Language Selection

English French German Italian Portuguese Spanish

Security

Security Leftovers

Submitted by Roy Schestowitz on Friday 16th of August 2019 09:28:21 AM Filed under
Security
  • Bluetooth BR/EDR supported devices are vulnerable to key negotiation attacks

    The encryption key length negotiation process in Bluetooth BR/EDR Core v5.1 and earlier is vulnerable to packet injection by an unauthenticated, adjacent attacker that could result in information disclosure and/or escalation of privileges. This can be achieved using an attack referred to as the Key Negotiation of Bluetooth (KNOB) attack, which is when a third party forces two or more victims to agree on an encryption key with as little as one byte of entropy. Once the entropy is reduced, the attacker can brute-force the encryption key and use it to decrypt communications.

  • Security updates for Thursday

    Security updates have been issued by openSUSE (irssi, ledger, libheimdal, libmediainfo, libqb, and libsass) and Slackware (mozilla).

  • Inspect PyPI event logs to audit your account's and project's security

    To help you check for security problems, PyPI is adding an advanced audit log of user actions beyond the current (existing) journal. This will, for instance, allow publishers to track all actions taken by third party services on their behalf.

»

Guix Makes Bitcoin Core Development More Trustless

Submitted by Roy Schestowitz on Thursday 15th of August 2019 03:05:11 AM Filed under
GNU
Security

According to Dong, “Guix allows users to verify that the Bitcoin Core client they download corresponds exactly to the code that Bitcoin Core developers write. It mitigates attacks that target the way we turn our codebase into the client executables we release.”

In spite of the clear focus on the needs of developers, Guix is also something that users may need and want to use if they choose to be cautious about the software that they run.

At press time, Guix is only available for Ubuntu builds.

Read more

»

Security Leftovers

Submitted by Roy Schestowitz on Wednesday 14th of August 2019 06:37:41 PM Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by Debian (kernel, linux-4.9, otrs2, and tomcat8), Fedora (igraph and jhead), openSUSE (ansible, GraphicsMagick, kconfig, kdelibs4, live555, mumble, phpMyAdmin, proftpd, python-Django, and znc), Oracle (kernel and openssl), Red Hat (kernel, openssl, and rh-mysql80-mysql), Scientific Linux (kernel and openssl), Slackware (kernel), SUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork and mariadb-100), and Ubuntu (linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-aws, linux-aws-hwe, linux-lts-xenial, linux-aws, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, linux-snapdragon, php5, php7.0, php7.2, and wpa).

  • He tried to prank the DMV. Then his vanity license plate backfired big time.

    It seemed like a good idea at the time.

  • Thoughts from Defcon 27 – This is why I do what I do

    Every year, thousands of security professionals descend upon Las Vegas to take part in a series of conferences known as Hacker Summer Camp. This year, Black Hat, BSides Las Vegas, Defcon 27 and the Diana Initiative took up the majority of the conference space. So, what makes this one of the most relevant and successful security conferences?

»

Best Chromebook laptops for school

Submitted by Roy Schestowitz on Wednesday 14th of August 2019 03:42:22 PM Filed under
GNU
Linux
Hardware
Security

You might think a Chromebook is limited because it can only run programs when it's online. That's not true. For example, you can still work with Google Docs when you're offline.

Also, you can now run many Android apps on Chromebooks. And, these days you can run a full Linux desktop on your new Intel-based Chromebook. Indeed, as my tech buddy Mike Elgan points out, today's high-end Chromebook laptops "run more apps without dual- or multi-booting than any other computing platform. Chromebook laptops can run apps from Android, Linux, and Windows concurrently in the same session."

In addition, as FutureSource points out, when it comes to school work, Chromebook laptops combine "affordable devices, productivity tools via G-Suite, easy integration with third-party platforms/tools, task management/distribution via Google Classroom, and easy device management remains extremely popular with US teachers and IT buyers alike."

One unsung advantage of Chromebook laptops is that, if your dog ate the Chromebook, you wouldn't have lost your work. All you need do is get another one, log on, and you're back in business with all your e-mail, documents, and calendars intact and ready to go. Another sweet deal that comes when you buy a Chromebook is that you can get 100GB of free Google One cloud storage for a year. That's more than enough room for your homework.

And, since it's easy to erase a Chromebook and then reset it to your account, this is safer than using a used Windows laptop.

Read more

»

LibreOffice 6.2.6 is ready, all users should update for enhanced security

Submitted by Roy Schestowitz on Wednesday 14th of August 2019 02:36:36 PM Filed under
LibO
Security

The Document Foundation announces LibreOffice 6.2.6, the sixth minor release of the LibreOffice 6.2 family, targeted at users in production environments. All users of LibreOffice 6.1.x and LibreOffice 6.2.x versions should upgrade immediately for enhanced security, as the software includes both security fixes and some months of back-ported fixes.

Read more

»

Pi-Hole - The DNS Triangle

Submitted by Roy Schestowitz on Wednesday 14th of August 2019 02:27:49 PM Filed under
GNU
Linux
Security
HowTos

At the end of the day, I had Pi-hole running, but the setup was far from trivial. There were four or five cardinal problems, and none of these should have happened, because the installation wizard could have gone through separate checks to make sure things were working. Part of the first-time run could be the service check, and if there are issues there, some sort of self-diagnosis to make sure FTL is up and running. The same applies to the Web service. Then, there's the password reset and list update. All of these would make the experience much more streamlined.

As a product, Pi-Hole is a very nice and powerful tool. It does its job extremely well, it's fast, effective and robust, and the Web UI is nicely designed. You also gain some on the traffic side, as there's less content that needs to be served, and fewer queries to be resolved, hence performance improvement for the stuff that matters. The setup isn't trivial but it is achievable, and you have a lot of flexibility in how you wire up your network. You could have Pi-Hole as a standalone system, or it could serve all the different devices in your home. All in all, this is the doomsday weapon for if and when the Internet turns rogue on you. Well worth testing, but remember the second rule of thermodynamics. You can't have trivial and complex at the same time.

Read more

»

Security: PGP & GPG, Flaws, and Nmap 7.80

Submitted by Roy Schestowitz on Wednesday 14th of August 2019 07:06:17 AM Filed under
Security
  • The Impending Demise of “PGP & GPG”

    My No Starch books normally sell out their print run, get reprinted a few times, and fade into Out Of Print status. But PG3 never sold out its initial print run.

  • Down the Rabbit-Hole...

    It took a lot of effort and research to reach the point that I could understand enough of CTF to realize it’s broken. These are the kind of hidden attack surfaces where bugs last for years. It turns out it was possible to reach across sessions and violate NT security boundaries for nearly twenty years, and nobody noticed.

    Now that there is tooling available, it will be harder for these bugs to hide going forward.

  • Flaws in 4G Routers of various vendors put millions of users at risk

    “Those manufacturers who are going to be selling 5G routers are currently selling 3G and 4G routers. Which – and I really cannot stress this enough – are mainly bad.”

  • Hack in the box: Hacking into companies with “warshipping”

    Penetration testers have long gone to great lengths to demonstrate the potential chinks in their clients' networks before less friendly attackers exploit them. But in recent tests by IBM's X-Force Red, the penetration testers never had to leave home to get in the door at targeted sites, and the targets weren't aware they were exposed until they got the bad news in report form. That's because the people at X-Force Red put a new spin on sneaking in—something they've dubbed "warshipping."

    Using less than $100 worth of gear—including a Raspberry Pi Zero W, a small battery, and a cellular modem—the X-Force Red team assembled a mobile attack platform that fit neatly within a cardboard spacer dropped into a shipping box or embedded in objects such as a stuffed animal or plaque. At the Black Hat security conference here last week, Ars got a close look at the hardware that has weaponized cardboard.

  • These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer

    It looks like an Apple lightning cable. It works like an Apple lightning cable. But it will give an attacker a way to remotely tap into your computer.

  • Nmap Defcon Release! 80+ improvements include new NSE scripts/libs, new Npcap, etc.

    Nmap 7.80 source code and binary packages for Linux, Windows, and Mac are available for free download from the usual spot: [...]

»

Stable release: HardenedBSD-stable 12-STABLE v1200059.3

Submitted by Roy Schestowitz on Tuesday 13th of August 2019 11:40:06 PM Filed under
Security
BSD

HardenedBSD-12-STABLE-v1200059.3

Read more

»

Linux Stressed in Fedora, Red Hat/IBM and Security

Submitted by Roy Schestowitz on Tuesday 13th of August 2019 03:32:10 PM Filed under
Red Hat
Security
  • Fedora Developers Discuss Ways To Improve Linux Interactivity In Low-Memory Situations

    While hopefully the upstream Linux kernel code can be improved to benefit all distributions for low-memory Linux desktops, Fedora developers at least are discussing their options for in the near-term improving the experience. With various easy "tests", it's possible to easily illustrate just how poorly the Linux desktop responds when under memory pressure. Besides the desktop interactivity becoming awful under memory pressure, some argue that an unprivileged task shouldn't be able to cause such behavior to the system in the first place.

  • How open source can help banks combat fraud and money laundering

    Jump ahead a few years to the Fourth EU AML Directive - a regulation which required compliance by June 2017 - demanding enhanced Customer Due Diligence procedures must be adhered to when cash transactions reach an aggregated amount of more than $11,000 U.S. dollars (USD). (The Fifth EU AML Directive is on the way, with a June 2020 deadline.) In New Zealand’s Anti-Money Laundering and Countering Financing of Terrorism Amendment Act of 2017 it is stated that banks and other financial entities must provide authorities with information about clients making cash transactions over $6,500 USD and international monetary wire transfers from New Zealand exceeding $650 USD. In 2018, the updated open banking European Directive on Payment Services (PSD2) that requires fraud monitoring also went into effect. And the Monetary Authority of Singapore is developing regulations regarding the use of cryptocurrencies for terrorist funding and money laundering, too.

  • Automate security in increasingly complex hybrid environments

    As new technologies and infrastructure such as virtualization, cloud, and containers are introduced into enterprise networks to make them more efficient, these hybrid environments are becoming more complex—potentially adding risks and security vulnerabilities.

    According to the Information Security Forum’s Global Security Threat Outlook for 2019, one of the biggest IT trends to watch this year is the increasing sophistication of cybercrime and ransomware. And even as the volume of ransomware attacks is dropping, cybercriminals are finding new, more potent ways to be disruptive. An article in TechRepublic points to cryptojacking malware, which enables someone to hijack another's hardware without permission to mine cryptocurrency, as a growing threat for enterprise networks.

    To more effectively mitigate these risks, organizations could invest in automation as a component of their security plans. That’s because it takes time to investigate and resolve issues, in addition to applying controlled remediations across bare metal, virtualized systems, and cloud environments -- both private and public -- all while documenting changes.

  • Josh Bressers: Appsec isn’t people

    The best way to think about this is to ask a different but related question. Why don’t we have training for developers to write code with fewer bugs? Even the suggestion of this would be ridiculed by every single person in the software world. I can only imagine the university course “CS 107: Error free development”. Everyone would fail the course. It would probably be a blast to teach, you could spend the whole semester yelling at the students for being stupid and not just writing code with fewer bugs. You don’t even have to grade anything, just fail them all because you know the projects have bugs.

    Humans are never going to write bug free code, this isn’t a controversial subject. Pretending we can somehow teach people to write bug free code would be a monumental waste of time and energy so we don’t even try.

    Now it’s time for a logic puzzle. We know that we can’t train humans to write bug free code. All security vulnerabilities are bugs. So we know we can’t train humans to write vulnerability free code. Well, we don’t really know it, we think we can if you look at history. The last twenty years has had an unhealthy obsession with getting humans to change their behaviors to be “more secure”. The only things that have come out of these efforts are 1) nobody likes security people anymore 2) we had to create our own conferences and parties because we don’t get invited to theirs 3) they probably never liked us in the first place.

»

Security Leftovers

Submitted by Roy Schestowitz on Tuesday 13th of August 2019 09:59:03 AM Filed under
Security
  • To equip tomorrow's cybersecurity experts, we'll need an open approach

    Today's world—marked by an increase of Internet-connected devices, digital assets, and information systems infrastructure—demands more cybersecurity professionals. Cybersecurity is the practice of defending these devices, assets, and systems against malicious cyberattacks from both internal and external entities. Often these cyberattacks are linked to cybercrimes, or crimes committed using a computer to generate profit or to affect the integrity, availability, and confidentiality of the data or system. In 2016, cybercrimes cost the global economy more than $450 billion.

    [...]

    It's critical for students to not only become acquainted with the advantages of open source software but also to develop strong skills working openly, since open source software is not only common in the IT industry in general, but is specifically necessary in the field of cybersecurity. With this approach, students can learn within the safety and guidance of the classroom while also naturally acquiring research and troubleshooting skills by facing challenges that are presented or arise during exercises.

  • Cloud-native Java, open source security, and more industry trends

    As part of my role as a senior product marketing manager at an enterprise software company with an open source development model, I publish a regular update about open source community, market, and industry trends for product marketers, managers, and other influencers.

  • Indian Counseling Company Files Criminal Complaint Against Blogger Who Informed It About A Sensitive Data Leak

    As Doe notes, it appears 1to1Help's lawyers made a number of self-serving omissions when filing this complaint. First, they failed to point out the article had already been published, which would have allowed the court to review the content and see if it actually violated the law.

    Second, the lawyers claimed Doe's site was "rogue," due to it containing no contact information for Doe. They were either wrong or lying, as Doe's site does contain a contact number and she is reachable via social media and other venues, having spent more than a decade covering security breaches.

    Finally, 1to1Help claimed in its filing that Doe tried to blackmail it by giving Anil Bisht deadlines to respond for comment before publication. That's called journalism, not blackmail, and either its lawyers can't comprehend that or willfully misportrayed this extremely common process to the court.

    The problem isn't the person reporting the leak. The problem is the leak and the company that took its time responding to the problem and then decided to take legal action when the person reporting the leak refused to cover it up.

»
Syndicate content

More in Tux Machines

today's leftovers: OpenSUSE Tumbleweed, Fedora Program Management, Security and More

  • Dominique Leuenberger: openSUSE Tumbleweed – Review of the week 2019/33

    Week 2019/33 ‘only’ saw three snapshots being published (3 more were given to openQA but discarded).

  • FPgM report: 2019-33

    Here’s your report of what has happened in Fedora Program Management this week. I have weekly office hours in #fedora-meeting-1. Drop by if you have any questions or comments about the schedule, Changes, elections, or anything else. (Just not this week because I will be traveling)

  • Security updates for Friday

    Security updates have been issued by Debian (freetype, libreoffice, and openjdk-7), Fedora (edk2, mariadb, mariadb-connector-c, mariadb-connector-odbc, python-django, and squirrelmail), Gentoo (chromium, cups, firefox, glibc, kconfig, libarchive, libreoffice, oracle-jdk-bin, polkit, proftpd, sqlite, wget, zeromq, and znc), openSUSE (bzip2, chromium, dosbox, evince, gpg2, icedtea-web, java-11-openjdk, java-1_8_0-openjdk, kconfig, kdelibs4, mariadb, mariadb-connector-c, nodejs8, pdns, polkit, python, subversion, and vlc), Oracle (ghostscript and kernel), Red Hat (mysql:8.0 and subversion:1.10), SUSE (389-ds, libvirt and libvirt-python, and openjpeg2), and Ubuntu (nginx).

  • A compendium of container escapes

    My name is Brandon Edwards, I’m Chief Scientist at Capsule8. Today we’ll be talking about a compendium of container escapes in the podcast. We’ve previously talked about escaping containers and the sorts of vulnerabilities people should be concerned with a while back. In particular we’re discussing how the RunC vulnerability had engendered all this interest, or concern, or almost shock, the trust the people are placing in containers was broken. Oh wow, an escape could happen! I think it’s really valuable to be able to communicate and show all the other ways that that sort of thing can happen, either from misconfiguration, or over granting privileges, or providing host mounts into the container, or having kernel vulnerabilities that could somehow compromise any of the elements of the security model of container, which is both fragile and complex.

  • Apollo data graph brings managed federation to enterprises

    Data graph vendor Apollo is aiming to help overcome several obstacles to enterprises using graph databases with its latest Apollo Data Graph Platform update, which became generally available on July 16. Among the key new features in the platform are federated management capabilities that enable more scalability across different GraphQL data graph instances. GraphQL is an open source query language for APIs, originally created by Facebook that is used to enable data graph capabilities.

Videos: Pardus and Linux Action News

today's howtos, LibreOffice development, 'DevOps' and programming leftovers

  • How to use apt Command in Linux
  • FreeBSD Display Information About The System Hardware
  • btLr text direction in Writer, part 4

    You can get a snapshot / demo of Collabora Office and try it out yourself right now: try unstable snapshot. Collabora is a major contributor to LibreOffice and all of this work will be available in TDF’s next release, too (6.4).

  • LibreOffice Community at FrOSCon 2019

    LibreOffice development takes place mostly via the internet: volunteers, certified developers and other community members collaborate on programming, design, quality assurance, documentation and other tasks. But we also like to meet up in person, to share information, bring new people into the project, and have fun! So on the weekend of 10 and 11 August, we attended FrOSCon 2019 in Sankt Augustin, a town just outside Bonn, Germany. FrOSCon is one of the largest free and open source software (FOSS) conferences in the country, with around 2,000 attendees. Most of the visitors know about FOSS already, but some had only learnt about it recently, and were eager to discover more.

  • 10 ways DevOps helps digital transformation

    DevOps helps organizations succeed with digital transformation by shifting the cultural mindset of the business, breaking down detrimental silos, and paving the way for continuous change and rapid experimentation: All those elements help organizations meet evolving customer demands, experts point out. This helps organizations “self-steer” toward better solutions to continually improve, says Matthew Skelton, head of consulting at Conflux and co-author of Team Topologies.

  • CloudBees Advances State of the DevOps World

    At its annual user conference, CloudBees previews a new Software Delivery Management platform as the DevOps vendor celebrates 15 years of Jenkins.

  • How do you verify that PyPI can be trusted?

    Now Go's packaging story is rather different from Python's since in Go you specify the location of a module by the URL you fetch it from, e.g. github.com/you/hello specifies the hello module as found at https://github.com/you/hello. This means Go's module ecosystem is distributed, which leads to interesting problems of caching so code doesn't disappear off the internet (e.g. a left-pad incident), and needing to verify that a module's provider isn't suddenly changing the code they provide with something malicious. But since the Python community has PyPI our problems are slightly different in that we just have to worry about a single point of failure (which has its own downsides). Now obviously you can run your own mirror of PyPI (and plenty of companies do), but for the general community no one wants to bother to set something up like that and try to keep it maintained (do you really need your own mirror to download some dependencies for the script you just wrote to help clean up your photos from your latest trip?). But we should still care about whether PyPI has been compromised such that packages hosted there have not been tampered with somehow between when the project owner uploaded their release's files and from when you download them.

  • Spyder 4.0 beta4: Kite integration is here

    As part of our next release, we are proud to announce an additional completion client for Spyder, Kite. Kite is a novel completion client that uses Machine Learning techniques to find and predict the best autocompletion for a given text. Additionally, it collects improved documentation for compiled packages, i.e., Matplotlib, NumPy, SciPy that cannot be obtained easily by using traditional code analysis packages such as Jedi.

Events: DebConf19, PyBay 2019, IndieWeb Summit 2019, Cloud Foundry Summit and Open Infrastructure Summit

  • DebConf19: Brazil

    My first DebConf was DebConf4, held in Porte Alegre, Brazil back in 2004. Uncle Steve did the majority of the travel arrangements for 6 of us to go. We had some mishaps which we still tease him about, but it was a great experience. So when I learnt DebConf19 was to be in Brazil again, this time in Curitiba, I had to go. So last November I realised flights were only likely to get more expensive, that I’d really kick myself if I didn’t go, and so I booked my tickets. A bunch of life happened in the meantime that mean the timing wasn’t particularly great for me - it’s been a busy 6 months - but going was still the right move. One thing that struck me about DC19 is that a lot of the faces I’m used to seeing at a DebConf weren’t there. Only myself and Steve from the UK DC4 group made it, for example. I don’t know if that’s due to the travelling distances involved, or just the fact that attendance varies and this happened to be a year where a number of people couldn’t make it. Nonetheless I was able to catch up with a number of people I only really see at DebConfs, as well as getting to hang out with some new folk. Given how busy I’ve been this year and expect to be for at least the next year I set myself a hard goal of not committing to any additional tasks. That said DebConf often provides a welcome space to concentrate on technical bits. I reviewed and merged dkg’s work on WKD and DANE for the Debian keyring under debian.org - we’re not exposed to the recent keyserver network issues due to the fact the keyring is curated, but providing additional access to our keyring makes sense if it can be done easily. I spent some time with Ian Jackson talking about dgit - I’m not a user of it at present, but I’m intrigued by the potential for being able to do Debian package uploads via signed git tags. Of course I also attended a variety of different talks (and, as usual, at times the schedule conflicted such that I had a difficult choice about which option to chose for a particular slot).

  • PyBay 2019: Talking about Python in SF

    We are back to San Francisco! Our team will be joining PyBay's conference, one of the biggest Python events in the Bay Area. For this year, we'll be giving the talk: Building effective Django queries with expressions. PyBay has been a fantastic place to meet new people, connect with new ideas, and integrate this thriving community.

  • Tantek Çelik: IndieWebCamps Timeline 2011-2019: Amsterdam to Utrecht

    While not a post directly about IndieWeb Summit 2019, this post provides a bit of background and is certainly related, so I’m including it in my series of posts about the Summit. Previous post in this series: Reflecting On IndieWeb Summit: A Start [...] I don’t know of any tools to take something like this kind of locations vs years data and graph it as such. So I built an HTML table with a cell for each IndieWebCamp, as well as cells for the colspans of empty space. Each colored cell is hyperlinked to the IndieWebCamp for that city for that year.

  • Meet SUSE at Cloud Foundry Summit in The Hague

    If you’re looking for a great excuse to visit the Netherlands, learn about Cloud Foundry and Kubernetes, and hang out with a cool and interesting community, come meet the SUSE Cloud Application Platform team at the Cloud Foundry Summit EU in The Hague. SUSE is a gold sponsor of the event, so we’ll have a booth complete with live demos and plenty of the cool chameleons that you’ve come to expect of us. 

  • Helping The Hispanic/Latinx Community With Open Source | Open Infrastructure Summit, 2019

    At the Open Infrastructure Summit, 2019, we sat down with Joseph Sandoval, SRE Manager for the Adobe Advertising Cloud platform, to talk about the work he is doing with the Hispanic/Latinx Community.

More on Tux Machines: AboutGalleryForumBlogsSearchNewsRSS Feed

Part of Bytes Media ● Sister sites below.

TechBytes Techrights button

Powered by Drupal, an open source content management system

Content available under CC-BY-SA CC

© by original authors

Powered by CentOS 6.5 (GNU/Linux), Varnish, and Drupal 6