FUD, Security and Microsoft Spin

Filed under: Microsoft, Security
  • Commercial vs open source software [Ed: Falsehoods all along. FOSS is also "commercial"; they deceive to make proprietary software seem like the only option for commerce]

    Every business owner that needs personalized software has to make a choice between two options: commercial software or open-source software. If you are not familiar with these two terms, worry not, we’ll explain everything.

  • The need for open source audits in cybersecurity M&As [Ed: Microsoft-connected Black Duck is smearing FOSS again... to sell its proprietary software snakeoil]
  • Software Security Witching Hour is Upon us [Ed: Microsoft-connected Black Duck continues to attack FOSS with FUD. Microsoft hates FOSS. It just uses Synopsys et al as proxies for the badmouthing.]
  • Let’s Talk Open Source Trends (A 2020 Early Look) [Ed: Well, Flexera views "open source" as little more than opportunity for "compliance" job (money), much like Black Duck]

    There are two emerging trends to take note of now. First, there’s an increased importance around open source compliance and security due to specific industry regulatory changes and requirements. For example, this year the PCI Security Standards Council introduced a new standard of making electronic payments more secure. The standard requires software companies to continuously identify and assess weaknesses in software applications, including the entire software supply chain; key word here being “continuously.” Prior to the implementation of this standard, companies were advised to monitor their use of open source software with no emphasis on ongoing scanning and management.

  • The First BlueKeep Mass Hacking Is Finally Here—but Don't Panic [Ed: NSA collusion with Microsoft gives us this and much more]

    When Microsoft revealed last May that millions of Windows devices had a serious hackable flaw known as BlueKeep—one that could enable an automated worm to spread malware from computer to computer—it seemed only a matter of time before someone unleashed a global attack. As predicted, a BlueKeep campaign has finally struck. But so far it's fallen short of the worst case scenario.

    Security researchers have spotted evidence that their so-called honeypots—bait machines designed to help detect and analyze malware outbreaks—are being compromised en masse using the BlueKeep vulnerability. The bug in Microsoft's Remote Desktop Protocol allows a hacker to gain full remote code execution on unpatched machines; while it had previously only been exploited in proofs of concept, it has potentially devastating consequences. Another worm that targeted Windows machines in 2017, the NotPetya ransomware attack, caused more than 10 billion dollars in damage worldwide.

    But so far, the widespread BlueKeep hacking merely installs a cryptocurrency miner, leeching a victim's processing power to generate cryptocurrency. And rather than a worm that jumps unassisted from one computer to the next, these attackers appear to have scanned the internet for vulnerable machines to exploit. That makes this current wave unlikely to result in an epidemic.

  • Hackers can steal the contents of Horde webmail inboxes with one click [Ed: Microsoft Zack ('former' employee) not covering Microsoft NSA back doors that cause billions in damage, instead trying to damage the name of FOSS because sending people a malicious link and a trick can cause problems?]

    A security researcher has found several vulnerabilities in the popular open-source Horde web email software that allow hackers to near-invisibly steal the contents of a victim’s inbox.

    Horde is one of the most popular free and open-source web email systems available. It’s built and maintained by a core team of developers, with contributions from the wider open-source community. It’s used by universities, libraries and many web hosting providers as the default email client.

    Numan Ozdemir disclosed his vulnerabilities to Horde in May. An attacker can scrape and download a victim’s entire inbox by tricking them into clicking a malicious link in an email.

  • New Tool Will Find Secrets – Including Crypto Keys – in Your Public Code

    The app, which is open source, scans the code repository GitHub for dangerous files and data. As a beginning coder, you may have left your password data or private keys inside a public repository without realizing. When this happens, hackers and other nasties can easily access your stuff.

  • Briefing: Microsoft's GitHub Employees Still Pushing Back On ICE Contract

    Employees from Microsoft’s GitHub subsidiary are continuing to voice their concerns over the recent decision to renew a software contract with U.S. Immigration and Customs Enforcement (ICE), and at least one GitHub employee has resigned in protest, the Los Angeles Times reported.

    The situation illustrates the difficulties large software companies sometimes experience when integrating acquisitions of smaller companies.

    GitHub, which has built a more diverse and inclusive corporate culture in the years following a gender harassment scandal in 2014, is one of several open source companies where employees pay close attention to how their products are used, said Josh McKenty, an executive who has worked at companies that sell open source software.

    “The open source ethos represents a fundamental attitude of being able to control what happens to your work product,” he said.

More in Tux Machines

Security: Updates, Mozilla AMO and Reproducible Arch Linux Packages

  • Security updates for Monday

    Security updates have been issued by Debian (ampache, chromium, djvulibre, firefox-esr, gdal, and ruby-haml), Fedora (chromium, file, gd, hostapd, nspr, and rssh), openSUSE (bcm20702a1-firmware, firefox, gdal, libtomcrypt, php7, python-ecdsa, python3, samba, and thunderbird), SUSE (apache2-mod_auth_openidc, libssh2_org, and rsyslog), and Ubuntu (bash).

  • Security improvements in AMO upload tools

    We are making some changes to the submission flow for all add-ons (both AMO- and self-hosted) to improve our ability to detect malicious activity. These changes, which will go into effect later this month, will introduce a small delay in automatic approval for all submissions. The delay can be as short as a few minutes, but may take longer depending on the add-on file. If you use a version of web-ext older than 3.2.1, or a custom script that connects to AMO’s upload API, this new delay in automatic approval will likely cause a timeout error. This does not mean your upload failed; the submission will still go through and be approved shortly after the timeout notification. Your experience using these tools should remain the same otherwise.

  • Reproducible Arch Linux Packages

    Arch Linux has been involved with the reproducible builds efforts since 2016. The goal is to achieve deterministic building of software packages to enhance the security of the distribution. After almost 3 years of continued effort, along with the release of pacman 5.2 and contributions from a lot of people, we are finally able to reproduce packages distributed by Arch Linux! This enables users to build packages and compare them with the ones distributed by the Arch Linux team. Users can independently verify the work done by our packagers, and figure out if malicious code has been included in the pristine source during the build, which in turns enhances the overall supply chain security. We are one of the first binary distributions that has achieved this, and can provide tooling down to users. That was the TL;DR! The rest of the blog post will explain the reproducible builds efforts, and the technical work that has gone into achieving this.
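    The verification step described above, a user rebuilding a package and comparing it with the one the distribution ships, boils down to hashing both artifacts and diffing their contents. The following is an added example, not Arch Linux tooling or code from the post: it constructs small in-memory tar archives standing in for a distributed package and a local rebuild (the file contents, paths and the fixed build timestamp are all made up here), then reports whether the two are bit-for-bit identical and, if not, which files differ. The third case shows why deterministic timestamps matter: identical file contents still yield a different archive when the build time leaks into the metadata.

```python
import hashlib
import io
import tarfile

# Constructed sample: a tiny "package" with three files and a fixed build epoch
# (stand-ins for a real package and the SOURCE_DATE_EPOCH value it was built with).
SAMPLE_FILES = {
    "usr/bin/tool": b"\x7fELF-constructed-binary-v1",
    "usr/lib/tool/config.ini": b"[tool]\nverbose=0\n",
    "usr/share/doc/tool/README": b"constructed README\n",
}
SAMPLE_EPOCH = 1572000000  # fixed timestamp so two honest builds agree


def build_package(files, mtime):
    """Write a deterministic uncompressed tar archive into memory.

    Entries are added in sorted order with a fixed mtime, so the same inputs
    always produce the same bytes (the property a reproducible build needs).
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def file_digests(package_bytes):
    """Map each regular file in the archive to the SHA-256 of its contents."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(package_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                digests[member.name] = hashlib.sha256(
                    tar.extractfile(member).read()).hexdigest()
    return digests


def compare_packages(distributed, rebuilt):
    """Compare a distributed package with a local rebuild.

    'reproducible' is the strict bit-for-bit check on the whole archive; the
    per-file lists explain a mismatch so a user can see what was altered.
    """
    archive_identical = (hashlib.sha256(distributed).digest()
                         == hashlib.sha256(rebuilt).digest())
    a, b = file_digests(distributed), file_digests(rebuilt)
    mismatched = sorted(n for n in a.keys() & b.keys() if a[n] != b[n])
    return {
        "reproducible": archive_identical,
        "contents_match": not mismatched and a.keys() == b.keys(),
        "mismatched": mismatched,
        "only_in_distributed": sorted(a.keys() - b.keys()),
        "only_in_rebuilt": sorted(b.keys() - a.keys()),
    }


def demo():
    """Run the three constructed scenarios and return their verdicts."""
    distributed = build_package(SAMPLE_FILES, SAMPLE_EPOCH)

    # 1. Honest rebuild with the same inputs and timestamp: identical bytes.
    honest = build_package(SAMPLE_FILES, SAMPLE_EPOCH)

    # 2. Distributed binary was altered after the source was built: the
    #    rebuild from pristine source exposes the changed file.
    tampered_files = dict(SAMPLE_FILES)
    tampered_files["usr/bin/tool"] = b"\x7fELF-constructed-binary-v1-altered"
    tampered = build_package(tampered_files, SAMPLE_EPOCH)

    # 3. Same contents, but the build time leaked into the metadata: contents
    #    match, yet the archive is not bit-for-bit reproducible.
    timestamped = build_package(SAMPLE_FILES, SAMPLE_EPOCH + 3600)

    return {
        "honest": compare_packages(distributed, honest),
        "tampered": compare_packages(distributed, tampered),
        "timestamped": compare_packages(distributed, timestamped),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} reproducible={result['reproducible']} "
              f"contents_match={result['contents_match']} "
              f"mismatched={result['mismatched']}")
```

    Running the script prints one line per scenario: the honest rebuild is reproducible, the tampered one flags usr/bin/tool, and the timestamp case shows matching contents inside a non-identical archive, which is exactly the kind of difference the reproducible builds work removes from the build process.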

  • Arch Linux Updates Its Kernel Installation Handling

    Arch Linux has updated the behavior when installing the linux, linux-lts, linux-zen, and linux-hardened kernel options on this popular distribution. The actual kernel images for their official Linux, Linux LTS, Linux Zen, and Linux Hardened flavors will no longer be installed to /boot by default. Not having the actual kernel reside on /boot should help those with separate boot partitions that are quite small and avoid running out of space when keeping multiple kernels installed.

Sparky 2019.11 Special Editions

There are new live/install media of Sparky 2019.11 “Po Tolo” Special Editions available to download: GameOver, Multimedia & Rescue. The live system is based on the testing branch of Debian “Bullseye”. GameOver Edition features a very large number of preinstalled games, useful tools and scripts. It’s targeted at gamers. Multimedia Edition features a large set of tools for creating and editing graphics, audio, video and HTML pages. The live system of Rescue Edition contains a large set of tools for scanning and fixing files, partitions and operating systems installed on hard drives.

The Many Features & Improvements of the KDE Plasma 5.18 LTS Desktop Environment

With the KDE Plasma 5.17 release out the door last month, it's time to take a closer look at the new features and improvements coming to KDE Plasma 5.18, which will be released early next year as the next LTS (Long Term Support) version of the open-source desktop environment designed to run on GNU/Linux distributions. Among the enhancements of the KDE Plasma 5.18 LTS desktop environment, we can mention the ability to select and remove multiple Bluetooth devices simultaneously, support for KSysGuard to display stats for Nvidia graphics hardware, and a new "Home" button in System Settings that will take users back to the main page.

Open-spec, dual-port router offers a choice of Allwinner H3 or H5

FriendlyElec’s Linux-driven, $20 “NanoPi R1S-H3” router uses a modified version of the Allwinner H3-based NanoPi R1, upgrading the second LAN port to GbE while removing a USB port. There’s also a similar, $23 “NanoPi R1S-H5” with a quad-A53 H5. Back in February, FriendlyElec launched the community-backed NanoPi R1 router SBC, which still sells for $29. Now it has followed up with two more affordable NanoPi R1S routers based on upgraded versions of the NanoPi R1 that give you dual GbE ports instead of 10/100Mbps and 10/100/1000Mbps. The mainboards are smaller than the R1 at 55.6 x 52mm, and the board and the case have been entirely redesigned.