Security: Updates, CPU Defects, Patches, Entropy and More

Filed under
Security
  • Security updates for Wednesday
  • Linux and Intel slowly hack their way to a Spectre patch

    Spectre and Meltdown are major design flaws in modern CPUs. While they're present in almost all recent processors, because Intel chips are so widely used, Intel is taking most of the heat for these bugs. Nowhere has the criticism been hotter than on the Linux Kernel Mailing List (LKML). That's because unlike Apple and Microsoft operating system developers and OEMs like Dell and HP, Linux programmers do their work in the open. But, when Linux and Intel developers aren't arguing, they are making progress.

  • Meltdown and Spectre - Performance and stability

    There's no perceivable slowness of any kind. So that further helps our experiment, as we have a completely different set of operating systems and kernels to confirm the Windows findings.

  • Randomness in virtual machines

    I always felt that entropy available to the operating system must be affected by running said operating system in a virtual environment – after all, unpredictable phenomena used to feed the entropy pool are commonly based on hardware and in a VM most hardware either is simulated or has the hypervisor mediate access to it. While looking for something tangentially related to the subject, I have recently stumbled upon a paper commissioned by the German Federal Office for Information Security which covers this subject, with particular emphasis on entropy sources used by the standard Linux random-number generator (i.e. what feeds /dev/random and /dev/urandom), in extreme detail:

  • Linus Rants, Cryptojacking Protection, openSUSE and Games

    Linus Torvalds slams Intel's Spectre and Meltdown patches, calling them "COMPLETE and UTTER GARBAGE". See LKML for more.
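The entropy item above raises the practical question a guest administrator actually has: is this VM starved of entropy, and does it have a hypervisor-fed source (virtio-rng) bound to the kernel's hw_random core? The following is an added example, not code from the BSI paper or the Linux random driver. It reads the kernel's own entropy estimate and the bound hwrng driver name; the root path is a parameter so the same checks run against a fixture. The 1000-bit warning threshold is an arbitrary choice for the example, and since the random driver has been reworked since 2018 the estimate should be read as a hint rather than a guarantee.

```shell
#!/bin/sh
# Added example: a quick check of a guest's entropy situation. The root path
# is a parameter (empty = live system) so the functions can be run against a
# test fixture instead of the real /proc and /sys.

ROOT=${ROOT:-}          # empty means the live system

# Current entropy estimate (bits) from the kernel's input pool, or 0 if the
# file is unreadable (non-Linux host, or a restricted container).
entropy_avail() {
    cat "${1:-$ROOT}/proc/sys/kernel/random/entropy_avail" 2>/dev/null || echo 0
}

# Name of the bound hardware RNG driver ("virtio_rng.0" when the hypervisor
# feeds the guest), "none" when hw_random is loaded with no device, or
# "absent" when the interface is not there at all.
hwrng_current() {
    f="${1:-$ROOT}/sys/class/misc/hw_random/rng_current"
    [ -f "$f" ] && cat "$f" || echo absent
}

# Classify the guest: prints starved / no-hwrng / ok and returns non-zero
# unless ok. The 1000-bit threshold is an arbitrary choice for this example
# (the input pool holds 4096 bits); starvation is checked first because a VM
# with neither a source nor a filled pool is the worse case.
entropy_state() {
    root=${1:-$ROOT}
    avail=$(entropy_avail "$root")
    rng=$(hwrng_current "$root")
    if [ "$avail" -lt 1000 ]; then
        echo starved; return 1
    fi
    case "$rng" in
        none|absent) echo no-hwrng; return 2 ;;
    esac
    echo ok
}

printf 'entropy_avail=%s hwrng=%s state=%s\n' \
    "$(entropy_avail)" "$(hwrng_current)" "$(entropy_state || true)"
```

On a KVM guest the fix for "no-hwrng" is usually to add a virtio-rng device on the host side and confirm that rng_current then reads virtio_rng.0; the hwrng core feeds the kernel pool from it.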

Why is cryptocurrency open source? This paper from 1999 explains

Filed under
OSS
Security
Sci/Tech

Cryptocurrency's roots go back further than bitcoin. In fact, bitcoin was just the first cryptocurrency to use the blockchain rather than the first cryptocurrency ever.

Other early cryptocurrencies include now venerable names like World of Warcraft (WoW) gold, a digital currency designed for use as a store of value and a transfer medium in the gaming universe of World of Warcraft. It used a proof-of-work mining algorithm in which users would engage with the WoW ecosystem via their computer's graphical interface and complete various digital tasks to be rewarded with gold.

As the fiat currency value of WoW gold increased, it attracted more miners without any corresponding difficulty adjustment, eventually leading to substantial inflation and a collapsing economy.

Today's cryptocurrencies seem to have learned from the problems of the past. For example, bitcoin and many others will adjust mining difficulty to prevent massive inflation when mining power increases.

It's no surprise that almost everything cryptocurrency, from the coins to the exchanges to the wallets, is built on open-source software. This paper from 1999 might be more relevant than ever, especially with a few wallets and coins still being partly or entirely closed source.

Read more

Security: GCab, Open Source Security Podcast, DDoS, Microsoft Hotmail, Tinder's

Filed under
Security
  • GCab and CVE-2018-5345

    Just before Christmas I found a likely exploitable bug in the libgcab library. Various security teams have been busy with slightly more important issues, and so it’s taken a lot longer than usual to be verified and assigned a CVE. The issue I found was that libgcab attempted to read a large chunk into a small buffer, overwriting lots of interesting things past the end of the buffer. ASLR and SELinux save us in nearly all cases, so it’s not the end of the world. Almost a textbook C buffer overflow (rust, yada, whatever) so it was easy to fix.

  • Open Source Security Podcast: Episode 79 - Skyfall: please don't yell 'fire'
  • Frequency, complexity of DDoS attacks rising: report

    The exploitation of IoT devices and innovation from DDoS attack services are leading to more frequent and complex attacks, according to a newly published infrastructure security report from application and network performance management company Netscout.

  • Hotmail user? You're an insurance risk, says Admiral

    "We found that on comparison website GoCompare, Admiral charged a Hotmail driver £467.04 and a Gmail one £435.68 — £31.36 less," the reporters said.

    Admiral admitted that it does use email domains as one variable in its risk estimation algorithm saying: "Certain domain names are associated with more accidents than others."

  • These Tinder security flaws could let malicious hackers spy on your swipes, photos and matches

    Researchers at Tel Aviv-based security firm Checkmarx found that Tinder's iOS and Android mobile apps still lack the standard HTTPS encryption.

Security Leftovers

Filed under
Security
  • Security updates for Tuesday
  • Initial Retpoline Support Added To LLVM For Spectre v2 Mitigation

    The LLVM code has been merged to mainline for the Retpoline x86 mitigation technique for Spectre Variant 2. This will be back-ported to LLVM 6.0 and also LLVM 5.0 with an immediate point release expected to get this patched compiler out in the wild.

    The compiler-side work -- similar to GCC's Retpoline code -- is to avoid generating code where an indirect branch could have its prediction poisoned by a rogue actor. The Retpoline support uses indirect calls in a non-speculatable way.

  • Teen Hacker Who Social Engineered His Way Into Top-Level US Government Officials' Accounts Pleads Guilty To Ten Charges

    The teenage hacker who tore CIA director John Brennan a new AOL-hole is awaiting sentencing in the UK. Kane Gamble, the apparent founder of hacker collective Crackas With Attitude, was able to access classified documents Brennan had forwarded to his personal email account by posing as a Verizon tech. Social engineering is still the best hacking tool. It's something anyone anywhere can do. If you do it well, a whole host of supposedly-secured information can be had, thanks to multiple entities relying on the same personal identifiers to "verify" the social engineer they're talking to is the person who owns accounts they're granting access to.

    Despite claiming he was motivated by American injustices perpetrated around the world (Palestine is namechecked in the teen's multiple mini-manifestos), a lot of what Gamble participated in was plain, old fashioned harassment.

  • The Guardian view on cyberwar: an urgent problem [Ed: Lists several attacks by Microsoft Windows (but names neither)]

    The first known, and perhaps the most successful of these, was the joint US/Israeli Stuxnet attack on the Iranian nuclear programme in 2009. Since then there has been increasing evidence of attacks of this sort by Russia – against Estonia in 2009, and then against Ukraine, where tens of thousands of attacks on everything from power supplies to voting machines have opened an under-reported front in an under-reported war. Across the Baltic, the Swedish government has just announced a beefed-up programme of civil defence, of which the most substantial part will be an attempt to protect its software and networks from attacks. Meanwhile, North Korean state hackers are blamed by western intelligence services for the WannaCry ransomware attacks which last year shut down several NHS hospitals in the UK. Persistent reports suggest the US has interfered in this way with North Korea’s nuclear missile programme.

  • Reproducible Builds: Weekly report #143
  • Don’t Install Meltdown And Spectre Patches, Intel Warns It Would Increase System Reboots
  • On that Spectre mitigations discussion

    By now, almost everybody has probably seen the press coverage of Linus Torvalds's remarks about one of the patches addressing Spectre variant 2. Less noted, but much more informative, is David Woodhouse's response on why those patches are the way they are.
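The retpoline item above names the compiler-side work but not how to tell, from a build, whether it took effect. The easiest check is to compile one function containing an indirect call and look for the thunk symbol in the assembly. The script below is an added example, not code from LLVM or GCC. It assumes an x86-64 host and relies on the thunk names those compilers emit: GCC (option -mindirect-branch=thunk) calls through __x86_indirect_thunk_<reg>, LLVM/clang (option -mretpoline) through __llvm_retpoline_<reg>. Only the assembly-inspection helper is exercised by the constructed test input; the compile step runs against whatever compilers are present.

```shell
#!/bin/sh
# Added example: confirm that a compiler replaces an indirect call with a
# retpoline thunk. Assumption: x86-64 target; on other targets neither flag
# is accepted and the script reports that.

# Tiny C program with one indirect call through a function pointer,
# constructed for this example; the call through fp is what the thunk must replace.
INDIRECT_CALL_SRC='int (*fp)(int); int call(int x) { return fp(x) + 1; }'

# Print the retpoline flag that compiler $1 accepts, or fail if it has none.
retpoline_flag() {
    for flag in -mindirect-branch=thunk -mretpoline; do
        if printf '%s\n' "$INDIRECT_CALL_SRC" |
           "$1" -x c "$flag" -O2 -c -o /dev/null - 2>/dev/null; then
            echo "$flag"
            return 0
        fi
    done
    return 1
}

# Succeed if the assembly text on stdin references a retpoline thunk instead
# of calling or jumping through the register directly ("call *%rax").
asm_uses_retpoline() {
    grep -Eq '__x86_indirect_thunk_[a-z0-9]+|__llvm_retpoline_[a-z0-9]+'
}

# Compile the sample with $1 and report whether a thunk shows up in the output.
check_compiler() {
    cc=$1
    flag=$(retpoline_flag "$cc") || { echo "$cc: no retpoline option accepted"; return 2; }
    if printf '%s\n' "$INDIRECT_CALL_SRC" | "$cc" -x c "$flag" -O2 -S -o - - 2>/dev/null |
       asm_uses_retpoline; then
        echo "$cc $flag: indirect call routed through a retpoline thunk"
    else
        echo "$cc $flag: flag accepted but no thunk found in the output"
        return 1
    fi
}

failed=0
for cc in ${CC:-cc gcc clang}; do
    command -v "$cc" >/dev/null 2>&1 || continue
    if ! check_compiler "$cc"; then failed=1; fi
done
if [ "$failed" -ne 0 ]; then
    echo "at least one compiler did not produce retpolines" >&2
fi
```

The same grep works on `objdump -d` output of a finished binary, which is the check to run on a kernel module or a package that claims to have been rebuilt with retpolines: thunk names that survive as symbols are the evidence, not the presence of the flag in a build log.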

Tails 3.5 Anonymous OS Released to Mitigate Spectre Vulnerability for AMD CPUs

Filed under
Security
Debian

Tails, the open-source Linux-based operating system designed to protect users' privacy while surfing the Internet, also known as Anonymous OS, was updated today to version 3.5.

Coming only two weeks after the Tails 3.4 release, which included patches for the Meltdown and Spectre security vulnerabilities publicly disclosed earlier this month, today's Tails 3.5 update is here to bump the Linux kernel to version 4.14.13 and include the microcode firmware for AMD CPUs to mitigate the Spectre flaw.

Read more

Security: Intel, Norton, Bug Bounty, Defacements, OnePlus, ICO

Filed under
Security

More on 'Complete and Utter Garbage' From Intel

Filed under
Linux
Security
  • Linux Creator Calls Intel Meltdown, Spectre Patches 'Complete and Utter Garbage'
  • Linux creator slams Intel for crappy Meltdown/Spectre patches

    Intel’s had a (mostly) crappy start to the year, thanks to the revelation of Meltdown and Spectre, two major security flaws affecting a wide range of its processors that are present in hundreds of thousands of devices around the world. It’s working to release fixes for them, but Linux creator Linus Torvalds is not impressed by the company’s efforts.

  • ‘WTF is going on?!’ Linux creator attacks Intel as it retracts ‘garbage’ fix for critical bug

    Patches released by Intel Corp. to fix highly malicious Spectre and Meltdown vulnerabilities affecting its CPUs turned out to be faulty, the company admitted, urging customers to stop installing them until further notice.

    Earlier this month, security researchers at Google Project Zero disclosed that data processed by the majority of modern CPUs, be they desktop computers or smartphones, could be vulnerable to critical exploits they called ‘Spectre’ and ‘Meltdown.’ Tech companies reportedly had months to prepare, and since the public announcement of the vulnerabilities, Intel released at least three patches – before discovering that their fix led some PCs to reboot unexpectedly.

  • Spectre Patches, Snap, Happy Birthday LWN and More

    Are you using protection? Longtime kernel developer, Greg Kroah-Hartman, just posted a simple recipe for users to verify whether they are running a Spectre/Meltdown patched version of the Linux kernel.

  • Intel’s Spectre fixes are ‘complete and utter garbage,’ says Linux inventor

    Linux inventor Linus Torvalds has never been one for diplomacy. He previously said “fuck you” to Nvidia for not supporting Linux, and now Intel has angered him enough to generate some more expletives. In a message to the Linux kernel mailing list on the weekend, Torvalds has expressed his dismay at Intel’s security updates to protect against the major Spectre variant 2 CPU vulnerability. The industry has been scrambling to fix the Meltdown and Spectre vulnerabilities, and the variant 2 of Spectre has been particularly challenging.
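The "Spectre Patches, Snap, Happy Birthday LWN" item above mentions a recipe for checking whether the running kernel is patched. What recent kernels provide for that is a sysfs directory, /sys/devices/system/cpu/vulnerabilities/, with one file per issue (meltdown, spectre_v1, spectre_v2, and more on later kernels) whose contents read either "Vulnerable" or "Mitigation: ...". The script below is an added example, not Greg Kroah-Hartman's own post, that reads those files and turns the result into an exit status; the directory is a parameter so it can be pointed at a fixture or at files copied off another machine.

```shell
#!/bin/sh
# Added example: summarise the per-issue mitigation status files that recent
# Linux kernels export under /sys/devices/system/cpu/vulnerabilities/.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Print "name: status" for every file in the directory; fail with status 2 if
# the directory is absent (a kernel that predates the interface, or non-Linux).
report_mitigations() {
    dir=${1:-$VULN_DIR_DEFAULT}
    [ -d "$dir" ] || { echo "no $dir: kernel predates the sysfs interface" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Print how many entries start with "Vulnerable"; the exit status is 0 only
# when that count is zero, so the function can gate a deployment step.
unmitigated_count() {
    dir=${1:-$VULN_DIR_DEFAULT}
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
    [ "$n" -eq 0 ]
}

# Status line of one named issue ($2, e.g. spectre_v2) in directory $1;
# prints "unknown" when the kernel does not report that issue at all.
mitigation_status() {
    f=${1:-$VULN_DIR_DEFAULT}/$2
    if [ -f "$f" ]; then cat "$f"; else echo unknown; fi
}

if report_mitigations "$VULN_DIR_DEFAULT"; then
    if n=$(unmitigated_count "$VULN_DIR_DEFAULT"); then
        echo "all reported issues mitigated"
    else
        echo "$n issue(s) still reported as Vulnerable"
    fi
fi
```

Two caveats a practitioner will want: a file that is missing (status "unknown") means the kernel does not know about that issue, not that the machine is safe; and "Mitigation: Full generic retpoline" for spectre_v2 only says the kernel was built with retpolines, it says nothing about user-space binaries, which need the compiler check of their own.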

Canonical Releases Spectre Patches for Ubuntu Linux, Meltdown Fix for PowerPC

Filed under
Security
Ubuntu

Canonical published today a new set of kernel updates for all of its supported Ubuntu Linux releases that include patches for the Spectre and Meltdown security vulnerabilities.

After pulling Intel's microcode firmware update from the software repositories of Ubuntu 17.10, 16.04 LTS, and 14.04 LTS, Canonical now released the Spectre patches for all supported Ubuntu Linux releases, including all official flavors and those using HWE (Hardware Enablement) kernels, and Meltdown kernel patches for PowerPC (PPC64el) architectures.

Read more

Also: Canonical announces Ubuntu product month for February

Security: TPM, Yubikey, Holes, Bricking and Uber

Filed under
Security
  • Trusted Computing

    The Trusted Platform Module on your computer's motherboard could lead to better security for your Linux system.

    The security of any operating system (OS) layer depends on the security of every layer below it. If the CPU can't be trusted to execute code correctly, there's no way to run secure software on that CPU. If the bootloader has been tampered with, you cannot trust the kernel that the bootloader boots. Secure Boot allows the firmware to validate a bootloader before executing it, but if the firmware itself has been backdoored, you have no way to verify that Secure Boot functioned correctly.

  • Locking the screen when removing a Yubikey

    I have my Yubikey on my key ring, so whenever I leave my computer, I have to remove the Yubikey. So why not lock the screen automatically?

  • Corporate cultural issues hold back secure software development

    The study of over 1,200 IT leaders, conducted by analysts Freeform Dynamics for software company CA Technologies, finds 58 percent of respondents cite existing culture and lack of skills as hurdles to being able to embed security within processes.

  • Stop installing our buggy Spectre CPU firmware fixes, Intel says
  • Uber shrugs off flaw that lets hackers bypass two-factor authentication

    Security researcher Karan Saini found the bug in Uber's two-factor authentication process, which has yet to be rolled out widely to Uber users. The flaw relates to the way an account is authenticated when users log in, meaning hackers [sic] with someone's username and password can drift past the 2FA with ease.
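The Yubikey item above describes the goal (lock the screen when the key is pulled) without the mechanism. On a systemd-based desktop the usual mechanism is a udev rule that matches the USB remove event for Yubico's vendor ID and asks logind to lock every session. The script below is an added example, not the post author's script. It assumes systemd-logind (so `loginctl lock-sessions` exists and, run from udev, executes as root), Yubico's USB vendor ID 1050, which all YubiKey models share, and a session that honours logind's Lock signal (GNOME does; for others replace the RUN program with your own locker, remembering that it runs as root with no DISPLAY and must find the user's session itself). The rules directory is a parameter so the generator can be tested without writing to /etc.

```shell
#!/bin/sh
# Added example: lock all logind sessions when a YubiKey is unplugged.
# Assumptions: systemd-logind, Yubico vendor ID 1050, and a desktop that
# handles logind's Lock signal.

YUBICO_VENDOR_ID=1050
RULE_FILE_NAME=85-yubikey-lock.rules

# Emit the udev rule. ENV{ID_VENDOR_ID} is still available on "remove"
# events because udev keeps the properties it recorded at "add" time in its
# database; sysfs attributes, by contrast, are already gone at that point.
yubikey_lock_rule() {
    printf 'ACTION=="remove", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="%s", RUN+="/usr/bin/loginctl lock-sessions"\n' \
        "$YUBICO_VENDOR_ID"
}

# Write the rule into directory $1 (default /etc/udev/rules.d) and print the
# resulting path; fail if the directory does not exist.
install_yubikey_rule() {
    dir=${1:-/etc/udev/rules.d}
    [ -d "$dir" ] || return 1
    yubikey_lock_rule > "$dir/$RULE_FILE_NAME" || return 1
    echo "$dir/$RULE_FILE_NAME"
}

# Sanity check on a rule line: does it match removal of a device with
# this vendor ID? (An "add" rule would lock the screen on insertion instead.)
rule_matches_removal() {
    printf '%s\n' "$1" | grep -q 'ACTION=="remove"' &&
    printf '%s\n' "$1" | grep -q "ENV{ID_VENDOR_ID}==\"$YUBICO_VENDOR_ID\""
}

# Usage as root: install_yubikey_rule && udevadm control --reload
# To see the event and confirm ID_VENDOR_ID is present on removal, run
# `udevadm monitor --property` and unplug the key.
yubikey_lock_rule
```

Both the usb_device and its interface emit a remove event, so the locker may be invoked twice; `loginctl lock-sessions` is idempotent, so that is harmless, but a custom locker should be too. Note also what this does not do: it only locks on removal, so a laptop walked off with the key still inserted is not protected by it.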

Security: Gmail, Windows, Allscripts, Android and Browsers

Filed under
Security

More in Tux Machines

Debian and Derivatives: Debian Installer Buster Alpha 3, Freexian, GSoC, DebCamp18, Linux Mint

  • Debian Installer Buster Alpha 3 release
    The Debian Installer team[1] is pleased to announce the third alpha release of the installer for Debian 10 "Buster".
  • Debian Installer Buster Alpha 3 Released
    The third alpha release of the Debian Installer to be used by Debian 10 "Buster" is now available for testing. There are many changes to this updated Debian Installer with the last alpha release being from last December. This newest Debian Installer for Buster now uses Cryptsetup 2.0, updates to the Linux 4.16 kernel (rather than 4.13), locale choosing improvements, various flash-kernel updates, debootstrap improvements, and other changes.
  • Freexian’s report about Debian Long Term Support, May 2018
  • GSoC Status Update - First Month
    In the past month I have been working on my GSoC project in Debian’s Distro Tracker. This project aims at designing and implementing new features in Distro Tracker to better support Debian teams to track the health of their packages and to prioritize their work efforts. In this post, I will describe the current status of my contributions, highlight the main challenges, and point the next steps.
  • I'm going to DebCamp18, Hsinchu, Taiwan
  • [Older] Linux Mint vs Ubuntu
    There probably aren't two Linux distributions more closely related than Ubuntu and Linux Mint. Actually, the two are so close to one another, there's serious debate about whether or not they are the same distribution. Linux Mint takes Ubuntu and adds some extra polish to it. Mint has a different default configuration, some additional packages, and its own desktop environments. Otherwise, it's the same distribution as Ubuntu.

OSS Leftovers

  • Sculpt for The Curious
    Sculpt for The Curious is the second development stage of the Genode-based general-purpose OS used at Genode Labs. Compared to the initial version, which was targeted at early adopters only, the new version invites a broader user base to explore the system. It comes in the form of a ready-to-use disk image for a bootable USB thumb drive.
  • Genode-Based Sculpt OS Now Available With Easy-To-Use Disk Image
    Sculpt OS is striving to become a general purpose operating system built off the Genode OS framework. The second release of Sculpt OS is now available and it's much easier now to try out. Sculpt OS relies upon Genode's micro-kernel architecture, sandboxed drivers, and other modern approaches for providing a unique OS on commodity PC hardware.
  • Bitfi and McAfee Announce First Truly Unhackable and Open Source Crypto Wallet
    Bitfi, a global payments technology company working to enable businesses and consumers to participate in the digital currency economy, today announced Bitfi Wallet – the first unhackable, open source hardware wallet with an accompanying dashboard that features wireless setup and support for many popular cryptocurrencies and crypto assets, including Monero, a fully decentralized private cryptocurrency that has previously never had a hardware wallet solution.
  • Call for Code is open and organizations are lining up to join the cause
    Today is the first official day of Call for Code, an annual global initiative from creator David Clark Cause, with IBM proudly serving as Founding Partner. Call for Code aims to unleash the collective power of the global open source developer community against the growing threat of natural disasters. Even as we prepare to accept submissions from technology teams around the world, the response from the technology community has been overwhelming and today I am thrilled to announce two new partners joining the cause.
  • Getting started with Open edX to host your course
    Now in its seventh major release, the Open edX platform is a free and open source course management system that is used all over the world to host Massive Open Online Courses (MOOCs) as well as smaller classes and training modules. To date, Open edX software has powered more than 8,000 original courses and 50 million course enrollments. You can install the platform yourself with on-premise equipment or by leveraging any of the industry-leading cloud infrastructure services providers, but it is also increasingly being made available in a Software-as-a-Service (SaaS) model from several of the project’s growing list of service providers. The Open edX platform is used by many of the world’s premier educational institutions as well as private sector companies, public sector institutions, NGOs, non-profits, and educational technology startups, and the project’s global community of service providers continues to make the platform accessible to ever-smaller organizations. If you plan to create and offer educational content to a broad audience, you should consider using the Open edX platform.
  • Friday Free Software Directory IRC meetup time: June 22nd starting at 12:00 p.m. EDT/16:00 UTC
  • Xapian Joins Conservancy as a Member Project
    Software Freedom Conservancy proudly welcomes Xapian as Conservancy's newest member project. Xapian is a probabilistic information retrieval library that allows developers to add advanced indexing and search facilities to their own applications. Conservancy, a public charity focused on ethical technology, is the home of over forty member projects dedicated to developing free and open source software. Conservancy acts as a corporate umbrella, allowing member projects to operate as charitable initiatives without having to independently manage their own corporate structure and administrative services. "We've spent the past 18 years at Xapian developing a technologically mature software package," said Olly Betts, Xapian's Project Lead. "We're excited about how Conservancy can help us extend that maturity to our project governance."
  • Python and Bash - Contenders for the most used scripting language
    Packt Publishing, publisher of software learning resources, has revealed the results of its 2018 Skill Up survey in a new report. From what programming languages, frameworks, and libraries are most used, to job satisfaction, attitudes to management and what it’s like to work in the software industry today, the report offers a snapshot of what matters to software developers in 2018.

What Is the Intersection of OpenStack and Kubernetes?

Lew Tucker is a busy man. Aside from his day job as VP and CTO for Cloud Computing at Cisco, Tucker also sits on the board of directors at both the OpenStack Foundation and the Cloud Native Computing Foundation, giving him a unique perspective on both organizations. Some in the industry have positioned Kubernetes as a competitive replacement for OpenStack, but that's not what Tucker sees. In a video interview, Tucker explains where the intersection currently exists between OpenStack and Kubernetes and why he expects both to be successful. Read more

Graphics: Vulkan, AMDGPU, Wayland

  • Vulkan Display Extensions To Be Used By SteamVR Merged Into Mesa RADV/ANV
    Keith Packard's long in development work for improving the Linux display stack infrastructure for better dealing with VR head-mounted displays is about rounded out with the new Vulkan extension support being merged into Mesa. Just over a year ago famed X developer Keith Packard started contract work for Valve to improve the plumbing around the Linux/X.Org support for virtual reality HMDs for better performance and better integration. Within the Linux kernel and the X.Org Server he's worked and landed the DRM leasing support of outputs to let a VR compositor (Steam VR) have direct access to the output, "non-desktop" quirk handling so VR HMDs don't become mapped as part of a standard Linux desktop, and related work.
  • A Slew Of AMDGPU DC Updates Published, Further Improvements For Raven Ridge
    There hasn't been a new AMDGPU DC code drop in a while as AMD developers work to improve their internal processes, but hitting the wire today is a set of 51 new patches for this "display code" stack that work on a variety of improvements.
  • Sway 1.0 Wayland Compositor Nears With Floating Windows, Tablet Support & More
    The release of the Sway 1.0 Wayland compositor is inching closer with the recent third alpha release. Sway for the uninformed is a very promising i3-compatible Wayland compositor. Earlier this month Sway 1.0 Alpha 3 was released to succeed the second alpha release from the month prior. Sway 1.0 is succeeding the Sway 0.15 changes with a great deal of improvements. Most notably with the 1.0 series is now requiring the WLROOTS modular Wayland compositor library.