Security Leftovers

Filed under
Security
  • People Think Their Passwords Are Too Awesome For Two Factor Authentication. They’re Wrong.
  • Security updates for Thursday
  • Let's Encrypt Now Trusted by All Major Root Programs

    Now, the CA’s root is directly trusted by almost all newer versions of operating systems, browsers, and devices. Many older versions, however, still do not directly trust Let’s Encrypt.

    While some of these are expected to be updated to trust the CA, others won’t, and it might take at least five more years until most of them cycle out of the Web ecosystem. Until that happens, Let’s Encrypt will continue to use a cross signature.

  • WPA2 flaw lets attackers easily crack WiFi passwords

    The security flaw was found, accidentally, by security researcher Jens Steube while conducting tests on the forthcoming WPA3 security protocol; in particular, on differences between WPA2's Pre-Shared Key exchange process and WPA3's Simultaneous Authentication of Equals, which will replace it. WPA3 will be much harder to attack because of this innovation, he added.

  • Linux kernel network TCP bug fixed

    Another day, another bit of security hysteria. This time around the usually reliable Carnegie Mellon University's CERT/CC, claimed the Linux kernel's TCP network stack could be "forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service (DoS)."

  • State of Security for Open Source Web Applications 2018

    Each year, we publish a set of statistics summarizing the vulnerabilities we find in open source web applications. Our tests form part of Netsparker's quality assurance practices, during which we scan thousands of web applications and websites. This helps us to add to our security checks and continuously improve the scanner's accuracy.

    This blog post includes statistics based on security research conducted throughout 2017. But first, we take a look at why we care about open source applications, and the damage that can be caused for enterprises when they go wrong.

  • New Actor DarkHydrus Targets Middle East with Open-Source Phishing [Ed: Headline says "Open-Source Phishing," but this is actually about Microsoft Windows and Office (proprietary and full of serious bugs)]

    Government entities and educational institutions in the Middle East are under attack in an ongoing credential-harvesting campaign, mounted by a newly-named threat group known as DarkHydrus. In a twist on the norm, the group is leveraging the open-source Phishery tool to carry out its dark work.

    The attacks follow a well-worn pattern, according to Palo Alto Networks’ Unit 42 group: Spear-phishing emails with attached malicious Microsoft Office documents are leveraging the “attachedTemplate” technique to load a template from a remote server.
