
Security: SKS, YouTube, Malware and More

Filed under: Security
  • Impact of SKS keyserver poisoning on Gentoo

    The SKS keyserver network has been a victim of certificate poisoning attack lately. The OpenPGP verification used for repository syncing is protected against the attack. However, our users can be affected when using GnuPG directly. In this post, we would like to shortly summarize what the attack is, what we did to protect Gentoo against it and what you can do to protect your system.

    The certificate poisoning attack abuses three facts: that OpenPGP keys can contain an unlimited number of signatures, that anyone can append signatures to any key and that there is no way to distinguish a legitimate signature from garbage. The attackers are appending a large number of garbage signatures to keys stored on SKS keyservers, causing them to become very large and causing severe performance issues in GnuPG clients that fetch them.

    The attackers have poisoned the keys of a few high ranking OpenPGP people on the SKS keyservers, including one Gentoo developer. Furthermore, the current expectation is that the problem won’t be fixed any time soon, so it seems plausible that more keys may be affected in the future. We recommend users not to fetch or refresh keys from the SKS keyserver network (this includes aliases such as keys.gnupg.net) for the time being. GnuPG upstream is already working on client-side countermeasures and they can be expected to enter Gentoo as soon as they are released.
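The Gentoo post describes the mechanism (signature packets appended without limit) but not how to tell a flooded key from a normal one before GnuPG tries to import it. The script below is an added example, not code from the Gentoo post or from GnuPG: it walks the packet framing of a binary (non-armored) OpenPGP key export as laid out in RFC 4880 section 4.2, counts signature packets per user ID, and flags a key whose user IDs carry an implausible number of certifications. The threshold of 1000 signatures per user ID is an assumption chosen for illustration, and the sample key is constructed inline from dummy packet bodies so that only the framing is realistic.

```python
"""Count OpenPGP packets in a binary key export and flag signature flooding.

Added example for the SKS poisoning write-up above; not Gentoo or GnuPG code.
Parses packet headers only (RFC 4880 section 4.2); packet bodies are opaque.
"""
from collections import Counter
import struct

# Packet tags of interest (RFC 4880 section 4.3)
TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID, TAG_PUBLIC_SUBKEY = 2, 6, 13, 14


def _read_new_length(data, pos):
    """Parse a new-format body length. Returns (length, new_pos, is_partial)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1, False
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if first == 255:
        return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5, False
    # 224..254: partial body length, chunk size is 1 << (first & 0x1F)
    return 1 << (first & 0x1F), pos + 1, True


def iter_packets(data):
    """Yield (tag, body) for every packet in a binary OpenPGP blob."""
    pos, n = 0, len(data)
    while pos < n:
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header byte at offset {pos}")
        pos += 1
        if ctb & 0x40:  # new-format header: tag in the low six bits
            tag = ctb & 0x3F
            body = bytearray()
            while True:  # partial lengths chain until a final (non-partial) chunk
                length, pos, partial = _read_new_length(data, pos)
                body += data[pos:pos + length]
                pos += length
                if not partial:
                    break
            body = bytes(body)
        else:  # old-format header: tag in bits 2..5, length type in bits 0..1
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                length = n - pos  # indeterminate length: body runs to end of input
            else:
                size = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + size], "big")
                pos += size
            body = data[pos:pos + length]
            pos += length
        yield tag, body


def signature_stats(data):
    """Return (Counter of packet tags, list of (user_id, signatures following it))."""
    tags, per_uid, current = Counter(), [], None
    for tag, body in iter_packets(data):
        tags[tag] += 1
        if tag == TAG_USER_ID:
            current = [body.decode("utf-8", "replace"), 0]
            per_uid.append(current)
        elif tag == TAG_SIGNATURE and current is not None:
            current[1] += 1  # certification over the preceding user ID
        elif tag in (TAG_PUBLIC_KEY, TAG_PUBLIC_SUBKEY):
            current = None  # signatures after a key packet bind keys, not user IDs
    return tags, [(uid, count) for uid, count in per_uid]


def is_poisoned(data, max_sigs_per_uid=1000):
    """True if any user ID carries more signatures than the assumed sane maximum."""
    _, per_uid = signature_stats(data)
    return any(count > max_sigs_per_uid for _, count in per_uid)


def new_packet(tag, body):
    """Build a new-format packet (one-, two- or five-octet length encoding)."""
    if len(body) < 192:
        length = bytes([len(body)])
    elif len(body) < 8384:
        v = len(body) - 192
        length = bytes([(v >> 8) + 192, v & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", len(body))
    return bytes([0xC0 | tag]) + length + body


def old_packet(tag, body):
    """Build an old-format packet with a one-octet length (body under 256 bytes)."""
    return bytes([0x80 | (tag << 2)]) + bytes([len(body)]) + body


def sample_key(n_sigs):
    """Constructed test key: primary key, one user ID, n_sigs signature packets.
    Bodies are dummy bytes; only the packet framing matters to this parser."""
    key = old_packet(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 10)
    key += new_packet(TAG_USER_ID, b"Example User <user@example.org>")
    key += b"".join(new_packet(TAG_SIGNATURE, b"\x04\x13" + b"\x00" * 70)
                    for _ in range(n_sigs))
    return key


if __name__ == "__main__":
    for n in (5, 1500):
        tags, per_uid = signature_stats(sample_key(n))
        print(f"{n:>5} sigs: tags={dict(tags)} per_uid={per_uid} "
              f"poisoned={is_poisoned(sample_key(n))}")
```

On a real export (`gpg --export KEYID > key.gpg`, binary, not `--armor`) the same functions give a quick pre-import triage: a key whose user IDs each carry tens of thousands of signature packets is the condition the post describes, and it can be rejected before GnuPG spends minutes processing it.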

  • YouTube's latest ban? Infosec instructional videos are outlawed

    Google's video-sharing site YouTube has started to ban videos that show users how to get past software restrictions and provide instructions on information security.

  • Youtube's ban on "hacking techniques" threatens to shut down all of infosec Youtube

    Youtube banning security disclosures doesn't make products more secure, nor will it prevent attackers from exploiting defects -- but it will mean that users will be the last to know that they've been trusting the wrong companies, and that developers will keep on making the same stupid mistakes...forever.

  • TN men use Bluetooth-enabled tablet to steal cars

    During the interrogation, one of the accused – a car mechanic – said he bought a Bluetooth-enabled tablet online used by car showroom staff to access the vehicles.

  • Kaspersky reinforces collaboration with INTERPOL in the fight against cybercrime

    This cooperation strengthens the existing relationship between the two organizations, ensuring information and technology sharing can support INTERPOL in cybercrime-related investigations. Within the new agreement, Kaspersky will share information about its cyberthreat research and provide the necessary tools to assist with full digital forensics, aimed at strengthening efforts on the prevention of cyberattacks.

  • China Is Forcing Tourists to Install Text-Stealing Malware at its Border

    The malware downloads a tourist’s text messages, calendar entries, and phone logs, as well as scans the device for over 70,000 different files.

  • Chinese border guards reportedly install spy apps on tourists' Android phones

    Border guards reportedly took tourists' phones and secretly installed an app on them which could extract emails, texts and contacts, along with information about the handset; basically a motherlode of privacy-sapping stuff.

    There are reports that in some cases Android phones are returned to those entering the region with an app called Fēng cǎi installed. Apple's iPhones don't appear to come back with the app, but they could have been scanned by border control guards in a separate area after travellers were forced to hand them over.

  • China Snares Tourists’ Phones in Surveillance Dragnet by Adding Secret App

    The app gathers personal data from phones, including text messages and contacts. It also checks whether devices are carrying pictures, videos, documents and audio files that match any of more than 73,000 items included on a list stored within the app’s code.
