Language Selection

English French German Italian Portuguese Spanish

Security Leftovers

Filed under
Security
  • Alas, Poor PGP

    The first is an assertion that email is inherently insecure and can’t be made secure. There are some fairly convincing arguments to be made on that score; as it currently stands, there is little ability to hide metadata from prying eyes. And any format that is capable of talking on the network — as HTML is — is just begging for vulnerabilities like EFAIL.

    But PGP isn’t used just for this. In fact, one could argue that sending a binary PGP message as an attachment gets around a lot of that email clunkiness — and would be right, at the expense of potentially more clunkiness (and forgetfulness).

    What about the web-of-trust issues? I’m in agreement. I have never really used WoT to authenticate a key, only in rare instances trusting an introducer I know personally and from personal experience understand how stringent they are in signing keys. But this is hardly a problem for PGP alone. Every encryption tool mentioned has the problem of validating keys. The author suggests Signal. Signal has some very strong encryption, but you have to have a phone number and a smartphone to use it. Signal’s strength when setting up a remote contact is as strong as SMS. Let that disheartening reality sink in for a bit. (A little social engineering could probably get many contacts to accept a hijacked SIM in Signal as well.)

    How about forward secrecy? This is protection against a private key that gets compromised in the future, because an ephemeral session key (or more than one) is negotiated on each communication, and the secret key is never stored. This is a great plan, but it really requires synchronous communication (or something approaching it) between the sender and the recipient. It can’t be used if I want to, for instance, burn a backup onto a Bluray and give it to a friend for offsite storage without giving the friend access to its contents. There are many, many situations where synchronous key negotiation is impossible, so although forward secrecy is great and a nice enhancement, we should assume it to be always applicable.

    [...]

    My current estimate is that there’s no magic solution right now. The Sequoia PGP folks seem to have a good thing going, as does Saltpack. Both projects are early in development, so as a privacy-concerned person, should you trust them more than GPG with appropriate options? That’s really hard to say.

  • Armadillo Is An Open-Source “USB Firewall” Device To Protect You Against USB Attacks

    Exchanging data using USB devices is something that we do on a daily basis. But how often do you think that the next USB device that you’ll plug into your PC’s port could be malicious? In the past, researchers have unveiled 29 types of USB attacks that could compromise your sensitive data by simply plugging in a USB device.

    Globotron’s Armadillo is a device that you could use to protect yourself from USB attacks.

  • Open source solutions in autonomous driving: safety is more than an afterthought [Ed: A lot less likely to contain back doors, unlike proprietary software where this has become rather 'standard' a 'feature']

    In the automotive industry, in-vehicle infotainment (IVI) systems were one of the early adopters of open source operating systems, namely Linux. Today’s innovation and success with IVIs can largely be attributed to this approach.

    Collaborative efforts such as the GENIVI Alliance and Automotive Grade Linux—where automakers, suppliers, and their competitors agree to share common elements of the IVI software stack—are enabling rapid development in this area.

  • New open source solution reduces the risks associated with cloud deployments [Ed: This is an inherently flawed kind of logic because if you handed over control to AWS, then the Pentagon already controls everything and thus you have zero security, you're 'pwned' by definition]

    The Galahad software will be deployed to AWS and provides a nested hypervisor on AWS instances. There, it will monitor role-based virtual machines virtually across all levels of the application stack including the docker container: the basic unit of software that packages an application to run quickly between computing environments.

  • Open-Source Exploit: Private Keys in MyDashWallet Exposed for Two Months- Users Should Move Funds Immediately [Ed: Highly misleading headline. This has nothing to do with "Open Source"; it's about some fool who uploaded private keys]

    The private keys of Dash crypto coins being held in online software “hot wallet” called MyDashWallet have been exposed to hackers for two months, and anyone using the wallet should immediately move funds out.

    A “hot wallet” is any cryptocurrency software “wallet” connected to the Internet.

More in Tux Machines

KDE Frameworks 5.61, Applications 19.08 in FreeBSD

Recent releases were KDE Frameworks 5.61 and KDE Applications 19.08. These have both landed in the official FreeBSD ports tree, after Tobias did most of the work and I pushed the big red button. Your FreeBSD machine will need to be following current ports – not the quarterly release branches, since we don’t backport to those. All the modern bits have arrived, maintaining the KDE-FreeBSD team’s commitment to up-to-date software for the FreeBSD desktop. The one thing we’re currently lagging on is Qt 5.13. There’s a FreeBSD problem report tracking that update. Read more

Dev branch moving towards Qt 6

As you know, Qt 5.14 will be branched pretty soon. After that I would expect that most new development work would start to be aimed towards Qt 6. As it looks right now, 5.15 will be a smaller release where we polish what we have in 5.14, and prepare some things for Qt 6. To reflect that and help us all understand that the development focus is now towards Qt 6, I would like to propose that dev becomes the Qt 6 branch after we branched away 5.14 (and we merge wip/qt6 back into dev). We can then either create a 5.15 branch at the same time, or slightly later, once 5.14 has stabilised a bit more (e.g. after the beta or RC). Read more Also: Qt's Development Branch To Begin Forming Qt 6

Today in Techrights

How to Check Which Debian Version are you Running

Wondering which Debian version are you running? This tutorial teaches you several ways to check Debian version in the terminal. Read more