Security Leftovers

  • Kaspersky's Secur'IT hacking competition attracts entrants from 24 universities

    Four university students, competing as ByteMe, have won the first prize in the Secur'IT Cup, an annual hacking competition jointly organised by security outfit Kaspersky and Hackathons Australia.

  • Hackers Use Billboards to Trick Self-driving Cars into Slamming on the Brakes

    “The attacker just shines an image of something on the road or injects a few frames into a digital billboard, and the car will apply the brakes or possibly swerve, and that’s dangerous,” Ben Gurion University researcher Yisroel Mirsky told the magazine. “The driver won’t even notice at all. So somebody’s car will just react, and they won’t understand why.”

  • File Exfiltration via Libreoffice in BigBlueButton and JODConverter

    BigBlueButton is a free web-based video conferencing software that lately got quite popular, largely due to COVID-19. Earlier this year I did a brief check on its security which led to an article on Golem.de (German). I want to share the most significant findings here.

    BigBlueButton has a feature that lets a presenter upload a presentation in a wide variety of file formats, which then gets displayed in the web application. This looked like a huge attack surface. The conversion for many file formats is done with LibreOffice on the server. Looking for ways to exploit server-side LibreOffice rendering I found a blog post by Bret Buerhaus that discussed a number of ways of exploiting such setups. One of the methods described there is a feature in OpenDocument Text (ODT) files that allows embedding a file from an external URL in a text section. This can be a web URL like https or a file URL and include a local file. This directly worked in BigBlueButton. An ODT file that referenced a local file would display that local file. This allows displaying any file that the user running the BigBlueButton service could access on the server. A possible way to exploit this is to exfiltrate the configuration file that contains the API secret key, which then allows basically controlling the BigBlueButton instance. I have a video showing the exploit here. (I will publish the exploit later.)

    I reported this to the developers of BigBlueButton in May. Unfortunately my experience with their security process was not very good. At first I did not get an answer at all. After another mail they told me they plan to sandbox the LibreOffice process either via a chroot or a Docker container. However, that still has not happened yet. It is planned for the upcoming version 2.3, and independent of this bug this is a good idea, as LibreOffice just creates a lot of attack surface.

    Recently I looked a bit more into this. The functionality to include external files only happens after a manual user confirmation, and if one uses LibreOffice on the command line it does not work at all by default. So in theory this exploit should not have worked, but it did. It turned out the reason for this was another piece of software that BigBlueButton uses called JODConverter (https://github.com/sbraconnier/jodconverter). It provides a wrapper around the conversion functionality of LibreOffice. After contacting both the LibreOffice security team and the developer of JODConverter we figured out that it enables including external URLs by default.

  • New Gitjacker tool lets you find .git folders exposed online

    A new open-source tool called Gitjacker can help developers discover when they've accidentally uploaded /.git folders online and have left sensitive information exposed to attackers. Gitjacker is available as a free download on Github.
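The linked-section mechanism the BigBlueButton write-up above describes, as an added example that is not code from BigBlueButton, JODConverter or the original post: a minimal ODT whose body is a `<text:section-source xlink:href="...">` link (a constructed fixture), and the pre-conversion check an upload pipeline could run so that such a document is rejected before a server-side LibreOffice ever opens it. Element and namespace names are taken from the ODF specification; the policy of refusing every link that reaches outside the package is an assumption, as is the choice to scan only `content.xml` and `styles.xml`.

```python
"""Pre-conversion check for ODT uploads handed to server-side LibreOffice.

Added example; not code from BigBlueButton, JODConverter or the original
write-up. It builds a constructed ODT whose body is a "linked section"
(<text:section-source xlink:href="...">, the ODF feature the article
describes) and scans a package for any link that reaches outside the ZIP.
Assumption: an upload path can simply reject such documents, since a
presentation has no legitimate need to pull in a server-local file.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

NS_OFFICE = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
NS_TEXT = "urn:oasis:names:tc:opendocument:xmlns:text:1.0"
NS_XLINK = "http://www.w3.org/1999/xlink"
NS_MANIFEST = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
ODT_MIME = "application/vnd.oasis.opendocument.text"
XLINK_HREF = "{%s}href" % NS_XLINK

# Package parts whose elements may carry xlink:href (linked sections, images,
# OLE objects, master pages). META-INF/manifest.xml only lists ZIP entries.
PARTS_TO_SCAN = ("content.xml", "styles.xml")


def build_linked_section_odt(href: str) -> bytes:
    """Return a minimal ODT whose only body element is a section linked to href.

    Constructed fixture: an attacker would produce the same structure by
    inserting a linked section in a word processor or with a script.
    """
    safe_href = escape(href, {'"': "&quot;"})
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<office:document-content xmlns:office="{NS_OFFICE}" '
        f'xmlns:text="{NS_TEXT}" xmlns:xlink="{NS_XLINK}" office:version="1.2">'
        "<office:body><office:text>"
        '<text:section text:name="Linked">'
        f'<text:section-source xlink:type="simple" xlink:href="{safe_href}"/>'
        "</text:section>"
        "</office:text></office:body></office:document-content>"
    )
    manifest = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<manifest:manifest xmlns:manifest="{NS_MANIFEST}" manifest:version="1.2">'
        f'<manifest:file-entry manifest:full-path="/" manifest:media-type="{ODT_MIME}"/>'
        '<manifest:file-entry manifest:full-path="content.xml" manifest:media-type="text/xml"/>'
        "</manifest:manifest>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # ODF packages store 'mimetype' first and uncompressed.
        zf.writestr(zipfile.ZipInfo("mimetype"), ODT_MIME, compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", content)
        zf.writestr("META-INF/manifest.xml", manifest)
    return buf.getvalue()


def find_external_hrefs(odt_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (element, href) for every xlink:href that leaves the package.

    A relative href such as "Pictures/1.png" names a ZIP entry and is fine.
    Anything with a URL scheme (file:, http:, https:, smb:, ...), an
    absolute path, or a ".." component is resolved by LibreOffice on the
    server and is reported.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        names = set(zf.namelist())
        for part in PARTS_TO_SCAN:
            if part not in names:
                continue
            # Stdlib expat does not fetch external entities, but use defusedxml
            # in production to also cap entity expansion on hostile uploads.
            root = ET.fromstring(zf.read(part))
            for element in root.iter():
                href = element.get(XLINK_HREF)
                if href is None:
                    continue
                if (urlsplit(href).scheme or href.startswith("/")
                        or ".." in href.split("/")):
                    found.append((element.tag.split("}")[-1], href))
    return found


def is_safe_to_convert(odt_bytes: bytes) -> bool:
    """True when the package contains no link reaching outside itself."""
    return not find_external_hrefs(odt_bytes)


if __name__ == "__main__":
    for target in ("file:///etc/passwd", "https://example.invalid/x.odt", "Pictures/1.png"):
        print(target, find_external_hrefs(build_linked_section_odt(target)))
```

The check is defence in depth, not a substitute for the fix the write-up points at: a plain command-line LibreOffice does not follow these links by default, and the exposure came from the JODConverter wrapper enabling them, so the conversion side should be configured (and sandboxed) so that links are never followed, with this scan catching documents that try.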
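What Gitjacker is looking for, as an added example that is not Gitjacker's own code: a probe that asks a web root for `/.git/HEAD` and `/.git/config` and decides from the body, not just the status code, whether a Git metadata directory is readable. The throwaway local server is a constructed fixture so the probe can be run offline; the response-shape checks (a `ref: refs/...` line or a 40-hex commit id in `HEAD`, a `[core]` section in `config`) are standard Git file formats, and the 4 KiB read limit is an arbitrary choice.

```python
"""Probe a web root for an exposed .git directory, the condition Gitjacker
hunts for. Added example, not Gitjacker's own code. The check is the usual
one: a real /.git/HEAD starts with "ref: refs/" (or is a 40-hex detached
commit id), and /.git/config contains a "[core]" section. Matching on the
body, not just the status code, avoids false positives on servers that
answer every path with 200 and an HTML page. The local server is a
constructed fixture so the probe can be exercised offline.
"""
import os
import re
import tempfile
import threading
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

HEAD_RE = re.compile(rb"^(ref: refs/\S+|[0-9a-f]{40})\s*$")


def _fetch(url, timeout=5):
    """GET url; return (status, first 4 KiB of body). None status = no answer."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.getcode(), resp.read(4096)
    except HTTPError as err:
        return err.code, b""
    except URLError:
        return None, b""


def check_git_exposure(base_url):
    """Report whether base_url serves a readable Git metadata directory."""
    base = base_url.rstrip("/")
    status, head = _fetch(base + "/.git/HEAD")
    head_leaked = status == 200 and bool(HEAD_RE.match(head))
    status, config = _fetch(base + "/.git/config")
    config_leaked = status == 200 and b"[core]" in config
    return {"head": head_leaked, "config": config_leaked,
            "exposed": head_leaked or config_leaked}


class _QuietHandler(SimpleHTTPRequestHandler):
    """Static file handler that does not spam stderr with access logs."""

    def log_message(self, *args):
        pass


def serve_fixture(exposed):
    """Start a local static server over a throwaway web root.

    With exposed=True the root contains a .git/ directory the way a careless
    `rsync` or `git clone` into the document root would leave it. Returns
    (base_url, stop) where stop() shuts the server down.
    """
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>site</body></html>")
    if exposed:
        os.mkdir(os.path.join(root, ".git"))
        with open(os.path.join(root, ".git", "HEAD"), "w") as fh:
            fh.write("ref: refs/heads/main\n")
        with open(os.path.join(root, ".git", "config"), "w") as fh:
            fh.write("[core]\n\trepositoryformatversion = 0\n\tbare = false\n")
    server = HTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=root))
    threading.Thread(target=server.serve_forever, daemon=True).start()

    def stop():
        server.shutdown()
        server.server_close()

    return "http://127.0.0.1:%d" % server.server_address[1], stop


if __name__ == "__main__":
    for flag in (True, False):
        url, stop = serve_fixture(flag)
        print("exposed fixture" if flag else "clean fixture", check_git_exposure(url))
        stop()
```

Run it against your own hosts only. A positive result means the whole repository can usually be reconstructed from the served object files, so the remedy is both to remove the directory from the document root and to deny `/.git` at the web server.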

Debian donation for Peertube development

The Debian project is happy to announce a donation of 10,000 USD to help Framasoft reach the fourth stretch-goal of its Peertube v3 crowdfunding campaign -- Live Streaming. This year's iteration of the Debian annual conference, DebConf20, had to be held online, and while being a resounding success, it made clear to the project our need to have a permanent live streaming infrastructure for small events held by local Debian groups. As such, Peertube, a FLOSS video hosting platform, seems to be the perfect solution for us. We hope this unconventional gesture from the Debian project will help us make this year somewhat less terrible and give us, and thus humanity, better Free Software tooling to approach the future. Read more

ExTiX Deepin 20.10 Live based on Deepin 20 (latest) with Skype, Spotify, Refracta Snapshot and kernel 5.9.1-exton :: Build 201021

I’ve released a new version of ExTiX Deepin today (201021). This ExTiX Build is based on Deepin 20 released by Deepin Technology 200911. Read more

IBM/Red Hat Leftovers

  • Deconstructing an Ansible playbook | Enable Sysadmin

    A straightforward explanation of the sections of an Ansible playbook, including packages, modules, and variables.

  • Kubernetes basics for sysadmins | Enable Sysadmin

    Learn when Kubernetes can be effectively used and how the containers it manages might be better than virtual machines.

  • Start your Red Hat training and certification journey with a skills path that's right for you

    When we talk to our customers they are often engaged in digital transformation projects where they have trouble finding employees with the right skills to drive the projects to success. If you want to prove you have the knowledge needed to lead these projects, a skills path can guide you through the right training and certification programs to develop and demonstrate those abilities. The Red Hat Training and Certification team has restructured its curriculum around 23 new skills paths to prepare you and your team to complete digital transformation projects successfully. Each new skills path provides a curated guide for learning industry leading, open hybrid cloud technologies, whether you’re in the beginning of your journey to becoming a Red Hat Certified Professional or you’re already an expert in your discipline. We offer skills paths that help prepare for the future of open hybrid cloud for administrators, developers, engineers, or architects.

  • How IBM's Massive POWER9 UNIX Servers Benefit from InfluxDB and Grafana Technology

    IBM has been innovating to create new products for its clients and the world for over a century. Customers look to IBM Power Systems to address their hybrid multicloud infrastructure needs. Larger POWER9 servers can have up to 192 CPU cores, 64 TB of memory, dozens of PB of SAN storage and typically run a mixture of AIX (UNIX) and Enterprise Linux (RHEL or SLES) workloads. As part of its sales process, IBM is always benchmarking its new hardware and software which clients use to monitor their systems.

  • National Information Resources Service Daegu Center and Orange Life Named Winners of the Red Hat APAC Innovation Awards 2020 for Korea

    Red Hat, Inc., the world's leading provider of open source solutions, today announced the winners of the Red Hat APAC Innovation Awards 2020 for South Korea. The National Information Resources Service (NIRS) Daegu Center and Orange Life were honored at the Red Hat Forum Asia Pacific 2020 today for their exceptional and innovative use of Red Hat solutions.

  • ANZ Named Winner of the Red Hat APAC Innovation Awards 2020 for Australia and New Zealand Region

    Red Hat, Inc., the world's leading provider of open source solutions, today announced the winner of the Red Hat APAC Innovation Awards 2020 for the Australia and New Zealand region. Australia and New Zealand Banking Group Limited (ANZ) was honored at the Red Hat Forum Asia Pacific 2020 today for its exceptional and innovative use of Red Hat solutions.