Security Leftovers

  • 7 Questions to Ask About Your DevSecOps Program
  • Developers Are Ethical But Not Responsible?

    Ask a person if he or she is a racist and the answer is almost always no. Ask a developer if they consider ethical considerations when writing code and only six percent say no. If everyone acted the way they self-report, then there would be peace and love throughout the world.

    Based on over a hundred thousand respondents, StackOverflow’s Developer Survey 2018 presents a more complicated reality. If they were asked to write code for an unethical purpose, 59 percent would say no, but another 37 percent of developers were non-committal about whether they would comply. In another question, only about 5 percent said they would definitely not report unethical problems with code. But sounding the alarm is about as far as most people will go.

  • Cloud Security: 10 Top Tips
  • Group Policy Objects (GPOs) for Linux®

Security: Updates, Synopsys/Black Duck FUD, and Software Security Over Convenience

  • Security updates for Tuesday
  • With Much of the Data Center Stack Open Source, Security is a Special Challenge [Ed: Black Duck attacking FOSS again in order to sell its proprietary products; does proprietary software have no security issues? Which cannot be fixed, either?]
  • Synopsys reveals its open-source rookies of the year [Ed: Anti-FOSS company Black Duck, which markets its proprietary software by attacking FOSS (it admitted being anti-GPL since inception, created by a Microsoft employee), wants the public to think of it as a FOSS authority]
  • Software security over convenience

    Recently I got inspired (paranoid?) by my boss who cares a lot about software security. Previously, I had almost the same password on all the websites I used, I had them synced to Google servers (Chrome user previously), but once I started taking software security seriously, I knew the biggest mistake I was making was to have a single password everywhere, so I went one step forward and set randomly generated passwords on all online accounts and stored them in a keystore.

Security: Intel, Editors and Windows in Critical Systems

  • diff -u: Intel Design Flaw Fallout

    Linux patches for these issues are in a state of ongoing development. Security is always the first priority, at the expense of any other feature. Next would probably be the general speed of a running system for the average user. After that, the developers might begin piecing together any features that had been pulled as part of the initial security fix.

    But while this effort goes on, the kernel developers seem fairly angry at Intel, especially when they feel that Intel is not doing enough to fix the problems in future processors.

    In response to one set of patches, for example, Linus Torvalds burst out with, "All of this is pure garbage. Is Intel really planning on making this shit architectural? Has anybody talked to them and told them they are f*cking insane?" He went on, "the IBRS garbage implies that Intel is _not_ planning on doing the right thing for the indirect branch speculation. Honestly, that's completely unacceptable."

  • Hackers Can Abuse Plugins for Popular Unix Text Editors to Escalate Privileges

    Advanced Unix text editors offer extensibility by allowing users to install third-party plugins for ease of use and to enhance the text editors' functionality.

    Server administrators often run text editors with elevated privileges (“sudo gedit”) to edit root-owned configuration files. If the text editor contains a vulnerable third-party plugin, it enlarges the attack surface.

  • House approves legislation to authorize Homeland Security cyber teams

    House lawmakers on Monday passed legislation that would codify into law the Department of Homeland Security’s cyber incident response teams that help protect federal networks and critical infrastructure from cyberattacks.

Security: Endgame, Updates, antiX, Fedora and SELinux

  • Endgame Launches Open-Source Initiative to Drive Adoption of MITRE ATT&CK™, the Best Model of Attacker Behavior

    Endgame, the leader in unified endpoint protection against targeted attacks, today announced it released a set of open-source tools that allow enterprises to test defenses against modern attacker behaviors. These tools, called red team automation (RTA), directly map to MITRE's ATT&CK™ matrix, the most comprehensive framework for attacker techniques and tactics. Security teams that lack sufficient time and resources will now have the ability to measure protection capabilities beyond malware-based attacks.

  • Security updates for Monday
  • Security updates for Friday
  • Debian-Based antiX Linux OS Receives New Kernel Patches for Meltdown and Spectre

    The first point release of the Debian-based antiX 17 "Heather Heyer" operating system series arrived this past weekend with a new kernel patched against the Meltdown and Spectre security flaws, as well as the latest software versions.

    antiX 17.1 (Heather Heyer) is now available, powered by the Linux 4.9.87 LTS kernel patched against the Meltdown and Spectre security vulnerabilities unearthed in January 2018 and discovered to put billions of devices at risk of attacks. This protects new antiX installations against these types of attacks.

    Based on the latest Debian GNU/Linux 9.4 "Stretch" operating system, antiX 17.1 comes with up-to-date packages from its software repositories, including the LibreOffice 5.2.7 office suite and Mozilla Firefox 52.7.1 ESR web browser. Additionally, this release comes with eudev 3.5 and latest xf86-video-sisimedia-antix release.

  • Update on the Meltdown & Spectre vulnerabilities

    January saw the announcement of a series of critical vulnerabilities called Spectre and Meltdown. The nature of these issues meant the solutions were complex and required fixing delicate code. The initial fix for Meltdown on x86 was KPTI, which was available almost immediately. Developing mitigations for Spectre was more complex. Other architectures had to look at their vulnerability status as well, and get mitigation in where it was needed. As a bit of time has passed, what is the exposure on Fedora now?

  • SELinux should and does BLOCK access to Docker socket

AMD And CTS Labs: A Story Of Failed Stock Manipulation

We have attempted to contact Jessica Schaefer from Bevel PR, the listed PR firm on the vulnerability disclosure website, only to be greeted by a full voicemail inbox. We attempted to contact both Bevel PR and CTS Labs by email and inquire about the relationship between CTS and Viceroy, and provided them with ample time to respond. They did not respond to our inquiry.

So, let's look at Viceroy Research. According to MoneyWeb, Viceroy Research is headed by a 44-year-old British citizen and ex-social worker, John Fraser Perring, in conjunction with two 23-year-old Australian citizens, Gabriel Bernarde and Aidan Lau. I wonder which of these guys is so fast at typing. Viceroy Research was the group responsible for the uncovering of the Steinhoff accounting scandal, about which you can read more here.

After successfully taking down Steinhoff, it tried to manufacture controversy around Capitec Bank, a fast-growing South African bank. This time it didn't work out so well. The Capitec stock price dropped shortly and quickly recovered when the South African reserve bank made a statement that Capitec's business is sound. Just a week ago Viceroy attempted to do the same thing with a German company called ProSieben, also with mixed success, and in alleged breach of German securities laws, according to BaFin (similar to the SEC).

Now, it appears it is going after AMD, though it looks to be another unsuccessful attack.

Investor Takeaway

After the announcement of this news, AMD stock generally traded sideways with slight downward movement, not uncommon for AMD in general. Hopefully this article showed you that CTS's report is largely nonsense and a fabrication with perhaps a small kernel of truth hidden somewhere in the middle. If the vulnerabilities are confirmed by AMD, they are likely to be easily fixed by software patches. If you are long AMD, stay long. If you are looking for an entry point, this might be a good opportunity to use this fake news to your advantage. AMD is a company with a bright future if it continues to execute well, and we see it hitting $20 per share by the end of 2018.

Security: Bitwarden, Container Security, Windows at U.S. Power Plants, Firefox’s Weak Master Password Encryption

  • Behind the scenes with the Bitwarden password manager

    Having to remember passwords for web applications, email, banking, and more begat the password manager. And that begat such popular and proprietary services as LastPass and 1Password.

    A little over two years ago, software developer Kyle Spearrin decided the open source world needed its own web-based password manager. His company, 8Bit Solutions, develops and markets an open source alternative to services like LastPass and 1Password called Bitwarden.

    Recently I had the opportunity to ask Spearrin some questions about Bitwarden's origins, how it secures user information, where he sees Bitwarden going, and more.

  • Episode 88 - Chat with Chris Rosen from IBM about Container Security
  • Feds: Russian [Crackers] Are Attacking U.S. Power Plants
    The targets of these attacks include the country’s electric grid, including its nuclear power system, as well as “commercial facilities, water, aviation, and critical manufacturing sectors,” the statement said.

    The report is damning confirmation of what has for months been suspected: that [crackers] in Russia are capable of infiltrating and compromising vital systems relied on by millions of Americans. According to the new report, the attacks began at least as early as March 2016, thriving on vulnerabilities in these systems’ online operations.

  • Firefox’s Weak Master Password Encryption Can Be Cracked In Just 1 Minute [Ed: If you have physical/remote access to a machine and an account, then you have a lot more power over it than just a list of passwords]

    You might rest assured after setting a Master Password in the Firefox web browser, but it’s not as secure as you think. Last year, Mozilla did a major overhaul of their browser in the form of Firefox Quantum. But the non-profit forgot to fix the security holes that exist in their ‘very fast’ web browser for nine years.

Linux 4.9.88, 4.4.122, and 3.18.100, More Security Patches in Linux 4.16

Security Leftovers

  • As U.S. indicts foreign hackers, American cyber spies fear arrests in tit-for-tat action

    Federal prosecutors call it a “naming and shaming” strategy against hackers working for adversary nations, but former U.S. cyber spies worry they will be the ones ending up in a foreign prison.

    Repeatedly in recent years, U.S. prosecutors have filed criminal charges against hackers working for foreign governments, saying that even if the hackers never get hauled into a U.S. courtroom, the indictments serve as a warning shot across the bow of nations like China, Iran and Russia.

  • Linus Torvalds Slams AMD CPU flaw security report

    The Spectre and Meltdown security vulnerabilities have woken up the industry to potential security flaws in hardware that can be exploited to compromise the integrity of the native computer security role-based authentication.

    Now a new report has indicated potential vulnerabilities on AMD, but Linus Torvalds has jumped into this discussion and shot down this report as not technically sound.

  • Gray Hat
    Marcus Hutchins stopped one of the most dangerous cyberattacks ever. Then the FBI arrested him. Does a hacker [sic] hero always have to have a past?

  • [Crackers] could kill patients by attacking their pacemakers, warns Royal Academy of Engineering

    The experts cautioned that pacemakers or wearable health monitors which are linked up to the [I]nternet or internal computer networks could also provide a gateway for [crackers] to plant ransomware into systems, potentially crippling the NHS or government departments.

  • Security Vulnerability Hidden in Scarlett Johansson Image

Security Leftovers

If you hitch a ride with a scorpion… (Coverity)

I haven’t seen a blog post or notice about this, but according to the Twitters, Coverity has stopped supporting online scanning for open source projects. Is anybody shocked by this? Anybody?
Not sure what the story is with Coverity, but it probably has something to do with 1) they haven’t been able to monetize the service the way they hoped, or 2) they’ve been able to monetize the service and don’t fancy spending the money anymore or 3) they’ve pivoted entirely and just aren’t doing the scanning thing. Not sure which, don’t really care — the end result is the same. Open source projects that have come to depend on this now have to scramble to replace the service.
I’m not going to go all RMS, but the only way to prevent this is to have open tools and services. And pay for them.
