Security

Security: The New Kubernetes, Updates and More on Quora

Filed under
Security
  • Kubernetes 1.13 Improves Cloud-Native Storage Features

    Kubernetes 1.13 was released on Dec. 3, providing users of the popular open-source cloud-native platform with new features to make it easier to manage, deploy and operate containers in production.

    Among the features that are now generally available in Kubernetes 1.13 is the kubeadm administration tool for configuring services. The Container Storage Interface is another new generally available feature, providing a stable abstraction layer for different third-party storage plug-ins. Additionally, with Kubernetes 1.13, CoreDNS is now the default DNS (Domain Name Server) technology, replacing KubeDNS.

  • Kubernetes Alert: Security Flaw Could Enable Remote Hacking
  • On demand webcast: DevOps and security – you don't have to play open source whack-a mole
  • Security updates for Tuesday
  • [Intruders] breach Quora.com and steal password data for 100 million users

    Compromised information includes cryptographically protected passwords, full names, email addresses, data imported from linked networks, and a variety of non-public content and actions, including direct messages, answer requests and downvotes. The breached data also included public content and actions, such as questions, answers, comments, and upvotes. In a post published late Monday afternoon, Quora officials said they discovered the unauthorized access on Friday. They have since hired a digital forensics and security firm to investigate and have also reported the breach to law enforcement officials.

  • Quora says [intruders] stole [sic] up to 100 million users’ data

    Quora said it discovered last week that [intruders] broke into its systems and were able to make off with data on up to 100 million users. That data could have included a user’s name, email address, and an encrypted version of their password. If a user imported data from another social network, like their contacts or demographic information, that could have been taken too.

Kali Linux for the Gemini PDA

Filed under
GNU
Linux
Security
Gadgets

Being basically a pimped up cell phone requires a convergence of Linux (glibc) and Android (bionic) to drive the hardware not yet natively supported by GNU/Linux. We are using components from the Halium project to achieve that.

Bringing GNU/Linux to the Gemini PDA, or any other mobile platform, is in the very early stages and some of it still needs a bit of work, such as data and voice support, GPS, power management, etc. There is currently one known issue with the Gemini having occasional issues when shutting down. The community is currently working on it.

Overall, it’s a very stable experience thanks to the hard work of the Sailfish and Gemian communities, in particular TheKit and adam_b, who brought Gemian to the Gemini PDA and helped a lot with this project.

Read more

Security: Quora Cracked and Kubernetes/OpenShift Patched

Filed under
Security
  • Quora Hacked: Data Of 100 Million Users Stolen

    In an official blog post, Quora announced that on Friday it found that user data of about 100 million users was compromised. Some unauthorised third party gained access to the company’s systems.

  • Quora Security Update

    We recently discovered that some user data was compromised as a result of unauthorized access to one of our systems by a malicious third party. We are working rapidly to investigate the situation further and take the appropriate steps to prevent such incidents in the future.

    We also want to be as transparent as possible without compromising our security systems or the steps we're taking, and in this post we’ll share what happened, what information was involved, what we're doing, and what you can do.

    We're very sorry for any concern or inconvenience this may cause.

  • What OpenShift Online customers should know about the recent Kubernetes bugs

    On December 3rd, 2018, the Kubernetes Product Security team released information about a vulnerability in Kubernetes. This issue is assigned CVE-2018-1002105 and given a security impact of Critical by Red Hat Product Security. Red Hat OpenShift is built upon Kubernetes and as such these bugs were also present in Red Hat OpenShift Container Platform, Red Hat OpenShift Online and Red Hat OpenShift Dedicated.

  • The Kubernetes privilege escalation flaw: Innovation still needs IT security expertise

    IT security matters at every level of the enterprise technology stack, from the foundation of the infrastructure up through to the mission-critical applications and services exposed to end users. This need persists regardless of whether a technology is commoditized or at the leading edge - in short, IT security always matters.

    For open source software that is often pushing innovations used by modern organizations, such as Linux, hybrid cloud, container, and Kubernetes technologies, this balance between innovation and security and stability is a significant part of the value a Red Hat subscription can offer. Security flaws can occur in any piece of software (or beyond software, as 2018 has taught us well). When they do, Red Hat is committed to delivering as quickly as it can both patches to customers and fixes to upstream open source projects.

  • Understanding the critical Kubernetes privilege escalation flaw in OpenShift 3
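The "Kubernetes Alert" item above and the three OpenShift items all concern the same flaw, CVE-2018-1002105, and the first thing a cluster operator wants to know is whether the API server is already on a patched release. The following is an added example for this page, not code from the Kubernetes, Red Hat or OpenShift projects. The fixed releases it encodes are the ones named in the upstream advisory (kubernetes/kubernetes issue 71411): v1.10.11, v1.11.5, v1.12.3, and v1.13.0-rc.1 onward. The `kubectl version -o json` document it parses is constructed for the example, not captured from a cluster.

```python
"""Is this Kubernetes API server at or past the release that fixes
CVE-2018-1002105?

Added example for this page; not code from the Kubernetes, Red Hat or
OpenShift projects.  The fixed releases come from the upstream
advisory (kubernetes/kubernetes issue 71411).  The kubectl output
below is constructed for the example, not captured from a cluster.
"""
import json
import re

# minor release -> first patch release carrying the fix
FIXED_PATCH = {10: 11, 11: 5, 12: 3, 13: 0}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_version(text):
    """Split 'v1.12.2', 'v1.13.0-rc.1' or 'v1.11.0+d4cacc0' into
    (major, minor, patch, prerelease).  Build metadata after '+' is
    ignored, so distribution builds parse too; see the caveat in assess()."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Kubernetes version: {text!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def is_fixed(server_version):
    """True when the upstream version string is at or past the fix."""
    major, minor, patch, pre = parse_version(server_version)
    if major != 1:
        return major > 1
    if minor < min(FIXED_PATCH):
        return False          # 1.9 and older were out of support; no fix
    if minor > max(FIXED_PATCH):
        return True           # every later minor branched after the fix
    needed = FIXED_PATCH[minor]
    if patch != needed:
        return patch > needed
    if pre is None:
        return True           # the final patch release itself
    # Only 1.13.0 had pre-releases after the fix (rc.1 onward); alpha and
    # beta builds of 1.13.0, and pre-releases of the other patch levels,
    # predate it.
    return minor == 13 and pre.startswith("rc.")


def assess(kubectl_version_json):
    """Take the document printed by `kubectl version -o json` and report
    on serverVersion.gitVersion.  Caveat: distributions such as OpenShift
    backport fixes into builds whose gitVersion keeps the upstream patch
    number (e.g. 'v1.11.0+d4cacc0'), so 'not fixed' for such a build
    means 'check the vendor errata', not 'vulnerable'."""
    doc = json.loads(kubectl_version_json)
    version = doc["serverVersion"]["gitVersion"]
    return {
        "server_version": version,
        "fixed_upstream": is_fixed(version),
        "vendor_build": "+" in version,
    }


# Constructed sample: an unpatched upstream 1.12 cluster.
SAMPLE_KUBECTL_VERSION = json.dumps({
    "clientVersion": {"gitVersion": "v1.13.0"},
    "serverVersion": {"gitVersion": "v1.12.2", "platform": "linux/amd64"},
})

if __name__ == "__main__":
    print(assess(SAMPLE_KUBECTL_VERSION))
```

Run it against `kubectl version -o json` from each cluster you operate; a `vendor_build` of true is the signal to stop trusting the upstream patch number and read the distribution's own advisory instead, which for OpenShift is exactly what the Red Hat posts above are.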

Qt 5.11.3 Released with Important Security Updates

Filed under
KDE
Security

Qt 5.11.3 is released today. As a patch release it does not add any new functionality, but provides important bug fixes, security updates and other improvements.

Compared to Qt 5.11.2, the Qt 5.11.3 release provides fixes for over 100 bugs and it contains around 300 changes in total. For details of the most important changes, please check the Change files of Qt 5.11.3.

Read more

Security: Marriott Breach, Oscilloscopes' Backdoor Accounts, NSA Back Doors and Broken Windows Patches

Filed under
Security
  • What the Marriott Breach Says About Security

    On this point, as with many others related to Internet security and privacy, I found it hard to argue with the opinion of my home state Senator Mark Warner (D-Va.), who observed:

    “It seems like every other day we learn about a new mega-breach affecting the personal data of millions of Americans. Rather than accepting this trend as the new normal, this latest incident should strengthen Congress’ resolve. We must pass laws that require data minimization, ensuring companies do not keep sensitive data that they no longer need. And it is past time we enact data security laws that ensure companies account for security costs rather than making their consumers shoulder the burden and harms resulting from these lapses.”

  • The week in security: Marriott mega-breach a reminder about ever-present threat

    Lines of succession vary from company to company, but new research showed a spread of opinions about who is best qualified to become the next CEO (hint: CIOs are pretty ambitious). But do CISOs have what it takes?

    The UK’s GCHQ shared information about how it decides whether to report a security bug or keep it secret.

    One security expert was advising that there isn’t much difference between internal and external threats – and that we should stop trying to defend against them as though they are completely separate things.

  • Digital Oscilloscope Comes with Backdoor Accounts, Old Software Components

    Some digital oscilloscopes that can communicate over the network fail to provide a minimum of security protections and allow unfettered access to unauthorized users.

    Oscilloscopes are laboratory instruments that can measure how an electrical signal changes over time by showing a waveform representation. They are widely considered the center of an electronic lab bench since they are useful to any professional doing repairs on electronic gear. So tampering with the values it measures can do a lot of damage, especially in production environments.

  • Hackers Are Using Leaked NSA Tools To Target Networks
  • Windows 10 v1809 Faces yet another Upgrade Block with Anti-Malware Solution Morphisec

    Microsoft’s October 2018 update for Windows 10 has been like none other this time – full of issues and problems. It has caused it to gain notoriety for all the wrong reasons. The software giant has unfortunately failed to call it a day. Yet another issue has been discovered in the update. Windows 10 version 1809 has encountered yet another problem which has also been added to the list of known problems on the update history page. The issue that has sprung up this time relates to anti-malware solution Morphisec. The update history page states that this not only includes Morphisec but also involves other products that have been built on that SDK:

    “Microsoft and Morphisec have identified an issue on devices that have installed Morphisec Protector or another application that uses the Morphisec Software Development Kit (SDK) including:  Cisco AMP for Endpoints. These applications may impact customers’ ability to save Microsoft Office documents.”

STIBP, collaborate and listen: Linus floats Linux kernel that 'fixes' Intel CPUs' Spectre slowdown

Filed under
Linux
Security

Linus Torvalds has stuck to his “no swearing” resolution with his regular Sunday night Linux kernel release candidate announcement.

Probably the most important aspect of the weekend's release candidate is that it, in a way, improves the performance of STIBP, which is a mitigation that stops malware exploiting a Spectre security vulnerability variant in Intel processors.

In November, it emerged that STIBP (Single Thread Indirect Branch Predictors), which counters Spectre Variant 2 attacks, caused nightmare slowdowns in some cases. The mitigation didn't play well with simultaneous multi-threading (SMT) aka Intel's Hyper Threading, and software would take up to a 50 per cent performance hit when the security measure was enabled.

Read more
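The mitigation state the article is talking about is what the kernel reports in /sys/devices/system/cpu/vulnerabilities/spectre_v2, and from Linux 4.20 that line also names the STIBP mode: "forced" (the blanket setting behind the slowdowns) or "conditional" (applied only to tasks that opt in through prctl or seccomp). The following is an added example for this page, not kernel code or code from the article: it decodes such a line so a host inventory can separate the two states. The sample lines are constructed in the kernel's format; the live-file helper only reads when the sysfs path exists.

```python
"""Decode the kernel's spectre_v2 mitigation line, including the STIBP
mode that Linux 4.20 adds to it.

Added example for this page, not kernel code.  The sample lines below
are constructed in the format of
/sys/devices/system/cpu/vulnerabilities/spectre_v2; the field names
(IBPB, IBRS_FW, STIBP, RSB filling) are the ones the kernel prints.
"""
import os
import re

SYSFS_PATH = "/sys/devices/system/cpu/vulnerabilities/spectre_v2"


def decode_spectre_v2(line):
    """Return a dict describing one spectre_v2 status line.

    Constructed examples of the kernel's format:
      'Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling'
      'Vulnerable'
      'Not affected'
    """
    line = line.strip()
    info = {
        "raw": line,
        "status": None,        # Mitigation / Vulnerable / Not affected
        "mitigation": None,    # e.g. 'Full generic retpoline'
        "ibpb": None,          # 'always-on', 'conditional', 'disabled' (4.20+)
        "ibrs_fw": False,
        "stibp": None,         # 'forced', 'conditional', 'disabled' (4.20+)
        "rsb_filling": False,
    }
    head, _, tail = line.partition(":")
    info["status"] = head.strip()
    if info["status"] != "Mitigation":
        return info            # nothing further to decode
    fields = [f.strip() for f in tail.split(",")]
    info["mitigation"] = fields[0]
    for field in fields[1:]:
        m = re.match(r"(IBPB|STIBP):\s*(\S+)", field)
        if m:
            info[m.group(1).lower()] = m.group(2)
        elif field == "IBPB":
            info["ibpb"] = "enabled"   # pre-4.20 kernels print IBPB with no mode
        elif field == "IBRS_FW":
            info["ibrs_fw"] = True
        elif field == "RSB filling":
            info["rsb_filling"] = True
    return info


def stibp_verdict(info):
    """One-line operator summary of the STIBP part of the status."""
    if info["status"] != "Mitigation":
        return info["status"]
    stibp = info["stibp"]
    if stibp is None:
        return "STIBP not reported (pre-4.20 kernel, CPU without STIBP, or enhanced IBRS)"
    if stibp == "forced":
        return "STIBP forced for all tasks: expect the SMT slowdown the article describes"
    if stibp == "conditional":
        return "STIBP conditional: applied only to tasks that opt in (prctl/seccomp)"
    return f"STIBP {stibp}"


def read_live_status(path=SYSFS_PATH):
    """Decode the running kernel's line, or None when the file is absent
    (non-x86 host, old kernel, or a container without sysfs)."""
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return decode_spectre_v2(f.read())


# Constructed sample lines in the kernel's format.
SAMPLE_CONDITIONAL = ("Mitigation: Full generic retpoline, IBPB: conditional, "
                      "IBRS_FW, STIBP: conditional, RSB filling")
SAMPLE_FORCED = "Mitigation: Full generic retpoline, IBPB: always-on, STIBP: forced"
SAMPLE_OLD = "Mitigation: Full generic retpoline, IBPB, IBRS_FW"  # pre-4.20 wording

if __name__ == "__main__":
    for sample in (SAMPLE_CONDITIONAL, SAMPLE_FORCED, SAMPLE_OLD, "Not affected"):
        print(stibp_verdict(decode_spectre_v2(sample)))
    live = read_live_status()
    if live:
        print("this host:", stibp_verdict(live))
```

A host reporting "STIBP: forced" on a 4.20 kernel was booted with the strict user mode; one reporting "conditional" has the behaviour the release candidate introduces, where only tasks that ask for it pay the cost.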

Security: Event-Stream, PewDiePie, Updates and FUD

Filed under
Security
  • Survey: Should Open-Source Repo Maintainers Be Paid? [Ed: Wrongly assuming or insinuating that money assures or motivates or implies integrity]

    GitHub user dominictarr launched the repo in question, Event-Stream, as a “fun” side project: “I created it for fun. I was learning, and learning is fun. I gave it away because it was easy to do so, and because sharing helps learning too. I think most of the small modules on npm were created for reasons like this.”

    But as dominictarr points out, maintaining an open-source repository yields you nothing tangible: “You get literally nothing from maintaining a popular package.” Later in their screed, they strongly suggest paying open-source repo maintainers for their work.

  • Printers pulled into 9100 port attack spew PewDiePie propaganda

    A battle for who owns the YouTube crown for top channel has been waged over the past few months between fans of Swedish video game commentary celebrity Felix “PewDiePie” Kjellberg and of the Bollywood label T-Series.

    This is getting serious: It’s one thing when a fan launches a PewDiePie “Bro Army,” structured to recruit members’ friends and family in order to keep PewDiePie at the top, replete with “Privates” and “Corporals.”

  • Security updates for Monday
  • Open Source Endpoint Management
  • How to mitigate and manage open source risks [Ed: FUD article of the "FOSS is dangerous" type speaks of "Linux creator Linus Turvold"]

pfSense 2.4.4-RELEASE-p1 now available

Filed under
Security
BSD

We are excited to announce the release of pfSense® software version 2.4.4-p1, now available for upgrades!

pfSense software version 2.4.4-p1 is a maintenance release, bringing security patches and stability fixes for issues present in the 2.4.4 release.

Read more

Security: TheHackerGiraffe and Windows Problems/Back Doors

Filed under
Security

Security: NSA Exploit, Marriott, Microsoft Labels FOSS 'Dangerous' (Again)

Filed under
Security