Language Selection

English French German Italian Portuguese Spanish

Security: G+, SSH, GAO, Flatpak, Telecommunications (Interception and Access) Act 'Extended', More on China's Alleged Supply Chain Attacks

Filed under
Security
  • Pete Zaitcev: Ding-dong, the witch is dead

    One thing that comes across very strongly is how reluctant people are to run their own infrastructure. For one thing, the danger of a devastating DDoS is absolutely real. And then you have to deal with spam. Those who do not have the experience also tend to over-estimate the amount of effort you have to put into running "dnf update" once in a while.

    Personally, I think that although of course it's annoying, the time wasted on the infra is not that great, or at least it wasn't for me. The spam can be kept under control with a minimal effort. Or, could be addressed in drastic ways. For example, my anime blog simply does not have comments at all. As far as DoS goes, yes, it's a lottery. But then the silo platform can easily die (like G+), or ban you. This actually happens a lot more than those hiding their heads in the sand like to admit. And you don't need to go as far as to admit to your support of President Trump in order to get banned. Anything can trigger it, and the same crazies that DoS you will also try to deplatform you.

  • (SSH) Keys to Unix Security

    Root accounts are the keys to powerful IT systems, the backbone of your entire infrastructure. They use privileged credentials to control shell access, file transfers, or batch jobs that communicate with other computers or apps, often accessed remotely, with local configuration. They can be the trickiest of all types of privileged accounts to secure, particularly if they are based on Unix or Linux.

  • Cyber Tests Showed 'Nearly All' New Pentagon Weapons Vulnerable To Attack, GAO Says [iophk: "Windows TCO"]

    Still, the tests cited in the report found "widespread examples of weaknesses in each of the four security objectives that cybersecurity tests normally examine: protect, detect, respond, and recover."

    [...]

    In several instances, simply scanning the weapons' computer systems caused parts of them to shut down.

    [...]

    When problems were identified, they were often left unresolved. The GAO cites a test report in which only one of 20 vulnerabilities that were previously found had been addressed. When asked why all of the problems had not been fixed, "program officials said they had identified a solution, but for some reason it had not been implemented. They attributed it to contractor error," the GAO says.

  • Flatpak - a security nightmare

    Let's hope not! Sadly, it's obvious Red Hat developers working on flatpak do not care about security, yet the self-proclaimed goal is to replace desktop application distribution - a cornerstone of linux security.

    And it's not only about these security problems. Running KDE apps in fakepak? Forget about desktop integration (not even font size). Need to input Chinese/Japanese/Korean characters? Forget about that too - fcitx has been broken since flatpak 1.0, never fixed since.

    The way we package and distribute desktop applications on Linux surely needs to be rethinked, sadly flatpak is introducing more problems than it is solving.

  • Encryption bill will hit family violence victims: claim

    In a submission to the public consolation on the draft bill, Carolyn Worth, the manager of SECASA, said the broadening of the Telecommunications (Interception and Access) Act 1979 was unwarranted and would be detrimental to all citizens, especially those with a background of family violence and/or sexual assault.

    The period for public comment on the bill, which is officially known as the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, ended on 10 September after the draft was released on 14 August.

  • Bloomberg says big US telco hit by hardware tampering

    Apparently undeterred by strong criticism of a supply chain attack story it published last week, Bloomberg has put out another yarn, dealing with a similar theme, this time about a "major US telecommunications company" that allegedly encountered doctored hardware made by the US company Supermicro Computer.

  • RiskIQ Detects and Mitigates New Magecart Supply Chain Attack

    "If you own an e-commerce company, it's best to remove the third-party code from your checkout pages whenever possible," said Yonathan Klijnsma, Head Researcher at RiskIQ. "Many payment service providers have already taken this approach by prohibiting third-party code from running on pages where customers enter their payment information."

New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom

  • New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom

    Three security experts who have analyzed foreign hardware implants for the U.S. Department of Defense confirmed that the way Sepio's software detected the implant is sound. One of the few ways to identify suspicious hardware is by looking at the lowest levels of network traffic. Those include not only normal network transmissions, but also analog signals -- such as power consumption -- that can indicate the presence of a covert piece of hardware.

  • Security updates for Wednesday

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

Introducing GNOME Usage’s Storage panel

GNOME Usage is a new GNOME application to visualize system resources such as memory consumption and disk space. It has been developed by Petr Stetka, a high school intern in our Red Hat office in Brno. Petr is an outstanding coder for such a young fellow and has done a great job with Usage! Usage is powered by libgtop, the same library used by GNOME System Monitor. One is not a replacement for the other, they complement our user experience by offering two different use cases: Usage is for the everyday user that wants to check which application is eating their resources, and System Monitor is for the expert that knows a bit of operating system internals and wants more technical information being displayed. Besides, Usage has a bit of Baobab too. It contains a Storage panel that allows for a quick analysis of disk space. Read more

Android Leftovers

4 open source Android apps for writers

While I'm of two minds when it comes to smartphones and tablets, I have to admit they can be useful. Not just for keeping in touch with people or using the web but also to do some work when I'm away from my computer. For me, that work is writing—articles, blog posts, essays for my weekly letter, e-book chapters, and more. I've tried many (probably too many!) writing apps for Android over the years. Some of them were good. Others fell flat. Here are four of my favorite open source Android apps for writers. You might find them as useful as I do. Read more

How a trip to China inspired Endless OS and teaching kids to hack

Last year, I decided to try out Endless OS, a lightweight, Linux-based operating system developed to power inexpensive computers for developing markets. I wrote about installing and setting it up. Endless OS is unique because it uses a read-only root file system managed by OSTree and Flatpak, but the Endless company is unique for its approach to education. Late last year, Endless announced the Hack, a $299 laptop manufactured by Asus that encourages kids to code, and most recently the company revealed The Third Terminal, a group of video games designed to get kids coding while they're having fun. Since I'm so involved in teaching kids to code, I wanted to learn more about Endless Studios, the company behind Endless OS, The Third Terminal, The Endless Mission, a sandbox-style game created in partnership with E-Line Media, and other ventures targeted at expanding digital literacy and agency among children around the world. I reached out to Matt Dalio, Endless' founder, CEO, and chief of product and founder of the China Care Foundation, to ask about Endless and his charitable work supporting orphaned children with special needs in China. Read more