Language Selection

English French German Italian Portuguese Spanish

Security: Class Action Lawsuit Against Microsoft, New Patches, KDE FUD/Hype, Local Password Managers Assessed

Filed under
Security
  • Class Action Lawsuits Hopes To Hold GitHub Responsible For Hosting Data From Capital One Breach

    Weird legal theory, but one that could possibly to be stretched to target some of the $7.5 billion Microsoft paid to acquire GitHub. But it takes a lot of novel legal arguments to hold a third party responsible for content posted by a user, even if the content contained a ton of sensitive personal info.

    The lawsuit [PDF] alleges GitHub knew about the contents of this posting since the middle of April, but did not remove it until the middle of July after being notified of its contents by another GitHub user. The theory the law firm is pushing is that GitHub was obligated to scan uploads for "sensitive info" and proactively remove third-party content. The lawsuit argues GitHub is more obligated than most because (gasp!) it encourages hacking and hackers.

  • Security updates for Monday

    Security updates have been issued by Debian (fusiondirectory, gosa, kconfig, kernel, pango1.0, and python-django), Fedora (aubio, icedtea-web, java-1.8.0-openjdk, kernel, kernel-headers, kernel-tools, libslirp, openqa, os-autoinst, and upx), Gentoo (JasPer, libvncserver, and redis), Mageia (cyrus-imapd and php), Oracle (kernel), Red Hat (chromium-browser, cockpit-ovirt, Red Hat Virtualization, and rhvm-appliance), SUSE (ImageMagick, libvirt, python, and wireshark), and Ubuntu (poppler).

  • KDE Linux Desktops Could Get Hacked Without Even Opening Malicious Files [Ed: Hacker News misleading. You actually do need to open a malicious file from an untrusted source. This is similar to the macros issue and to a lesser degree JavaScript.]

    If you are running a KDE desktop environment on your Linux operating system, you need to be extra careful and avoid downloading any ".desktop" or ".directory" file for a while.

    A cybersecurity researcher has disclosed an unpatched zero-day vulnerability in the KDE software framework that could allow maliciously crafted .desktop and .directory files to silently run arbitrary code on a user's computer—without even requiring the victim to actually open it.

  • Recognizing basic security flaws in local password managers

    If you want to use a password manager (as you probably should), there are literally hundreds of them to choose from. And there are lots of reviews, weighing in features, usability and all other relevant factors to help you make an informed decision. Actually, almost all of them, with one factor suspiciously absent: security. How do you know whether you can trust the application with data as sensitive as your passwords?

    Unfortunately, it’s really hard to see security or lack thereof. In fact, even tech publications struggle with this. They will talk about two-factor authentication support, even when discussing a local password manager where it is of very limited use. Or worse yet, they will fire up a debugger to check whether they can see any passwords in memory, completely disregarding the fact that somebody with debug rights can also install a simple key logger (meaning: game over for any password manager).

    Judging security of a password manager is a very complex task, something that only experts in the field are capable of. The trouble: these experts usually work for competing products and badmouthing competition would make a bad impression. Luckily, this still leaves me. Actually, I’m not quite an expert, I merely know more than most. And I also work on competition, a password manager called PfP: Pain-free Passwords which I develop as a hobby. But today we’ll just ignore this.

    So I want to go with you through some basic flaws which you might encounter in a local password manager. That’s a password manager where all data is stored on your computer rather than being uploaded to some server, a rather convenient feature if you want to take a quick look. Some technical understanding is required, but hopefully you will be able to apply the tricks shown here, particularly if you plan to write about a password manager.

More in Tux Machines

Programming: WebAssembly, Mozilla GFX, Qt and Python

  • WebAssembly for speed and code reuse

    Imagine translating a non-web application, written in a high-level language, into a binary module ready for the web. This translation could be done without any change whatsoever to the non-web application's source code. A browser can download the newly translated module efficiently and execute the module in the sandbox. The executing web module can interact seamlessly with other web technologies—with JavaScript (JS) in particular. Welcome to WebAssembly. As befits a language with assembly in the name, WebAssembly is low-level. But this low-level character encourages optimization: the just-in-time (JIT) compiler of the browser's virtual machine can translate portable WebAssembly code into fast, platform-specific machine code. A WebAssembly module thereby becomes an executable suited for compute-bound tasks such as number crunching. Which high-level languages compile into WebAssembly? The list is growing, but the original candidates were C, C++, and Rust. Let's call these three the systems languages, as they are meant for systems programming and high-performance applications programming. The systems languages share two features that suit them for compilation into WebAssembly. The next section gets into the details, which sets up full code examples (in C and TypeScript) together with samples from WebAssembly's own text format language.

  • Mozilla GFX: moz://gfx newsletter #47

    Hi there! Time for another mozilla graphics newsletter. In the comments section of the previous newsletter, Michael asked about the relation between WebRender and WebGL, I’ll try give a short answer here. Both WebRender and WebGL need access to the GPU to do their work. At the moment both of them use the OpenGL API, either directly or through ANGLE which emulates OpenGL on top of D3D11. They, however, each work with their own OpenGL context. Frames produced with WebGL are sent to WebRender as texture handles. WebRender, at the API level, has a single entry point for images, video frames, canvases, in short for every grid of pixels in some flavor of RGB format, be them CPU-side buffers or already in GPU memory as is normally the case for WebGL. In order to share textures between separate OpenGL contexts we rely on platform-specific APIs such as EGLImage and DXGI. Beyond that there isn’t any fancy interaction between WebGL and WebRender. The latter sees the former as a image producer just like 2D canvases, video decoders and plain static images.

  • The Titler Revamp: QML Producer in the making

    At the beginning of this month, I started testing out the new producer as I had a good, rough structure for the producer code, and was only facing a few minor problems. Initially, I was unclear about how exactly the producer is going to be used by the titler so I took a small step back and spent some time figuring out how kdenlivetitle worked, which is the producer in use. Initially, I faced integration problems (which are the ones you’d normally expect) when I tried to make use of the QmlRenderer library for rendering and loading QML templates – and most of them were resolved by a simple refactoring of the QmlRenderer library source code. To give an example, the producer traditionally stores the QML template in global variables which is taken as a character pointer argument (which is, again, traditional C) The QmlRenderer lib takes a QUrl as its parameters for loading the Qml file, so to solve this problem all I had to do was to overload the loadQml() method with one which could accommodate the producer’s needs – which worked perfectly fine. As a consequence, I also had to compartmentalise (further) the rendering process so now we have 3 methods which go sequentially when we want to render something using the library ( initialiseRenderParams( ) -> prepareRenderer( ) -> renderQml( ) ) [...] The problem was resolved (thank you JB) finally and it was not due to OpenGL but it was simply because I hadn’t created an QApplication for the producer (which is necessary for qt producers). The whole month’s been a steep curve, definitely not easy, but, I enjoyed it! Right now, I have a producer which is, now, almost complete and with a little more tweaking, will be put to use, hopefully. I’m still facing a few minor issues which I hope to resolve soon and get a working producer. Once we get that, I can start work on the Kdenlive side. Let’s hope for the best!

  • How to Make a Discord Bot in Python

    In a world where video games are so important to so many people, communication and community around games are vital. Discord offers both of those and more in one well-designed package. In this tutorial, you’ll learn how to make a Discord bot in Python so that you can make the most of this fantastic platform.

  • Qt Visual Studio Tools 2.4 RC Released

    The Visual Studio Project System is widely used as the build system of choice for C++ projects in VS. Under the hood, MSBuild provides the project file format and build framework. The Qt VS Tools make use of the extensibility of MSBuild to provide design-time and build-time integration of Qt in VS projects — toward the end of the post we have a closer look at how that integration works and what changed in the new release. Up to this point, the Qt VS Tools extension managed its own project settings in an isolated manner. This approach prevented the integration of Qt in Visual Studio to fully benefit from the features of VS projects and MSBuild. Significantly, it was not possible to have Qt settings vary according to the build configuration (e.g. having a different list of selected Qt modules for different configurations), including Qt itself: only one version/build of Qt could be selected and would apply to all configurations, a significant drawback in the case of multi-platform projects. Another important limitation that users of the Qt VS Tools have reported is the lack of support for importing Qt-related settings from shared property sheet files. This feature allows settings in VS projects to be shared within a team or organization, thus providing a single source for that information. Up to now, this was not possible to do with settings managed by the Qt VS Tools.

Screenshots/Screencasts: 10 GNU/Linux Distros (Screenshots) and New Screencast/Video of Endeavour OS 2019.08.17

  • 10 Linux distros: From different to dangerous

    One of the great benefits of Linux is the ability to roll your own. Throughout the years, individuals, organizations, and even nation states have done just that. In this gallery, we're going to showcase some of those distros. Be careful, though. You may not want to load these, or if you do, put them in isolated VMs. We're not kidding when we say they could be dangerous.

  • Endeavour OS 2019.08.17 Run Through

    In this video, we are looking at Endeavour OS 2019.08.17.

A Cycle of Renewal, Broken: How Big Tech and Big Media Abuse Copyright Law to Slay Competition

In 1950, a television salesman named Robert Tarlton put together a consortium of TV merchants in the town of Lansford, Pennsylvania to erect an antenna tall enough to pull down signals from Philadelphia, about 90 miles to the southeast. The antenna connected to a web of cables that the consortium strung up and down the streets of Lansford, bringing big-city TV to their customers — and making TV ownership for Lansfordites far more attractive. Though hobbyists had been jury-rigging their own "community antenna television" networks since 1948, no one had ever tried to go into business with such an operation. The first commercial cable TV company was born. The rise of cable over the following years kicked off decades of political controversy over whether the cable operators should be allowed to stay in business, seeing as they were retransmitting broadcast signals without payment or permission and collecting money for the service. Broadcasters took a dim view of people using their signals without permission, which is a little rich, given that the broadcasting industry itself owed its existence to the ability to play sound recordings over the air without permission or payment. The FCC brokered a series of compromises in the years that followed, coming up with complex rules governing which signals a cable operator could retransmit, which ones they must retransmit, and how much all this would cost. The end result was a second way to get TV, one that made peace with—and grew alongside—broadcasters, eventually coming to dominate how we get cable TV in our homes. By 1976, cable and broadcasters joined forces to fight a new technology: home video recorders, starting with Sony's Betamax recorders. In the eyes of the cable operators, broadcasters, and movie studios, these were as illegitimate as the playing of records over the air had been, or as retransmitting those broadcasts over cable had been. Lawsuits over the VCR continued for the next eight years. In 1984, the Supreme Court finally weighed in, legalizing the VCR, and finding that new technologies were not illegal under copyright law if they were "capable of substantial noninfringing uses." Read more

Software, HowTos and Storage

  • Pause Music When Locking The Screen And Resume On Unlock For Spotify, Rhythmbox, Others

    When you lock your computer screen (without suspending the system), most desktop audio players continue playback in the background, sometimes not emitting any sound ¹. Due to this you may unintentionally skip parts of podcasts or songs in a playlist, etc. Enter pause-on-lock, a Bash script that pauses your music player when you lock the screen and resumes playback once the screen is unlocked. pause-on-lock works on Unity, GNOME, Cinnamon and MATE desktop environments, and by default it supports Spotify and Rhythmbox. With the help of playerctl (a command line controller for controlling media players that support the MPRIS D-Bus interface), this script can extend its supported music players to many others, including Audacious, VLC, Cmus, and others.

  • Easy Way to Screen Mirroring Android on Ubuntu!

    Screen Mirroring is one of the features found on smartphones, one of which is on Android. This feature serves to display the smartphone to a computer. This is very useful for example when used for demo applications that you make, or maybe for other things related to smartphones. In Ubuntu, we can do screen mirroring with applications available on Android, for example is AirDroid which can be used for screen mirroring through a browser. But I feel less optimal when using this instant method. Because there is a lag between activity on the smartphone and on the monitor screen on the computer, and the results are less than optimal. What might be the cause because it is opened through a browser and uses wi-fi? (Personal question). I am looking for another application for screen mirroring on Ubuntu, and one of the very good applications is Scrcpy. This application can be used for screen mirroring without a root device.

  • Command line quick tips: Searching with grep
  • How to Install Cezerin on Debian 9
  • How to Create a Bootable USB Stick from the Ubuntu Terminal
  • How to Install Git on Debian 10
  • How to Copy/Move a Docker Container to Another Host
  • Six practical use cases for Nmap
  • The Next Stage of Flash Storage: Computational Storage
  • NAS upgrade

    At some point in the future I hope to spend a little bit of time on the software side of things, as some of the features of my set up are no longer working as they should: I can't remote-decrypt the main disk via SSH on boot, and the first run of any backup fails due to some kind of race condition in the systemd unit dependencies. (The first attempt does not correctly mount the backup partition; the second attempt always succeeds).

  • Storage Concepts And Technologies Explained In Detail