
Security: SKS, YouTube, Malware and More

Filed under: Security
  • Impact of SKS keyserver poisoning on Gentoo

    The SKS keyserver network has lately been the victim of a certificate poisoning attack. The OpenPGP verification used for repository syncing is protected against the attack. However, our users can be affected when using GnuPG directly. In this post, we would like to briefly summarize what the attack is, what we did to protect Gentoo against it and what you can do to protect your system.

    The certificate poisoning attack abuses three facts: that OpenPGP keys can contain an unlimited number of signatures, that anyone can append signatures to any key and that there is no way to distinguish a legitimate signature from garbage. The attackers are appending a large number of garbage signatures to keys stored on SKS keyservers, causing them to become very large and causing severe performance issues in GnuPG clients that fetch them.

    The attackers have poisoned the keys of a few high ranking OpenPGP people on the SKS keyservers, including one Gentoo developer. Furthermore, the current expectation is that the problem won’t be fixed any time soon, so it seems plausible that more keys may be affected in the future. We recommend users not to fetch or refresh keys from SKS keyserver network (this includes aliases such as keys.gnupg.net) for the time being. GnuPG upstream is already working on client-side countermeasures and they can be expected to enter Gentoo as soon as they are released.

  • YouTube's latest ban? Infosec instructional videos are outlawed

    Google's video-sharing site YouTube has started to ban videos that show users how to get past software restrictions and provide instructions on information security.

  • Youtube's ban on "hacking techniques" threatens to shut down all of infosec Youtube

    Youtube banning security disclosures doesn't make products more secure, nor will it prevent attackers from exploiting defects -- but it will mean that users will be the last to know that they've been trusting the wrong companies, and that developers will keep on making the same stupid mistakes...forever.

  • TN men use Bluetooth-enabled tablet to steal cars

    During the interrogation, one of the accused, a car mechanic, said he bought online a Bluetooth-enabled tablet of the kind used by car showroom staff to access the vehicles.

  • Kaspersky reinforce collaboration with INTERPOL in the fight against cybercrime

    This cooperation strengthens the existing relationship between the two organizations, ensuring information and technology sharing can support INTERPOL in cybercrime-related investigations. Within the new agreement, Kaspersky will share information about its cyberthreat research and provide the necessary tools to assist with full digital forensics, aimed at strengthening efforts on the prevention of cyberattacks.

  • China Is Forcing Tourists to Install Text-Stealing Malware at its Border

    The malware downloads a tourist’s text messages, calendar entries, and phone logs, as well as scans the device for over 70,000 different files.

  • Chinese border guards reportedly install spy apps on tourists' Android phones

    Border guards reportedly took tourists' phones and secretly installed an app on them which could extract emails, texts and contacts, along with information about the handset; basically a mother lode of privacy-sapping stuff.

    There are reports that in some cases Android phones are returned to those entering the region with an app called Fēng cǎi installed. Apple's iPhones don't appear to come back with the app, but they could have been scanned by border control guards in a separate area after travellers were forced to hand them over.

  • China Snares Tourists’ Phones in Surveillance Dragnet by Adding Secret App

    The app gathers personal data from phones, including text messages and contacts. It also checks whether devices are carrying pictures, videos, documents and audio files that match any of more than 73,000 items included on a list stored within the app’s code.

More in Tux Machines

Events: DevCon (Mauritius), FOSDEM and Linux Plumbers Conference

  • DevCon 2020 is just about a month away

    The annual Developers Conference of Mauritius is happening on 2 - 4 April. That leaves us about a month of final preparations.

  • (pre-)FOSDEM +++ ILoveFS +++ Community

    Every year, at the beginning of February, FOSDEM brings together thousands of Free Software enthusiasts for one weekend in Brussels to discuss current topics and developments in the Free Software world. The FSFE used this occasion to invite key Free Software groups of Europe one day before the FOSDEM festivities to participate in our "pre-FOSDEM meeting". This was an event for everyone to network and get an overview of the activities of different Free Software groups from all over Europe. The event was kicked off by a presentation from Marcel Kolaja, Vice President of the European Parliament, which was then followed by insights and presentations from diverse Free Software organisations from all over Europe, from Portugal to Greece. After the presentations, we concluded with a dinner and a social meeting.

  • Linux Plumbers Conference: Videos for microconferences

    The videos for all the talks in microconferences at the 2019 edition of Linux Plumbers are now linked to the schedule. Clicking on the link titled “video” will take you to the right spot in the microconference video. Hopefully, watching all of these talks will get you excited for the 2020 edition which we are busy preparing! Watch out for our call for microconferences and for our refereed track both of which are to be released soon. So now’s the time to start thinking about all the exciting problems you want to discuss and solve.

Go 1.14 is released

Today the Go team is very happy to announce the release of Go 1.14. You can get it from the download page.

Also: Go 1.14 Released - Performance Improvements, Go's Module Support Production-Ready

IBM/Red Hat Leftovers

  • Open source marketing: Hacking our technology and process problems

    The teams that make up the Red Hat Open Studio are stewards of the Red Hat brand and identity. We are also makers, because Red Hat is an open source company, and open source is all about creating things. Open source is also about hacking together solutions when there isn’t an easy way to solve a problem.

  • Enterprise Kubernetes with OpenShift (Part one)

    The question “What’s the difference between Kubernetes and OpenShift?” comes up every now and then, and it is quite like asking: “What’s the difference between an engine and a car?” To answer the latter, a car is a product that immediately makes you productive: it is ready to get you where you want to go. The engine, in return, won’t get you anywhere unless you assemble it with other essential components that will form in the end a … car. As for the first question, in essence, you can think of it as Kubernetes being the engine that drives OpenShift, and OpenShift as the complete car (hence platform) that will get you where you want to.

  • Rules for product managers at open source companies

    Product management is an interesting career. It's immensely rewarding to be the interface between users, business strategy, engineering, and product design. And it's also a highly lucrative career with increasing demand for ambitious and empathetic practitioners. It's also a role with no single path. You might see various certifications and courses emerging to help address the serious skills shortage. The good news is that these are starting to contribute to the talent pipeline, but they struggle to address the wider demands of the role. This is especially the case where roles require direct experience across the enormous range of what it takes to build and ship successful products.

  • Red Hat simplifies container development and redistribution of RHEL packages

    Now, application developers in the Red Hat Technology Partner program can build their container apps and redeploy from the full set of Red Hat Enterprise Linux (RHEL) user space packages (non-kernel). This nearly triples the number of packages over UBI only. When we introduced Red Hat Universal Base Images (UBI) in May 2019, we provided Red Hat partners the ability to freely use and redistribute a substantial number of RHEL packages that can be deployed on both Red Hat and non-Red Hat platforms. This gave developers the ability to build safe, secure, and portable container-based software that could then be deployed anywhere. The feedback on this has been overwhelmingly positive and we thank you for it, but we learned that you needed more, so we’re sharing this advanced preview with Red Hat Partner Connect members to help you with your planning.

Linux Laptop Buyer’s Guide 2020

You can visit any online Linux discussion board, and you’re guaranteed to find the same question posted over and over again: What’s the best Linux laptop that I can buy? In 2020, this question is both easy and difficult to answer at the same time. On the one hand, the Linux kernel has made great strides in improving compatibility with hardware components, and it’s now very rare for a laptop to not work with Linux at all. On the other hand, the sheer number of attractive laptops that work with Linux can be overwhelming and make the buying process feel tiring. To make it easier for you, we selected the best Linux-friendly laptop brands in 2020 and picked one laptop for each brand. All that’s left for you to do is choose the laptop that best matches your requirements.