Security Leftovers
-
Red Hat Official ☛ The Marvin Attack
Since that time, we have identified lots of other vulnerable implementations and have shipped fixes. Note that most of the CVEs in applications that use OpenSSL have only received workarounds, not complete fixes. If such applications are used with hardware security modules (HSMs) or smart cards (PKCS #11 tokens), they may still be vulnerable.
-
Ubuntu ☛ Meet DISA-STIG compliance requirements for Ubuntu 22.04 LTS with USG
DISA, the Defense Information Systems Agency, recently published their Security Technical Implementation Guide (STIG) for Ubuntu 22.04 LTS in April 2024. We’re pleased to now release the Ubuntu Security Guide profile to enable customers to automatically harden and audit their Ubuntu 22.04 LTS systems for the STIG.
-
Debian Family
-
Daniel Pocock ☛ Sheriff of Cork & Debian Edward Brocklesby or Brockelsby Street confusion
We've seen lots of rude comments about confusion between domain names and trademarks but what about the confusion between different permutations of the name Brocklesby / Brockelsby?
In my last blog, we looked at some of the most unique names in the Debian and FSFE world and I noted that it may be foolish for infiltrators to use names like this because every change they make in the code would attract extra scrutiny.
On the other hand, a name that looks very English and is easily confused like Brocklesby/Brockelsby would appear to be a far more subtle opportunity to obfuscate the real identity.
-
Confidentiality
-
Troy Hunt ☛ Troy Hunt: The State of Data Breaches
I'm talking about class actions. I wrote about my views on this a few years ago and nothing has changed, other than it getting worse. I regularly hear from data breach victims about them wanting compensation for the impact a breach has had on them yet when pushed, most struggle to explain why. We've had multiple recent incidents in Australia where drivers' licences have been exposed and required reissuing, which is usually a process of going to a local transport office and waiting in a queue. "Are you looking for your time to be compensated for?", I asked one person. We have to rotate our licences every 5 years anyway, so would you pro-rata that time based on the hourly value of your time and when you were due to be back in there anyway? And if there has been identity theft, was it from the breach you're now seeking compensation for? Or the other ones (both known and unknown) from which your data was taken?
-
Federal News Network ☛ DoD study sees ‘big breakthrough’ with using AI for declassification
The research study, “Modernizing Declassification with Digital Transformation”, is sponsored by the Office of the Under Secretary of Defense for Intelligence and Security. It’s being carried out by the University of Maryland’s Applied Research Laboratory for Intelligence and Security (ARLIS), one of DoD’s University Affiliated Research Centers.
J.D. Smith, chief of the records and declassification division at DoD’s Washington Headquarters Services, said the research project validated a proof of concept that shows AI and machine learning models can use “contextual understanding” to perform records management and declassification functions.
-