
Security: Chrome and 'Cyber Attack' Shutting Pipeline Data System ('Windows Shop' Apparently)

Filed under
Security

A radical proposal to keep your personal data safe - by Richard Stallman

Filed under
GNU
Security

To restore privacy, we must stop surveillance before it even asks for consent.

Finally, don’t forget the software in your own computer. If it is the non-free software of Apple, Google or Microsoft, it spies on you regularly. That’s because it is controlled by a company that won’t hesitate to spy on you. Companies tend to lose their scruples when that is profitable. By contrast, free (libre) software is controlled by its users. That user community keeps the software honest.

Read more

Political Security Inquiry Regarding GNU/Linux and Free Software

Filed under
Linux
Security
  • Republicans seek information on open source security, stability

    Republican members of the US Government's Committee on Energy and Commerce have sought information from the Linux Foundation on the open source software that is most critical to global information infrastructure and the sustainability and stability of the open source software ecosystem.

    Greg Walden, the chairman, and Gregg Harper, chairman of the sub-committee on oversight and investigations, wrote to Linux Foundation chief executive Jim Zemlin on Monday, saying they were seeking the information to gain a deeper understanding of the open source software ecosystem.

  • Lawmakers press Linux on security of open-source software

    The Republicans asked Linux executive director Jim Zemlin whether the foundation has studied which pieces of open-source software are “most critical” to global computer networks and whether it compiled statistics on the usage of open-source software.

  • Lawmakers Seek Input On Addressing Open-Source Software Vulnerabilities

Security: Updates and Drupal's Patch

Filed under
Security
  • Security updates for Monday
  • ‘Highly critical’ CMS bug has left over 1 million sites open to attack [Ed: Scary headline. But having spent hours dealing with this (two of my sites, also some stuff at work), I have heard of nobody that actually got cracked (so far). Nobody.]

    Drupal has marked the security risk as “highly critical” and warns that any visitor to the site could theoretically hack it through remote code execution due to missing input validation.

  • SD Times news digest: Cloudflare 1.1.1.1, Drupal security vulnerability, and Linux 4.16

    Drupal reveals a security vulnerability within Drupal 7 and 8

    Drupal has announced that there is a vulnerability within Drupal 7.x and 8.x that could allow attackers to exploit attack vectors on Drupal sites, which would leave those sites vulnerable. Drupal is an open source solution for building websites and solutions.

    The company has issued a fix, which can be obtained by installing the most recent version of Drupal 7 or 8 core.

    In addition, the company is releasing updates for Drupal 8.3.x and 8.4.x, even though those releases are no longer supported. The company has also stated that the vulnerability affects Drupal 6, which is at End of Life anyway.

    Linux 4.16 is released

    Linus Torvalds has announced the release of Linux 4.16. He claims that this release looks very similar to rc7 due to the fact that half of it is networking. Other new additions in this release are arch fixlets, driver fixes, and updates to documentation. A complete list of new features can be found here.

Security: CopperheadOS, remctl, and Open Source Security Podcast

Filed under
Security
  • Further securing devices running CopperheadOS by using separate Encryption/Lockscreen passphrases

    If you value “vendor-based” security more than freedom, you may consider CopperheadOS a viable alternative to the free but rather insecure Replicant (it requires an unlocked bootloader and is way behind in terms of security patches atm). Personally, I find neither Replicant nor CopperheadOS a perfectly satisfying option, but they are the very best you can have at the moment. In the future, I hope that (1) more devices will be supported by non-Android-based alternatives like postmarketOS and (2) devices which require fewer blobs such as the Librem 5 (I highly doubt that it will run completely without blobs) will become available.

  • remctl 3.14

    remctl is a client/server protocol supporting remote execution of specific configured commands using GSS-API or ssh for authentication and encryption.

    This is a minimal release that fixes a security bug introduced in 3.12, discovered by Santosh Ananthakrishnan. A remctl client with the ability to run a server command with the sudo configuration option may be able to corrupt the configuration of remctld to run arbitrary commands, although I believe this would be moderately difficult to do. Only remctld (not remctl-shell) is vulnerable, and only if there are commands using the sudo configuration option.

  • Open Source Security Podcast: Episode 90 - Humans and misinformation

Intel's Microcode Update for Spectre Makes a Comeback in Ubuntu's Repositories

Filed under
Security
Ubuntu

After being pulled from Ubuntu's repositories in late January at Intel's request, due to serious hardware issues reported by numerous users, Intel's microcode update to mitigate the Spectre security vulnerability makes a comeback.

On January 22, 2018, Canonical replaced the Intel microcode firmware versioned 20180108 with the older 20170707 release at Intel's request, thus no longer protecting users' computers against the Spectre security vulnerability that could allow a local attacker to expose sensitive information from kernel memory.

"Jann Horn discovered that microprocessors utilizing speculative execution and branch prediction may allow unauthorized memory reads via side-channel attacks. This flaw is known as Spectre. A local attacker could use this to expose sensitive information, including kernel memory (CVE-2017-5715)," reads the security advisory.

Read more
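The article describes the package rollback but not how to tell which firmware a host actually ended up with. The following Python script is an added example, not code from the article, Canonical or Intel. It combines three views that can disagree: the dpkg package version (assumed to follow the Debian intel-microcode pattern "3.YYYYMMDD.N", optionally with a "+reallyYYYYMMDD" downgrade marker), the microcode revision /proc/cpuinfo reports per CPU, and the kernel's spectre_v2 line under /sys/devices/system/cpu/vulnerabilities/ (present on kernels that carry the sysfs vulnerability reporting). The two release dates are the ones the article gives; the sample cpuinfo text is constructed.

```python
"""Check which Intel microcode bundle a host has and whether the kernel reports
a Spectre v2 (CVE-2017-5715) mitigation.

Added example; not code from the article, Canonical or Intel. Assumptions not
stated on the page: intel-microcode Debian/Ubuntu package versions look like
"3.YYYYMMDD.N", a downgrade may carry Debian's "+reallyYYYYMMDD" marker,
/proc/cpuinfo has one "microcode : 0x.." line per logical CPU, and the kernel
exposes /sys/devices/system/cpu/vulnerabilities/spectre_v2.
"""
import re
import subprocess
from pathlib import Path
from typing import Optional

PULLED_RELEASE = 20180108    # release withdrawn at Intel's request (from the article)
FALLBACK_RELEASE = 20170707  # older release Canonical reverted to (from the article)

_VERSION_RE = re.compile(r"^\d+\.(\d{8})(?:\.|$)")   # "3.20180108.1" -> 20180108
_REALLY_RE = re.compile(r"\+really(\d{8})")          # "...+really20170707..." -> 20170707
_MICROCODE_RE = re.compile(r"^microcode\s*:\s*(0x[0-9a-fA-F]+)", re.MULTILINE)


def package_release_date(pkg_version: str) -> int:
    """YYYYMMDD of the microcode bundle a package version actually ships.
    Debian's "+really<old>" convention marks a package whose version number was
    kept high for upgrade ordering while its contents were rolled back, so when
    it is present it wins over the leading version."""
    v = pkg_version.strip()
    m = _REALLY_RE.search(v)
    if m:
        return int(m.group(1))
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unrecognised intel-microcode version: {pkg_version!r}")
    return int(m.group(1))


def is_rolled_back(pkg_version: str) -> bool:
    """True if the installed bundle predates the 20180108 release, i.e. the host
    still carries the reverted firmware without the Spectre v2 microcode."""
    return package_release_date(pkg_version) < PULLED_RELEASE


def cpu_microcode_revisions(cpuinfo_text: str) -> set:
    """Distinct microcode revisions reported in /proc/cpuinfo (one line per CPU).
    More than one value means some cores did not receive the update."""
    return {int(rev, 16) for rev in _MICROCODE_RE.findall(cpuinfo_text)}


def spectre_v2_status(sysfs_text: str) -> str:
    """Classify the kernel's spectre_v2 sysfs line."""
    line = sysfs_text.strip()
    if line.startswith("Mitigation:"):
        return "mitigated"
    if line.startswith("Vulnerable"):
        return "vulnerable"
    if line.startswith("Not affected"):
        return "not_affected"
    return "unknown"   # file missing or a format this script does not know


def installed_package_version() -> Optional[str]:
    """intel-microcode version from dpkg, or None on non-dpkg hosts or if absent."""
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "-f=${Version}", "intel-microcode"],
            capture_output=True, text=True, check=True,
        )
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


def host_report(cpuinfo_path: str = "/proc/cpuinfo",
                sysfs_path: str = "/sys/devices/system/cpu/vulnerabilities/spectre_v2") -> dict:
    """Combine package, CPU and kernel views. Any one alone can mislead: a package
    can be installed without a reboot, and the kernel line also covers
    retpoline, which needs no microcode at all."""
    cpuinfo = Path(cpuinfo_path).read_text() if Path(cpuinfo_path).exists() else ""
    sysfs = Path(sysfs_path).read_text() if Path(sysfs_path).exists() else ""
    pkg = installed_package_version()
    try:
        rolled_back = is_rolled_back(pkg) if pkg else None
    except ValueError:
        rolled_back = None
    return {
        "package_version": pkg,
        "rolled_back": rolled_back,
        "microcode_revisions": sorted(hex(r) for r in cpu_microcode_revisions(cpuinfo)),
        "spectre_v2": spectre_v2_status(sysfs),
    }


# Constructed sample: two logical CPUs on the same microcode revision.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz
microcode\t: 0xc2
processor\t: 1
vendor_id\t: GenuineIntel
model name\t: Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz
microcode\t: 0xc2
"""

if __name__ == "__main__":
    print(host_report())
```

Run it as root-less user on the host in question; the interesting outcome is a package that is not rolled back while the kernel still says "Vulnerable", which means the new bundle is installed but the CPU has not been reloaded with it (no reboot, or early-load initramfs not regenerated).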

Also: Finally extradited from Europe, suspected LinkedIn [cracker] faces US charges

Security: NoScript, Georgia and CFAA, FUD, and MyFitnessPal 'Cloud' Breach

Filed under
Security
  • Firefox 57-59 & Noscript 10 usage guide - 2nd edition

    Noscript is maturing nicely. It is not the all-can-do tool that we had in Firefox before the 57th release, but it is adequate and suitable for most people, and it provides the necessary protection, and more importantly, the necessary quiet you want when browsing the net. Silent, static pages so you can focus on reading and not having your senses assailed any which Web 2.0 or Web 3.0 way. But I guess most people will focus on the security side of things.

    I am using the addon across multiple profiles and systems, and I have not observed any big breakages or bugs. Occasional tiny issues crop up here and there, and then vanish a day later. The one that I do remember was a temporary issue with XSS for a brief while, but other than that, it seems to work in a very similar fashion to the old Noscript. Performance is also comparable. And then, there's still more room for improvements and new stuff, which I'm sure will be coming. Hopefully, this was a pleasant read. Take care.

  • Georgia Passes Anti-Infosec Legislation

    Despite the full-throated objections of the cybersecurity community, the Georgia legislature has passed a bill that would open independent researchers who identify vulnerabilities in computer systems to prosecution and up to a year in jail.

    EFF calls upon Georgia Gov. Nathan Deal to veto S.B. 315 as soon as it lands on his desk.

    For months, advocates such as Electronic Frontiers Georgia have descended on the state Capitol to oppose S.B. 315, which would create a new crime of “unauthorized access” to computer systems. While lawmakers did make a major concession by exempting terms of service violations under the measure—an exception we’ve been asking Congress for years to carve out of the federal Computer Fraud & Abuse Act (CFAA)—the bill still falls short of ensuring that researchers aren’t targeted by overzealous prosecutors. This has too often been the case under CFAA.

  • Newly Found Malware Deliberately Avoids Government Networks [Ed: So-called 'Malware'. Basically just someone running a script to scan for machines with an open SSH port and truly shitty (if not still-default) password. It is not hard to understand why crackers typically try not to touch government IPs. Governments don't care about cracking (they do it themselves) unless the cracks affect government and immunity/impunity is available only for other "state actors" (crackers taxpayers pay for). Systemic hypocrisy.]
  • Your MyFitnessPal Account Was Almost Certainly Hacked, Change Your Password Now

    If you’re one of the 150 million MyFitnessPal users, bad news: hackers have your email address, your user name, and your hashed password.

  • MyFitnessPal data breach affects 150 million users, Including fitness wearables

    Digital data thefts are on the rise and sports apparel merchant Under Armour has become the latest victim of the crime. The Baltimore (USA) based company has disclosed that there was a massive data breach of the system behind its food and nutrition app and website, MyFitnessPal, earlier this year. An unauthorized party gained access to the system and was able to acquire data of about 150 million users.
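The "malware" item above comes down to someone scanning for hosts with SSH exposed and a weak or default password. What that looks like from the target's side is a burst of failed logins from one address, and the thing an operator wants to know is whether any of those bursts ended in an accepted login. The following Python script is an added example, not code from any of the articles above; it parses the standard OpenSSH sshd syslog lines for failed and accepted logins, groups them by source address, and separates a credential spray across common default accounts from a single-account brute force, from a guess that actually succeeded, and from an ordinary user fat-fingering a password. The log lines and the thresholds are constructed for the example.

```python
"""Flag SSH password-guessing sources in auth.log-style lines.

Added example, not from the articles it follows. The log lines are
constructed in the syslog format OpenSSH's sshd uses; the thresholds and the
list of default accounts are illustrative choices, not values from the page.
"""
import re
import sys
from collections import defaultdict

# sshd's own wording for a rejected and for an accepted authentication.
_FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F:.]+) port \d+ ssh2"
)
_ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?:password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F:.]+) port \d+ ssh2"
)

# Account names mass scanners try against default-credential hosts (assumed list).
DEFAULT_ACCOUNTS = {"root", "admin", "pi", "ubuntu", "user", "test", "oracle"}


def parse_failures(lines):
    """Map source IP -> list of usernames tried, one entry per failed attempt."""
    tried = defaultdict(list)
    for line in lines:
        m = _FAILED_RE.search(line)
        if m:
            tried[m.group("ip")].append(m.group("user"))
    return tried


def parse_successes(lines):
    """Set of (ip, user) pairs that logged in successfully."""
    hits = set()
    for line in lines:
        m = _ACCEPTED_RE.search(line)
        if m:
            hits.add((m.group("ip"), m.group("user")))
    return hits


def classify(lines, min_attempts=5, min_distinct_users=3):
    """Return {ip: verdict} for every source that had at least one failure.

    'compromised': at least min_attempts failures and then a success from the
                   same address (ordering is not checked here; with timestamps
                   you would also require the success to come last).
    'spray':       many attempts spread over several default account names.
    'bruteforce':  many attempts against one or two accounts.
    'noise':       below the threshold, e.g. a real user mistyping a password
                   once and then logging in.
    """
    failures = parse_failures(lines)
    successes = parse_successes(lines)
    success_ips = {ip for ip, _ in successes}
    verdicts = {}
    for ip, users in failures.items():
        attempts, distinct = len(users), set(users)
        if attempts >= min_attempts and ip in success_ips:
            verdicts[ip] = "compromised"
        elif (attempts >= min_attempts and len(distinct) >= min_distinct_users
              and distinct & DEFAULT_ACCOUNTS):
            verdicts[ip] = "spray"
        elif attempts >= min_attempts:
            verdicts[ip] = "bruteforce"
        else:
            verdicts[ip] = "noise"
    return verdicts


# Constructed sample: a default-account spray, a root guess that succeeds,
# and a legitimate user who mistypes once.
SAMPLE_AUTH_LOG = """\
Apr  2 03:14:07 web1 sshd[2140]: Failed password for root from 203.0.113.7 port 40122 ssh2
Apr  2 03:14:09 web1 sshd[2142]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Apr  2 03:14:11 web1 sshd[2144]: Failed password for invalid user pi from 203.0.113.7 port 40138 ssh2
Apr  2 03:14:13 web1 sshd[2146]: Failed password for invalid user ubuntu from 203.0.113.7 port 40146 ssh2
Apr  2 03:14:15 web1 sshd[2148]: Failed password for root from 203.0.113.7 port 40154 ssh2
Apr  2 03:20:01 web1 sshd[2201]: Failed password for root from 198.51.100.23 port 51000 ssh2
Apr  2 03:20:03 web1 sshd[2203]: Failed password for root from 198.51.100.23 port 51002 ssh2
Apr  2 03:20:05 web1 sshd[2205]: Failed password for root from 198.51.100.23 port 51004 ssh2
Apr  2 03:20:07 web1 sshd[2207]: Failed password for root from 198.51.100.23 port 51006 ssh2
Apr  2 03:20:09 web1 sshd[2209]: Failed password for root from 198.51.100.23 port 51008 ssh2
Apr  2 03:20:11 web1 sshd[2211]: Accepted password for root from 198.51.100.23 port 51010 ssh2
Apr  2 08:02:44 web1 sshd[3310]: Failed password for alice from 192.0.2.44 port 60000 ssh2
Apr  2 08:02:50 web1 sshd[3312]: Accepted publickey for alice from 192.0.2.44 port 60002 ssh2
"""

if __name__ == "__main__":
    # Pass a real auth.log path to analyse it; otherwise use the constructed sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    for ip, verdict in sorted(classify(source.splitlines()).items()):
        print(f"{ip:<16} {verdict}")
```

A "compromised" verdict is the one that needs a human within minutes; a "spray" verdict mostly confirms that password authentication is still enabled on a reachable port, which is the condition the Ed note is complaining about, and the durable fix is key-only authentication rather than a longer blocklist.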

Security: Updates and Kaspersky

Filed under
Security

pfSense 2.4.3-RELEASE now available

Filed under
Security
BSD

We are excited to announce the release of pfSense® software version 2.4.3, now available for new installations and upgrades!

pfSense software version 2.4.3 brings security patches, several new features, support for new Netgate hardware models, and stability fixes for issues present in previous pfSense 2.4.x branch releases.

Read more

Kaspersky Lab researchers put KLara into open source domain

Filed under
OSS
Security

Further technical and API details can be found on Securelist. The software is open-sourced under GNU General Public License v3.0 and available with no warranty from the developers.

Kaspersky Lab's GitHub account also includes another tool, created and shared by Kaspersky Lab researchers in 2017. Named BitScout, it was created by principal security researcher, Vitaly Kamluk, and can remotely collect vital forensic data such as malware samples without risk of contamination or loss. Further information on BitScout can be found here.

Read more


More in Tux Machines

Critical Live Boot Bug Fixed and Ubuntu 18.04 is Finally Released

A critical bug in the live boot session delayed the Ubuntu 18.04 LTS release for several hours. The bug has been fixed and the ISOs are available to download. Read more

Nintendo Switch hack + Dolphin Emulator could bring GameCube and Wii game support

This week security researchers released details about a vulnerability affecting NVIDIA Tegra X1 processors that makes it possible to bypass secure boot and run unverified code on some devices… including every Nintendo Switch game console that’s shipped to date. Among other things, this opens the door for running modified versions of Nintendo’s firmware, or alternate operating systems such as a GNU/Linux distribution. And if you can run Linux… you can also run Linux applications. Now it looks like one of those applications could be the Dolphin emulator, which lets you play Nintendo GameCube and Wii games on a computer or other supported devices. Read more

Openwashing Leftovers

Linux Foundation: New Members, Cloud Foundry, and Embedded Linux Conference + OpenIoT Summit

  • 41 Organizations Join The Linux Foundation to Support Open Source Communities With Infrastructure and Resources
    The Linux Foundation, the nonprofit organization enabling mass innovation through open source, announced the addition of 28 Silver members and 13 Associate members. Linux Foundation members help support development of the shared technology resources, while accelerating their own innovation through open source leadership and participation. Linux Foundation member contributions help provide the infrastructure and resources that enable the world's largest open collaboration communities.
  • Cloud Foundry for Developers: Architecture
    Back in the olden days, provisioning and managing IT stacks was complex, time-consuming, and error-prone. Getting the resources to do your job could take weeks or months. Infrastructure-as-a-Service (IaaS) was the first major step in automating IT stacks, and introduced the self-service provisioning and configuration model. VMware and Amazon were among the largest early developers and service providers. Platform-as-a-Service (PaaS) adds the layer to IaaS that provides application development and management. Cloud Foundry is for building Platform as a Service (PaaS) projects, which bundle servers, networks, storage, operating systems, middleware, databases, and development tools into scalable, centrally-managed hardware and software stacks. That is a lot of work to do manually, so it takes a lot of software to automate it.
  • Jonathan Corbet on Linux Kernel Contributions, Community, and Core Needs
    At the recent Embedded Linux Conference + OpenIoT Summit, I sat down with Jonathan Corbet, the founder and editor-in-chief of LWN to discuss a wide range of topics, including the annual Linux kernel report. The annual Linux Kernel Development Report, released by The Linux Foundation is the evolution of work Corbet and Greg Kroah-Hartman had been doing independently for years. The goal of the report is to document various facets of kernel development, such as who is doing the work, what is the pace of the work, and which companies are supporting the work.