Security Leftovers

• [Attackers] Target California University Leading Covid-19 Research

  UCSF confirmed it was the target of an “illegal intrusion” but declined to explain which portion of its IT network may have been compromised. Researchers at the university are among those leading American antibody testing and clinical trials for possible coronavirus treatments, including a recent study on anti-malarial drugs touted by President Donald Trump as a possible remedy, then refuted by scientists.

• NSA flags email vulnerability

• Improve your security with two-factor authentication [Ed: But Google is not security but a MITM with close ties to NSA]

  Two-factor authentication (or simply 2FA) is a way of authentication where a user must provide additional verification after username and password login. The form of verification can be a string of characters delivered via text message or generated with TOTP client. Two-factor authentication improves security because compromised username and password are not enough to get the account breached. This article will explain how to use TOTP clients for two-factor authentication and why TOTP is better than many other two-factor methods. As an example, I will show how to enable and set up TOTP client Google Authenticator in Google’s services. [...] Next, I will show you how to enable two-factor authentication in Google services. After that, we will install Google Authenticator and enable 2FA with Google account. In this guide, I will log in to a Google account with a desktop browser, which is very similar to how the process works for other services. Login to your Google Account and proceed in the menu to Security> Signing into Google > 2-step verification. If two-step verification is enabled on your Google account, you should already see an option for Google Authenticator on this page, and you can continue to the next part of this article (Installing Google Authenticator). Otherwise, continue this part. Google has now opened a window where is introduced two-step verification. You can read it through and then click forward.

• Linux security: Protect your systems with fail2ban

  Security, for system administrators, is an ongoing struggle because you must secure your systems enough to protect them from unwanted attacks but not so much that user productivity is hindered. It's a difficult balance to maintain. There are always complaints of "too much" security, but when a system is compromised, the complaints range from, "There wasn't enough security" to "Why didn't you use better security controls?" The struggle is real. There are controls you can put into place that are both effective against intruder attack and yet stealthy enough to allow users to operate in a generally unfettered manner. Fail2ban is the answer to protect services from brute force and other automated attacks.

• Security updates for Thursday

  Security updates have been issued by Debian (firefox-esr), Fedora (firefox and prboom-plus), Oracle (bind), Red Hat (firefox), and SUSE (osc).

GNU Linux-Libre 5.7

• GNU Linux-Libre 5.7 Released - Drops Intel iGPU Security Fix Over Arrays Of Numbers

  The GNU Linux-libre 5.7-gnu kernel was released following last weekend's Linux 5.7 kernel release. But the info-gnu mailing list was slow and thus just hitting the wire today for the latest version of this sanitized version of the Linux kernel. One interesting change in GNU Linux-libre 5.7-gnu is dropping the Intel Gen7 "iGPU Leak" security mitigation over not liking the sources.

• GNU Linux-libre 5.7-gnu

  GNU Linux-libre 5.7-gnu cleaning-up scripts, cleaned-up sources, and
  cleaning-up logs (including tarball signatures) are now available from
  our git-based release archive git://linux-libre.fsfla.org/releases.git/
  tags {scripts,sources,logs}/v5.7-gnu.
  
  Tarballs and incremental patches were still slowly getting compressed as
  I started writing this.  It took me so long to write this up that by now
  they are probably ready to be published, along with scripts and logs, at
  <https://www.fsfla.org/selibre/linux-libre/download/releases/5.7-gnu/>.
  
  We will not create or publish binary xdeltas any more: tarballs and
  patches are now created with git archive and git diff, respectively.
  So, even if you want a tarball, you don't have to wait for the
  compression to complete on our end.  Update the git repo, and run:
  
    git checkout logs/v5.7-gnu &&
    git archive --format tar --prefix=linux-5.7/ \
      sources/v5.7-gnu > linux-libre-5.7-gnu.tar &&
    gpg --verify linux-libre-5.7-gnu.tar.sign
  
  This will get you the same tarball and signature that, once compressed,
  will be published at the usual place.  Note that the --prefix= was
  maintained like that of the corresponding upstream release, so that
  anyone already used to downloading our tarballs and dealing with the
  unusual prefix doesn't have to make any changes.
  
  
  No changes were required to the cleaning up scripts since -rc7-gnu,
  already published under the new release procedure, though a little too
  late for it to be useful.
  
  The git repository is already populated with scripts, sources and logs
  for past releases since Linux-libre became a GNU project; earlier
  releases might be added at a later time.  The imported sources, scripts,
  logs and signatures are the result of long-time hard work by Jason Self,
  in the git repo https://jxself.org/git/linux-libre.git.  Nearly all of
  the branches, tags and commits in the new repo are taken directly from
  there, though I've verified all of the sources/ and scripts/ tags and
  corrected a few mismatches that AFAICT followed from errors in the SVN
  repository.  The main exception is the storage of logs and tarball
  signatures; he'd used git notes, but those didn't quite work for me, so
  I turned them into a separate tree of tags with logs and tarball
  signatures.  Alas, I failed to bring the .log signatures into it.  Will
  fix, and move the tags.
  
  
  The 5.7 upstream release removed the i1480 uwb driver, that we used to
  clean up, but added a crypto driver for the Marvell OcteonTX CPT, for
  Mediatek MT7622 WMAC, for Qualcomm IPA, for the Azoteq
  IQS620A/621/622/624/625 Multi-function device, for IDT 82P33xxx PTP
  clock, and a Modem Host Interface (MHI) bus driver, all of which
  required cleaning up.  Actually, the MHI bus one is tentative: I
  couldn't quite figure out what it is that it loads, so I've
  conservatively blocked it in the likely case it is a piece of non-Free
  Software.
  
  Some further adjustments were required on account of the introduction of
  the function firmware_request_platform to the firmware-loading
  interface, of the usual assortment of false positives all over, and blob
  adjustments in AMD GPU, Arm64 DTS files, Meson VDec, Realtek Bluetooth,
  m88ds3103 dvb frontend, Mediatek mt8173 VPU, Qualcomm Venus, Broadcom
  FMAC, Mediatek 7622 and 7663 wifi, silead x86 touchscreen; of the
  movement of the cleaned-up mscc phy driver (and new blob names in it)
  and wd719x documentation within the source tree; and of something very
  unexpected: the introduction of binary blobs as arrays of numbers in
  source code for gen7 i915 gpus.
  
  
  I unfortunately could not find correspoding sources for the new binary
  blobs introduced in such an old-fashioned way, and they're big enough
  and not regular enough that I could just assume them to be data rather
  than code, so I've removed them.  If you come across source code for
  those bits, or can explain to me how transparent and trivial they are
  once they're disassembled with existing Free tools, I'll be very glad to
  restore them.
  
  
  Other relevant changes were made to the deblob-check script:
  
  - its self-test now uses a safer $echo instead of echo to feed itself
  the test patterns, and to complain in case they fail; some of the
  patterns got mangled (unintended backslash transformations) by /bin/sh's
  echo in Trisquel 8.  That's a well-known shell portability issue that we
  had a fix for, but that somehow hadn't come up before in the context of
  the testsuite.
  
  - I moved the block of default suspicious patterns after the Linux- or
  patch-specific ones.  This enables these default patterns to be
  overridden by longer matches (e.g., cleaning up a trailing comma along
  with the new Intel presumed blobs).  In Non-Deterministic Automata-based
  regular expression engines, such as those in GNU awk and GNU sed, this
  doesn't make a difference, because the longest match is always
  preferred, but in engines that process alternatives left-to-right and
  take the first match, like Python's and Perl's, there was no way to
  override the blob sequence as needed.  Now there is.
  
  
  For up-to-the-minute news, join us on #linux-libre of irc.gnu.org
  (Freenode), or follow me (@lxoliva) on Twister <http://twister.net.co/>,
  Secure Scuttlebutt, GNU social at social.libreplanet.org, Diaspora* at
  pod.libreplanetbr.org or pump.io at identi.ca.  Check the link in the
  signature for direct links.
  
  
  Be Free! with GNU Linux-libre.
  
  
  What is GNU Linux-libre?
  ------------------------
  
    GNU Linux-libre is a Free version of the kernel Linux (see below),
    suitable for use with the GNU Operating System in 100% Free
    GNU/Linux-libre System Distributions.
    http://www.gnu.org/distros/
  
    It removes non-Free components from Linux, that are disguised as
    source code or distributed in separate files.  It also disables
    run-time requests for non-Free components, shipped separately or as
    part of Linux, and documentation pointing to them, so as to avoid
    (Free-)baiting users into the trap of non-Free Software.
    http://www.fsfla.org/anuncio/2010-11-Linux-2.6.36-libre-debait
  
    Linux-libre started within the gNewSense GNU/Linux distribution.
    It was later adopted by Jeff Moe, who coined its name, and in 2008
    it became a project maintained by FSF Latin America.  In 2012, it
    became part of the GNU Project.
  
    The GNU Linux-libre project takes a minimal-changes approach to
    cleaning up Linux, making no effort to substitute components that
    need to be removed with functionally equivalent Free ones.
    Nevertheless, we encourage and support efforts towards doing so.
    http://libreplanet.org/wiki/LinuxLibre:Devices_that_require_non-free_firmware
  
    Our mascot is Freedo, a light-blue penguin that has just come out
    of the shower.  Although we like penguins, GNU is a much greater
    contribution to the entire system, so its mascot deserves more
    promotion.  See our web page for their images.
    http://linux-libre.fsfla.org/
  
  What is Linux?
  --------------
  
    Linux is a clone of the Unix kernel [...]
  
  (snipped from Documentation/admin-guide/README.rst)
  

Android Leftovers

• Galaxy Fold now getting June 2020 Android security update

• Here is how you can change your number on Truecaller: Android

• Com Hem upgrades Android TV service

• [Update: 43-inch] Nokia-branded Android TV arrives in India w/ 4K, Pie, JBL audio, more

• Tens of thousands of malicious Android apps flooding user devices

• CarbonROM teams drops Android Oreo support and adds 5 new Android 10 devices

• Best Android phones in 2020: Samsung Galaxy S20 Ultra, LG V60 ThinQ 5G, OnePlus 8 Pro, and more

NexDock Touch Laptop Shell Features a Touchscreen Display, an Optional Magnetic Mount for Your Phone

NexDock is a Motorola Lapdock alternative launched in 2016 with a 14.1″ non-touch display, a built-in battery, and a Bluetooth keyboard. It was followed by NexDock 2 last year with a Full HD display and a USB-C port. The company has now announced they had started manufacturing NexDock Touch based on NexDock 2 but adding a touchscreen display and some other features, and the company has also developed a magnetic mount – compatible with all NexDock models – to conveniently attach your phone to the side of the display. Also: Rikomagic DS02 Android Digital Signage Player Supports 4G LTE or WiFi Connectivity