Security: SKS, YouTube, Malware and More

  • Impact of SKS keyserver poisoning on Gentoo

    The SKS keyserver network has been a victim of a certificate poisoning attack lately. The OpenPGP verification used for repository syncing is protected against the attack. However, our users can be affected when using GnuPG directly. In this post, we would like to briefly summarize what the attack is, what we did to protect Gentoo against it and what you can do to protect your system.

    The certificate poisoning attack abuses three facts: that OpenPGP keys can contain an unlimited number of signatures, that anyone can append signatures to any key and that there is no way to distinguish a legitimate signature from garbage. The attackers are appending a large number of garbage signatures to keys stored on SKS keyservers, causing them to become very large and cause severe performance issues in GnuPG clients that fetch them.

    The attackers have poisoned the keys of a few high-ranking OpenPGP people on the SKS keyservers, including one Gentoo developer. Furthermore, the current expectation is that the problem won’t be fixed any time soon, so it seems plausible that more keys may be affected in the future. We recommend users not to fetch or refresh keys from the SKS keyserver network (this includes aliases such as keys.gnupg.net) for the time being. GnuPG upstream is already working on client-side countermeasures and they can be expected to enter Gentoo as soon as they are released.

  • YouTube's latest ban? Infosec instructional videos are outlawed

    Google's video-sharing site YouTube has started to ban videos that show users how to get past software restrictions and provide instructions on information security.

  • Youtube's ban on "hacking techniques" threatens to shut down all of infosec Youtube

    Youtube banning security disclosures doesn't make products more secure, nor will it prevent attackers from exploiting defects -- but it will mean that users will be the last to know that they've been trusting the wrong companies, and that developers will keep on making the same stupid mistakes...forever.

  • TN men use Bluetooth-enabled tablet to steal cars

    During the interrogation, one of the accused, a car mechanic, said he bought a Bluetooth-enabled tablet online used by car showroom staff to access the vehicles.

  • Kaspersky reinforce collaboration with INTERPOL in the fight against cybercrime

    This cooperation strengthens the existing relationship between the two organizations, ensuring information and technology sharing can support INTERPOL in cybercrime-related investigations. Within the new agreement, Kaspersky will share information about its cyberthreat research and provide the necessary tools to assist with full digital forensics, aimed at strengthening efforts on the prevention of cyberattacks.

  • China Is Forcing Tourists to Install Text-Stealing Malware at its Border

    The malware downloads a tourist’s text messages, calendar entries, and phone logs, as well as scans the device for over 70,000 different files.

  • Chinese border guards reportedly install spy apps on tourists' Android phones

    Border guards reportedly took tourists' phones and secretly installed an app on them which could extract emails, texts and contacts, along with information about the handset; basically a motherlode of privacy-sapping stuff.

    There are reports that in some cases Android phones are returned to those entering the region with an app called Fēng cǎi installed. Apple's iPhones don't appear to come back with the app, but they could have been scanned by border control guards in a separate area after travellers were forced to hand them over.

  • China Snares Tourists’ Phones in Surveillance Dragnet by Adding Secret App

    The app gathers personal data from phones, including text messages and contacts. It also checks whether devices are carrying pictures, videos, documents and audio files that match any of more than 73,000 items included on a list stored within the app’s code.
