Security Leftovers

Filed under
Security
  • Security updates for Thursday
  • Jelle Van der Waa: Mini DebConf Hamburg 2019

    The reproducible builds project was invited to join the mini DebConf Hamburg sprints and conference part. I attended with the intention to get together to work on Arch Linux reproducible test setup improvements, reproducing more packages and comparing results.

    The first improvement was adding JSON status output for Arch Linux and, coincidentally, also for OpenSUSE and in the future Alpine; the commit can be viewed here. The result was deployed and the Arch Linux JSON results are live.

    The next day, I investigated why Arch Linux's kernel is not reproducible.

  • Rogue Raspberry Pi allowed hackers to infiltrate NASA's systems [iophk: "article is missing any relevant details, lack of bureaucracy was not the cause here, unlike what is asserted"]

    That's according to a recent audit by the agency's Office of Inspector General, which reveals a number of security weaknesses affecting its Jet Propulsion Laboratory (JPL).

    The report claims that multiple IT security control weaknesses "reduce JPL's ability to prevent, detect and mitigate attacks targeting its systems and networks" while "exposing NASA systems and data to exploitation by cybercriminals".

  • Hacking Hardware Security Modules

    This highly technical presentation targets an HSM manufactured by a vendor whose solutions are usually found in major banks and large cloud service providers. It will demonstrate several attack paths, some of them allowing unauthenticated attackers to take full control of the HSM. The presented attacks allow retrieving all HSM secrets remotely, including cryptographic keys and administrator credentials. Finally, we exploit a cryptographic bug in the firmware signature verification to upload a modified firmware to the HSM. This firmware includes a persistent backdoor that survives a firmware update.

  • The looming threat of malicious backdoors in software source code

    The history of backdoors in source code has largely been about managing insider threats, for example a rogue developer looking to sabotage the organization. What’s changed is that increasingly well-funded nation-state attackers can afford to take a much longer-term view. This means writing useful code with backdoors planted deep inside it, making the code widely available, and waiting to see who adopts it.

  • A Florida city paid a $600,000 bitcoin ransom to hackers who took over its computers — and it's a massive alarm bell for the rest of the US [iophk: "Windows TCO"]

    A Florida city's council voted to pay a ransom of $600,000 in Bitcoin to [crackers] that targeted its computer systems — and the payout is a sign of how unprepared much of the US is to deal with a coming wave of cyberattacks.

More in Tux Machines

Ubuntu 18.10 Cosmic Cuttlefish reaches end of life on Thursday, upgrade now

Canonical, earlier this month, announced that Ubuntu 18.10 Cosmic Cuttlefish will be reaching end-of-life status this Thursday, making now the ideal time to upgrade to a later version. As with all non-Long Term Support (LTS) releases, 18.10 had nine months of support following its release last October. When distributions reach their end-of-life stage, they no longer receive security updates. While you may be relatively safe at first, the longer you keep running an unpatched system, the more likely it is that your system will become compromised, putting your data at risk. If you’d like to move on from Ubuntu 18.10, you’ve got two options: you can either perform a clean install of a more up-to-date version of Ubuntu or you can do an in-place upgrade.

today's leftovers: kernel, games, mozilla...

  • Call for submissions — linux.conf.au 2020

    The linux.conf.au 2020 organising team has issued an invitation to IT professionals for proposals for talks and miniconfs at the next conference, which will take place on the Gold Coast, 13–17 January 2020. Held regularly since 1999, linux.conf.au is the largest Linux and open source conference in the Asia–Pacific region. The conference provides deeply technical presentations from industry leaders and experts on a wide array of subjects relating to open source projects, data and open government and community engagement.

  • Intel Is Still Working On Upstreaming SGX Enclave Support To Linux - Now At 21 Revisions

    Intel Software Guard Extensions "SGX" have been around since Skylake for allowing hardware-protected (via encryption) memory regions known as "enclaves" that prevent processes outside of the enclave from accessing these memory regions. While supported CPUs have been out for years, the Intel SGX support has yet to make it into the mainline kernel and this week marks the twenty-first revision to these patches. The twenty-eight patches implementing the Intel SGX foundations support for the Linux kernel and Intel Memory Encryption Engine support were revised with various fixes. Even if the review of this twenty-first revision of these patches goes spectacularly, due to the timing this SGX support won't land until at least the Linux 5.4 kernel, it being too late for Linux 5.3.

  • Ciel Fledge, an Anime-styled sim about raising an adopted daughter

    Quite a peculiar game this one, Ciel Fledge from Studio Namaapa and PQube Games has you adopt a strange child found on the surface of a ruined planet and raise her.

  • Bendy and the Ink Machine & Prison Architect going cheap in the new Humble Very Positive Bundle 3

    Humble just released a new bundle full of highly rated games, with 2 great picks in there for Linux gamers. The Humble Very Positive Bundle 3 is now live, with 7 total games. Sadly, only 2 of those have Linux releases but even so it's a chance for you to get them a lot cheaper than normal and together.

  • backlogs, lag, and waiting
  • MDN’s First Annual Web Developer & Designer Survey

    Today we are launching the first edition of the MDN Developer & Designer Needs Survey. Web developers and designers, we need to hear from you! This is your opportunity to tell us about your needs and frustrations with the web.

  • GSOC19 Ahmed ElShreif: Week 7 Report

    Then I spent more time reading some UI tests written with the Python framework and tried to figure out which UI elements are missing, and I discussed adding logs for new events with my mentors.
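Returning to the SGX item above: the article says which CPUs have the feature but not how to tell whether the machine in front of you does. The following is an added example, not code from the article or from the kernel patch series. It decodes the CPUID leaves that advertise SGX (leaf 7 subleaf 0 EBX bit 2 for SGX, ECX bit 30 for SGX launch control; leaf 0x12 subleaf 0 EAX bits 0 and 1 for SGX1/SGX2 and EDX bits 7:0 and 15:8 for the log2 maximum enclave size) and probes the running CPU with the compiler's `<cpuid.h>` helpers. The `sgx_decode` function takes raw register values so it can be exercised with constructed inputs on a machine without SGX; the struct and function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Decoded SGX capability bits. Bit positions follow the Intel SDM
 * CPUID definitions for leaf 7 subleaf 0 and leaf 0x12 subleaf 0. */
struct sgx_caps {
    int sgx;                      /* CPUID.(7,0):EBX[2]    SGX instructions present          */
    int sgx_lc;                   /* CPUID.(7,0):ECX[30]   launch control (writable LE pubkey hash) */
    int sgx1;                     /* CPUID.(0x12,0):EAX[0] SGX1 leaf functions (ECREATE, EENTER, ...) */
    int sgx2;                     /* CPUID.(0x12,0):EAX[1] SGX2 dynamic memory management (EAUG, ...) */
    unsigned max_enclave_log2_32; /* CPUID.(0x12,0):EDX[7:0]  log2 of max enclave size, non-64-bit */
    unsigned max_enclave_log2_64; /* CPUID.(0x12,0):EDX[15:8] log2 of max enclave size, 64-bit     */
};

/* Pure decoder over raw register values (example helper, not an Intel API). */
struct sgx_caps sgx_decode(uint32_t leaf7_ebx, uint32_t leaf7_ecx,
                           uint32_t leaf12_eax, uint32_t leaf12_edx)
{
    struct sgx_caps c = {0};
    c.sgx    = (leaf7_ebx >> 2) & 1u;
    c.sgx_lc = (leaf7_ecx >> 30) & 1u;
    /* Leaf 0x12 is only defined when the SGX bit in leaf 7 is set, so never
     * report SGX1/SGX2 or enclave sizes for a CPU without SGX. */
    if (c.sgx) {
        c.sgx1 = leaf12_eax & 1u;
        c.sgx2 = (leaf12_eax >> 1) & 1u;
        c.max_enclave_log2_32 = leaf12_edx & 0xffu;
        c.max_enclave_log2_64 = (leaf12_edx >> 8) & 0xffu;
    }
    return c;
}

/* Probe the CPU this program runs on. Returns 1 and fills *out when CPUID
 * leaf 7 is available, 0 on non-x86 builds or CPUs too old to have leaf 7. */
int sgx_probe(struct sgx_caps *out)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned a = 0, b = 0, c = 0, d = 0;
    unsigned max_leaf = __get_cpuid_max(0, NULL);   /* highest basic leaf */
    if (max_leaf < 7)
        return 0;
    __cpuid_count(7, 0, a, b, c, d);
    uint32_t ebx7 = b, ecx7 = c;
    uint32_t eax12 = 0, edx12 = 0;
    if (((ebx7 >> 2) & 1u) && max_leaf >= 0x12) {
        __cpuid_count(0x12, 0, a, b, c, d);
        eax12 = a;
        edx12 = d;
    }
    *out = sgx_decode(ebx7, ecx7, eax12, edx12);
    return 1;
#else
    (void)out;
    return 0;
#endif
}

int main(void)
{
    struct sgx_caps c;
    if (!sgx_probe(&c)) {
        puts("CPUID leaf 7 unavailable (non-x86 build or very old CPU)");
        return 0;
    }
    printf("SGX=%d SGX_LC=%d SGX1=%d SGX2=%d\n", c.sgx, c.sgx_lc, c.sgx1, c.sgx2);
    if (c.sgx)
        printf("max enclave size: 2^%u bytes (64-bit), 2^%u bytes (32-bit)\n",
               c.max_enclave_log2_64, c.max_enclave_log2_32);
    return 0;
}
```

A set SGX bit only means the silicon has the feature. Firmware must also opt in through the IA32_FEATURE_CONTROL MSR (bit 18, SGX_ENABLE) and reserve EPC memory, which user space cannot see from CPUID alone; the kernel series in the article checks that MSR before enabling anything, and hypervisors commonly hide the bit entirely, so a clear bit inside a VM says nothing about the host.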

Video/Audio: LINUX Unplugged, Coder Radio, and Debian 10 "Buster" Video Overview

Devices With Linux: Ibase, AOpen, Purism and ASUS

  • Ryzen Embedded V1000 module supports four USB 3.1 ports

    Ibase’s “ET976” COM Express Type 6 module builds on AMD’s Ryzen Embedded V1000 SoC with USB 3.1, SATA III, GbE, PCIe x8, PEG, and more. Ibase announced a COM Express Type 6 module equipped with AMD’s Ryzen Embedded V1000 system-on-chip. The announcement refers to the ET876 as a Compact module (95 x 95mm) like Ibase’s earlier, Intel 7th Gen “Kaby Lake” ET975, but the spec sheet and the photo indicate it’s a larger 125 x 95mm Basic module like Ibase’s 7th Gen ET970.

  • AOpen’s new kiosk/signage systems span Kaby Lake and Whiskey Lake

    AOpen’s compact, Linux-friendly “Digital Engine DE5500” embedded PC for kiosk and signage has a 7th Gen CPU, 2x HDMI 2.0, 2x GbE, 3x M.2, and SATA. AOpen is also prepping a Whiskey Lake based smart kiosk with OpenVINO and RealSense. Taiwanese signage vendor AOpen, which offers products such as its Android-driven, i.MX6-based MEP320 signage player, has launched an Intel 7th Gen Kaby Lake based signage and kiosk computer called the Digital Engine DE5500. The product supports Linux or Windows 10 and offers an optional AOpen Intelligent Control Unit (AiCU) smart kiosk control software package with “self-perception, self-determination, and self-execution” features.

  • Mr. Librem Kyle Rankin: Consent Matters: When Tech Shares Your Secrets Without Your Permission

    There is a saying that goes around modern privacy circles that “Privacy is about Consent.” This means that the one big factor that determines whether your privacy is violated comes down to whether you consented to share the information. For instance, let’s say Alice tells Bob a secret: if Bob then tells the secret to someone else, Bob will be violating Alice’s privacy, unless he had asked Alice for permission first. If you think about it, you can come up with many examples where the same action, leading to the same result, takes on a completely different tone–depending on whether or not the actor got consent.

    We have a major privacy problem in society today, largely because tech companies collect customer information and share it with others without getting real consent from their customers. Real consent means customers understand all of the ways their information will be used and shared, all the implications that come from that sharing–now, and in the future. Instead, customers get a lengthy, click-through privacy policy document that no one is really expected to read or understand. Even if someone does read and understand the click-through agreement, it still doesn’t fully explain all of the implications behind sharing your location and contact list with a messaging app or using voice commands on your phone.

    Big Tech has been funded, over the past two decades, by exploiting the huge influx of young adults who were connected to the Internet and shared their data without restriction. While it’s a generalization that young adults often make decisions based on short-term needs, without considering the long-term impacts, there’s also some truth behind it–whether we are discussing a tattoo that seemed like a good idea at the time, posting pictures or statements on social media that come back to bite you or giving an app full access to your phone. Individuals didn’t understand the value of this data or the risks in sharing it; but tech companies knew it all along and were more than happy to collect, store, share and profit off of it, and Big Tech is now a multi-billion-dollar industry.

  • ASUS Chromebook C523

    Today we are looking at the ASUS Chromebook C523 (C523NA-DH02). It is a strong, modern, smart-looking Chromebook for a great price with a big screen. It comes with a fanless dual-core Intel Celeron N3350 CPU and a 15.6 inch, 1366x768, HD NanoEdge non-touch display. It has 4 GB of RAM and a 32 GB eMMC SSD. It has Android Apps (Google Play) and Linux Apps (Crostini) support and it will receive auto-updates until November 2023. It weighs 3.1 lbs and its dimensions are 14.1 x 9.9 x 0.6 inches. It has a 2-cell, 38 Wh lithium-ion battery rated for 10 hours of battery life.