Security Leftovers
-
LWN ☛ Security updates for Friday
Security updates have been issued by Fedora (chromium, libreoffice, and thunderbird), Red Hat (.NET 7.0, .NET 8.0, gdk-pixbuf2, git-lfs, glibc, python3, and xorg-x11-server-Xwayland), SUSE (firefox, opensc, and ucode-intel), and Ubuntu (cjson and gnome-remote-desktop).
-
William ☛ William Brown: Reproducible Builds
As the maintainer of Rust in openSUSE I am often asked to support build reproducibility in our supply chain. I've spent countless hours researching the problem, and discussing it with security experts to understand details.
Thanks to the XZ incident this topic has once again come up, since after any security incident people always use the attention to further their own agendas. As a result, I'd like to write my very not scientific thoughts about reproducible builds.
-
Security Week ☛ In Other News: China’s Undersea Spying, Hotel Spyware, Iran’s Disruptive Attacks
Noteworthy stories that might have slipped under the radar: Chinese repair ships might be spying on undersea communications, spyware found at hotel check-ins, UK not ready for China threat.
-
Bruce Schneier ☛ On the Zero-Day Market
New paper: “Zero Progress on Zero Days: How the Last Ten Years Created the Modern Spyware Market”:
Abstract: Spyware makes surveillance simple. The last ten years have seen a global market emerge for ready-made software that lets governments surveil their citizens and foreign adversaries alike and to do so more easily than when such work required tradecraft. The last ten years have also been marked by stark failures to control spyware and its precursors and components. This Article accounts for and critiques these failures, providing a socio-technical history since 2014, particularly focusing on the conversation about trade in zero-day vulnerabilities and exploits.
-
Richard W.M. Jones: I was interviewed on NPR Planet Money
I was interviewed on NPR Planet Money about my small role in the Jia Tan / xz / ssh backdoor.
NPR journalist Jeff Guo interviewed me for a whole 2 hours, and I was on the program (very edited) for about 4 minutes! Quite an interesting experience though.
-
Support for Istio 1.20 ends on June 25, 2024
According to Istio’s support policy, minor releases like 1.20 are supported until six weeks after the N+2 minor release (1.22 in this case). Istio 1.22 was released on May 13th, 2024, and support for 1.20 will end on June 25th, 2024.
At that point we will stop back-porting fixes for security issues and critical bugs to 1.20, so we encourage you to upgrade to the latest version of Istio (1.22). If you don’t do this you may put yourself in the position of having to do a major upgrade on a short timeframe to pick up a critical fix.
-
Diffoscope ☛ Reproducible Builds (diffoscope): diffoscope 268 released
The diffoscope maintainers are pleased to announce the release of diffoscope version 268. This version includes the following changes:
* Drop apktool from Build-Depends; we can still test our APK code via autopkgtests. (Closes: #1071410)
* Fix tests for 7zip version 24.05.
* Add a versioned dependency for at least version 5.4.5 for the xz tests; they fail under (at least) xz 5.2.8. (Closes: reproducible-builds/diffoscope#374)
* Relax Chris' versioned xz test dependency (5.4.5) to also allow version 5.4.1.
-
Windows TCO
-
[Repeat] Dedoimedo ☛ Windows 11, the gift that keeps on giving
Every time I think Windows 11 cannot surprise me with nonsense anymore, buzzer, bzzzzzzz, wrong. There's always something new. But hey, anger and fresh material for articles, winning. As it happens, a few weeks ago, I powered on my IdeaPad 3 laptop for some dual-boot testing, Plasma 6 and all. Once I was done with that, I thought I should boot into Windows 11, and do some basic maintenance, updates and such.
Like the opening sentence of the War of the Worlds musical, no one would have believed ... that I would find myself behind the keyboard for a good few hours, fuming, tweaking, trying to get the operating system in order, yet again. The exercise from six months ago, repeated, with interest. Let's talk.
-
Tom's Hardware ☛ 'ShrinkLocker' ransomware uses BitLocker against you — encryption-craving malware has already been used against governments [Ed: BitLocker has back door [1, 2]]
The ShrinkLocker ransomware attack uses BitLocker to encrypt corporate systems and destroy all recovery methods. The new attack is more directed at destruction than extortion.
-
The Register UK ☛ Yet more ransomware uses BitLocker to encrypt victims' files
Criminals, including ransomware gangs, using legitimate software tools is nothing new — hello, Cobalt Strike. And, in fact, Microsoft previously said Iranian miscreants had abused Windows' built-in BitLocker full-volume encryption feature to lock up compromised devices. We can recall other strains of extortionware using BitLocker on infected machines to encrypt data and hold it to ransom.
-