
Security Leftovers

  • Security updates for Friday
  • Security brief: CoreOS Linux Alpha remote SSH issue

    On May 15, CoreOS was informed of a vulnerability in the alpha version of CoreOS Linux. Within 8 hours of this notification, over 99% of affected systems had been automatically patched. Though this issue was limited to an alpha version, we hold all of our releases to the same security standards, and we immediately responded, reported, and corrected the issue. This post describes the nature of the vulnerability, our response, and our plans to avoid similar issues in the future.

  • Purism Laptops to Protect You from Surveillance Capitalism

    There's a new hardware company on the scene called Purism, and the name is a significant clue as to what the company is all about: pure software. At its heart, Purism is dedicated to providing computer hardware driven entirely by open source software so that users can "trust, but verify." Purism is putting itself in direct opposition to what it considers "surveillance capitalism."

    I spoke with CEO Todd Weaver at Pepcom, and it was one of the most significant conversations I've had with a tech exec in a long time. I was already on board with Mr. Weaver's general message when he laid that phrase on me, "surveillance capitalism." That's when he really had me hooked.

Security Leftovers

  • “Robin Hood” Hacker Steals $11,000 In Bitcoin, Donates It To Help Fight ISIS

    The hacker who claimed to hack the Hacking Team and Gamma Group is back again. This time, he has sent about $11,000 of allegedly stolen Bitcoin to help fight ISIS.

  • Aqua Launches Container Security Platform

    Looking beyond just application vulnerability scanning, Aqua also provides a degree of runtime protections. Aqua uses a layered security approach to keep containers safe, according to Jerbi. The layered approach starts with running the container application images in learning mode, usually during functional testing. In the learning mode, Aqua examines a container's behavior in the application context and uses that to set granular runtime parameters, based on which files, executables and network connections a container is using.

Security Leftovers

  • Tuesday's security advisories
  • Secure Hardware vs. Open Source

    Recently there have been discussions regarding Yubico’s OpenPGP implementation on the YubiKey 4. While open source and security remains central to our mission, we think some clarifications and context around current OpenPGP support would be beneficial to explain what we are doing, why, and how it reflects our commitment to improved security and open source.

  • The Alarming Truth

    Car alarms don't deter criminals, and they're a public nuisance. Why are they still so common?

  • Security hole in Symantec antivirus exposes Windows, Linux and Macs

    A major security vulnerability has been uncovered by UK white hat hacker and Google Project Zero developer, Tavis Ormandy. The vulnerability applies to the Symantec Antivirus Engine used in most Symantec and Norton branded Antivirus products and could see Linux, Mac and Windows PCs compromised.

  • Patch now: Google and JetBrains warn developers of buggy IDE

    Google has emailed Android developers advising them to update Android Studio, the official Android IDE, to fix security bugs. Other versions of the JetBrains IntelliJ IDE, on which Android Studio is based, are also affected.

    The bugs are related to the built-in web server in the IDE. A cross-site request forgery (CSRF) flaw means that if the IDE is running and the developer visits a malicious web page in any browser, scripts on the malicious web page could access the local file system.

  • Researchers crack new version of CryptXXX ransomware
  • How to empty your bank's vault with a few clicks and lines of code

    A security researcher has demonstrated how he could have theoretically emptied an Indian bank's coffers with no more than a few clicks and lines of code.

    Earlier this week, researcher Sathya Prakash revealed the discovery of multiple, critical vulnerabilities and poor coding in an unnamed government-run Indian bank.

Security Leftovers

  • SourceForge Tightens Security With Malware Scans

    After taking down the controversial DevShare program in early February, the new owners of popular software repository, SourceForge, have begun scanning all projects it hosts for malware in an attempt to regain trust that was lost by Dice Holdings, the site’s previous owners.

  • Mozilla Issues Legal Challenge to FBI to Disclose Firefox Flaw
  • Judge In Child Porn Case Reverses Course, Says FBI Will Not Have To Turn Over Details On Its Hacking Tool

    Back in February, the judge presiding over the FBI's case against Jay Michaud ordered the agency to turn over information on the hacking tool it used to unmask Tor users who visited a seized child porn site. The FBI further solidified its status as a law unto itself by responding that it would not comply with the court's order, no matter what.

    Unfortunately, we won't be seeing any FBI officials tossed into jail cells indefinitely for contempt of court charges. The judge in that case has reversed course, as Motherboard reports.

  • Judge Changes Mind, Says FBI Doesn’t Have to Reveal Tor Browser Hack

    In February, a judge ordered the FBI to reveal the full malware code it used to identify visitors of a dark web child pornography site, including the exploit that circumvented the protections of the Tor Browser. The government fought back, largely in sealed motions, and tried to convince the judge to reconsider.

  • Symantec antivirus security flaw exposes Linux, Mac and Windows

    Security holes in antivirus software are nothing new, but holes that exist across multiple platforms? That's rare... but it just happened. Google's Tavis Ormandy has discovered a vulnerability in Symantec's antivirus engine (used in both Symantec- and Norton-branded suites) that compromises Linux, Mac and Windows computers. If you use an early version of a compression tool to squeeze executables, you can trigger a memory buffer overflow that gives you root-level control over a system.

  • Apache incubating project promises new Internet security framework

    The newly announced Apache Milagro (incubating) project seeks to put an end to centralized certificates and passwords in a world that has shifted from client-server to cloud, IoT and containerized applications.

More Security Leftovers

  • Security updates for Monday
  • The Truth about Linux 4.6

    As anticipated in public comments, the Linux Foundation is already beginning a campaign to rewrite history and mislead Linux users. Their latest PR release can be found at:, which I encourage you to read so you can see the spin and misleading (and just plain factually incorrect) information presented. If you've read any of our blog posts before or are familiar with our work, you'll know we always say "the details matter" and are very careful not to exaggerate claims about features beyond their realistic security expectations (see for instance our discussion of access control systems in the grsecurity wiki). In a few weeks I will be keynoting at the SSTIC conference in France, where a theme of my keynote involves how little critical thinking occurs in this industry and how that results in companies and users making poor security decisions. So let's take a critical eye to this latest PR spin and actually educate about the "security improvements" to Linux 4.6.

  • Major Remote SSH Security Issue in CoreOS Linux Alpha, Subset of Users Affected

    A misconfiguration in the PAM subsystem in CoreOS Linux Alpha 1045.0.0 and 1047.0.0 allowed unauthorized users to gain access to accounts without a password or any other authentication token being required. This vulnerability affects a subset of machines running CoreOS Linux Alpha. Machines running CoreOS Linux Beta or Stable releases are unaffected. The Alpha was subsequently reverted back to the unaffected previous version (1032.1.0) and hosts configured to receive updates have been patched. The issue was reported on May 15 at 20:21 PDT and a fix was available 6 hours later at 02:29 PDT.

  • Let's Encrypt: The Good and the Bad

    By now, most of you have heard about the "Let's Encrypt" initiative. The idea being that it's high time more websites had a simple, easy to manage method to offer https encryption. As luck would have it, the initiative is just out of its beta phase and has been adding sponsors like Facebook, Cisco, and Mozilla to their list of organizations that view this initiative as important.

    In this article, I want to examine this initiative carefully, taking a look at the good and the bad of Let's Encrypt.

Security Leftovers

  • Security will fix itself, eventually

    Here's my prediction though. In the future, good security will be cheaper to build, deploy, and run than bad security. This sounds completely insane with today's technology. A statement like this is some kook ten years ago telling everyone solar power is our future. Ten years ago solar wasn't a serious thing, today it is. Our challenge is figuring out what the new security future will look like. We don't really know yet. We know we can't train our way out of this, most existing technology is a band-aid at best. If I had to guess I'll use the worn out "Artificial Intelligence will save us all", but who knows what the future will bring. Thanks to Al Gore, I'm now more optimistic things will get better. I'm impatient though, I don't want to wait for the future, I want it now! So all you smart folks do me a favor and start inventing the future.

  • Does Microsoft care about security? [Ed: no, because leaks show it gives back doors to governments]

    On Wednesday, I also booted my laptop to Windows. I had not used the laptop for several days, so the AV definitions were three days old. It updated after around 3 hours. But the Vista system still has not updated.

    This is the third consecutive month when I have had problems with updating MSE, at around the time of patch Tuesday. The previous two months, I attempted to manually update. On the manual update, it did a search for virus updates, then seemed to hang there forever not actually downloading. It did eventually update, after repeating this for two days. This month, I decided to allow it to update without manual intervention, with the results described above.

    It seems pretty obvious that, recently, Microsoft has worsened the priority for updates to Windows 7 and to Vista. The priority worsening is greater for Vista than for Windows 7. It affects monthly patches as well as MSE virus table updates.

    The message to malware producers is loud and clear. Malware producers should distribute their malware on patch Tuesday, and Microsoft will give them a free run for several days.

How Fuzzing Can Make A Large Open Source Project More Secure


Emily Ratliff of the Linux Foundation explains the considerations to take when planning to fuzz your open source project

One of the best practices for secure development is dynamic analysis. Among such techniques, fuzzing has been highly popular since its invention and a multitude of fuzzing tools of varying sophistication have been developed.


Also: Despite New FCC Rules, Linksys, Asus Say They'll Still Support Third Party Router Firmware

Ubuntu 16.04 LTS Receives Minor Kernel Update That Patches Two Vulnerabilities


Today, May 16, 2016, Canonical published multiple security notices to inform the Ubuntu community about the availability of a new kernel update for their operating systems.


Security Leftovers

  • Replacing /dev/urandom

    The kernel's random-number generator (RNG) has seen a great deal of attention over the years; that is appropriate, given that its proper functioning is vital to the security of the system as a whole. During that time, it has acquitted itself well. That said, there are some concerns about the RNG going forward that have led to various patches aimed at improving both randomness and performance. Now there are two patch sets that significantly change the RNG's operation to consider.

  • Mozilla asks the FBI for details of Tor vulnerability that could also affect Firefox

    Mozilla is fighting to force the FBI to disclose details of a vulnerability in the Tor web browser. The company fears that the same vulnerability could affect Firefox, and wants to have a chance to patch it before details are made public.

    The vulnerability was exploited by FBI agents to home in on a teacher who was accessing child pornography. Using a "network investigative technique", the FBI was able to identify the man from Vancouver, but Mozilla is concerned that it could also be used by bad actors.

    Perhaps unsurprisingly, the government says that it should be under no obligation to disclose details of the vulnerability to Mozilla ahead of anyone else. But the company has filed a brief with a view to forcing the FBI's hand. The argument is that users should be kept protected from known flaws by allowing software companies to patch them.


Leftovers: OSS and Sharing

  • Google’s Open Source Report Card Highlights Game-Changing Contributions
    Ask people about Google’s relationship to open source, and many of them will point to Android and Chrome OS — both very successful operating systems and both based on Linux. Android, in particular, remains one of the biggest home runs in open source history. But, as Josh Simmons from Google’s Open Source Programs Office will tell you, Google also contributes a slew of useful open source tools and programs to the community each year. Now, Google has issued its very first “Open Source Report Card,” as announced by Simmons on the Google Open Source Blog. "We're sharing our first Open Source Report Card, highlighting our most popular projects, sharing a few statistics and detailing some of the projects we've released in 2016. We've open sourced over 20 million lines of code to date and you can find a listing of some of our best known project releases on our website," said Simmons.
  • Nino Vranešič: Open Source Advocate and Mozilla Rep in Slovenia
    “My name is Nino Vranešič and I am connecting IT and Society,” is what Nino says about himself on LinkedIn. The video is a little hard to understand in places due to language differences and (we think) a slow or low-bandwidth connection between the U.S.-based Zoom servers and Eastern Europe, a problem that crops up now and then in video conversation and VOIP phone calls with people in that part of the world, no matter what service you choose. But Vranešič is worth a little extra effort to hear, because it’s great to learn that open source is being used in lots of government agencies, not only in Slovenia but all over Europe. And aside from this, Vranešič himself is a tres cool dude who is an ardent open source volunteer (“Mozilla Rep” is an unpaid volunteer position), and I hope I have a chance to meet him F2F next time he comes to a conference in Florida — and maybe you’ll have a chance to meet him if he comes to a conference near you.
  • MySQL and database programming for beginners
    Dave Stokes has been using MySQL for more than 15 years and has served as its community manager since 2010. At All Things Open this year, he'll give a talk about database programming for newbies with MySQL. In this interview, he previews his talk and shares a few helpful resources, required skills, and common problems MySQL beginners run into.
  • Nadella's trust talk is just so much hot air
    Microsoft chief executive Satya Nadella appears to have an incredibly short memory. Else he would be the last person who talks about trust being the most pressing issue in tech in our times. Over the last year, we have been treated to a variety of cheap tricks by Microsoft, attempting to hoodwink Windows users left, right and centre in order to get them to upgrade to Windows 10. After that, talking about trust sounds odd. Very odd. Microsoft does not have the best reputation among tech companies. It is known for predatory practices, for being convicted as a monopolist, and in recent times has been trying to cultivate a softer image as a company that is not as rapacious as it once was. That has, in large measure, come about as its influence and rank in the world of computing have both slipped, with other companies like Apple, Facebook and Google coming to dominate.
  • If you wish, you may rebuild all dports to use non-base SSL library of your choice
  • DragonFlyBSD Continues LibreSSL Push, OpenSSL To Be Dropped
    DragonFlyBSD is now defaulting to LibreSSL throughout its operating system stack and is planning to completely remove OpenSSL in the near future. Last month DragonFlyBSD began using LibreSSL by default while that effort has continued. OpenSSL is no longer being built by default and in about one month's time the OpenSSL support will be completely stripped from the DragonFly tree.
  • Ranking the Web With Radical Transparency
    Ranking every URL on the web in a transparent and reproducible way is a core concept of the Common Search project, says Sylvain Zimmer, who will be speaking at the upcoming Apache: Big Data Europe conference in Seville, Spain. The web has become a critical resource for humanity, and search engines are its arbiters, Zimmer says. However, the only search engines currently available are for-profit entities, so the Common Search project is creating a nonprofit engine that is open, transparent, and independent. We spoke with Zimmer, who founded Jamendo, dotConferences, and Common Search, to learn more about why nonprofit search engines are important, why Apache Spark is such a great match for the job, and some of the challenges the project faces.
  • A look inside the 'blinky flashy' world of wearables and open hardware
    While looking at the this year's All Things Open event schedule, a talk on wearables and open hardware caught my eye: The world of the blinky flashy. Naturally, I dug deeper to learn what it was all about.
  • Why is Perl not used for new development, and most of the time used for maintenance and support projects?
    There has been a tendency amongst some companies to play a “wait and see” attitude towards Perl, but the Perl market appears to have stabilized in the past couple of years and more companies appear to be returning to Perl. As one of our clients explained to me when I asked why they chose Perl “We’re tired of being bitten by hype.”

And More Security Leftovers

  • The NyaDrop Trojan for Linux-running IoT Devices
  • Flaw resides in BTB helps bypass ASLR
  • Thoughts on the BTB Paper
    Though the attack might have some merits with regards to KASLR, the attack on ASLR is completely debunked. The authors of the paper didn't release any supporting code or steps for independent analysis and verification. The results, therefore, cannot be trusted until the authors fully open source their work and the work is validated by trusted and independent third parties.
  • Spreading the DDoS Disease and Selling the Cure
    Earlier this month a hacker released the source code for Mirai, a malware strain that was used to launch a historically large 620 Gbps denial-of-service attack against this site in September. That attack came in apparent retribution for a story here which directly preceded the arrest of two Israeli men for allegedly running an online attack for hire service called vDOS. Turns out, the site where the Mirai source code was leaked had some very interesting things in common with the place vDOS called home.

Ubuntu Leftovers

  • Celebrating 12 years of Ubuntu
    Founder Mark Shuttleworth announced the first public release of Ubuntu – version 4.10, or “Warty Warthog” – on Oct. 20, 2004. The idea behind what would become the most recognizable and widely used Linux distributions ever was simple – create a Linux operating system that anybody could use. Here’s a look back at Ubuntu’s history.
  • Happy 12th Birthday, Ubuntu!
    Yup, it’s twelve years to the day since Mark Shuttleworth sat down to tap out the first Ubuntu release announcement and herald in an era of “Linux for human beings”.
  • A Slice of Ubuntu
    The de facto standard for Raspberry Pi operating systems is Raspbian, a Debian-based distribution specifically for the diminutive computer. Of course, you have multiple choices and there might not be one best choice for every situation. It did catch our eye, however, that the RaspEX project released a workable Ubuntu 16.10 release for the Raspberry Pi 2 and 3. RaspEX is a full Linux Desktop system with LXDE (a lightweight desktop environment) and many other useful programs. Firefox, Samba, and VNC4Server are present. You can use the Ubuntu repositories to install anything else you want. The system uses kernel 4.4.21. You can see a review of a much older version of RaspEX in the video below.
  • Download Ubuntu Yakkety Yak 16.10 wallpaper
    The Yakkety Yak 16.10 is released and now you can download the new wallpaper by clicking here. It’s the latest part of the set for the Ubuntu 2016 releases following Xenial Xerus. You can read about our wallpaper visual design process here.
  • Live kernel patching from Canonical now available for Ubuntu 16.04 LTS
    We are delighted to announce the availability of a new service for Ubuntu which any user can enable on their current installations – the Canonical Livepatch Service. This new live kernel patching service can be used on any Ubuntu 16.04 LTS system (using the generic Linux 4.4 kernel) to minimise unplanned downtime and maintain the highest levels of security.
  • How to enable free 'Canonical Livepatch Service' for Linux kernel live-patching on Ubuntu
    Linux 4.0 introduced a wonderful feature for those that need insane up-time -- the ability to patch the kernel without rebooting the machine. While this is vital for servers, it can be beneficial to workstation users too. Believe it or not, some home users covet long up-time simply for fun -- bragging rights, and such. If you are an Ubuntu 16.04 LTS user (with generic Linux kernel 4.4) and you want to take advantage of this exciting feature, I have good news -- it is now conveniently available for free! Unfortunately, this all-new Canonical Livepatch Service does have a catch -- it is limited to three machines per user. Of course, home users can register as many email addresses as they want, so it is easy to get more if needed. Businesses can pay for additional machines through Ubuntu Advantage. Want to give it a go? Read on. "Since the release of the Linux 4.0 kernel about 18 months ago, users have been able to patch and update their kernel packages without rebooting. However, until now, no other Linux distribution has offered this feature for free to their users. That changes today with the release of the Canonical Livepatch Service", says Tom Callway, Director of Cloud Marketing, Canonical.
  • KernelCare Is Another Alternative To Canonical's Ubuntu Live Kernel Patching
    Earlier this week Canonical announced their Kernel Livepatching Service for Ubuntu 16.04 LTS users. Canonical's service is free for under three systems while another alternative for Ubuntu Linux users interested in a commercial service is CloudLinux's KernelCare. The folks from CloudLinux wrote in to remind us of their kernel patching solution, which they've been offering since 2014 and believe is a superior solution to Canonical's service. KernelCare isn't limited to just Ubuntu 16.04 but also works with Ubuntu 14.04 and other distributions such as CentOS/RHEL, Debian, and other enterprise Linux distributions.