Tux Machines


Proprietary Software and Security Woes


Posted by Roy Schestowitz on Sep 16, 2022



↺ CIO


Uber says responding to 'cybersecurity incident' after report of network breach



> The Slack system was taken offline on Thursday afternoon by Uber after employees received the message from the hacker, according to the Times report, citing two employees, who were not authorized to speak publicly.



Uber Investigating Breach of Its Computer Systems



> The breach appeared to have compromised many of Uber’s internal systems, and a person claiming responsibility for the hack sent images of email, cloud storage and code repositories to cybersecurity researchers and The New York Times.



EU wants tough rules on 'internet of things' products



> "Computers, phones, household appliances, virtual assistance devices, cars, toys... each and every one of these hundreds of million connected products is a potential entry point for a cyberattack," said Internal Market Commissioner Thierry Breton.



It's Time to PuTTY! DPRK Job Opportunity Phishing via WhatsApp



> The techniques used by UNC4034 in this compromise, along with the techniques used in countless intrusions investigated by Mandiant, are used to continuously develop and refine threat hunting hypotheses within Managed Defense. These provide high fidelity and actionable leads that are informed by evolving threat actor tradecraft.



Fully Oxidizing `ring`: Creating a Pure Rust TLS Stack Based on `rustls` + `ring`



> I really want to understand all the software that runs on my secure devices.


> It’s a bit of a quixotic quest, but so far we’ve made pretty good progress towards this goal: I’ve been helping to write the Xous OS from the ground up in pure Rust – from the bootloader to the apps. Xous now has facilities like secure storage, a GUI toolkit, basic networking, and a password vault application that can handle U2F/FIDO, TOTP, and plaintext passwords.


> One of the biggest challenges has been keeping our SBOM (software bill of materials) as small as possible. I consider components of the SBOM to be part of our threat model, so we very selectively re-write crates and libraries that are too bloated. This trades off the risk of introducing new bugs in our hand-rolled code versus the risk of latent, difficult-to-discover bugs buried in more popular but bloated libraries. A side benefit of this discipline is that to this day, Xous builds on multiple platforms with nothing more than a default Rust compiler – no other tooling necessary. It does mean we’re putting a lot of trust in the intractably complicated `rustc` codebase, but better than also including, for example, `gcc`, `nasm`, and `perl` codebases as security-critical SBOM components.



EFF’s DEF CON 30 Puzzle—SOLVED



> For EFF’s lucky 13th member t-shirt at DEF CON 30, we had the opportunity to collaborate with iconic hacker artist Eddie the Y3t1 Mize and the esteemed multi-year winners of EFF’s t-shirt puzzle challenge: Elegin, CryptoK, Detective 6, and jabberw0nky of the Muppet Liberation Front.




-- Page fetched on Fri Jun 14 05:18:01 2024