
Security: Patches, Linux Format Special and POWER9 Problems

Filed under
Security
  • Security updates for Friday

    Security updates have been issued by CentOS (firefox), Fedora (chromium, microcode_ctl, mingw-libxml2, seamonkey, and xen), openSUSE (slurm_18_08 and tor), Oracle (thunderbird), SUSE (buildah, firefox, go1.14, go1.15, krb5, microcode_ctl, perl-DBI, podman, postgresql12, thunderbird, ucode-intel, wireshark, wpa_supplicant, and xen), and Ubuntu (firefox and phpmyadmin).

  • Cyber insecurity | Linux Format

    Each year we proclaim it’s time to learn how to hack. But why? Jonni always gets angry at the subversion of the term ‘hacking’ and I can understand why. Hacking is fun, as is finding out how systems work and how to get them to do things they were never meant to do.

    With open source and the Linux ecosystem there’s an abundance of hacking fun to be had, and it’s no wonder all the key tools for learning how to hack – and actually hack – are developed and run out of Linux systems.

    For this year’s look at the world of hacking Jonni’s introducing you to the Metasploit Framework. This is a playground where you can learn, explore and develop hacking skills. It’s usually paired with Kali Linux, and we’re putting these on the Linux Format DVD, which makes a welcome return.

  • IBM POWER9 CPUs Need To Flush Their L1 Cache Between Privilege Boundaries Due To New Bug

    CVE-2020-4788 is now public and it's not good for IBM and their POWER9 processors... This new vulnerability means these IBM processors need to be flushing their L1 data cache between privilege boundaries, similar to other recent CPU nightmares.

    While IBM POWER9 allows speculatively operating on completely validated data in the L1 cache, it is with incompletely validated data that bad things can happen. Paired with other side channels, local users could improperly obtain data from the L1 cache.

    CVE-2020-4788 was made public this morning and is now causing all stable Linux kernel series to receive the mitigation that amounts to hundreds of lines of new code. The mitigation is flushing the L1 data cache for IBM POWER9 CPUs across privilege boundaries -- both upon entering the kernel and on user accesses.
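    The practical question for an administrator is whether a running kernel actually has these flushes in place. The script below is an added example, not code from the Phoronix article or from the kernel tree: it lists the per-issue status strings the kernel exports under /sys/devices/system/cpu/vulnerabilities and checks the boot command line for the options that switch the POWER9 flushes off. The sysfs layout and the entry_flush= / uaccess_flush= boot options (and their no_* forms) are assumed from the kernel's admin-guide/kernel-parameters.txt; the sample status lines used in the comments are constructed.

```sh
#!/bin/sh
# Added example, not from the Phoronix article or the kernel tree: report the
# side-channel mitigation state the kernel exposes, so an admin can see whether a
# POWER9 box is running with the L1D flushes in place.
# Assumed interfaces: /sys/devices/system/cpu/vulnerabilities/<name> (one status
# line per file, "Vulnerable..." or "Mitigation: ..."), and the PPC boot options
# entry_flush=off / no_entry_flush and uaccess_flush=off / no_uaccess_flush
# described in the kernel's admin-guide/kernel-parameters.txt.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Print "name<TAB>status" for every entry in the sysfs directory (or the directory
# given as $1, which lets the function run against a saved copy); return 1 if any
# entry still reports Vulnerable.
report_mitigations() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        printf '%s\t%s\n' "$name" "$status"
        case $status in
            Vulnerable*) rc=1 ;;
        esac
    done
    return $rc
}

# Return 0 (and name the option) if the kernel command line, passed as $1 or read
# from /proc/cmdline, switches off either POWER9 L1D flush; return 1 otherwise.
flush_disabled_on_cmdline() {
    cmdline=${1:-$(cat /proc/cmdline)}
    disabled=1
    for opt in $cmdline; do
        case $opt in
            no_entry_flush|entry_flush=off|no_uaccess_flush|uaccess_flush=off)
                printf 'L1D flush disabled by boot option: %s\n' "$opt"
                disabled=0 ;;
        esac
    done
    return $disabled
}

# Live run on the current host (set L1D_CHECK_LIVE=1); sourcing the file is
# otherwise side-effect free.
if [ "${L1D_CHECK_LIVE:-0}" = 1 ]; then
    report_mitigations || echo "WARNING: at least one sysfs entry reports Vulnerable" >&2
    flush_disabled_on_cmdline || echo "no boot option disables the L1D flushes"
fi
```

Run it as `L1D_CHECK_LIVE=1 sh l1d_check.sh` on the POWER9 host after the kernel update; a status line starting with "Vulnerable" or a report of a no_*_flush boot option means the mitigation is not active, regardless of what the package version says.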

More in Tux Machines

Devices/Embedded and Open Hardware Leftovers

  • Embedded Linux for Teams | Ubuntu

    Developer-friendly embedded Linux should just deliver apps to devices. Satellite companies don’t build their own rockets. They focus on building satellites and lease a rocket to deliver it as a payload. Many developer teams also have to “build the rocket” to deliver embedded applications. Developers would be more successful if Linux vendors made it their job to provide and maintain the scaffold that teams need to deliver embedded apps. In such a world, teams would focus on creating apps. The resulting app-centric development cycle could boil down to booting, building and deploying. Building on top of vendor-provided scaffolds, developers would create a bootable image for their target boards. Teams would then develop apps. After testing, they will build a system image that delivers all these apps. Then burn, deploy, done.

  • Personal Raspberry Pi music streamer
  • Run Pi-hole as a container with Podman on openSUSE - SUSE Communities

    There is arguably no better way to protect devices on your local network from unwanted content than Pi-hole. Add a machine running Pi-hole to your network, and it will quietly scrub all incoming traffic from pesky stuff like ads and trackers in the background. As the name suggests, Pi-hole was initially designed to run on a Raspberry Pi. But if you already have a machine running openSUSE on your network, you can deploy a Pi-hole container on it instead. And to make things a bit more interesting, you can use Podman instead of Docker for that. Installing Podman on openSUSE 15.2 is a matter of running the sudo zypper install podman command. A Pi-hole container needs the 80 and 53 ports, so make sure that these ports are available on your machine.
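    The port requirement is the step that most often goes wrong in practice: on many systemd hosts the resolved stub already holds 127.0.0.53:53, and the container then starts but never answers DNS. The script below is an added example, not the SUSE article's or the Pi-hole project's own code: it checks the three ports against an `ss` listing before starting the container, and passes the admin password in explicitly instead of accepting a generated one. The image name docker.io/pihole/pihole, its WEBPASSWORD and TZ variables and the /etc/pihole and /etc/dnsmasq.d volumes are assumed from the upstream image documentation; /srv/pihole is an arbitrary host path chosen here, and the `ss` lines in the comments are constructed.

```sh
#!/bin/sh
# Added example, not from the SUSE article or the Pi-hole project: start Pi-hole
# under Podman only after confirming that 53/tcp, 53/udp and 80/tcp are free, and
# pass the admin password in rather than accepting the generated one.
# Assumptions: image docker.io/pihole/pihole, its WEBPASSWORD and TZ variables and
# the /etc/pihole and /etc/dnsmasq.d volumes follow the upstream image docs;
# /srv/pihole is an arbitrary host path chosen here.

# Return 0 when none of the proto:port pairs given after the listing are bound.
# The listing is the output of `ss -H -ltnu`, passed as text so the check can
# also be run against a saved capture. A typical (constructed) line looks like:
#   tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
ports_free() {
    listing=$1; shift
    busy=0
    for want in "$@"; do
        proto=${want%%:*}; port=${want##*:}
        # column 1 is the protocol, column 5 the local address:port
        if printf '%s\n' "$listing" | awk -v p="$proto" -v n="$port" \
            '$1 == p && $5 ~ (":" n "$") { found = 1 } END { exit !found }'; then
            echo "port $want is already bound (systemd-resolved often holds 53)" >&2
            busy=1
        fi
    done
    return $busy
}

run_pihole() {
    podman run -d --name pihole \
        -p 53:53/tcp -p 53:53/udp -p 80:80/tcp \
        -e TZ="Europe/Berlin" \
        -e WEBPASSWORD="$PIHOLE_ADMIN_PASSWORD" \
        -v /srv/pihole/etc-pihole:/etc/pihole \
        -v /srv/pihole/etc-dnsmasq.d:/etc/dnsmasq.d \
        docker.io/pihole/pihole:latest
}

main() {
    if [ -z "${PIHOLE_ADMIN_PASSWORD:-}" ]; then
        echo "set PIHOLE_ADMIN_PASSWORD before starting the container" >&2
        return 2
    fi
    ports_free "$(ss -H -ltnu)" tcp:53 udp:53 tcp:80 || return 1
    run_pihole
}

# Run only when asked, so the file can be sourced without side effects.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `PIHOLE_ADMIN_PASSWORD='...' sh pihole-podman.sh --run` after `sudo zypper install podman`. Ports 53 and 80 are privileged, so either run the script as root or, for rootless Podman, lower `net.ipv4.ip_unprivileged_port_start` with sysctl first; if the check reports 53 as bound by 127.0.0.53, stop or reconfigure systemd-resolved's stub listener before retrying.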

  • MorphESP 240 ESP32-S2 board integrates a 1.3-inch color display (Crowdfunding)

    We’ve already seen ESP32 platforms with a color display such as M5Stack, but MorphESP 240 is kind of cute with a 1.3-inch color display, features the more recent ESP32-S2 WiFi processor, and supports battery power & charging.

  • Rockchip RK3588 specifications revealed – 8K video, 6 TOPS NPU, PCIe 3.0, up to 32GB RAM

    Rockchip RK3588 is one of the most anticipated processors for the year on this side of the Internet: the octa-core processor features four Cortex-A76 cores, four Cortex-A55 cores, an NPU, and 8K video decoding support. The roadmap shows an expected launch date in Q3/Q4 2020, but sadly the release date will be pushed back in the future. Having said that, the Rockchip Developer Conference (RKDC) is now taking place, and the company has put up a poster that reveals a bit more about the processor.

  • Arduino Blog » Arduino psychic ‘magically’ guesses random numbers

    Standard Arduino Nanos can be used for many purposes, but they do not feature wireless capabilities. Somehow, though, Hari Wiguna’s Arduino psychic system is apparently able to pass data between two of them. No external communication hardware is implemented, yet one Nano is able to recognize when a random number chosen on the other Nano setup is input via an attached keypad. As noted by Wiguna, it’s easier shown than explained, and you can see this techno-magic trick in action in the first clip. How things work is revealed in the second video, but can you guess how it’s done?

Security, Digital Restrictions (DRM), and Proprietary Problems

  • Best forensic and pentesting Linux distros of 2020

    20.04 LTS and uses the Xfce desktop, and is available as a single ISO only for 64-bit machines. In addition to the regular boot options, the distro’s boot menu also offers the option to boot into a forensics mode where it doesn’t mount the disks on the computer. BackBox includes some of the most common security and analysis tools. The project aims for a wide spread of goals, ranging from network analysis, stress tests, sniffing, vulnerability assessment, computer forensic analysis, exploitation, privilege escalation, and more. All the pentesting tools are neatly organized in the Auditing menu under relevant categories. These are broadly divided into three sections. The first has tools to help you gather information about the environment, assess vulnerabilities of web tools, and more. The second has tools to help you reverse-engineer programs and social-engineer people. The third has tools for all kinds of analysis. BackBox has further customized its application menu to display tooltips with a brief description of each bundled tool, which will be really helpful for new users who aren’t familiar with the tools. As an added bonus, the distro also ships with Tor and a script that will route all Internet bound traffic from the distro via the Tor network.

  • Thanksgiving security updates

    Security updates have been issued by openSUSE (blueman, chromium, firefox, LibVNCServer, postgresql10, postgresql12, thunderbird, and xen), Slackware (bind), SUSE (bluez, kernel, LibVNCServer, thunderbird, and ucode-intel), and Ubuntu (mutt, poppler, thunderbird, and webkit2gtk).

  • Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2020-013

    Risk: AC:Complex/A:User/CI:All/II:All/E:Exploit/TD:Uncommon
    Vulnerability: Arbitrary PHP code execution
    CVE IDs: CVE-2020-28948, CVE-2020-28949
    Description: The Drupal project uses the PEAR Archive_Tar library. The PEAR Archive_Tar library has released a security update that impacts Drupal. For more information please see: CVE-2020-28948, CVE-2020-28949. Multiple vulnerabilities are possible if Drupal is configured to allow .tar, .tar.gz, .bz2 or .tlz file uploads and processes them. To mitigate this issue, prevent untrusted users from uploading .tar, .tar.gz, .bz2 or .tlz files. This is a different issue than SA-CORE-2019-012; similar configuration changes may mitigate the problem until you are able to patch.

  • Financial software firm cites security, control as reasons for moving from email to Slack [Ed: Unbelievable stupidity; Slack is illegal mass surveillance and it’s centralised proprietary software (whereas E-mail can be encrypted, e2e)]

    ASX-listed financial software firm Iress is moving away from email to Slack for communications and its chief technology officer, Andrew Todd, says this is because the app offers improved security and control.

  • Introducing another free CA as an alternative to Let's Encrypt

    Let's Encrypt is an amazing organisation doing an amazing thing by providing certificates at scale, for free. The problem though was that they were the only such organisation for a long time, but I'm glad to say that the ecosystem is changing.

  • Denuvo's Anti-Piracy Protection Probably Makes Sense For Big-Selling AAA Titles

    A hacking team believed to have obtained data from gaming giant Ubisoft has published documents that claim to reveal the costs of implementing Denuvo's anti-piracy protection. While the service doesn't come cheap, the figures suggest that for a big company putting out big titles with the potential for plenty of sales, the anti-tamper technology may represent value for money.

  • Disappointing: Netflix Decides To Settle With Chooseco LLC Over 'Bandersnatch' Lawsuit

    Well, it's been quite a stupid and frustrating run in the trademark lawsuit between Netflix and Chooseco LLC, the folks behind Choose Your Own Adventure books from our youth. At issue was the Black Mirror production Bandersnatch, in which the viewer takes part in an interactive film where they help decide the outcome. The main character is creating a book he refers to as a "choose your own adventure" book. Chooseco also complained that the dark nature of the film would make the public think less of CYOA books as a result. Netflix fought back hard, arguing for a dismissal on First Amendment grounds, since the film is a work of art and the limited use or reference to CYOA books was an important, though small, part of that art. The court decided that any such argument was better made at trial and allowed this madness to proceed, leading Netflix to petition for the cancellation of Chooseco's trademark entirely. This story all seemed to be speeding towards an appropriately impactful conclusion.

  • TPM circumvention and website blocking orders: An EU perspective

    Website blocking orders in IP cases (mostly, though not solely, in relation to copyright-infringing websites) are routinely granted in several jurisdictions, whether in Europe or third countries. The availability of such relief has been established in case law, administrative frameworks and academic studies alike. The Court of Justice of the European Union ('CJEU') expressly acknowledged the compatibility of such a remedy with EU law in its 2014 decision in UPC Telekabel. Also the European Court of Human Rights recently found that, although it is necessary that this particular remedy is available within a balanced and carefully drafted legislative framework which contains a robust and articulated set of safeguards against abuse, website blocking orders are not per se contrary to the provision in Article 10 ECHR.

    Over time, courts and other authorities (including administrative authorities in certain EU Member States) have dealt with applications which have: been based on different legal grounds; been aimed at protecting different types of rights; and resulted in different types of orders against internet service providers ('ISPs').

    An interesting recent development concerns website blocking orders in relation to websites that market and sell devices and software aimed at circumventing technological protection measures (‘TPMs’). TPMs offer rights holders an ancillary right of protection and are deployed to protect against infringement of copyright in works that subsist in multimedia content such as video games. TPMs are a cornerstone in copyright protection in the digital age where large-scale copying and dissemination of copyright-protected content is so prevalent. [...]

    In light of the foregoing, copyright owners appear entitled to seek injunctions against intermediaries to also block access to websites dealing with TPM-circumventing devices. The legal basis for that can also be, subject to satisfying all the other requirements under EU and national law, the domestic provision implementing Article 8(3) of the InfoSoc Directive.

    All in all, it appears likely that we will see more blocking orders in the future, including orders – issued by courts and competent authorities around Europe – targeting websites that provide TPM-circumventing devices. This is an unsurprising and natural evolution of website blocking jurisprudence. It also serves to show the very flexibility of this type of remedy and, matched inter alia with the loose notion of ‘intermediary’, its inherently broad availability.

  • Prolonged AWS outage takes down a big chunk of the internet

    Many apps, services, and websites have posted on Twitter about how the AWS outage is affecting them, including 1Password, Acorns, Adobe Spark, Anchor, Autodesk, Capital Gazette, Coinbase, DataCamp, Getaround, Glassdoor, Flickr, iRobot, The Philadelphia Inquirer, Pocket, RadioLab, Roku, RSS Podcasting, Tampa Bay Times, Vonage, The Washington Post, and WNYC. Downdetector.com has also shown spikes in user reports of problems with many Amazon services throughout the day.

Mozilla/Firefox: CRLite, Firefox 83 and TenFourFox

  • Querying CRLite for WebPKI Revocations • Insufficient.Coffee

    Firefox Nightly is now using CRLite to determine if websites’ certificates are revoked — e.g., if the Certificate Authority published that web browsers shouldn’t trust that website certificate. Telemetry shows that querying the local CRLite dataset is much faster than making a network connection for OCSP, which makes intuitive sense. It also avoids sending the website’s certificate information in cleartext over the network to check the revocation status: solving one of the remaining cleartext browsing data leakages in Firefox. Mozilla is currently publishing CRLite data to Remote Settings four times per day, keeping a very fresh set of revocation information for the public Web. I’ve provided some direct details on how to get at that data from the CRLite FAQ, and I want to introduce one of my command-line tools I’ve used to analyze and play with the dataset: moz_crlite_query. I’ll introduce crlite_status in a later post.

  • Firefox 83 Introduces HTTPS-Only Mode

    According to Mozilla, “the web contains millions of legacy HTTP links that point to insecure versions of websites. When you click on such a link, browsers traditionally connect to the website using the insecure HTTP protocol.” With HTTPS-Only Mode enabled, Firefox will attempt to establish HTTPS connections to every website and will ask for permission before connecting to a site that doesn’t support secure connections. Even if you click on an HTTP link or manually enter an HTTP address, Firefox will use HTTPS instead.

  • TenFourFox Development: TenFourFox FPR30b1 available

    TenFourFox Feature Parity Release 30 beta 1 is now available (downloads, hashes, release notes). I managed to make some good progress on backporting later improvements to the network and URL handling code, so there are no UI-facing features in this release, but the browser should use a bit less memory and run a little quicker especially on pages that reference a lot of resources (which, admittedly, is a lot of sites these days). There is also a minor update to the host database for basic adblock. Assuming all goes well, this release will come out parallel with Firefox 84 on or around December 15. I'll probably do an SPR-only build for the release immediately following to give myself a break; this will contain just needed security fixes, and there will most likely not be a beta.

Music Production on Guix System

The working title “Ode to One Two Oh” was an obvious choice, being a quasi-palindrome, and its five syllables suggested a time signature of 5/4. Where to from here? As I stared at my Emacs session with a Guile REPL (read, eval, print, loop) buffer I tried to recall what the letters “REPL” stand for. Clearly, in my case the “P” was for “Procrastination”, but what about the others? I had stumbled upon the chorus: a description of the Guix development process. Contribute as others before us have shared their contributions (Reciprocation), review patches and discuss (Evaluation), hack on something else (Procrastination), and repeat (Loop). The words suggested a simple descending melody, which would need to be elevated by a somewhat less simple chord progression. After trying out a few harmonies on the Grand Stick I remembered how terrible my memory was and decided that I would need to scatter the harmonies onto a canvas, listen to the whole progression, and adjust the lines as needed — all without having to build up muscle memory for harmonies and progressions I may very well end up discarding in the process. This is where my composition workflow probably deviates from most other people’s. Many would use a MIDI sequencer for that kind of approach, whereas I decided to hone in on the exact harmonies with an unlikely tool: the unparalleled music engraving application Lilypond. Lilypond sports a versatile language that covers primitive note input, the means of combining them to larger phrases and musical ideas, and the means of abstraction — it allows for musical ideas to be named and recombined in different shapes. For everything the language doesn’t account for with specialized syntax I can simply switch to Guile Scheme. No other notation software is as flexible and malleable as Lilypond. I let it generate both sheet music and a MIDI file — the sheet music is displayed in a PDF viewer in Emacs and the MIDI file sent to fluidsynth (because I trust my ears over my eyes).
Read more