
Security

Security: Macs Being Attacked by Windows Malware, Linux Attacked by Sensationalist Headlines

Security: Massive Data Dump, VFEmail, Docker, Latest Updates and Antivirus Software as Risk

Mozilla: Tails 3.12, Better Testing of Firefox and Complaint About Facebook

  • Tails 3.12.1 is out

    This release is an emergency release to fix a critical security vulnerability in Firefox.

    It also fixes other security vulnerabilities. You should upgrade as soon as possible.

  • Mozilla to use machine learning to find code bugs before they ship

    In a bid to cut the number of coding errors made in its Firefox browser, Mozilla is deploying Clever-Commit, a machine-learning-driven coding assistant developed in conjunction with game developer Ubisoft.

    Clever-Commit analyzes code changes as developers commit them to the Firefox codebase. It compares them to all the code it has seen before to see if they look similar to code that the system knows to be buggy. If the assistant thinks that a commit looks suspicious, it warns the developer. Presuming its analysis is correct, it means that the bug can be fixed before it gets committed into the source repository. Clever-Commit can even suggest fixes for the bugs that it finds. Initially, Mozilla plans to use Clever-Commit during code reviews, and in time this will expand to other phases of development, too. It works with all three of the languages that Mozilla uses for Firefox: C++, JavaScript, and Rust.

    The tool builds on work by Ubisoft La Forge, Ubisoft's research lab. Last year, Ubisoft presented the Commit-Assistant, based on research called CLEVER, a system for finding bugs and suggesting fixes. That system found some 60-70 percent of buggy commits, though it also had a false positive rate of 30 percent. Even though this false positive rate is quite high, users of this system nonetheless felt that it was worthwhile, thanks to the time saved when it did correctly identify a bug.

  • Facebook Answers Mozilla’s Call to Deliver Open Ad API Ahead of EU Election

    After calls for increased transparency and accountability from Mozilla and partners in civil society, Facebook announced it would open its Ad Archive API next month. While the details are still limited, this is an important first step to increase transparency of political advertising and help prevent abuse during upcoming elections.

    Facebook’s commitment to make the API publicly available could provide researchers, journalists and other organizations the data necessary to build tools that give people a behind the scenes look at how and why political advertisers target them. It is now important that Facebook follows through on these statements and delivers an open API that gives the public the access it deserves.

    The decision by Facebook comes after months of engagement by the Mozilla Corporation through industry working groups and government initiatives and most recently, an advocacy campaign led by the Mozilla Foundation.

    This week, the Mozilla Foundation was joined by a coalition of technologists, human rights defenders, academics, journalists demanding Facebook take action and deliver on the commitments made to put users first and deliver increased transparency.

    “In the short term, Facebook needs to be vigilant about promoting transparency ahead of and during the EU Parliamentary elections,” said Ashley Boyd, Mozilla’s VP of Advocacy. “Their action — or inaction — can affect elections across more than two dozen countries. In the long term, Facebook needs to sincerely assess the role its technology and policies can play in spreading disinformation and eroding privacy.”

Security: Dirty FUD, Microsoft Holes, USB Cables as a Risk

Security: Apple, 'Cloud', Containers and More FUD

Security: Class Action Against Apple, Massive Data Dumps, More on CVE-2019-5736

  • Apple sued because two-factor authentication is inconvenient

    A class-action lawsuit, filed by one Jay Brodsky in California, takes issue with the fact that two-factor authentication (2FA) can't be disabled after two weeks of use, which "imposes an extraneous logging in procedure that requires a user to both remember password; and have access to a trusted device or trusted phone number." Yep, that's 2FA alright.

  • Apple being sued because two-factor authentication on an iPhone or Mac takes too much time

    The suit, filed by Jay Brodsky in California, alleges that Apple doesn't get user consent to enable two-factor authentication. Furthermore, once enabled, two-factor authentication "imposes an extraneous logging in procedure that requires a user to both remember password; and have access to a trusted device or trusted phone number" when a device is enabled.

  • 617M Hacked Accounts Up For Sale To Make “Life Easier” For Hackers

    A hacker is selling 617 million stolen accounts online collected from 16 popular websites on Dream Market Cybersouk which can be accessed on the Tor network.

    As reported by The Register, the data can be purchased for less than $20,000 in Bitcoin and comprises account holder names, passwords, and email IDs. Buyers need to crack the hashed, one-way encrypted passwords before using them.

  • 620 million accounts stolen from 16 hacked websites now for sale on dark web, seller boasts

    Some 617 million online account details stolen from 16 hacked websites are on sale from today on the dark web, according to the data trove's seller.

    For less than $20,000 in Bitcoin, it is claimed, the following pilfered account databases can be purchased from the Dream Market cyber-souk, located in the Tor network:

    Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million), and DataCamp (700,000).

    Sample account records from the multi-gigabyte databases seen by The Register appear to be legit: they consist mainly of account holder names, email addresses, and passwords. These passwords are hashed, or one-way encrypted, and must therefore be cracked before they can be used.

  • Researchers Warn of Malicious Container Escape Vulnerability

    A new serious vulnerability in container technology was publicly reported on Feb. 11, one that could potentially enable an attacker to gain unauthorized access to the host operating system.

    Container technology led by the Docker engine has become increasingly popular in recent years as a way to build and deploy applications into isolated segments, on top of a server operating system. At the core of the modern container technology stack is a low-level component known as runc, which spawns and runs containers. The new CVE-2019-5736 vulnerability is a flaw in runc that could enable a malicious container to escape the confines of its isolated process segment.

  • PyPy v7.0.0, Vulnerability Affecting runc and Container Technologies, Ubuntu for ARM-based Windows Laptops, antiX MX v18.1

    A vulnerability was just discovered (CVE-2019-5736) affecting runc and the management of container technologies which include Docker, cri-o, containerd, Kubernetes, etc. Learn more about this security hole and the ways it is being patched here.

  • Container Bug Allows Attackers to Gain Root Access on Host Machine

Security: Windows, Microsoft, Kubernetes and GNU/Linux

  • Hackers Are Using Windows .EXE File To Infect MacOS
  • Protecting the Logical Security of a Network Environment

    Microsoft Has Made Home Users More Vulnerable by Removing Local Security Policy Editor

    For years, Microsoft Windows provided two key methods for implementing logical security: Local Security Policy Editor (Group Policy Editor in the server environment) and the Advanced Firewall. Unfortunately, Microsoft has now removed the Local Security Policy Editor from Windows 10 Home edition. Microsoft provides it only in the Professional edition, which is a huge security mistake.

  • Runc and CVE-2019-5736

    This morning a container escape vulnerability in runc was announced. We wanted to provide some guidance to Kubernetes users to ensure everyone is safe and secure.

  • Reasonably secure Linux

    Put a lock on your door and they get in through a window. Lock the window and they’ll just smash it. Put bars on the windows and they pick your door lock. Deadbolt the door and they will trick their way in pretending to be the gas man. An analogy, how quaint!

    Computer security can, at times, feel like an arms race between global superpowers. Yet at least with the Linux kernel and open source everything’s out in the open. Indeed, there’s an entire world of developers whose livelihoods depend on the FOSS ecosystem being secured.

  • Meaningful 2fa on modern linux

    So there are a few parts here. AD is for all intents and purposes an LDAP server. The
    is also an LDAP server, that syncs to AD. We don’t care if that’s 389-ds, freeipa or vendor solution. The results are basically the same.

    Now the Linux auth stack uses, and will always use, pam for the authentication, and nsswitch for user id lookups. Today, we assume that most people run sssd, but pam modules for different options are possible.

    There are a stack of possible options, and they all have various flaws.

Security: Updates, SS7, Docker, Thunderbolt, Django

  • Security updates for Monday
  • SS7 Cellular Network Flaw Nobody Wants To Fix Now Being Exploited To Drain Bank Accounts

    Back in 2017, you might recall how hackers and security researchers highlighted long-standing vulnerabilities in Signaling System 7 (SS7, or Common Channel Signalling System 7 in the US), a series of protocols first built in 1975 to help connect phone carriers around the world. While the problem isn't new, a 2016 60 Minutes report brought wider attention to the fact that the flaw can allow a hacker to track user location, dodge encryption, and even record private conversations. All while the intrusion looks like ordinary carrier-to-carrier chatter among a sea of other, "privileged peering relationships."

    Telecom lobbyists have routinely tried to downplay the flaw after carriers have failed to do enough to stop hackers from exploiting it. In Canada for example, the CBC recently noted how Bell and Rogers weren't even willing to talk about the flaw after the news outlet published an investigation showing how, using only the number of his mobile phone, it was possible to intercept the calls and movements of Quebec NDP MP Matthew Dubé.

    But while major telecom carriers try to downplay the scale of the problem, news reports keep indicating how the flaw is abused far more widely than previously believed. This Motherboard investigation by Joseph Cox, for example, showed how, while the attacks were originally only surmised to be within the reach of intelligence operators (perhaps part of the reason intelligence-tied telcos have been so slow to address the issue), hackers have increasingly been using the flaw to siphon money out of targets' bank accounts, thus far predominantly in Europe...

  • Doomsday Docker Security Hole Uncovered

    Red Hat technical product manager for containers, Scott McCarty, warned: "The disclosure of a security flaw (CVE-2019-5736) in runc and docker illustrates a bad scenario for many IT administrators, managers, and CxOs. Containers represent a move back toward shared systems where applications from many different users all run on the same Linux host. Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it. While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies...and that's exactly what this vulnerability represents."

  • Doomsday Docker security hole uncovered
  • It starts with Linux: How Red Hat is helping to counter Linux container security flaws

    The disclosure of a security flaw (CVE-2019-5736) in runc and docker illustrates a bad scenario for many IT administrators, managers, and CxOs. Containers represent a move back toward shared systems where applications from many different users all run on the same Linux host. Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it. A cascading set of exploits affecting a wide range of interconnected production systems qualifies as a difficult scenario for any IT organization and that’s exactly what this vulnerability represents.

    For many Red Hat end users, it’s unlikely that this flaw gets that far. IT organizations using Red Hat Enterprise Linux to underpin their Linux container and cloud-native deployments are likely protected, thanks to SELinux. This vulnerability is mitigated by the use of SELinux in targeted enforcing mode, which prevents this vulnerability from being exploited. The default for SELinux on Red Hat Enterprise Linux 7 is targeted enforcing mode and it is rarely disabled in a containerized environment.

  • Kubernetes, Docker, ContainerD Impacted by RunC Container Runtime Bug

    The Linux community is dealing with another security flaw, with the latest bug impacting the runC container runtime that underpins Docker, cri-o, containerd, and Kubernetes.

    The bug, dubbed CVE-2019-5736, allows an infected container to overwrite the host runC binary and gain root-level code access on the host. This would basically allow the infected container to gain control of the overarching host container and allow an attacker to execute any command.

  • Thunderbolt preboot access control list support in bolt

    Recent BIOS versions enabled support for storing a limited list of UUIDs directly in the thunderbolt controller. This is called the pre-boot access control list (or preboot ACL), in bolt simply called "bootacl". The devices corresponding to the UUIDs in the bootacl will be authorized during pre-boot (and only then) by the firmware. One big caveat about this feature should become obvious now: no device verification can happen because only the UUIDs are stored but not the key, so if you are using SECURE mode but enable preboot ACL in the BIOS you effectively will get USER mode during boot.

    The kernel exposes the bootacl via a per-domain sysfs attribute boot_acl. Every time a device is enrolled, boltd will automatically add it to the bootacl as well. Conversely, if the device is forgotten and it is in the bootacl, boltd will automatically remove it from the bootacl. There is a small complication to these seemingly straightforward operations: in BIOS assist mode, the thunderbolt controller is powered down by the firmware if no device is connected to it. Therefore, when devices are forgotten, boltd might not be able to directly write to the boot_acl sysfs attribute. In a dual boot scenario this is complicated by the fact that another operating system might also modify the bootacl and thus we might be out of sync. As the solution to this, boltd will write individual changes to a journal file if the thunderbolt controller is powered down and re-apply these changes (as well as possible) the next time the controller is powered up.

  • Django security releases issued: 2.1.6, 2.0.11 and 1.11.19

Google: FOSS, Security, and Android

Security: Apple, Social Engineering and SPAM Detection With TensorFlow


More in Tux Machines

qoob – excellent foobar-like music player for Linux

Are you debilitated by the countless music players that use web technologies with a massive RAM footprint? Maybe you want a lean yet slick audio player with a good range of features? You might be interested in qoob. It’s a music player written in the versatile and hugely popular Python programming language. The software uses Qt 5, a cross-platform application framework and widget toolkit for creating classic and embedded graphical user interfaces. qoob is similar to foobar2000, a freeware audio player respected for its highly modular design, breadth of features, and extensive user flexibility in configuration. Unlike foobar, qoob is available for Linux and it’s released under an open source license.

Programming: GStreamer, Rust, Python and More

  • GStreamer 1.15.1 unstable development release
    The GStreamer team is pleased to announce the first development release in the unstable 1.15 release series. The unstable 1.15 release series adds new features on top of the current stable 1.16 series and is part of the API and ABI-stable 1.x release series of the GStreamer multimedia framework. The unstable 1.15 release series is for testing and development purposes in the lead-up to the stable 1.16 series which is scheduled for release in a few weeks time. Any newly-added API can still change until that point, although it is rare for that to happen. Full release notes will be provided in the near future, highlighting all the new features, bugfixes, performance optimizations and other important changes.
  • GStreamer: GStreamer Rust bindings 0.13.0 release
    A new version of the GStreamer Rust bindings, 0.13.0, was released. This new release is the first to include direct support for implementing GStreamer elements and other types in Rust. Previously this was provided via a different crate. In addition to this, the new release features many API improvements, cleanups, newly added bindings and bugfixes.
  • Niko Matsakis: Rust lang team working groups
    Now that the Rust 2018 edition has shipped, the language design team has been thinking a lot about what to do in 2019 and over the next few years. I think we’ve got a lot of exciting stuff on the horizon, and I wanted to write about it.
  • RVowpalWabbit 0.0.13: Keeping CRAN happy
    Another small RVowpalWabbit package update brings us version 0.0.13. And just like Rblpapi yesterday, we have a new RVowpalWabbit update to cope with staged installs which will be a new feature of R 3.6.0. No other changes were made; no new code or features were added.
  • Test automation framework thoughts and examples with Python, pytest and Jenkins
    In this article I'll share some personal thoughts about Test Automation Frameworks; you can take inspiration from them if you are going to evaluate different test automation platforms or assess your current test automation solution (or solutions). Despite it is a generic article about test automation, you'll find many examples explaining how to address some common needs using the Python based test framework named pytest and the Jenkins automation server: use the information contained here just as a comparison and feel free to comment sharing alternative methods or ideas coming from different worlds. It contains references to some well (or less) known pytest plugins or testing libraries too.
  • Basics of Object-Oriented Programming
    In programming, an object is simply a 'thing'. I know, I know...how can you define something as a 'thing'. Well, let's think about it - What do 'things' have? Attributes, right? Let's take a Song for example. A song has attributes! It has a Title, an Artist, a Genre, etc. How about a Dog - A dog has four legs, a color, a name, an owner, and a breed. Though there are millions of Dogs with countless names, owners, etc, the one thing that ties them all together is the very fact that every single one can be described as a Dog. Although this may seem like a not-very informative explanation, these types of examples are what ultimately made me understand Object-oriented programming. The set of activities that an object can perform is an Object's behavior. A dog can bark, wag its tail, sit, and even shake if its owner trains it. In the same way, a programmer can create an object and teach it tricks in order to achieve certain goals. In Ruby (my first programming language), EVERYTHING is an object. This means that every piece of code you encounter can perform certain tricks at your command, some are built into Ruby while others can be created at your disposal. Let's look at a common element in programming, a simple string. As you can see, after the string is defined, I'm able to call different 'methods' or functions on the string I created. Ruby has several built-in methods on common objects (i.e. strings, integers, arrays, and hashes).
  • Hello pytest-play!
    pytest-play is a rec&play (rec not yet available) pytest plugin that lets you execute a set of actions and assertions using commands serialized in JSON format. It tries to make test automation more affordable for non programmers or non Python programmers for browser, functional, API, integration or system testing thanks to its pluggable architecture and third party plugins that let you interact with the most common databases and systems.
  • Nikola v8.0.2 is out!
    Nikola is a static site and blog generator, written in Python. It can use Mako and Jinja2 templates, and input in many popular markup formats, such as reStructuredText and Markdown — and can even turn Jupyter Notebooks into blog posts! It also supports image galleries, and is multilingual. Nikola is flexible, and page builds are extremely fast, courtesy of doit (which is rebuilding only what has been changed).
  • Mu!
    In the past several days, I inaugurated a private Fediverse instance, "Mu", running Pleroma for now. Although Mastodon is the dominant implementation, Pleroma is far easier to install, and uses less memory on small, private instances. By doing this, I'm bucking the trend of people hating to run their own infrastructure. Well, I do run my own e-mail service, so, what the heck, might as well join the Fediverse. So far, it was pretty fun, but Pleroma has problem spots. For example, Pleroma has a concept of "local accounts" and "remote accounts": local ones are normal, into which users log in at the instance, and remote ones mirror accounts on other instances. This way, if users Alice@Mu and Bob@Mu follow user zaitcev@SLC, Mu creates a "remote" account UnIqUeStRiNg@Mu, which tracks zaitcev@SLC, so Alice and Bob subscribe to it locally. This permits sending zaitcev's updates over the network only once. Makes sense, right? Well... I have a "stuck" remote account now at Mu, let's call it Xprime@Mu and posit that it follows X@SPC. Updates posted by X@SPC are reflected in Xprime@Mu, but if Alice@Mu tries to follow X@SPC, she does not see updates that Xprime@Mu receives (the updates are not reflected in Alice's friends/main timeline) [1]. I asked at #pleroma about it, but all they could suggest was to try and resubscribe. I think I need to unsubscribe and purge Xprime@Mu somehow. Then, when Alice resubscribes, Pleroma will re-create a remote, say Xbis@Mu, and things hopefully ought to work. Well, maybe. I need to examine the source to be sure.
  • Django ORM optimization story on selecting the least possible
    This is an optimization story that should not surprise anyone using the Django ORM. But I thought I'd share because I have numbers now! The origin of this came from a real requirement. For a given parent model, I'd like to extract the value of the name column of all its child models, and then turn all these name strings into 1 MD5 checksum string.
  • Reasons Mitogen sucks
    I have a particular dislike for nonspecific negativity, where nothing can be done to address its source because the reasons underlying it are never explicitly described. In the context of Mitogen, there has been a consistent stream of this sort originating from an important camp in public spaces, and despite efforts to bring specifics out into the open, still it continues to persist. For that reason I'd like to try a new strategy: justify the negativity and give it a face by providing all the fuel it needs to burn. Therefore in this post, in the interests of encouraging honesty, I will critique my own work.
  • The North Star of PyCascades, core Python developer Mariatta Wijaya, receives the 2018 Q3 Community Service Award
    At Montreal PyCon 2015, Guido Van Rossum delivered the closing keynote during which Guido issued a public ask, “I want at least two female Python core developers in the next year ... and I will try to train them myself if that's what it takes. So come talk to me." Consequently, Mariatta did just that, she reached out to Guido after PyCon 2016 to learn more about starting in Python core development. Mariatta recalls, “I hadn’t contributed to open source [yet] and I wanted to know how to start”. Guido recommended some ways for Mariatta to start including reviewing the dev guide, looking at open issues and joining and introducing herself on the Python dev mailing list.
  • Episode #118: Better Python executable management with pipx

NVIDIA: GTX 1660 and Linux

  • NVIDIA have released the 418.43 driver, includes support for the just released GeForce GTX 1660
    Two bits of NVIDIA news for you today, not only have they released a new stable driver, they've also put out their latest GPU with the GTX 1660. First up, the new stable driver 418.43 is out which you can find here. It follows on from the 418.30 beta driver, released last month. The big new feature of the driver is initial support for G-SYNC Compatible monitors! So those of you with a FreeSync monitor should be able to use it (if you weren't already using the beta driver). This new driver also adds in support for the just released GeForce GTX 1660 Ti, the GeForce RTX 2070 with Max-Q Design and the GeForce RTX 2080 with Max-Q Design. There's also NVIDIA optical flow support, NVIDIA Video Codec SDK 9.0, support for stereo presentation in Vulkan and more.
  • NVIDIA 418.43 Stable Linux Driver Released, Includes GTX 1660 Ti Support
    As expected given today's GeForce GTX 1660 Ti launch, NVIDIA has released a new Linux graphics driver supporting the 1660 Ti as well as the RTX 2070 with Max-Q Design and RTX 2080 with Max-Q Design, among other changes. This is actually the first stable release in the NVIDIA 418 series for Linux users and succeeds last month's NVIDIA 418.30 Linux driver beta. Most of the changes in today's NVIDIA 418.43 driver release were previously found in the 418.30 version, just now made official with this stable driver debut plus adding in the NVIDIA GeForce GTX 1660 Ti graphics card support.
  • NVIDIA 390.116 Legacy & 410.104 Long-Lived Linux Drivers Released
    In addition to NVIDIA christening the 418 driver series as stable today with the GeForce GTX 1660 Ti release, they also issued updates for their 390 legacy driver series as well as the 410 long-lived driver release series. The NVIDIA 390.116 driver is out for those still using NVIDIA Fermi graphics cards on Linux. This update is the first in a while and has a number of fixes to the Linux driver: on the FreeBSD side there is now 12.0 support, and there is support for the Linux 5.0 kernel, X.Org Server 1.20 fixes, and other random fixes collected in the past few months. Those using this NVIDIA legacy driver can find out more information via this DevTalk thread.
  • GeForce GTX 1660 Ti Launch Today - Supported By The NVIDIA Linux Driver, No Nouveau Yet
    After weeks of leaks, the GeForce GTX 1660 Ti is expected to be formally announced in just a few hours. This is a ~$300 Turing graphics card but without any ray-tracing support as so far has been common to all Turing graphics cards. The GTX 1600 series family is expected to expand as well in the weeks ahead.

Betty – A Friendly Interface For Your Linux Command Line

All Linux experts might already know this statement, “Command line mode is more powerful than GUI”, but newbies are scared of the CLI. Don’t think that working on the Linux CLI is difficult, as everything is open source nowadays and you can find whatever you want online. If you have any doubt just google it and you will get many suggestions; select the suitable one and move forward. If you are looking for a virtual assistant tool instead of Google, yes, there is a tool available for this, and its name is Betty, which helps you to get the information right from your terminal. Do you want to try? If so, go through the entire article for details.