Security

Security: TED Talks, Kaspersky, and NSA

Filed under
Security

Security: Linux/BillGates, Hyped Bug(fix), DNS over TLS

Filed under
Security
  • Notes on Linux/BillGates

    This post will include some notes on Linux/BillGates, hereafter referred to as just ‘BillGates’, and rather than being very in-depth as the previous blog, I will mostly list high-level notes and remediation or disinfection steps. Additionally, after the conclusion, you will find other resources if necessary.

  • Dirty COW redux: Linux devs patch botched patch for 2016 mess

    Linus Torvalds last week rushed a patch into the Linux kernel, after researchers discovered the patch for 2016's Dirty COW bug had a bug of its own.

    Dirty COW is a privilege escalation vulnerability in Linux's “copy-on-write” mechanism, first documented in October 2016 and affecting both Linux and Android systems.

  • New web browsing security tool arrives: DNS over TLS

    Net neutrality is on its death bed. With it gone, ISPs will be able to strip-data-mine your every move on the web. There are answers. One is Tenta's new secure Domain Name System (DNS) resolver, Tenta DNS. This receives and sends the directions to the websites you visit using the secure Transport Layer Security (TLS) protocol.

    DNS is the internet's master phone book. When you type in a website address or click on a link, it turns human-readable domain names into machine-usable IP addresses. If you use your ISP's DNS server, which is the default, the ISP can watch your every move. Even if you use an ordinary third-party DNS server, such as Google Public DNS servers, 8.8.8.8 or 8.8.4.4, and one of Cisco's OpenDNS servers, 208.67.222.222 or 208.67.220.220, your DNS requests are still made in the clear and your ISP can see where you're going.

Goodbyes to Intel Back Doors (System76 and Even Dell)

Filed under
Security
  • Linux Computer Vendor System76 To Disable Intel ME Firmware

    System76, a vendor of Linux-based laptops, PCs, and servers, will join another Linux laptop maker, Purism, as well as Google and the NSA in disabling the Intel Management Engine (ME) firmware, which has recently been found to contain multiple vulnerabilities. Intel ME provides few to no benefits to consumer laptops, but Intel has been integrating it into all of its chips since 2008 nonetheless.

    [...]

    We’ve only recently discovered, through Positive Technologies, a Russian security firm that has been working on disabling ME, that the NSA was the only one that could disable the ME via an undocumented High Assurance Platform (HAP) mode. This undocumented mode can now also be used to disable ME by Google, Purism, and System76.

  • Linux laptop-flinger says bye-bye to buggy Intel Management Engine

    In a slap to Intel, custom Linux computer seller System76 has said it will be disabling the Intel Management Engine in its laptops.

    Last month, Chipzilla admitted the existence of firmware-level bugs in many of its processors that would allow hackers to spy on and meddle with computers.

    One of the most important vulnerabilities is in the black box coprocessor – the Management Engine – which has its own CPU and operating system that has complete machine control. It's meant for letting network admins remotely log into servers and workstations to fix any problems (such as not being able to boot).

  • Dell also sells laptops with Intel Management Engine disabled

    Linux computer vendor System76 announced this week that it will roll out a firmware update to disable Intel Management Engine on laptops sold in the past few years. Purism will also disable Intel Management Engine on computers it sells moving forward.

    Those two computer companies are pretty small players in the multi-billion dollar PC industry. But it turns out one of the world’s largest PC companies is also offering customers the option of buying a computer with Intel Management Engine disabled.

    At least three Dell computers can be configured with an “Intel vPro™ – ME Inoperable, Custom Order” option, although you’ll have to pay a little extra for those configurations.

Security: MacOS Hole is Back and Other Incidents

Filed under
Security
  • Updating macOS can bring back the nasty “root” security bug

    The serious and surprising root security bug in macOS High Sierra is back for some users, shortly after Apple declared it fixed. Users who had not installed macOS 10.13.1 (and thus were running a prior version of the OS when they received the security update) found that installing 10.13.1 resurfaced the bug, according to a report from Wired.

  • MacOS Update Accidentally Undoes Apple's "Root" Bug Patch

    But now multiple Mac users have confirmed to WIRED that Apple's fix for that problem has a serious glitch of its own. Those who had not yet upgraded their operating system from the original version of High Sierra, 10.13.0, to the most recent version, 10.13.1, but had downloaded the patch, say the "root" bug reappears when they install the most recent macOS system update. And worse, two of those Mac users say they've also tried re-installing Apple's security patch after that upgrade, only to find that the "root" problem still persists until they reboot their computer, with no warning that a reboot is necessary.

  • Former Sysadmin Caught Hacking His Ex-Employer by His Replacement

    On Wednesday, November 29, a Kansas City court sentenced a Missouri man to six years in federal prison without parole for hacking his former employer, stealing trade secrets, and for accessing child pornography.

    The man is Jacob Raines, 38, of Parkville, Missouri, who worked as IT manager for American Crane & Tractor Parts (AC&TP) in Kansas City from July 2004 until March 28, 2014, when he resigned his position.

  • Security News This Week: A New Bill Wants Jail Time for Execs Who Hide Data Breaches

    Failure to report within 30 days could come with imprisonment of up to five years for the execs who decided to cover it up.

  • Flaw Found In Dirty COW Patch
  • Researchers dissect open-source ransomware programs Bugware and Vortex

Security: Security Tools for Defenders, China/Russia, JavaScript and Updates

Filed under
Security

Security: NHS, Breaches, Ransom and More

Filed under
Security

  • NHS cyber unit welcomed with cautious optimism by privacy and security groups

    NHS Digital has started a £20 million procurement process for an internal security operations unit that will receive emergency support from the winning third party

  • Here's What I'm Telling US Congress about Data Breaches

    As I explained in that first blog post, I'm required to submit a written testimony 48 hours in advance of the event. That testimony is now publicly accessible and reproduced below.

  • Researchers dissect open-source ransomware programs Bugware and Vortex
  • How Can You Protect Your Computer?

    Virus threats are not new to the cyber community, as they are one of those threatening factors that have existed for decades now. Hackers are coming up with all-new malicious code every now and then. You can find virus threats in the form of spyware, malware, Trojan horses, worms, phishing scams, adware, ransomware and much more. The ideal solution to protect your system from virus threats is to keep your system up-to-date. Apart from that, some changes in online behavior can also help you deal with this menace. Let’s discuss ways to protect your computer from viruses and hackers.

  • What Apple, Google, Linux and a Huge Dirty COW have in common

    The Industrial Control Systems Cyber Emergency Response Team, aka ICS-CERT, was busy in November issuing alerts about medical device makers while tech stalwarts Apple and Google sent security vulnerabilities of their own. And you thought All Hallows’ Eve made October a frightful month? Here’s what happened in November.

System76 Shuts Off Intel Back Doors, But Will Continue to Pay Intel

Filed under
GNU
Linux
Hardware
Security
  • System76 Will Begin Disabling Intel ME In Their Linux Laptops

    Following the recent Intel Management Engine (ME) vulnerabilities combined with some engineering work the past few months on their end, System76 will begin disabling ME on their laptops.

  • Linux hardware vendor outlines Intel Management Engine firmware plan

    The Linux-equipped computer maker, System76, has detailed plans to update the Intel Management Engine (ME) firmware on its computers in line with Intel’s November 20th vulnerability announcement. In July, System76 began work on a project to automatically deliver firmware to System76 laptops which works in a similar fashion to how software is usually delivered through the operating system.

  • System76 to disable Intel Management Engine on its notebooks

    Intel has recently confirmed the earlier findings of third parties who revealed that its Management Engine firmware has some serious security issues. Since we talked about this recently, we should now move to System76's approach in handling this situation.

Want to switch from Apple macOS to Linux because of the 'root' security bug? Give deepin 15.5 a try!

Filed under
GNU
Linux
Mac
Security

Apple's macOS is a great operating system. Not only is it stable and beautifully designed, but it is very secure too. Well, usually it is. Unless you live under a rock, you definitely heard about the macOS High Sierra security bug that made the news over the last couple of days. In case you somehow are unaware, the bug essentially made it so anyone could log into any Mac running the latest version of the operating system.

Luckily, Apple has already patched the bug, and some people -- like me -- have forgiven the company. Understandably, not everyone will be as forgiving as me. Undoubtedly, there are Mac users that are ready to jump ship as a result of the embarrassing bug. While that is probably an overreaction, if you are set on trying an alternative operating system, you should not go with Windows 10. Instead, you should embrace Linux. In fact, rather serendipitously, a Linux distribution with a UI reminiscent of macOS gets a new version today. Called "deepin," version 15.5 of the distro is now ready to download.

Also: deepin 15.5 Linux Distro Released — Get A Beautiful And Easy-to-use Linux Experience

Ubuntu 16.04 LTS Will Soon Get an Important Unity Stack Update with 27 Bug Fixes

Filed under
Security
Ubuntu

When Mark Shuttleworth said Canonical wouldn't develop Unity anymore, there were rumors that Unity 7 will also no longer receive any maintenance work. But Canonical shattered those rumors and said it would continue to patch things in the Unity Stack for supported releases, such as Ubuntu 16.04 LTS.

Truth be told, we didn't actually see any signs of life support for Unity since that announcement, but it looks like the team responsible for keeping the desktop environment bug-free has done some great work lately and managed to squash no less than 27 bugs for the Unity Stack in Ubuntu 16.04 LTS (Xenial Xerus).

System76 will disable Intel Management engine on its Linux laptops

Filed under
GNU
Linux
Security

System76 is one of a handful of companies that sells computers that run Linux software out of the box. But like most PCs that have shipped with Intel’s Core processors in the past few years, System76 laptops include Intel’s Management Engine firmware.

Intel recently confirmed a major security vulnerability affecting those chips and it’s working with PC makers to patch that vulnerability.

But System76 is taking another approach: it’s going to roll out a firmware update for its recent laptops that disables the Intel Management Engine altogether.


More in Tux Machines

Spyder – The Scientific Python IDE for Data Science

I don’t know how many of our readers are research scientists, data analysts, etc. but today, we introduce an IDE that is ideal for Python development and it goes by the name of Spyder. Spyder is an Open Source IDE written in Python for Python development with a focus on research, data analysis, and scientific package creation. It boasts a well-planned User Interface with interactive options, customizable layouts, and toggle-able sections. Its features include a multi-language editor with automatic code completion, real-time code analysis, go-to definitions, etc. It also contains a history log, developer tools, a documentation viewer, a variable explorer, and an interactive console, among other perks.

LWN on Linux: 'Secure' Boot, AF_XDP Patch, 4.17 Release and 'Beep'

  • Kernel lockdown locked out — for now
    As the 4.17 merge window opened, it seemed possible that the kernel lockdown patch set could be merged at last. That was before the linux-kernel mailing list got its hands on the issue. What resulted was not one of the kernel community's finest moments. But it did result in a couple of evident conclusions: kernel lockdown will almost certainly not be merged for 4.17, but something that looks very much like it is highly likely to be accepted in a subsequent merge window. As a reminder: the purpose of the lockdown patches is to enforce a distinction between running as root and the ability to run code in kernel mode. Proponents of UEFI secure boot maintain that this separation is necessary; otherwise the promise of secure boot (that the system will only run trusted code in kernel mode) cannot be kept. Closing off the paths by which a privileged attacker could run arbitrary code in kernel mode requires disabling a number of features in the kernel; see the above-linked article for the details. Most users will never miss the disabled features, but there are always exceptions. [...] One other aspect of this issue that came up briefly is the fear that, if Linux looks like a tool that can be used to compromise secure-boot systems running Windows, that Microsoft might blacklist the signing key and render Linux unbootable on most x86 hardware. David Howells expressed this worry, for example. Greg Kroah-Hartman said, though, that he has researched this claim numerous times and it has turned out to be an "urban myth".
  • Accelerating networking with AF_XDP
    The Linux network stack does not lack for features; it also performs well enough for most uses. At the highest network speeds, though, any overhead at all is too much; that has driven the most demanding users toward specialized, user-space networking implementations that can outperform the kernel for highly constrained tasks. The express data path (XDP) development effort is an attempt to win those users back, with some apparent success so far. With the posting of the AF_XDP patch set by Björn Töpel, another piece of the XDP puzzle is coming into focus.
  • The first half of the 4.17 merge window
    As of this writing, 5,392 non-merge changesets have been pulled into the mainline repository for the 4.17 release. The 4.17 merge window is thus off to a good start, but it is far from complete. The changes pulled thus far cover a wide part of the core kernel as well as the networking, driver, and filesystem subsystems.
  • What the beep?
    A "simple" utility to make a system beep is hardly the first place one would check for security flaws, but the strange case of the "Holey Beep" should perhaps lead to some rethinking. A Debian advisory for the beep utility, which was followed by another for Debian LTS, led to a seemingly satirical site publicizing the bug (and giving it the "Holey Beep" name). But that site also exploits a new flaw in the GNU patch program—and the increased scrutiny on beep has led to more problems being found.

Games: Cities: Skylines - Parklife expansion, Supposedly Wonderful Future, Serious Sam 4

Graphics: AMD, RADV, RadeonSI, Mesa 18.0.1

  • AMDGPU DRM Gets "GFXOFF" Patches To Turn Off Graphics Engine
    AMD's Huang Rui has posted a set of 20 patches providing "GFXOFF" support for the AMDGPU Direct Rendering Manager Linux kernel driver. GFXOFF is a new graphics processor feature that allows for powering off the graphics engine when it would otherwise be idle with no graphics workload. Obviously, this would equate to a potentially significant power savings with that engine being able to be shut-off.
  • RADV Driver Lands Support For Vulkan's New Descriptor Indexing Extension
    Earlier this month with the Vulkan 1.1.72 specification update was the new VK_EXT_descriptor_indexing extension that is quickly being well received by developers. The VK_EXT_descriptor_indexing extension allows for creating large descriptor sets made up of all their combined resources and selecting those resources via dynamic indexes in a shader.
  • RadeonSI Now Appears To Support "RX Vega M" With Intel Core CPUs
    One of the most common Linux hardware questions I've received dozens of times in the past few weeks alone has been over the support for "RX Vega M" Vega-based graphics processors found on select newer Intel Kabylake CPUs. It appears RadeonSI at least should now support these Radeon graphics on Intel CPUs.
  • mesa 18.0.1
  • Mesa 18.0.1 Released With A Number Of Fixes
    In addition to Mesa 17.3.9 being released today, Mesa 18.0.1 also rolled out the door as the first point release to last quarter's Mesa 18.0 series. Mesa 18.0.1 features improvements to its Meson build system support, several RADV Vulkan driver fixes, various fixes to the Gallium3D Nine (D3D9) state tracker, various Intel driver fixes, several core Mesa improvements, and then the other random smothering of fixes collected over the past few weeks.