Security and Openwashing

posted by Roy Schestowitz on Dec 24, 2022

• Linux admins have a CVSS 10 kernel bug to address • The Register

  Merry Christmas, Linux systems administrators: Here's a kernel vulnerability with a CVSS score of 10 in your SMB server for the holiday season giving an unauthenticated user remote code execution.

  Yes, this sounds bad, and a score of 10 isn't reassuring at all. Luckily for the sysadmins reaching for more brandy to pour in that eggnog, it doesn't appear to be that widespread.

  Discovered the Thalium Team vulnerability research team at French aerospace firm Thales Group in July, the vulnerability is specific to the ksmbd module that was added to the Linux kernel in version 5.15. Disclosure was responsibly held until a patch was issued.

  [...]

  Lots of ready-made kit for would-be hackers can be found on the dark web; one trend recently noticed by the team at Cybersixgill has been gift card generators not only guess card numbers, but also check their validity by the thousands.

  Like brute force password crackers, the tools being sold online randomly guess the digits of gift cards issued by companies like Amazon, Microsoft, Sony, Apple and others, with varying degrees of speed and accuracy based on how predictable a card's number sequence is.

• Okta's source code stolen after GitHub repositories hacked [Ed: Microsoft is a terrible code host]

  Okta, a leading provider of authentication services and Identity and Access Management (IAM) solutions, says that its private GitHub repositories were hacked this month.

  According to a 'confidential' email notification sent by Okta and seen by BleepingComputer, the security incident involves threat actors stealing Okta's source code

• AWS Releases Open-Source Tool for Command-Line Container Management [Ed: Openwashing. AWS is deeply proprietary and monopolised, centralised, spyware. This is openwashing.]

  AWS has released Finch, an open-source, cloud-agnostic, command-line client for building, running, and publishing Linux containers. Finch bundles together a number of open-source components such as Lima, nerdctl, containerd, and BuildKit. At the time of release, Finch is a native macOS client with support for all Mac CPU architectures.

  According to Phil Estes, Principle Engineer at AWS, and Chris Short, Senior Developer Advocate at AWS, "Finch is our response to the complexity of curating and assembling an open source container development tool for macOS initially, followed by Windows and Linux in the future". They note that the core Finch client will always be comprised of curated open-source, vendor-neutral projects.