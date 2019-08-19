Security: Updates, Linux "Lockdown" Patches, Webmin FUD (Mischaracterisation) and Dawn for Security Vulnerabilities in HPC
Security updates for Tuesday
Security updates have been issued by Debian (flask), openSUSE (clementine, dkgpg, libTMCG, openexr, and zstd), Oracle (kernel, mysql:8.0, redis:5, and subversion:1.10), SUSE (nodejs6, python-Django, and rubygem-rails-html-sanitizer), and Ubuntu (cups, docker, docker-credential-helpers, kconfig, kde4libs, libreoffice, nova, and openldap).
Linux "Lockdown" Patches Hit Their 40th Revision
The long-running Linux "Lockdown" patches were sent out again overnight for their 40th time but it remains to be seen if these security-oriented patches will be pulled in for the upcoming Linux 5.4 cycle.
The Linux Lockdown functionality is for restricting access to the kernel and underlying hardware by blocking writes to /dev/mem, restricting PCI BAR and CPU MSR access, disabling system hibernation support, limiting Tracefs, and restricting or outright disabling other functionality that could alter the hardware state or running Linux kernel image.
Linux Lockdown has been opt-in only and designed for use-cases like honoring UEFI SecureBoot for ensuring nothing nefarious could happen once booted into the operating system by bad actors. Most end-users won't voluntarily want the lockdown mode due to all the restrictions in place, but could be a favor for enterprises and very security conscious users.
Backdoor Found in Webmin Utility [Ed: It is not a back door but a bug inserted by a malicious entity rather than the project developers themselves; this incident demonstrates or classically highlights the need for reproducible builds.]
On August 17, the developer of the popular Webmin and Usermin Unix tools pushed out an update to fix a handful of security issues. Normally that wouldn’t generate an avalanche of interest, but in this case, one of those vulnerabilities was introduced intentionally by someone who was able to compromise the software build infrastructure used by the developers.
A New Dawn for Security Vulnerabilities in HPC
In February 2018, Russian nuclear scientists at the Federal Nuclear Center were arrested for using their supercomputer resources to mine the crypto-currency, Bitcoin. Previously, high-performance computing (HPC) security breaches like this tended to be few and far between. However, recent trends are increasing the vulnerabilities and threats faced by HPC systems.
Previously, compute clusters enjoyed a level of security through obscurity due to their idiosyncratic architectures in terms of both hardware, with different CPU architectures and networking, and software of often home-grown applications running on Unix-like operating systems. In addition, the reward for compromising a cluster wasn’t all that great. Although hacking into HPC data generated by atomic weapons research and pharmaceutical modelling does present a valuable outcome; meteorological institutes, astrophysics laboratories or other mathematical research is less so.
Chromebooks Switching Over To The BFQ I/O Scheduler
On Chromebooks when moving to the latest Chrome OS that switches over to a Linux 4.19 based kernel, BFQ has become the default I/O scheduler. BFQ has been maturing nicely and as of late there's been an uptick in interest around this I/O scheduler with some also calling for it to be used by default in distributions. Google has decided BFQ is attractive enough to enable by default for Chromebooks to provide better responsiveness.
