Security Leftovers

Filed under
Security
  • Security updates for Thursday
  • Jelle Van der Waa: Mini DebConf Hamburg 2019

    The reproducible builds project was invited to join the mini DebConf Hamburg sprints and conference part. I attended with the intention to get together to work on Arch Linux reproducible test setup improvements, reproducing more packages and comparing results.

    The first improvement was adding JSON status output for Arch Linux and, coincidentally, also for openSUSE and, in the future, Alpine; the commit can be viewed here. The result was deployed and the Arch Linux JSON results are live.

    The next day, I investigated why Arch Linux's kernel is not reproducible.

  • Rogue Raspberry Pi allowed hackers to infiltrate NASA's systems [iophk: "article is missing any relevant details; lack of bureaucracy was not the cause here, unlike what is asserted"]

    That's according to a recent audit by the agency's Office of Inspector General, which reveals a number of security weaknesses affecting its Jet Propulsion Laboratory (JPL).

    The report claims that multiple IT security control weaknesses "reduce JPL's ability to prevent, detect and mitigate attacks targeting its systems and networks" while "exposing NASA systems and data to exploitation by cybercriminals".

  • Hacking Hardware Security Modules

    This highly technical presentation targets an HSM manufactured by a vendor whose solutions are usually found in major banks and large cloud service providers. It will demonstrate several attack paths, some of them allowing unauthenticated attackers to take full control of the HSM. The presented attacks allow retrieving all HSM secrets remotely, including cryptographic keys and administrator credentials. Finally, we exploit a cryptographic bug in the firmware signature verification to upload a modified firmware to the HSM. This firmware includes a persistent backdoor that survives a firmware update.

  • The looming threat of malicious backdoors in software source code

    The history of backdoors in source code has largely been about managing insider threats, for example a rogue developer looking to sabotage the organization. What’s changed is that increasingly well-funded nation-state attackers can afford to take a much longer-term view. This means writing useful code with backdoors planted deep inside it, making the code widely available, and waiting to see who adopts it.

  • A Florida city paid a $600,000 bitcoin ransom to hackers who took over its computers — and it's a massive alarm bell for the rest of the US [iophk: "Windows TCO"]

    A Florida city's council voted to pay a ransom of $600,000 in Bitcoin to [crackers] that targeted its computer systems — and the payout is a sign of how unprepared much of the US is to deal with a coming wave of cyberattacks.

More in Tux Machines

Red Hat Leftovers

  • How we brought JavaScript to life for Command Line Heroes

    Animators within Red Hat’s Open Studio help bring Command Line Heroes’ artwork more to life. All throughout Season 3, they’ve added movement to our episode pages and created eye-catching trailers for social and Red Hat’s YouTube channel. This post highlights their important contributions to the Command Line Heroes’ creative process by looking at their work for Episode 3 of Season 4: Creating JavaScript. Also, designer Karen Crowson talks about the easter eggs in that episode’s artwork.

  • Red Hat Ceph Storage RGW deployment strategies and sizing guidance

    Starting in Red Hat Ceph Storage 3.0, Red Hat added support for Containerized Storage Daemons (CSD), which allows the software-defined storage components (Ceph MON, OSD, MGR, RGW, etc.) to run within containers. CSD avoids the need to have dedicated nodes for storage services, thus reducing both CAPEX and OPEX by co-locating containerized storage daemons. Ceph-Ansible provides the required mechanism to apply resource fencing to each storage container, which is useful for running multiple storage daemon containers on one physical node. In this blog post, we will cover strategies to deploy RGW containers and their resource sizing guidance. Before we dive into the performance, let's understand the different ways to deploy RGW.

  • OpenShift 4.2: New YAML Editor

    Through our built-in YAML editor, users can create and edit resources right in the Red Hat OpenShift Web Console UI. In the latest release, we’ve upgraded our editor to include language server support. What is language server support? The language server support feature uses the OpenAPI schema from Kubernetes to provide content assist inside the YAML editor based on the type of resource you are editing. More specifically, the language server support offers the following capabilities:

      • Improved YAML validation: The new editor provides feedback in context, directing you to the exact line and position that requires attention.
      • Document outlining: Document outlines offer a quick way to navigate your code.
      • Auto completion: While in the editor, language server support will provide you with valid configuration information as you type, allowing you to edit faster.
      • Hover support: Hovering over a property will show a description of the associated schema.
      • Advanced formatting: Format your YAML.

LibreOffice 6.4 Alpha1 is ready for testing

The LibreOffice Quality Assurance (QA) Team is happy to announce LibreOffice 6.4 Alpha1 is ready for testing! LibreOffice 6.4 will be released as final at the beginning of February, 2020 (check the Release Plan), LibreOffice 6.4 Alpha1 being the first pre-release since the development of version 6.4 started at the beginning of June, 2019. Since then, 4600 commits have been submitted to the code repository and more than 720 bugs have been set to FIXED in Bugzilla. Check the release notes to find the new features included in this version of LibreOffice.

Events: Cloud Foundry Summit, OpenSUSE Asia and FSFE System Hackers

  • The Importance of Culture in Software Development

    A few weeks ago at Cloud Foundry Summit, I had the chance to grab a few of our partners and talk about how culture plays a part in the software development process. While appropriate tools are very important, it is only part of the story. Culture will make or break any change initiative regardless of how amazing our technology is.

  • openSUSE Asia Summit

    I met Edwin and Ary earlier this year at the openSUSE Conference in Nuremberg. They invited me to come to the openSUSE Asia Summit happening in Bali. I wasn't sure that I would be able to attend it. But then, around June I saw a tweet reminding about the deadline for the Call for Proposals for the openSUSE Asia Summit and I thought maybe I should give it a try. I submitted a workshop proposal on MicroOS and a lightning talk proposal to the openSUSE Asia CFP team. Both were accepted and I couldn't be happier. It gave me the chance to meet friends from the openSUSE community again, learn and share more. We do not have direct flights to Indonesia. I traveled through Air Mauritius to Kuala Lumpur and then Malaysia Airlines to Denpasar, Bali. I spent almost 24 hours traveling before reaching my hotel in Jimbaran. I was totally knackered when I arrived but the enthusiasm of being there for the summit was stronger than anything. I booked a taxi through Traveloka ahead of my arrival in Bali. It was recommended by Edwin. When I compared other taxi fares I felt glad I booked it online. I also bought a SIM card on my way to the hotel with a 6GB data package. I knew we'd all communicate mostly on Telegram, just as we did for oSC 2019. My hotel WiFi connection wasn't great but I was impressed by the 4G coverage of my mobile Internet provider, XL Axiata. Mobile connectivity was extremely helpful as I would rely on GoJek car-hailing for the next few days.

  • The 3rd FSFE System Hackers hackathon

    On 10 and 11 October, the FSFE System Hackers met in person to tackle problems and new features regarding the servers and services the FSFE is running. The team consists of dedicated volunteers who ensure that the community and staff can work effectively. The recent meeting built on the great work of the past 2 years which have been shaped by large personal and technical changes. The System Hackers are responsible for the maintenance and development of a large number of services. From the fsfe.org website’s deployment to the mail servers and blogs, from Git to internal services like DNS and monitoring, all these services, virtual machines and physical servers are handled by this friendly group that is always looking forward to welcoming new members.

GNU Parallel Released and 10 Years of GNU Health

  • GNU Parallel 20191022 ('Driving IT') released [stable]

    GNU Parallel 20191022 ('Driving IT') [stable] has been released. It is available for download at: http://ftpmirror.gnu.org/parallel/ . No new functionality was introduced, so this is a good candidate for a stable release. GNU Parallel is 10 years old next year on 2020-04-22. You are hereby invited to a reception on Friday 2020-04-17.

  • GNU Health: 10 years of Freedom and Equity in Healthcare

    I am back from my trip to India, where I spent a week with the team of All India Institute of Medical Sciences – AIIMS –, the largest public hospital in Asia and a leading research institution. They have taken the decision to adopt GNU Health, the Free Hospital and Health Information System. One key aspect in Free Software is ownership. From the moment they adopted GNU Health, it now also belongs to AIIMS. They have full control over it. They can download and upgrade the system; access the source code; customize it to fit their needs; and contribute back to the community. This is the definition of Free Software. The definition of Free Software is universal. GNU Health is equally valid for very large institutions, national public health networks and small, rural or primary care centers. The essence is the same.