Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror

Submission + - Government of Canada's Plan to Improve Cybersecurity? Be Less Attractive (eweek.com)

darthcamaro writes: Though Justin Trudeau is the envy of many world leaders for his likeability, the head of of the Canadian Centre for Cyber Security at the Canadian Security Establishment (CSE), which helps to protect federal government networks says that his agency is trying to make Canada less attractive — to hackers.

Speaking at the SecTor conference in Toronto Scott Jones said:
"By doing the basics, you're making the adversaries that come after you deploy more advanced tools and techniques, and you just might not be worth the expense," Jones said. "My ultimate goal is to make Canada unattractive to cyber-criminals and data hackers, because our community is vigilant and engaged so much so that threat actors aren't enticed to even attack us."

Submission + - Torvalds No Longer Knows the Whole Linux Kernel And That's OK (eweek.com)

darthcamaro writes: In a wide ranging conversation at the Open Source Summit, Linus Torvalds admitted that he no longer knows everything that's in LInux.

"Nobody knows the whole kernel anymore," Torvalds said. "Having looked at patches for many years, I know the big picture of all the areas in the kernel and I can look at a patch and know if it's right or wrong."

Overall he emphasized that being open source, has enabled Linux to attract new developers that can pick up code and maintain all the various system in Linux. In his view, the only way to deal with complexity is to be open.

Submission + - SPAM: Memcached Attacks Slow Down - But It's Not Due to the Kill Switch

darthcamaro writes: Days after the massive 1.7 Terabit per second memcached reflection Distributed Denial of Service attack set a net internet record, there are signs that attack sizes are getting smaller. According to Arbor Networks, which defended against the 1.7 Tbps attack, memcached ddos attacks have gotten a lot smaller in recent day. The prevailing idea is that memcached administrators have patched their systems, or simply disable access to the outside internet. Of note, the so-call "kill switch" that some vendors have proposed is not actually the solution.
from the article:
"The 'kill switch' was immediately obvious to everyone who worked on mitigating this DDoS attack," Graham-Cumming said. "We chose not to use or test this method because it would be unethical and likely illegal since it alters the state of a remote machine without authorization."

Link to Original Source

Submission + - Attackers Drain CPU Power from Water Utility Plant in Cryptojacking Attack (eweek.com)

darthcamaro writes: Apparently YouTube isn't the site that is draining CPU power with unauthorized cryptocurrency miners. A Water utiliy in Europe is *literally* being drained of its CPU power via an cryptojacking attack that was undetected for three weeks.
from the report:
At this point, Radiflow's investigation indicates that the cryptocurrency mining malware was likely downloaded from a malicious advertising site. As such, the theory that Kfir has is that an operator at the water utility was able to open a web browser and clicked on an advertising link that led the mining code being installed on the system.

Submission + - Torvalds Wants Attackers to Join Linux Before They Turn to the "Dark Side" (eweek.com)

darthcamaro writes: People attack LInux everyday and Linus Torvalds is impressed by many of them. Speaking at the Open Source Summit in LA, Torvalds said he wants to seek out those that would attack Linux and get them to help improve Linux, before they turn to the "dark side."

"There are smart people doing bad things, I wish they were on our side and they could help us," Torvalds said. "Where I want us to go, is to get as many smart people as we can before they turn to the dark side."
"We would improve security that way and get those that are interested in security to come to us, before they attack us," he added.


Submission + - Should the Internet Be Secure by Default? (esecurityplanet.com) 1

darthcamaro writes: There are lots of tools and different secure protocols that could be used by internet service providers to embed security into the fabric of the internet, making the internet secure by default, but that's not something that Facebook's Chief Security Officer, Alex Stamos wants to happen. Instead of security by default, his view is that carriers should be neutral and let malicious traffic do whatever it wants.

""I believe strongly in the end-to-end principle, I think we should have neutral carriers in the middle and it should not be the responsibility of ISPs to secure the internet," Stamos said in a press conference at the Black Hat USA conference last week.


Submission + - Docker's LinuxKit Incubating Multiple Security Project to Improve Linux Security (eweek.com)

darthcamaro writes: Back in April, when Docker announced its' LinuxKit effort, the primary focus appeared to just be about building a container-optimized Linux distribution. As it turns out, security is also a core focus — with LinuxKit now incubating multiple efforts to help boost Linux kernel security. Among those efforts is the Wireguard next generation VPN that could one day replace IPsec.

"We recognize that there are a tonne of people in the Linux community working on security improvements and we want LinuxKit to be a place where they can foster and grow their efforts," Nathan McCauley, Director of Security at Docker Inc, told eWEEK..

Submission + - Pwn2Own 2017 Takes Aim at Linux (eweek.com)

darthcamaro writes: For the first time in its ten year history, the annual Pwn2Own hacking competition is taking direct aim at Linux. Pwn2Own in the past has typically focused mostly on web browsers, running on Windows and macOS. There is a $15,000 reward for security researchers that are able to get a local user kernel exploit on Ubuntu 16.10. The bigger prize though is a massive $200,000 award for exploiting Apache Web Server running on Ubuntu.

Submission + - Stagefright One Year Later - Not One Bug, but 115 (eweek.com)

darthcamaro writes: A year ago, on July 27, 2016 news about the Android Stagefright flaw was first revealed with the initial reports claiming widespread impact with a billion users at risk. As it runs out, the impact of stagefright has been more pervasive than a single point in time flaw. In fact over the course of the last 12 months, Google has patched no less than 115 flaws in stagefright and related Android media libraries. Joshua Drake, the researcher the first discovered the stagefright flaw never expected it to go this far.

"I expected shoring up the larger problem to take an extended and large effort, but I didn't expect it to be ongoing a year later," Drake said.


Submission + - Google Admits that Google.com is Dangerous (eweek.com)

darthcamaro writes: For over a decade, Google's Safe Browsing technology has helped to alert users to dangerous site, where malware and phishing exploits can be found. Apparently one of those unsafe sites is none other than Google.com itself.

Google's automatic spidering of the Web will catch some malicious sites, and by Google's own admission, there are sites in its index that will redirect users to locations that will attempt to install malware on their computers. Google also admits and warns that by way of Google.com (and the sites linked in its index), "Attackers on this site might try to trick you to download software or steal your information (for example passwords, messages, or credit card information)."


Comment Red Hat has a different view - and it's not hype (Score 3, Informative) 21

I don't know much about Windows and there there are 12 other advisories more impactful that Badlock this month - but Red Hat is and has taken the Linux related vulnerabilities *very* seriously - which is a good thing, it means no shellshocked/heartbleed repeat, patches on time and no real risk.

"Working closely with the community over many months, Red Hat engineers have been heavily involved in the process of analyzing and developing Samba patches for Badlock-associated issues," Josh Bressers, security strategist at Red Hat sad.

Submission + - OpenStack Mitaka Debuts (eweek.com)

darthcamaro writes: The 13th release of OpenStack, codenamed Mitaka is now generally available, with updates across all major projects. Among the biggest new capabilities in OpenStack Mitaka however isn't a new project or a new featue in a single existing project, but rather the official debut of the OpenStack Client, which creates for the first time a unified command line interface to control the cloud.

"The OpenStack client is a command line client that unifies access across all the main projects," Jonathan Bryce, executive director of the OpenStack Foundation, said.
So if an administrator wants to create a user, a block storage device or a virtual server, or attach to a network, all those functions are now enabled in the single tool that is the OpenStack client. The OpenStack client provides a standardized set of commands, whereas previously, each project had its own command line client, Bryce said. He added that the OpenStack client can be run locally or in the cloud, and can be configured to control multiple OpenStack clouds.


Submission + - Pwn2Own 2016 Won't Attack Firefox (cause it's too easy!) (eweek.com) 1

darthcamaro writes: For the last decade, the Pwn2own hacking competition has pitted the world's best hackers against web browsers to try and find zero-day vulnerabilities in a live event. The contest, which is sponsored by HPE and TrendMicro this year is offering over half a million dollars in prize money, but for the first time, not a penny of that will directed to Mozilla Firefox. While Microsoft Edge, Google Chrome and Apple Safari are targets, Firefox isn't because it's apparently too easy and not keeping up with modern security.

"We wanted to focus on the browsers that have made serious security improvements in the last year," Brian Gorenc, manager of Vulnerability Research at HPE said.


Submission + - CoreOS Launches Rkt 1.0 (eweek.com)

darthcamaro writes: Docker is about to get some real competition in the container runtime space, thanks to the official launch of rkt 1.0. CoreOS started building rkt in 2014 and after more than a year of security, performance and feature improvement are now ready to declare it 'production-ready.' While rkt is a docker runtime rival, docker apps will run in rkt, giving using a new runtime choice.

rkt will remain compatible with the Docker-specific image format, as well as its own native App Container Image (ACI). That means developers can build containers with Docker and run those containers with rkt. In addition, CoreOS will support the growing ecosystem of tools based around the ACI format.


Submission + - Shuttleworth Says Snappy Won't Replace .deb Linux Package Files in Ubuntu 15.10 (serverwatch.com)

darthcamaro writes: Mark Shuttleworth, BDFL of Ubuntu is clearing the air about how Ubuntu will make use of .deb packages even in an era where it is moving to its own Snappy ('snaps') format of rapid updates. Fundamentally it's a chicken and egg issue.

We build Snappy out of the built deb, so we can't build Snappy unless we first build the deb," Shuttleworth said.


Slashdot Top Deals

Surprise due today. Also the rent.

Working...