Security Patches, Incidents, FUD, and Windows TCO
-
LWN ☛ Security updates for Monday
Security updates have been issued by AlmaLinux (nodejs:18 and shim), Debian (atril and chromium), Fedora (chromium, glib2, gnome-shell, mediawiki, php-wikimedia-cdb, php-wikimedia-utfnormal, stb, and tcpdump), Gentoo (Kubelet, PoDoFo, Rebar3, and thunderbird), Mageia (glibc and libnbd), Oracle (kernel), Red Hat (bind and dhcp and varnish), and SUSE (chromium, cpio, freerdp, giflib, gnutls, opera, python-Pillow, python-Werkzeug, tinyproxy, and tpm2-0-tss).
-
OpenSSF (Linux Foundation) ☛ Unlock the Keys to Improved Software Security
This post summarizes key steps that software developers can take to improve software security. It is a text version of a talk given at Open Source Summit North America (OSS NA) 2024.
-
Security Week ☛ $2.5 Million Offered at Upcoming ‘Matrix Cup’ Chinese Hacking Contest
The Chinese hacking contest Matrix Cup is offering big rewards for exploits targeting OSs, smartphones, enterprise software, browsers, and security products.
-
LinuxSecurity ☛ McGrail Foundation Celebrates 20 Years of Fighting Email Threats with Its KAM Ruleset
Cyber risk is increasing for individuals and organizations, making flexible and robust solutions for identifying spam and malware increasingly critical. Apache SpamAssassin is an anti-spam framework we stand behind and have been using in Guardian Digital EnGarde Cloud Email Security for decades as a component of our email security solution to help detect fraudulent and malicious mail.
-
SANS ☛ Apple Patches Everything: macOS, iOS, iPadOS, watchOS, tvOS updated (Tue, May 14th)
Apple today released updates for its various operating systems. The updates cover iOS, iPadOS, macOS, watchOS and tvOS. A standalone update for Safari was released for older versions of macOS. One already exploited vulnerability, CVE-2024-23296 is patched for older versions of macOS and iOS. In March, Fashion Company Apple patched this vulnerability for more recent versions of iOS and macOS.
-
Bruce Schneier ☛ LLMs’ Data-Control Path Insecurity
Back in the 1960s, if you played a 2,600Hz tone into an AT&T pay phone, you could make calls without paying. A phone hacker named John Draper noticed that the plastic whistle that came free in a box of Captain Crunch cereal worked to make the right sound. That became his hacker name, and everyone who knew the trick made free pay-phone calls.
-
Security Week ☛ Europol Investigating Breach After Hacker Offers to Sell Classified Data
Europol is investigating a data breach, but says no core systems are impacted and no operational data has been compromised.
-
Security Week ☛ Cinterion Modem Flaws Pose Risk to Millions of Devices in Industrial, Other Sectors
A critical vulnerability in the Cinterion cellular modems can be exploited for remote code execution via SMS messages.
-
Security Week ☛ FBCS Collection Agency Data Breach Impacts 2.7 Million
Financial Business and Consumer Solutions (FBCS) says the personal information of 2.7 million was impacted in the recent data breach.
-
Net2 ☛ Ways to Protect Your Open-Source Software from Vulnerabilities During Development
Open-source software is gaining a lot of traction in the tech world. Developers, organizations, and even government entities are leveraging their collective power to innovate faster and to create better solutions at a lower cost. But while open source has its advantages, it also has its vulnerabilities.
-
APNIC ☛ Collaboratively increasing the DDoS resilience of digital societies through anti-DDoS Coalitions
Guest Post: Collaborative DDoS mitigation — from research to operational practice.
-
"Is This Project Still Maintained?" [Ed: the issue here]
As both a producer and consumer of open source software, I completely understand the reasons someone might want to know whether a project is abandoned. It’s comforting to be able to believe that there’s someone “on the other end of the line”, and that if you have a problem, you can ask for help with a non-zero chance of someone answering you. There’s also a better chance that, if the maintainer is still interested in the software, compatibility issues and at least show-stopper bugs might get fixed for you.
But often there’s more at play. There is a delusion that “maintained” open source software comes with entitlements – an expectation that your questions, bug reports, and feature requests will be attended to in some fashion.
This comes about, I think, in part because there are a lot of open source projects that are energetically supported, where generous volunteers do answer questions, fix reported bugs, and implement things that they don’t personally need, but which random Internet strangers ask for. If you’ve had that kind of user experience, it’s not surprising that you might start to expect it from all open source projects.
Of course, these wonders of cooperative collaboration are the exception, rather than the rule. In many (most?) cases, there is little practical difference between most projects that are “maintained” and those that are formally declared “unmaintained”. The contributors (or, most often, contributor – singular) are unlikely to have the time or inclination to respond to your questions in a timely and effective manner. If you find a problem with the software, you’re going to be paddling your own canoe, even if the maintainer swears that they’re still “maintaining” it.
-
Windows TCO
-
Scoop News Group ☛ Ransomware used in attack that disrupted US hospitals
Electronic health records and systems used to order tests, procedures and medications remain unavailable at some affected hospitals.
-
Federal News Network ☛ Congressmen request Abusive Monopolist Microsoft president testify about ‘cascade of security failures, cybersecurity shortfalls’ [Ed: They tried to distract everyone using Linux FUD that week; likely all pre-planned]
Leaders on the House Homeland Security Committee wrote to Brad Smith, the vice chairman and president of Microsoft, asking him to testify on May 22.
-