
Brief items

Security

NXNSAttack: upgrade resolvers to stop new kind of random subdomain attack

CZ.NIC staff member Petr Špaček has a blog post describing a newly disclosed DNS resolver vulnerability called NXNSAttack. It allows attackers to abuse the delegation mechanism to create a denial-of-service condition via packet amplification. "This is so-called glueless delegation, i.e. a delegation which contains only the names of authoritative DNS servers (a.iana-servers.net. and b.iana-servers.net.), but does not contain their IP addresses. Obviously a DNS resolver cannot send a query to a “name”, so the resolver first needs to obtain the IPv4 or IPv6 address of the authoritative server 'a.iana-servers.net.' or 'b.iana-servers.net.' and only then can it continue resolving the original query 'example.com. A'. This glueless delegation is the basic principle of the NXNSAttack: the attacker simply sends back a delegation with fake (random) server names pointing to the victim's DNS domain, thus forcing the resolver to generate queries towards the victim's DNS servers (in a futile attempt to resolve fake authoritative server names)." At this time, Ubuntu has updated its BIND package to mitigate the problem; other distributions will no doubt follow soon. More details can also be found in the paper [PDF].
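As an added illustration (not code from the blog post, the paper, or any resolver), the following Python models what a resolver must do with a glueless delegation and shows why a per-delegation cap on NS-name fetches bounds the amplification. The Referral class, the max_fetches cap and the sample NS names are constructed for this example and do not correspond to any real resolver option.

```python
from dataclasses import dataclass, field


@dataclass
class Referral:
    """One delegation response: NS names plus any glue addresses it carried."""
    zone: str
    ns_names: list
    glue: dict = field(default_factory=dict)   # NS name -> list of IP strings


def glueless_names(ref):
    """NS names the resolver cannot contact until it resolves them itself."""
    return [n for n in ref.ns_names if not ref.glue.get(n)]


def parent_of(name):
    """'ns1.victim.example.' -> 'victim.example.' (the zone that receives the lookups)."""
    return name.split(".", 1)[1]


def queries_per_delegation(ref, max_fetches=None):
    """Extra queries a resolver emits to resolve the glueless NS names.
    Each glueless name costs one A and one AAAA lookup.  max_fetches is an
    assumed per-delegation cap standing in for the mitigation; it is not a
    real BIND or Knot Resolver setting."""
    names = glueless_names(ref)
    if max_fetches is not None:
        names = names[:max_fetches]
    return 2 * len(names)


def fetch_targets(ref):
    """Zones the out-of-band NS lookups land on.  Many glueless names that all
    sit under one unrelated zone is the pattern the post describes."""
    return {parent_of(n) for n in glueless_names(ref)}


# Constructed sample data, not captured traffic.
LEGIT = Referral("example.com.", ["a.iana-servers.net.", "b.iana-servers.net."])
HOSTILE = Referral("hostile.example.",
                   [f"ns{i}.victim.example." for i in range(20)])  # fake NS names

if __name__ == "__main__":
    for r in (LEGIT, HOSTILE):
        print(r.zone, "uncapped:", queries_per_delegation(r),
              "capped at 4:", queries_per_delegation(r, 4), fetch_targets(r))
```

The legitimate two-name referral costs four lookups either way, while the twenty-name hostile referral drops from forty queries against the victim zone to eight once the cap applies.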

Comments (6 posted)

A remote code execution vulnerability in qmail

Just in case anybody out there is still using qmail: a remote code execution vulnerability has just been disclosed. Its CVE number is CVE-2005-1513 because, as it turns out, the problem was reported 15 years ago but the fix was refused by the maintainer. "As a proof of concept, we developed a reliable, local and remote exploit against Debian's qmail package in its default configuration. This proof of concept requires 4GB of disk space and 8GB of memory, and allows an attacker to execute arbitrary shell commands as any user, except root (and a few system users who do not own their home directory)."

Full Story (comments: 32)

Security quotes of the week

Just two weeks ago, Belkin announced [plans] to shut down one of its cloud services, effectively transforming its several product lines of web cameras into useless bricks. Unlike other end-of-support announcements for IoT devices that (only) mean devices will never see an update again, many Belkin cameras simply refuse to work without the “cloud”. This is particularly disconcerting as many see cloud-based IoT as one possible solution to improve device security by easing the user maintenance effort through remote update capabilities.
Alexander Vetterl introduces a Light Blue Touchpaper "Three Paper Thursday" on IoT security

As soon as I saw their house I realized exactly what [the NSA's Richard] Ledgett said. I remember standing outside the house, looking into the dense forest for TEMPEST receivers. I didn't see any, which only told me they were well hidden. I assumed black-bag teams from various countries had been all over the house when they were out for dinner, and wondered what would have happened if teams from different countries bumped into each other. I assumed that all the countries Ledgett listed above -- plus the US and a few more -- had a full take of what Snowden gave the journalists. These journalists against those governments just wasn't a fair fight.
Bruce Schneier remembers visiting the house of Glenn Greenwald

As a refresher: the way targeted advertising works is that an advertiser agrees to place an ad and uses whatever system to target those ads to particular groupings of people, as set up by the ad platform. So, if you want to advertise to grumpy bloggers in their mid-40s, you can find a way to have those ads show to that demographic. But the advertiser doesn't get any data from the platform about anyone. The companies are selling access to highly targeted demographics, but it's never been selling data.

That doesn't mean there aren't other companies that do sell private data. There are. Lots of them. Data brokers, telcos, some ISPs, and even your local DMV have been caught selling your actual data. But for some reason, everyone wants to keep insisting that Google and Facebook also sell data, when they never have, and have always only sold targeted advertising in which the data only goes in one direction, and not back to the advertiser.

Mike Masnick

Comments (9 posted)

Kernel development

Kernel release status

The current development kernel is 5.7-rc6, released on May 17. "That said, there's nothing particularly scary in here, and it's not like this rc6 is outrageously big or out of control. I was just hoping for less."

Stable updates: 5.6.13, 5.4.41, and 4.19.123 were released on May 14. The 5.6.14, 5.4.42, 4.19.124, 4.14.181, 4.9.224, and 4.4.224 updates followed on May 20.

Comments (none posted)

Distributions

Distribution quote of the week

The hammer is never praised.

That’s a saying I’ve attached to Finnix for many years. A hammer is a tool, and when it does its job, you may consciously or unconsciously appreciate it for doing its job, but there are very few hammer fan clubs.

[...] Finnix was never heavily mentioned by its users in the same way a desktop like, say, Linux Mint was. Why does the tool need to be praised?

Ryan Finnie (Thanks to Paul Wise)

Comments (4 posted)

Development

Going above and beyond with Inkscape 1.0 (Libre Graphics World)

Libre Graphics World is running an extensive interview with several Inkscape developers. "I'd say we're at the point of supporting SVG as much as possible, but we've mostly given up trying to add editing features to the SVG specification, as the W3C is dominated by web browsers who don't need multi-page or connectors. I dare not say much more about W3C-specific things. I know that I'm personally disappointed that Inkscape's considerable importance in the SVG creation space does not lend itself to getting the features we intend to build into Inkscape into the actual SVG specification. This does lead to the problem that going forwards we're likely to have browser incompatibilities."

Comments (1 posted)

Five years of Rust

It seems that the Rust programming language has only been around for five years. "With all that's going on in the world you'd be forgiven for forgetting that as of today, it has been five years since we released 1.0 in 2015! Rust has changed a lot these past five years, so we wanted to reflect back on all of our contributors' work since the stabilization of the language."

Comments (45 posted)

Page editor: Jake Edge


Copyright © 2020, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds