Security

Security: Kerberos, Various Updates, and FUD

Filed under
Security

Security: Various Updates, Kerberos, Samba

Filed under
Security

Security: Libgcrypt, Verizon, and BlackSuse/BlackMonitor

Filed under
Security
  • [Older but no more paywall] Breaking Libgcrypt RSA via a side channel

    A recent paper [PDF] by a group of eight cryptography researchers shows, once again, how cryptographic breakthroughs are made. They often start small, with just a reduction in the strength of a cipher or key search space, say, but then grow over time to reach the point of a full-on breaking of a cipher or the implementation of one. In this case, the RSA implementation in Libgcrypt for 1024-bit keys has been fully broken using a side-channel attack against the operation of the library—2048-bit keys are also susceptible, but not with the same reliability, at least using this exact technique.

    The RSA cryptosystem involves lots of exponentiation and modular math on large numbers with sizable exponents. For efficiency reasons, these operations are usually implemented by a square-and-multiply algorithm. Libgcrypt is part of the GNU Privacy Guard (GnuPG or GPG) project and underlies the cryptography in GPG 2.x; it uses a sliding window mechanism as part of its square-and-multiply implementation. It is this sliding window technique that was susceptible to analysis of the side channel and, thus, allowed for the break.

  • All Your Accounts Are Belong to Us

    It turns out someone called in to Verizon claiming to be me. The individual claimed his phone (my phone) had been stolen, and he wanted to transfer service to another device. He had enough information about me to pass whatever verification Verizon required, and if he'd been a little smoother on the phone, he'd have likely gotten my number. It turned out that the Verizon employee felt the call was suspicious and disabled the account instead of transferring service. (I know that only because the employee made a note on the account.) After a stressful day of back and forth, the company I work for was able to get my phone turned back on, and I still have the same phone number I've always had—thank goodness.

  • Explanation of what BlackSuse is for me

    BlackSuse OS is an openSUSE-based system.
    Focused on security penetration testing and other small things.
    Our repository is ready.
    The system is 80% functional.

Security: CIA Cracks Android, Kaspersky Shunned, Slackware Patch for Proprietary Software

Filed under
Security
  • Highrise

    Today, July 13th 2017, WikiLeaks publishes documents from the Highrise project of the CIA. HighRise is an Android application designed for mobile devices running Android 4.0 to 4.3. It provides a redirector function for SMS messaging that could be used by a number of IOC tools that use SMS messages for communication between implants and listening posts. HighRise acts as a SMS proxy that provides greater separation between devices in the field ("targets") and the listening post (LP) by proxying "incoming" and "outgoing" SMS messages to an internet LP. Highrise provides a communications channel between the HighRise field operator and the LP with a TLS/SSL secured internet communication.

  • How CIA Agents Covertly Steal Data From Hacked Smartphones (Without Internet)

    WikiLeaks has today published the 16th batch of its ongoing Vault 7 leak, this time instead of revealing new malware or hacking tool, the whistleblower organisation has unveiled how CIA operatives stealthily collect and forward stolen data from compromised smartphones.

    Previously we have reported about several CIA hacking tools, malware and implants used by the agency to remotely infiltrate and steal data from the targeted systems or smartphones.

  • Trump administration has removed Kaspersky from approved suppliers list

    Kaspersky Lab, a private company, seems to be caught in the middle of a geopolitical fight where each side is attempting to use the company as a pawn in their political game.

  • [Slackware] Adobe Flash security update July ’17

    This month’s security update for the Flash Player plugin has arrived. The new version is 26.0.0.137 for both the PPAPI (Google Chrome and friends) and the NPAPI (Mozilla Firefox and friends) based plugins.

    I know… Flash is a monster and should be killed. But as long as people need it on Slackware, and as long as Adobe keeps releasing Linux plugin updates, I will package them and add them to my repository.

Security: Data Safety Code, Open Data Model, Microsoft Breaks Windows, Free Software Movement 'Hacking', and FUD From PVS Studio

Filed under
Security
  • Cracking The Data Safety Code

    Keeping our data safe online is something that we get told about a lot. That is because as members of the information generation, it's all too easy for our most valuable assets, our identity and privacy, to be compromised. But how can we keep our data safer? Read on to find out.

  • Fighting Cyber Threats with an Open Data Model

    From ABTA, to election hacking to WannaCry, it seems not a day goes by without a cyber-attack dominating the headlines. Cybercrime doesn’t discriminate; it affects organizations of all shapes and sizes. Added to this is the mounting pressure caused by the EU General Data Protection Regulation (GDPR) which will penalize organizations that do not comply with laws that aim to keep customer data safe. It’s imperative for organizations to re-evaluate their security posture and plan for the future.

  • Windows 7 and 8.1 receive Patch Tuesday Updates [Ed: Mind last paragraph. Microsoft breaks Vista 7 again with a security update.]

    If an iSCSI target becomes unavailable, attempts to reconnect will cause a leak. Initiating a new connection to an available target will work as expected. Microsoft is working on a resolution and will provide an update in an upcoming release.

  • Hacker Ethic and Free Software Movement

    Why does the word hacking go along with computers? The computer gives us a vast area to explore our creativity. Its huge code base, and their intricacies and the complicated machines offer us opportunities to HACK.

  • Become a Certified Pentester with Super-Sized Ethical Hacking Course
  • 27 000 errors in the Tizen operating system [Ed: PVS Studio 'article' (marketing) that's made by liars. They extrapolate number of POTENTIAL bugs, based on 3.3% of code, then come up with this scary headline.]

Security: Open Source Security Podcast, Reproducible Builds, and Security Updates for Wednesday

Filed under
Security

Security: FOSS Updates, Windows Phone Dies, Unikernels, and National Security

Filed under
Security
  • Security updates for Tuesday
  • Windows Phone dies today

    Microsoft is killing off Windows Phone 8.1 support today, more than three years after the company first introduced the update. The end of support marks an end to the Windows Phone era, and the millions of devices still running the operating system. While most have accepted that the death of Windows Phone occurred more than a year ago, AdDuplex estimates that nearly 80 percent of all Windows-powered phones are still running Windows Phone 7, Windows Phone 8, or Windows Phone 8.1.

    [...]

    Microsoft has shied away from officially killing off its phone OS efforts, but it’s been evident over the past year that the company is no longer focusing its efforts on Windows for phones. Microsoft gutted its phone business last year, resulting in thousands of job cuts.

  • Unikernels are secure. Here is why.

    There have been put forth various arguments for why unikernels are the better choice security wise and also some contradictory opinions on why they are a disaster. I believe that from a security perspective unikernels can offer a level of security that is unprecedented in mainstream computing.

  • 'Hacking' Of US Nuclear Facilities Appears To Be Little More Than The Sort Of Spying The US Approves Of

    This is where the DHS fell down in its "sharing" of internal documents with the New York Times. No one bothered to correct the Times when it went off on a Stuxnet tangent. This could give some government officials the wrong idea about what's happening -- both here and in foreign nations. There are many people in power who get much of their information from the press. This leads to bad bills being hurriedly crafted and public calls to action based on hearsay from a document someone else viewed. And that's just here in the US.

    On top of that, there's how we behave and how we expect others to behave. We're going to do this sort of thing. So are our adversaries. Both sides will continue to play defense. But going from 0-to-Stuxnet in the DHS's Ambermobile isn't a great idea. And it allows US officials to further distance themselves from actions we condone as part of our national security efforts.

  • Kaspersky under scrutiny after Bloomberg story claims close links to FSB

    Shortly after Bloomberg Businessweek published an explosive story under the headline: "Kaspersky Lab Has Been Working With Russian Intelligence," the security firm released a lengthy statement noting that the company does not have "inappropriate ties with any government."

    The article, which was published in the early morning hours on Tuesday, says that the Moscow-based firm "has maintained a much closer working relationship with Russia's main intelligence agency, the FSB, than it has publicly admitted. It has developed security technology at the spy agency's behest and worked on joint projects the CEO knew would be embarrassing if made public." Media organization McClatchy made seemingly similar claims in a July 3 report.

W3C DRM Backlash

Filed under
Security
Web
  • "W3C Embraces DRM - Declares War on Humanity" - Lunduke Hour

    The W3C has voted to standardize DRM for all of the Web -- in direct opposition to their own Mission Statement. What they are doing could have dire consequences for the entire Web. I yell about that for an hour. Because I'm mad.

  • DRM free Smart TV

    Libreboot is a free BIOS replacement which removes the Intel Management Engine. The Intel Management Engine is proprietary malware which includes a back door and some DRM functions. Netflix uses this hardware DRM called the Protected Audio/Video Path on Windows 10 when watching 4K videos. The Thinkpad T400 does not even have an HDMI port, which is known to be encumbered by HDCP, an ineffective DRM that has been cracked.

    Instead of using DRM encumbered streaming services such as Netflix, Entertain or Vodafone TV, I still buy DVDs and pay them anonymously with cash. In my home there is a DVB-C connector, which I have connected to a FRITZ!WLAN Repeater DVB-C which streams the TV signal to the ThinkPad. The TV set is switched on and off using a FRITZ!DECT 200 which I control using a python script running on the ThinkPad. I also reuse an old IR remote and an IRDuino to control the ThinkPad.

  • Over many objections, W3C approves DRM for HTML5

    A narrower covenant not to sue was proposed, but even this much narrower covenant was rejected. The various members of W3C appeared unlikely to agree to any particular set of terms, and ultimately were never polled to see if consensus could be reached. Since the original EME proposal didn't include such a covenant, Berners-Lee decreed that failure to form one should not be allowed to block publication as an official W3C Recommendation.

Security: The .io Error, Security things in Linux v4.12, Avanti Cracked, Reliance Jio data Breach, NSE Down, Medicare Leak, and 2FA

Filed under
Security

Security and Encryption: Revenge, CIA Cracks, FUD, Black Hat, LinuxKit and Docker, GCHQ on e2, and DRM

Filed under
Security
  • Who's got your hack back?

    The topic of hacking back keeps coming up these days. There's an attempt to pass a bill in the US that would legalize hacking back. There are many opinions on this topic, I'm generally not one to take a hard stand against what someone else thinks. In this case though, if you think hacking back is a good idea, you're wrong. Painfully wrong.

    Everything I've seen up to this point tells me the people who think hacking back is a good idea are either mistaken about the issue or they're misleading others on purpose. Hacking back isn't self defense, it's not about being attacked, it's not about protection. It's a terrible idea that has no place in a modern society. Hacking back is some sort of stone age retribution tribal law. It has no place in our world.

    [...]

    So this has me really thinking. Why would anyone want to hack back? There aren't many reasons that don't revolve around revenge. The way most attacks work you can't reliably know who is doing what with any sort of confidence. Hacking back isn't going to make anything better. It would make things a lot worse. Nobody wants to be stuck in the middle of a senseless feud. Well, nobody sane.

  • CIA has hacking tools, says Wikileaks

    The leaked papers have revealed that the agency turned to software which is named BothanSpy and Gyrfalcon to steal user credentials.

  • Linux Malware and Attacks on the Rise [Ed: This whole thing is based on a Microsoft ally from Seattle. Microsoft FUD by proxy, to distract from WannaCry Armageddon?]
  • Black Hat Survey: Security Pros Expect Major Breaches in Next Two Years

    A major compromise of U.S. critical infrastructure will occur in the next couple of years, according to a majority of IT security professionals -- and most expect breaches of their own enterprise networks to occur even sooner.

    These serious concerns are among those registered by respondents to the 2017 Black Hat Attendee Survey, the results of which are being published Wednesday. The survey offers insights on the plans and attitudes of 580 experienced security professionals, including many cybersecurity leaders who work in critical-infrastructure industries.

  • LinuxKit and Docker Security

    Docker got its start not just as a container system, but also as a Linux container system. Since then, Docker has developed versions of its container management systems for other platforms, including widely used cloud service providers, as well as Windows and the Macintosh OS. Many of these platforms, however, either have considerable variation in the Linux features which are available, or do not natively supply a full set of Linux resources.

  • Former GCHQ boss backs end-to-end encryption

    Former GCHQ director Robert Hannigan has spoken out against building backdoors into end-to-end encryption (e2) schemes as a means to intercept communications by terrorists and other ne'er do wells.

    Home Secretary Amber Rudd has criticised mobile messaging services such as WhatsApp, that offer end-to-end encryption in the wake of recent terror outrages, such as the Westminster Bridge attack, arguing that there should be no place for terrorists to hide.

    Hannigan, who led GCHQ between November 2014 and January 2017, struck a different tone in an interview with BBC Radio 4 flagship news programme Today on Monday morning, arguing there's no simple answer on the national security challenges posed by encryption.

  • How big is the market for DRM-Free?

    They reached a shocking conclusion: DVD players with even minimal circumvention features sell for about 50% more than similarly reviewed DVD players of similar vintage -- that means that in a commodity electronics category where the normal profit would be 2% or less, manufacturers that sell a model with just slightly different software (a choice that adds virtually nothing to the manufacturing costs) pocket 25 times the profits.
