Security Leftovers

Filed under
Security

Security support for Wheezy handed over to the LTS team

Filed under
Security
Debian

As of 25 April, one year after the release of Debian 8, alias "Jessie", and nearly three years after the release of Debian 7, alias "Wheezy", regular security support for Wheezy comes to an end. The Debian Long Term Support (LTS) Team will take over security support.


Also: Debian GNU/Linux 7 "Wheezy" Has Become an LTS Release, Supported Until May 2018

Security Leftovers

  • Friday's security updates
  • Why I gave your paper a Strong Reject

    Writing a bunch of wordy bullshit that doesn't mean anything. Trust me, you're not going to wow and amaze the program committee by talking about dynamic, scalable, context-aware, Pareto-optimal middleware for cloud hosting of sensing-intensive distributed vehicular applications. If your writing sounds like the automatically-generated, fake Rooter paper ("A theoretical grand challenge in theory is the important unification of virtual machines and real-time theory. To what extent can web browsers be constructed to achieve this purpose?"), you might want to rethink your approach. Be concise and concrete. Explain what you're doing in clear terms. Bad ideas won't get accepted just because they sound fancy.

  • Computer System Security Policy Debate (Follow-up)

    The challenge is that political people see everything as a political/policy issue, but this isn’t that kind of issue. I get particularly frustrated when I read ignorant ramblings like this that dismiss the overwhelming consensus of the people that actually understand what needs to be done as emotional, hysterical obstructionism. Contrary to what seems to be that author’s point, constructive dialogue and understanding values does nothing to change the technical risks of mandating exceptional access. Of course the opponents of Feinstein-Burr decry it as technologically illiterate, it is technologically illiterate.

Security Leftovers

  • Let's Encrypt Reaches 2,000,000 Certificates

    Earlier today, the Let's Encrypt certificate authority issued its two millionth certificate, less than two months after the millionth certificate. As we noted when the millionth certificate was issued, each certificate can cover several web sites, so the certificates Let's Encrypt has issued are already protecting millions and millions of sites.

  • Hackers Make This Search Engine Out Of 70 Million Voters’ Data

    Did you ever imagine easily browsable hacked data available to the public, and that too in the form of a search engine? Well, here is one of those interesting hacking cases where hackers made a search engine out of the hacked data of 70 million citizens of the Philippines, and anyone can easily search for everybody else.

  • How Big Is Your Target?

    In his 2014 TED presentation Cory Doctorow compares an open system of development to the scientific method and credits the methods for bringing mankind out of the dark ages. Tim Berners-Lee has a very credible claim to patent the technology that runs the internet, but instead has championed its open development. This open development has launched us forward into a brave new world. Nearly one third of all internet traffic rides on just one openly developed project. Its place of dominance may be unsure as we approach a world with cybersecurity headlines. Those headlines do much to feed the industry of fear, resulting in government efforts to close doors on open source efforts.

    This paper is a qualitative theoretical discussion regarding cyber security and open source solutions, written in three parts. Its goal is to demonstrate that the use of open source technologies reduces vulnerability to cyber attacks. The first part of this paper identifies the difficulties in presenting a software consideration model capable of illustrating the full spectrum of expectations for the performance of today's code. Previous models merely address basic requirements for execution, namely security, functionality, and usability. While these aspects are important, they fail to take into account modern requirements for maintenance, scalability, price, reliability and accessibility of software. This part of the paper modernizes the model developed by Andrew Waite and presents a clear model for software discussion.

Security Leftovers

  • Thursday's security updates
  • libressl - more vague promises

    There hasn’t been a lot of noise coming out of the LibreSSL camp recently. Mostly there’s not much to report, so any talks or presentations will recover a lot of the same material. But it’s an election year, and in that spirit, we can look back at some promises previously made and hopefully make a few new ones.

  • My OpenWrt Tor configuration

    In my previous article I shared my thoughts on running Tor on the router. I described an ideal Tor router configuration and argued that having Tor on the router benefits both security and usability.

    This article is about that ideal Tor router configuration. How did I configure my router, and why did I choose the configuration? The interesting part is that it really is “just configuration”. No programming involved. Even more interesting, it's easy too!

Security Leftovers

  • April security sensationalism and FUD

    If you happen to follow the security scene, you must have noticed a lot of buzz around various security issues discovered this month. Namely, a critical vulnerability in the Microsoft Graphics Component, as outlined in the MS16-039 bulletin, stories and rumors around something called the Badlock bug, and risks associated with using Firefox add-ons. All well and good, except it's nothing more than clickbait hype nonsense.

    Reading the articles fueled my anger to such heights that I had to wait a day or two before writing this piece. Otherwise, it would have just been venom and expletives. But it is important to express myself and protect the Internet users from the torrent of pointless, amateurish, sensationalist wanna-be hackerish security diarrhea that has been produced this month. Follow me.

  • DRAM bitflipping exploits that hijack computers just got easier
  • PacketFence v6.0 released

    The Inverse team is pleased to announce the immediate availability of PacketFence 6.0. This is a major release with new features, enhancements and important bug fixes. This release is considered ready for production use and upgrading from previous versions is strongly advised.

  • [Old] The Athens Affair

    How some extremely smart hackers pulled off the most audacious cell-network break-in ever

  • Write opinionated workarounds

    A few years ago, I decided that I should aim for my code to be as portable as possible. This generally meant targeting POSIX; in some cases I required slightly more, e.g., "POSIX with OpenSSL installed and cryptographic entropy available from /dev/urandom". This dedication made me rather unusual among software developers; grepping the source code for the software I have installed on my laptop, I cannot find any other examples of code with strictly POSIX compliant Makefiles, for example. (I did find one other Makefile which claimed to be POSIX-compatible; but in actual fact it used a GNU extension.) As far as I was concerned, strict POSIX compliance meant never having to say you're sorry for portability problems; if someone ran into problems with my standard-compliant code, well, they could fix their broken operating system.

Security Leftovers

  • Tuesday's security updates
  • Security advisories for Wednesday
  • Red Hat Product Security Risk Report: 2015

    This report takes a look at the state of security risk for Red Hat products for calendar year 2015. We look at key metrics, specific vulnerabilities, and the most common ways users of Red Hat products were affected by security issues.

    Our methodology is to look at how many vulnerabilities we addressed and their severity, then look at which issues were of meaningful risk, and which were exploited. All of the data used to create this report is available from public data maintained by Red Hat Product Security.


More in Tux Machines

Leftovers: OSS and Sharing

  • Lenovo Cloud Director: Open Source Technologies Are The Glue That Binds The Hybrid Cloud
    Hardware giant Lenovo is banking on a future where both public and private clouds are critical in driving IT innovation, and the glue binding those hybrid environments is mostly open source technologies. Dan Harmon, Lenovo's group director of cloud and software-defined infrastructure, encouraged solution providers attending the NexGen Cloud Conference & Expo on Wednesday to explore opportunities to engage Lenovo as its products stock the next generation of cloud data centers. Both public and private clouds are growing rapidly and will dominate the market by 2020, Harmon told attendees of the conference produced by CRN parent The Channel Company.
  • Cloudera Ratchets Up its Training for Top Open Source Data Solutions
    Recently, we've taken note of the many organizations offering free or low cost Hadoop and Big Data training. MIT and MapR are just a couple of the players making waves in this space. Recently, Cloudera announced a catalog of online, self-paced training classes covering the company's entire portfolio of industry-standard Apache Hadoop and Apache Spark training courses. The courses, according to Cloudera, allow you to learn about the latest big data technologies "in a searchable environment anytime, anywhere." Now, Cloudera has announced an updated lineup of training courses and performance-based certification exams for data analysts, database administrators, and developers. The expanded training offerings address the skills gap around many top open source technologies, such as Apache Impala (incubating), Apache Spark, Apache Kudu, Apache Kafka and Apache Hive.
  • Netflix’s open-source project Hollow, NVIDIA’s deep learning kits for educators, and new IBM Bluemix integrations—SD Times news digest: Dec. 6, 2016
  • Open governance enhances the value of land use policy software
    In December 2015, the COP21 Paris Agreement saw many countries commit to reducing greenhouse gas emissions through initiatives in the land sector. In this context, emissions estimation systems will be key in ensuring these targets are met. Such solutions would not only be capable of assessing past trends but also of supporting target setting, tracking progress and helping to develop scenarios to inform policy decisions.
  • Blender Institute collaborate with Lulzbot in the name of open source
    Blender Institute, a platform for 3D design and animation, is collaborating with Lulzbot 3D printers. This project is a continuation of Lulzbot and Blender Institute's approach to open source and is aimed at enhancing collaboration. The Blender Institute in Amsterdam, the Netherlands, is an important figure in the Free and Open Source Software (FOSS) community, providing open source design tool software for 3D movies, games, and visual effects, while Lulzbot, a product line of Aleph Objects, takes an open source approach to hardware through its 3D printers.
  • Bluetooth 5 Specification Released

Remembering Linux Installfests

Ah, yes. I remember the good old days when you had to be a real man or woman to install Linux, and the first time you tried you ended up saying something like “Help!” or maybe “Mommmmyyyyy!” Really, kids, that’s how it was. Stacks of floppies that took about 7,000 hours to download over your 16 baud connection. Times sure have changed, haven’t they? I remember Caldera advertising that their distribution autodetected 1,500 different monitors. I wrote an article titled “Monitor Number 1501,” because it didn’t detect my monitor. And sound. Getting sound going in Linux took mighty feats of systemic administrationish strength. Mere mortals could not do it. And that’s why we had installfests: so mighty Linux he-men and she-women could come down from the top of Slackware Mountain or the Red Hat Volcano and share their godlike wisdom with us. We gladly packed up our computers and took them to the installfest location (often at a college, since many Linux-skilled people were collegians) and walked away with Linuxized computers. Praise be!

What New Is Going To Be In Ubuntu 17.04 'Zesty Zapus'

Right on the heels of Ubuntu 16.10 'Yakkety Yak' is Ubuntu 17.04 Zesty Zapus. Ubuntu 17.04 is currently scheduled for release on April 13, 2017, but know that this is only an estimate. One thing to know is that, all things being equal, it is going to be released in April 2017. Ubuntu Zesty Zapus will be supported for only 9 months, until January 2018, as it is not an LTS (long term support) release.

Security News

  • News in brief: DirtyCOW patched for Android; naked lack of security; South Korea hacked
  • Millions exposed to malvertising that hid attack code in banner pixels
    Researchers from antivirus provider Eset said "Stegano," as they've dubbed the campaign, dates back to 2014. Beginning in early October, its unusually stealthy operators scored a major coup by getting the ads displayed on a variety of unnamed reputable news sites, each with millions of daily visitors. Borrowing from the word steganography—the practice of concealing secret messages inside a larger document that dates back to at least 440 BC—Stegano hides parts of its malicious code in parameters controlling the transparency of pixels used to display banner ads. While the attack code alters the tone or color of the images, the changes are almost invisible to the untrained eye.
  • Backdoor accounts found in 80 Sony IP security camera models
    Many network security cameras made by Sony could be taken over by hackers and infected with botnet malware if their firmware is not updated to the latest version. Researchers from SEC Consult have found two backdoor accounts that exist in 80 models of professional Sony security cameras, mainly used by companies and government agencies given their high price. One set of hard-coded credentials is in the Web interface and allows a remote attacker to send requests that would enable the Telnet service on the camera, the SEC Consult researchers said in an advisory Tuesday.
  • I'm giving up on PGP
    After years of wrestling GnuPG with varying levels of enthusiasm, I came to the conclusion that it's just not worth it, and I'm giving up. At least on the concept of long term PGP keys. This is not about the gpg tool itself, or about tools at all. Many already wrote about that. It's about the long term PGP key model—be it secured by Web of Trust, fingerprints or Trust on First Use—and how it failed me.