Security Leftovers
-
OpenSSF (Linux Foundation) ☛ OpenSSF Champions a More Secure Future in Collaboration with Public Sector [Ed: Open-Source Software Security Initiative (OS3I) is now for Open Source]
As the Open Source Security Foundation (OpenSSF), our core mission is to safeguard the open source software (OSS) ecosystem and make it more secure. In 2023, we embraced a significant opportunity to further this mission by working with the US government, including its Open-Source Software Security Initiative (OS3I).
-
Silicon Angle ☛ FTC orders software maker Blackbaud to overhaul cybersecurity practices
Blackbaud Inc., a publicly traded software maker that experienced a large-scale data breach in 2020, has agreed to settle a lawsuit that the Federal Trade Commission brought over the incident. The FTC announced the agreement on Thursday.
-
Bruce Schneier ☛ David Kahn
David Kahn has died. His groundbreaking book, The Codebreakers, was the first serious book I read about codebreaking, and one of the primary reasons I entered this field.
He will be missed.
-
LinuxSecurity ☛ Critical Glibc Flaws Put Major GNU/Linux Distros at Risk
Four significant vulnerabilities have been discovered in the GNU C Library (glibc), a fundamental component of most GNU/Linux distributions. These vulnerabilities pose a significant risk to millions of GNU/Linux systems, as they can allow attackers to gain full root access and execute remote code on affected systems.
-
Software Freedom Conservancy ☛ Without software right to repair, your devices are not secure
A blog post from Software Freedom Conservancy.
Once upon a time, you bought a baby monitor so you could see how your child was doing without disturbing them. You heard about a critical security vulnerability in GNU/Linux and asked a friend with some know-how to see if your baby monitor was affected. They told you it was definitely vulnerable, and anyone who knew how to exploit it could watch your child from anywhere in the world, without your knowledge.
So you asked them: What can I do? And they said the manufacturer had not provided a fix, and they tried to get complete source code for GNU/Linux (as the manufacturer is required to provide), but the manufacturer refused. And they told you that without the complete source code to GNU/Linux (including the scripts used to control compilation, and especially installation of the executable) they couldn't fix your baby monitor (nor could any third party, not even a sophisticated software repair company), even though a fix was available and ready to be applied.
Sound like a fairy tale? Unfortunately it's not. This situation is all too real, and will be increasingly common as more and more people rely on out-of-compliance devices running GNU/Linux and other copylefted code (i.e. code with built-in software right to repair) for crucial parts of their lives. This is one major reason why we at Software Freedom Conservancy (SFC) care so much about defending your software right to repair: it has huge impacts on how you live, and how (and whether) you can secure yourself and your loved ones.