
Proprietary Software and Security Leftovers

Submitted by Roy Schestowitz on Friday 10th of December 2021 04:38:24 PM. Filed under Security
  • Software updates could boost your car's resale value

    That's just the beginning of the software-defined dream car, however. It's also about personalization.

    Unlike their boomer parents or grandparents, who customized their ride with souped-up engines and aftermarket accessories, younger buyers seek to personalize their cars with individual apps and conveniences.

  • Cyber Command Publicly Joins Fight Against Ransomware Groups [iophk: Windows TCO]

    Cybercriminals who launch attacks on critical U.S. companies are going to be targeted by the branch of the military known as Cyber Command, and everyone has been put on notice.

    Gen. Paul Nakasone, who heads up Cyber Command, told the New York Times this weekend that his team isn’t just going after state actors, but that they’re taking on any cybercriminals who attack American infrastructure.

  • 17 Discord malware packages found in NPM repository

    In a blog post published Wednesday, JFrog security researchers Andrey Polkovnychenko and Shachar Menashe detailed how the malicious NPM packages took aim at the popular communications platform with malware and infostealers, including Discord token grabbers; stealing a user's token would give a threat actor complete control over a user's account.

    JFrog hypothesized in its blog post that threat actors could use Discord tokens -- and by extension, the attached account -- for botnets, spreading malware and to resell stolen accounts if the users have Discord's premium Nitro service.

    Menashe told SearchSecurity the packages were found during routine scanning of the NPM repository.

  • Chrome Users Beware: Manifest V3 is Deceitful and Threatening

    Manifest V3, or Mv3 for short, is outright harmful to privacy efforts. It will restrict the capabilities of web extensions, especially those that are designed to monitor, modify, and compute alongside the conversation your browser has with the websites you visit. Under the new specifications, extensions like these, such as some privacy-protective tracker blockers, will have greatly reduced capabilities. Google’s efforts to limit that access are concerning, especially considering that Google has trackers installed on 75% of the top one million websites.

    It’s also doubtful Mv3 will do much for security. Firefox maintains the largest extension market that’s not based on Chrome, and the company has said it will adopt Mv3 in the interest of cross-browser compatibility. Yet, at the 2020 AdBlocker Dev Summit, Firefox’s Add-On Operations Manager said about the extensions security review process: “For malicious add-ons, we feel that for Firefox it has been at a manageable level....since the add-ons are mostly interested in grabbing bad data, they can still do that with the current webRequest API that is not blocking.” In plain English, this means that when a malicious extension sneaks through the security review process, it is usually interested in simply observing the conversation between your browser and whatever websites you visit. The malicious activity happens elsewhere, after the data has already been read. A more thorough review process could improve security, but Chrome hasn’t said they’ll do that. Instead, their solution is to restrict capabilities for all extensions.

    As for Chrome’s other justification for Mv3, performance, a 2020 study by researchers at Princeton and the University of Chicago revealed that privacy extensions, the very ones that will be hindered by Mv3, actually improve browser performance.

  • Over to you MeitY: IFF's representation on CERT-In's Responsible Vulnerability Disclosure and Coordination Policy

    CERT-In responded to our representation about the issues with their Responsible Vulnerability Disclosure and Coordination Policy, explaining that the Policy is an executive decision and so must follow the existing provisions of the law. In light of this, we have written to MeitY, asking them to amend the Information Technology Act, 2000 to provide a safe harbour for genuine security researchers.

    [...]

    On 3rd September 2021, the Indian Computer Emergency Response Team (CERT-In) released its new ‘Responsible Vulnerability Disclosure and Coordination Policy’ with the aim of strengthening trust in the ‘Digital India’ and ‘Make in India’ campaigns, and encouraging responsible vulnerability research. The Policy provides information about where cybersecurity vulnerabilities in products and services can be reported, the details expected in vulnerability reporting, the procedure by which CERT-In will examine and act upon such reports, and the timelines for resolving issues.

    However, the Policy effectively discourages the reporting of vulnerabilities! Clause 7 of the Policy states that: “The reporting party must ensure to comply with all the extant laws and regulations while discovering the vulnerabilities. Reporting a vulnerability to CERT-In does not imply being exempt from compliance. Discloser shall be responsible for any action performed by her/him for discovering the vulnerability whatsoever”.

    In response to this, we wrote to CERT-In on 13th October 2021 indicating our concerns about this provision. In our representation, we highlighted that such a policy may lead to a regulatory regime in which genuine security researchers may be penalised for disclosures. We also stated that Clause 7 of the Policy may also be in conflict with the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 which adopt a more cooperative and collaborative approach to vulnerability disclosures.

  • Saudi Human Rights Activist, Represented by EFF, Sues Spyware Maker DarkMatter For Violating U.S. Anti-Hacking and International Human Rights Laws

    Loujain Alhathloul Lawsuit Statement

    “Never have I envisioned myself being recognized for standing up for what I believed was right. My early realization of my privilege to speak up and out for women and myself drove me to engage in the sphere of human rights defenders.

    “In a 2018 article titled Kidnapped Freedoms, I expressed my understanding of freedom to be safety and peace: ‘safety to express, to feel protected, to live and to love. [And] peace to reveal the purest and most sincere humanity implanted deep within our souls and minds without experiencing unforgivable consequences. Deprived of safety and peace, I have lost my freedom. Forever?’

    “Previously, I had limited consideration of all aspects of harm a human rights defender, or any individual for that matter, could face, especially in the online world. Today, I incorporate online safety as well as protection from misuse of power by cyber companies to my understanding of safety. The latter should be considered a basic and natural right in our digital reality.

    “No government or individual should tolerate the misuse of spy malware to deter human rights or endanger the voice of the human conscious. This is why I have chosen to stand up for our collective right to remain safe online and limit government-backed cyber abuses of power. I continue to realize my privilege to possibly act upon my beliefs.

    “I hope this case inspires others to confront all sorts of cybercrimes while creating a safer space for all of us to grow, share, and learn from one another without the threat of power abuses.”

    For the complaint: https://www.eff.org/document/alhathloul-v-darkmatter

    For more on state-sponsored malware: https://www.eff.org/issues/state-sponsored-malware

  • EdgeX Foundry to Host "EdgeX Smart * Challenge," a Virtual Global Hackathon, in Early 2022

    EdgeX Foundry, the open source, vendor-neutral IoT/edge platform hosted by the Linux Foundation as part of the LF Edge project umbrella, is pleased to announce the EdgeX Smart * Challenge – a virtual global hackathon – to begin in early 2022.

  • Trend Micro Incorporated : The Evolution of IoT Linux Malware Based on MITRE ATT&CK TTPs | MarketScreener

    In this blog entry, we share the findings of an investigation on the internet of things (IoT) Linux malware and analyzed how these malware families have been evolving. We relied on the tactics, techniques, and procedures (TTPs) of MITRE ATT&CK to define the malware capabilities and characteristics that we saw.

    Our study showed that IoT Linux malware has been steadily evolving, particularly those that are used to create IoT botnets. Capabilities were both added and removed over time. Notably, neither data exfiltration nor lateral movement has been successful for the authors, and they have pivoted instead to centralized infection.

Another Debian dust-up with Firefox dependencies – but there is an annoying and awkward workaround

Debian is having problems with a current version of Firefox that leaves users with a dangerously outdated browser. One of the grey-bearded elders of the Linux distro world, Debian has had issues with Mozilla before. For years, it built its own forks of the Mozilla apps – Iceweasel, Icedove, Iceape, and Iceowl – because of a disagreement over trademark use. But this time the issues are technical rather than legal. As a conservative, stable distro, Debian includes the Extended Support Release (ESR) version of Firefox – ideal for those who find Mozilla's four-weekly release cycle a bit too rapid.

today's leftovers

  • Raku Advent Calendar: Day 10: Java Annotations in Raku or my @annotation is role;

    Today, a little about the fact that the new is better absorbed through what is already known. It so happened that I write for $dayjob in Java, so I will come from this side. Java 1.5 introduced an interesting syntactic form – annotations.

  • Lightwood

    I don't usually write about my professional work, this is an exception. I've been working on automatic machine learning for almost 3 years.

    A small amount of that was focused on what I'd call the core of the problem, most of it was focused on platform building. This changed in the last 5 months when I decided to quit management duties and focus solely on "research". The first thing to come out of this is the version 1 redesign of an automatic ml library called Lightwood.

  • HL7 Celebrates 10 Years of FHIR Health IT Data Standard

    The open-source data standard aims to support healthcare interoperability for real-time access to health information across the care continuum.

    FHIR is widely used across the healthcare industry in mobile applications, cloud communications, EHR-based data sharing, and server communications.

  • Masayuki Uemura, Creator Of The NES And SNES, Dies At 78

    Originally, Uemura worked at Sharp, selling photocell tech to various companies, including his future employer Nintendo. Once joining the company, he worked with Gunpei Yokoi to integrate the photocell technology into electronic light gun games. He would go on to work on plug-and-play consoles like Nintendo’s Color TV-Game.

    But everything changed in 1981 with a single phone call.

    “President Yamauchi told me to make a video game system, one that could play games on cartridges,” Uemura told Matt Alt in an interview published last year on Kotaku. “He always liked to call me after he’d had a few drinks, so I didn’t think much of it. I just said, “Sure thing, boss,” and hung up. It wasn’t until the next morning when he came up to me, sober, and said, “That thing we talked about—you’re on it?” that it hit me: He was serious.”

today's howtos

  • 2021-12-05 singing wires

    I have probably described before the concept of the telephone network forming a single, continuous pair of wires from your telephone to the telephone of the person you are calling. This is the origin of "circuit switching" and the source of the term: the notion that a circuit-switched system literally forms an electrical circuit between two endpoints.

  • NVMe drives and the case of opaque bandwidth limits

    However, I'm not sure I see an obvious place with the bandwidth limit in my PCIe topology, at least with Linux's tools for PCIe topology. Both NVMe drives are connected to 'Intel Corporation 200 Series PCH PCI Express Root Port' PCIe devices that are listed as part of what I think of as the PCI root bus. Since this is an Intel thing, PCH probably stands for Intel's Platform Controller Hub, which has a DMI link between the Intel CPU and the Z370 chipset. Looking at various things, this DMI link is about the speed of PCIe 3.0 x4, which could explain how I'm running into bandwidth limits. If neither NVMe drive is directly connected to any CPU PCIe lanes, the combined bandwidth of both of them together would be limited by the PCH to CPU bandwidth of roughly PCIe 3.0 x4.

  • DNS "propagation" is actually caches expiring

    First – I’m very tired of posts that complain about how people are “wrong” about how a given piece of technology works without explaining why it’s helpful to be “right”. So here’s why I like knowing how DNS works.

  • My Backup Plan

    Over the past year, since I got more serious about my growing YouTube channel's success, I decided to document and automate as much of my backups as possible, following a 3-2-1 backup plan: [...]

  • [Updated] 8 Linux Nslookup Commands to Troubleshoot DNS Lookup

    nslookup is a command-line administrative tool for testing and troubleshooting DNS servers (Domain Name Server). It is used to query specific DNS resource records (RR) as well. Most operating systems come with a built-in nslookup feature.

