

Security Leftovers


  • 7 Questions to Ask About Your DevSecOps Program
  • Developers Are Ethical But Not Responsible?

    Ask a person if he or she is a racist and the answer is almost always no. Ask a developer if they consider ethical considerations when writing code and only six percent say no. If everyone acted the way they self-report, then there would be peace and love throughout the world.

    Based on over a hundred thousand respondents, StackOverflow’s Developer Survey 2018 presents a more complicated reality. If they were asked to write code for an unethical purpose, 59 percent would say no, but another 37 percent of developers were non-committal about whether they would comply. In another question, only about 5 percent said they would definitely not report unethical problems with code. But sounding the alarm is about as far as most people will go.

  • Cloud Security: 10 Top Tips
  • Group Policy Objects (GPOs) for Linux®

Security: Updates, Synopsys/Black Duck FUD, and Software Security Over Convenience

  • Security updates for Tuesday
  • With Much of the Data Center Stack Open Source, Security is a Special Challenge [Ed: Black Duck attacking FOSS again in order to sell its proprietary products; does proprietary software have no security issues? Which cannot be fixed, either?]
  • Synopsys reveals its open-source rookies of the year [Ed: Anti-FOSS company Black Duck, which markets its proprietary software by attacking FOSS (it admitted being anti-GPL since inception, created by Microsoft employee), wants the public to think of it as a FOSS authority]
  • Software security over convenience

    Recently I got inspired (paranoid?) by my boss, who cares a lot about software security. Previously, I had almost the same password on all the websites I used, and I had them synced to Google servers (Chrome user previously), but once I started taking software security seriously, I knew the biggest mistake I was making was to have a single password everywhere, so I went one step further and set randomly generated passwords on all online accounts and stored them in a keystore.

Security: Intel, Editors and Windows in Critical Systems

  • diff -u: Intel Design Flaw Fallout

    Linux patches for these issues are in a state of ongoing development. Security is always the first priority, at the expense of any other feature. Next would probably be the general speed of a running system for the average user. After that, the developers might begin piecing together any features that had been pulled as part of the initial security fix.

    But while this effort goes on, the kernel developers seem fairly angry at Intel, especially when they feel that Intel is not doing enough to fix the problems in future processors.

    In response to one set of patches, for example, Linus Torvalds burst out with, "All of this is pure garbage. Is Intel really planning on making this shit architectural? Has anybody talked to them and told them they are f*cking insane?" He went on, "the IBRS garbage implies that Intel is _not_ planning on doing the right thing for the indirect branch speculation. Honestly, that's completely unacceptable."

  • Hackers Can Abuse Plugins for Popular Unix Text Editors to Escalate Privileges

    Advanced Unix text editors offer extensibility by allowing users to install third-party plugins for ease of use and to enhance the text editors' functionality.

    Server administrators often run text editors with elevated privileges (“sudo gedit”) to edit root-owned configuration files. If the text editor contains a vulnerable third-party plugin, it enlarges the attack surface.

  • House approves legislation to authorize Homeland Security cyber teams

    House lawmakers on Monday passed legislation that would codify into law the Department of Homeland Security’s cyber incident response teams that help protect federal networks and critical infrastructure from cyberattacks.

Security: Endgame, Updates, antiX, Fedora and SELinux

  • Endgame Launches Open-Source Initiative to Drive Adoption of MITRE ATT&CK™, the Best Model of Attacker Behavior

    Endgame, the leader in unified endpoint protection against targeted attacks, today announced it released a set of open-source tools that allow enterprises to test defenses against modern attacker behaviors. These tools, called red team automation (RTA), directly map to MITRE's ATT&CK™ matrix, the most comprehensive framework for attacker techniques and tactics. Security teams that lack sufficient time and resources will now have the ability to measure protection capabilities beyond malware-based attacks.

  • Security updates for Monday
  • Security updates for Friday
  • Debian-Based antiX Linux OS Receives New Kernel Patches for Meltdown and Spectre

    The first point release of the Debian-based antiX 17 "Heather Heyer" operating system series arrived this past weekend with a new kernel patched against the Meltdown and Spectre security flaws, as well as the latest software versions.

    antiX 17.1 (Heather Heyer) is now available, powered by the Linux 4.9.87 LTS kernel patched against the Meltdown and Spectre security vulnerabilities unearthed in January 2018 and discovered to put billions of devices at risk of attacks. This protects new antiX installations against these types of attacks.

    Based on the latest Debian GNU/Linux 9.4 "Stretch" operating system, antiX 17.1 comes with up-to-date packages from its software repositories, including the LibreOffice 5.2.7 office suite and Mozilla Firefox 52.7.1 ESR web browser. Additionally, this release comes with eudev 3.5 and latest xf86-video-sisimedia-antix release.

  • Update on the Meltdown & Spectre vulnerabilities

    January saw the announcement of a series of critical vulnerabilities called Spectre and Meltdown. The nature of these issues meant the solutions were complex and required fixing delicate code. The initial fix for Meltdown on x86 was KPTI, which was available almost immediately. Developing mitigations for Spectre was more complex. Other architectures had to look at their vulnerability status as well, and get mitigation in where it was needed. As a bit of time has passed, what is the exposure on Fedora now?

  • SELinux should and does BLOCK access to Docker socket

AMD And CTS Labs: A Story Of Failed Stock Manipulation


We have attempted to contact Jessica Schaefer from Bevel PR, the listed PR firm on the vulnerability disclosure website, only to be greeted by a full voicemail inbox. We attempted to contact both Bevel PR and CTS Labs by email and inquire about the relationship between CTS and Viceroy, and provided them with ample time to respond. They did not respond to our inquiry.

So, let's look at Viceroy Research. According to MoneyWeb, Viceroy Research is headed by a 44-year-old British citizen and ex-social worker, John Fraser Perring, in conjunction with two 23-year-old Australian citizens, Gabriel Bernarde and Aidan Lau. I wonder which of these guys is so fast at typing. Viceroy Research was the group responsible for the uncovering of the Steinhoff accounting scandal, about which you can read more here.

After successfully taking down Steinhoff, it tried to manufacture controversy around Capitec Bank, a fast-growing South African bank. This time it didn't work out so well. The Capitec stock price dropped shortly and quickly recovered when the South African reserve bank made a statement that Capitec's business is sound. Just a week ago Viceroy attempted to do the same thing with a German company called ProSieben, also with mixed success, and in alleged breach of German securities laws, according to BaFin (similar to the SEC).

Now, it appears it is going after AMD, though it looks to be another unsuccessful attack.

Investor Takeaway

After the announcement of this news, AMD stock generally traded sideways with slight downward movement, not uncommon for AMD in general. Hopefully this article showed you that CTS's report is largely nonsense and a fabrication with perhaps a small kernel of truth hidden somewhere in the middle. If the vulnerabilities are confirmed by AMD, they are likely to be easily fixed by software patches. If you are long AMD, stay long. If you are looking for an entry point, this might be a good opportunity to use this fake news to your advantage. AMD is a company with a bright future if it continues to execute well, and we see it hitting $20 per share by the end of 2018.


Security: Bitwarden, Container Security, Windows at U.S. Power Plants, Firefox’s Weak Master Password Encryption

  • Behind the scenes with the Bitwarden password manager

    Having to remember passwords for web applications, email, banking, and more begat the password manager. And that begat such popular and proprietary services like LastPass and 1Password.

    A little over two years ago, software developer Kyle Spearrin decided the open source world needed its own web-based password manager. His company, 8Bit Solutions, develops and markets an open source alternative to services like LastPass and 1Password called Bitwarden.

    Recently I had the opportunity to ask Spearrin some questions about Bitwarden's origins, how it secures user information, where he sees Bitwarden going, and more.

  • Episode 88 - Chat with Chris Rosen from IBM about Container Security
  • Feds: Russian [Crackers] Are Attacking U.S. Power Plants
    The targets of these attacks include the country’s electric grid, including its nuclear power system, as well as “commercial facilities, water, aviation, and critical manufacturing sectors,” the statement said.

    The report is damning confirmation of what has for months been suspected: that [crackers] in Russia are capable of infiltrating and compromising vital systems relied on by millions of Americans. According to the new report, the attacks began at least as early as March 2016, thriving on vulnerabilities in these systems’ online operations.

  • Firefox’s Weak Master Password Encryption Can Be Cracked In Just 1 Minute [Ed: If you have physical/remote access to a machine and an account, then you have a lot more power over it than just a list of passwords]

    You might rest assured after setting a Master Password in the Firefox web browser, but it’s not as secure as you think. Last year, Mozilla did a major overhaul of their browser in the form of Firefox Quantum. But the non-profit forgot to fix the security holes that exist in their ‘very fast’ web browser for nine years.

Linux 4.9.88, 4.4.122, and 3.18.100, More Security Patches in Linux 4.16


Security Leftovers

  • As U.S. indicts foreign hackers, American cyber spies fear arrests in tit-for-tat action

    Federal prosecutors call it a “naming and shaming” strategy against hackers working for adversary nations, but former U.S. cyber spies worry they will be the ones ending up in a foreign prison.

    Repeatedly in recent years, U.S. prosecutors have filed criminal charges against hackers working for foreign governments, saying that even if the hackers never get hauled into a U.S. courtroom, the indictments serve as a warning shot across the bow of nations like China, Iran and Russia.

  • Linus Torvalds Slams AMD CPU flaw security report

    The Spectre and Meltdown security vulnerabilities have woken up the industry to potential security flaws in hardware that can be exploited to compromise the integrity of the native computer security role-based authentication.

    Now a new report has indicated potential vulnerabilities on AMD, but Linus Torvalds has jumped into this discussion and shot down this report as not technically sound.

  • Gray Hat
    Marcus Hutchins stopped one of the most dangerous cyberattacks ever. Then the FBI arrested him. Does a hacker [sic] hero always have to have a past?

  • [Crackers] could kill patients by attacking their pacemakers, warns Royal Academy of Engineering

    The experts cautioned that pacemakers or wearable health monitors which are linked up to the [I]nternet or internal computer networks could also provide a gateway for [crackers] to plant ransomware into systems, potentially crippling the NHS or government departments.

  • Security Vulnerability Hidden in Scarlett Johansson Image

Security Leftovers


If you hitch a ride with a scorpion… (Coverity)


I haven’t seen a blog post or notice about this, but according to the Twitters, Coverity has stopped supporting online scanning for open source projects. Is anybody shocked by this? Anybody?
Not sure what the story is with Coverity, but it probably has something to do with 1) they haven’t been able to monetize the service the way they hoped, or 2) they’ve been able to monetize the service and don’t fancy spending the money anymore or 3) they’ve pivoted entirely and just aren’t doing the scanning thing. Not sure which, don’t really care — the end result is the same. Open source projects that have come to depend on this now have to scramble to replace the service.
I’m not going to go all RMS, but the only way to prevent this is to have open tools and services. And pay for them.


More in Tux Machines

today's leftovers

  • Google Patches All Intel Chromebooks Against Spectre Variant 2 with Chrome OS 65
    Google released a new stable version of its Linux-based Chrome OS operating system for Chromebooks, build 65.0.3325.167 (Platform version: 10323.58.0/1) bringing the Meltdown and Spectre mitigations to more devices and a bunch of other improvements.
  • VIDEO: Cooking With Linux: Lots and Lots of Word Processors! The Tuesday Linux Journal Show
  • How to use netstat in GNU/Linux
  • Cutelyst 2 released with HTTP/2 support
    Cutelyst, the Qt/C++ web framework, just got a major release update. Around one and a half years ago Cutelyst v1 got its first release with a stable API/ABI; many improvements were made during this period, but now it was time to clean up the mistakes and give room for new features.
  • Fedora 28 and GNOME 3.28: New Features for Eastern Europe
    This time this is not fake, edited, patched, nor a custom build from COPR but the real screenshots of the unmodified downstream Fedora 28 planned to be released on May 1 this year. Here is how the default calendar widget in GNOME Shell looks in Greek, Polish, and Ukrainian:
  • Stephen Smoogen: /usr/bin/whoami
  • Debian CEF packages
    I've created some Debian CEF packages—CEF isn't the easiest thing to package (and it takes an hour to build even on my 20-core server, since it needs to build basically all of Chromium), but it's fairly rewarding to see everything fall into place. It should benefit not only Nageru, but also OBS and potentially CasparCG if anyone wants to package that.
  • Reproducible builds folks: Reproducible Builds: Weekly report #151
  • Porting L4Re and Fiasco.OC to the Ben NanoNote (Part 1)
    For quite some time, I have been interested in alternative operating system technologies, particularly kernels beyond the likes of Linux. Things like the Hurd and technologies associated with it, such as Mach, seem like worthy initiatives, and contrary to largely ignorant and conveniently propagated myths, they are available and usable today for anyone bothered to take a look. Indeed, Mach has had quite an active life despite being denigrated for being an older-generation microkernel with questionable performance credentials. But one technological branch that has intrigued me for a while has been the L4 family of microkernels. Starting out with the motivation to improve microkernel performance, particularly with regard to interprocess communication, different “flavours” of L4 have seen widespread use and, like Mach, have been ported to different hardware architectures. One of these L4 implementations, Fiasco.OC, appeared particularly interesting in this latter regard, in addition to various other features it offers over earlier L4 implementations. Meanwhile, I have had some success with software and hardware experiments with the Ben NanoNote. As you may know or remember, the Ben NanoNote is a “palmtop” computer based on an existing design (apparently for a pocket dictionary product) that was intended to offer a portable computing experience supported entirely by Free Software, not needing any proprietary drivers or firmware whatsoever. Had the Free Software Foundation been certifying devices at the time of its introduction, I imagine that it would have received the “Respects Your Freedom” certification. So, it seems to me that it is a worthy candidate for a Free Software porting exercise.
  • Samsung Announces Galaxy Tab Active2, a Rugged Android Tablet for Mobile Workers
    Samsung announced today the Galaxy Tab Active2 rugged Android tablet designed for mobile workers conducting business outdoors in industrial locations, under harsh weather, and other difficult conditions.

Games Leftovers

  • Atari reboots Ataribox as Atari VCS, teases April pre-order date
    Legendary game company Atari set retro hearts aflutter last year when it launched an Indiegogo crowdfunding campaign for something called the Ataribox, a living room device running Linux and supposedly combining the features of a PC with a video game console -- complete with some Atari classic games. But the December 14 pre-order date Atari set was abruptly canceled after an unspecified technical issue, and it looked like the Ataribox would never reach any actual customers. This week, however, the company has emerged at the Game Developers Conference with some very similar hardware, albeit with a new name.
  • The Rocket League 'Spring Fever' event is live promising lots of flower power
    Ready to earn some more cosmetic items? The Spring Fever event in Rocket League [Steam] is now live and you can earn yourself some new items using Flowers you earn while playing like this:
  • Epic Games releases the assets from Paragon, for Unreal Engine developers
    In a move that's both surprising and rather welcome, Epic Games has decided to release the assets from their FPS MOBA Paragon for Unreal Engine developers, since they're shutting it down. This will include 20 AAA-quality characters, with their respective skins, animations, VFX and dialogue, along with over 1,500 environment components from Paragon. Here's where it's a bit insane, this all cost Epic Games around $12 million! It's pretty insane how much it costs to make AAA-like games now—eye watering.
  • Game engine Construct 3 adds a remote preview, new runtime is coming to improve game performance
    I'm a huge fan of drag and drop creation tools like Construct 3 [Official Site], that allow you to create games by building simple events sheets and it seems they've continued making Construct 3 more awesome to use.
  • Open-source re-implementation of RollerCoaster Tycoon 2 'OpenRCT2' has a fresh update
    Miss the days of playing RollerCoaster Tycoon 2? Miss them no more, as OpenRCT2 [GitHub, Official Site] is alive and well with a fresh update. Like many open source game engines, it allows you to play RollerCoaster Tycoon 2 on systems not designed for it—like Linux. Naturally, it comes with tons of improvements like user interface theming, fast-forwarding gameplay, multiplayer and so on.
  • Zombasite - Orc Schism, the expansion to the action RPG is out adding more content
    Here's one I sadly missed, released back in December (oh my!), Zombasite - Orc Schism [Steam, GOG] is an expansion to the dynamic zombie apocalypse action RPG.

GNOME: GitLab Migration and More

  • IMPORTANT: GitLab mass migration plan
    I know some fellows don't read desktop-devel-list, so let me share here an email that is important for all to read: We have put in place the plan for the mass migration to GitLab and the steps maintainers need to take.
  • ED Update – week 11
  • Reflections on Distractions in Work, Productivity and Time Usage
    For the past year or so I have mostly worked at home or remotely in my daily life. Currently I’m engaged in my master's thesis and need to manage my daily time and energy to work on it. It is no surprise to many of us that working using your internet-connected personal computer at home can make you prone to many distractions. However, managing your own time is not just about whipping and self-discipline. It is about setting yourself up in a structure which rewards you for hard work and gives your mind the breaks it needs. Based on reflections and experimentation with many scheduling systems and tools, I finally feel I have achieved a set of principles I really like, and that’s what I’ll be sharing with you today. [...] Minimizing shell notifications: While I don’t have the same big hammer to “block access to my e-mail” here, I decided to change the order of my e-mail inboxes in Geary so my more relevant (and far less activity-prone) student e-mail inbox appears first. I also turned off the background e-mail daemon and turned off notification banners in GNOME Shell. [...] Lastly, I want to give two additional tips. If you like listening to music while working, consider whether it might affect your productivity. For example, I found music with vocals to be distracting if I try to immerse myself in reading difficult literature. I can really recommend Doctor Turtle’s acoustic instrumental music while working though (all free). Secondly, I find that different types of tasks require different postures. For abstract, high-level or vaguely formulated tasks (e.g. formulating goals, reviewing something or reflecting), I find interacting with the computer whilst standing up and walking around really helps gather my thoughts. On the other hand, with practical tasks or tasks which require immersion (e.g. programming tasks), I find sitting down to be much more comfortable.

OSS, Openwashing and FUD