
Security Leftovers

  • 36C3: Open Source Is Insufficient To Solve Trust Problems In Hardware

    With open source software, we’ve grown accustomed to a certain level of trust that whatever we are running on our computers is what we expect it to actually be. Thanks to hashing and public key signatures in various parts in the development and deployment cycle, it’s hard for a third party to modify source code or executables without us being easily able to spot it, even if it travels through untrustworthy channels.

    Unfortunately, when it comes to open source hardware, the number of steps and parties involved that are out of our control until we have a final product — production, logistics, distribution, even the customer — makes it substantially more difficult to achieve the same peace of mind. To make things worse, to actually validate the hardware on chip level, you’d ultimately have to destroy it.

    In his talk this year at the 36C3, [bunnie] showed a detailed insight of several attack vectors we could face during manufacturing. Skipping the obvious ones like adding or substituting components, he’s focusing on highly ambitious and hard to detect modifications inside an IC’s package with wirebonded or through-silicon via (TSV) implants, down to modifying the netlist or mask of the integrated circuit itself. And these aren’t any theoretical or “what if” scenarios, but actual possible options — of course, some of them come with a certain price tag, but in the end, with the right motivation, money is only a detail.

  • Election security, ransomware dominate cyber concerns for 2020 [iophk: Windows TCO]

    Senate Democrats have repeatedly tried to force Senate Majority Leader Mitch McConnell (R-Ky.) to schedule votes on a raft of various election security bills. The House has passed three major pieces of election security legislation this year that have stalled amid Republican objections in the Senate.

  • There’s Money To Be Made In Taming Open Source Software Code

    “We’re trying to create order out of chaos,” said CEO Wayne Jackson of his company, Sonatype.

    [...]

    “We are building the world’s critical infrastructure on software somebody else wrote, a stranger with unknown skills, motivations and desires, but the desire to innovate is so high, we’re willing to accept the risk of using some random person’s software invention,” Jackson said.

    Sometimes developers understand the practical use of the open source code they’re creating, and sometimes they don’t, according to Jackson. 

  • Medley India Infosolution helps Indian Railways build crew management software system

    The system design is end-to-end UNIX and Linux, thereby immunising the systems against malicious threats. The solution has immense power to control the client locations from a central location by way of maintenance tasks, time synchronisation, patch updates and a variety of user access requirements, thus speeding up the service request handling from a remote location. Service requests can be lodged into the CMS system and are automated through SMS call lodging and reminder mechanisms. At the client side the users are authenticated via a biometric device (thumb impression reader) for logging onto the applications via a kiosk which ensures an audit trail and logging of activities for transparency and accountability.
