Security Leftovers (2022-06-09)

Closing the Cybersecurity Talent Gap With New Candidate Pools [Ed: Decades of back doors have meant security failures and a lack of people trained to understand real security] HR and security leaders must deploy new strategies to attract, hire, and retain cyber professionals while looking for ways to leverage the transferable skills and potential of untapped talent. Demand for cybersecurity talent has reached an historic high: 63% of businesses say they have unfilled security positions, and 60% experienced difficulties retaining qualified cybersecurity professionals in 2021, according to the ISACA State of Cybersecurity 2022 report. And information security analyst jobs are expected to grow faster than the average for all other occupations.

Reproducible Builds (diffoscope): diffoscope 217 released The diffoscope maintainers are pleased to announce the release of diffoscope version 217. This version includes the following changes:
* Update test fixtures for GNU readelf 2.38 (now in Debian unstable).
* Be more specific about the minimum required version of readelf (i.e. binutils) as it appears that this "patch" level version change resulted in a change of output, not the "minor" version. (Closes: #1013348)
* Don't leak the (likely-temporary) pathname when comparing PDF documents.

On the Subversion of NIST by the NSA

Security updates for Thursday Security updates have been issued by Debian (chromium, firejail, and request-tracker4), Fedora (ghex, golang-github-emicklei-restful, and openssl1.1), Oracle (postgresql), Scientific Linux (postgresql), Slackware (openssl), SUSE (salt and tor), and Ubuntu (apache2 and squid, squid3).

Raphaël Hertzog: Freexian’s report about Debian Long Term Support, May 2022 Like each month, have a look at the work funded by Freexian’s Debian LTS offering. Debian project funding Two [1, 2] projects are in the pipeline now. The Tryton project is in a final phase. The Gradle project is fighting with technical difficulties. In May, we put aside 2233 EUR to fund Debian projects. We’re looking forward to receiving more projects from various Debian teams! Learn more about the rationale behind this initiative in this article.

Enterprise Linux Security Episode 33 - Patch your Confluence Server! - Invidious Atlassian software is constantly under attack, and often the source of many lost weekends for IT admins. Recently, a brand-new vulnerability has been discovered - CVE-2022-26134. This particular vulnerability is remotely exploitable, and has been listed as critical. In this episode, Jay and Joao discuss this vulnerability, as well as some of the struggles around Atlassian software in general.

We have seen an explosion in machine learning in the past decade, alongside an explosion in the popularity of free software. At the same time as FOSS has come to dominate software and found its place in almost all new software products, machine learning has increased dramatically in sophistication, facilitating more natural interactions between humans and computers. However, despite their parallel rise in computing, these two domains remain philosophically distant. Though some audaciously-named companies might suggest otherwise, the machine learning space has enjoyed almost none of the freedoms forwarded by the free and open source software movement. Much of the actual code related to machine learning is publicly available, and there are many public-access research papers available for anyone to read. However, the key to machine learning is access to a high-quality dataset and heaps of computing power to process that data, and these two resources are still kept under lock and key by almost all participants in the space. [1] The essential barrier to entry for machine learning projects is overcoming these two problems, which are often very costly to secure. A high-quality, well-tagged data set generally requires thousands of hours of labor to produce, [2] a task which can potentially cost millions of dollars. Any approach which lowers this figure is thus very desirable, even if the cost is making ethical compromises. With Amazon, it takes the form of gig economy exploitation. With GitHub, it takes the form of disregarding the terms of free software licenses. In the process, they built a tool which facilitates the large-scale laundering of free software into non-free software by their customers, to whom GitHub offers plausible deniability through an inscrutable algorithm.

