Often, a kernel developer will try to reduce the size of an attack surface againstLinux, even if it can't be closed entirely. It's generally a toss-up whether such apatch makes it into the kernel. Linus Torvalds always prefers security patches thatreally close a hole, rather than just give attackers a slightly harder time of it.

“Linux is Linux is Linux,” is a direct quote I heard in a meeting I had recently with a major multi-national, critical-infrastructure company. Surprisingly and correctly, there was one intelligent and brave engineering executive who replied to this statement, made by one of his team members, with a resounding, “That’s not true.” Let’s be clear, selecting a commercial Linux is not like selecting corn flakes. This is especially true when you are targeting embedded systems.

Mike Rapoport from IBM launched a bid to implement address space isolation in the Linuxkernel. Address space isolation emanates from the idea of virtual memory—where thesystem maps all its hardware devices' memory addresses into a clean virtual space sothat they all appear to be one smooth range of available RAM. A system that implementsvirtual memory also can create isolated address spaces that are available only to partof the system or to certain processes.

An introduction to PKI, TLS and X.509, from the ground up.Public Key Infrastructure (PKI) provides a framework of encryption and datacommunications standards used to secure communications over public networks.At the heart of PKI is a trust built among clients, servers and certificateauthorities (CAs). This trust is established and propagated through thegeneration, exchange and verification of certificates.

If you use GPG keys, learn about the benefits to storing them on a smart card.

The Linux kernel stack is a tempting target for attack. This is because thekernel needs to keep track of where it is. If a function gets called, whichthen calls another, which then calls another, the kernel needs to rememberthe order they were all called, so that each function can return to thefunction that called it. To do that, the kernel keeps a "stack" of valuesrepresenting the history of its current context.

A look at the recently released YubiKey 5 hardwareauthenticator series and how web authentication with the newWebAuthn API leverages devices like the YubiKey for painless websiteregistration and strong user authentication.

Bareos (Backup Archiving Recovery OpenSourced) is a cross-network, open-sourcebackup solution that preserves, archives and recovers data from all majoroperating systems. The Bareos project started 2010 as a Bacula fork and is nowbeing developed under the AGPLv3 license.

Protect your code commits from malicious changes by GPG-signing them.

If you can remember all of your passwords, they're not good passwords.I used to teach people how to create "good" passwords. Those passwordsneeded to be lengthy, hard to guess and easy to remember. There were lotsof tricks to make your passwords better, and for years, that was enough.That's not enough anymore.

The Librem Key is a new hardware token for improving Linux securityby adding a physical authentication factor to booting, login and diskdecryption on supported systems. It also has some features that make ita good general-purpose OpenPGP smart card.This article looks at how the Librem Key stacks up againstother multi-factor tokens like the YubiKey 5 and also considers whatmakes the Librem Key a unique trusted-computing tool.

You've deployed Kubernetes, but now how are you going to get it into the hands ofyour developers and admins securely?

Spies worth their salt are generally expected to be good at keeping secrets. With dead drops, encryption, cyanide pills and the like, openly sharing useful information isn’t supposed to be a part of the job description.So it caught more than a few of us off guard when a couple years ago, some of the top spy agencies began contributing code to GitHub, making it available to the masses by open-sourcing some of their software.

Bugs happen.Every minute of every hour of every day, software bugs are hard at work,biting computer users in the proverbial posterior. Many of them gounnoticed (the bugs, not the posteriors). More still rise to the illustriouslevel of "bugs that are minor annoyances".Yet sometimes, when the stars align just so, a bug manifests itself in atruly glorious way. And when I say "glorious", I mean "utterly destructiveand soul-obliterating".Nowhere are these bugs more insidious than when they are within the operatingsystems (and key components) themselves.

Some kernel developers recently have been trying to work around themassive, horrifying, long-term security holes that have recentlybeen discovered in Intel hardware. In the course of doing so, therewere some interesting comments about coding practices.

Don't expose your system with sloppy scripts!

On January 13th, 2018—at 8:07 am—an emergency alert was issued inHawaii. The message, in its entirety: "BALLISTIC MISSILE THREAT INBOUND TOHAWAII. SEEK IMMEDIATE SHELTER. THIS IS NOT A DRILL."Although this message—which showed up on smart phones across thestate—was, indeed, not a drill...it also was not a real threat. There was nomissile hurtling through the atmosphere towards Hawaii. It turns out someonehad simply clicked the wrong option from a very poorly designed userinterface and sent out a fake (but very real-looking) emergency alert.

Learn about how the cutting-edge, free software Heads project detectsBIOS and kernel tampering, all with keys under your control.Some of the earliest computer viruses attacked the boot sector—that bitof code at the beginning of the hard drive in the Master Boot Recordthat allowed you to boot into your operating system. The reasons for this haveto do with stealth and persistence. Viruses on the filesystem itselfwould be erased if users re-installed their operating systems, butif they didn't erase the boot sector as part of the re-install process,boot sector viruses could stick around and re-infect the operating system.

A recent IDC InfoBrief identified Linux as the only endpoint operating system growing globally. While Windows market share remains flat, at 39% in 2015 and 2017, Linux has grown from 30% in 2015 to 35% in 2017, worldwide. And the trend is accelerating.

It's one thing to give travel advice; it's another to follow it.In past articles, I've written about how to prepare for a vacation or othertravel when you're on call. And, I just got back from a vacation where Iput some of those ideas into practice, so I thought I'd write a follow-upand give some specifics on what I recommended, what I actually didand how it all worked.