Security, Openwashing, Proprietary Software and Back Doors

Filed under
Security
  • Reproducible Builds in July 2020

    Welcome to the July 2020 report from the Reproducible Builds project.

    In these monthly reports, we round-up the things that we have been up to over the past month. As a brief refresher, the motivation behind the Reproducible Builds effort is to ensure no flaws have been introduced from the original free software source code to the pre-compiled binaries we install on our systems. (If you’re interested in contributing to the project, please visit our main website.)

  • Have I Been Pwned — which tells you if passwords were breached — is going open source

    While not all password checkup tools actually use Hunt’s database (a just-announced LastPass feature calls on one hosted by Enzoic instead), many of them are apparently based on the same “k-Anonymity” API that Cloudflare engineering manager Junade Ali originally designed to support Have I Been Pwned’s tool.
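The k-Anonymity range query mentioned above, as an added example that is not code from the article, Cloudflare or Have I Been Pwned: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, and matches the remaining 35 characters locally against the suffixes the service returns, so the service never sees the full hash. The fake_fetch_range endpoint, the counts and the two extra suffixes are constructed stand-ins; only the SHA-1 of "password" is real.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed stand-in for the range endpoint (prefix -> "SUFFIX:COUNT" lines).
# The SHA-1 of "password" really starts 5BAA61E4...; the counts and the other
# two suffixes are made-up sample data so that the block runs offline.
FAKE_RANGE_DB: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
    ]),
}

SEEN_PREFIXES: List[str] = []  # everything the fake "server" ever received


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for GET /range/{prefix}; records what it was sent."""
    SEEN_PREFIXES.append(prefix)
    return FAKE_RANGE_DB.get(prefix, "")


def split_hash(password: str):
    """SHA-1 the password and split the hex digest into the 5-char prefix that
    leaves the machine and the 35-char suffix that never does."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping blank or malformed lines."""
    result: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            result[suffix.upper()] = int(count)
    return result


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: send only the prefix, match the suffix locally.
    Returns the breach count, or 0 when the suffix is absent from the range."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    print(breach_count("password", fake_fetch_range))  # 3861493 (constructed count)
    print(SEEN_PREFIXES)                                # ['5BAA6']: only the prefix left the client
```

Against the real service, fetch_range would be an HTTPS GET of the prefix; the matching logic stays the same.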

  • Facebook’s new open-source Pysa security tool detects [cr]ackable code

    Pysa is designed exclusively to analyze code written in Python. That limits the scenarios where the tool can be applied, but it could be still useful for other companies because Python is the world’s second most widely used programming language as of earlier this year. It’s especially popular in artificial intelligence development and is also the language in which most of the code for Instagram is written.

    Facebook has applied Pysa to the Instagram code base to great effect. According to the company, the tool was responsible for spotting 44% of the server-side security issues that it detected in the photo sharing service during the first half of 2020. Some 49 of the flaws Pysa caught were determined to be “severe” vulnerabilities.

    Under the hood, the tool works by employing a technique known as static code analysis. It sifts through Facebook developers’ raw code files without the delay of running them to quickly generate security assessments.

  • [Cr]ackers can still steal wads of cash from ATMs. Here's the vulnerabilities that could let them in.

    “You’re literally trusting this machine to hold thousands of dollars, but it’s running [Windows operating system] CE 6.0? It is just a computer, on a network, running an older operating system,” Keown said, noting that the latest release for CE 6.0 was over a decade ago in 2009. “This is still a problem. Let’s focus some effort here and see if we can’t move the needle in the right direction.”

  • Canon Admits Ransomware Attack in Employee Note, Report

    The consumer-electronics giant has suffered partial outages across its U.S. website and internal systems reportedly, thanks to the Maze gang.

  • Windows, Gates and a firewall: Microsoft's delicate castle in China

    Microsoft arrived in China in 1992 and opened its largest research and development centre outside the United States. It now employs around 6,200 people in China.

  • All you need to hijack a Mac is an old Office document and a .zip file

    The exploit uses a rigged Office document, saved in an archaic format (.slk), to trick the target machine into allowing Office to activate macros without consent and without notifying the user.

    The attack then takes advantage of two further vulnerabilities in order to seize control of the machine. By including a dollar sign at the start of the filename, [an attacker] can break free of the restrictive Office sandbox, while compressing the file within a .zip folder bypasses macOS controls that prevent downloaded items from accessing user files.

  • Apple’s Chinese business could be devastated by Trump’s WeChat ban

    Apple has a significant Chinese customer base, and nearly all of its critical manufacturing and assembly partners are based there. Trump’s ban might not only force Apple to remove WeChat from its App Store — which would destroy Apple’s Chinese smartphone business — it could existentially change how Apple is able to build and sell new products in the future.

  • It's Time To Stop Talking and Take Action Against the Beasts that Want to Control Us

    I know I have not been active on this BLOG the past year. No reasons. Anyway, I'm back at it. This time, I have a specific focus on Big Tech. The way I see it, the root of the problem is not the tech companies themselves, it starts with the software we use. This includes Adobe, Intuit, Microsoft. I call them AIM. They are the worst offenders in their attempts to control the free world.

More in Tux Machines

Leftovers: Canonical on Banks, Raspberry Pi and Curl

  • A ‘Connected’ Bank – The power of data and analytics

    The next 10 years will redefine banking. What will differentiate top banks from their competitors? Data and derived insights. Banks across the globe have been immersed in their digital agenda and with customers adopting digital banking channels aggressively, banks are collecting massive volumes of data on how customers are interacting at various touch points. Apart from the health of balance sheets, what will differentiate top banks from the competition is how effectively these data assets will be used to make banking simpler and improve their products and services. The challenge for large global banks so far has been to capitalise on huge volumes of data that their siloed business units hold and are often constrained by manual processes, data duplication and legacy systems. The use cases for data and analytics in banking are endless. Massive data assets will mean that banks can more accurately gauge the risk of offering a loan to a customer. Banks are using data analytics to improve efficiency and increase productivity. Banks will be able to use their data to train machine learning (ML) algorithms that can automate many of their processes. Artificial Intelligence (AI) solutions have the potential to transform how banks deal with regulatory compliance issues, financial fraud and cybercrime. Banks will have to get better at using customer data for greater personalisation, enabling them to offer products and services tailored to individual consumers in real time. Today, banks have only just scratched the surface of data analytics. [...] For data analytics initiatives, banks now have the option of leveraging the best of open source technologies. Open source databases such as PostgreSQL, MongoDB and Apache Cassandra can deliver insights and handle any new source of data. With data models flexible enough for rich modern data, a distributed architecture built for cloud scale, and a robust ecosystem of tools, open source data platforms can help banks break free from data silos and enable them to scale their innovation.

  • Embedding computational thinking skills in our learning resources
  • Daniel Stenberg: Reducing mallocs for fun

    Everyone needs something fun to do in their spare time. And digging deep into curl internals is mighty fun! One of the things I do in curl every now and then is to run a few typical command lines and count how much memory is allocated and how many memory allocation calls are made. This is good project hygiene and is a basic check that we didn’t accidentally slip in a malloc/free sequence in the transfer path or something. We have extensive memory checks for leaks etc. in the test suite so I’m not worried about that. Those things we detect and fix immediately, even when the leaks occur in error paths – thanks to our fancy “torture tests” that do error injections. The amount of memory needed or number of mallocs used is more of a boiling frog problem. We add one now, then another months later and a third the following year. Each added malloc call is motivated within the scope of that particular change. But taken all together, does the pattern of memory use make sense? Can we make it better?

  • Daniel Stenberg: a Google grant for libcurl work

    Earlier this year I was the recipient of a monetary Google patch grant with the expressed purpose of improving security in libcurl. This was an upfront payout under this Google program describing itself as “an experimental program that rewards proactive security improvements to select open-source projects”. I accepted this grant for the curl project and I intend to keep working fiercely on securing curl. I recognize the importance of curl security as curl remains one of the most widely used software components in the world, and even one that is doing network data transfers which typically is a risky business. curl is responsible for a measurable share of all Internet transfers done over the Internet an average day. My job is to make sure those transfers are done as safe and secure as possible. It isn’t my only responsibility of course, as I have other tasks to attend to as well, but still.

Web Browsing: Mozilla Firefox, Project Maelstrom and FreeTube on PCLinuxOS

  • Firefox usage is down 85% despite Mozilla's top exec pay going up 400%

    One of the most popular and most intuitive ways to evaluate an NGO is to judge how much of their spending is on their programme of works (or "mission") and how much is on other things, like administration and fundraising. If you give money to a charity for feeding people in the third world you hope that most of the money you give them goes on food - and not, for example, on company cars for head office staff.

    Mozilla looks bad when considered in this light. Fully 30% of all expenditure goes on administration. Charity Navigator, an organisation that measures NGO effectiveness, would give them zero out of ten on the relevant metric. For context, to achieve 5/10 on that measure Mozilla admin would need to be under 25% of spending and, for 10/10, under 15%.

  • This is a pretty dire assessment of Mozilla

    Back to Mozilla -- in my humble but correct opinion, Mozilla should be doing two things and two things only:

    1. Building THE reference implementation web browser, and

    2. Being a jugular-snapping attack dog on standards committees.

    3. There is no 3.

  • The Talospace Project: Firefox 81 on POWER

    Firefox 81 is released. In addition to new themes of dubious colour coordination, media controls now move to keyboards and supported headsets, the built-in JavaScript PDF viewer now supports forms (if we ever get a JIT going this will work a lot better), and there are relatively few developer-relevant changes. This release heralds the first official change in our standard POWER9 .mozconfig since Fx67. Link-time optimization continues to work well (and in 81 the LTO-enhanced build I'm using now benches about 6% faster than standard -O3 -mcpu=power9), so I'm now making it a standard part of my regular builds with a minor tweak we have to make due to bug 1644409. Build time still about doubles on this dual-8 Talos II and it peaks out at almost 84% of its 64GB RAM during LTO, but the result is worth it.

  • What happened to BitTorrent’s Project Maelstrom web browser?

    In April 2015, BitTorrent Inc. announced the public beta of Project Maelstrom, its new experimental peer-to-peer web browser. The browser reimagined the web using the company’s namesake file-sharing protocol. Websites would be distributed equally by its visitors instead of being hosted by an expensive central webserver. The company published a beta and some blog posts, but then never mentioned Project Maelstrom again. What happened to it? Project Maelstrom was launched four years after Opera had launched Opera Unite (Project Alien). Unite gave everyone their own web server built right into its web browser. It enabled anyone to host a website, share photos, and do all sorts of web things like music streaming directly from their own computer. Unite failed to account for people wanting to shut their computers — now servers — off at the end of the day, however. BitTorrent’s Project Maelstrom sought to fix this limitation by making everyone who visited a website help contribute to its distribution! As long as someone else was hosting a copy of it, you could shut down your computer for the night without taking your website offline with it.

  • Freetube 0.7.3 added to repository

    FreeTube is a YouTube client built around using YouTube more privately. You can enjoy your favorite content and creators without your habits being tracked. All of your user data is stored locally and never sent or published to the internet. Being powered by the Invidious API, FreeTube has become one of the best methods to watch YouTube privately on the desktop.

Programming Leftovers

  • News from PHP: releases, features, and syntax

    The PHP project has recently released three new versions; two in the PHP 7 series (7.3.22 and 7.4.10) and PHP 8.0beta3. Both PHP 7 releases were for bug fixes, addressing approximately 20 issues which can be seen in the release notes for 7.4.10 and 7.3.22. The most notable of these fixes addressed a language-wide memory leak when using compound assignments, and crash fixes when xml_parser_free() and array_merge_recursive() are called. While the project continues to provide bug-fix releases for PHP 7, development on PHP 8.0 is steaming ahead. The community has succeeded thus far in keeping with its release schedule; it is still on-target for general availability of PHP 8.0 on November 26. One noteworthy recent decision by the project was to drop support for OpenSSL version 1.0.1. Originally, PHP 8.0beta3 was to be the last beta release before entering into the release-candidate (RC) phase, when implementation details regarding APIs and behavior should stop changing. That plan changed, however, at the request of Nikita Popov. In the request to release manager Sara Golemon, Popov said more time was needed, suggesting eliminating the final RC5 release in exchange for an extra beta release...

  • How to use C++ String Literal

    The computer keyboard has characters printed on it. When you press a key, you see the character on the screen. Note: space is also a character. A string literal is a sequence of characters. This article explains how to use C++ string literals. You should know about C++ arrays and pointers to understand this article.

  • Goneovim: Turning Vim Into Emacs One Step At A Time

    I've seen a few people recommending a GUI for vim and I had never really given one a shot, so I decided to take up one of your suggestions and do so. Today we're looking at an application known as Goneovim which, as the name implies, is written in Go. It has some neat features, but is it worth running a GUI for? I'll let you see.

  • What if data was code?

    Code? Data? Data? Code?

  • I Write comment to Perl7 is a fork of values

    I think the current Perl 7 plan is very heavy for the resources available to the Perl community. Perl 7 will succeed if many people welcome it and everyone supports it. However, I think the remaining users of Perl will remain because of the stability of that Perl.

  • Perl Weekly Challenge 79: Count Set Bits and Trapped Rain Water

    These are some answers to the Week 79 of the Perl Weekly Challenge organized by Mohammad S. Anwar. Spoiler Alert: This weekly challenge deadline is due in a couple of days (September 27, 2020). This blog post offers some solutions to this challenge, please don’t read on if you intend to complete the challenge on your own.

  • Sebastian Witowski: Sorting Lists

    There are at least two common ways to sort lists in Python:

    - With the sorted function that returns a new list
    - With the list.sort method that modifies the list in place

    Which one is faster? Let’s find out!

Proprietary Software: Todoist, FreeOffice, and Even Worse

  • Todoist Takes on Trello with New Kanban Board Feature

    Todoist now has a Kanban board feature similar to that made popular by Trello. Kanban boards are an effective project management tool designed to make it easier to organise tasks within projects and get an overview of overall project status. While Kanban boards aren’t super fancy they are, for some, super useful. “A more visual way to organize your projects. Drag tasks between sections, visualize your progress, and simplify your teamwork,” Todoist say of the feature.

  • SoftMaker FreeOffice: A cross-platform Office suite that’s fully compatible to MS Office

    Most Linux users are well-acquainted with LibreOffice – many distributions have it pre-installed. Fewer know its powerful alternative: FreeOffice is a full-fledged office solution with full support for Microsoft Office file formats. It consists of a word processor, a spreadsheet and a presentation program. True to its name, FreeOffice is fully free and available for Linux in 32-bit and 64-bit versions. FreeOffice is far from a LibreOffice clone. The software is being developed by a German software company with a history going all the way back to 1987. Due to its background, FreeOffice has far more in common with Microsoft Office than with LibreOffice.

  • Cutting corners on cybersecurity can leave costly holes [iophk: Windows TCO]

    Such attacks can paralyse an organisation as it weighs up concerns over prolonged business interruption, reputational damage and data protection responsibilities against the financial impact and the ethical implications of capitulating to the demands. The decision to pay or not to pay is very much the question – especially when university budgets are so tight.

    The advice of the NCSC, as well as Jisc, is very clear: do not pay! A range of reasons are cited, but the prime one is the inability of institutions to be sure that the [attacker] will undo the damage and not exploit the data breach at a later date. Those who pay up justify doing so on the grounds of business criticality and expediency. They also rely on the “honour among thieves” paradigm that [attackers] will stick to their word so that victims of future attacks will also feel confident in paying up.

  • As critics call for deplatforming, defunding, and prosecution over Leila Khaled discussion, San Francisco State University president gets it right

    Yesterday, Zoom refused to allow the university to use its service for the discussion — a cancellation praised by FCC Commissioner Brendan Carr, who said there was no “need to hear both sides.” It is not yet clear whether the organizers of the event will switch to another channel of communication.