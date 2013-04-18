Security Leftovers
Security updates for Tuesday [LWN.net]
Security updates have been issued by Debian (tzdata), Oracle (cups), and SUSE (atheme, golang-github-prometheus-alertmanager, golang-github-prometheus-node_exporter, node_exporter, python36, release-notes-susemanager, release-notes-susemanager-proxy, SUSE Manager 4.1.15 Release Notes, SUSE Manager Client Tools, and SUSE Manager Server 4.2).
Hidden Anti-Cryptography Provisions in Internet Anti-Trust Bills
Two bills attempting to reduce the power of Internet monopolies are currently being debated in Congress: S. 2992, the American Innovation and Choice Online Act; and S. 2710, the Open App Markets Act. Reducing the power of tech monopolies would do more to “fix” the Internet than any other single action, and I am generally in favor of them both. (The Center for American Progress wrote a good summary and evaluation of them. I have written in support of the bill that would force Google and Apple to give up their monopolies on their phone app stores.)
There is a significant problem, though. Both bills have provisions that could be used to break end-to-end encryption.
Let’s start with S. 2992. Sec. 3(c)(7)(A)(iii) would allow a company to deny access to apps installed by users, where those app makers “have been identified [by the Federal Government] as national security, intelligence, or law enforcement risks.” That language is far too broad. It would allow Apple to deny access to an encryption service provider that provides encrypted cloud backups to the cloud (which Apple does not currently offer). All Apple would need to do is point to any number of FBI materials decrying the security risks with “warrant proof encryption.”
Slim.AI introduces beta software supply chain container security as a service | ZDNet
This service is being built on the foundation of Slim.AI's open-source project, DockerSlim. This popular developer program optimizes and secures your containers by analyzing your code and throwing away unnecessary code, thus "slimming" down your containers' attack surface. It also can reduce the size of your container by up to 30x.
5 Best Practices When Implementing a Container Strategy
Software developers must be vigilant with regard to their use of hardware resources. Dedicated hardware is often expensive to buy, run, and maintain—and there’s only so much room in a data center for extra servers.
The ability to run multiple virtual machines on one piece of hardware makes virtualization a good option. Yet, each virtual machine must include its own guest OS and everything that entails. That eats up system resources. These days, using virtualization is like using stock music when you could be using a full orchestra. When it comes to scalability, consistency and efficiency, there is a better way: You should be considering implementing a container strategy.
OpenSSF details advancements in open-source security efforts | VentureBeat
Open-source security is currently undergoing a period of accelerated change, thanks in no small part to the efforts of the Linux Foundation’s OpenSSF (Open Source Security Foundation).
