
Security

Security: Smears Against FOSS From Microsoft-Connected Black Duck, EFAIL/EFF, and Ubuntu's Blob 'Store'

Filed under
Security

Security: EFF Repeated and Refuted, Canonical Removes More Blobs, More Updates

Filed under
Security

Security: Ubuntu Snap Store, More EFF Scaremongering

Filed under
Security

Security: EFAIL Hype, Kubernetes, 'Smart' Things and More

Filed under
Security
  • Serious vulnerabilities with OpenPGP and S/MIME

    The efail.de site describes a set of vulnerabilities in the implementation of PGP and MIME that can cause the disclosure of encrypted communications, including old messages. "In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs."

  • How the Kubernetes Security Response Team Works

    The open-source Kubernetes container orchestration is an increasingly deployed platform that is now supported across all three major public cloud providers (Google, AWS and Azure) as well as enterprise private clouds.

    Container security is a big issue these days, and keeping Kubernetes secure involves multiple aspects. One of those aspects is the security of the Kubernetes code itself, which has had its share of vulnerabilities that have been reported in the past year. Among those vulnerabilities is CVE-2017-1002101, which was patched in the Kubernetes 1.10 release that became generally available on March 26.

  • Ring doorbell flaw lets others watch after password changes (updated)

    The issue, as you might guess, is that the window exists in the first place. Someone with a still-valid login could not only spy on whatever's happening, but download videos. The same incident that prompted the change also included phantom rings in the middle of the night.

  • Security Innovation Supports Open Source Community with Free Security Tools to Identify and Mitigate Software Vulnerabilities

Critical PGP Security Issue

Filed under
Security
  • Attention PGP Users: New Vulnerabilities Require You To Take Action Now

    A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

    The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.

    Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email. Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.

  • Disabling PGP in Thunderbird with Enigmail

Security: Malware Found In The Ubuntu Snap Store, Google/Android Patches, ATMs with Windows, Oracle WebLogic Holes, USBGuard, Valve

Filed under
Security

Security: Malicious JS, Microsoft/NSA Back Doors, and Malicious Software in Ubuntu Snap Store

Filed under
Security
  • Google YOLO [iophk: "javascript"]

    Actually don't even click anything. Malicious websites can simply track your cursor's position and change the invisible button/iframe's position accordingly. So even if you make a click by mistake you will be forced to click on something else.

  • One year on from the WannaCry attack, are we more vulnerable than ever? [Ed: The ToryGraph repeats Microsoft's lies about Windows XP; all versions of Windows have NSA back doors and XP was hardly the problem in this case. The problem is Microsoft collusion with NSA.]

    The hackers, reportedly from North Korea, didn’t intentionally target the UK’s health service: it was collateral damage. WannaCry entered computers through a glitch, discovered by the US National Security Agency, in early Windows operating systems. The 33 affected NHS practices were hit because they hadn’t updated their Windows XP software for many years.

    [...]

    One of the biggest problems facing the UK, as WannaCry showed, is a lack of technical proficiency. There just aren’t enough defenders in the face of highly trained foreign criminals and state-sponsored hackers, Hannigan explains.

    [...]

    The fight doesn’t end with education. Hannigan’s other suggestions have included the creation of an international cyber war treaty. In the meantime, he welcomes the news that all NHS computers will be upgraded to Windows 10 and that the Government will spend £150 million in the next three years to improve the service’s security.

  • Malicious Package Found on the Ubuntu Snap Store

    An attentive Ubuntu user has spotted today a cryptocurrency miner hidden in the source code of an Ubuntu snap package hosted on the official Ubuntu Snap Store.

    The app's name is 2048buntu, a clone of the popular 2048 game, packaged as an Ubuntu snap, a relatively new app format for Ubuntu OS.

    According to a GitHub user named Tarwirdur, the app contained a cryptocurrency mining application disguised as the "systemd" daemon, along with an init script that provided boot persistence.

Get Privacy Tools on Ubuntu 18.04

Filed under
GNU
Linux
Security

If you are already aware of the 2013 global privacy case, I believe you care about your internet privacy by now. If you have just switched to Ubuntu, here is a list of user-friendly programs (free software only) and a search engine to protect your privacy. You will find my recommendations for a web search engine, a specific web browser, add-ons, email client enhancements, and password storage. This list accompanies the previous list of 20 useful programs for 18.04.

[...]

Free software is not gratis software but software with which the user is free. Free software is about the user's right, either individually or collectively, to control the software. If you run your activities with nonfree software (also called proprietary), you don't control everything the software does within your computer, which only means there is somebody else controlling you and the computers. To protect your privacy, you should make sure you run only free software and rely only on privacy-respecting internet services.

Security: Google, Blockchains and More

Filed under
Security
  • Google will soon require OEMs to roll out ‘regular’ Android security patches
  • Google Updates Chrome for Desktop to Fix Privilege Escalation Bug in Extensions

    Google released on Thursday a new stable version of its Chrome 66 web browser, version 66.0.3359.170, which is currently rolling out to Linux, Mac, and Windows users, to fix a few important security issues.

  • Will Blockchains Include Insecurity by Design?

    Ask any journalist to pick an adjective to use in connection with standards development and the answer will invariably be "boring." But according to a recent New York Times article (yes, it also used that word - as well as "wonky"), the process of creating standards just became a whole lot more interesting - at least when it comes to the blockchain. The reason? A standards working group may have been infiltrated by state actors bent on embedding security flaws into the very standards being created for the purpose of preventing attacks.

    And why not? The power of a successful standard comes from the fact that vendors have to adopt it in order to sell a given product or service, such as a WiFi router or a USB device. Indeed, laptops and smart phones include hundreds of standards, each of which is essential to a given function or service. As I noted last week, the blockchain will need standards, too, in order for it to take hold in multiple areas. Some of those standards will be intended to make the blockchain more secure.

  • 6 Things You Should Do to Secure Your NAS
  • Packets over a LAN are all it takes to trigger serious Rowhammer bit flips

    For the first time, researchers have exploited the Rowhammer memory-chip weakness using nothing more than network packets sent over a local area network. The advance is likely to further lower the bar for triggering bit flips that change critical pieces of data stored on vulnerable computers and servers.

Security: Updates, NSA Back Doors in Windows/Microsoft, Vista 10 Bricking and Intel Back Doors

Filed under
Security
  • Security updates for Friday
  • Windows Under Attack as NSA Exploit Usage Skyrockets

    EternalBlue, the stolen NSA exploit that was used to create the infamous WannaCry ransomware, is back in business, only that this time usage appears to skyrocket, according to security vendor ESET.

    Researcher Ondrej Kubovič notes that while WannaCry attacks have dropped, EternalBlue is still around, and the first months of 2018 brought a worrying increase in the number of attacks based on this exploit.

    EternalBlue is an exploit stolen from the NSA by hacking group Shadow Brokers in April 2016. It takes advantage of a vulnerability in the Windows Server Message Block (SMB) protocol, and Microsoft shipped patches even before the flaw went public.

    But this doesn’t mean that attackers have stopped searching for targets. The researcher says cybercriminals are scanning the Internet for exposed SMB ports and are trying to compromise the host with an exploit that eventually allows for payloads deployed on the target machine and leading to different outcomes.

    “Interestingly, according to ESET’s telemetry, EternalBlue had a calmer period immediately after the 2017 WannaCryptor campaign: over the following months, attempts to use the EternalBlue exploit dropped to “only” hundreds of detections daily,” the researcher notes.

    “Since September last year, however, the use of the exploit has slowly started to gain pace again, continually growing and reaching new heights in mid-April 2018.”

  • Microsoft Says It Won’t Fix a Bug Causing BSODs on Windows 10

    A bug causing Windows machines to crash when a USB drive is inserted won't get a patch from Microsoft, despite the issue reportedly affecting all versions of the operating system, including the newly-launched April 2018 Update.

    Security researcher Marius Tivadar says in a post on GitHub that he first reported the problem to Microsoft in July 2017 after discovering that a USB drive running a handcrafted NTFS image can cause any system to crash even if locked.

    “Microsoft was very responsive regarding my disclosure 1 year ago, but they didn’t issue a security patch,” Tivadar explains.

  • Purism's FSP Reverse Engineering Effort Might Be Stalled

    Purism has been working on reverse-engineering the Intel Firmware Support Package (FSP) module but it looks like that work may have taken a turn.

    A Phoronix reader tipped us off this morning that the Intel FSP reverse-engineering information made public by Purism has now been retracted. For the past several months Purism has been working on reverse-engineering the Intel FSP to free the system further, so that it runs only open-source code rather than still pairing the Intel binary-only module with Coreboot. Their big focus this year has been on figuring out the actual silicon initialization code inside the FSP. Purism's Youness Alaoui was very close to finding out this information at the start of April, and he wrote a lengthy blog post outlining his reverse-engineering work.


Graphics: Wayland, RadeonSI, NVIDIA and More

  • Session suspension and restoration protocol
  • A Session Suspension & Restoration Protocol Proposed For Wayland
    KDE Wayland developer Roman Gilg, who started contributing to Wayland via last year's Google Summer of Code, is proposing a new Wayland protocol for dealing with desktop session suspension and restoration. This protocol extension would allow more efficient support for client session suspension and restoration, such as when you log out of your desktop session and want the windows restored at the next log-in, or when you suspend your system. While Roman Gilg is working on this protocol with his KDE hat on, he has been talking with Sway and GNOME developers too, to ensure this protocol could work for their needs.
  • RadeonSI Lands OpenGL 3.3 Compatibility Profile Support
    Thanks to work done over the past few months by AMD's Marek Olšák on improving Mesa's OpenGL compatibility profile support and then today carried over the final mile by Valve's Timothy Arceri, Mesa 18.2 now exposes OpenGL 3.3 under the compatibility context. Hitting Git tonight is the enabling of the OpenGL 3.3 compatibility profile for RadeonSI.
  • NVIDIA Releases DALI Library & nvJPEG GPU-Accelerated Library For JPEG Decode
    Coinciding with the start of the Computer Vision and Pattern Recognition conference this week in Utah, NVIDIA has a slew of new software announcements. First up, NVIDIA has announced the open-source DALI library for GPU-accelerated data augmentation and image loading that is optimized for the data pipelines of deep learning frameworks like ResNET-50, TensorFlow, and PyTorch.
  • NVIDIA & Valve Line Up Among The Sponsors For X.Org's XDC 2018
    The initial list of sponsors has been announced for the annual X.Org Developers' Conference (XDC2018), where Wayland, Mesa, and the X.Org Server tend to dominate the discussions on improving the open-source/Linux desktop. This year's XDC conference is being hosted in A Coruña, Spain and takes place in September. The call for presentations is currently open for X.Org/Mesa developers wishing to participate.
  • Intel Broxton To Support GVT-g With Linux 4.19
    Intel developers working on the GVT-g graphics virtualization technology have published their latest batch of Linux kernel driver changes.

Fedora and Red Hat: Fedora Atomic, Fedora 29, *GPL and Openwashing ('Open Organization')

  • Fedora Atomic Workstation To Be Renamed Fedora Silverblue
    Back in early May came the announcement of the Silverblue project as an evolution of Fedora Atomic Workstation, with the aim of getting this atomic OS into shape by Fedora 30. Beginning with Fedora 29, the plan is to officially rename Fedora Atomic Workstation to Fedora Silverblue. Silverblue isn't just a placeholder name; they are moving ahead with the re-branding initiative around it. The latest Fedora 29 change proposal is to officially change the name of "Fedora Atomic Workstation" to "Fedora Silverblue".
  • Fedora 29 Will Cater i686 Package Builds For x86_64, Hide GRUB On Boot
    The Fedora Engineering and Steering Committee (FESCo) approved on Friday more of the proposed features for this fall's release of Fedora 29, including two of the more controversial proposals.
  • Total War: WARHAMMER II Coming to Linux, Red Hat Announces GPL Cooperation Commitment, Linspire 8.0 Alpha 1 Released and More
    Starting today, Red Hat announced that "all new Red Hat-initiated open source projects that opt to use GPLv2 or LGPLv2.1 will be expected to supplement the license with the cure commitment language of GPLv3". The announcement notes that this development is the latest in "an ongoing initiative within the open source community to promote predictability and stability in enforcement of GPL-family licenses".
  • Red Hat Launches Process Automation Manager 7, Brackets Editor Releases Version 1.13, Qt Announces New Patch Release and More
    Red Hat today launched Red Hat Process Automation Manager 7, which is "a comprehensive, cloud-native platform for developing business automation services and process-centric applications across hybrid cloud environments". This new release expands some key capabilities including cloud native application development, dynamic case management and low-code user experience. You can learn more and get started here.
  • A summer reading list for open organization enthusiasts
    The books on this year's open organization reading list crystallize so much of what makes "open" work: Honesty, authenticity, trust, and the courage to question those status quo arrangements that prevent us from achieving our potential by working powerfully together.

Server Domination by GNU/Linux

  • Security and Performance Help Mainframes Stand the Test of Time
    As of last year, the Linux operating system was running 90 percent of public cloud workloads, had 62 percent of the embedded market share and ran all of the supercomputers in the TOP500 list, according to The Linux Foundation Open Mainframe Project's 2018 State of the Open Mainframe Survey report. Despite a perceived bias that mainframes are behemoths that are costly to run and unreliable, the findings also revealed that more than nine in 10 respondents have an overall positive attitude about mainframe computing. The project conducted the survey to better understand the use of mainframes in general. "If you have this amazing technology, with literally the fastest commercial CPUs on the planet, what are some of the barriers?" said John Mertic, director of program management for the foundation and Open Mainframe Project. "The driver was, there wasn't any hard data around trends on the mainframe."
  • HPE announces world's largest ARM-based supercomputer
    The race to exascale speed is getting a little more interesting with the introduction of HPE's Astra -- what will be the world's largest ARM-based supercomputer. HPE is building Astra for Sandia National Laboratories and the US Department of Energy's National Nuclear Security Administration (NNSA). The NNSA will use the supercomputer to run advanced modeling and simulation workloads for things like national security, energy, science and health care.

HHVM 3.27 Released