Lawrence’s List 061316

Editor’s Note: We’ll feature Lawrence’s List every week.  It will include interesting things he’s come across during the week as he’s an avid consumer of internet garbage and follows a lot of mailing lists, forums, and news sites. Some of it may be narrow in terms of who may be interested (LKML) but, occasionally there’s a gem in there. Some list items will be big news, some small news, some dumb news, some so esoteric it’s hard to imagine anyone would care. Who knows, it might stick.

The Tor Project has announced release of Tor Browser series 6.0 which includes upgrades to allow the Tor Browser to work with version 45-ESR of Firefox, which should make HTML5 and YouTube perform better. Other improvements include code signing for OS X, removal of SHA1 certificate support, and a fix for a potential DLL hijacking vulnerability in Windows.

https://blog.torproject.org/blog/tor-browser-60-released

 

Linus Torvalds released a pre patch for Linux 4.7 rc-1 containing a swath of improvements coming in from over 1400 authors. A noteworthy new feature coming up in the 4.7 release is LoadPin. LoadPin ensures that all kernel modules are loaded from a trusted file system and is Chrome OSs solution to kernel module signing. (Consider the possibility of only allowing your kernel to load modules from write only media, like a CD-Rom). There is a boot time option to unset the feature, so physical access still means access.

https://lkml.org/lkml/2016/3/28/405

 

The court proceedings between Google and Oracle came to a temporary close on the 26th when a jury unanimously found that Google’s use of the Java API fell under “fair use.” This did not directly affect the circuit court’s decision that APIs are copyrightable. The Electronic Frontier Foundation feels that the circuit court’s ruling (which overthrew a previous ruling on the issue) about copyright and APIs is in error. While this is a win for Google in the short term Oracle has announced that they will be appealing.

https://www.eff.org/deeplinks/2016/05/eff-applauds-jury-verdict-favor-fair-use-oracle-v-google

https://www.eff.org/cases/oracle-v-google

https://www.theguardian.com/technology/2016/may/31/google-fair-use-victory-oracle-software-androids

 

Cisco has issued a warning that it believes the ‘ping of death’, an IPv6 DoS vulnerability which can cause routing equipment to stop routing IPv6 traffic, may be a problem for everyone.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160525-ipv6

 

BIAS notice: I don’t trust advertising to begin with. I found this article a fun read, it follows a diversion down the rabbit hole of an interesting (and sneaky) ad found on Facebook.

https://medium.com/@hunchly/bait-and-switch-the-failure-of-facebook-advertising-an-osint-investigation-37d693b2a858#.asvbapzg5

 

A while back I was working on a front end for a project and posed the question to some of my colleagues “How would you rate browser local storage in terms of security?” This week the PortSwigger blog had an article that tackled that question.

http://blog.portswigger.net/2016/05/web-storage-lesser-evil-for-session.html