June 2019

Security Leftovers

Filed under
Security
  • Why cybersecurity has an open-source solution

    SHINN: Yeah. So you know, my colleagues in the open source community may have their own sort of different definitions about what they think open source is. But for me, open source has always been about the fact that if there’s something that I wanted to change in the software, I could do it. And that’s really the core. There are lots of other benefits of open source. It might be free, there might be a lot of people working on it, maybe there’s a community. But for me, it always started with the fact that I had a piece of software that I’m using, and I can make enhancements, changes and fixes.

    ABERMAN: True hacker culture.

    SHINN: That’s right. And in cybersecurity, that’s really important. There’s lots of really smart people out there. It’s not possible for any cybersecurity vendor to understand every possible situation in which their product might be used. The people who are going to understand that are the people who are closest to the problem. And it’s great if you can make it possible for them to enhance your software, and hopefully contribute that back to you. All boats rise together. So in the security world, we see some of the more interesting or powerful cybersecurity technologies, like Snort; it blew away all of the other network-based IDSes that were out there, all the proprietary ones.

  • The [Microsoft Windows] Worm That Nearly Ate the Internet [iophk: "Windows TCO"]

    Neither theory was correct. While some experts still disagree, most now believe that Conficker was the work of Ukrainian cybercriminals building a platform for global theft who succeeded beyond all expectation, or desire. The last thing a thief wants is to draw attention to himself. Conficker’s unprecedented growth drew the alarmed attention of cybersecurity experts worldwide. It became, simply, too hot to use.

    This explanation was detailed in an article published in December 2015 by The Journal of Sensitive Cyber Research and Engineering, a classified, peer-reviewed publication issued by a federal interagency cybersecurity working group including the Pentagon, Department of Homeland Security and N.S.A. — and distributed to a small number of experts with the appropriate security clearances. The article itself was not classified, but reached only a small readership. I obtained a copy this year.

  • Boeing’s 737 Max Software Outsourced to $9-an-Hour Engineers

    The coders from HCL were typically designing to specifications set by Boeing. Still, “it was controversial because it was far less efficient than Boeing engineers just writing the code,” Rabin said. Frequently, he recalled, “it took many rounds going back and forth because the code was not done correctly.”

  • Hackers Have Been Stealing User Data From Global Cell Networks Since 2012

    We've noted for a long time that the wireless industry is prone to being fairly lax on security and consumer privacy. One example is the recent rabbit hole of a scandal related to the industry's treatment of user location data, which carriers have long sold to a wide array of middlemen without much thought as to how this data could be (and routinely is) abused. Another example is the industry's refusal to address the longstanding flaws in Signaling System 7 (SS7, or Common Channel Signalling System 7 in the US), a series of protocols hackers can exploit to track user location, dodge encryption, and even record private conversations.

    This week, carriers were once again exposed for not being the shining beacons of security they tend to advertise themselves as. A new report emerged this week showcasing how, for years, hackers have been exploiting substandard security at more than 10 global wireless carriers to obtain massive troves of data on specific targets of interest. Researchers at Boston-based Cybereason, who first discovered the operation, say the hackers exploited a vulnerability on an internet-connected web server to gain a foothold into each cell provider's internal network.

  • Here We Go Again: Trump Administration Considers Outlawing Encryption

    It's unclear what the final decision was, but if it was to back such a law, we'll know about it soon enough. There are some sensible folks on this issue -- including some from the intelligence communities who actually understand the security value of encryption. The State Department and Commerce Departments are both also said to support keeping encryption legal. It's mostly the law enforcement folks who are against encryption: including parts of the DOJ and FBI, ICE and the Secret Service. As if any of those need any more power. Homeland Security (of which ICE is a part) is apparently "internally divided."

    It's been said before, but this is not a debate. There is no debate. There is no "on the one hand, on the other hand." There is no "privacy v. security." This is "no privacy and weakened security v. actual privacy and actual security." There's literally no debate to be had here. If you understand the issues, encryption is essential, and any effort to take away end-to-end encryption is outlawing technology that keeps everyone safe. While Senators Feinstein and Burr released a truly dangerous bill a few years back to outlaw encryption, who knows what sort of nonsense would come out of this and whether or not it could actually get enough support in Congress. Hopefully not.

  • Medtronic recalls some insulin pumps as FDA warns they can be hacked

    Medtronic is recalling some models of insulin pumps that are open to hacks, and the Food and Drug Administration warned consumers on Thursday that they cannot be patched to fix the holes.

    It’s a rare example of a medical device recall over a cybersecurity issue, although security professionals and the FDA have raised numerous concerns over the vulnerability of these devices for years.

    The insulin pumps subject to the recall connect wirelessly to other insulin equipment, including glucose meters, a monitoring system and controls that pump insulin.

    “The FDA is concerned that, due to cybersecurity vulnerabilities identified in the device, someone other than a patient, caregiver or health care provider could potentially connect wirelessly to a nearby MiniMed insulin pump and change the pump’s settings. This could allow a person to over deliver insulin to a patient, leading to low blood sugar ... or to stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis,” the FDA notice says.

  • EU to stage war games to prepare for hybrid threats

    Hybrid threats can be based on a wide variety of strategies, ranging from the spread of fake news to undermining trust and cyberattacks on energy or communication systems. Russia has often been blamed for using such tactics.

  • America’s Monopoly Crisis Hits the Military

    In historical terms, this is a shocking turnaround. Americans invented the telephone business and until recently dominated production and research. But in the last 20 years, every single American producer of key telecommunication equipment sectors is gone. Today, only two European makers—Ericsson and Nokia—are left to compete with Huawei and another Chinese competitor, ZTE.

    This story of lost American leadership and production is not unique. In fact, the destruction of America’s once vibrant military and commercial industrial capacity in many sectors has become the single biggest unacknowledged threat to our national security. Because of public policies focused on finance instead of production, the United States increasingly cannot produce or maintain vital systems upon which our economy, our military, and our allies rely. Huawei is just a particularly prominent example.

  • Felony Contempt of Business Model: Lexmark's Anti-Competitive Legacy

    Lexmark gave its customers the choice of paying extra for their cartridges (by buying refillable cartridges at a $50 premium), or paying extra for their toner (saving $50 on a cartridge whose "lock-out" chip prevented refilling, so that they would have to buy a whole cartridge when the non-refillable one ran dry). Customers, however, had a counteroffer for Lexmark: they wanted to save $50 on a "non-refillable" cartridge and then go ahead and refill it. After all, carbon is relatively abundant throughout the universe, and more locally, Earth has more carbon than it knows what to do with.

    Various competitors of Lexmark stepped up to help its customers with their counteroffer. One such company was Static Control Components, which reverse-engineered Lexmark's lock-out chip and found that its 55-byte program performed a relatively straightforward function that would be easy to duplicate: when a cartridge was newly filled, this chip signaled to the printer that the cartridge had available toner. Once the cartridge ran out, the chip would tell the printer that it had an empty cartridge. Refilling the cartridge did no good because the chip would still tell the printer that there was no toner available.

    After Static Control performed this bit of reverse engineering, it was able to manufacture its own chips, which it sold to remanufacturers, who would pour in fresh carbon, swap out the chip, and sell the cartridges. Lexmark had a strong objection to this. But like every business, Lexmark’s products should be subject to market pressures, including the possibility that customers will make uses (and re-uses) of your product that aren’t exactly what the manufacturer intended. Lexmark was in a position to create its own refilling business to compete with Static Control, of course. But it didn’t want to. Instead, it wanted to trap purchasers into the lucrative two-tier market it had dreamed up.

Programming Leftovers

Filed under
Development
  • Fedora 30 : The Pythonic tool.

    The tutorial for today is about the Pythonic tool.
    Pythonic is a graphical programming tool that makes it easy for users to create Python applications using ready-made function modules.
    This tool provides the consistent features and characteristics of a trading bot with just a few clicks.
    The Pythonic tool is currently available in four languages: English, German, Spanish, and Chinese.
    Basic functions such as a scheduler, if-branches, connectivity, and logging are available out of the box and can be parameterized using a corresponding GUI.
    Each graphical element is functionally processed individually.
    The base idea is: A unique graphical input mask to carry out the

  • Changelog podcast: me, double-dipping

    I had a great conversation with Jerod Santo on the Changelog podcast: The Changelog 351: Maintainer spotlight! Ned Batchelder. We talked about Open edX, and coverage.py, and maintaining open source software.

  • DocKnot 3.00

    This package started as only a documentation generator, but my goal for some time has been to gather together all of the tools and random scripts I use to maintain my web site and free software releases. This release does a bunch of internal restructuring to make it easier to add new commands, and then starts that process by adding a docknot dist command. This performs some (although not all) of the actions I currently use my release script for, and provides a platform for ensuring that the full package test suite is run as part of generating a distribution tarball.

  • Python Data Structures

    This post explains the data structures used in Python. It is essential to understand the data structures in a programming language. In python, there are many data structures available.

  • EuroPython 2019: Social event tickets available

    After the keynotes and talks on Thursday, July 11th, we’ve organized a social event at the workshop venue, the FHNW Muttenz. Starting at 19:00 CEST, you can join us for an evening party with finger food, drinks and music.

  • EuroPython 2019: SIM cards for attendees

    Switzerland is often not included in European cell providers’ roaming packages and is also not covered by the EU roaming regulation, so you can potentially incur significant charges when going online with your mobile or notebook.

  • Dependencies between Python Standard Library modules

    Glyph’s post about a “kernel python” from the 13th based on Amber’s presentation at PyCon made me start thinking about how minimal standard library could really be. Christian had previously started by nibbling around the edges, considering which modules are not frequently used, and could be removed. I started thinking about a more extreme change, of leaving in only enough code to successfully download and install other packages. The ensurepip module seemed like a necessary component for that, so I looked at its dependencies, with an eye to cutting everything else.

  • Weekly Python StackOverflow Report: (clxxxiv) stackoverflow python report

KDE Usability & Productivity: Week 77

Filed under
KDE

We’re up to week 77 in KDE’s Usability & Productivity initiative! This week’s report encompasses the latter half of the Usability & Productivity sprint. Quite a lot of great work got done, and two features I’m particularly excited about are in progress with patches submitted and under review: image annotation support in Spectacle, and customizable sort ordering for wallpaper slideshows.

openSUSE Leap 42.3 Linux OS Reached End of Life, Upgrade to openSUSE Leap 15.1

Filed under
SUSE

Released two years ago, on July 26th, 2017, the openSUSE Leap 42.3 operating system was the third maintenance update to the openSUSE Leap 42 series, which is also the last to be based on the SUSE Linux Enterprise (SLE) 12 operating system series.

openSUSE Leap 42.3 was based on the packages from SUSE Linux Enterprise 12 Service Pack 3 and was powered by the long-term supported Linux 4.4 kernel series. It was initially supposed to be supported until January 2019, but the openSUSE and SUSE projects decided to give users more time to upgrade to the major openSUSE Leap 15 series.

Lubuntu 19.04 Disco Dingo - Casus vitae

Filed under
Reviews
Ubuntu

Lubuntu 19.04 Disco Dingo feels ... raw. Unfinished. Half-baked. It has some perfectly decent functionality, like networking, media and phone support, but then it also comes with rudimentary package management, a jumbled arsenal of programs, a desktop that is too difficult to manage and tame, plus identity crisis. The truly redeeming factors are performance and battery life. This is a promise, and one well kept, and indeed, if there's one reason (or rather two reasons) to sample Lubuntu, there you have it.

I struggled with the overall purpose, though. As impressive as the speed and lightness are, they are only small improvements over what Plasma offers. But then, Plasma is much easier to customize and tweak, it offers a coherent, consistent experience, and it feels modern and relevant. With Lubuntu, I had no connection, and using the distro felt like a chore. I had to fight the weird defaults to try to create an efficient setup, and I wasn't able to achieve that. So I always go back to the question of investment versus benefit. Lubuntu feels too pricey for what it gives. For example, MX Linux delivers wonderfully on my eeePC, and it's quite simple to handle. With Lubuntu, there needs to be more order, more consistency in how it works. At the moment, it's just a collection of ideas mashed together. While perfectly functional, it's not really fun. 6/10. You should test, especially if you have old hardware.

Games Leftovers

Filed under
Gaming
  • Your weekend look at what good stuff is currently on sale

    Another week is behind us, let's take a look at some seriously good deals that are going on right now across different stores.

  • Oaths, coalitions and betrayal — some thoughts on Total War: THREE KINGDOMS

    Total War: THREE KINGDOMS was released in its all-caps glory about a month ago and saw a same-day Linux release thanks to porters Feral Interactive. The action this time around is centered in China during its fractious Three Kingdoms period of history that saw the end of the Han dynasty and warlords and coalitions battle it out for supremacy. More specifically, this Total War title also takes inspiration from the Romance of the Three Kingdoms novel and its larger-than-life heroes and villains. Developer Creative Assembly has put in plenty of time and effort to capture the feeling of both novel and the historical conflict.

  • Supraland 2, a sequel to the highly rated first-person metroidvania is crowdfunding and coming to Linux

    While the original Supraland isn't on Linux (yet), Supraland 2 is coming and it's currently crowdfunding to make a bigger sequel to the very highly rated first-person metroidvania.

    The campaign doesn't really give the best idea of the actual gameplay, as it seems it's largely assuming you already know the first game. It's basically a big play area, full of puzzles, things to combat and this is going to be more of the same with a brand new area and improved combat.

today's howtos

Games: Tannenberg, Project Zomboid and Jackbox Party Pack 6

  • Tannenberg the WWI FPS adds the new Ukraine map, still on sale in a bundle

    M2H and Blackmill Games have just released another pretty big update to Tannenberg, their impressive WWI first-person shooter. Today's update adds in the Ukraine map, which the developers say has plenty of open ground for HMGs to get you in their sights, with extensive trench networks to give some cover.

  • Project Zomboid just had the biggest Beta release ever overhauling loads of features

    Move over 7 Days to Die, you're not the only Zombie survival game in town with a recent overhaul. Project Zomboid is another that just released an absolutely massive Beta update to try out. Included in their "IWBUMS" (I Will Back Up My Save) Beta branch on Steam (not on GOG until stable) is the first step towards Project Zomboid version 41. The amount of changes included is quite ridiculous. The Indie Stone even said it's the "most fundamental and wide-ranging update that Project Zomboid has ever had" and they're not wrong. This latest Beta is work towards making Project Zomboid feel a little more alive and have a wider variety for everything. It's a foundation to bring even more big changes to PZ, with the new animation work in this build helping to bring wild animals in the next major build. This Beta is expected to last a while, as they have more to add back into it.

  • The Jackbox Party Pack 6 has officially released with Linux support

    In the mood to have a party? Well you're in luck as The Jackbox Party Pack 6 is now available with Linux support. Continuing their great support of Linux gaming, all six packs have Linux versions which is excellent! What makes the Jackbox Party Pack (any of them) great is how you connect to play them. No need to hook up 4 or 5 gamepads, stretch wires across the floor or anything annoying like that. You load the game, tell everyone to pull out their phone or tablet and connect up to their website with a room code and—pop, you're in the game.

GhostBSD Reaffirms To Being TrueOS+BSD Desktop OS With Official MATE Desktop

With Project Trident moving away from a TrueOS/FreeBSD base to instead Void Linux, if you are looking for a good BSD-based desktop operating system it largely comes down to the likes of MidnightBSD and GhostBSD providing good out-of-the-box setups. As for GhostBSD, they are reaffirming their commitment to using TrueOS/FreeBSD and MATE as their official desktop. The project reaffirmed on Wednesday that they are sticking to their TrueOS with FreeBSD 12-STABLE base while being a "slow-moving rolling release" that will eventually migrate to TrueOS with FreeBSD 13-STABLE after it is available.

Direct: Dealing with the misunderstandings of what is GhostBSD

Also: Codebase: Neck Deep | BSD Now 320

OpenBSD 6.6 Released

  • OpenBSD 6.6

    This is a partial list of new features and systems included in OpenBSD 6.6. For a comprehensive list, see the changelog leading to 6.6.

  • OpenBSD 6.6 Arrives: Disables GCC In Base For ARMv7/i386, SMP Improvements, AMDGPU Added

    Theo de Raadt released OpenBSD 6.6 today as the newest feature update to this popular BSD operating system known for its security focus. OpenBSD 6.6 has moved to disabling GCC in its base packages for i386 and ARMv7, LLVM Clang platform support has been expanded, various SMP improvements and more system calls being unlocked, improved Linux compatibility with ACPI interfaces, a number of new hardware drivers, wired and wireless networking stack improvements, various installation enhancements, and the never-ending work on improving the security. OpenBSD 6.6 ships with OpenSSH 8.1, LibreSSL 3.0.2, OpenSMTPD 6.6, and other updated packages.