Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Filed under
Security
  • Hackers once stole a casino's high-roller database through a thermometer in the lobby fish tank

    Hackers are increasingly targeting "internet of things" devices to access corporate systems, using things like CCTV cameras or air-conditioning units, according to the CEO of a cybersecurity firm.

    The internet of things refers to devices hooked up to the internet, and it has expanded to include everything from household appliances to widgets in power plants.

    Nicole Eagan, the CEO of Darktrace, told the WSJ CEO Council Conference in London on Thursday: "There's a lot of internet-of-things devices, everything from thermostats, refrigeration systems, HVAC systems, to people who bring in their Alexa devices into the offices. There's just a lot of IoT. It expands the attack surface, and most of this isn't covered by traditional defenses."

  • Certificate Transparency and HTTPS

    CT stands for “Certificate Transparency” and, in simple terms, means that all certificates for websites will need to be registered by the issuing Certificate Authority (CA) in at least two public Certificate Logs.

  • Security updates for Thursday
  • IBM introduces open-source library for protecting AI systems
  • How to combine SSH key authentication and two-factor authentication on Linux
  • openSUSE Heroes loves Let’s Encrypt™ – Expect certificate exchange

    openSUSE loves Let's Encrypt™

    Maybe some of you noticed, that our certificate *.opensuse.org on many of services will expire soon (on 2018-04-23).

    As we noticed that – as well – we decided to put a bit of work into this topic and we will use Let’s Encrypt certificates for the encrypted services of the openSUSE community.

    This is just a short notice / announcement for all of you, that we are working on this topic at the moment. We will announce, together with the deployment of the new certificate, the regarding hashes and maybe some further information on our way of implementing things.

Security Leftovers

Filed under
Security

OSS and Security Leftovers

Filed under
OSS
Security
  • Open-source library for improving security of AI systems

    Attacks against neural networks have recently been flagged as one of the biggest dangers in our modern world where AI systems are increasingly getting embedded in many technologies we use and depend on daily.

    Adversaries can sometimes tamper with them even if they don’t know much about them, and “breaking” the system could result in very dangerous consequences.

    [...]

    The library is written in Python, as it is the most commonly used programming language for developing, testing and deploying Deep Neural Networks.

  • IBM launches open-source library for securing AI systems

    On Tuesday at the RSA conference in San Francisco, IBM announced the launch of the Adversarial Robustness Toolbox to support developers and users of AI that may become the victims of attacks against AI systems including Deep Neural Networks (DNNs).

    According to the tech giant, threat actors may be able to exploit weaknesses in AI systems through very subtle means. Simple, small, and often undetectable alterations in content including images, video, and audio recordings can be crafted to confuse AI systems, even without a deep knowledge of the AI or DNN a cyberattack is targeting.

  • IBM releases new toolbox to protect AI from adversarial attacks

    IBM is releasing an open-source software library to combat against adversarial attacks in deep neural networks (DNNs). DNNs are machine learning models that are capable of recognizing patterns.

  • Build a serverless framework at home: Go on, bit of open sourcey hijinx won't hurt

    First unveiled at SpringOne Platform in December, riff is still an early project. It emerged from the Spring Cloud Data Flow, a data integration project to run Java code as microservices created under Pivotal's open source Java-focused Spring framework.

    "Riff is the next step in that evolution," says Jürgen Leschner, a riff organiser who works at Pivotal. Instead of running microservices that persist in containers, serverless models hide the containers from the developers and operations teams entirely. Instead, when a developer calls a software function, the container orchestration system (in riff's case, Kubernetes) spins one up and then kills it off silently.

    [...]

    The benefits of open source serverless

    What do these open source serverless options bring to the party? Unless you're using them to slurp services on the AWS platform and minimise container fees by weeding out idle compute power, why bother?

    Efficiency for developers is one driver, says Leschner. "Developers don’t have to worry about building the connectors and boilerplate stuff into their code. They can package a simpler project and the boilerplate is already in the platform."

  • Failure to secure open source code spurs DevSecOps boom [Ed: Yet another one of those 'journalists' who help marketing from anti-FOSS entity because it's disguised as 'research']

    A survey of over 2,000 IT pros shows that fear of data breaches is increasing investments in DevSecOps tools, particularly automated security tools and oversight of open source software.

  • Security updates for Wednesday

Security: Russia, Librem, and Apple's Faux Security

Filed under
Security
  • U.S. & U.K. Issue Joint Warning About Risks of Russian Cyberattacks
  • Demonstrating Tamper Detection with Heads

    We are excited about the future of Heads on Librem laptops and the extra level of protection it can give customers. As a result we’ve both been writing about it a lot publicly and working on it a lot privately. What I’ve realized when I’ve talked to people about Heads and given demos, is that many people have never seen a tamper-evident boot process before. All of the concepts around tamper-evident boot are pretty abstract and it can be difficult to fully grasp how it protects you if you’ve never seen it work.

    We have created a short demo that walks through a normal Heads boot process and demonstrates tamper detection. In the interest of keeping the demo short I only briefly described what was happening. In this post I will elaborate on what you are seeing in the video.

  • Stop Using Six Digit Numeric iPhone Passcodes Right Now

Security Leftovers

Filed under
Security
  • Security updates for Tuesday
  • McAfee's Upgraded Cloud Security Protects Containers [Ed: Looks like marketing/spam from ECT]
  • Has a Russian intelligence agent hacked your wifi? [iophk: "AV is not relevant; there are two main ways to avoid malware" : *BSD and */Linux"]

    In short, a global, invisible, low-level conflict is taking place across the internet and it is possible that your router has been conscripted as a foot soldier. Maybe it is worth getting your firewall and antivirus checked out after all.

  • 55 Infosec Professionals Sign Letter Opposing Georgia’s Computer Crime Bill

    In a letter to Georgia Gov. Nathan Deal, 55 cybersecurity professionals from around the country are calling for a veto for S.B. 315, a state bill that would give prosecutors new power to target independent security researchers.

    This isn’t just a matter of solidarity among those in the profession. Georgia represents our nation’s third largest information security sector. The signers have clients, partners, and offices in Georgia. They attend conferences in Georgia. They teach and study in Georgia or recruit students from Georgia. And they all agree that S.B. 315, which would create a new crime of "unauthorized access," would do more harm than good.

Security and FUD Leftovers

Filed under
Security

Security: Open Source Security Podcast, Old JavaScript Crypto Flaw and New FUD-based Marketing

Filed under
Security

Security: Cleartext Passwords, Windows Problems, and Meltdown Patches/Performance

Filed under
Security
  • cleartext passwords and transparency

    So let me just jump in with Lars blog post where he talks about cleartext passwords. While he has actually surmised and shared what a security problem they are, the pity is we come to know of this only because the people in question tacitly admitted to bad practises. How many more such bad actors are there, developers putting user credentials in cleartext god only knows. There was even an April Fool’s joke in 2014 which shared why putting passwords in cleartext is bad.

  • 911 operator suspended over teen’s death griped about working overtime.

    Plush called 911 again around 3:35 p.m., this time giving Smith a description of the vehicle, a gold Honda Odyssey in the parking lot at Seven Hills — information that never made it to the officers at the scene.

    “This is not a joke,” the teen told Smith. “I’m almost dead.”

    Smith tried to document the call when it came in but her computer screen had frozen, preventing her from entering information immediately, the review found.

  • Defense contractors face more aggressive ransomware attacks

    The rise of ransomware attacks against defense contractors coincides with a rise in the use of ransomware in general. Attacks can spread even after the original target has been hit, hurting unintended victims.

  • A Look At The Meltdown Performance Impact With DragonFlyBSD 5.2

    Besides looking at the HAMMER2 performance in DragonFlyBSD 5.2, another prominent change with this new BSD operating system release is the Spectre and Meltdown mitigations being shipped. In this article are some tests looking at the performance cost of DragonFlyBSD 5.2 for mitigating the Meltdown Intel CPU vulnerability.

    With DragonFlyBSD 5.2 there is the machdep.meltdown_mitigation sysctl for checking on the Meltdown mitigation presence and toggling it. Back in January we ran some tests of DragonFlyBSD's Meltdown mitigation using the page table isolation approach while now testing was done using the DragonFlyBSD 5.2 stable release.

  • A Last Minute Linux 4.17 Pull To Help Non-PCID Systems With KPTI Meltdown Performance

    While the Linux 4.17 kernel merge window is closing today and is already carrying a lot of interesting changes as covered by our Linux 4.17 feature overview, Thomas Gleixner today sent in a final round of x86 (K)PTI updates for Meltdown mitigation with this upcoming kernel release.

    This latest round of page-table isolation updates should help out systems lacking PCID, Process Context Identifiers. The KPTI code makes use of PCID for reducing the performance overhead of this Meltdown mitigation technique. PCID has been around since the Intel Westmere days, but now the latest kernel patches will help offset the KPTI performance impact for systems lacking PCID.

A Privacy & Security Concern Regarding GNOME Software

Filed under
GNOME
Security

GNOME Software is the default application in the GNOME desktop environment to manage software. It also allows you to receive firmware updates through an underlaying daemon called “fwupd“, which is based on an platform called “LVFS“.

In order to understand the relationship in a clearer way, you can think of LVFS as the online platform where hardware vendors come and upload new versions of their firmware which will be later available to download via fwupd. GNOME Software utilizes the fwupd daemon in order to download and install these updates. fwupd is a dependency for GNOME Software.

The whole ecosystem is developed mainly by Richard Hughes, who is working currently for Red Hat, and who’s also the original creator of PackageKit. But it’s worthy to mention that Red Hat doesn’t develop/manage the project directly, but rather, contributes to it with financial & logistic support.

Read more

Security Leftovers

Filed under
Security
Syndicate content

More in Tux Machines

today's howtos

KDE: Qt, Plasma, QML, Usability & Productivity

  • Qt 5.11.1 and Plasma 5.13.1 in ktown ‘testing’ repository
    A couple of days ago I recompiled ‘poppler’ and the packages in ‘ktown’ that depend on it, and uploaded them into the repository as promised in my previous post. I did that because Slackware-current updated its own poppler package and mine needs to be kept in sync to prevent breakage in other parts of your Slackware computer. I hear you wonder, what is the difference between the Slackware poppler package and this ‘ktown’ package? Simple: my ‘poppler’ package contains support for Qt5 (in addition to the QT4 support in the original package) and that is required by other packages in the ‘ktown’ repository.
  • Sixth week of coding phase, GSoC'18
    The Menus API enables the QML Plugin to add an action, separator or menu to the WebView context menu. This API is not similar to the WebExtensions Menus API but is rather Falkonish!
  • This week in Usability & Productivity, part 24
    See all the names of people who worked hard to make the computing world a better place? That could be you next week! Getting involved isn’t all that tough, and there’s lots of support available.

Programming: Python Maths Tools and Java SE

  • Essential Free Python Maths Tools
    Python is a very popular general purpose programming language — with good reason. It’s object oriented, semantically structured, extremely versatile, and well supported. Scientists favour Python because it’s easy to use and learn, offers a good set of built-in features, and is highly extensible. Python’s readability makes it an excellent first programming language. The Python Standard Library (PSL) is the the standard library that’s distributed with Python. The library comes with, among other things, modules that carry out many mathematical operations. The math module is one of the core modules in PSL which performs mathematical operations. The module gives access to the underlying C library functions for floating point math.
  • Oracle's new Java SE subs: Code and support for $25/processor/month
    Oracle’s put a price on Java SE and support: $25 per processor per month, and $2.50 per user per month on the desktop, or less if you buy lots for a long time. Big Red’s called this a Java SE Subscription and pitched it as “a commonly used model, popular with Linux distributions”. The company also reckons the new deal is better than a perpetual licence, because they involve “an up-front cost plus additional annual support and maintenance fees.”

Linux 4.18 RC2 Released From China

  • Linux 4.18-rc2
    Another week, another -rc. I'm still traveling - now in China - but at least I'm doing this rc Sunday _evening_ local time rather than _morning_. And next rc I'll be back home and over rmy jetlag (knock wood) so everything should be back to the traditional schedule. Anyway, it's early in the rc series yet, but things look fairly normal. About a third of the patch is drivers (drm and s390 stand out, but here's networking and block updates too, and misc noise all over). We also had some of the core dma files move from drivers/base/dma-* (and lib/dma-*) to kernel/dma/*. We sometimes do code movement (and other "renaming" things) after the merge window simply because it tends to be less disruptive that way. Another 20% is under "tools" - mainly due to some selftest updates for rseq, but there's some turbostat and perf tooling work too. We also had some noticeable filesystem updates, particularly to cifs. I'm going to point those out, because some of them probably shouldn't have been in rc2. They were "fixes" not in the "regressions" sense, but in the "missing features" sense. So please, people, the "fixes" during the rc series really should be things that are _regressions_. If it used to work, and it no longer does, then fixing that is a good and proper fix. Or if something oopses or has a security implication, then the fix for that is a real fix. But if it's something that has never worked, even if it "fixes" some behavior, then it's new development, and that should come in during the merge window. Just because you think it's a "fix" doesn't mean that it really is one, at least in the "during the rc series" sense. Anyway, with that small rant out of the way, the rest is mostly arch updates (x86, powerpc, arm64, mips), and core networking. Go forth and test. Things look fairly sane, it's not really all that scary. Shortlog appended for people who want to scan through what changed. Linus
  • Linux 4.18-rc2 Released With A Normal Week's Worth Of Changes
    Due to traveling in China, Linus Torvalds has released the Linux 4.18-rc2 kernel a half-day ahead of schedule, but overall things are looking good for Linux 4.18.