Links 3/3/2020: DragonFlyBSD 5.8, Kubeflow 1.0, Dust3D 1.0.0 RC, Blender LTS and 3.0 Plans

admin


The Linux Foundation: It’s not just the Linux operating system

The Linux Foundation permits its projects to concentrate on the daily business of software development, while also allowing the administrative overhead to be managed by seasoned professionals that can provide the necessary legal and financial oversight at scale. The growth of the Linux Foundation over the past two decades, and most recently, the last seven years, can be attributed to the diversity of value-added support programs that make it unique among organizations enabling technical collaboration. Whether a collaboration covers software, hardware designs, standards, or open data, the Linux Foundation has developed templates, models, and best practices to support an open community model. The Linux Foundation’s adherence to core principles of neutrality, transparent governance, intellectual property clarity, and its fostering of a vibrant commercial support ecosystem has enabled it to work with some of the most innovative communities developing technology the entire world depends on every day. That’s an amazing opportunity and responsibility — we hope you will consider working with us on your next open community project.

Security

Security updates for Monday

Security updates have been issued by Arch Linux (chromium and webkit2gtk), Debian (collabtive, dojo, firebird2.5, gst-plugins-base0.10, libapache2-mod-auth-openidc, openjdk-7, php5, python-bleach, and rrdtool), Fedora (kernel, kernel-headers, kernel-tools, mingw-openjpeg2, and openjpeg2), Mageia (hiredis, kernel, rsync, wireshark, and zsh), openSUSE (cacti, cacti-spine, libexif, proftpd, python-azure-agent, python3, and webkit2gtk3), Oracle (ppp), SUSE (permissions), and Ubuntu (libarchive).

PSA: jQuery is bad for the security of your project
For some time I thought that jQuery was a thing of the past, only being used in old projects for legacy reasons. I mean, there are now so many better frameworks, why would anyone stick with jQuery and its numerous shortcomings? Then some colleagues told me that they weren’t aware of jQuery’s security downsides.

And I recently discovered two big vulnerabilities in antivirus software 1 2 which existed partly due to excessive use of jQuery. So here is your official public service announcement: jQuery is bad for the security of your project.

By that I don’t mean that jQuery is inherently insecure. You can build a secure project on top of jQuery, if you are sufficiently aware of the potential issues and take care. However, the framework doesn’t make it easy. It’s not secure by default, it rather invites programming practices which are insecure. You have to constantly keep that in mind and correct for it. And if you don’t pay attention just once you will end up with a security vulnerability.

[…]

You might have noticed a pattern above which affects many jQuery functions: the same function will perform different operations depending on the parameters it receives. You give it something and the function will figure out what you meant it to do.

The jQuery() function will accept among other things a selector of the element to be located and HTML code of an element to be created. How does it decide which one of these fundamentally different operations to perform, with the parameter being a string both times? The initial logic was: if there is something looking like an HTML tag in the contents it must be HTML code, otherwise it’s a selector.

And there you have the issue: often websites want to find an element by selector but use untrusted data for parts of that selector. So attackers can inject HTML code into the selector and trick jQuery into substituting the safe “find element” operation by a dangerous “create a new element.” A side-effect of the latter would be execution of malicious JavaScript code, a typical client-side XSS vulnerability.
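To make the selector-versus-HTML ambiguity concrete, here is an added example in plain JavaScript; it is not code from the original post or from jQuery. `classifyLegacy` and `classifyModern` encode the two decision rules as the post states them (a tag-like substring anywhere, versus a leading `<`, the rule jQuery 1.9 moved to); they are a model of the described behaviour, not jQuery’s own source, and their names and regular expressions are assumptions. `attributeSelector` shows the defensive construction a developer controls: the untrusted value is escaped into a quoted attribute selector, so it can never become the start of the string or close the quotes. The sample inputs are constructed.

```javascript
// Added example, not from the original post or from jQuery: models the
// "is this string HTML or a selector?" decision described above and shows
// a way to build selectors that keeps untrusted data out of that decision.
//
// Assumptions: the two regexes encode the rule as the text states it
// (pre-1.9: a tag anywhere means HTML; 1.9+: the string must start with '<').
// They stand in for the real heuristics and are not jQuery's source.

const TAG_ANYWHERE = /<[\w\W]+>/;      // pre-1.9 rule: tag-like text anywhere
const TAG_AT_START = /^\s*<[\w\W]+>/;  // 1.9+ rule: must begin with '<'

// Pre-1.9 decision: any tag-like substring turns the whole string into HTML,
// so untrusted data anywhere in a selector can flip "find" into "create".
function classifyLegacy(str) {
  return TAG_ANYWHERE.test(str) ? "html" : "selector";
}

// 1.9+ decision: only a leading '<' makes the string HTML. Untrusted data in
// the middle of a selector no longer changes the operation performed.
function classifyModern(str) {
  return TAG_AT_START.test(str) ? "html" : "selector";
}

// Escape an untrusted value for use inside a double-quoted CSS attribute
// selector ([name="value"]). Backslash and the quote are the only characters
// that can end the quoted string; a newline is written as the CSS escape \a.
// Backslashes are doubled first so the escapes added afterwards stay intact.
function escapeAttrValue(value) {
  return String(value)
    .replace(/\\/g, "\\\\")
    .replace(/"/g, '\\"')
    .replace(/\n/g, "\\a ");
}

// Build a selector whose first character is always '[' and whose untrusted
// part cannot escape the quoted value. The attribute name is developer-chosen,
// so it is validated rather than escaped.
function attributeSelector(attr, untrustedValue) {
  if (!/^[A-Za-z_][\w-]*$/.test(attr)) {
    throw new Error(`invalid attribute name: ${attr}`);
  }
  return `[${attr}="${escapeAttrValue(untrustedValue)}"]`;
}

// Constructed sample inputs: a benign id fragment, the same fragment with
// injected markup, and a string that is HTML under both rules.
const SAMPLES = [
  "#user-123",
  '#user-<img src=x onerror="alert(1)">',
  '<img src=x onerror="alert(1)">',
];

// Classify each sample under both rules and show the hardened selector that
// would be built from it instead of concatenating it into a selector string.
function demo() {
  return SAMPLES.map((s) => ({
    input: s,
    legacy: classifyLegacy(s),
    modern: classifyModern(s),
    hardened: attributeSelector("data-user", s),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(demo());
}
```

Running `demo()` shows the second sample classified as HTML under the legacy rule but as a selector under the 1.9+ rule, which is the change the post describes next. It also shows the limit of escaping on its own: the hardened `[data-user="…"]` selector still contains a tag, so the legacy rule would sniff it as HTML too. On pre-1.9 code the only fixes are upgrading or routing lookups through a call that only ever treats its argument as a selector, such as `jQuery(document).find(selector)`, rather than passing any untrusted string to `jQuery()` itself.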
It took until jQuery 1.9 (released in 2013) for this issue to be addressed. In order to be interpreted as HTML code, a string has to start with < now. Given incompatible changes, it took websites years to migrate to safer jQuery versions. In particular, the Addons.Mozilla.Org website still had some vulnerabilities in 2015 going back to this 1 2. The root issue that the same function performs both safe and dangerous operations remains part of jQuery however, likely due to backwards compatibility constraints. It can still cause issues even now. Attackers would have to manipulate the start of a selector which is less likely, but it is still something that application developers have to keep in mind (and they almost never do). This danger prompted me to advise disabling jQuery.parseHTML some years ago.

FuzzBench: Google Gets Into Fuzzer Benchmarking

Google’s latest work on the code fuzzing front for improving code security is FuzzBench, a benchmark for fuzzers. Google has made many contributions to code fuzzing and improving open-source security from continually fuzzing the Linux kernel to acquiring GraphicsFuzz to developing OSS-Fuzz. By Google’s own numbers, they say they have found tens of thousands of bugs thanks to code fuzzers.

FuzzBench: Fuzzer Benchmarking as a Service

Fuzzing is an important bug finding technique. At Google, we’ve found tens of thousands of bugs (1, 2) with fuzzers like libFuzzer and AFL. There are numerous research papers that either improve upon these tools (e.g. MOpt-AFL, AFLFast, etc) or introduce new techniques (e.g. Driller, QSYM, etc) for bug finding. However, it is hard to know how well these new tools and techniques generalize on a large set of real world programs. Though research normally includes evaluations, these often have shortcomings—they don’t use a large and diverse set of real world benchmarks, use few trials, use short trials, or lack statistical tests to illustrate if findings are significant. This is understandable since full scale experiments can be prohibitively expensive for researchers. For example, a 24-hour, 10-trial, 10 fuzzer, 20 benchmark experiment would require 2,000 CPUs to complete in a day.

Wi-Fi kit spilling data with bad crypto – Huawei, eh? No, it’s Cisco. US giant patches Krook spy-hole bug in network gear

It looks like Switchzilla is moving swiftly to clear up the Krook bug discovered by ESET. Just hours after the researchers delivered their findings in a report, Cisco gave its own advisory on the Wi-Fi data snooping flaw. “Multiple Cisco wireless products are affected by this vulnerability,” the advisory stated. “Cisco will release software updates that address this vulnerability. There are no workarounds that address this vulnerability.”

Privacy/Surveillance

New study quantifies how much Americans value their private information: about $3.50

A new study by the Technology Policy Institute (TPI) has identified how much money a Facebook user would want to be paid in exchange for having their contact information shared by Facebook: $3.50 per month. Across the pond, German users indicated that they would require $8 per month for the privacy violation of having their contact information and ad preferences sold. It isn’t too surprising to see that European Facebook users value their internet privacy more. After all, that’s why there’s a GDPR in Europe whereas North America is still floundering about enacting privacy protections at a state by state level.

The President of TPI, Scott Wallsten, commented about the geographically based differences in findings to Reuters:

Hundreds of New Yorkers Demand a Ban on NYPD Face Surveillance

Over two hundred New York City residents—including workers, parents, students, business owners, and technologists—have signed a petition calling to end government use of face surveillance in New York City. This morning, EFF and a coalition of over a dozen civil liberties groups delivered that petition to New York’s City Council. In the letter accompanying the petition, the groups commend the City Council members (more than thirty of them) that have signed on as cosponsors of the long overdue, and much needed, POST Act. The push continues to convince City Council Speaker Corey Johnson to allow the POST Act to be presented for a vote, and the groups insist on prompt action against the persistent threat that government use of face surveillance presents to New Yorkers’ privacy and safety.

Clearview Is Handing Out Access To Dozens Of UK Entities, Setting Up Accounts For Congressional Reps

Clearview continues to make itself unpopular with the general public even as it increases its user base. Supposedly, it has worked with over 900 law enforcement agencies at this point, although it’s unclear how many are actually using the software and how many have just been given trial logins.

A deluge of data is giving rise to a new economy

Finally, the geopolitics of data will not be simple, either. Online giants in particular have assumed that the data economy will be a global affair, with the digital stuff flowing to where processing is best done for technical and cost reasons. Yet governments are increasingly asserting their “digital sovereignty”, demanding that data not leave their country of origin.

This special report will tackle these topics in turn. It will conclude by discussing what is perhaps the biggest conundrum of the mirror world: the risk is that the wealth it creates will be even more unequally distributed than in its terrestrial twin.

Tech Companies Are Helping Bosses Monitor Everything You Do at Work

There’s nothing special about Sapience; it joins a crowded field of tech companies peddling their wares to corporations determined to increase profitability and worker productivity. Teramind, StaffCop, and ActivTrak are just a few of the companies selling software to employers that allows them to track when workers are completing their TPS reports and when they’re scrolling through their Twitter feeds. Twenty-first-century scientific managers promise complete control over digital workspaces. Computers can be loaded up with hidden software designed to monitor workers’ application, web, and network usage. Live feeds, timed screenshots, and screen capture with playback are bundled with advanced keystroke logging (which capture everything from IM chats to passwords) and keyword alerts to quickly flag “deviant” behavior. Office jobs are already ripe for surveillance, but digital advances over the past decade have given bosses unprecedented scope to track and control the productivity of workers in all sectors.

Confidentiality

Project Rubicon: The NSA Secretly Sold Flawed Encryption For Decades

There have been a few moments in the past few years, when a conspiracy theory is suddenly demonstrated to be based in fact. Once upon a time, it was an absurd suggestion that the NSA had data taps in AT&T buildings across the country. Just like Snowden’s revelations confirmed those conspiracy theories, news in February confirmed some theories about Crypto AG, a Swiss cryptography vendor.

The whole story reads like a cold-war era spy thriller, and like many of those novels, it all starts with World War II. As a result of a family investment, Boris Hagelin found himself at the helm of Aktiebolaget Cryptograph, later renamed to Crypto AG (1952), a Swedish company that built and sold cipher machines that competed with the famous Enigma machine. At the start of the war, Hagelin decided that Sweden was not the place to be, and moved to the United States. This was a fortuitous move, as it allowed Hagelin to market his company’s C-38 cipher machine to the US military. That device was designated the M-209 by the army, and became the standard in-the-field encryption machine.

Defence/Aggression

Venezuela Embassy Protectors on Trial

US Government Suppresses Information on Illegal Regime Change Activities

‘They come, they shoot, they burn’: How escalating horror in the Sahel has left more than a million displaced

Communities scattered throughout the vast stretches of the arid Sahel have lived in fragile harmony for generations. But when the jihadists came down from the Sahara, everything changed. The extremists played off ethnic divisions and set villages against each other. It has created one of the world’s fastest-growing humanitarian crises. Last year, more than 5,000 people were killed across Mali, Burkina Faso and Niger. The number of people forced to flee their homes increased fourfold to 1.1 million. The crisis can be traced back to the jihadists’ invasion of northern Mali in 2012. French troops drove them back into the desert in 2013, but the fighters and guns slowly spread southwards into central Mali and across the border into Burkina Faso.

The United States Wants Peace. The Taliban Wants an Emirate.

Meanwhile, some of the Taliban representatives in Doha inadvertently gave credence to fears of eventual backsliding of Afghan political freedoms.

Ahmadullah Wasiq, a former Taliban fighter who flew in from Kandahar, spoke in positive terms with Foreign Policy about the education received by his daughters at an Islamic madrassa. He also professed to see nothing wrong with child marriage—including older men marrying girls under 14 years old—as long as it has not been “forced” on the child. There were, of course, no women in the 100-plus group of Taliban representatives that attended the signing ceremony. There was just one cleanshaven man, a Taliban lobbyist in the West who refused to reveal his identity, saying he wanted to be able to speak his mind without upsetting the bosses. “We are a very disciplined force,” he said. “The Taliban is not and will never be ready for elections or women’s rights as in the West.”

Our history sinks before our eyes

However, the fate of this place seems to be sealed. For the place is sinking, despite worldwide protests of civil society in the economically nonsensical and only for war purpose oriented Ilisu dam. With its dam system, Turkey is putting pressure on its neighboring countries, especially Iraq and Northern Syria, on the one hand, and on the other hand, the ways of the Kurdish freedom movement are intended to be cut off. Quite incidentally, more than 80,000 people have also been displaced from their land. In the meantime, only the roofs of the houses and the trees in the gardens of the displaced persons from this fertile region are still sticking out of the ground.

‘Erdogan Is Turning Libya Into a Terrorist Base’ Mesmari Warns

On Feb. 22, Erdogan admitted that his country had sent Syrian mercenaries “after they were promised the Turkish citizenship and salaries of up to US$2,000 per month, to fight alongside militias loyal to the GNA,” as reported by local outlet AdressLibya.

“Mercenaries in Libya is Erdogan’s card to blackmail Europe,” explained the Arab Post and added that “the Turkish president has turned to rely on mercenaries to plunge Libya into chaos and spread violence.”

Environment

High Tide Bulletin: Spring 2020

The rising and falling of the sea is a phenomenon upon which we can always depend. Tides are the regular rise and fall of the sea surface caused by the gravitational pull of the moon and sun and their position relative to the earth. There are some factors that cause the tides to be higher than what is “normally” seen from day to day. This bulletin tells you when you may experience higher than normal high tides for the period of time between March and May 2020.

How DuPont may avoid paying to clean up a toxic ‘forever chemical’

Known as “forever chemicals” because they don’t break down easily in the body, PFAS increasingly have been linked to conditions experienced by Andrews, 65, as well as birth defects, cancer, obesity and diabetes. People have been exposed to the chemicals by direct contact and from polluted ground and surface water and soil. Potential liabilities associated with the chemicals — both environmental cleanup and ongoing healthcare costs — have been estimated in the tens of billions of dollars.

Now, however, there’s a risk that Andrews and other people with illnesses linked to the chemicals could end up with no compensation for their health problems. That’s because a major manufacturer, DuPont, recently unloaded its PFAS obligations to smaller companies that do not have the money to pay for them.

Hunger threat as tropical fish seek cooler waters

As climate heating drives tropical fish to seek survival elsewhere, humans will be left without the protein they need.

Guests Robert Manning, Arnie Gundersen, and Andrew Kodama Discuss Climate Change and a Possible Low-Emissions Economy – The Project Censored Show

Mickey and Chase host an hour dedicated to climate change, and how the world can move toward a low-emissions economy. This week’s guests are climate organizer Robert Manning, nuclear-energy expert Arnie Gundersen, and Andrew Kodama, director of the Mt Diablo Peace & Justice Center.

In the dark early morning on February 6, 2020, the RCMP violently raided Wet’suwet’en territory in Northern British Columbia, Canada.

Energy

NZ blacklists fossil fuels from super

Commerce and Consumer Affairs Minister Kris Faafoi said the changes reflect the NZ government’s stance on climate change. “This reflects the government’s commitment to addressing the impacts of climate change and transitioning to a low-emissions economy,” he said. “It also makes sense for the funds themselves given that there is a risk of investing in stranded assets as the world moves to reduce emissions.”

Wildlife/Nature
