Security: Certificates, Spectre, Switzerland and Dark Overlord

• Cyber-Mercenary Groups Shouldn't be Trusted in Your Browser or Anywhere Else

  Browsers rely on this list of authorities, which are trusted to verify and issue the certificates that allow for secure browsing, using technologies like TLS and HTTPS. Certificate Authorities are the basis of HTTPS, but they are also its greatest weakness. Any of the dozens of certificate authorities trusted by your browser could secretly issue a fraudulent certificate for any website (such as google.com or eff.org.) A certificate authority (or other organization, such as a government spy agency,) could then use the fraudulent certificate to spy on your communications with that site, even if it is encrypted with HTTPS. Certificate Transparency can mitigate some of the risk by requiring public logging of all issued certificates, but is not a panacea.

• This is bad: the UAE's favorite sleazeball cybermercenaries have applied for permission to break Mozilla's web encryption

  Now Darkmatter has applied to Mozilla to become a "Certificate Authority," which means they'd get the ability to produce cryptographically signed certificates that were trusted by default by Firefox and its derivatives, giving them the power to produce cyberweapons that could break virtually any encrypted web session (though Certificate Transparency might expose them if they're careless about it).

  And since Moz's root of trust is used to secure Linux updates, this could affect literally billions of operating systems.

• Spectre is here to stay: An analysis of side-channels and speculative execution

  As a result of our work, we now believe that speculative vulnerabilities on today's hardware defeat all language-enforced confidentiality with no known comprehensive software mitigations, as we have discovered that untrusted code can construct a universal read gadget to read all memory in the same address space through side-channels.

• Experts Find Serious Problems With Switzerland's Online Voting System Before Public Penetration Test Even Begins

  The public penetration test doesn’t begin until next week, but experts who examined leaked code for the Swiss internet voting system say it’s poorly designed and makes it difficult to audit the code for security and configure it to operate securely.

• A Decryption Key for Law Firm Emails in Hacked 9/11 Files Has Been Released

  The release of the files was part of an extortion scheme against The Dark Overlord’s hacking victims, and followed the group’s established technique of stealing information and then approaching media outlets with the files in an attempt to exert further pressure on the group’s targets. The Dark Overlord also distributed a set of encrypted folders, ready to be unlocked at a later date, and which they claimed contained more 9/11-linked material.

  Now, around two months after the first data dump, someone has released another encryption key for the third layer of stolen material, which appears to contain thousands of emails, at least some of which are between different law firms.

Today in Techrights

• Bristows is Still Hoping to ‘Overthrow’ the Courts and Throw Out Ingve Stjerna’s Complaint (About the Likes of Bristows)
• Video: Alexandre Benalla Speaks About His Relationship With Battistelli
• Hallmark of Corruption: Benalla and Fellow Thugs Paid Roughly the Same Salary as Battistelli (Each!) and There’s a New Chinese Contract Worth €7.2 Million
• EPO Insider Video: Nouvel an Architectural Hazard, Not Just a Fire Hazard
• Links 23/2/2019: GNU/Linux Server Domination and GCC 8.3 is Out

today's leftovers

• Postgresql major version upgrade (gentoo)

  Just did an upgrade from postgres 10.x to 11.x on a test machine.. The guide on the Gentoo Wiki is pretty good, but a few things I forgot at first: First off when initializing the new cluster with "emerge --config =dev-db/postgresql-11.1" making sure the DB init options are the same as the old cluster. They are stored in /etc/conf.d/postgresql-XX.Y so just make sure PG_INITDB_OPTS collation ,.. match - if not delete the new cluster and re-run emerge --config ;)

• Redis Labs Looks to Grow Database Technology for Next Generation Applications

  Despite some open source licensing issues, Redis is moving forward. Database technology provides a foundational role in modern applications, and one of the emerging database technologies of the last few years has been Redis.

• Mozilla Open Innovation Team: Sustainable tech development needs local solutions: Voice tech ideation in Kigali

  Developers, researchers and startups around the globe working on voice-recognition technology face one problem alike: A lack of freely available voice data in their respective language to train AI-powered Speech-to-Text engines. Although machine-learning algorithms like Mozilla’s Deep Speech are in the public domain, training data is limited. Most of the voice data used by large corporations is not available to the majority of people, expensive to obtain or simply non-existent for languages not globally spread. The innovative potential of this technology is widely untapped. In providing open datasets, we aim to take away the onerous tasks of collecting and annotating data, which eventually reduces one of the main barriers to voice-based technologies and makes front-runner innovations accessible to more entrepreneurs. This is one of the major drivers behind our project Common Voice. Common Voice is our crowdsourcing initiative and platform to collect and verify voice data and to make it publicly available. But to get more people involved from around the world and to speed up the process of getting to data sets large enough for training purposes, we rely on partners — like-minded commercial and non-commercial organizations with an interest to make technology available and useful to all.

• Mozilla B-Team: happy bmo push day!

• What if everything you know is wrong?

  In interesting intellectual design challenge is to take a working thing (library, architecture, etc) and then see what would happen if you would reimplement it with the exact opposite way. Not because you'd use the end result anywhere, but just to see if you can learn something new.

• Qt Roadmap for 2019

  It’s around this time of the year I sit down to write a blog post about our plans and roadmap for the coming year. Typically, some of the items have already been cooking for a while, but some are still plans in the making. If you want to look into the previous roadmap blog posts, here are the ones I wrote for 2016, 2017 and 2018. There is always more to tell than what would reasonably fit in a blog post, but I’ll try to talk about the most interesting items. Before diving any further into the new items planned for 2019, I would like to thank each and every Qt developer for their contribution. We have a great ecosystem with many contributors who have provided multiple extremely valuable contributions throughout the years and continue to shape Qt in the future, too. In addition to those contributing code, we also have many active people in the Qt Project forums, on mailing lists, as well as reviewing code and testing the Qt development releases.

• Qt Publishes A 2019 Public Roadmap: More Work On WebAssembly, Tooling

  The Qt Company has published a 2019 roadmap of sorts for areas they plan on focusing their resources this 2019 calendar year. Their 2019 roadmap doesn't come as a big surprise if considering the areas where they have been focusing a lot of attention recently. For instance, they'll work on maturing the Qt WebAssembly support that was recently introduced for offering Qt access within web browsers via this high-performance, sandbox-secured technology.