Language Selection

English French German Italian Portuguese Spanish

Security

Systemd is not Magic Security Dust

Filed under
Linux
Security

Systemd maintainer David Strauss has published a response to my blog post about systemd. The first part of his post is replete with ad hominem fallacies, strawmen, and factual errors. Ironically, in the same breath that he attacks me for not understanding the issues around threads and umasks, he betrays an ignorance of how the very project which he works on uses threads and umasks. This doesn't deserve a response beyond what I've called out on Twitter.

In the second part of his blog post, Strauss argues that systemd improves security by making it easy to apply hardening techniques to the network services which he calls the "keepers of data attackers want." According to Strauss, I'm "fighting one of the most powerful tools we have to harden the front lines against the real attacks we see every day." Although systemd does make it easy to restrict the privileges of services, Strauss vastly overstates the value of these features.

Read more

Why health implants should have open source code

Filed under
OSS
Security

As medical implants become more common, sophisticated and versatile, understanding the code that runs them is vital. A pacemaker or insulin-releasing implant can be lifesaving, but they are also vulnerable not just to malicious attacks, but also to faulty code.

For commercial reasons, companies have been reluctant to open up their code to researchers. But with lives at stake, we need to be allowed to take a peek under the hood.

Over the past few years several researchers have revealed lethal vulnerabilities in the code that runs some medical implants. The late Barnaby Jack, for example, showed that pacemakers could be “hacked” to deliver lethal electric shocks. Jay Radcliffe demonstrated a way of wirelessly making an implanted insulin pump deliver a lethal dose of insulin.

But “bugs” in the code are also an issue. Researcher Marie Moe recently discovered this first-hand, when her Implantable Cardioverter Defibrillator (ICD) unexpectedly went into “safe mode”. This caused her heart rate to drop by half, with drastic consequences.

Read more

Also: Hack Crashes Linux Distros with 48 Characters of Code

Hardware Firewall: Choosing the Right Firewall Distribution

Filed under
GNU
Linux
Security

Over the years I've bought some less than impressive consumer routers, so these days I run my own self-built hardware firewall appliance. Surprisingly, deciding on which option was best for my needs was not as easy as I had hoped.

Building a hardware firewall requires you to decide on the hardware your firewall/router computer operating system will be installed on. Like myself, some people might use an old PC. Others might decide to install their selected firewall operating system onto a rack mount server. However one decides to do this, the completed act of installing this OS onto the dedicated hardware creates a dedicated hardware firewall.

And unlike a software firewall, hardware firewalls serve a single dedicated purpose – to act as a gateway appliance for your network. Having had experience with three popular firewall operating systems in the past, I found that choosing the "right one" is a matter of perspective.

In this article, I'm going to share my experience and overall impressions about those three different firewall solutions. Some of these are highly advanced while others are incredibly easy to use. Each of these solutions share something that I feel good about sharing with my readers. All of the firewalls are easily downloadable without any annoying sign-up pages (I'm looking at you, Sophos).

Read more

Security News

Filed under
Security
  • Security updates for Monday
  • Impossible is impossible!

    Sometimes when you plan for a security event, it would be expected that the thing you're doing will be making some outcome (something bad probably) impossible. The goal of the security group is to keep the bad guys out, or keep the data in, or keep the servers patched, or find all the security bugs in the code. One way to look at this is security is often in the business of preventing things from happening, such as making data exfiltration impossible. I'm here to tell you it's impossible to make something impossible.

    As you think about that statement for a bit, let me explain what's happening here, and how we're going to tie this back to security, business needs, and some common sense. We've all heard of the 80/20 rule, one of the forms is that the last 20% of the features are 80% of the cost. It's a bit more nuanced than that if you really think about it. If your goal is impossible it would be more accurate to say 1% of the features are 2000% of the cost. What's really being described here is a curve that looks like this

  • What is the spc_t container type, and why didn't we just run as unconfined_t?

    If you are on an SELinux system, and run docker with SELinux separation turned off, the containers will run with the spc_t type.

  • The importance of paying attention in building community trust

    Trust is important in any kind of interpersonal relationship. It's inevitable that there will be cases where something you do will irritate or upset others, even if only to a small degree. Handling small cases well helps build trust that you will do the right thing in more significant cases, whereas ignoring things that seem fairly insignificant (or saying that you'll do something about them and then failing to do so) suggests that you'll also fail when there's a major problem. Getting the small details right is a major part of creating the impression that you'll deal with significant challenges in a responsible and considerate way.

    This isn't limited to individual relationships. Something that distinguishes good customer service from bad customer service is getting the details right. There are many industries where significant failures happen infrequently, but minor ones happen a lot. Would you prefer to give your business to a company that handles those small details well (even if they're not overly annoying) or one that just tells you to deal with them?

Systemd bug in the News

Filed under
Linux
Security
  • Systemd bug allows ordinary user to crash Linux systems

    The systemd project is yet to release a fix for a bug that was disclosed on 28 September but at least one GNU/Linux distribution has patched the same.

    The bug, allowing a user to crash a system by using a short command as an ordinary user, was disclosed by a developer named Andrew Ayer.

    After running this command, according to Ayer, "You can no longer start and stop daemons. inetd-style services no longer accept connections. You cannot cleanly reboot the system. The system feels generally unstable (e.g. ssh and su hang for 30 seconds since systemd is now integrated with the login system)."

  • Major Linux distributions suffer from the latest system crippling bug

    A system administrator, Andrew Ayer discovered a crippling bug while working with his Linux System. He reported the issue at length in a blogpost pointing out how anyone could crash Systemd by one single tweet. The system will not collapse as soon as the tweet is rendered on screen by the system. Instead, what it meant was that any Linux distribution could be crippled by a command that can fit into one tweet. He even posted a tweet with the command to prove his point.

Down the rabbit hole, part 3: Linux and Tor are key to ensuring privacy, security

Filed under
Linux
Security

So, I’ve decided I need to improve the privacy and security of my life (especially as it relates to computing). And I’ve come to the conclusion that in order to effectively do this, I need to focus on utilizing open source software as much as possible.

What next?

Let’s start at a very simple, basic level: the operating system of my laptop computers (I don’t actually have a desktop currently, but the same ideas will apply) and how they connect to the internet.

Read more

Security News

Filed under
Security
  • security things in Linux v4.7
  • Microsoft warns Windows security fix may break network shares

    The latest of these, Preview Build 14936 – for testers on what Microsoft refers to as the Fast Ring – comes with the usual set of updates, new features, and fixes for things that the previous release managed to break.

    However, what caught our eye was a warning that after updating, users may find that shared devices such as NAS boxes have mysteriously disappeared from the home network folder, and that any previously mapped network drives are unavailable.

    Microsoft offers a fix for this; if you change your network to “private” or “enterprise”, it should start working again.

    It seems that the cause of this hiccup is a fix that Microsoft made earlier in September to address a security hole severe enough that it might allow remote code execution with elevated permissions on an affected system, although this would require an attacker to create a specially crafted request.

    The fix addresses this by, among other things, “correcting how Windows enforces permissions”.

    Windows Insiders are typically no newbies and used to preview builds breaking stuff, but it is likely that this change will find its way into the Windows 10 code everybody else is running sooner or later.

  • Android Devices Are Targeted By New Lockscreen Ransomware

Security Leftovers

Filed under
Security
  • Bug Bounty Hunters Can Earn $1.5 Million For A Successful Jailbreak Of iOS 10
  • How To Ensure Trustworthy, Open Source Elections [Ed: This reminds us Microsoft must be kicked out of election process [1, 2]

    A strong democracy hinges not only on the right to vote but also on trustworthy elections and voting systems. Reports that Russia or others may seek to impact the upcoming U.S. presidential election—most recently, FBI evidence that foreign hackers targeted voter databases in Arizona and Illinois—has brought simmering concerns over the legitimacy of election results to a boil.

  • Source Code for IoT Botnet ‘Mirai’ Released

    The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.

    The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.

Security News

Filed under
Security
  • Your next DDoS attack, brought to you courtesy of the IoT

    The internet is reeling under the onslaught of unprecedented denial-of-service attacks, the sort we normally associate with powerful adversaries like international criminal syndicates and major governments, but these attacks are commanded by penny-ante crooks who are able to harness millions of low-powered, insecure Internet of Things devices like smart lightbulbs to do their bidding.

    Symantec reports on the rising trend in IoT malware, which attack systems that "may not include any advanced security features" and are "designed to be plugged in and forgotten" without "any firmware updates" so that "infection of such devices may go unnoticed by the owner."

    The USA and China are the two countries where people own most of these things, so they're also where most of the malicious traffic originates. Symantec ran a honeypot that recorded attempts to login and compromise a system that presented as a vulnerable IoT device, and found that the most common login attempts used the default passwords of "root" and "admin," suggesting that malware authors have discovered that IoT owners rarely change these defaults. Other common logins include "123456," "test" and "oracle."

  • Meet Linux.Mirai Trojan, a DDoS nightmare
  • Linux.Mirai Trojan Carries Out DDoS Attacks
  • Fears of a hacked election may keep 1 out of every 5 voters home, says report

    Recent hacks of the Democratic National Committee, the Democratic Congressional Campaign Committee and election databases have increased fears that cybercriminals will try to interfere with the upcoming U.S. presidential election.

    Concerns leading up to election day on November 8 could have a real impact on voter turnout, according to a study from cybersecurity firm Carbon Black. More than one in five registered U.S. voters may stay home on election day because of fears about cybersecurity and vote tampering, the study — an online survey of 700 registered voters aged 18-54 — found.

  • Hostile Web Sites

    I was asked whether it would be safe to open a link in a spam message with wget. So here are some thoughts about wget security and web browser security in general.

  • You can crash Linux Systemd with a single Tweet

    System administrator Andrew Ayer has discovered a potentially critical bug in systemd which can bring a vulnerable Linux server to its knees with a single command line.”After running this command, PID 1 is hung in the pause system call. You can no longer start and stop daemons.

  • How to reignite a flamewar in one tweet (and I still don’t get it)
  • Multiple Linux Distributions Affected By Crippling Bug In Systemd

    System administrator Andrew Ayer has discovered a potentially critical bug in systemd which can bring a vulnerable Linux server to its knees with one command. "After running this command, PID 1 is hung in the pause system call. You can no longer start and stop daemons. inetd-style services no longer accept connections. You cannot cleanly reboot the system." According to the bug report, Debian, Ubuntu, and CentOS are among the distros susceptible to various levels of resource exhaustion. The bug, which has existed for more than two years, does not require root access to exploit.

Security Leftovers

Filed under
Security
  • Let's Encrypt Wants to Help Improve the CA Model

    Let's Encrypt, a non-profit effort that brings free SSL/TLS certificates to the web, was first announced in November 2014 and became a Linux Foundation Collaborative Project in April 2015. To date, it has provided more than 5 million free certificates.

    While having an SSL/TLS certificate to encrypt traffic is an important element of web security, it's not the only one, said Josh Aas, executive director of the Internet Security Research Group and leader of Let's Encrypt.

    "There is a lot in the total picture of what makes a website secure, and we can do a lot to help a certain part of it," he said in a video interview.

  • How to Throw a Tantrum in One Blog Post

    The systemd team has recently patched a local denial of service vulnerability affecting the notification socket, which is designed to be used for daemons to report their lifecycle and health information. Some people have used this as an opportunity to throw a fresh tantrum about systemd.

Syndicate content

More in Tux Machines

Red Hat and Fedora

  • Is there need for Red Hat Certification training in Zimbabwe?
    A local institution is investigating the need to train Systems Administrators/Engineers who use Linux towards Red Hat certifications. The course is targeted at individuals with at least 2 years experience using Linux.
  • Red Hat, Inc. (NYSE:RHT) By The Numbers: Valuation in Focus
  • Fedora @ Konteh 2017 - event report
    This year we managed to get a booth on a very popular student job fair called Konteh. (Thanks to Boban Poznanovic, one of the event managers)
  • Fedora 26 Alpha status is NO-GO
    The result of the second Fedora 26 Alpha Go/No-Go Meeting is NO-GO. Due to blockers found during the last days [1] we have decided to delay the Fedora 26 Alpha release for one more week. There is going to be one more Go/No-Go meeting on the next Thursday, March 30th, 2017 at 17:00 UTC to verify we are ready for the release.
  • Fedora 26 Alpha Faces Another Delay
    Fedora 26 was set back by a delay last week and today it's been delayed again for another week. Fedora 26 Alpha has been delayed for another week when at today's Go/No-Go meeting it was given a No-Go status due to outstanding blocker bugs.

GNOME News: Gtef, GNOME 3.24 Release Video, Epiphany 3.24

  • Gtef 2.0 – GTK+ Text Editor Framework
    Gtef is now hosted on gnome.org, and the 2.0 version has been released alongside GNOME 3.24. So it’s a good time for a new blog post on this new library.
  • GNOME's GTK Gets Gtef'ed
    Developer Sébastien Wilmet has provided an overview of Gtef with this text editing framework having been released in tandem with GNOME 3.24. Gtef provides a higher level API to make it easier for text editing or in developer-focused integrated development environments.
  • The Official GNOME 3.24 Release Video Is Here
    By now you’re probably well aware that a new update to the GNOME desktop has been released — and if you’re not, where’ve you been?! GNOME 3.24 features a number of neat new features, welcome improvements, and important advances, most of which we’ve documented in blog posts during the course of this week.
  • A Web Browser for Awesome People (Epiphany 3.24)
    Are you using a sad web browser that integrates poorly with GNOME or elementary OS? Was your sad browser’s GNOME integration theme broken for most of the past year? Does that make you feel sad? Do you wish you were using an awesome web browser that feels right at home in your chosen desktop instead? If so, Epiphany 3.24 might be right for you. It will make you awesome. (Ask your doctor before switching to a new web browser. Results not guaranteed. May cause severe Internet addiction. Some content unsuitable for minors.)

today's howtos

AMDGPU Vega Patches and AMD Open-Sources Code

  • More AMDGPU Vega Patches Published
    Less than one week after AMDGPU DRM Vega support was published along with the other Vega enablement patches for the Linux driver stack, more Direct Rendering Manager patches are being shot out today.
  • AMD have announced 'Anvil', an MIT-licensed wrapper library for Vulkan
    AMD are continuing their open source push with 'Anvil' a new MIT-licenses wrapper library for Vulkan. It's aim is to reduce the time developers spend to get a working Vulkan application.
  • AMD Open-Sources Vulkan "Anvil"
    While waiting for AMD to open-source their Vulkan Linux driver, we have a new AMD open-source Vulkan project to look at: Anvil. Anvil is a project out of AMD's GPUOpen division and aims to be a wrapper library for Vulkan to make it easier to bring-up new Vulkan applications/games. Anvil provides C++ Vulkan wrappers similar to other open-source Vulkan projects while also adding in some extra features.