Tor Project loses a third of staff in coronavirus cuts: Unlucky 13 out as nonprofit hacks back to core ops

Also, Zoom assembles security dream team to fix its ongoing woes

Roundup This week in The Reg's security roundup of the notable bits beyond what we've already covered, the Tor Project has cut back to its core team, Zoom has called in the big security guns, US tech firms are taking on its Congress – and more.

First off, it has been a bad weekend for 13 staffers at the nonprofit Tor Project after they were let go as the team was reduced to core operations only.

"Like many other nonprofits and small businesses, the crisis has hit us hard, and we have had to make some difficult decisions," it said in a statement.

"We had to let go of 13 great people who helped make Tor available to millions of people around the world. We will move forward with a core team of 22 people, and remain dedicated to continuing our work on Tor Browser and the Tor software ecosystem."

Such drastic cuts are surprising, given Tor's relatively small overheads and prominent supporters, including the US government and DARPA. Tor hasn't released any more details at the moment.

Zoom calls in the big guns to fix security woes

After spending the last month or so as the clown atop the dunk tank in the IT security world, Zoom has called in some help with its bug bounty program.

Luta Security has been tapped to help the videoconferencing giant set up a bug bounty program so that it can get its future security lapses cleaned up and rewarded before they go public. Actually, this has been in the works for some time - Luta founder and CEO Katie Moussouris told The Register the project began months before the Coronavirus outbreak.

This is not just an empty gesture, either. Luta boss Moussouris is something of a legend in the bug bounty space, having helped launched the programs at Microsoft and the US Department of Defense. She also does not do half-assed bounty programs, so you can bet there will be a well-trained team on Zoom's end to deal with the bug reports and get issues fixed.

Earlier in the month Zoom also recruited Alex Stamos, the former CSO of Yahoo! and Facebook, as well as noted security mavens Matthew Green, professor of Computer Science at the Johns Hopkins Information Security Institute and Lea Kissner, the former head of privacy tech at Google.

Tech firms ask for infosec funding with next US stimulus package

A group of tech advocacy groups are asking the US Congress to earmark money for IT spending in the next Coronavirus pandemic stimulus bill. Local, state and federal government's IT systems are in desperate need of modernization, they argue.

"The COVID19 pandemic exposes the need to redouble efforts to digitize federal forms and reduce reliance on hand-processing paperwork for high priority response and relief efforts," the letter [PDF] reads.

"In addition, the rapid transition to remote telework during the pandemic has also created new challenges for many government agencies, including increased cybersecurity threats, an inability to leverage commercial capabilities (which reduces program effectiveness), and important continuity of government operations."

Equifax settles with Massachusetts and Indiana

Two of the states who opted to go it alone in their suits over the Equifax data theft will be getting a combined $37.7m in settlement payouts.

The states of Massachusetts and Indiana separately announced this week that they had settled their claims for $18.2m and $19.5m, respectively.

Indiana says the settlement cash will be paid out to citizens as restitution, while Massachusetts says it plans to carve off a portion for consumer aid programs.

Taiwan's chipmakers under attack from foreign hackers

Semiconductor manufacturers in Taiwan are being targeted by an organized foreign hacking operation aimed at lifting intellectual property.

Security company CyCraft says it was called in to investigate the matter, and soon concluded that what was going on was a sophisticated, highly-organized APT operation that used, among other things, a particularly nasty "skeleton key" attack to infiltrate the networks and get to sensitive documents.

"The main objective of these attacks was the exfiltration of intellectual property, such as documents on integrated circuits (IC), software development kits (SDKs), IC designs, source code, etc," the company writes.

"The motive behind these attacks likely stems from competitors (or possibly even nation-states due to the advanced nature of the attacks) seeking to gain a competitive advantage."

Clearview exposes code in security lapse

As misconfigured database left a Clearview AI database containing, among other things, source code and secret keys, was left accessible to the general public.

Middle Eastern security shop SpiderSilk spotted the database, which was protected by a password. However, the firm claims, anyone could log in as a new user and get access to the crown jewels of the company, including access to its online storage buckets.

The exposure was spotted by a researcher and was since taken down, though the researchers and ClearView seem to be at odds over how the disclosure was handled.

Docker image security dissected

Akamai security research ace Larry Cashdollar (yes that is his real name) delivered a sobering look at what sort of attacks will target your typical Docker image in a given day.

Cashdollar's Docker image honeypot, left out for 24 hours, was exposed to a number of automated intrusion attempts and was infected with things like a Mirai botnet payload and a crypto-mining malware.

Crash stop on Windows security

A recent update to Windows Defender is said to be causing some problems, as users are reporting their security software is crashing while trying to perform scans.

The security software can be restarted manually and hopefully an update from Microsoft to fix the bug is already in the works.

Inside look at a Linux bug

Ever wonder what does into a Linux kernel flaw? The security team at ZDI has provided an inside look at CVE-2020-8835, a kernel privilege escalation flaw.

Fortunately, there shouldn't be much in the way of risk to users and admins, as the flaw has been known of for months and was patched some time ago. But it's worth checking out how easy it is to subvert systems sometimes. ®

Similar topics

Broader topics

Narrower topics

Other stories you might like

  • We can unify HPC and AI software environments, just not at the source code level

    Compute graphs are the way forward

    Register Debate Welcome to the latest Register Debate in which writers discuss technology topics, and you the reader choose the winning argument. The format is simple: we propose a motion, the arguments for the motion will run this Monday and Wednesday, and the arguments against on Tuesday and Thursday. During the week you can cast your vote on which side you support using the poll embedded below, choosing whether you're in favour or against the motion. The final score will be announced on Friday, revealing whether the for or against argument was most popular.

    This week's motion is: A unified, agnostic software environment can be achieved. We debate the question: can the industry ever have a truly open, unified, agnostic software environment in HPC and AI that can span multiple kinds of compute engines?

    Arguing today FOR the motion is Rob Farber, a global technology consultant and author with an extensive background in HPC and in developing machine-learning technology that he applies at national laboratories and commercial organizations. Rob can be reached at

    Continue reading
  • But why that VPN? How WireGuard made it into Linux

    Even the best of ideas can take their own sweet time making it into the kernel

    Maybe someday – maybe – Zero Trust will solve many of our network security problems. But for now, if you want to make sure you don't have an eavesdropper on your network, you need a Virtual Private Network (VPN).

    There's only one little problem with commercial VPNs: many of them are untrustworthy. So, what can you do? Well, run your own of course is the open-source answer. And, today, your VPN of choice is Linux's built-in VPN: WireGuard.

    Why WireGuard rather than OpenVPN or IKEv2? Because it's simpler to implement while maintaining security and delivering faster speeds. And, when it comes to VPNs, it's all about balancing speed and security.

    Continue reading
  • Boffins demonstrate a different kind of floppy disk: A legless robot that hops along a surface

    This is fine

    Those us who fear future enslavement by robot overlords may have one more reason not to sleep at night: engineers have demonstrated a few of the legless, floppy variety making some serious leaps.

    Animated pancake-like droids have demonstrated their ability to execute a series of flops in a fashion their creators – soft robotics engineers based in China – describe as "rapid, continuous, and steered jumping."

    "Jumping is an important locomotion function to extend navigation range, overcome obstacles, and adapt to unstructured environments," Rui Chen of Chongqing University and Huayan Pu of Shanghai University said.

    Continue reading

Biting the hand that feeds IT © 1998–2021