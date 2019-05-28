Security: Firmware, 2FA, Microsoft Partners, FUD and KeePassXC 2.4.2 Why open source firmware is important for security I gave a talk recently at GoTo Chicago on Why open source firmware is important and I thought it would be nice to also write a blog post with my findings. This post will focus on why open source firmware is important for security.

How much is good online security worth to you? How about $100,000? [iophk: "except that 2FA is used to lock people into Google's proprietary mail clients, as they do not support 2FA on IMAP and probably never will since it is an open protocol which allows free choice of mail clients, not just Google's" Google’s research indicates that spear phishing emails impersonating family members, colleagues, government officials, or even Google itself, are the main ways to break into accounts. Attacks can persist for several weeks, and involve sophisticated man-in-the-middle techniques that prompt users to enter not just their password, but also authentication codes sent by SMS or from devices running software like Google Authenticator. Because of this weakness – and those deriving from the SIM swap attack – Google recommends that “high-risk users” enrol in its Advanced Protection Program, which requires the use of hardware 2FA keys. The cost of these is very low now – typically around $25. Of course, the downside with such hardware keys is that they require setting up, carrying around and using. Whether the undoubted extra security is worth the extra effort will depend on individual circumstances. For those who manage to minimise how much about their personal lives appears online, it may be enough to use weaker forms of 2FA. But given the central importance of email accounts in our digital lives, and how gaining control of them makes taking over other online services much easier, it is certainly something that people should seriously consider. Buying hardware keys could prove one of the best investments they ever make. Just ask someone who didn’t, and paid the price. In the case of Sean Coonce, that price turned out to be $100,000.

Open Source Security - How to Defend at the Speed of Attack On the sixth stop of a multi-city tour, ISMG and Sonatype visited San Francisco for an engaging discussion on how to mitigate risks introduced by open source software. Sonatype CMO Matt Howard discusses the relevance and value of this application security conversation. The reason why this topic resonates so well across sectors and regions? "Because software is the last path for differentiation in every industry," Howard says, "and whether you know it or not, every business in the world today is largely a software company."

Venafi: Four Ways Open Source Libraries Leave Organizations at Risk [Ed: of course proprietary software is absolutely perfect and comes with no risks, holes, back doors and so on]

WordPress Slick Popup plugin could leave backdoor open to hackers [Ed: This is a really sloppy case of programming or intentional malice caught thanks to the source being available. "The login credentials for the administrative accounts are the same for all of the sites."]

Netgate® Progresses TNSR™ Open Source Secure Networking with Release 19.05

KeePassXC 2.4.2 released We are happy to announce KeePassXC 2.4.2, the second maintenance release of the 2.4 series! This release fixes several bugs and introduces a memory wiping feature that will reduce the risk of secrets remaining in memory after a database is locked or being swapped to disk. Combined with the existing restrictions on memory access by non-administrators, this feature increases the security of KeePassXC. Other notable changes are fixes to entry editing, prevention of infinite save loops, ability to open non-http url’s, and preventing data loss when opening a database with duplicated attachment binaries.

