Language Selection

English French German Italian Portuguese Spanish

Security: Currencies, Marcus Hutchins, and Hardware Bugs

Filed under
Security
  • Hot New Cryptocurrency Trend: Mining Malware That Could Fry Your Phone
  • PyCryptoMiner Attacks Linux Machines And Turns Them Into Monero-mining Bots
  • Marcus Hutchins' lawyers seek information around arrest

    Lawyers acting for British security researcher Marcus Hutchins have filed a motion seeking additional information on a number of aspects surrounding his arrest in order to prepare for a trial that is expected to take place this year.

  • AMD Did NOT Disable Branch Prediction With A Zen Microcode Update

    With the plethora of software security updates coming out over the past few days in the wake of the Meltdown and Spectre disclosure, released by SUSE was a Family 17h "Zen" CPU microcode update that we have yet to see elsewhere... It claims to disables branch prediction, but I've confirmed with AMD that is not actually the case.

    AMD did post a processor security notice where they noted their hardware was not vulnerable to variant threee / rogue data cache load, for the "branch target injection" variant that there was "near zero risk" for exploiting, and with the bounds check bypass it would be resolved by software/OS updates.

  • Spectre and Meltdown Attacks Against Microprocessors

    "Throw it away and buy a new one" is ridiculous security advice, but it's what US-CERT recommends. It is also unworkable. The problem is that there isn't anything to buy that isn't vulnerable. Pretty much every major processor made in the past 20 years is vulnerable to some flavor of these vulnerabilities. Patching against Meltdown can degrade performance by almost a third. And there's no patch for Spectre; the microprocessors have to be redesigned to prevent the attack, and that will take years. (Here's a running list of who's patched what.)

  • OpenBSD & FreeBSD Are Still Formulating Kernel Plans To Address Meltdown+Spectre

    On Friday DragonFlyBSD's Matthew Dillon already landed his DragonFly kernel fixes for the Meltdown vulnerability affecting Intel CPUs. But what about the other BSDs?

    As outlined in that article yesterday, DragonFlyBSD founder Matthew Dillon quickly worked through better kernel/user separation with their code to address the Intel CPU bug. Similar to Linux, the DragonFlyBSD fix should cause minimal to small CPU performance impact for most workloads while system call heavy / interrupt-heavy workloads (like I/O and databases) could see more significant drops.

  • Retpoline v5 Published For Fending Off Spectre Branch Target Injection

    David Woodhouse of Amazon has sent out the latest quickly-revising patches for introducing the "Retpoline" functionality to the Linux kernel for mitigating the Spectre "variant 2" attack.

    Retpoline v5 is the latest as of Saturday morning as the ongoing effort for avoiding speculative indirect calls within the Linux kernel for preventing a branch target injection style attack. These 200+ lines of kernel code paired with the GCC Retpoline patches are able to address vulnerable indirect branches in the Linux kernel.

    The Retpoline approach is said to only have up to a ~1.5% performance hit when patched... I hope this weekend to get around to trying these kernel and GCC patches on some of my systems for looking at the performance impact in our commonly benchmarked workloads. The Retpoline work is separate from the KPTI page table isolation work for addressing the Intel CPU Meltdown issue.

  • Intel hit with three class-action lawsuits over chip flaws
  • Meltdown, aka "Dear Intel, you suck"

    We have received *no* non-public information. I've seen posts elsewhere by other *BSD people implying that they receive little or no prior warning, so I have no reason to believe this was specific to OpenBSD and/or our philosophy. Personally, I do find it....amusing? that public announcements were moved up after the issue was deduced from development discussions and commits to a different open source OS project. Aren't we all glad that this was under embargo and strongly believe in the future value of embargoes?

  • Hack-proof Quantum Data Encryption

More in Tux Machines

Node.js 10.9 and npm milestone

  • Open Source Node.js Hits v10, with Better Security, Performance, More
    Speaking of which, the brand-new Node.js 10.0 is expected to soon support npm version 6 (currently Node.js ships with npm 5.7.x). The company npm Inc., which maintains the npm software package management application, today announced that major update, called npm@6. The npm company said its JavaScript software installer tool includes new security features for developers working with open source code.
  • Announcing npm@6
    In coordination with today’s announcement of Node.js v10, we’re excited to announce npm@6. This major update to npm includes powerful new security features for every developer who works with open source code. Read on to understand why this matters.

Openwashing: Sony, Scality and Ericsson

Voyage/Open Autonomous Safety (OAS) Now on GitHub

  • Voyage open-sources autonomous driving safety practices
    Dubbed Open Autonomous Safety, the initiative aims to help autonomous driving startups implement better safety-testing practices. Companies looking to access the documents, safety procedures and test code can do so via a GitHub repository.
  • Open-Sourcing Our Approach to Autonomous Safety
    Without a driver to help identify and mitigate failures, autonomous vehicle systems need incredibly robust safety requirements and an equally comprehensive and well-defined process for analyzing risks and assessing capabilities. Voyage models its safety approach after the ISO 26262 standard for automotive safety, taking the best practices from the automotive industry and applying them to autonomous technology. The automotive industry continues to reach for new levels of safety in manufacturing vehicles, and we are inspired by that approach.
  • Startup Voyage Wants to Open Source Self-Driving Car Safety
    Under what the company calls its Open Autonomous Safety initiative, Voyage is publishing information on its safety procedures, materials, and test code in a series of releases. The goal is to create an open-source library of safety procedures that multiple companies can use as a standard, a Voyage blog post said.
  • This startup’s CEO wants to open-source self-driving car safety testing
    The initial release, which Voyage calls Open Autonomous Safety (OAS), will take the form of a GitHub repository containing documents and code. The functional safety requirements are Voyage's interpretation of the ISO 26262 standard for automotive safety, updated for autonomous vehicles. "This is our internal driving test for any particular software build," says Cameron. "It lets us evaluate our designs and look for the different ways they can fail in the real world."

Programming: Qt 5.9.5 and Jakarta EE