Security Leftovers and Windows TCO
Google ☛ Blasting Past Webp
LWN ☛ The burden of knowledge: dealing with open-source risks
Organizations relying on open-source software have a wide range of tools, scorecards, and methodologies to try to assess security, legal, and other risks inherent in their so-called supply chain. However, Max Mehl argued recently in a short talk at FOSS Backstage in Berlin (and online) that all of this objective information and data is insufficient to truly understand and address risk. Worse, this information doesn't provide options to improve the situation and encourages a passive mindset. Mehl, who works as part of the CTO group at DB Systel, encouraged better risk assessment using qualitative data and direct participation in open source.
Mehl started with a few assumptions about the audience and open-source usage at the organizations they worked at. The first assumption was that audience members were in some way responsible for the use of open source in their organization. Next, those organizations have a five- to seven-digit number of open-source packages in use, spread out among a three- to five-digit number of internal projects. Many of the packages in use at those organizations are direct dependencies—the software the organization's developers actively chose to use—but the majority are indirect dependencies that are required for the software the organization wants to use.
Windows TCO / Windows Bot Nets
Security Week ☛ Russian Ransomware Gang Exploited Windows Zero-Day Before Patch
Exploitation of the zero-day, flagged as CVE-2025-26633 and fixed on Patch Tuesday, is being pinned on a group identified as EncryptHub (an affiliate of RansomHub that Trend Micro calls Water Gamayu).
The Record ☛ British company Advanced fined £3m by privacy regulator over ransomware attack
The company had initially faced a fine of £6 million before coming to a voluntary settlement with the Information Commissioner’s Office (ICO) which announced on Thursday that the company’s security failings “put the personal information of 79,404 people at risk.”
Under both the European Union and United Kingdom’s data protection laws, organizations controlling and processing personal data are required to protect that data and can face investigations and fines from regulators in the wake of an incident.
Integrity/Availability/Authenticity
The Register UK ☛ Public-facing Kubernetes clusters at risk of total takeover
Kubernetes (K8s) clusters are exposed more often than you might think to external HTTP/S traffic, to allow outside access to the applications they run. Putting the cluster admission controller out there, too, doesn't seem a great idea to us, but apparently thousands of them are accessible.
ABC ☛ Identity of hacker behind NSW court website data breach unknown, police say
"Upon further examination, they worked out that an account holder within the justice link system had gained an unlawful entry into that system," Mr Daley said.
ABC ☛ NSW court website involved in major data breach, 9,000 documents downloaded
The portal, which is overseen by the DCJ, provides access to sensitive information about both civil and criminal cases across the NSW court system.
NSW Police said detectives were investigating the "major data breach".
Sydney Morning Herald ☛ NSW courts data breach: at least 9000 documents exposed
The breach, which was discovered last week during maintenance and referred to the NSW Police State Crime Command’s Cybercrime Squad on Tuesday, affected the NSW Online Registry Website, an online platform that gives access to information from both civil and criminal cases in the NSW court system.
University of Toronto ☛ Three ways I know of to authenticate SSH connections with OIDC tokens
Suppose, not hypothetically, that you have an MFA-equipped OIDC identity provider (an 'OP' in the jargon), and you would like to use it to authenticate SSH connections. Specifically, like with IMAP, you might want to do this through OIDC/OAuth2 tokens that are issued by your OP to client programs, which the client programs can then use to prove your identity to the SSH server(s). One reason you might want to do this is because it's hard to find non-annoying, MFA-enabled ways of authenticating SSH, and your OIDC OP is right there and probably already supports sessions and so on. So far I've found three different projects that will do this directly, each with their own clever approach and various tradeoffs.
(The bad news is that all of them require various amounts of additional software, including on client machines. This leaves SSH apps on phones and tablets somewhat out in the cold.)