If your gpg key is too valuable for you to feel comfortable with backing it up to the cloud using keysafe, here's an alternative that might appeal more.
Keysafe can now back up some shares of the key to local media, and other shares to the cloud. You can arrange things so that the key can't be restored without access to some of the local media and some of the cloud servers, as well as your password.
For example, I have 3 USB sticks, and there are 3 keysafe servers. So let's make 6 shares total of my gpg secret key and require any 4 of them to restore it.
After nearly exactly two months, Linus Torvalds released kernel 4.8 into the wild on Sunday, October 2nd. Torvalds dubbed 4.8 Psychotic Stoned Sheep, probably inspired by the news that a flock of woolly ruminants ate some abandoned cannabis and, high as kites, run amok in rural Wales, striking terror into the hearts of the locals.
This has been one of the larger releases, with many patches being sent in before the first release candidate was published. However, Torvalds attributes many of the changes to the switch to a new documentation format -- instead of using the DocBook, documentation must now be submitted in the Sphinx doc format.
Two days after announcing the release of the Linux 4.8 kernel as the latest stable and most advanced kernel branch for GNU/Linux operating systems, Linus Torvalds apologizes on the kernel mailing list for the inclusion of bug.
According to Mr. Torvalds, the bug was left in the last RC8 (Release Candidate 8) build by kernel developer Andrew Morton, which caused problems when attempting to compile it, thus resulting in a dead kernel. If you're curious, the full report is attached to Linus Torvalds' mailing list announcement.
Midway through SUPERSEDE, the EU three-year project backed by €3.25m in funding to make software better, software still sucks.
It's always been thus, but now that computer code has a say in the driving of Teslas, confronts everyone daily on smartphones, and has crept into appliances, medical devices, and infrastructure, it's a more visible problem.
Robert Vamosi, security strategist at Synopsys, told The Register in a phone interview that software quality matters more than ever.
"We're seeing real-world examples of automobiles remotely attacked and medical devices being suspended when they need to keep functioning," he said. "It's becoming life-critical."
The organizations involved in SUPERSEDE – ATOS, Delta Informatica, SEnerCon, Siemens, Universitat Politècnica de Catalunya (UPC), the University of Applied Sciences and Arts Northwestern Switzerland (FHNW), and the University of Zurich (UZH) – aim to improve the user experience of their software products with a toolkit to provide better feedback and analytics data to application developers.
OAuth is an open standard in authorization that allows delegating access to remote resources without sharing the owner's credentials. Instead of credentials, OAuth introduces tokens generated by the authorization server and accepted by the resource owner.
In OAuth 1.0, each registered client was given a client secret and the token was provided in response to an authentication request signed by the client secret. That produced a secure implementation even in the case of communicating through an insecure channel, because the secret itself was only used to sign the request and was not passed across the network.
OAuth 2.0 is a more straightforward protocol passing the client secret with every authentication request. Therefore, this protocol is not backward compatible with OAuth 1.0. Moreover, it is deemed less secure because it relies solely on the SSL/TLS layer. One of OAuth contributors, Eran Hammer, even said that OAuth 2.0 may become "the road to hell," because:
"… OAuth 2.0 at the hand of a developer with deep understanding of web security will likely result in a secure implementation. However, at the hands of most developers – as has been the experience from the past two years – 2.0 is likely to produce insecure implementations."
Despite this opinion, making a secure implementation of OAuth 2.0 is not that hard, because there are frameworks supporting it and best practices listed. SSL itself is a very reliable protocol that is impossible to compromise when proper certificate checks are thoroughly performed.
Of course, if you are using OAuth 1.0, then continue to use it; there is no point in migrating to OAuth 2.0. But if you are developing a new mobile or an Angular web application (and often mobile and web applications come together, sharing the same server), then OAuth 2.0 will be a better choice. It already has some built-in support in the OWIN framework for .NET that can be easily extended to create different clients and use different security settings.
Johnson & Johnson is telling patients that it has learned of a security vulnerability in one of its insulin pumps that a hacker could exploit to overdose diabetic patients with insulin, though it describes the risk as low.
Medical device experts said they believe it was the first time a manufacturer had issued such a warning to patients about a cyber vulnerability, a hot topic in the industry following revelations last month about possible bugs in pacemakers and defibrillators.
J&J executives told Reuters they knew of no examples of attempted hacking attacks on the device, the J&J Animas OneTouch Ping insulin pump. The company is nonetheless warning customers and providing advice on how to fix the problem.
As KrebsOnSecurity observed over the weekend, the source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released. Here’s a look at which devices are being targeted by this malware.
The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default usernames and passwords. Many readers have asked for more information about which devices and hardware makers were being targeted. As it happens, this is fairly easy to tell just from looking at the list of usernames and passwords included in the Mirai source code.
Akin to locking your doors and closing your windows there’s some really basic things everyone should be doing with their Linux installs (This is of course written from a Fedora viewpoint, but I think this pretty much applies to all computer OSes).
Initially the lack of security on "smart" Internet of Things devices was kind of funny as companies rushed to make a buck and put device security on the back burner. And while hackable tea kettles and refrigerators that leak your Gmail credentials just seem kind of stupid on the surface, people are slowly realizing that at scale -- we're introducing millions of new attack vectors into homes and businesses annually. Worse, compromised devices are now being used as part of massive new DDoS attacks like the one we recently saw launched against Brian Krebs.
Unfortunately, companies that service the medical industry also decided a few years ago that it would be a good idea to connect every-damn-thing to networks without first understanding the security ramifications of the decision. As a result, we're seeing a rise in not only the number of ransomware attacks launched on hospitals, but a spike in hackable devices like pacemakers that could mean life and death for some customers.
EFF Asks Court to Block U.S. From Prosecuting Security Researcher For Detecting and Publishing Computer Vulnerabilities
The Electronic Frontier Foundation (EFF) asked a court Thursday for an order that would prevent the government from prosecuting its client, security researcher Matthew Green, for publishing a book about making computer systems more secure.
Green is writing a book about methods of security research to recognize vulnerabilities in computer systems. This important work helps keep everyone safer by finding weaknesses in computer code running devices critical to our lives—electronic devices, cars, medical record systems, credit card processing, and ATM transactions. Green’s aim is to publish research that can be used to build more secure software.
The government of Malta has unveiled a National Cyber Security Strategy. The strategy provides the legal context to defend the country’s computer networks infrastructure and its users from threats.
Last week, we wrote about a DDoS attack on well-known investigative cybercrime journalist Brian Krebs.
A DDoS attack is an aggressive sort of DoS attack, where DoS is short for denial of service.
A DoS is a bit like getting into the queue at the station to buy a ticket for the next train, only to have a time-waster squeeze in front of you and slow you down.
By the time the miscreant has asked, innocently enough, about the different sorts of ticket available, and whether it costs extra to take a bicycle, and how much longer it would take if he were to change trains in Manchester, only to walk off without buying a ticket at all…
…you’ve watched your train arrive, load up with passengers, and depart without you.
A DDoS attack is worse: it’s short for distributed denial of service attack, and it’s much the same thing as a DoS, except that the trouble-stirrer doesn’t show up on his own.
The Linux 4.8.0 kernel was officially release on October 2, becoming the fifth kernel release so far in 2016. The Linux 4.7 kernel was released on July 24.
As opposed to all the other kernel releases this year (and in fact in contrast to all kernel releases since 2.6) Torvalds really wasn't happy about this one, though the source of his displeasure didn't become apparent until after the release.
"So the last week was really quiet, which maybe means that I could probably just have skipped rc8 after all," Torvalds wrote in in his Linux 4.8 release announcement. "Oh well, no real harm done."
A day later on October 3, Torvalds addmits that he shouldn't have merged a late set of updates from kernel developer Andrew Morton.
Linus Torvalds gave the world Linux 4.8 earlier this week, but now appears to wish he didn't after spotting some code he says can “kill the kernel.”
When Torvalds announced Linux 4.8 on Sunday he said the final version added “a few stragging fixes since rc8.”
But by Tuesday he was back on the Linux Kernel Mailing list apologising for a bug fix gone bad.
Linux server security is a huge topic. After all, there isn’t a security checkbox. Why is that?
Every server is a little different, but the ideas to security each of them is the same, the OS doesn’t matter.
Depending on your level of expertise, the answers for each of these items will be different.
The IT security practices of some open source communities are exemplary, shows a study for the European Commission and European Parliament. Many communities use experts to ensure software security and to help their developers avoid security flaws. “These communities take security serious”, says Alberto Dominguez Serra, one of the authors working for Everis, a IT consultancy.
We are going into our third year of living in the Gardens of Taylor. When you come off of the city street and onto this property, you can sometimes get a creepy feeling, like this is familiar in an unpleasant sort of way. It can feel like you’ve just stepped into Stepford Village. Every yard has been manicured to match the ones on either side of it. The edging along all driveways and sidewalks is a perfect two inches across and if a weed or mushroom happens to grow within that etched space, it is gone the next time you look for it.
Stuff like that just vanishes. Spooky like.
Fact is, the property manager pays the lawn service to make a drive through every other day in order to take care of any anomalies. Once I got used to it, I became comfortable with living here, being that it’s for people with physical disabilities and age 55 or over.
On moving-in day, we hadn’t been there an hour before people began to take notice of us from across the street. They would stop just long enough to pretend they weren’t checking us out, then they would be on their way. Some even stopped to help.
Now Claude and Jane both run Linux. Their money is safe, and if anyone calls giving them instructions how to get a virus off of their Windows’ computer, they just laugh and hang up, but not before telling them they run Linux.
There will come a day, maybe sooner than any of us think, when a scam like this might actually work on a Linux machine. In the past two years we’ve seen stories of Linux servers being compromised, and there is constant news that this or that piece of malicious code might be making its way to Linux computers soon.
Being prudent, I run both Avast for day-to-day stuff and various Clam iterations for biweekly sweeps for rootkits. I exchange a lot of Windows stuff with my Reglue kids, so that’s only smart. Not that I expect anything to go south in the near future. Everything I’ve seen coming down the Linux pike demands hands-on the target computer to inject the badware.
Here’s a Helios Helpful Hint: Don’t let someone you don’t know have access to your computer, sans the repair guy.
However I do believe in preparedness. Jane’s Linux Mint install runs the same security as mine and I administrate it remotely (from home. I’ll get Claude up to speed on Wednesday.
How long ago was it that many of us gave up on the “disconnected generation?” For a while I didn’t work with people who were so set in their ways that they bucked any suggestion of having to learn something new. And honest-to-goodness, a lady in the neighborhood asked me to make her computer the same way it was when she bought it. That would be the Windows Vista release. Sigh.
“No ma’am. Not for any amount of money. Sorry.”
I’m not into any more stress than necessary these days.
Every few years, a researcher replicates a security study by littering USB sticks around an organization's grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as "teachable moments" for others. "If only everyone was more security aware and had more security training," they say, "the Internet would be a much safer place."
Enough of that. The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things. Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?
Security Design: Stop Trying to Fix the User [It says (scroll down) "Getting a virus simply by opening an email was an urban legend, a technically impossible but scary sounding thing to frighten normies with, as late as the 90s. ...Microsoft made that myth real with the first release of Outlook"]
We needed a router and wifi access point in the office, and simultaneously both I and my co-worker Ivan needed such a thing at our respective homes. After some discussion, and after reading articles in Ars Technica about building PCs to act as routers, we decided to do just that.
The PC solution seem to offer better performance, but this is actually not a major reason for us.
We want to have systems we understand and can hack. A standard x86 PC running Debian sounds ideal to use.
Why not a cheap commercial router? They tend to be opaque and mysterious, and can't be managed with standard tooling such as Ansible. They may or may not have good security support. Also, they may or may not have sufficient functionality to be nice things, such as DNS for local machines, or the full power if iptables for firewalling.
Why not OpenWRT? Some models of commercial routers are supported by OpenWRT. Finding good hardware that is also supported by OpenWRT is a task in itself, and not the kind of task especially I like to do. Even if one goes this route, the environment isn't quite a standard Linux system, because of various hardware limitations. (OpenWRT is a worthy project, just not our preference.)
Systemd maintainer David Strauss has published a response to my blog post about systemd. The first part of his post is replete with ad hominem fallacies, strawmen, and factual errors. Ironically, in the same breath that he attacks me for not understanding the issues around threads and umasks, he betrays an ignorance of how the very project which he works on uses threads and umasks. This doesn't deserve a response beyond what I've called out on Twitter.
In the second part of his blog post, Strauss argues that systemd improves security by making it easy to apply hardening techniques to the network services which he calls the "keepers of data attackers want." According to Strauss, I'm "fighting one of the most powerful tools we have to harden the front lines against the real attacks we see every day." Although systemd does make it easy to restrict the privileges of services, Strauss vastly overstates the value of these features.