date 2020-07-07

Security Leftovers

How a Fake WordPress Plugin Can Kill Your Site

A nulled plugin is a copy of a premium WordPress plugin that's distributed illegally online. People who do this argue it's OK because WordPress and its derivative works (like plugins) are licensed under the General Public License (GPL). According to them, that makes it OK to copy and distribute plugins however they like. While that's technically true, pirating premium plugins comes with a cost. Legitimate WordPress plugin developers lose money and, more importantly, it compromises the security and integrity of the WordPress websites using these nulled plugins. When you hear of a WordPress site being hacked, it's often because it's running a nulled plugin.

Security updates for Friday

Security updates have been issued by CentOS (firefox, java-1.8.0-openjdk, java-11-openjdk, libvncserver, postgresql-jdbc, and thunderbird), Debian (firejail and gupnp), Fedora (cutter-re, postgresql-jdbc, radare2, and webkit2gtk3), openSUSE (chromium, firefox, kernel, and python-rtslib-fb), Oracle (container-tools:ol8, kernel, and nss and nspr), Scientific Linux (thunderbird), and SUSE (firefox, kernel, postgresql10 and postgresql12, python-ipaddress, and xen).

Reproducible Builds (diffoscope): diffoscope 155 released

The diffoscope maintainers are pleased to announce the release of diffoscope version 155. This version includes the following changes:

[ Chris Lamb ]
* Bump Python requirement from 3.6 to 3.7 - most distributions are either shipping 3.5 or 3.7, so supporting 3.6 is not somewhat unnecessary and also more difficult to test locally.
* Improvements to setup.py:
  - Apply the Black source code reformatter.
  - Add some URLs for the site of PyPI.org.
  - Update "author" and author email.
* Explicitly support Python 3.8.

[ Frazer Clews ]
* Move away from the deprecated logger.warn method to logger.warning.

[ Mattia Rizzolo ]
* Document ("classify") on PyPI that this project works with Python 3.8.

Open source tool Infection Monkey allows security pros to test their network like never before

Guardicore unveiled new capabilities for Infection Monkey, its free, open source breach and attack simulation (BAS) tool that maps to the MITRE ATT&CK knowledge base and tests network adherence to the Forrester Zero Trust framework.

The archaeology of GNOME accessibility

There are many people in the world who cannot make full use of their computers without some sort of accessibility support. Developers, though, have a tendency not to think about accessibility issues themselves; they don't (usually) need those features and cannot normally even see them. In a talk at the 2020 GUADEC virtual conference, Emmanuele Bassi discussed the need for accessibility features, their history in GNOME, and his effort to rethink how GNOME supports assistive technology.

He began by defining "accessibility" as usability by people with disabilities; this usability is often provided through the use of assistive technology of some sort. When one thinks about who benefits from accessibility, it is natural to picture people like Stephen Hawking, who clearly needed a lot of assistive technology. But that is not what the most common consumers of assistive technology look like; instead, they look like his parents, who are active people in their late 60s. They are computer-literate, but they are getting older and need more affordances than they once did.

[...]

Much of the accessibility implementation is maintained outside of the GTK source tree, which brings problems of its own. The end result is that GNOME's accessibility support never worked all that well. But it lets managers check the "accessibility" box, which is all many of them need. Unfortunately, accessibility is not a box that can be checked and forgotten about; it is a process that must be constantly kept up with. But the GNOME project ended up mostly forgetting about it. In the intervening years the world has changed. CORBA has been replaced by D-Bus, for example. Patience for out-of-tree modules is mostly gone. The move to Wayland is creating problems for existing assistive technology, as is the sandboxing that is increasingly being used for GNOME applications.

AT-SPI has been ported to D-Bus, he said, but the architecture of the accessibility subsystem as a whole is the same. It remains in the X11 world, where every application expects to have access to the entire system. This is a design that dates back to the days when applications were installed by the system administrator and could (hopefully) be trusted; they certainly were not acquired from random places on the Internet. The world has changed, he said, so accessibility support in GNOME needs to change with it. The system is "stuck" and needs a redesign. But this is hard because, unlike the situation with other desktop features, it is not possible to ask users of assistive technology to contribute. To a great extent, they simply cannot perceive what is not available to them, so it's hard to even ask them to report regressions.

The first thing that needs to happen is to consolidate the various pieces, many of which have been untouched for years. Some new functionality has been added, mostly to match new features provided by browsers, but as a whole GNOME accessibility support just doesn't really work. The abstraction layer doesn't really abstract anything, so changes typically have to be made in many places. The toolkit needs to be simplified; as things stand now, application developers expect GTK to take care of everything, but that is not the case. There is also a need for funding; this work is not trivial and it's not reasonable to expect it to be done by volunteers.