Feed aggregator

Raphaël Hertzog: Freexian’s report about Debian Long Term Support, June 2018

Planet Ubuntu - Fri, 20/07/2018 - 4:28 PM

Like each month, here comes a report about the work of paid contributors to Debian LTS.

Individual reports

In June, about 202 work hours have been dispatched among 13 paid contributors. Their reports are available:

  • Abhijith PA did 8 hours (out of 10 hours allocated, thus keeping 2 extra hours for July).
  • Antoine Beaupré did 24 hours (out of 12 hours allocated + 12 extra hours).
  • Ben Hutchings did 12 hours (out of 15 hours allocated, thus keeping 3 extra hours for July).
  • Brian May did 10 hours.
  • Chris Lamb did 18 hours.
  • Emilio Pozuelo Monfort did 17 hours (out of 23.75 hours allocated, thus keeping 6.75 extra hours for July).
  • Holger Levsen did nothing (out of 8 hours allocated, thus keeping 8 extra hours for July).
  • Hugo Lefeuvre did 4.25 hours (out of 23.75 hours allocated, but gave back 10 hours, thus keeping 9.5 hours for July).
  • Markus Koschany did 23.75 hours.
  • Ola Lundqvist did 6 hours (out of 8 hours allocated + 17.5 remaining hours, but gave back 15.5 unused hours, thus keeping 4 extra hours for July).
  • Roberto C. Sanchez did 29.5 hours (out of 18 hours allocated + 11.5 extra hours).
  • Santiago Ruano Rincón did 5.5 hours (out of 8 hours allocated + 7 extra hours, thus keeping 9.5 extra hours for July).
  • Thorsten Alteholz did 23.75 hours.

Evolution of the situation

The number of sponsored hours increased to 210 hours per month. We lost a silver sponsor but gained a new platinum sponsor with the Civil Infrastructure Platform project (hosted by the Linux Foundation, see their announcement).

We are very happy to see the CIP project engage directly with the Debian project and try to work together to build the software stack for tomorrow’s world’s infrastructure.

The security tracker currently lists 57 packages with a known CVE, and the dla-needed.txt file lists 52.

Thanks to our sponsors

New sponsors are in bold.


The Fundamental Flaw in Security Awareness Programs

LinuxSecurity.com - Fri, 20/07/2018 - 11:29 AM
LinuxSecurity.com: Most security awareness programs are at best gimmicks that will statistically fail at their goal. They intend to educate people so that they can make better decisions regarding how to behave or whether they are being conned.

IoT hacker builds Huawei-based botnet, enslaves 18,000 devices in one day

LinuxSecurity.com - Fri, 20/07/2018 - 11:24 AM
LinuxSecurity.com: How long does it take to build a botnet? Not long, if you consider Anarchy's 18,000-device-strong creation, brought to life in only 24 hours.

next-20180720: linux-next

Kernel Linux - Fri, 20/07/2018 - 10:29 AM
Version: next-20180720 (linux-next) Released: 2018-07-20

The Fridge: Ubuntu 17.10 (Artful Aardvark) End of Life reached on July 19 2018

Planet Ubuntu - Fri, 20/07/2018 - 1:59 AM

This is a follow-up to the End of Life warning sent earlier this month to confirm that as of today (July 19, 2018), Ubuntu 17.10 is no longer supported. No more package updates will be accepted to 17.10, and it will be archived to old-releases.ubuntu.com in the coming weeks.

The original End of Life warning follows, with upgrade instructions:

Ubuntu announced its 17.10 (Artful Aardvark) release almost 9 months ago, on October 19, 2017. As a non-LTS release, 17.10 has a 9-month support cycle and, as such, the support period is now nearing its end and Ubuntu 17.10 will reach end of life on Thursday, July 19th.

At that time, Ubuntu Security Notices will no longer include information or updated packages for Ubuntu 17.10.

The supported upgrade path from Ubuntu 17.10 is via Ubuntu 18.04.

Instructions and caveats for the upgrade may be found at:

https://help.ubuntu.com/community/BionicUpgrades

Ubuntu 18.04 continues to be actively supported with security updates and select high-impact bug fixes. Announcements of security updates for Ubuntu releases are sent to the ubuntu-security-announce mailing list, information about which may be found at:

https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

Since its launch in October 2004 Ubuntu has become one of the most highly regarded Linux distributions with millions of users in homes, schools, businesses and governments around the world. Ubuntu is Open Source software, costs nothing to download, and users are free to customise or alter their software in order to meet their needs.

Originally posted to the ubuntu-announce mailing list on Thu Jul 19 22:47:22 UTC 2018 by Adam Conrad, on behalf of the Ubuntu Release Team

Ubuntu Podcast from the UK LoCo: S11E19 – Nineteen Minutes - Ubuntu Podcast

Planet Ubuntu - Thu, 19/07/2018 - 4:00 PM

This week we recover from a failed disk in a ReadyNAS and get to grips with the Amazon Kindle Oasis E-reader. npm gets pwned, Debian 9.5 is released, and the Snap Store gets verified publishers, categories and other improvements. Humble Bundle offers a Linux Geek Book Bundle, and we also round up the community news and events.

It’s Season 11 Episode 19 of the Ubuntu Podcast! Alan Pope, Mark Johnson and Ryan are connected and speaking to your brain.

In this week’s show:

That’s all for this week! You can listen to the Ubuntu Podcast back catalogue on YouTube. If there’s a topic you’d like us to discuss, or you have any feedback on previous shows, please send your comments and suggestions to show@ubuntupodcast.org or Tweet us or Comment on our Facebook page or comment on our Google+ page or comment on our sub-Reddit.

4.4.142: longterm

Kernel Linux - Thu, 19/07/2018 - 3:35 PM
Version: 4.4.142 (longterm) Released: 2018-07-19 Source: linux-4.4.142.tar.xz PGP Signature: linux-4.4.142.tar.sign Patch: full (incremental) ChangeLog: ChangeLog-4.4.142

Millions of Health Records at Risk Following LabCorp Suspected Breach

LinuxSecurity.com - Thu, 19/07/2018 - 11:29 AM
LinuxSecurity.com: LabCorp, a healthcare diagnostics company, has shut down its systems after a suspected network breach, which could have put millions of health records at risk.

Gov Slow to Address Urgent CNI Security Needs

LinuxSecurity.com - Thu, 19/07/2018 - 11:23 AM
LinuxSecurity.com: A committee of MPs and peers in the UK has criticised the government for its lack of urgency in addressing the cybersecurity skills gap in relation to critical national infrastructure (CNI).

White House Cybersecurity Strategy at a Crossroads

LinuxSecurity.com - Thu, 19/07/2018 - 11:20 AM
LinuxSecurity.com: Fallout from a rapid-fire series of developments surrounding the 2016 election hacking and meddling by Russia continued today as President Donald Trump attempted to walk back Monday's public dismissal of his intelligence agencies' findings pointing to Russia.

David Tomaschik: Hacker Summer Camp 2018: Cyberwar?

Planet Ubuntu - Thu, 19/07/2018 - 9:00 AM

I actually thought I was done with the pre-con portion of my Hacker Summer Camp blog post series, but it turns out that people wanted to know more about “the most dangerous network in the world”. Specifically, I got questions about how to protect yourself in this hostile environment, like whether people should bring a burner device, how to avoid getting hacked, what to do after the con, etc.

The Network

So, is it “the most dangerous network in the world”? Well, there’s probably some truth to that in the sense that in terms of density of threats, it’s likely fairly high. In terms of sheer volume of threats, the open internet is obviously going to be a leader.

First off, the DEF CON network is really multiple networks. There’s the open WiFi, which is undeniably the Wild West of computers, and there’s the DEF CON “secure” network, which uses WPA2-Enterprise (802.1X) with certificates to verify the APs. The secure network also features client isolation. Additionally, the secure network is monitored by a dedicated NOC/SOC with some very talented and hard-working individuals. I would assert that being compromised on the secure network is approximately the same risk as being compromised on any internet connection.

So, there’s 0-day flying around left and right? Not so much. Most of the malicious traffic is likely coming from someone who just learned how to use Metasploit or just found out about some cool tool in a talk or workshop. Consequently, it’s unlikely to have much impact for those who patch and are security-aware.

What you will see a ton of is WiFi pineapples. People will go buy one at the Hak5 booth, and then immediately turn it on and try to mess with other attendees. It gets pretty old, pretty quickly. Just make sure you’re connected to the DEF CON Secure WiFi and this will be a minimal problem (maybe a denial of service).

In all honesty, the con hotel WiFi is a worse place to be than DEF CON secure, by a large margin. Plenty of stupid things happening there.
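The “certificates to verify the APs” part of the secure network only works if the client checks them: what the supplicant actually validates is the authentication (RADIUS) server’s certificate relayed through the AP, and it does so only when told which CA and which server name to expect. The following wpa_supplicant network blocks, a weak form beside the corrected one, are an added example and not DEF CON’s own configuration; the SSID, identity, password, CA path and server name are constructed placeholders.

```conf
# Constructed example (not DEF CON's configuration): two wpa_supplicant
# network blocks for a WPA2-Enterprise (802.1X, EAP-PEAP/MSCHAPv2) SSID.
# Every value is a placeholder; use what the network operator publishes.

# WEAK (kept disabled, for contrast only): no ca_cert and no server name
# check. The supplicant accepts any server certificate, so a rogue AP that
# advertises the same SSID can pass for the real one and the inner
# MSCHAPv2 exchange is sent to whoever answers.
network={
    ssid="example-secure-ssid"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="attendee"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    disabled=1
}

# CORRECTED: pin the CA that issued the authentication server's certificate
# and require the server's name to match. If either check fails the TLS
# handshake is aborted before any credential is sent, which is what makes
# the "secure" SSID meaningfully different from the open one.
network={
    ssid="example-secure-ssid"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="attendee"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-network-ca.pem"
    domain_match="radius.example.net"
}
```

On a client whose GUI lets you pick “do not validate the CA certificate”, that option is the weak block above with a friendlier name.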

3 Approaches

The Minimalist

The minimalist carries a flip phone with a burner SIM. He/she maintains contact with friends using SMS or (gasp) actual phone calls. No laptop, no smart phone to be compromised. This is a great approach if you’re not going to participate in any activities that require tech on hand. If you’re going to hang out, listen to a few talks, and drink, this is the approach with no need to worry about getting compromised.

The Burner

No, this isn’t about Burning Man, although DEF CON is kinda like Burning Man for “400-lb hackers in basements”. This hacker brings a burner version of everything: so a smart phone, but a cheap burner. This probably will get compromised, as their carrier hasn’t pushed a patch in 3 years. (And even before that, it shipped with some shady pre-installed apps that send all your contacts over plaintext to a server in China…). They also bring a $200 Dell or HP laptop with Kali Linux on board.

They connect to the first WiFi they see, never mind that it’s labeled “FBI Surveillance Van 404”. If you plan for your hardware to get pwned, it doesn’t really matter if it’s bad WiFi, right?

Of course, in order for this to work correctly, you have to never use your devices for anything sensitive. Hopefully the urge to check your real email doesn’t get too strong. Or maybe your card is suspended for potentially fraudulent activity (like that $300 SDR) and you decide to log in “briefly” to reactivate it. This route really only works if you can maintain good OpSec.

“Good Enough” Security

If you can set aside ego and assume nobody is willing to try using a $100k+ 0-day on you, you can get by with a reasonable level of security. This involves bringing a modern fully-patched phone (iPhone or “flagship” Android phone), and optionally a well-secured laptop.

For the laptop, I’ve previously discussed using a Chromebook. Even with dev mode for crouton, I believe this to be reasonably safe from remote exploitation. This can also be cheap enough to be a disposable device. In my previous post, I suggested 3 Chromebook options:

Alternatively, you can get a cheap laptop and run fully-updated Windows 10 or Linux with a firewall enabled and be in a pretty good state for passive attacks over the network.

In either case, you should then run a VPN. I like Private Internet Access, but there’s a lot of options out there, or you can even run your own OpenVPN server if you’re feeling adventurous.

Summary

There’s never a guarantee of security, but with updated devices & good security hygiene, you can survive the DEF CON networks. The basic elements involved are:

  • Fully updated OS
  • Be super careful
  • Use a VPN
  • No Services Exposed

Good luck and see you at Hacker Summer Camp!

Cloud Security: Lessons Learned from Intrusion Prevention Systems

LinuxSecurity.com - Wed, 18/07/2018 - 11:33 AM
LinuxSecurity.com: I recently had the opportunity to brief an industry analyst on the rapid advancement of artificial intelligence (AI) in solving public cloud security. Both the analyst and I had navigated the inception and commercialization of intrusion prevention systems (IPS) and have been skeptical for many years on one point: just because a security technology is capable of preventing a threat or an active attack, customers won't necessarily operate the technology in a protection mode.

US Vote-Counting Computers Had Flaw, Allowed Hackers Access

LinuxSecurity.com - Wed, 18/07/2018 - 11:28 AM
LinuxSecurity.com: In the US, vote-counting computers used in government elections contained a security vulnerability which could have been used to affect election results. The systems, which were sold by Elections Systems & Software (ES&S), contained remote-access software and were sold between 2000 and 2006, with some machines still being used as late as 2011.

US Orgs Overly Optimistic About Cyber-Readiness

LinuxSecurity.com - Wed, 18/07/2018 - 11:00 AM
LinuxSecurity.com: Senior executives at most US organizations believe the cybersecurity of their firms is above board, according to a new survey of 500 senior IT executives. The survey included responses from interviews conducted with executives across multiple sectors in the US and 10 other countries.

4.17.8: stable

Kernel Linux - Wed, 18/07/2018 - 7:56 AM
Version: 4.17.8 (stable) Released: 2018-07-18 Source: linux-4.17.8.tar.xz PGP Signature: linux-4.17.8.tar.sign Patch: full (incremental) ChangeLog: ChangeLog-4.17.8

Simon Raffeiner: Improving data safety on Linux systems using ZFS and BTRFS

Planet Ubuntu - Tue, 17/07/2018 - 3:20 PM

Why everybody should care about data safety, and how ZFS and BTRFS can help protect the data on your Linux systems.

The post Improving data safety on Linux systems using ZFS and BTRFS appeared first on LIEBERBIBER.

Sergio Schvezov: New Laptop

Planet Ubuntu - Tue, 17/07/2018 - 2:50 PM

Triggers

Recently, as of last week, I decided to purchase a new laptop to replace my Microsoft Surface Pro 4, with which I was having a bittersweet relationship. The Surface Pro 4 is really nice hardware; I originally got it to get a head start and collaborate on the convergence story with Unity 8 on the desktop, but as is folk knowledge now, some strategic choices were made.

4.14.56: longterm

Kernel Linux - Tue, 17/07/2018 - 11:39 AM
Version: 4.14.56 (longterm) Released: 2018-07-17 Source: linux-4.14.56.tar.xz PGP Signature: linux-4.14.56.tar.sign Patch: full (incremental) ChangeLog: ChangeLog-4.14.56

4.9.113: longterm

Kernel Linux - Tue, 17/07/2018 - 11:37 AM
Version: 4.9.113 (longterm) Released: 2018-07-17 Source: linux-4.9.113.tar.xz PGP Signature: linux-4.9.113.tar.sign Patch: full (incremental) ChangeLog: ChangeLog-4.9.113

Time to Yank Cybercrime into the Light

LinuxSecurity.com - Tue, 17/07/2018 - 11:20 AM
LinuxSecurity.com: At a time when the public and governments are watching their every move, today's organizations are up against an unprecedented wave of crime and fraud-related risks that affect their internal and external relationships, regulatory status, and reputation. Unfortunately, not enough companies are truly aware of the fraud threats they face.
