Security

Security: Autofill, Intel and Apple

Filed under
Security
  • You Should Turn Off Autofill in Your Password Manager
  • 'Kernel memory leaking' Intel processor design flaw forces Linux, Windows redesign

    A fundamental design flaw in Intel's processor chips has forced a significant redesign of the Linux and Windows kernels to defang the chip-level security bug.

    Programmers are scrambling to overhaul the open-source Linux kernel's virtual memory system. Meanwhile, Microsoft is expected to publicly introduce the necessary changes to its Windows operating system in an upcoming Patch Tuesday: these changes were seeded to beta testers running fast-ring Windows Insider builds in November and December.

    Crucially, these updates to both Linux and Windows will incur a performance hit on Intel products. The effects are still being benchmarked; however, we're looking at a ballpark figure of five to 30 per cent slowdown, depending on the task and the processor model. More recent Intel chips have features – specifically, PCID – to reduce the performance hit.

  • A Huge Intel Security Hole Could Slow Down Your PC Soon

    Intel chips have a massive design flaw, and both Microsoft and the Linux kernel developers are scrambling to fix it. The security hole can be patched, but the patches will make PCs (and Macs) with Intel chips slower.

    We don’t know how much slowdown you’ll see yet, but one developer says a 5% slowdown will be fairly typical—at least on Linux—while certain tasks could experience slowdowns as high as 30%.

  • MacOS Kernel Flaw Could Allow Full-System Compromise

    A researcher going by the name “Siguza” unveiled a 15-year-old security vulnerability in Apple’s macOS operating system that could allow an attacker to fully compromise the system. The researcher also published proof-of-concept zero-day code to his GitHub page.

FOSS Security Updates and Six Cyber Threats to Really Worry About in 2018

Filed under
Security
  • Security updates for Tuesday
  • Six Cyber Threats to Really Worry About in 2018

    The cyberattack on the Equifax credit reporting agency in 2017, which led to the theft of Social Security numbers, birth dates, and other data on almost half the U.S. population, was a stark reminder that hackers are thinking big when it comes to targets. Other companies that hold lots of sensitive information will be in their sights in 2018. Marc Goodman, a security expert and the author of Future Crimes, thinks data brokers who hold information about things such as people’s personal Web browsing habits will be especially popular targets. “These companies are unregulated, and when one leaks, all hell will break loose,” he says.

Multiple-guess quiz will make Brit fliers safer, hopes drone-maker DJI

Filed under
GNU
Security
Legal

Meanwhile, security researcher Jon Sawyer has published a root exploit for DJI drones called DUMLRacer. It would appear to allow the technically competent dronie to completely ignore DJI's height and location restrictions, which form a large part of its please-don't-regulate-us-out-of-existence offering to governments around the world.

In his tweet announcing the release, Sawyer said: "Dear DJI, next time I ask for some GPL source code, maybe don't tell me no."

At the heart of DJI's software is GNU General Public Licensed (open source) code. While the firm does publish some of its source code, as previously reported, the company is not exactly clear about what elements of its drones' firmware are based on GPL-licensed code. The GPL contains a provision stating that anyone can modify GPL-licensed code provided that the source of any publicly available modded version is also made public, as the GPL FAQ makes clear.

Security: Updates, Linux security in 2017, and LogRhythm Study

Filed under
Security
  • Security updates for New Year's day
  • The state of Linux security in 2017

    The year is closing, so it is time to review Linux security. Like last year, we look at the state of Linux security. A collection of the finest moments. Did we forget something important? Let us know in the comments. This post will remain updated in the upcoming weeks.

  • Gaps in software slowing down security professionals

    More than a third of IT decision-makers estimated that their security staff spent at least three hours daily on tasks that otherwise could have been handled by better software, revealed a study commissioned by LogRhythm. Conducted by Widmeyer, the study polled 751 respondents from Asia-Pacific, the US, and UK, including 251 from four Asia-Pacific markets: Singapore, Hong Kong, Australia, and Malaysia.

Security: Windows Ransomware, Ukraine, and PS4 Jailbreaking

Filed under
Security
  • Warning: Global cyber crime reaches new highs and worse to come

    There has been an unprecedented level of new cyber crime attacks worldwide in 2017 — both in number and intensity — and next year is expected to be even worse, according to global security firm MailGuard.

  • WannaCry, Petya, NotPetya: how ransomware hit the big time in 2017

    The WannaCry outbreak had shut down computers in more than 80 NHS organisations in England alone, resulting in almost 20,000 cancelled appointments, 600 GP surgeries having to return to pen and paper, and five hospitals simply diverting ambulances, unable to handle any more emergency cases.

  • How An Entire Nation Became Russia's Test Lab for Cyberwar
  • PS4 Jailbreak possible with newly identified exploit

    We have always believed gaming consoles to be the most well-protected devices, but it is about time manufacturers like Sony take notice of security protections in their devices. Seems like troubles for Sony are about to resume with the New Year, since PlayStation 4 (PS4) has become vulnerable to a range of exploits. Reportedly, developer SpecterDev has published online a fully-functional kernel exploit for PS4’s firmware version 4.05, hinting at the fact that the complete jailbreak of the console is now much closer than we have been expecting.

    [...]

    Previously, TeamFail0verflow got Linux running on the PS4 hardware, and now the latest feat from Specter has come up with an even more powerful exploit. Although developers haven’t included the tools required to run homebrew software or to jailbreak the console, so as to deflect the legal team of Sony, modders can easily run arbitrary code on the device by simply listening for a payload through port 9020.

Security: Updates, Quantum Computers, Liability, Cryptojacking

Filed under
Security
  • Security updates for Friday
  • How Classical Cryptography Will Survive Quantum Computers

    Justin Trudeau, the Canadian prime minister, certainly raised the profile of quantum computing a few notches last year, when he gamely—if vaguely—described it for a press conference. But we’ve heard a lot about quantum computers in the past few years, as Google, I.B.M., and N.A.S.A., as well as many, many universities, have all been working on, or putting money into, quantum computers for various ends. The N.S.A., for instance, as the Snowden documents revealed, wants to build one for codebreaking, and it seems to be a common belief that if a full-scale, practical quantum computer is built, it could be really useful in that regard. A New Yorker article early this year, for example, stated that a quantum computer “would, on its first day of operation, be capable of cracking the Internet’s most widely used codes.” But maybe they won’t be as useful as we have been led to believe.

  • Can a decentralized open source community properly address security?

    SearchSecurity talks with UC Berkeley Professor Steven Weber about the open source community, the security challenges facing it and the prospect of software liability.

  • Chrome Extension With 100,000 Users Caught Cryptojacking Using Your CPU Power

    The trend of mining cryptocurrency hasn’t gone unnoticed by the notorious minds. This technique to use CPU power to earn digital coins has been repeatedly used by malware creators as well as the website owners who chose to keep their users in the dark. In the latest development, a popular Chrome extension has been spotted as a new player in this game.

    Named Archive Poster, this extension has more than 100,000 users. For the past few weeks, the extension has been deploying an in-browser cryptocurrency miner without showing the users any form of notification or asking for their permission.

Security and DRM Leftovers

Filed under
Security

Security: Nation-State Hacking, Microsoft/WannaCry, End-to-End Encryption, Updates and Client Security

Filed under
Security
  • Nation-State Hacking: 2017 in Review

    If 2016 was the year government hacking went mainstream, 2017 is the year government hacking played the Super Bowl halftime show. It's not Fancy Bear and Cozy Bear making headlines. This week, the Trump administration publicly attributed the WannaCry ransomware attack to the Lazarus Group, which allegedly works on behalf of the North Korean government. As a Presidential candidate, Donald Trump famously dismissed allegations that the Russian government broke into email accounts belonging to John Podesta and the Democratic National Committee, saying it could easily have been the work of a "400 lb hacker" or China. The public calling-out of North Korean hacking appears to signal a very different attitude towards attribution.

    Lazarus Group may be hot right now, but Russian hacking has continued to make headlines. Shortly after the release of WannaCry, there came another wave of ransomware infections, Petya/NotPetya (or, this author's favorite name for the ransomware, "NyetYa"). Petya was hidden inside of a legitimate update to accounting software made by MeDoc, a Ukrainian company. For this reason and others, Petya was widely attributed to Russian actors and is thought to have primarily targeted Ukrainian companies, where MeDoc is commonly used. The use of ransomware as a wiper, a tool whose purpose is to render the computer unusable rather than to extort money from its owner, appears to be one of this year's big new innovations in the nation-state actors' playbook.

  • North Korea asks US for proof of WannaCry claim [iophk: "caused by Microsoft bug doors"]

    A North Korean diplomat has asked the US to provide evidence for its claim that the WannaCry ransomware was created and spread by Pyongyang.

  • Transport-Layer Encryption vs End-to-End Encryption - GIF

    During the course of a digital security training, participants often learn that they should encrypt their information in transit, like emails, chats, messages, and cloud storage. Learners come away from a training with an appreciation for encryption. However, they may not come away learning that there are different ways of using encryption.

    It’s also important for learners to be able to distinguish what the encryption they are using to protect their information does and does not protect against. One way to clarify this conversation is to point out two different types of encryption for their information in transit: transport-layer encryption, and end-to-end encryption.

    HTTPS and VPNs are examples of transport-layer encryption, which is a way of encrypting data in transit.

  • Security updates for Wednesday
  • Even With the Cloud, Client Security Still Matters

Security: Insecurity, DARPA, Oversight, Uber’s Bug Bounty

Filed under
Security
  • Lack of IT staff leaving companies exposed to hacker attacks [iophk: "very few companies even have an IT staff, usually just Microsoft resellers"]

    According to a recent survey of recruitment agencies, 81% expect a rise in demand for digital security staff, but only 16% saw that the demand would be met.

  • DARPA Triggers Development of The ‘Unhackable’ Computer Morpheus With $3.6 Million

    DARPA (Defense Advanced Research Project Agency), who gave us the early version of the internet is now trying to fix a major problem – computers vulnerable to cyber attacks.

  • Securing the internet of things will be no easy task

    As I testified before House Oversight’s IT subcommittee in early October, many recent, major breaches could have been eliminated or dramatically reduced if some fundamental principles of cyber hygiene had been followed, including constant patching, least privilege, encryption, micro-segmentation and multi-factor authentication.

  • How I Got Paid $0 From the Uber Security Bug Bounty

    So now it’s a completely verified critical security vulnerability, with working POC that will harvest usernames and passwords from an Uber mobile endpoint, and SSL-protected with Uber’s signed certificate. The Uber development team gets involved, and additionally verifies that yes, they can execute arbitrary JavaScript code from any *.cloudfront.net host, so these are three distinct critical severity security issues: reflected XSS, HTML content injection, and a CSP that allows execution of arbitrary JavaScript from any *.cloudfront.net host.

    [...]

    Followed by locking and then closing without payment all of my submitted security reports, so that they can’t be viewed or publicly disclosed.

Security and DRM

Filed under
Security
  • Security updates for a holiday Monday
  • 18 Cyber-Security Trends Organizations Need to Brace for in 2018
  • Seven Awful DRM Moments from the Year (and Two Bright Spots!): 2017 in Review

    The Apollo 1201 project is dedicated to ending all the DRM in the world, in all its forms, in our lifetime. The DRM parade of horribles has been going strong since the Clinton administration stuck America with Section 1201 of the Digital Millennium Copyright Act ("DMCA") in 1998. That law gave DRM special, hazardous legal protection: under that law, you're not allowed to remove DRM, even for a lawful purpose, without risking legal penalties that can include jailtime and even six-figure fines for a first offense.

    That's a powerful legal weapon to dangle in front of the corporations of the world, who've figured out that if they add a thin scrim of DRM to their products, they can make it a literal felony to use their products in ways that they don't approve of -- including creative uses, repair, tinkering and security research. (There's an exemption process, but it's burdensome and inadequate to protect many otherwise legal activities.)
