
Security

Ten Year Old "Critical" Bug Discovered In OpenBSD

Filed under
Security
BSD

While OpenBSD generally prides itself on being a secure, open-source operating system, focusing more on code correctness and security than on flashy features, it turns out a potential security bug has been living within OpenBSD for the past decade.

Phoronix German reader "FRIGN" wrote in to Phoronix this afternoon with a subject entitled, "10 year old critical bug in OpenBSD discovered." He pointed out a post today about a bug discovered in OpenBSD's polling subsystem that could allow DDoS-style attacks on servers: "a critical bug in the polling-subsystem in OpenBSD has been uncovered which allows DDoS-attacks on servers using a non-standard derivation from the POSIX-standard in marking file descriptors non-readable when they should return EOF."

Read more

Open source's "shallow bugs" theory hasn't been Shellshocked

Filed under
OSS
Security

It hasn't been a good year for open source. Not for its generally golden reputation for software quality and security, anyway. But in a rush to lay blame for the Bash Shellshock vulnerability (and previously for Heartbleed) some, like Roger Grimes, want to dismantle some of the cardinal tenets of open source, like the suggestion that "given enough eyeballs, all bugs are shallow."

Read more

Tor executive director hints at Firefox integration

Filed under
Moz/FF
Security

Tor, which is capable of all that and more, crucially blocks websites from learning any identifying information about you and circumvents censorship. It also stymies eavesdroppers from discovering what you're doing on the Web. For those reasons, it would be a powerful addition to the arsenal of privacy tools Firefox already possesses.

The Tor Browser is already a modified version of Firefox, developed over the last decade with close communication between the Tor developers and Mozilla on issues such as security and usability.

Read more

LibreSSL: More Than 30 Days Later

Filed under
Security
BSD

Instead, libressl is here because of a tragic comedy of other errors. Let's start with the obvious. Why were heartbeats, a feature only useful for the DTLS protocol over UDP, built into the TLS protocol that runs over TCP? And why was this entirely useless feature enabled by default? Then there's some nonsense with the buffer allocator and freelists and exploit mitigation countermeasures, and we keep on digging and we keep on not liking what we're seeing. Bob's talk has all the gory details.

But why fork? Why not start from scratch? Why not start with some other contender? We did look around a bit, but sadly the state of affairs is that the other contenders aren't so great themselves. Not long before Heartbleed, you may recall Apple dealing with goto fail, aka the worst bug ever, but actually about par for the course.

Read more

Secure Linux Systems Require Savvy Users

Filed under
Linux
Security

Patches are available to fix the bash vulnerability known as Shellshock, along with three additional security issues recently found in the bash shell. The patches are available for all major Linux distros as well as for Solaris, with the patches being distributed through the various distros.

Read more

Free Software Foundation statement on the GNU Bash "shellshock" vulnerability

Filed under
GNU
Security

Proprietary (aka nonfree) software relies on an unjust development model that denies users the basic freedom to control their computers. When software's code is kept hidden, it is vulnerable not only to bugs that go undetected, but to the easier deliberate addition and maintenance of malicious features. Companies can use the obscurity of their code to hide serious problems, and it has been documented that Microsoft provides intelligence agencies with information about security vulnerabilities before fixing them.

Read more

Firejail – A Security Sandbox for Mozilla Firefox

Filed under
Moz/FF
Security

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications. The core technology behind Firejail is Linux namespaces, a virtualization technology available in the Linux kernel. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table and IPC space.

Read more

Blackphone bug bounty programme aims to find flaws in 'surveillance-proof' smartphone

Filed under
Android
Security

Silent Circle has announced a bug bounty programme for its Blackphone venture designed to find security flaws in the "surveillance-proof" smartphone.

Blackphone is a joint venture of Silent Circle and Geeksphone, known as SGP Technologies. Running a secure PrivatOS operating system, it is what the companies call "a truly surveillance-proof smartphone" in the wake of the past year's NSA revelations.

Read more

Huawei Is New Official Smartphone Provider For Officials In China

Filed under
Android
Linux
Security

Huawei and their smartphone business have not exactly garnered good press in the past – especially when there were allegations of Huawei churning out spyphones for the China government, which the company vehemently denied. Subsequently, it is said that Huawei themselves decided to pull out from the U.S. market, where we then learned that the tables were turned afterwards with the NSA being accused of spying on Huawei instead. Having said that, it seems as though officials over in China will have a spanking new smartphone soon – and it will not hail from the likes of Samsung, LG, HTC or other big name players, but from Huawei themselves.

Read more

Bash specially-crafted environment variables code injection attack

Filed under
Security

Bash, or the Bourne-again shell, is a UNIX-like shell, which is perhaps one of the most installed utilities on any Linux system. From its creation in 1980, bash has evolved from a simple terminal-based command interpreter to many other fancy uses.

In Linux, environment variables provide a way to influence the behavior of software on the system. They typically consist of a name which has a value assigned to it. The same is true of the bash shell. It is common for a lot of programs to run the bash shell in the background. It is often used to provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc.) or even provide limited command execution support (git, etc.).

Read more


More in Tux Machines

Netflix FIDO

Chromixium – An Ubuntu Based Google’s Chrome OS Clone

Today, we have come up with an interesting news item for both Ubuntu and Chrome OS users. Meet Chromixium, the new modern desktop operating system based on Ubuntu that has the functionality, look and feel of Google's "Chrome OS". Chromixium has brought the elegant simplicity of Chromebook and the flexibility and stability of Ubuntu together. Chromixium puts the web front and center of the user experience. Web and Chrome apps work straight out of the browser to connect you to all your personal, work and education networks. Sign into Chromium to sync all your apps and bookmarks. When you are offline or when you need more power, you can install any number of applications for work or play, including LibreOffice, Skype, Steam and a whole lot more. Security updates are installed seamlessly and effortlessly in the background and will be supplied until 2019. You can install Chromixium in place of any existing operating system, or alongside Windows or Linux.

Read more

BQ Aquaris E4.5 Ubuntu Edition review: A promising start

The first 'production' smartphone running the Ubuntu operating system is finally here. Designed and marketed by the Spanish company BQ (not to be confused with the Chinese company BQ Mobile) and made in China, the first Ubuntu Phone is based on the 4.5-inch BQ Aquaris E4.5, which normally ships with Android 4.4. Included with the BQ Aquaris E4.5 Ubuntu Edition are two copies of the quick-start guide (in four languages each, one of the eight being English), a charger (with a built-in two-pin continental mains plug) and a 1-metre USB-to-Micro-USB cable. A comprehensive User Manual is available for download from the BQ website. The list price for the Aquaris E4.5 Ubuntu Edition, which is only available in the EU, is €169.90 (~£125).

Read more

Also: Ubuntu and Windows set to contest desktop/smartphone hybrid market; Ubuntu phone that works as a desktop PC coming in 2015

Enabling Open Source SDN and NFV in the Enterprise

I recently attended the Intel Developer Forum (IDF) in Shenzhen, China, to promote Intel's software defined networking (SDN) and network functions virtualization (NFV) software solutions. During this year's IDF, Intel made several announcements and our CEO Brian Krzanich showcased Intel's innovation leadership across a wide range of technologies with our local partners in China. On the heels of Krzanich's announcements, Intel Software & Services Group Senior VP Doug Fisher extended Krzanich's message to stress the importance of open source collaboration to drive industry innovation and transformation, citing OpenStack and Hadoop as prime examples.

Read more

Also: Myth-Busting the Open-Source Cloud Part 2