2021-09-10
Security Leftovers
Google Launched a Secure Open Source (SOS) Program for Developers [Ed: PR stunt from company that undermines security and privacy because that's just its business model]
Google starts the Secure Open Source (SOS) Rewards pilot program, run by the Linux Foundation, with an initial sponsorship of $1 million.
Google has announced that it’s sponsoring a new open source security program hosted by the Linux Foundation. The Secure Open Source (SOS) Rewards pilot program provides financial incentives for developers working on security around critical open source projects.
ROS CVE alert; ensuring security for robotics
Open Robotics has registered a CVE that affects ROS Kinetic, Melodic and Noetic. CVE stands for Common Vulnerabilities and Exposures, and it’s an international system that provides a method for publicly sharing information on cybersecurity vulnerabilities and exposures. This specific CVE affects ROS users.
“An infinite loop in Open Robotics ros_comm XMLRPC server in ROS Melodic through 1.4.11 and ROS Noetic through 1.15.11 allows remote attackers to cause a Denial of Service in ros_comm via a crafted XMLRPC call.”
Open Robotics has already built and tested the security patch and has made the fix available to the community (e.g. Melodic update). So if you haven’t upgraded your ROS stack, please do so.
OpenLogic by Perforce Announces New Download Hub for Enterprise Linux [Ed: Microsoft-connected proxy]
A Closer Look at NSA/CISA Kubernetes Hardening Guidance [Ed: NSA involvement in Kubernetes does not make Kubernetes seem any more secure; quite the contrary and the companies involved here got exposed working for NSA (in Snowden leaks)]
The USA's National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released "Kubernetes Hardening Guidance" on August 3rd, 2021. The guidance details threats to Kubernetes environments and provides secure configuration guidance to minimize risk.
The following sections of this blog correlate to the sections in the NSA/CISA guidance. Any missing sections are skipped because of limited opportunities to add anything new to the existing content.
Note: This blog post is not a substitute for reading the guide. Reading the published guidance is recommended before proceeding as the following content is complementary.
Be Cyber Smart During Cybersecurity Awareness Month [Ed: They put back doors in things and then they cheer for "Cybersecurity Awareness Month"]
CISA and the National Cybersecurity Alliance (NCSA) remind users to continue to “Do Your Part. #BeCyberSmart.” during October—2021’s Cybersecurity Awareness Month!
Wladimir Palant: Abusing Keepa Price Tracker to track users on Amazon pages
As we’ve seen before, shopping assistants usually aren’t a good choice of browser add-on if you value either your privacy or security. This impression is further reinforced by Keepa, the Amazon Price Tracker. The good news here: the scope of this extension is limited to Amazon properties. But that’s all the good news there is. I’ve already written about excessive data collection practices in this extension. I also reported two security vulnerabilities to the vendor.
Today we’ll look at a persistent Cross-Site Scripting (XSS) vulnerability in the Keepa Box. This one allowed any attackers to track you across Amazon web properties. The second vulnerability exposed Keepa’s scraping functionality to third parties and could result in data leaks.
MX Linux 21 Release Candidate Readied for Public Testing with Xfce, KDE Plasma, and Fluxbox Flavors
Coming exactly one month after the second beta release, MX Linux 21 Release Candidate is here with some small changes, numerous bug fixes and updated translations, as well as updated components and the latest security patches from the Debian GNU/Linux 11 “Bullseye” software repositories. MX Linux 21 Release Candidate adds “thick” variants of the xfwm4 mx-comfort themes in the Xfce flagship edition, and adds new mx-comfort color schemes as part of the MX global themes to the KDE Plasma edition, which also received various improvements to the default settings.
GNU/Linux Devices and Hacking on Hardware
today's howtos
elementary OS 6 Updates for September, 2021
We’re back with your monthly report on updates to elementary OS 6! It was another incredibly eventful month as we continued fixing reported issues and focused in especially on improvements to AppCenter and Online Accounts apps like Mail. But before we get to all the goodies, we’re proud to report that OS 6 has been downloaded from our website over 137,000 times—and as always, that’s not including downloads from third parties or direct downloads via torrent that bypass our download page.
More on Google and Some Linux FUD
New Program Rewards Developers for Securing Open Source Software
WordPress, Linux Users in Danger of New Malware: Major Warning Signs of Capoae Attack [Ed: What does this have to do with Linux???]