
Security Leftovers

Filed under
Security
  • Does Publicly Shaming Companies Improve Security?

    You might think security teams inside big companies hate it when researchers and the press point out vulnerabilities, but that’s not always the case.

    Security teams are just one voice among many, and often they have trouble convincing bosses that security and privacy should be a priority. An embarrassing story in the press can change that quickly.

  • Security updates for Tuesday
  • Mozilla Security Blog: Protecting Mozilla’s GitHub Repositories from Malicious Modification

    At Mozilla, we’ve been working to ensure our repositories hosted on GitHub are protected from malicious modification. As the recent Gentoo incident demonstrated, such attacks are possible.

    Mozilla’s original usage of GitHub was an alternative way to provide access to our source code. Similar to Gentoo, the “source of truth” repositories were maintained on our own infrastructure. While we still do utilize our own infrastructure for much of the Firefox browser code, Mozilla has many projects which exist only on GitHub. While some of those projects are just experiments, others are used in production (e.g. Firefox Accounts). We need to protect such “sensitive repositories” against malicious modification, while also keeping the barrier to contribution as low as practical.

    This describes the mitigations we have put in place to prevent shipping (or deploying) from a compromised repository. We are sharing both our findings and some tooling to support auditing. These add the protections with minimal disruption to common GitHub workflows.

    The risk we are addressing here is the compromise of a GitHub user’s account, via mechanisms unique to GitHub. As the Gentoo and other incidents show, when a user account is compromised, any resource the user has permissions to can be affected.

FOSS, standard essential patents and FRAND in the European Union

As part of the research project on “The Interaction between Open Source Software and FRAND licensing in Standardisation”, a workshop was organised by the European Commission, Joint Research Centre (JRC) in collaboration with Directorate General Communications Networks, Content and Technology (CONNECT) to present and discuss the intermediate results to date. The workshop took place in Brussels on September 18, 2018. I presented a set of observations from the research on the case studies performed as part of the project that are outlined below. Other speakers were Catharina Maracke on the issue of legal compliance between Open Source and FRAND licenses, Bruce Perens on “Community Dynamics in Open Source”, and Andy Updegrove on “Dynamics in Standardisation”. You may ask what the relevance of this debate is for the wider Free and Open Source Software community. The obvious answer is that to distribute software “without restriction”, the user needs all the usage rights associated with the program. While most FOSS contributors assume that this is naturally the central motivation for anybody to contribute in the first place, there is a long history of attempts to maintain some sort of exclusive control over a piece of FOSS code, possibly using other rights than copyright.
