Post Syndicated from original https://lwn.net/Articles/918607/
Security updates have been issued by Debian (kernel, libksba, and mbedtls), Fedora (containerd, curl, firefox, kernel, mod_auth_openidc, and xorg-x11-server), and Mageia (chromium-browser-stable).
Post Syndicated from The History Guy: History Deserves to Be Remembered original https://www.youtube.com/watch?v=s3t0gnYTbDg
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/12/lastpass-breach.html
Last August, LastPass reported a security breach, saying that no customer information—or passwords—were compromised. Turns out the full story is worse:
While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.
[…]
To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
That’s bad. It’s not an epic disaster, though.
These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.
So, according to the company, if you chose a strong master password—here’s my advice on how to do it—your passwords are safe. That is, you are secure as long as your password is resilient to a brute-force attack. (That they lost customer data is another story….)
Fair enough, as far as it goes. My guess is that many LastPass users do not have strong master passwords, even though the compromise of your encrypted password file should be part of your threat model. But, even so, note this unverified tweet:
I think the situation at @LastPass may be worse than they are letting on. On Sunday the 18th, four of my wallets were compromised. The losses are not significant. Their seeds were kept, encrypted, in my lastpass vault, behind a 16 character password using all character types.
If that’s true, it means that LastPass has some backdoor—possibly unintentional—into the password databases that the hackers are accessing. (Or that @Cryptopathic’s “16 character password using all character types” is something like “P@ssw0rdP@ssw0rd.”)
My guess is that we’ll learn more during the coming days. But this should serve as a cautionary tale for anyone who is using the cloud: the cloud is another name for “someone else’s computer,” and you need to understand how much or how little you trust that computer.
If you’re changing password managers, look at my own Password Safe. Its main downside is that you can’t synch between devices, but that’s because I don’t use the cloud for anything.
News articles. Slashdot thread.
EDITED TO ADD: People choose lousy master passwords.
Post Syndicated from Techmoan original https://www.youtube.com/watch?v=e0kh9BXzAww
Post Syndicated from original https://lwn.net/Articles/918585/
Linus has released 6.2-rc1 and closed the
merge window for this release. “So it’s Christmas Day here, but it’s also Sunday afternoon two weeks
”
after the 6.2 merge window opened. So holidays or not, the kernel
development show must go on.
Post Syndicated from Matt Granger original https://www.youtube.com/watch?v=md_0q0reTMM
Post Syndicated from original https://xkcd.com/2716/
Post Syndicated from Technology Connextras original https://www.youtube.com/watch?v=7hdJQkn8rtA
Post Syndicated from digiblurDIY original https://www.youtube.com/watch?v=LcdCvSFHQE4
Post Syndicated from original https://vasil.ludost.net/blog/?p=3460
Аз май не съм писал от известно време, та преди стандартния равносметъчен post да пробвам нещо по-малко скучно.
Преди има-няма 4 години си взех едно ново дъно от китайски оптимисти за T60. Машинката, в която го пъхнах ми случи вярно доста години, но вече взе да и идва много, да не мога да и намирам батерия и самата и пластмаса да сдава багажа. Като добавим и проблемите, които винаги съм имал с видео картата, си стана време за ново желязо.
Един друг оптимист беше тръгнал да прави ново дъно и да може да сглобява цели машини, ама lockdown-а му се отрази бая зле и в крайна сметка май нищо няма да излезе.
Та, реших да намеря нещо, което да е максимално поносимо, и стигах до thinkpad t14 gen3. Има средно поносима клавиатура, не е 16:9, а 16:10 (което е малко по-поносимо), и твърди, че батерията му държи над няколко часа. Взех го в петък, и сравнително лесно го инсталирах.
След няколко часа точене (да живее гигабитовата мрежа и nvme/ssd-тата, че правеха по 120MB/s) си пренесох данните, и с още половин ден ръчкане си пренесох работната среда (в момента пиша от него и не може да се познае, че е нещо друго). compiz-а си работи като слънце, след един BIOS update и външните монитори почнаха да се виждат, и определено е по-тих от старото желязо.
Най-голямото забавление беше един бъг на xfce. В началото, като го закачах тестово на docking станцията, то я разпозна като 52″ монитор, и нещо в xfce-то запомни, че дисплея е невероятно широк, съответно всичките кутийки на workspace switcher-а бяха станали ужасно широки, дотолкова, че на екрана се събираха само 3-4. Рових, рових, не намерих някой друг със същия проблем (или това, дето намерих се твърдеше, че е оправено), та накрая свалих source на xfce4-panel, намерих къде смята съотношението на височина към ширина и го hardcode-нах на 1 (тъкмо ще пасва на квадратния монитор). Та 20 минути работа по кода (с компилирането) реши проблем, на който бях отделил поне два часа ровене и четене. После как чукчата да не е писател…
Остана да видим как ще се разбере с носенето м/у вкъщи и офиса и смяната на монитори, но това вероятно няма да е голяма болка (famous last words)…
Post Syndicated from Matt Granger original https://www.youtube.com/watch?v=Sa1wZWrpDjo
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2022/12/friday-squid-blogging-injured-giant-squid-and-paddleboarder.html
Here’s a video—I don’t know where it’s from—of an injured juvenile male giant squid grabbing on to a paddleboard.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
Post Syndicated from Daniel Fuertes original https://aws.amazon.com/blogs/security/2022-pitukri-isae-3000-type-ii-attestation-report-available-with-154-services-in-scope/
Amazon Web Services (AWS) is pleased to announce the second issuance of the Criteria to Assess the Information Security of Cloud Services (PiTuKri) International Standard on Assurance Engagements (ISAE) 3000 Type II attestation report. The scope of the report covers a total of 154 services and 24 global AWS Regions.
The Finnish Transport and Communications Agency (Traficom) Cyber Security Centre published PiTuKri, which consists of 52 criteria that provide guidance when assessing the security of cloud service providers. The criteria are organized into the following 11 subdivisions:
It is our pleasure to announce the addition of 16 new services and two new Regions to our PiTuKri attestation scope. A few examples of the new security services included are:
The latest report covers the period from October 1, 2021 to September 30, 2022. It was issued by an independent third-party audit firm to assure customers that the AWS control environment is appropriately designed and implemented in accordance with PiTuKri requirements. This attestation demonstrates the AWS commitment to meet security expectations for cloud service providers set by Traficom.
Customers can find the full PiTuKri ISAE 3000 report on AWS Artifact. To learn more about the complete list of certified services and Regions, customers can also refer to AWS Compliance Programs and AWS Services in Scope for PiTuKri.
AWS strives to continuously bring new services into scope of its compliance programs to help customers meet their architectural and regulatory needs. Please reach out to your AWS account team for any questions about the PiTuKri report.
If you have feedback about this post, please submit them in the Comments section below.
Want more AWS Security news? Follow us on Twitter.
Post Syndicated from Daniel Fuertes original https://aws.amazon.com/blogs/security/2022-finma-isae-3000-type-ii-attestation-report-now-available-with-154-services-in-scope/
Amazon Web Services (AWS) is pleased to announce the third issuance of the Swiss Financial Market Supervisory Authority (FINMA) International Standard on Assurance Engagements (ISAE) 3000 Type II attestation report. The scope of the report covers a total of 154 services and 24 global AWS Regions.
The latest FINMA ISAE 3000 Type II report covers the period from October 1, 2021, to September 30, 2022. AWS continues to assure Swiss financial industry customers that our control environment is capable of effectively addressing key operational, outsourcing, and business continuity management risks.
The report covers the five core FINMA circulars regarding outsourcing arrangements to the cloud. FINMA circulars help Swiss-regulated financial institutions to understand the approaches FINMA takes when implementing due diligence, third-party management, and key technical and organizational controls for cloud outsourcing arrangements, particularly for material workloads.
The scope of the report covers the following requirements of the FINMA circulars:
It is our pleasure to announce the addition of 16 services and two Regions to the FINMA ISAE 3000 Type II attestation scope. The following are a few examples of the additional security services in scope:
Customers can continue to reference the FINMA workbooks, which include detailed control mappings for each FINMA circular covered under this audit report, through AWS Artifact. Customers can also find the entire FINMA report on AWS Artifact. To learn more about the list of certified services and Regions, see AWS Compliance Programs and AWS Services in Scope for FINMA.
As always, AWS is committed to adding new services into our future FINMA program scope based on your architectural and regulatory needs. If you have questions about the FINMA report, contact your AWS account team.
If you have feedback about this post, please submit them in the Comments section below.
Want more AWS Security news? Follow us on Twitter.
Post Syndicated from Ignasi Nogués original https://aws.amazon.com/blogs/big-data/clickedu-uses-amazon-quicksight-embedded-to-empower-school-administrators-with-key-educational-institution-health-insights/
This is a guest post by Ignasi Nogués and Georgina Valls from Clickedu.
With more than 1.5 million unique users across 700 schools and core values that include connectivity, reliability, and innovation, Clickedu is the leading educational platform in Spain. Offering both a school administration system and a digital learning environment, Clickedu is one of the most comprehensive education tools in the European market for K–12 schools. Founded in 2000, Clickedu was acquired by Finland-based Sanoma Learning Group, a leading European learning and media company, in 2019.
Having originally started as an IT company, Clickedu has always been focused on providing products and services designed specifically for the education sector. Through continuous partnership with school administrators and education professionals, our development process is firmly rooted in listening to feedback and making prioritization decisions based on what customers tell us is most important to them. Because schools are the central focus of our research and development efforts, our service and product quality standards remain high.
Our mission is to help schools invest their time in educational objectives, with as little time as possible dedicated to bureaucratic tasks. To help administrators in human resources (HR), finance, and academic departments make more strategic, data-driven decisions across networks of educational centers, we launched Clickedu Analytics. This product provides data analysis and presents insights in easy-to-understand dashboards with insightful visualizations. When researching business intelligence (BI) tools that would meet our needs for what we wanted Clickedu Analytics to do, we needed look no further than Amazon QuickSight.
In this post, we discuss why we chose QuickSight and will cover some of the post-implementation outcomes.
Clickedu provides a cloud-based school platform that includes academic, administrative, and economic management tools and a virtual learning management system (LMS) with a connection to digital books and free content. For administrators, Clickedu’s software provides an interface to manage teachers, tutors, and heads of studies, as well as a communication environment for messaging families.
With so many data points spanning the full scope of the platform’s centralized capabilities across HR, finance, and academics, the untapped potential in that data presented a huge opportunity. We set out with the goal of building a BI experience that would enable us to quickly and efficiently analyze that data, visualize the results, and use those insights to better serve our customers.
The following screenshot shows a dashboard visualization of student distribution based on several different factors.
With dashboards built specifically to surface helpful information, school administrators are better able to make informed decisions based on clear, easy-to-understand insights. Reports can be generated to show academic results, pre-registrations, absences, etc., and all of it can be filtered by school year, institution, center, stage, courses, and classes.
Thanks to the information QuickSight delivers via Clickedu Analytics, our HR teams can see how many teachers in a group are likely to retire soon, or academic teams can see how language qualifications are progressing. Having fast, easy access to key insights like these help us be more proactive in identifying areas that might need attention before they become issues that demand a reaction.
The biggest challenge our customers were facing was a lack of visibility into aggregate data points that impacted several schools within a group. Speed, agility, and responsiveness are crucial when it comes to spotting trends in data points that signal issues in need of attention or wins deserving of celebration. Prior to implementing QuickSight, it would take time and resources to research whether something identified at one school was also showing up in the data points for the others. Now, administrators have full visibility to all relevant data across an entire network of schools with just a few clicks on their Clickedu Analytics dashboards.
After reviewing several other BI vendor products and evaluating the pros and cons of each, Amazon QuickSight was chosen as our Clickedu Analytics BI tool for these reasons.
Being able to export reports into PDFs, add new datasets, and the ease of combining with third-party data all contributed to swaying our decision to QuickSight.
QuickSight has empowered us to bring our Clickedu Analytics platform to the next level in providing the visibility and scalability we need to best serve our customers. We’re very excited to continue to iterate on what we’ve built with plans to expand access from the school groups and institutions who are currently using Clickedu Analytics to have it available to all schools that are in need of data management solutions.
Looking to the future, we see potential to do more with QuickSight in the learning management system (LMS) space. We are considering Amazon QuickSight Q, a machine learning-powered natural language capability that gives anyone in an organization the ability to ask business questions in natural language and receive accurate answers with relevant visualizations instantly without needing to go back to the dashboard author. There is ample potential to implement QuickSight Q as a means of querying and receiving information on our digital content.
To learn more about how you can embed customized data visuals, interactive dashboards, and natural language querying into any application, visit Amazon QuickSight Embedded.
To learn more about Clickedu, Spain’s leading platform for school administration, visit www.clickedu.net.
Ignasi Nogués is the founder and the CTO of Clickedu. He is, by definition, a big entrepreneur and a dreamer. He drove the company since 2000 to success due to hard work. He always wants to take the next step.
Georgina Valls is the Marketing Manager of Clickedu. She is a hardworker, dedicated to letting others know about Clickedu and its capabilities. As the daughter of teachers, she is very passionate about creating a brighter future in education.
Post Syndicated from original https://lwn.net/Articles/918344/
The kernel project tries hard to avoid duplicating functionality within its
code base; whenever possible, a single subsystem is made to serve all use
cases. There is one notable exception to this rule, though: there are
three object-level memory allocators (“slab allocators”) in the kernel.
The desire to reduce the count has been growing stronger over the years,
and some steps have been taken in 6.2 to eliminate the least-loved
allocator — SLOB — in the relatively near future.
Post Syndicated from Crosstalk Solutions original https://www.youtube.com/watch?v=OgC-4KlKFYU
Post Syndicated from Michelle Mannering original https://github.blog/2022-12-23-whats-with-all-the-ducks/
Black eyes.
Orange beak.
Large yellow body.
Rubbery texture…
…often seen floating in baths.
What are we talking about? Rubber ducks, of course. Now the question you might be asking, “Why is everyone obsessed with rubber ducks?” You may have seen our new “What is GitHub?” video making its way around the internet. Outside of the famous comedian, whom you may recognize, you saw a new character floating around (literally). And if you were at GitHub Universe this year or tuned into the livestream, you probably saw lots of physical rubber ducks dispersed throughout.
So, what in the world do rubber ducks have to do with programming? And why were they everywhere? A lot of you asked, so I’m here to help explain.
Our story starts back in 1999, when a book was released, The Pragmatic Programmer by Andrew Hunt. The story describes a computer programmer who sat a rubber duck down one fine day, and explained his code to the duck—line by line!
The process of speaking the code out loud helped the developer understand the code and gain greater insight into his work. After all, rubber ducks don’t talk back!
The technique stuck. It’s now called rubber duck debugging or rubberducking. Of course, it doesn’t need to be only rubber ducks, but the term stuck and is part of developer lingo. So, in our effort to explain all the things GitHub can do for developers and businesses, we used this same technique, with our own special rubber duck. Our duck takes a journey through all the elements of GitHub that make it the most complete developer platform to build, scale, and deliver secure software.
If anyone missed the significance of rubber ducks, @film_girl and @anjuan explained it during the live stream at #GitHubUniverse
Sound (or subs) on! pic.twitter.com/p7G3eZwqBc
— Mish
If rubber duck debugging is new to you, try it out! It doesn’t just work with code, either. If you’re ever stuck, try talking through your problem or challenge out loud, whether it’s to that plant on your desk, a roommate, your family, or even your dog. In the meantime, your code on GitHub is waiting to be explained to your new yellow friend.
Post Syndicated from BeardedTinker original https://www.youtube.com/watch?v=S8nGS9nrQC0
Michelle Mannering (@MishManners)