Practical Technology

for practical people.

March 18, 2022
by sjvn01

Do svidaniya, Kaspersky — goodby

Companies and governments have, shall we say, interesting relations. Just ask any Chinese tech company in recent days. But, while they’re losing billions, companies in war-mongering countries like Russia have an even harder row to hoe. How can Russian companies support Russia’s unprovoked invasion of Ukraine?

You may say they can’t, but that just shows you haven’t studied history. When money and ethics are weighed against each other, money usually wins. For example, such American-as-apple-pie-and-baseball companies as General Motors, Ford, Coca-Cola, and IBM supported Nazi Germany during World War II.

Really. Look it up.

So, there’s nothing too surprising when we see Eugene Kaspersky, founder of Moscow-based security leader Kaspersky, trying to tiptoe his way around Russia’s invasion of Ukraine on Twitter: “We welcome the start of negotiations to resolve the current situation in Ukraine and hope that they will lead to a cessation of hostilities and a compromise.”


March 8, 2022
by sjvn01

Dirty Pipeline Is an Awful Linux Mess

As I write this, there’s already a nasty exploit out there using the latest Linux kernel vulnerability, Dirty Pipeline, for any J. Random Luser to overwrite root’s password field in /etc/passwd. The experts at LWN.net called it a “disconcerting kernel vulnerability.” I call it a “shoot me now” security problem.

But let’s not do that, shall we? Here’s the 411 on Dirty Pipeline, aka CVE-2022-0847. Web host sysadmin and programmer Max Kellermann found the security hole back in 2021, but he wasn’t at first sure what was going on. After a lot of blood, sweat, tears, and research, Kellermann tracked down the problem to changes in the Linux kernel that became critical in Linux 5.8. With this update, Kellermann wrote, “it became possible to overwrite data in the page cache, simply by writing new data into the pipe prepared in a special way.”

It Gets Worse

OK, that’s bad. But there’s much worse to come. Kellermann found that “To make this vulnerability more interesting, it not only works without write permissions, it also works with immutable files, on read-only btrfs snapshots and on read-only mounts (including CD-ROM mounts). That is because the page cache is always writable (by the kernel), and writing to a pipe never checks any permissions.”

Oh My God.
