Language Selection

English French German Italian Portuguese Spanish

Security Leftovers

Filed under
Security
  • Security updates for Friday
  • Security updates for Thursday
  • Black Hat Researchers Hack Rifle for Fun

    "The reason we started doing this in the first place is Runa [Sandvik] is from Norway and has a very romanticized vision of the U.S., so loving all things America, we needed to go to a gun show," Augur said.

    At to the gun show, Sandvik became interested in the TrackingPoint weapon after learning that it is a Linux-powered device that could be connected to a phone via a mobile app.

  • And even Wintel is not safe

    At the annual Black Hat conference delegates have been shown a new exploit for Intel and AMD x86 central processor units that has hitherto existed since 1977!

    [...]

    Christopher Domas, a security researcher with the Battelle Memorial Institute discovered the flaw. “By leveraging the flaw, attackers could install a rootkit in the processors System Management Mode (SMM), a protected region of code that underpins all the firmware security features in modern computers. Once installed, the rootkit could be used for destructive attacks like wiping the UEFI (Unified Extensible Firmware Interface) the modern BIOS or even to re-infect the OS after a clean install. Protection features like Secure Boot wouldn’t help, because they too rely on the SMM to be secure. The attack essentially breaks the hardware roots of trust,” Domas said.

  • HTML5 privacy hole left users open to tracking for three years

    A feature of HTML5 that allows sites to detect battery life on a visitor's device can also be used to track behaviour, a piece of research has revealed.

  • Sick of Flash security holes? HTML5 has its own

    HTML5 has been billed as the natural, standards-based successor to proprietary plug-ins such as Adobe's Flash Player for providing rich multimedia services on the Web. But when it comes to security, one of Flash's major weaknesses, HTML5 is no panacea.

    In fact, HTML5 has security issues of its own. Julien Bellanger, CEO of application security monitoring firm Prevoty, says HTML5 makes security more complex, not simpler. HTML5 security has been a question mark for years, and it has not improved over the stretch, he says.

  • Attackers can access Dropbox, Google Drive, OneDrive files without a user's password

    The attack differs from traditional man-in-the-middle attacks, which rely on tapping data in transit between two servers or users, because it exploits a vulnerability in the design of many file synchronization offerings, including Google, Box, Microsoft, and Dropbox services.

  • SDN switches aren't hard to compromise, researcher says

    Onie is a small, Linux based operating system that runs on a bare-metal switch. A network operating system is installed on top of Onie, which is designed to make it easy and fast for the OS to be swapped with a different one.

  • Open Network Switches Pose Security Risk, Researcher Says

    At the Black Hat show, a security expert demonstrates how vulnerable SDN switches that use the ONIE software are open to attacks by hackers.

  • OPM wins Pwnie, Google on Android security, DoJ on CFAA: Black Hat 2015 roundup

    Black Hat USA is finishing up in Las Vegas. News from its 18th year includes nuclear nightmares, Department of Justice on computer crime and research, Google on the state of Android security and much more.

  • on the detection of quantum insert

    The NSA has a secret project that can redirect web browsers to sites containing more sophisticated exploits called QUANTUM INSERT. (Do I still need to say allegedly?) It works by injecting packets into the TCP stream, though overwriting the stream may be a more accurate description. Refer to Deep dive into QUANTUM INSERT for more details. At the end of that post, there’s links to some code that can help one detect QI attacks in the wild. As noted by Wired and Bruce Schneier, among dozens of others, now we can defend ourselves against this attack (well, at least detect it).

More in Tux Machines

Software: ledger2beancount, TenFourFox, KDE Itinerary, GCompris

  • Martin Michlmayr: ledger2beancount 2.2 released

    I released version 2.2 of ledger2beancount, a ledger to beancount converter.

  • TenFourFox FPR23 available

    TenFourFox Feature Parity Release 23 final is now available for testing (downloads, hashes, release notes). This blog post was composed in the new Blogger interface, which works fine but is slower, so I'm going back to the old one. Anyway, there's no difference from the beta except for outstanding security fixes and as usual, if all goes well, it will go live Monday evening Pacific time.

  • April/May in KDE Itinerary

    It has been a busy two month since the last report again, KDE’s source code hosting is now using Gitlab, we got the 20.04 release out, notifications were significantly improved, and we are now leveraging OpenStreetMap in more places, with even more exciting things still to come. The global travel restrictions have been hampering field testing, but they have most certainly not slowed down the development of KDE Itinerary!

  • GSoC’20 Wrapping up Community Bonding Period

    As the coding period of GSoC is going to begin in the next 2 days. In this blog, I am going to write all about what I did during the community bonding period. During this period I have interacted with my mentors and finalized the multiple datasets of a few activities. Recently, the GCompris project has been moved to GitLab so I set up my account over there and also asked my mentors how can I push my branches to the server and everything else. I have also gone through the code of the memory activities and planned about the resources I will be using. I have also set up my environment as to how to test the GCompris on the android platform. I plan to start my work with the enumeration memory game activity so I have created a branch for it and pushed it to the server.

Security Leftovers

Kernel: Reiser4 and Generic USB Display Driver

  • Reiser4 Updated For Linux 5.6 Kernel Support

    While the Linux 5.7 kernel is likely being released as stable today, the Reiser4 port to the Linux 5.6 kernel is out this weekend. Edward Shishkin continues working on Reiser4 while also spearheading work on the new Reiser4 file-system iteration of the Reiser file-system legacy. Taking a break from that Reiser5 feature work, Shishkin has updated the out-of-tree Reiser4 patches for Linux 5.6.0 compatibility. This weekend on SourceForge he uploaded the Reiser4 patch for upstream Linux 5.6.0 usage. This is just porting the existing 5.5.5-targeted code to the 5.6 code-base with no mention of any other bug fixes or improvements to Reiser4 in this latest patch.

  • The Generic USB Display Driver Taking Shape For Linux 5.9~5.10

    One of the interesting new happenings in the Direct Rendering Manager (DRM) driver space is a Generic USB Display stack including a USB gadget driver that together allow for some interesting generic USB display setups. This work was motivated by being able to turn a $5 Raspberry Pi Zero into a USB to HDMI display adapter.

Games: Project Cars 2 and Valve/Vulkan

  • Project Cars 2 | Linux Gaming | Ubuntu 19.10 | Steam Play

    Project Cars 2 running through Steam Play on Linux. Using my Logitech G29 which also worked as expected.

  • Valve continues to improve Linux Vulkan Shader Pre-Caching

    Recently we wrote about a new feature for Linux in the Steam Client Beta, where Steam can now sort out Vulkan shaders before running a game. With the latest build, it gets better. The idea of it, as a brief reminder, is to prepare all the shaders needed for Vulkan games while you download and / or before you hit Play. This would help to stop constant stuttering seen in some games on Linux, mostly from running Windows games in the Proton compatibility layer, as native / supported Linux games would usually do it themselves. Just another way Valve are trying to get Linux gaming on Steam in all forms into tip-top shape.

  • Steam Ironing Out Shader Pre-Caching For Helping Game Load Times, Stuttering

    Valve developers have been working on Vulkan shader pre-caching with their latest Steam client betas to help in allowing Vulkan/SPIR-V shaders to compile ahead of time, letting them be pre-cached on disk to allow for quicker game load times and any stuttering for games that otherwise would be compiling the shaders on-demand during gameplay, especially under Steam Play.