Language Selection

English French German Italian Portuguese Spanish

Login

Enter your Tux Machines username.
Enter the password that accompanies your username.

More in Tux Machines

Best Open Source Games in 2020

There’s no reason to spend $60 on a new AAA release just to bring some variety into your gaming diet when there are many fantastic open source games that are completely free and just as engaging as their big-budget counterparts. It’s true that open source games seldom give you the graphical fidelity you may be used to from the most technically advanced games of this console generation, they give you something many best-selling titles today desperately miss: captivating gameplay. Read more

Best Open Source Secure Email Gateway Packages

Secure Email Gateways or Email security gateways are gateways designed to filter mail traffic. Some mail providers and other types of organizations implement this solution to fight attacks like phishing, email-borne attacks, viruses, malwares and more attacks which can be filtered by an email gateway, but it also can prevent information leak by infidel members of the organization, etc. It is a controller of mail content which rules according to the specified rules and policies. Email Secure Gateways are available as a cloud service, as virtual appliance, locally at the mail server and there are both software and hardware solutions but this article focuses on 5 Email Security Gateways: MailScanner, MailCleaner, Proxmox, Hermes Secure Email Gateway and OrangeAssasin, all them include free versions while some offer additional paid versions with extra features. Read more

FerenOS (2020) | Review from an openSUSE User

FerenOS undoubtedly focuses on visual aesthetics, user interface and user experience. The last time I looked at FerenOS, it was built on the Cinnamon Desktop Environment. At the time, the Plasma version was called “Feren Next” and and initially I was disappointed I didn’t use the Plasma version, but now I am very glad I did as I can compare this experience with my last FerenOS experience. This is my review as an openSUSE User. To say this will be completely objective would essentially be a big giant lie. This will be quite biased as I enjoy openSUSE Tumbleweed with the Plasma desktop, day in and day out on multiple machines, including my daily driver, low end laptops and more powerful workstations and servers. I am happily entrenched but that doesn’t mean I don’t like to look over the fences from time to time to see what other parts of the community are doing. Plus, you can’t go anywhere without bumping in to “FerenOS Dev” on some YouTube chat, Telegram or Discord announcing his enhancements. Bottom Line Up Front: FerenOS (2020) is simply fantastic. The way you are greeted and guided through your setup is brilliant. I am not keen on every design decision but that matters not as I am never keen on every design decision presented in any other distribution, to include my own. FerenOS is going for a look that is uniquely its own and is not afraid to experiment, cross toolkit boundaries and stray from the normal. I appreciate the design decisions, more than any other “boutique” distribution I have seen in a long while. Do I like all of them? No. Would I choose many of these? Also, No. But I think they do look great make for an enjoyable experience, just not one I would prefer. Read more

Security Leftovers

  • The Idealistic Future of HardenedBSD

    In the last status report, we stood up our own git server. Since then, we've migrated our entire infrastructure to point to our self-hosted git as the source-of-truth repo.

  • Leaked Documents Expose the Secretive Market for Your Web Browsing Data
  • Wladimir Palant: Avast's broken data anonymization approach

    Avast used to collect the browsing history of their users without informing them and turn this data into profits via their Jumpshot subsidiary. After a public outcry and considerable pressure from browser vendors they decided to change their practices, so that only data of free antivirus users would be collected and only if these explicitly opt in. Throughout the entire debacle Avast maintained that the privacy impact wasn’t so wild because the data is “de-identified and aggregated,” so that Jumpshot clients never get to see personally identifiable information (PII). [...] How Amazon would deanonymize this data The example used by Ondřej Vlček makes it very obvious who Avast tries to protect against. I mean, the address identifier they removed there is completely useless to me. Only Amazon, with access to their data, could turn that parameter value into user’s identity. So the concern is that Jumpshot customers (and Amazon could be one) owning large websites could cross-reference Jumpshot data with their own to deanonymize users. Their patent confirms this concern when explaining implicit private information. But what if Amazon cannot see that addressID parameter any more? They can no longer determine directly which user the browsing history belongs to. But they could still check which users edited their address at this specific time. That’s probably going to be too many users at Amazon’s scale, so they will have to check which users edited their address at time X and then completed the purchase at time Z. That should be sufficient to identify a single user. And if Jumpshot doesn’t expose request times to their clients or merely shows the dates without the exact times? Still, somebody like Amazon could for example take all the products viewed in a particular browser history and check it against their logs. Each individual product has been viewed by a large number of users, yet the combination of them is a sure way to identify a single user. Mission accomplished, anonymization failed. How everybody else could deanonymize this data Not everybody has access to the same amounts of data as Amazon or Google. Does this mean that in most scenarios Jumpshot data can be considered properly anonymized? Unfortunately not. Researchers already realized that social media contain huge amounts of publicly accessible data, which is why their deanonymization demonstrations such as this one focused on cross-referencing “anonymous” browsing histories with social media. And if you think about it, it’s really not complicated. For example, if Avast were collecting my data, they would have received the web address https://twitter.com/pati_gallardo/status/1219582233805238272 which I visited at some point. This address contains no information about me, plenty of other people visited it as well, so it would have been passed on to Jumpshot clients unchanged. And these could retrieve the list of likes for the post. My Twitter account is one of the currently 179 who’s on that list.

  • Mushtik botnet now shopping for Tomato routers

    A new variant of the Mushtik botnet has been found attacking routers using the open-source Tomato router firmware with about 4.600 routers currently exposed on the internet. Musthtik has been operating since March 2018 using a worm-like propagating ability to infect and harvest Linux servers and IoT devices. The good news is the new variant uses its botnet for only a few tasks, cryptocurrency mining as to launch DDoS attacks and it has not been spotted injecting any additional malware onto a system, said Palo Alto Networks Unit 42. [...] “Botnet developers are increasingly compromising IoT devices installed with the open source firmware, which often lack the security updates and maintenance patches necessary to keep devices safeguarded. End users should be cautious when installing open source firmware and must follow the security guidelines in the firmware manual,” Unit 42 said.

  • Fugue open sources Regula, security and compliance tool for Terraform

    Working with Terraform infrastructure-as-code can sometimes be a bit of a headache when it comes to tracking security misconfigurations and compliance violations, but now Fugue has open sourced their Regula tool to assist engineers with maintaining vigilance. Let’s take a closer look. Last week, cloud infrastructure security and compliance solution provider Fugue open sourced one of their tools called Regula. From the press release, it “is a tool that evaluates Terraform infrastructure-as-code for security misconfigurations and compliance violations prior to deployment. Regula rules are written in Rego, the open source policy language employed by the Open Policy Agent project and can be integrated into CI/CD pipelines to prevent cloud infrastructure deployments that may violate security and compliance best practices.”

  • More 2020 Trends for Open Source and SCA [Ed: In order to sell its proprietary software, Flexera is -- as usual -- badmouthing FOSS security]

    A review of the National Vulnerability Database (NVD) shows the number of vulnerabilities contributed to the database is increasing year over year. Let’s be clear. This doesn’t mean that code development is getting worse. To the contrary, the industry is doing a better job of paying attention to finding and reporting issues and, in addition, to finding fixes that address problems. We see this as a trend that will continue into 2020 and beyond. Likewise, developers are spending a significant amount of time both reviewing and remediating vulnerabilities as opposed to innovating and improving their applications. Technical debt is more than ever moving to the forefront of application development as engineers are dealing with security issues that were once dormant or unknown but because of raised awareness are now being discovered.