
Security Leftovers

  • Microsoft Discreetly Drops ‘Telemetry’ As Part Of Larger ‘Security Cumulative Update’ Without First Informing Windows 7 Users? [Ed: Microsoft being Microsoft and backporting surveillance; With Windows Update any piece of software can become more malicious overnight.]

    Microsoft appears to have once again attempted to sneak telemetry components. The company released security updates for all supported operating systems on the July 2019 Patch Day. However, this month’s cumulative updates, which were supposed to contain only security-related components, contain an unexpected compatibility/telemetry component.

    The suspicious components were hidden in plain sight. Incidentally, this is the second time Microsoft has attempted to insert telemetry components. However, during the first attempt the Windows OS maker had openly mentioned the inclusion of the telemetry components, whereas this time the company didn’t offer any indication. This methodology appears to be an attempt to garner more accurate data about usage and installation patterns of the Windows operating system as Microsoft will soon phase out Windows 7.

    Windows Update delivered several packages of security and reliability fixes for Windows 7 earlier this week. The packages are different for each of the Windows operating system’s versions that Microsoft officially supports. However, the ‘cumulative update’ package contained a rather suspicious component. The security update in question was intended for Microsoft Windows 7 Operating System (OS) which was released as part of the July 2019 Patch Day.

  • Swimlane research team open sources pyattck

    As security teams adopt the Mitre ATT&CK Framework to help them identify gaps in their defenses, having a way to identify what malware and tools are being used by specific actors or groups becomes more critical. Additionally, having a way to identify these relationships programmatically is even more critical.

    Today, we are excited to announce the Swimlane research team has released pyattck—a Python package to interact with the Mitre ATT&CK Framework. There are many different open-source projects being released on a daily basis, but we wanted to provide a straightforward Python package that allows the user to identify known relationships between all verticals of the Mitre ATT&CK Framework.

  • Strongbox Password Safe is a free, open-source KeePass client for iOS [Ed: iOS from Apple has back doors (see Vault 7 from Wikileaks for instance), so you should not put any passwords in it]
  • Research Finds Loads of Container Vulnerabilities

    Docker containers are great in that it’s easy to get started building an application using frameworks and components that others have made available via open source projects. The challenge, however, is not all those projects are current in terms of their cybersecurity patches. In fact, a developer of a framework may not even be actively supporting it anymore.

    A new report from vulnerability management platform vendor Kenna Security highlights the extent of the problem in the Docker community. Via the VulnerabilitiesContainer.org site, Kenna Security is sharing the results of analyses of containers being reused widely that find some of these open source projects have hundreds of unresolved Common Vulnerabilities and Exposures (CVE) issues.

  • A World of Infinite Choice in Open Source Software

    We recently released the fifth annual State of the Software Supply Chain Report in London. This year, we worked with Gene Kim and Dr. Stephen Magill to examine our largest data sample ever. Our goal? To qualify and quantify how exemplary development teams operate.

    As part of the research we identified the top 3% of DevOps teams using exemplary practices. (Take the quiz to see how your team stacks up.)

    Before we could truly understand these practices, we had to have the right context. The report’s first goal was to compare the use of open source in 2019 to that of years past, and to understand the broader environment developers are working in. As anticipated, open source component use continues to rocket upward.

  • In memoriam – Corby Corbató, MIT computer science pioneer, dies at 93

    Almost everyone’s heard of Linux – it’s the operating system kernel that’s behind a significant proportion of servers on the internet, including most of Google, Facebook, Amazon and many other contemporary online juggernauts.

    In its Android flavour, Linux powers the majority of smartphones out there, and in one form or another it’s also the kernel of choice for many so-called IoT devices such as bike computers, home Wi-Fi routers, webcams, baby monitors and even doorlocks.

    Most people who use Linux know that the name is a sort-of pun on Unix, the operating system that Linux most resembles.

    And Unix, of course, is the operating system behind a significant proportion of the devices out there that don’t run Linux, being at the heart of Apple’s macOS and iOS systems, as well as the various and widely-used open source BSD distributions.
