Language Selection

English French German Italian Portuguese Spanish

Security

Security: Twitter and Facebook

Filed under
Security
  • Twitter banned Kaspersky Lab from advertising in Jan

     

    Twitter has banned advertising from Russian security vendor Kaspersky Lab since January, the head of the firm, Eugene Kaspersky, has disclosed.  

  • When you go to a security conference, and its mobile app leaks your data

     

    A mobile application built by a third party for the RSA security conference in San Francisco this week was found to have a few security issues of its own—including hard-coded security keys and passwords that allowed a researcher to extract the conference's attendee list. The conference organizers acknowledged the vulnerability on Twitter, but they say that only the first and last names of 114 attendees were exposed.

  • The Security Risks of Logging in With Facebook

     

    In a yet-to-be peer-reviewed study published on Freedom To Tinker, a site hosted by Princeton's Center for Information Technology Policy, three researchers document how third-party tracking scripts have the capability to scoop up information from Facebook's login API without users knowing. The tracking scripts documented by Steven Englehardt, Gunes Acar, and Arvind Narayanan represent a small slice of the invisible tracking ecosystem that follows users around the web largely without their knowledge.

  • Facebook Login data hijacked by hidden JavaScript trackers

     

    If you login to websites through Facebook, we've got some bad news: hidden trackers can suck up more of your data than you'd intended to give away, potentially opening it up to abuse.

Security: Updates, IBM, Elytron and Container Vulnerability Scanning

Filed under
Security
  • Security updates for Friday
  • IBM Security launches open-source AI

    IBM Security unveiled an open-source toolkit at RSA 2018 that will allow the cyber community to test their AI-based security defenses against a strong and complex opponent in order to help build resilience and dependability into their systems.

  • Elytron: A New Security Framework in WildFly/JBoss EAP

    Elytron is a new security framework that ships with WildFly version 10 and Red Hat JBoss Enterprise Application Platform (EAP) 7.1. This project is a complete replacement of PicketBox and JAAS. Elytron is a single security framework that will be usable for securing management access to the server and for securing applications deployed in WildFly. You can still use the legacy security framework, which is PicketBox, but it is a deprecated module; hence, there is no guarantee that PicketBox will be included in future releases of WildFly. In this article, we will explore the components of Elytron and how to configure them in Wildfly.

  • PodCTL #32 – Container Vulnerability Scanning

Security Leftovers

Filed under
Security
  • Hackers once stole a casino's high-roller database through a thermometer in the lobby fish tank

    Hackers are increasingly targeting "internet of things" devices to access corporate systems, using things like CCTV cameras or air-conditioning units, according to the CEO of a cybersecurity firm.

    The internet of things refers to devices hooked up to the internet, and it has expanded to include everything from household appliances to widgets in power plants.

    Nicole Eagan, the CEO of Darktrace, told the WSJ CEO Council Conference in London on Thursday: "There's a lot of internet-of-things devices, everything from thermostats, refrigeration systems, HVAC systems, to people who bring in their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface, and most of this isn't covered by traditional defenses."

  • Certificate Transparency and HTTPS

    CT stands for “Certificate Transparency” and, in simple terms, means that all certificates for websites will need to be registered by the issuing Certificate Authority (CA) in at least two public Certificate Logs.

  • Security updates for Thursday
  • IBM introduces open-source library for protecting AI systems
  • How to combine SSH key authentication and two-factor authentication on Linux
  • openSUSE Heroes loves Let’s Encrypt™ – Expect certificate exchange

    openSUSE loves Let's Encrypt™

    Maybe some of you noticed, that our certificate *.opensuse.org on many of services will expire soon (on 2018-04-23).

    As we noticed that – as well – we decided to put a bit of work into this topic and we will use Let’s Encrypt certificates for the encrypted services of the openSUSE community.

    This is just a short notice / announcement for all of you, that we are working on this topic at the moment. We will announce, together with the deployment of the new certificate, the regarding hashes and maybe some further information on our way of implementing things.

Security Leftovers

Filed under
Security

OSS and Security Leftovers

Filed under
OSS
Security
  • Open-source library for improving security of AI systems

    Attacks against neural networks have recently been flagged as one of the biggest dangers in our modern world where AI systems are increasingly getting embedded in many technologies we use and depend on daily.

    Adversaries can sometimes tamper with them even if they don’t know much about them, and “breaking” the system could result in very dangerous consequences.

    [...]

    The library is written in Python, as it is the most commonly used programming language for developing, testing and deploying Deep Neural Networks.

  • IBM launches open-source library for securing AI systems

    On Tuesday at the RSA conference in San Francisco, IBM announced the launch of the Adversarial Robustness Toolbox to support developers and users of AI that may become the victims of attacks against AI systems including Deep Neural Networks (DNNs).

    According to the tech giant, threat actors may be able to exploit weaknesses in AI systems through very subtle means. Simple, small, and often undetectable alterations in content including images, video, and audio recordings can be crafted to confuse AI systems, even without a deep knowledge of the AI or DNN a cyberattack is targeting.

  • IBM releases new toolbox to protect AI from adversarial attacks

    IBM is releasing an open-source software library to combat against adversarial attacks in deep neural networks (DNNs). DNNs are machine learning models that are capable of recognizing patterns.

  • Build a serverless framework at home: Go on, bit of open sourcey hijinx won't hurt

    First unveiled at SpringOne Platform in December, riff is still an early project. It emerged from the Spring Cloud Data Flow, a data integration project to run Java code as microservices created under Pivotal's open source Java-focused Spring framework.

    "Riff is the next step in that evolution," says Jürgen Leschner, a riff organiser who works at Pivotal. Instead of running microservices that persist in containers, serverless models hide the containers from the developers and operations teams entirely. Instead, when a developer calls a software function, the container orchestration system (in riff's case, Kubernetes) spins one up and then kills it off silently.

    [...]

    The benefits of open source serverless

    What do these open source serverless options bring to the party? Unless you're using them to slurp services on the AWS platform and minimise container fees by weeding out idle compute power, why bother?

    Efficiency for developers is one driver, says Leschner. "Developers don’t have to worry about building the connectors and boilerplate stuff into their code. They can package a simpler project and the boilerplate is already in the platform."

  • Failure to secure open source code spurs DevSecOps boom [Ed: Yet another one of those 'journalists' who help marketing from anti-FOSS entity because it's disguised as 'research']

    A survey of over 2,000 IT pros shows that fear of data breaches is increasing investments in DevSecOps tools, particularly automated security tools and oversight of open source software.

  • Security updates for Wednesday

Security: Russia, Librem, and Apple's Faux Security

Filed under
Security
  • U.S. & U.K. Issue Joint Warning About Risks of Russian Cyberattacks
  • Demonstrating Tamper Detection with Heads

    We are excited about the future of Heads on Librem laptops and the extra level of protection it can give customers. As a result we’ve both been writing about it a lot publicly and working on it a lot privately. What I’ve realized when I’ve talked to people about Heads and given demos, is that many people have never seen a tamper-evident boot process before. All of the concepts around tamper-evident boot are pretty abstract and it can be difficult to fully grasp how it protects you if you’ve never seen it work.

    We have created a short demo that walks through a normal Heads boot process and demonstrates tamper detection. In the interest of keeping the demo short I only briefly described what was happening. In this post I will elaborate on what you are seeing in the video.

  • Stop Using Six Digit Numeric iPhone Passcodes Right Now

Security Leftovers

Filed under
Security
  • Security updates for Tuesday
  • McAfee's Upgraded Cloud Security Protects Containers [Ed: Looks like marketing/spam from ECT]
  • Has a Russian intelligence agent hacked your wifi? [iophk: "AV is not relevant; there are two main ways to avoid malware" : *BSD and */Linux"]

    In short, a global, invisible, low-level conflict is taking place across the internet and it is possible that your router has been conscripted as a foot soldier. Maybe it is worth getting your firewall and antivirus checked out after all.

  • 55 Infosec Professionals Sign Letter Opposing Georgia’s Computer Crime Bill

    In a letter to Georgia Gov. Nathan Deal, 55 cybersecurity professionals from around the country are calling for a veto for S.B. 315, a state bill that would give prosecutors new power to target independent security researchers.

    This isn’t just a matter of solidarity among those in the profession. Georgia represents our nation’s third largest information security sector. The signers have clients, partners, and offices in Georgia. They attend conferences in Georgia. They teach and study in Georgia or recruit students from Georgia. And they all agree that S.B. 315, which would create a new crime of "unauthorized access," would do more harm than good.

Security and FUD Leftovers

Filed under
Security

Security: Open Source Security Podcast, Old JavaScript Crypto Flaw and New FUD-based Marketing

Filed under
Security

Security: Cleartext Passwords, Windows Problems, and Meltdown Patches/Performance

Filed under
Security
  • cleartext passwords and transparency

    So let me just jump in with Lars blog post where he talks about cleartext passwords. While he has actually surmised and shared what a security problem they are, the pity is we come to know of this only because the people in question tacitly admitted to bad practises. How many more such bad actors are there, developers putting user credentials in cleartext god only knows. There was even an April Fool’s joke in 2014 which shared why putting passwords in cleartext is bad.

  • 911 operator suspended over teen’s death griped about working overtime.

    Plush called 911 again around 3:35 p.m., this time giving Smith a description of the vehicle, a gold Honda Odyssey in the parking lot at Seven Hills — information that never made it to the officers at the scene.

    “This is not a joke,” the teen told Smith. “I’m almost dead.”

    Smith tried to document the call when it came in but her computer screen had frozen, preventing her from entering information immediately, the review found.

  • Defense contractors face more aggressive ransomware attacks

    The rise of ransomware attacks against defense contractors coincides with a rise in the use of ransomware in general. Attacks can spread even after the original target has been hit, hurting unintended victims.

  • A Look At The Meltdown Performance Impact With DragonFlyBSD 5.2

    Besides looking at the HAMMER2 performance in DragonFlyBSD 5.2, another prominent change with this new BSD operating system release is the Spectre and Meltdown mitigations being shipped. In this article are some tests looking at the performance cost of DragonFlyBSD 5.2 for mitigating the Meltdown Intel CPU vulnerability.

    With DragonFlyBSD 5.2 there is the machdep.meltdown_mitigation sysctl for checking on the Meltdown mitigation presence and toggling it. Back in January we ran some tests of DragonFlyBSD's Meltdown mitigation using the page table isolation approach while now testing was done using the DragonFlyBSD 5.2 stable release.

  • A Last Minute Linux 4.17 Pull To Help Non-PCID Systems With KPTI Meltdown Performance

    While the Linux 4.17 kernel merge window is closing today and is already carrying a lot of interesting changes as covered by our Linux 4.17 feature overview, Thomas Gleixner today sent in a final round of x86 (K)PTI updates for Meltdown mitigation with this upcoming kernel release.

    This latest round of page-table isolation updates should help out systems lacking PCID, Process Context Identifiers. The KPTI code makes use of PCID for reducing the performance overhead of this Meltdown mitigation technique. PCID has been around since the Intel Westmere days, but now the latest kernel patches will help offset the KPTI performance impact for systems lacking PCID.

Syndicate content

More in Tux Machines

today's leftovers

  • CRI: The Second Boom of Container Runtimes
    Harry (Lei) Zhang, together with the CTO of HyperHQ, Xu Wang, will present “CRI: The Second Boom of Container Runtimes” at KubeCon + CloudNativeCon EU 2018, May 2-4 in Copenhagen, Denmark. The presentation will clarify about more about CRI, container runtimes, KataContainers and where they are going. Please join them if you are interested in learning more.
  • Meet Gloo, the ‘Function Gateway’ That Unifies Legacy APIs, Microservices, and Serverless
    Gloo, a single binary file written in Go, can be deployed as a Kubernetes pod, in a Docker container, and now also on Cloud Foundry. The setup also requires a copy of Envoy, though the installation process can be greatly simplified through additional software developed by the company, TheTool. The user then writes configuration objects to capture the workflow logic.
  • Why is the kernel community replacing iptables with BPF?

    The Linux kernel community recently announced bpfilter, which will replace the long-standing in-kernel implementation of iptables with high-performance network filtering powered by Linux BPF, all while guaranteeing a non-disruptive transition for Linux users.

  • The developer of Helium Rain gave an update on their sales, low overall sales but a high Linux percentage
    Helium Rain [Steam, Official Site], the gorgeous space sim from Deimos Games is really quite good so it's a shame they've seen such low overall sales. In total, they've had around 14,000€ (~$17,000) in sales which is not a lot for a game at all. The good news, is that out of the two thousand copies they say they've sold, a huge 14% of them have come from Linux. It's worth noting, that number has actually gone up since we last spoke to them, where they gave us a figure of 11% sales on Linux.
  • Want to try Wild Terra Online? We have another load of keys to give away (update: all gone)
    Wild Terra Online [Steam], the MMO from Juvty Worlds has a small but dedicated following, now is your chance to see if it's for you.
  • Arch Linux Finally Rolling Out Glibc 2.27
    Arch Linux is finally transitioning to glibc 2.27, which may make for a faster system. Glibc 2.27 was released at the start of February. This updated GNU C Library shipped with many performance optimizations particularly for Intel/x86_64 but also some ARM tuning and more. Glibc 2.27 also has memory protection keys support and other feature additions, but the performance potential has been most interesting to us.
  • Installed nvidia driver
  • Stephen Smoogen: Fedora Infrastructure Hackathon (day 1-5)
  • Design and Web team summary – 20 April 2018
    The team manages all web projects across Canonical. From www.ubuntu.com to the Juju GUI we help to bring beauty and consistency to all the web projects.
  • Costales: UbuCon Europe 2018 | 1 Week to go!!
    We'll have an awesome weekend of conferences (with 4 parallel talks), podcasts, stands, social events... Most of them are in English, but there will be in Spanish & Asturian too.
  • Tough, modular embedded PCs start at $875
    Advantech has launched two rugged, Linux-ready embedded DIN-rail computers with Intel Bay Trail SoCs and iDoor expansion: an “UNO-1372G-E” with 3x GbE ports and a smaller UNO-1372G-J with only 2x GbE, but with more serial and USB ports.

OSS Leftovers

  • IRS Website Crash Reminder of HealthCare.gov Debacle as OMB Pushes Open Source
    OMB is increasingly pushing agencies to adopt open source solutions, and in 2016 launched a pilot project requiring at least 20 percent of custom developed code to be released as open source – partly to strengthen and help maintain it by tapping a community of developers. OMB memo M-16-21 further asks agencies to make any code they develop available throughout the federal government in order to encourage its reuse. “Open source solutions give agencies access to a broad community of developers and the latest advancements in technology, which can help alleviate the issues of stagnated or out-dated systems while increasing flexibility as agency missions evolve over time,” says Henry Sowell, chief information security officer at Hortonworks Federal. “Enterprise open source also allows government agencies to reduce the risk of vendor lock-in and the vulnerabilities of un-supported software,” he adds.
  • Migrations: the sole scalable fix to tech debt.

    Migrations are both essential and frustratingly frequent as your codebase ages and your business grows: most tools and processes only support about one order of magnitude of growth before becoming ineffective, so rapid growth makes them a way of life. This isn't because they're bad processes or poor tools, quite the opposite: the fact that something stops working at significantly increased scale is a sign that it was designed appropriately to the previous constraints rather than being over designed.

  • Gui development is broken

    Why is this so hard? I just want low-level access to write a simple graphical interface in a somewhat obscure language.

OpenBSD and NetBSD

Security: Twitter and Facebook

  • Twitter banned Kaspersky Lab from advertising in Jan
     

    Twitter has banned advertising from Russian security vendor Kaspersky Lab since January, the head of the firm, Eugene Kaspersky, has disclosed.  

  • When you go to a security conference, and its mobile app leaks your data
     

    A mobile application built by a third party for the RSA security conference in San Francisco this week was found to have a few security issues of its own—including hard-coded security keys and passwords that allowed a researcher to extract the conference's attendee list. The conference organizers acknowledged the vulnerability on Twitter, but they say that only the first and last names of 114 attendees were exposed.

  • The Security Risks of Logging in With Facebook
     

    In a yet-to-be peer-reviewed study published on Freedom To Tinker, a site hosted by Princeton's Center for Information Technology Policy, three researchers document how third-party tracking scripts have the capability to scoop up information from Facebook's login API without users knowing. The tracking scripts documented by Steven Englehardt, Gunes Acar, and Arvind Narayanan represent a small slice of the invisible tracking ecosystem that follows users around the web largely without their knowledge.

  • Facebook Login data hijacked by hidden JavaScript trackers
     

    If you login to websites through Facebook, we've got some bad news: hidden trackers can suck up more of your data than you'd intended to give away, potentially opening it up to abuse.