I might not be using Fedora in my future; how’s Debian? Been a long time since I ran that. | Fedora Workstation 40 Considering To Implement Privacy-Preserving Telemetry
If there wasn't enough Red Hat drama happening in recent weeks, the Red Hat Display Systems Team is now considering implementing privacy-preserving telemetry beginning with Fedora Workstation 40.
Two great new indie iOS apps launched today, and I'm enjoying both of them. One is Rebecca Owen's new app, Chronicling. Built with fancy new tools like Swift Charts, Chronicling makes it easy to track things over time. Here's a bit from OTJ at MacStories: Trackers like Chronicling are the perfect fit for the iPhone. [...]
Iran-based hackers targeting nuclear security experts through Mac, Windows malware
Cybersecurity experts from Proofpoint attributed the campaign to a group they call TA453 but also is known as Charming Kitten, Mint Sandstorm or APT42.
TSMC foresees no direct impact on production from China's metal export curbs
Taiwan's TSMC, the world's largest contract chipmaker, said on Thursday it does not expect any direct impact on its production from China's decision to restrict exports of two metals widely used in semiconductors and electric vehicles.
New tool exploits Microsoft Teams bug to send malware to users
A member of the U.S. Navy's red team has published a tool called TeamsPhisher that leverages an unresolved security issue in Microsoft Teams to bypass restrictions for incoming files from users outside of a targeted organization, the so-called external tenants.
SELinux is the most popular Linux Security Module used to isolate and protect system components from one another. Learn about different access control systems and Linux security as I introduce the foundations of a popular type system.
Ubuntu Plans to Ditch its 'Minimal' Install Option - OMG! Ubuntu
The introduction of a "minimal install" mode in the Ubuntu installer has been one of the distro's best-received features in years. When selected during
Belarusian hacktivists claim to breach country’s leading state university
The Cyber Partisans said they originally had no plans to breach the Belarusian State University's networks, but recent actions against students motivated them to attack.
Apple to ask US Supreme Court to undo App Store order in Epic Games case
Apple said on Monday it will ask the U.S. Supreme Court to hear its challenge to a judge's order in an antitrust case brought by "Fortnite" maker Epic Games that could force the iPhone maker to change payment practices in its App Store.
Brockmeier: Red Hat and the Clone Wars III: The dawn of CentOS
Joe "Zonker" Brockmeier has been a part of the Linux community for decades; he is now using that experience to write a series on "Red Hat and the Clone Wars". The first two episodes were Red Hat and the Clone Wars and A history of the early 2000s Linux landscape; the latest is The dawn of CentOS:
This is certainly a user hostile move. I am not paying for a web based Twitter client that has been neglected for years | Twitter’s ‘new’ TweetDeck lives behind a verified paywall
“Write once, infect everywhere” might be the new cybercrime motto, with newly discovered campaigns showing malicious npm packages powering phishing kits and supply chain attacks.
Naming is listed first and that is a thing I should probably start a whole consulting firm around | Avoiding Footguns
Footguns are features or designs more likely to be misused, often leading to self-inflicted problems or bugs (“shooting yourself in the foot”). See a list of C functions banned in the git codebase for being footguns. Some more examples:
* Inconsistent naming
* Manual garbage collection for connections or open files
* Race conditions with async code
* Multiple sources of truth
* Long argument lists
* Shadowing variables in deep scopes
Avoiding footguns comes with experience — often, the f
Google Says It'll Scrape Everything You Post Online for AI
An update to Google's privacy policy suggests that the entire public internet is fair game for its AI projects. If Google can read your words, assume they belong to the company now, and expect that they’re nesting somewhere in the bowels of a chatbot.
How Susceptible Are You to Misinformation? There’s a Test You Can Take
A new misinformation quiz shows that, despite the stereotype, younger Americans have a harder time discerning fake headlines, compared with older generations
Mastering Intermediate Linux Commands for Efficient Server Management
As a Linux server administrator, you may have already learned the basics of Linux commands. However, to manage your server more efficiently, you need to dive deeper into the lesser-known, but equally important intermediate-level commands. In this article, we will cover some of the intermediate-level Linux commands that will help you become a more proficient Linux sysadmin.
Steam Deck vs. ASUS ROG Ally Arch Linux Gaming Performance
With the ASUS ROG Ally gaming handheld that began shipping last month I've so far looked at the Linux support for this device as well as looking at the Windows 11 vs.
Blog: Confidential Kubernetes: Use Confidential Virtual Machines and Enclaves to improve your cluster security
Authors: Fabian Kammel (Edgeless Systems), Mikko Ylinen (Intel), Tobin Feldman-Fitzthum (IBM)
In this blog post, we will introduce the concept of Confidential Computing (CC) to improve any computing environment's security and privacy properties. Further, we will show how
the Cloud-Native ecosystem, particularly Kubernetes, can benefit from the new compute paradigm.
Confidential Computing is a concept that has been introduced previously in the cloud-native world. The
Confidential Computing Consortium (CCC) is a project community in the Linux Foundation
that already worked on Defining and Enabling Confidential Computing. In the Whitepaper,
they provide a great motivation for the use of Confidential Computing:
Data exists in three states: in transit, at rest, and in use. …Protecting sensitive data
in all of its states is more critical than ever. Cryptography is now commonly deployed
to provide both data confidentiality (stopping unauthorized viewing) and data integrity
(preventing or detecting unauthorized changes). While techniques to protect data in transit
and at rest are now commonly deployed, the third state - protecting data in use - is the new frontier.
Confidential Computing aims to primarily solve the problem of protecting data in use
by introducing a hardware-enforced Trusted Execution Environment (TEE).
Trusted Execution Environments
For more than a decade, Trusted Execution Environments (TEEs) have been available in commercial
computing hardware in the form of Hardware Security Modules
(HSMs) and Trusted Platform Modules (TPMs). These
technologies provide trusted environments for shielded computations. They can
store highly sensitive cryptographic keys and carry out critical cryptographic operations
such as signing or encrypting data.
TPMs are optimized for low cost, allowing them to be integrated into mainboards and act as a
system's physical root of trust. To keep the cost low, TPMs are limited in scope, i.e., they
provide storage for only a few keys and are capable of just a small subset of cryptographic operations.
In contrast, HSMs are optimized for high performance, providing secure storage for far
more keys and offering advanced physical attack detection mechanisms. Additionally, high-end HSMs
can be programmed so that arbitrary code can be compiled and executed. The downside
is that they are very costly. A managed CloudHSM from AWS costs
around $1.50 / hour or ~$13,500 / year.
In recent years, a new kind of TEE has gained popularity. Technologies like
AMD SEV, Intel SGX, and Intel TDX
provide TEEs that are closely integrated with userspace. Rather than low-power or high-performance
devices that support specific use cases, these TEEs shield normal processes or virtual machines
and can do so with relatively low overhead. These technologies each have different design goals,
advantages, and limitations, and they are available in different environments, including consumer
laptops, servers, and mobile devices.
Additionally, we should mention
ARM TrustZone, which is optimized
for embedded devices such as smartphones, tablets, and smart TVs, as well as
AWS Nitro Enclaves, which are only available
on Amazon Web Services and have a different threat model compared
to the CPU-based solutions by Intel and AMD.
IBM Secure Execution for Linux
lets you run your Kubernetes cluster's nodes as KVM guests within a trusted execution environment on
IBM Z series hardware. You can use this hardware-enhanced virtual machine isolation to
provide strong isolation between tenants in a cluster, with hardware attestation about the (virtual) node's integrity.
Security properties and feature set
In the following sections, we will review the security properties and additional features
these new technologies bring to the table. Only some solutions will provide all properties;
we will discuss each technology in further detail in its respective section.
The Confidentiality property ensures that information cannot be viewed while it is
in use in the TEE. This provides us with the highly desired feature to secure
data in use. Depending on the specific TEE used, both code and data may be protected
from outside viewers. The differences in TEE architectures, and how they are used
in a cloud native context, are important considerations when designing end-to-end security
for sensitive workloads with a minimal Trusted Computing Base (TCB) in mind. CCC has recently
worked on a common vocabulary and supporting material
that helps to explain where confidentiality boundaries are drawn with the different TEE
architectures and how that impacts the TCB size.
Confidentiality is a great feature, but an attacker can still manipulate
or inject arbitrary code and data for the TEE to execute and, therefore, easily leak critical
information. Integrity guarantees a TEE owner that neither code nor data can be
tampered with while running critical computations.
Availability is a basic property often discussed in the context of information
security. However, this property is outside the scope of most TEEs. Usually, they can be controlled
(shut down, restarted, …) by some higher level abstraction. This could be the CPU itself, the
hypervisor, or the kernel. This is to preserve the overall system's availability,
not the TEE itself. When running in the cloud, availability is usually guaranteed by
the cloud provider in terms of Service Level Agreements (SLAs) and is not cryptographically enforceable.
Confidentiality and Integrity by themselves are only helpful in some cases. For example,
consider a TEE running in a remote cloud. How would you know the TEE is genuine and running
your intended software? It could be an imposter stealing your data as soon as you send it over.
This fundamental problem is addressed by Attestability. Attestation allows us to verify
the identity, confidentiality, and integrity of TEEs based on cryptographic certificates issued
from the hardware itself. This feature can also be made available to clients outside of the
confidential computing hardware in the form of remote attestation.
TEEs can hold and process information that predates or outlives the trusted environment. That
could mean across restarts, different versions, or platform migrations. Therefore Recoverability
is an important feature. Data and the state of a TEE need to be sealed before they are written
to persistent storage to maintain confidentiality and integrity guarantees. The access to such
sealed data needs to be well-defined. In most cases, the unsealing is bound to a TEE's identity,
which ensures that recovery can only happen in the same confidential context.
This does not have to limit the flexibility of the overall system.
AMD SEV-SNP's migration agent (MA)
allows users to migrate a confidential virtual machine to a different host system
while keeping the security properties of the TEE intact.
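The attestation and sealing flow described in the two paragraphs above, as an added example; this is not code from the Kubernetes blog post, nor any vendor's SDK. It simulates the hardware root of trust in software: an Ed25519 key stands in for the vendor-certified attestation key, a SHA-256 of the loaded code stands in for the measurement, and a separate per-chip secret derives a sealing key bound to that measurement. All names (Platform, Report, Attest, Verify, Seal, Unseal), the report layout and the workload image are this example's own constructions, a deliberately small subset of what a real SEV-SNP or SGX report carries.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"slices"
)

// Report is a constructed, minimal attestation statement; real SEV-SNP and SGX reports carry more fields.
type Report struct {
	Measurement [32]byte // hash of the code loaded into the TEE
	Nonce       [32]byte // verifier-supplied, proves freshness
	ReportData  [64]byte // guest-chosen, e.g. hash of its ephemeral public key
}

func (r Report) encode() []byte {
	return append(append(append([]byte{}, r.Measurement[:]...), r.Nonce[:]...), r.ReportData[:]...)
}

// Platform (hypothetical) simulates the hardware root of trust: a vendor-certified attestation key and a separate per-chip sealing secret.
type Platform struct {
	attestKey  ed25519.PrivateKey
	AttestPub  ed25519.PublicKey
	rootSecret [32]byte
}

func NewPlatform() (*Platform, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	p := &Platform{attestKey: priv, AttestPub: pub}
	rand.Read(p.rootSecret[:]) // crypto/rand.Read cannot fail as of Go 1.24
	return p, err
}

// Measure is the hardware's view of "which code is running".
func Measure(code []byte) [32]byte { return sha256.Sum256(code) }

// Attest returns a report over the loaded code, signed with the platform key.
func (p *Platform) Attest(code []byte, nonce [32]byte, data [64]byte) (Report, []byte) {
	r := Report{Measurement: Measure(code), Nonce: nonce, ReportData: data}
	return r, ed25519.Sign(p.attestKey, r.encode())
}

// sealingAEAD derives the sealing key from the per-chip secret and the measurement, so only the same
// code on the same chip derives it again, and wraps it in AES-256-GCM.
func (p *Platform) sealingAEAD(measurement [32]byte) cipher.AEAD {
	mac := hmac.New(sha256.New, p.rootSecret[:])
	mac.Write([]byte("sealing-key-v1"))
	mac.Write(measurement[:])
	block, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte key: neither constructor can fail
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Seal encrypts state for persistent storage under the caller's measurement (random nonce prepended).
func (p *Platform) Seal(measurement [32]byte, plaintext []byte) []byte {
	aead := p.sealingAEAD(measurement)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// Unseal fails the GCM tag check when run under a different measurement or on another chip.
func (p *Platform) Unseal(measurement [32]byte, blob []byte) ([]byte, error) {
	aead := p.sealingAEAD(measurement)
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// Verify is the relying party's side: a trusted signing key, the nonce it issued, an allowlisted measurement.
func Verify(trustedPub ed25519.PublicKey, r Report, sig []byte, nonce [32]byte, allowed [][32]byte) error {
	if !ed25519.Verify(trustedPub, r.encode(), sig) {
		return errors.New("attestation signature invalid")
	}
	if r.Nonce != nonce {
		return errors.New("stale or replayed report")
	}
	if !slices.Contains(allowed, r.Measurement) {
		return errors.New("measurement not on allowlist")
	}
	return nil
}

func main() {
	p, _ := NewPlatform()
	code := []byte("constructed workload image v1")
	var nonce [32]byte
	rand.Read(nonce[:]) // a fresh nonce per attestation request
	r, sig := p.Attest(code, nonce, [64]byte{})
	fmt.Println("verify:", Verify(p.AttestPub, r, sig, nonce, [][32]byte{Measure(code)}))
}
```

Two design points carry over to real deployments. The verifier never trusts a measurement because the report says so; it compares against an allowlist it maintains and obtains the signing key through the vendor's certificate chain rather than from the remote machine. And the sealing key is never handed to the workload as a value; it is derived from the chip secret plus the identity of the running code, which is why a different image on the same host, or the same image on a different host, fails the tag check instead of silently reading the state.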
Feature comparison
These sections of the article will dive a little bit deeper into the specific implementations,
compare supported features and analyze their security properties.
AMD SEV
AMD's Secure Encrypted Virtualization (SEV) technologies
are a set of features to enhance the security of virtual machines on AMD's server CPUs. SEV
transparently encrypts the memory of each VM with a unique key. SEV can also calculate a
signature of the memory contents, which can be sent to the VM's owner as an attestation that
the initial guest memory was not manipulated.
The second generation of SEV, known as
Encrypted State
or SEV-ES, provides additional protection from the hypervisor by encrypting all
CPU register contents when a context switch occurs.
The third generation of SEV,
Secure Nested Paging
or SEV-SNP, is designed to prevent software-based integrity attacks and reduce the risk associated with
compromised memory integrity. The basic principle of SEV-SNP integrity is that if a VM can read
a private (encrypted) memory page, it must always read the value it last wrote.
Additionally, by allowing the guest to obtain remote attestation statements dynamically,
SNP enhances the remote attestation capabilities of SEV.
AMD SEV has been implemented incrementally. New features and improvements have been added with
each new CPU generation. The Linux community makes these features available as part of the KVM hypervisor
and for host and guest kernels. The first SEV features were discussed and implemented in 2016 - see
AMD x86 Memory Encryption Technologies
from the 2016 Usenix Security Symposium. The latest big addition was
SEV-SNP guest support in Linux 5.19.
Confidential VMs based on AMD SEV-SNP
have been available in Microsoft Azure since July 2022. Similarly, Google Cloud Platform (GCP) offers
confidential VMs based on AMD SEV-ES.
Intel SGX
Intel's Software Guard Extensions (SGX) have been available since 2015 and were introduced
with the Skylake architecture.
SGX is an instruction set that enables users to create a protected and isolated process called
an enclave. It provides a reverse sandbox that protects enclaves from the operating system,
firmware, and any other privileged execution context.
The enclave memory cannot be read or written from outside the enclave, regardless of
the current privilege level and CPU mode. The only way to call an enclave function is
through a new instruction that performs several protection checks. Its memory is encrypted.
Tapping the memory or connecting the DRAM modules to another system will yield only encrypted
data. The memory encryption key randomly changes every power cycle. The key is stored
within the CPU and is not accessible.
Since the enclaves are process isolated, the operating system's libraries are not usable as is;
therefore, SGX enclave SDKs are required to compile programs for SGX. This also implies applications
need to be designed and implemented to consider the trusted/untrusted isolation boundaries....
Mastodon refreshes its official Android app with Material You support and adds 294K users over the weekend; the network has 1.4M MAUs, well below its 2.5M peak
While Twitter is busy limiting the number of readable tweets and breaking its TweetDeck app, Mastodon is launching a significant refresh of its Android app.
Well… it was nice while it lasted | Twitter Makes Changes To Show Content To Google, Tweets Returning To Google Search
On Monday, I reported that Google stopped crawling and indexing Twitter content after Twitter made it so that unregistered (signed-out) users were not able to see tweets. Well, Twitter made a change i