Security Leftovers

Data breaches show we’re only three clicks away from anarchy

An IT glitch afflicting BP petrol stations for three hours last Sunday evening might not sound like headline news. A ten-hour meltdown of Visa card payment systems in June was a bigger story — as was the notorious TSB computer upgrade cock-up that started on 20 April, which was still afflicting customers a month later and was reported this week to be causing ruptures between TSB and its Spanish parent Sabadell. Meanwhile, what do Fortnum & Mason, Dixons Carphone, Costa Coffee and its sister company Premier Inn have in common with various parts of the NHS? The answer is that they have all suffered recent large-scale ‘data breaches’ that may have put private individuals’ information at risk. IT Governance, a blog that monitors international news stories in this sphere, came up with a global figure of 145 million ‘records leaked’ last month alone. Such leaks are daily events everywhere — and a lesson of the TSB story was that cyber fraudsters are waiting to attack wherever private data becomes accessible, whether because of computer breakdown or lax data protection.

UK security researcher Hutchins makes renewed bid for freedom

British security researcher Marcus Hutchins, who was arrested by the FBI last August over alleged charges of creating and distributing a banking trojan, has made a fresh bid to go free, claiming that the US has no territorial jurisdiction to file charges against him for alleged crimes committed elsewhere.

Common Ground: For Secure Elections and True National Security

An open letter by Gloria Steinem, Noam Chomsky, John Dean, Governor Bill Richardson, Walter Mosley, Michael Moore, Valerie Plame, and others.

Containers or virtual machines: Which is more secure? The answer will surprise you

Are virtual machines (VM) more secure than containers? You may think you know the answer, but IBM Research has found containers can be as secure, or more secure, than VMs. James Bottomley, an IBM Research Distinguished Engineer and top Linux kernel developer, writes: "One of the biggest problems with the current debate about Container vs Hypervisor security is that no-one has actually developed a way of measuring security, so the debate is all in qualitative terms (hypervisors 'feel' more secure than containers because of the interface breadth) but no-one actually has done a quantitative comparison." To meet this need, Bottomley created Horizontal Attack Profile (HAP), designed to describe system security in a way that it can be objectively measured. Bottomley has discovered that "a Docker container with a well crafted seccomp profile (which blocks unexpected system calls) provides roughly equivalent security to a hypervisor."

Linux 4.18-rc5

For some reason this week actually felt very busy, but the rc5 numbers show otherwise. It's all small and calm, and things are progressing nicely. I think the "it felt busy" was partly due to me stressing out over a nasty VM bug that turned out to have a trivial two-liner fix. But there were also a fair amount of email threads for future stuff, so that probably also made me feel last week was busier than the actual rc5 tree shows. Anyway, of what little happened in rc5 (see appended shortlog for details), it's just a fairly random collection of smallish fixes all over. About a third drivers (nothing in particular stands out - rdma, usb, ata, mmc, sound) with the rest being some tooling (mostly perf), some arch updates, some filesystem stuff (mostly reiserfs), some arch fixlets (mips, arm[64], x86) and some misc core kernel (tracing, VM fixes, timers, yadda yadda).

Also: Linux 4.18-rc5 Kernel Released: Regressions Continue To Be Tackled