
Security: Patches, Scams, OWASP and More

Monday 16th of March 2020
Security
  • Updated packages in the past weeks: Plasma5, gcc_multilib, openjdk7 and more

    I do regular updates of packages in my repository. I focus on the software that is popular, or relevant to Slackware. For the software with a high visibility I usually write a blog post to alert people to the new stuff.
    During the last couple of weeks I have not been writing so much about updates due to personal circumstances, some of it has to do with the Corona outbreak.

    I was also affected by the death of Erik Jan Tromp (Slackware’s alphageek) in early March, just after I visited him for a final time in his apartment in Leeuwarden.

  • How Visa built its own container security solution

    Instead of deploying a combination of commercial solutions and spending resources on getting them to work for its environment, Visa's security team went back to basics and created its own continuous monitoring solution that handles security policy enforcement, incident detection and remediation, a project that earned the company a CSO50 Award for security excellence. Called MASHUP (Micro-services based Adaptive Security Hardening and Usage Platform), the solution takes advantage of the native capabilities that already exist on container orchestration platforms such as cgroups, filesystem access controls, and SELinux policies, and it is primarily built on top of open-source tools and libraries.

  • Hackers Use Fake HIV Test Results As Lure to Infect Computers and Steal Data

    Previously, experts found evidence that online crooks were using the novel coronavirus (COVID-19) as a phishing lure, attempting to exploit fears surrounding the ongoing outbreak.

  • Threat Dragon: OWASP launches desktop version of popular threat modeling tool

    The Open Web Application Security Project (OWASP) has released an installable desktop variant of Threat Dragon, its popular threat modeling application.

    The free and open source Threat Dragon tool includes system diagramming and a rule engine to automatically determine and rank security threats, suggest mitigations, and implement countermeasures.

    The newly launched desktop version is based on Electron. There are installers available for both Windows and macOS, as well as RPM and Debian packages for Linux. Models are stored on the local file system.

    There’s also a web application, with model files stored in GitHub – other storage is planned for the future – and OWASP says it is currently maintaining a working prototype in sync with the master code branch.

  • Open-source options offer increased SOC tool interoperability

    Anecdotal evidence of security operations center (SOC) tool overload is overwhelming — at CSO we hear complaints from industry sources about this problem all the time — but the 2019 SANS SOC Survey attempted to quantify the problem. For most survey respondents, there were roughly equal numbers of SOC analysts as there were full-time employees tasked with maintaining the SOC security tools. That's on top of the expense of purchasing those security tools in the first place.

    [...]

    Since October, 25 organisations have joined the OCA, and the alliance hopes to continue to grow to encompass all the major cybersecurity vendors today. Other members include Indegy, CrowdStrike, Fortinet and ReversingLabs.

    “What we’re trying to do as an industry, if we can align around a common data model and a common set of APIs, then that problem [a lack of interoperable security tools] becomes a much smaller problem than it is today,” Chris Smith, principal engineer at McAfee, tells CSO.

    STIX (Structured Threat Information eXpression) is useful “if you’re threat hunting and you want to query all your other tools for evidence of a certain artefact: use STIXShifter to ask that question in a vendor-neutral, platform-agnostic language,” the GitHub rep said.

    “STIXShifter would be the technology that enables a company to search for an indicator of compromise across multiple tools, data repositories,” Jason Keirstead, chief architect, IBM Security Threat Management, tells CSO. (IBM contributed STIXShifter to the project.) “If that search turns up a compromised device, OpenDXL Ontology would be the mechanism that would be used to issue alerts/notifications across other tools in order to begin remediation.”

  • Warning: Are You Using One Of These 20 Dangerous Smartphone PINs?

    But some PIN codes are much more secure than others, and you might be surprised to find out which are the easiest to guess. You would assume, for example, that a longer PIN code was better, but six-digit numbers provide little more security than four-digit ones, according to a study by researchers from Ruhr University, the Max Planck Institute for Security and Privacy in Bochum, Germany and George Washington University in the U.S.

  • Binance Adds Open-Source Implementation for Edwards-Curve Digital Signature

    After sustained development effort, the Binance team has announced the open-source implementation of a Threshold Signature Scheme (TSS) library for the Edwards-Curve Digital Signature Algorithm (EdDSA), which aims to extend support to blockchains such as Cardano, NANO, Stellar Lumens, Waves, and Libra.

    Binance announced the implementation of an open-source Threshold Signature Scheme (TSS) library three months ago, which is considered a major step by Binance that will further contribute to the development of open-source blockchain. That library is compatible with ECDSA-based blockchains, which include Binance Chain, Bitcoin, and Ethereum, and is already used to build token swap bridges and more.

Chips that pass in the night: How risky is RISC-V to Arm, Intel and the others? Very

How well does Intel sleep? It's just rounded off a record year with a record quarter, turning silicon into greenbacks more efficiently than ever, redeeming recent wobbles in the data centre market and missteps in fabrication with double-digit growth. The company should be slumbering with all the unworried ease of Scrooge McDuck on a mattress stuffed with thousand-dollar bills. Yet the wake-up packet of unease should be pinging its management port with some insistence right now. Intel remains a one-trick pony, entirely dependent on the x86 ISA. It has no game in GPUs, it is tuning out of its 5G interests, it has long handed over handsets to Arm. It has memory, it has Wi-Fi, it has wired networking, but compared to the cash cows of edge and central x86, these are barely cash coypu.

KDE: Release of KDE Frameworks 5.68, New Changes and 20.04 RC Next Month

  • KDE Frameworks 5.68 Release Brought Many Fixes

    Flying under our radar until now was that KDE Frameworks 5.68 was released last week as the monthly update to this collection of KDE-minded libraries complementing the Qt tool-kit.

  • Open Source KDE Plasma Mobile Adds New Apps And Improvements

    Apart from the hardware specifications and performance of smartphones, user interfaces also play a significant role in attracting the user’s attention. Hence, it becomes crucial for mobile platforms to work more on the visual aspect of the software. Plasma Mobile is one such software system that supports open-source apps on top of Linux as well as Android mobile platforms. Though it is still under heavy development, the recent changes add major new features and enhancements in applications.

  • 20.04 releases branches created

    Make sure you commit anything you want to end up in the 20.04 releases to them. We're already past the dependency freeze. The Feature Freeze and Beta is this Thursday, 19 of March.

    More interesting dates:

      • April 2: 20.04 RC (20.03.90) Tagging and Release
      • April 16: 20.04 Tagging
      • April 23: 20.04 Release

Programming: Golang, C, Eclipse, Perl and Python/WebRTC

  • Golang project structures for independent teams: A better way to go

    Working in small and independent teams can be tricky for engineers. In my experience as an engineer at Curve, a fast growth scale-up in the fintech sector, I’ve often found that different teams tend to use completely different approaches. This can make moving teams and cross-team communications a challenge. At Curve, we use Golang (or Go for short) for programming. Go is an open-source programming language that makes it easy to build simple, reliable and efficient software. Working with open source language across multiple teams can present its own unique set of challenges. For instance, lots of problems can arise from differences in structure and conforming to different standards. Trying to maintain high code quality standards while also ensuring every project follows best practices can be tough.

  • numpysane and broadcasting in C

    Since the beginning, the numpysane library provided a broadcast_define() function to decorate existing Python routines to give them broadcasting awareness. This was very useful, but slow. I just did lots of typing, and now I have a flavor of this in C (the numpysane_pywrap module; new in numpysane 0.22). As expected, you get fast C loops! And similar to the rest of this library, this is a port of something in PDL: PDL::PP.

  • Eclipse Foundation Survey: IoT Is Real and Adoption Is Growing
  • The Eclipse Foundation Releases IoT Commercial Adoption Survey Results

    The Eclipse Foundation, one of the world’s largest open source foundations focused on the Internet of Things (IoT), today announced the release of its first annual IoT Commercial Adoption survey. One of the first of its kind, this survey’s objective was to gain a better understanding of the IoT industry landscape by identifying the requirements, priorities, and challenges faced by organizations that are deploying and using commercial IoT solutions, including those based on open source technologies. This survey is distinct and separate from the IoT Developer Survey, the industry’s most influential survey from the development front lines, which the Eclipse Foundation has conducted for the last six years.

  • Perl Weekly Challenge 051: 3 Sum and Colourful Numbers
  • WebRTC: a working example

    Recently I had to use WebRTC for a simple project. The technology itself has many advantages and is being developed as an open standard, without the need for any plugins. However, I was quite new to WebRTC and had some problems getting my head around the basic concepts, as well as creating a working solution. There are many tutorials available, but most of them are incomplete, obsolete, or forced me to use some third party services (e.g. Google Firebase), which only made the whole process more complicated to set up and more difficult to understand. I decided to put together the information from all those resources and create a simple, working example of a WebRTC application. It does not require any third party services, unless you want to use it over a public network (in which case owning a server would really help). I hope it will provide a good starting point for everyone who is interested in exploring WebRTC. This is not going to be a full tutorial of the WebRTC technology. You can find plenty of tutorials and detailed explanations all over the internet, for example here. You can also check the WebRTC API, if you want more information. This post is just going to show you one possible working example of WebRTC and explain how it works.

FOSS in Finance

  • Human Rights Foundation Accepts Fully Open Source Bitcoin Donations

    The Human Rights Foundation has just announced that it will be accepting Bitcoin donations via BTC Pay Server. Unlike other payment processing services, BTC Pay Server is an entirely open source project that can’t censor transactions. Previously, Bitcoin payment processing companies have been the subject of controversy. With a middleman facilitating transactions, using Bitcoin with such a service might forfeit both the peer-to-peer and censorship resistance of payments.

  • Digital Monetary System Tagion Claims Open Source User-driven Networks Are The Future Of Liquidity In Crypto Assets And Fiat Digitalisation

    Tagion, a monetary and open banking protocol, has launched its much-anticipated devnet allowing individuals and companies to test a new developer kit and wallet application with everything needed to begin the process of transferring tags.

  • Celo Foundation to develop open-source platform for payments and more

    The Celo Foundation, the group behind the Celo blockchain project, has announced the Alliance for Prosperity. The alliance has 50 founding members across a range of industries, including blockchain and cryptocurrency, finance, venture capital, payment companies, charities and telecommunications. They have committed to develop the Celo blockchain as a decentralised and open-source platform. The platform supports stablecoins, dubbed Celo dollars, which are designed to make financial tools accessible to anyone with a mobile phone. The platform can be used to build mobile applications, including cash transfers, peer-to-peer lending, international remittances and digital wallets.

  • AVA Labs open-sources codebase for decentralized finance blockchain platform

    The codebase for the distributed ledger blockchain platform developed by AVA Labs Inc., a financial blockchain infrastructure development startup, officially became open source today and was released to the global community. AVA’s vision for its blockchain platform is to become the “AWS of finance,” referring to the cloud computing leader Amazon Web Services Inc. It intends to provide blockchain technology for building decentralized financial applications, or DeFi apps.

  • Blockchain can empower women financially, former Mozilla COO says

    In an op-ed for Coindesk, Denelle Dixon, CEO and Executive Director of the Stellar Development Foundation, a non-profit organization that supports the development and growth of Stellar, an open-source blockchain network that connects the world’s financial infrastructure, shared her thoughts about the power of the technology in bridging the financial gap for women. Dixon was formerly the COO of Mozilla, maker of a free and open-source web browser. She also serves as general counsel and legal advisor in private equity and technology.

