Agreguesi i feed

LinuxSecurity.com: The idea that organizations should be doing more to protect the personal data they hold about individuals has been gaining ground in recent years. The European Union's General Data Protection Regulation (GDPR) sparked a scramble to operationalize data management and security.

LinuxSecurity.com: Chief US District Judge Janet Hall last week sentenced Olumuyiwa Adejumo to 15 years in federal prison for his role in a business email compromise scheme targeting organizations in the United States. His sentence will be followed by 3 years of supervised release.

LinuxSecurity.com: A leading US healthcare organization (HCO) has admitted that a phishing attack last September may have led to the compromise of highly sensitive data on nearly half a million patients.

Version:next-20180821 (linux-next) Released:2018-08-21

Welcome to the Ubuntu Weekly Newsletter, Issue 541 for the week of August 12 – 18, 2018. The full version of this issue is available here.

In this issue we cover:

• Welcome New Members and Developers
• Ubuntu Stats
• Hot in Support
• LoCo Events
• Mir News: 17th August 2018
• MAAS 2.4.1 released!
• Lubuntu Development Newsletter #9
• Akademy: closing time
• Canonical News
• In the Blogosphere
• In Other News
• Featured Audio and Video
• Meeting Reports
• Upcoming Meetings and Events
• Updates and Security for 14.04, 16.04, and 18.04
• And much more!

The Ubuntu Weekly Newsletter is brought to you by:

• Krytarik Raido
• Bashing-om
• Chris Guiver
• Wild Man
• And many others

If you have a story idea for the Weekly Newsletter, join the Ubuntu News Team mailing list and submit it. Ideas can also be added to the wiki!

Except where otherwise noted, this issue of the Ubuntu Weekly Newsletter is licensed under a Creative Commons Attribution ShareAlike 3.0 License

Every organization, community, and family has difficult people in them. Some get overly agitated, some are not constructive in their criticism, some rub other people up the wrong way, some always commit but never deliver, and other traits.

In my new video I share some details for how to manage these types of personalities. I share some golden rules for handling them, how to analyze the situation well, and a method for building a resolution and solving problems.

Here it is:

Can’t see it? Watch it here.

The post Video: How to Manage and Work With Difficult Personalities appeared first on Jono Bacon.

Previously: v4.17.

Linux kernel v4.18 was released last week. Here are details on some of the security things I found interesting:

allocation overflow detection helpers
One of the many ways C can be dangerous to use is that it lacks strong primitives to deal with arithmetic overflow. A developer can’t just wrap a series of calculations in a try/catch block to trap any calculations that might overflow (or underflow). Instead, C will happily wrap values back around, causing all kinds of flaws. Some time ago GCC added a set of single-operation helpers that will efficiently detect overflow, so Rasmus Villemoes suggested implementing these (with fallbacks) in the kernel. While it still requires explicit use by developers, it’s much more fool-proof than doing open-coded type-sensitive bounds checking before every calculation. As a first-use of these routines, Matthew Wilcox created wrappers for common size calculations, mainly for use during memory allocations.

removing open-coded multiplication from memory allocation arguments
A common flaw in the kernel is integer overflow during memory allocation size calculations. As mentioned above, C doesn’t provide much in the way of protection, so it’s on the developer to get it right. In an effort to reduce the frequency of these bugs, and inspired by a couple flaws found by Silvio Cesare, I did a first-pass sweep of the kernel to move from open-coded multiplications during memory allocations into either their 2-factor API counterparts (e.g. kmalloc(a * b, GFP...) -> kmalloc_array(a, b, GFP...)), or to use the new overflow-checking helpers (e.g. vmalloc(a * b) -> vmalloc(array_size(a, b))). There’s still lots more work to be done here, since frequently an allocation size will be calculated earlier in a variable rather than in the allocation arguments, and overflows happen in way more places than just memory allocation. Better yet would be to have exceptions raised on overflows where no wrap-around was expected (e.g. Emese Revfy’s size_overflow GCC plugin).

Variable Length Array removals, part 2
As discussed previously, VLAs continue to get removed from the kernel. For v4.18, we continued to get help from a bunch of lovely folks: Andreas Christoforou, Antoine Tenart, Chris Wilson, Gustavo A. R. Silva, Kyle Spiers, Laura Abbott, Salvatore Mesoraca, Stephan Wahren, Thomas Gleixner, Tobin C. Harding, and Tycho Andersen. Almost all the rest of the VLA removals have been queued for v4.19, but it looks like the very last of them (deep in the crypto subsystem) won’t land until v4.20. I’m so looking forward to being able to add -Wvla globally to the kernel build so we can be free from the classes of flaws that VLAs enable, like stack exhaustion and stack guard page jumping. Eliminating VLAs also simplifies the porting work of the stackleak GCC plugin from grsecurity, since it no longer has to hook and check VLA creation.

Kconfig compiler detection
While not strictly a security thing, Masahiro Yamada made giant improvements to the kernel’s Kconfig subsystem so that kernel build configuration now knows what compiler you’re using (among other things) so that configuration is no longer separate from the compiler features. For example, in the past, one could select CONFIG_CC_STACKPROTECTOR_STRONG even if the compiler didn’t support it, and later the build would fail. Or in other cases, configurations would silently down-grade to what was available, potentially leading to confusing kernel images where the compiler would change the meaning of a configuration. Going forward now, configurations that aren’t available to the compiler will simply be unselectable in Kconfig. This makes configuration much more consistent, though in some cases, it makes it harder to discover why some configuration is missing (e.g. CONFIG_GCC_PLUGINS no longer gives you a hint about needing to install the plugin development packages).

That’s it for now! Please let me know if you think I missed anything. Stay tuned for v4.19; the merge window is open. :)

© 2018, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

LinuxSecurity.com: To protect corporate networks against malware, data exfiltration and other threats, security departments have systems in place to monitor email traffic, URLs and employee behaviors. With artificial intelligence (AI) and machine learning, this data can also be used to make predictions.

LinuxSecurity.com: Cyberattacks are now a daily occurrence and hardly a week goes by when we don't hear of a major data breach -- but despite rising numbers of hacking events, prosecutions rates are falling in the United Kingdom.

LinuxSecurity.com: Drawing from a recent study by SophosLabs, Principal Research Scientist Chester Wisniewski highlights a shift to the rise of more targeted and sophisticated ransomware threats, such as SamSam.

LinuxSecurity.com: An Australian teenager hacked into Apple's enterprise computer network, making off with 90 gigabytes of data before being discovered. He also accessed an undisclosed number of customer accounts during his year-long intrusion.

LinuxSecurity.com: ESG recently completed a research survey of 400 cybersecurity and IT professionals working at small organizations (i.e. 50 to 499 employees) in North America. As you can imagine, these firms tend to have a small staff responsible for cybersecurity and IT, reporting to business management rather than CIOs or CISOs. (Note: I am an employee of ESG.)

LinuxSecurity.com: Fileless malware attacks can be seen as the perfect crime of opportunity. The initial vector of an attack appears as a seemingly innocuous business email with a link to a bill or other update.

Version:4.18.3 (stable) Released:2018-08-18 Source:linux-4.18.3.tar.xz PGP Signature:linux-4.18.3.tar.sign Patch:full (incremental) ChangeLog:ChangeLog-4.18.3

Version:4.17.17 (stable) Released:2018-08-18 Source:linux-4.17.17.tar.xz PGP Signature:linux-4.17.17.tar.sign Patch:full (incremental) ChangeLog:ChangeLog-4.17.17

Version:4.14.65 (longterm) Released:2018-08-18 Source:linux-4.14.65.tar.xz PGP Signature:linux-4.14.65.tar.sign Patch:full (incremental) ChangeLog:ChangeLog-4.14.65

Version:4.9.122 (longterm) Released:2018-08-18 Source:linux-4.9.122.tar.xz PGP Signature:linux-4.9.122.tar.sign Patch:full (incremental) ChangeLog:ChangeLog-4.9.122

Version:4.4.150 (longterm) Released:2018-08-18 Source:linux-4.4.150.tar.xz PGP Signature:linux-4.4.150.tar.sign Patch:full (incremental) ChangeLog:ChangeLog-4.4.150

Version:3.18.119 (EOL) (longterm) Released:2018-08-17 Source:linux-3.18.119.tar.xz PGP Signature:linux-3.18.119.tar.sign Patch:full (incremental) ChangeLog:ChangeLog-3.18.119

We’ve been upgrading RAM and tooting in the fediverse. We discuss Hollywood embracing open source, a new release of LibreOffice, pacemakers getting hacked and fax machines becoming selfaware and taking over the planet. We also round up the community news and events.

It’s Season 11 Episode 23 of the Ubuntu Podcast! Alan Pope, Mark Johnson and Martin Wimpress are connected and speaking to your brain.

In this week’s show:

• We discuss what we’ve been up to recently:
  • Alan has been upgrading RAM.
  • Mark has been tooting on Mastodon.
• We discuss the news:
  • Academy Software Foundation founded
  • LibreOffice 6.1 released
  • Malicious fax causes security panic
  • Hack causes pacemakers to deliver life-threatening shocks

• We discuss the community news:
  • Mystery Donation Lets Elementary Hire Full-Time Staff
  • KDE Plasma 5.14 Desktop Environment Lets You Upgrade Your Computer’s Firmware
  • Opera arrives as an Ubuntu Snap for most Linux distros
• We mention some events:
  • FOSDEM: 2nd – 3rd Feburary 2019, Brussels
  • OggCamp!: 18th – 19th August 2018. Sheffield, UK.
• Image credit: Hunter Johnson

That’s all for this week! You can listen to the Ubuntu Podcast back catalogue on YouTube. If there’s a topic you’d like us to discuss, or you have any feedback on previous shows, please send your comments and suggestions to show@ubuntupodcast.org or Tweet us or Comment on our Facebook page or comment on our Google+ page or comment on our sub-Reddit.

• Join us in the Ubuntu Podcast Telegram group.