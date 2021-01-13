Security: ID Theft, Microsoft, Free Software Security and Reproducible Builds/Diffoscope
The Taxman Cometh for ID Theft Victims
The unprecedented volume of unemployment insurance fraud witnessed in 2020 hasn’t abated, although news coverage of the issue has largely been pushed off the front pages by other events. But the ID theft problem is coming to the fore once again: Countless Americans will soon be receiving notices from state regulators saying they owe thousands of dollars in taxes on benefits they never received last year.
[Cracked] therapy centre Vastaamo goes into liquidation [iophk: Windows TCO]
The private mental health services company Vastaamo, which has been at the centre of a [cracking] and blackmail scandal since October, has been placed into liquidation.
The decision was made by the company’s owners, management and board of directors at an emergency general meeting held on Thursday and announced in a Friday morning press release.
You cannot manage your supply chain – Open Source Security
What a year it’s been! I feel like 2021 went by like a … it’s still January???
So it’s pretty much impossible to ignore any of the events of the last month. I want to talk about something that’s near and dear to my heart, and in the news, not for a good reason. Software supply chains. This is probably a dreadful topic to most, but I love software supply chains. I was talking about them before anyone was even thinking about them. I’m not going to pull a “get off my lawn” here; I think it’s cool everyone is starting to care. I want to talk about how to be realistic about your supply chain. Almost all advice I’ve seen over the last month has been terrible, so I’m going to also give some terrible advice.
I will start with the usual advice for the worst suggestion every time supply chain discussions happen: You cannot remove all the open source from your supply chain. Even suggesting this would be comparable to making your organization build a coal power plant to go off grid for power. Anyone who suggests this should not be taken seriously.
Now that we have that out of the way, let’s talk about a software supply chain. I wrote a lovely (at least I think it’s lovely) piece about this during Secadvent for DevSecCon. Just go read it, I’m not going to rehash the details here.
diffoscope 166 released
The diffoscope maintainers are pleased to announce the release of diffoscope version 166. This version includes the following changes:
[ Chris Lamb ]
* New features and bugfixes:
  - Explicitly remove our top-level temporary directory. (Closes: #981123, reproducible-builds/diffoscope#234)
  - Increase fuzzy matching threshold to 130 to ensure that we show more differences. (Closes: reproducible-builds/diffoscope#232)
  - Save our sys.argv in our top-level temporary directory in case it helps debug current/errant temporary directories.
  - Prefer to use "magic.Magic" over the "magic.open" compatibility interface. (Closes: reproducible-builds/diffoscope#236)
  - Reduce fuzzy threshold to 110 to prevent some test failures. (Closes: reproducible-builds/diffoscope#233)
* Output improvements:
  - Show fuzziness amount in percentage terms, not out of the rather-arbitrary "400".
  - Improve the logging of fuzzy matching.
  - Print the free space in our temporary directory when we create it, not from within diffoscope.main.
* Codebase improvements:
  - Tidy the diffoscope.comparators.utils.fuzzy module.
  - Update my copyright years.
  - Clarify the grammar of a comment.
  - Clarify in a comment that __del__ is not always called, so temporary directories are not necessarily removed the *moment* they go out of scope.

[ Conrad Ratschan ]
* Fix U-Boot Flattened Image Tree ("FIT") image detection for larger image files. (MR: reproducible-builds/diffoscope!75)
