More in Tux Machines

Plasma 5.20 is an exceptionally refined desktop

There you go. I have to say, this is the best Plasma release in a long while. I would say since 5.12. In fact, this should have been the LTS. You get everything: speed, stability, consistency, beautiful looks, highly functional software. And now, the challenge: this ought to remain, without regressions, for three releases. There are some small niggles here and there, but all in all, there's nothing cardinally wrong with this edition. Quite the contrary, it brings massive improvements on many levels, and infuses joy into my jaded soul, a ray of hope that has been absent for many months now. If you're contemplating Linux, or contemplating replacing your desktop environment, then Plasma 5.20 offers the freshest, most elegant solution by a huge margin. Worth testing and using - and hopefully, there will be some long-term version available somewhere, so that people who need stability and minimal change can settle in and enjoy a refined, pleasant desktop. That's my wish for the new year, and now off you go testing. Bottom line: awesome. Bye bye.

Accessibility in GTK 4

The big news in last week's GTK 3.99.3 release is that we have a first non-trivial backend for our new accessibility implementation. Therefore, now is a good time to take a deeper look at accessibility in GTK 4. Let's start with a quick review of how accessibility works on Linux. The actors in this are applications and assistive technologies (ATs) such as screen readers (for instance, Orca), magnifiers and the like. The purpose of ATs generally is to provide users with alternative ways to interact with the application that are tailored to their needs (say, an enlarged view, text read out aloud, or voice commands). To do this, ATs need a lot of detailed information about the application's UI, and this is where the accessibility stack comes into play—it is the connecting layer between the application (or its toolkit) and the ATs.

Security Leftovers

  • Kaspersky's Secur'IT hacking competition attracts entrants from 24 universities

    Four university students, competing as ByteMe, have won the first prize in the Secur'IT Cup, an annual hacking competition jointly organised by security outfit Kaspersky and Hackathons Australia.

  • Hackers Use Billboards to Trick Self-driving Cars into Slamming on the Brakes

    “The attacker just shines an image of something on the road or injects a few frames into a digital billboard, and the car will apply the brakes or possibly swerve, and that’s dangerous,” Ben Gurion University researcher Yisroel Mirsky told the magazine. “The driver won’t even notice at all. So somebody’s car will just react, and they won’t understand why.”

  • File Exfiltration via Libreoffice in BigBlueButton and JODConverter

    BigBlueButton is a free web-based video conferencing software that lately got quite popular, largely due to Covid-19. Earlier this year I did a brief check on its security which led to an article on (German). I want to share the most significant findings here. BigBlueButton has a feature that lets a presenter upload a presentation in a wide variety of file formats that then gets displayed in the web application. This looked like a huge attack surface. The conversion for many file formats is done with LibreOffice on the server. Looking for ways to exploit server-side LibreOffice rendering I found a blog post by Bret Buerhaus that discussed a number of ways of exploiting such setups. One of the methods described there is a feature in OpenDocument Text (ODT) files that allows embedding a file from an external URL in a text section. This can be a web URL like https or a file URL and include a local file. This directly worked in BigBlueButton. An ODT file that referenced a local file would display that local file. This allows displaying any file that the user running the BigBlueButton service could access on the server. A possible way to exploit this is to exfiltrate the configuration file that contains the API secret key, which then allows basically controlling the BigBlueButton instance. I have a video showing the exploit here. (I will publish the exploit later.) I reported this to the developers of BigBlueButton in May. Unfortunately, my experience with their security process was not very good. At first I did not get an answer at all. After another mail they told me they plan to sandbox the LibreOffice process either via a chroot or a Docker container. However, that still has not happened yet. It is planned for the upcoming version 2.3 and, independent of this bug, this is a good idea, as LibreOffice just creates a lot of attack surface. Recently I looked a bit more into this. The functionality to include external files only happens after a manual user confirmation, and if one uses LibreOffice on the command line it does not work at all by default. So in theory this exploit should not have worked, but it did. It turned out the reason for this was another piece of software that BigBlueButton uses called JODConverter. It provides a wrapper around the conversion functionality of LibreOffice. After contacting both the LibreOffice security team and the developer of JODConverter we figured out that it enables including external URLs by default.

  • New Gitjacker tool lets you find .git folders exposed online

    A new open-source tool called Gitjacker can help developers discover when they've accidentally uploaded /.git folders online and have left sensitive information exposed to attackers. Gitjacker is available as a free download on GitHub.
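A defender-side pre-check for the BigBlueButton upload path described in the LibreOffice/JODConverter item above, added here as an example (it is not code from the article, from BigBlueButton or from JODConverter): it opens an uploaded ODT archive, walks every XML part for xlink:href attributes with an external scheme, and rejects the file before it is handed to the converter. The text:section-source element comes from the OpenDocument format; the sample path in the test input is a constructed placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# URL schemes that make the renderer fetch content from outside the document.
# Relative links such as "Pictures/1.png" or "#anchor" have no scheme and are kept.
EXTERNAL_SCHEMES = {"file", "http", "https", "ftp"}

def find_external_links(odt_bytes):
    """Return (element, href) pairs for every xlink:href in the ODT's XML parts
    that points outside the archive (file://, http://, ...)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".xml"):
                continue
            root = ET.fromstring(zf.read(name))
            for elem in root.iter():
                href = elem.get(XLINK_HREF)
                if href and urlsplit(href).scheme.lower() in EXTERNAL_SCHEMES:
                    # keep only the local tag name, without the namespace URI
                    findings.append((elem.tag.rsplit("}", 1)[-1], href))
    return findings

def is_safe_to_convert(odt_bytes):
    """Gate for the upload handler: reject before the file reaches LibreOffice."""
    return not find_external_links(odt_bytes)

def build_sample_odt(section_href=None):
    """Constructed test input: a minimal ODT archive with one text section,
    optionally linked to an external source (hypothetical placeholder path)."""
    source = f'<text:section-source xlink:href="{section_href}"/>' if section_href else ""
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-content'
        ' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
        ' xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"'
        ' xmlns:xlink="http://www.w3.org/1999/xlink">'
        f'<office:body><office:text><text:section text:name="Sect1">{source}'
        '<text:p>hello</text:p></text:section></office:text></office:body>'
        '</office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content)
    return buf.getvalue()
```

Such a check complements, rather than replaces, the sandboxing the article mentions: it only covers links expressed as xlink:href, so the converter should still run with no access to secrets.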

Debian donation for Peertube development

The Debian project is happy to announce a donation of 10,000 USD to help Framasoft reach the fourth stretch-goal of its Peertube v3 crowdfunding campaign -- Live Streaming. This year's iteration of the Debian annual conference, DebConf20, had to be held online, and while being a resounding success, it made clear to the project our need to have a permanent live streaming infrastructure for small events held by local Debian groups. As such, Peertube, a FLOSS video hosting platform, seems to be the perfect solution for us. We hope this unconventional gesture from the Debian project will help us make this year somewhat less terrible and give us, and thus humanity, better Free Software tooling to approach the future.