Google and Mozilla
Google has launched a new project for continuously testing open source software for security vulnerabilities.
The company's new OSS-Fuzz service is available in beta starting this week, but at least initially it will only be available for open source projects that have a very large user base or are critical to global IT infrastructure.
Mozilla announced a major change in November 2014 in regards to the company's main revenue stream.
The organization had a contract with Google in 2014 and before that had Google pay Mozilla money for being the default search engine in the Firefox web browser.
This deal was Mozilla's main source of revenue, about 329 million US Dollars in 2014. The change saw Mozilla broker deals with search providers instead for certain regions of the world.
I received a container bugzilla today for someone who was attempting to assign a container process to the object_r role. Hopefully this blog will help explain how roles work with SELinux.
When we describe SELinux we often concentrate on Type Enforcement, which is the most important and most used feature of SELinux. This is what describe in the SELinux Coloring book as Dogs and Cats. We also describe MLS/MCS Separation in the coloring book.
The Internet Society (ISOC) is the latest organisation saying, in essence, “security is rubbish – fix it”.
Years of big data breaches are having their impact, it seems: in its report released last week, it quotes a 54-country, 24,000-respondent survey reporting a long-term end user trend to become more fearful in using the Internet (by Ipsos on behalf of the Centre for International Governance Innovation).
Report author, economist and ISOC fellow Michael Kende, reckons companies aren't doing enough to control breaches.
“According to the Online Trust Alliance, 93 per cent of breaches are preventable” he said, but “steps to mitigate the cost of breaches that do occur are not taken – attackers cannot steal data that is not stored, and cannot use data that is encrypted.”
Among the many unpleasant things in the Investigatory Powers Act that was officially signed into law this week, one that has not gained as much attention is the apparent ability for the UK government to undermine encryption and demand surveillance backdoors.
As the bill was passing through Parliament, several organizations noted their alarm at section 217 which obliged ISPs, telcos and other communications providers to let the government know in advance of any new products and services being deployed and allow the government to demand "technical" changes to software and systems.
Today the European Parliament approved the EU Budget for 2017. The budget sets aside 1.9 million euros in order to improve the EU's IT infrastructure by extending the free software audit programme (FOSSA) that MEPs Max Anderson and Julia Reda initiated two years ago, and by including a bug bounty approach in the programme that was proposed by MEP Marietje Schaake.
Since the initial launch of Qubes OS back in April 2010, work on Qubes has been funded in several different ways. Originally a pet project, it was first supported by Invisible Things Lab (ITL) out of the money we earned on various R&D and consulting contracts. Later, we decided that we should try to commercialize it. Our idea, back then, was to commercialize Windows AppVM support. Unlike the rest of Qubes OS, which is licensed under GPLv2, we thought we would offer Windows AppVM support under a proprietary license. Even though we made a lot of progress on both the business and technical sides of this endeavor, it ultimately failed.
Luckily, we got a helping hand from the Open Technology Fund (OTF), which has supported the project for the past two years. While not a large sum of money in itself, it did help us a lot, especially with all the work necessary to improve Qubes’ user interface, documentation, and outreach to new communities. Indeed, the (estimated) Qubes user base has grown significantly over that period. Thank you, OTF!
Every new Linux system administrator needs to learn a few core concepts before delving into the operating system and its applications. This short guide gives a summary of some of the essential security measures that every root user must know. All advice given follows the best security practices that are mandated by the community and the industry.
The law of leaky abstractions states that “all non-trivial abstractions, to some degree, are leaky”. In this blog post we’ll explore the ashmem shared memory interface provided by Android and see how false assumptions about its internal operation can result in security vulnerabilities affecting core system code.
The government can help us by making software companies distribute the source code. They can say it's "in the interest of national security". And they can sort out the patent system (there are various problems with how the patent system handles software which are out of the scope of this article). So when you chat to your MP please mention this.
Among its many activities, the Software Freedom Conservancy (SFC) is one of the few organizations that does any work on enforcing the GPL when other compliance efforts have failed. A suggestion by SFC executive director Karen Sandler to have a Q&A session about compliance and enforcement at this year's Kernel Summit led to a prolonged discussion, but not to such a session being added to the agenda. However, the co-located Linux Plumbers Conference set up a "birds of a feather" (BoF) session so that interested developers could hear more about the SFC's efforts, get their questions answered, and provide feedback. Sandler and SFC director of strategic initiatives Brett Smith hosted the discussion, which was quite well-attended—roughly 70 people were there at a 6pm BoF on November 3.
At the FSF, we run our own infrastructure using only free software, which makes us stand out from nearly every other nonprofit organization. Virtually all others rely on outside providers and use a significant amount of nonfree software. With your support, we set an example proving that a nonprofit can follow best practices while running only free software.