
Submission + - Government of Canada's Plan to Improve Cybersecurity? Be Less Attractive (eweek.com)

darthcamaro writes: Though Justin Trudeau is the envy of many world leaders for his likeability, the head of the Canadian Centre for Cyber Security at the Canadian Security Establishment (CSE), which helps to protect federal government networks, says that his agency is trying to make Canada less attractive — to hackers.

Speaking at the SecTor conference in Toronto, Scott Jones said:
"By doing the basics, you're making the adversaries that come after you deploy more advanced tools and techniques, and you just might not be worth the expense," Jones said. "My ultimate goal is to make Canada unattractive to cyber-criminals and data hackers, because our community is vigilant and engaged so much so that threat actors aren't enticed to even attack us."

Submission + - Torvalds No Longer Knows the Whole Linux Kernel And That's OK (eweek.com)

darthcamaro writes: In a wide-ranging conversation at the Open Source Summit, Linus Torvalds admitted that he no longer knows everything that's in Linux.

"Nobody knows the whole kernel anymore," Torvalds said. "Having looked at patches for many years, I know the big picture of all the areas in the kernel and I can look at a patch and know if it's right or wrong."

Overall, he emphasized that being open source has enabled Linux to attract new developers that can pick up code and maintain all the various systems in Linux. In his view, the only way to deal with complexity is to be open.

Submission + - Is Linus' Law Still Valid? Do Many Eyeballs In fact Make All Bugs Shallow? (esecurityplanet.com)

darthcamaro writes: Among the basic tenets that have underpinned open source development for the last two decades is that having more eyeballs looking at code means that bugs (and security vulnerabilities) will be found quicker. It's a concept known as Linus' Law. But is it a law that is still valid today in 2018?

Linus' Law, named in honor of Linux creator Linus Torvalds, has for nearly two decades been used by some as a doctrine to explain why open source software should have better security. In recent years, open source projects and code have experienced multiple security issues, but does that mean Linus' Law isn't valid? According to Dirk Hohndel, VP and Chief Open Source Officer at VMware, Linus' Law still works, but there are larger software development issues that impact both open source as well as closed source code that are of equal or greater importance.


Submission + - SPAM: Memcached Attacks Slow Down - But It's Not Due to the Kill Switch

darthcamaro writes: Days after the massive 1.7 Terabit per second memcached reflection Distributed Denial of Service attack set a new internet record, there are signs that attack sizes are getting smaller. According to Arbor Networks, which defended against the 1.7 Tbps attack, memcached DDoS attacks have gotten a lot smaller in recent days. The prevailing idea is that memcached administrators have patched their systems, or simply disabled access to the outside internet. Of note, the so-called "kill switch" that some vendors have proposed is not actually the solution.
from the article:
"The 'kill switch' was immediately obvious to everyone who worked on mitigating this DDoS attack," Graham-Cumming said. "We chose not to use or test this method because it would be unethical and likely illegal since it alters the state of a remote machine without authorization."


Submission + - Attackers Drain CPU Power from Water Utility Plant in Cryptojacking Attack (eweek.com)

darthcamaro writes: Apparently YouTube isn't the site that is draining CPU power with unauthorized cryptocurrency miners. A water utility in Europe is *literally* being drained of its CPU power via a cryptojacking attack that was undetected for three weeks.
from the report:
At this point, Radiflow's investigation indicates that the cryptocurrency mining malware was likely downloaded from a malicious advertising site. As such, the theory that Kfir has is that an operator at the water utility was able to open a web browser and clicked on an advertising link that led to the mining code being installed on the system.

Submission + - Torvalds Wants Attackers to Join Linux Before They Turn to the "Dark Side" (eweek.com)

darthcamaro writes: People attack Linux every day and Linus Torvalds is impressed by many of them. Speaking at the Open Source Summit in LA, Torvalds said he wants to seek out those that would attack Linux and get them to help improve Linux, before they turn to the "dark side."

"There are smart people doing bad things, I wish they were on our side and they could help us," Torvalds said. "Where I want us to go, is to get as many smart people as we can before they turn to the dark side."
"We would improve security that way and get those that are interested in security to come to us, before they attack us," he added.


Submission + - Should the Internet Be Secure by Default? (esecurityplanet.com)

darthcamaro writes: There are lots of tools and different secure protocols that could be used by internet service providers to embed security into the fabric of the internet, making the internet secure by default, but that's not something that Facebook's Chief Security Officer, Alex Stamos wants to happen. Instead of security by default, his view is that carriers should be neutral and let malicious traffic do whatever it wants.

"I believe strongly in the end-to-end principle, I think we should have neutral carriers in the middle and it should not be the responsibility of ISPs to secure the internet," Stamos said in a press conference at the Black Hat USA conference last week.


Submission + - Docker's LinuxKit Incubating Multiple Security Projects to Improve Linux Security (eweek.com)

darthcamaro writes: Back in April, when Docker announced its LinuxKit effort, the primary focus appeared to just be about building a container-optimized Linux distribution. As it turns out, security is also a core focus — with LinuxKit now incubating multiple efforts to help boost Linux kernel security. Among those efforts is the WireGuard next generation VPN that could one day replace IPsec.

"We recognize that there are a tonne of people in the Linux community working on security improvements and we want LinuxKit to be a place where they can foster and grow their efforts," Nathan McCauley, Director of Security at Docker Inc, told eWEEK.

Submission + - Pwn2Own 2017 Takes Aim at Linux (eweek.com)

darthcamaro writes: For the first time in its ten year history, the annual Pwn2Own hacking competition is taking direct aim at Linux. Pwn2Own in the past has typically focused mostly on web browsers, running on Windows and macOS. There is a $15,000 reward for security researchers that are able to get a local user kernel exploit on Ubuntu 16.10. The bigger prize though is a massive $200,000 award for exploiting Apache Web Server running on Ubuntu.

Submission + - As Linux Turns 25: Torvalds Credits GPL for Success (eweek.com)

darthcamaro writes: There are a lot of things that make Linux work and today at the LinuxCon conference in Toronto, 25 years after he first announced Linux, Linus Torvalds talked about the highlight and the low-lights of Linux (so far). For low lights he talked about the process challenges during the Linux 2.4 timeframe. When asked why Linux hasn't ended up fragmented like UNIX — Torvalds had an easy answer — the GPL.

"I love the GPL and see it as a defining factor in the success of Linux," Torvalds said.


Submission + - Stagefright One Year Later - Not One Bug, but 115 (eweek.com)

darthcamaro writes: A year ago, on July 27, 2016, news about the Android Stagefright flaw was first revealed, with the initial reports claiming widespread impact with a billion users at risk. As it turns out, the impact of Stagefright has been more pervasive than a single point-in-time flaw. In fact, over the course of the last 12 months, Google has patched no less than 115 flaws in Stagefright and related Android media libraries. Joshua Drake, the researcher who first discovered the Stagefright flaw, never expected it to go this far.

"I expected shoring up the larger problem to take an extended and large effort, but I didn't expect it to be ongoing a year later," Drake said.


Submission + - Lennart Poettering Admits he Doesn't Understand SELinux (serverwatch.com)

darthcamaro writes: No surprise, but Lennart Poettering, the father of (love it or hate it..) systemd prefers it over other systems that can be used to secure Linux, including Red Hat (his employer) and its SELinux.

"My recommendation is that, systemd settings are easy and are just boolean expressions that most people will easily understand, that's why I created them and that's why I think they are more useful to more people than an SELinux policy," Poettering said during a keynote at the CoreOS Fest in Berlin. "There are probably only 50 people in the world that understand SELinux policies, but I really hope there are more than 50 people that understand systemd."


Submission + - All Linux Kernel Bugs are Potential Security Risks: Greg Kroah-Hartman (eweek.com)

darthcamaro writes: At the CoreOS Fest event in Berlin this week, Linux stable kernel maintainer Greg Kroah-Hartman provided some impressive stats on Linux kernel development. From April 2015 to March 2016, there were 10,800 new lines of code added, 5,300 lines removed and 1,875 lines modified in Linux every day. All that change however represents a non-trivial security risk.

"When we push out the fixes, you better take advantage of it," Kroah-Hartman said. "If you are not using a stable, long-term kernel, your machine is insecure."


Submission + - CoreOS Ramps up Funding & Tech to Take on Docker (eweek.com)

darthcamaro writes: In a day full of activities at CoreOS Fest in Berlin (and simulcast in San Francisco), CoreOS announced a new $28 Million round of funding, new features in the etcd key value store (that is part of Kubernetes), a new microservice authentication technology, BitTorrent download of container images and a new Cloud Native Computing Foundation project called Prometheus to help with container monitoring. While CoreOS started out just as a Docker ecosystem vendor, it's now clear they're ramping up to take Docker Inc on, head-on.

Submission + - Shuttleworth Pledges to Never Weaken Encryption in Ubuntu (eweek.com)

darthcamaro writes: As work kicks off this week to build the Ubuntu 16.10 distribution (which may or may not include Mir), there is one item that is certain and that's security. In a video interview, Shuttleworth doubles down on security, emphatically stating that he will never allow weak encryption in Ubuntu.

"We don't do encryption to hide things, we do encryption so we can choose what to share," Shuttleworth said. "That's a profound choice we should all be able to make."

