
Brief items

Security

Security quotes of the week

But we really did use to use ROT13 a lot. We used it to keep secrets. And it worked.

Why it worked is a fascinating look at all the different meanings that "security" has.

ROT13 was once a mainstay of online conversations on Usenet and message boards.

It was essential to joke forums (where it was used to scramble punchlines) and media forums (where it was used to scramble spoilers).

You see, "security" doesn't exist in the abstract. Every security measure is a counter to a threat.

[...] The threat that ROT13 defended against was…you. It was a way to prevent you from accidentally reading something you didn't want to know – a counter to your haste and/or curiosity.

Cory Doctorow

But ‘if you build it, they will come’. If device vendors are compelled to install remote surveillance, the demands will start to roll in. Who could possibly be so cold-hearted as to argue against the system being extended to search for missing children? Then President Xi will want to know who has photos of the Dalai Lama, or of men standing in front of tanks; and copyright lawyers will get court orders blocking whatever they claim infringes their clients’ rights. Our phones, which have grown into extensions of our intimate private space, will be ours no more; they will be private no more; and we will all be less secure.

Ross Anderson introduces "Bugs in our Pockets: The Risks of Client-Side Scanning"

This is where a competent and responsible government would thank the journalists for finding the vulnerability and disclosing it in an ethical manner designed to protect the info of the people the state failed to properly protect.

But that's not what happened.

[...] And then, it got even worse. Missouri Governor Mike Parson called a press conference in which he again called the journalists hackers and said he had notified prosecutors and the Highway Patrol's Digital Forensic Unit to investigate. Highway Patrol? He also claimed (again) that they had "decoded the HTML source code." That's... not difficult. It's called "view source" and it's built into every damn browser, Governor. It's not hacking. It's not unauthorized.

Mike Masnick


Kernel development

Kernel release status

The current development kernel is 5.15-rc6, released on October 17. Linus said: "I'd love to say that it's all looking average, but rc6 is actually bigger than rc5 was, and larger than normal for this time in the release cycle. It's not _enormously_ larger than normal, and it's not the largest rc6 we've had, but it's still slightly worrisome."

Stable updates: 5.14.13, 5.10.74, 5.4.154, 4.19.212, 4.14.251, 4.9.287, and 4.4.289 were released on October 17, followed by 5.14.14, 5.10.75, 5.4.155, 4.19.213, and 4.14.252 on October 20.


How a simple Linux kernel memory corruption bug can lead to complete system compromise (Project Zero)

Over at the Project Zero blog, Jann Horn has a lengthy post on a kernel bug, ways to exploit it, and various ideas on mitigation. While the exploitation analysis is highly detailed, more than half of the post looks at various defenses against this kind of bug.
This blog post describes a straightforward Linux kernel locking bug and how I exploited it against Debian Buster's 4.19.0-13-amd64 kernel. Based on that, it explores options for security mitigations that could prevent or hinder exploitation of issues similar to this one.

I hope that stepping through such an exploit and sharing this compiled knowledge with the wider security community can help with reasoning about the relative utility of various mitigation approaches.

A lot of the individual exploitation techniques and mitigation options that I am describing here aren't novel. However, I believe that there is value in writing them up together to show how various mitigations interact with a fairly normal use-after-free exploit.


Distributions

Devuan 4.0 (Chimaera) released

Version 4.0 of the Devuan distribution has been released; it is code-named Chimaera. This release is based on Debian Bullseye, has improved desktop support, and benefits from more accessibility work. See the release notes for details.


Ubuntu 21.10 (Impish Indri) released

The latest release of the Ubuntu Linux distribution is out: Ubuntu 21.10, code-named "Impish Indri". The release notes fill in all of the details for the new features in this version, but the announcement lists some as well:
Ubuntu Desktop 21.10 makes wayland sessions available while using the Nvidia proprietary driver. PulseAudio 15 introduces support for Bluetooth LDAC and AptX codecs, as well as HFP Bluetooth profiles providing better audio quality. The recovery key feature at installation time has been improved, with the recovery key now optional, stronger and editable. Ubuntu Desktop 21.10 includes GNOME version 40, with a new and improved Activities Overview design. Workspaces are now arranged horizontally, and the overview and app grid are accessed vertically. Each direction has accompanying keyboard shortcuts, touchpad gestures and mouse actions.

Ubuntu Server 21.10 integrates recent innovations from key open infrastructure projects like OpenStack Xena, QEMU 6.0, PHP8, libvirt 7.6, Kubernetes, and Ceph with advanced life-cycle management tools for multi-cloud and on-prem operations from bare metal, VMware and OpenStack, to every major public cloud.


Development

Plasma 25th Anniversary Edition released

The KDE project is celebrating its 25th anniversary with a special release of the Plasma desktop.

This time around, Plasma renews its looks and, not only do you get a new wallpaper, but also a gust of fresh air from an updated theme: Breeze - Blue Ocean. The new Breeze theme makes KDE apps and tools not only more attractive, but also easier to use both on the desktop and your phone and tablet.

Of course, looks are not the only thing you can expect from Plasma 25AE: extra speed, increased reliability and new features have also found their way into the app launcher, the software manager, the Wayland implementation, and most other Plasma tools and utilities.

Lots of details can be found in the changelog.


Miscellaneous

SFC files suit against Vizio over GPL violations

Software Freedom Conservancy has announced that it filed suit against TV maker Vizio over "repeated failures to fulfill even the basic requirements of the General Public License (GPL)". The organization raised the problems with Vizio in August 2018, but the company stopped responding in January 2020, according to the announcement.
"We are asking the court to require Vizio to make good on its obligations under copyleft compliance requirements," says [Software Freedom Conservancy executive director Karen] Sandler. She explains that in past litigation, the plaintiffs have always been copyright holders of the specific GPL code. In this case, Software Freedom Conservancy hopes to demonstrate that it's not just the copyright holders, but also the receivers of the licensed code who are entitled to rights.

The lawsuit seeks no monetary damages, but instead seeks access to the technical information that the copyleft licenses require Vizio to provide to all customers who purchase its TVs (specifically, the plaintiff is asking for the technical information via "specific performance" rather than "damages").

The complaint is also available.


Page editor: Jake Edge


Copyright © 2021, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds