SoylentNews is people

posted by takyon on Monday May 14 2018, @07:55AM
from the pretty-grotesque-problem dept.

Ars Technica is reporting that there are critical PGP and S/MIME bugs which can reveal encrypted e-mails. Their advice is to uninstall the plugins, for the time being. More information will be released tomorrow (Tuesday at 07:00 UTC, 3:00 AM EDT, midnight PDT).

Little is publicly known about the flaws at the moment. Both Schinzel and the EFF blog post said they will be disclosed late Monday night California time in a paper written by a team of European security researchers. Schinzel's Twitter messages used the hashtag #efail, a possible indication of the name the researchers have given to their exploit.

The EFF also published a warning, Attention PGP Users: New Vulnerabilities Require You To Take Action Now:

A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.

The full details will be published in a paper on Tuesday at 07:00 AM UTC (3:00 AM Eastern, midnight Pacific). In order to reduce the short-term risk, we and the researchers have agreed to warn the wider PGP user community in advance of its full publication.

The EFF also gives additional advice on disabling PGP in Thunderbird with Enigmail as well as other mail and mail-like clients.

takyon: The embargo is broken and the full details, including the paper (PDF), have been published.


  • (Score: 3, Interesting) by Anonymous Coward on Monday May 14 2018, @08:18AM (#679480)

    Take these for example:

    We have "top" reading .toprc from the current directory, then applying a vulnerable parser. We have mmap of a FUSE filesystem object over top of argv causing /proc/PID/cmdline access to hang. We have processes using inotify to evade detection, doing a fork/exit as /proc is scanned. We have Unicode /proc/PID/cmdline causing ps to crash. We can even cause a heap overflow via a broken allocator.

    Nearly every x86 OS just got hit by a goof involving the SS register. Changing it suspends debug exceptions for an instruction, which could be one that enters the kernel and changes privilege level. The sysenter and syscall instructions can be lots of fun.

    Remember that spectre isn't gone.

    Another fine one is throwhammer, a remote version of rowhammer. That one will be loads of fun.

    Oh well. Pwned you are.

  • (Score: 2) by kazzie (5309) on Monday May 14 2018, @08:26AM (#679483)

    Another fine one is throwhammer

    Sponsored by Thor?

    • (Score: 5, Funny) by c0lo (156) on Monday May 14 2018, @08:32AM (#679486)

      No, Thor sponsors .onihon.
      Throwhammer is sponsored by Loki, hoping you will believe it is sponsored by Thor.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 3, Interesting) by kazzie (5309) on Monday May 14 2018, @01:49PM (#679562)

        And tangentially (now that the embargo's broken and we know the vulnerability's name):

        "yr efail" is the Welsh for "the smithy", where hammers feature prominently.

      • (Score: 2) by DannyB (5839) on Monday May 14 2018, @04:32PM (#679624)

        Forget Thor's hammer. I want Captain America's shield made of Vibranium!

        Now which element is that on the periodic table?

        --
        The people who rely on government handouts and refuse to work should be kicked out of congress.
        • (Score: 2) by c0lo (156) on Monday May 14 2018, @04:45PM (#679633)

          Forget Thor's hammer. I want Captain America's shield made of Vibranium!

          You want a vibrathor instead of the Real Thing™?

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
          • (Score: 2) by DannyB (5839) on Monday May 14 2018, @06:24PM (#679701)

            I had to google that word. Now, I'm still not completely clear on what your question is.

            --
            The people who rely on government handouts and refuse to work should be kicked out of congress.