Brief items
Security
VPN hijacking on Linux (and beyond) systems
William Tolley has disclosed a severe VPN-related problem in most current systems: "I am reporting a vulnerability that exists on most Linux distros, and other *nix operating systems which allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website. Additionally, we are able to determine the exact seq and ack numbers by counting encrypted packets and/or examining their size. This allows us to inject data into the TCP stream and hijack connections." There are various partial mitigations available, but a full solution to the problem has not yet been worked out. Most VPNs are vulnerable, but Tor evidently is not.
Security quotes of the week
As the new operator of .ORG, Ethos Capital would have the ability to engage in these and other forms of censorship. It could enforce any limitations on nonprofits’ speech, including selective enforcement of particular national laws. For intermediaries with power over speech, such conduct can be lucrative, if it wins the favor of a powerful industry like the U.S. movie studios or of the government of an authoritarian country where the intermediary wishes to do business. Since many NGOs are engaged in speech that seeks to hold governments and industry to account, those powerful interests have every incentive to buy the cooperation of a well-placed intermediary, including an Ethos-owned PIR.
— Mitch Stoltz in the Electronic Frontier Foundation blog
In order to determine if your username and password appears in any breach, we use a technique called private set intersection with blinding [PDF] that involves multiple layers of encryption. This allows us to compare your encrypted username and password with all of the encrypted breached usernames and passwords, without revealing your username and password, or revealing any information about any other users’ usernames and passwords. In order to make this computation more efficient, Chrome sends a 3-byte SHA256 hash prefix of your username to reduce the scale of the data joined from 4 billion records down to 250 records, while still ensuring your username remains anonymous.
— Patrick Nepper, Kiran C. Nair, Vasilii Sukhanov and Varun Khaneja in the Google Security Blog
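The two ideas in that quote, a short hash prefix that narrows the server's search to one bucket and a blinding step that keeps the actual credential hidden from the server, can be modelled in a few dozen lines. The following is an added toy example, not Chrome's code or Google's protocol: it uses a Diffie-Hellman style commutative blinding over the multiplicative group modulo the Mersenne prime 2^521 - 1 (an assumption chosen for readability; a real deployment uses a prime-order elliptic-curve group and a proper hash-to-group map), and the breached credential list is constructed sample data. The client sends only the 3-byte SHA-256 prefix of the username and a blinded group element; the server answers with that element raised to its own secret exponent plus the matching bucket raised to the same exponent, and the client finishes the comparison locally.

```python
"""Toy model of a blinded private set intersection with hash-prefix bucketing.
Added example, not Chrome's implementation; group, hashing and message
formats are simplified for illustration."""
import hashlib
import secrets

# Assumption: Z_p^* with p = 2^521 - 1 is used only so the exponentiations
# commute and stay cheap in pure Python. Not a recommended group in practice.
P = (1 << 521) - 1
PREFIX_BYTES = 3  # the quote: a 3-byte SHA256 prefix of the username


def to_group(username: str, password: str) -> int:
    """Map a (username, password) pair to a group element (toy hash-to-group)."""
    digest = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return int.from_bytes(digest, "big") % P


def username_prefix(username: str) -> bytes:
    """Bucket key: first 3 bytes of SHA-256(username), the only cleartext sent."""
    return hashlib.sha256(username.encode()).digest()[:PREFIX_BYTES]


class BreachServer:
    """Holds breached pairs grouped by username prefix, keyed by a secret exponent b."""

    def __init__(self, breached_pairs):
        self.key = secrets.randbelow(P - 2) + 2  # secret exponent b in [2, P-1]
        self.buckets = {}
        for user, pw in breached_pairs:
            self.buckets.setdefault(username_prefix(user), []).append(to_group(user, pw))

    def query(self, prefix: bytes, blinded: int):
        """Return (h^a)^b for the client's blinded element and h_i^b for the bucket."""
        bucket = self.buckets.get(prefix, [])
        return pow(blinded, self.key, P), [pow(h, self.key, P) for h in bucket]


class BreachClient:
    """Checks one credential pair without revealing it to the server."""

    def check(self, server: BreachServer, username: str, password: str) -> bool:
        a = secrets.randbelow(P - 2) + 2           # fresh one-time blinding exponent
        blinded = pow(to_group(username, password), a, P)  # h^a hides h from the server
        doubly, bucket_b = server.query(username_prefix(username), blinded)
        # (h^a)^b == (h_i^b)^a exactly when h == h_i; the server never sees h,
        # and the client never sees the bucket's raw elements, only h_i^b.
        return any(pow(x, a, P) == doubly for x in bucket_b)


# Constructed sample data for the demonstration (not real breach records).
BREACHED = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "password1"),
    ("dave@example.com", "letmein"),
]


def demo():
    """Run three checks: a breached pair, same user with a different password, unknown user."""
    server = BreachServer(BREACHED)
    client = BreachClient()
    return {
        "alice_hunter2": client.check(server, "alice@example.com", "hunter2"),
        "alice_other": client.check(server, "alice@example.com", "correct horse battery"),
        "carol_hunter2": client.check(server, "carol@example.com", "hunter2"),
    }


if __name__ == "__main__":
    print(demo())
```

The prefix does the efficiency work (the server only exponentiates one small bucket rather than its whole list), while the blinding does the privacy work: a bucket of a few hundred usernames sharing a 3-byte prefix is what keeps the cleartext username ambiguous, and the exponent a chosen per query keeps the password out of the server's reach entirely.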
Kernel development
Kernel release status
The current development kernel is 5.5-rc1, released on December 8. Linus said: "Everything looks fairly regular - it's a tiny bit larger (in commit counts) than the few last merge windows have been, but not bigger enough to really raise any eyebrows. And there's nothing particularly odd in there either that I can think of: just a bit over half of the patch is drivers, with the next big area being arch updates. Which is pretty much the rule for how things have been forever by now. Outside of that, the documentation and tooling (perf and selftests) updates stand out, but that's actually been a common pattern for a while now too, so it's not really surprising either."
Stable updates: 5.4.2, 5.3.15, 4.19.88, 4.14.158, 4.9.206, and 4.4.206 were all released on December 5.
The 5.4.3, 5.3.16, and 4.19.89 updates are in the review process; they are due on December 13.
Vetter: Upstream Graphics: Too Little, Too Late
Daniel Vetter has posted a summary of his LPC talk on kernel graphics drivers. "Unfortunately the business case for 'upstream first' on the kernel side is completely broken. Not for open source, and not for any fundamental reasons, but simply because the kernel moves too slowly, is too big, drivers aren’t well contained enough and therefore customer will not or even can not upgrade. For some hardware upstreaming early enough is possible, but graphics simply moves too fast: By the time the upstreamed driver is actually in shipping distros, it’s already one hardware generation behind. And missing almost a year of tuning and performance improvements. Worse it’s not just new hardware, but also GL and Vulkan versions that won’t work on older kernels due to missing features, fragmenting the ecosystem further."
Distributions
Distribution quote of the week
The difference in trust between managed software repositories like Debian, Alpine Linux, Fedora, and so on; and unmanaged software repositories like PyPI, npm, Chrome extensions, the Google Play store, Flatpak, etc — is starkly obvious. Debian and its peers are full of quality software which integrates well into the host system and is free of malware. Unmanaged repositories, however, are constant sources for crapware and malware. I don’t trust developers to publish software with my best interests in mind, and developers shouldn’t ask for that level of trust. It’s only through a partnership with distributions that we can build a mutually trustworthy system for software distribution.
— Drew DeVault
Development
Git v2.24.1 and others
The Git project has released Git v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. "These releases fix various security flaws, which allowed an attacker to overwrite arbitrary paths, remotely execute code, and/or overwrite files in the .git/ directory etc." The release notes contained in this announcement have the details.
Google Summer of Code 2020
Google Open Source has announced Google Summer of Code (GSoC) 2020, a program that introduces university students to open-source development. "And the 'special sauce' that has kept this program thriving for 16 years: the mentorship aspect of the program. Participants gain invaluable experience working directly with mentors who are dedicated members of these open source communities; mentors help bring students into their communities while teaching them, guiding them and helping them find their place in the world of open source." Applications for interested organizations open on January 14.
Development quote of the week
The obscureorganization/obscure-scripts repo contains one of the only examples of Harry Potter parody fan fiction written in bash: patronus.sh (Used to banish all interactive user sessions for a user except the one you are currently running) [patronus.sh]
— obscurerichard
Miscellaneous
Behind the One-Way Mirror (EFF)
The Electronic Frontier Foundation has posted a detailed study on third-party corporate surveillance on the Internet (and beyond). "Both Google and Apple encourage developers to use ad IDs for behavioral profiling in lieu of other identifiers like IMEI or phone number. Ostensibly, this gives users more control over how they are tracked, since users can reset their identifiers by hand if they choose. However, in practice, even if a user goes to the trouble to reset their ad ID, it’s very easy for trackers to identify them across resets by using other identifiers, like IP address or in-app storage. Android’s developer policy instructs trackers not to engage in such behavior, but the platform has no technical safeguards to stop it. In February 2019, a study found that over 18,000 apps on the Play store were violating Google’s policy."
Page editor: Jake Edge