Language Selection

English French German Italian Portuguese Spanish

Security: Meltdown, Spectre, Apple, CoffeeMiner, EMC, VMware and More

Filed under
Security
  • NSA Didn't Know of Meltdown, Spectre, Trump Cyber Czar Says

    The National Security Agency didn't know about the Meltdown or Spectre flaws, White House cybersecurity coordinator Rob Joyce said at the International Conference on Cyber Security at Fordham University Law School here today (Jan. 11).

  • spectre and the end of langsec

    Like many I was profoundly saddened by this analysis. I want to believe in constructive correctness, in math and in proofs. And so with the rise of functional programming, I thought that this historical slide from reason towards observation was just that, historical, and that the "safe" languages had a compelling value that would be evident eventually: that "another world is possible".

    In particular I found solace in "langsec", an approach to assessing and ensuring system security in terms of constructively correct programs. One obvious application is parsing of untrusted input, and indeed the langsec.org website appears to emphasize this domain as one in which a programming languages approach can be fruitful. It is, after all, a truth universally acknowledged, that a program with good use of data types, will be free from many common bugs. So far so good, and so far so successful.

    The basis of language security is starting from a programming language with a well-defined, easy-to-understand semantics. From there you can prove (formally or informally) interesting security properties about particular programs. For example, if a program has a secret k, but some untrusted subcomponent C of it should not have access to k, one can prove if k can or cannot leak to C. This approach is taken, for example, by Google's Caja compiler to isolate components from each other, even when they run in the context of the same web page.

    But the Spectre and Meltdown attacks have seriously set back this endeavor. One manifestation of the Spectre vulnerability is that code running in a process can now read the entirety of its address space, bypassing invariants of the language in which it is written, even if it is written in a "safe" language. This is currently being used by JavaScript programs to exfiltrate passwords from a browser's password manager, or bitcoin wallets.

  • Is Apple Even Paying Attention To macOS Security Anymore?

    A new Mac security flaw lets you type literally any username and password in order to unlock the Mac App Store panel in System Preferences. It’s probably not a big deal practically speaking—the panel is unlocked by default—but the fact that this issue exists at all is a worrying reminder that Apple isn’t prioritizing security like they used to.

  • Ubuntu Linux Unbootable After Users Install Meltdown And Spectre Patches
  • Ubuntu Update For Meltdown And Spectre Chip Flaws Leaves Some PCs Unbootable

    Sometimes the cure is worse than the disease. Just ask the affected users of older AMD systems who had their PCs bricked after downloading and installing a Windows update that was supposed to protect them from Meltdown and Spectre. It is not just Windows users who are suffering, either. Some Ubuntu Xenial 16.04 users also report that the latest update for their OS has rendered their system unable to boot.

  • How CoffeeMiner Attack Hacks Public Wi-Fi And Uses Your PC For Mining Cryptocurrency

    After a series of ransomware attacks capturing the headlines past year, crypto mining malware and cryptojacking attacks came into the play. Just last month, a Starbucks customer found that the infected Wi-Fi hotspot was trying to mine Monero digital coins. It was a new kind of threat associated with using public hotspots, which are often labeled unsafe and users are advised to use VPN services for extra privacy.

  • Prosecutors say Mac spyware stole millions of user images over 13 years

    An indictment filed Wednesday in federal court in Ohio may answer some of those questions. It alleges Fruitfly was the creation of an Ohio man who used it for more than 13 years to steal millions of images from infected computers as he took detailed notes of what he observed.

  • EMC, VMware security bugs throw gasoline on cloud security fire

    While everyone was screaming about Meltdown and Spectre, another urgent security fix was already in progress for many corporate data centers and cloud providers who use products from Dell's EMC and VMware units. A trio of critical, newly reported vulnerabilities in EMC and VMware backup and recovery tools—EMC Avamar, EMC NetWorker, EMC Integrated Data Protection Appliance, and vSphere Data Protection—could allow an attacker to gain root access to the systems or to specific files, or inject malicious files into the server's file system. These problems can only be fixed with upgrades. While the EMC vulnerabilities were announced late last year, VMware only became aware of its vulnerability last week.

  • Malware based on open source Kotlin language discovered lurking in Google Play [Ed: This has nothing to do with "open source". They don't say "proprietary" when the framework is.]

    Basically, it's pretty typical of the malware that crops up in dodgy apps that have wormed their way past the digital bouncers on the Play Store.

  • How to increase Linux security by disabling USB support

    This may sound like a crazy way of enhancing security on a server, but if you can get away with it—as in you don't need any USB devices such as keyboards, mice, external drives—disabling USB support can be an added means of ensuring malicious files do not find their way onto your servers. Obviously, this will only work for headless machines, so you better make certain you can SSH into those servers, otherwise, you'll find yourself in trouble trying to input anything via keyboard or mouse.

More in Tux Machines

Red Hat News

  • An Open Source Load Balancer for OpenShift
    A highly-available deployment of OpenShift needs at least two load balancers: One to load balance the control plane (the master API endpoints) and one for the data plane (the application routers). In most on-premise deployments, we use appliance-based load balancers (such as F5 or Netscaler).
  • Red Hat Beefs Up Platform as a Service Suite
    Red Hat has begun shipping Red Hat Fuse 7, the next major release of its distributed, cloud-native integration solution, and introduced a new fully hosted low-code integration platform as a service (iPaaS) offering, Fuse Online. With Fuse 7, the vendor says expanding its integration capabilities natively to Red Hat OpenShift Container Platform, an enterprise Kubernetes platform. Fuse gives customers a unified solution for creating, extending and deploying containerized integration services across hybrid cloud environments.
  • Red Hat ‘Fuses’ Low Code Development and Data Integration
    Red Hat, a provider of open source solutions, has announced Red Hat Fuse 7, the next major release of its distributed, cloud-native integration solution, and introduced a new fully hosted low-code integration platform as a service offering, Fuse Online. With Fuse 7, Red Hat is expanding its integration capabilities natively to Red Hat OpenShift Container Platform, a comprehensive enterprise Kubernetes platform. Fuse gives customers a unified solution for creating, extending and deploying containerized integration services across hybrid cloud environments.
  • The GPL cooperation commitment and Red Hat projects
    As of today, all new Red Hat-initiated open source projects that opt to use GPLv2 or LGPLv2.1 will be expected to supplement the license with the cure commitment language of GPLv3. The cure language will live in a file in the project source tree and will function as an additional permission extended to users from the start. This is the latest development in an ongoing initiative within the open source community to promote predictability and stability in enforcement of GPL-family licenses. The “automatic termination” provision in GPLv2 and LGPLv2.x is often interpreted as terminating the license upon noncompliance without a grace period or other opportunity to correct the error in compliance. When the Free Software Foundation released GPLv2 in 1991, it held nearly all GPL-licensed copyrights, in part a consequence of the copyright assignment policy then in place for GNU project contributions. Long after the Linux kernel and many other non-GNU projects began to adopt the GPL and LGPL, the FSF was still the only copyright holder regularly engaged in license enforcement. Under those conditions, the automatic termination feature of GPLv2 section 4 may have seemed an appropriate means of encouraging license compliance.
  • Monness Believes Red Hat (NYSE: RHT) Still Has Room to Grow
  • Comparing Red Hat (RHT) & Autoweb (AUTO)
  • As Red Hat (RHT) Share Value Rose, Calamos Advisors Upped Its Position by $300,831; Chilton Capital Management Increases Stake in Equinix (EQIX)
  • Blair William & Co. IL Buys 23,279 Shares of Red Hat Inc (RHT)

Total War: WARHAMMER

Red Hat changes its open-source licensing rules

From outside programming circles, software licensing may not seem important. In open-source, though, licensing is all important. So, when leading Linux company Red Hat announces that -- from here on out -- all new Red Hat-initiated open-source projects that use the GNU General Public License(GPLv2) or GNU Lesser General Public License (LGPL)v2.1 licenses will be expected to supplement the license with GPL version 3 (GPLv3)'s cure commitment language, it's a big deal. Read more

Android Leftovers