Linux distros and desktop environments have been moving toward Wayland, X11’s more modern and secure replacement for years, with the last year seeing a marked acceleration. Fedora has long had a reputation of pushing new technologies forward, and already defaults to Wayland, so it’s no surprise that it would be among the first to stop installing X11 by default.

The change was proposed on the Fedora working group mailing list by Jens Petersen:

I was wondering if we should not stop installing gnome-session-xsession by default in F40 Workstation. I guess if we want to do that it should really happen before the Beta release.
Alternatively it could be done more formally as a Fedora Change for F41, and first in Rawhide.

After quite a bit of discussion, it was decided that Fedora 40’s release was too close to make such a big change, so it was pushed to Fedora 41, as Peterson confirmed two days ago:

Fedora Workstation WG discussed this today and we agreed we should do this for Fedora 41,
since it is really too late already for F40 and it should really be handled as a System Wide Change anyway.

Those whose workflows still depend on X11 will be able to install it from the repos.

Containers are packages containing all the apps, code, libraries and dependencies necessary to run. Containers can be easily moved from one host to another, without worrying about the underlying OS and environment. Containers can also be managed to prevent any one app or process from hogging a system’s resources, making them the ideal way to scale cloud, hosting and IT systems.

Bottlerocket is a new Linux distribution that AWS designed and optimized specifically to work with containers.

“Bottlerocket reflects much of what we have learned over the years,” writes Jeff Barr, Chief Evangelist for AWS. “It includes only the packages that are needed to make it a great container host, and integrates with existing container orchestrators. It supports Docker image and images that conform to the Open Container Initiative (OCI) image format.

“Instead of a package update system, Bottlerocket uses a simple, image-based model that allows for a rapid & complete rollback if necessary. This removes opportunities for conflicts and breakage, and makes it easier for you to apply fleet-wide updates with confidence using orchestrators such as EKS.

“In addition to the minimal package set, Bottlerocket uses a file system that is primarily read-only, and that is integrity-checked at boot time via dm-verity. SSH access is discouraged, and is available only as part of a separate admin container that you can enable on an as-needed basis and then use for troubleshooting purposes.”

AWS is launching a public preview of the OS and inviting others to try it.

Mark Sunday, CIO of Oracle, discussed the increasing need for enterprises to take a holistic, comprehensive, and automated approach towards information security in an interview with Michael Krigsman of CXOTALK:

Security is Increasingly a Big Part of the Discussion

It’s really been interesting to see the dramatic change in the awareness around security. Quite frankly, the threats have gotten much greater. Security is increasingly a big part of the discussion. If I look at the one area that my organization has increased year on year on year, it’s what we’re investing in security. We’re the norm in that. We’re not the exception. Then also the increased sophistication of the threats, the increased sophistication of the tooling, and so forth required, is putting more and more focus on this. It really becomes job one.

I think that boards have now become aware and that they are accountable to assure that the people, the processes, the technology, that all the steps that one needs to do in order to ensure the integrity, confidentially, privacy, and security, of not only a customer’s data, the company’s data, but in fact the employees data as well.

Security is Not Just the Role of the CIO

Security is getting its place at the table, whether it’s within the IT organizations, at the corporate level, or at the board level. Security has always been something that’s been out there, something that we’ve had to take into account, but more recently there have certainly been more high profile incidents that have highlighted just what the impact of security can have. But also it’s been highlighted that you need to have the focus that security is not just the role of the CIO, not just the role of the CISO, but it’s everyone’s responsibility.

It begins with making people aware of what they need to do, what the threats and the vulnerabilities are, and what their role is in defending against that. Security needs to be built into every line of code we write, every configuration we enable, every computer that we manage the configuration asset the patching level on and the updates on. It affects essentially most roles within the organization.

Every Enterprise Has the Security it Deserves

Just given the scale, size, complexity, and the opportunity for human error, you really need to take a holistic, comprehensive, and automated approach towards how you deal with configuration management, change management, and vulnerability management. All of these are key aspects. It’s very difficult if it’s done you know manually. You have to look at a comprehensive program that allows you to simplify, standardize, centralize, and automate all the aspects of how you deal with those things that you know could expose your company to security and privacy concerns.

Every Enterprise has the security it deserves. It begins at the very top. It truly begins with the board, CEO, the Executive Committee, to set the culture and to ensure that the people, process, technology, and the governance processes are in place to ensure the security of customers, companies, and employees information.

Related Articles:

Huge Volume of IoT Data Managed via AI Creates Real Value, Says Oracle VP

Oracle CEO: Applications Market Changes Significantly As It Moves to Cloud

Oracle CEO: Three Big Things in the Gen 2 Cloud… Security, Security, Security

The developers announced the OpenCore 1.0 release on GitHub, paving the way for users to install macOS Sonoma on Macs that would otherwise be left out in the cold.

With the release of OpenCore Legacy Patcher 1.0.0, we’re proud to announce macOS Sonoma support! And with it, 83 unsupported Mac models will be able to run Apple’s latest OS!

With it, we’ve finally made the jump to 1.0.0! Going forward, we’ll be following the semantic versioning system to help streamline releases.

With macOS Sonoma, we spent many months working tirelessly to get these old machines running. And because of the sheer number of different hardware we support and the challenges of working on a closed-source operating system, not all features are currently available.

Users interested in OpenCore can learn more here.

Cloudflare is one of the leading content delivery networks (CDN), used by companies in a range of industries. The company’s Richard Boulton said it originally built its platform on native Linux services, but outlined some of the challenges the company faced:

The structure of the code limits the ease of making changes. While some changes are easy to make, other things run into surprising limits due to the underlying platform. For example, it is not possible to perform I/O in many parts of the code which handle HTTP response processing, leading to complex workarounds to preload resources in case they are needed.

Deploying updates to the software is high risk, so is done slowly and with care. Massive improvements have been made in the past years to our processes here, but it’s not uncommon to have to wait a week to see changes reach production, and changes tend to be deployed in large batches, making it hard to isolate the effect of each change in a release.

Finally, the code has a modular structure, but once in production there is limited isolation and sandboxing, so tracing potential side effects is hard, and debugging often requires knowledge of the whole system, which takes years of experience to obtain.

Boulton says the company is taking a cautious approach to the rebuild, tackling those parts of its infrastructure that make the most sense to swap out:

Our systems are a lot more complicated than they were in 2013. The approach we’re taking is one of gradual change. We will not rebuild our systems as a new, standalone reimplementation. Instead, we will identify separable parts of our systems, where we can have a concrete benefit in the immediate future, and migrate these to new architectures. We’ll then learn from these experiences, feed them back into improving our platform and tooling, and identify further areas to work on.

Modularity of our code is of key importance; we are designing a system that we expect to be modified by many teams. To control this complexity, we need to introduce strong boundaries between code modules, allowing reasoning about the system to be done at a local level, rather than needing global knowledge.

The entire blog post is extremely detailed and a recommended read for anyone interested in better understanding the ins and outs of CDN infrastructure design.

According to Hacker News, six of the vulnerabilities are rated Critical and 32 are Important. The most important is CVE-2023-29336, which is being actively exploited in the wild, although just how much is still unknown:

What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

All users should update immediately to protect their systems.

In a blog post outlining Microsoft’s Windows roadmap, the company says there will be no more major updates to Windows 10:

As documented on the Windows 10 Enterprise and Education and Windows 10 Home and Pro lifecycle pages, Windows 10 will reach end of support on October 14, 2025. The current version, 22H2, will be the final version of Windows 10, and all editions will remain in support with monthly security update releases through that date. Existing LTSC releases will continue to receive updates beyond that date based on their specific lifecycles.

For organizations that want to remain on Windows 10 as long as they can, the company recommends updating to the 22H2 release as soon as possible to continue to get the latest security and bug fixes.

• We highly encourage you to transition to Windows 11 now as there won’t be any additional Windows 10 feature updates.
• If you and/or your organization must remain on Windows 10 for now, please update to Windows 10, version 22H2 to continue receiving monthly security update releases through October 14, 2025. See how you can quickly do this via a servicing enablement package in How to get the Windows 10 2022 Update.

Wing Security analyzed more than 550 companies to gain insight into the state of SaaS application usage. A disturbing issue was the prevalence of “Shadow IT,” a term used for when employees use apps and services that are not provided or vetted by the company’s IT department.

According to the study, in large part as a result of Shadow IT, “in a staggering 84% of companies, employees were using an average of 3.5 SaaS applications that were breached in the past 3 months.”

Wing Security attributes this to the decentralized, easy access to SaaS apps:

This occurs because of the decentralized and ungoverned nature of SaaS applications. When an employee needs a quick fix to a problem or a tool to help them do their job, chances are they will “Google it” and find a SaaS application, often a free one or with a free version, to help them. These “quick fixes” often completely by-pass company procedures. It is important to keep in mind that as small and benign as an application may seem, it can still be connected (with high permissions) to one of the organization’s major SaaS applications such as Salesforce, Slack, Zoom and others.

Another major concern was the number of data permissions apps had, including apps that were not even in use. According to the company, some “76% of all permissions that were given to applications by the users were not in use for over 30 days.”

In many cases, the need for SaaS applications is in question, with a slight majority of such apps only being used by a single employee. According to Wing Security, “55% of SaaS applications are used by only one employee, raising questions about their necessity – and making it unlikely that they were known and protected by the security team.”

Another major concern is outside access. According to the company, “20% of SaaS users to be external to the organization. These are contractors, freelancers or agencies that your employees work with and have received access to your SaaS applications.”

SaaS use is on the rise, with many companies seeing it as a way to keep costs down while scaling to meet demand. Unfortunately, it appears the industry still has a long way to go before SaaS deployment matches the security of other options.

LinuxONE Bare Metal Servers are based on the s390x processor architecture. The company says that customers “can select from a set of pre-configured profiles with corresponding amounts of memory and storage to run workloads that are highly performant on the LinuxONE platform.”

IBM has been transforming itself into a hybrid cloud company, and the new LinuxONE servers fit perfectly into that model. The servers can be deployed on-site or off, giving customers the necessary flexibility to meet their needs.

Flexible consumption options are available in both an on-premises and off-premises environment. Companies choose to use LinuxONE for a variety of Linux-based workloads, such as database scalability or application modernization with Red Hat OpenShift Container Platform.

IBM also emphasizes the environmental benefits of using LinuxONE Bare Metal Servers.

LinuxONE is designed to help support green IT efforts. For example, consolidating Linux workloads on five IBM LinuxONE Emperor 4 systems instead of running them on compared x86 servers under similar conditions can reduce energy consumption by 75%, space by 50% and the CO2e footprint by over 850 metric tons annually.

Interested parties can get started via the IBM Bare Metal Servers provisioning page, or learn more via the documentation.

Nextcloud is the open source cloud platform that provides powerful alternatives to commercial products. EU governments, ever eager to reduce reliance on Big Tech, are increasingly looking to the platform as an option. In fact, the European Data Protection Supervisor recently migrated to Nextcloud:

Open Source Software offers data protection-friendly alternatives to commonly used large-scale cloud service providers that often imply the transfer of individuals’ personal data to non-EU countries. Solutions like this may therefore minimise reliance on monopoly providers and detrimental vendor lock-in. By negotiating a contract with an EU-based provider of cloud services, the EDPS is delivering on its commitments, as set out in its 2020-2024 Strategy, to support EUIs in leading by example to safeguard digital rights and process data responsibly.”

Wojciech Wiewiórowski, EDPS

The upcoming end of SharePoint Server support has created a situation where governments are eager to avoid vendor lock-in, making Nextcloud an even more appealing proposition.

As a result, Nextcloud has received a significant increase in interest from EU governments, with German state Schleswig-Holstein already making the switch from SharePoint to Nextcloud, and many others beginning to follow suit.

Nextcloud’s initiative to offer a digitally sovereign, open-source alternative to Microsoft Sharepoint is to be welcomed. That’s why we work together with Nextcloud to optimize Nextcloud Tables.

Ralf Sutorius, Leitender IT-Architekt, Stadt Köln

It’s a refreshing turn of events to see a powerful, open source alternative gain more widespread use.

According to Windows Latest, the problem has been going on for months, but seems to be impacting the most recent security and essential updates. It is impacting some optional updates as well.

KB5022303, the mandatory security update and essential for Windows 11 users, is failing with mysterious error messages, with 0x800f0831 being the most common error code. This bug is also hitting KB5022360, which is the latest optional update for Windows 11.

While failed updates are bad enough, cryptic error messages that do not provide any assistance make it that much more difficult to troubleshoot.

While Microsoft is aware of the situation, there has been no word yet on a possible fix.

Ubuntu is the most widely-used Linux distro, providing excellent hardware support and ease of use. Canonical releases interim releases every six months, with LTS (long-term support) releases every two years. LTS releases offer five years of support and security patches.

The new Ubuntu Pro subscription extends LTS support to a full ten years while also improving security. In particular, Ubuntu Pro adds security patch support for the 23,000 packages in the Ubuntu Universe repo, outside of the 2,300 packages in the Ubuntu Main repo.

Ubuntu Pro, Canonical’s comprehensive subscription for secure open source and compliance, is now generally available. Ubuntu Pro, released in beta in October last year, helps teams get timely CVE patches, harden their systems at scale and remain compliant with regimes such as FedRAMP, HIPAA and PCI-DSS.

The new plan also features optional phone/ticket support.

“I manage my own compute cluster leveraging MAAS and other Canonical tools to support my research. The open source security patches delivered through Ubuntu Pro give my team peace of mind, and ensure my servers are secure. Canonical is continuously delivering timely CVE patches covering a broad portfolio of open source applications for the entire ten-year lifetime of an Ubuntu LTS. This brings much needed stability and compliance”, said David A Gutman, MD PhD, Associate Professor of Pathology, Emory University School of Medicine.

The subscription is available for free to personal and small-scale commercial users for up to five machines. The standard subscription is available for $25 per workstation per year or $500 per server per year.

Patch Tuesday is Microsoft’s term for when it releases updates and security fixes for Windows. The first Patch Tuesday of 2023 fixes a slew of issues, including 11 critical and 87 important issues. One of them, CVE-2023-21674, is currently being exploited.

Microsoft offers the following description of the zero-day exploit:

This vulnerability could lead to a browser sandbox escape.

Once the vulnerability is exploited, an attacker can achieve the following:

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

All users should update immediately.

Microsoft has issued a knowledge base article detailing possible data loss issues as a result of the latest Vector Advanced Encryption Standard (AES). The impacted hardware will have either AES XEX-based tweaked-codebook mode with ciphertext stealing (AES-XTS) or AES with Galois/Counter Mode (GCM) (AES-GCM).

The company says a recent change in Windows caused the issue.

We added new code paths to the Windows 11 (original release) and Windows Server 2022 versions of SymCrypt to take advantage of VAES (vectorized AES) instructions. SymCrypt is the core cryptographic library in Windows. These instructions act on Advanced Vector Extensions (AVX) registers for hardware with the newest supported processors.

Microsoft recommends customers upgrade to the latest preview releases.

To prevent further data damage, we addressed this issue in the May 24, 2022 preview release and the June 14, 2022 security release. After applying those updates, you might notice slower performance for almost one month after you install them on Windows Server 2022 and Windows 11 (original release).

To prevent further data damage, we addressed this issue in the May 24, 2022 preview release and the June 14, 2022 security release. After applying those updates, you might notice slower performance for almost one month after you install them on Windows Server 2022 and Windows 11 (original release).

More information can be found here.

Windows updates are already one of the most frustrating part of many users’ daily lives. The process is long and involved, and happens far more often than many users would like. To make matters worse, updates fail at times, leading to a whole slew of additional issues.

According to David Guyer, on the company’s Windows IT Pro Blog, users should be allocating at least eight hours for updates.

“Microsoft has invested significant effort into understanding why Windows devices are not always fully up to date,” writes Guyer. “One of the most impactful things we explored was how much time a device needs to be powered on and connected to Windows Update to be able to successfully install quality and feature updates. What we found is that devices that don’t meet a certain amount of connected time are very unlikely to successfully update. Specifically, data shows that devices need a minimum of two continuous connected hours, and six total connected hours after an update is released to reliably update. This allows for a successful download and background installations that are able to restart or resume once a device is active and connected.”

It’s a safe bet no one is going to be happy with this recommendation, from home users to IT managers.

On Linux, Unix, macOS, and other Unix-style operating systems, the root account has ultimate access to the system. As a result, when a user account is set up, it doesn’t have root access as a way of protecting the system from accidental damage.

Unfortunately, according to security firm Qualys, there is a major flaw in the popular polkit’s pkexec utility that is included in every major Linux distro. Qualsys’ Bharat Jogi, Director, Vulnerability and Threat Research, describes the role polkit plays in Unix-style systems.

Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged processes. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission).

When the vulnerability is exploited, a regular user is able to gain root privileges, completely compromising the system. Unfortunately, Qualsys says the vulnerability has been in existence for 12+ years, since at least May 2009.

Qualsys has already notified all vendors and recommends users install security patches for their distro immediately.

Linux and FreeBSD are being targeted by the latest version of Hive ransomware.

Hive ransomware was first observed in June 2021, with the FBI warning about it in late August. Initially the ransomware targeted Windows only, but the creators are looking to expand that.

According to security firm ESET, the hackers behind Hive have been working on a Linux and FreeBSD version.

#ESETresearch has identified Linux and FreeBSD variants of the #Hive #Ransomware. Just like the Windows version, these variants are written in #Golang, but the strings, package names and function names have been obfuscated, likely with gobfuscate. 1/6 pic.twitter.com/dBw0E5pj6r

— ESET Research (@ESETresearch) October 29, 2021

For the time being, the Linux and FreeBSD versions are not very effective. The ransomware tries to run as root but, unless it has root privileges, it fails to trigger encryption.

The malware also tries to write the ransom note and key information file to the filesystem root, so unless executed with root privileges, it fails and the encryption is not even triggered. These facts lead us to believe that the Linux variant is still in development phase. 5/6 pic.twitter.com/tuwQKJpFml

— ESET Research (@ESETresearch) October 29, 2021

While it’s good news that the Linux and FreeBSD versions of Hive don’t effectively work yet, “yet” is the operative word. It’s likely only a matter of time until the bugs are worked out, opening the Linux and FreeBSD communities to attack.

Writing for the New York Times, Brian X. Chen makes the case that it’s time to stop paying for VPNs.

Virtual private networks (VPN) are popular tools people use to protect their privacy online. Theoretically, a VPN masks a person’s activity by routing their traffic through the VPN’s network. As a result, it’s much more difficult for third parties to track a person’s movement online. The individual’s ISP can’t see what websites they’re visiting, and the websites can’t easily track their activity.

Unfortunately, the world of VPNs can be among the most mysterious and opaque in the software industry. Many companies’ ownership is obscured, making it difficult for customers to have any real sense of accountability. Still others engage in activities and practices that are questionable at best — such as ExpressVPN knowingly hiring a former US intelligence operative that worked as a hacker-for-hire for the United Arab Emirates.

Even worse, as Chen points out, a number of high-profile and popular VPN services have been purchased by shady companies. Kape Technologies is one such company, and has been accused of developing malware by Google and the University of California. Unfortunately, Kape has bought CyberGhost VPN, Zenmate and ExpressVPN, the latter a service that routinely receives high scores and recommendations from a slew of publications.

Chen makes the case that the current state of the web, where the vast majority of websites are using HTTPS, makes VPNs unnecessary for most users. In addition, for Apple users, iCloud Private Relay is specifically designed to provide a layer privacy, although it doesn’t truly compete with a VPN.

As Chen points out, there are some situations where a VPN is useful, specifically when a user needs to mask their location in order to access certain content.

All-in-all, Chen’s piece is a thought-provoking look at an industry that, while once invaluable, may no longer be meeting the vast majority of its users’ needs.

Remembering passwords has always been a challenge for many, one that grows with the number of services, apps and platforms a person uses. Add in some passwords being caught in data breaches and needing to be replaced, and keeping up with one’s passwords quickly becomes a chore.

Microsoft is trying to help ease that frustration by making passwordless login a reality. CEO Satya Nadella tweeted about it Wednesday, September 15:

Vasu Jakkal Corporate Vice President, Security, Compliance and Identity, expanded on how the feature will work.

For the past couple of years, we’ve been saying that the future is passwordless, and today I am excited to announce the next step in that vision. In March 2021, we announced that passwordless sign in was generally available for commercial users, bringing the feature to enterprise organizations around the world.

Beginning today, you can now completely remove the password from your Microsoft account. Use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to your favorite apps and services, such as Microsoft Outlook, Microsoft OneDrive, Microsoft Family Safety, and more. This feature will be rolled out over the coming weeks.

Cloudflare’s content delivery network (CDN) and security services are used by some of the biggest names on the web. The company’s servers handle some 25 million HTTP requests every second. As result, Cloudflare chooses the technology it uses very carefully.

When the company evaluated processors for its 11th generation servers, it evaluated Intel, AMD and the Ampere Altra ARM architecture. Cloudflare found that Intel’s latest Ice Lake Xeon processors matched AMD in performance, but their “power consumption was several hundred watts higher per server – that’s enormous. This meant that Intel’s Performance per Watt was unattractive.”

In contrast both AMD and Ampere both made the company’s shortlist. Cloudflare ultimate went with AMD’s 64 core EPYC 7713, which provided roughly 29% better performance, while maintaining similar power consumption and thermal levels as the previous generation.

Cloudflare’s revelation is a blow to Intel as the company is struggling to regain its former dominance in the semiconductor industry.