Security: G+, SSH, GAO, Flatpak, Telecommunications (Interception and Access) Act 'Extended', More on China's Alleged Supply Chain Attacks

Filed under
Security
  • Pete Zaitcev: Ding-dong, the witch is dead

    One thing that comes across very strongly is how reluctant people are to run their own infrastructure. For one thing, the danger of a devastating DDoS is absolutely real. And then you have to deal with spam. Those who do not have the experience also tend to over-estimate the amount of effort you have to put into running "dnf update" once in a while.

    Personally, I think that although of course it's annoying, the time wasted on the infra is not that great, or at least it wasn't for me. The spam can be kept under control with a minimal effort. Or, could be addressed in drastic ways. For example, my anime blog simply does not have comments at all. As far as DoS goes, yes, it's a lottery. But then the silo platform can easily die (like G+), or ban you. This actually happens a lot more than those hiding their heads in the sand like to admit. And you don't need to go as far as to admit to your support of President Trump in order to get banned. Anything can trigger it, and the same crazies that DoS you will also try to deplatform you.

  • (SSH) Keys to Unix Security

    Root accounts are the keys to powerful IT systems, the backbone of your entire infrastructure. They use privileged credentials to control shell access, file transfers, or batch jobs that communicate with other computers or apps, often accessed remotely, with local configuration. They can be the trickiest of all types of privileged accounts to secure, particularly if they are based on Unix or Linux.

  • Cyber Tests Showed 'Nearly All' New Pentagon Weapons Vulnerable To Attack, GAO Says [iophk: "Windows TCO"]

    Still, the tests cited in the report found "widespread examples of weaknesses in each of the four security objectives that cybersecurity tests normally examine: protect, detect, respond, and recover."

    [...]

    In several instances, simply scanning the weapons' computer systems caused parts of them to shut down.

    [...]

    When problems were identified, they were often left unresolved. The GAO cites a test report in which only one of 20 vulnerabilities that were previously found had been addressed. When asked why all of the problems had not been fixed, "program officials said they had identified a solution, but for some reason it had not been implemented. They attributed it to contractor error," the GAO says.

  • Flatpak - a security nightmare

    Let's hope not! Sadly, it's obvious Red Hat developers working on flatpak do not care about security, yet the self-proclaimed goal is to replace desktop application distribution - a cornerstone of linux security.

    And it's not only about these security problems. Running KDE apps in fakepak? Forget about desktop integration (not even font size). Need to input Chinese/Japanese/Korean characters? Forget about that too - fcitx has been broken since flatpak 1.0, never fixed since.

    The way we package and distribute desktop applications on Linux surely needs to be rethought, sadly flatpak is introducing more problems than it is solving.

  • Encryption bill will hit family violence victims: claim

    In a submission to the public consultation on the draft bill, Carolyn Worth, the manager of SECASA, said the broadening of the Telecommunications (Interception and Access) Act 1979 was unwarranted and would be detrimental to all citizens, especially those with a background of family violence and/or sexual assault.

    The period for public comment on the bill, which is officially known as the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, ended on 10 September after the draft was released on 14 August.

  • Bloomberg says big US telco hit by hardware tampering

    Apparently undeterred by strong criticism of a supply chain attack story it published last week, Bloomberg has put out another yarn, dealing with a similar theme, this time about a "major US telecommunications company" that allegedly encountered doctored hardware made by the US company Supermicro Computer.

  • RiskIQ Detects and Mitigates New Magecart Supply Chain Attack

    "If you own an e-commerce company, it's best to remove the third-party code from your checkout pages whenever possible," said Yonathan Klijnsma, Head Researcher at RiskIQ. "Many payment service providers have already taken this approach by prohibiting third-party code from running on pages where customers enter their payment information."
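The advice quoted above has a concrete check behind it: enumerate every script a checkout page loads and flag those not served by the merchant or its payment provider. The following is an added example written for this roundup, not code from RiskIQ or any merchant; the sample page, the host `shop.example` and the provider host `js.example-psp.com` are constructed for illustration. It reports the third-party scripts the quote says to remove and builds the `script-src` directive that would make the browser refuse them.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page (illustrative, not any real merchant's markup).
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.example-psp.com/v3/"></script>
<script src="https://cdn.thirdparty-analytics.example/tag.js"></script>
<script>window.dataLayer = [];</script>
</head><body>
<form id="payment"><input name="cc"></form>
<script src="//widgets.chat-vendor.example/embed.js" async></script>
</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects external <script src=...> URLs and counts inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute values, in document order
        self.inline_count = 0   # inline blocks need nonces/hashes under a strict CSP

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self.inline_count += 1


def script_host(src, page_host):
    """Host a script src resolves to; relative and root-relative paths are first-party."""
    parsed = urlparse(src)            # also handles protocol-relative "//host/path"
    return (parsed.hostname or page_host).lower()


def third_party_scripts(html, page_host, allowed_hosts):
    """Return the script URLs on the page whose host is neither the merchant nor an allowed provider."""
    collector = ScriptCollector()
    collector.feed(html)
    allowed = {page_host.lower()} | {h.lower() for h in allowed_hosts}
    return [src for src in collector.external
            if script_host(src, page_host) not in allowed]


def checkout_csp(allowed_hosts):
    """Enforcement side: a script-src directive that permits only first-party and allowed provider hosts."""
    return "script-src 'self' " + " ".join(f"https://{h}" for h in allowed_hosts) + ";"


if __name__ == "__main__":
    flagged = third_party_scripts(SAMPLE_CHECKOUT_HTML, "shop.example", ["js.example-psp.com"])
    print("third-party scripts on checkout page:", flagged)
    print("Content-Security-Policy:", checkout_csp(["js.example-psp.com"]))
```

Run the audit against the rendered checkout page, not only the template, since tag managers inject scripts at runtime; once the list is clean, ship the directive as a `Content-Security-Policy` response header so a later injection is blocked rather than merely reported.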

  • New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom

    Three security experts who have analyzed foreign hardware implants for the U.S. Department of Defense confirmed that the way Sepio's software detected the implant is sound. One of the few ways to identify suspicious hardware is by looking at the lowest levels of network traffic. Those include not only normal network transmissions, but also analog signals -- such as power consumption -- that can indicate the presence of a covert piece of hardware.
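The story says one of the few ways to spot covert hardware is to watch the lowest levels of network traffic. One simple form of that, independent of the analog side-channels the article also mentions, is a layer-2 inventory: record which source MAC addresses actually transmit on a segment and flag any that no known asset accounts for. The block below is an added example written for this roundup, not Sepio's or Bloomberg's method; the inventory, the frames and the MAC addresses are constructed, and the code only parses Ethernet headers, so it detects nothing an implant that never transmits.

```python
import struct

# Constructed asset inventory: MAC -> description (illustrative values only).
INVENTORY = {
    "3c:ec:ef:aa:bb:01": "rack-1 server BMC",
    "3c:ec:ef:aa:bb:02": "rack-1 server eth0",
}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def parse_ethernet(frame):
    """Return (dst, src, ethertype) from a raw Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), ethertype


def locally_administered(mac):
    """The U/L bit (bit 1 of the first octet) is set on software-assigned MACs, not burned-in ones."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def make_frame(dst, src, ethertype, payload=b""):
    """Builds a frame for the constructed sample capture below."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


# Constructed capture: two frames from a known NIC, two from a source nobody inventoried.
SAMPLE_CAPTURE = [
    make_frame("ff:ff:ff:ff:ff:ff", "3c:ec:ef:aa:bb:02", 0x0806),   # ARP, known NIC
    make_frame("3c:ec:ef:aa:bb:01", "3c:ec:ef:aa:bb:02", 0x0800),   # IPv4, known NIC
    make_frame("ff:ff:ff:ff:ff:ff", "02:11:22:33:44:55", 0x0806),   # ARP, unknown source
    make_frame("3c:ec:ef:aa:bb:01", "02:11:22:33:44:55", 0x0800),   # IPv4, unknown source
]


def unknown_talkers(frames, inventory):
    """Map each transmitting MAC absent from the inventory to what it sent and whether its address is software-set."""
    report = {}
    for frame in frames:
        _, src, ethertype = parse_ethernet(frame)
        if src in inventory:
            continue
        entry = report.setdefault(src, {"ethertypes": set(), "frames": 0,
                                        "locally_administered": locally_administered(src)})
        entry["ethertypes"].add(ethertype)
        entry["frames"] += 1
    return report


if __name__ == "__main__":
    for mac, info in unknown_talkers(SAMPLE_CAPTURE, INVENTORY).items():
        kinds = ", ".join(f"0x{e:04x}" for e in sorted(info["ethertypes"]))
        print(f"unknown source {mac}: {info['frames']} frames, ethertypes {kinds}, "
              f"locally administered={info['locally_administered']}")
```

On a real segment the frames come from a span port or a host capture rather than a list, and the inventory from switch MAC tables or DHCP leases; the useful signal is a source that transmits from a port whose asset is accounted for by a different address.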

  • Security updates for Wednesday
