LWN.net

Arch Linux has updated chromium (information disclosure).Debian has updated cyrus-sasl2(denial of service from 2013).Debian-LTS has updated eglibc(multiple vulnerabilities) and nss (two vulnerabilities).Fedora has updated firefox (F22:multiple vulnerabilities), pdns (F22; F21:denial of service), rolekit (F22: information leak), xen (F22; F21: two vulnerabilities), and xpra (F22; F21: information disclosure).Mageia has updated pixman (MG5:buffer overflow), rpcbind (MG5: denial ofservice), and unzip (MG5: two vulnerabilities).SUSE has updated Xen (SLES10SP4: multiple vulnerabilities).Ubuntu has updated NVIDIA graphicsdrivers (15.04, 14.04, 12.04: privilege escalation) and simplestreams (15.04, 14.04: regression inprevious update).

The 4.3-rc3 prepatch is out."So as usual, rc3 is actually bigger than rc2 (fixes are starting totrickle in), but nothing particularly alarming stands out.Everything looks normal: the bulk is drivers (all over, but gpu andnetworking are the biggest parts) and architecture updates. There'salso networking and filesystem updates, along with documentation."

Earlier this week, pump.io creator Evan Prodromou announcedthat, due to budget and time pressures, he was looking to move pump.iointo a community-governed project structure. "Ideally, what I'dlike to do is transfer the copyrights, domains and data to anon-profit that could collect donations to keep the serversrunning. Budget-wise, it's about $5K/year, including servers, domainregistration, and SSL certs. It'd also be great if some of the peoplewho have been sending in pull requests could start working on thesoftware directly. There are a lot of PRs backed up."Subsequently, interested community members met to hash out a plan, andhave now reportedtheir plans. Pump.io will apply to be a member project of theSoftware Freedom Conservancy, and Prodromou has started grantingadministrative and commit privileges to several other developers. Itis not yet clear how maintenance for Prodromou's current crop ofpump.io servers will be handled, but the community does appear to becoalescing into a more active project.

Arch Linux has updated rpcbind (denial of service).Debian has updated wireshark(multiple vulnerabilities).Debian-LTS has updated cups(code execution).Fedora has updated php-ZendFramework2 (F22; F21:code execution)and wordpress (F22; F21: multiple vulnerabilities).Gentoo has updated adobe-flash (multiple vulnerabilities), cacti (multiple vulnerabilities), curl (multiple vulnerabilities), git (code execution), libtasn1 (multiple vulnerabilities), networkmanager (denial of service), and ntp (multiple vulnerabilities).openSUSE has updated mysql-community-server (13.1, 13.2: multiple vulnerabilities) and php5 (13.1, 13.2: multiple vulnerabilities).Red Hat has updated firefox(RHEL 5, 6, 7: multiple vulnerabilities).SUSE has updated php5(SLE12: multiple vulnerabilities).Ubuntu has updated qemu,qemu-kvm (12.04, 14.04, 15.04: multiple vulnerabilities), simplestreams (14.04, 15.04: denial of service),and unity-firefox-extension,webapps-greasemonkey, webaccounts-browser-extension (12.04, 14.04, 15.04: denial of service).

The Electronic Frontier Foundation (EFF) Deeplinks blog has an almost amusing account of a patent holder trying to define "integer" as a whole number greater than one. It seems that this strategy is likely to fail, but there is, of course, a cost associated with refuting such a ridiculous definition. "To be clear: the law allows patent applicants to redefine words if they want. But the law also says they have to be clear that they are doing that (and in any event, they shouldn't be able to do it years after the patent issues, in the middle of litigation). In Core Wireless' patent, there is no indication that it used the word "integer" to mean anything other than what we all learn in high school. (Importantly, the word "integer" doesn’t appear in the patent anywhere other than in the claims.)It appears that Core Wireless is attempting to redefine a word—a word the patent applicant freely chose—because presumably otherwise its lawsuit will fail."

Debian has updated iceweasel (multiple vulnerabilities)and rpcbind (denial of service).Fedora has updated bind99 (F22:two denial of service flaws), groovy (F22:code execution), libvdpau (F22: threevulnerabilities), and libvpx (F22: denialof service).Mageia has updated firefox (M5:multiple vulnerabilities), moodle (M5: multiple vulnerabilities), and shutter (M5: code execution).openSUSE has updated cyrus-imapd (13.1; 13.2:largely unspecified).Ubuntu has updated apport(privilege escalation).

The LWN.net Weekly Edition for September 24, 2015 is available.

The GNOME Project has announced the release of GNOME 3.18. "Thisrelease brings significant improvements to many of our core applications, from better Google Drive integration in Files to a listview in Boxes to firmware updates in Software, and several entirelynew applications: Calendar, Characters, Todo.Improvements to our platform include automatic screen brightnesshandling and improved typography." See the release notesfor details.

Arch Linux has updated firefox (multiple vulnerabilities).CentOS has updated firefox (C7; C6; C5: multiple vulnerabilities) and qemu-kvm (C6: information leak).Fedora has updated kernel (F21:privilege escalation) and unzip (F22: two vulnerabilities).openSUSE has updated flash-player(13.2, 13.1: multiple vulnerabilities).Oracle has updated firefox (OL7; OL6; OL5: multiple vulnerabilities) and qemu-kvm (OL6: information leak).Red Hat has updated firefox(RHEL5,6,7: multiple vulnerabilities) and qemu-kvm (RHEL6: information leak).Scientific Linux has updated firefox (SL5,6,7: multiple vulnerabilities)and qemu-kvm (SL6: information leak).Slackware has updated firefox (multiple vulnerabilities).SUSE has updated flash-player (SLE12; SLED11SP3,4: multiple vulnerabilities) and kernel (SLE11SP3: multiple vulnerabilities).Ubuntu has updated firefox(15.04, 14.04, 12.04: multiple vulnerabilities) and ubufox (15.04, 14.04, 12.04: multiple vulnerabilities).

The release of Firefox 41 has been announced."This release includes minor updates to personalize your FirefoxAccount and adds a new functionality to Firefox Hello Beta." The releasenotes contain more information.

In September 2014 a serious securityvulnerability that became known as Shellshock was found in Bash, whichis the default shell in most Linux distributions. But it quickly turned outthat the initial fix for Shellshock was incomplete. Various other relatedbugs were found only days after the publication, amongst them twosevere vulnerabilities discovered by Michał Zalewski from the Googlesecurity team. In the blog post, Zalewski mentioned that he had found thesebugs with a fuzzing tool that he wrote, which almost nobody knew back then: american fuzzy lop (afl).Subscribers can click below for the full article by guest author Hanno Böck.

Fedora 23 beta has been released. "Fedora 23 includes a number ofchanges that will improve all of the editions. For example, Fedora 23 makes use of compiler flags toimprove security by "hardening" the binaries against memorycorruption vulnerabilities, buffer overflows, and so on. This is a"behind the scenes" change that most users won't notice throughnormal use of a Fedora edition, but will help provide additionalsystem security." The final release is scheduled for late October.Fedora 23 beta is also available forAARCH64 and POWER architectures.

Arch Linux has updated flashplugin (multiple vulnerabilities).Debian has updated kernel (multiple vulnerabilities).Debian-LTS has updated linux-2.6 (multiple vulnerabilities).Fedora has updated icedtea-web(F21: applet execution).Mageia has updated flash-player-plugin (MG5: multiple vulnerabilities).openSUSE has updated bind (13.2,13.1: denial of service), criu (13.2: twovulnerabilities), icedtea-web (13.2, 13.1:multiple vulnerabilities), libgcrypt (13.2,13.1: information disclosure), and python-django (13.1: multiple vulnerabilities).Red Hat has updated flash-plugin(RHEL5,6: multiple vulnerabilities).SUSE has updated kernel(SLE11SP3: multiple vulnerabilities).

The4.2.1,4.1.8,3.14.53, and3.10.89stable kernel updates have been release. Each contains a relatively largeset of important fixes.

As the introduction to Tom Herbert's kernelconnection multiplexer (KCM) patch set notes, TCP is often used formessage-oriented communication protocols even though, as a streamingtransport, it has no native support for message-oriented communications.KCM is an effort to make it easier to send and receive messages over TCPwhich adds a couple of other interesting features as well.Click below (subscribers only) for the full story from this week's KernelPage.

The Free Software Foundation Europe and Open Invention Network, with theparticipation of the Legal Network and the Asian Legal Network, arepresentingtwo round table events with presentations and panel discussion ofindustry and community speakers, titled "Open Source and Software PatentNon-Aggression, European Context". The events will be held in Berlin,Germany on October 21 and in Warsaw, Poland on October 22.

Arch Linux has updated wordpress (multiple vulnerabilities).Debian has updated owncloud-client (man-in-the-middle attack), qemu (multiple vulnerabilities), and qemu-kvm (multiple vulnerabilities).Debian-LTS has updated libtorrent-rasterbar (code execution) and rpcbind (denial of service).Fedora has updated icedtea-web(F22: multiple vulnerabilities), pcs (F22; F21:privilege escalation), php-pecl-zip (F22; F21:directory traversal), and qemu (F22: code execution).Mageia has updated owncloud (MG5:multiple vulnerabilities).openSUSE has updated Chromium(13.2, 13.1: multiple vulnerabilities), python-Django (13.2: denial of service), andremind (13.2, 13.1: buffer overflow).SUSE has updated openssh(SLE11SP3: multiple vulnerabilities).

The second 4.3 prepatch is now availablefor testing. "As has beenthe trend for a while now, rc2 tends to be reasonably small, probablybecause it takes a while for regression reports to start trickling in(and some people probably actively wait for rc2 to even start testing- you scaredy-cats, you)."

Version 2.3.0 of the GeoClue geolocation service has beenreleased. The most notable change in this update is support for sharingand accessing GPS devices over a network connection. Aproof-of-concept implementation of this feature is available in theGeoclue Shareapp for Android, which lets users relay GPS data from their device toa GNOME desktop system. Other new features include support fordigital compasses and updated documentation.

Fedora has updated ipython (F22; F21:cross-site scripting).Mageia has updated icedtea-web (M5: multiple vulnerabilities) and wordpress (M4: multiple vulnerabilities).openSUSE has updated sblim-sfcb (13.1, 13.2: denial of service).

Version 1.3 of the Rust language has been released.The announcement listed API stabilization and increased performance work asthe most notable changes. Specifically, there is a newsubstring-matching algorithm, a faster zero-filling methodfor initializing and resizing vectors, and speed-ups to theRead::read_to_end function. The releasenotes provide more detail. Also new in this release is the firstedition of a new Rust programming guide, the Rustinomicon.

Fedora has updated vorbis-tools (F22: denial of service).Mageia has updated ganglia-web (M4, M5: authentication bypass).openSUSE has updated spice(13.2: code execution).Oracle has updated kernel (O7; O6:multiple vulnerabilities).Red Hat has updated rubygem-openshift-origin-console(RHOSE2.2: code execution).Ubuntu has updated icu(12.04, 14.04, 15.04: multiple vulnerabilities),openldap (12.04, 14.04, 15.04: multiple vulnerabilities), and unity-settings-daemon (14.04, 15.04:lock-screen bypass).

Bryce Harrington writes about thecurrent and future state of Wayland. "A lot of people areanticipating Wayland on their desktops. For now, we remain in a holdingpattern while the DE developers roll out their Wayland support, but some ofthese efforts are reasonably mature enough now. The question starts tobecome whether there is an adequate ecosystem of Wayland enabled clientapplications. For things that can’t simply be moved to Wayland, thequestion is if Xwayland will be up to snuff. Exploring this space will takesome pioneering spirits."

The LWN.net Weekly Edition for September 17, 2015 is available.

Debian's decision to move to systemd as the default init system wasa famously contentious (and rather public) debate. Once all the chaosregarding the decision itself had died down, however, it was left toproject members to implement the change. At DebConf 2015 inHeidelberg, Martin Pitt and Michael Biebl gave a down-to-earth talkabout how that implementation work had gone and what was still ahead.

Last week we reported that the KiltonPublic Library in Lebanon, New Hampshire suspended its Tor node deploymentdue to criticism by the local police department. Ars Technica nowreportsthat the Tor relay has been restored. "As Ars reported earlier, the goal of the Library Freedom Project is to set up Tor exit relays in as many of these ubiquitous public institutions as possible. As of now, only about 1,000 exit relays exist worldwide. If this plan is successful, it could vastly increase the scope and speed of the famed anonymizing network. For now, Kilton has a middle relay but has plans to convert it to an exit relay. A middle relay passes traffic to another relay before departing the Tor network on the exit relay."

There are various types of random number generators (RNGs) that targetdifferent use cases, but a programming language can only have one default.For high-security random numbers (e.g. cryptographic keys and the like), itis a grievous error to use the wrong kind of RNG, while other use cases aretypically more forgiving. The Python community is in the middle of adebate about how it should be handling random numbers within the language'sstandard library.<p>Click below (subscribers only) for the full report.

CentOS has updated kernel (C7:multiple vulnerabilities).Debian has updated icu (denial of service).Fedora has updated moodle (F22; F21: multiple vulnerabilities).Oracle has updated kernel (OL7:multiple vulnerabilities) and qemu-kvm(OL7: information leak).Red Hat has updated kernel(RHEL7: multiple vulnerabilities), kernel-rt (RHEL7; RHEMRG:multiple vulnerabilities), and qemu-kvm(RHEL7: information leak).Scientific Linux has updated kernel (SL7: multiple vulnerabilities) and qemu-kvm (SL7: information leak).

A bit far afield, perhaps, but Lawrence Lessig is the co-founder ofCreative Commons and a proponent of reduced legal restrictions on copyrightand trademark. Ars Technica talkswith Lawrence about his bid for the US presidency."Ars: Does your copyleft past help or hurt your presidential bid?Lessig: Whatever you call it, I have the right position on copyright—namely, that it is essential, but needs to be updated to the digital age. If people want to challenge that position, then I’d have to make fair use of the words of Harry Callahan: “Go ahead, make my day.”"

Debian-LTS has updated openldap (denial of service).Fedora has updated php (F22; F21: multiple vulnerabilities), php-doctrine-annotations (F22; F21: privilege escalation), php-doctrine-cache (F22; F21: privilege escalation), and php-doctrine-doctrine-bundle (F22; F21: privilege escalation).Mageia has updated ipython(MG4,5: cross-site scripting), openldap(MG4,5: denial of service), php-ZendFramework (MG5; MG4: XMLexternal entity attack), qemu (MG5;MG4: multiple vulnerabilities), and spice (MG4,5: code execution).

The Linux Plumbers Android microconference was held in Seattle on August20th. It included discussions of a variety of topics, many of whichneed to be coordinated within the Android ecosystem. The microconferencewas split up into two separate sessions; this summary covers the secondsession, which was held for three hours in the evening. Topics were toyboxin Android, improving AOSP vendor trees, providing per-task quality ofservice, and improving big.LITTLE on Android.

Arch Linux has updated icedtea-web (applet execution), libvdpau lib32-libvdpau (multiple vulnerabilities), and openldap (denial of service).Debian has updated openldap (denial of service), php5 (multiple vulnerabilities), virtualbox (unspecified vulnerability), and vzctl (insecure ploop-based containers).Fedora has updated kernel (F22: privilege escalation), pcre (F22; F21: code execution), and phpMyAdmin (F22; F21: guessable user credentials).Mageia has updated conntrack-tools (MG4,5: denial of service), freetype2 (MG4: denial of service), gnupg (MG4: two vulnerabilities), libgcrypt (MG4: information leak), libvdpau (MG4,5: multiple vulnerabilities), mariadb (MG4,5: unspecified vulnerabilities),php (MG4: multiple vulnerabilities), phpmyadmin (MG4,5: guessable usercredentials), and xfsprogs (MG5: information disclosure).Red Hat has updated qemu-kvm-rhev(RHEL OSP5,6,7: code execution).

The 4.1.7,3.14.52, and3.10.88stable kernel updates have been released. Each contains the usualcollection of important fixes.

The Python 3.5.0 release is out. "Python 3.5.0 is the newest version of the Python language, and it contains many exciting new features and optimizations." See the what's newpage and this LWN article for detailson the new features in this release.

Linus has released 4.3-rc1 and closed the4.3 merge window one day ahead of the usual schedule. "I decidedthat I'm not interested in catering to anything that comes in tomorrow, andI might as well just close the merge window and do the -rc1release." In the end, 10,756 non-merge changesets were pulledduring this merge window.

The Electronic Frontier Foundation (EFF) is running a storyon its DeepLinks blog that the Kilton Public Library in Lebanon, NewHampshire has suspended its Tor node deployment—at leasttemporarily—due to criticism by the local police department (wecovered the launch of the Kiltonlibrary's Tor node in August). The EFF post says that the criticismoriginated when "a regionalDepartment of Homeland Security office contacted the local policeto spread fear, uncertainty, and doubt about Tor. The police got intouch with the library board, who suspended the program until theycould vote on it on September 15." The EFF has set up a pageat which interested parties can sign a petition showing support forthe library, and has written its own letter of support to the Lebanonlibrary board. The Library Freedom Project, which is handling thedetails of running Kilton's Tor node, has also writtenabout the incident and promises further updates after the libraryboard meeting.

Debian-LTS has updated libvdpau (multiple vulnerabilities).Fedora has updated onionshare (F21; F22:denial of service).openSUSE has updated libvdpau (13.1, 13.2: multiplevulnerabilities) and squid (13.1,13.2: certificate validation bypass).Red Hat has updated libunwind (RHEL7 OSP; RHEL6 OSP: buffer overflow)and python-django (RHEL7 OSP; RHEL6 OSP: multiple vulnerabilities).SUSE has updated MozillaFirefox,mozilla-nss (SLE11: multiple vulnerabilities).Ubuntu has updated freetype(12.04, 14.04, 15.04: multiple vulnerabilities).

The OpenWrt 15.05 release is out. This release includes a number of newfeatures, including improved package signing, support for hardened buildsand jails, a lot of new hardware support, and much more. (See also: LWN's review of the 15.05 release from July).

The LWN.net Weekly Edition for September 11, 2015 is available.

On his blog, QEMU developer Amit Shah gathered up information on the recent QEMU 2.4 release from the maintainers. It takes the form of a video made at KVM Forum, as well as some email comments from those who were not present. "Many contributors to the QEMU and KVM projects meet at the annual KVM Forum conference to talk about new features, new developments, what changed since the last conference, etc.The QEMU project released version 2.4 just a week before the 2015 edition of KVM Forum. I thought that was a good opportunity to gather a few developers and maintainers, and get them on video where we can see them speak about the improvements they made in the 2.4 release, and what we can expect in the 2.5 release."

Debian has updated libvdpau(three vulnerabilities).Debian-LTS has updated bind9(denial of service).Fedora has updated bind (F22:denial of service).SUSE has updated qemu (SLE12: twovulnerabilities).

Some languages pride themselves on providing many ways to accomplish anygiven task. Python, instead, tends to focus on providing a single solutionto most problems. There are exceptions, though; the creation of formattedstrings would appear to be one of them. Despite the fact that there are(at least) three mechanisms available now, Python's developers have justadopted a plan to add a fourth. With luck, this new formatting mechanism (slated for Python 3.6) willimprove the traditionally cumbersome string-formatting facilities availablein Python.

Opensource.com takesa look at the AXIOM Beta camera, a new professional digital imagecapturing platform. "The goal of the AXIOM camera, and theglobal-community-driven apertus° project, is to create a variety ofpowerful, affordable, open source licensed and sustainable digital cinematools. The apertus° project was started by filmmakers who felt limited bythe available proprietary tools. AXIOM Beta will provide full and opendocumentation, the ability to add new features and change the behavior ofexisting features, and the option to add custom accessories." AXIOMBeta is intended primarily for software and hardware developers.

CentOS has updated haproxy (C7; C6:information leak) and subversion (C7: multiple vulnerabilities).Debian has updated spice (code execution).Mageia has updated chromium-browser (MG4,5: multiplevulnerabilities), libidn (MG5: informationdisclosure), libxml2 (MG4,5: denial ofservice), ntp (MG4,5: multiplevulnerabilities), pcre (MG4,5: multiplevulnerabilities), php (MG5: multiplevulnerabilities), pure-ftpd (MG4,5: denialof service), ruby-rack (MG4,5: denial ofservice), ruby-RubyGems (MG4,5: DNShijacking), screen (MG4,5: denial ofservice), squid (MG5: security bypass), struts (MG4,5: input validation bypass), util-linux (MG5: file name collision), vorbis-tools (MG4,5: buffer overread), webmin (MG4,5: cross-site scripting), and xmltooling (MG4,5: denial of service).Oracle has updated haproxy (OL7:information leak) and subversion (OL7: multiple vulnerabilities).Scientific Linux has updated haproxy (SL6,7: information leak) and subversion (SL7: multiple vulnerabilities).Ubuntu has updated kernel (15.04:privilege escalation), linux-lts-vivid(14.04: privilege escalation), and oxide-qt(15.04, 14.04: multiple vulnerabilities).

Samba 4.3.0 is out. This release has a lot of new features, including areworked logging system, a new FileChangeNotify subsystem, better trusteddomains support, SMB 3.1.1 support, and more.

Jono Bacon interviewsJohn Sullivan, executive director of the FSF, at Opensource.com."What we have been focusing on now are the challenges I highlighted in the first question. We are in desperate need of hardware in several different areas that fully supports free software. We have been talking a lot at the FSF about what we can do to address this, and I expect us to be making some significant moves to both increase our support for some of the projects already out there—as we having been doing to some extent through our Respects Your Freedom certification program—and possibly to launch some projects of our own. The same goes for the network service problem. I think we need to tackle them together, because having full control over the mobile components has great potential for changing how we relate to services, and decentralizing more and more services will in turn shape the mobile components."

The Linux Plumbers Android microconference was held in Seattle on August20th and looked at a number of topics needingcoordination between various players in the Android ecosystem. It was splitup into two separate sessions; this summary covers thefirst three-hour session.Topics covered the state of the staging tree, USB gadgets and ConfigFS,running mainline on consumer devices, partitions and customization, asingle binary image for multiple devices, Project Ara, and kdbus.<p>Click below (subscribers only) for the full report from LPC 2015.

Arch Linux has updated powerdns (denial of service).Debian has updated openslp-dfsg (denial of service).Debian-LTS has updated php5 (multiple vulnerabilities) and screen (denial of service).Fedora has updated drupal6 (F22; F21:multiple vulnerabilities), drupal6-ctools (F22; F21:multiple vulnerabilities), drupal6-views_bulk_operations (F22; F21:access bypass), drupal7 (F22; F21: multiple vulnerabilities),gdk-pixbuf2 (F22; F21: code execution), mingw-gdk-pixbuf(F22; F21:code execution), and php-twig (F21: code execution).Mageia has updated bind (MG4,5:denial of service), freeimage (MG4,5:integer overflow), hplip (MG4,5:man-in-the-middle attack), iceape (MG4,5:multiple vulnerabilities), jsoup (MG5:cross-site scripting), lighttpd (MG4,5: loginjection), openafs (MG4,5: multiplevulnerabilities), and squashfs-tools(MG4,5: two vulnerabilities).openSUSE has updated gdk-pixbuf(13.2: code execution), gnutls (13.2, 13.1:denial of service), net-snmp (13.2, 13.1:code execution), perl-XML-LibXML (13.2,13.1: information disclosure), libgcrypt(13.2, 13.1: two vulnerabilities), and tor(13.2, 13.1: respect SafeLogging).Red Hat has updated haproxy(RHEL6,7: information leak) and subversion(RHEL7: multiple vulnerabilities).SUSE has updated bind (SLE11SP1:denial of service), firefox (SLE11SP2,SP1:two vulnerabilities), and java-1_6_0-ibm(SLE11SP3,SP2,SP1: multiple vulnerabilities).Ubuntu has updated spice (15.04,14.04: code execution).

It's time to figure out who will be organizing the Linux PlumbersConference in 2016, which is planned to be held in Santa Fe, New Mexico, atthe beginning of November, alongside the Kernel Summit. Interestedorganizers should put together a bid and submit it to the LinuxFoundation's Technical Advisory Board by October 5; see this page for details onhow the process works. "This is your chance to putyour stamp on one of our community's most important gatherings in ayear when we will be celebrating 25 years of the Linux kernel."

The Mozilla blog has disclosedthat the official Mozilla instance of Bugzilla was recentlycompromised by an attacker who stole "security-sensitiveinformation" related to unannounced vulnerabilities inFirefox—in particular, the PDFViewer exploit discovered on August 5. The blog post explains thatMozilla has now taken several steps to reduce the risk of futureattacks using Bugzilla as a stepping stone. "As an immediatefirst step, all users with access to security-sensitive informationhave been required to change their passwords and use two-factorauthentication. We are reducing the number of users with privilegedaccess and limiting what each privileged user can do. In other words,we are making it harder for an attacker to break in, providing feweropportunities to break in, and reducing the amount of information anattacker can get by breaking in."