has published advisories on over 100 vulnerabilities. Many more were likely silently fixed in the early days, but in the past year our goal has been to establish a clear public record.


Also: Tuesday's security advisories

Linux Foundation publishes best practices for secure workstations

Security Leftovers

  • Security updates for Monday
  • Luxembourg to list European IT security policies

    The government of Luxembourg aims to make an inventory of policies on IT security and data protection in the EU Member States. The study is one of the priorities of Luxembourg’s presidency of the EUPAN network, an informal network of European public administration representatives.

  • Indian mobile broadband clients can make Linux system vulnerable to attacks
  • Why is Windows lying about what root certificates it trusts?

    Starting with Windows Vista, a new AutoUpdate mechanism was added, allowing these trusted root certificates to be seamlessly downloaded on first use.

    Why does this matter? Because the incomplete information shown by Windows leads many people (including some security professionals) to believe that Windows trusts only a dozen or two root certificates out of the box, rather than hundreds.

  • Linux Foundation's security checklist can help sysadmins harden workstations

    If you're a Linux user, especially a systems administrator, the Linux Foundation has some security tips to share with you, and they're quite good.

    Konstantin Ryabitsev, the Foundation's director of collaborative IT services, published the security checklist that the organization uses to harden the laptops of its remote sysadmins against attacks.

    The recommendations aim to balance security decisions with usability and are accompanied by explanations of why they were considered. They also have different severity levels: critical, moderate, low and paranoid.

  • Linux Foundation releases PARANOID internal infosec guide

    Linux Foundation project director Konstantin Ryabitsev has publicly-released the penguinistas' internal hardening requirements to help sysadmins and other paranoid tech bods and system administrators secure their workstations.

    The baseline hardening recommendations are designed to balance security and convenience for its many remote admins, rather than being a full-blown security document.

  • Linux workstation security checklist

    This is a set of recommendations used by the Linux Foundation for their systems administrators. All LF employees are remote workers, and we use this set of guidelines to ensure that a sysadmin's system passes core security requirements in order to reduce the risk of it becoming an attack vector against the rest of our infrastructure.

  • Seriousness of the OPM Data Breach Disputed

    On April 15, 2015, officials of the Office of Personnel Management realized they had been hacked and the records of 4.2 million current and former employees had been stolen. Later investigations by OPM determined in early June that the number affected is 21.5 million, for whom sensitive information, including Social Security Numbers (SSNs), was stolen from the background investigation databases.

    This was the biggest breach of United States government data in history. Reports point to China as the source of the breach, but the Administration has not formally accused China.

  • Automakers fight car hacking bill - Computer Fraud and Abuse Act takes some blows

    You might think the effort to fortify cars’ cybersecurity could possibly make strange bedfellows out of automakers and safety advocates, what with all the recent reports basically amounting to the conclusion that a whole car can be hacked. But you’d be wrong.

  • Oracle, still clueless about security

    Oracle’s chief security officer, Mary Ann Davidson, recently ticked off almost everyone in the security business. She proclaimed that you had to do security “expertise in-house because security is a core element of software development and you cannot outsource it.” She continued, “Whom do you think is more trustworthy? Who has a greater incentive to do the job right — someone who builds something, or someone who builds FUD around what others build?”

  • Grsecurity Forced by Multi-Billion Dollar Company to Release Patches Only to Sponsors

    Grsecurity is a well-known set of patches for the Linux kernel, which greatly enhance the ability of the system to withstand various security threats. As you can imagine, there are many companies that want to use Grsecurity, and they need to follow the accompanying GPL license. They are not doing that, and now Grsecurity needs to take some drastic action.

  • BitTorrent patched against flaw that allowed crippling DoS attacks
  • GitHub wobbles under DDOS attack

    GitHub is under a distributed-denial-of-service attack being perpetrated by unknown actors.

    The service's status page reported "a brief capacity overload" early on Tuesday. The site's assessment of the incident was later upgraded to a DDoS, and at the time of writing the site is at code yellow.

  • CERT Warns of Hard-Coded Credentials in DSL SOHO Routers
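
On the Windows root certificate item above: the in-box Root store is not the whole trust set, because roots listed in the Windows Update certificate trust list (CTL) are fetched the first time a chain needs them. The following PowerShell check is an added example, not code from the linked article. It assumes a Windows 8.1 / Server 2012 R2 or newer host where certutil -generateSSTFromWU is available and can reach Windows Update, and that the "Turn off Automatic Root Certificates Update" policy is stored as the DisableRootAutoUpdate value under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot. It downloads the CTL roots into an .sst file, counts them against what the local store shows, and lists the roots that would be trusted on demand without ever appearing in certmgr.

```powershell
# Added example, not from the article: measure how many roots Windows will
# actually trust versus how many the local Root store currently shows.
# Assumes Windows 8.1 / Server 2012 R2 or newer (certutil -generateSSTFromWU)
# and network access to Windows Update. Run from an elevated prompt.

$sst = Join-Path $env:TEMP 'wu-roots.sst'
certutil.exe -generateSSTFromWU $sst | Out-Null
if (-not (Test-Path $sst)) { throw "certutil did not produce $sst" }

# Load the downloaded CTL roots; an .sst file is a serialized certificate store.
$wuRoots = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$wuRoots.Import($sst)

# What certmgr.msc / Get-ChildItem shows on this machine right now.
$localRoots  = Get-ChildItem Cert:\LocalMachine\Root
$localThumbs = @($localRoots | ForEach-Object { $_.Thumbprint })

# Roots not in the local store yet, but pulled in automatically on first use.
$onDemand = @($wuRoots | Where-Object { $localThumbs -notcontains $_.Thumbprint })

"Roots in Cert:\LocalMachine\Root : $($localRoots.Count)"
"Roots in the Windows Update CTL  : $($wuRoots.Count)"
"Trusted on demand, not shown     : $($onDemand.Count)"
$onDemand | Sort-Object Subject | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize

# Policy check (assumed key): 'Turn off Automatic Root Certificates Update'
# sets DisableRootAutoUpdate to 1. Only then is the local store the whole trust set.
$polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$pol = Get-ItemProperty -Path $polPath -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableRootAutoUpdate -eq 1) {
    'Automatic root update is disabled by policy; the local store is the whole trust set.'
} else {
    'Automatic root update is enabled (default); the CTL roots above are trusted on first use.'
}
```

The count from the local store grows over time as roots are fetched, so the gap between the two numbers is largest on a freshly installed machine. Disabling automatic root update closes the gap but also stops new and replacement roots from being delivered, so it is a trade-off to make deliberately, not a free hardening step.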


Security Leftovers

  • Friday's security updates
  • Security updates for Thursday
  • nsenter gains SELinux support

    nsenter is a program that allows you to run a program in the namespaces of other processes

  • Iceland boosts ICT security measures, shares policy

    Iceland aims to shore up the security of its ICT infrastructure by raising awareness and increasing resilience. And next to updating its legislation, Iceland will also bolster the police’s capabilities to tackle cybercrime.

  • A Project to Guarantee Better Security for Open-Source Projects

    Open-source developers, however, can take steps to help catch these vulnerabilities before software is released. Secure development practices can catch many issues before they become full-blown problems. But, how can you tell which open-source projects are following these practices? The Core Infrastructure Initiative has launched a new "Best Practice Badge Program" this week to provide a solution by awarding digital badges to open-source projects that are developed using secure development practices.
