Proprietary Software and New FUD

Filed under
Security
  • Back to Windows after twenty years

    See, the whole reason I thought Windows might be a suitable alternative for me was all the enthusiasm around Windows Linux Subsystem (WSL). Basically putting all the *nix tooling at your fingertips, like it is on OSX, in a way that doesn’t require crazy hoops.

    But it’s just not there. The first version of WSL is marred with terrible file-system performance, and I got to feel that right away, when I spent eons checking out a git repository via GitHub for Windows. A 10-second operation on OSX took 5-6 minutes on Windows.

    [...]

    Windows still clearly isn’t for me. And I wouldn’t recommend it to any of our developers at Basecamp. But I kinda do wish that more people actually do make the switch. Apple needs the competition. We need to feel like there are real alternatives that not only are technically possible, but a joy to use. We need Microsoft to keep improving, and having more frustrated Apple users cross over, point out the flaws, and iron out the kinks, well, that’s only going to help.

  • These Machines Can Put You in Jail. Don’t Trust Them.

    The machines are sensitive scientific instruments, and in many cases they haven’t been properly calibrated, yielding results that were at times 40 percent too high. Maintaining machines is up to police departments that sometimes have shoddy standards and lack expertise. In some cities, lab officials have used stale or home-brewed chemical solutions that warped results. In Massachusetts, officers used a machine with rats nesting inside.

    Technical experts have found serious programming mistakes in the machines’ software. States have picked devices that their own experts didn’t trust and have disabled safeguards meant to ensure the tests’ accuracy.

    The Times interviewed more than 100 lawyers, scientists, executives and police officers and reviewed tens of thousands of pages of court records, corporate filings, confidential emails and contracts. Together, they reveal the depth of a nationwide problem that has attracted only sporadic attention.

  • Uber’s Self-Driving Car Didn’t Know Pedestrians Could Jaywalk

    The software inside the Uber self-driving SUV that killed an Arizona woman last year was not designed to detect pedestrians outside of a crosswalk, according to new documents released as part of a federal investigation into the incident. That’s the most damning revelation offered up in a trove of new documents related to the crash, but other details indicate that, in a variety of ways, Uber’s self-driving car work failed to consider how humans actually operate.

  • Libarchive vulnerability can lead to code execution on Linux, FreeBSD, NetBSD [Ed: Very typical ZDNet FUD from Catalin Cimpanu, their drama queen hired from a lying site. To exploit the alleged bug one needs to run (and get) malicious files. But CBS tabloids with money from Microsoft don't let facts get in the way. Skip the headline and find "Exploitation scenarios include users who receive malicious files from attackers or local apps that use Libarchive's various components for file decompression."]

  • Former CIA Employee Who Allegedly Disclosed ‘Vault 7’ Files To WikiLeaks Challenges Espionage Act Charges

    Former CIA employee Josh Schulte, who is accused of leaking the “Vault 7” files to WikiLeaks, urged a federal court to rule the Espionage Act is unconstitutional. He also asked the court to dismiss the Espionage Act charges against him.

    The files Schulte allegedly released brought scrutiny to the CIA’s hacking arsenal, which targeted smartphones and computers. A program called “Weeping Angel” that allowed the CIA to attack Samsung F8000 TVs and convert them into spying devices was exposed. They also showed how the CIA targeted Microsoft Windows, as well as Signal and WhatsApp users, with malware.

More on libarchive

  • Linux users warned to update libarchive to beat flaw [Ed: If users do not download malicious, dodgy files and then execute these, that might be fine. Same for macros in documents. It's not a major or critical issue.]

    The bug is identified as CVE-2019-18408, a high-priority ‘use-after-free’ bug when dealing with a failed archive.

    No real-world exploits have been detected but if one existed, it would attempt to use a malicious archive to induce a denial-of-service state or arbitrary code execution.

More in Tux Machines

Security Leftovers

  • Security updates for Monday

    Security updates have been issued by Debian (pillow, ruby-kramdown, wpa, and xrdp), Fedora (ark and rpki-client), Gentoo (apache, ark, global, gthumb, and iproute2), openSUSE (chromium, grub2, java-11-openjdk, libX11, and opera), Red Hat (bind, chromium-browser, java-1.7.1-ibm, java-1.8.0-ibm, and libvncserver), SUSE (LibVNCServer, perl-XML-Twig, thunderbird, and xen), and Ubuntu (samba).

  • Have I Been Pwned to release code base to the open source community

    Members of the general public can submit their email addresses into the Have I Been Pwned search engine to find out if they have been "pwned," and if their emails have been linked to a data breach, each one and a summary of what happened is displayed -- as well as what information has been exposed. Since its launch in 2013, Hunt has poured more resources, including time and energy, into managing the search engine over time, expanding the service to include domain monitoring and breach alerts. At the heart, one main operator isn't enough to ensure future scalability or sustainability, and with this in mind, Hunt previously attempted to find a buyer to help expand his life's work. Unfortunately, the merger and/or acquisition process failed, and so Hunt has decided to pursue another alternative -- opening up the Have I Been Pwned code base to the open source community.

  • Researcher Demonstrates Several Zoom Vulnerabilities at DEF CON 28

    Popular video conferencing app Zoom has addressed several security vulnerabilities, two of which affect its Linux client that could have allowed an attacker with access to a compromised system to read and exfiltrate Zoom user data—and even run stealthy malware as a sub-process of a trusted application. According to cybersecurity researcher Mazin Ahmed, who presented his findings at DEF CON 2020 yesterday, the company also left a misconfigured development instance exposed that wasn't updated since September 2019, indicating the server could be susceptible to flaws that were left unpatched.

Red Hat/Fedora Leftovers

  • Fedora Nest 2020

    This year Flock did not happen due to COVID-19, and in its place, Fedora Nest happened. After many events I’ve seen going virtual in the last few months, I was skeptical. I was yet to see an acceptable online platform to run events. I was wrong on the platform. Fedora Nest used Hopin, which is by far the best platform for events I’ve seen so far. Don’t get your expectations too high, though, because when I say the best one I’ve seen so far, it only means that it is usable, and it does not mean in any way that it is on par with real conferences. I might be a weird being, but I find traveling relaxing, so I usually add to the joy of the conference the pleasure of traveling. In addition to this, at conferences, I find myself connecting with people - sometimes briefly, sometimes more deeply - and this does not occur in online events. For those reasons, I really hope we will be able to soon go back to in-person conferences.

  • Miroslav Suchý: Nest 2020 - my notes

    This year, we had the Nest conference instead of the traditional Flock, which has been canceled due to COVID. The conference happened purely remotely over the Hopin video conference. This was good and bad. The good is that we saved a lot on traveling and that it happened at all. It would be bad if it was canceled. The bad part was that I found it hard to focus on the conference. There are too many distractions at home. It was much harder to socialize. And a lot of people had issues with either their microphone or their internet upload. It was sometimes hard to follow. The conference was organized mostly for US folks, and therefore some sessions were very late in my timezone.

  • Btrfs by default status updates, 2020-08-09

  • Fedora Btrfs Activity Continues - New Options To Control Discard, Compression

    Fedora developers continue embracing the work on making the Btrfs file-system the default for F33 desktop variants. Their latest progress report indicates new installation options being wired up for the Btrfs support. A new Anaconda Kickstart install configuration knob is being added for setting the async discard behavior for solid-state drives. This configuration option will simply set the Btrfs DISCARD option to be enabled by default per the /etc/fstab options. They are still weighing whether to make it the default, or, more than likely, that default transition would be next year for Fedora 34.

  • “To be, or not to be,” vulnerable… How customers and partners can understand and track Red Hat security vulnerabilities

    That is the question. Yes, I believe William Shakespeare was thinking about container security when he began Act 3 of Hamlet. He probably scanned his Red Hat Universal Base Image (UBI) 8 container with multiple vulnerability scanners, and with "the heart-ache and the thousand natural shocks", noticed each report told him something different. One report said his container had a vulnerability, another indicated the vulnerability was patched, and another didn’t even show the vulnerability. As Hamlet contemplates his fate, it’s no wonder he says: "With this regard their currents turn awry, And lose the name of action." In other words, he rips up the reports and does nothing! In many ways our customers are experiencing the same vulnerability inconsistencies as Hamlet. But unlike our hero’s tragic fate, there is some good news: Red Hat is working with independent software vendors (ISVs) to help drive vulnerability consistency for both Red Hat and our partners.

  • Kubernetes and the hybrid cloud with Skupper

    DevNation Tech Talks are hosted by the Red Hat technologists who create our products. These sessions include real solutions plus code and sample projects to help you get started. In this talk, you’ll learn about Kubernetes and the hybrid cloud with Skupper from Ted Ross and Burr Sutter.