Language Selection

English French German Italian Portuguese Spanish

Security

Security Bugs at CPU Level Again

Filed under
Security
  • Google and Microsoft disclose new CPU flaw, and the fix can slow machines down

    Microsoft and Google are jointly disclosing a new CPU security vulnerability that’s similar to the Meltdown and Spectre flaws that were revealed earlier this year. Labelled Speculative Store Bypass (variant 4), the latest vulnerability is a similar exploit to Spectre and exploits speculative execution that modern CPUs use. Browsers like Safari, Edge, and Chrome were all patched for Meltdown earlier this year, and Intel says “these mitigations are also applicable to variant 4 and available for consumers to use today.”

    However, unlike Meltdown (and more similar to Spectre) this new vulnerability will also include firmware updates for CPUs that could affect performance. Intel has already delivered microcode updates for Speculative Store Bypass in beta form to OEMs, and the company expects them to be more broadly available in the coming weeks. The firmware updates will set the Speculative Store Bypass protection to off-by-default, ensuring that most people won’t see negative performance impacts.

  • Spectre variants 3a and 4

    Intel has, finally, disclosed two more Spectre variants, called 3a and 4. The first ("rogue system register read") allows system-configuration registers to be read speculatively, while the second ("speculative store bypass") could enable speculative reads to data after a store operation has been speculatively ignored. Some more information on variant 4 can be found in the Project Zero bug tracker. The fix is to install microcode updates, which are not yet available.

  • Red Hat Says It'll Soon Fix the Speculative Store Bypass Security Vulnerability

    Red Hat informed us today that they are aware of the recently disclosed Speculative Store Bypass (CVE-2018-3639) security vulnerability and will soon release updates to mitigate the issue on all of its affected products.

    Speculative Store Bypass (CVE-2018-3639) is a security vulnerability recently unearthed by various security researchers from Google and Microsoft, and it appears to be a fourth variant of the Spectre hardware bug publicly disclosed earlier this year in modern microprocessor, and later discovered to affect billions of devices. The Speculative Store Bypass vulnerability appearently lets an unprivileged attacker to bypass restrictions and gain read access to privileged memory.

Security and Bugs

Filed under
Security
  • Open Source Security Podcast: Episode 97 - Automation: Humans are slow and dumb

    Josh and Kurt talk about the security of automation as well as automating security. The only way automation will really work long term is full automation. Humans can't be trusted enough to rely on them to do things right.

  • An introduction to cryptography and public key infrastructure

    Secure communication is quickly becoming the norm for today's web. In July 2018, Google Chrome plans to start showing "not secure" notifications for all sites transmitted over HTTP (instead of HTTPS). Mozilla has a similar plan. While cryptography is becoming more commonplace, it has not become easier to understand. Let's Encrypt designed and built a wonderful solution to provide and periodically renew free security certificates, but if you don't understand the underlying concepts and pitfalls, you're just another member of a large group of cargo cult programmers.

  • Teensafe, A Teen Phone Monitoring App, Leaks Thousands Of Apple ID Passwords

    Teensafe is a monitoring app used by parents for keeping a check on the activities of their children. The app allows parents to access their child’s location, call history, messages, browsing history, and apps downloaded by them without their permission.

  • Teen phone monitoring app leaked thousands of user passwords

    The mobile app, TeenSafe, bills itself as a "secure" monitoring app for iOS and Android, which lets parents view their child's text messages and location, monitor who they're calling and when, access their web browsing history, and find out which apps they have installed.

  • The weirdest bug I’ve found in a compiler: MSVC 2017

    There’s been discussion on cppitertools about the newest MSVC release (15.7) claiming to be fully standards compliant, which led me here.
    The following code fails to compile under MSVC for one reason: the U on lines 4 and 5 is a different name than the T on lines 10 and 11, so the result of the static_assert condition on line 19 is false. (Note that I’m not using std::declval here for simplicity’s sake).

Security/OpenPGP: Purism and Pure FUD From EFF

Filed under
Security
  • Purism's New Purekey OpenPGP Security Token, Windows 10 Now Includes OpenSSH, Vim 8.1 Released and More

    Purism, maker of the security-focused Librem laptops, announced yesterday it has partnered with Nitrokey to create Purekey, "Purism's own OpenPGP security token designed to integrate with its hardware and software. Purekey embodies Purism's mission to make security and cryptography accessible where its customers hold the keys to their own security." You can purchase a Purekey by itself or as an add-on with a laptop order. According to Purism's CSO Kyle Rankin, "By keeping your encryption keys on a Purekey instead of on a hard drive, your keys never leave the tamper-proof hardware. This not only makes your keys more secure from attackers, it makes using your keys on multiple devices more convenient."

  • Encrypted Email and Security Nihilism

    Earlier this week, a group of German researchers published an alarm about newly discovered problems with encrypted email that is creating major controversy in the internet security community. This research — published in a snappy-titled report called EFail — is a valuable and important work highlighting the challenges with email security.

    Unfortunately, many of the responses to this report have been close to the line of "security nihilism:" Throwing your hands in the air and saying that because certain important security measures aren’t perfect, we should abandon them altogether. This is harsh and potentially damaging to the best efforts we currently have to protect email and risks leading people astray when it comes to securing their communications. In fact, there are important things that people can do to protect their email. This post examines the controversy, what people should do to secure their email, and how we might do better in the future.

    Email is a widespread communications tool and people generally expect it to be private. But from a security standpoint, the baseline assumption is that email is "like a postcard:" Anything you write in an email can be read by your email provider (e.g., Google, if you use Gmail) and also by the email provider of the person you send mail to. If those providers (or any of their system administrators or lawyers) want to read your mail, or are hacked, or bribed, or coerced by law enforcement into sharing access, the content of your email is easily accessible to them.

Security and privacy: Do you know what's lurking on your system?

Filed under
Security

The first was the kernel. I ended up hand-crafting a kernel, removing anything I thought was unlikely we'd need, then restarting several times when I discovered that the system wouldn't boot because the things I thought I understood were more … esoteric than I'd realised. I'm not a kernel developer, and this was a salutary lesson in how skilled those folks are. At least, at the time I was doing it, there were less code and fewer options than there are today. On the other hand, I was having to hack back to a required state, and now there are more cut-down kernels and systems to start with than there were back then.

The other piece I left for last was pruning the installed operating system applications and associated utilities. Again, there are cut-down options that are easier to use now than then, but I also had some odd requirements—I believe that we needed Java, for instance, which has, or had …. well let's say a lot of dependencies. Most modern Linux distributions start off by installing lots of pieces so you can get started quickly without having to worry about trying to work out dependencies for every piece of external software you want to run.

Read more

Security: Updates, EFAIL, DHCP, Ubuntu’s Snap Store

Filed under
Security

Security: Updates, Flaws, and Purism

Filed under
Security
  • Security updates for Thursday
  • Critical Linux Flaw Opens the Door to Full Root Access
  • It has been a bad week for encrypted messaging and it’s only Wednesday

    Also on Monday, a different team of researchers disclosed a vulnerability in the desktop version of the Signal messenger. It allowed attackers to send messages containing malicious HTML and JavaScript that would be executed by the app. Signal developers published a security update on Friday, a few hours after the researchers privately notified them of the vulnerability. On Monday, Signal developers issued a new patch after discovering over the weekend that the first one didn’t fully fix the bug. (The incompleteness of the patch was independently and more-or-less simultaneously found by the researchers.)

  • Purism and Nitrokey Partner to Build Purekey for Purism’s Librem Laptops

    Purism, the social purpose corporation which designs and produces security focused hardware and software, has announced today that they are partnering with Nitrokey, maker of Free Software and Open Hardware USB OpenPGP security tokens and Hardware Security Modules (HSMs) to create Purekey, Purism’s own OpenPGP security token designed to integrate with its hardware and software. Purekey embodies Purism’s mission to make security and cryptography accessible where its customers hold the keys to their own security and follows on the heels of their announcement of a partnership with cryptography pioneer and GnuPG maintainer Werner Koch.

  • Purism Expands Its Linux Hardware Portfolio To Include A USB-Based GPG SmartCard

    If Purism didn't have their hands full enough already working to further free Linux laptops and their very ambitious project to get their own Linux smartphone software/hardware shipping next year, they have now expanded their portfolio with the Purekey.

Security: Updates, Russia, RHEL, Thunderbird and More

Filed under
Security

Security: DHCP, System Updates, and Ubuntu Blobs Store

Filed under
Security
  • Protect your Fedora system against this DHCP flaw

    A critical security vulnerability was discovered and disclosed earlier today in dhcp-client. This DHCP flaw carries a high risk to your system and data, especially if you use untrusted networks such as a WiFi access point you don’t own. Read more here for how to protect your Fedora system.

    Dynamic Host Control Protocol (DHCP) allows your system to get configuration from a network it joins. Your system will make a request for DHCP data, and typically a server such as a router answers. The server provides the necessary data for your system to configure itself. This is how, for instance, your system configures itself properly for networking when it joins a wireless network.

    However, an attacker on the local network may be able to exploit this vulnerability. Using a flaw in a dhcp-client script that runs under NetworkManager, the attacker may be able to run arbitrary commands with root privileges on your system. This DHCP flaw puts your system and your data at high risk. The flaw has been assigned CVE-2018-1111 and has a Bugzilla tracking bug.

  • Security updates for Tuesday
  • Potentially Malicious Bytecoin Miner Removed from the Ubuntu Snap Store
  • Canonical on trust and security in the Snap Store

    Here's a posting from Canonical concerning the cryptocurrency-mining app that was discovered in its Snap Store.

  • Canonical finds hidden crypto-miners in the Linux Snap app store

    Last Friday, Canonical, the developer of the popular Ubuntu operating system and owner of the Snapcraft app store, spotted one application surreptitiously mining cryptocurrencies in the background.

Security: Smears Against FOSS From Microsoft-Connected Black Duck, EFAIL/EFF, and Ubuntu's Blob 'Store'

Filed under
Security

Security: EFF Repeated and Refuted, Canonical Removes More Blobs, More Updates

Filed under
Security
Syndicate content

More in Tux Machines

KDE/Qt: Qt 3D, Kube/Kolab, GSoC, and Atelier (3-D Printing)

  • What a mesh!
    With all the advances being made in Qt 3D, we wanted to create some new examples showing some of what it can do. To get us started, we decided to use an existing learning framework, so we followed the open source Tower Defence course, which you can find at CGCookie. Being a game, it allows an interactive view of everything at work, which is very useful.
  • Last week in Kube
    Perhaps if Windows wasn’t such a PITA there would be more progress
  • GSoC 2018: Week 4 & 5
    The last 2 weeks were mainly dedicatd for reviews and testing and thanks to my mentors, I passed the first evaluation with good work till now. Some significant changes were made on discussion with my mentors during the last 2 weeks in the code and some new features.
  • Giving Atelier some Love
    I work for atelier together with Chris, Lays and Patrick for quite a while, but I was basically being the “guardian angel” of the project being invocked when anything happened or when they did not know how to proceed (are you a guardian angel of a project? we have many that need that) For instance I’v done the skeleton for the plugin system, the buildsystem and some of the modules in the interface, but nothing major as I really lacked the time and also lacked a printer.

Proprietary Software on GNU/Linux

  • Winepak – Install Windows Apps and Games on Linux via Flatpak
    A reason for Linux not being more used as added in the comments section of a recent article is “Adobe and Games“. Well, there is a latest Linux bad guy in town and it is here to comfort us in a cooler way than Wine.
  • Mark Text Markdown Editor Adds Sidebar And Tabs Support
    Mark Text is a somewhat new free and open source Electron Markdown editor for Windows, Mac and Linux, which supports the CommonMark Spec and the GitHub Flavored Markdown Spec. The app features a seamless live preview using Snabbdom as the render engine, multiple edit modes (Typewriter, Source Code and Focus), includes code fence support, light and drak themes, emoji auto-completion, and export to PDF, HTML or styled HTML.
  • Google’s VR180 Creator Makes It Easier to Edit VR Video on Linux
    It’s called “VR180 Creator” (catchy) and the tool aims to make it easier for people to edit video shot on 180-degree and 360-degree devices like the Lenovo Mirage camera (pictured opposite). And boy is just-such a tool needed! VR180 Creator: Easier VR Video Editing Editing VR video is, to be perfectly frank, a pain in the rump end. So by releasing this new, open-source tool for free Google is being rather smart.Anything that makes it easier for consumers and content creators to edit VR on something other than a high-end specialist rig is going to help the format flourish.

Devuan GNU+Linux 2.0.0 "ASCII"

When I am trying out a desktop distribution, what really tends to divide the field of Linux distributions in my mind is not whether the system uses MATE or Plasma, or whether the underlying package manager uses RPM or Deb files. What tends to leave a lasting impression with me is whether the desktop environment, its applications and controls feel like a cooperative, cohesive experience or like a jumble of individual tools that happen to be part of the same operating system. In my opinion Ubuntu running the Unity desktop and Linux Mint's Cinnamon desktop are good examples of the cohesive approach. The way openSUSE's administration tools work together provides another example. Like them or hate them, I think most people can see there is an overall design, a unifying vision, being explored with those distributions. I believe Devuan falls into the other category, presenting the user with a collection of utilities and features where some assembly is still required. This comes across in little ways. For example, many distributions ship Mozilla's Firefox web browser and the Thunderbird e-mail client together as a set, and they generally complement each other. Devuan ships Firefox, but then its counterpart is the mutt console e-mail program which feels entirely out of place with the rest of the desktop software. The PulseAudio sound mixing utility is included, but its system tray companion is not present by default. Even the system installer, which switches back and forth between graphical windows and a text console, feels more like a collection of uncoordinated prompts rather than a unified program or script. Some people may like the mix-and-match approach, but I tend to prefer distributions where it feels like the parts are fitted together to create a unified experience. What I found was that Devuan provided an experience where I had to stop and think about where items were or how I was going to use them rather than having the pieces seamlessly fit together. However, once I got the system set up in a way that was more to my liking, I appreciated the experience provided. Devuan offers a stable, flexible platform. Once I shaped the operating system a little, I found it to be fast, light and capable. Having a fairly large repository of software available along with Flatpak support provided a solid collection of applications on a conservative operating system foundation. It was a combination I liked. In short, I think Devuan has some rough edges and setting it up was an unusually long and complex experience by Linux standards. I certainly wouldn't recommend Devuan to newcomers. However, a day or two into the experience, Devuan's stability and performance made it a worthwhile journey. I think Devuan may be a good alternative to people who like running Debian or other conservative distributions such as Slackware. I suspect I may soon be running Devuan's Raspberry Pi build on my home server where its lightweight nature will be welcome. Read more Also: deepin 15.6 Released With New Features: Get This Beautiful Linux Distro Here

Android Leftovers