Language Selection

English French German Italian Portuguese Spanish

Security

Study: open source groups take security serious

Filed under
OSS
Security

The IT security practices of some open source communities are exemplary, shows a study for the European Commission and European Parliament. Many communities use experts to ensure software security and to help their developers avoid security flaws. “These communities take security serious”, says Alberto Dominguez Serra, one of the authors working for Everis, a IT consultancy.

Read more

Nextcloud 10.0.1 Maintenance Release Improves the Updater, Patches Over 40 Bugs

Filed under
OSS
Security

The Nextcloud developers have released recently the first maintenance update to the Nextcloud 10 series of the open-source and cross-platform self-hosting cloud server forked from ownCloud.

Read more

Microsoft Malware and Spyware, GNU/Linux Routers

Filed under
GNU
Linux
Microsoft
Security
  • ‘We’re From Microsoft and We’ve Been Remotely Watching Your Computer’

    We are going into our third year of living in the Gardens of Taylor. When you come off of the city street and onto this property, you can sometimes get a creepy feeling, like this is familiar in an unpleasant sort of way. It can feel like you’ve just stepped into Stepford Village. Every yard has been manicured to match the ones on either side of it. The edging along all driveways and sidewalks is a perfect two inches across and if a weed or mushroom happens to grow within that etched space, it is gone the next time you look for it.

    Stuff like that just vanishes. Spooky like.

    Fact is, the property manager pays the lawn service to make a drive through every other day in order to take care of any anomalies. Once I got used to it, I became comfortable with living here, being that it’s for people with physical disabilities and age 55 or over.

    On moving-in day, we hadn’t been there an hour before people began to take notice of us from across the street. They would stop just long enough to pretend they weren’t checking us out, then they would be on their way. Some even stopped to help.

    [...]

    Now Claude and Jane both run Linux. Their money is safe, and if anyone calls giving them instructions how to get a virus off of their Windows’ computer, they just laugh and hang up, but not before telling them they run Linux.

    There will come a day, maybe sooner than any of us think, when a scam like this might actually work on a Linux machine. In the past two years we’ve seen stories of Linux servers being compromised, and there is constant news that this or that piece of malicious code might be making its way to Linux computers soon.

    Being prudent, I run both Avast for day-to-day stuff and various Clam iterations for biweekly sweeps for rootkits. I exchange a lot of Windows stuff with my Reglue kids, so that’s only smart. Not that I expect anything to go south in the near future. Everything I’ve seen coming down the Linux pike demands hands-on the target computer to inject the badware.

    Here’s a Helios Helpful Hint: Don’t let someone you don’t know have access to your computer, sans the repair guy.

    However I do believe in preparedness. Jane’s Linux Mint install runs the same security as mine and I administrate it remotely (from home. I’ll get Claude up to speed on Wednesday.

    How long ago was it that many of us gave up on the “disconnected generation?” For a while I didn’t work with people who were so set in their ways that they bucked any suggestion of having to learn something new. And honest-to-goodness, a lady in the neighborhood asked me to make her computer the same way it was when she bought it. That would be the Windows Vista release. Sigh.

    “No ma’am. Not for any amount of money. Sorry.”

    I’m not into any more stress than necessary these days.

    Vista? Really?

  • Security Design: Stop Trying to Fix the User

    Every few years, a researcher replicates a security study by littering USB sticks around an organization's grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as "teachable moments" for others. "If only everyone was more security aware and had more security training," they say, "the Internet would be a much safer place."

    Enough of that. The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things. Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?

  • Security Design: Stop Trying to Fix the User [It says (scroll down) "Getting a virus simply by opening an email was an urban legend, a technically impossible but scary sounding thing to frighten normies with, as late as the 90s. ...Microsoft made that myth real with the first release of Outlook"]
  • A tiny PC as a router

    We needed a router and wifi access point in the office, and simultaneously both I and my co-worker Ivan needed such a thing at our respective homes. After some discussion, and after reading articles in Ars Technica about building PCs to act as routers, we decided to do just that.

    The PC solution seem to offer better performance, but this is actually not a major reason for us.

    We want to have systems we understand and can hack. A standard x86 PC running Debian sounds ideal to use.

    Why not a cheap commercial router? They tend to be opaque and mysterious, and can't be managed with standard tooling such as Ansible. They may or may not have good security support. Also, they may or may not have sufficient functionality to be nice things, such as DNS for local machines, or the full power if iptables for firewalling.

    Why not OpenWRT? Some models of commercial routers are supported by OpenWRT. Finding good hardware that is also supported by OpenWRT is a task in itself, and not the kind of task especially I like to do. Even if one goes this route, the environment isn't quite a standard Linux system, because of various hardware limitations. (OpenWRT is a worthy project, just not our preference.)

Systemd is not Magic Security Dust

Filed under
Linux
Security

Systemd maintainer David Strauss has published a response to my blog post about systemd. The first part of his post is replete with ad hominem fallacies, strawmen, and factual errors. Ironically, in the same breath that he attacks me for not understanding the issues around threads and umasks, he betrays an ignorance of how the very project which he works on uses threads and umasks. This doesn't deserve a response beyond what I've called out on Twitter.

In the second part of his blog post, Strauss argues that systemd improves security by making it easy to apply hardening techniques to the network services which he calls the "keepers of data attackers want." According to Strauss, I'm "fighting one of the most powerful tools we have to harden the front lines against the real attacks we see every day." Although systemd does make it easy to restrict the privileges of services, Strauss vastly overstates the value of these features.

Read more

Why health implants should have open source code

Filed under
OSS
Security

As medical implants become more common, sophisticated and versatile, understanding the code that runs them is vital. A pacemaker or insulin-releasing implant can be lifesaving, but they are also vulnerable not just to malicious attacks, but also to faulty code.

For commercial reasons, companies have been reluctant to open up their code to researchers. But with lives at stake, we need to be allowed to take a peek under the hood.

Over the past few years several researchers have revealed lethal vulnerabilities in the code that runs some medical implants. The late Barnaby Jack, for example, showed that pacemakers could be “hacked” to deliver lethal electric shocks. Jay Radcliffe demonstrated a way of wirelessly making an implanted insulin pump deliver a lethal dose of insulin.

But “bugs” in the code are also an issue. Researcher Marie Moe recently discovered this first-hand, when her Implantable Cardioverter Defibrillator (ICD) unexpectedly went into “safe mode”. This caused her heart rate to drop by half, with drastic consequences.

Read more

Also: Hack Crashes Linux Distros with 48 Characters of Code

Hardware Firewall: Choosing the Right Firewall Distribution

Filed under
GNU
Linux
Security

Over the years I've bought some less than impressive consumer routers, so these days I run my own self-built hardware firewall appliance. Surprisingly, deciding on which option was best for my needs was not as easy as I had hoped.

Building a hardware firewall requires you to decide on the hardware your firewall/router computer operating system will be installed on. Like myself, some people might use an old PC. Others might decide to install their selected firewall operating system onto a rack mount server. However one decides to do this, the completed act of installing this OS onto the dedicated hardware creates a dedicated hardware firewall.

And unlike a software firewall, hardware firewalls serve a single dedicated purpose – to act as a gateway appliance for your network. Having had experience with three popular firewall operating systems in the past, I found that choosing the "right one" is a matter of perspective.

In this article, I'm going to share my experience and overall impressions about those three different firewall solutions. Some of these are highly advanced while others are incredibly easy to use. Each of these solutions share something that I feel good about sharing with my readers. All of the firewalls are easily downloadable without any annoying sign-up pages (I'm looking at you, Sophos).

Read more

Security News

Filed under
Security
  • Security updates for Monday
  • Impossible is impossible!

    Sometimes when you plan for a security event, it would be expected that the thing you're doing will be making some outcome (something bad probably) impossible. The goal of the security group is to keep the bad guys out, or keep the data in, or keep the servers patched, or find all the security bugs in the code. One way to look at this is security is often in the business of preventing things from happening, such as making data exfiltration impossible. I'm here to tell you it's impossible to make something impossible.

    As you think about that statement for a bit, let me explain what's happening here, and how we're going to tie this back to security, business needs, and some common sense. We've all heard of the 80/20 rule, one of the forms is that the last 20% of the features are 80% of the cost. It's a bit more nuanced than that if you really think about it. If your goal is impossible it would be more accurate to say 1% of the features are 2000% of the cost. What's really being described here is a curve that looks like this

  • What is the spc_t container type, and why didn't we just run as unconfined_t?

    If you are on an SELinux system, and run docker with SELinux separation turned off, the containers will run with the spc_t type.

  • The importance of paying attention in building community trust

    Trust is important in any kind of interpersonal relationship. It's inevitable that there will be cases where something you do will irritate or upset others, even if only to a small degree. Handling small cases well helps build trust that you will do the right thing in more significant cases, whereas ignoring things that seem fairly insignificant (or saying that you'll do something about them and then failing to do so) suggests that you'll also fail when there's a major problem. Getting the small details right is a major part of creating the impression that you'll deal with significant challenges in a responsible and considerate way.

    This isn't limited to individual relationships. Something that distinguishes good customer service from bad customer service is getting the details right. There are many industries where significant failures happen infrequently, but minor ones happen a lot. Would you prefer to give your business to a company that handles those small details well (even if they're not overly annoying) or one that just tells you to deal with them?

Systemd bug in the News

Filed under
Linux
Security
  • Systemd bug allows ordinary user to crash Linux systems

    The systemd project is yet to release a fix for a bug that was disclosed on 28 September but at least one GNU/Linux distribution has patched the same.

    The bug, allowing a user to crash a system by using a short command as an ordinary user, was disclosed by a developer named Andrew Ayer.

    After running this command, according to Ayer, "You can no longer start and stop daemons. inetd-style services no longer accept connections. You cannot cleanly reboot the system. The system feels generally unstable (e.g. ssh and su hang for 30 seconds since systemd is now integrated with the login system)."

  • Major Linux distributions suffer from the latest system crippling bug

    A system administrator, Andrew Ayer discovered a crippling bug while working with his Linux System. He reported the issue at length in a blogpost pointing out how anyone could crash Systemd by one single tweet. The system will not collapse as soon as the tweet is rendered on screen by the system. Instead, what it meant was that any Linux distribution could be crippled by a command that can fit into one tweet. He even posted a tweet with the command to prove his point.

Down the rabbit hole, part 3: Linux and Tor are key to ensuring privacy, security

Filed under
Linux
Security

So, I’ve decided I need to improve the privacy and security of my life (especially as it relates to computing). And I’ve come to the conclusion that in order to effectively do this, I need to focus on utilizing open source software as much as possible.

What next?

Let’s start at a very simple, basic level: the operating system of my laptop computers (I don’t actually have a desktop currently, but the same ideas will apply) and how they connect to the internet.

Read more

Syndicate content

More in Tux Machines

Linux Graphics

  • LibRetro's Vulkan PlayStation PSX Renderer Released
    A few days back I wrote about a Vulkan renderer for a PlayStation emulator being worked on and now the code to that Vulkan renderer is publicly available. For those wanting to relive some PlayStation One games this week or just looking for a new test case for Vulkan drivers, the Vulkan renderer for the LibRetro Beetle/Mednafen PSX emulator is now available, months after the LibRetro folks made a Vulkan renderer for the Nintendo 64 emulator.
  • Etnaviv DRM Updates Submitted For Linux 4.10
    The Etnaviv DRM-Next pull request is not nearly as exciting as MSM getting Adreno 500 series support, a lot of Intel changes, or the numerous AMDGPU changes, but it's not bad either for a community-driven, reverse-engineered DRM driver for the Vivante graphics cores.
  • Mesa 12.0.4 Being Prepped For Ubuntu 16.10/16.04
    Ubuntu is preparing Mesa 12.0.4 for Ubuntu Xenial and Yakkety users. It's not as great as Mesa 13, but at least there are some important fixes back-ported. Mesa 12.0.4 is exciting for dozens of bug fixes, including the work to offer better RadeonSI performance. But with Mesa 12.0.4 you don't have the RADV Vulkan driver, OpenGL 4.5, or the other exciting Mesa 13 work.

Games for GNU/Linux

Mageia 5.1 Released, Tumbleweed's Latest, Most Secure

The Mageia project today announced the release of stopgap version 5.1, an updated "respin" of 5.0 and all updates. The Daily Dot posted their picks for the most sure operating systems and the Hectic Geek is "quite pleased" with Fedora 25. Matthew Garrett chimed in on Ubuntu unofficial images and Dedoimedo reviewed Fedora-based Chapeau 24. Read more

SparkyLinux 4.5 is out

There is an update of SparkyLinux 4.5 “Tyche” available now. As before, Sparky “Home” editions provide fully featured operating system based on Debian ‘testing’ with desktops of your choice: LXDE, LXQt, KDE, MATE and Xfce. Read more