all evolving systems … are composed of diverse components that can combine into configurational states that are then selected for or against based on function
Whoa. Does the addition of Thunderbolt imply that all USB4 host systems are exposed to DMA attacks[0]?
Doesn't this open up every USB system (all systems?) to arbitrary, uncontrolled memory access including silently flashing new firmware/microcode to system components?
That's what the IOMMU is for. USB4 being Thunderbolt could therefore be a good thing, because it will force operating system vendors to actually set that up correctly, making the hardware more secure generally.
The option also exists to require approving or whitelisting devices before they are allowed to work over Thunderbolt.
On my system (Dell XPS running Windows) I have to manually approve new Thunderbolt devices and cables. The driver prompts you to accept or ignore them. I assume this is implemented to prevent DMA attacks.
Just out of interest: How is this classified medium by Ubuntu? If someone manages to bypass ASLR this is a remote exploit on every SSH server running glibc out there? Or did I misunderstood something?
Out of the box SSH seems to use getaddrinfo:
reverse mapping checking getaddrinfo for <host> [<ip>] failed - POSSIBLE BREAK-IN ATTEMPT!
Does "DNE" mean there's no patch coming at all, or none yet? What about pending?
Also, why is all this important and useful information scattered all over the place? Ubuntu people, if you're reading, on this page: http://packages.ubuntu.com/trusty/libc6 I think you should have a history of updates to the package, and which security vulnerabilities it covers, with a link back to the above linked page. Looking at this page, looking at my system, looking at the news, I kind of have no idea what's going on.
I was going to complain that this people.canonical.com CVE page should also be linked from some sort of Ubuntu security bulletin, but I googled first and found that that's exactly where it's linked from. Still, I somehow reckon I would have never thought of that if not for this conversation. It should perhaps be linked from the packages page, though I'm not a UX guy, maybe that would just add confusion. But, this CVE page, with the domain "people.canonical.com", linking to launchpad pages, it doesn't look like it's made for users. You could make some improvements to make it more user friendly like the packages page. You could make it explicit: "Here's the packages you need to upgrade. here's the command to run to upgrade your whole system. Here's the command to upgrade just this package." As it stands, this doesn't even tell you what binary packages to get (libc6, I think? I'm still not even sure!), this just lists the source package (glibc). And, change "DNE" and "pending" to indicators that are more clear to us. Or, make a new page if this one is not meant for users.
For security stuff (not just Ubuntu by any means), all sorts of useful information is scattered all over the place. To name a few questions that I never determined clear answers to:
* What about this Android MMS attack that was supposed to be catastrophic and so easy to mount, that supposedly like half of all Android users are still vulnerable to? We've not heard of a single actual exploit in the wild. Where's some sort of official source downgrading its severity?
* If the libpng thing was such a fiasco, why were there no updates in Ubuntu for so long? Did it turn out not to be such a serious attack vector? Where's the documentation on that determination?
* For heartbleed: I recall having to poke around looking at the "built on" date for my openssl packages to see whether I was upgraded or not. That's not an acceptable state of affairs.
I'm not looking for answers to these particular questions now, I'm just wondering, why do we all have to rely on rumors and advice from random people in discussion forums for this stuff? There's a recent trend of understanding that improved UX can improve security (Signal, etc). Here's a good place to make some improvements, IMHO.
Sorry if I've come off as entitled here, it's just a source of irritation to me.
We've been using dnsmadeeasy[1] for years. There's something dated about their interface/presentation, but the service has been rock solid and fast since day one.
Came here to say the same. DNSMadeEasy doesn't feel _fancy_, but it has always worked great for us. Solid service. Highly recommended.
Edit: Not that it matters much, but it was Textdrive's (née Joyant) recommendation back in '04 that got me to sign up. If anything, they've been around a while.
If you use `configure --prefix=/usr/bin`, you'll end up with sudo installed in /usr/bin/bin/sudo. Instead, try
./configure --prefix=/usr
to use the /usr hierarchy (/usr/bin, /usr/sbin, /usr/share, etc...) instead of the /usr/local hierarchy.
Also, if you're able to run an executable in the current directory without specifying its location, as in configure instead of ./configure, then you have . (pwd) in your $PATH, which isn't recommended because a malicious executable might be in the directory you're in, and it might be named something like ls. Just listing the directory could have you owned.
