Language Selection

English French German Italian Portuguese Spanish

Security

Adobe Digital Editions 4 Spies on Users - Because of DRM

Filed under
Security

This column has written many times about the deep flaws of Digital Rights Management (DRM) - or "Digital Restrictions Management" as Richard Stallman rightly calls it - and the ridiculous laws that have been passed to "protect" it. What these effectively do is place copyright above basic rights - not just in the realm of copyright, but even in areas like privacy. Yesterday, another example of the folly of using DRM'd products came to light.

Read more

The Source of Vulnerabilities, How Red Hat finds out about vulnerabilities.

Filed under
Red Hat
Security

Red Hat Product Security track lots of data about every vulnerability affecting every Red Hat product. We make all this data available on our Measurement page and from time to time write various blog posts and reports about interesting metrics or trends.

One metric we’ve not written about since 2009 is the source of the vulnerabilities we fix. We want to answer the question of how did Red Hat Product Security first hear about each vulnerability?

Every vulnerability that affects a Red Hat product is given a master tracking bug in Red Hat bugzilla. This bug contains a whiteboard field with a comma separated list of metadata including the dates we found out about the issue, and the source. You can get a file containing all this information already gathered for every CVE. A few months ago we updated our ‘daysofrisk’ command line tool to parse the source information allowing anyone to quickly create reports like this one.

Read more

USB Sees Many Changes For Linux 3.18 Kernel

Filed under
Linux
Hardware
Security

Greg Kroah-Hartman sent in pull requests on Tuesday for the various kernel subsystems he maintains. The USB changes as he put it are "lots of little changes in here, all over the place", per his mailing list post.

Read more

Ten Year Old "Critical" Bug Discovered In OpenBSD

Filed under
Security
BSD

While OpenBSD generally prides itself on being a secure, open-source operating system and focusing more on code corectness and security rather than flashy features, it turns out a potential security bug has been living within OpenBSD for the past decade.

Phoronix German ready "FRIGN" wrote in to Phoronix this afternoon with a subject entitled, "10 year old critical bug in OpenBSD discovered." He pointed out a post today about a bug discovered in OpenBSD's polling subsystem that could allow DDoS-style attacks on servers, "a critical bug in the polling-subsystem in OpenBSD has been uncovered which allows DDoS-attacks on servers using a non-standard derivation from the POSIX-standard in marking file descriptors non-readable when they should return EOF."

Read more

Open source's "shallow bugs" theory hasn't been Shellshocked

Filed under
OSS
Security

It hasn't been a good year for open source. Not for its generally golden reputation for software quality and security, anyway. But in a rush to lay blame for the Bash Shellshock vulnerability (and previously for Heartbleed) some, like Roger Grimes, want to dismantle some of the cardinal tenets of open source, like the suggestion that "given enough eyeballs, all bugs are shallow."

Read more

Tor executive director hints at Firefox integration

Filed under
Moz/FF
Security

Tor, which is capable of of all that and more, crucially blocks websites from learning any identifying information about you and circumvents censorship. It also stymies eavesdroppers from discovering what you’re doing on the Web. For those reasons, it would be a powerful addition to the arsenal of privacy tools Firefox already possesses.

The Tor Browser is already a modified version of Firefox, developed over the last decade with close communication between the Tor developers and Mozilla on issues such as security and usability.

Read more

LibreSSL: More Than 30 Days Later

Filed under
Security
BSD

Instead, libressl is here because of a tragic comedy of other errors. Let's start with the obvious. Why were heartbeats, a feature only useful for the DTLS protocol over UDP, built into the TLS protocol that runs over TCP? And why was this entirely useless feature enabled by default? Then there's some nonsense with the buffer allocator and freelists and exploit mitigation countermeasures, and we keep on digging and we keep on not liking what we're seeing. Bob's talk has all the gory details.
But why fork? Why not start from scratch? Why not start with some other contender? We did look around a bit, but sadly the state of affairs is that the other contenders aren't so great themselves. Not long before Heartbleed, you may recall Apple dealing with goto fail, aka the worst bug ever, but actually about par for the course.

Read more

Secure Linux Systems Require Savvy Users

Filed under
Linux
Security

Patches are available to fix the bash vulnerability known as Shellshock, along with three additional security issues recently found in the bash shell. The patches are available for all major Linux distros as well as for Solaris, with the patches being distributed through the various distros.

Read more

Free Software Foundation statement on the GNU Bash "shellshock" vulnerability

Filed under
GNU
Security

Proprietary, (aka nonfree) software relies on an unjust development model that denies users the basic freedom to control their computers. When software's code is kept hidden, it is vulnerable not only to bugs that go undetected, but to the easier deliberate addition and maintenance of malicious features. Companies can use the obscurity of their code to hide serious problems, and it has been documented that Microsoft provides intelligence agencies with information about security vulnerabilities before fixing them.

Read more

Firejail – A Security Sandbox for Mozilla Firefox

Filed under
Moz/FF
Security

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications. The core technology behind Firejail is Linux Namespaces, a virtualization technology available in Linux kernel. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table, IPC space.

Read more

Syndicate content

More in Tux Machines

UNIX Industry Banks on Linux Strategies

Struggling UNIX server makers are strengthening their Linux strategy in line with the open-source application environment. The move is aimed at maintaining remaining customers, since users are increasingly abandoning UNIX servers. However, it is receiving a lukewarm response from the market. According to industry sources on Dec. 22, server vendors such as IBM and HP are concentrating on the development of products so that the Linux operating system and related applications can be used as UNIX servers. Read more

Mageia Beta Delayed, Christmas Quiz, and 7 Best Alternatives

Today in Linux news the Mageia project announced another delay in version 5 Beta 2. The Linux Voice is running a Linux quiz for Christmas and Gary Newell offers up his list of the seven best alternative Linux distributions of the year. The Register says 2015 will be the year of Linux - on mobile. Three reviews need to be highlighted and, finally today, Matt Hartley says everyone should switch to Ubuntu MATE. Read more Also: Linux Bloat, Linux Lite, and Devuan Update

Christmas rest for the braves

We planned initially to release Mageia 5 beta 2 around the 16th of December. We still have some work left to complete to release a proper beta 2 that would drive us through to the final release. Releasing development ISOs is a good way to test all the functions of the installer with the largest possible scope of use cases and variety of hardware. We still have some issues left with EFI integration and some tricky bugs in the installer. So in order to allow some time to fix them and also to still enjoy the Christmas period with friends and family, it has been decided to delay beta 2 until the 6th of January 2015, the initial date of the RC, and then postpone the final release. Read more

Enterprise Advances Brought Linux Success in 2014

For Linux, 2014 could easily be labeled the year enterprise really and truly embraced Linux. It could just as easily be labeled the year that nearly forgot Linux on the desktop. If you weren’t Docker, containers, OpenStack, or big data ─ chances are the spotlight didn’t brighten your day much. If, however, you (or your product) fell into one of those categories, that spotlight shined so brightly, it was almost blinding. Let’s glance back into our own wayback machine and see where Linux succeeded and where it did not. The conclusions should be fairly simple to draw and are incredibly significant to the state of Linux as a whole. Read more