
Security: Meltdown, Spectre, Apple, CoffeeMiner, EMC, VMware and More

Filed under: Security
  • NSA Didn't Know of Meltdown, Spectre, Trump Cyber Czar Says

    The National Security Agency didn't know about the Meltdown or Spectre flaws, White House cybersecurity coordinator Rob Joyce said at the International Conference on Cyber Security at Fordham University Law School here today (Jan. 11).

  • spectre and the end of langsec

    Like many I was profoundly saddened by this analysis. I want to believe in constructive correctness, in math and in proofs. And so with the rise of functional programming, I thought that this historical slide from reason towards observation was just that, historical, and that the "safe" languages had a compelling value that would be evident eventually: that "another world is possible".

    In particular I found solace in "langsec", an approach to assessing and ensuring system security in terms of constructively correct programs. One obvious application is parsing of untrusted input, and indeed the langsec.org website appears to emphasize this domain as one in which a programming languages approach can be fruitful. It is, after all, a truth universally acknowledged, that a program with good use of data types, will be free from many common bugs. So far so good, and so far so successful.

    The basis of language security is starting from a programming language with a well-defined, easy-to-understand semantics. From there you can prove (formally or informally) interesting security properties about particular programs. For example, if a program has a secret k, but some untrusted subcomponent C of it should not have access to k, one can prove if k can or cannot leak to C. This approach is taken, for example, by Google's Caja compiler to isolate components from each other, even when they run in the context of the same web page.

    But the Spectre and Meltdown attacks have seriously set back this endeavor. One manifestation of the Spectre vulnerability is that code running in a process can now read the entirety of its address space, bypassing invariants of the language in which it is written, even if it is written in a "safe" language. This is currently being used by JavaScript programs to exfiltrate passwords from a browser's password manager, or bitcoin wallets.

  • Is Apple Even Paying Attention To macOS Security Anymore?

    A new Mac security flaw lets you type literally any username and password in order to unlock the Mac App Store panel in System Preferences. It’s probably not a big deal practically speaking—the panel is unlocked by default—but the fact that this issue exists at all is a worrying reminder that Apple isn’t prioritizing security like they used to.

  • Ubuntu Linux Unbootable After Users Install Meltdown And Spectre Patches
  • Ubuntu Update For Meltdown And Spectre Chip Flaws Leaves Some PCs Unbootable

    Sometimes the cure is worse than the disease. Just ask the affected users of older AMD systems who had their PCs bricked after downloading and installing a Windows update that was supposed to protect them from Meltdown and Spectre. It is not just Windows users who are suffering, either. Some Ubuntu Xenial 16.04 users also report that the latest update for their OS has rendered their system unable to boot.

  • How CoffeeMiner Attack Hacks Public Wi-Fi And Uses Your PC For Mining Cryptocurrency

    After a series of ransomware attacks that captured the headlines over the past year, crypto-mining malware and cryptojacking attacks came into play. Just last month, a Starbucks customer found that the infected Wi-Fi hotspot was trying to mine Monero digital coins. It was a new kind of threat associated with using public hotspots, which are often labeled unsafe, and users are advised to use VPN services for extra privacy.

  • Prosecutors say Mac spyware stole millions of user images over 13 years

    An indictment filed Wednesday in federal court in Ohio may answer some of those questions. It alleges Fruitfly was the creation of an Ohio man who used it for more than 13 years to steal millions of images from infected computers as he took detailed notes of what he observed.

  • EMC, VMware security bugs throw gasoline on cloud security fire

    While everyone was screaming about Meltdown and Spectre, another urgent security fix was already in progress for many corporate data centers and cloud providers who use products from Dell's EMC and VMware units. A trio of critical, newly reported vulnerabilities in EMC and VMware backup and recovery tools—EMC Avamar, EMC NetWorker, EMC Integrated Data Protection Appliance, and vSphere Data Protection—could allow an attacker to gain root access to the systems or to specific files, or inject malicious files into the server's file system. These problems can only be fixed with upgrades. While the EMC vulnerabilities were announced late last year, VMware only became aware of its vulnerability last week.

  • Malware based on open source Kotlin language discovered lurking in Google Play [Ed: This has nothing to do with "open source". They don't say "proprietary" when the framework is.]

    Basically, it's pretty typical of the malware that crops up in dodgy apps that have wormed their way past the digital bouncers on the Play Store.

  • How to increase Linux security by disabling USB support

    This may sound like a crazy way of enhancing security on a server, but if you can get away with it—as in you don't need any USB devices such as keyboards, mice, external drives—disabling USB support can be an added means of ensuring malicious files do not find their way onto your servers. Obviously, this will only work for headless machines, so you better make certain you can SSH into those servers, otherwise, you'll find yourself in trouble trying to input anything via keyboard or mouse.
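The Spectre item above says that code running in a process can read its own address space past the guarantees of a "safe" language. The mechanism behind that claim is a bounds check that the CPU speculates past. As an added illustration (not code from the quoted post, from langsec.org, or from any project), here is the classic bounds-check-bypass gadget in C beside the index-masking mitigation. The helper names mirror the Linux kernel's array_index_nospec()/array_index_mask_nospec() because that is the technique being shown, but the code, the sample arrays and the sizes are constructed for this example, and it performs no cache-timing measurement: it shows the shape of the gadget and that the mask forces any out-of-range index to 0, whether the path is reached architecturally or by mis-speculation.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data for the example. In a real attack the target byte
 * is whatever sits in the process's address space beyond array1; an attacker
 * picks idx so that array1[idx] lands on it. */
#define ARRAY1_SIZE 16UL
static uint8_t array1[ARRAY1_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8,
                                       9, 10, 11, 12, 13, 14, 15, 16};
/* Probe array: one slot (512 bytes here, at least a cache line) per byte value. */
static uint8_t array2[256 * 512];

void init_probe_array(void)
{
    /* Fill each 512-byte slot with its slot number so the gadgets below
     * return the byte that selected the slot; this only makes the example
     * checkable and has no role in the attack itself. */
    for (size_t i = 0; i < sizeof array2; i++)
        array2[i] = (uint8_t)(i / 512);
}

/* Vulnerable Spectre variant 1 gadget. Architecturally the bounds check holds.
 * After the branch predictor has been trained with in-range indices, the CPU
 * may speculate past the check, load array1[idx] from beyond the array and
 * touch array2[that_byte * 512]. The speculative load is rolled back, the
 * cache line it pulled in is not, and timing accesses to array2 reveals it. */
uint8_t victim_unsafe(size_t idx)
{
    if (idx < ARRAY1_SIZE)
        return array2[array1[idx] * 512];
    return 0;
}

/* Branchless mask: ~0UL when index < size, 0 otherwise. The OR has its top
 * bit set exactly when index >= size (size - 1 - index wraps around), and an
 * arithmetic right shift smears the inverted top bit across the whole word.
 * Assumes two's complement and an arithmetic shift of negative longs, which
 * gcc and clang provide on x86-64 and arm64. */
static inline unsigned long array_index_mask_nospec(unsigned long index,
                                                    unsigned long size)
{
    long top = (long)~(index | (size - 1UL - index));
    return (unsigned long)(top >> (sizeof(long) * 8 - 1));
}

/* Clamp an index to 0 when out of range without a branch, so a mispredicted
 * bounds check cannot feed an attacker-chosen index into the dependent load. */
unsigned long array_index_nospec(unsigned long index, unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/* Hardened gadget: same bounds check, but the index the load actually uses is
 * masked to 0 on the out-of-range path, speculative or not. */
uint8_t victim_masked(size_t idx)
{
    if (idx < ARRAY1_SIZE) {
        idx = array_index_nospec(idx, ARRAY1_SIZE);
        return array2[array1[idx] * 512];
    }
    return 0;
}

int main(void)
{
    init_probe_array();
    printf("in range : unsafe=%u masked=%u\n",
           victim_unsafe(3), victim_masked(3));
    printf("mask(3,16)=%lx mask(16,16)=%lx\n",
           array_index_mask_nospec(3, ARRAY1_SIZE),
           array_index_mask_nospec(16, ARRAY1_SIZE));
    printf("clamped(1000,16)=%lu\n", array_index_nospec(1000, ARRAY1_SIZE));
    return 0;
}
```

The masking approach is chosen here because it costs a handful of ALU instructions and needs no serialising instruction; the alternative is a speculation barrier (lfence on x86, or the csdb sequence on arm64) placed between the check and the load. Either way the fix lives at the instruction level, which is the point the langsec post is making: a type system cannot express "this load must not execute before the branch resolves", so the safe-language invariant has to be restored below the language.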

More in Tux Machines

Stable kernels 4.19.9, 4.14.88, 4.9.145, 4.4.167, and 3.18.129

Software: Vivaldi, QEMU and Manpages

  • Vivaldi 2.2 adds tweakable toolbars and Netflix for Linux
    UPSTART WEB BROWSER Vivaldi has released version 2.2, with a number of new features which continue its aim to differentiate itself from other Chromium browsers. The privacy passionate progeny of Opera co-founder Jon Von Tetzchner boasts improved tab management, support for pop-out video windows, configurable toolbars and updates to accessibility. [...] "Customizing a browser as per your needs is not only a thing for pros and geeks. The key is to create something that works for you," says Vivaldi CEO Jon von Tetzchner. "Features are what draw people to Vivaldi and details are what keep them there. That's why we are always striving to fit every use case and giving our users different ways to browse."
  • QEMU 3.1 Released For Advancing The Linux Open-Source Virtualization Stack
    The QEMU emulator that is widely used by the open-source Linux virtualization stack is out with its version 3.1 feature release. This is the QEMU update that is adding multi-threaded Tiny Code Generator support, display improvements, adds the Cortex-A72 model and other ARM improvements, and various other enhancements.
  • What are Linux man pages?
    Have you ever sought help on a technical issue, only to be told RTFM? What is that acronym? In a safe-for-work translation, it means Read The Freaking Manual. That's all fine and good when you're working with something that has a downloadable PDF file containing all the necessary information you need. But what about a Linux command? There are no manuals to be had. Or are there?

OSS Leftovers

  • JFrog Empowers Millions of Open Source Go Developers, Announces Community's First Public Go Repository
    JFrog, the Universal DevOps technology leader known for enabling liquid software via continuous software update flows, is announcing the coming availability of JFrog GoCenter, the first-ever central repository for software modules developed in the popular Go programming language. GoCenter is a free, open source and public service that will be provided for the broad Go community in early 2019, and is being showcased at KubeCon Seattle.
  • Open Sesame
    Although it’s free for users, people invest time in making the technology better or creating it in the first place. [...] When a project is open-source, it means that the software, hardware or data are open for users to use, access, change or distribute for free. An open-source project can also make it easier to bring a team together to develop a project, Davis says.
  • Fuchsia SDK and ‘device’ now included in Android Open Source Project
    Fuchsia, Google’s future OS project, is getting more connected to Android. The search giant has added two Fuchsia items to its Android Open Source Project (AOSP) code. A new commit posted to the AOSP Gerrit — an online code collaboration and management tool — added two Fuchsia ‘repos’ to the primary ‘manifest’ of AOSP. In other words, developers added two Fuchsia files to the instructions that tell Google’s download tool ‘Repo’ what to include when a user downloads AOSP. Further, for those unfamiliar with AOSP, it’s a compilation of Android made available for anyone to use.
  • Fuchsia SDK & Test Device Appear In Android Open Source Project
    Google has taken substantial new steps toward the release of its long-awaited new operating system Fuchsia, based on recently noticed changes to the Android Open Source Project (AOSP) codebase. Although AOSP is most often connected to Android OS and development on that platform, Fuchsia OS has now appeared as both an SDK and test device in the repository. According to comments on the commits, the OS's repositories being included in the Android master manifest equates to an added 760MB. The Gerrit UI also shows changes to approximately 977 files in total with the addition of the Fuchsia software development kit (SDK) and a related test device. Interestingly, the test device SDK seems to be based on or at least tested with the configuration for 'Walleye' -- Google's codename for one of the Pixel 2 handsets.
  • ‘This is not a big boys club’: FINOS seeks to open up open source
    Attend an event about open source development and collaboration in financial technology, and you will see developers and executives from Capital One, Barclays, JPMorgan Chase, BlackRock and perhaps a handful of other financial institutions, along with open-source-focused vendors like Red Hat (now part of IBM).
  • The Autoware Foundation - An Open Alliance for Autonomous Driving Technology
  • What is Open Source & Why Should You Care?
    The term ‘open source’ is used with excitement throughout multiple industries, yet folks are still asking a lot of questions, chief among them: What is open source & why should I care? Well, for industrial and process manufacturing, open source is rapidly becoming a fundamental for the digitalization of these industries. Industrial automation users, system integrators, machine builders, and automation suppliers that understand how to embrace and leverage open source are dramatically improving their odds of being effective competitors in their respective industries.
  • QLC Chain to open source WinQ server router, focuses on multi-sig smart contracts
    QLC Chain has released its bi-weekly report, which highlights development progress of the public blockchain and VPN routers, adjustment of QLC Chain’s development plan, and updates to WinQ 2.0. Recently, an incentive program was announced for VPN operators and active community members to test the platform.

Servers: Apache Cassandra, Kubernetes and Red Hat

  • Instaclustr Releases Three Open Source Projects That Facilitate Cassandra-Kubernetes Integration and LDAP/Kerberos Authentication
  • Instaclustr Announces Three Open Source Projects That Facilitate Cassandra-Kubernetes Integration and LDAP/Kerberos Authentication
    Instaclustr, the leading provider of completely managed solutions for scalable open source technologies, today announced the availability of three open source projects purpose-built to expand developers’ capabilities using Apache Cassandra and address pain points. These projects include an open source Cassandra operator for more seamlessly running and operating Cassandra within Kubernetes, and open source LDAP and Kerberos authenticator plug-ins for Cassandra.
  • Instaclustr expands Apache Cassandra with new open-source software
    Instaclustr Pty Ltd., which sells hosted and managed versions of popular open-source software Apache Cassandra, Spark and Kafka, is giving back to the community with three projects of its own. The company says it’s open-sourcing three “purpose-built” projects aimed at addressing pain points and expanding the capabilities of the Apache Cassandra database. Apache Cassandra is a distributed database that’s used to manage large amounts of structured data while providing continuous availability with no single point of failure.
  • Kubernetes open-source project matures as commercialization accelerates
    This week, the annual KubeCon + CloudNativeCon North America 2018 event taking place in Seattle will give the cloud computing industry a chance to take stock of how far Kubernetes has come. On the flip side, the show also will work through the issues that may be preventing this open-source container orchestration platform from achieving its full potential. Kubernetes has been a banner story in high tech throughout 2018, and the technology looks like it will continue its momentum toward ubiquitous adoption in coming years. The Kubernetes ecosystem has become amazingly vibrant, though that’s a double-edged sword.
  • Kubernetes caretaker auditions for Hoarders; takes in another open source project
    At the Cloud Native Computing Foundation's (CNCF) KubeCon + CloudNativeCon North America 2018 meetup on Tuesday, the CNCF revealed it will adopt, shelter and nourish an itinerant jumble of letters known on the street as "etcd." Pronounced "et-cee-dee" among those who dare speak its name, etcd is a distributed key-value store. It hails from the Linux /etc/ directory, which lives in the root folder and stores configuration files and related subdirectories.
  • Kubernetes and serverless are getting chummy in open source
    But the Cloud Native Computing Foundation — home to Kubernetes, the popular open-source container orchestration platform — wants everyone to know it’s not partial to either containers or serverless, and there’s room for both, and others, in next-generation enterprise technology. “We love serverless in CNCF,” said Chris Aniszczyk (pictured), chief technology officer and chief operating officer of CNCF. “We just view it as another kind of programmatic model that eventually runs on some type of containerized stack.”
  • Atomist Announces Delivery to Kubernetes With Its Open Source SDM, adds GitLab Support
    Atomist, the software delivery automation company, today announced the ability for developers to now deliver to Kubernetes using the open source Software Delivery Machine (SDM) in local mode. SDM local is completely open source and now supports delivery to Kubernetes, whether a single-node cluster on a laptop using minikube or a fully-managed Kubernetes service.
  • Why Kubernetes Is Successful and Boring
    Google has had a common message throughout 2018 about Kubernetes, and the message is simple: Kubernetes is boring. At the KubeCon + CloudNativeCon NA 2018 event here, Google engineer and conference co-chair Janet Kuo echoed comments made by her peer Aparna Sinha, group product manager at Google, at the Kubecon and CloudNativecon Europe 2018 keynotes in May, which is simply that Kubernetes is boring, and boring is good. Kuo said in the early days of Kubernetes the focus was on building fast and adding new features. By 2015, a focus was added to make it easier for users and administrators to build, deploy and use Kubernetes. At this point in the maturity cycle of Kubernetes, Kuo commented that adoption has moved from the early stage of adopters to more mainstream deployments. "Kubernetes is now getting so solid and so mature and so great, that it is very, very boring," Kuo said during her keynote. "Boring is good; it means that lots of companies are already using it, and it just works." Kuo added that being boring means organizations can just focus on delivering business value, rather than spending time on making Kubernetes usable.
  • Kubernetes Federation Evolution
    Deploying applications to a kubernetes cluster is well defined and can in some cases be as simple as kubectl create -f app.yaml. The user's story to deploy apps across multiple clusters has not been that simple. How should an app workload be distributed? Should the app resources be replicated into all clusters, or replicated into selected clusters or partitioned into clusters? How is the access to clusters managed? What happens if some of the resources which the user wants to distribute pre-exist in all or some clusters in some form? In SIG multicluster, our journey has revealed that there are multiple possible models to solve these problems and there probably is no single best-fit-all-scenarios solution. Federation however is the single biggest kubernetes open source sub project which has seen maximum interest and contribution from the community in this problem space. The project initially reused the k8s API to do away with any added usage complexity for an existing k8s user. This became non-viable because of problems best discussed in this community update.
  • [Red Hat] Men: Step out of your bubble to champion gender diversity
    According to Catalyst Canada, men represent more than 95 per cent of the CEO positions in Canada’s 100 largest publicly traded companies. With such a big divide, those who are leaders must help define the role those with power and privilege play. Many men want to get more involved, but we must go about it the right way. We want to respect the successful work that has already been done, find the right fit for our skills and learn from our female leaders who have the deep knowledge of this issue. As Tanya van Biesen, executive director of Catalyst Canada, has said: “The path to gender equity is a journey. There is no silver bullet – only commitment and action.” As leaders, our self-worth is often measured by meeting hard targets and achieving financial goals. Stepping forward to become an advocate for gender diversity is uncharted territory for many of us. Yet, it is a business imperative with a body of evidence demonstrating a positive effect on the bottom line.
  • IBM's $34 billion Red Hat acquisition came after deal talks with Microsoft, Google, and Amazon, sources say
    When IBM announced its $34 billion acquisition of Red Hat on October 28, the tech world was struck by the huge price tag, as well as its potential to revive IBM's struggling cloud business. But as it turns out, things could have gone a lot differently. Microsoft, Google, and Amazon all engaged in deal discussions with Red Hat and looked closely into an acquisition in the months and weeks before Red Hat struck a deal with IBM, according to sources familiar with the deal. As an open-source software company, Red Hat is strategic because of its popularity with developers. It's also the largest commercial maker of the Linux operating system. IBM wanted the technology to enhance its hybrid-cloud project and to give its portfolio an edge. Red Hat indicated in a public filing on November 30 that three unnamed companies considered making bids in addition to IBM. CNBC reported in October that Google had looked into buying Red Hat. But Microsoft and Amazon's deal talks with Red Hat have not been previously reported.
  • IBM goes hard in open source so enterprises can take it easy
    IBM’s investment in open source goes back years. Big Blue went all-in on Kubernetes, the popular open-source container orchestration platform about two years ago, according to Chris Rosen (pictured), program director, offering management, IBM Container Service and IBM Container Registry. The company contributes to the open-source Cloud Native Computing Foundation upstream and then simplifies the technology for end users.
  • Arista EOS containers integrated with Red Hat, Tigera products
    Arista has integrated the containerized version of its network operating system with Red Hat and Tigera software to support containers running on public, private and hybrid clouds. Arista released this week a technology preview of the integration of containerized Arista EOS with Tigera Calico, the open source control plane the company developed to distribute security policy rules across containers and virtual machines running on cloud environments. Arista plans to make the integration generally available in 2019 within the Tigera Secure Enterprise Edition product.
  • Contrail, Red Hat treat multicloud-network headache with Kubernetes
    A number of computing customers lately are asking for a smarter network. This might mean programmability, transparency, multiple lanes for prioritized web traffic, etc. The question is, will software developers and administrators need to get smarter in order to use such networks? Don’t they have their hands full already refactoring applications and managing distributed cloud environments? Developers these days simply want to consume the network in the same way they consume compute and storage. They don’t want the job of configuring it — at least not if that entails plunging deep below the application layer. “The app is the thing that’s going to consume these things, and the app developer doesn’t necessarily want to worry about IP address and port numbers and firewall rules and things like that,” said Scott Sneddon (pictured, left), senior director and chief evangelist of cloud at Juniper Networks Inc.