Language Selection

English French German Italian Portuguese Spanish

Security Leftovers

Filed under
Security
  • Security updates for Friday
  • Security updates for Thursday
  • Black Hat Researchers Hack Rifle for Fun

    "The reason we started doing this in the first place is Runa [Sandvik] is from Norway and has a very romanticized vision of the U.S., so loving all things America, we needed to go to a gun show," Augur said.

    At to the gun show, Sandvik became interested in the TrackingPoint weapon after learning that it is a Linux-powered device that could be connected to a phone via a mobile app.

  • And even Wintel is not safe

    At the annual Black Hat conference delegates have been shown a new exploit for Intel and AMD x86 central processor units that has hitherto existed since 1977!

    [...]

    Christopher Domas, a security researcher with the Battelle Memorial Institute discovered the flaw. “By leveraging the flaw, attackers could install a rootkit in the processors System Management Mode (SMM), a protected region of code that underpins all the firmware security features in modern computers. Once installed, the rootkit could be used for destructive attacks like wiping the UEFI (Unified Extensible Firmware Interface) the modern BIOS or even to re-infect the OS after a clean install. Protection features like Secure Boot wouldn’t help, because they too rely on the SMM to be secure. The attack essentially breaks the hardware roots of trust,” Domas said.

  • HTML5 privacy hole left users open to tracking for three years

    A feature of HTML5 that allows sites to detect battery life on a visitor's device can also be used to track behaviour, a piece of research has revealed.

  • Sick of Flash security holes? HTML5 has its own

    HTML5 has been billed as the natural, standards-based successor to proprietary plug-ins such as Adobe's Flash Player for providing rich multimedia services on the Web. But when it comes to security, one of Flash's major weaknesses, HTML5 is no panacea.

    In fact, HTML5 has security issues of its own. Julien Bellanger, CEO of application security monitoring firm Prevoty, says HTML5 makes security more complex, not simpler. HTML5 security has been a question mark for years, and it has not improved over the stretch, he says.

  • Attackers can access Dropbox, Google Drive, OneDrive files without a user's password

    The attack differs from traditional man-in-the-middle attacks, which rely on tapping data in transit between two servers or users, because it exploits a vulnerability in the design of many file synchronization offerings, including Google, Box, Microsoft, and Dropbox services.

  • SDN switches aren't hard to compromise, researcher says

    Onie is a small, Linux based operating system that runs on a bare-metal switch. A network operating system is installed on top of Onie, which is designed to make it easy and fast for the OS to be swapped with a different one.

  • Open Network Switches Pose Security Risk, Researcher Says

    At the Black Hat show, a security expert demonstrates how vulnerable SDN switches that use the ONIE software are open to attacks by hackers.

  • OPM wins Pwnie, Google on Android security, DoJ on CFAA: Black Hat 2015 roundup

    Black Hat USA is finishing up in Las Vegas. News from its 18th year includes nuclear nightmares, Department of Justice on computer crime and research, Google on the state of Android security and much more.

  • on the detection of quantum insert

    The NSA has a secret project that can redirect web browsers to sites containing more sophisticated exploits called QUANTUM INSERT. (Do I still need to say allegedly?) It works by injecting packets into the TCP stream, though overwriting the stream may be a more accurate description. Refer to Deep dive into QUANTUM INSERT for more details. At the end of that post, there’s links to some code that can help one detect QI attacks in the wild. As noted by Wired and Bruce Schneier, among dozens of others, now we can defend ourselves against this attack (well, at least detect it).

More in Tux Machines

'This was bigger than GNOME and bigger than just this case.' GNOME Foundation exec director talks patent trolls and much, much more

Patent assertion entities: do not pick a fight with open source. It won't end well for you. This is the message from GNOME Foundation executive director Neil McGovern, who will speak on the subject at the Open Source Summit Europe next week. McGovern talked to The Register ahead of the event on patents, Microsoft, and more. The open-source outfit develops the default desktop environment on major Linux distributions including Ubuntu and Red Hat. In late August 2019, Rothschild Patent Imaging filed a lawsuit against the GNOME foundation claiming that GNOME Shotwell, a photo manager, infringed one of its patents. “We didn't receive a letter before the court documents were filed or any sort of warning, it was just filed and then within a week there was a settlement request for $75,000,” McGovern told us. Read more

Debian Janitor: Hosters used by Debian packages

The Debian Janitor is an automated system that commits fixes for (minor) issues in Debian packages that can be fixed by software. It gradually started proposing merges in early December. The first set of changes sent out ran lintian-brush on sid packages maintained in Git. This post is part of a series about the progress of the Janitor. The Janitor knows how to talk to different hosting platforms. For each hosting platform, it needs to support the platform- specific API for creating and managing merge proposals. For each hoster it also needs to have credentials. At the moment, it supports the GitHub API, Launchpad API and GitLab API. Both GitHub and Launchpad have only a single instance; the GitLab instances it supports are gitlab.com and salsa.debian.org. This provides coverage for the vast majority of Debian packages that can be accessed using Git. More than 75% of all packages are available on salsa - although in some cases, the Vcs-Git header has not yet been updated. Of the other 25%, the majority either does not declare where it is hosted using a Vcs-* header (10.5%), or have not yet migrated from alioth to another hosting platform (9.7%). A further 2.3% are hosted somewhere on GitHub (2%), Launchpad (0.18%) or GitLab.com (0.15%), in many cases in the same repository as the upstream code. Read more Also: Multiple git configurations depending on the repository path

Benchmarks and Graphics Leftovers: x86, Zink, and Navi

  • Intel Core i7 1165G7 Tiger Lake vs. AMD Ryzen 7 PRO 4750U Linux Performance

    For the Intel Tiger Lake Linux benchmarking thus far with the Core i7 1165G7 on the Dell XPS 13 9310 it's primarily been compared against the Ryzen 5 4500U and Ryzen 7 4700U on the AMD side since those are the only Renoir units within my possession. But a Phoronix reader recently provided me with remote access to his Lenovo ThinkPad X13 with Ryzen 7 PRO 4750U (8 cores / 16 threads) for seeing how the Tiger Lake performance compares against that higher-end SKU. Phoronix reader Tomas kindly provided SSH access to his ThinkPad X13 with Ryzen 7 PRO 4750U and 16GB of RAM. The Ryzen 7 PRO 4750U is quite close to the Ryzen 7 4800U with 8 cores / 16 threads but graphics capabilities in line with the 4700U. He's been quite happy with the ThinkPad X13 as a replacement to the Dell XPS 13 for business usage and has been running it with Ubuntu 18.04 LTS on the Linux 5.8 kernel.

  • Mike Blumenkrantz: Catching Up

    A rare Saturday post because I spent so much time this week intending to blog and then somehow not getting around to it. Let’s get to the status updates, and then I’m going to dive into the more interesting of the things I worked on over the past few days. Zink has just hit another big milestone that I’ve just invented: as of now, my branch is passing 97% of piglit tests up through GL 4.6 and ES 3.2, and it’s a huge improvement from earlier in the week when I was only at around 92%. That’s just over 1000 failure cases remaining out of ~41,000 tests. For perspective, a table.

  • AMD 'Big Navi' 3DMark Firestrike results shared by HW testing firm

    The Linux specialists over at Phoronix have noticed that the AMD Linux driver has been tweaked to add support for a new graphics card dubbed the "navi10 blockchain SKU". It comments that the only visible difference in support for this card vs existing Navi 1X support, from the driver perspective, is that the patches disable the Display Core Next (DCN) and Video Core Next (VCN) support - basically creating a 'headless' Navi 1X graphics card. Cryprocurrency is showing signs of a resurgence in popularity and values, and some are worried that the latest and greatest GPUs from both Nvidia and AMD will be plucked from retailers even faster if they are viable mining platforms. It has been reported that AMD is trying to make sure retailers follow certain distribution practices with its upcoming Radeon RX 6000 series products, to make sure they are distributed to gamers and enthusiasts rather than scalpers and such like. An initiative like creating appealing crypto-specific Navi 1X products might help everyday consumers get their hands on a new Navi 2X graphics card too.

Does the Snap Store Use Too Much Memory?

This week I noticed that the Snap Store app on my Ubuntu 20.10 laptop uses a tonne of memory, even when it’s not running — we’re talking more memory than the main GNOME Shell process uses, and that is always running! Naturally I assumed something in my config was to blame. I do make heavy use of Snap apps — don’t worry I use plenty of Flatpak and PPAs too. I’m pretty polyamorous when it comes to packaging formats and I did install using an Ubuntu 20.10 daily build. Therein lay bugs. I know the caveats. All good. Don’t mind. Whatever. Read more