Language Selection

English French German Italian Portuguese Spanish

Security

Replicant developers find and close Samsung Galaxy back-door

Filed under
Android
Security

While working on Replicant, a fully free/libre version of Android, we discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a back-door that lets the modem perform remote file I/O operations on the file system.

Read more ►

Red Hat Risk Reflex (The Linux Security Flaw That Isn't)

Filed under
Red Hat
Security

News headlines screaming that yet another Microsoft Windows vulnerability has been discovered, is in the wild or has just been patched are two a penny. Such has it ever been. News headlines declaring that a 'major security problem' has been found with Linux are a different kettle of fish. So when reports of an attack that could circumvent verification of X.509 security certificates, and by so doing bypass both secure sockets layer (SSL) and Transport Layer Security (TLS) website protection, people sat up and took notice. Warnings have appeared that recount how the vulnerability can impact upon Debian, Red Hat and Ubuntu distributions. Red Hat itself issued an advisory warning that "GnuTLS did not correctly handle certain errors that could occur during the verification of an X.509 certificate, causing it to incorrectly report a successful verification... An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid." In all, at least 200 operating systems actually use GnuTLS when it comes to implementing SSL and TLS and the knock-on effect could mean that web applications and email alike are vulnerable to attack. And it's all Linux's fault. Or is it?

Read more ►

Panic Over Transport Layer Security (TLS) Flaw Which is Already Patched

Filed under
GNU
Security

The only shocking thing is the amount of press coverage this received. PGP/GPG, OpenSSH, OpenSSL etc. were previously named here for flaws that had been found (in the context of Red Hat and the NSA [1, 2, 3]). These are not so uncommon. One just needs to keep up to date (patched) — one that which Apple’s customers cannot do. They can’t even write their own patches.

Read more ►

Yes there was a security hole in Linux, but Red Hat already fixed it

Filed under
GNU
Linux
Red Hat
Security

Originally reported by Ars Technica, the fix was available by the time the general public was made aware of it. It’s actually fairly similar to a certain security hole that lived for a year and could have allowed for exploits to be used in the wild.

Read more ►

Linux companies never miss an opportunity to miss an opportunity

Filed under
Linux
Security

It would be heartening to see James Whitehurst, the head of Red Hat Linux, the biggest commercial Linux outfit, and one that has seen billing go above the billion-dollar mark, deliver a speech at some official forum that underlined the fact that his company's product - and that of other commercial Linux companies - provides a guarantee against the insertion of backdoors.

Read more ►

Tor developing anonymous instant messenger

Filed under
OSS
Security

The instant messenger is still in the early planning stages, but Tor's developers seem to be preparing to turn it around quickly. The messenger will be built on Instantbird, an existing open-source messenger, and development will largely involve adding in Off-the-Record Messaging encryption, making it send its messages over Tor, and stripping it of some automated logging and reporting features. Tor hopes to have its first step of work on the messaging app completed by the end of March, but it doesn't draw a timeline for the project out from there.

Read more ►

Google Android chief: Android may be open, but it is not less secure

Filed under
Android
Google
Security

Does 'open' mean 'lack of security'?

According to Google, no. Instead, an open platform is the best path to take in order to make a platform as impermeable to threats as possible.

On Thursday, FrAndroid reported that Google's head of the Android division, Sundar Pichai, responded in a very candid way when asked about the operating system's security at Mobile World Congress in Barcelona, Spain.

Read more ►

Deep Black: More details on Boeing’s new secure Android smartphone

Filed under
Android
Linux
Security

Black is based on a proprietary security architecture that Boeing calls "PureSecure." Like Samsung’s Knox platform, it has a “trusted boot” mode that can detect and thwart any attempt to root the device—or disable it if it can’t. In addition to onboard media encryption for internal storage, the phone can be configured to inhibit certain functions based on location or the network it is connected to in order to prevent data loss. It might also be used to disable the device’s camera in secure facilities.

Read more ►

PGP Web of Trust: Core Concepts Behind Trusted Communication

Filed under
Security

If you've ever used Linux, you've most likely used OpenPGP without even realizing it. The open-source implementation of OpenPGP is called GnuPG (stands for "GNU Privacy Guard"), and nearly all distributions rely on GnuPG for package integrity verification. Next time you run "yum install" or "yum update", each package will be verified against its cryptographic signature before it is allowed to be installed on your system. This assures that the software has not been altered between the time it was cryptographically signed by distribution developers on the master server, and the time it was downloaded to your system.

However, far fewer people have actually used GnuPG for what it was originally designed for -- secure exchange of information in an untrusted medium (such as the internet), and even fewer have a good understanding of how the trust relationships are supposed to work.

In this mini series of articles, we'll take a look at what the web of trust is and how to use it to set up a secure and trusted communication.

Read more

Java-based malware driving DDoS botnet infects Windows, Mac, Linux devices

Filed under
Software
Security

The cross-platform HEUR:Backdoor.Java.Agent.a, as reported in a blog post published Tuesday by Kaspersky Lab, takes hold of computers by exploiting CVE-2013-2465, a critical Java vulnerability that Oracle patched in June. The security bug is present on Java 7 u21 and earlier. Once the bot has infected a computer, it copies itself to the autostart directory of its respective platform to ensure it runs whenever the machine is turned on. Compromised computers then report to an Internet relay chat channel that acts as a command and control server.

Read more

Syndicate content

More in Tux Machines

Let's Pay for Open Source with a Closed-Source Software Levy

This column has often explored ways in which some of the key ideas underlying free software and open source are being applied in other fields. But that equivalence can flow in both directions: developments in fields outside the digital world may well have useful lessons for computing. A case in point is a fascinating post by James Love, Director of Knowledge Ecology International (KEI), a non-governmental organisation concerned with public health and other important issues. It is called "The value of an open source dividend", and is a discussion of the problems the world of pharma faces because of the distorting effect of patents - problems it shares with the world of computing... Read more

Features Of The Linux 3.18 Kernel

With Linux 3.18-rc1 arriving one week early I didn't have a chance to write a feature overview of Linux 3.18 prior to this first development release that marked the close of the merge window. For those that didn't stay up to date with our dozens of Linux 3.18 kernel articles about changes and new features, here's a concise overview. Read more

Norway closes its open source resource centre

The government of Norway will no longer fund its open source resource centre, Friprog. Activities are wound down and the centre will be closed at the end of the year, Friprog reports. The GoOpen conference, planned for last September but postponed to May 2015, is now cancelled. Read more

Automatic Feedback Directed Optimizer Merged Into GCC

The latest merged feature for next year's GCC 5 compiler release is AutoFDO support! AutoFDO is the Automatic Feedback Directed Optimizer. AutoFDO relies on the Linux kernel's perf framework for profiling with performance counters. AutoFDO interprets the perf output and attempts to use the FDO infrastructure to produce better optimized code generation. AutoFDO according to its Google engineers is said to be noticeably faster than traditional FDO for GCC. Read more