Security

Security: Updates, Western Digital, Microsoft, WPA3, NSA

Filed under
Security

IPFire Open Source Firewall Linux Distro Gets Huge Number of Security Fixes

Filed under
Linux
OSS
Security

IPFire 2.19 Core Update 117 is now available to download and comes with the latest OpenSSL 1.0.2n TLS/SSL and crypto library, as well as an updated OpenVPN implementation that makes it easier to route OpenVPN Roadwarrior Clients to IPsec VPN networks by allowing users to choose routes in each client’s configuration.

The update also improves the IPsec implementation by allowing users to define the inactivity timeout time of an idle IPsec VPN tunnel that's being closed and updating the strongSwan IPsec-based VPN solution to version 5.6.1. It also disabled the compression by default and removed support for MODP groups with subgroups.


Security: Microsoft, Twitter, Korea and DHS

Filed under
Security

Who Was To Blame For The Ubuntu BIOS Bug?

Filed under
Security
Ubuntu

So who is to blame for the corruption of the BIOS?

Ultimately I would put the majority of the blame at the door of the manufacturers and the BIOS developers. You simply should not be able to corrupt the BIOS and there should be a reset option which returns it to factory settings if all else fails. The Ubuntu developers were the unlucky people to instantiate the bug by including a defective driver within the Kernel.

Some of the blame has to go to the users as well. Maybe we need to be a bit smarter when installing operating systems and not necessarily jump at the latest thing.


Security: MalwareTech, Linux vs Meltdown and Spectre, Linus Torvalds Rage, Microsoft Bricks Machines

Filed under
Security
  • MalwareTech Prosecution Appears To Be Falling Apart As Gov't Plays Keep Away With Documents Requested By Defense

    Marcus Hutchins, a.k.a. MalwareTech, went from internet hero (following his inadvertent shutdown of the WannaCry ransomware) to federal government detainee in a surprisingly short amount of time. Three months after saving the world from rampaging malware built on NSA exploits, Hutchins was arrested at the Las Vegas airport as he waited for his flight home to the UK.

    When the indictment was published, many people noted the charges didn't seem to be backed by much evidence. The government accused Hutchins of creating and selling the Kronos malware, but offered very little to support this claim. While it's true much of the evidence against Hutchins will be produced in court, the indictment appeared to be stretching legal definitions of certain computer crimes to their limits.

    The government's case appears to be weak and reliant on dubious legal theories. It's not even 100% clear that creating and selling malware is an illegal act in and of itself. The charges the government brought rely heavily on proving Hutchins constructed malware with the intent to cause damage to computers. This isn't so easily proven, especially when the government itself is buying malware to deploy for its own purposes and has yet to bring charges against any of the vendors it buys from. Anyone selling exploits to governments could be said to be creating malware with intent to cause harm. That it's a government, rather than an individual, causing the harm shouldn't make any difference -- at least not if the government wants to claim selling of malware alone is a federal offense.

  • The Linux vs Meltdown and Spectre battle continues

    Meltdown is a CPU vulnerability. It works by using modern processors' out-of-order execution to read arbitrary kernel-memory locations. This can include personal data and passwords. This functionality has been an important performance feature. It's present in many modern processors, most noticeably in 2010 and later Intel processors. By breaking down the wall between user applications and operating system's memory allocations, it can potentially be used to spy on the memory of other programs and the operating systems.

  • ‘It Can’t Be True.’ Inside the Semiconductor Industry’s Meltdown

    It was late November and former Intel Corp. engineer Thomas Prescher was enjoying beers and burgers with friends in Dresden, Germany, when the conversation turned, ominously, to semiconductors.

    Months earlier, cybersecurity researcher Anders Fogh had posted a blog suggesting a possible way to hack into chips powering most of the world’s computers, and the friends spent part of the evening trying to make sense of it. The idea nagged at Prescher, so when he got home he fired up his desktop computer and set about putting the theory into practice. At 2 a.m., a breakthrough: he’d strung together code that reinforced Fogh’s idea and suggested there was something seriously wrong.

  • Linus Torvalds Is Not Happy About Intel's Meltdown And Spectre Mess

    Meltdown and Spectre exploit an architectural flaw with the way processors handle speculative execution, a technique that most modern CPUs use to increase speed. Both classes of vulnerability could expose protected kernel memory, potentially allowing hackers to gain access to the inner workings of any unpatched system or penetrate security measures.

    The flaw can't be fixed with a microcode update, meaning that developers for major OSes and platforms have had to devise workarounds that could seriously hurt performance.

    In an email to a Linux list this week, Torvalds questioned the competence of Intel engineers and suggested that they were knowingly selling flawed products to the public. He also seemed particularly irritated that users could expect a five to 30 per cent projected performance hit from the fixes.

  • It gets worse: Microsoft’s Spectre-fixer wrecks some AMD PCs

    Microsoft’s fix for the Meltdown and Spectre bugs may be crocking AMD-powered PCs.

    A lengthy thread on answers.microsoft.com records numerous instances in which Security Update for Windows KB4056892, Redmond’s Meltdown/Spectre patch, leaves some AMD-powered PCs with the Windows 7 or 10 startup logo and not much more.

Security: Cryptocurrency Mining, Meltdown and Spectre, Updates, Cryptographic Key Generation

Filed under
Security
  • Cryptocurrency Mining Operations Take Aim at SSH Servers

    As the value of cryptocurrency continues to rise, there has been growing interest from attackers and security researchers alike.  

    So far in January 2018, multiple new attack vectors against cryptocurrencies have been disclosed as well as at least one major vulnerability. While there are potentially great opportunities to be had with cryptocurrency, the security issues serve as a reminder that there are risks too.

    A report released Jan. 8 alleges that among those now taking aim at cryptocurrency is the government of North Korea, which is conducting an unauthorized Monero mining operation. On Jan. 3, a report from security firm F5 revealed that attackers are using a new Python script to mine Monero on servers. While unauthorized mining operations are taking aim at servers, the security of the Electrum digital wallets used to access cryptocurrency has also been at risk and was patched on Jan. 7.

  • Clear Linux Rolls Out KPTI Page Isolation & Retpoline Support

    Intel's own Clear Linux distribution has now been updated with protection for addressing the Spectre and Meltdown vulnerabilities disclosed last week.

  • What You Need to Know About the Meltdown and Spectre CPU Flaws

    The computer industry is racing to deal with several new vulnerabilities that affect the majority of processors in modern computers and mobile devices. The flaws enable new attacks that break the critical memory defenses in operating systems and bypass fundamental isolation layers, including those vital to virtualization and container technologies.

    The most serious of the flaws, dubbed Meltdown or CVE-2017-5754, allows applications running in userspace to extract information from the kernel’s memory, which can contain sensitive data like passwords, encryption keys and other secrets. The good news is that Meltdown can be largely mitigated through software patches, unlike two other vulnerabilities known collectively as Spectre (CVE-2017-5753 and CVE-2017-5715) that will require CPU microcode updates and will likely haunt the industry for some time to come.

  • GCC 8 Patches Posted For Spectre Mitigation

    There's been a well-published branch the past few days of a patched GCC 7.2 code-base with the code changes for fending off Spectre while now patches have arrived on the mailing list for Spectre/CVE-2017-5715 of mainline GCC 8.

    Toolchain expert H.J. Lu of Intel has posted a set of five patches for Spectre mitigation with the current GCC 8 code-base. These patches introduce the new -mindirect-branch, -mindirect-branch-loop, -mfunction-return, -mindirect-branch-register options for GCC. Enabling the new functionality converts indirect branches to call and return thunks in order to avoid speculative execution.

  • Spectre and Meltdown explained

    I found this great article by Anton Gostev about Spectre and Meltdown, so I’m reposting it here:

    By now, most of you have probably already heard of the biggest disaster in the history of IT – Meltdown and Spectre security vulnerabilities which affect all modern CPUs, from those in desktops and servers, to ones found in smartphones. Unfortunately, there’s much confusion about the level of threat we’re dealing with here, because some of the impacted vendors need reasons to explain the still-missing security patches. But even those who did release a patch, avoid mentioning that it only partially addresses the threat. And, there’s no good explanation of these vulnerabilities on the right level (not for developers), something that just about anyone working in IT could understand to make their own conclusion. So, I decided to give it a shot and deliver just that.

  • Weekend tech reading: Spectre/Meltdown recap, 400Gbps Ethernet, next-gen DisplayPort
  • Security updates for Monday
  • What cryptographic key generation needs is a good source of entropy

    Let's move to computers. As opposed to board games, you generally want a computer to do the same thing every time you ask it to do it, assuming you give it the same inputs: you want its behaviour to be deterministic when presented with the same initial conditions. Random behaviour is generally not a good thing for computers. There are, of course, exceptions to this rule, such as when you want to use your computer to play a game, as things get boring quickly if there's no variation in gameplay.

    There's another big exception: cryptography. Not all cryptography, though; you definitely want a single plaintext to be encrypted to a single ciphertext under the same key in almost all cases. But there is one area where randomness is important, and that's in the creation of the cryptographic key(s) you're going to be using to perform those operations. It turns out that you need to have quite a lot of randomness available to create a key that is unique—and keys really need to be truly unique. If you don't have enough randomness, not only might you generate the same key (or set of them) repeatedly, but other people may do so as well. If they can guess what keys you're using, they could do things like read your messages or pretend to be you.

Security: Meltdown and Spectre, Kaspersky, PowerPC

Filed under
Security

Meltdown and Spectre Linux Perspective

Filed under
Linux
Security
  • Linus Torvalds Is Not Happy About Intel's Meltdown and Spectre Mess

    Famed Linux developer Linus Torvalds has some pretty harsh words for Intel on the fiasco over Meltdown and Spectre, the massive security flaws in modern processors that predominantly affect Intel products.

    Meltdown and Spectre exploit an architectural flaw with the way processors handle speculative execution, a technique that most modern CPUs use to increase speed. Both classes of vulnerability could expose protected kernel memory, potentially allowing hackers to gain access to the inner workings of any unpatched system or penetrate security measures. The flaw can’t be fixed with a microcode update, meaning that developers for major OSes and platforms have had to devise workarounds that could seriously hurt performance.

  • Weekly Roundup 2018 – Week 1

    Mageia kernel updates to mitigate these two flaws are already being worked on. Mageia 6 kernel updates released in the last 24 hours don’t as yet solve all the problems, but kernel-4.14.12-2.mga6 is in updates/testing (as is the .mga7 kernel for Cauldron). Expect updates very shortly. Our thanks to our tireless kernel devs and our ever busy QA team!

  • DragonFlyBSD's Meltdown Fix Causing More Slowdowns Than Linux

    Following the move by Linux to introduce Kernel Page Table Isolation (KPTI) to address the Meltdown vulnerability affecting Intel CPUs, DragonFlyBSD has implemented better user/kernel separation to address this issue. While the Linux performance hit overall was minor, in our tests carried out so far the DragonFlyBSD kernel changes are causing more widespread slowdowns.

  • Episode 76 - Meltdown aftermath
  • Woo-yay, Meltdown CPU fixes are here. Now, Spectre flaws will haunt tech industry for years
  • Meltdown and Spectre Fixes Arrive—But Don't Solve Everything
  • Vendors Share Patch Updates on Spectre and Meltdown Mitigation Efforts

    Intel, Amazon, Microsoft and others are playing down concerns over the impact of the massive Spectre and Meltdown vulnerabilities affecting computers, servers and mobile devices worldwide.

    The two flaws, Spectre and Meltdown, are far reaching and impact a wide range of microprocessors used in the past decade in computers and mobile devices including those running Android, Chrome, iOS, Linux, macOS and Windows. While Meltdown only affects Intel processors, Spectre affects chips from Intel, AMD, ARM and others.

Security: CPU Bugs, Western Digital Back Doors

Filed under
Security
  • There will always be hardware bugs

    By now everyone has seen the latest exploit, Meltdown and Spectre, complete with logos and full academic paper. The gist of this is that side channel attacks on CPUs are now actually plausible instead of mostly theoretical. LWN (subscribe!) has a good collection of posts about actual technical details and mitigations. Because this involves hardware and not just software, fixes get more complicated.

  • What are Meltdown and Spectre? Here’s what you need to know.
  • Intel faces class action lawsuits regarding Meltdown and Spectre

    The three lawsuits—filed in California, Indiana, and Oregon (PDF)—cite not just the security vulnerabilities and their potential impact, but also Intel's response time to them. Researchers notified Intel about the flaws in June. Now, Intel faces a big headache. The vast majority of its CPUs in use today are impacted, and more class action complaints may be filed beyond these three.

  • Western Digital My Cloud drives have a built-in backdoor

    Western Digital's network attached storage solutions have a newfound vulnerability allowing for unrestricted root access.
    James Bercegay disclosed the vulnerability to Western Digital in mid-2017. After allowing six months to pass, the full details and proof-of-concept exploit have been published. No fix has been issued to date.
    More troubling is the existence of a hard coded backdoor with credentials that cannot be changed. Logging in to Western Digital My Cloud services can be done by anybody using "mydlinkBRionyg" as the administrator username and "abc12345cba" as the password. Once logged in, shell access is readily available followed with plenty of opportunity for injection of commands.

Security: Meltdown & Spectre, Critical CSRF Security Vulnerability, OpenVPN and More

Filed under
Security
  • Meltdown & Spectre
  • Meltdown and Spectre Linux Kernel Status

    By now, everyone knows that something “big” just got announced regarding computer security. Heck, when the Daily Mail does a report on it, you know something is bad…

    Anyway, I’m not going to go into the details about the problems being reported, other than to point you at the wonderfully written Project Zero paper on the issues involved here. They should just give out the 2018 Pwnie award right now, it’s that amazingly good.

    If you do want technical details for how we are resolving those issues in the kernel, see the always awesome lwn.net writeup for the details.

    Also, here’s a good summary of lots of other postings that includes announcements from various vendors.

  • Spectre and Meltdown: What you need to know going forward

    As you've likely heard by now, there are some problems with Intel, AMD, and ARM processors. Called Meltdown and Spectre, the discovered attack possibilities are rather severe, as they impact pretty much every technical device on the network or in your house (PCs, laptops, tablets, phones, etc.).

    Here's a breakdown of all the things you need to know. As things change, or new information becomes available, this article will be updated.

    The key thing to remember is not to panic, as the sky isn't about to come crashing down. The situation is one that centers on information disclosure, not code execution (a far more damning issue to deal with).

  • Open Source Leaders: Take Intel to Task

    I do not know Linus Torvalds or Theo de Raadt. I have never met either of them and have read very little about them. What I do know, gleaned from email archives, is when it comes to bum hardware: they both have pretty strong opinions. Both Linus and Theo can be a bit rough around the edges when it comes to giving their thoughts about hardware design flaws: but at least they have a voice. Also, Linus and Theo have often been at odds whether it be about how to approach OS design, licensing etc but I suspect, or I at least have to believe, the latest incident from Intel (the Spectre and Meltdown flaws) is one area they agree on.

    Linus and Theo cannot possibly be the only Open Source leaders out there who are frustrated and tired of being jerked around by Intel. What I hope comes out of this is not many different voices saying the same thing here and there but instead, perhaps, our various leaders could get together and take Intel to task on this issue. Intel not only created a horrible design flaw, they lied by omission about it for several months. During those months the Intel CEO quietly dumped his stock. What a hero.

  • Docker Performance With KPTI Page Table Isolation Patches

    Overall most of our benchmarks this week of the new Linux Kernel Page Table Isolation (KPTI) patches coming as a result of the Meltdown vulnerability have shown minimal impact overall on system performance. The exceptions have obviously been with workloads having high kernel interactions like demanding I/O cases and in terms of real-world impact, databases. But when testing VMs there's been some minor impact more broadly than bare metal testing and also Wine performance has been impacted. The latest having been benchmarked is seeing if the Docker performance has been impacted by the KPTI patches to see if it's any significant impact since overall the patched system overhead certainly isn't anything close to how it was initially hyped by some other media outlets.

  • Can We Replace Intel x86 With an Open Source Chip?
  • Critical CSRF Security Vulnerability in phpMyAdmin Database Tool Patched

    A "cross site request forgery" vulnerability in a popular tool for administrating MySQL and MariaDB databases that could lead to data loss has been patched.

  • 8 reasons to replace your VPN client with OpenVPN

    OpenVPN could be the answer. It's an ultra-configurable open source VPN client which works with just about any VPN provider that supports the OpenVPN protocol. It gives you new ways to automate, optimize, control and troubleshoot your connections, and you can use it alongside your existing client, or maybe replace it entirely – it's your call.

  • I’m harvesting credit card numbers and passwords from your site. Here’s how.