
Security

Security: Updates, Reproducible Builds, IoT Applications


Purism on Coreboot and More

  • Coreboot and Skylake, part 2: A Beautiful Game!

    While most of you are probably excited about the possibilities of the recently announced “Librem 5” phone, today I am sharing a technical progress report about our existing laptops, particularly findings about getting coreboot to be “production-ready” on the Skylake-based Librem 13 and 15, where you will see one of the primary reasons we experienced a delay in shipping last month (and how we solved the issue).

  • Purism Highlights Challenges During Coreboot Development

    Taking a brief break from their Librem 5 smartphone campaign, there's a new Purism blog post today that explains at length why this summer's Librem laptop shipments were delayed due to a pesky Coreboot bug lasting weeks and what it took to come to a workaround.

  • Linux Phone Crowdfunder Passes $100k Milestone

    Computer maker Purism’s crowdfunding campaign for a privacy-focused phone powered by open-source software has raised over $100,000 in just 4 days.

    At the time of writing $104,300 has been pledged to the project, which aims to deliver a full-featured Linux phone powered, in part, by Matrix.org’s communication platform.

Disabling NSA Back Door (Intel ME)

  • Researchers Find a Way to Disable Much-Hated Intel ME Component Courtesy of the NSA

    Researchers from Positive Technologies — a provider of enterprise security solutions — have found a way to disable the Intel Management Engine (ME), a much-hated component of Intel CPUs.

    Intel ME is a separate processor embedded with Intel CPUs that runs its own operating system complete with processes, threads, memory manager, hardware bus driver, file system, and many other components.

    Intel has always advertised Intel ME as a way for companies to manage computers running on their internal networks. Intel ME includes tools that allow system administrators to monitor, maintain, update, upgrade, and repair computers from a remote, central location.

  • Now you, too, can disable Intel ME 'backdoor' thanks to the NSA

    A team of researchers from Positive Technologies discovered an undocumented configuration setting, designed for use by government agencies, to disable Intel Management Engine 11. Now you too can partake in this government privilege to inactivate Intel’s proprietary CPU master controller.

  • Researchers say Intel's Management Engine feature can be switched off

    That's not an option for the general public, but researchers at Russian security firm Positive Technologies have found a way to use these government-only privileges to disable ME.

    ME is a core component of modern Intel chips that if compromised can provide an attacker with a powerful backdoor. As the researchers note, ME can't be completely disabled because of its role in initializing hardware, power management, and launching the main processor.

Security: PKI, ME, and Titan

  • PKI is needed for micro-services

    Someone would say: but we can trust the source IP!
    The short answer to this is: no.

    The long answer is: no! no! no! no! no! no! no! no! no!

    An IP address is not secure by design; the network can be manipulated quite easily with L2 access (like one compromised server).

    Also, the IP layer is not encrypted by default, so if you have to use some kind of encryption on top in your application, what’s the point of encrypting everything with a pre-shared key when you can use an asymmetric layout?

  • Disabling Intel ME 11 via undocumented mode

    Our team of Positive Technologies researchers has delved deep into the internal architecture of Intel Management Engine (ME) 11, revealing a mechanism that can disable Intel ME after hardware is initialized and the main processor starts. In this article, we describe how we discovered this undocumented mode and how it is connected with the U.S. government's High Assurance Platform (HAP) program.

    Disclaimer: The methods described here are risky and may damage or destroy your computer. We take no responsibility for any attempts inspired by our work and do not guarantee the operability of anything. For those who are aware of the risks and decide to experiment anyway, we recommend using an SPI programmer.

    [...]

    Some users of x86 computers have asked the question: how can one disable Intel ME? The issue has been raised by many, including Positive Technologies experts. And with the recently discovered critical (9.8/10) vulnerability in Intel Active Management Technology (AMT), which is based on Intel ME, the question has taken on new urgency.

    The disappointing fact is that on modern computers, it is impossible to completely disable ME. This is primarily due to the fact that this technology is responsible for initialization, power management, and launch of the main processor. Another complication lies in the fact that some data is hard-coded inside the PCH chip functioning as the southbridge on modern motherboards. The main method used by enthusiasts trying to disable ME is to remove everything "redundant" from the image while maintaining the computer's operability. But this is not so easy, because if built-in PCH code does not find ME modules in the flash memory or detects that they are damaged, the system will not start.

    Intel representatives have been informed about the details of our research. Their response has confirmed our hypothesis about the connection of the undocumented mode with the High Assurance Platform program.

    [...]

    We believe that this mechanism is designed to meet a typical requirement of government agencies, which want to reduce the possibility of side-channel leaks. But the main question remains: how does HAP affect Boot Guard? Due to the closed nature of this technology, it is not possible to answer this question yet, but we hope to do so soon.

  • Google opens up on Titan security: Here's how chip combats hardware backdoors

    Google has detailed how its custom Titan security chip will prevent threats that use firmware-based attacks.

    When it unveiled its tiny Titan chip, Google said it planned to use the processor to give each server in its cloud its own identity.

Security: Updates, FOSS Encryption, and Helicopter Security

  • Security updates for Monday
  • Identiv Raises the Standard of Physical Security With Its First Open Source Software Release

    The use of proprietary encryption schemes and measures — or "security through obscurity" — has proven to be inadequate against modern attack methods. By publishing and sharing its Open Access Card Format, Identiv raises the standard of physical access security by encouraging others to use, review, or extend its implementation. This tool will allow users to program and encode their own physical access cards with secure DESFire EV1/EV2 encryption keys and credential identification data. Customers get the benefit of Common Criteria-certified security without being locked into a single card source. Initially, Identiv will be releasing the OACF specification publicly while the source code will be available on request. The code will include a simple tool for reading and writing uTrust TS-compatible cards. All code will be shared via GitHub.

  • Helicopter security

    Now as we know from children, if you prevent someone from doing anything they don't become your obedient servant, they go out of their way to make sure the authority has no idea what's going on. This is basically how shadow IT became a thing. It was far easier to go around the rules than work with the existing machine. Helicopter security is worse than nothing. At least with nothing you can figure out what's going on by asking questions and getting honest answers. In a helicopter security environment information is actively hidden because truth will only get you in trouble.

GnuPG 2.2.0

  • GnuPG 2.2 Released

    Werner Koch has announced the release of GNU Privacy Guard's GnuPG 2.2 stable series.

  • What’s new in GnuPG 2.1

    GnuPG version 2.1 (now known as 2.2) comes with a bag of new features which changes some things old-timers are used to. This page explains the more important ones. It expects that the reader is familiar with GnuPG version 2.0 and aware that GnuPG consists of gpg, gpgsm, and gpg-agent as its main components.

  • GnuPG 2.2.0 released

    Version 2.2.0 of the GNU Privacy Guard is out; this is the beginning of a new long-term stable series. Changes in this release are mostly minor, but it does now install as gpg rather than gpg2, and it will automatically fetch keys from keyservers by default.

Security: Encryption, NSA, and SMTP

  • benchmarking security tokens speed
  • How Quantum Computing Will Change Browser Encryption

    From a protocol point of view, we're closer to a large-scale quantum computer than many people think. Here's why that's an important milestone.

  • If you're surprised the NSA can hack your computer, you need a reality check

    Colour me shocked. It appears the NSA has been collecting a treasure trove of hacks for Windows, both desktop and servers, covering all versions of the OS bar Windows 10. And this toolbox of capabilities, which also included ways to get into banking and other related systems, has leaked to the public.

    I suspect your jaw isn’t gaping in surprise. What’s followed has been just as predictable.

    First, there’s shock that the NSA might have built such a collection of exploits. Sorry, what do you expect the NSA to be doing? Creating toolkits that can be used against undesirables is what it exists for. Injecting custom spyware onto the laptop of a terrorist could bring up incredibly useful intelligence information, after all.

  • Twenty-plus years on, SMTP callbacks are still pointless and need to die

    A rarely used legacy misfeature of the main Internet email protocol creeps back from irrelevance as a minor annoyance. You should ask your mail and antispam provider about their approach to 'SMTP callbacks'. Be wary of any assertion that is not backed by evidence.

Security: MalwareTech, Passwords Leak, Security Updates and Reproducible Builds

  • MalwareTech’s legal defense fund bombarded with fraudulent donations

    Marcus Hutchins, the popular British security researcher, has a new legal headache beyond the criminal charges against him.

    Hutchins, AKA "MalwareTech," pleaded not guilty two weeks ago to criminal charges in Wisconsin that accuse him of creating and distributing the Kronos malware that steals banking credentials. Now comes word that his legal defense fund was riddled with illicit donations.

  • Leak of >1,700 valid passwords could make the IoT mess much worse

    Security researchers have unearthed a sprawling list of login credentials that allows anyone on the Internet to take over home routers and more than 1,700 "Internet of things" devices and make them part of a destructive botnet.

    The list of telnet-accessible devices, currently posted at this Pastebin address, was first posted in June, but it has been updated several times since then. It contains user names and passwords for 8,233 unique IP addresses, 2,174 of which were still running open telnet servers as of Friday morning, said Victor Gevers, chairman of the GDI Foundation, a Netherlands-based nonprofit that works to improve Internet security. Of those active telnet services, 1,774 remain accessible using the leaked credentials, Gevers said. In a testament to the poor state of IoT security, the 8,233 hosts use just 144 unique username-password pairs.

  • Security updates for Friday
  • Reproducible Builds: Weekly

Blaming GNU/Linux for Facebook Issues


Security: Updates, Phones, Kaspersky, Monero Pool, Microsoft-Connected SourceClear, Ransomware, and Android


More in Tux Machines

Firefly COM dual boots Android and Ubuntu on hexa-core RK3399


Games: Morphite, Mooseman, Arma, and PlayStation 4 DualShock Controller

  • Stylish FPS 'Morphite' released without Linux support, but it's coming
    Sadly, Morphite [Steam] has seen a delay with the Linux version. Thankfully, the developer was quick to respond and it's still coming.
  • The Mooseman, a short side-scrolling adventure just released for Linux
    In the mood for something a little out there? Well, The Mooseman [Steam], a short side-scroller, might just hit the spot.
  • Arma 3 1.76 for Linux is planned, work on it to start "soon"
    Bohemia Interactive have announced in their latest "SITREP" that the Linux version of Arma 3 will be updated to the latest version of 1.76, work is set to start on it "soon".
  • Sony's PlayStation 4 DualShock Controller Now Supported in Fedora Linux, GNOME
    GNOME developer Bastien Nocera talks in his latest blog post about the enhancements he managed to implement in the past few weeks to the Bluetooth stack of the Fedora Linux operating system. The patches submitted by the developer to the Bluetooth packages in the latest Fedora Linux release promise to bring improvements to the way PlayStation 3 DualShock controllers are set up in the environment if you're using the GNOME desktop environment. Until now, to set up a DualShock 3 controller, users had to plug it in via USB, then disconnect it, and then press the "P" button on the joypad, which would have popped up a dialog to confirm the Bluetooth connection. But this method had some quirks though.

Debian Development Reports

  • Free software log (July and August 2017)
    August was DebConf, which included a ton of Policy work thanks to Sean Whitton's energy and encouragement. During DebConf, we incorporated work from Hideki Yamane to convert Policy to reStructuredText, which has already made it far easier to maintain. (Thanks also to David Bremner for a lot of proofreading of the result.) We also did a massive bug triage and closed a ton of older bugs on which there had been no forward progress for many years. After DebConf, as expected, we flushed out various bugs in the reStructuredText conversion and build infrastructure. I fixed a variety of build and packaging issues and started doing some more formatting cleanup, including moving some footnotes to make the resulting document more readable.
  • Freexian’s report about Debian Long Term Support, August 2017
    Like each month, here comes a report about the work of paid contributors to Debian LTS.
  • Reproducible Builds: Weekly report #125
    16 package reviews have been added, 99 have been updated and 92 have been removed in this week, adding to our knowledge about identified issues.

The GNOME Foundation Backs Librem 5

  • GNOME Foundation partners with Purism to support its efforts to build the Librem 5 smartphone
    The GNOME Foundation has provided their endorsement and support of Purism’s efforts to build the Librem 5, which if successful will be the world’s first free and open smartphone with end-to-end encryption and enhanced user protections. The Librem 5 is a hardware platform the Foundation is interested in advancing as a GNOME/GTK phone device. The GNOME Foundation is committed to partnering with Purism to create hackfests, tools, emulators, and build awareness that surround moving GNOME/GTK onto the Librem 5 phone. As part of the collaboration, if the campaign is successful the GNOME Foundation plans to enhance GNOME shell and general performance of the system with Purism to enable features on the Librem 5.
  • Now GNOME Foundation Wants to Support Purism's Privacy-Focused Linux Smartphone
    GNOME Foundation, the non-profit organization behind the popular GNOME desktop environment designed for Linux-based operating systems, announced on Wednesday that they plan on supporting Purism's Librem 5 smartphone. The announcement comes only a week after KDE unveiled their plans to work with Purism on an implementation of their Plasma Mobile interface into the security- and privacy-focused Librem 5 Linux smartphone, and now GNOME is interested in advancing the Librem 5 hardware platform as a GNOME/GTK+ phone device. "Having a Free/Libre and Open Source software stack on a mobile device is a dream-come-true for so many people, and Purism has the proven team to make this happen. We are very pleased to see Purism and the Librem 5 hardware be built to support GNOME," said Neil McGovern, Executive Director, GNOME Foundation.
  • GNOME Joins The Librem 5 Party, Still Needs To Raise One Million More Dollars
    One week after announcing KDE cooperation on the proposed Librem 5 smartphone with plans to get Plasma Mobile on the device if successful, the GNOME Foundation has sent out their official endorsement of Purism's smartphone dream. Purism had been planning to use GNOME from the start for their GNU/Linux-powered privacy-minded smartphone while as of today they have the official backing of the GNOME Foundation.