Security Leftovers

Filed under: Security
  • Security updates for Tuesday
  • New RAMpage exploit revives Rowhammer attack to root Android devices

    Both Drammer and the newly disclosed RAMpage attacks exploit Rowhammer, a class of exploit that alters data stored in memory chips by repeatedly accessing the internal rows where individual bits are stored. By “hammering” the rows thousands of times a second, the technique causes the bits to flip, meaning 0s are changed to 1s and vice versa.

    The original Rowhammer attack against PCs made it possible for an untrusted computer application to gain nearly unfettered system privileges or to bypass security sandboxes designed to keep malicious code from accessing sensitive operating system resources. A later variation allowed JavaScript hosted on websites to effect the same security-sensitive bitflips.

  • Decreasing Vulnerabilities Seen in Red Hat Linux
  • Over 20,000 Container Management Dashboards Are Exposed on the Internet

    Even though it’s highly discouraged to expose any kind of management dashboard directly to the internet, there are many users who continue to ignore this recommendation, and it seems that infrastructure admins are no exception.

    A recent study by cloud security firm Lacework found over 22,000 publicly exposed container orchestration and API management systems, about 300 of which could be accessed without any credentials and gave attackers full control or remote code execution capability on containers.


Security and Bugs

Filed under: Security
  • Security updates for Monday
  • Root Store Policy Updated

    After several months of discussion on the mozilla.dev.security.policy mailing list, our Root Store Policy governing Certification Authorities (CAs) that are trusted in Mozilla products has been updated. Version 2.6 has an effective date of July 1st, 2018.

  • FreeBSD Kernel Patch Posted For Addressing Ryzen Errata

    A few days back I wrote about workarounds for getting FreeBSD running stable on AMD Ryzen via a script to adjust some of the CPU's MSRs based upon a recently-updated AMD revision guide. That script, which was making use of FreeBSD's cpucontrol utility for adjusting the bits, has now morphed into a kernel patch.

    Konstantin Belousov who worked on the script based upon the official AMD Ryzen errata guide has now turned it into a kernel patch that will hopefully be accepted upstream in the not too distant future.

  • Ryzen issues on FreeBSD ? (with sort of workaround)

Security: Open Source Security Podcast and Inaccurate Gentoo Coverage

Filed under: Gentoo, Security
  • Open Source Security Podcast: Episode 103 - The Seven Properties of Highly Secure Devices

    We take a real world view into how to secure our devices. What works, what doesn't work, and why this list is actually really good.

  • Github code repository for Gentoo Linux hacked [Ed: Lots of inaccuracies here]

    The Gentoo Linux distribution's Github repository was hacked last June 28, with the attackers modifying the code there.

    Github is a repository for all sorts of source code projects in a variety of programming languages. Gentoo Linux is one such project, stored in Github.

    Gentoo Linux administrators updated users as soon as the issue was found out.

  • Gentoo warning after GitHub hack [Ed: Crack, not "hack"]

    A key Gentoo Linux source code repository should be considered compromised after “unknown individuals” gained access to Gentoo’s Github organisation.

    In an email to the Gentoo announcement list, developer Alec Warner said that the individuals had seized control of the GitHub Gentoo organisation “and modified the content of repositories as well as pages there”.

US Senator Recommends Open-Source WireGuard To NIST For Government VPN

Filed under: OSS, Security

One of the additions we have been looking forward to seeing in the mainline Linux kernel in 2018 is WireGuard. WireGuard is the open-source, performance-minded, and secure VPN tunnel. WireGuard is designed to be run within the Linux kernel but has also been ported to other platforms.

WireGuard hasn't yet made it into the mainline Linux kernel, but it's looking like it still stands good chances of doing so in 2018. Curious about the state, I asked WireGuard's lead developer Jason Donenfeld this week. He informed me that he is in the process of preparing the patch(es) for review and that it won't hopefully be much longer before that happens. Of course, following the review process is when it could be integrated into the mainline Linux kernel at the next available merge window (he gave no explicit indication, but if it's to happen this year, that would mean Linux 4.19 or Linux 5.0).


Security: LTE, Ticketmaster, Equifax and the "51% Attack"

Filed under: Security
  • LTE wireless connections used by billions aren’t as secure as we thought

    The attacks work because of weaknesses built into the LTE standard itself. The most crucial weakness is a form of encryption that doesn’t protect the integrity of the data. The lack of data authentication makes it possible for an attacker to surreptitiously manipulate the IP addresses within an encrypted packet. Dubbed aLTEr, the researchers’ attack causes mobile devices to use a malicious domain name system server that, in turn, redirects the user to a malicious server masquerading as Hotmail. The other two weaknesses involve the way LTE maps users across a cellular network and leaks sensitive information about the data passing between base stations and end users.

  • LTE (4G) Flaw Allows Attackers To Redirect Browsers And Spy On You

    The Long Term Evolution (LTE) standard for mobile communication, also known as 4G, was designed to overcome security flaws of its predecessor standards and is used by millions of people across the globe.

    However, researchers have now uncovered weaknesses in LTE that allow attackers to hijack browsing sessions, redirecting users to malicious websites, and to spy on their online activity to find out which sites they visit through their LTE device.

  • UK researcher says one line of code caused Ticketmaster breach

    Well-known British security researcher Kevin Beaumont says the breach of the British operations of American multinational ticket sales and distribution company Ticketmaster, that has led to the possible leak of tens of thousands of credit card details, was caused by the incorrect placement of a single line of code.

    As iTWire reported, Ticketmaster UK blamed third-party supplier Inbenta Technologies for the incident. Inbenta, in turn, said that the breach had been caused by Ticketmaster directly applying a customised piece of JavaScript without notifying its (Inbenta's) team.

  • Plant Your Flag, Mark Your Territory

    Some examples of how being a modern-day Luddite can backfire are well-documented, such as when scammers create online accounts in someone’s name at the Internal Revenue Service, the U.S. Postal Service or the Social Security Administration.

    Other examples may be far less obvious. Consider the case of a consumer who receives their home telephone service as part of a bundle through their broadband Internet service provider (ISP). Failing to set up a corresponding online account to manage one’s telecommunications services can provide a powerful gateway for fraudsters.

  • Former Equifax Manager Allegedly Took Advantage of Data Breach Crisis with Insider Trading Scheme

    Federal prosecutors and the Securities and Exchange Commission (SEC) announced charges Thursday against a former software development manager who allegedly took advantage of the chaos in order to run an insider trading scheme. The defendant is Sudhakar Reddy Bonthu, 44.

  • Former Equifax manager is charged with insider trading for selling shares before data breach was disclosed

    Sudhakar Reddy Bonthu allegedly made more than US$75,000 after betting that his company’s shares would fall when the breach was revealed

  • Cryptocurrencies Have Limits

    The Economic Limits Of Bitcoin And The Blockchain by Eric Budish is an important analysis of the economics of two kinds of "51% attack" on Bitcoin and other cryptocurrencies, such as those becoming endemic on Bitcoin Gold and other alt-coins:


Brave Does Tor

Filed under: Security, Web
  • Brave Introduces Beta of Private Tabs with Tor for Enhanced Privacy while Browsing

    Today we’re releasing our latest desktop browser Brave 0.23 which features Private Tabs with Tor, a technology for defending against network surveillance. This new functionality, currently in beta, integrates Tor into the browser and gives users a new browsing mode that helps protect their privacy not only on device but over the network. Private Tabs with Tor help protect Brave users from ISPs (Internet Service Providers), guest Wi-Fi providers, and visited sites that may be watching their Internet connection or even tracking and collecting IP addresses, a device’s Internet identifier.

    Private Tabs with Tor are easily accessible from the File menu by clicking New Private Tab with Tor. The integration of Tor into the Brave browser makes enhanced privacy protection conveniently accessible to any Brave user directly within the browser. At any point in time, a user can have one or more regular tabs, session tabs, private tabs, and Private Tabs with Tor open.

  • Brave Browser Goes Beyond Private Browsing With Tor-powered Tabs

    The ad-blocking browser Brave is presently counted as one of the top web browsers of 2018, primarily for its steady privacy and secure browsing experience. It is now advancing towards perfecting private browsing.

    An update (Brave 0.23) launched on Thursday for its desktop clients has integrated Private tabs with Tor to defend users from leaving digital footprints on the internet.

Rewards of Up to $500,000 Offered for FreeBSD, OpenBSD, NetBSD, Linux Zero-Days

Filed under: Security, BSD

Exploit broker Zerodium is offering rewards of up to $500,000 for zero-days in UNIX-based operating systems like OpenBSD, FreeBSD, NetBSD, but also for Linux distros such as Ubuntu, CentOS, Debian, and Tails.

The offer, first advertised via Twitter earlier this week, is available as part of the company's latest zero-day acquisition drive. Zerodium is known for buying zero-days and selling them to government agencies and law enforcement.

The company runs a regular zero-day acquisition program through its website, but it often holds special drives with more substantial rewards when it needs zero-days of a specific category.


Gentoo Needs to Delete GitHub

Filed under: Gentoo, Security
  • Gentoo GitHub mirror hacked and considered compromised

    Linux distribution Gentoo has had its GitHub mirror broken into and taken over, with GitHub pages changed and ebuilds replaced.

    In an alert, Gentoo said the attacker gained control of the Github Gentoo organisation on June 28, 20:20 UTC.

    "All Gentoo code hosted on github should for the moment be considered compromised," the alert said.

  • Et tu, Gentoo? Horrible gits meddle with Linux distro's GitHub code

    If you have fetched anything from Gentoo's GitHub-hosted repositories today, dump those files – because hackers have meddled with the open-source project's data.

    The Linux distro's officials sounded the alarm on Thursday, revealing someone managed to break into its GitHub organization account to modify software and webpages.

    Basically, if you downloaded and installed materials from Gentoo via GitHub, you might be compromised by bringing in malicious code. And until the all clear is given, you should avoid fetching anything from the project's 'hub org account.

    "Today, 28 June, at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there," Gentoo dev Alec Warner said in a bulletin.

  • Gentoo Linux GitHub organisation hacked, content modified

    The GitHub organisation of the Gentoo Linux distribution has been compromised and the project behind Gentoo is warning users not to use code from this source.

    In a statement, the Gentoo leadership said some unknown individuals had gained control of the GitHub Gentoo organisation on 28 June at 20.20 UTC and modified the content and pages.

    Gentoo is a Linux distribution meant for advanced users. The source is compiled locally depending on user preferences and is often optimised for specific hardware.


More in Tux Machines

Stable kernel 4.4.142

I'm announcing the release of the 4.4.142 kernel. It's not an "essential" upgrade, but a number of build problems with perf are now resolved, and an x86 issue that some people might have hit is now handled properly. If those were problems for you, please upgrade. The updated 4.4.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.4.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-st...

today's leftovers

  • Ditching Windows: 2 Weeks With Ubuntu Linux On The Dell XPS 13 [Ed: sadly it's behind a malicious spywall]
  • What Serverless Architecture Actually Means, and Where Servers Enter the Picture
  • What are ‘mature’ stateful applications?
    BlueK8s is a new open source Kubernetes initiative from ‘big data workloads’ company BlueData — the project’s direction leads us to learn a little about which direction containerised cloud-centric applications are growing. Kubernetes is a portable and extensible open source platform for managing containerised workloads and services (essentially it is a container ‘orchestration’ system) that facilitates both declarative configuration and automation. The first open project in the BlueK8s initiative is Kubernetes Director (aka KubeDirector), for deploying and managing distributed ‘stateful applications’ with Kubernetes.
  • Winds – Machine Learning Powered RSS and Podcast App
    There are numerous RSS reader apps available in the Linux universe; some of them are the best and some of them are native Linux apps. Not all of them have the ability to support podcasts, though. Winds is a very beautiful RSS and podcast app based on the stream API, and it comes with a nice user interface loaded with features.
  • Reaper audio editing software gets a native Linux installer
    Reaper is a powerful, versatile digital audio workstation for editing music, podcasts, or other audio projects. I’ve used it to edit and mix every single episode of the LPX podcast and Loving Project podcast. The software is also cross-platform. There are 32-bit and 64-bit builds available for Windows and macOS, and there’s been an experimental Linux version for a few years.
  • Common Vision Blox 2018 with Enhanced 3D and Linux Functionality
    CVB Image Manager is the core component of Common Vision Blox and offers unrivalled functionality in image acquisition, image handling, image display and image processing. It is also included with the free CameraSuite SDK licence which is supplied with all GigE Vision or USB3 Vision cameras purchased from Stemmer Imaging. CVB 2018 Image Manager features core 3D functionality to handle point clouds and pre-existing calibrations as well as the display of 3D data. A new tool called Match 3D, which operates in both Windows and Linux, has been added. This allows a point cloud to be compared to a template point cloud, returning the 3D transformation between the two. It can be useful for 3D positioning systems and also for calculating the differences for quality control applications. The new features in CVB 2018 Image Manager have also been extended to Linux (on Intel and ARM platforms), making it even more suitable for developing solutions in embedded and OEM applications.
  • Oldest swinger in town, Slackware, notches up a quarter of a century
    Slackware, the oldest Linux distribution still being maintained, has turned 25 this week, making many an enthusiast wonder where all those years went. Mention Slackware, and the odds are that the FOSS fan before you will go a bit misty-eyed and mumble something about dependency resolution as they recall their first entry into the world of Linux. Released by Patrick Volkerding on 17 July 1993, Slackware aimed to be the most “UNIX-like” Linux distribution available and purports to be designed “with the twin goals of ease of use and stability as top priorities”. Enthusiasts downloading the distro for the first time might take issue with the former goal – the lack of a cuddly graphical installer can be jarring.
  • SDR meets AI in a mash-up of Jetson TX2, Artix-7, and 2×2 MIMO
    Deepwave Digital has launched an Ubuntu-driven, $5K “AIR-T” Mini-ITX board for AI-infused SDR, equipped with an Nvidia Jetson TX2, a Xilinx Artix-7 FPGA, and an AD9371 2×2 MIMO transceiver.
  • 8BitDo’s DIY Kit Can Turn Your Fave Retro Gamepad into a Wireless Steam Controller
    The “8BitDo Mod Kit” is a DIY package that gives you everything you need to convert an existing wired game pad for the NES, SNES, or Sega Mega Drive/Genesis systems into a fully-fledged wireless controller. A wireless controller you could then use with Ubuntu. No soldering is required. You just unscrew the case of an existing controller and the PCB inside and replace it with the one included in the mod kit. Screw it all back up and, hey presto, wireless gaming on a classic controller. Modded controllers are compatible with Steam on Windows and macOS (one assumes Linux too), as well the Nintendo Switch, and the Raspberry Pi — that’s a versatility classic game pads rarely had!
  • Are These a Risky Play with big payoff? PayPal Holdings, Inc. (PYPL) and Red Hat, Inc. (RHT)
  • How These Stocks Are Currently Valued TechnipFMC plc (FTI), Red Hat, Inc. (RHT)?
  • Form 4 RED HAT INC For: Jul 16 Filed by: Kelly Michael A
  • Form 4 RED HAT INC For: Jul 16 Filed by: KAISER WILLIAM S

Kernel: Linux 4.19 and LWN Coverage Unleashed From Paywall

  • Linux 4.19 To Feature Support For HDMI CEC With DP/USB-C To HDMI Adapters
    Adding to the big batch of feature additions and improvements queuing in DRM-Next for the upcoming Linux 4.19 kernel merge window is another round of drm-misc-next improvements. While the drm-misc-next material consists of the random DRM core and small driver changes not big enough to otherwise warrant their own individual pull requests to DRM-Next, for Linux 4.19 this "misc" material has been fairly exciting. Last week's drm-misc-next pull request introduced the Virtual KMS (VKMS) driver that offers exciting potential. With this week's drm-misc-next pull are further improvements to the VKMS code for frame-buffer and plane helpers, among other additions.
  • Nouveau Changes Queue Ahead Of Linux 4.19
    Linux 4.19 is going to be another exciting kernel on the Direct Rendering Manager (DRM) front with a lot of good stuff included while hours ago we finally got a look at what's in store for the open-source NVIDIA "Nouveau" driver. Nouveau DRM maintainer Ben Skeggs of Red Hat has updated the Nouveau DRM tree of the latest batch of patches ahead of sending in the pull request to DRM-Next. As has been the trend in recent times, the Nouveau DRM work mostly boils down to bug/regression fixes.
  • IR decoding with BPF
    In the 4.18 kernel, a new feature was merged to allow infrared (IR) decoding to be done using BPF. Infrared remotes use many different encodings; if a decoder were to be written for each, we would end up with hundreds of decoders in the kernel. So, currently, the kernel only supports the most widely used protocols. Alternatively, the lirc daemon can be run to decode IR. Decoding IR can usually be expressed in a few lines of code, so a more lightweight solution without many kernel-to-userspace context switches would be preferable. This article will explain how IR messages are encoded, the structure of a BPF program, and how a BPF program can maintain state between invocations. It concludes with a look at the steps that are taken to end up with a button event, such as a volume-up key event. Infrared remote controls emit IR light using a simple LED. The LED is turned on and off for shorter or longer periods, which is interpreted somewhat akin to morse code. When infrared light has been detected for a period, the result is called a "pulse". The time between pulses when no infrared light is detected is called a "space".
  • The block I/O latency controller
    Large data centers routinely use control groups to balance the use of the available computing resources among competing users. Block I/O bandwidth can be one of the most important resources for certain types of workloads, but the kernel's I/O controller is not a complete solution to the problem. The upcoming block I/O latency controller looks set to fill that gap in the near future, at least for some classes of users. Modern block devices are fast, especially when solid-state storage devices are in use. But some workloads can be even faster when it comes to the generation of block I/O requests. If a device fails to keep up, the length of the request queue(s) will increase, as will the time it takes for any specific request to complete. The slowdown is unwelcome in almost any setting, but the corresponding increase in latency can be especially problematic for latency-sensitive workloads.

Microsoft's Lobbying Campaign for Android Antitrust Woes

  • Google Hints A Future Where Android Might NOT Be Free
  • Android has created more choice, not less
  • Google Fined Record $5 Billion by EU, Given 90 Days to Stop ‘Illegal Practices’

    EU regulators rejected arguments that Apple Inc. competes with Android, saying Apple’s phone software can’t be licensed by handset makers and that Apple phones are often priced outside many Android users’ purchasing power.

  • EU: Google illegally used Android to dominate search, must pay $5B fine

    Thirdly, Google allegedly ran afoul of EU rules by deterring manufacturers from using Android forks. Google "has prevented manufacturers wishing to pre-install Google apps from selling even a single smart mobile device running on alternative versions of Android that were not approved by Google," the commission said.

  • EU hits Google with US$5b fine over alleged Android misuse

    The European Union has hit Google with a second fine in as many years, demanding that the search behemoth pay €4.34 billion (US$5.05 billion, A$6.82 billion) for breaching anti-trust rules over its Android mobile operating system.

    Announcing the fine on Wednesday in Brussels, the EU said Google must end such conduct within 90 days or pay a penalty of up to 5% of the average daily turnover of its parent company, Alphabet.

    The company has said it will appeal against the fine.

  • iPhone users buy half as many apps as Android users, but spend twice as much

    Apple's app store is still yielding twice the revenue of Google Play, and yet is only recording half the number of downloads.

    The figures for Q1&2 of the year suggest Apple owners spent $22.6bn on apps, whilst Android users only spent $11.8bn.

  • The EU fining Google over Android is too little, too late, say experts

    The Play Store is free to use under licence from Google, but comes with a set of conditions smartphone manufacturers must meet. The most important of these, and the one the EC has a problem with, is the requirement to set Google as the default search engine and the pre-installation of certain apps, including Google Chrome, YouTube and the Google search app. Google also dictates that some of the pre-installed apps be placed on the homescreen.

  • Don’t Expect Big Changes from Europe’s Record Google Fine

    The decision by the European Commission, the EU’s regulatory arm, found that Google manages Android, which runs roughly 80 percent of the world’s smartphones, in ways that illegally harm competition. The ruling focused on three practices: the bundling of Google's Chrome web browser and its search app as a condition for licensing the Google Play store; payments Google makes to phone manufacturers and telecom companies to exclusively preinstall the Google search app on their devices; and Google's practice of prohibiting device makers from running Google apps on Android “forks,” or alternative versions of the software unapproved by Google. In its ruling, the commission ordered Google to stop all of those practices.