Feed aggregator

Chromium Project Finds 70% of Its Serious Security Bugs Are Memory Safety Problems

Slashdot.org - Sun, 05/24/2020 - 09:34
"Around 70% of our serious security bugs are memory safety problems," the Chromium project announced this week. "Our next major project is to prevent such bugs at source." ZDNet reports: The percentage was compiled after Google engineers analyzed 912 security bugs fixed in the Chrome stable branch since 2015, bugs that had a "high" or "critical" severity rating. The number is identical to stats shared by Microsoft. Speaking at a security conference in February 2019, Microsoft engineers said that for the past 12 years, around 70% of all security updates for Microsoft products addressed memory safety vulnerabilities. Both companies are basically dealing with the same problem, namely that C and C++, the two predominant programming languages in their codebases, are "unsafe" languages.... Google says that since March 2019, 125 of the 130 Chrome vulnerabilities with a "critical" severity rating were memory corruption-related issues, showing that despite advances in fixing other bug classes, memory management is still a problem... Half of the 70% are use-after-free vulnerabilities, a type of security issue that arises from incorrect management of memory pointers (addresses), leaving doors open for attackers to attack Chrome's inner components... While software companies have tried before to fix C and C++'s memory management problems, Mozilla has been the one who made a breakthrough by sponsoring, promoting and heavily adopting the Rust programming language in Firefox... Microsoft is also heavily investing in exploring C and C++ alternatives… But this week, Google also announced similar plans as well... Going forward, Google says it plans to look into developing custom C++ libraries to use with Chrome's codebase, libraries that have better protections against memory-related bugs. 
The browser maker is also exploring the MiraclePtr project, which aims to turn "exploitable use-after-free bugs into non-security crashes with acceptable performance, memory, binary size and minimal stability impact." And last, but not least, Google also said it plans to explore using "safe" languages, where possible. Candidates include Rust, Swift, JavaScript, Kotlin, and Java.
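To make the use-after-free class and the MiraclePtr idea concrete, here is an added, simplified C++ model. It is not Chromium's code and is not a description of how MiraclePtr is implemented; SlotHeader, make_guarded, destroy, guarded_ptr and Widget are hypothetical names chosen for this illustration. The model shows the two mechanisms the passage alludes to: a hidden per-object reference count so that freed memory is never handed back to the allocator (and thus never reused by attacker-controlled data) while a guarded pointer still refers to it, and a check that turns a dangling dereference into a deliberate crash rather than a silent read of freed memory.

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <new>
#include <utility>

// Hypothetical BackupRefPtr-style model (not Chromium's code). Every object made
// by make_guarded() sits behind a hidden SlotHeader that counts live guarded_ptr's
// and records whether the destructor already ran. destroy() poisons the object and
// marks the slot freed, but the memory is only released once the last guarded_ptr
// lets go, so the slot can never be reused underneath a dangling pointer.

struct alignas(16) SlotHeader {
    uint32_t refs;   // guarded_ptr instances currently pointing at the object
    bool     freed;  // destructor already ran; object bytes are poisoned
};

template <typename T>
SlotHeader* header_of(T* obj) {
    return reinterpret_cast<SlotHeader*>(
        reinterpret_cast<char*>(obj) - sizeof(SlotHeader));
}

template <typename T, typename... Args>
T* make_guarded(Args&&... args) {
    void* raw = std::malloc(sizeof(SlotHeader) + sizeof(T));
    if (!raw) throw std::bad_alloc();
    SlotHeader* hdr = new (raw) SlotHeader{0, false};
    return new (hdr + 1) T(std::forward<Args>(args)...);  // object follows the header
}

template <typename T>
void destroy(T* obj) {
    SlotHeader* hdr = header_of(obj);
    obj->~T();
    std::memset(static_cast<void*>(obj), 0xEF, sizeof(T));  // poison the dead object
    hdr->freed = true;
    if (hdr->refs == 0) std::free(hdr);  // nobody can dangle: release immediately
    // otherwise the slot stays quarantined until the last guarded_ptr releases it
}

template <typename T>
class guarded_ptr {
public:
    guarded_ptr() = default;
    explicit guarded_ptr(T* p) : p_(p) { acquire(); }
    guarded_ptr(const guarded_ptr& o) : p_(o.p_) { acquire(); }
    guarded_ptr& operator=(const guarded_ptr& o) {
        if (this != &o) { release(); p_ = o.p_; acquire(); }
        return *this;
    }
    ~guarded_ptr() { release(); }

    // True when the pointee was destroyed while this pointer still existed.
    bool dangling() const { return p_ && header_of(p_)->freed; }

    T* operator->() const {
        if (dangling()) std::abort();  // the "non-security crash" the passage describes
        return p_;
    }
    T* get_unchecked() const { return p_; }  // raw escape hatch, no check

private:
    void acquire() { if (p_) ++header_of(p_)->refs; }
    void release() {
        if (!p_) return;
        SlotHeader* hdr = header_of(p_);
        if (--hdr->refs == 0 && hdr->freed) std::free(hdr);  // last holder frees the quarantine
        p_ = nullptr;
    }
    T* p_ = nullptr;
};

struct Widget { int id; int secret; };

// Normal case: the object is alive, the guarded pointer behaves like a raw one.
int live_access() {
    guarded_ptr<Widget> w(make_guarded<Widget>(Widget{1, 42}));
    int v = w->secret;
    destroy(w.get_unchecked());
    return v;
}

// Use-after-free pattern: one component keeps a pointer, another frees the object.
// With a raw Widget* this would be a silent read of freed (possibly reused) memory;
// here the slot stays quarantined (refs still 1, freed set) and the pointer is flagged.
bool dangling_is_caught() {
    guarded_ptr<Widget> held(make_guarded<Widget>(Widget{2, 99}));
    destroy(held.get_unchecked());
    SlotHeader* hdr = header_of(held.get_unchecked());  // header memory is still valid
    bool quarantined = hdr->freed && hdr->refs == 1;
    return quarantined && held.dangling();
}  // 'held' goes out of scope here and the quarantined slot is finally freed
```

Two caveats apply to this model as much as to the real thing: it only protects pointers that are actually held in the guarded type, so any plain `T*` copied out of it (as `get_unchecked()` does) is as dangerous as before, and it trades memory (quarantined slots) and a little CPU (the count and the check) for the guarantee, which is exactly the "acceptable performance, memory, binary size" trade-off the passage names.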

Read more of this story at Slashdot.

Newly-Released Jailbreak Tool Can Unlock Every iPhone and iPad

Slashdot.org - Sun, 05/24/2020 - 08:34
An anonymous reader quotes TechCrunch: A renowned iPhone hacking team has released a new "jailbreak" tool that unlocks every iPhone, even the most recent models running the latest iOS 13.5. [9to5Mac points out it also works on iPads.] For as long as Apple has kept up its "walled garden" approach to iPhones by only allowing apps and customizations that it approves, hackers have tried to break free from what they call the "jail," hence the name "jailbreak...." The jailbreak, released by the unc0ver team, supports all iPhones that run iOS 11 and above, including up to iOS 13.5, which Apple released this week. Details of the vulnerability that the hackers used to build the jailbreak aren't known, but it's not expected to last forever... Security experts typically advise iPhone users against jailbreaking, because breaking out of the "walled garden" vastly increases the surface area for new vulnerabilities to exist and to be found.

As Russia Stalks US Satellites, a Space Arms Race May Be Heating Up

Slashdot.org - Sun, 05/24/2020 - 06:34
Russia "is now challenging the United States' long-standing supremacy in space and working to exploit the U.S. military's dependence on space systems for communications, navigation, intelligence, and targeting." That's the argument made in The Bulletin by a former U.S. Air Force intelligence officer who writes about technology and military strategy, Cold War history, and European security affairs (in an article shared by Lasrick). Moscow is developing counter-space weapons as a part of its overall information warfare strategy. For example, Russia just tested an anti-satellite missile system designed to destroy satellites in low earth orbit. Moreover, military leaders in Russia view U.S. satellites as the key enablers of America's ability to execute rapid, agile, and global military operations; they are intent on echoing this success and modernizing their own military satellites to more effectively support Russian forces. Since the end of the Cold War, the number of countries with space programs has markedly increased. Many of them are actively developing space weapons. China, for example, has an operational ground-launched anti-satellite system, according to the U.S. intelligence community. India successfully tested its own space weapon in 2019. France announced that it will launch a series of armed satellites. Even Iran is believed to be able to develop a rudimentary anti-satellite weapon in the near term... Space systems are essential for warfighting on Earth and the large growth in the number of countries fielding space weapons means the likelihood that outer space will be transformed into a battlefield has increased... Russia is the only country, however, that is reportedly approaching U.S. satellites in an aggressive manner... Moscow's destabilizing behavior could prompt the United States to take a more aggressive posture in space in the future... 
Russia has been taking advantage of the lack of international consensus on what constitutes acceptable behavior in space... It seems clear that Russia is likely testing how the United States and its allies might react to aggressive space behaviors and is gaining important insights into American national security space capabilities... In 2019, former Secretary of the Air Force Heather Wilson said that at some point, the United States needs the ability to "hit back." Russia's destabilizing actions in space could, therefore, fuel a dangerous arms race in space.

How to find a file in Linux - TechRadar

Linux News - Sun, 05/24/2020 - 05:40

How to find ulimit for user on Linux

nixCraft - Sun, 05/24/2020 - 03:15

How can I find the correct ulimit values for a user account or process on Linux systems?

Open Source Security Report Finds Library-Induced Flaws in 70% of Applications

Slashdot.org - Sun, 05/24/2020 - 02:34
The State of Software Security (SOSS): Open Source Edition "analyzed the component open source libraries across the Veracode platform database of 85,000 applications which includes 351,000 unique external libraries," reports TechRepublic. "Chris Eng, chief research officer at Veracode, said open source software has a surprising variety of flaws." "An application's attack surface is not limited to its own code and the code of explicitly included libraries, because those libraries have their own dependencies," he said. The study found that 70% of applications have a security flaw in an open source library on an initial scan. Other findings from the report: The most commonly included libraries are present in over 75% of applications for each language. 47% of those flawed libraries in applications are transitive. More than 61% of flawed libraries in JavaScript contain vulnerabilities without corresponding common vulnerabilities and exposures (CVEs). Fixing most library-introduced flaws can be done with a minor version upgrade. Using any given PHP library has a greater than 50% chance of bringing a security flaw along with it.
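The report's distinction between direct and transitive library flaws is easy to get wrong when reading a manifest, because only the direct dependencies are visible there. The following is an added C++ example (not code from Veracode or from the report) that walks a constructed, hypothetical dependency graph from an application's declared dependencies and classifies every reachable flawed library as direct or transitive; the library names and the graph are invented for the illustration.

```cpp
#include <map>
#include <queue>
#include <set>
#include <string>
#include <vector>

// Hypothetical dependency graph (constructed for this example, not report data):
// key = library, value = the libraries that library itself declares.
using Graph = std::map<std::string, std::vector<std::string>>;

struct Exposure {
    std::set<std::string> direct;      // flawed libraries the application declares itself
    std::set<std::string> transitive;  // flawed libraries reached only through other libraries
};

// Breadth-first walk from the application's declared dependencies. Every library
// reached is part of the attack surface, whether or not the application names it.
Exposure classify_flawed(const Graph& g,
                         const std::vector<std::string>& app_deps,
                         const std::set<std::string>& flawed) {
    Exposure out;
    const std::set<std::string> declared(app_deps.begin(), app_deps.end());
    std::set<std::string> seen(declared);
    std::queue<std::string> work;
    for (const auto& d : app_deps) work.push(d);
    while (!work.empty()) {
        const std::string lib = work.front();
        work.pop();
        if (flawed.count(lib))
            (declared.count(lib) ? out.direct : out.transitive).insert(lib);
        auto it = g.find(lib);
        if (it == g.end()) continue;  // leaf: declares no dependencies of its own
        for (const auto& child : it->second)
            if (seen.insert(child).second) work.push(child);  // visit each library once
    }
    return out;
}

// Sample application: it declares two libraries. Flaws are known in four libraries,
// one of which ("unrelated-lib") is not reachable from this application at all and
// therefore should not appear in either set.
Exposure sample_exposure() {
    const Graph g = {
        {"web-framework",   {"template-engine", "http-parser"}},
        {"template-engine", {"html-escape"}},
        {"http-parser",     {"html-escape"}},  // html-escape is reached by two paths
        {"yaml-loader",     {"regex-lite"}},
    };
    const std::vector<std::string> app_deps = {"web-framework", "yaml-loader"};
    const std::set<std::string> flawed = {"yaml-loader", "html-escape",
                                          "http-parser", "unrelated-lib"};
    return classify_flawed(g, app_deps, flawed);
}
```

In the sample, "yaml-loader" is a direct exposure the application can fix by bumping its own pin, while "html-escape" and "http-parser" are transitive: the application never names them, so the fix is either a newer "web-framework" that pulls a repaired version or an explicit override of the transitive version, which is why a scan of the manifest alone misses them.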

With Highway Traffic Down, Are Reckless Drivers Still Increasing Highway Fatalities?

Slashdot.org - Sat, 05/23/2020 - 22:34
Highway patrols across America "are reporting a rise in reckless driving," writes ABC News. Slashdot reader quonset shared their report: In Connecticut, traffic has been cut in half compared to last year, but fatal motor vehicle accidents are up by about 40%. "We're finding that with the open roads, certain individuals are taking this as an opportunity to push their vehicles to the limit," Connecticut State Police Trooper Josue Dorelus told ABC News' Transportation Correspondent Gio Benitez. Dorelus said they have seen a 90% increase in cars going over 15 miles above the speed limit during the coronavirus pandemic... "When you're going in excess of 100 miles an hour, these crashes are inevitably going to be fatal or near fatal," Advocates for Highway and Auto Safety President Cathy Chase told ABC News. In Massachusetts, the fatality rate for car crashes is rising. In Minnesota, motor vehicle crashes and fatalities have more than doubled compared to the same time period in previous years... Pam Shadel Fischer, the Governors Highway Safety Association's senior director of external engagement, said it could be because it is harder for drivers to gauge their own speed without other drivers on the road. I wonder if that percentage increase of fatalities appears higher in low-population states like Connecticut (3.565 million people). The article also notes that in California (population 39.5 million), their Highway Patrol "issued nearly 2,500 citations statewide for driving over 100 miles per hour from mid-March to mid-April -- an 87% jump from the same time last year..." But another article points out that from March 19 to April 30, the overall number of crashes in California dropped 75% while the number of people killed declined by 88%, and there was a 62% decrease in injuries (plus a 42% drop in DUI arrests). 
Interestingly, that same article points out that from late March 19 to May 13 there were 6,043 citations for driving over 100 miles per hour -- so it's spiked by 3,543 in the last month since "mid-April", to a number that's over 1,000 more than the month before.

Distribution Release: GoboLinux 017

DistroWatch.com - Sat, 05/23/2020 - 22:01
Lucas Villa Real has announced the release of GoboLinux 017, a new stable build of the project's independently-developed Linux distribution which departs from the standard UNIX filesystem hierarchy by replacing it with a database-like structure. The new GoboLinux also introduces a Homebrew-style package management and the latest version....

Munich Says It's Now Shifting Back From Microsoft to Open Source Software -- Again

Slashdot.org - Sat, 05/23/2020 - 20:34
Newly-elected politicians in Munich "have decided its administration needs to use open-source software, instead of proprietary products like Microsoft Office," reports ZDNet: "Where it is technologically and financially possible, the city will put emphasis on open standards and free open-source licensed software," a new coalition agreement negotiated between the recently elected Green party and the Social Democrats says. The agreement was finalized May 10 and the parties will be in power until 2026. "We will adhere to the principle of 'public money, public code'. That means that as long as there is no confidential or personal data involved, the source code of the city's software will also be made public," the agreement states... Munich began the move away from proprietary software at the end of 2006... By 2013, 80% of desktops in the city's administration were meant to be running LiMux software. In reality, the council continued to run the two systems — Microsoft and LiMux — side by side for several years to deal with compatibility issues. As the result of a change in the city's government, a controversial decision was made in 2017 to leave LiMux and move back to Microsoft by 2020. At the time, critics of the decision blamed the mayor and deputy mayor and cast a suspicious eye on the US software giant's decision to move its headquarters to Munich. In interviews, a former Munich mayor, under whose administration the LiMux program began, has been candid about the efforts Microsoft went to to retain their contract with the city. The migration back to Microsoft and to other proprietary software makers like Oracle and SAP, costing an estimated €86.1m ($93.1m), is still in progress today. "We're very happy that they're taking on the points in the 'Public Money, Public Code' campaign we started two and a half years ago," Alex Sander, EU public policy manager at the Berlin-based Free Software Foundation Europe, tells ZDNet. 
But it's also important to note that this is just a statement in a coalition agreement outlining future plans, he says. "Nothing will change from one day to the next, and we wouldn't expect it to," Sander continued, noting that the city would also be waiting for ongoing software contracts to expire. "But the next time there is a new contract, we believe it should involve free software."

Java Programming Language Celebrates Its 25th Birthday. What's Next?

Slashdot.org - Sat, 05/23/2020 - 18:34
May 23rd marks the 25th anniversary of the day Sun Microsystems introduced Java to the world, notes InfoWorld. Looking at both the present and the future, they write that currently Java remains popular "with enterprises even as a slew of rival languages, such as Python and Go, now compete for the hearts and minds of software developers." Java continues to rank among the top three programming languages in the most prominent language popularity indexes — Tiobe, RedMonk, and PyPL. Java had enjoyed a five-year stint as the top language in the Tiobe index until this month, when it was overtaken by the C language, thanks perhaps to the combination of C's wide use in medical equipment and the urgency of the COVID-19 pandemic. Nevertheless, Java represents a huge ecosystem and source of jobs. There were an estimated nine million Java developers worldwide in 2017, according to Oracle. A recent search of jobs site Dice.com found nearly 12,000 Java-related jobs in the USA, compared to roughly 9,000 jobs in JavaScript and 7,600 in Python. Plus, Java has spawned an enormous ecosystem of tools ranging from the Spring Framework to application servers from companies such as IBM, Red Hat, and Oracle to the JavaFX rich media platform. The developers behind Java — including Oracle and the broader OpenJDK community — have kept the platform moving forward. Released two months ago, Java 14, or Java Development Kit (JDK) 14, added capabilities including switch expressions, to simplify coding, and JDK Flight Recorder (JFR) Event Streaming, for continuous consumption of JFR data. Up next for Java is JDK 15, set to arrive as a production release in September 2020, with capabilities still being lined up for it. So far, the features expected include a preview of sealed classes, which provide more-granular control over code, and records, which provide classes that act as transparent carriers for immutable data. 
Also under consideration for Java is a plan dubbed Project Leyden, which would address "longterm pain points" in Java including resource footprint, startup time, and performance issues by introducing static images to the platform.

America's CDC and 11 States Erroneously Conflated Two Kinds of Coronavirus Tests

Slashdot.org - Sat, 05/23/2020 - 17:34
America's Center for Disease Control "is conflating viral and antibody tests..." writes the Atlantic, "distorting several important metrics and providing the country with an inaccurate picture of the state of the pandemic." Thelasko shared their report: We've learned that the CDC is making, at best, a debilitating mistake: combining test results that diagnose current coronavirus infections with test results that measure whether someone has ever had the virus. The upshot is that the government's disease-fighting agency is overstating the country's ability to test people who are sick with COVID-19... The widespread use of the practice means that it remains difficult to know exactly how much the country's ability to test people who are actively sick with COVID-19 has improved. "You've got to be kidding me," Ashish Jha, the K. T. Li Professor of Global Health at Harvard and the director of the Harvard Global Health Institute, told us when we described what the CDC was doing. "How could the CDC make that mistake? This is a mess...." By combining the two types of results, the CDC has made them both "uninterpretable," he said... [T]he portion of tests coming back positive has plummeted, from a seven-day average of 10 percent at the month's start to 6 percent on Wednesday. "The numbers have outstripped what I was expecting," Jha said. "My sense is people are really surprised that we've moved as much as we have in such a short time period. I think we all expected a move and we all expected improvement, but the pace and size of that improvement has been a big surprise." The intermingling of viral and antibody tests suggests that some of those gains might be illusory. "The CDC is not alone in its errors," notes a Reason article shared by schwit1. "Several states have been blending their test results as well, rendering it difficult to determine the local impact of the virus." 
But the CDC's role as the officially designated first line of defense makes the agency's failure far more significant. Without clear, reliable, and accurate reporting from the CDC, it becomes nearly impossible to take stock of the pandemic's damage. The virus has upended American life in ways that make it unusually difficult to predict the future. But thanks to the CDC, we have a problem that is even worse: Not only do we not know what is going to happen, but we don't know what is happening.

Trump Administration Mulls First US Nuclear Test in Decades

Slashdot.org - Sat, 05/23/2020 - 17:04
The Trump administration "has discussed whether to conduct the first U.S. nuclear test explosion since 1992," reports the Washington Post, "in a move that would have far-reaching consequences for relations with other nuclear powers and reverse a decades-long moratorium on such actions, said a senior administration official and two former officials familiar with the deliberations." The matter came up at a meeting of senior officials representing the top national security agencies last Friday, following accusations from administration officials that Russia and China are conducting low-yield nuclear tests — an assertion that has not been substantiated by publicly available evidence and that both countries have denied. A senior administration official, who like others spoke on the condition of anonymity to describe the sensitive nuclear discussions, said that demonstrating to Moscow and Beijing that the United States could "rapid test" could prove useful from a negotiating standpoint as Washington seeks a trilateral deal to regulate the arsenals of the biggest nuclear powers. The meeting did not conclude with any agreement to conduct a test, but a senior administration official said the proposal is "very much an ongoing conversation." Another person familiar with the meeting, however, said a decision was ultimately made to take other measures in response to threats posed by Russia and China and avoid a resumption of testing... During the meeting, serious disagreements emerged over the idea, in particular from the National Nuclear Security Administration, according to two people familiar with the discussions. The Post points out that since 1945 "at least eight countries have collectively conducted about 2,000 nuclear tests, of which more than 1,000 were carried out by the United States. 
"The environmental and health-related consequences of nuclear testing moved the process underground, eventually leading to a near-global moratorium on testing in this century with the exception of North Korea."

America Makes a Big Investment In Next-Gen Nuclear Power

Slashdot.org - Sat, 05/23/2020 - 16:34
America's Department of Energy "has started a new Office of Nuclear Energy projects called the Advanced Reactor Demonstration Program" (or ARDP) reports Popular Mechanics: "The $230 million program will give $160 million to scientists working on two reactor designs that 'can be operational' in the very near future." The "Advanced" part of ARDP is an industry term for the generation of reactors we have today... Generation IV — the super advanced reactors? — are in the research phase, but the ARDP statements mention development into the mid 2030s and likely includes generation IV. So the technical difference may be arbitrary, but the advanced reactors are often safer, smaller in overall form factor, and more standardized in order to be easier to install and scale. Most existing power plants are idiosyncratic, built on a case-by-case basis to suit individual communities or use cases. A more uniform process means plants that are easier to secure, support, and regulate. One of the leading projects the Nuclear Energy Institute (NEI) mentions may sound familiar: "NuScale Power LLC is expected to receive the first small modular reactor design certification from the U.S. Nuclear Regulatory Commission later this year," the NEI reports. NuScale's tiny modular reactor is designed to be deployed for small communities with lower power needs and embodies advanced reactor values. (NuScale received previous funding and is not eligible for this program.)
