
Security: NotSoSecure, Security Keys, Reproducible Builds and Hyped Malware

Filed under
Security
  • Claranet Buys NotSoSecure

    Claranet, a managed service provider with services focused on western Europe and Brazil, has purchased NotSoSecure, a firm specializing in penetration testing and ethical hacker training.

    The purchase follows Claranet's 2017 acquisition of SEC-1, a security firm based in the United Kingdom. According to a Claranet statement announcing the purchase, the security acquisitions, together with the opening of a security operations center in Portugal, are part of the company's intention to increase their overall security services capabilities.

  • Firefox, Security Keys, U2F, and Google Advanced Protection

    Advanced Protection for Google Accounts uses a legacy web technology that is only partially supported in Firefox. Here is how you get started with physical security keys and extra protections for your Google Account in Firefox.

    [...]

    Before you can enroll in the Google Advanced Protection program, you must have at least two security keys at the ready. You can use the same keys for multiple Google Accounts, and even reuse the same keys with different U2F-enabled web services.

    You should keep a record of which of your keys are registered with which websites. If you lose a key or want to decommission one, you’ll need this record to know all the accounts you’ll need to update.

    You can use any FIDO U2F security keys as long as they’re compatible with your devices. Google recommends you get one regular key with USB as your backup token, and one mobile-capable key with wireless Bluetooth and NFC as the primary key you carry around with you. Specifically, Google recommends the YubiKey U2F (USB) and either the Feitian MultiPass (Bluetooth/NFC/USB) or YubiKey Neo (NFC/USB). Bluetooth is compatible with a wider range of devices, but the Bluetooth capability requires you to charge the key. NFC is less compatible with cheaper smartphones and other devices. However, neither NFC nor USB modes require you to charge the keys for them to operate.

  • Reproducible Builds: Weekly report #167
  • WellMess: This Go-based Malware Attacks Both Linux And Windows Machines [Ed: If the user actually needs to install it, then the threat is the user, not the program]

More in Tux Machines

FSFE Resignation and Parabola GNU/Linux-libre Needs Hardware

  • Daniel Pocock: Resigning as the FSFE Fellowship's representative
    I've recently sent the following email to fellows, I'm posting it here for the benefit of the wider community and also for any fellows who don't receive the email.
  • Parabola GNU/Linux-libre: Server loss
    However, that sponsorship has come to an end. We are alright for now; the server that 1984 Hosting is sponsoring us with is capable of covering our immediate needs. We are looking for a replacement server and are favoring a proprietor that is a "friend of freedom," if anyone in the community has a suggestion.

Red Hat: News and Financial Results

KDE and GNOME: Krita, Bionic and AppStream/AppData

  • Let’s Tally Some Votes!
    We’re about a week into the campaign, and almost 9000 euros along the path to bug fixing. So we decided to do some preliminary vote tallying! And share the results with you all, of course! On top is Papercuts, with 84 votes. Is that because it’s the default choice? Or because you are telling us that Krita is fine, it just needs to be that little bit smoother that makes all the difference? If the latter, we won’t disagree, and yesterday Boudewijn fixed one of the things that must have annoyed everyone who wanted to create a custom image: now the channel depths are finally shown in a logical order!
  • Almost Bionic
    Maybe it’s all the QA we added but issues kept cropping up with Bionic. All those people who had encrypted home folders in xenial soon found they had no files in bionic because support had been dropped so we had to add a quirk to keep access to the files. Even yesterday a badly applied patch to the installer broke installs on already partitioned disks which it turns out we didn’t do QA for so we had to rejig our tests as well as fix the problem. Things are turning pleasingly green now so we should be ready to launch our Bionic update early next week. Do give the ISO images one last test and help us out by upgrading any existing installs and reporting back. Hasta pronto.
  • Speeding up AppStream: mmap’ing XML using libxmlb
    AppStream and the related AppData are XML formats that have been adopted by thousands of upstream projects and are being used in about a dozen different client programs. The AppStream metadata shipped in Fedora is currently a huge 13Mb XML file, which with gzip compresses down to a more reasonable 3.6Mb. AppStream is awesome; it provides translations of lots of useful data into basically all languages and includes screenshots for almost everything. GNOME Software is built around AppStream, and we even use a slightly extended version of the same XML format to ship firmware update metadata from the LVFS to fwupd.

Security: Updates, NewEgg Breach, "Master Password" and CLIP OS

  • Security updates for Thursday
  • NewEgg cracked in breach, hosted card-stealing code within its own checkout

    The popular computer and electronics Web retailer NewEgg has apparently been hit by the same payment-data-stealing attackers who targeted TicketMaster UK and British Airways. The attackers, referred to by researchers as Magecart, managed to inject 15 lines of JavaScript into NewEgg's webstore checkout that forwarded credit card and other data to a server with a domain name that made it look like part of NewEgg's Web infrastructure. It appears that all Web transactions over the past month were affected by the breach.

  • "Master Password" Is A Password Manager Alternative That Doesn't Store Passwords
    Master Password is a different way of using passwords. Instead of the "know one password, save all others somewhere" way of managing passwords used by regular password managers, Master Password's approach is "know one password, generate all the others".
  • French cyber-security agency open-sources CLIP OS, a security hardened OS
    The National Cybersecurity Agency of France, also known as ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information), has open-sourced CLIP OS, an in-house operating system its engineers had developed to address the needs of the French government administration. In a press release, ANSSI described CLIP OS as a "Linux-based operating system [that] incorporates a set of security mechanisms that give it a very high level of resistance to malicious code and allow it to protect sensitive information."
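The "know one password, generate all the others" idea behind Master Password, shown as an added illustrative example rather than Master Password's own algorithm or code: a slow KDF turns the master password into a key, and each site password is then a pure function of that key, the site name and a counter, so nothing has to be stored and rotating one site's password only means bumping its counter. The scheme, the function names and the 64-character alphabet are assumptions made for this example.

```python
import hashlib
import hmac
import string

# Illustrative "generate, don't store" scheme (an assumption for this example;
# not the real Master Password algorithm).  Every output is a deterministic
# function of the master password, the user name, the site and a counter.

# 64 symbols, so mapping a byte with "% 64" has no modulo bias.
ALPHABET = string.ascii_letters + string.digits + "-_"
KDF_ITERATIONS = 200_000  # PBKDF2 work factor; tune upward for real use


def master_key(master_password: str, user_name: str) -> bytes:
    """Derive a 32-byte master key with a slow, salted KDF.

    The user name is the salt, so two people sharing a master password
    still get unrelated keys, and an attacker cannot precompute a table.
    """
    return hashlib.pbkdf2_hmac("sha256",
                               master_password.encode("utf-8"),
                               user_name.encode("utf-8"),
                               KDF_ITERATIONS, dklen=32)


def site_key(mkey: bytes, site: str, counter: int) -> bytes:
    """Per-site key: HMAC over a length-prefixed site name plus counter.

    Length-prefixing keeps ("example.com", 1) and a differently split
    string from ever producing the same HMAC input.
    """
    site_bytes = site.encode("utf-8")
    msg = (len(site_bytes).to_bytes(4, "big") + site_bytes
           + counter.to_bytes(4, "big"))
    return hmac.new(mkey, msg, hashlib.sha256).digest()


def site_password(mkey: bytes, site: str, counter: int = 1,
                  length: int = 16) -> str:
    """Map the site key onto printable characters.

    Changing `counter` rotates the password for that one site without
    affecting any other site; nothing is written to disk anywhere.
    """
    skey = site_key(mkey, site, counter)
    return "".join(ALPHABET[b % len(ALPHABET)] for b in skey[:length])


if __name__ == "__main__":
    mk = master_key("correct horse battery staple", "alice")  # constructed sample
    for site in ("github.com", "bank.example"):
        print(site, site_password(mk, site), site_password(mk, site, counter=2))
```

The trade-off the approach carries: every generated password is only as strong as the master password and the KDF cost, since there is no encrypted vault to steal but also nothing to revoke except by changing the master password or the counter.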