Security and FUD (UPDATED)
-
WordPress Security Alert: New Linux Malware Exploiting Over Two Dozen CMS Flaws [Ed: This is a WordPress plugins issue (not WordPress, not Linux); calling this Linux is like calling an Adobe Photoshop bug a "Windows bug"; WordPress runs not only on Linux]
WordPress sites are being targeted by a previously unknown strain of Linux malware that exploits flaws in over two dozen plugins and themes to compromise vulnerable systems.
-
Reproducible Builds Summit Venice 2022
The sixth Reproducible Builds Summit took place exactly two months ago in Venice, Italy. These three days of workshops were filled with a succession of interactive sessions, where everyone attending had the opportunity to present or learn about anything related to Build Reproducibility. This included the status of specific Open Source projects, techniques to locate, analyse, and understand issues, or also how to explain and communicate better around this topic.
-
Can we encrypt data using Elliptic Curves? - Andrea Corbellini
From time to time, I hear people saying that Elliptic Curve Cryptography (ECC) cannot be used to directly encrypt data, and you can only do key agreement and digital signatures with it. This is a common misconception, but it's not actually true: you can indeed use elliptic curve keys to encrypt arbitrary data. And I'm not talking about hybrid-encryption schemes (like ECIES or HPKE): I'm talking about pure elliptic curve encryption, and I'm going to show an example of it in this article. It's true however that pure elliptic curve encryption is not widely used or standardized because, as I will explain at the end of the article, key agreement is more convenient for most applications.
[...]
I wrote an in-depth article about elliptic curve cryptography in the past on this blog, and here is a quick recap: points on an elliptic curve form an interesting algebraic structure: a cyclic group. This group lets us do some algebra with the points of the elliptic curve: if we have two points $A$ and $B$, we can add them ($A + B$) or subtract them ($A - B$). We can also multiply a point by an integer, which is the same as doing repeated addition ($nA = A + A + \cdots + A$, $n$ times).
We know some efficient algorithms for doing multiplication, but the reverse of multiplication is believed to be a "hard" problem for certain elliptic curves, in the sense that we know efficient methods for computing $B = n A$ given $n$ and $A$, but we do not know very efficient methods to figure out $n$ given $A$ and $B$. This problem of reversing a multiplication is known as Elliptic Curve Discrete Logarithm Problem (ECDLP).
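The group law and the one-way nature of scalar multiplication that the excerpt above describes, worked through on a toy curve. This is an added example, not code from Corbellini's article: the curve $y^2 = x^3 + 2x + 2$ over GF(17) with generator $G = (5, 1)$ is a standard textbook curve chosen here because its 19-element group is small enough to brute-force by hand; the function names are ours.

```python
# Added example (not from the article): the elliptic curve group law on a toy curve.
# Curve: y^2 = x^3 + A*x + B over GF(P), P = 17, A = 2, B = 2 (textbook curve,
# assumption: its group has 19 points and G = (5, 1) generates all of them;
# order_of() below checks that claim rather than trusting it).
from typing import Optional, Tuple

P, A, B = 17, 2, 2
G = (5, 1)
Point = Optional[Tuple[int, int]]  # None stands for the point at infinity (identity)

def on_curve(pt: Point) -> bool:
    """True if pt satisfies the curve equation (the identity always does)."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def neg(pt: Point) -> Point:
    """Additive inverse: reflect the point across the x-axis."""
    if pt is None:
        return None
    x, y = pt
    return (x, (-y) % P)

def add(p1: Point, p2: Point) -> Point:
    """Group addition with the chord/tangent rule; handles identity and P + (-P)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # vertical line: the result is the point at infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def sub(p1: Point, p2: Point) -> Point:
    """A - B is A + (-B)."""
    return add(p1, neg(p2))

def mul(n: int, pt: Point) -> Point:
    """n*pt by double-and-add: O(log n) group operations, the 'easy' direction."""
    result, addend = None, pt
    while n > 0:
        if n & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        n >>= 1
    return result

def order_of(pt: Point) -> int:
    """Smallest k > 0 with k*pt = identity, found by repeated addition."""
    k, cur = 1, pt
    while cur is not None:
        cur = add(cur, pt)
        k += 1
    return k

def ecdlp_bruteforce(base: Point, target: Point) -> int:
    """Recover n from target = n*base by trying every n: the 'hard' direction.

    Feasible only because this group has 19 elements. On a 256-bit curve the
    best known generic attacks still need on the order of 2^128 group operations,
    which is exactly why ECC keys can be public.
    """
    cur = None  # 0 * base
    for n in range(order_of(base)):
        if cur == target:
            return n
        cur = add(cur, base)
    raise ValueError("target is not a multiple of base")

if __name__ == "__main__":
    print("order of G:", order_of(G))            # 19
    secret = 7
    public = mul(secret, G)                      # the public key is easy to compute
    print("7*G =", public)
    print("recovered n =", ecdlp_bruteforce(G, public))  # only works because the group is tiny
```

Every point `mul(n, G)` produces satisfies the curve equation, `mul(19, G)` is the identity, and `sub(mul(5, G), mul(3, G))` equals `mul(2, G)`, which is the cyclic-group behaviour the recap relies on. Replace `P`, `A`, `B` with real 256-bit parameters and `mul` still runs in a few hundred steps while `ecdlp_bruteforce` becomes hopeless; that asymmetry is the ECDLP.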
-
Security updates for Monday [LWN.net]
Security updates have been issued by Debian (cacti, emacs, exuberant-ctags, libjettison-java, mplayer, node-loader-utils, node-xmldom, openvswitch, ruby-image-processing, webkit2gtk, wpewebkit, and xorg-server), Fedora (OpenImageIO, systemd, w3m, and webkit2gtk3), Mageia (curl, freeradius, libksba, libtar, python-ujson, sogo, thunderbird, and webkit2), Red Hat (bcel), and SUSE (ffmpeg, ffmpeg-4, mbedtls, opera, saphanabootstrap-formula, sbd, vlc, and webkit2gtk3).
-
Compromised PyTorch-nightly dependency chain between December 25th and December 30th, 2022. | PyTorch
If you installed PyTorch-nightly on Linux via pip between December 25, 2022 and December 30, 2022, please uninstall it and torchtriton immediately, and use the latest nightly binaries (newer than Dec 30th 2022).
-
Nightly PyTorch builds compromised [LWN.net]
Anybody who installed a nightly release from the PyTorch machine-learning library between December 25 and 30 will want to uninstall it immediately...
UPDATE
One more update:
-
PyTorch: Machine Learning toolkit pwned from Christmas to New Year - Naked Security
Unfortunately, the project was compromised by means of a supply-chain attack during the holiday season at the end of 2022, between Christmas Day [2022-12-25] and the day before New Year’s Eve [2022-12-30].
The attackers malevolently created a Python package called torchtriton on PyPI, the popular Python Package Index repository.