Security Leftovers

Security
  • Security updates for Friday [LWN.net]

    Security updates have been issued by Gentoo (freetype), openSUSE (mailman), Red Hat (firefox, java-11-openjdk, OpenShift Container Platform 3.11.306 jenkins, and rh-maven35-jackson-databind), SUSE (kernel, mercurial, openldap2, python-pip, and xen), and Ubuntu (firefox, netty-3.9, and python-pip).

  • An Analysis of 5 Million OpenPGP Keys

    In July I finished my Bachelor’s Degree in IT Security at the University of Applied Sciences in St. Poelten. During the studies I did some elective courses, one of which was about Data Analysis using Python, Pandas and Jupyter Notebooks. I found it very interesting to do calculations on different data sets and to visualize them. Towards the end of the Bachelor I had to find a topic for my Bachelor Thesis and as a long time user of OpenPGP I thought it would be interesting to do an analysis of the collection of OpenPGP keys that are available on the keyservers of the SKS keyserver network.

    So in June 2019 I fetched a copy of one of the key dumps of one of the keyservers (some keyservers publish these copies of their key database so people who want to join the SKS keyserver network can do an initial import). At that time the copy of the key database contained 5,499,675 keys and was around 12GB. Using the hockeypuck keyserver software I imported the keys into a PostgreSQL database. Hockeypuck uses a table called keys to store the keys and in there the column doc stores the OpenPGP keys in JSON format (always with a data field containing the original unparsed data).

    For the thesis I split the analysis into three parts, first looking at the Public Key packets, then analysing the User ID packets and finally studying the Signature Packets. To analyse the respective packets I used SQL to export the data to CSV files and then used the pandas read_csv method to create a dataframe of the values. In a couple of cases I did some parsing before converting to a DataFrame to make the analysis step faster. The parsing was done using the pgpdump python library.

    Together with my advisor I decided to submit the thesis for a journal, so we revised and compressed the whole paper and the outcome was now

  • Exploring 8chan's hosting infrastructure | Netcraft News

    In a recent post, Brian Krebs discussed a technique for disrupting 8chan, a controversial message board. Ron Guilmette, a security researcher, spotted that N.T. Technology, the hosting company owned by 8chan’s current operator, no longer has the right to transact business as it is in the “administrative hold” state. ARIN, the Internet registry N.T. Technology obtained its IP address allocation from, would be within its rights to reclaim the IP address space.

    Ron Guilmette is an expert in this type of analysis - last year he discovered the theft of $50 million worth of IP addresses in AFRINIC’s service region.

    However, taking down 8chan is unlikely to be as simple as requesting that ARIN deallocate its IP address space. After deallocation, the IP addresses may continue to be advertised as fullbogons - netblocks that are used on the Internet despite not being assigned to an end user. While some Internet service providers do block fullbogons, this is by no means universal.

  • 23 Extensions to Enhance your Security and Privacy on Google Chrome and Chromium-based Browser

    According to a statistical report published by Statista in July 2020, Google Chrome accounted for 69% of the global desktop web-browser market share by June 2020, with an 11% increase from the previous year.

    Google Chrome is mostly based on Chromium, which is an open-source web browser released and maintained by Google. Chromium itself is the base for a dozen other browsers that are compatible with the Google Chrome Web Store.

    In this article we will guide you through the best privacy and security browser extensions for Google Chrome and Chromium-based web browsers that support Google Chrome Web store.

Single Points of Failure and Proprietary Entrapment (Microsoft GitHub)

  • Ahmad Haghighi: GitLab blocked Iranians’ access.

    On 3rd Oct. 2020 GitLab blocked Iranians’ access (based on IP) without any prior notice! and five days later (8th Oct.) my friend’s account was blocked and he still doesn’t have any access to his projects! even after creating a ticket and asking for temporary access only to export his projects, GitLab refused to unblock him! (screenshot in appendix). My friend is not the only one who was blocked by GitLab; with a simple search on the web you can find a growing list of blocked accounts. So I decided to move from GitLab and EVERY Free Software based/hosted/managed on/in the USA. When it comes to USA policies, Free Software is a Joke :) GitLab is not the only actor in this discrimination against Persian/Iranian people; we are also blocked by GitHub, Docker, NPM, Google Developer, Android, AWS, Go, Kubernetes, etc.

  • ‘youtube-dl’ downloading software removed from GitHub by RIAA takedown notice

    This takedown notice does not necessarily spell the permanent end of youtube-dl. GitHub always immediately takes down any source code project that receives a DMCA notice like this, but the project’s creators will have an opportunity to file a counterclaim in the hopes of restoring youtube-dl’s status on GitHub. We’ll be keeping an eye on the situation as it develops.

  • RIAA DMCAs GitHub into nuking popular YouTube video download tool, says it can be used to slurp music

    YouTube-DL is pretty simple to use: you give the command-line program the URL of any YouTube video, and it will fetch the material and save it to your computer for future playback.

  • Recording Industry Association of America Gets Youtube-dl Kicked Off GitHub

    Microsoft GitHub has removed all traces of the very useful youtube-dl utility for downloading videos from YouTube and other websites, including this one, following a questionable DMCA request from the Recording Industry Association of America.

    youtube-dl is a simple command-line utility that lets you easily download audio and videos from just about any website with a video file embedded in it. It works on sites like this one. A lot of software, including the popular video player mpv, can use it to download video fragments on the fly so videos embedded in web pages can be opened and played as if they were local files.

    The Recording Industry Association of America submitted a DMCA request to Microsoft GitHub on October 23rd, 2020, demanding that youtube-dl be removed from the Internet. The complaint contains this rather misleading claim: [...]

today's howtos

  • How to install NotepadQQ on Linux

    NotepadQQ is an exciting application that attempts to bring Linux users what Notepad++ does on Windows: an impressive, Microsoft Notepad-like text editor that supports various programming languages and other useful features. Here’s how to get it installed on your Linux system.

  • How to Install and Configure Squid Proxy on Ubuntu 20.04 | Linuxize

    Squid is a full-featured caching proxy supporting popular network protocols like HTTP, HTTPS, FTP, and more. It can be used to improve the web server’s performance by caching repeated requests, filter web traffic, and access geo-restricted content. This tutorial explains how to set up a Squid Proxy on Ubuntu 20.04 and configure Firefox and Google Chrome web browsers to use it.

  • How to set up the Jellyfin media server on Linux

    The Jellyfin developers offer up a myriad of ways to install the media server on the Linux platform. From Docker to downloadable DEBs and custom packages in the Arch Linux AUR. In this guide, we’ll focus on downloadable packages. However, if you are an advanced Linux user and know how to use Docker, click here to get your hands on it. To start installing Jellyfin on your Linux server, open up a terminal window via SSH or by physically sitting in front of it. After that, follow the command-line installation instructions outlined below.

  • libtraceevent>=5.9-1 update requires manual intervention

    The libtraceevent package prior to version 5.9-1 was missing a soname link. This has been fixed in 5.9-1, so the upgrade will need to overwrite the untracked files created by ldconfig.

  • Parabola GNU/Linux-libre: [From Arch] libtraceevent>=5.9-1 update requires manual intervention

  • How to Install and Configure FreeNAS 11.3 U5 Storage on VMware Workstation - SysAdmin

    This video tutorial shows how to install and configure FreeNAS 11.3 U5 Storage on VMware Workstation step by step.

  • How to check the sshd Logs on Linux? – Linux Hint

    sshd stands for Secure SHell Daemon. It is a background process that silently listens for all the authentication and login attempts on the Linux operating system. It is especially helpful if you are trying to figure out any unauthorized login attempts to your system. This article explains how to check the sshd logs on Linux.

  • How to Check If a Port Is in Use in Linux – Linux Hint

    At any single instance, multiple ports can be open in your system, so it can be useful to determine which ports are open. This article shows you four possible methods to use to check whether a port is in use in Linux.

  • Best Books for Learning Linux – Linux Hint [Ed: Caution for spammy links in the referrer spam sense]

    Books are important learning resources for both beginners and experts, but with all the books available on the market, it may be difficult to choose just one. Here, we review five books on Linux to help you choose.

  • How to change Chrome profile name

    Chrome has support for multiple profiles. What differentiates one profile from the other is the Google account that is (or isn’t) connected to a profile. Users can create a new Chrome profile and sync it with their Google account, or they can skip adding an account and keep everything local. What a user cannot do is create a profile that has no name.

Android Leftovers

Audiocasts/Shows: Noodlings, Python Bytes, Going Linux, Linux in the Ham Shack and Hackaday

  • Noodlings | Inspiration Is Around You – CubicleNate's Techpad

    This is the 21st hot-pocket-sized podcast that won’t scorch the roof of your mouth. I have a small collection of vintage or near vintage gaming consoles. I lean mostly in the Nintendo party as I think they have a great grasp on what is fun. I don’t always agree with many of their business practices but the entertainment they have provided is multi-generationally successful. In order to lower the wasted time of hooking these systems up to enjoy and better organize their presentation, I built a Gaming Rack that was inspired by watching a YouTube channel called Retro Recipes. Seeing how nicely laid out and easily enjoyed they were set up, I made the decision that I must adapt this idea to my little world.

  • Episode #204 Take the PSF survey and Will & Carlton drop by - [Python Bytes Podcast]

    Python Bytes podcast delivers headlines directly to your earbuds.

  • Going Linux #398

    In our second of two parts on editing and managing photos on Linux we describe a few additional applications for you to try. We share what they do but the trying is up to you! We also reveal what we are doing for our 400th episode.

  • LHS Episode #374: The Weekender LVIV | Linux in the Ham Shack

    It's time once again for The Weekender. This is our bi-weekly departure into the world of amateur radio contests, open source conventions, special events, listener challenges, hedonism and just plain fun. Thanks for listening and, if you happen to get a chance, feel free to call us or e-mail and send us some feedback. Tell us how we're doing. We'd love to hear from you.

  • Hackaday Podcast 090: DIY Linux SBC, HDMI CEC, Fake Bluepills, And SCARA Arms | Hackaday

    Hackaday editors Elliot Williams and Mike Szczys chat about our favourite hacks from the past week. We start off with a bit of news of the Bennu asteroid and the new Raspberry Pi Compute Module. We drive ourselves crazy trying to understand how bobbin holders on sewing machines work, all while drooling over the mechanical brilliance of a bobbin-winding build. SCARA is the belt and pulley champion of robot arms and this week’s example cleverly uses redundant bearings for better precision. And we wrap up the show looking in on longform articles about the peppering of microcontrollers found on the Bluepill and wondering what breakthroughs are left to be found for internal combustion.

