Security: G+, SSH, GAO, Flatpak, Telecommunications (Interception and Access) Act 'Extended', More on China's Alleged Supply Chain Attacks

Filed under
Security
  • Pete Zaitcev: Ding-dong, the witch is dead

    One thing that comes across very strongly is how reluctant people are to run their own infrastructure. For one thing, the danger of a devastating DDoS is absolutely real. And then you have to deal with spam. Those who do not have the experience also tend to over-estimate the amount of effort you have to put into running "dnf update" once in a while.

    Personally, I think that although of course it's annoying, the time wasted on the infra is not that great, or at least it wasn't for me. The spam can be kept under control with a minimal effort. Or, could be addressed in drastic ways. For example, my anime blog simply does not have comments at all. As far as DoS goes, yes, it's a lottery. But then the silo platform can easily die (like G+), or ban you. This actually happens a lot more than those hiding their heads in the sand like to admit. And you don't need to go as far as to admit to your support of President Trump in order to get banned. Anything can trigger it, and the same crazies that DoS you will also try to deplatform you.

  • (SSH) Keys to Unix Security

    Root accounts are the keys to powerful IT systems, the backbone of your entire infrastructure. They use privileged credentials to control shell access, file transfers, or batch jobs that communicate with other computers or apps, often accessed remotely, with local configuration. They can be the trickiest of all types of privileged accounts to secure, particularly if they are based on Unix or Linux.

  • Cyber Tests Showed 'Nearly All' New Pentagon Weapons Vulnerable To Attack, GAO Says [iophk: "Windows TCO"]

    Still, the tests cited in the report found "widespread examples of weaknesses in each of the four security objectives that cybersecurity tests normally examine: protect, detect, respond, and recover."

    [...]

    In several instances, simply scanning the weapons' computer systems caused parts of them to shut down.

    [...]

    When problems were identified, they were often left unresolved. The GAO cites a test report in which only one of 20 vulnerabilities that were previously found had been addressed. When asked why all of the problems had not been fixed, "program officials said they had identified a solution, but for some reason it had not been implemented. They attributed it to contractor error," the GAO says.

  • Flatpak - a security nightmare

    Let's hope not! Sadly, it's obvious Red Hat developers working on flatpak do not care about security, yet the self-proclaimed goal is to replace desktop application distribution - a cornerstone of linux security.

    And it's not only about these security problems. Running KDE apps in fakepak? Forget about desktop integration (not even font size). Need to input Chinese/Japanese/Korean characters? Forget about that too - fcitx has been broken since flatpak 1.0, never fixed since.

    The way we package and distribute desktop applications on Linux surely needs to be rethought; sadly, flatpak is introducing more problems than it is solving.

  • Encryption bill will hit family violence victims: claim

    In a submission to the public consultation on the draft bill, Carolyn Worth, the manager of SECASA, said the broadening of the Telecommunications (Interception and Access) Act 1979 was unwarranted and would be detrimental to all citizens, especially those with a background of family violence and/or sexual assault.

    The period for public comment on the bill, which is officially known as the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, ended on 10 September after the draft was released on 14 August.

  • Bloomberg says big US telco hit by hardware tampering

    Apparently undeterred by strong criticism of a supply chain attack story it published last week, Bloomberg has put out another yarn, dealing with a similar theme, this time about a "major US telecommunications company" that allegedly encountered doctored hardware made by the US company Supermicro Computer.

  • RiskIQ Detects and Mitigates New Magecart Supply Chain Attack

    "If you own an e-commerce company, it's best to remove the third-party code from your checkout pages whenever possible," said Yonathan Klijnsma, Head Researcher at RiskIQ. "Many payment service providers have already taken this approach by prohibiting third-party code from running on pages where customers enter their payment information."
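
    The RiskIQ advice above is to know which scripts actually run on a checkout page and remove the third-party ones. The following is an added example, not code from RiskIQ or the Magecart write-up: it parses a checkout page and classifies every script tag as first-party, third-party or inline, so a merchant can inventory what is loaded where card data is entered. The merchant hosts (shop.example, static.shop.example) and the sample HTML are constructed for the example; in practice the HTML would be fetched from the live checkout page.

```python
"""Inventory script origins on a checkout page (added example, stdlib only).

Assumptions: FIRST_PARTY_HOSTS lists the hypothetical hosts the merchant
controls; SAMPLE_CHECKOUT_HTML is a constructed stand-in for a real page.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical merchant-controlled hosts (constructed for the example).
FIRST_PARTY_HOSTS = {"shop.example", "static.shop.example"}

# Constructed sample: one first-party script, one third-party script with an
# integrity attribute, one inline script, and one relative (same-origin) script.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://static.shop.example/js/checkout.js"></script>
<script src="https://cdn.third-party.example/widget.js" integrity="sha384-placeholder"></script>
<script>trackPageView();</script>
<script src="/js/local-helper.js"></script>
</head><body>
<form id="payment"><input name="card"></form>
</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect the src and integrity attributes of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []  # one dict per <script> tag, in document order

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag names.
        if tag != "script":
            return
        attr = dict(attrs)
        self.scripts.append({"src": attr.get("src"),
                             "integrity": attr.get("integrity")})


def classify_scripts(html, first_party_hosts):
    """Return a list of {src, host, kind, sri} entries for each script tag.

    kind is "inline" (no src), "first-party" (relative URL or a host in
    first_party_hosts) or "third-party" (any other host, including
    protocol-relative //host/path sources).
    """
    parser = ScriptCollector()
    parser.feed(html)
    report = []
    for script in parser.scripts:
        src = script["src"]
        if src is None:
            host, kind = None, "inline"
        else:
            host = urlparse(src).hostname  # None for relative URLs
            if host is None or host in first_party_hosts:
                kind = "first-party"
            else:
                kind = "third-party"
        report.append({"src": src, "host": host, "kind": kind,
                       "sri": script["integrity"] is not None})
    return report


def third_party_sources(html, first_party_hosts):
    """The script URLs a merchant would review for removal from checkout."""
    return [entry["src"] for entry in classify_scripts(html, first_party_hosts)
            if entry["kind"] == "third-party"]


if __name__ == "__main__":
    for entry in classify_scripts(SAMPLE_CHECKOUT_HTML, FIRST_PARTY_HOSTS):
        print(entry)
    print("third-party:", third_party_sources(SAMPLE_CHECKOUT_HTML, FIRST_PARTY_HOSTS))
```

    Inline scripts are listed separately rather than treated as safe: an inline block on the checkout page is first-party by origin but still needs review, since it can load further code at runtime. The `sri` flag records whether an integrity attribute is present; it is reported, not relied on, because the passage's point is that code outside the merchant's control should not run on the payment page at all.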

  • New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom

    Three security experts who have analyzed foreign hardware implants for the U.S. Department of Defense confirmed that the way Sepio's software detected the implant is sound. One of the few ways to identify suspicious hardware is by looking at the lowest levels of network traffic. Those include not only normal network transmissions, but also analog signals -- such as power consumption -- that can indicate the presence of a covert piece of hardware.

  • Security updates for Wednesday
