
Security

Security: Chrome and 'Cyber Attack' Shutting Pipeline Data System ('Windows Shop' Apparently)

Filed under
Security

A radical proposal to keep your personal data safe - by Richard Stallman

Filed under
GNU
Security

To restore privacy, we must stop surveillance before it even asks for consent.

Finally, don’t forget the software in your own computer. If it is the non-free software of Apple, Google or Microsoft, it spies on you regularly. That’s because it is controlled by a company that won’t hesitate to spy on you. Companies tend to lose their scruples when that is profitable. By contrast, free (libre) software is controlled by its users. That user community keeps the software honest.

Read more

Political Security Inquiry Regarding GNU/Linux and Free Software

Filed under
Linux
Security
  • Republicans seek information on open source security, stability

    Republican members of the US Government's Committee on Energy and Commerce have sought information from the Linux Foundation on the open source software that is most critical to global information infrastructure and the sustainability and stability of the open source software ecosystem.

    Greg Walden, the chairman, and Gregg Harper, chairman of the sub-committee on oversight and investigations, wrote to Linux Foundation chief executive Jim Zemlin on Monday, saying they were seeking the information to gain a deeper understanding of the open source software ecosystem.

  • Lawmakers press Linux on security of open-source software

    The Republicans asked Linux executive director Jim Zemlin whether the foundation has studied which pieces of open-source software are “most critical” to global computer networks and whether it compiled statistics on the usage of open-source software.

  • Lawmakers Seek Input On Addressing Open-Source Software Vulnerabilities

Security: Updates and Drupal's Patch

Filed under
Security
  • Security updates for Monday
  • ‘Highly critical’ CMS bug has left over 1 million sites open to attack [Ed: Scary headline. But having spent hours dealing with this (two of my sites, also some stuff at work), I have heard of nobody that actually got cracked (so far). Nobody.]

    Drupal has marked the security risk as “highly critical” and warns that any visitor to the site could theoretically hack it through remote code execution due to a missing input validation.

  • SD Times news digest: Cloudflare 1.1.1.1, Drupal security vulnerability, and Linux 4.16

    Drupal reveals a security vulnerability within Drupal 7 and 8

    Drupal has announced that there is a vulnerability within Drupal 7.x and 8.x that could allow attackers to exploit attack vectors on Drupal sites, which would leave those sites vulnerable. Drupal is an open source solution for building websites and solutions.

    The company has issued a fix, which can be obtained by installing the most recent version of Drupal 7 or 8 core.

    In addition, the company is releasing updates for Drupal 8.3.x and 8.4.x, even though those releases are no longer supported. The company has also stated that the vulnerability affects Drupal 6, which is at End of Life anyway.

    Linux 4.16 is released

    Linus Torvalds has announced the release of Linux 4.16. He claims that this release looks very similar to rc7 due to the fact that half of it is networking. Other new additions in this release are arch fixlets, driver fixes, and updates to documentation. A complete list of new features can be found here.

Security: CopperheadOS, remctl, and Open Source Security Podcast

Filed under
Security
  • Further securing devices running CopperheadOS by using separate Encryption/Lockscreen passphrases

    If you value “vendor-based” security more than freedom, you may consider CopperheadOS a viable alternative to the free but rather insecure Replicant (it requires an unlocked bootloader and is way behind in terms of security patches atm). Personally, I find neither Replicant nor CopperheadOS a perfectly satisfying option, but they are the very best you can have at the moment. In the future, I hope that (1) more devices will be supported by non-Android-based alternatives like postmarketOS and (2) devices which require fewer blobs such as the Librem 5 (I highly doubt that it will run completely without blobs) will become available.

  • remctl 3.14

    remctl is a client/server protocol supporting remote execution of specific configured commands using GSS-API or ssh for authentication and encryption.

    This is a minimal release that fixes a security bug introduced in 3.12, discovered by Santosh Ananthakrishnan. A remctl client with the ability to run a server command with the sudo configuration option may be able to corrupt the configuration of remctld to run arbitrary commands, although I believe this would be moderately difficult to do. Only remctld (not remctl-shell) is vulnerable, and only if there are commands using the sudo configuration option.

  • Open Source Security Podcast: Episode 90 - Humans and misinformation

Intel's Microcode Update for Spectre Makes a Comeback in Ubuntu's Repositories

Filed under
Security
Ubuntu

After it was pulled from Ubuntu's repositories in late January at Intel's request, following serious hardware issues reported by numerous users, Intel's microcode update to mitigate the Spectre security vulnerability makes a comeback.

On January 22, 2018, Canonical replaced the Intel microcode firmware versioned 20180108 with the older 20170707 release at Intel's request, thus no longer protecting users' computers against the Spectre security vulnerability that could allow a local attacker to expose sensitive information from kernel memory.

"Jann Horn discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via side-channel attacks. This flaw is known as Spectre. A local attacker could use this to expose sensitive information, including kernel memory (CVE-2017-5715)," reads the security advisory.

Read more
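Whether the restored microcode actually took effect is something each admin can verify locally. The following script is an added example, not part of the article, Canonical's advisory or Intel's release: it classifies the Spectre v2 (CVE-2017-5715) status string that Linux 4.15 and later export under /sys/devices/system/cpu/vulnerabilities/ and pulls the loaded microcode revision out of /proc/cpuinfo. The SAMPLE_* strings are constructed so the functions can be exercised offline; the sysfs path, the "microcode" and "bugs" fields and the dpkg/dmesg commands in the comments are real Linux and Ubuntu interfaces.

```shell
#!/bin/sh
# Added example (not from the article, Canonical or Intel): report whether this
# Linux host runs a Spectre v2 (CVE-2017-5715) mitigation and which microcode
# revision the CPU has loaded. Linux 4.15+ exports the mitigation state under
# /sys/devices/system/cpu/vulnerabilities/; /proc/cpuinfo carries the revision.
# The SAMPLE_* values below are constructed for offline use.

SAMPLE_SPECTRE_V2_MITIGATED='Mitigation: Full generic retpoline, IBPB'
SAMPLE_SPECTRE_V2_VULNERABLE='Vulnerable: Minimal generic ASM retpoline'
SAMPLE_CPUINFO='processor	: 0
vendor_id	: GenuineIntel
model name	: Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz
microcode	: 0xc2
bugs		: cpu_meltdown spectre_v1 spectre_v2'

# classify_spectre_v2 SYSFS_LINE -> prints mitigated | vulnerable | unaffected | unknown
classify_spectre_v2() {
    case "$1" in
        Mitigation:*)   echo mitigated ;;
        Vulnerable*)    echo vulnerable ;;
        'Not affected') echo unaffected ;;
        *)              echo unknown ;;
    esac
}

# microcode_revision CPUINFO_TEXT -> prints the "microcode" field of the first CPU
microcode_revision() {
    printf '%s\n' "$1" | awk -F': *' '/^microcode/ { print $2; exit }'
}

# cpu_has_bug CPUINFO_TEXT BUG -> exit 0 if BUG appears in the kernel's "bugs" field
cpu_has_bug() {
    printf '%s\n' "$1" | awk -v bug="$2" -F': *' '
        /^bugs/ { n = split($2, a, " "); for (i = 1; i <= n; i++) if (a[i] == bug) found = 1 }
        END { exit found ? 0 : 1 }'
}

# host_report: run the same checks against the live system. Falls back to
# "unknown" when the sysfs file is absent (kernel older than 4.15, or not Linux).
host_report() {
    sysfs=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    status=unknown
    if [ -r "$sysfs" ]; then status=$(cat "$sysfs"); fi
    cpuinfo=$(cat /proc/cpuinfo 2>/dev/null || true)
    echo "spectre_v2: $status -> $(classify_spectre_v2 "$status")"
    echo "microcode:  $(microcode_revision "$cpuinfo")"
    if cpu_has_bug "$cpuinfo" spectre_v2; then
        echo "kernel lists this CPU as affected by spectre_v2"
    fi
    # On Ubuntu, compare the loaded revision with what the package shipped:
    #   dpkg -l intel-microcode ; dmesg | grep -i microcode
}

host_report
```

A revision string from /proc/cpuinfo alone does not tell you the CPU is protected: the kernel's sysfs line is the authoritative summary, and it can say "Mitigation:" only when both the microcode features and the kernel-side code (retpoline, IBPB) are in place.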

Also: Finally extradited from Europe, suspected LinkedIn [cracker] faces US charges

Security: NoScript, Georgia and CFAA, FUD, and MyFitnessPal 'Cloud' Breach

Filed under
Security
  • Firefox 57-59 & Noscript 10 usage guide - 2nd edition

    Noscript is maturing nicely. It is not the all-can-do tool that we had in Firefox before the 57th release, but it is adequate and suitable for most people, and it provides the necessary protection, and more importantly, the necessary quiet you want when browsing the net. Silent, static pages so you can focus on reading and not having your senses assailed any which Web 2.0 or Web 3.0 way. But I guess most people will focus on the security side of things.

    I am using the addon across multiple profiles and systems, and I have not observed any big breakages or bugs. Occasional tiny issues crop up here and there, and then vanish a day later. The one that I do remember was a temporary issue with XSS for a brief while, but other than that, it seems to work in a very similar fashion to the old Noscript. Performance is also comparable. And then, there's still more room for improvements and new stuff, which I'm sure will be coming. Hopefully, this was a pleasant read. Take care.

  • Georgia Passes Anti-Infosec Legislation

    Despite the full-throated objections of the cybersecurity community, the Georgia legislature has passed a bill that would open independent researchers who identify vulnerabilities in computer systems to prosecution and up to a year in jail.

    EFF calls upon Georgia Gov. Nathan Deal to veto S.B. 315 as soon as it lands on his desk.

    For months, advocates such as Electronic Frontiers Georgia have descended on the state Capitol to oppose S.B. 315, which would create a new crime of “unauthorized access” to computer systems. While lawmakers did make a major concession by exempting terms of service violations under the measure—an exception we’ve been asking Congress for years to carve out of the federal Computer Fraud & Abuse Act (CFAA)—the bill still falls short of ensuring that researchers aren’t targeted by overzealous prosecutors. This has too often been the case under CFAA.

  • Newly Found Malware Deliberately Avoids Government Networks [Ed: So-called 'Malware'. Basically just someone running a script to scan for machines with an open SSH port and truly shitty (if not still-default) password. It is not hard to understand why crackers typically try not to touch government IPs. Governments don't care about cracking (they do it themselves) unless the cracks affect government and immunity/impunity is available only for other "state actors" (crackers taxpayers pay for). Systemic hypocrisy.]
  • Your MyFitnessPal Account Was Almost Certainly Hacked, Change Your Password Now

    If you’re one of the millions of the 150 million MyFitnessPal users, bad news: hackers have your email address, your user name, and your hashed password.

  • MyFitnessPal data breach affects 150 million users, Including fitness wearables

    Digital data thefts are on the rise and sports apparel merchant Under Armour has become the latest victim of the crime. The Baltimore (USA) based company has disclosed that there was a massive data breach into its food and nutrition app and website, MyFitnessPal, system earlier this year. An unauthorized party gained access to the system and was able to acquire data of about 150 million users.
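The "malware" item above describes the oldest pattern in the book: sweep for an open SSH port and try default or weak passwords. The script below is an added example, not from any of the articles quoted in this section, that audits an sshd_config for the three settings that make that sweep pay off. It honours two sshd rules that naive grep checks get wrong: the first occurrence of a keyword wins, and everything after a Match line is conditional. Assumed defaults for absent keywords are OpenSSH's documented ones (PasswordAuthentication yes, PermitEmptyPasswords no, PermitRootLogin prohibit-password since OpenSSH 7.0); the two sample configs are constructed, and the "Keyword value" form with whitespace is assumed (the rarer "Keyword=value" form is not parsed).

```shell
#!/bin/sh
# Added example (not from any article quoted above): audit an sshd_config for
# settings that turn an exposed port 22 into a password-guessing target.
# sshd applies the FIRST occurrence of a keyword; lines after "Match" are
# conditional, so scanning stops there. Defaults for absent keywords follow
# OpenSSH: PasswordAuthentication yes, PermitEmptyPasswords no,
# PermitRootLogin prohibit-password (7.0+). Sample configs are constructed.

WEAK_SSHD_CONFIG='# constructed: typical out-of-the-box exposure
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes'

HARDENED_SSHD_CONFIG='# constructed: key-only logins, passwords for one account only
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication yes'

# sshd_setting CONFIG_TEXT KEYWORD -> prints the effective global value (lower-cased)
# of KEYWORD, or nothing if it is not set before the first Match block.
# Keywords are case-insensitive; assumes the "Keyword value" whitespace form.
sshd_setting() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { k = tolower($1) }
        k == "match" { exit }
        k == key     { print tolower($2); exit }'
}

# audit_sshd_config CONFIG_TEXT -> prints one finding per line; nothing if clean.
audit_sshd_config() {
    cfg=$1
    pa=$(sshd_setting "$cfg" PasswordAuthentication); : "${pa:=yes}"
    pe=$(sshd_setting "$cfg" PermitEmptyPasswords);   : "${pe:=no}"
    pr=$(sshd_setting "$cfg" PermitRootLogin);        : "${pr:=prohibit-password}"
    if [ "$pa" = yes ]; then
        echo "PasswordAuthentication yes: online guessing possible; use keys and set it to no"
    fi
    if [ "$pe" = yes ]; then
        echo "PermitEmptyPasswords yes: accounts with empty passwords can log in"
    fi
    if [ "$pr" = yes ]; then
        echo "PermitRootLogin yes: root is a known username; set no or prohibit-password"
    fi
    return 0
}

# finding_count CONFIG_TEXT -> number of findings
finding_count() {
    audit_sshd_config "$1" | awk 'END { print NR }'
}

# Run against the live config when it is readable (usually needs root).
if [ -r /etc/ssh/sshd_config ]; then
    audit_sshd_config "$(cat /etc/ssh/sshd_config)"
fi
```

Note that an empty config is not clean: with nothing set, PasswordAuthentication defaults to yes and the audit reports it, which is exactly the state the scanners in that item are looking for.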

Security: Updates and Kaspersky

Filed under
Security

pfSense 2.4.3-RELEASE now available

Filed under
Security
BSD

We are excited to announce the release of pfSense® software version 2.4.3, now available for new installations and upgrades!

pfSense software version 2.4.3 brings security patches, several new features, support for new Netgate hardware models, and stability fixes for issues present in previous pfSense 2.4.x branch releases.

Read more

Kaspersky Lab researchers put KLara into open source domain

Filed under
OSS
Security

Further technical and API details can be found on Securelist. The software is open-sourced under GNU General Public License v3.0 and available with no warranty from the developers.

Kaspersky Lab's GitHub account also includes another tool, created and shared by Kaspersky Lab researchers in 2017. Named BitScout, it was created by principal security researcher, Vitaly Kamluk, and can remotely collect vital forensic data such as malware samples without risk of contamination or loss. Further information on BitScout can be found here.

Read more

More in Tux Machines

today's leftovers

  • CRI: The Second Boom of Container Runtimes
    Harry (Lei) Zhang, together with the CTO of HyperHQ, Xu Wang, will present “CRI: The Second Boom of Container Runtimes” at KubeCon + CloudNativeCon EU 2018, May 2-4 in Copenhagen, Denmark. The presentation will clarify more about CRI, container runtimes, KataContainers and where they are going. Please join them if you are interested in learning more.
  • Meet Gloo, the ‘Function Gateway’ That Unifies Legacy APIs, Microservices, and Serverless
    Gloo, a single binary file written in Go, can be deployed as a Kubernetes pod, in a Docker container, and now also on Cloud Foundry. The setup also requires a copy of Envoy, though the installation process can be greatly simplified through additional software developed by the company, TheTool. The user then writes configuration objects to capture the workflow logic.
  • Why is the kernel community replacing iptables with BPF?

    The Linux kernel community recently announced bpfilter, which will replace the long-standing in-kernel implementation of iptables with high-performance network filtering powered by Linux BPF, all while guaranteeing a non-disruptive transition for Linux users.

  • The developer of Helium Rain gave an update on their sales, low overall sales but a high Linux percentage
    Helium Rain [Steam, Official Site], the gorgeous space sim from Deimos Games, is really quite good, so it's a shame they've seen such low overall sales. In total, they've had around 14,000€ (~$17,000) in sales, which is not a lot for a game at all. The good news is that out of the two thousand copies they say they've sold, a huge 14% of them have come from Linux. It's worth noting that that number has actually gone up since we last spoke to them, when they gave us a figure of 11% sales on Linux.
  • Want to try Wild Terra Online? We have another load of keys to give away (update: all gone)
    Wild Terra Online [Steam], the MMO from Juvty Worlds has a small but dedicated following, now is your chance to see if it's for you.
  • Arch Linux Finally Rolling Out Glibc 2.27
    Arch Linux is finally transitioning to glibc 2.27, which may make for a faster system. Glibc 2.27 was released at the start of February. This updated GNU C Library shipped with many performance optimizations particularly for Intel/x86_64 but also some ARM tuning and more. Glibc 2.27 also has memory protection keys support and other feature additions, but the performance potential has been most interesting to us.
  • Installed nvidia driver
  • Stephen Smoogen: Fedora Infrastructure Hackathon (day 1-5)
  • Design and Web team summary – 20 April 2018
    The team manages all web projects across Canonical. From www.ubuntu.com to the Juju GUI we help to bring beauty and consistency to all the web projects.
  • Costales: UbuCon Europe 2018 | 1 Week to go!!
    We'll have an awesome weekend of conferences (with 4 parallel talks), podcasts, stands, social events... Most of them are in English, but there will be in Spanish & Asturian too.
  • Tough, modular embedded PCs start at $875
    Advantech has launched two rugged, Linux-ready embedded DIN-rail computers with Intel Bay Trail SoCs and iDoor expansion: an “UNO-1372G-E” with 3x GbE ports and a smaller UNO-1372G-J with only 2x GbE, but with more serial and USB ports.

OSS Leftovers

  • IRS Website Crash Reminder of HealthCare.gov Debacle as OMB Pushes Open Source
    OMB is increasingly pushing agencies to adopt open source solutions, and in 2016 launched a pilot project requiring at least 20 percent of custom developed code to be released as open source – partly to strengthen and help maintain it by tapping a community of developers. OMB memo M-16-21 further asks agencies to make any code they develop available throughout the federal government in order to encourage its reuse. “Open source solutions give agencies access to a broad community of developers and the latest advancements in technology, which can help alleviate the issues of stagnated or out-dated systems while increasing flexibility as agency missions evolve over time,” says Henry Sowell, chief information security officer at Hortonworks Federal. “Enterprise open source also allows government agencies to reduce the risk of vendor lock-in and the vulnerabilities of un-supported software,” he adds.
  • Migrations: the sole scalable fix to tech debt.

    Migrations are both essential and frustratingly frequent as your codebase ages and your business grows: most tools and processes only support about one order of magnitude of growth before becoming ineffective, so rapid growth makes them a way of life. This isn't because they're bad processes or poor tools, quite the opposite: the fact that something stops working at significantly increased scale is a sign that it was designed appropriately to the previous constraints rather than being over designed.

  • Gui development is broken

    Why is this so hard? I just want low-level access to write a simple graphical interface in a somewhat obscure language.

OpenBSD and NetBSD

Security: Twitter and Facebook

  • Twitter banned Kaspersky Lab from advertising in Jan

    Twitter has banned advertising from Russian security vendor Kaspersky Lab since January, the head of the firm, Eugene Kaspersky, has disclosed.

  • When you go to a security conference, and its mobile app leaks your data

    A mobile application built by a third party for the RSA security conference in San Francisco this week was found to have a few security issues of its own—including hard-coded security keys and passwords that allowed a researcher to extract the conference's attendee list. The conference organizers acknowledged the vulnerability on Twitter, but they say that only the first and last names of 114 attendees were exposed.

  • The Security Risks of Logging in With Facebook

    In a yet-to-be peer-reviewed study published on Freedom To Tinker, a site hosted by Princeton's Center for Information Technology Policy, three researchers document how third-party tracking scripts have the capability to scoop up information from Facebook's login API without users knowing. The tracking scripts documented by Steven Englehardt, Gunes Acar, and Arvind Narayanan represent a small slice of the invisible tracking ecosystem that follows users around the web largely without their knowledge.

  • Facebook Login data hijacked by hidden JavaScript trackers

    If you login to websites through Facebook, we've got some bad news: hidden trackers can suck up more of your data than you'd intended to give away, potentially opening it up to abuse.