LWN.net's Journal
 

Tuesday, March 24th, 2015

    Time Event
    12:00a
    Google: Maintaining digital certificate security
    It seems it was about time for another certificate authority horror story;
    the Google Online Security Blog duly delivers.
    "CNNIC responded on the 22nd to explain that they had contracted with
    MCS Holdings on the basis that MCS would only issue certificates for
    domains that they had registered. However, rather than keep the private key
    in a suitable HSM, MCS installed it in a man-in-the-middle proxy. These
    devices intercept secure connections by masquerading as the intended
    destination and are sometimes used by companies to intercept their
    employees’ secure traffic for monitoring or legal reasons. The employees’
    computers normally have to be configured to trust a proxy for it to be able
    to do this. However, in this case, the presumed proxy was given the full
    authority of a public CA, which is a serious breach of the CA
    system."
    4:53p
    Security updates for Tuesday

    CentOS has updated openssl (C6: multiple vulnerabilities).

    Mageia has updated firefox (multiple vulnerabilities), libxfont (privilege escalation), and tcpdump (multiple vulnerabilities).

    openSUSE has updated kdebase4-runtime, kdelibs4, konversation, kwebkitpart, libqt4 (13.1: multiple vulnerabilities).

    Oracle has updated openssl (OL7; OL6: multiple vulnerabilities).

    Red Hat has updated firefox (RHEL5,6,7: multiple vulnerabilities) and openssl (RHEL7; RHEL6: multiple vulnerabilities).

    SUSE has updated compat-openssl097g (SLE11 SP2: multiple vulnerabilities) and kernel (SLE11 SP3: multiple vulnerabilities).

    Ubuntu has updated gnutls26, gnutls28 (multiple vulnerabilities), kernel (14.10; 14.04; 12.04: multiple vulnerabilities), linux-lts-trusty (12.04: multiple vulnerabilities), linux-lts-utopic (14.04: multiple vulnerabilities), linux-ti-omap4 (12.04: multiple vulnerabilities), mono (14.10, 14.04, 12.04: multiple vulnerabilities), and python-django (two vulnerabilities).

    8:46p
    Van de Ven: Deprecating old crypto
    Worth a read: this post from Arjan van de Ven on the difficulty of
    removing old, insecure cryptographic algorithms from a Linux
    distribution. "But more, and
    this is a call to action: If you're working on an open source project that
    uses crypto, please please don't opencode crypto algorithm usage. The
    algorithm may be outdated at any time and might have to go away in a
    hurry."
    9:39p
    Meet Cyanogen, The Startup That Wants To Steal Android From Google (Forbes)
    Forbes takes a look at Cyanogen, and its prospects in the phone market.
    "Cyanogen has a chance to snag as many as 1 billion handsets, more
    than the total number of iPhones sold to date, according to some
    analysts. Fifty million people already run Cyanogen on their phones, the
    company says. Most went through the hours-long process of erasing an
    Android phone and rebooting it with Cyanogen. [Kirt] McMaster is now persuading a growing list of phone manufacturers to make devices with Cyanogen built in, rather than Google’s Android. Their phones are selling out in record time. Analysts say each phone could bring Cyanogen a minimum of $10 in revenue and perhaps much more."
    10:17p
    Two microconferences accepted for the Linux Plumbers Conference
    The 2015 Linux Plumbers Conference (LPC) has announced that two microconferences have been accepted for the event, which will be held August 19-21 in Seattle. The Checkpoint/Restart and Energy-aware scheduling and CPU power management microconferences will be held at LPC. Registration for the conference will open on March 27 and it will be co-located with LinuxCon North America, which will be held August 17-19.

