
Will Red Hat Buy Docker Inc?

darthcamaro writes: Red Hat CEO Jim Whitehurst bought a company called Gluster from Ben Golub in 2011 for $136 million. Now in 2015, Golub is the CEO of Docker Inc and Whitehurst might be considering buying another company from Golub — or not. In a video interview from the Red Hat Summit Whitehurst states that he's ok with how his company is doing on Docker on its own — but he adds that you should never say never when it comes to what could happen in the future.

Docker and CoreOS Join Together for Open Container Project at Linux Foundation

darthcamaro writes: the great schism in the container world is now at an end. Today, Docker and CoreOS, announced along with Amazon Web Services, Apcera, Cisco, EMC, Fujitsu, Goldman Sachs, Google, HP, Huawei, IBM, Intel, Joyent, the Linux Foundation, Mesosphere, Microsoft, Pivotal, Rancher Labs, Red Hat and VMware the Open Container Project, as a Linux Foundation Collaborative Project. The new effort will focus specifically on libcontainer — providing a baseline for a container runtime.

"By participating with Docker and all the other folks in the OCP, we're getting the best of all worlds," Alex Polvi, CEO of CoreOS told eWEEK. "We're getting the contributions from Docker with the format and runtime that underpin container usage, and then we're also getting the shared standard and vendor neutrality aspects that we've designed with app container."


Rancher Labs Raises $10 Million for Docker-Optimized Linux Distro without Systemd

darthcamaro writes: Who doesn't like systemd? (raise your hands or comment below..) — beyond that, apparently Docker doesn't work as well as it should with systemd either. So new startup Rancher Labs has now raised $10 million to build out a systemd-less, Docker-optimized Linux distro.

"We saw that there was a lot of conflict between systemd and Docker," Shannon Williams, co-founder of Rancher Labs, said in a video interview.


Google, VMware, RedHat Embrace CoreOS' App Container Spec - What now Docker?

darthcamaro writes: Big news today in container land as Google, VMware, Red Hat and Apcera are now supporters of the CoreOS-led App Container spec (appc), which aims to define a broader spectrum of app containers beyond just Docker.

"The compatibility that we are aiming for is someone who packages up an image to run on top, or rkt should run another compatible runtime such as Kurma," Alex Polvi CEO of CoreOS explained. "This promise of having portability was something that the industry didn't quite achieve with virtual machines and cloud."

The big outstanding question though is with the new appc support — where does that leave Docker?

Heartbleed One Year Later: Has Anything Changed?

darthcamaro writes: It was on April 7, 2014 that the CVE-2014-0160 vulnerability titled "TLS heartbeat read overrun" in OpenSSL was first publicly disclosed — but to many it's a bug known simply as Heartbleed. A new report from certificate vendor Venafi claims that 76% of organizations are still at risk, though it's a statistic that is contested by other vendors as well as other statistics. Qualys' SSL Pulse claims that only 0.3 percent of sites are still at risk. Whatever the risk is today, the bottom line is that Heartbleed did change the security conversation — but did it change it for the better or the worse?

Firefox's Opportunistic Encryption Turns into an Opportunity for Hackers

darthcamaro writes: Barely a week ago, Mozilla released Firefox 37, with a key new feature being Opportunistic Encryption. The basic idea behind Opportunistic Encryption is that it acts to encrypt data that might have otherwise been sent by a user over clear text. It's a great opportunity to improve the security of the web, but as it turns out, it's also another opportunity for hackers to exploit users. Mozilla has already issued Firefox 37.0.1 removing Opportunistic Encryption after a security vulnerability was reported in the underlying Alternative Services capability that helps to enable Opportunistic Encryption.

"We plan to re-enable this feature once we've had time to fully investigate the issue," Chad Weiner, director of product management at Mozilla, said.


Every Browser Hacked at Pwn2own 2015 as HP Pays out $557,500 in Awards

darthcamaro writes: Every year, browser vendors patch their browsers ahead of the annual HP Pwn2own browser hacking competition in a bid to prevent exploitation. Sad truth is that it's never enough. This year, security researchers were able to exploit fully patched versions of Mozilla Firefox, Google Chrome, Microsoft Internet Explorer 11 and Apple Safari in record time. For their efforts, HP awarded researchers the princely sum of $557,500. So why does this happen every year? Why can't browser vendors actually produce software that can't be exploited — year after year?

"Every year, we run the competition, the browsers get stronger, but attackers react to changes in defenses by taking different, and sometimes unexpected, approaches," Brian Gorenc, manager of vulnerability research for HP Security Research, said.


Red Hat Enterprise Linux 7.1 and Atomic Host Hit General Availability

darthcamaro writes: Red Hat today released the first milestone update to its flagship Red Hat Enterprise Linux 7.x (RHEL) platform. Among the new features in RHEL are the Dogtag certificate system and improved two-factor authentication support. Perhaps more noteworthy is the first release of Red Hat Enterprise Linux 7.1 Atomic Host, which is an optimized version of RHEL specifically for the deployment of Docker containers. Red Hat is using Google Kubernetes for orchestration and the OSTree open source technology as a way to enable 'snappy' transactional updates and rollback capabilities. Atomic Host also introduces the concept of 'super-privileged' containers. The super-privileged containers allow users to deploy system services as containers and then run those service containers with privileged access to the host system.

DNS Hacked / Brought Back Online by CloudFlare

darthcamaro writes: Multiple reports emerged this afternoon about an attack against Lenovo, allegedly executed by the notorious Lizard Squad. It appears as though the attackers were able to hack's domain registrar and change the DNS records. Though Lenovo wasn't a customer of security vendor CloudFlare, CEO Matt Prince said that his firm was able to jump in and fix the situation.

Canonical Launches Internet of Things Division Embedding Ubuntu Linux Everywhere

darthcamaro writes: Ubuntu Linux isn't just for desktops, servers and the cloud anymore; Mark Shuttleworth wants Ubuntu to be the operating system of choice for the Internet of Things too. The new Snappy Ubuntu Core is being targeted at device developers and it's the basis for an entire new division of Canonical Inc. The promise of Snappy Ubuntu Core is also one of security, protecting the devices of the world by keeping them updated.

With Snappy there is also a division of responsibilities for updating that can also help protect IoT devices and users.

"So we could deliver an update for a Heartbleed or Shellshock vulnerability, completely independently of the lawnmower control app that would come from the lawnmower company," Shuttleworth said.


Mark Shuttleworth Says Open-Source is More Secure Because of Diversity

darthcamaro writes: 2014 was seen by some as a tough year for open-source, given the Heartbleed and Shellshock vulnerabilities that impacted millions of users and systems. Mark Shuttleworth, founder of Ubuntu Linux (and former space tourist) has a different view. 2014 was a great year for him, as he marked the 10th anniversary of Ubuntu — and in terms of security he knows exactly why the open-source model is superior.

"The great thing about open source is that it's so dynamic and has so much innovation, that we have much more diversity in our ecosystem than there has ever been in the proprietary ecosystem," Shuttleworth said. "You'll never stop security issues from occurring in either open source or proprietary software but you deal with issues faster in open source."


WordPress Can Now Automatically Update Plugins

darthcamaro writes: There have been lots of stories here on /. in recent years about vulnerable WordPress plugins that aren't patched by users, resulting in those sites being exploited by attackers. While WordPress has provided a fully automated way to keep the core WordPress application updated for security fixes, plugins have been a gap. With the new Jetpack update from, a site administrator can now choose a setting that will enable automatic updates of plugins.
Is this the feature that could make massive WordPress exploits extinct in the future?


Comment: Grinch is not a flaw - has no CVE!!! (Score 5, Informative)

The linked story is factually incorrect. Red Hat (and others) have publicly stated that this isn't a flaw at all but is in fact an expected and specified feature of PolicyKit. I spoke with Red Hat on this, which is something that neither of the linked articles in this /. post did. It's not a flaw at all.
Also check out the Red Hat Knowledgebase article on this too.

A report has been released detailing an issue that the reporter is naming "Grinch". This report incorrectly classifies expected behavior as a security issue.

Linux Hit by Privilege Escalation Flaw; The Grinch is Not to Blame

darthcamaro writes: Some media outlets in the past 24 hours have been reporting on a new alleged flaw in Linux that has been branded as the Grinch. The only problem with the flaw is that it's not actually a flaw at all; it's a pre-defined feature in PolicyKit.

"Basically, this bug report on Grinch was a bit more sensational than it needed to be," Josh Bressers, lead of the Red Hat Product Security Team, said.

Ironically though, the same day that the Grinch was disclosed, a bona fide real Linux kernel privilege escalation vulnerability identified as CVE-2014-9322 was disclosed and patched.

After a Five Year Delay, Snort 3.0 is Back in Development

darthcamaro writes: The world's most popular open-source Intrusion Prevention System (IPS) has long been Snort, but it has been a while since there has been a major upgrade. Back in 2009 an effort started to build a Snort 3.0, but it got shelved. This week, Cisco announced that Snort 3.0 is now in development and it will bring a new policy language engine and a new command line shell.

"The user-friendliness features, for example, might enable users to build a programmatic interface for Snort, so when you run it, it can ask the user what class of attacks to look for," Marty Roesch, Snort founder, said.
