Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security

Security News

Filed under
Security

Canonical Releases Massive Mir 0.24.0 Display Server Update for Ubuntu Linux OS

Filed under
Security
Ubuntu

Canonical has pushed a new massive update (version 0.24.0) of the Mir display server used to power the Unity 8 user interface of the next-generation Ubuntu Linux operating system.

Read more

Security Leftovers

Filed under
Security

Security News

Filed under
Security

GitLab Features Expansion

Filed under
Development
Security

Security Leftovers

Filed under
Security

Security News

Filed under
Security
  • Security and reproducible-build progress in Guix 0.11

    The GNU Guix package-manager project recently released version 0.11, bringing with it support for several hundred new packages, a range of new tools, and some significant progress toward making an entire operating system (OS) installable using reproducible builds.

    Guix is a "functional" package manager, built on many of the same ideas found in the Nix package manager. As the Nix site explains it, the functional paradigm means that packages are treated like values in a functional programming language—Haskell in Nix's case, Scheme in Guix's. The functions that build and install packages do so without side effects, so the system can easily offer nice features like atomic transactions, rollbacks, and the ability for individual users to build and install separate copies of a package without fear that they will interfere. Part of making such a system reliable is to ensure that builds are "reproducible"—meaning that two corresponding copies of a binary built on different systems at different times will be bit-for-bit identical.

  • VeraCrypt Audit Under Way; Email Mystery Cleared Up

    To say the VeraCrypt audit, which begins today, got off to an inauspicious start would be an understatement.

    On Sunday, two weeks after the announcement that the open source file and disk encryption software would be formally scrutinized for security vulnerabilities, executives at one of the firms funding the audit posted a notice that four emails between the parties involved had been intercepted.

  • Cryptocurrency Mining Virus Targets Linux Machines
  • Why The Windows Secure Boot Hack Is a Good Thing

    Most coverage of the subject has been written in that panicky, alarmist prose that makes for exciting news, but the problem is that the invalidation of Secure Boot is a very positive development for everyone concerned, except for Microsoft. Yes, it shows why backdoors for “the good guys” are a terrible idea — yes, it even has far-reaching implications for every piece of computing technology using the UEFI standard. However, I maintain that it will have a positive influence on the direction of security and tech standards moving forward.

Security Leftovers

Filed under
Security

Security News

Filed under
Security
  • Friday's security updates
  • Thursday's security advisories
  • Microsoft Windows UAC can be bypassed for untraceable hacks

    USER ACCOUNT Control (UAC), the thing in Microsoft Windows that creates extra menus you wish would just sod off, can be bypassed, allowing hackers to gain registry access.

    Security researcher Matt Nelson has discovered that the flaw allows someone to start PowerShell, access the registry and then leave no trace.

    The workaround/feature/bug/massive security hole works on any version of Windows with UAC, which was introduced in Windows Vista and later softened in Windows 7 as it proved such a spectacular pain in the Vista.

    The technique uses no files, no injections and leaves no trace. It's just pure direct access via a vulnerability. You could go off and do it to someone now.

    Don't do that, though.

  • all that’s not golden

    Several stories and events recently that in some way relate to backdoors and golden keys and security. Or do they? In a couple cases, I think some of the facts were slightly colored to make for a more exciting narrative. Having decided that golden keys are shitty, that doesn’t imply that all that’s shit is golden. A few different perspectives here, because I think some of the initial hoopla obscured some lessons that even people who don’t like backdoors can learn from.

    Secure Boot

    Microsoft added a feature to Secure Boot, accidentally creating a bypass for older versions. A sweet demo scene release (plain text) compares this incident to the FBI’s requested golden keys. Fortunately, our good friends over at the Register dug into this claim and explained some of the nuance in their article, Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea. Ha, ha, I kid.

    Matthew Garrett also has some notes on Microsoft’s compromised Secure Boot implementation. He’s purportedly a Linux developer, but he doesn’t once in this post call Windows a steaming pile, so he’s probably a Microsoft shill in disguise.

    Returning to the big question, What does the MS Secure Boot Issue teach us about key escrow? Maybe not a whole lot. Some questions to consider are how thoroughly MS tried to guard the key and whether they actually lost the key or just signed the wrong thing.

    Relevant to the crypto backdoor discussion, are the actions taken here the same? In a key escrow scheme, are iPhones sending encrypted data to the FBI or is the FBI sending encrypted messages to iPhones? The direction of information flow probably has a profound effect on the chances of the wrong thing leaking out. Not to say I want anything flowing in either direction, but it does affect how analogous the situations are.

    A perhaps more important lesson, for all security or crypto practitioners, is just barely hinted at in mjg59’s post. Microsoft created a new message format, but signed it with a key trusted by systems that did not understand this format. Misinterpretation of data formats results in many vulnerabilities. Whenever it’s possible that a message may be incorrectly handled by existing systems, it’s vital to roll keys to prevent misinterpretation.

  • Security against Election Hacking – Part 1: Software Independence

    So the good news is: our election system has many checks and balances so we don’t have to trust the hackable computers to tell us who won. The biggest weaknesses are DRE paperless touchscreen voting machines used in a few states, which are completely unacceptable; and possible problems with electronic pollbooks.

    In this article I’ve discussed paper trails: pollbooks, paper ballots, and per-precinct result printouts. Election officials must work hard to assure the security of the paper trail: chain of custody of ballot boxes once the polls close, for example. And they must use the paper trails to audit the election, to protect against hacked computers (and other kinds of fraud, bugs, and accidental mistakes). Many states have laws requiring (for example) random audits of paper ballots; more states need such laws, and in all states the spirit of the laws must be followed as well as the letter.

  • Security against Election Hacking (Freedom to Tinker)

    Over at the Freedom to Tinker blog, Andrew Appel has a two-part series on security attacks and defenses for the upcoming elections in the US (though some of it will obviously be applicable elsewhere too). Part 1 looks at the voting and counting process with an eye toward ways to verify what the computers involved are reporting, but doing so without using the computers themselves (having and verifying the audit trail, essentially). Part 2 looks at the so-called cyberdefense teams and how their efforts are actually harming all of our security (voting and otherwise) by hoarding bugs rather than reporting them to get them fixed.

Syndicate content

More in Tux Machines

Ubuntu 16.04.2 LTS Delayed Until February 2, Will Bring Linux 4.8, Newer Mesa

If you've been waiting to upgrade your Ubuntu 16.04 LTS (Xenial Xerus) operating system to the 16.04.2 point release, which should have hit the streets a couple of days ago, you'll have to wait until February 2. We hate to give you guys bad news, but Canonical's engineers are still working hard these days to port all the goodies from the Ubuntu 16.10 (Yakkety Yak) repositories to Ubuntu 16.04 LTS, which is a long-term supported version, until 2019. These include the Linux 4.8 kernel packages and an updated graphics stack based on a newer X.Org Server version and Mesa 3D Graphics Library. Read more

Calamares Release and Adoption

  • Calamares 3.0 Universal Linux Installer Released, Drops Support for KPMcore 2
    Calamares, the open-source distribution-independent system installer, which is used by many GNU/Linux distributions, including the popular KaOS, Netrunner, Chakra GNU/Linux, and recently KDE Neon, was updated today to version 3.0. Calamares 3.0 is a major milestone, ending the support for the 2.4 series, which recently received its last maintenance update, versioned 2.4.6, bringing numerous improvements, countless bug fixes, and some long-anticipated features, including a brand-new PythonQt-based module interface.
  • Due to Popular Request, KDE Neon Is Adopting the Calamares Graphical Installer
    KDE Neon maintainer Jonathan Riddell is announcing today the immediate availability of the popular Calamares distribution-independent Linux installer framework on the Developer Unstable Edition of KDE Neon. It would appear that many KDE Neon users have voted for Calamares to become the default graphical installer system used for installing the Linux-based operating system on their personal computers. Indeed, Calamares is a popular installer framework that's being successfully used by many distros, including Chakra, Netrunner, and KaOS.

Red Hat Financial News

Wine 2.0 RC6 released