Language Selection

English French German Italian Portuguese Spanish

Security Leftovers

Filed under
Security
  • Matthew Garrett: Bug bounties and NDAs are an option, not the standard

    Zoom had a vulnerability that allowed users on MacOS to be connected to a video conference with their webcam active simply by visiting an appropriately crafted page. Zoom's response has largely been to argue that:

    a) There's a setting you can toggle to disable the webcam being on by default, so this isn't a big deal,
    b ) When Safari added a security feature requiring that users explicitly agree to launch Zoom, this created a poor user experience and so they were justified in working around this (and so introducing the vulnerability), and,
    c) The submitter asked whether Zoom would pay them for disclosing the bug, and when Zoom said they'd only do so if the submitter signed an NDA, they declined.

    (a) and (b ) are clearly ludicrous arguments, but (c) is the interesting one. Zoom go on to mention that they disagreed with the severity of the issue, and in the end decided not to change how their software worked. If the submitter had agreed to the terms of the NDA, then Zoom's decision that this was a low severity issue would have led to them being given a small amount of money and never being allowed to talk about the vulnerability. Since Zoom apparently have no intention of fixing it, we'd presumably never have heard about it. Users would have been less informed, and the world would have been a less secure place.

    [...]

    If your bug bounty requires people sign an NDA, you should think about why. If it's so you can control disclosure and delay things beyond 90 days (and potentially never disclose at all), look at whether the amount of money you're offering for that is anywhere near commensurate with the value the submitter could otherwise gain from the information and compare that to the reputational damage you'll take from people deciding that it's not worth it and just disclosing unilaterally. And, seriously, never ask for an NDA before you're committing to a specific $ amount - it's never reasonable to ask that someone sign away their rights without knowing exactly what they're getting in return.

  • Microsoft July 2019 Patch Tuesday fixes zero-day exploited by Russian hackers [Ed: Let's blame Russia instead of NSA back doors put there by Microsoft. More trash from CBS tabloid ZDNet.]

    Since the Microsoft Patch Tuesday is also the day when other vendors also release security patches, it's also worth mentioning that Adobe and SAP have also published their respective security updates earlier today.

  • William Brown: I no longer recommend FreeIPA

    The FreeIPA project focused on Kerberos and SSSD, with enough other parts glued on to look like a complete IDM project. Now that’s fine, but it means that concerns in other parts of the project are largely ignored. It creates design decisions that are not scalable or robust.

    Due to these decisions IPA has stability issues and scaling issues that other products do not.

    To be clear: security systems like IDM or LDAP can never go down. That’s not acceptable.

  • Ubuntu Source code is Safe in the Canonical GitHub account hacking!

    The canonical Security is once again under questionable notice. The forum has been hacked thrice on different occasions. In July 2013, details of 1.82 Million users were stolen by hackers followed by the second hacking where 2 million users data were stolen in July 2016 and in July 2019, the Github account of Canonical limited has been hacked.

    This company works behind the distribution of Ubuntu Linux and was hacked on July 6th, 2019. The Security team accepted that the Canonical owned account on Github was compromised on credentials and was used to create disturbance and issues among other activities. Though the company has removed the account from the organization in Github, it is still working on checking out the breach. The company believes that the source code or PII was affected in any way.

  • Azure Sphere OS Built on a Compact, Secured Linux

More in Tux Machines

LibreOffice 6.4 Alpha1 is ready for testing

The LibreOffice Quality Assurance ( QA ) Team is happy to announce LibreOffice 6.4 Alpha1 is ready for testing! LibreOffice 6.4 will be released as final at the beginning of February, 2020 ( Check the Release Plan ) being LibreOffice 6.4 Alpha1 the first pre-release since the development of version 6.4 started in the beginning of June, 2019. Since then, 4600 commits have been submitted to the code repository and more than 720 bugs have been set to FIXED in Bugzilla. Check the release notes to find the new features included in this version of LibreOffice. Read more

Events: Cloud Foundry Summit, OpenSUSE Asia and FSFE System Hackers

  • The Importance of Culture in Software Development

    A few weeks ago at Cloud Foundry Summit, I had the chance to grab a few of our partners and talk about how culture plays a part in the software development process. While appropriate tools are very important, it is only part of the story. Culture will make or break any change initiative regardless of how amazing our technology is.

  • openSUSE Asia Summit

    I met Edwin and Ary earlier this year at the openSUSE Conference in Nuremberg. They invited me to come to the openSUSE Asia Summit happening in Bali. I wasn't sure that I would be able to attend it. But then, around June I saw a tweet reminding about the deadline for the Call for Proposal for the openSUSE Asia Summit and I thought maybe I should give it a try. I submitted a workshop proposal on MicroOS and a lightning talk proposal to the openSUSE Asia CFP team. Both were accepted and I couldn't be happier. It gave me the chance to meet friends from the openSUSE community again, learn and share more. We do not have direct flights to Indonesia. I traveled through Air Mauritius to Kuala Lumpur and then Malaysia Arlines to Denpasar, Bali. I spent almost 24 hours traveling before reaching my hotel in Jimbaran. I was totally knackered when I arrived but the enthusiasm of being there for the summit was stronger than anything. I booked a taxi through Traveloka ahead of my arrival in Bali. It was recommended by Edwin. When I compared other taxi fares I felt glad I booked it online. I also bought a SIM card on my way to the hotel with a 6GB data package. I knew we'd all communicate mostly on Telegram, just as we did for oSC 2019. My hotel WiFi connection wasn't great but I was impressed by the 4G coverage of my mobile Internet provider, XL Axiata. Mobile connectivity was extremely helpful as I would rely on GoJek car-hailing for the next few days.

  • The 3rd FSFE System Hackers hackathon

    On 10 and 11 October, the FSFE System Hackers met in person to tackle problems and new features regarding the servers and services the FSFE is running. The team consists of dedicated volunteers who ensure that the community and staff can work effectively. The recent meeting built on the great work of the past 2 years which have been shaped by large personal and technical changes. The System Hackers are responsible for the maintenance and development of a large number of services. From the fsfe.org website’s deployment to the mail servers and blogs, from Git to internal services like DNS and monitoring, all these services, virtual machines and physical servers are handled by this friendly group that is always looking forward to welcoming new members.

GNU Parallel Released and 10 Years of GNU Health

  • GNU Parallel 20191022 ('Driving IT') released [stable]

    GNU Parallel 20191022 ('Driving IT') [stable] has been released. It is available for download at: http://ftpmirror.gnu.org/parallel/ No new functionality was introduced so this is a good candidate for a stable release. GNU Parallel is 10 years old next year on 2020-04-22. You are here by invited to a reception on Friday 2020-04-17.

  • GNU Health: 10 years of Freedom and Equity in Healthcare

    I am back from my trip to India, where I spent a week with the team of All India Institute of Medical Sciences – AIIMS –, the largest public hospital in Asia and a leading research institution. They have taken the decision to adopt GNU Health, the Free Hospital and Health Information System. One key aspect in Free Software is ownership. From the moment they adopted GNU Health, it now also belongs to AIIMS. They have full control over it. They can download and upgrade the system; access the source code; customize it to fit their needs; and contribute back to the community. This is the definition of Free Software. The definition of Free Software is universal. GNU Health is equally valid for very large institutions, national public health networks and small, rural or primary care centers. The essence is the same.

Programming Leftovers

  • NumFOCUS and Tidelift partner to support essential community-led open source data science and scientific computing projects

    NumFOCUS and Tidelift today announced a partnership to support open source libraries critical to the Python data science and scientific computing ecosystem. NumPy, SciPy, and pandas—sponsored projects within NumFOCUS—are now part of the Tidelift Subscription. Working in collaboration with NumFOCUS, Tidelift financially supports the work of project maintainers to provide ongoing security updates, maintenance and code improvements, licensing verification and indemnification, and more to enterprise engineering and data science teams via a managed open source subscription from Tidelift.

  • Python Plotting With Matplotlib

    A picture is worth a thousand words, and with Python’s matplotlib library, it fortunately takes far less than a thousand words of code to create a production-quality graphic. However, matplotlib is also a massive library, and getting a plot to look just right is often achieved through trial and error. Using one-liners to generate basic plots in matplotlib is relatively simple, but skillfully commanding the remaining 98% of the library can be daunting.

  • Nominations for 2019 Malcolm Tredinnick Memorial Prize

    Malcolm was an early core contributor to Django and had both a huge influence and large impact on Django as we know it today. Besides being knowledgeable he was also especially friendly to new users and contributors. He exemplified what it means to be an amazing Open Source contributor. We still miss him. The DSF Prize page summarizes the prize nicely: The Malcolm Tredinnick Memorial Prize is a monetary prize, awarded annually, to the person who best exemplifies the spirit of Malcolm’s work - someone who welcomes, supports and nurtures newcomers; freely gives feedback and assistance to others, and helps to grow the community. The hope is that the recipient of the award will use the award stipend as a contribution to travel to a community event -- a DjangoCon, a PyCon, a sprint -- and continue in Malcolm’s footsteps.

  • Dirk Eddelbuettel: pkgKitten 0.1.5: Creating R Packages that purr

    This release provides a few small changes. The default per-package manual page now benefits from a second refinement (building on what was introduced in the 0.1.4 release) in using the Rd macros referring to the DESCRIPTION file rather than duplicating information. Several pull requests fixes sloppy typing in the README.md, NEWS.Rd or manual page—thanks to all contributors for fixing these. Details below.