
Security

Security: “Barack Obama” Ransomware, Wireshark Bugfix, Reproducible Builds Report, Synesthesia

Filed under
Security

John McAfee’s Android-centric product has been cracked

Filed under
Android
Security

Greg Kroah-Hartman and Linus Torvalds Upset at Intel Over CPU Defects and Negative Response

Filed under
Linux
Hardware
Security
  • Intel blocked kernel fixes on Meltdown and Spectre

    Linux kernel developer Greg Kroah-Hartman criticized Intel's slow initial response to the Spectre and Meltdown bugs in a talk at the Open Source Summit North America.

    Kroah-Hartman said that when Intel finally decided to tell Linux developers, the disclosure was siloed.

    "Intel siloed SuSE, they siloed Red Hat, they siloed Canonical. They never told Oracle, and they wouldn't let us talk to each other."

  • Linux Creator On Intel CPU Bugs: “It’s Unfair. We Have To Fix Someone Else’s Problems”

    Almost all modern CPUs use Speculative Execution as a means to improve performance and efficiency. Your computer’s processor performs tons of calculations in advance and chooses the correct one according to a program’s flow. It makes sense as an idle CPU is undoubtedly a wasted resource.

    When it comes to Linux creator Linus Torvalds, he likes the way speculative execution improves performance. What irritates him is the fact that not all incorrect calculations are completely discarded — this is what turned out to be the root cause of bugs like Spectre and Meltdown.

Security: Updates, 2FA with ssh on OpenBSD, and Germany's Research

Filed under
Security
  • Security updates for Monday
  • 2FA with ssh on OpenBSD

    Five years ago I wrote about using a yubikey on OpenBSD. The only problem with doing this is that there's no validation server available on OpenBSD, so you need to use a different OTP slot for each machine. (You don't want to risk a replay attack if someone succeeds in capturing an OTP on one machine, right?) Yubikey has two OTP slots per device, so you would need a yubikey for every two machines with which you'd like to use it. You could use a bastion—and use only one yubikey—but I don't like the SPOF aspect of a bastion. YMMV.

    After I played with TOTP, I wanted to use them as a 2FA for ssh. At the time of writing, we can't do that using only the tools in base. This article focuses on OpenBSD; [...]

  • Germany, seeking independence from U.S., pushes cyber security research

    Germany announced a new agency on Wednesday to fund research on cyber security and to end its reliance on digital technologies from the United States, China and other countries.

Security: Titan Security Keys and More FUD From WhiteSource

Filed under
Security

Linus Torvalds talks frankly about Intel security bugs

Filed under
Linux
Security

At The Linux Foundation's Open Source Summit North America in Vancouver, Linus Torvalds, Linux's creator, and Dirk Hohndel, VMware VP and chief open source officer, had a wide-ranging conversation about Linux security, open-source development, and quantum computing.

Torvalds would really like his work to get back to being boring. It hasn't been lately because of Intel's CPU Meltdown and Spectre security bugs. The root cause behind these security holes was speculative execution.

In speculative execution, when a program does a calculation, which might go several ways, the processor assumes several results and works on them. If it's wrong, it goes back to the beginning and restarts with the correct data. Because CPUs are so fast these days, it's much quicker to do this than to have the hardware sit idle waiting for data.

Torvalds "loves speculative execution. CPUs must do this." But, Torvalds is annoyed that "people didn't think about the problems of taking shortcuts with speculative execution. We knew speculative work that wasn't used had to be thrown away." It wasn't. That problem is now baked in most modern processors. The long-term fix is a new generation of Intel CPUs.


Air Canada's Data Breach

Filed under
Security
  • Air Canada app data breach involves passport numbers

    It believes data has been stolen [sic] from about 20,000 of these, and has informed members of this group via email.

  • Air Canada confirms mobile app data breach

    According to an email to customers, attackers may have accessed basic profile data, including names, email addresses and phone numbers — but also more sensitive data that users may have added to their profiles, including passport numbers and expiry date, passport country of issuance, NEXUS numbers for trusted travelers, gender, dates of birth, nationality and country of residence.

  • Air Canada says 20,000 mobile app users affected by data breach

    The app stores names and contact information, which may have been accessed.

    It also may hold information such as passport and NEXUS card numbers, gender, birth date, nationality and credit card numbers.

Limiting Free Licences and New FUD From Veracode/CA

Filed under
OSS
Security
Legal
  • Javascript Tool Maker Relents After Mixing Immigration Politics with Open Source Licensing

    In very short order, Lerna, a company that offers some Javascript tooling, has learned the hard way not to mess with the integrity of an open source license. In other words, don’t decide you’re going to take an existing OSI-certified open source license, modify it to suit your agenda, license your code under the newly derived license, and still continue to refer to your offering as "open source.”

    First, this analysis piece is really just a follow-up to my previous post about why it’s time to reject the latest attack on open source software (OSS). The main point of that post was to point out that all of us who have experienced the benefits of open source (ok, that’s nearly all human beings) should play a role in defending it. Otherwise, it will wither and so too will the benefits most of us have come to enjoy, blind to the fact that open source is playing such an important role in our lives.

  • Does Redis' Commons Clause threaten open-source software?
  • Get a Jump on Reducing Your Open Source Software Security Risks [Ed: Anti-FOSS firm Veracode/CA pays IDG for spam which stigmatises FOSS as lacking security]

Linux Kernel up to 4.15-rc3 Crypto Subsystem memory corruption

Filed under
Linux
Security
  • Linux Kernel up to 4.15-rc3 Crypto Subsystem memory corruption

    The weakness was shared 08/30/2018 as bug report (Bugzilla). The advisory is available at bugzilla.redhat.com. This vulnerability is traded as CVE-2018-14619 since 07/27/2018. Local access is required to approach this attack. A single authentication is needed for exploitation. The technical details are unknown and an exploit is not available. The structure of the vulnerability defines a possible price range of USD $5k-$25k at the moment (estimation calculated on 08/31/2018).

  • CVE-2018-14619: New Critical Linux Kernel Vulnerability

    A new Linux kernel vulnerability identified as CVE-2018-14619 has been discovered by Red Hat Engineering researchers Florian Weimer and Ondrej Mosnacek. More particularly, the flaw was found in the crypto subsystem of the Linux kernel.

Security: Alexa Holes, Zemlin on CII, and Apache Struts Patches

Filed under
Security
  • Amazon Alexa Security Risk Allows Hackers to Take Over Voice Commands, Steal Private Information

    The world is changing and in the modern era, we are becoming more reliant on our Internet of Things devices by the day. But this reliance could cost us everything: it could allow someone to steal our identity, bank information, medical history, and whatnot.

    Amazon Alexa has been criticised for having a number of security flaws but Amazon has been quick to deal with them. However, this new security flaw may not have a fix at all. And this could be the most dangerous security threat yet.

    According to research conducted by the University of Illinois at Urbana-Champaign (UIUC), Amazon Alexa’s idiosyncrasies can be exploited through voice-commands to route users to malicious websites. Hackers are targeting the loopholes in machine learning algorithms to access private information.

  • Researchers show Alexa “skill squatting” could hijack voice commands

    The success of Internet of Things devices such as Amazon's Echo and Google Home has created an opportunity for developers to build voice-activated applications that connect ever deeper—into customers' homes and personal lives. And—according to research by a team from the University of Illinois at Urbana-Champaign (UIUC)—the potential to exploit some of the idiosyncrasies of voice-recognition machine-learning systems for malicious purposes has grown as well.

    Called "skill squatting," the attack method (described in a paper presented at USENIX Security Symposium in Baltimore this month) is currently limited to the Amazon Alexa platform—but it reveals a weakness that other voice platforms will have to resolve as they widen support for third-party applications. Ars met with the UIUC team (which is comprised of Deepak Kumar, Riccardo Paccagnella, Paul Murley, Eric Hennenfent, Joshua Mason, Assistant Professor Adam Bates, and Professor Michael Bailey) at USENIX Security. We talked about their research and the potential for other threats posed by voice-based input to information systems.

  • The Linux Foundation Set to Improve Open-Source Code Security

    CII is now working on further trying to identify which projects matter to the security of the internet as a whole, rather than taking a broader approach of looking at every single open-source project, he said. In his view, by prioritizing the projects that are the most critical to the operation of the internet and modern IT infrastructure, the CII can be more effective in improving security.

    "You'll see in the next three months or so, additional activity coming out of CII," Zemlin said.

    Among the new activities coming from the CII will be additional human resources as well as new funding. The Linux Foundation had raised $5.8 million from contributors to help fund CII efforts, which Zemlin said has now all been spent. Zemlin said that CII's money was used to fund development work for OpenSSL, NTP (Network Time Protocol) and conducting audits.

  • Apache Struts 2.3.25 and 2.5.17 resolve Cryptojacking Exploit Vulnerability

    Information regarding a severe vulnerability found in Apache Struts was revealed last week. A proof of concept of the vulnerability was also published publicly along with the vulnerability’s details. Since then, it seems that malicious attackers have set out to repeatedly exploit the vulnerability to remotely install a cryptocurrency mining software on users’ devices and steal cryptocurrency through the exploit. The vulnerability has been allotted the CVE identification label CVE-2018-11776.

    This behavior was first spotted by the security and data protection IT company, Volexity, and since its discovery, the rate of exploits has been increasing rapidly, drawing attention to the critical severity of the Apache Struts vulnerability. The company released the following statement on the issue: “Volexity has observed at least one threat actor attempting to exploit CVE-2018-11776 en masse in order to install the CNRig cryptocurrency miner. The initial observed scanning originated from the Russian and French IP addresses 95.161.225.94 and 167.114.171.27.”
