Antivirus Live CD 20.0-0.99.2 Uses ClamAV 0.99.2 to Protect Your PC from Viruses

Today, September 25, 2016, 4MLinux developer Zbigniew Konojacki informs Softpedia about the immediate availability for download of a new, updated version of his popular, independent, free, and open source Antivirus Live CD.

Parsix GNU/Linux 8.10 "Erik" Gets the Latest Debian Security Fixes, Update Now

A few minutes ago, the development team behind the Debian-based Parsix GNU/Linux computer operating system announced that new security fixes are now available for the Parsix GNU/Linux 8.10 "Erik" release.

Security Leftovers

  • Krebs Goes Down, Opera Gets a VPN & More…

    Krebs on Security in record DDOS attack: Everybody’s go-to site for news and views of security issues, has been temporarily knocked offline in a DDOS attack for the record books. We first heard about the attack on Thursday morning after Brian Krebs reported that his site was being hit by as much as 620 Gbs, more than double the previous record which was considered to be a mind-blower back in 2013 when the anti-spam site Spamhaus was brought to its knees.

    Security sites such as Krebs’ that perform investigative research into security issues are often targets of the bad guys. In this latest case, Ars Technica reported the attack came after Krebs published the identity of people connected with vDOS, Israeli black hats who launched DDOS attacks for pay and took in $600,000 in two years doing so. Akamai had been donating DDoS mitigation services to Krebs, but by 4 p.m. on the day the attack began they withdrew the service, motivated by the high cost of defending against such a massive attack. At this point, Krebs decided to shut down his site.

  • Upgrade your SSH keys!

    When generating the keypair, you're asked for a passphrase to encrypt the private key with. If you ever lose your private key, it should protect others from impersonating you because it will be encrypted with the passphrase. To actually prevent this, one should make sure to prevent easy brute-forcing of the passphrase.

    The OpenSSH key generator offers two options for resistance to brute-force password cracking: using the new OpenSSH key format and increasing the number of key derivation function rounds. It slows down the process of unlocking the key, but this is what prevents efficient brute-forcing by a malicious user too. I'd say experiment with the number of rounds on your system. Start at about 100 rounds. On my system it takes about one second to decrypt and load the key once per day using an agent. Very much acceptable, imo.

  • Irssi 0.8.20 Released
  • What It Costs to Run Let's Encrypt

    Today we’d like to explain what it costs to run Let’s Encrypt. We’re doing this because we strive to be a transparent organization, we want people to have some context for their contributions to the project, and because it’s interesting.

    Let’s Encrypt will require about $2.9M USD to operate in 2017. We believe this is an incredible value for a secure and reliable service that is capable of issuing certificates globally, to every server on the Web free of charge.

    We’re currently working to raise the money we need to operate through the next year. Please consider donating or becoming a sponsor if you’re able to do so! In the event that we end up being able to raise more money than we need to just keep Let’s Encrypt running we can look into adding other services to improve access to a more secure and privacy-respecting Web.

  • North Korean DNS Leak reveals North Korean websites

    One of North Korea’s top level DNS servers was mis-configured today (20th September 2016) accidentally allowing global DNS zone transfers. This allowed anyone who makes a zone transfer request (AXFR) to retrieve a copy of the nation’s top level DNS data.

    This data showed there are 28 domains configured inside North Korea, here is the list:

  • Yahoo’s Three Hacks

    As a number of outlets have reported, Yahoo has announced that 500 million of its users’ accounts got hacked in 2014 by a suspected state actor.

    But that massive hack is actually one of three interesting hacks of Yahoo in recent years.

Security News

  • Friday's security updates
  • Impending cumulative updates unnerve Windows patch experts

    Microsoft's decision to force Windows 10's patch and maintenance model on customers running the older-but-more-popular Windows 7 has patch experts nervous.

    "Bottom line, everyone is holding their breath, hoping for the best, expecting the worst," said Susan Bradley in an email. Bradley is well known in Windows circles for her expertise on Microsoft's patching processes: She writes on the topic for the Windows Secrets newsletter and moderates the mailing list, where business IT administrators discuss update tradecraft.

  • Yahoo is sued for gross negligence over huge hacking

    Yahoo Inc (YHOO.O) was sued on Friday by a user who accused it of gross negligence over a massive 2014 hacking in which information was stolen from at least 500 million accounts.

    The lawsuit was filed in the federal court in San Jose, California, one day after Yahoo disclosed the hacking, unprecedented in size, by what it believed was a "state-sponsored actor."

    Ronald Schwartz, a New York resident, sued on behalf of all Yahoo users in the United States whose personal information was compromised. The lawsuit seeks class-action status and unspecified damages.

    A Yahoo spokeswoman said the Sunnyvale, California-based company does not discuss pending litigation.

  • Yahoo faces questions after hack of half a billion accounts

    Yahoo’s admission that the personal data of half a billion users has been stolen by “state-sponsored” hackers leaves pressing questions unanswered, according to security researchers.

    Details, including names, email addresses, phone numbers and security questions were taken from the company’s network in late 2014. Passwords were also taken, but in a “hashed” form, which prevents them from being immediately re-used, and the company believes that financial information held with it remains safe.

IPFire 2.19 - Core Update 105 released

This is the official release announcement for IPFire 2.19 – Core Update 105 which patches a number of security issues in two cryptographic libraries: openssl and libgcrypt. We recommend installing this update as soon as possible and rebooting the IPFire system to complete the update.

Security News

  • A pile of security updates for Thursday
  • What this Yahoo data breach means for you

    On Thursday afternoon Yahoo confirmed a massive data leak of at least 500 million user accounts, which is a very big deal.

    Though the data breach obviously spells trouble for those with YahooMail accounts, users with hacked accounts need to keep in mind that the breach goes so much further.

    Yahoo owns a bunch of other major sites like Flickr, Tumblr and fantasy football site, which means the 500 million users affected by the data breach also have to worry about their personal information associated with all additional Yahoo services.

  • Hackers now have a treasure trove of user data with the Yahoo breach
  • Half! a! billion! Yahoo! email! accounts! raided! by! 'state! hackers!'

    Hackers strongly believed to be state-sponsored swiped account records for 500 million Yahoo! webmail users. And who knew there were that many people using its email?

    The troubled online giant said on Thursday that the break-in occurred in late 2014, and that names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers, were lifted.

    This comes after a miscreant calling themselves Peace was touting copies of the Yahoo! account database on the dark web. At the time, in early August, Yahoo! said it was aware of claims that sensitive information was being sold online – and then today, nearly two months later, it alerted the world to the embarrassing security breach.

  • Brian Krebs' blog banged in bloody massive DDoS

    YOU KNOW that Brian Krebs guy? Well, his website has been hit with a huge denial-of-service (DDoS) attack that he couldn't handle on his own.

    Krebs is that security guy. He is bound to have some enemies out there, so we expect that sooner or later someone will take the credit for ruining the pathway to his pages.

    For now we have Krebs to explain what happened and who helped him deal with it. The short version is that there was great big whack of an attack on him, and that he needed assistance from security firm Akamai.

Security Fallacies

  • Matthew Garrett Explains How to Increase Security at Boot Time [Ed: Microsoft apologist Matthew Garrett is promoting UEFI again, even after the Lenovo debacle]

    Security of the boot chain is a vital component of any other security solution, said Matthew Garrett of CoreOS in his presentation at Linux Security Summit. If someone is able to tamper with your boot chain then any other security functionality can be subverted. And, if someone can interfere with your kernel, any amount of self-protection the kernel might have doesn’t really matter.

    “The boot loader is in a kind of intermediate position,” Garrett said. It can modify the kernel before it passes control to it, and then there’s no way the kernel can verify itself once it’s running. In the Linux ecosystem, he continued, the primary protection in the desktop and server space is UEFI secure boot, which is a firmware feature whereby the firmware verifies a signature on the bootloader before it executes it. The bootloader in turn verifies a signature on the next step of the boot process, and so on.

  • Is open source security software too much of a risk for enterprises? [Ed: inverses the truth; proprietary software has secret back doors that cannot be found and patched]

    Although free, there are many institutions that are reluctant to use open source software, for obvious reasons. Using open source software that is not controlled by the enterprise -- in production environments and in mission-critical applications -- introduces risks that could be detrimental to the basic tenets of cybersecurity, such as confidentiality, integrity and availability. This includes open source security software like the tools Netflix uses.

Security News

  • Security advisories for Wednesday
  • Why we should just simply call ourselves Hackers

    Developers, Programmers, Engineers, Code Artists, Coders, Codesmiths, Code Warriors, Craftsmen … these are currently the labels we use to explain our profession. One can get an idea of how this can appear confusing to the outsider.

    Computers can enrich our lives, give focus, amplify our adventures, gauge our science and grow our business. Right now computing is being embedded into everything and it is now more than ever that we need to redefine our role and show. some. fucking. solidarity.

    Rather than confusing pre-existing labels and shoe-horning them to our profession, which makes use of synthetic intelligence more than any, I propose that we call ourselves Hackers instead of the myriad other ways.

  • Germany surveys cyber-attacks

    Germany’s Federal Office for Information Security (BSI) has launched a survey to obtain information about actual cyber-attacks on business and government, to assess potential risks, and to determine protective measures. The study should result in new ICT security recommendations.

FOSS in Government (US and UK)

  • Dear The Sun: we need to talk about your understanding of open source

    I want to talk to you about this article, and the claims it makes about open source software. I would have liked to chat to your cited expert, whom you’ve listed only as Neil Doyle. Sadly, the article fails to specify his area of expertise and both messages and emails to author Ryan Sabey asking for further information have gone unanswered. So I’m responding to it here, supported by some brilliant, contactable experts in security and open source.

    After sitting open-mouthed at the misinformation in this article for some time, I began to reach out to fellow tech experts to see if they felt the same. I first contacted Dr. Jessica Barker, the independent cybersecurity authority behind I asked if she could address the concerns you raised that use of open source software in the public sector would pose security risks.
    “The Sun seems to be implying that open source software is more vulnerable to attack than closed source, which is a sweeping misunderstanding that fails to take the complex nature of cybersecurity into account.

    Both open source and closed source software can be vulnerable to exploit, however these vulnerabilities are arguably more likely to be discovered in open source rather than closed source software as more people (including security researchers) are able to look at it. By its nature, it is publicly available and so it’s harder to hide malicious vulnerabilities”.

  • DOD Aims to Make Cybersecurity a Fundamental Part of Its Tech Mission
  • The Department of Software?

    Well-developed software can make or break modern weapons systems. Software problems initially hindered F-35 production, for example. The Department of Defense (DOD) set up a Digital Service team last year to help the military solve its information technology problems. Future work on autonomous systems will heavily rely on software development. Most importantly, the DOD will have to protect its own data. To improve the DOD’s use of software, the Center for a New American Security (CNAS) looked at how the Pentagon could better use “open source software.” While the DOD uses some open source software, its full utilization for military software development will require deeper changes to how the DOD approaches code.

  • John Weathersby: Selling Open Source to the Federal Government

    John Weathersby founded and ran the Open Source Software Institute to “promote the development and implementation of open source software solutions within U.S. federal, state, and local government agencies.” A worthy goal!

    But why stick to nothing but software? In 2014, Weathersby founded The Open Technology Center at Camp Shelby Joint Forces Training Center (in Mississippi), which is a “non-profit research and development entity sponsored by the Mississippi National Guard and U.S. Department of Homeland Security whose mission is to innovate and integrate open source software technologies for use within national defense and security organizations.”

    The OTC is doing some neat stuff, ranging from autonomous vehicles to making it easier for local governments to request, receive, and account for disaster recovery funds in the wake of an emergency. It’s all good! And it’s all about open source, which is why it’s worth listening to what Weathersby has to say.

Security Leftovers

  • DDoS attacks: For the hell of it or targeted – how do you see them off?

    Distributed Denial of Service (DDoS) attacks can be painful and debilitating. How can you defend against them? Originally, out-of-band or scrubbing-centre DDoS protection was the only show in town, but another approach, inline mitigation, provides a viable and automatic alternative.

    DDoS attacks can be massive, in some cases reaching hundreds of Gbits/sec, but those mammoths are relatively rare. For the most part, attackers will flood companies with around 1 Gbit/sec of traffic or less. They’re also relatively short affairs, with most attacks lasting 30 minutes or less. This enables attackers to slow down computing resources or take them offline altogether while flying under the radar, making it especially difficult for companies to detect and stop them.

  • IoT and a new type of threat for Linux

    Linux has played a significant role in establishing IoT devices as increasingly important parts of our everyday lives, both at home and in the enterprise. Linux based OSes make it easy for developers to create applications that can run on anything, from a fridge to a car, and as a result 73 percent of IoT developers use Linux to run applications on.

    Now, however, questions of security are arising. With IoT gesturing in a brave new world of connected devices, businesses must cope with a greater number of entry points and vulnerabilities, with security the top concern in the industry.

    By placing such a burden on Linux’s security capabilities, there are now real fears that IoT devices will be left exposed and businesses will pay the price.

  • NIST Seeks Comments on Cybersecurity Reports

    The US National Institute of Standards and Technology (NIST) has recently issued two draft reports on cybersecurity issues of interest to industrial IoT users, and is seeking industry comment before making their final revisions. One report describes the proposed manufacturing profile for NIST's Cybersecurity Framework. The other addresses cryptography standards and practices for resource-constrained processors.

    Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, NIST created in 2014 a voluntary Cybersecurity Framework, which is a compendium of industry standards and best practices to help organizations manage cybersecurity risks. Created through collaboration between government and the private sector, the Framework helps guide cybersecurity activities and encourages organizations to consider cybersecurity risks as part of their risk management processes. Profiles, a key element of the Framework, help an organization align its cybersecurity activities with its business requirements, risk tolerances, and resources. A profile is intended both to help identify opportunities for improving cybersecurity as well as providing a touchstone to compare against in order to prioritize process improvement activities.

  • Hackers Able To Control Tesla S Systems From Twelve Miles Away

    Over the last few years, we've well documented the abysmal security in the internet of things space. And while refrigerators that leak your Gmail credentials are certainly problematic, the rise in exploitable vehicle network security is exponentially more worrying. Reports emerge almost monthly detailing how easy it is for hackers to bypass vehicle security, allowing them to at best fiddle with in-car systems like air conditioning, and at worst take total control of a compromised vehicle. It's particularly problematic given these exploits may take years to identify and patch.
