Language Selection

English French German Italian Portuguese Spanish

Security: One More Steam Windows Client Local Privilege Escalation 0day, New FOSS Patches, Major Metapackage Makeover in Kali and Securing Crypto Wallets

Filed under
Security
  • One more Steam Windows Client Local Privilege Escalation 0day

    Not long ago I published an article about Steam vulnerability. I received a lot of feedback. But Valve didn’t say a single word, HackerOne sent a huge letter and, mostly, kept silence. Eventually things escalated with Valve and I got banned by them on HackerOne — I can no longer participate in their vulnerability rejection program (the rest of H1 is still available though).

    You can read the story in more detail in previous article, here is a couple of words about current situation.

    And it’s sad and simple — Valve keeps failing. Last patch, that should have solved the problem, can be easily bypassed (https://twitter.com/general_nfs/status/1162067274443833344) so the vulnerability still exists. Yes, I’ve checked, it works like a charm.

    But this article is not about an old vulnerability, it’s about new one. Since Valve decided to read a public report instead of private report one more time, I won’t take that pleasure away from them.

  • Security updates for Thursday

    Security updates have been issued by Fedora (nginx), openSUSE (ImageMagick and putty), Red Hat (Ansible, atomic-openshift-web-console, ceph, and qemu-kvm-rhev), SUSE (kvm, libssh2_org, postgresql96, qemu, and wavpack), and Ubuntu (libzstd and openjpeg2).

  • Major Metapackage Makeover

    With our 2019.3 Kali release imminent, we wanted to take a quick moment to discuss one of our more significant upcoming changes: our selection of metapackages. These alterations are designed to optimize Kali, reduce ISO size, and better organize metapackages as we continue to grow.

    Before we get into what’s new, let’s briefly recap what a metapackage is. A metapackage is a package that does not contain any tools itself, but rather is a dependency list of normal packages (or other metapackages). This allows us to group related tools together. For instance, if you want to be able to access every wireless tool, simply install the kali-tools-wireless metapackage.

  • Securing Your Crypto Wallet

    When it came time to create my CryptocurrencyOS, based on Linux Mint I wanted to solve some practical user and security issues. The end result was for people to have their own crypto wallets in a secure, opensource, environment and encourage more adoption of cryptocurrency. I applied some of my experience with some of the products I developed for compevo and Techrich.

    The first problem is that a lot of people don’t even know how to find or download a wallet (at least safely, since there are a lot of fake / malware wallets that steal people’s coins). If they don’t know how to avoid the above, then how would they be able to secure their computer?

More in Tux Machines

today's howtos

Games; CHOP, LeClue - Detectivu, Nantucket, MOTHERGUNSHIP

  • Brutal local co-op platform brawler CHOP has released

    CHOP, a brutal local co-op platform brawler recently left Early Access on Steam. If you like fast-paced fighters with a great style and chaotic gameplay this is for you. There's multiple game modes, up to for players in the standard modes and there's bots as well if you don't have people over often. Speaking about the release, the developer told me they felt "many local multiplayer games fall into a major pitfall : they often lack impact and accuracy, they don't have this extra oomph that ensure players will really be into the game and hang their gamepad like their life depends on it." and that "CHOP stands out in this regard". I've actually quite enjoyed this one, the action in CHOP is really satisfying overall.

  • Mystery adventure game Jenny LeClue - Detectivu is releasing this week

    Developer Mografi has confirmed that their adventure game Jenny LeClue - Detectivu is officially releasing on September 19th. The game was funded on Kickstarter way back in 2014 thanks to the help of almost four thousand backers raising over one hundred thousand dollars.

  • Seafaring strategy game Nantucket just had a big patch and Masters of the Seven Seas DLC released

    Ahoy mateys! Are you ready top set sail? Anchors aweigh! Seafaring strategy game Nantucket is now full of even more content for you to play through. Picaresque Studio and Fish Eagle just released a big new patch adding in "100+" new events, events that can be triggered by entering a city, the Resuscitation command can now heal even if someone isn't dead during combat, the ability to rename crew to really make your play-through personal, minor quests give off better rewards and more. Quite a hefty free update!

  • MOTHERGUNSHIP, a bullet-hell FPS where you craft your guns works great on Linux with Steam Play

    Need a fun new FPS to try? MOTHERGUNSHIP is absolutely nuts and it appears to run very nicely on Linux thanks to Steam Play. There's a few reasons why I picked this one to test recently: the developers have moved onto other games so it's not too likely it will suddenly break, there's not a lot of new and modern first-person shooters on Linux that I haven't finished and it was in the recent Humble Monthly.

GNU community announces ‘Parallel GCC’ for parallelism in real-world compilers

Yesterday, the team behind the GNU project announced Parallel GCC, a research project aiming to parallelize a real-world compiler. Parallel GCC can be used in machines with many cores where GNU cannot provide enough parallelism. A parallel GCC can be also used to design a parallel compiler from scratch. Read more

today's leftovers

  • 3 Ways to disable USB storage devices on Linux
  • Fedora Community Blog: Fedocal and Nuancier are looking for new maintainers

    Recently the Community Platform Engineering (CPE) team announced that we need to focus on key areas and thus let some of our applications go. So we started Friday with Infra to find maintainers for some of those applications. Unfortunately the first few occurrences did not seem to raise as much interest as we had hoped. As a result we are still looking for new maintainers for Fedocal and Nuancier.

  • Artificial Intelligence Confronts a 'Reproducibility' Crisis

    Lo and behold, the system began performing as advertised. The lucky break was a symptom of a troubling trend, according to Pineau. Neural networks, the technique that’s given us Go-mastering bots and text generators that craft classical Chinese poetry, are often called black boxes because of the mysteries of how they work. Getting them to perform well can be like an art, involving subtle tweaks that go unreported in publications. The networks also are growing larger and more complex, with huge data sets and massive computing arrays that make replicating and studying those models expensive, if not impossible for all but the best-funded labs.

    “Is that even research anymore?” asks Anna Rogers, a machine-learning researcher at the University of Massachusetts. “It’s not clear if you’re demonstrating the superiority of your model or your budget.”

  • When Biology Becomes Software

    If this sounds to you a lot like software coding, you're right. As synthetic biology looks more like computer technology, the risks of the latter become the risks of the former. Code is code, but because we're dealing with molecules -- and sometimes actual forms of life -- the risks can be much greater.

    [...]

    Unlike computer software, there's no way so far to "patch" biological systems once released to the wild, although researchers are trying to develop one. Nor are there ways to "patch" the humans (or animals or crops) susceptible to such agents. Stringent biocontainment helps, but no containment system provides zero risk.

  • Why you may have to wait longer to check out an e-book from your local library

    Gutierrez says the Seattle Public Library, which is one of the largest circulators of digital materials, loaned out around three million e-books and audiobooks last year and spent about $2.5 million to acquire those rights. “But that added 60,000 titles, about,” she said, “because the e-books cost so much more than their physical counterpart. The money doesn’t stretch nearly as far.”

  • Libraries are fighting to preserve your right to borrow e-books

    Libraries don't just pay full price for e-books -- we pay more than full price. We don't just buy one book -- in most cases, we buy a lot of books, trying to keep hold lists down to reasonable numbers. We accept renewable purchasing agreements and limits on e-book lending, specifically because we understand that publishing is a business, and that there is value in authors and publishers getting paid for their work. At the same time, most of us are constrained by budgeting rules and high levels of reporting transparency about where your money goes. So, we want the terms to be fair, and we'd prefer a system that wasn't convoluted.

    With print materials, book economics are simple. Once a library buys a book, it can do whatever it wants with it: lend it, sell it, give it away, loan it to another library so they can lend it. We're much more restricted when it comes to e-books. To a patron, an e-book and a print book feel like similar things, just in different formats; to a library they're very different products. There's no inter-library loan for e-books. When an e-book is no longer circulating, we can't sell it at a book sale. When you're spending the public's money, these differences matter.

  • Nintendo's ROM Site War Continues With Huge Lawsuit Against Site Despite Not Sending DMCA Notices

    Roughly a year ago, Nintendo launched a war between itself and ROM sites. Despite the insanely profitable NES Classic retro-console, the company decided that ROM sites, which until recently almost single-handedly preserved a great deal of console gaming history, need to be slayed. Nintendo extracted huge settlements out of some of the sites, which led to most others shutting down voluntarily. While this was probably always Nintendo's strategy, some sites decided to stare down the company's legal threats and continue on.

  • The Grey Havens | Coder Radio 375

    We say goodbye to the show by taking a look back at a few of our favorite moments and reflect on how much has changed in the past seven years.

  • 09/16/2019 | Linux Headlines

    A new Linux Kernel is out; we break down the new features, PulseAudio goes pro and the credential-stealing LastPass flaw. Plus the $100 million plan to rid the web of ads, and more.

  • Powering Docker App: Next Steps for Cloud Native Application Bundles (CNAB)

    Last year at DockerCon and Microsoft Connect, we announced the Cloud Native Application Bundle (CNAB) specification in partnership with Microsoft, HashiCorp, and Bitnami. Since then the CNAB community has grown to include Pivotal, Intel, DataDog, and others, and we are all happy to announce that the CNAB core specification has reached 1.0. We are also announcing the formation of the CNAB project under the Joint Development Foundation, a part of the Linux Foundation that’s chartered with driving adoption of open source and standards. The CNAB specification is available at cnab.io. Docker is working hard with our partners and friends in the open source community to improve software development and operations for everyone.

  • CNAB ready for prime time, says Docker

    Docker announced yesterday that CNAB, a specification for creating multi-container applications, has come of age. The spec has made it to version 1.0, and the Linux Foundation has officially accepted it into the Joint Development Foundation, which drives open-source development. The Cloud Native Application Bundle specification is a multi-company effort that defines how the different components of a distributed cloud-based application are bundled together. Docker announced it last December along with Microsoft, HashiCorp, and Bitnami. Since then, Intel has joined the party along with Pivotal and DataDog. It solves a problem that DevOps folks have long grappled with: how do you bolt all these containers and other services together in a standard way? It’s easy to create a Docker container with a Docker file, and you can pull lots of them together to form an application using Docker Compose. But if you want to package other kinds of container or cloud results into the application, such as Kubernetes YAML, Helm charts, or Azure Resource Manager templates, things become more difficult. That’s where CNAB comes in.