
Security Leftovers

  • 10 Most Commonly Used FOSS Packages

    The Core Infrastructure Initiative Census Program II report released earlier this year identified the most commonly used FOSS components in production applications, with the goal of understanding potential vulnerabilities in these components and better securing the open source software supply chain.

  • Don’t penalise cybersecurity researchers!

    We wrote to the Indian Computer Emergency Response Team regarding a provision in their new Responsible Vulnerability Disclosure and Coordination Policy that penalises cybersecurity researchers for vulnerability disclosures. In our representation, we highlighted how such provisions would create an atmosphere in which researchers would be reluctant about reporting vulnerabilities and recommended that a robust disclosure mechanism be implemented that protects researchers from harm.

    [...]

    Such provisions contribute to a disclosure regime in which security researchers would be liable under the Information Technology Act, 2000 (‘IT Act’), and are penalised for disclosures of genuine security vulnerabilities. Section 43 of the Information Technology Act, 2000 penalizes anyone who gains unauthorized access to a computer resource without permission of the owner, and so fails to draw a distinction between malicious hackers and ethical security researchers. Thus, even when researchers have acted in good faith they may be charged under the IT Act. As we have mentioned earlier, companies have exploited this loophole in the said provision to press charges against cybersecurity researchers who expose data breaches in their companies. The Personal Data Protection Bill, 2019, currently being considered by a Joint Parliamentary Committee, also fails to protect security researchers and whistleblowers. All of this leads to situations in which researchers are reluctant to report vulnerabilities for fear of being sued.

    Clause 7 of the Policy is also in conflict with the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (‘2013 IT Rules’) which adapts a cooperative and collaborative approach. Rule 10 requires CERT-IN to interact with stakeholders including research organisations and security experts for preventing cyber security incidents. Under Rule 11(2), CERT-IN is obligated to collaborate with, among others, organisations and individuals engaged in preventing and protecting against cyber security attacks. Thus, by imposing complete and sole responsibility on cyber security researchers for actions undertaken during the discovery of a vulnerability, the policy is in conflict with the collaborative spirit of the 2013 IT Rules and so is a genuine impediment to effective collaboration.

  • Airline Passenger Mistakes Vintage Camera for a Bomb

    Back in 2007, I called this the “war on the unexpected.” It’s why “see something, say something” doesn’t work. If you put amateurs in the front lines of security, don’t be surprised when you get amateur security. I have lots of examples.

  • How to create an effective security policy: 6 tips

    Are your security policies boring? OK, that’s not entirely fair. Security policies are boring, especially to people outside of IT – in the way that children find their parents’ or teachers’ rules “boring.” There’s a limit to how interesting one can make “best practices for creating strong passwords” sound to the masses.

    The point of such policies is to educate people on organizational rules and the habits of good security hygiene. This is the administrative layer of security controls: all of the rules, standards, guidelines, and training an organization puts in place as part of its overall security program. It’s the human-focused component that rounds out the other two general categories of security controls, according to Terumi Laskowsky, an IT security consultant and cybersecurity instructor at DevelopIntelligence. The other two categories are technical/logical controls (your hardware and software tools) and physical controls (things like building or site access).

    Laskowsky notes that people tend to question the value of administrative controls. That’s partly because it can be difficult to measure or “see” their effectiveness, especially relative to technical or physical controls. But Laskowsky and other security experts generally agree that they are necessary. Security is not a steady-state affair – while our security tooling and processes are becoming more automated, a strong posture still requires human awareness, intelligence, and adaptability.

    “Raising our security awareness through administrative controls allows us to start seeing the patterns of unsafe behavior,” Laskowsky says. “We can then generalize and respond to new threats faster than security companies can come up with software to handle them.”


today's leftovers

  • Here's how initial Chromebook performance will improve in a future Chrome OS update

    Have you noticed that your Chromebook isn’t very responsive until a minute or so after startup? Depending on your hardware, you may not have, as higher-performing components can mask this. But Google has. And it has a solution to improve initial Chromebook performance in an upcoming Chrome OS update. The issue is laid out in the description of this code commit: ARCVM “continuously consumes CPU for several minutes on user login before user has even launched any Android app or playstore.” If you’re not familiar with the term, ARCVM is the virtual machine used to run Android apps on a Chromebook. Based on the description, this virtual machine launches when you boot your Chromebook. This occurs even if you don’t immediately open an Android app or the Google Play Store. And that causes the CPU in your Chromebook to spend most, if not all, of its resources firing up ARCVM.

  • Percepio Wins Coveted Elektra Award for Tracealyzer for Linux

    Percepio®, the leader in visual trace diagnostics for embedded systems and the Internet of Things (IoT), has been awarded the prestigious Elektra Award 2021 for its visual trace diagnostics tool Tracealyzer for Linux.

  • [Amazon spam] How CentOS changes the cloud Linux game [Ed: Check that first paragraph and beyond. AWS employee Mac Asay spamming for his employer... and it is disguised as 'article'. IDG has become little but a spamfarm]

today's howtos

  • How to install and configure Grafana OSS in Debian 11

    In this guide, we are going to learn how to install and set up Grafana OSS in Debian 11. Grafana is a multi-platform open source analytics and interactive visualization web application. It provides charts, graphs, and alerts for the web when connected to supported data sources.

  • How to Install and Use MySQL on Ubuntu 20.04 - RoseHosting

    In this tutorial, we are going to show you how to install MySQL on your Ubuntu 20.04 and how to use it with the basic MySQL commands. MySQL is an open-source relational database management system that, thanks to its popularity, is used widely on different systems for storing data. In this post you will learn more about logging in to MySQL with or without the root user, database creation, user creation, granting privileges, external access to your databases, importing a database, making a dump of a database, etc. Let’s get started!

  • How to install WPS Office 2019 on Elementary OS 6.0

    In this video, we are looking at how to install WPS Office 2019 on Elementary OS 6.0.

  • How to install Scratch on a Chromebook

    Today we are looking at how to install Scratch on a Chromebook. Please follow the video/audio guide as a tutorial where we explain the process step by step and use the commands below.

  • How to install and configure Apache webserver on Fedora 35. – NextGenTips

    Apache HTTP Server is a free and open-source cross-platform web server software. The goal of Apache is to provide a secure, efficient, and extensible server that provides HTTP services in sync with the current HTTP standards. The main job of the Apache web server is to establish connections between the server and a browser. This aids in the transfer of files between the server and the client. Apache provides many modules that allow server administrators to turn on and off some functionalities. It has modules such as those for security, caching, password authentication, URL rewriting, etc. In this tutorial guide, I will take you through the installation steps of the Apache webserver on the Fedora 35 server.

  • How to change the output color of echo in Linux - buildVirtual

    Sometimes it’s nice to be able to change the text, or foreground, color when working with shell scripts or the Linux command line. This is a useful trick as it allows us to make the text more readable and the output more interesting. This can be done using ANSI escape codes. Let’s take a look at a quick example.
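    The following POSIX shell script is an added example, not code from the buildVirtual article. It wraps text in an ANSI SGR (Select Graphic Rendition) colour sequence and, because the same escape codes are honoured when they arrive inside untrusted text (a log line, a hostname, a filename), it also shows the complementary check: stripping CSI escape sequences from a string before echoing it. The function names and the constructed sample line are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the buildVirtual post): colour echo output with ANSI
# escape codes, plus a helper that removes escape sequences from untrusted text.

# ESC is the byte 0x1b; every CSI sequence starts with ESC followed by '['.
ESC=$(printf '\033')

# color_text NAME TEXT
#   Prints TEXT wrapped in the SGR code for NAME and a reset (ESC[0m) at the end,
#   so the colour does not leak into whatever is printed next.
color_text() {
  case "$1" in
    red)    code=31 ;;
    green)  code=32 ;;
    yellow) code=33 ;;
    blue)   code=34 ;;
    *)      code=0 ;;     # unknown name: no attribute, plain text
  esac
  printf '%s[%sm%s%s[0m' "$ESC" "$code" "$2" "$ESC"
}

# strip_ansi TEXT
#   Removes CSI sequences: ESC '[' parameter bytes (0x30-0x3F) intermediate
#   bytes (0x20-0x2F) and one final byte (0x40-0x7E), per ECMA-48.
strip_ansi() {
  printf '%s' "$1" | sed "s|${ESC}\[[0-9:;<=>?]*[ -/]*[@-~]||g"
}

# safe_echo TEXT
#   Echo for data you did not produce yourself: the terminal only ever sees
#   plain characters, never control sequences embedded in the input.
safe_echo() {
  printf '%s\n' "$(strip_ansi "$1")"
}

# Demonstration (only runs when the script is executed directly).
if [ "${0##*/}" = "ansi_echo.sh" ]; then
  color_text green "all checks passed"; echo
  color_text red   "3 errors";          echo
  # Constructed sample: a line that arrived with its own colour code inside.
  untrusted=$(printf 'status=\033[32mOK\033[0m')
  safe_echo "$untrusted"   # prints: status=OK
fi
```

    `printf` is used instead of `echo -e` because `-e` is not portable across `/bin/sh` implementations, whereas the `\033` octal escape in a `printf` format is POSIX. The `strip_ansi` regex only covers CSI sequences, which is where SGR colour codes live; other escape families (OSC title-setting sequences, for instance) start with different introducers and would need their own pattern.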

Programming Leftovers

  • Kiwi TCMS: Call for participation: Testing and Automation devroom, FOSDEM'22

    Attention testers! On behalf of Testing and Automation devroom we'd like to announce that call for participation is now open.

  • LLVM Clang 14 Lands An "Amazing" Performance Optimization - Phoronix

    While the performance of LLVM/Clang has improved a lot over the years and for x86_64 and AArch64 can be neck-and-neck with the GCC compiler, the fierce performance battle is not over. With LLVM/Clang 14.0 due out in the early months of 2022, there will be more performance work, with one recent commit in particular showing a lot of promise. LLVM developer Djordje Todorovic recently landed an improvement to LLVM's Loop Invariant Code Motion (LICM) pass that allows it to hoist a LOAD without a STORE. The patch explains, "When doing load/store promotion within LICM, if we cannot prove that it is safe to sink the store we won't hoist the load, even though we can prove the load could be dereferenced and moved outside the loop. This patch implements the load promotion by moving it in the loop preheader by inserting proper PHI in the loop. The store is kept as is in the loop. By doing this, we avoid doing the load from a memory location in each iteration." The improvement to this pass helps to address this bug report around missed opportunities for register promotion.

  • Dirk Eddelbuettel: tidyCpp 0.0.6 on CRAN: Package Maintenance

    Another small release of the tidyCpp package arrived on CRAN this morning. The package offers a clean C++ layer (as well as one small C++ helper class) on top of the C API for R, which aims to make use of this robust (if awkward) C API a little easier and more consistent. See the vignette for motivating examples. This release makes a tiny code change and removes a YAML file for the disgraced former continuous integration service we shall not name (yet that we all used to use). And just like digest five days ago, drat four days ago, littler three days ago, RcppAPT two days ago, and RcppSpdlog yesterday, we converted the vignettes from using the minidown package to the (fairly new) simplermarkdown package, which is so much more appropriate for our use of the minimal water.css style.

  • Takao Fujiwara: gnome-remote-desktop

    It seems Vino is deprecated in Fedora 35 because of a security issue and gnome-remote-desktop is the replacement, but there are few documents on how to set up the VNC server, so let me summarize the setup and the differences.

  • No easter eggs in curl

    There are no Easter eggs in curl. For the good. I’ve been asked about this many times. Among the enthusiast community, people seem to generally like the concept of Easter eggs and hidden treasures, features and jokes in software and devices. Having such an embedded surprise is considered fun and curl being a cool and interesting project should be fun too! With the risk of completely ruining my chances of ever being considered a fun person, I’ll take you through my thought process on why curl does not feature any such Easter eggs and why it will not have any in the future either.

  • Tricked-Out Breadboard Automatically Draws Schematics Of Whatever You Build | Hackaday

    When it comes to electronic design, breadboarding a circuit is the fun part — the creative juices flow, parts come and go, jumpers build into a tangled mess, but it’s all worth it when the circuit finally comes to life. Then comes the “What have I done?” phase, where you’ve got to backtrack through the circuit to document exactly how you built it. If only there was a better way. Thanks to [Nick Bild], there is, in the form of the “Schematic-o-matic”, which aims to automate the breadboard documentation process. The trick is using a breadboard where each bus bar is connected to an IO pin on an Arduino Due. A program runs through each point on the breadboard, running a continuity test to see if there’s a jumper connecting them. A Python program then uses the connection list, along with some basic information about where components are plugged into the board, to generate a KiCad schematic.

  • Multiplication by Halving and Doubling in AARCH64 Assembly | Adam Young’s Web Log

    While multiplication is defined in the context of repeated addition, implementing it that way algorithmically is not nearly as efficient as some other approaches. One algorithm for multiplication that is an order of magnitude faster is to halve one number while doubling the other. I gave myself the challenge of implementing this algorithm in AARCH64 Assembly, and it was not too hard.

  • The Apache Weekly News Round-up: week ending 3 December 2021

    Welcome, December --we're opening the month with another great week. Here's what the Apache community has been up to...

  • Website Load Testing with Apache JMeter on Ubuntu 20.04

    In this article, I will show you how to install Apache JMeter and how to use it to do load testing on websites. JMeter is an open-source Java-based load testing tool. It is useful for checking and improving performance after developing a new website. Load tests measure the performance of the system and help simulate the weight of real traffic. As it is mainly focused on testing web applications, one can make a better website for all the users. But now, it is also used for other purposes like functional testing and database testing. Now let’s see how to install Apache JMeter and use it on Ubuntu 20.04.

  • gfldex: MAIN course

    On IRC, vasko asked how to handle a --verbose flag. This is quite simple.

  • Rakudo Weekly News: 2021.49 Adventing Is On!

  • Bash Shell Scripting for beginners (Part 3)

    Welcome to part 3 of Bash Shell Scripting at a beginner level. This final article will look at a few more items that will get you primed for your continued personal development. It will touch on functions, using comparisons with if/elif statements, and will wrap up with looking into the while loop.
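    The script below is an added example, not code from Adam Young’s AARCH64 post or from the Fedora Magazine Bash series. It implements the halve-one-number-while-doubling-the-other multiplication described in the AARCH64 item above in portable shell arithmetic (the same loop the assembly version runs, without the registers), and in doing so exercises the three constructs this Bash article covers: a function, an if/elif chain for argument checking, and a while loop. The function name and the sample operands are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from either article): multiplication by halving and
# doubling, in POSIX shell. Only additions, halving and doubling are used;
# the '*' operator never appears, which is the whole point of the algorithm.

# mul_hd A B
#   Prints A*B. Each loop iteration looks at the lowest bit of A: if A is odd,
#   the current B is added to the accumulator. A is then halved (dropping that
#   bit) and B doubled, so B always equals the original B times the place value
#   of the bit now at the bottom of A. Runs in O(log A) iterations instead of
#   the O(A) of repeated addition.
mul_hd() {
  # Validate arguments first: shell arithmetic on a non-integer would abort
  # the script, so reject bad input with a clear message and a non-zero status.
  if [ $# -ne 2 ]; then
    echo "usage: mul_hd A B" >&2
    return 2
  elif ! [ "$1" -eq "$1" ] 2>/dev/null || ! [ "$2" -eq "$2" ] 2>/dev/null; then
    echo "mul_hd: both operands must be integers" >&2
    return 2
  fi

  a=$1
  b=$2
  acc=0
  sign=1
  # Work on non-negative operands and restore the sign of the product at the end.
  if [ "$a" -lt 0 ]; then
    a=$((-a))
    sign=$((-sign))
  fi
  if [ "$b" -lt 0 ]; then
    b=$((-b))
    sign=$((-sign))
  fi

  while [ "$a" -gt 0 ]; do
    if [ $((a % 2)) -eq 1 ]; then   # lowest bit of a is set
      acc=$((acc + b))
    fi
    a=$((a / 2))                    # halve
    b=$((b + b))                    # double
  done

  if [ "$sign" -lt 0 ]; then
    acc=$((-acc))
  fi
  echo "$acc"
}

# Demonstration (only runs when the script is executed directly).
if [ "${0##*/}" = "mul_hd.sh" ]; then
  mul_hd 13 7      # prints 91
  mul_hd -6 7      # prints -42
  mul_hd 3 x       # prints an error, exit status 2
fi
```

    Shell functions have no local variables in strict POSIX `sh`, so `a`, `b`, `acc` and `sign` are globals; in Bash you would declare them with `local`. The `[ "$1" -eq "$1" ]` idiom in the `elif` is a portable integer check: `test -eq` fails (and complains on stderr, which is discarded) when either side is not an integer.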

Graphics: Mali, GRVK, Vulkan

  • Mesa Begins Trek Bringing Up Arm Mali "Valhall" Graphics - Phoronix

    The Panfrost Gallium3D OpenGL driver and PanVK open-source drivers in Mesa have come a long way via reverse-engineering for Arm Mali graphics support. However, to this point the focus has been on Arm's "Midgard" and "Bifrost" architectures while the newer "Valhall" architecture has been around the past two years. The Panfrost effort for bringing up Valhall is now getting underway. Alyssa Rosenzweig who has led the Panfrost effort for open-source Arm Mali graphics has been working for a while now on getting Arm's Valhall architecture reverse-engineered and supported by the Linux graphics driver code. (That's also in addition to her separate work on reverse-engineering the Apple M1 graphics as another ongoing open-source adventure.)

  • GRVK 0.5 Gets Battlefield 4 Running With AMD's Mantle Over Vulkan API - Phoronix

    It's been a number of months since GRVK 0.4, the previous release of the open-source project re-implementing AMD's defunct Mantle API over the modern Vulkan API (which was itself originally based on Mantle). With Sunday's release of GRVK 0.5, this Mantle-on-Vulkan translation layer is now capable of correctly rendering Battlefield 4. Battlefield 4 back in the day was one of the flagship titles having a native Mantle renderer for that AMD-specific graphics API, and one of the few games using this API along with the likes of Battlefield Hardline, Thief, Sniper Elite III, and others.

  • Radeon RADV Driver Lands Vulkan Dynamic Rendering Support - Phoronix

    Landing in Mesa 22.0 on Sunday night was the Radeon Vulkan driver "RADV" support for the recently introduced VK_KHR_dynamic_rendering extension. VK_KHR_dynamic_rendering premiered last month with Vulkan 1.2.197. This new extension allows for creating single-pass render pass instances without the need of creating render pass objects or frame-buffers. The Khronos documentation on dynamic rendering explains, "If you’re not using multiple subpasses or input attachments though, go ahead, rip those render pass objects right out! Dynamic rendering offers similar rendering performance to a single pass render pass object but with a much simpler interface on all implementations. Hopefully this extension will make writing future Vulkan renderers just a bit more enjoyable."