Security Leftovers

Filed under
Security
  • Security updates for Tuesday
  • But I have work to do!

    There’s a news story going around that talks about how horrible computer security tends to be in hospitals. This probably doesn’t surprise anyone who works in the security industry; security is often something that gets in the way, not something that helps get work done.

    There are two really important lessons we should take away from this. The first is that a doctor or nurse isn’t a security expert, doesn’t want to be a security expert, and shouldn’t be a security expert. Their job is helping sick people. We want them helping sick people, especially if we’re the people who are sick. The second is that when security gets in the way, security loses. Security should lose when it gets in the way; we’ve been winning far too often, and it’s critically damaged the industry.

  • Lenovo ThinkPwn UEFI exploit also affects products from other vendors [Ed: Intel and Microsoft told us UEFI was about security but it wasn't]

    A critical vulnerability that was recently found in the low-level firmware of Lenovo ThinkPad systems also reportedly exists in products from other vendors, including HP and Gigabyte Technology.

    An exploit for the vulnerability was published last week and can be used to execute rogue code in the CPU's privileged SMM (System Management Mode).

    This level of access can then be used to install a stealthy rootkit inside the computer's Unified Extensible Firmware Interface (UEFI) -- the modern BIOS -- or to disable Windows security features such as Secure Boot, Virtual Secure Mode and Credential Guard that depend on the firmware being locked down.

    The exploit, dubbed ThinkPwn, was released by a security researcher named Dmytro Oleksiuk last week without sharing it with Lenovo in advance. However, since then Oleksiuk has found the same vulnerable code inside older open source firmware for some Intel motherboards.

Debian 8 Gets New Kernel Update, Five Vulnerabilities and a Regression Patched

Filed under
Security
Debian

Exactly one week after the release of the major kernel update for the Debian GNU/Linux 8 "Jessie" operating system on June 28, the Debian Project, through Salvatore Bonaccorso, has released a new Linux kernel security update.

Parsix GNU/Linux 8.10 and 8.5 Get the Latest Debian Security Fixes, Update Now

Filed under
GNU
Linux
Security
Debian

A few hours ago, the development team behind Parsix GNU/Linux, a Debian-based computer operating system sporting the modern GNOME 3 desktop environment, announced that new security fixes are available for the stable Parsix GNU/Linux 8.5 "Atticus" distribution and the upcoming Parsix GNU/Linux 8.10 "Erik" release.

Network Security Toolkit (NST) Linux OS Released Based on Fedora 24, Linux 4.6

Filed under
Red Hat
Security

Today, July 4, 2016, Ronald Henderson has announced the release of a new version of the Fedora-based Network Security Toolkit (NST) Linux distribution for network security analysis and monitoring.

Security Leftovers

Filed under
Security
  • Progress Towards 100% HTTPS, June 2016
  • Exploiting Recursion in the Linux Kernel
  • Home Computers Connected to the Internet Aren't Private, Court Rules [iophk: "MS Windows == insecure, therefore all computers are game"]

    A judge in Virginia rules that people should have no expectation of privacy on their home PCs because no connected computer "is immune from invasion."

    A federal judge for the Eastern District of Virginia has ruled that the user of any computer that connects to the Internet should not have an expectation of privacy because computer security is ineffectual at stopping hackers.

    The June 23 ruling came in one of the many cases resulting from the FBI's infiltration of PlayPen, a hidden service on the Tor network that acted as a hub for child exploitation, and the subsequent prosecution of hundreds of individuals. To identify suspects, the FBI took control of PlayPen for two weeks and used, what it calls, a "network investigative technique," or NIT—a program that runs on a visitor's computer and identifies their Internet address.

Security Leftovers

Filed under
Security
  • 11 essential data security tips for travelers [iophk: "unfortunately VPNs have dated crypto"]

    I travel all over the world for my job, and for my hobbies. Although there are still plenty of places I haven't been, I've visited enough foreign countries that I don't deny it when someone calls me a world traveler. Over the years, I've experienced my fair share of foreign spying. I know what it's like to be snooped on.

    I'm no longer surprised when I suddenly get gobs of spam from a country I've visited. My best guess is that someone in the country intercepted my email and recorded my email address. I still get porn spam in Arabic and ads for weight loss products in Mandarin. I've had my laptop and USB keys searched at countless borders.

  • Yet another letsencrypt (ACME) client

    Well, I apparently joined the hordes of people writing ACME (the Protocol behind Let’s Encrypt) clients.

    Like the fairy tale Goldilocks, I couldn’t find a client in the right spot between minimalistic and full-featured for my needs: acme-tiny was too bare-bones; the official letsencrypt client (now called certbot) too huge; and simp_le came very close, but its support for pluggable certificate formats made it just a bit too big for me.

  • Keynote - Complexity: The Enemy of Security
  • Security Holes Found in Widely-Used File Compression Library, Leaving Other Products Dangerously Exposed
  • StartEncrypt considered harmful today

    Recently, one of our hackers (Thijs Alkemade) found a critical vulnerability in StartCom’s new StartEncrypt tool, that allows an attacker to gain valid SSL certificates for domains he does not control. While there are some restrictions on what domains the attack can be applied to, domains where the attack will work include google.com, facebook.com, live.com, dropbox.com and others.

  • Unikernels Will Create More Security Problems Than They Solve

    Unikernels, the most recent overhyped technology in search of a problem to solve, have a number of claimed attributes that make them a “better choice.” One most often claimed is that they are “more secure.” This is the first in a series of articles bringing some light to the reality of unikernels so that you can think about them properly, employ them for what they are good for, and avoid the hype.

  • The Python security response team

    As the final presentation of the 2016 Python Language Summit—though it was followed by a few lightning talks that we are not covering—Christian Heimes led a discussion on the Python security response team. There have been some problems along the way that generally boil down to a need for more people working on the team.
