March 18, 2022
Companies and governments have, shall we say, interesting relations. Just ask any Chinese tech company in recent days. But, while they’re losing billions, companies in war-mongering countries like Russia have an even harder row to hoe. How can Russian companies support Russia’s unprovoked invasion of Ukraine?
You may say they can’t, but that just shows you haven’t studied history. When money and ethics are weighed against each other, money usually wins. For example, such American-as-apple-pie-and-baseball companies as General Motors, Ford, Coca-Cola, and IBM supported Nazi Germany during World War II.
Really. Look it up.
So, there’s nothing too surprising when we see Moscow-based security leader Kaspersky founder Eugene Kaspersky trying to tiptoe his way around Russia’s invasion of Ukraine on Twitter: “We welcome the start of negotiations to resolve the current situation in Ukraine and hope that they will lead to a cessation of hostilities and a compromise.”
Do svidaniya, Kaspersky — goodby More>
March 8, 2022
As I write this, there’s already a nasty exploit out there using the latest Linux kernel vulnerability, Dirty Pipeline, for any J. Random Luser to overwrite root’s password field in /etc/passwd. The experts at LWN.net called it a “disconcerting kernel vulnerability.” I call it a “shoot me now” security problem.
But let’s not do that, shall we? Here’s the 411 on Dirty Pipeline, aka CVE-2022-0847. Web host sysadmin and programmer Max Kellermann found the security hole back in 2021, but he wasn’t at first sure what was going on. After a lot of blood, sweat, tears, and research Kellermann tracked down the problem to changes in the Linux kernel that became critical in Linux 5.8. With this update, Kellermann wrote, “it became possible to overwrite data in the page cache, simply by writing new data into the pipe prepared in a special way.”
It Gets Worse
OK, that’s bad. But there’s much worse to come. Kellermann found that “To make this vulnerability more interesting, it not only works without write permissions, it also works with immutable files, on read-only btrfs snapshots and on read-only mounts (including CD-ROM mounts). That is because the page cache is always writable (by the kernel), and writing to a pipe never checks any permissions.”
Oh My God.
Dirty Pipeline Is an Awful Linux Mess. More>
March 7, 2022
Patent trolls, aka Patent Assertion Entities (PAE)s, have plagued open-source software for ages. Over the years though, other groups have risen up to keep them from stealing from the companies and organizations that actually use patents’ intellectual property (IP). One such group, Unified Patents, an international organization of over 200 businesses, has been winning for the last two years. This is their story to date.
Open Source Zone grinds away at patent trolls More>
February 21, 2022
Here we go again. Another obnoxious security bug, CVE-2022-0435: A Remote Stack Overflow in The Linux Kernel was found by Appgate senior exploit developer Samuel Page while he was poking around at a Linux heap overflow security bug, CVE-2021-43267 from November 2021. Page’s discovery is a remotely and locally reachable stack overflow in the Linux kernel’s Transparent Inter-Process Communication (TIPC) protocol networking module.
Nasty Linux Kernel Stack Overflow Flaw Found and Patched. More>
February 18, 2022
It’s always something when it comes to security. This time around the JFrog’s Security Research team has found a remote code execution (RCE) issue in Apache Cassandra, the popular open source NoSQL database. And, oh joy, of course with this RCE, you can stop Cassandra in its tracks. Since companies such as Netflix, Twitter, Reddit, and hundreds of others rely on Cassandra to be running every moment of the day, this is not good news.
JFrog Finds RCE Issue in Apache Cassandra. More>
February 18, 2022
Netgear’s Orbi Wi-Fi 6E , aka AXE11000 or RBKE963, mesh Wi-Fi router hardware is expensive with a capital E. It currently costs a cool $1,500 for the router and its two satellites. But, for that money, you’ll get the fastest Wi-Fi networking you’ve ever seen.
How fast is it? I used the Ixia’s IxChariot networking benchmark and my Galaxy S21 Ultra smartphone to measure its throughput and it beat every other Wi-Fi network I’ve ever tested. And, friends, I’ve tested a lot of network gear in my day.
Netgear Orbi Wi-Fi 6E: The fastest and most expensive Wi-Fi you can buy. More>