Comment Re:When will sudo read email? (Score 1) 19

I assume that there's a research OS somewhere that has discovered that this is much harder than it looks for anything nontrivial; quite possibly even worse than the problem that it is intended to cure; but looking at the increasingly elaborate constructs used when sudo is intended to be a granular delegation makes me wonder if the correct approach lies down the path of better permissions rather than ad-hoc lockdown logic.

There are some cases (e.g. password-change or login tools often both reflect granularity limits in credential storage; and make reads or edits on your behalf to parts of files that you wouldn't be allowed to touch directly; but also do things like enforce complexity or age requirements that would require a really expansive view of 'permissions' to encompass) where the delegate program is handling nontrivial delegation logic on its own; but in a lot of instances it's hard to escape the impression that you are basically bodging on 'roles' that can't be or aren't normally expressed in object and device permissions by building carefully selectively broken tools.

I obviously don't blame sudo for that; its scope is letting you run a particular thing as someone else if the sudoers file allows it; but a lot of sudoers files might as well just say "there are no roles on this system between 'useless' and 'apocalyptic'"; and that feels like a permissions design problem.

Of note; probably not one to try to NT yourself out of; I'm not sure that you can build a sufficiently expressive set of permissions on classic UNIX style ones; but I've yet to see an NT-derived system that didn't boil down to 'admin-which-can-be-SYSTEM-at-a-whim'/'little people' regardless of the wacky NT ACL tricks you can get up to.

I'm curious if it's a case of the alternatives being tried and largely found to be worse; or if (along with a number of other OS design/architecture fights) the whole thing has mostly been pushed out of mainstream relevance by the degree to which you can just pretend everything inside a worker VM is basically at a homogeneous privilege level if you don't want to deal with it.

Comment Re: I may be "old fashoned", but... (Score 1) 158

It seems like a way to do multiplication by doing addition.

That's because that's exactly what it's for, along with doing division via subtraction. And, you can use loglogs (the logarithm of a logarithm) to do exponentiation and find roots. Interestingly, I once mentioned loglogs to two friends, a physics professor and a mathematical astronomer turned programmer and neither of them recognized what I was talking about.

Submission + - This overlooked Linux boot flaw defeats Secure Boot, here's how to fix it (nerds.xyz)

BrianFagioli writes: Security researcher Alexander Moch of ERNW has uncovered a surprisingly effective method for bypassing Secure Boot protections on modern Linux systems. No, the vulnerability is not in the kernel or GRUB. Actually, it is in the initramfs, and it is hiding in plain sight.

Most hardening guides focus on well-known defenses like full disk encryption, password protected bootloaders, and Secure Boot. But few mention what happens if someone gets their hands on your laptop for just a few minutes. It turns out they can drop into a debug shell from the initramfs, modify it, and inject persistent malware all without ever touching the signed kernel or breaking Secure Boot.

On distributions like Ubuntu 25.04 and Fedora 42, repeatedly failing the password prompt for an encrypted root partition can trigger a debug shell. From there, Moch demonstrates how an attacker could use a USB drive with a few prepared scripts to chroot into the target system and modify the initramfs. A custom script can be inserted into the boot sequence that silently executes each time the system starts up.

The problem stems from the fact that the initramfs is not typically signed. While the kernel and its modules are signed for Secure Boot compliance, the initramfs remains unsigned because it is generated locally and tailored to the host. That makes it easy to modify with no alarms going off.

It's worth mentioning, this is not a totally new attack. It echoes CVE-2016-4484 and similar techniques like EvilAbigail from 2015 and de-LUKS from 2018, but it is still widely effective today. The attack was tested on modern distributions using default encrypted configurations, including systems with Secure Boot enabled. While some distributions like OpenSuSE Tumbleweed encrypt the boot partition by default and are more resilient, most others including Ubuntu are vulnerable out of the box.

Hardening tools like Lynis and even the CIS Benchmarks for Ubuntu and Red Hat do not mention this risk. NIST STIGs are also silent on the matter.

The fix is shockingly simple.

On Ubuntu, just add panic=0 to your kernel parameters. On Red Hat based systems, use rd.shell=0 rd.emergency=halt. This prevents the system from dropping into a debug shell during boot failures. Beyond that, users can require a bootloader password for every boot, not just when editing entries. Encrypting the boot partition with LUKS or enabling the SSD's built in encryption are other solid steps.

Longer term solutions include using Unified Kernel Images which bundle and sign the kernel and initramfs together, or relying on TPMs to measure boot components. But those are not fully rolled out yet across the Linux ecosystem.

Moch's full writeup includes proof of concept scripts and step by step instructions for modifying the initramfs once access to the debug shell is gained. While his demo uses a harmless timestamp writing script as an example, the same method could be used for far more serious attacks.
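The submission above names two kernel command-line settings as the fix. The script below is an added audit helper, not part of the submission or of Moch's ERNW writeup: it takes a kernel command line (for example the contents of /proc/cmdline) and reports whether it carries the initramfs-tools setting (panic=0) or the dracut pair (rd.shell=0 rd.emergency=halt) the submission recommends. The split into an "Ubuntu" and a "Red Hat" convention follows the submission; the last-value-wins handling of repeated parameters and the sample command lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added audit example, not from the submission or from Moch's writeup.
# Checks a kernel command line for the parameters the submission recommends
# so that a boot failure does not drop into the initramfs debug shell:
#   initramfs-tools (Ubuntu): panic=0
#   dracut (Red Hat):         rd.shell=0 rd.emergency=halt
# Assumption: when a parameter appears more than once, the last value wins.

# Print the value of the last occurrence of KEY=VALUE in CMDLINE (empty if absent).
last_param_value() {
    lpv_key="$1"; lpv_cmdline="$2"; lpv_value=""
    for lpv_param in $lpv_cmdline; do
        case "$lpv_param" in
            "$lpv_key"=*) lpv_value="${lpv_param#*=}" ;;
        esac
    done
    printf '%s' "$lpv_value"
}

# Return 0 when CMDLINE contains one of the recognised lockdowns, 1 otherwise.
# Usage on a live host: debug_shell_disabled "$(cat /proc/cmdline)"
debug_shell_disabled() {
    dsd_cmdline="$1"
    # initramfs-tools convention: panic=0 reboots instead of spawning a shell
    if [ "$(last_param_value panic "$dsd_cmdline")" = "0" ]; then
        return 0
    fi
    # dracut convention: both parameters are required, per the submission
    if [ "$(last_param_value rd.shell "$dsd_cmdline")" = "0" ] &&
       [ "$(last_param_value rd.emergency "$dsd_cmdline")" = "halt" ]; then
        return 0
    fi
    return 1
}

# Human-readable wrapper suitable as one step of a hardening audit.
audit_cmdline() {
    if debug_shell_disabled "$1"; then
        echo "OK:   kernel cmdline disables the initramfs debug shell"
    else
        echo "WARN: a boot failure may drop into an initramfs debug shell"
    fi
}

# Constructed sample command lines (placeholders, not captured from a real host).
SAMPLE_UBUNTU_WEAK="BOOT_IMAGE=/vmlinuz root=/dev/mapper/vg-root ro quiet splash"
SAMPLE_UBUNTU_FIXED="BOOT_IMAGE=/vmlinuz root=/dev/mapper/vg-root ro quiet splash panic=0"
SAMPLE_RHEL_PARTIAL="BOOT_IMAGE=/vmlinuz rd.luks.uuid=luks-PLACEHOLDER rd.shell=0"
SAMPLE_RHEL_FIXED="BOOT_IMAGE=/vmlinuz rd.luks.uuid=luks-PLACEHOLDER rd.shell=0 rd.emergency=halt"
SAMPLE_OVERRIDDEN="BOOT_IMAGE=/vmlinuz root=/dev/sda2 panic=0 panic=30"

for c in "$SAMPLE_UBUNTU_WEAK" "$SAMPLE_UBUNTU_FIXED" \
         "$SAMPLE_RHEL_PARTIAL" "$SAMPLE_RHEL_FIXED" "$SAMPLE_OVERRIDDEN"; do
    audit_cmdline "$c"
done
```

The check only inspects the running kernel's parameters; it says nothing about whether the initramfs itself has been altered, which is the gap the submission describes, so it belongs next to a bootloader-password and boot-partition-encryption check rather than in place of them.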

Comment Re:The core of the problem (Score 3, Informative) 47

If the summary is correct (which isn't a guarantee, I know), they didn't straight up lie; nobody intentionally made the modifications, it was the photo editing software that tried to be helpful. You can certainly criticize them for not noticing the changes, but my guess is that whoever originally said they didn't modify the photo just asked other people and didn't personally check for themselves.

Comment Re:Sometimes, size doesn't matter (Score 1) 151

I notice that you confine your reply to a cheap shot about my supposed ignorance and avoid responding to my question about the battle that turned the IJN back for the first time and the one that crushed its main strike force, and taking the initiative away from them for the rest of the war.

Comment Re:Teach code reviewing (Score 1) 158

It's almost certainly because you didn't do enough programming in college.

I agree entirely. I teach an intro to programming course at one of the well-known universities. It is a lab course with 2 hours of teaching contact time per week, 2 hours of reading time per week, and 8 hours of expected programming time per week. The students learn by doing.

Comment Re:Give fish to them (Score 1) 69

The point at which some environmentalism reveals itself as misanthropy is where "don't feed the animals" is commanded because it's "unnatural."

Most "don't feed the animals" rules are because people tend to feed animals "unnatural" foods like processed grains and meats, which aren't safe for the animals to eat.

Comment Re:Death is Inevitable, Aging may not be (Score 2) 39

What do you find so funny about the University of Bologna? It was founded in 1088 CE, and is the oldest continually operating university in the world. And no, I didn't know any of that until I read your post and took a moment to do the trivial bit of research that you should have done before showing the world how ignorant you are and how unwilling to learn. Now get off my lawn and go tell your mother she wants you!

Submission + - Ingram Micro admits ransomware attack is disrupting orders and systems (nerds.xyz)

BrianFagioli writes: Ingram Micro is facing a serious disruption after discovering ransomware on parts of its internal systems. The tech distributor confirmed the cyberattack today and says it's working to restore operations as quickly as possible.

Here is the full statement issued by the company:

"Ingram Micro recently identified ransomware on certain of its internal systems. Promptly after learning of the issue, the Company took steps to secure the relevant environment, including proactively taking certain systems offline and implementing other mitigation measures. The Company also launched an investigation with the assistance of leading cybersecurity experts and notified law enforcement.

Ingram Micro is working diligently to restore the affected systems so that it can process and ship orders, and the Company apologizes for any disruption this issue is causing its customers, vendor partners, and others."

At the moment, Ingram Micro has not disclosed who is behind the attack or whether any customer or partner data was exposed. But by taking systems offline, the company is clearly prioritizing containment and recovery over speed.

Ransomware incidents like this continue to plague the tech industry, and for a company like Ingram Micro that plays a key role in global supply chains, even temporary outages can have wide-reaching effects.

If you rely on Ingram Micro for products or services, expect delays while the company works to get its systems back online.

Comment Re:sudo-rs (Score 1) 19

The systemd version takes a similar approach - only handling the 99.9% use case of running a local command as a different user based on some basic rules and only really providing a userspace implementation without suid.

IIRC that use case is about 15% of OG sudo's code but most distros carry around all the features. I dunno, maybe it can be compiled without those but I don't see that in distros I've used.

Comment Re:What the fuck?! (Score 1) 28

Corporatism is a distinct concept from Capitalism. That's the one you're describing. There's been a psyop by Socialists to describe corporatism as capitalism so they get more of a merger of business and State (fascism).

Corporations are creations of a government in which governments get a cut and politicians get bribes in exchange for protection from justice for the corporate actors' crimes.

If you read Adam Smith he described this as Mercantilism in his time and recommended free market capitalism as its antidote with an emphasis on the accumulation of capital and investment into more competitive production.

Von Mises fleshed this out more a couple centuries later (followed by Hayek and Rothbard). The definitive work is /Man, Economy, and State/ which breaks it all down in tremendous detail.

Notably corporations in the early USA were limited to public works projects and had time-limited grants (e.g. for building a bridge or later the railroads).

JD Rockefeller bribed Congress during Reconstruction to make corporations permanent, so he wouldn't lose his charter for Standard Oil. He later wrote the Sherman Anti-trust Act to hurt his competition.

Today we have immortal psychopathic corporations with a legal mandate to be depraved and with legal personhood. The Dulles brothers created the CIA to fight wars and conduct assassinations on behalf of the corporations. cf. United Fruit or the Pepsi War.

After the Revolution remember to forbid corporations. The Gini Coefficient is too damn high.
