Security Leftovers

Filed under
Security
  • Tuesday's security updates
  • Why Aren't There Better Cybersecurity Regulations for Medical Devices?

    This summer, the Food and Drug Administration warned hospitals to stop using a line of drug pumps because of a cybersecurity risk: a vulnerability that could allow an attacker to remotely deliver a fatal dose to a patient. SAINT Corporation engineer Jeremy Richards, one of the researchers who discovered the vulnerability, called the drug pump “the least secure IP enabled device I’ve ever touched in my life.”

    There is a growing body of research that shows just how defenseless many critical medical devices are to cyberattack. Research over the last couple of years has revealed that hundreds of medical devices use hard-coded passwords. Other devices use default admin passwords, then warn hospitals in the documentation not to change them.

  • Congress Introduces Provision That Could Make Vehicle Security Research Illegal

    Far too often Congress proposes tech legislation that is either poorly researched or poorly drafted (or both). Fortunately, most of the bills don’t advance. Unfortunately, this doesn’t seem to dissuade Congress from constantly writing these types of bills. The House Energy and Commerce Committee released such a bill last week. It’s only a discussion draft and hasn’t been introduced as a formal bill yet, but its provisions would not only effectively put the brakes on car security research, but also immunize auto manufacturers from FTC privacy enforcement when (not if) they fail to secure our cars. It’s a classic one-two punch from Congress: not understanding something and then deciding to draft a bill about it anyway.

  • Crypto researchers: Time to use something better than 1024-bit encryption

    It’s possible for entities with vast computing resources – such as the NSA and major national governments – to compromise commonly used Diffie-Hellman keys, and over time more groups will be able to afford cracking them as computing costs go down.

  • The first rule of zero-days is no one talks about zero-days (so we’ll explain)

    How do you defend yourself against the unknown? That is the crux of the zero-day vulnerability: a software vulnerability that, by definition, is unknown to the user of the software and often to its developer as well.

    Everything about the zero-day market, from research and discovery through disclosure and active exploitation, is predicated upon this fear of the unknown—a fear that has been amplified and distorted by the media. Is the world really at threat of destabilisation due to lone-wolf hackers digging up vulnerabilities in popular software packages and selling them to whichever repressive government offers the most money? Or is it just a classic case of the media and megacorp lobbyists focusing on the sexy, scary, offensive side of things, and glossing over the less alluring aspects?
