P&O Ferries spent more than £47m summarily sacking hundreds of seafarers in 2022, helping it cut losses by more than £125m and putting it on a path to profitability, according to accounts due to be published in the coming days.

A union representing Post Office staff has lashed out at proposals that could result in 115 branch closures and significantly more than 1,000 workers losing their jobs, by describing them as "immoral".

The Range, the privately owned general merchandise retailer, is closing in on a deal to snap up a large chunk of Homebase which will save close to 1,500 jobs but raise doubts about at least 1,700 more.

The celebrity chef announced he was diagnosed with the mental health condition earlier this year.

The Post Office has announced that more than a hundred larger crown branches - those owned by the company directly - could close with the possible loss of hundreds of jobs.

Some people in Spain appear to have covered their cars in plastic wrap ahead of another approaching storm.

The court said authorities cannot demolish property of people just because they are accused of crimes.

A human head has been found washed up on a beach in Florida, according to police.

The Church of England's deputy lead bishop for safeguarding has said it is "not a safe institution" in some ways - and that others may need to step down following the Archbishop of Canterbury's resignation.

An American warship that was sunk by Japanese dive bombers during the Second World War has finally been found, more than 80 years later.

Sara Sharif's murder-accused father has told jurors he "takes full responsibility" for the death of his daughter.

A picnic cottage enjoyed by Queen Victoria during her visits to Balmoral has been restored to its former glory by the National Trust for Scotland.

Actor Timothy West has died peacefully in his sleep aged 90, "with his friends and family at the end".

New trenches and berms are being constructed along the frontier in the occupied Golan Heights.

Audrey F tells a court how a 13-year-old student's lie to her parents led to Samuel Paty's murder.

BAFTA will not revoke individual awards won by disgraced news presenter Huw Edwards, Sky News understands.

Several people have been injured after a bus carrying school children collided with a lorry in Leicestershire.

It’s the start of the work week, so for the IT administrators among us, I have another great article by friend of the website, Stefano Marinelli. This article covers migrating a Proxmox-based setup to FreeBSD with bhyve. The load is not particularly high, and the machines have good performance. Suddenly, however, I received a notification: one of the NVMe drives died abruptly, and the server rebooted. ZFS did its job, and everything remained sufficiently secure, but since it’s a leased server and already several years old, I spoke with the client and proposed getting more recent hardware and redoing the setup based on a FreeBSD host. ↫ Stefano Marinelli If you’re interested in moving one of your own setups, or one of your clients’ setups, from Linux to FreeBSD, this is a great place to start and get some ideas, tips, and tricks. Like I said, it’s Monday, and you need to get to work.

Another month lies behind us, so another monthly update from Redox is upon us. The biggest piece of news this time is undoubtedly that Redox now runs on RISC-V – a major achievement. Andrey Turkin has done extensive work on RISC-V support in the kernel, toolchain and elsewhere. Thanks very much Andrey for the excellent work! Jeremy Soller has incorporated RISC-V support into the toolchain and build process, has begun some refactoring of the kernel and device drivers to better handle all the supported architectures, and has gotten the Orbital Desktop working when running in QEMU. ↫ Ribbon and Ron Williams That’s not all, though. Redox on the Raspberry Pi 4 boots to the GUI login screen, but needs more work on especially USB support to become a fully usable target. The application store from the COSMIC desktop environment has been ported, and as part of this effort, Redox also adopted FreeDesktop standards to make package installation easier – and it just makes sense to do so, with more and more of COSMIC making its way to Redox. Of course, there’s also a slew of smaller improvements to the kernel, various drivers including the ACPI driver, RedoxFS, Relibc, and a lot more. The progress Redox is making is astounding, and while that’s partly because it’s easier to make progress when there’s a lot of low-hanging fruit as there inevitably will be in a relatively new operating system, it’s still quite an achievement. I feel very positive about the future of Redox, and I can’t wait until it reaches a point where more general purpose use becomes viable.

NetBSD is an open-source, Unix-like operating system known for its portability, lightweight design, and robustness across a wide array of hardware platforms. Initially released in 1993, NetBSD was one of the first open-source operating systems based on the Berkeley Software Distribution (BSD) lineage, alongside FreeBSD and OpenBSD. NetBSD’s development has been led by a collaborative community and is particularly recognized for its “clean” and well-documented codebase, a factor that has made it a popular choice among users interested in systems programming and cross-platform compatibility. ↫ André Machado I’m not really sure what to make of this article, since it mostly reads like an advertisement for NetBSD, but considering NetBSD is one of the lesser-talked about variants of an operating system family that already sadly plays second fiddle to the Linux behemoth, I don’t think giving it some additional attention is really hurting anybody. The article is still gives a solid overview of the history and strengths of NetBSD, which makes it a good introduction. I have personally never tried NetBSD, but it’s on my list of systems to try out on my PA-RISC workstation since from what I’ve heard it’s the only BSD which can possibly load up X11 on the Visualize FX10pro graphics card it has (OpenBSD can only boot to a console on this GPU). While I could probably coax some cobbled-together Linux installation into booting X11 on it, where’s the fun in that? Do any of you lovely readers use NetBSD for anything? FreeBSD and even OpenBSD are quite well represented as general purpose operating systems in the kinds of circles we all frequent, but I rarely hear about people using NetBSD other than explicitly because it supports some outdated, arcane architecture in 2024.

A long, long time ago, back when running BeOS as my main operating system had finally become impossible, I had a short stint running QNX as my one and only operating system. In 2004, before I joined OSNews and became its managing editor, I also wrote and published an article about QNX on OSNews, which is cringe-inducing to read over two decades later (although I was only 20 when I wrote that – I should be kind to my young self). Sadly, the included screenshots have not survived the several transitions OSNews has gone through since 2004. Anyway, back in those days, it was entirely possible to use QNX as a general purpose desktop operating system, mostly because of two things. First, the incredible Photon MicroGUI, an excellent and unique graphical environment that was a joy to use, and two, because of a small but dedicated community of enthousiasts, some of which QNX employees, who ported a ton of open source applications, from basic open source tools to behemoths like Thunderbird, the Mozilla Suite, and Firefox, to QNX. It even came with an easy-to-use package manager and associated GUI to install all of these applications without much hassle. Using QNX like this was a joy. It really felt like a tightly controlled, carefully crafted user experience, despite desktop use being so low on the priority list for the company that it might as well have not been on there at all. Not long after, I think a few of the people inside QNX involved with the QNX desktop community left the company, and the entire thing just fizzled out afterwards when the company was acquired by Harman Kardon. Not long after, it became clear the company lost all interest, a feeling only solidified once Blackberry acquired the company. Somewhere in between the company released some of its code under some not-quite-open-source license, accompanied by a rather lacklustre push to get the community interested again. This, too, fizzled out. Well, it seems the company is trying to reverse course, and has started courting the enthusiast community once again. This time, it’s called QNX Everywhere, and it involves making QNX available for non-commercial use for anyone who wants it. No, it’s not open source, and yes, it requires some hoops to jump through still, but it’s better than nothing. In addition, QNX also put a bunch of open source demos, applications, frameworks, and libraries on GitLab. One of the most welcome new efforts is a bootable QNX image for the Raspberry Pi 4 (and only the 4, sadly, which I don’t own). It comes with a basic set of demo application you can run from the command line, including a graphical web browser, but sadly, it does not seem to come with Photon microGUI or any modern equivalent. I’m guessing Photon hasn’t seen a ton of work since its golden days two decades ago, which might explain why it’s not here. There’s also a list of current open source ports, which includes chunks of toolkits like GTK and Qt, and a whole bunch of other stuff. Honestly, as cool as this is, it seems it’s mostly aimed at embedded developers instead of weird people who want to use QNX as a general purpose operating system, which makes total sense from QNX’ perspective. I hope Photon microGUI will make a return at some point, and it would be awesome – but I expect unlikely – if QNX could be released as open source, so that it would be more likely a community of enthusiasts could spring up around it. For now, without much for a non-developer like me to do with it, it’s not making me run out to buy a Raspberry Pi 4 just yet.

Earlier this year, a proposal was made to replace the primary edition of Fedora from the GNOME variant to the KDE variant. This proposal, while serious, was mostly intended to stir up discussion about the position of the Fedora KDE spin within the larger Fedora community, and it seems this has had its intended effect. A different, but related proposal, to make Fedora KDE equal in status to the Fedora GNOME variant, has been accepted. The original proposal read: After a few months of being live, the proposal has now been unanimously accepted, which means that starting with Fedora 42, the GNOME and KDE versions will have equal status, and thus will receive equal marketing and positioning on the website. Considering how many people really enjoy Fedora KDE, this is a great outcome, and probably the fairest way to handle the situation for a distribution as popular as Fedora. I use Fedora KDE on all my machines, so for me, this is great news.

More bad news from Mozilla. The Mozilla Foundation, the nonprofit arm of the Firefox browser maker Mozilla, has laid off 30% of its employees as the organization says it faces a “relentless onslaught of change.” Announcing the layoffs in an email to all employees on October 30, the Mozilla Foundation’s executive director Nabiha Syed confirmed that two of the foundation’s major divisions — advocacy and global programs — are “no longer a part of our structure.” ↫ Zack Whittaker at TechCrunch This means Mozilla will no longer be advocating for an open web, privacy, and related ideals, which fits right in with the organisation’s steady decline into an ad-driven effort that also happens to be making a web browser used by, I’m sorry to say, effectively nobody. I just don’t know how many more signs people need to see before realising that the future of Firefox is very much at stake, and that we’re probably only a few years away from losing the only non-big tech browser out there. This should be a much bigger concern than it seems to be to especially the Linux and BSD world, who rely heavily on Firefox, without a valid alternative to shift to once the browser’s no longer compatible with the various open source requirements enforced by Linux distributions and the BSDs. What this could also signal is that the sword of Damocles dangling above Mozilla’s head is about to come down, and that the people involved know more than we do. Google is effectively bankrolling Mozilla – for about 80% of its revenue – but that deal has come under increasing scrutiny from regulars, and Google itself, too, must be wondering why they’re wasting money supporting a browser nobody’s using. We’re very close to a web ruled by Google and Apple. If that prospect doesn’t utterly terrify you, I honestly wonder what you’re doing here, reading this.

Speaking of Steam, the Linux version of Valve’s gaming platform has just received a pretty substantial set of fixes for crashes, and Timothee “TTimo” Besset, who works for Valve on Linux support, has published a blog post with more details about what kind of crashes they’ve been fixing. The Steam client update on November 5th mentions “Fixed some miscellaneous common crashes.” in the Linux notes, which I wanted to give a bit of background on. There’s more than one fix that made it in under the somewhat generic header, but the one change that made the most significant impact to Steam client stability on Linux has been a revamping of how we are approaching the setenv and getenv functions. One of my colleagues rightly dubbed setenv “the worst Linux API”. It’s such a simple, common API, available on all platforms that it was a little difficult to convince ourselves just how bad it is. I highly encourage anyone who writes software that will run on Linux at some point to read through “RachelByTheBay”‘s very engaging post on the subject. ↫ Timothee “TTimo” Besset This indeed seems to be a specific Linux problem, and due to the variability in Linux systems – different distributions, extensive user customisation, and so on – debugging information was more difficult to parse than on Windows and macOS. After a lot of work grouping the debug information to try and make sense of it all, it turned out that the two functions in question were causing issues in threads other than those that used them. They had to resort to several solutions, from reducing the reliance setenv and refactoring it with exevpe, to reducing the reliance on getenv through caching, to introducing “an ‘environment manager’ that pre-allocates large enough value buffers at startup for fixed environment variable names, before any threading has started”. It was especially this last one that had a major impact on reducing the number of crashes with Steam on Linux. Besset does note that these functions are still used far too often, but that at this point it’s out of their control because that usage comes from the libraries of the operating system, like x11, xcb, dbus, and so on. Besset also mentions that it would be much better if this issue can be addressed in glibc, and in the comments, a user by the name of Adhemerval reports that this is indeed something the glibc team is working on.

Korzystając z zainfekowanych telefonów, przestępcy rozsyłają wiadomości SMS z informacją o konieczności podjęcia działań wraz z linkiem do złośliwej strony. Jeśli użytkownik zgodzi sie na pobranie i zainstalowanie aplikacji to po uzyskaniu odpowiednich uprawnień przejmuje ona kontrolę nad urządzeniem i wykradać dane z telefonu.

Przestępcy wykorzystują kilka metod propagowania oszustwa oraz zachęcania potencjalnej ofiary do podania poufnych danych związanych z portalem Facebook. Konta te też są wykorzystywane do wyłudzania środków finansowych od osób będących w kręgu znajomych przejętego konta.

Głównym celem tego oszustwa jest zachęcenie potencjalnej ofiary do podania danych logowania do swojego konta bankowości internetowej, aby następnie wyłudzić przechowywane pieniądze.

Sukcesywnie każdego roku CERT Polska rejestruje coraz większą liczbę zgłoszeń oraz incydentów cyberbezpieczeństwa. W 2021 r. CERT Polska zarejestrował 116 071 zgłoszeń. Spośród wszystkich zgłoszeń nasi specjaliści wytypowali 65 586, na podstawie których zarejestrowano łącznie 29 483 unikalnych incydentów cyberbezpieczeństwa.

Rynek urządzeń mobilnych z roku na rok powiększa się, a w raz z nim liczba ataków na urządzenia mobilne. W 2021 r. do zespołu zespołu CERT Polska trafiło ponad 17,5 tys. zgłoszeń dotyczących szkodliwych aplikacji na systemy operacyjne Android.

Nowy raport, stare techniki – tak w skrócie można ująć kluczowe obserwacje z 2021 r. Przestępcy udoskonalili znane sposoby oszustw i częściej zaczęli sięgać po metody wcześniej rzadko używane. Zapraszamy do lektury.

Ostrzegamy – nastąpił wyciek zaszyfrowanych haseł użytkowników menadżera LastPass. Podczas ataku zostały pobrane pliki z infrastruktury LastPass, zatem atakujący może mieć dostęp do: adresów email, nazwisk, zaszyfrowanych haseł czy niezaszyfrowanych pól.

Ostrzegamy - szkodliwe oprogramowanie z rodziny Hydra ponownie aktywne. Jako cel obiera dane logowania do aplikacji bankowych na systemach Android.

Nowy Rok przyniósł kolejne rozwiązania poprawiające bezpieczeństwo polskiego internetu. Jednym z nich jest Artemis – narzędzie rozwijane przez zespół CERT Polska, które pomaga sprawdzać poziom zabezpieczeń stron internetowych. Weryfikacji podlegają podmioty, w przypadku których, zgodnie z ustawą o krajowym systemie cyberbezpieczeństwa, obsługa incydentów koordynowana jest przez CSIRT NASK.

Spear phishing jest oszustwem o charakterze socjotechnicznym, wykorzystującym presję autorytetu i czasu, aby skłonić atakowanego do podjęcia niekorzystnego dla niego działania. Fakt, że zazwyczaj informacje potrzebne do przeprowadzenia ataku są publicznie dostępne lub łatwe do uzyskania, czyni to oszustwo popularnym wśród cyberprzestępców.

Ubiegły rok w polskiej cyberprzestrzeni możemy podsumować hasłami: znane techniki, nowe okoliczności i wzrost świadomości. Dodatkowo, nie da się ukryć, że na cyberbezpieczeństwo wpływ miała także wojna w Ukrainie. Jak duży był to wpływ? Czego możemy spodziewać się w kolejnych miesiącach w polskiej cyberprzestrzeni i jakie wnioski należy wyciągnąć z ostatnich 12 miesięcy? Odpowiedzi znajdziecie w raporcie rocznym z działalności naszego zespołu.

W tym tygodniu doszło do publikacji dużego zbioru danych wykorzystywanych do logowania przez polskich użytkowników. W ramach tego wycieku udostępniono ponad milion unikalnych rekordów z loginem oraz hasłem do różnych stron. W związku z tym jednostki odpowiedzialne za cyberbezpieczeństwo w Polsce, w tym CERT Polska, podjęły odpowiednie działania w celu ograniczenia skutków tej sytuacji.

Od początku sierpnia CERT Polska jako jedyna instytucja w kraju i jeden z 7 CERT-ów w Europie może nadawać numery CVE, które służą identyfikacji i katalogowaniu publicznie ujawnionych podatności.

Nasza Lista Ostrzeżeń obchodziła w tym roku swoje trzecie urodziny. W tym czasie udało nam się ograniczyć skutki wielu różnych kampanii phishingowych celujących w polskich użytkowników Internetu. W odpowiedzi na zmieniający się krajobraz zagrożeń postanowiliśmy wprowadzić parę zmian w działaniu naszej listy, które pozwolą nam lepiej chronić użytkowników. Zapraszamy do zapoznania się z proponowanymi zmianami oraz podzielenia się swoją opinią.

W module WebInteraface oprogramowania Telwin SCADA CERT Polska wykrył podatność typu Path Traversal (CVE-2023-0956).

Wakacje to czas wyjazdów przede wszystkim dzieci i młodzieży. Poza domem nietrudno o pechowe przygody z telefonem, takie jak zagubienie czy zniszczenie smartfona. Jeśli dziecko znajdzie się w takiej sytuacji, dość prawdopodobne jest, że będzie się kontaktować z rodzicami z innego numeru i na tym właśnie opiera się schemat opisywanego przez nas oszustwa. Bądźcie ostrożni i sprawdźcie zamieszczone przykładowe wiadomości wysyłane masowo przez cyberprzestępców!

CERT Polska otrzymał zgłoszenie o podatności w bibliotece lua-http i nadał jej numer CVE-2023-4540.

W CERT Polska stale pracujemy nad narzędziami które poprawiają bezpieczeństwo użytkowników internetu w Polsce. Właśnie dlatego stworzyliśmy serwis bezpiecznapoczta.cert.pl, którego celem jest ochrona użytkowników poczty elektronicznej i ułatwienie instytucjom sprawdzenia poprawności konfiguracji mechanizmów podnoszących jej bezpieczeństwo.

W oprogramowaniu SmodBIP wykryto podatność CSRF (CVE-2023-4837).

Zespół CERT Polska oraz Służba Kontrwywiadu Wojskowego wraz z zagranicznymi partnerami wykryły, że Rosyjska Służba Wywiadu Zagranicznego (SVR) wykorzystuje podatność CVE-2023-42793 (w JetBrains TeamCity) do szeroko zakrojonych działań, skierowanych przeciwko podmiotom wytwarzającym oprogramowanie.

W oprogramowaniu MegaBIP oraz SmodBIP wykryto podatność Stored XSS (CVE-2023-5378).

W otwartoźródłowej bibliotece class.upload.php wykryto podatność typu Stored XSS (CVE-2023-6551).

Okres świąteczny powoli dobiega końca, zatem najwyższy czas ostatecznie rozprawić się z cyberbombkami. W grudniu przygotowaliśmy dla Was cykl „Rozbrajamy cyberbombki”, w którym obalaliśmy najpopularniejsze mity dotyczące cyberbezpieczeństwa.

Jednym z kluczowych wyzwań związanych z europejskim cyberbezpieczeństwem jest zależność od danych pochodzących z krajów spoza UE. Projekt FETTA (Federated European Team for Threat Analysis, pol. Europejski Zespół Analizy Zagrożeń) ma na celu rozwiązanie tego problemu poprzez utworzenie międzynarodowego zespołu opracowującego produkty i narzędzia z zakresu Cyber Threat Intelligence (CTI).

W ostatnich tygodniach zespół CERT Polska obserwuje wzmożoną kampanię ataków z użyciem szkodliwego oprogramowania Balada Injector, które infekuje strony oparte na WordPressie korzystając z podatności w niektórych popularnych wtyczkach.

W oprogramowaniu BMC Control-M wykryto 3 podatności różnego typu (od CVE-2024-1604 do CVE-2024-1606).