
Submission + - Lennart Poettering Admits he Doesn't Understand SELinux (serverwatch.com)

darthcamaro writes: No surprise, but Lennart Poettering, the father of (love it or hate it..) systemd prefers it over other systems that can be used to secure Linux, including Red Hat (his employer) and its SELinux.

"My recommendation is that, systemd settings are easy and are just boolean expressions that most people will easily understand, that's why I created them and that's why I think they are more useful to more people than an SELinux policy," Poettering said during a keynote at the CoreOS Fest in Berlin. "There are probably only 50 people in the world that understand SELinux policies, but I really hope there are more than 50 people that understand systemd."


Submission + - All Linux Kernel Bugs are Potential Security Risks: Greg Kroah-Hartman (eweek.com)

darthcamaro writes: At the CoreOS Fest event in Berlin this week, Linux stable kernel maintainer Greg Kroah-Hartman provided some impressive stats on Linux kernel development. From April 2015 to March 2016, there were 10,800 new lines of code added, 5,300 lines removed and 1,875 lines modified in Linux every day. All that change however represents a non-trivial security risk.

"When we push out the fixes, you better take advantage of it," Kroah-Hartman said. "If you are not using a stable, long-term kernel, your machine is insecure."


Submission + - CoreOS Ramps up Funding & Tech to Take on Docker (eweek.com)

darthcamaro writes: In a day full of activities at CoreOS Fest in Berlin (and simulcast in San Francisco) CoreOS announced a new $28 Million round of funding, new features in the etcd key value store (that is part of Kubernetes), a new microservice authentication technology, bittorrent download of container images and a new Cloud Native Computing Foundation project called Prometheus to help with container monitoring. While CoreOS started out just as a Docker ecosystem vendor, it's now clear they're ramping up to take Docker Inc on, head-on.

Submission + - Shuttleworth Pledges to Never Weaken Encryption in Ubuntu (eweek.com)

darthcamaro writes: As work kicks off this week to build the Ubuntu 16.10 distribution (which may or may not include Mir), there is one item that is certain and that's security. In a video interview Shuttleworth doubles down on security, emphatically stating that he will never allow weak encryption in Ubuntu.

"We don't do encryption to hide things, we do encryption so we can choose what to share," Shuttleworth said. "That's a profound choice we should all be able to make."


Submission + - Google Admits that Google.com is Dangerous (eweek.com)

darthcamaro writes: For over a decade, Google's Safe Browsing technology has helped to alert users to dangerous sites, where malware and phishing exploits can be found. Apparently one of those unsafe sites is none other than Google.com itself.

Google's automatic spidering of the Web will catch some malicious sites, and by Google's own admission, there are sites in its index that will redirect users to locations that will attempt to install malware on their computers. Google also admits and warns that by way of Google.com (and the sites linked in its index), "Attackers on this site might try to trick you to download software or steal your information (for example passwords, messages, or credit card information)."


Comment Red Hat has a different view - and it's not hype (Score 3, Informative) 21

I don't know much about Windows and there are 12 other advisories more impactful than Badlock this month - but Red Hat is and has taken the Linux related vulnerabilities *very* seriously - which is a good thing, it means no shellshocked/heartbleed repeat, patches on time and no real risk.

"Working closely with the community over many months, Red Hat engineers have been heavily involved in the process of analyzing and developing Samba patches for Badlock-associated issues," Josh Bressers, security strategist at Red Hat said.

Submission + - Heartbleed Turns Two - Has Anything Changed? (eweek.com)

darthcamaro writes: Two years ago on April 7 2014, the Heartbleed vulnerability on OpenSSL was first disclosed, arguably changing the open-source security world in many ways. For one there is now an unfortunate trend of security vendors branding vulnerabilities. On a more positive note though is the emergence of more rigor in open-source code auditing, thanks in part to the effort of the Linux Foundation's Core Infrastructure Initiative (CII).

"OpenSSL now has a well-known and published approach for how it will appropriately inform all interested parties of security advisories," Emily Ratliff, senior director of infrastructure security at The Linux Foundation, told eWEEK. "Even trivial patches must follow the review process."


Submission + - OpenStack Mitaka Debuts (eweek.com)

darthcamaro writes: The 13th release of OpenStack, codenamed Mitaka is now generally available, with updates across all major projects. Among the biggest new capabilities in OpenStack Mitaka however isn't a new project or a new feature in a single existing project, but rather the official debut of the OpenStack Client, which creates for the first time a unified command line interface to control the cloud.

"The OpenStack client is a command line client that unifies access across all the main projects," Jonathan Bryce, executive director of the OpenStack Foundation, said.
So if an administrator wants to create a user, a block storage device or a virtual server, or attach to a network, all those functions are now enabled in the single tool that is the OpenStack client. The OpenStack client provides a standardized set of commands, whereas previously, each project had its own command line client, Bryce said. He added that the OpenStack client can be run locally or in the cloud, and can be configured to control multiple OpenStack clouds.


Submission + - Comodo CEO Not Afraid of Google Project Zero (eweek.com)

darthcamaro writes: Google Project Zero researchers have aggressively been going after Comodo anti-virus and security tech in recent weeks. Now Comodo's CEO is shooting back saying that his company believes in responsible disclosure. He also noted that Comodo is set to debut its own bug bounty program at some point soon.

Submission + - Mozilla Takes Tab Candy Away from Firefox Users (eweek.com)

darthcamaro writes: While most modern web browsers are busy adding new features for users, Mozilla is taking them away. In the new Firefox 45 milestone, Mozilla has decided to remove the Tab Groups features, previously known as Panorama and originally started as the Mozilla Labs Tab Candy project.

"The primary reason for discontinuing the feature is low usage," Nick Nguyen, vice president of Firefox Product at Mozilla said.


Submission + - Pwn2Own 2016 Won't Attack Firefox (cause it's too easy!) (eweek.com) 1

darthcamaro writes: For the last decade, the Pwn2own hacking competition has pitted the world's best hackers against web browsers to try and find zero-day vulnerabilities in a live event. The contest, which is sponsored by HPE and TrendMicro this year is offering over half a million dollars in prize money, but for the first time, not a penny of that will be directed to Mozilla Firefox. While Microsoft Edge, Google Chrome and Apple Safari are targets, Firefox isn't because it's apparently too easy and not keeping up with modern security.

"We wanted to focus on the browsers that have made serious security improvements in the last year," Brian Gorenc, manager of Vulnerability Research at HPE said.


Submission + - CoreOS Launches Rkt 1.0 (eweek.com)

darthcamaro writes: Docker is about to get some real competition in the container runtime space, thanks to the official launch of rkt 1.0. CoreOS started building rkt in 2014 and after more than a year of security, performance and feature improvement are now ready to declare it 'production-ready.' While rkt is a docker runtime rival, docker apps will run in rkt, giving users a new runtime choice.

rkt will remain compatible with the Docker-specific image format, as well as its own native App Container Image (ACI). That means developers can build containers with Docker and run those containers with rkt. In addition, CoreOS will support the growing ecosystem of tools based around the ACI format.


Submission + - Docker 1.10 Brings Linux SECCOMP Security to Containers (eweek.com)

darthcamaro writes: Starting this week, there is a new tool in the toolbox to secure Docker containers. In addition to SELinux (or AppArmor) and Namespaces — Docker 1.10 will now include a default SECCOMP profile. So what's the difference between SECCOMP and SELinux?

SELinux is the list of people you can talk to, while seccomp is the list of what words you can say, McCarty said. As an example, if a person could communicate with another person using only three or five words, it would very much limit what could be expressed and prevent most types of illicit activities, and applies in much the same way to Linux containers, he added.


Submission + - Docker Inc Acquires Unikernels, but that's Not the End for Linux (eweek.com)

darthcamaro writes: Docker Inc today announced that it is acquiring privately held Unikernel Systems. With a Unikernel, there is no need for a full general purpose operating system, like Linux, instead an application can be built together with its own OS-like libraries. While some might see this as a big challenge for Linux, Solomon Hykes, founder of Docker doesn't quite see it that way.

"It's not an either/or situation with unikernels, and for the foreseeable future, the vast majority of Docker containers will run on Linux," Hykes said. "We're big believers in Linux, and you should expect more Linux-oriented work to come from us."


Submission + - Is Docker Making any Money? (eweek.com)

darthcamaro writes: You can't go to any technology conference today without hearing the word Docker or containers. Docker is everywhere, but is anyone actually making money from it? Or is it another multi-billion dollar unicorn boondoggle? According to a newly posted video interview with Docker Inc CEO Ben Golub, Docker isn't yet profitable — but it will be — soon. As a freely available open-source technology many companies start with Docker in pilot projects.

"A lot of those pilots are now turning into serious revenue, which is nice," Golub said. "While we're certainly not profitable yet, I think what we're building is the foundation for a profitable business."

