Security and FUD Leftovers

  • Security updates for Thursday [LWN.net]

    Security updates have been issued by Debian (sssd), Fedora (libtpms and vim), openSUSE (kernel and php7-pear), Oracle (kernel), Slackware (curl), and Ubuntu (libgcrypt20 and squashfs-tools).

  • Travis CI flaw exposed secrets of thousands of open source projects [Ed: Hidden cost of bloat, but Microsoft-funded Ars 'Tech'nica spins this as an "Open Source" problem]

    A security flaw in Travis CI potentially exposed the secrets of thousands of open source projects that rely on the hosted continuous integration service. Travis CI is a software-testing solution used by over 900,000 open source projects and 600,000 users. A vulnerability in the tool made it possible for secure environment variables—signing keys, access credentials, and API tokens of all public open source projects—to be exfiltrated.

  • Travis CI flaw exposed secrets of thousands of open source projects (ars technica) [LWN.net]

    Any project storing secrets in this service would be well advised to replace them.

  • The long-term consequences of maintainers’ actions – Ariadne's Space

    OpenSSL 3 has entered Alpine, and we have been switching software to use it over the past week. While OpenSSL 1.1 is not going anywhere any time soon, it will eventually leave the distribution, once it no longer has any dependents. I mostly bring this up because it highlights a few examples of maintainers not thinking about the big picture; let me explain.

    First, the good news: in distribution-wide rebuilds, we already know that the overwhelming majority of packages in Alpine build just fine with OpenSSL 3, when individually built against it. Roughly 85% of main builds just fine with OpenSSL 3, and 89% of community builds with it. The rebuild effort is off to a good start.

    Major upgrades to OpenSSL are not without their fallout, however. In many cases, we cannot upgrade packages to use OpenSSL 3 because they have dependencies which themselves cannot yet be built with OpenSSL 3. So, that 15% of main ultimately translates to 30-40% of main once you take into account dependencies like curl, which builds just fine with OpenSSL 3, but has hundreds of dependents, some of which don’t.

    A major example of this is mariadb. It has been known for over 4 years now that OpenSSL 3 was on the horizon, and that the OpenSSL 3 release would remove support for the classical OpenSSL programming approach of touching random internals. However, they are just now beginning to update their OpenSSL support to use the modern APIs. Because of this, we wound up having to downgrade dozens of packages which would otherwise have supported OpenSSL 3 just fine, because the maintainers of those packages did their part and followed the OpenSSL deprecation warnings as they showed up in OpenSSL releases. MariaDB is a highly profitable company which does business with the overwhelming majority of the Fortune 500 companies. Yet, when OpenSSL 3 releases started to be cut, they weren’t ready, and despite having years of warning they’re still not, which accordingly limits what packages can get the OpenSSL 3 upgrade.

  • Level up your digital security hygiene! Cybersec Charcha #5

    By popular demand from our staff and community members, this edition of cybersec charcha will explore the basic digital security hygiene practices everyone should follow and how they protect your information from falling into the wrong hands.

    As attacks like Pegasus gain more limelight and become part of public knowledge, many of us feel that there is nothing we can do to protect ourselves. And currently, this stands true for sophisticated attacks like Pegasus. However, it’s important to remain cognizant that every time someone’s data is compromised, it’s not because they were targeted with a military grade spyware. It’s crucial for us to be aware of our personal threat levels. This threat level can be determined through a process called Threat Modelling.

  • Microsoft Releases Security Update for Azure Linux Open Management Infrastructure [Ed: This is how CISA covers Microsoft 'bug doors' inside Linux]

    Microsoft has released an update to address a remote code execution vulnerability in Azure Linux Open Management Infrastructure (OMI). An attacker could use this vulnerability to take control of an affected system.

  • Drupal Releases Multiple Security Updates

    Drupal has released security updates to address multiple vulnerabilities affecting Drupal 8.9, 9.1, and 9.2. An attacker could exploit some of these vulnerabilities to take control of an affected system.

  • New Go malware Capoae targets WordPress installs, Linux systems [Ed: Charlatans and frauds at ZDNet now try to blame some malware that targets WordPress on "Linux" and on the programming language the malware is written in (Go); this isn't journalism and it's even lower than tabloid level. Part of a trend. Imagine ZDNet blaming Photoshop holes on Windows and on C++ (if some malware is coded in that language).]
  • Democracy Now: NSO Group Spies Secretly Seized Control of Apple Devices by Exploiting Flaw in Code - The Citizen Lab

    Ron Deibert joined Democracy Now to discuss how Citizen Lab research of a zero-click zero-day exploit—used by NSO Group—led Apple to issue a patch to over 1.65 billion products.

  • Theory confirmed: Lumen Black Lotus Labs discovers Linux executable files have been deployed as stealth Windows loaders [Ed: WSL was always a security joke; it's compromised, totally controlled by Microsoft, and only a fool would call that "Linux"]
  • Theory confirmed: Lumen Black Lotus Labs discovers Linux executable files have been deployed as stealth Windows loaders [Ed: They've paid to spread this misleading thing which conflates WSL with "Linux"]
  • ACSC Releases Annual Cyber Threat Report

    The Australian Cyber Security Centre (ACSC) has released its annual report on key cyber security threats and trends for the 2020–21 financial year.

    The report lists the exploitation of the pandemic environment, the disruption of essential services and critical infrastructure, ransomware, the rapid exploitation of security vulnerabilities, and the compromise of business email as last year’s most significant threats.

More Fear, Uncertainty, Doubt/Fear-mongering/Dramatisation

  • Microsoft to Azure Linux users: Patch this problem yourself

    Azure Linux administrators, it's time to get patching. In response to the recent OMIGOD vulnerabilities, Microsoft has released an updated version of OMI, but you'll need to upgrade on your own (via BleepingComputer). Here's the full scoop.

    OMIGOD vulnerabilities are named after OMI, an acronym that stands for the Open Management Infrastructure software agent. The OMIGOD vulnerabilities found in OMI have opened the door for RCE (Remote Code Execution) attacks from malicious parties. And if you're an Azure user operating on a Linux setup with a service such as Azure Diagnostics or Azure Automation enabled, that means you have OMI on your Virtual Machine.

More of the WSL FUD
