Language Selection

English French German Italian Portuguese Spanish

Security Leftovers

Filed under
Security
  • 10 Most Commonly Used FOSS Packages

    The Core Infrastructure Initiative Census Program II report released earlier this year identified the most commonly used FOSS components in production applications, with the goal of understanding potential vulnerabilities in these components and better securing the open source software supply chain.

  • Don’t penalise cybersecurity researchers!

    We wrote to the Indian Computer Emergency Response Team regarding a provision in their new Responsible Vulnerability Disclosure and Coordination Policy that penalises cybersecurity researchers for vulnerability disclosures. In our representation, we highlighted how such provisions would create an atmosphere in which researchers would be reluctant about reporting vulnerabilities and recommended that a robust disclosure mechanism be implemented that protects researchers from harm.

    [...]

    Such provisions contribute to a disclosure regime in which security researchers would be liable under the Information Technology Act, 2000 (‘IT Act’), and are penalised for disclosures of genuine security vulnerabilities. Section 43 of the Information Technology Act, 2000 penalizes anyone who gains unauthorized access to a computer resource without permission of the owner, and so fails to draw a distinction between malicious hackers and ethical security researchers. Thus, even when researchers have acted in good faith they may be charged under the IT Act. As we have mentioned earlier, companies have exploited this loophole in the said provision to press charges against cybersecurity researchers who expose data breaches in their companies. The Personal Data Protection Bill, 2019, currently being considered by a Joint Parliamentary Committee, also fails to protect security researchers and whistleblowers. All of this leads to situations in which researchers are reluctant to report vulnerabilities for fear of being sued.

    Clause 7 of the Policy is also in conflict with the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (‘2013 IT Rules’) which adapts a cooperative and collaborative approach. Rule 10 requires CERT-IN to interact with stakeholders including research organisations and security experts for preventing cyber security incidents. Under Rule 11(2), CERT-IN is obligated to collaborate with, among others, organisations and individuals engaged in preventing and protecting against cyber security attacks. Thus, by imposing complete and sole responsibility on cyber security researchers for actions undertaken during the discovery of a vulnerability, the policy is in conflict with the collaborative spirit of the 2013 IT Rules and so is a genuine impediment to effective collaboration.

  • Airline Passenger Mistakes Vintage Camera for a Bomb

    Back in 2007, I called this the “war on the unexpected.” It’s why “see something, say something” doesn’t work. If you put amateurs in the front lines of security, don’t be surprised when you get amateur security. I have lots of examples.

  • How to create an effective security policy: 6 tips

    Are your security policies boring? OK, that’s not entirely fair. Security policies are boring, especially to people outside of IT – in the way that children find their parents’ or teachers’ rules “boring.” There’s a limit to how interesting one can make “best practices for creating strong passwords” sound to the masses.

    The point of such policies is to educate people on organizational rules and the habits of good security hygiene. This is the administrative layer of security controls: all of the rules, standards, guidelines, and training an organization puts in place as part of its overall security program. It’s the human-focused component that rounds out the other two general categories of security controls, according to Terumi Laskowsky, an IT security consultant and cybersecurity instructor at DevelopIntelligence. The other two categories are technical/logical controls (your hardware and software tools) and physical controls (things like building or site access).

    Laskowsky notes that people tend to question the value of administrative controls. That’s partly because it can be difficult to measure or “see” their effectiveness, especially relative to technical or physical controls. But Laskowsky and other security experts generally agree that they are necessary. Security is not a steady-state affair – while our security tooling and processes are becoming more automated, a strong posture still requires human awareness, intelligence, and adaptability.

    “Raising our security awareness through administrative controls allows us to start seeing the patterns of unsafe behavior,” Laskowsky says. “We can then generalize and respond to new threats faster than security companies can come up with software to handle them.”

More in Tux Machines

digiKam 7.7.0 is released

After three months of active maintenance and another bug triage, the digiKam team is proud to present version 7.7.0 of its open source digital photo manager. See below the list of most important features coming with this release. Read more

Dilution and Misuse of the "Linux" Brand

Samsung, Red Hat to Work on Linux Drivers for Future Tech

The metaverse is expected to uproot system design as we know it, and Samsung is one of many hardware vendors re-imagining data center infrastructure in preparation for a parallel 3D world. Samsung is working on new memory technologies that provide faster bandwidth inside hardware for data to travel between CPUs, storage and other computing resources. The company also announced it was partnering with Red Hat to ensure these technologies have Linux compatibility. Read more

today's howtos

  • How to install go1.19beta on Ubuntu 22.04 – NextGenTips

    In this tutorial, we are going to explore how to install go on Ubuntu 22.04 Golang is an open-source programming language that is easy to learn and use. It is built-in concurrency and has a robust standard library. It is reliable, builds fast, and efficient software that scales fast. Its concurrency mechanisms make it easy to write programs that get the most out of multicore and networked machines, while its novel-type systems enable flexible and modular program constructions. Go compiles quickly to machine code and has the convenience of garbage collection and the power of run-time reflection. In this guide, we are going to learn how to install golang 1.19beta on Ubuntu 22.04. Go 1.19beta1 is not yet released. There is so much work in progress with all the documentation.

  • molecule test: failed to connect to bus in systemd container - openQA bites

    Ansible Molecule is a project to help you test your ansible roles. I’m using molecule for automatically testing the ansible roles of geekoops.

  • How To Install MongoDB on AlmaLinux 9 - idroot

    In this tutorial, we will show you how to install MongoDB on AlmaLinux 9. For those of you who didn’t know, MongoDB is a high-performance, highly scalable document-oriented NoSQL database. Unlike in SQL databases where data is stored in rows and columns inside tables, in MongoDB, data is structured in JSON-like format inside records which are referred to as documents. The open-source attribute of MongoDB as a database software makes it an ideal candidate for almost any database-related project. This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo‘ to the commands to get root privileges. I will show you the step-by-step installation of the MongoDB NoSQL database on AlmaLinux 9. You can follow the same instructions for CentOS and Rocky Linux.

  • An introduction (and how-to) to Plugin Loader for the Steam Deck. - Invidious
  • Self-host a Ghost Blog With Traefik

    Ghost is a very popular open-source content management system. Started as an alternative to WordPress and it went on to become an alternative to Substack by focusing on membership and newsletter. The creators of Ghost offer managed Pro hosting but it may not fit everyone's budget. Alternatively, you can self-host it on your own cloud servers. On Linux handbook, we already have a guide on deploying Ghost with Docker in a reverse proxy setup. Instead of Ngnix reverse proxy, you can also use another software called Traefik with Docker. It is a popular open-source cloud-native application proxy, API Gateway, Edge-router, and more. I use Traefik to secure my websites using an SSL certificate obtained from Let's Encrypt. Once deployed, Traefik can automatically manage your certificates and their renewals. In this tutorial, I'll share the necessary steps for deploying a Ghost blog with Docker and Traefik.