
Security Leftovers

Filed under: Security
  • 10 Most Commonly Used FOSS Packages

    The Core Infrastructure Initiative Census Program II report released earlier this year identified the most commonly used FOSS components in production applications, with the goal of understanding potential vulnerabilities in these components and better securing the open source software supply chain.

  • Don’t penalise cybersecurity researchers!

    We wrote to the Indian Computer Emergency Response Team regarding a provision in their new Responsible Vulnerability Disclosure and Coordination Policy that penalises cybersecurity researchers for vulnerability disclosures. In our representation, we highlighted how such provisions would create an atmosphere in which researchers would be reluctant about reporting vulnerabilities and recommended that a robust disclosure mechanism be implemented that protects researchers from harm.

    [...]

    Such provisions contribute to a disclosure regime in which security researchers would be liable under the Information Technology Act, 2000 (‘IT Act’), and are penalised for disclosures of genuine security vulnerabilities. Section 43 of the Information Technology Act, 2000 penalizes anyone who gains unauthorized access to a computer resource without permission of the owner, and so fails to draw a distinction between malicious hackers and ethical security researchers. Thus, even when researchers have acted in good faith they may be charged under the IT Act. As we have mentioned earlier, companies have exploited this loophole in the said provision to press charges against cybersecurity researchers who expose data breaches in their companies. The Personal Data Protection Bill, 2019, currently being considered by a Joint Parliamentary Committee, also fails to protect security researchers and whistleblowers. All of this leads to situations in which researchers are reluctant to report vulnerabilities for fear of being sued.

    Clause 7 of the Policy is also in conflict with the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (‘2013 IT Rules’), which adopts a cooperative and collaborative approach. Rule 10 requires CERT-IN to interact with stakeholders, including research organisations and security experts, for preventing cyber security incidents. Under Rule 11(2), CERT-IN is obligated to collaborate with, among others, organisations and individuals engaged in preventing and protecting against cyber security attacks. Thus, by imposing complete and sole responsibility on cyber security researchers for actions undertaken during the discovery of a vulnerability, the policy is in conflict with the collaborative spirit of the 2013 IT Rules and so is a genuine impediment to effective collaboration.

  • Airline Passenger Mistakes Vintage Camera for a Bomb

    Back in 2007, I called this the “war on the unexpected.” It’s why “see something, say something” doesn’t work. If you put amateurs in the front lines of security, don’t be surprised when you get amateur security. I have lots of examples.

  • How to create an effective security policy: 6 tips

    Are your security policies boring? OK, that’s not entirely fair. Security policies are boring, especially to people outside of IT – in the way that children find their parents’ or teachers’ rules “boring.” There’s a limit to how interesting one can make “best practices for creating strong passwords” sound to the masses.

    The point of such policies is to educate people on organizational rules and the habits of good security hygiene. This is the administrative layer of security controls: all of the rules, standards, guidelines, and training an organization puts in place as part of its overall security program. It’s the human-focused component that rounds out the other two general categories of security controls, according to Terumi Laskowsky, an IT security consultant and cybersecurity instructor at DevelopIntelligence. The other two categories are technical/logical controls (your hardware and software tools) and physical controls (things like building or site access).

    Laskowsky notes that people tend to question the value of administrative controls. That’s partly because it can be difficult to measure or “see” their effectiveness, especially relative to technical or physical controls. But Laskowsky and other security experts generally agree that they are necessary. Security is not a steady-state affair – while our security tooling and processes are becoming more automated, a strong posture still requires human awareness, intelligence, and adaptability.

    “Raising our security awareness through administrative controls allows us to start seeing the patterns of unsafe behavior,” Laskowsky says. “We can then generalize and respond to new threats faster than security companies can come up with software to handle them.”

More in Tux Machines

Plasma 5.23 available for Kubuntu 21.10 (Impish Indri) in backports PPA

We are pleased to announce that Plasma 5.23.1 is now available in our backports PPA for Kubuntu 21.10 (Impish Indri). The release announcement detailing the new features and improvements in Plasma 5.23 can be found here.

Pumpkins, markets, and one bad Apple

Imagine your local farmers market: every Saturday the whole town comes together to purchase fresh and homemade goods, enjoy the entertainment, and find that there is always something for everyone. Whatever you need, you can find it here, and anyone can sign up to have their own little stand. It is a wonderful place, or so it seems. Now, imagine starting out as a pumpkin farmer, and you want to sell your pumpkins at this market. The market owner asks 30% of every pumpkin that you sell. It's steep, but the market owner -- we'll call him Mr. Apple -- owns all the markets in your area, so you have little choice. Let's continue this analogy and imagine that, since it is a little hard for you to make ends meet, you decide to tell your customers that they can come visit you at your farm to purchase pumpkins. Mr. Apple overhears and shuts your stand down. You explain that your business cannot be profitable this way, but the grumpy market owner says that you can either comply or find another place. At the end of your rope, you look for information about starting your own farmers market, but it seems Mr. Apple owns every building in town.

In the midst of Apple announcing its new products, attention is drawn away from its ongoing battle to maintain its subjugation over users globally. The Netherlands’ Authority for Consumers and Markets (ACM) last month informed the U.S. technology giant of its decision that the rules around the in-app payment system are anticompetitive, making it the first antitrust regulator to conclude that the company has abused market power in the App Store. And while Apple is appealing this verdict, the European Union is charging the company with another antitrust claim concerning the App Store.

today's howtos

  • How To Install PostgreSQL 14 on Ubuntu 20.04 - howtodojo

    In this tutorial, we learn how to install PostgreSQL 14 on Ubuntu 20.04 (Focal Fossa). PostgreSQL, usually called Postgres, is an open-source object-relational database management system (ORDBMS) with an emphasis on extensibility and standards compliance. PostgreSQL is ACID-compliant and transactional. It is developed by the PostgreSQL Global Development Group (PGDG), which consists of many companies and individual contributors. PostgreSQL is released under the terms of the PostgreSQL License.

  • How to Install Minikube on CentOS 8 - Unixcop

    Minikube is open source software for setting up a single-node Kubernetes cluster on your local machine. The software starts up a virtual machine and runs a Kubernetes cluster inside of it, allowing you to test in a Kubernetes environment locally. Minikube is a tool that runs a single-node Kubernetes cluster in a virtual machine on your laptop. In this tutorial we will show you how to install Minikube on CentOS 8.

  • How to Install and Secure Redis on Ubuntu 20.04 | RoseHosting

    Redis (short for Remote Dictionary Server) is an open-source in-memory data structure store. It’s used as a flexible, highly available key-value database that maintains a high level of performance. It helps to reduce time delays and increase the performance of your application by accessing data in microseconds.

  • How to Upgrade to Ubuntu 21.10 - OMG! Ubuntu!

    If the glowing reviews for the Ubuntu 21.10 release have you intrigued, here’s how to upgrade to Ubuntu 21.10 from an earlier version. Fair warning: this tutorial is super straightforward (the benefits of upgrading after a stable release, rather than a little bit before). Meaning no, you don’t need to be a Linux guru to get going! There are plenty of good reasons to upgrade from Ubuntu 21.04 to Ubuntu 21.10, such as benefiting from a newer Linux kernel, enjoying a new GNOME desktop, sampling the new Yaru Light theme, and getting to go hands-on with an able assortment of updated apps.

  • How to install Adobe Flash Player on a Chromebook

    Today we are looking at how to install Adobe Flash Player on a Chromebook. Please follow the video/audio guide as a tutorial where we explain the process step by step and use the commands below.

  • How to install OnlyOffice on Linux Lite 5.4 - Invidious

    In this video, we are looking at how to install OnlyOffice on Linux Lite 5.4. Enjoy!

  • Jenkins: How to add a JDK version - Anto ./ Online

    This guide will show you how to add a JDK version to Jenkins. If you plan to run a Java build requiring a specific version of the Java Development Kit, you need to do this.

  • Sending Emails: Send them from Linux Terminal? | Linux Journal

    Does your job require sending a lot of emails on a daily basis? And do you often wonder if, or how, you can send email messages from the Linux terminal? This article explains 6 different ways of sending emails using the Linux terminal. Let’s go through them.

Development version: GIMP 2.99.8 Released

GIMP 2.99.8 is our new development version, once again coming with a huge set of improvements.

Some early coverage:

  • GIMP 2.99.8 Released with Clone Tool Tweaks, Support for Windows Ink

    A new development version of GIMP is available to download and it carries some interesting new features. While this isn’t a new stable release — GIMP 2.10.28 is the most recent stable release (and the version you’ll find in Ubuntu 21.10’s archives) — the release of GIMP 2.99.8 is yet another brick in the road to the long-fabled GIMP 3.0 release. And it’s a fairly substantial brick, at that.

  • GIMP 2.99.8 Released As Another Step Toward The Long Overdue GIMP 3.0

    GIMP 3.0 as the GTK3 port of this open-source Adobe Photoshop alternative has been talked about for nearly a decade now and the work remains ongoing. However, out today is GIMP 2.99.8 as the newest development snapshot.