Security Leftovers

Filed under
Security
  • Security will fix itself, eventually

    Here's my prediction though. In the future, good security will be cheaper to build, deploy, and run than bad security. This sounds completely insane with today's technology. A statement like that is some kook ten years ago telling everyone solar power is our future. Ten years ago solar wasn't a serious thing, today it is. Our challenge is figuring out what the new security future will look like. We don't really know yet. We know we can't train our way out of this, most existing technology is a band-aid at best. If I had to guess I'll use the worn out "Artificial Intelligence will save us all", but who knows what the future will bring. Thanks to Al Gore, I'm now more optimistic things will get better. I'm impatient though, I don't want to wait for the future, I want it now! So all you smart folks do me a favor and start inventing the future.

  • Does Microsoft care about security? [Ed: no, because leaks show it gives back doors to governments]

    On Wednesday, I also booted my laptop to Windows. I had not used the laptop for several days, so the AV definitions were three days old. It updated after around 3 hours. But the Vista system still has not updated.

    This is the third consecutive month when I have had problems with updating MSE, at around the time of patch Tuesday. The previous two months, I attempted to manually update. On the manual update, it did a search for virus updates, then seemed to hang there forever not actually downloading. It did eventually update, after repeating this for two days. This month, I decided to allow it to update without manual intervention, with the results described above.

    It seems pretty obvious that, recently, Microsoft has worsened the priority for updates to Windows 7 and to Vista. The priority worsening is greater for Vista than for Windows 7. It affects monthly patches as well as MSE virus table updates.

    The message to malware producers is loud and clear. Malware producers should distribute their malware on patch Tuesday, and Microsoft will give them a free run for several days.

How Fuzzing Can Make A Large Open Source Project More Secure

Filed under
OSS
Security

Emily Ratliff of the Linux Foundation explains the considerations to take when planning to fuzz your open source project

One of the best practices for secure development is dynamic analysis. Among such techniques, fuzzing has been highly popular since its invention and a multitude of fuzzing tools of varying sophistication have been developed.

Also: Despite New FCC Rules, Linksys, Asus Say They'll Still Support Third Party Router Firmware

Ubuntu 16.04 LTS Receives Minor Kernel Update That Patches Two Vulnerabilities

Filed under
Security
Ubuntu

Today, May 16, 2016, Canonical published multiple security notices to inform the Ubuntu community about the availability of a new kernel update for their operating systems.

Security Leftovers

Filed under
Security
  • Replacing /dev/urandom

    The kernel's random-number generator (RNG) has seen a great deal of attention over the years; that is appropriate, given that its proper functioning is vital to the security of the system as a whole. During that time, it has acquitted itself well. That said, there are some concerns about the RNG going forward that have led to various patches aimed at improving both randomness and performance. Now there are two patch sets that significantly change the RNG's operation to consider.

  • Mozilla asks the FBI for details of Tor vulnerability that could also affect Firefox

    Mozilla is fighting to force the FBI to disclose details of a vulnerability in the Tor web browser. The company fears that the same vulnerability could affect Firefox, and wants to have a chance to patch it before details are made public.

    The vulnerability was exploited by FBI agents to home in on a teacher who was accessing child pornography. Using a "network investigative technique", the FBI was able to identify the man from Vancouver, but Mozilla is concerned that it could also be used by bad actors.

    Perhaps unsurprisingly, the government says that it should be under no obligation to disclose details of the vulnerability to Mozilla ahead of anyone else. But the company has filed a brief with a view to forcing the FBI's hand. The argument is that users should be kept protected from known flaws by allowing software companies to patch them.

Security Leftovers

Filed under
Security
  • Thursday's security advisories
  • Friday's security updates
  • I never imagined a nuclear plant’s control system being online

    Many people think that the web is the internet. They see the Googles, the Facebooks, the Reddits… but the web is something built on top of the internet and so only the tip of the iceberg. The iceberg is composed of webcams, power plants, printers… billions of devices.

  • Heart Surgery Stalled For Five Minutes Thanks To Errant Anti-Virus Scan [Ed: Microsoft Windows]

    If you've ever had the pleasure of simply asking one medical outfit to transfer your records to another company or organization, you've probably become aware of the sorry state of medical IT. Billions are spent on medical hardware and software, yet this is a sector for which the fax machine remains the pinnacle of innovation and a cornerstone of daily business life. Meanwhile, getting systems to actually communicate with each other appears to be a bridge too far. And this hodge podge of discordant and often incompatible systems can very often have very real and troubling implications for patients.

  • How to make containers more secure

    CoreOS's Matthew Garrett talks about the security risks in containers and how he and others are working to mitigate such risks.

  • Docker Ramps Up Container Security

    Docker this week announced the rollout of security scanning technology to safeguard container content across the entire software supply chain.

  • Jenkins security patches could break plug-ins

    Popular open source automation server Jenkins has fixed multiple security vulnerabilities. The latest version changes how plug-ins use build parameters, though, so developers will need to adapt to the new process.

  • Security From Whom?

    To take advantage of the X11 protocol issues, you need to be able to speak X11 to the server. Assuming you haven’t misconfigured something (ssh or your file permissions) so other users’ software can talk to your server, that means causing you to run evil X11 protocol code like XEvilTeddy.

  • Convenience, security and freedom - can we pick all three?

    Moxie, the lead developer of the Signal secure communication application, recently blogged on the tradeoffs between providing a supportable federated service and providing a compelling application that gains significant adoption. There's a set of perfectly reasonable arguments around that that I don't want to rehash - regardless of feelings on the benefits of federation in general, there's certainly an increase in engineering cost in providing a stable intra-server protocol that still allows for addition of new features, and the person leading a project gets to make the decision about whether that's a valid tradeoff.

  • Announcing Certbot: EFF's Client for Let's Encrypt
  • Signal Return Orientated Programming attacks

    When a process is interrupted, the kernel suspends it and stores its state in a sigframe which is placed on the stack. The kernel then calls the appropriate signal handler code and after a sigreturn system call, reads the sigframe off the stack, restores state and resumes the process. However, by crafting a fake sigframe, we can trick the kernel into executing something else.

Linux can't keep you safe if you don't update it

Filed under
Linux
Security

At CoreOS Fest in Berlin, Greg Kroah-Hartman, Linux kernel developer and maintainer of the stable branch, talked about an inconvenient truth about Linux and security: vendors are notoriously bad about implementing patches.

For the last 15 years the kernel community has been following a rule to fix things as soon as possible. The Linux community fixes the bugs and pushes them so that vendors can push them to their users.

Security Leftovers

Filed under
Security

Mozilla and Tor

Filed under
Moz/FF
Security
  • Mozilla Wants Heads-Up From FBI on Tor Browser Hack

    The maker of the Firefox browser is wading into an increasingly contentious court battle over an undisclosed security vulnerability the FBI used to track down anonymous users of a child-porn site.

  • Mozilla To FBI: “Tell Us About The TOR Bug Used To Hack 1000+ Pedophiles”

    Recently, Mozilla filed a brief with the court, urging the FBI to reveal the technique used to hack 1000+ computers of pedophile TOR users. The open source supporter said that the TOR software suite is based on Firefox and any known flaw can compromise the security of the end users.

  • Mozilla Asks U.S. Court to Disclose to it First Any Vulnerabilities in Tor

    There continue to be many people around the globe who want to be able to use the web and messaging systems anonymously, despite the fact that some people want to end Internet anonymity altogether. Typically, the anonymous crowd turns to common tools that can keep their tracks private, and one of the most common tools of all is Tor, an open source tool used all around the world.

    Project leaders behind Tor have continuously improved its security features, but now Mozilla is asking the U.S. District Court for the Western District of Washington, in the interest of Firefox users, to disclose any findings of vulnerability in Tor to it first, before any other party learns of the vulnerability. Here is the thought behind this.

  • Mozilla Asks Court To Force FBI To Turn Over Information On Hacking Tool It Used In Child Porn Case

    With the Tor browser being built on the Firefox framework, any exploit of Tor could affect vanilla Firefox users. Not only that, but the FBI is apparently sitting on another Firefox vulnerability it used in a previous investigation to unmask Tor users. (This refers to the FBI's 2012 child porn sting, which also used a NIT to obtain information about visitors to a seized website.) The filing notes the FBI has been less than helpful when approached for info about this Firefox/Tor-exploiting NIT.

Android Security Update May 2016: What you need to know

Filed under
Android
Security

And we're back! Google has released the latest Android security update and, as you might expect, there's plenty to be had. This time around, Google patched 40 vulnerabilities. Twelve of these 40 issues were marked as critical, with two of those identified as remote code execution vulnerabilities (aka, the worst kind). Unfortunately, the two remote code execution (RCE) issues are found in Android's mediaserver. This is the same subsystem that has been plagued with issues in the past few months. Those two RCE issues aren't the only ones to haunt the mediaserver.

Security Leftovers

Filed under
Security

More in Tux Machines

today's howtos

Leftovers: OSS

  • GitHub Visualizes the Impact of Open Source
    Code repository GitHub published data visualizations that show the impact of open source development on hosted projects, along with the "shape" of project activity. The visualizations emphasize the effect of teamwork, collaboration and communication that reinforce coding efforts.
  • Meet Codemoji: Mozilla’s New Game for Teaching Encryption Basics with Emoji
    The above message may seem like a random string of emoji. But not so: When decoded, it reads: “Encryption Matters.” Today, Mozilla is launching Codemoji, a fun, educational tool that introduces everyday Internet users to ciphers — the basic building blocks of encryption — using emoji.
  • DSS, Inc. Releases New Version of Open Source EHR, vxVistA, to Healthcare IT Community
  • GuixSD system tests
  • Self-driving cars and open source - what about GPLv3 and anti-tivoization?
    Primarily, the car manufacturers say that their dislike of the GPLv3 software is due to security issues. According to them, it should not be possible for the car owners to modify the software of the car because this could lead to exposing the users themselves and other road users to danger. In the light of the above, it seems reasonable to question whether security considerations are actually the true reason for the car manufacturers not wanting the users to run their own software on the cars’ hardware. For many years, car owners have replaced parts of their cars, e.g. tires, brakes and even software – which is supported by the car industry. To give an example, there is a large market for the replacement or modification (“remapping”) of the Engine Control Unit (“ECU”) software of cars. The ECUs are computers that control the car’s engine, including fuel mix, fuel supply and gearing. The car industry takes advice and uses data from companies which offer ECU remapping and thereby indirectly supports the companies, although – according to the car industry – changes to the engine allegedly can pose a security risk. Another aspect of the matter is that stating that the clause in GPLv3 absolutely prohibits the car fabricants from forbidding the users running their own software on the hardware of the cars is not completely true. Section 7 of GPLv3 makes it possible for the creators of GPL programs to give the car factories an extra license under which it is possible to use the GPLv3 software in their cars without having to comply with the aforementioned obligation to provide the installation information to the users of the cars. The way the system works now, the car industry allows modifications of cars which may cause a loss of security. It is possible to develop GPLv3 software that the car fabricants can use without having to allow the car owners modifications. Furthermore, it is only GPLv3 – and therefore not other FOSS licenses – which on a general level forces the car manufacturers to allow modifications of their software. The question of the security level of the cars should hardly be a hindrance to the use of FOSS in self-propelled cars. If the car fabricants could realize this, the many advantages of the freely-available source code could clear the way for the technology generally being adopted faster.
  • Open Source: It’s Not Just About Software Anymore
    Open source is no longer just about the software that sits on your computer. Open methods are being used to develop everything from better automobiles to life altering medical devices.
  • Kickstarting open source steampunk clocks that use meters to tell the time
    Kyle writes, "The Volt is a fully open source, arduino-based, handmade analog clock that tells time with meters. Available in a DIY install kit, 2 pre-made models, and a mix & match hardware option. The clocks are built with solid black walnut and maple, with faceplates produced in brass, copper, and steel. Only on Kickstarter!"
  • Libarchive Security Flaw Discovered
    When it comes to security, everyone knows you shouldn't run executable files from an untrustworthy source. Back in the late 1990s, when web users were a little more naive, it was quite common to receive infected email messages with fake attachments.

More From Red Hat Summit

Android Leftovers