2018-10-09

Security: G+, SSH, GAO, Flatpak, Telecommunications (Interception and Access) Act 'Extended', More on China's Alleged Supply Chain Attacks

Submitted by Roy Schestowitz on Wednesday 10th of October 2018 04:52:41 PM. Filed under: Security
  • Pete Zaitcev: Ding-dong, the witch is dead

    One thing that comes across very strongly is how reluctant people are to run their own infrastructure. For one thing, the danger of a devastating DDoS is absolutely real. And then you have to deal with spam. Those who do not have the experience also tend to over-estimate the amount of effort you have to put into running "dnf update" once in a while.

    Personally, I think that although of course it's annoying, the time wasted on the infra is not that great, or at least it wasn't for me. The spam can be kept under control with a minimal effort. Or, could be addressed in drastic ways. For example, my anime blog simply does not have comments at all. As far as DoS goes, yes, it's a lottery. But then the silo platform can easily die (like G+), or ban you. This actually happens a lot more than those hiding their heads in the sand like to admit. And you don't need to go as far as to admit to your support of President Trump in order to get banned. Anything can trigger it, and the same crazies that DoS you will also try to deplatform you.

  • (SSH) Keys to Unix Security

    Root accounts are the keys to powerful IT systems, the backbone of your entire infrastructure. They use privileged credentials to control shell access, file transfers, or batch jobs that communicate with other computers or apps, often accessed remotely, with local configuration. They can be the trickiest of all types of privileged accounts to secure, particularly if they are based on Unix or Linux.

  • Cyber Tests Showed 'Nearly All' New Pentagon Weapons Vulnerable To Attack, GAO Says [iophk: "Windows TCO"]

    Still, the tests cited in the report found "widespread examples of weaknesses in each of the four security objectives that cybersecurity tests normally examine: protect, detect, respond, and recover."

    [...]

    In several instances, simply scanning the weapons' computer systems caused parts of them to shut down.

    [...]

    When problems were identified, they were often left unresolved. The GAO cites a test report in which only one of 20 vulnerabilities that were previously found had been addressed. When asked why all of the problems had not been fixed, "program officials said they had identified a solution, but for some reason it had not been implemented. They attributed it to contractor error," the GAO says.

  • Flatpak - a security nightmare

    Let's hope not! Sadly, it's obvious Red Hat developers working on flatpak do not care about security, yet the self-proclaimed goal is to replace desktop application distribution - a cornerstone of Linux security.

    And it's not only about these security problems. Running KDE apps in fakepak? Forget about desktop integration (not even font size). Need to input Chinese/Japanese/Korean characters? Forget about that too - fcitx has been broken since flatpak 1.0 and never fixed since.

    The way we package and distribute desktop applications on Linux surely needs to be rethought; sadly, flatpak is introducing more problems than it is solving.

  • Encryption bill will hit family violence victims: claim

    In a submission to the public consultation on the draft bill, Carolyn Worth, the manager of SECASA, said the broadening of the Telecommunications (Interception and Access) Act 1979 was unwarranted and would be detrimental to all citizens, especially those with a background of family violence and/or sexual assault.

    The period for public comment on the bill, which is officially known as the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, ended on 10 September after the draft was released on 14 August.

  • Bloomberg says big US telco hit by hardware tampering

    Apparently undeterred by strong criticism of a supply chain attack story it published last week, Bloomberg has put out another yarn, dealing with a similar theme, this time about a "major US telecommunications company" that allegedly encountered doctored hardware made by the US company Supermicro Computer.

  • RiskIQ Detects and Mitigates New Magecart Supply Chain Attack

    "If you own an e-commerce company, it's best to remove the third-party code from your checkout pages whenever possible," said Yonathan Klijnsma, Head Researcher at RiskIQ. "Many payment service providers have already taken this approach by prohibiting third-party code from running on pages where customers enter their payment information."

New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom

Submitted by Roy Schestowitz on Wednesday 10th of October 2018 05:30:59 PM.
  • New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom

    Three security experts who have analyzed foreign hardware implants for the U.S. Department of Defense confirmed that the way Sepio's software detected the implant is sound. One of the few ways to identify suspicious hardware is by looking at the lowest levels of network traffic. Those include not only normal network transmissions, but also analog signals -- such as power consumption -- that can indicate the presence of a covert piece of hardware.

  • Security updates for Wednesday
