Language Selection

English French German Italian Portuguese Spanish

Security: Updates, Flaws, and Purism

Filed under
Security
  • Security updates for Thursday
  • Critical Linux Flaw Opens the Door to Full Root Access
  • It has been a bad week for encrypted messaging and it’s only Wednesday

    Also on Monday, a different team of researchers disclosed a vulnerability in the desktop version of the Signal messenger. It allowed attackers to send messages containing malicious HTML and JavaScript that would be executed by the app. Signal developers published a security update on Friday, a few hours after the researchers privately notified them of the vulnerability. On Monday, Signal developers issued a new patch after discovering over the weekend that the first one didn’t fully fix the bug. (The incompleteness of the patch was independently and more-or-less simultaneously found by the researchers.)

  • Purism and Nitrokey Partner to Build Purekey for Purism’s Librem Laptops

    Purism, the social purpose corporation which designs and produces security focused hardware and software, has announced today that they are partnering with Nitrokey, maker of Free Software and Open Hardware USB OpenPGP security tokens and Hardware Security Modules (HSMs) to create Purekey, Purism’s own OpenPGP security token designed to integrate with its hardware and software. Purekey embodies Purism’s mission to make security and cryptography accessible where its customers hold the keys to their own security and follows on the heels of their announcement of a partnership with cryptography pioneer and GnuPG maintainer Werner Koch.

  • Purism Expands Its Linux Hardware Portfolio To Include A USB-Based GPG SmartCard

    If Purism didn't have their hands full enough already working to further free Linux laptops and their very ambitious project to get their own Linux smartphone software/hardware shipping next year, they have now expanded their portfolio with the Purekey.

More on Purism

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

Security: Lustre, Aqua Security, Election Security and Reproducible Builds

  • Fix for July's Spectre-like bug is breaking some supers
    High-performance computing geeks are sweating on a Red Hat fix, after a previous patch broke the Lustre file system. In July, Intel disclosed patches for another Spectre-like data leak bug, CVE-2018-3693. Red Hat included its own fixes in an August 14 suite of security patches, and soon after, HPC sysadmins found themselves in trouble. The original report, from Stanford Research Computing Center, details a failure in LustreNet – a Lustre implementation over InfiniBand that uses RDMA for high-speed file and metadata transfer.
  • Aqua Security Launches Open-Source Kube-Hunter Container Security Tool
    Aqua Security has made its new Kube-hunter open-source tool generally available, enabling organizations to conduct penetration tests against Kubernetes container orchestration deployments. Aqua released Kube-hunter on Aug.17, and project code is freely available on GitHub. Rather than looking for vulnerabilities inside of container images, Kube-hunter looks for exploitable vulnerabilities in the configuration and deployment of Kubernetes clusters. The project code is open-source and can be run against an organization's own clusters, with additional online reporting capabilities provided by Aqua Security.
  • Election Security Bill Without Paper Records and Risk Limiting Audits? No Way.
    The Senate is working on a bill to secure election infrastructure against cybersecurity threats, but, unless amended, it will widely miss the mark. The current text of the Secure Elections Act omits the two most effective measures that could secure our elections: paper records and automatic risk limiting audits. Cybersecurity threats by their very nature can be stealthy and ambiguous. A skillful attack can tamper with voting machines and then delete itself, making it impossible to prove after the fact that an election suffered interference. Paper records ensure that it is possible to detect and quickly correct for such interference. Automatic audits ensure that such detection actually happens.
  • Reproducible Builds: Weekly report #173

Android Leftovers

Debian GNU/Linux 9 "Stretch" Receives L1 Terminal Fault Mitigations, Update Now

According to the security advisory published on Monday, the new kernel security update addresses both CVE-2018-3620 and CVE-2018-3646 vulnerabilities, which are known as L1 Terminal Fault (L1TF) or Foreshadow. These vulnerabilities had an impact on normal systems, as well as virtualized operating systems, allowing a local attacker to expose sensitive information from the host OS or other guests. "Multiple researchers have discovered a vulnerability in the way the Intel processor designs have implemented speculative execution of instructions in combination with handling of page-faults. This flaw could allow an attacker controlling an unprivileged process to read memory from arbitrary (non-user controlled) addresses," reads today's security advisory. Read more