Brief items
Security
Security quotes of the week
Cellebrite makes software to automate physically extracting and indexing data from mobile devices. They exist within the grey – where enterprise branding joins together with the larcenous to be called “digital intelligence.” Their customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those seeking to abuse and oppress in Turkey, UAE, and elsewhere. [...]

Given the number of opportunities present, we found that it’s possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into Cellebrite and scanned. There are virtually no limits on the code that can be executed.

— Signal's Moxie Marlinspike "finds" a Cellebrite toolkit and does what comes naturally
There's a similar issue with advertising and privacy, that we discussed just last month. Google clarified its plans to block 3rd party cookies. In many ways, this is good for privacy. 3rd party cookies are often abused in creepy ways to track people. So it's good that Google won't support them (Firefox and Safari already made this move earlier). But lots of people then vocally complained that this would only give more power to Google, because it can deal with the lack of data, while competitive (smaller) advertising firms cannot.

These issues are often in conflict -- and many of the big tech critics out there don't want to recognize that. In fact, it lets them attack these companies no matter what they do. If they do something that's good for privacy, but bad for competition, focus on how it's bad for competition. If they do something that's good for competition, but bad for privacy, focus on how it's bad for privacy.

— Mike Masnick
Kernel development
Kernel release status
The current development kernel is 5.12-rc8, released on April 18. "Ok, so it's been _fairly_ calm this past week, but it hasn't been the kind of dead calm I would have taken to mean 'no rc8 necessary'. So here we are, with an extra rc to make sure things are all settled down."
Stable updates: 5.11.15, 5.10.31, 5.4.113, 4.19.188, 4.14.231, 4.9.267, and 4.4.267 were released on April 16, followed by 5.11.16, 5.10.32, and 5.4.114 on April 21.
Rust in the Linux kernel (Google security blog)
The Google security blog has a detailed article on what a device driver written in Rust looks like. "That is, we use Rust's ownership discipline when interacting with C code by handing the C portion ownership of a Rust object, allowing it to call functions implemented in Rust, then eventually giving ownership back. So as long as the C code is correct, the lifetime of Rust file objects work seamlessly as well, with the compiler enforcing correct lifetime management on the Rust side, for example: open cannot return stack-allocated pointers or heap-allocated objects containing pointers to the stack, ioctl/read/write cannot free (or modify without synchronization) the contents of the object stored in filp->private_data, etc."
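The ownership hand-off the blog post describes (Rust allocates a file object, C owns it through `filp->private_data` between open and release, then Rust takes it back) as an added userspace illustration; this is not the blog's code or kernel code, and `CFile`, `rust_open`, `rust_read`, `rust_release` and `simulate_c_lifecycle` are names assumed here for the simulation.

```rust
use std::ffi::c_void;
use std::ptr;

/// Rust-side per-open state that the (simulated) C file layer owns between open and release.
struct FileState {
    reads: u32,
    payload: Vec<u8>,
}

/// Stand-in for the C `struct file`; only the `private_data` slot matters here.
#[repr(C)]
pub struct CFile {
    pub private_data: *mut c_void,
}

/// open(): allocate the state on the heap and hand ownership to C as a raw pointer.
/// Returning a pointer to a stack-local FileState would not compile, which is the
/// lifetime guarantee the post describes.
pub extern "C" fn rust_open(filp: &mut CFile) -> i32 {
    let state = Box::new(FileState { reads: 0, payload: b"hello".to_vec() });
    filp.private_data = Box::into_raw(state) as *mut c_void;
    0
}

/// read(): borrow the object C owns for the duration of the call; it is never freed here.
pub extern "C" fn rust_read(filp: &mut CFile, buf: *mut u8, len: usize) -> usize {
    // SAFETY: private_data was set by rust_open and is reclaimed only by rust_release;
    // the simulated driver core serialises calls, standing in for the kernel's locking.
    let state = unsafe { &mut *(filp.private_data as *mut FileState) };
    state.reads += 1;
    let n = len.min(state.payload.len());
    unsafe { ptr::copy_nonoverlapping(state.payload.as_ptr(), buf, n) };
    n
}

/// release(): take ownership back; dropping the Box frees the state exactly once.
pub extern "C" fn rust_release(filp: &mut CFile) -> u32 {
    // SAFETY: pairs with the single Box::into_raw in rust_open.
    let state = unsafe { Box::from_raw(filp.private_data as *mut FileState) };
    filp.private_data = ptr::null_mut();
    state.reads
}

/// Simulated C driver core: open, read twice into a 3-byte buffer, release.
/// Returns (reads recorded by the Rust object, bytes from the first read).
pub fn simulate_c_lifecycle() -> (u32, Vec<u8>) {
    let mut filp = CFile { private_data: ptr::null_mut() };
    assert_eq!(rust_open(&mut filp), 0);
    let mut buf = [0u8; 3];
    let n = rust_read(&mut filp, buf.as_mut_ptr(), buf.len());
    let first = buf[..n].to_vec();
    rust_read(&mut filp, buf.as_mut_ptr(), buf.len());
    (rust_release(&mut filp), first)
}
```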
In the trenches with Thomas Gleixner (Linux.com)
Linux.com has published an interview with Thomas Gleixner with a focus on the realtime preemption work. "The approach to funding these kinds of projects reminds me of the Mikado Game, which is popular in Europe, where the first player who picks up the stick and disturbs the pile often is the one who loses. That’s puzzling to me, especially as many companies build key products depending on these technologies and seem to take the availability and sustainability for granted up to the point where such a project fails, or people stop working on it due to lack of funding. Such companies should seriously consider supporting the funding of the Real-Time project."
Quotes of the week — email workflow edition
If you send around code patches by mail instead of directly working on Git repos plus some UI, that feels to me like serializing a data class instance to JSON, printing the JSON string to paper, taking that sheet of paper to another PC with a scanner, using OCR to scan it into a JSON string, and then deserialize it again to a new data class instance, when you could have just a REST API to push the data from one PC to the other.— Sebastian Schuberth
In its effort to control social dissent, Russian censorship organization RosKomNadzor (RKN) has taken steps to deliberately break internet operation -- in a very ham-fisted way. Just a month ago they tried to "slow down" Twitter by blocking DNS queries for any domains containing the substring "t.co" -- which, hey, broke githubusercontent.com among many other sites. There's every reason to believe that this won't be the only time they do something idiotic like that, so as a result it is increasingly difficult for Russian contributors to justify participating in projects that are hosted on GitHub -- one day they may not be able to reach it reliably (or at all).

(If you think the answer to that would be "just use a VPN", it's one of those recommendations that are easy to make for someone not worried about their ISP reporting "sketchy encrypted traffic" to "the authorities.")

Patches sent via email remain immune to this. Even if vger falls over, it's merely a list service -- there are alternative ways of transmitting RFC2822 messages that don't involve a central host (such as via a NNTP gateway, publishing a public-inbox "feed", etc). Email remains one of the few protocols that are designed ground-up to be decentralized and I'm afraid that we are again finding ourselves in a world where this is increasingly relevant.

— Konstantin Ryabitsev
Distributions
Debian's election results
The Debian project has voted strongly to retain Jonathan Carter as the project leader. On that other little nagging issue, the project has voted not to issue a statement regarding Richard Stallman's return to the Free Software Foundation board of directors. This, too, was a relatively strong result over the other options. Details can be found on the specific pages for the project leader and general resolution ballots.
Distribution quote of the week
I admit to having really mixed feelings about whether Debian should *ever* make broad public statements about anything. So, no problem in my mind with making it harder for the project to do so.

But then, I've also been around a *long* time, and am often wistful about the days when it at least seemed that most of our discussions were about making technical improvements in Debian.

— Bdale Garbee
Development
Firefox 88.0 and 78.10 ESR
Firefox 88 has been released. New features include support for PDF forms with embedded JavaScript and smooth pinch-zooming using a touchpad, and better protection against cross-site privacy leaks. See this article for more information on how Firefox 88 combats window.name privacy abuses.

Firefox 78.10 ESR contains various fixes for stability, functionality, and security.
LLVM 12.0.0 released
Version 12.0.0 of the LLVM compiler suite is out. This appears to be a release with a lot of incremental improvements rather than large headline features; see the various sets of release notes in the announcement for details.
OpenSSH 8.6 released
OpenSSH 8.6 is now available. The "ssh-rsa" signature scheme, which uses the SHA-1 hash algorithm, will be disabled by default in the near future. "Note that the deactivation of "ssh-rsa" signatures does not necessarily require cessation of use for RSA keys. In the SSH protocol, keys may be capable of signing using multiple algorithms. In particular, "ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of these is being turned off by default."
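The distinction above (an RSA host key can still sign with rsa-sha2-256 or rsa-sha2-512 after "ssh-rsa" is disabled) can be checked from the algorithm lists that `ssh -vv` prints. As an added example that is not OpenSSH's code, the following applies the SSH transport rule that the first client algorithm also offered by the server wins, after dropping "ssh-rsa" from the client list; the `debug2:` line shapes are those `ssh -vv` emits, the sample excerpts are constructed, and known_hosts-based reordering of the client list is ignored for simplicity.

```rust
/// Extract the "host key algorithms" name-list from one KEXINIT proposal section
/// ("local client" or "peer server") of `ssh -vv` debug output.
fn host_key_algs<'a>(debug: &'a str, section: &str) -> Vec<&'a str> {
    let header = format!("debug2: {} KEXINIT proposal", section);
    let mut in_section = false;
    for line in debug.lines() {
        if line == header {
            in_section = true;
        } else if in_section && line.contains("KEXINIT proposal") {
            break; // ran into the other side's proposal without finding the list
        } else if in_section {
            if let Some(list) = line.strip_prefix("debug2: host key algorithms: ") {
                return list.split(',').collect();
            }
        }
    }
    Vec::new()
}

/// RFC 4253 section 7.1, simplified: the first algorithm on the client's list that the
/// server also lists is chosen. Client-side reordering from known_hosts is ignored.
pub fn negotiate<'a>(client: &[&'a str], server: &[&str]) -> Option<&'a str> {
    client.iter().copied().find(|a| server.iter().any(|s| s == a))
}

/// Predict the host key signature algorithm a client will end up with once "ssh-rsa"
/// is removed from its list, as the OpenSSH 8.6 notes say future defaults will do.
pub fn verdict_without_ssh_rsa(debug: &str) -> Option<String> {
    let client: Vec<&str> = host_key_algs(debug, "local client")
        .into_iter()
        .filter(|a| *a != "ssh-rsa")
        .collect();
    let server = host_key_algs(debug, "peer server");
    negotiate(&client, &server).map(str::to_string)
}

// Constructed sample excerpts in the shape `ssh -vv` prints; not captured from real hosts.
// A server with an RSA host key that can also sign with SHA-2: still reachable.
pub const SAMPLE_MODERN: &str = "\
debug2: local client KEXINIT proposal
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: peer server KEXINIT proposal
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa";

// A server with an RSA key but too old to offer rsa-sha2-*: negotiation fails.
pub const SAMPLE_LEGACY: &str = "\
debug2: local client KEXINIT proposal
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: peer server KEXINIT proposal
debug2: host key algorithms: ssh-rsa,ssh-dss";
```

A `None` verdict means the server needs either an OpenSSH new enough to sign with rsa-sha2-* or a non-RSA host key before clients stop accepting "ssh-rsa".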
Miscellaneous
Kicking off the GNU Assembly
A new organization for maintainers and contributors to GNU tools, the GNU Assembly, has announced its existence. "We’re excited to kick off the GNU Assembly and its web site! This place intends to be a collaboration platform for the developers of GNU packages who are all 'hacking for user freedom' and who share a vision for the umbrella project." It is an outgrowth of discussions on changes to GNU governance from a few years back, but its origins are even older than that. The organization is working on its governance model and invites those interested to its Assembly mailing list.
Page editor: Jake Edge