Security: NSA, Microsoft Debacles, and FOSS Updates

  • Script Recovers Event Logs Doctored by NSA Hacking Tool
    Security researchers have found a way to reverse the effects of an NSA hacking utility that deletes event logs from compromised machines. Last week, Fox-IT published a Python script that recovers event log entries deleted using the "eventlogedit" utility that's part of DanderSpritz, a supposed NSA cyber-weapon that was leaked online by a hacking group known as the Shadow Brokers. According to Fox-IT, they found a flaw in the DanderSpritz log cleaner when they realized the utility does not actually delete event log entries, but only unreferences them, merging entries together.
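The mechanism described above (a record that is "unreferenced" rather than erased, so the record before it appears to grow and swallow it) is easy to model. The block below is an added example written for this page, not Fox-IT's script and not a full EVTX parser: it builds a few records with the real EVTX record header layout (magic `**\0\0`, 32-bit size, 64-bit record id, 64-bit FILETIME, payload, trailing size copy), models the size-field edit, and then recovers the skipped record by scanning for signatures the chain never lands on. The payload bytes, record ids and timestamps are constructed sample data, and the `unreference_next` function is an assumption about how the edit behaves, kept to the single detail the article gives (the entry is not removed, only merged into its neighbour).

```python
import struct

# EVTX event record layout: magic "**\0\0", uint32 size, uint64 record id,
# uint64 FILETIME, BinXML payload, and a trailing uint32 copy of the size.
MAGIC = b"\x2a\x2a\x00\x00"
HEADER = struct.Struct("<4sIQQ")  # 24-byte fixed header


def build_record(record_id, filetime, payload):
    """Assemble one record; the size counts header, payload and trailer."""
    size = HEADER.size + len(payload) + 4
    return HEADER.pack(MAGIC, size, record_id, filetime) + payload + struct.pack("<I", size)


def header_at(chunk, offset):
    """Decode (size, record_id, filetime) at offset, or None if no plausible record is there."""
    if chunk[offset:offset + 4] != MAGIC or offset + HEADER.size + 4 > len(chunk):
        return None
    _, size, record_id, filetime = HEADER.unpack_from(chunk, offset)
    if size < HEADER.size + 4 or offset + size > len(chunk):
        return None
    return size, record_id, filetime


def trailer_agrees(chunk, offset, size):
    """An intact record repeats its size in the last four bytes."""
    return struct.unpack_from("<I", chunk, offset + size - 4)[0] == size


def unreference_next(chunk, offset):
    """Model (assumption, not the tool's code) of a 'delete' that only edits the
    size field: the following record's size is added to this record's header
    size, so a size-following parser steps over it. Its bytes stay in place."""
    size, _, _ = header_at(chunk, offset)
    next_size, _, _ = header_at(chunk, offset + size)
    edited = bytearray(chunk)
    struct.pack_into("<I", edited, offset + 4, size + next_size)
    return bytes(edited)


def walk_chain(chunk):
    """What a normal parser reports: (offset, record_id, payload, suspicious).
    A record whose trailer disagrees with its header size is flagged."""
    out, off = [], 0
    while off < len(chunk):
        hdr = header_at(chunk, off)
        if hdr is None:
            break
        size, record_id, _ = hdr
        out.append((off, record_id, chunk[off + HEADER.size:off + size - 4],
                    not trailer_agrees(chunk, off, size)))
        off += size
    return out


def recover_unreferenced(chunk):
    """Scan for record signatures the chain never visits and keep those that
    are self-consistent: these are the entries hidden by unreferencing."""
    referenced = {entry[0] for entry in walk_chain(chunk)}
    found, pos = [], chunk.find(MAGIC)
    while pos != -1:
        hdr = header_at(chunk, pos)
        if pos not in referenced and hdr and trailer_agrees(chunk, pos, hdr[0]):
            found.append((pos, hdr[1], chunk[pos + HEADER.size:pos + hdr[0] - 4]))
        pos = chunk.find(MAGIC, pos + 1)
    return found


def record_id_gaps(entries):
    """Record ids are sequential, so a jump between neighbours is a second sign of removal."""
    ids = [entry[1] for entry in entries]
    return [(a, b) for a, b in zip(ids, ids[1:]) if b != a + 1]


def demo():
    """Constructed sample: three records, the middle one 'deleted' by unreferencing."""
    t0 = 0x01D3700000000000  # arbitrary FILETIME-like value
    payloads = [b"EventID=4624 logon alice", b"EventID=4720 user created",
                b"EventID=1102 log cleared"]
    clean = b"".join(build_record(100 + i, t0 + i, p) for i, p in enumerate(payloads))
    doctored = unreference_next(clean, 0)           # record 101 disappears from the chain
    visible = [entry[1] for entry in walk_chain(doctored)]
    hidden = recover_unreferenced(doctored)
    return visible, hidden, record_id_gaps(walk_chain(doctored))


if __name__ == "__main__":
    visible, hidden, gaps = demo()
    print("chain shows ids:", visible)
    print("id gaps:", gaps)
    for off, rid, payload in hidden:
        print(f"recovered record {rid} at offset {off}: {payload!r}")
```

On the constructed sample the chain reports ids 100 and 102 with a gap between them, the first record is flagged because its header size no longer matches its trailer, and the scan recovers record 101 intact. The trailer check is what keeps a stray `**\0\0` inside a payload from being reported as a record.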
  • Pre-Installed Keylogger Discovered on Hundreds of HP Laptop Models
    A keylogger that can record pretty much every keystroke on the computer has been discovered on HP’s devices, with a security researcher revealing that hundreds of laptop models come with this hidden software pre-installed. Michael Myng says in an analysis of the keylogger that the code is hiding in the Synaptics touchpad driver, and he discovered it while looking into ways to control the keyboard backlight on his laptop. According to his findings, the keylogger isn’t activated by default, but it can be turned on by any attacker who gets access to the system. The list of affected models includes hundreds of laptops across the EliteBook, ProBook, Spectre, ZBook, Envy, and Pavilion lines.
  • Laptop touchpad driver included extra feature: a keylogger [Ed: This is the second time in recent times HP gets caught with keyloggers; This is no accident, it's intentional.]
    Flaws in software often offer a potential path for attackers to install malicious software, but you wouldn't necessarily expect a hardware vendor to include potentially malicious software built right into its device drivers. But that's exactly what a security researcher found while poking around the internals of a driver for a touchpad commonly used on HP notebook computers—a keystroke logger that could be turned on with a simple change to its configuration in the Windows registry.
  • Microsoft Needed 110 Days to Fix Critical Security Bug After First Ignoring It
    Microsoft needed more than 100 days to fix a critical credential leak in Dynamics 365 after the company originally ignored the bug report and only reacted after being warned that details could go public. Software engineer Matthias Gliwka explains in a long blog post that he discovered and reported a security flaw in Microsoft’s customer relationship management (CRM) and enterprise resource planning (ERP) software in August, but the software giant refused to fix it on the grounds that administrator credentials would be required. Gliwka says he came across a wildcard transport layer security (TLS) certificate whose private key was also present, which would let anyone holding that key decrypt intercepted traffic. The developer says that extracting the certificate grants access to any sandbox environment, with absolutely no warning or message displayed to clients.
  • UK Spy Agency Finds Severe Flaw in Microsoft Antivirus in Kaspersky Bye-Bye Push
  • Security updates for Monday

OSS Leftovers

  • What is a blockchain smart contract?
    Now, in a blockchain, the important thing is that once the state has changed, you then ensure it's recorded on the blockchain so that it's public and nobody can change or challenge it. But there are other uses for blockchain technology, as I explained in "Is blockchain a security topic?" Permissioned systems, often referred to as distributed ledger technologies (DLTs), are a great fit for non-transactional state models, largely because the sort of people who are interested in them are closed groups of organisations that want to have complex sets of conditions met before they move to the next state. These aren't, by the tightest definition, blockchains. Banks and other financial institutions may be the most obvious examples where DLTs are gaining traction, but they are very useful in supply chain sectors, for instance, where you may have conditions around changing market rates, availability, and shipping times or costs, which may all play into the final price of the commodity or service being provided.
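The two ideas in the passage above, a closed group of organisations that must all sign off before the shared state moves on, and a record of each move that nobody can later alter, can be shown in a small state machine. The block below is an added example written for this page; it is a toy model, not code from the article or from any real DLT. Member names, keys, states, the supply-chain rules and the price arithmetic are all constructed for illustration, and approvals are HMACs under shared secrets where a real system would use public-key signatures.

```python
import hashlib
import hmac
import json


def digest(obj):
    """Canonical JSON -> SHA-256 hex. Used both to chain entries and as the thing members sign."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class PermissionedLedger:
    """Toy permissioned ledger: known members, fixed transition rules, hash-chained history."""

    def __init__(self, member_keys, transitions, initial_state):
        self.keys = member_keys          # member -> shared secret (stand-in for a signing key)
        self.transitions = transitions   # (from_state, to_state) -> (required approvers, condition(data))
        self.chain = [{"prev": "0" * 64, "state": initial_state, "data": {}, "approvals": {}}]

    def head(self):
        return self.chain[-1]

    def propose(self, to_state, data):
        """A proposal binds the intended transition to the current head, so approvals cannot be replayed later."""
        return {"prev": digest(self.head()), "state": to_state, "data": data}

    def approve(self, member, proposal):
        """A member's approval: HMAC over the proposal digest under that member's key."""
        return hmac.new(self.keys[member].encode(), digest(proposal).encode(), "sha256").hexdigest()

    def commit(self, proposal, approvals):
        """Advance only if the transition exists, its condition holds, and every required member approved."""
        if proposal["prev"] != digest(self.head()):
            return False, "stale proposal"
        rule = self.transitions.get((self.head()["state"], proposal["state"]))
        if rule is None:
            return False, "transition not permitted"
        required, condition = rule
        if not condition(proposal["data"]):
            return False, "condition not met"
        for member in required:
            if not hmac.compare_digest(approvals.get(member, ""), self.approve(member, proposal)):
                return False, f"missing or invalid approval from {member}"
        self.chain.append({**proposal, "approvals": dict(approvals)})
        return True, proposal["state"]

    def verify(self):
        """Recompute every link; editing any earlier entry breaks the chain after it."""
        return all(cur["prev"] == digest(prev) for prev, cur in zip(self.chain, self.chain[1:]))


def demo():
    """Constructed supply-chain flow: ordered -> shipped -> settled. Amounts are in cents, rates in basis points."""
    keys = {"buyer": "k-buyer", "supplier": "k-supplier", "carrier": "k-carrier"}
    rules = {
        ("ordered", "shipped"): ({"supplier", "carrier"}, lambda d: d["shipping_days"] <= 14),
        ("shipped", "settled"): ({"buyer", "supplier"},
                                 lambda d: d["price"] == d["base_price"] * d["rate_bp"] // 10000 + d["shipping_cost"]),
    }
    ledger = PermissionedLedger(keys, rules, "ordered")

    p1 = ledger.propose("shipped", {"shipping_days": 10, "shipping_cost": 12000})
    ok_partial, _ = ledger.commit(p1, {"carrier": ledger.approve("carrier", p1)})          # supplier missing
    ok_full, _ = ledger.commit(p1, {m: ledger.approve(m, p1) for m in ("supplier", "carrier")})

    p2 = ledger.propose("settled", {"base_price": 100000, "rate_bp": 10500, "shipping_cost": 12000, "price": 117000})
    ok_settle, _ = ledger.commit(p2, {m: ledger.approve(m, p2) for m in ("buyer", "supplier")})

    intact = ledger.verify()
    ledger.chain[1]["data"]["shipping_cost"] = 1   # one party quietly rewrites history
    return ok_partial, ok_full, ok_settle, intact, ledger.verify(), ledger.head()["state"]


if __name__ == "__main__":
    print(demo())
```

The first commit fails because only the carrier approved, the second succeeds once both required members have signed the same proposal, and the settlement goes through because the recorded price matches the agreed formula. After the fact, editing the shipping cost in the committed entry makes `verify()` fail, which is the property the passage cares about: the record can be audited by the group but not changed.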
  • Running a successful open source project
    Running an open source project is easy. All you have to do is make your source code available and you’re open source, right? Well, maybe. Ultimately, whether or not an open source project is successful depends on your definition of success. Regardless of your definition, creating an open source project can be a lot of work. If you have goals regarding adoption, for example, then you need to be prepared to invest. While open source software is “free as in beer”, it’s not really free: time and energy are valuable resources and these valuable resources need to be invested in the project. So, how do you invest those resources?
  • New package repositories are now enabled by default
    During this year’s coding sprint in Toulouse (which I was able to attend, thanks to being in Europe on a study-abroad program), I spent a lot of time massaging HaikuPorts to generate a consistent-enough state of packages for us to switch to them by default, and then making the in-tree changes necessary for the switch. Thanks to this and mmlr’s comprehensive overhaul of the HaikuPorter Buildmaster over the past couple months, we have finally switched to the new repositories by default as of hrev51620. If you’ve installed a nightly image from after this, you should be able to just pkgman full-sync and upgrade away.
  • Haiku OS Is Very Close To Their Long Awaited Beta, New Repository Working
    The BeOS-inspired Haiku operating system should be issuing its long-awaited beta release by early 2018. For months there has been talk of the long-awaited beta for Haiku OS while it looks like roughly within the next month we should be actually seeing this milestone.
  • DeepVariant: Tool to call out variants in sequencing data goes open source
    Megan Molteni of Wired captured the nature of the challenge of learning more about our own genome: "Today, a teaspoon of spit and a hundred bucks is all you need to get a snapshot of your DNA. But getting the full picture—all 3 billion base pairs of your genome—requires a much more laborious process. One that, even with the aid of sophisticated statistics, scientists still struggle over." DeepVariant was developed by researchers from the Google Brain team, which focuses on AI techniques, and Verily, the Alphabet subsidiary focused on life sciences. It is built on the same kind of neural network used for image recognition, but DeepVariant is now making headlines not for identifying cats but as a way to scan genetic code for mutations. DeepVariant has gone open source. GitHub describes DeepVariant as "an analysis pipeline that uses a deep neural network to call genetic variants from next-generation DNA sequencing data."
  • Open source VPN clients vs VPN provider apps: which is better?
    Power users love open source software for its transparency and flexibility – but what about open source VPN software? Are there any open source VPN clients that can stand up to being compared with the more popular VPN apps from premium providers like ExpressVPN, VyprVPN, IPVanish or NordVPN? The short answer is... not really. But the long answer depends a lot on your level of technical know-how, patience, and where you’re willing to place your trust.
  • Coreboot Conference 2017 Videos Now Available
    For those interested in the open-source Coreboot project, which serves as a replacement for proprietary UEFI/BIOS firmware, the videos from the European Coreboot Conference are now available. The European Coreboot Conference 2017 (ECC'17) was held in Bochum, Germany at the end of October.
  • Election night hackathon supports civic engagement
    On November 7, 2017, members of the Rochester Institute of Technology (RIT) community came together for the annual Election Night Hackathon held in the Simone Center for Student Innovation. This marked the seventh anniversary of a civic tradition for the FOSS @ MAGIC community, in which students and faculty analyze civic problems in the local community, state, or country and propose a project to address them. MAGIC Center faculty and event organizers are on hand to help students choose open source licenses and publish and share their code.
  • KDE: Randa Meetings and KDE Edu Sprint 2017

    • Looking Back at Randa Meetings 2017: Accessibility for Everyone
      Randa Meetings are a yearly collection of KDE Community contributor sprints that take place in Randa, Switzerland. With origins dating back to a Plasma meeting in 2009, Randa is one of the most important developer-related events in the community.
    • KDE Edu Sprint 2017
      Two months ago I attended KDE Edu Sprint 2017 in Berlin. It was my first KDE sprint (really, I have been sending code to KDE software since 2010 and had never gone to a sprint!) so I was really excited about the event. KDE Edu is the umbrella for KDE's educational software. There is a lot of it, and it is the main educational software suite in the free software world. Despite that, KDE Edu has received little attention on the organizational side; for instance, the previous KDE Edu sprint occurred several years ago, our website has some problems, and more. Therefore, this sprint was an opportunity not only for developers to work on software development, but for work on the organizational side as well. On the organizational side, we discussed the rebranding of some software more related to university work than to “education” itself, like Cantor and LabPlot. There was a wish to create something like a KDE Research/Science umbrella in order to put software like them and others like Kile and KBibTeX together. There is a discussion about this theme.