This week Jonathan and Rob chat with Cody Zuschlag about the Xen project! It’s the hypervisor that runs almost everywhere. Why is it showing up in IoT devices and automotive? And what’s coming next for the project? Watch to find out!
Continue reading “FLOSS Weekly Episode 853: Hardware Addiction; Don’t Send Help”
This week, a US federal court has ruled that NSO Group is no longer allowed to use Pegasus spyware against users of WhatsApp. And for their trouble, NSO was also fined $4 million. It’s unclear how much this ruling will actually change NSO’s behavior, as it intentionally stopped short of applying to foreign governments.
There may be an unexpected source of leverage the US courts can exert over NSO, with the news that American investors are acquiring the company. Among the requirements of the ruling is that NSO cannot reverse engineer WhatsApp code, cannot create new WhatsApp accounts, and must delete any existing WhatsApp code in their possession. Whether this actually happens remains to be seen.
Continue reading “This Week In Security: Court Orders, GlassWorm, TARmageddon, And It Was DNS”
This week Jonathan talks to Robert Wolff about DevEco! How did this developer group come to be, and what is its purpose? What are the lessons learned about building communities and working with others? Watch to find out!
Continue reading “FLOSS Weekly Episode 852: Sir, This Is A Wendy’s”
F5 is unintentionally dabbling in releasing the source code behind their BIG-IP networking gear, announcing this week that an unknown threat actor had access to their internal vulnerability and code tracking systems. This security breach was discovered on August 9th, and in the time since, F5 has engaged with CrowdStrike, Mandiant, and NCC Group to review what happened.
So far it appears that the worst result is access to unreleased vulnerabilities in the F5 knowledge management system. This means that any unpatched vulnerabilities were effectively 0-days, though the latest set of patches for the BIG-IP system has fixed those flaws. There aren’t any reports of those vulnerabilities being exploited in the wild, and F5 has stated that none of the leaked vulnerabilities were critical or allowed for remote exploitation.
Slightly more worrying is that this access included the product development environment. The problem there isn’t particularly the leak of the source code — one of the covered projects is NGINX, which is already open source software. The real danger is that changes could have been surreptitiously added to those codebases. The fact that NGINX is Open Source goes a long way to alleviate that danger, and when combined with the security built into tools like git, it seems very unlikely that malicious code could be sneaked into the NGINX public code base. A thorough review of the rest of the F5 codebases has similarly come up negative, and so far it looks like the supply-chain bullet has been dodged. Continue reading “This Week In Security: F5, SonicWall, And The End Of Windows 10”
This week Jonathan talks to James Cole about Firefly III, the personal finance manager! This one itches James’ own itch, but brings great visualization and management tools for your personal finances!
Continue reading “FLOSS Weekly Episode 851: Buckets Of Money”
Discord had a data breach back on September 20th, via an outsourced support contractor. It seems it was a Zendesk instance that was accessed for 58 hours through a compromised contractor user account. There have been numbers thrown around from groups claiming to be behind the breach, like 1.6 Terabytes of data downloaded, 5.5 million user affected, and 2.1 million photos of IDs.
Discord has pushed back on those numbers, stating that it’s about 70,000 IDs that were leaked, with no comments on the other claims. To their credit, Discord has steadfastly refused to pay any ransom. There’s an interesting question here: why were Discord users’ government issued IDs on record with their accounts?
The answer is fairly simple: legal compliance. Governments around the world are beginning to require age verification from users. This often takes the form of a scan of valid ID, or even taking a picture of the user while holding the ID. There are many arguments about whether this is a good or bad development for the web, but it looks like ID age verification is going to be around for a while, and it’ll make data breaches more serious.
In similar news, Salesforce has announced that they won’t be paying any ransoms to the group behind the compromise of 39 different Salesforce customers. This campaign was performed by calling companies that use the Salesforce platform, and convincing the target to install a malicious app inside their Saleforce instance. Continue reading “This Week In Security: ID Breaches, Code Smell, And Poetic Flows”
This week Jonathan and Aaron chat with Piers Finlayson about One ROM! Why does the retro-computing world need a solution for replacement ROMs? How difficult was it to squeeze a MCU and layout into the original ROM footprint? And what’s next for the project? Listen to find out!
Continue reading “FLOSS Weekly Episode 850: One ROM To Rule Them All”
