
Security

[Debian] reproducible builds are a waste of time

Filed under
Security
Debian
  • reproducible builds are a waste of time

    Yesterday I read an article on Motherboard about Debian’s plan to shut down 83% of the CIA with reproducible builds. Ostensibly this defends against an attack where the compiler is modified to insert backdoors in the packages it builds. Of course, the defense only works if only some of the compilers are backdoored. The article then goes off on a bit of a tangent about self propagating compiler backdoors, which may be theoretically possible, but also terribly, unworkably fragile.

    I think the idea is that if I’m worried about the CIA tampering with Debian, I can rebuild everything myself from source. Because there’s no way the CIA would be able to insert a trojan in the source package. Then I check if what I’ve built matches what they built. If I were willing to do all that, I’m not sure why I need to check that the output is the same. I would always build from scratch, and ignore upstream entirely. I can do this today. I don’t actually need the builds to match to feel confident that my build is clean. Perhaps the idea is that a team of incorruptible volunteers will be building and checking for me, much like millions of eyeballs are carefully reviewing the source to all the software I run.

    The original source document doesn’t actually mention deployment of the whacked SDK, just research into its development. Perhaps they use it, perhaps they rejected it as being too difficult and risky. Tricking a developer into using a whacked toolchain leaves detectable traces and it’s somewhat difficult to deny as an accident. If we assume that the CIA has access to developers’ machines, why not assume they have access to the bug database as well and are mining it for preexisting vulnerabilities to exploit? Easy, safe, deniable.

  • Debian Reproducible Builds to Detect Spyware

    Debian has been getting a lot of attention the last couple of days for Jérémy Bobbio's work on Reproducible Builds. Bobbio has been working on this idea and implementation for a couple of years now, but after a presentation at Chaos Communication Camp last month it's come back into focus. In other Debian news, updates 8.2 and 7.9 were released.

  • Debian Linux versus the CIA

    Hidden backdoors into software have long been a concern for some users as government spying has increased around the world. Now the Debian project has taken aim at the CIA and other government spy agencies with reproducible builds that aim to stop hidden backdoors.

Debian Security

Filed under
Security
Debian

How to Install and run Kali Linux on any Android Smartphone

Filed under
Android
GNU
Linux
Security
HowTos

Kali Linux is one of the best-loved operating systems among white hat hackers, security researchers and pentesters. It offers advanced penetration testing tools, and its ease of use means that it should be a part of every security professional’s toolbox.

Penetration testing involves using a variety of tools and techniques to test the limits of security policies and procedures. Nowadays more and more apps are available on the Android operating system for smartphones and tablets, so it becomes worthwhile to have Kali Linux on your smartphone as well.


Security Leftovers

Filed under
Security

Improving Security for Bugzilla

Filed under
Moz/FF
Security

Openness, transparency, and security are all central to the Mozilla mission. That’s why we publish security bugs once they’re no longer dangerous, and it’s why we’re writing a blog post about unauthorized access to our infrastructure. We have notified the relevant law enforcement authorities about this incident, and may take additional steps based on the results of any further investigations.


Google Chrome Turns Seven, Advances with Security and Performance Gains

Filed under
Google
Security

After seven years of development, Google continues its rapid pace of release and enhancement for its Chrome browser. On the seventh anniversary of the first Chrome public release on September 2, Google released Chrome stable version 45 and Chrome beta 46.

Google Chrome debuted on September 2, 2008 after months of speculation about Google's intentions regarding entering the browser market. The first Chrome browser entered the market at a time when Microsoft's IE still dominated, though Firefox was making a dent in that market share. Today, according to multiple sets of stats, including Statcounter, Google Chrome stands as the world's most popular web browser.


Security Leftovers

Filed under
Security

Security Leftovers

Filed under
Security
  • Sick of memorizing passwords? A Turing Award winner came up with this algorithmic trick

    Manuel Blum, a professor of computer science at Carnegie Mellon University who won the Turing Award in 1995, has been working on what he calls "human computable" passwords that are not only relatively secure but also don't require us to memorize a different one for each site. Instead, we learn ahead of time an algorithm and a personal, private key, and we use them with the website's name to create and re-create our own unique passwords on the fly for any website at any time.

  • Car thieves use 'mystery device' to break into vehicles

    A car manufacturer recalled more than a million cars following security concerns about car hacking, as the National Insurance Crime Bureau issued an alert about a "mystery device" being used to break into vehicles by defeating the electronic locking system of later-model cars.

    So-called connected car "convenience technology" could put consumers at risk.

    "Right now, what has happened is the digital key fob has become a way for someone to steal your car," NICB investigator James "Herb" Price said.

  • Security Considerations When Moving from VMs to Containers

    We recently ran a sponsored series from Fox Technologies on Linux.com. We want to thank the company for its support and for sharing useful information for SysAdmins and developers alike. Fox Technologies is continuing the conversation with a free webinar September 17 that will address security considerations in moving from VMs to containers. More information about this webinar is below.

OpenSSL Security: A Year in Review

Filed under
OSS
Security

Over the last 10 years, OpenSSL has published advisories on over 100 vulnerabilities. Many more were likely silently fixed in the early days, but in the past year our goal has been to establish a clear public record.


Also: Tuesday's security advisories

Linux Foundation publishes best practices for secure workstations
