Security Leftovers

Filed under: Security
  • Security updates for Wednesday
  • Technology That Could End Humanity—and How to Stop It

    WIRED: What is the vulnerable world hypothesis?

    Nick Bostrom: It's the idea that we could picture the history of human creativity as the process of extracting balls from a giant urn. These balls represent different ideas, technologies, and methods that we have discovered throughout history. By now we have extracted a great many of these and for the most part they have been beneficial. They are white balls. Some have been mixed blessings, gray balls of various shades. But what we haven't seen is a black ball, some technology that by default devastates the civilization that discovers it. The vulnerable world hypothesis is that there is some black ball in the urn, that there is some level of technology at which civilization gets decimated by default.

  • Huawei banned from using US components without approval

    The US has placed Chinese telecommunications equipment vendor Huawei Technologies and some 70 of its affiliates on a list that means it will have to obtain government approval in order to buy American-made components.

  • Trump declares national emergency over IT threats

    He signed an executive order which effectively bars US companies from using foreign telecoms believed to pose national security risks.

  • Huawei offers 'no-spy' contracts and promises to 'shutdown' if China forces backdoors

    Despite emphatic denials from the Chinese tech giant, there are still significant suspicions around the world about how close Huawei is to the Chinese government and whether, if expected to, it would plant back doors in its equipment to allow remote access.

  • The radio navigation planes use to land safely is insecure and can be [cracked]

    Now, researchers have devised a low-cost hack that raises questions about the security of ILS, which is used at virtually every civilian airport throughout the industrialized world. Using a $600 software defined radio, the researchers can spoof airport signals in a way that causes a pilot’s navigation instruments to falsely indicate a plane is off course. Normal training will call for the pilot to adjust the plane’s descent rate or alignment accordingly and create a potential accident as a result.

  • Why I've started using NoScript

    For one, NoScript's user interface has become much better: Now, if a page isn't working right, you simply click the NoScript icon and whitelist any domains you trust, or temporarily whitelist any domains you trust less. You can set it to automatically whitelist domains you directly visit (thereby only blocking third-party scripts).

    A more pressing change is that I'm now much less comfortable letting arbitrary third parties run code on my computer. I used to believe that my browser was fundamentally capable of keeping me safe from the scripts that it ran. Sure, tracking cookies and other tricks allowed web sites to correlate data about me, but I thought that my browser could, at least in principle, prevent scripts from reading arbitrary data on my computer. With the advent of CPU-architecture-based side channel attacks (Meltdown and Spectre are the most publicized, but it seems like new ones come out every month or so), this belief now seems quite naïve.

  • It’s Almost Impossible to Tell if Your iPhone Has Been [Cracked]

    “The simple reality is there are so many 0-day exploits for iOS,” Stefan Esser, a security researcher that specializes in iOS, wrote on Twitter. “And the only reason why just a few attacks have been caught in the wild is that iOS phones by design hinder defenders to inspect the phones.”

  • Google recalls its Bluetooth Titan Security Keys because of a security bug

    To exploit the bug, an attacker would have to be within Bluetooth range (about 30 feet) and act swiftly as you press the button on the key to activate it. The attackers can then use the misconfigured protocol to connect their own device to the key before your own device connects. With that — and assuming that they already have your username and password — they could sign into your account.

    Google also notes that before you can use your key, it has to be paired to your device. An attacker could also potentially exploit this bug by using their own device and masquerading it as your security key to connect to your device when you press the button on the key. By doing this, the attackers can then change their device to look like a keyboard or mouse and remote control your laptop, for example.

  • Google offers free 2FA Bluetooth Titan Security Key swaps after security flaw discovered

    Make that most people. In a post on its security blog, Google divulged Wednesday that it has discovered a “misconfiguration” with the Bluetooth Low Energy version of its Titan Security Key that could allow a nearby attacker to “communicate with your security key, or communicate with the device to which your key is paired.”

  • Kubernetes security: 5 mistakes to avoid

    Modern applications and infrastructure no doubt require modern security practices, but the fundamentals still apply.

    “The majority of data breaches are easily preventable with basic cybersecurity hygiene,” says Tim Buntel, VP of application security at Threat Stack.

    That should be received as good news: Fundamental issues such as access and privilege remain fundamental, even as containers, microservices, orchestration, and other evolutionary developments continue to shake up IT. In fact, one of the biggest out-of-the-gate risks that can occur as organizations adopt new technologies is that they develop amnesia around best practices like enforcing the principle of least privilege.

    Consider the rise of Kubernetes in the enterprise: Like any tool or technology, it comes with security considerations. That’s not because Kubernetes is inherently risky or insecure – far from it. Rather, many of the risks occur because teams get caught up in the power and popularity of Kubernetes without properly considering what it will take to effectively run it in production, says Matt Wilson, chief information security advisor at BTB Security.

  • How to protect your devices against the ZombieLoad attack
