Steam Deck creators fund further testing on open-source Radeon Linux GPU driver – Wccftech

Valve, creator of the Steam Deck handheld due to release this year, is financing further continuous integration (CI) testing of Mesa commits and of the Radeon drivers. This is welcome news for Linux users as well as for Steam Deck players.

Charlie Turner, a programming consultant for Igalia, today opened a merge request on FreeDesktop's Mesa site for additional dEQP runners. Igalia is an open-source consultancy that "specializes in the growth of innovative projects and solutions." The request shows Valve's involvement in overseeing further AMD Radeon Linux driver testing. Valve uses Radeon graphics in its system, and it stands to reason that Valve would want its newest handheld to be as compatible as possible.


dEQP, the drawElements Quality Program, comprises conformance tests for numerous graphics APIs, including OpenGL ES, EGL, and Vulkan. Running these tests has been crucial to Mesa's continuous integration: it catches unstable commits before they reach mainline Mesa and regress OpenGL/Vulkan behaviour.

The statement below is Turner's explanation of the Valve-sponsored request on Freedesktop.

This series proposes to add more dEQP bare-metal runners, sponsored by Valve. For now the runners are conditioned on a selection of users (similar to how freedreno's restricted traces work), since there are not enough machines to hit the runtime targets required for inclusion in the automatic pre-merge pipelines. There's nothing secret about the test loads, the restriction is purely practical for now and any interested user may request access to the runners.

A follow-up series will add trace testing runners to the CI, using a similar approach to the above.

Mesa's CI testing for the AMD Radeon Linux graphics driver has been constrained by the number of hardware systems committed to it, including systems capable of testing new Mesa merge requests and flagging problems for immediate fixes. Valve's backing will help the process detect further issues efficiently and effectively, without slowing the creation of patches that may still be waiting for testing before the driver is released publicly.

Valve's new CI bare-metal runners are entirely Radeon-based, so, understandably, the company is requesting additional tests. This is especially true given that Valve's direction with the new Steam Deck gaming system, featuring AMD Radeon graphics, relies on open-source drivers centred on RADV Vulkan work. The testing now covers Navi and Navi 2 systems, as well as Kabini, Stoney, Polaris, Vega, and Renoir.

Source: Phoronix, Freedesktop.org


Governor Lamont and Attorney General Tong Seek Legislative Authorization to End 32 Years of Sheff v. O’Neill Litigation – CT.gov


01/27/2022

(HARTFORD, CT) Governor Ned Lamont and Attorney General William Tong today announced that they will seek legislative approval for a historic investment in educational opportunities for Hartford students that will end more than 30 years of litigation and court oversight in the Sheff v. O'Neill case.

The agreement will require presentation first to the Connecticut Superior Court for preliminary approval, then to the Connecticut General Assembly for its approval, and then back to the court for final approval. If approved, the agreement would avoid the potential for a court-ordered plan and keep overall decisions about educational policy and finance in the hands of those elected to make them: the governor and legislature.

A previous agreement reached in January 2020 resulted in approximately 202 new magnet school seats and additional capacity for Hartford students, as well as significant improvements in the application process and transparency for Hartford region families. That agreement required further negotiation of a final settlement to meet demand for choice school seats for all Hartford students who want them, and an end to court jurisdiction. If finalized, this agreement would achieve those goals.

“Every child deserves access to an education that provides them the best opportunity at the starting line of life, regardless of their zip code, family income level, race, or creed,” Governor Lamont said. “The skills needed to succeed as an adult are best obtained during the critical years when a child begins their development. The parents, students, and education advocates who have been fighting this case for these many years are to be commended for their unyielding efforts and unbreakable focus on doing what is best for the children of Hartford. This agreement will make school choice programs for families in the Hartford region more accessible and transparent as we continue our work to improve quality and equity for students in all schools. I thank everyone for their hard work in getting all involved parties to this point and bringing us closer to our shared goal of equal access to a quality education.”

“This historic agreement would end over 30 years of litigation and court oversight while ensuring Hartford students have the opportunity to attend excellent schools in diverse settings,” Attorney General Tong said. “I want to thank the attorneys in my office, both past and present: Darren Cunningham, Erik Lohr, Henry Salton, Ralph Urban, and especially Joe Rubin, who dedicated years of their careers to achieving this resolution. I also want to thank Elizabeth Horton Sheff, who has been leading this fight for Hartford students since I was in school. Generations of Hartford students will have brighter futures because she had the courage to stand up and demand more for her son and her community.”

“The Connecticut State Department of Education and State Board of Education remain committed to delivering excellence and equity in education,” Connecticut Education Commissioner Charlene Russell-Tucker said. “The implementation of this settlement will ensure the continuance of our unwavering dedication to bringing students together in diverse environments and to expanding access to high-quality, educational options that reflect the multicultural world in which we live.”

“The racial and socioeconomic isolation that so troubled the court in Sheff a quarter century ago is a reflection of the profound disparities that still remain among municipalities in Connecticut, and no Sheff settlement can offer a perfect answer to that fundamental challenge,” Hartford Mayor Luke Bronin said. “That said, this agreement represents important progress because it will open up thousands of seats for Hartford students in the years ahead and responds to the demand of so many Hartford students and their families for placements in the inter-district magnet schools and Open Choice placements offering diverse educational settings. The City of Hartford and the Hartford Public Schools will remain focused on strengthening neighborhood schools as well, so that every child in Hartford has a genuine choice about where to receive a quality education in an educational setting worthy of their talents and promise, and we look forward to working with the state as partners to help make that a reality. I thank Attorney General Tong, Governor Lamont, Commissioner Russell-Tucker, plaintiffs' counsel, and the organizations, parents, and advocates, like Elizabeth Horton Sheff, who worked together to reach this agreement.”

The Connecticut Supreme Court ruled in 1996 that the racial and ethnic isolation of Hartford school children violated the state's constitutional obligation to provide a substantially equal educational opportunity and access to an unsegregated education environment. The court directed the legislature and executive branch to implement remedial measures. Since then, the parties in the case have entered into a series of agreements, with a further court order issued in 2017.

Since 1996, the legislature and executive branch have created an extensive Choice interdistrict magnet school system, as well as additional voluntary school desegregation measures that have resulted in a major reduction in the racial isolation of Hartford students. As a result of these measures, more than half of Hartford students, and more than 20,000 Hartford and suburban students, collectively, are enrolled in a Sheff School Choice program in the Greater Hartford Region.

Highlights of the settlement include:

Because certain current Choice schools are not presently meeting diversity and reduced racial isolation goals, the agreement also provides for $12.6 million to operators over 3 years, beginning in FY23, to reformulate those schools to make them sufficiently attractive to appeal to a more diverse student body.

Among other things, those efforts will include:

In total, the agreement commits $1.24 million in additional magnet school funding for fiscal year 2022, with commitments increasing to $32 million annually by fiscal year 2032. Capital costs associated with renovation of the new magnet schools are estimated at $48.7 million.


The new version of GPT-3 is much better behaved (and should be less toxic) – MIT Technology Review

“This work takes an important step in the right direction,” says Douwe Kiela, a researcher at Hugging Face, an AI company working on open-source language models. He suggests that the feedback-driven training process could be repeated over many rounds, improving the model even more. Leike says OpenAI could do this by building on customer feedback.

InstructGPT still makes simple errors, sometimes producing irrelevant or nonsensical responses. If given a prompt that contains a falsehood, for example, it will take that falsehood as true. And because it has been trained to do what people ask, InstructGPT will produce far more toxic language than GPT-3 if directed to do so.

Ehud Reiter, who works on text-generation AI at the University of Aberdeen, UK, welcomes any technique that reduces the amount of misinformation language models produce. But he notes that for some applications, such as AI that gives medical advice, no amount of falsehood is acceptable. Reiter questions whether large language models, based on black-box neural networks, could ever guarantee user safety. For that reason, he favors a mix of neural networks and symbolic AI, in which hard-coded rules constrain what a model can and cannot say.

Whatever the approach, much work remains to be done. “We're not even close to solving this problem yet,” says Kiela.


The landscape of homelessness in New Haven is changing. Here are some ways the city is trying to help. – Yale Daily News

Here is how three Connecticut social program agencies, the Connection, the Downtown Evening Soup Kitchen and the Youth Continuum, have been helping the homeless population in New Haven.

Brian Zhang 1:30 am, Jan 28, 2022

Staff Reporter

Sylvan Lebrun, Contributing Photographer

As winter sets in and temperatures drop, the onslaught of cold winter months has presented new hurdles for New Haven's homeless community, prompting some community organizations to ramp up programming to address the crisis.

Connecticut is home to a number of social services agencies and nonprofit organizations that implement a multifaceted approach to helping the city's homeless population. From providing temporary housing to connecting residents with diversion resources, the network of services caters to a community that is particularly vulnerable to issues like incarceration, mental health problems and substance abuse. During the winter, many organizations have even expanded the capacity of their services while they continue to grapple with greater demand for shelter and food amid a pandemic.

“The landscape of homelessness has changed in the past two years,” said Steve Werlin, executive director of the Downtown Evening Soup Kitchen. “We find that winter has been a more challenging time than it has ever been. We have a lot more people experiencing homelessness in New Haven.”

Here is how three Connecticut social program agencies have been helping.

The Connection

With programs all throughout Connecticut, the Connection is a nonprofit human services agency that works with individuals from a number of disadvantaged backgrounds, not just homelessness.

Teresa Ferraro, the service area director of behavioral health at the agency, explained that the services offered are made possible by the various types of state and federal funding. The Department of Mental Health and Addiction Services has allowed the organization to cater to the homeless and to those struggling with psychiatric disorders, the Department of Correction enables the development of services for those at high risk of incarceration or who have just been released and the Department of Children and Families drives a therapeutic foster care program that matches youth with foster parents, according to Ferraro.

Specific services are broadened during the winter months. “Our emergency homeless center in Middletown expands by at least 10 beds between Nov. 1 and Feb. 1 to accommodate individuals during the cold months,” Ferraro said. She also mentioned other providers in Connecticut that open warming centers for the homeless only in the wintertime.

Ferraro described a number of ways that an individual at risk can start accessing the Connection's resources. The person can call 211, the national hotline for essential community resources, where operators can refer them to the Connection, she said. Otherwise, mental health and substance use counseling providers along with other community partners can refer someone to any one of the given residential programs at the Connection.

For services, community members can also dial 855-Help-955 (855-435-7955) during regular business hours to speak with staff.

The Downtown Evening Soup Kitchen

Over the pandemic, the Downtown Evening Soup Kitchen, or DESK, has changed its dinner program to giving grab-and-go meals, where residents wait in outdoor lines for their meal package.

“We have our flagship program, which is an evening meal dinner program,” Werlin said.

Prepared meals are not the only thing that the organization offers, however. Werlin also described a weekly food pantry program that offers fresh produce, toiletries and clothing, as well as a new drop-in center at 266 State St. that started last April. “In addition to being a hub where homeless residents can hang out during the day and access free Wi-Fi, this is a place that people can get connected to services, case managers and outreach workers,” Werlin said.

This winter, however, Werlin and other staff members at DESK realized that there was not only a need for resources to gradually lift people off the streets and into a new life, but also an immediate need that required a purely lifesaving approach. As a result, the organization started overseeing an overnight warming center earlier this month, allowing the homeless to access short-term emergency shelter.

DESK currently offers nightly dinners at 311 Temple St. on Thursdays to Sundays from 5 to 6 p.m. and at 323 Temple St. at the Yale Community Kitchen on Fridays and Saturdays at the same time.

Youth Continuum

At the Youth Continuum, CEO Paul Kosowsky said that the team's mission is “to prevent and address youth homelessness.”

The community-based, nonprofit agency currently consists of two major wings: child welfare and homeless services. The former features two therapeutic group homes for youth boys, ages 14 to 21. These boys are usually about to re-enter the community after exiting the Department of Children and Families, and staff at the Youth Continuum works with them to find apartments and develop various facets of independent living. Examples of skills that the boys would learn are navigating emergencies, taking public transportation, preparing nutritious meals and managing finances and shopping, according to Kosowsky. An additional youth navigator program works to divert youth off the streets by providing one-time emergency monetary funds for things like utility bills, as well as case management resources.

Meanwhile, two street outreach teams in the homeless wing strive to support both homeless youth up to age 21 as well as those who are at a high risk of human trafficking. Kosowsky mentioned that these services are supported by a mental health clinician and by counseling programs that specialize in addiction and substance usage.

“This wing also has a drop-in center where youth can get emergency needs met, from food to clothing to diapers for parenting youth,” Kosowsky said.

Youth who find themselves in a situation in which they need housing for longer periods of time, however, are usually put in one of two crisis housing programs. The first, with four bed availabilities, is for children under the age of 18, allowing a maximum stay-period of 21 days before staff members at the Youth Continuum work to connect them with foster care agencies. The second, with 12 bed availabilities, is for youth from the ages of 18 to 24. They usually stay for no more than 60 days, though they can request an extension of 30 days, according to Kosowsky.

Moreover, there are seven bed availabilities for 18 to 24 year olds who are chronically homeless, which the organization defines as having been on the streets for at least a year, collectively. These individuals must also have a disability.

For more information on the services offered by the Youth Continuum, community members can call 203-777-8445.

Brian Zhang covers COVID-19 and Yale New Haven Health, as well as housing and homelessness. Originally from Brooklyn, New York, he is a first-year in Davenport studying biology and journalism.


Threat Actors Use Microsoft OneDrive for Command-and-Control in Attack Campaign – DARKReading

In what's believed to be the first known use of the tactic, an advanced persistent threat actor is leveraging Microsoft OneDrive services for command-and-control (C2) purposes in a sophisticated cyberespionage campaign aimed at high-ranking government and defense industry officials of a West Asian nation.

Researchers from Trellix who have been tracking the campaign have attributed it with a low to moderate degree of confidence to APT28, aka Fancy Bear, a threat actor that the US government previously has linked to Russia's military intelligence service. Trellix's analysis of data related to the campaign shows that the threat actors also have their sights on defense and government entities in Poland and other Eastern European nations.

The infection chain for the multistage, likely APT28 campaign that Trellix observed began, like many other APT campaigns, with the execution of a malicious Excel file likely sent to the target via a phishing email. The file contained an exploit for CVE-2021-40444, a critical remote code execution vulnerability in MSHTML, or "Trident," Microsoft's proprietary browser engine. The vulnerability was a zero-day flaw, meaning no patch was available when Microsoft disclosed it last September amid reports of active exploitation.

The threat actor's exploit for the MSHTML flaw resulted in a malicious dynamic link library (DLL) file executing in the compromised system's memory and downloading a third-stage malware component that Trellix has dubbed "Graphite." The security vendor's analysis of Graphite showed it to be using Microsoft OneDrive accounts as a C2 server via the Microsoft Graph API, a web application programming interface for accessing Microsoft cloud services.

Trellix found the Graphite malware itself was a DLL executable based on Empire, the open source post-exploitation remote administration framework, designed to run entirely in memory and never written to disk. The malware was part of a multistage infection chain that finally resulted in an Empire agent being downloaded onto the compromised system and used to control it remotely.

Christiaan Beek, lead scientist at Trellix, says the threat actor's new C2 mechanism using a cloud service was an interesting move and something the company's researchers have not observed before. "Using Microsoft OneDrive as a command-and-control server mechanism was a surprise, a novel way of quickly interacting with the infected machines," he says.

"The tactic allowed attackers to drag encrypted commands into the victim's folders. OneDrive would then sync with the victim's machines and the encrypted commands would be executed, after which any requested information would be encrypted and sent back to the OneDrive of the attacker," Beek says.

Ties to Russia's APT28

The multistage attack and the way it was executed were designed to make it hard for defenders to spot what was going on. Even so, organizations with properly configured detection systems should be able to spot malicious activity. "Although all kinds of living-off-the-land techniques are being used to stay below the radar, attackers need to communicate with systems internally and execute commands that should trigger properly configured XDR technology," Beek says.

Lure documents and other telemetry associated with the APT28 campaign showed the attacker was interested in government and military targets. One document, for instance, was named "parliament_rew.xlsx" and appears to have been aimed at employees working for the government of the targeted country. Another had a name and contained text pertaining to military budgets for 2022 and 2023.

Trellix's researchers were able to identify two host computers that were used in APT28's attacks. One of the hosts had an IP address that resolved to Serbia while the other appeared to be based in Sweden. Trellix found the C2 server with the Serbian IP address was used to host the exploit for the MSHTML vulnerability and installation data for the second-stage DLL. The server in Sweden, meanwhile, served as a host for the Empire server framework for remotely controlling agents installed in compromised systems.

Trellix's analysis shows that preparations for the attack began in July 2021 and the attacks themselves happened between September and November 2021. The timing of the campaign coincided with a period of political tensions around the Armenian and Azerbaijani border, which means the attacks were likely geopolitically motivated, Trellix said. The security vendor said it has informed victims of the attacks and provided information to them on how to remove all known attack components from their network.


What You Need to Know About Data Encryption Right Now – Security Intelligence

You might feel like you've heard these imperatives a million times: You need to encrypt your data. Your information isn't secure unless you encrypt it. You need to eat your fruits and vegetables.

But if you're like a lot of people, you roll your eyes because you have the good intention of taking care of it later. The problem is that ignoring this advice, or following it with half measures, can cause irreversible damage. In the matter of data encryption, the damage can be to your company's reputation, customer trust and financial bottom line. It can also wreak havoc with privacy controls and cause you to run afoul of regulators and auditors.

The problem with such an important security measure becoming trite is that it's in danger of becoming a simple check-box item. Organizations with an immature understanding of security may think that the basic encryption capabilities provided by their storage devices or by cloud service providers are enough to keep their data protected, and that going further is just falling for the fear, uncertainty and doubt (FUD) stoked by the media and by vendors that stand to benefit. Information technology (IT) and security teams are generally short-staffed and overburdened, so all too often the attitude is “check the box, move on to the next task.”

But the reality is more complex than that. Data encryption is essential to protecting sensitive information and privacy, for meeting compliance with regulations and audits, and for ensuring proper data governance. All the IT investment in mobile apps, customer experience and competitive advantage can be squandered in an unforeseen data breach.

Unencrypted information, like this blog post you're currently reading, is written in plaintext. At its most basic, data encryption involves using an encryption algorithm to scramble or disguise plaintext, rendering it in what's known as ciphertext, which appears as alphanumeric gibberish to a human. An encryption algorithm uses a crucial piece of information, known as an encryption key, to encode or decode the data. Without the encryption key, the algorithm is incomplete and cannot convert plaintext to ciphertext or vice versa.

Most encryption algorithms are publicly known (there are only so many effective ways to obscure sensitive data), so the crucial element of a data encryption strategy is the management and control of the encryption key. Indeed, the key is essential: encrypted data can be rendered useless forever simply by deleting the key.

Asymmetric encryption, also known as public-key encryption or public-key cryptography, uses the combination of a public key and a private key to create and decode ciphertext. The most common types of asymmetric encryption are:

Symmetric encryption uses a single secret key shared between the parties prior to encryption. It's considered faster and cheaper than asymmetric encryption, but to be secure it requires encrypting the key itself, which can create a terminal dependency on yet another key. Popular symmetric encryption types include the Data Encryption Standard (DES), Triple DES, the Advanced Encryption Standard (AES), and Twofish.

When data is stored on a hard drive or on a server, it is considered data at rest. When data is sent for tasks such as email or over instant messaging applications, it becomes data in transit, or data in motion. Historically, data at rest was the target of breaches, so techniques like full-disk encryption and file-level encryption were used to protect the data in the equivalent of a fortress, often behind a firewall.

Data in transit continues to grow in parallel with the explosion of mobile devices, the internet of things (IoT), 5G networks and hybrid multicloud environments. As a result, it has become a growing target for cybercriminals and poses greater challenges to secure, especially when doing so can degrade the performance of daily tasks or slow financially sensitive transactions like trading or e-commerce. The common techniques for protecting data in transit involve secure network protocols such as HTTPS, Secure Sockets Layer (SSL), FTPS and wireless protocols like WPA2.

Just like a forgotten combination to a safe or a lost password to a cryptocurrency account, losing an encryption key can mean losing access to what it was designed to protect. Key lifecycle management (KLM) was developed to avoid losing keys or having them stolen. One founding principle of KLM is that keys must be managed separately from the data they are protecting.
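The two points above, that the key rather than the algorithm is the crucial element and that keys must be kept apart from the data they protect, can be shown end to end with the openssl command line. The script below is an added example, not code from the Security Intelligence article; it assumes an OpenSSL 1.1.1 or later CLI and uses AES-256-CBC with a file-held key-encryption key purely to keep the illustration short.

```shell
#!/bin/sh
# Added example, not from the article: envelope encryption with the openssl CLI.
# A data-encryption key (DEK) protects the data; a key-encryption key (KEK)
# protects the DEK; the KEK is the only secret that must be kept apart from the
# data. Deleting the KEK makes everything it guarded permanently unreadable.
# Assumptions: OpenSSL 1.1.1+ CLI. AES-256-CBC and a file-held KEK are used
# only to keep the illustration short; a real deployment would use an
# authenticated mode and keep the KEK in an HSM or KMS.
set -eu

# Write a fresh random 256-bit key, as 64 hex characters, to file $1.
new_key() {
    openssl rand -hex 32 > "$1"
    chmod 600 "$1"
}

# Encrypt file $2 to $3 under the raw hex key in file $1.
# A random IV is written next to the ciphertext as $3.iv (IVs need not be secret).
enc_with_key() {
    openssl rand -hex 16 > "$3.iv"
    openssl enc -aes-256-cbc -K "$(cat "$1")" -iv "$(cat "$3.iv")" -in "$2" -out "$3"
}

# Decrypt file $2 (with IV in $2.iv) to $3 under the key in file $1.
# Fails cleanly when the key file is gone instead of trying a zero key.
dec_with_key() {
    [ -r "$1" ] || { echo "key file $1 is missing: data is unrecoverable" >&2; return 1; }
    openssl enc -d -aes-256-cbc -K "$(cat "$1")" -iv "$(cat "$2.iv")" -in "$2" -out "$3"
}

# Protect plaintext file $2 inside directory $1.
# Only data.enc and the wrapped DEK stay together; the plaintext DEK is erased.
envelope_encrypt() {
    dir=$1; plain=$2
    new_key "$dir/kek.hex"      # in practice this lives in a KMS/HSM, never beside the data
    new_key "$dir/dek.hex"
    enc_with_key "$dir/dek.hex" "$plain" "$dir/data.enc"
    enc_with_key "$dir/kek.hex" "$dir/dek.hex" "$dir/dek.wrapped"
    rm -f "$dir/dek.hex"
}

# Reverse the above: unwrap the DEK with the KEK, then decrypt the data to $2.
envelope_decrypt() {
    dir=$1; out=$2
    dec_with_key "$dir/kek.hex" "$dir/dek.wrapped" "$dir/dek.tmp" || return 1
    dec_with_key "$dir/dek.tmp" "$dir/data.enc" "$out" || { rm -f "$dir/dek.tmp"; return 1; }
    rm -f "$dir/dek.tmp"
}

# Crypto-shred: destroy the KEK. data.enc and dek.wrapped remain on disk but are useless.
shred_kek() {
    rm -f "$1/kek.hex"
}

# Stand-alone demonstration on a constructed sample record.
demo() {
    dir=$(mktemp -d)
    printf 'customer=1042 card_last4=4242 balance=120.00\n' > "$dir/plain.txt"
    envelope_encrypt "$dir" "$dir/plain.txt"
    envelope_decrypt "$dir" "$dir/roundtrip.txt"
    [ "$(cat "$dir/plain.txt")" = "$(cat "$dir/roundtrip.txt")" ] \
        || { echo "round trip FAILED"; rm -rf "$dir"; return 1; }
    echo "round trip ok"
    shred_kek "$dir"
    if envelope_decrypt "$dir" "$dir/after_shred.txt" 2>/dev/null; then
        echo "unexpected: data recovered after KEK deletion"; rm -rf "$dir"; return 1
    fi
    echo "after KEK deletion: data unrecoverable, as intended"
    rm -rf "$dir"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh envelope.sh demo`; the second decrypt attempt fails only because the KEK is gone, while the ciphertext and wrapped DEK are untouched.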

A typical key management lifecycle will include the following steps:

While both the value of data and the attendant criminal activity continue to grow at impressive rates, there are well-established practices for protecting data that have evolved to meet today's challenges. Here are some of the data protection methods and tools employed by enterprise security teams beyond basic full-disk and file-level encryption:

Whichever way you go about it, encryption is critical to protecting your organization's most prized asset: its data. And as data privacy, data governance and compliance standards become increasingly important, so too will the keys that hold the power to secure that data.


Patching the CentOS 8 Encryption Bug is Urgent What Are Your Plans? – The Hacker News

There are three things you can be sure of in life: death, taxes and new CVEs. For organizations that rely on CentOS 8, the inevitable has now happened, and it didn't take long. Just two weeks after reaching the official end of life, something broke spectacularly, leaving CentOS 8 users at major risk of a severe attack and with no support from CentOS.

You'd think that this issue no longer affects a significant number of organizations because by now, companies would have migrated away from CentOS 8 to an OS that is actively supported by vendors. After all, vendor support is critical for security and compliance.

But as it always is with these things, you can count on the fact that a big chunk of CentOS 8 users are soldiering on with an unsupported OS, despite being aware of the risks. With that risk now crystallizing, we're using this article to examine CVE-2021-4122, the newly discovered vulnerability in LUKS encryption, and to discuss your options for mitigating it.

So what is LUKS? LUKS stands for Linux Unified Key Setup and is a mechanism used in Linux-powered systems to support, amongst other things, full disk encryption. It is recommended in many "best practice" guides as an essential system hardening option for security-minded IT teams.

How does LUKS work? During system deployment, you can create a partition that is only readable, i.e. whose contents are only intelligible, with a user-supplied password. LUKS is quite complex and many security systems interact with it, but a comprehensive LUKS guide is not the goal of this article.

Having a fully encrypted disk (block device in Linux "speak") ensures that the data is safe from prying eyes even when at rest, meaning that an attacker that steals a laptop, for example, is still unable to view the confidential data contained in it.

You can further build on security by tying a specific block device to a specific computer through TPM (Trusted Platform Module). That adds another hurdle for an attacker, making it harder to physically pull encrypted data from a machine and plug it into a high-performance system with the goal of brute-forcing access to the data. Though, as always, how likely that is to succeed depends on computing power, selected encryption algorithm, and just sheer luck.

Overall, LUKS provides excellent protection and for that reason, it's frequently relied on to secure systems across a variety of organizations.

CVE-2021-4122 was assigned late last year, but a full understanding of the security risks around LUKS has only recently emerged. As it turns out, it is possible to at least partially decrypt a LUKS-encrypted disk and access the data on it without possessing the password used to configure the encryption.

A key LUKS feature is the ability to change, on the fly, the key that is used to encrypt a given device. You would do this, for example, for scheduled key rotations in high security environments.

This on-the-fly re-encryption feature means that the device remains available during the key change process. It's called "online re-encryption" which refers to the ability to re-encrypt a disk with a different key while it is online and in active use.

It is within this process that a vulnerability was identified. It turns out that, if you know what you're doing, this operation can be performed without knowing the original, current password. Even without a password, you can request a re-encryption.

When the flaw is exploited, the re-encryption then appears to abort, and some of the data is left available unencrypted. At no point does the device show any anomalous behavior, so it would be hard to spot an attacker performing the operation just by looking at the block device status.

Sysadmins are being strongly advised to upgrade cryptsetup, the package supporting LUKS, on all systems under their control, as the vulnerability can lead to information disclosure.
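Two checks a sysadmin can script while arranging the upgrade, as an added example that is not part of the article or of the cryptsetup project: is the installed cryptsetup older than the fixed release, and does a LUKS2 header still record an online re-encryption that was started and never completed? The fixed version number is a labelled placeholder (take it from your distribution's CVE-2021-4122 advisory), the luksDump sample is constructed, and the exact wording of the requirement flag in luksDump output is an assumption.

```shell
#!/bin/sh
# Added example (not from the article or the cryptsetup project): two triage
# checks for CVE-2021-4122 exposure that a sysadmin can run across a fleet.
#   1. is the installed cryptsetup older than the release that fixed the bug?
#   2. does a LUKS2 header still carry an online-reencrypt requirement, i.e. was an
#      online re-encryption started on that device and never completed?
# MIN_FIXED_VERSION is a PLACEHOLDER: take the real value from your distribution's
# advisory for CVE-2021-4122.
MIN_FIXED_VERSION="${MIN_FIXED_VERSION:-X.Y.Z}"

# version_ge A B: succeed if dotted version A >= B, comparing each segment numerically.
# Missing segments count as 0 (2.4 == 2.4.0); non-digit suffixes such as "-rc1" are dropped.
version_ge() {
    v1="$1"; v2="$2"
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        x=${v1%%.*}; y=${v2%%.*}
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# cryptsetup_needs_update "<output of cryptsetup --version>" MIN: returns 0 if the
# reported version is older than MIN, 1 if it is MIN or newer, 2 if unparseable.
cryptsetup_needs_update() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "cryptsetup" { print $2; exit }')
    [ -n "$ver" ] || return 2
    if version_ge "$ver" "$2"; then return 1; else return 0; fi
}

# reencrypt_in_progress "<output of cryptsetup luksDump DEV>": returns 0 if the header
# lists an online-reencrypt requirement. Assumption: luksDump reports an unfinished
# re-encryption on a "Requirements:" line containing "online-reencrypt".
reencrypt_in_progress() {
    printf '%s\n' "$1" | grep -Eq '^Requirements:[[:space:]]+.*online-reencrypt'
}

# Constructed sample luksDump output (not a real header) for the offline demo.
SAMPLE_DUMP_REENC='LUKS header information
Version:        2
Epoch:          7
Flags:          (no flags)

Requirements:   online-reencrypt'

# Usage: sh luks-triage.sh                      -> offline demo on the sample above
#        sh luks-triage.sh --live /dev/sdX ...  -> check this host and the listed devices
if [ "${1:-}" = "--live" ]; then
    shift
    if cryptsetup_needs_update "$(cryptsetup --version 2>/dev/null)" "$MIN_FIXED_VERSION"; then
        echo "cryptsetup is older than $MIN_FIXED_VERSION: update the package now"
    fi
    for dev in "$@"; do
        if reencrypt_in_progress "$(cryptsetup luksDump "$dev" 2>/dev/null)"; then
            echo "$dev: header records an unfinished online re-encryption; investigate"
        fi
    done
elif reencrypt_in_progress "$SAMPLE_DUMP_REENC"; then
    echo "demo: sample header records an unfinished online re-encryption"
fi
```

A header that reports an unfinished re-encryption nobody on the team started is worth treating as an incident, not just a housekeeping item.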

Exactly. That is what every single system administrator should do on their systems: replace the affected package. But for some sysadmins this will be easier said than done. Which sysadmins will have a hard time? You guessed right: those still reliant on CentOS 8.

Most vendors had early warning of the bug and are already providing updated packages for their distros. The same goes for Red Hat, which backs CentOS. But, with CentOS 8 now no longer officially supported, a CentOS 8 patch for the LUKS flaw is not going to appear.

For CentOS 8 users things are therefore quite bleak. Unpatched systems are vulnerable to data theft due to a published, widely known flaw. It is a serious situation and one way or another you should deploy up-to-date patched versions of the affected package.

Doing nothing is not an option when confidential data is at risk. And, essentially, all your data is confidential and not for public disclosure (otherwise it would already have been made public), and you're relying on a full disk encryption solution like LUKS precisely to avoid disclosure.

There are two paths available to sysadmins relying on affected Linux systems operating past their end-of-life. One option is to download the upstream project source and compile it locally, creating a replacement system package. The other option is to sign up with an extended support vendor that will provide the patches no longer released by the original vendor.

The build-it-locally approach has drawbacks. First, the upstream project source code makes no special allowances for any specific distribution. Each distribution or family of distributions has its own quirks, and the RHEL family, which includes CentOS, is no exception.

That includes things like binary locations, service start configurations, settings, and so on. Your local team will have to adjust these manually. Whether your local IT team has the necessary expertise is a different question. Similarly, with tech teams generally under pressure to get things done, there is a risk that your DIY patching effort is delayed. Also, the LUKS project page itself carries this ominous note: "Please always prefer distro specific build tools to manually configuring cryptsetup".

Your alternative is to consider extended support vendors as a reliable, cost-effective and easier approach to addressing this issue. TuxCare's Extended Lifecycle Support service does just that. TuxCare delivers high-quality patches for end-of-life distributions such as CentOS 8, and does so on time.

What's more, you get full support for the patches too. Deployment is simple: you deploy TuxCare patches just as easily as vendor-supported patches.

If you decide not to go for external support, you must nonetheless do something right now to protect your systems against the new vulnerability. You could decide to bite the bullet and compile cryptsetup and its dependencies locally, and perform the deployment across all your systems.

But it's definitely not the last CVE to come out that affects CentOS 8. To give you some idea of the scope of what we're talking about: even today there are still vulnerabilities coming out that affect CentOS 6 systems. How viable is it in the long run to keep dealing with a continuous stream of CVEs affecting CentOS 8?

You may be running CentOS 8 at this time because you were prevented from migrating to an alternative for one reason or another. It could be compatibility, support, or any one of multiple reasons.

Vulnerabilities won't stop at the EOL date, so make life easier for your IT teams, more secure for your security professionals, and meet compliance requirements around patching for your business - check out TuxCare's family of services, and specifically Extended Lifecycle Support. It's a solid way to obtain ongoing protection against new CVEs that affect CentOS 8, buying you time to migrate to another OS.

Go here to see the original:
Patching the CentOS 8 Encryption Bug is Urgent What Are Your Plans? - The Hacker News

Posted in Uncategorized

Internet Society condemns UK’s Online Safety Bill for demonising encryption using ‘think of the children’ tactic – The Register

Britain's controversial Online Safety Bill will leave Britons more exposed to internet harms than ever before, the Internet Society has said, while data from other countries suggests surveillance mostly isn't used to target child abusers online, despite this being a key cited rationale of linked measures.

Government efforts to depict end-to-end encryption as a harm that needs to be designed out of the internet as it exists today will result in "fraud and online harm" increasing, the Internet Society said this week.

Founded by Vint Cerf and Bob Kahn, the Internet Society is one of the oldest and most well-respected institutions guiding the path of the public internet today. Its cry against the draconian Online Safety Bill (aka Online Harms Bill) should cause policymakers to sit up and pay attention.

Robin Wilton, the society's director of internet trust, said in a statement: "Today, encryption is an essential component of digitally connected objects like cars, doorbells, home security cameras and even children's toys, otherwise known as the 'Internet of Things' (IoT). It's also essential for national security by protecting highly sensitive systems like the power grid, citizen databases, and financial institutions such as the stock market."

Government has been explicit about wanting to ban end-to-end encryption, co-opting willing and eager police forces into a public campaign demonising the safety and security technology.

The Internet Society's Wilton rubbished these calls, saying: "Despite having access to the world's leading cryptographic expertise, the government has been unable to suggest a credible, safe back door that meets their requirements because it does not exist. Instead, the government is trying to make companies design insecurity in by default."

Quoting government publicity around the Online Harms Bill, he added: "That is not the way to 'harness the benefits of a free, open and secure internet', it's a recipe for fraud and online harm."

"It prevents spies, terrorists and hostile governments from accessing and exploiting confidential communications of government officials, and protects highly sensitive systems intrinsically tied to national security, including the power grid, databases, and financial institutions, from being hacked," he concluded.

Meanwhile, more figures emerged tending to show that online surveillance tends to be used by Western governments against drugs gangs rather than child abusers, despite the Online Safety Bill and police campaigns claiming end-to-end encryption (E2EE) will turn social media into a paedophiles' paradise.

Encrypted email firm Tutanota, headquartered in Germany, published research this week suggesting surveillance orders are deployed to target drugs offenders first and foremost.

"Most orders issued to telecommunications providers are in connection with drug offences," Tutanota told The Register. Looking at published data, the company said about 80 per cent of wire-tapping orders granted in the US, one of the more heavily surveilled Western countries, were for drug-related crimes.

"In recent years, child sexual abuse and child pornography have played only a marginal role in telecommunications surveillance in practice," blogged Tutanota founder Matthias Pfau.

The same held true in Germany, where a specifically broken-out category of warrants granted for child abuse image offences made up just 0.2 per cent of surveillance applications for 2019, having remained at that insignificant level for 10 years.

In snoop-happy Australia the situation was only slightly different, with warrants granted under that country's Telecommunications Interception Access Act 1979 being 50 per cent focused on drugs: in 2020 surveillance against child abuse imagery offenders made up just 0.4 per cent of applications, said Tutanota.

"The UK Home Office unfortunately does not provide figures on this," added Pfau, but there is little reason to assume the UK is much different from its sister democracies.

The Online Harms Bill continues its Parliamentary journey.

Original post:
Internet Society condemns UK's Online Safety Bill for demonising encryption using 'think of the children' tactic - The Register


The Evolution of Encrypted IM Messenging Platforms The Rise and Future of the OMEMO Protocol … – Security Boulevard

Dear blog readers,

I've decided to share with everyone an article that I've recently been working on, namely the rise of the OMEMO real-time Jabber/XMPP encryption protocol, and also to discuss in depth the security risks involved in OMEMO-type communications, including practical security and privacy recommendations, which I originally wrote for my ex-employer Armadillo Phone.

A new protocol called OMEMO has recently emerged in a modern and vibrant ecosystem of secure and encrypted mobile devices, one that faces a variety of hardware and physical security threats, the general rise of insecure WiFi hotspots, and the growth of nation-state, rogue and malicious advanced persistent threat campaigns. OMEMO limits the burden of online ID verification mechanisms and adds a new set of privacy- and security-enhancing features to modern instant messaging applications. The aim is to make it hard, potentially virtually impossible, for a malicious attacker to eavesdrop on and intercept an OMEMO user's personal, sensitive and personally identifiable information, which could otherwise be used to commit financial fraud, to launch social engineering campaigns against the victim's address book, and to undermine the confidentiality, availability and integrity of their devices, exposing them to a multitude of malicious and fraudulent software and campaigns.

Protocol Introduction

What exactly is OMEMO? Long story short, it's an OTR- and OpenPGP-based communication protocol with many new improvements in terms of privacy and security, including interoperability between multiple IM clients and mobile applications from different vendors. Whereas OTR (Off-the-Record) only allows single-user (one-to-one) secure and encrypted communication, the OMEMO protocol allows multi-user data and information exchange, further strengthening the protocol's position on the market for secure mobile IM (instant messaging) applications.

Basic OTR Protocol Overview in the context of the global growing cybercrime trend

Throughout the years, Jabber's OTR (Off-the-Record) plugin and feature quickly became the de facto communication channel for a huge portion of Eastern European and Russia-based cybercriminals looking for ways to offer and present their cybercrime-friendly services, to communicate with each other while managing and launching cybercrime-friendly online communities, and to announce a newly launched cybercrime-friendly service or tool and reach out to current and potential customers in a secure fashion. It is worth pointing out that over 98% of Russian and Eastern European cybercrime-friendly propositions actively rely on public and private proprietary Jabber-based servers and active OTR (Off-the-Record) communications. How does the process work for Russian and Eastern European cybercrime gangs and groups? Pretty simple. The cybercriminal in question either sets up a custom, proprietary Jabber server or uses a publicly accessible one, in combination with a popular off-the-shelf or proprietary offshore VPN service provider, in an attempt to hide the metadata from law enforcement, and then includes the contact details (the user ID) within the cybercrime-friendly proposition, which on the majority of occasions is a newly launched stolen and compromised credit card shop or a newly launched cybercrime-friendly service aiming to assist novice or experienced cybercriminals on their way to committing financial fraud online.

The following mobile device IM clients are known to be currently compatible with the OMEMO secure and privacy-enhancing protocol:

Possible Threat Modelling Scenarios

It is worth pointing out that, on the vast majority of occasions, IM-based encryption protocols are perfectly suited to protect against a large portion of modern eavesdropping and surveillance campaigns. It should also be noted that a direct compromise of the mobile device itself can be the weakest link in the entire secure and privacy-conscious communication chain, alongside impersonation attacks launched against a specific participant in the conversation and good old-fashioned social engineering campaigns.

Possible physical security and network-based attack scenarios:

physical device compromise

A device can be compromised through theft, or by a third party obtaining a physical copy of it for digital forensic examination. Users interested in protecting their personal and sensitive IM communication should definitely look into using time-expiring messages with a short lifetime, and take advantage of Armadillo Phone's built-in advanced physical protection features, including the anti-theft token, the NRC physical authentication card, and its heavy reliance on off-the-shelf and heavily modified, beyond-industry-standard implementations of popular encryption ciphers.

network communication provider compromise

Among the key factors to consider before launching an encrypted IM conversation with a colleague, a friend or a third party such as a journalist or free-speech writer is whether the network infrastructure provider has taken all the necessary measures to protect its network from external and internal cyber attacks, including plain and simple social engineering attempts, active network-based reconnaissance, and outright compromise of the network infrastructure. A possible attack surface mitigation here is the use of a vendor-specific VPN (Virtual Private Network), whose metadata and traffic obfuscation helps prevent man-in-the-middle attacks launched through insecure WiFi hotspots or the GSM-based 3G/4G/5G network connectivity infrastructure.

The Armadillo Phone has a built-in VPN (Virtual Private Network) service, free of charge, which helps obfuscate network metadata and network traffic, making it harder for a malicious attacker or rogue actor to launch an eavesdropping, traffic interception or surveillance campaign.

A rather practical and often neglected piece of privacy-conscious advice is to periodically verify the other participant's fingerprint by asking a very specific question that only they know the answer to.

Stay tuned!

*** This is a Security Bloggers Network syndicated blog from Dancho Danchev's Blog - Mind Streams of Information Security Knowledge authored by Dancho Danchev. Read the original post at: http://ddanchev.blogspot.com/2022/01/the-evolution-of-encrypted-im.html

View post:
The Evolution of Encrypted IM Messenging Platforms The Rise and Future of the OMEMO Protocol ... - Security Boulevard


AIRmini Thunderbolt SSD with AES 256-Bit Encryption from $159 – Geeky Gadgets

Early bird pledges are now available for the innovative project from roughly $159 or 119 (depending on current exchange rates), offering a considerable discount of approximately 38% off the retail price, while the Indiegogo crowd funding is under way.

Airmini is a complete solution for all your data storage needs. This slim, tiny, and portable storage device offers must-have and advanced features alike, including a 2,200 MB/s data transfer speed and 4TB of storage capacity. Furthermore, this state-of-the-art external SSD can be an ideal companion if your interest lies in professional photography, videography, or content creation, as this pocket-size, lightweight device is easy to carry.

AES 256-Bit Encryption: With Airmini you can enjoy AES 256-Bit encryption to secure your data.

Wireless and multi-user: You can connect up to 12 devices wirelessly with Airmini.

Ultra Sleek and Portable Design: With its minimalistic design and super portable Airmini you can relentlessly enjoy your data on the go.

Up to 2200 MB/s Read & Write Speed: Transfer your data without wasting any time with high-speed data transfer.

Multi-device Compatibility: Now you can share a large file with multiple friends at a time.

10 hours of continuous use battery power: Enjoy 10 hours of battery life without any stoppage, and charge to 100% in just one hour.

Waterproof and dustproof: Reap the benefits of its waterproof and dustproof characteristics that make it super durable. Airmini can easily pass the 2-meter drop test.

Watch 4K videos: Airmini supports high-quality 4K videos.

One-touch backup: One-touch backup allows you to store your data with a single click.

Vast storage options up to 4TB: Airmini offers you an extensive data storage capacity of up to 4 TB.

Compatible with Mobile/Computer/TV/Camera: Airmini is compatible with all sorts of devices so that you can get maximum benefit out of it.

If the AIRmini campaign successfully raises its required pledge goal and production progresses smoothly, worldwide shipping is expected to take place sometime around April 2022. To learn more about the AIRmini Thunderbolt SSD project view the promotional video below.

Airmini offers you up to 4 TB storage. So you can store all your data in a single device. With 10 hours of continuous battery life, you can carry it for your long adventures. Also, you can enjoy wireless streaming of 4K videos and wireless connectivity with 12 devices simultaneously.

For a complete list of all available special pledges, stretch goals, extra media and more features for the Thunderbolt SSD, jump over to the official AIRmini crowd funding campaign page by clicking the link below.

Source: Indiegogo

Read more here:
AIRmini Thunderbolt SSD with AES 256-Bit Encryption from $159 - Geeky Gadgets
