date 2020-04-22
today's leftovers
-
Starting today, every app you use to access your ProtonMail inbox is open source and has passed an independent security audit.
One of our guiding principles is transparency. You deserve to know who we are, how our products can and cannot protect you, and how we keep your data private. We believe this level of transparency is the only way to earn the trust of our community.
-
A team from Taiwan’s National Yang-Ming University has developed a videoconferencing platform with free access based on the open-source software Jitsi Meet.
Led by Chen Yu-chun (陳育群), an assistant professor at the university’s School of Medicine, the team has added new features to the application for improved security. Through a one-time encryption key, users will be able to convene virtual meetings without the need to sign in.
-
OpenSSH is on a roll. In February, OpenSSH 8.2 introduced first-class support for FIDO2 (née U2F) security keys, making hardware-backed keys accessible for less than $20.
This is not some complicated PAM setup, or some janky cryptographic trick, but a proper public key type, where the private key is protected by the hardware token. And it just works out of the box for USB security keys! No more tedious and unreliable gpg-agent setups, PKCS#11, or third-party agents.
I’m a big fan of hardware tokens because they allow a few things you can’t do with just software cryptography: compromise recovery, because an attacker can’t exfiltrate the key from the hardware to use it after losing access to it; explicit consent, where the user has to physically allow each operation by e.g. tapping the key; and short PINs that can’t be bruteforced, because the retry counters or delays are enforced in hardware.
Let’s cut to the chase, here’s how you generate an SSH key backed by your security key: [...]
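As an added example (not part of the original post and not OpenSSH's own code), here is a small POSIX shell audit that classifies the entries of an authorized_keys file by whether they use one of the FIDO2-backed key types OpenSSH 8.2 introduced (sk-ssh-ed25519@openssh.com and sk-ecdsa-sha2-nistp256@openssh.com). A defender can run it over a server's authorized_keys to see which accounts are still protected only by software keys. The sample file, its placeholder key blobs and the comments are constructed; key generation itself needs a physical token, so the ssh-keygen invocations appear only as comments. The options-prefix handling assumes options without embedded spaces.

```shell
#!/bin/sh
# Added example (not from the original post): audit an authorized_keys file
# and report which entries use the hardware-backed sk-* key types from
# OpenSSH 8.2. Generating such a key needs a physical token, so the
# commands are shown as comments only:
#   ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk      # P-256 key held on the token
#   ssh-keygen -t ed25519-sk -f ~/.ssh/id_ed25519_sk  # needs a token that supports Ed25519

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE_AK="$(mktemp)"
trap 'rm -f "$SAMPLE_AK"' EXIT
cat >"$SAMPLE_AK" <<'EOF'
ssh-ed25519 AAAAPLACEHOLDER laptop-software-key
sk-ssh-ed25519@openssh.com AAAAPLACEHOLDER yubikey-user
sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER solokey-user
restrict,from="10.0.0.0/8" ssh-rsa AAAAPLACEHOLDER ci-runner
# comment lines are ignored
EOF

# Print one line per key entry: HW for a FIDO2-backed type, SW otherwise.
classify_keys() {
  # $1: path to an authorized_keys file
  while read -r line; do
    case "$line" in ''|\#*) continue ;; esac   # blank or comment line
    # shellcheck disable=SC2086
    set -- $line
    case "$1" in
      ssh-*|ecdsa-*|sk-*) ktype=$1 ;;
      *) ktype=$2 ;;   # first field was an options list (assumed to contain no spaces)
    esac
    case "$ktype" in
      sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com)
        printf 'HW %s\n' "$ktype" ;;
      *) printf 'SW %s\n' "$ktype" ;;
    esac
  done <"$1"
}

# Number of hardware-backed entries in the file.
count_hw_keys() {
  classify_keys "$1" | grep -c '^HW '
}

# Number of software-only entries in the file.
count_sw_keys() {
  classify_keys "$1" | grep -c '^SW '
}

classify_keys "$SAMPLE_AK"
```

On a real host, point the functions at /home/<user>/.ssh/authorized_keys for each account; any SW line is a key whose private half could be copied off the client machine, which is exactly the exposure the post says the sk-* types close.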
-
I have to confess that aside from New Year and family birthdays, SUSECON is my favorite diary date.
Where else could I combine the job I love with renewing friendships, meeting new friends and immersing myself in a welcoming global community?
The difficult global circumstances we currently find ourselves in have caused me to look back a little wistfully at my great experiences at previous SUSECON events where I, like other attendees, have enjoyed the outstanding technical content, open access to subject matter experts, and a true feeling of community.
-
If you’re going to stare at a screen, you can binge-watch Netflix – or you could attend one of these online open source conferences, most of which are now free or at a significantly reduced price.
-
DeepSpeech 0.7 is the new release from Mozilla for this open-source speech-to-text engine. Among the many changes in this update are changes to the TensorFlow training code, support for TypeScript, multi-stream .NET support, a new and faster format for training data, support for transfer learning, ElectronJS 8.0 support, and numerous other changes.
-
More details: The Glean Python SDK, which mozregression now uses for telemetry, requires Python 3. This provided the impetus to port the GUI itself to Python 3 and PySide2 (the modern incarnation of PyQt), which brought with it a much easier installation/development experience for the GUI on platforms like Mac and Linux.
-
Vulnerabilities that can be exploited for zero-click attacks are rare and are prized by attackers because they don't require tricking targets into taking any action—an extra step that adds uncertainty in any hacking scheme. They’re also valuable, because less interaction means fewer traces of any malicious activity. Zero-click exploits are often thought of as highly reliable and sophisticated tools that are only developed and used by the most well-funded hackers, particularly nation state groups.
The ZecOps research suggests a different story, though: Perhaps attackers are willing to settle in some cases for using less reliable, but cheaper and more abundant zero-click tools.
"I think there are more zero-clicks out there. It doesn't have to be 'nation state-grade,'" says ZecOps founder and CEO Zuk Avraham. "Most wouldn't care if it's not 100 percent successful, or even 20 percent successful. If the user doesn't notice it, you can retry again."
-
Another software company, data graph vendor Apollo, based in San Francisco, is one of the founding members of the GraphQL Foundation and also has a commercial Data Graph Platform based on GraphQL.
-
Messaging app Telegram is developing a group video calling service that’s due to be launched later this year, the company announced today. It says that current options offer either security or usability, but that its version will offer both. Telegram announced the plans alongside news that it reached 400 million monthly active users, doubling its user base in two years.
Telegram’s claim that current group video calling services offer either security or usability is a not-so-subtle swipe at user-friendly Zoom, which has been hit by multiple security scandals in recent months. Critics pointed out that the service’s claims about offering end-to-end encryption were false, and that its default privacy settings made it easy for uninvited users to tap into video calls. That said, Telegram has also faced its share of criticism from the security community in part because its end-to-end encryption is not enabled by default.
-

LXQt 0.15 Released
-
Friday marked the release of LXQt 0.15, the first big update to this lightweight Qt5-based desktop environment since January 2019. The release brings a fair number of improvements to the desktop, which was born out of the LXDE and Razor-qt initiatives.
-
The LXQt project has released today the LXQt 0.15.0 update for their open-source and lightweight desktop environment for GNU/Linux distributions.
Arriving three months after version 0.14, the LXQt 0.15.0 release packs many improvements and new features. The most prominent one is LXQt Archiver, a brand-new and fully functioning archive manager that integrates with PCManFM-Qt by default and is based on its LibFM-Qt core library.
Talking about PCManFM-Qt, the default file manager of LXQt, it received several improvements. These include better keyboard navigation, support for single window mode, the ability to save mount passwords, richer file tooltips, as well as smarter extension handling on the LXQt file dialog.