Language Selection

English French German Italian Portuguese Spanish

Security: Meltdown & Spectre, Critical CSRF Security Vulnerability, OpenVPN and More

Filed under
Security
  • Meltdown & Spectre
  • Meltdown and Spectre Linux Kernel Status

    By now, everyone knows that something “big” just got announced regarding computer security. Heck, when the Daily Mail does a report on it , you know something is bad…

    Anyway, I’m not going to go into the details about the problems being reported, other than to point you at the wonderfully written Project Zero paper on the issues involved here. They should just give out the 2018 Pwnie award right now, it’s that amazingly good.

    If you do want technical details for how we are resolving those issues in the kernel, see the always awesome lwn.net writeup for the details.

    Also, here’s a good summary of lots of other postings that includes announcements from various vendors.

  • Spectre and Meltdown: What you need to know going forward

    As you've likely heard by now, there are some problems with Intel, AMD, and ARM processors. Called Meltdown and Spectre, the discovered attack possibilities are rather severe, as they impact pretty much every technical device on the network or in your house (PCs, laptops, tablets, phones, etc.).

    Here's a breakdown of all the things you need to know. As things change, or new information becomes available, this article will be updated.

    The key thing to remember is not to panic, as the sky isn't about to come crashing down. The situation is one that centers on information disclosure, not code execution (a far more damning issue to deal with).

  • Open Source Leaders: Take Intel to Task

    I do not know Linus Torvalds or Theo de Raadt. I have never met either of them and have read very little about them. What I do know, gleaned from email archives, is when it comes to bum hardware: they both have pretty strong opinions. Both Linus and Theo can be a bit rough around the edges when it comes to giving their thoughts about hardware design flaws: but at least they have a voice. Also, Linus and Theo have often been at odds whether it be about how to approach OS design, licensing etc but I suspect, or I at least have to believe, the latest incident from intel (the Spectre and Meltdown flaws) is one area they agree on.

    Linus and Theo cannot possibly be the only Open Source leaders out there who are frustrated and tired of being jerked around by intel. What I hope comes out of this is not many different voices saying the same thing here and there but instead, perhaps, our various leaders could get together and take intel to task on this issue. Intel not only created a horrible design flaw they lied by omission about it for several months. During those months the Intel CEO quietly dumped his stock. What a hero.

  • Docker Performance With KPTI Page Table Isolation Patches

    Overall most of our benchmarks this week of the new Linux Kernel Page Table Isolation (KPTI) patches coming as a result of the Meltdown vulnerability have showed minimal impact overall on system performance. The exceptions have obviously been with workloads having high kernel interactions like demanding I/O cases and in terms of real-world impact, databases. But when testing VMs there's been some minor impact more broadly than bare metal testing and also Wine performance has been impacted. The latest having been benchmarked is seeing if the Docker performance has been impacted by the KPTI patches to see if it's any significant impact since overall the patched system overhead certainly isn't anything close to how it was initially hyped by some other media outlets.

  • Can We Replace Intel x86 With an Open Source Chip?
  • Critical CSRF Security Vulnerability in phpMyAdmin Database Tool Patched

    A "cross site request forgery" vulnerability in a popular tool for administrating MySQL and MariaDB databases that could lead to data loss has been patched.

  • 8 reasons to replace your VPN client with OpenVPN

    OpenVPN could be the answer. It's an ultra-configurable open source VPN client which works with just about any VPN provider that supports the OpenVPN protocol. It gives you new ways to automate, optimize, control and troubleshoot your connections, and you can use it alongside your existing client, or maybe replace it entirely – it's your call.

  • I’m harvesting credit card numbers and passwords from your site. Here’s how.

More in Tux Machines

GPL Violations: Grsecurity Carries on Bullying Bruce Perens, Israel Complies with AGPL, Xiaomi Violates GPL

  • Linux's Grsecurity dev team takes blog 'libel' fight to higher court
    Open Source Security, Inc., the maker of the Grsecurity Linux kernel patches, suffered a setback last month when San Francisco magistrate judge Laurel Beeler granted a motion by defendant Bruce Perens to dismiss the company's defamation claim, with the proviso that the tossed legal challenge could be amended. The code biz and its president Brad Spengler sued Perens over a blog post in June in which Perens said that using the firm's Grsecurity software could expose customers to a contributory infringement claim under the terms of the Linux kernel's GPLv2 license. Open Source Security contends that statement has damaged its business.
  • Israel’s Information and Communications Technology Authority Bows to Pressure to Comply with Affero GPL
    Under pressure from open source advocates, the Israeli Information and Communications Technology (ICT) Authority recently shared its first open source software, extensions made by the ICT Authority to the CKAN data portal platform to help make the platform usable in Hebrew. The CKAN software is an open source data portal platform used since 2016 by the ICT Authority to make Israeli government data open and available on its government database website. The CKAN software is licensed under the GNU AGPL Version 3 license, an “ultra-strong” open source license that requires users of modified versions of CKAN software to offer its source code, even in the absence of distribution, to users interacting with software over the Internet.
  • Xiaomi Violating GPL 2.0 License With Mi A1 Kernel Sources
    Xiaomi is in violation of the GPL 2.0 license of the Linux Kernel project by still not releasing the kernel sources for the Mi A1 Android One and has been publicly criticized on the matter by established Android developer Francisco Franco earlier this week. While the smartphone was released in September and the Chinese consumer electronics manufacturer’s official policy is to publicize kernel sources for its devices within three months of their market launch, the Android One edition of the Mi A1 remains undetailed in this regard. Mr. Franco — best known for his work on the Franco Kernel, one of the most popular custom OS cores in the Android ecosystem — had some harsh words for the company on Twitter, calling its laidback approach to publicizing the kernel sources for the Mi A1 “an embarrassment” for the open source community and the type of software it allows it to create its commercial devices in the first place.

Security: Updates, Secure Contexts, EFF, Google, Fedora

today's howtos

Introducing my new friend: a Slimbook

I have been following Slimbook for some time now. As you probably know, they ship a KDE laptop that is very cool, with KDE Neon pre-installed. They have attended to a couple of events I have attended to so I have been able to test their laptops, get feedback from buyers and ask them questions directly. The fact that they are a Spanish company was a beautiful surprise, We do not have that many hardware integrators and vendors in Spain. But what definitely caught my attention was the fact that they pay a lot of attention to the software. They ship the laptops with Linux pre-installed. Ok, that is not new any more. But they do pre-install several different distros. Now, that’s uncommon. But news do not stop there. Read more