Security Leftovers

Security
  • Why Cops Can Force You to Unlock Your Phone With Your Face

    The question of whether cops can force someone to unlock their phone in the US for a search hinges on Fifth Amendment protections against self-incrimination—that no one "shall be compelled in any criminal case to be a witness against" themselves. Privacy advocates argue that this extends to the act of unlocking a phone or generally decrypting data on a device. But while that line of thinking has succeeded as a defense against having to produce a passcode, it works less reliably in the context of Touch ID or other biometrics. Something you know, like a passcode, is easier to view as testimonial—legally speaking, a statement made by a witness—than something you have, like a physical attribute.

  • Equifax penalised $3.5 million for consumer law breaches

    Australia’s largest consumer credit reporting agency Equifax Information Services and Solutions is to pay penalties totalling $3.5 million for misleading and deceptive conduct and unconscionable conduct in relation to credit report services.

  • Canonical Outs New Linux Kernel Security Patch for All Supported Ubuntu Releases

    Canonical releases today a new major Linux kernel security update for all supported Ubuntu releases to fix various vulnerabilities discovered by security researchers lately.

    Available now for the Ubuntu 18.04 LTS (Bionic Beaver), Ubuntu 16.04 LTS (Xenial Xerus), and Ubuntu 14.04 LTS (Trusty Tahr) operating system series, the new Linux kernel security patches address a total of eleven vulnerabilities that affect the Linux 4.15, 4.4, and 3.13 kernels of the aforementioned Ubuntu releases and their derivatives.

    Among the fixes, we can notice a use-after-free vulnerability (CVE-2018-17182) discovered by Jann Horn in Linux kernel's vmacache subsystem, which could allow a local attacker to crash the system, as well as a stack-based buffer overflow (CVE-2018-14633) in the iSCSI target implementation, which lets a remote attacker crash the system.

  • India bars Huawei, ZTE from 5G trials

    India's Department of Telecommunications has barred Chinese telecommunications providers Huawei Technologies and ZTE Corporation from participating in trials for developing 5G use cases in the country, the Economic Times has reported.

  • India dials Cisco, Samsung, Nokia, Ericsson, says no to Chinese Huawei, ZTE

    The Department of Telecommunications (DoT) has excluded Huawei and ZTE from its list of companies asked to partner it for trials to develop 5G use cases for India, indicating that New Delhi may well follow the US and Australia in limiting involvement of Chinese telecom equipment makers in the roll-out of the next-gen technology.

  • Symantec SSL certificates no longer trusted

    A browser will check the validity of an SSL certificate in order to confirm the validity of the web site being loaded. This is done by validating a chain of trust. Certificate Authorities (CAs) will guarantee the certificates they issue, along with the bona fides of any secondary issuing authority that is operating under their umbrella. Of course this will require a very rigorous process to validate any entity that wishes to obtain a certificate.

    In 2016 users became aware that Symantec (and their supported issuers) was issuing certificates in contravention of the established guidelines and posted their finding to a Mozilla security mailing list. After considerable discussion amongst the other CAs a decision was made to distrust Symantec and to remove it as a CA.

Canonical/Ubuntu: Roundup of Ubuntu Server Progress and Appeal to Hype (AI/ML)

  • Ubuntu Server development summary – 2 Oct 2018
    The purpose of this communication is to provide a status update and highlights for any interesting subjects from the Ubuntu Server Team. If you would like to reach the server team, you can find us at the #ubuntu-server channel on Freenode. Alternatively, you can sign up and use the Ubuntu Server
  • How to build and deploy your first AI/ML model on Ubuntu
    Artificial intelligence and machine learning (AI/ML) have stolen the hearts and minds of the public, the press and businesses. The technological advances in the field have helped to transport AI from the world of fiction, into something more tangible, and within touching distance. However, despite the hype, AI in the ‘real world’ isn’t quite yet a reality. AI is yet to take over, or see mass adoption, and there are still lengthy debates to be had as to what exactly can be considered AI and what is not. Still, AI promises much, and there seems to be no stopping its forward march. For better or for worse, AI is here to stay.

Google Pixel Slate, Android 'Smart' Watch and Google's Censorship/Ban of SuperSU (Root Access)

Devices/Embedded Linux From Enea/Xilinx and Advantech

  • Enea Unveils Integrated Linux Solution for Xilinx UltraScale+ at Xilinx Developer Forum
    Enea (NASDAQ OMX Nordic: ENEA) has announced an extended version of its Accelerated Linux, fully integrating all processing units on the Xilinx UltraScale+ range of devices, at the Xilinx Developer Forum (XDF) 2018. XDF connects software developers and system designers to the deep expertise of Xilinx engineers, partners, and industry leaders.
  • Gaming SBC runs on Ryzen Embedded V1000 SoC
    Advantech-Innocore announced a Linux-ready “DPX-E265” gaming and lottery board based on AMD’s Ryzen V1000 that features 4x DP++ ports, 2x SATA, plus M.2, PCIe x16, and PCIe x4 expansion. Advantech-Innocore announced the DPC-E140 casino gaming platform board in February in conjunction with AMD’s Ryzen Embedded V1000 announcement and followed up with an Intel 7th Gen “Kaby Lake” based DPX-S445 casino gaming SBC in August. Now it’s returning to the Ryzen V1000 with a lower-end DPX-E265 gaming board aimed at gaming and lottery applications that lacks the extensive security and I/O features of the DPC-E140.

Microsoft Takeover of GNU/Linux Machines by Debian/APT

  • Skype's Debian Package Could Allow Attackers To Completely Takeover Machines
    Security researcher Enrico Weigelt uncovered a critical security issue in the way Skype installs itself on Debian Linux machines, adding Microsoft's APT repository in the system's sources.list file. Skype's Debian package uses an APT configuration profile which automatically inserts Microsoft's apt repository to the default system package sources which would allow anyone with access to it to hypothetically use malicious tools to compromise the machine. In layman's terms, APT repositories are collections of .deb packages used as the central storage, management and delivery platform for all Debian-based Linux machines. The APT repositories can be used to install, remove, or update applications on a Debian machine with the help of the apt-get command.
  • Apt Repositories: Goodbye Aptly, Welcome RepRepro
    I have been using aptly for several years publishing all kinds of repositories for different developments. The other day, when I wanted to update my calibre repository (see previous post) I realized that aptly cannot sign anything anymore. Huuu…

