Language Selection

English French German Italian Portuguese Spanish

Security: Spectre and Meltdown, Industrial System Sabotage, VDP, Windows in Healthcare

Filed under
Security
  • Some thoughts on Spectre and Meltdown

     

    Contrast that with what happened this time around. Google discovered a problem and reported it to Intel, AMD, and ARM on June 1st. Did they then go around contacting all of the operating systems which would need to work on fixes for this? Not even close. FreeBSD was notified the week before Christmas, over six months after the vulnerabilities were discovered. Now, FreeBSD can occasionally respond very quickly to security vulnerabilities, even when they arise at inconvenient times — on November 30th 2009 a vulnerability was reported at 22:12 UTC, and on December 1st I provided a patch at 01:20 UTC, barely over 3 hours later — but that was an extremely simple bug which needed only a few lines of code to fix; the Spectre and Meltdown issues are orders of magnitude more complex.  

  • Menacing Malware Shows the Dangers of Industrial System Sabotage

     

    At the S4 security conference on Thursday, researchers from the industrial control company Schneider Electric, whose equipment Triton targeted, presented deep analysis of the malware—only the third recorded cyberattack against industrial equipment. Hackers [sic] were initially able to introduce malware into the plant because of flaws in its security procedures that allowed access to some of its stations, as well as its safety control network.

  • 25 per cent of hackers don't report bugs due to lack of disclosure policies

     

    One of the standout discoveries was that almost 25 per cent of respondents said they were unable to disclose a security flaw because the bug-ridden company in question lacked a vulnerability disclosure policy (VDP).

  • 'Professional' hack [sic] on Norwegian health authority compromises data of three million patients [iophk: "Windows TCO"]

More in Tux Machines

Finally: Historic Eudora email code goes open source

The source code to the Eudora email client is being released by the Computer History Museum, after five years of discussion with the IP owner, Qualcomm. The Mac software was well loved by early internet adopters and power users, with versions appearing for Palm, Newton and Windows. At one time, the brand was so synonymous with email that Lycos used Eudora to brand its own webmail service. As the Mountain View, California museum has noted, "It’s hard to overstate Eudora’s popularity in the mid-1990s." Read more Also: The Computer History Museum Just Made Eudora Open Source

Android Leftovers

Security Leftovers, Mostly 'Spectre' and 'Meltdown' Related

  • More Meltdown/Spectre Variants
  • Spectre V2 & Meltdown Linux Fixes Might Get Disabled For Atom N270 & Other In-Order CPUs
    There's a suggestion/proposal to disable the Spectre Variant Two and Meltdown mitigation by default with the Linux kernel for in-order CPUs. If you have an old netbook still in use or the other once popular devices powered by the Intel Atom N270 or other in-order processors, there may be some reprieve when upgrading kernels in the future to get the Spectre/Meltdown mitigation disabled by default since these CPUs aren't vulnerable to attack but having the mitigation in place can be costly performance-wise.
  • Linux 4.17 Lands Initial Spectre V4 "Speculative Store Bypass" For POWER CPUs
    Following yesterday's public disclosure of Spectre Variant Four, a.k.a. Speculative Store Bypass, the Intel/AMD mitigation work immediately landed while overnight the POWER CPU patch landed.
  • New Variant Of Spectre And Meltdown CPU Flaw Found; Fix Affects Performance
  • Ubuntu 18.04 LTS Gets First Kernel Update with Patch for Spectre Variant 4 Flaw
    Canonical released the first kernel security update for its Ubuntu 18.04 LTS (Bionic Beaver) operating system to fix a security issue that affects this release of Ubuntu and its derivatives. As you can imagine, the kernel security update patches the Ubuntu 18.04 LTS (Bionic Beaver) operating system against the recently disclosed Speculative Store Buffer Bypass (SSBB) side-channel vulnerability, also known as Spectre Variant 4 or CVE-2018-3639, which could let a local attacker expose sensitive information in vulnerable systems.
  • RHEL and CentOS Linux 7 Receive Mitigations for Spectre Variant 4 Vulnerability
    As promised earlier this week, Red Hat released software mitigations for all of its affected products against the recently disclosed Spectre Variant 4 security vulnerability that also affects its derivatives, including CentOS Linux. On May 21, 2018, security researchers from Google Project Zero and Microsoft Security Response Center have publicly disclosed two new variants of the industry-wide issue known as Spectre, variants 3a and 4. The latter, Spectre Variant 4, is identified as CVE-2018-3639 and appears to have an important security impact on any Linux-based operating system, including all of its Red Hat's products and its derivatives, such as CentOS Linux.

LXQt 0.13 Desktop Environment Officially Released, It's Coming to Lubuntu 18.10

For starters, all of LXQt's components are now ready to be built against the recently released Qt 5.11 application framework, and out-of-source-builds are now mandatory. LXQt 0.13.0 also disabled the menu-cached functionality, making it optional from now on in both the panel and runner, thus preventing memory leaks and avoiding any issues that may occur when shutting down or restarting LXQt. Read more