Language Selection

English French German Italian Portuguese Spanish


The linux-stable security tree project

Filed under

Hi all,

I'd like to announce the linux-stable security tree project. The purpose
is to create a derivative tree from the regular stable tree that would
contain only commits that fix security vulnerabilities.

Read more

Hardware Modding/Hacking/Security

Filed under
  • Libreboot on my X60s
  • Nexenta to Showcase Market Leading Open Source-Driven Software-Defined Storage Solutions at Cloud Expo Europe, London
  • Cybersecurity education isn't good, nobody is shocked

    There was a news story published last week about the almost total lack of cybersecurity attention in undergraduate education. Most people in the security industry won't be surprised by this. In the majority of cases when the security folks have to talk to developers, there is a clear lack of understanding about security.

  • Making it easier to deploy TPMTOTP on non-EFI systems

    On EFI systems you can handle this by sticking the secret in an EFI variable (there's some special-casing in the code to deal with the additional metadata on the front of things you read out of efivarfs). But that's not terribly useful if you're not on an EFI system. Thankfully, there's a way around this. TPMs have a small quantity of nvram built into them, so we can stick the secret there. If you pass the -n argument to sealdata, that'll happen. The unseal apps will attempt to pull the secret out of nvram before falling back to looking for a file, so things should just magically work.

  • 6 steps to calculate ROI for an open hardware project

    Free and open source software advocates have courageously blazed a trail that is now being followed by those interested in open source for physical objects. It's called free and open source hardware (FOSH), and we're seeing an exponential rise in the number of free designs for hardware released under opensource licenses, Creative Commons licenses,or placed in the public domain.

Security Leftovers

Filed under

Linux Mint security – 28 days later

Filed under

Linux Mint has suffered a reputation damage, which has led to doubts and questions being raised in the community. Valid questions, because you don’t want any private, confidential data to be transmitted to a third party without your knowledge and consent. So you may want to check if Mint is clean, and whether it can be used safely. This article outlines the technical methods.

However, you should also not forget that this is not the first, nor the last hack of a website related to a distro project. All the big names have had similar issues in the past. Moreover, obscurity does not guarantee security. If you’ve never thought about this topic before Feb 20, then you really should not be focusing too much energy on it now. Because all the other times you downloaded packages and updates your system, there could have been a breach somewhere, but since you were not aware of it, you did not do anything about it. Now you are aware, but it does not change the reality, only your perception. You may want to double-check everything now, it’s a natural reaction, but it’s not really grounded in any hard, solid facts. If anything, the hack only helps put more security highlight on the distros and their management, so they should now be more secure than ever before.


Read more

Security Leftovers

Filed under
  • A perfect storm of broken business and busted FLOSS backdoors everything, so who needs the NSA?

    In 2014, Poul-Henning Kamp, a prolific and respected contributor to many core free/open projects gave the closing keynote at the Free and Open Source Developers' European Meeting (FOSDEM) in Belgium, and he did something incredibly clever: he presented a status report on a fictional NSA project (ORCHESTRA) whose mission was to make it cheaper to spy on the Internet without breaking any laws or getting any warrants.

  • Researchers help shut down spam botnet that enslaved 4,000 Linux machines
  • Mumblehard Linux botnet eliminated as a threat: ESET

    Security researchers at ESET reported that the spam-dispensing Mumblehard Linux botnet is no longer active due to the combined efforts of ESET, the Cyber Police of Ukraine and CyS Centrum.

  • OSVDB Shuts Down, Firefox Add-ons Unsafe & More…

    Speaking of vulnerabilities: We lost an open source security asset this week. On Tuesday we received word that OSVDB, or the Open Sourced Vulnerability Database project, an organization that’s cataloged computer security flaws since 2002, is closing up shop. The news came by way of an OSVDB blog that said, “We are not looking for anyone to offer assistance at this point, and it [the database] will not be resurrected in its previous form.” As for why the database is being shut down, the post went on to somewhat cryptically explain, “The industry simply did not want to contribute and support such an effort.” A good analysis of the details by Jon Gold was published Thursday on Network World.

  • Do You Think Linux Is More Secure Than Other OS?

    There’s an old school of thought that says that Linux is more secure than other operating systems. This topic has been hotly debated over the years. What’s your opinion? Do you think Linux is more secure than other OS?

  • Adobe Issues Emergency Update to Flash After Ransomware Attacks
  • FBI: $2.3 Billion Lost to CEO Email Scams

    The U.S. Federal Bureau of Investigation (FBI) this week warned about a “dramatic” increase in so-called “CEO fraud,” e-mail scams in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters. The FBI estimates these scams have cost organizations more than $2.3 billion in losses over the past three years.

Security Leftovers

Filed under
  • Friday's security advisories
  • Thursday's security updates
  • Nation-wide radio station hack airs hours of vulgar “furry sex” ramblings

    Some Tuesday morning listeners of KIFT, a Top 40 radio station located in Breckenridge, Colorado, were treated to a radically different programming menu than they were used to. Instead of the normal fare from Taylor Swift, The Chainsmokers, or other pop stars, a hack by an unknown party caused one of the station's signals to broadcast a sexually explicit podcast related to the erotic attraction to furry characters. The unauthorized broadcast lasted for about 90 minutes.

    KIFT wasn't the only station to be hit by the hack. On the same day, Livingston, Texas-based country music station KXAX also broadcast raunchy furry-themed audio. And according to an article posted Wednesday by radio industry news site, the unauthorized broadcasts from a hobbyist group called FurCast were also forced on an unnamed station in Denver and an unidentified national syndicator.

  • Maryland hospital: Ransomware success wasn’t IT department’s fault

    MedStar refused to respond to Ars Technica's inquiries about the attack. In the statement released to media, MedStar's spokesperson said, "As we have said before, based on the advice of IT, cybersecurity and law enforcement experts, MedStar will not be elaborating further on additional aspects of this malware event. This is not only for the protection and security of MedStar Health, its patients and associates, but is also for the benefit of other healthcare organizations and companies." The spokesperson claimed the hospital had "no evidence of any compromise of patient or associate data… furthermore, we are pleased that we brought our systems back up in what can only be viewed as a very rapid recovery led by dedicated MedStar and external IT expert partners."

  • Its a good thing SELinux blocks access to the docker socket.

    I have seen lots of SELinux bugs being reported where users are running a container that volume mounts the docker.sock into a container. The container then uses a docker client to do something with docker. While I appreciate that a lot of these containers probbaly need this access, I am not sure people realize that this is equivalent to giving the container full root outside of the contaienr on the host system. I just execute the following command and I have full root access on the host.

Security Leftovers

Filed under
  • 'BillGates': Linux botnet is launching DDoS attacks on online gaming services

    IRONY ALERT: Bill Gates-themed software wants to get on as many computers as possible and not budge.

    Not Windows, of course, but a botnet called BillGates. The malware has been around since 2014 but now seems to be leaping forwards (not over a chair) and making a nuisance of itself, according to Akamai.

  • Mumblehard spam-spewing botnet floored

    Security researchers have teamed up with authorities in Ukraine to take down a spam-spewing Linux-infesting botnet.

    Security firm ESET teamed up with CyS-CERT and the Cyber Police of Ukraine to take down the Mumblehard botnet.

  • Authorities Shut Down Botnet of 4,000 Linux Servers Used to Send Spam

    The six-year-old Mumblehard botnet is no more, ESET reports, explaining that a joint effort with CyS Centrum LLC and the Cyber Police of Ukraine has finally allowed them to sinkhole the botnet's main C&C (command and control server).

  • Mumblehard Linux Spamming Botnet Finally Taken Offline

    Thousands of servers running Linux and BSD had been affected by one of world’s most damaging botnets

  • Academics claim Google Android two-factor authentication is breakable

    Computer security researchers warn security shortcomings in Android/Playstore undermine the security offered by all SMS-based two-factor authentication (2FA).

  • Google adds Cloud Test Lab integration to new Android Studio 2.0

    Google has updated its key Android development tool, Android Studio, to version 2.0 and added cloud test integration, a GPU debugger, and faster emulation and resource allocation.

    Mountain view touts the instant run feature as just about the most important new feature in the upgrade, as it analyses Android app code as it runs and determines ways it can be deployed faster, without requiring app re-installation.

  • Heartbleed Remains a Risk 2 Years After It Was Reported

    A vulnerability publicly disclosed in the open-source OpenSSL project two years ago continues to have an impact today.
    On April 7, 2014, CVE-2014-0160, better known as Heartbleed, was publicly disclosed by the OpenSSL project, affecting millions of users and devices around the world. Today, two years to the day it was first reported, the vulnerability remains a risk, and the trend of branded vulnerabilities it created continues to have an impact.

Security Leftovers

Filed under

Security Leftovers

Filed under
  • Linux botnet attacks increase in scale

    Hackers are using malware which targets Linux to build botnets to launch distributed denial of service (DDoS attacks) security researchers have warned.

    The so-called BillGates Trojan botnet family of malware - apparently so named by the virus writers because it targets machines running Linux, not Windows - has been labelled with a "high" risk factor in a threat advisory issued by Akamai's Security Intelligence Research Team.

  • Mumblehard takedown ends army of Linux servers from spamming

    One year after the release of the technical analysis of the Mumblehard Linux botnet, we are pleased to report that it is no longer active. ESET, in cooperation with the Cyber Police of Ukraine and CyS Centrum LLC, have taken down the Mumblehard botnet, stopping all its spamming activities since February 29th, 2016.

    ESET is operating a sinkhole server for all known Mumblehard components. We are sharing the sinkhole data with CERT-Bund, which is taking care of notifying the affected parties around the world through their national CERTs.

  • Ubuntu patches Linux kernel security bugs
  • Linux Kernel Security Bugs Patched

    Ubuntu users can install the update via the Unity Dash. To update, search the Unity Dash for the Software Updater utility and allow the program to reload the software repositories and search for new drivers. Once the Software Updater has found the updates, simply click on the "Install All" button to install them on your machine. Since this is a kernel update, you will need to reboot your device after the update. Canonical notes that the kernel updates have been given a new version number, which may require some users to recompile and reinstall all third party kernel modules.

  • Google reveals its shift to an open security architecture

    Google has revealed how it completely changed its security architecture, shifting from a traditional infrastructure to a more open model in which all network traffic is treated with suspicion.

    The project, called BeyondCorp, shifted the company from a perimeter security model to one where access to services and tools are not gated according to a user's physical location or their originating network, but instead deploys access policies based on information about a device, its state and associated user.

Security Leftovers

Filed under
Syndicate content

More in Tux Machines

DevOps Handbook and Course

Leftovers: Gaming

Android Leftovers

  • Off We Go: Oracle Officially Appeals Google's Fair Use Win
    It was only a matter of time until this happened, but Oracle has officially appealed its fair use Java API loss to the Federal Circuit (CAFC). As you recall, after a years-long process, including the (correct) ruling that APIs are not covered by copyright being ridiculously overturned by CAFC, a new trial found that even if APIs are copyright-eligible, Google's use was covered by fair use. Oracle then tried multiple times to get Judge William Alsup to throw out the jury's ruling, but failed. In fact, on Oracle's second attempt to get Alsup to throw out the jury's ruling, citing "game changing" evidence that Google failed to hand over important information on discovery, it actually turned out that Oracle's lawyers had simply failed to read what Google had, in fact, handed over.
  • On iMessage’s Stickiness
  • Physical RAM attack can root Android and possibly other devices [Ed: Memory flipping is not at all an Android problem]

Leftovers: OSS and Sharing

  • Enterprise Open Source Programs Flourish -- In Tech and Elsewhere
    If you cycled the clock back about 15 years and surveyed the prevailing beliefs about open source technology at the time, you would find nowhere near the volume of welcome for it that we see today. As a classic example, The Register reported all the way back in 2001 that former CEO of Microsoft Steve Ballmer made the following famous statement in a Chicago Sun-Times interview: "Linux is a cancer that attaches itself in an intellectual property sense to everything it touches."
  • 5 More Reasons to Love Kubernetes
    In part one of this series, I covered my top five reasons to love Kubernetes, the open source container orchestration platform created by Google. Kubernetes was donated to the Cloud Native Computing Foundation in July of 2015, where it is now under development by dozens of companies including Canonical, CoreOS, Red Hat, and more. My first five reasons were primarily about the project’s heritage, ease of use, and ramp-up. The next five get more technical. As I mentioned in part one, choosing a distributed system to perform tasks in a datacenter is much more complex than looking at a spreadsheet of features or performance. And, you should make your decision based on your own needs and team dynamics. However, this top 10 list will give you my perspective, as someone who has been using, testing, and developing systems for a while now.
  • Bankers plan to give Corda blockchain code to Hyperledger project
  • Are European Banks Falling Behind in Blockchain Development?
  • Hyperledger adds 10 new members to support open source distributed ledger framework
    The Linux Foundation's Hyperledger project has announced that 10 new members have joined the project in order to help create an open standard for distributed ledgers for a new generation of transactional applications.
  • The Blockchain Created By Ethereum's Fork is Forking Now
    A blockchain that was born out of the rejection of a contentious technical change is on the cusp of making a decision some argue contradicts its core values. That's the situation the developers behind ethereum classic face ahead of a hard fork expected to be enacted on its blockchain on 25th October (should network participants approve the upgrade). Originally formed in reaction to a decision by the ethereum community to edit its "immutable" ledger, the fork caused an ideological schism among its enthusiasts. Alarmed by the action (or seeing a chance to profit by continuing the original network), miners and speculators began running its blockchain, which developers named "ethereum classic". Other investors then bought into the vision, and today, there are currently 85m classic ethers (ETC) worth $87m.
  • Red Hat: OpenStack moving beyond the proof-of-concept phase
    Red Hat’s annual poll found that 43 percent of respondents have deployed the cloud platform in production, compared to just 16 percent one year ago. The company reckons the increase reflects efforts by the community to address complexity and deployment issues that were previously known to have been a major roadblock to adoption. The study also noted that the steep learning curve for deploying OpenStack is being addressed as a growing number of engineers become certified to operate the platform. In addition, Red Hat cited cloud native application development as another driving force in enterprise adoption of OpenStack.
  • OpenStack Summit Emphasizes Security, Interoperability
    From security to interoperabilty to use cases and everything in-between, this week's OpenStack Summit from Oct. 25 to 28 in Barcelona, is set to illuminate the cloud. This year's event, which brings together vendors, operators and developers of the open-source cloud platform, will offer more sessions than ever before on securing OpenStack clouds. The Barcelona Summit follows the release of the OpenStack Newton milestone, which debuted on Oct. 6. While discussions about the most recent release are always part of every OpenStack Summit, so too are case-studies from operators of OpenStack clouds.
  • A complete view into application security must include open source [Ed: Black Duck spam (self-promotional marketing) takes form of FOSS FUD, as usual]
  • While Other Cities Go Linux, Toronto Bets Big on Microsoft Software [Ed: Toronto joins the Dark Forces]
    "" The partnership between Microsoft and the city of Toronto certainly comes at the right time, as other authorities across the world already announced decisions to give up on Windows and Office and replace them with open-source alternatives. Munich is the city that started the entire trend, but it wasn’t at all a smooth transition. Some of the local officials proposed a return to Microsoft software, claiming that training and assistance actually impacted productivity and explaining that in the end it all pays off to use Microsoft software because of the familiarity that users experience, which translates to a substantial productivity boost. And yet, the transition off Microsoft products is happening and more authorities are willing to do it, not necessarily because of the costs, but also due to security concerns, as is the case of Russia.
  • Open-Source Toolkit Lets Communities Build Their Own Street Furniture
    Despite the vast amount of customization options technology has allotted us, it can still be difficult to create projects that are community-centric. For example, though 3D printing can help us personalize our own jewelry, it has limited use for outfitting parks with trash cans or equipping bus stops with comfortable seating. Still, hyper-customizable tech has taught us the convenience of managing our own products, eliminating the bureaucratic complications of mass produced, production-line assembly. Leveraging this ideology to better the community, the Better Block Foundation, a nonprofit dedicated to building local communities, has developed an open-source toolkit for creating a variety of fixtures for communities. The platform, called Wikiblock, allows designs ranging from benches to beer garden fences to be downloaded and taken to a maker space where a computer-aided machine can print the design from plywood. Similar to Ikea’s simplistic, DIY approach, the printed wood can be assembled by hand, without glue or nails.
  • How to make a lighted, porch bag for Halloween
    While I typically go all out for Halloween decorations every year, I'll admit I'm feeling tired this year. I still wanted to delight the neighborhood kids with simple details, so I decided to make lighted bags for my front porch railing this year. If you are someone who has a paper cutting machine like the Silhouette, this project will likely be a lot easier. Simply import the SVG file, resize for whatever size box you want, cut out, and assemble. However, for those of you who don't have one, I've included instructions on how to make this project without any machine at all. The box was created with the help of artists who share their art at OpenClipArt. I also used Inkscape to create the SVG file. If you don't like bats, you could modify the SVG file to include other types of clipart in the center of the bag.