Security Leftovers
-
Go 1.20 Cryptography
The second release candidate of Go 1.20 is out![1] This is the first release I participated in as an independent maintainer, after leaving Google to become a professional Open Source maintainer. (By the way, that’s going great, and I’m going to write more about it here soon!)
I’m pretty happy with the work that’s landing in it. There are both exciting new APIs, and invisible deep backend improvements that are going to make code more maintainable and secure in the long run. All the main work mentioned in the planning post got done, and then some (but not the “stretch goals”). The whole release is pretty exciting, too, and you should check out the release notes (although the cryptography parts might not be complete yet).
-
How to move away from RSA for SSH keys
For a while cryptographers have feared that RSA is vulnerable to a quantum computing algorithm known as Shor's Algorithm. I won't pretend to understand it in this article, but the main reason why it's not deployed is that the hardware required to attack RSA keys in the wild literally doesn't exist yet (think literally tens of generations more advanced than current quantum computers).
A group of researchers have just published a paper that posits that it's likely you can break 2048-bit RSA (the most widely deployed keysize) with a quantum computer that only uses 372 qubits of computational power. The IBM Osprey has 433 qubits.
-
Linux Backdoor Malware Targets WordPress Sites with Outdated, Vulnerable Themes and Plugins [Ed: The headline is misleading]
-
Security in the smart home: considerations for device makers
When people think of home security they usually think of an alarm system with a keypad next to the door. These days, however, home security should have two meanings. I’m here to talk about the second: cybersecurity. In other words, security in the smart home.
A recent investigation found that a shocking number of leading smart home devices contained outdated SSL libraries. An outdated SSL could leave the door open for malicious actors to listen in on network traffic. In the smart home context, that traffic could include extremely personal information such as when you’re at home or away. This kind of security threat is far from being the only one; consumer device security breaches are consistently in the news. Clearly, this is a significant issue.
-
Security updates for Thursday [LWN.net]
Security updates have been issued by Fedora (binwalk), Oracle (kernel and webkit2gtk3), Red Hat (webkit2gtk3), Slackware (vim), and Ubuntu (libksba and nautilus).
-
Four cyber concerns looming in the new year [iophk: Windows TCO]
Cyberattacks have surged in recent years, with the health care system and other critical sectors increasingly coming under digital assault as the threat of malware like ransomware and foreign spyware continues to evolve.
Last year in particular saw officials and lawmakers renew their focus on cybersecurity and seek to secure the country’s critical sectors from rising cyber threats. The issue is expected to continue to take center stage in the coming year, as many of those threats are still escalating while the cyber sector is confronting an ongoing workforce shortage in its efforts to bolster the U.S.’s digital defenses.
Here are four cyber concerns expected to take priority in 2023.