Language Selection

English French German Italian Portuguese Spanish

Security

Security: Kali Linux, More FUD, Australian Incident and Debian LTS Work

Submitted by Roy Schestowitz on Sunday 10th of February 2019 03:44:10 AM Filed under
Security
»

Parrot Security OS: Product Review

Submitted by Roy Schestowitz on Sunday 10th of February 2019 01:40:10 AM Filed under
GNU
Linux
Reviews
Security

Generally, Parrot OS is pretty great user friendly and lightweight distro. While using it, you’ll find it nearly equal to Kali Linux except for some minor differences. It may not offer a lot of tools that are present in Kali Linux but overall collection of tools is amazing. It also offers some tools that are not present in Kali and other similar distros. Parrot Security OS isn’t just for Ethical Hacking and Pentesting, it is also for development, anonymity and privacy

Read more

»

Security: RDP and Free Software

Submitted by Roy Schestowitz on Saturday 9th of February 2019 04:21:35 PM Filed under
Security
  • Microsoft and Open Source RDP Clients Are Vulnerable to System Takeover Attacks [Ed: Microsoft protocols were all along designed to be vulnerable (for remote access by the state)]
  • Remote Desktop Protocols Riddled With Vulns: Check Point Finds 16 Modes of Pwnage [Ed: Remote Desktop Protocol (RDP) has long been known to be crap, but Microsoft still loves it.]
  • Open Source Software: How Good Is Its Overall Security?

    Open source software has been a boon to many individual users and businesses. Open source software development brought about the rise of the Linux and Ubuntu operating systems and the Firefox browser.

    [...]

    Although it’s possible for a rogue developer to insert malicious code into open source software, this behavior is discouraged by legitimate developers. Software developers form a close community and strive to create the best possible products, so they have a vested interest in keeping their software secure and free from problems.

    CEO Vlad Vorobiov of Ruby Garage notes, “Simply put, the more eyes are looking at code, the more bugs will be found and fixed in a stated period of time……the fact that the software has a strong community around it, which is interested to make it better and believes in its future potential, is a great security indicator on its own.”

  • The dangers of proprietary software

    Let us consider what would have happened if Apple was an open source software or project. First, you would not need to wait for the main developers to patch the issue. You could review the code, make changes and update them as you wish. You could also submit the change to the project’s repository – GitHub or GitLab – and if accepted, the updated code would be implemented for all people to benefit from.

    You wouldn’t need a resume or an interview to see if you are worthy to contribute. You would be judged based on your work. You could be a 10-year-old living in the Arctics, it would not matter.

    As for the reporting of bugs in an open source environment, you can use the available social media channels, messaging platforms or the repository management system to directly reach the main development team. A common practice within open source communities, whether it is involving public blockchains or open source software and projects.

    Such communities are openly available for collaboration, suggestions or participation via an array of social platforms – such as Telegram, Slack, Discord and IRC. This is why they are so powerful, adaptable and robust.

»

Security Updates and More FUD

Submitted by Roy Schestowitz on Saturday 9th of February 2019 10:15:33 AM Filed under
Security
»

Security: Lots of FUD This Past Week (About What Can Happen When Your GNU/Linux Server is Already Compromised)

Submitted by Roy Schestowitz on Friday 8th of February 2019 03:14:58 PM Filed under
Security
»

Security: The 'Bad of IOT', Overflows and Securing Privileged Access

Submitted by Roy Schestowitz on Friday 8th of February 2019 09:23:03 AM Filed under
Security
  • IOT: the good, the bad and the ugly

    It may come as a surprise that the 'bad of IOT' is not security, but service complexity. The security problems are as a result of the service complexity and SqwidNet is on a journey to simplify this to the ABC... D of IOT: that is, application + back-end + connectivity + device. In the industrial and enterprise sector, security provided by SqwidNet is not impacted by the security challenges that face the consumer sector. In the consumer sector, IOT rears its 'ugly' head with its security nightmares, solutions built on devices and applications that cannot be updated over time, and security vulnerabilities that cannot be addressed properly.

  • Your Android Phone Could Get Hacked Just By Opening A PNG Image [Ed: relies on maliciously-crafted files]
  • More Ghostscript vulnerabilities, more PostScript problems [Ed: relies on maliciously-crafted files]
  • Ten Tips for Securing Privileged Access

    Manage *NIX SSH keys. SSH keys are gold to an external attacker or malicious insider. With them, they can leverage unmanaged SSH keys to log in with root access and take over the *NIX (Linux and Unix systems) technology stack. These keys must also be secured in a vault, and subsequently be rotated regularly based on policy. Moreover, a solution that enables event notifications and automation to lessen the potential impact of human error should be deployed in all circumstances.

»

Security: Survey, Apple Holes and updates

Submitted by Roy Schestowitz on Friday 8th of February 2019 06:08:50 AM Filed under
Security
  • A third of companies are largely unprepared for cybersecurity attacks: eSecurity Planet Survey

    There are a number of measures organizations can and should take to help reduce the risk of cybersecurity attacks and data breaches. Unfortunately, about a third of organizations say they are largely unprepared for such attacks, according to eSecurity Planet's newly released 2019 State of IT Security survey.

    The survey asked about specific threats and how well organizations are prepared to defend against them.

    Among the most common and pervasive vulnerabilities found in applications is SQL injection, which can potentially lead to remote code execution and data breaches. Across organization of all sizes, over a quarter of respondents (26.8 percent) said they have doubts about their defenses against SQL injection attacks.

  • Researcher Refuses To Disclose Critical macOS Keychain Security Flaw

    Linus Henze, a security researcher, has uncovered a security flaw in macOS Mojave Keychain that can allow bad actors to steal the stored passwords without administrator privileges.

    In a video, Henze demoed how anybody can get access to your password stored in Apple’s secure vault. This isn’t the first time when Henze has discovered a critical security flaw in iOS and macOS.

  • Update Now to Fix Group FaceTime on Your iPhone, iPad, and Mac
  • Security updates for Thursday
»

Disk Encryption for Low-End Hardware

Submitted by Roy Schestowitz on Friday 8th of February 2019 03:30:34 AM Filed under
Linux
Security

Unfortunately, they were not able to find any existing encryption algorithm that was both fast and secure, and that would work with existing Linux kernel infrastructure. They, therefore, designed the Adiantum encryption mode, which they described in a light, easy-to-read and completely non-mathematical way.

Essentially, Adiantum is not a new form of encryption; it relies on the ChaCha stream cipher developed by D. J. Bernstein in 2008. As Eric put it, "Adiantum is a construction, not a primitive. Its security is reducible to that of XChaCha12 and AES-256, subject to a security bound; the proof is in Section 5 of our paper. Therefore, one need not 'trust' Adiantum; they only need trust XChaCha12 and AES-256."

Eric reported that Adiantum offered a 20% speed improvement over his and Paul's earlier HPolyC encryption mode, and it offered a very slight improvement in actual security.

Eric posted some patches, adding Adiantum to the Linux kernel's crypto API. He remarked, "Some of these patches conflict with the new 'Zinc' crypto library. But I don't know when Zinc will be merged, so for now, I've continued to base this patchset on the current 'cryptodev'."

Read more

»

Security: Apple Holes, Banks and Political Games

Submitted by Roy Schestowitz on Thursday 7th of February 2019 05:14:39 PM Filed under
Security
»

Security: FUD and RIP, RDP

Submitted by Roy Schestowitz on Thursday 7th of February 2019 09:51:37 AM Filed under
Security
»
Syndicate content

More in Tux Machines

qoob – excellent foobar-like music player for Linux

Are you debilitated by the countless music players that use web technologies with a massive RAM footprint? Maybe you want a lean yet slick audio player with a good range of features? You might be interested in qoob. It’s a music player written in the versatile and hugely popular Python programming language. The software uses Qt 5, a cross-platform application framework and widget toolkit for creating classic and embedded graphical user interfaces. qoob is similar to foobar2000, a freeware audio player respected for its highly modular design, breadth of features, and extensive user flexibility in configuration. Unlike foobar, qoob is available for Linux and it’s released under an open source license. Read more

Programming: GStreamer, Rust, Python and More

  • GStreamer 1.15.1 unstable development release
    The GStreamer team is pleased to announce the first development release in the unstable 1.15 release series. The unstable 1.15 release series adds new features on top of the current stable 1.16 series and is part of the API and ABI-stable 1.x release series of the GStreamer multimedia framework. The unstable 1.15 release series is for testing and development purposes in the lead-up to the stable 1.16 series which is scheduled for release in a few weeks time. Any newly-added API can still change until that point, although it is rare for that to happen. Full release notes will be provided in the near future, highlighting all the new features, bugfixes, performance optimizations and other important changes.
  • GStreamer: GStreamer Rust bindings 0.13.0 release
    A new version of the GStreamer Rust bindings, 0.13.0, was released. This new release is the first to include direct support for implementing GStreamer elements and other types in Rust. Previously this was provided via a different crate. In addition to this, the new release features many API improvements, cleanups, newly added bindings and bugfixes.
  • Niko Matsakis: Rust lang team working groups
    Now that the Rust 2018 edition has shipped, the language design team has been thinking a lot about what to do in 2019 and over the next few years. I think we’ve got a lot of exciting stuff on the horizon, and I wanted to write about it.
  • RVowpalWabbit 0.0.13: Keeping CRAN happy
    Another small RVowpalWabbit package update brings us version 0.0.13. And just like Rblpapi yesterday, we have a new RVowpalWabbit update to cope with staged installs which will be a new feature of R 3.6.0. No other changes were made No new code or features were added.
  • Test automation framework thoughts and examples with Python, pytest and Jenkins
    In this article I'll share some personal thoughts about Test Automation Frameworks; you can take inspiration from them if you are going to evaluate different test automation platforms or assess your current test automation solution (or solutions). Despite it is a generic article about test automation, you'll find many examples explaining how to address some common needs using the Python based test framework named pytest and the Jenkins automation server: use the information contained here just as a comparison and feel free to comment sharing alternative methods or ideas coming from different worlds. It contains references to some well (or less) known pytest plugins or testing libraries too.
  • Basics of Object-Oriented Programming
    In programming, an object is simply a 'thing'. I know, I know...how can you define something as a 'thing'. Well, let's think about it - What do 'things' have? Attributes, right? Let's take a Song for example. A song has attributes! It has a Title, an Artist, a Genre, etc. How about a Dog - A dog has four legs, a color, a name, an owner, and a breed. Though there are millions Dogs with countless names, owners, etc, the one thing that ties them all together are the very fact that every single one can be described as a Dog. Although this may seem like a not-very informative explanation, these types of examples are what ultimately made me understand Object-oriented programing. The set of activities that an object can perform is an Object's behavior. A dog can bark, wag it's tail, sit, and even shake if it's owner trains them. In the same way, a programmer can create an object and teach it tricks in order to achieve certain goals. In Ruby(my first programming language), EVERYTHING is an object. This means that every piece of code you encounter can perform certain tricks at your command, some are built into Ruby while others can be created at your disposal. Let's look at a common element in programming, a simple string. As you can see, after the string is defined, I'm able to call different 'methods' or functions on the string I created. Ruby has several built in methods on common objects(ie strings, integers, arrays, and hashes.
  • Hello pytest-play!
    pytest-play is a rec&play (rec not yet available) pytest plugin that let you execute a set of actions and assertions using commands serialized in JSON format. It tries to make test automation more affordable for non programmers or non Python programmers for browser, functional, API, integration or system testing thanks to its pluggable architecture and third party plugins that let you interact with the most common databases and systems.
  • Nikola v8.0.2 is out!
    Nikola is a static site and blog generator, written in Python. It can use Mako and Jinja2 templates, and input in many popular markup formats, such as reStructuredText and Markdown — and can even turn Jupyter Notebooks into blog posts! It also supports image galleries, and is multilingual. Nikola is flexible, and page builds are extremely fast, courtesy of doit (which is rebuilding only what has been changed).
  • Mu!
    In the past several days, I innaugurated a private Fediverse instance, "Mu", running Pleroma for now. Although Mastodon is the dominant implementation, Pleroma is far easier to install, and uses less memory on small, private instances. By doing this, I'm bucking the trend of people hating to run their own infrastructure. Well, I do run my own e-mail service, so, what the heck, might as well join the Fediverse. So far, it was pretty fun, but Pleroma has problem spots. For example, Pleroma has a concept of "local accounts" and "remote accounts": local ones are normal, into which users log in at the instance, and remote ones mirror accounts on other instances. This way, if users Alice@Mu and Bob@Mu follow user zaitcev@SLC, Mu creates a "remote" account UnIqUeStRiNg@Mu, which tracks zaitcev@SLC, so Alice and Bob subscribe to it locally. This permits to send zaitcev's updates over the network only once. Makes sense, right? Well... I have a "stuck" remote account now at Mu, let's call it Xprime@Mu and posit that it follows X@SPC. Updates posted by X@SPC are reflected in Xprime@Mu, but if Alice@Mu tries to follow X@SPC, she does not see updates that Xprime@Mu receives (the updates are not reflected in Alice's friends/main timeline) [1]. I asked at #pleroma about it, but all they could suggest was to try and resubscribe. I think I need to unsubscribe and purge Xprime@Mu somehow. Then, when Alice resubscribes, Pleroma will re-create a remote, say Xbis@Mu, and things hopefully ought to work. Well, maybe. I need to examine the source to be sure.
  • Django ORM optimization story on selecting the least possible
    This an optimization story that should not surprise anyone using the Django ORM. But I thought I'd share because I have numbers now! The origin of this came from a real requirement. For a given parent model, I'd like to extract the value of the name column of all its child models, and the turn all these name strings into 1 MD5 checksum string.
  • Reasons Mitogen sucks
    I have a particular dislike for nonspecific negativity, where nothing can be done to address its source because the reasons underlying it are never explicitly described. In the context of Mitogen, there has been a consistent stream of this sort originating from an important camp in public spaces, and despite efforts to bring specifics out into the open, still it continues to persist. For that reason I'd like to try a new strategy: justify the negativity and give it a face by providing all the fuel it needs to burn. Therefore in this post, in the interests of encouraging honesty, I will critique my own work.
  • The North Star of PyCascades, core Python developer Mariatta Wijaya, receives the 2018 Q3 Community Service Award
    At Montreal PyCon 2015, Guido Van Rossum delivered the closing keynote during which Guido issued a public ask, “I want at least two female Python core developers in the next year ... and I will try to train them myself if that's what it takes. So come talk to me." Consequently, Mariatta did just that, she reached out to Guido after PyCon 2016 to learn more about starting in Python core development. Mariatta recalls, “I hadn’t contributed to open source [yet] and I wanted to know how to start”. Guido recommended some ways for Mariatta to start including reviewing the dev guide, looking at open issues and joining and introducing herself on the Python dev mailing list .
  • Episode #118: Better Python executable management with pipx

NVIDIA: GTX 1660 and Linux

  • NVIDIA have released the 418.43 driver, includes support for the just released GeForce GTX 1660
    Two bits of NVIDIA news for you today, not only have they released a new stable driver, they've also put out their latest GPU with the GTX 1660. First up, the new stable driver 418.43 is out which you can find here. It follows on from the 418.30 beta driver, released last month. The big new feature of the driver is initial support for G-SYNC Compatible monitors! So those of you with a FreeSync monitor should be able to use it (if you weren't already using the beta driver). This new driver also adds in support for the just released GeForce GTX 1660 Ti, the GeForce RTX 2070 with Max-Q Design and the GeForce RTX 2080 with Max-Q Design. There's also NVIDIA optical flow support, NVIDIA Video Codec SDK 9.0, support for stereo presentation in Vulkan and more.
  • NVIDIA 418.43 Stable Linux Driver Released, Includes GTX 1660 Ti Support
    As expected given today's GeForce GTX 1660 Ti launch, NVIDIA has released a new Linux graphics driver supporting the 1660 Ti as well as the RTX 2070 with Max-Q Design and RTX 2080 with Max-Q Design, among other changes. This is actually the first stable release in the NVIDIA 418 series for Linux users and succeeds last month's NVIDIA 418.30 Linux driver beta. Most of the changes in today's NVIDIA 418.43 driver release were previously found in the 418.30 version, just now made official with this stable driver debut plus adding in the NVIDIA GeForce GTX 1660 Ti graphics card support.
  • NVIDIA 390.116 Legacy & 410.104 Long-Lived Linux Drivers Released
    In addition to NVIDIA christening the 418 driver series as stable today with the GeForce GTX 1660 Ti release, they also issued updates for their 390 legacy driver series as well as the 410 long-lived driver release series. The NVIDIA 390.116 driver is out for those still using NVIDIA Fermi graphics cards on Linux. This update is the first in a while and has a number of fixes to the Linux driver, on the FreeBSD side there is now 12.0 support, support for the Linux 5.0 kernel, X.Org Server 1.20 fixes, and other random fixes collected in the past few months. For those using this NVIDIA legacy driver can find out more information via this DevTalk thread.
  • GeForce GTX 1660 Ti Launch Today - Supported By The NVIDIA Linux Driver, No Nouveau Yet
    After weeks of leaks, the GeForce GTX 1660 Ti is expected to be formally announced in just a few hours. This is a ~$300 Turing graphics card but without any ray-tracing support as so far has been common to all Turing graphics cards. The GTX 1600 series family is expected to expand as well in the weeks ahead.

Betty – A Friendly Interface For Your Linux Command Line

All Linux experts might already know this statement “Command line mode is more powerful than GUI” but newbies are scared about CLI. Don’t think that working on Linux CLI is difficult as everything is opensource nowadays and you can get it in online whatever you want. If you have any doubt just google it and you will get many suggestion, select the suitable one and move forward. If you are looking for some virtual assistant tool instead of google. Yes, there is a tool is available for this and the tool name is Betty which helps you to get the information right from your terminal. Do you want to try? if so, go through the entire article for details. Read more

More on Tux Machines: AboutGalleryForumBlogsSearchNewsRSS Feed

Part of Bytes Media ● Sister sites below.

TechBytes Techrights button

Powered by Drupal, an open source content management system

Content available under CC-BY-SA CC

© by original authors

Powered by CentOS 6.5 (GNU/Linux), Varnish, and Drupal 6