Security

Internet Bug Bounty Helps Secure Open Source and the Internet [VIDEO]

Filed under
OSS
Security

Alex Rice spent five-and-half years working as head of product security at Facebook before he helped found HackerOne, provider of a platform that enables organizations to run bug bounty programs. At HackerOne, Rice has teamed with his former employer as well as Microsoft to help sponsor and operate the Internet Bug Bounty.

Rice explained that the Internet Bug Bounty covers approximately a dozen open source projects that are critical to the functioning of the Internet, including PHP, Perl, Python, Ruby, OpenSSH and others. Such projects typically don't have the resources to run their own bug bounty programs, Rice said.


Security Leftovers

Filed under
Security
  • Security advisories for Tuesday
  • SELinux insides – Part2: Neverallow assertions
  • Researchers have disclosed severe security flaws within the firm's products over the holiday weekend.

    Ormandy's disclosures were made at the same time as the findings of another researcher, Kristian Erik Hermansen, were posted online. Hermansen publicly disclosed a zero-day vulnerability within cyberforensics firm FireEye's security product, complete with proof-of-concept code.

  • Seagate drives at risk of data theft over hidden 'root' account

    A public vulnerability disclosure warns that an attacker could remotely download files from an affected hard drive, thanks to the hard-coded default password.

  • HP Drops Support For Hacking Competition As Wassenaar Arrangement Continues To Make Computing Less Safe

    An international agreement to treat certain software as weaponized is well on its way towards making computing less safe. Recent changes to the Wassenaar Arrangement -- originally crafted to regulate the sale of actual weapons -- have targeted exploits and malware. The US's proposed adoption of the Arrangement expands on the definitions of targeted "weapons," threatening to criminalize the work done by security researchers. While the Arrangement will likely have little effect on keeping weaponized software out of the hands of blacklisted entities, it could easily result in a laptop full of security research being treated like a footlocker full of assault weapons.

  • Duo Security Research Reveals Half of Apple iPhones on Corporate Networks Run Out-of-Date Versions of iOS

    Duo Security, a cloud-based access security provider protecting the world's largest and fastest growing companies, today announced results from a Duo Labs research study focusing on mobile devices on corporate networks. Unpatched and end-of-life devices that are no longer supported by the manufacturer are much more prevalent than expected and create significant risk for corporate networks. The Duo Labs research draws on data gathered from thousands of customer deployments in more than 150 countries worldwide.

  • TSA Master Keys

    Someone recently noticed a Washington Post story on the TSA that originally contained a detailed photograph of all the TSA master keys. It's now blurred out of the Washington Post story, but the image is still floating around the Internet. The whole thing neatly illustrates one of the main problems with backdoors, whether in cryptographic systems or physical systems: they're fragile.

  • A Tale of Three Backdoors

    The tale of three backdoors: TSA locks, the CALEA interface, and the Dual_EC PRNG, all amply illustrate the dangers posed by backdoors in systems. For backdoors may fail catastrophically, degrade national security, and can potentially be used against those who demanded the backdoors in the first place. The scars borne by the security field in dealing with failed backdoors provide ample illustration of why we find the idea of backdoors troubling and dangerous.

[Debian] reproducible builds are a waste of time

Filed under
Security
Debian
  • reproducible builds are a waste of time

    Yesterday I read an article on Motherboard about Debian’s plan to shut down 83% of the CIA with reproducible builds. Ostensibly this defends against an attack where the compiler is modified to insert backdoors in the packages it builds. Of course, the defense only works if only some of the compilers are backdoored. The article then goes off on a bit of a tangent about self-propagating compiler backdoors, which may be theoretically possible, but also terribly, unworkably fragile.

    I think the idea is that if I’m worried about the CIA tampering with Debian, I can rebuild everything myself from source. Because there’s no way the CIA would be able to insert a trojan in the source package. Then I check if what I’ve built matches what they built. If I were willing to do all that, I’m not sure why I need to check that the output is the same. I would always build from scratch, and ignore upstream entirely. I can do this today. I don’t actually need the builds to match to feel confident that my build is clean. Perhaps the idea is that a team of incorruptible volunteers will be building and checking for me, much like millions of eyeballs are carefully reviewing the source to all the software I run.

    The original source document doesn’t actually mention deployment of the whacked SDK, just research into its development. Perhaps they use it, perhaps they rejected it as being too difficult and risky. Tricking a developer into using a whacked toolchain leaves detectable traces and it’s somewhat difficult to deny as an accident. If we assume that the CIA has access to developers’ machines, why not assume they have access to the bug database as well and are mining it for preexisting vulnerabilities to exploit? Easy, safe, deniable.

  • Debian Reproducible Builds to Detect Spyware

    Debian has been getting a lot of attention the last couple of days for Jérémy Bobbio's work on Reproducible Builds. Bobbio has been working on this idea and implementation for a couple of years now, but after a presentation at Chaos Communication Camp last month it's come back into focus. In other Debian news, updates 8.2 and 7.9 were released.

  • Debian Linux versus the CIA

    Hidden backdoors into software have long been a concern for some users as government spying has increased around the world. Now the Debian project has taken aim at the CIA and other government spy agencies with reproducible builds that aim to stop hidden backdoors.

Debian Security

Filed under
Security
Debian

How to Install and run Kali Linux on any Android Smartphone

Filed under
Android
GNU
Linux
Security
HowTos

Kali Linux is one of the best-loved operating systems of white hat hackers, security researchers and pentesters. It offers advanced penetration testing tools, and its ease of use means that it should be a part of every security professional’s toolbox.

Penetration testing involves using a variety of tools and techniques to test the limits of security policies and procedures. Nowadays more and more apps are available on the Android operating system for smartphones and tablets, so it becomes worthwhile to have Kali Linux on your smartphone as well.


Security Leftovers

Filed under
Security

Improving Security for Bugzilla

Filed under
Moz/FF
Security

Openness, transparency, and security are all central to the Mozilla mission. That’s why we publish security bugs once they’re no longer dangerous, and it’s why we’re writing a blog post about unauthorized access to our infrastructure. We have notified the relevant law enforcement authorities about this incident, and may take additional steps based on the results of any further investigations.


Google Chrome Turns Seven, Advances with Security and Performance Gains

Filed under
Google
Security

After seven years of development, Google continues its rapid pace of release and enhancement for its Chrome browser. On the seventh anniversary of the first Chrome public release on September 2, Google released Chrome stable version 45 and Chrome beta 46.

Google Chrome debuted on September 2, 2008 after months of speculation about Google's intentions regarding entering the browser market. The first Chrome browser entered the market at a time when Microsoft's IE still dominated, though Firefox was making a dent in that market share. Today, according to multiple sets of stats, including Statcounter, Google Chrome stands as the world's most popular web browser.


Security Leftovers

Filed under
Security

More in Tux Machines

Leftovers: OSS

  • Quantifying Benefits of Network Virtualization in the Data Center
    Modern data centers have increased significantly in scale and complexity as compute and storage resources become highly virtualized. The rise of the DevOps style of application deployment means that data center resources must be agile and respond rapidly to changing workload requirements. Data center network technologies have been challenged to keep up with these rapidly evolving application requirements.
  • Apache Zeppelin Joins Several Other Projects Gaining Top-Level Status
    As we've been reporting, The Apache Software Foundation, which incubates more than 350 open source projects and initiatives, has been elevating a lot of interesting new tools to Top-Level Status recently. The foundation has also made clear that you can expect more on this front, as graduating projects to Top-Level Status helps them get both advanced stewardship and certainly far more contributions. Only a few days ago, the foundation announced that a project called TinkerPop has graduated from the Apache Incubator to become a Top-Level Project (TLP). TinkerPop is a graph computing framework that provides developers the tools required to build modern graph applications in any application domain and at any scale. Now, it has announced that Apache Zeppelin has graduated as well. Zeppelin is a web-based notebook that enables interactive data analytics.
  • 6 Open Source Operating Systems for the Internet of Things (IoT)
    Whether you are a small or a large enterprise, IoT is a useful technology that can help you stay connected on the go.
  • 6 open source architecture projects to check out
    The world of architecture doesn't change as quickly as software, but architects are still finding new ways to share innovative designs and ideas. The open source architecture movement aims to make architectural designs, drawings, 3D renderings, and documentation freely available for integration into other projects under open source licenses. It owes much of its growth to the growing popularity of the maker movement, DIY culture, 3D printing, and CNC machines, as well as support from architects like Alejandro Aravana.
  • Yorubaname.com has gone opensource, codebase now on GitHub
    Online dictionary for Yoruba names, YorubaName, has now made its backlog accessible to the public. In a post on their blog, the guys at YorubaName announced that the website codebase is now on GitHub.
  • A New Version of Rust Hits the Streets
    Version 1.9 of the Rust programming language has been released. Rust is a new language with a small but enthusiastic community of developers.
  • Here's how you can make a career in OpenStack
    OpenStack is one of the biggest open source movements. It is a free and open-source software platform for cloud computing, mostly deployed as an infrastructure-as-a-service (IaaS). The software platform consists of interrelated components that control hardware pools of processing, storage, and networking resources throughout a data centre. According to the official website, hundreds of the world's largest brands rely on OpenStack to run their businesses every day, reducing costs and helping them move faster. OpenStack has a strong ecosystem globally.
  • Compatibility before purity: Microsoft tweaks .NET Core again [Ed: Microsoft lied about .NET going Open Source; just forked it into Open Core version]
    Microsoft's open source fork of the .NET platform, called .NET Core, will be modified for better compatibility with existing applications, says Program Manager Immo Landwerth in a recent post.
  • EMC Ships Open Source Tool for Cloud and IoT Devices
  • Watch Benjamin Hindman Co-Creator of Apache Mesos Speak Live Tomorrow at MesosCon [Ed: Microsoft proxy in a sense]
  • MesosCon Preview: Q&A with Twitter’s Chris Pinkham
  • How to secure your open source code [Ed: more marketing nonsense of Black Duck]
  • Luxembourg launches open data portal
    The Grand Duchy of Luxembourg officially launched its national open data portal data.public.lu on April 8th. This portal, supported by Digital Luxembourg, the government agency in charge of digital affairs in the country, was presented during the Game of Code hackathon.
  • Denmark to accelerate government digitisation
    Open standards: The existing shared solutions are to be adopted by all authorities and public sector institutions where relevant, according to a presentation in English. “Shared solutions need to be stable, secure and user-friendly, they will also be easy to implement because the infrastructure is based on open standards.” The strategy, an agreement involving the government, regions and municipalities, was announced on 12 May. It includes 33 initiatives, which among other things deal with ease of use, reuse of data, IT architecture, growth, security and digital skills, DIGST says.

Licensing and Coding

  • The Oracle v. Google Suit is Still an Anti-Open Move That Shouldn't Have Happened
    All the way back in 2010, when Oracle filed a complaint for patent and copyright infringement against Google regarding parts of the Java code found in Google's Android mobile OS, I wrote a post calling the move "the anti-open move of the year." Fast-forward to today, and in the Oracle v. Google trial that just concluded, a jury returned a verdict in Google's favor. It basically concluded that Oracle's suit against Google, claiming that the use of Java APIs in Android violated copyright law, was bunk. Now, in an op-ed piece for Ars Technica, Annette Hurst, an attorney who represented Oracle, equates the jury's decision with the death of open source. [...] Hurst makes a good point that dual licensing models are increasing, with many open source projects available for free, while commercial versions, often including support, come at a cost. But the Oracle suit originated because Oracle essentially perceived itself as owning a moat around Java that didn't really exist. [...] Indeed, one of the lasting images of this long running legal skirmish is going to be Oracle behaving in a decidedly anti-open fashion. It may have been wiser for Oracle to simply let this one go.
  • Here’s how to check if software license is open source
    The Open Source Initiative (OSI), the steward of the Open Source Definition (OSD), announced today it has created a machine readable publication of OSI approved licenses. According to the Initiative, the API will allow third parties to ‘become license-aware’, giving businesses everywhere means to determine if a license is Open Source or not.
  • 3 Things Infrastructure as Code is Not
    The role of the network engineer is changing. This is not a result of DevOps, although some would claim it is. As DevOps takes center stage in organizations, it can seem like network engineers are being asked to become developers. There have been a number of talks discussing this, some of which have surfaced at Interop Las Vegas. The shift has been Infrastructure as Code (IaC), which was fundamental to the start of the DevOps movement. So maybe you could say this is caused by DevOps.
  • Introducing Blue Ocean: a new user experience for Jenkins
    While this project is in the alpha stage of development, the intent is that Jenkins users can install Blue Ocean side-by-side with the Jenkins Classic UI via a plugin. Not all the features listed on this blog are complete but we will be hard at work over the next few months preparing Blue Ocean for general use. We intend to provide regular updates on this blog as progress is made. Blue Ocean is open source today and we invite you to give us feedback and to contribute to the project.

Security Leftovers

  • Security updates for Tuesday
  • Security challenges for the Qubes build process
    Ultimately, we would like to introduce a multiple-signature scheme, in which several developers (from different countries, social circles, etc.) can sign Qubes-produced binaries and ISOs. Then, an adversary would have to compromise all the build locations in order to get backdoored versions signed. For this to happen, we need to make the build process deterministic (i.e. reproducible). Yet, this task still seems to be years ahead of us. Ideally, we would also somehow combine this with Intel SGX, but this might be trickier than it sounds.
  • Katy Perry’s Twitter Account With 90 Million Followers Hacked
    Notably, with 90 million followers, Katy Perry is the most followed person on the platform.

FOSS Events (LibrePlanet, OSCON)

  • LibrePlanet conference videos and slides online: Edward Snowden, Richard Stallman, Karen Sandler, and more
    Tuesday, May 31, 2016 – The Free Software Foundation (FSF) today announces that recordings and slides from its LibrePlanet 2016 free software conference are now available online. LibrePlanet 2016: Fork the System was held in the Massachusetts Institute of Technology's Stata Center on March 19 and 20, 2016. Video for the opening keynote with NSA whistleblower Edward Snowden and dozens more sessions from the conference – over 25 hours of free software ideas – are available on the FSF's instance of GNU MediaGoblin, a free software media publishing platform that is a decentralized replacement to sites like YouTube and Flickr.
  • Women Dominate 2016’s O’Reilly Open Source Awards
    In an illustration of the value of diversity, four out of five of the recipients presented with O’Reilly Open Source Awards at this year’s OSCON were women.