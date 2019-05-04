

Security: Cyberseek, Ransom, Google, Huawei and GNOME

Tuesday 7th of May 2019 01:52:21 PM
Security
  • Wired for Safety: Cybersecurity professionals in demand

    We desperately need more cybersecurity professionals. The Bureau of Labor Statistics predicts a 28% increase in the need for cybersecurity professionals by 2021. In 2016, they estimated that there were 100,000 jobs open and Cyberseek suggests there were over 313,000 online job listings between 2017 and 2018.

  • How Does Ransomware Work (And Is It Still A Threat)? [Ed: All ransomware exploits or relies on inherently insecure systems, or those with back doors, like all the proprietary software operating systems (where part of the design is intentional insecurity)]

    Threats come and go, but one thing remains the same: the ability of cybercriminals to adapt to circumstances. A brief decline of interest in ransomware as criminals focused their attention on cryptojacking during the previous year appears to have come to an end, and ransomware attacks are once again escalating.

    In this post, we’ll explain what ransomware is, how it spreads, how prevalent it is and what you can do to protect yourself against it.

  • Google Releases Android Security Patch for May 2019, Includes 30 Security Fixes
  • Huawei Hypocrisy

    Theresa May almost certainly sacked Gavin Williamson not just on the basis of a telephone billing record showing he had a phone call with a Telegraph journalist, but on the basis of a recording of the conversation itself. It astonishes me that still, after Snowden and his PRISM revelations, after Wikileaks Vault 7 releases, and after numerous other sources including my own humble contribution, people still manage to avoid the cognitive dissonance that goes with really understanding how much we are surveilled and listened to. Even Cabinet Ministers manage to pretend to themselves it is not happening.

    The budget of the NSA, which does nothing else but communications intercept, is US $14.2 billion this year. Think about that enormous sum, devoted to just communications surveillance, and what it can achieve. The budget of the UK equivalent, GCHQ, is £1.2 billion, of which about 10% is paid by the NSA. Domestic surveillance in the UK has been vastly expanded and many taboos broken. But the bedrock of the system with regard to domestic intercepts is still that legal restrictions are dodged, as the USA’s NSA spies on UK citizens while the UK’s GCHQ spies on US citizens, and then the information is swapped. It was thus probably the NSA that harvested Williamson’s phone call, passing the details on. Given official US opposition to the UK employing Huawei technology, Williamson’s call would have been a “legitimate” NSA target.

    Mass surveillance works on electronic harvesting. Targeted phone numbers apart, millions of essentially random calls are listened to electronically using voice recognition technology and certain key words trigger an escalation of the call. Williamson’s call discussing Huawei, China, the intelligence services, and backdoors would certainly have triggered recording and been marked up to a human listener, even if his phone was not specifically targeted by the Americans – which it almost certainly was.

  • Georges Basile Stavracas Neto: Restricting users

    Imagine for a second that you are in an elementary school. The leadership is optimistic about exposing students to technology. They have set up big rooms with rows and rows of computers ready for their students to use.

    Would you give complete permissions to these teenagers using the computers? Would you allow them to install and uninstall programs as they wish, access any website they feel like, and use the machines for as much time as they want?

Mozilla: Firefox 67 Beta 16 Testday, Addon Issue, and Issues With "Clear Browsing Data"

  • Firefox 67 Beta 16 Testday Results
    As you may already know, last Friday, May 3rd, we held a new Testday event for Firefox 67 Beta 16. Thank you all for helping us make Mozilla a better place: Rok Žerdin, Fernando Espinoza, Kamila Kamciatek.
  • Firefox armagg-add-on: Lapsed security cert kills all browser extensions, from website password managers to ad blockers
    On Friday, Mozilla detected a great disturbance in its Firefox browser, as if millions of voices had cried out on social media in annoyance. Every single web extension, theme, search engine plugin, and language pack had been nuked from netizens' Firefox installations, stripping any data and settings associated with them as they were removed. For example, in a post on Hacker News, Rosser Schwarz, who works with databases, lamented how the add-on annihilation lost work stored in the Firefox container add-on. "I did not merely 'lose some tabs'; those, I could just re-open," he said. "I lost work. That data, effort, and time are gone." The source of the trouble was identified in a bug report as the expiration of an intermediate signing certificate, which is used to authenticate third-party Firefox add-ons, also known as extensions. With the cert's unanticipated demise, Firefox stopped allowing these add-ons to run or be installed.
  • Firefox extensions APIs fail to completely clear browsing data
    While I was working on Clear Browsing Data, I learned about several browser bugs that may render some Firefox extensions that focus on user privacy unreliable. The browsingData API in Firefox does not properly remove data, enabling sites to track users who rely on extensions to clear browsing data. Removing certain data types can also lead to side effects and data loss.

Audio: Going Linux and This Week in Linux (TWIL)

Events: Red Hat Summit and Open Infrastructure Summit

  • What to look forward to on Day 1 of Red Hat Summit [Ed: Red Hat "partners ranging from Delta Air Lines (Whitehurst's ex employer), Deutsche Bank (rogue bank), ExxonMobil (climate change denier), Microsoft (don't we love them?), and Volkswagen AG (Dieselgate)."]
  • How open source expands our possibilities
    It’s fascinating to see how the world continues to change around us. And it seems like the changes are coming faster than ever. Our annual Red Hat Summit has become a forum of sorts for me to hit the pause button and reflect on how far we’ve come—and where we still want to go. Looking back at the themes I’ve discussed over the past few years, I now recognize how we’ve been tracking the evolution in how people work. Three years ago, for example, I discussed the power of participation—about how people working together in an open, transparent way are more capable of solving problems. [...] The more people questioned what they saw, and the better and deeper their questions became. As a result, we moved from a world where we believed what we were told by higher authorities to one where conclusions were based on observation and experimentation. As Sir Francis Bacon, who is often credited as the father of The Scientific Method, so aptly put it: "If a man will begin with certainties, he shall end in doubts. But if he will be content to begin with doubts, he shall end in certainties." At the core of The Scientific Method is an insatiable curiosity about the world we see around us. It’s a methodology for asking why things work the way they do, then learning through experimentation and trial-and-error. It’s a shift from deductive to inductive reasoning—from top-down to bottom-up thinking. It’s about freedom to explore what might be possible—beyond the limits any higher authority might try to impose.
  • My summary of the OpenStack Stein Infrastructure Summit and Train PTG aka Denver III
    This was the first re-combined event with both the summit and the project teams gathering happening in the same week, and the third consecutive year that OpenStack has descended on Denver. This is also the first Open Infrastructure Summit: the foundation is expanding to allow other, non-OpenStack projects to use the Open Infrastructure Foundation for housing their projects. This is a brief summary, with pointers, of the sessions or rooms I attended, in the order they happened. The full summit schedule is here and the PTG schedule is here.

Programming: Python, GNU C Library, DataCamp Backlash and Tryton

  • Check type annotations in Python with mypy
    Python is one of the most popular programming languages in use today—and for good reasons: it's open source, it has a wide range of uses (such as web programming, business applications, games, scientific programming, and much more), and it has a vibrant and dedicated community supporting it. This community is the reason we have such a large, diverse range of software packages available in the Python Package Index (PyPI) to extend and improve Python and solve the inevitable glitches that crop up. In this series, we've looked at seven PyPI libraries that can help you solve common Python problems. Today, in the final article, we'll look at mypy "a Python linter on steroids."
  • Hacking The Government With The USDS
    The U.S. government has a vast quantity of software projects across the various agencies, and many of them would benefit from a modern approach to development and deployment. The U.S. Digital Services Agency has been tasked with making that happen. In this episode the current director of engineering for the USDS, David Holmes, explains how the agency operates, how they are using Python in their efforts to provide the greatest good to the largest number of people, and why you might want to get involved. Even if you don't live in the U.S.A. this conversation is worth listening to so you can see an interesting model of how to improve government services for everyone.
  • Cavium ThunderX2 getting significant performance boost as glibc optimizations inbound
    Optimizations are coming to the GNU C Library (glibc) for Cavium's ThunderX2 Arm-powered server CPU, as a recent commit changes the behavior of MEMMOVE in glibc 2.30, expected for release around the start of August. The commit, according to Cavium developer Steve Ellcey, provides improvements of "about 20-30% for larger cases and about 1-5% for smaller cases," and uses "SIMD load/store instead of GPR for large overlapping forward moves." Differences in how SIMD (Single Instruction, Multiple Data) instructions are handled between Intel and Arm architectures—where the instruction type is called NEON—have been a primary pain point to adopting Arm-powered processors for servers. Cloudflare, which uses (now discontinued) Qualcomm Centriq servers, has worked on optimizing open-source applications in its technology stack for Arm architectures, and has published its results (and code) publicly.
  • Solving problems with virtualenvwrapper using mismatched python versions
  • Updated Statement About Our Relationship with DataCamp
    We apologize for our poor communications about our response to the DataCamp sexual misconduct incident. We support the victims and we understand this has been a painful and ongoing struggle for them. We also recognize that for underrepresented groups, experiences of harassment and discrimination are far too common. We deeply regret that we did not provide enough context in our communications, and that our word choice contributed to confusion about our position. We want to correct that now.
  • Tryton Release 5.2
    We are proud to announce the 5.2 release of Tryton. This is the first minor release, which means that it will be supported for 1 year only. As usual, the migration from previous series is fully supported. Some manual operations may be required; see Migration from 5.0 to 5.2.

