Navigation

Language Selection

Search

Leftovers: Security

Submitted by Rianne Schestowitz on Friday 25th of September 2015 08:59:54 AM Filed under

Security

Security updates for Thursday
Microsoft puts a bullet in blundering D-Link's leaked key that made malware VIPs on PCs

Microsoft has finally revoked D-Link's leaked code-signing key, which gave malware the red carpet treatment on millions of Windows PCs.

Last week, it emerged that, for six months between February and September, D-Link exposed its private code-signing key to the world in a firmware download. Anyone who stumbled upon this key could use it to dress up malware as a legit-looking D-Link application, tricking Windows and users into trusting it.

The key expired at the start of this month, meaning it cannot be used to digitally sign new malware. But any software nasties signed using the key earlier in the year would still be trusted and run by Windows PCs.
Filling in the holes in Linux boot chain measurement, and the TPM measurement log

When I wrote about TPM attestation via 2FA, I mentioned that you needed a bootloader that actually performed measurement. I've now written some patches for Shim and Grub that do so.

The Shim code does a couple of things. The obvious one is to measure the second-stage bootloader into PCR 9. The perhaps less expected one is to measure the contents of the MokList and MokSBState UEFI variables into PCR 14. This means that if you're happy simply running a system with your own set of signing keys and just want to ensure that your secure boot configuration hasn't been compromised, you can simply seal to PCR 7 (which will contain the UEFI Secure Boot state as defined by the UEFI spec) and PCR 14 (which will contain the additional state used by Shim) and ignore all the others.
Would you trust Intel, Vodafone, Siemens et al with Internet of Things security? You'll have to

A new non-profit foundation dedicated to improving security in the "internet of things" launched on Wednesday.

More than 30 companies including Intel, Vodafone, Siemens, and BT are the founding members of the foundation, whose mission is to "make the Internet of Things secure, to aid its adoption, and maximize its benefits."

The IoTSF will focus on best practices and knowledge sharing. It will host a conference in London in December on IoT security.
Security wares like Kaspersky AV can make you more vulnerable to attacks

Login or register to post comments
Printer-friendly version
964 reads
PDF version

More in Tux Machines

Android Leftovers

Weston 10.0.1 - a bug-fix release

The latest release of Weston was made on February 1, 2022. Meanwhile, a few bugs were discovered and we decided to do a bug-fix release, which we haven't had in several years.

Videos: Dwm, GTK5, and The Linux Experiment on Privacy

Dwm Is a GREAT Window Manager (After It's Patched!) - Invidious

I've spent the last two days living in "dwm" again, mainly working a build for DTOS. I've patched it to include some important functionality that I think is critical--especially adding support for keychords!
GTK5 Might Be Wayland Only! Xorg Users Seething - Invidious

Wayland is the future and that's a fact whether it's a good future we'll have to see about and that future might come a little bit quicker for GTK because a discussion has been opened to decide whether that it will have X11 and Xorg support
The Linux Experiment: Privacy is DEAD, I have NOTHING TO HIDE, and other privacy myths and misconceptions - Invidious

today's howtos

How to install IntelliJ IDEA Community on Pop!_OS 22.04 - Invidious

In this video, we are looking at how to install IntelliJ IDEA Community on Pop!_OS 22.04.
How to install and configure Prometheus mysql exporter in linux

The Prometheus Mysql exporter is a tool that periodically runs configured queries against a Mysql Server and exports the result as prometheus gauge metrics. It can be configured to collect MySQL metrics like queries per second (QPS) and InnoDB buffer pool size MySQL. Prometheus is an open-source software application used for event monitoring and alerting. It can be used along with a visualization tool like Grafana to easily create and edit dashboards, query, visualize, alert on, and understand your metrics. We will configure Prometheus to scrape MySQL Exporter metrics and optionally ship them.
How to install Friday Night Funkin' ONLINE VS on a Chromebook

Today we are looking at how to install Friday Night Funkin' ONLINE VS on a Chromebook. Please follow the video/audio guide as a tutorial where we explain the process step by step and use the commands below.
How to Annotate Screenshots in Linux With Pensela

Capturing and annotating screenshots effectively requires the right software. Depending on your requirements, Linux has a wide selection of tools for this purpose. However, not all of them include the essential screenshot functions.
The role of name resolution in networking

Name resolution is the process of associating names and IP addresses, and it's one of the most essential services on a network. People understand descriptive names, but network communications require difficult-to-remember addresses. While it's simple enough for network administrators to connect to webserver3, a computer needs the destination server's IP address to establish communications. This article explains network host identities and the DNS name resolution process. The next two articles in this series cover troubleshooting from the perspective of both clients and DNS servers.
Write with a little help from a stylish friend
How Can Containers Help You Use Microservices in DevOps? - Container Journal

For many companies today, containers and microservices are both becoming a normal part of the industry landscape. According to a global survey put out by Statista in 2021, 19% of enterprise organizations today say they are already utilizing containers to achieve their business goals, while 92% of respondents claim microservices to be a success factor. That said, containers and microservices are not the same—and will ultimately affect the success of DevOps teams in different ways.
TrueNAS SCALE is a brilliant Network Attached Storage solution with a slight learning curve | TechRepublic

Your business or family probably uses something akin to Google Drive to store files and folders. That makes perfect sense, given how everyone needs ready access to data at all times. But there are some pieces of data you don’t want to be housed by a third-party service, such as sensitive information you don’t want to risk becoming public. When you have such information, or simply want easy access to file storage within your LAN, you should turn to open-source solutions such as TrueNAS.
How to Split Large Text File into Smaller Files in Linux

Linux has several utilities for breaking down large files into small files. Split and csplit are two of the popular commands which are used for this purpose. These utilities will help to break down big log files and even archive files to make it into a smaller size. This will make it convenient to split large files into smaller sizes so that it fits on smaller media storage devices like USB to meet our purpose. By this technique, we can even speed up network file transfers, because parallel transfers of small files are usually faster.

Latest News

Running the Steam Deck’s OS in a virtual machine using QEMU

The Steam Deck is a handheld gaming computer that runs a Linux-based operating system called SteamOS. The machine comes with SteamOS 3 (code name “holo”), which is in turn based on Arch Linux. Although there is no SteamOS 3 installer for a generic PC (yet), it is very easy to install on a virtual machine using QEMU. This post explains how to do it. The goal of this VM is not to play games (you can already install Steam on your computer after all) but to use SteamOS in desktop mode. The Gamescope mode (the console-like interface you normally see when you use the machine) requires additional development to make it work with QEMU and will not work with these instructions. A SteamOS VM can be useful for debugging, development, and generally playing and tinkering with the OS without risking breaking the Steam Deck. Running the SteamOS desktop in a virtual machine only requires QEMU and the OVMF UEFI firmware and should work in any relatively recent distribution.

today's leftovers

Dead Rising 1 and 2 Make it as Steam Deck Verified Titles

But not just Dead Rising! Valve has progressed in testing more games and we are at more than 3700 games validated (3719 games to be precise at the time of publication) on the Steam Deck – in two categories...
Linux is more popular than ever, thanks to Valve’s Steam Deck | PCGamesN

The Steam Deck is undeniably a popular handheld gaming PC, and its street cred is helping Linux grab a larger slice of the market pie. While Windows 10 still reigns supreme within the operating system scene, more Steam users than ever are playing games on versions of the Unix-like OS.
Behind open DORS – Conference organizers share their thoughts on Canonical, Ubuntu, snaps, and open-source | Ubuntu

A Linux conference almost as old as Linux itself. In mid-May, DORS/CLUC hosted its 29th event at the Faculty of Electrical Engineering and Computing in Zagreb, Croatia. With a long history of participation and contribution to open source communities, Canonical was one of the sponsors at the conference, with a busy schedule that included a presentation on snaps, an Ask Me Anything (AMA) session, and several interviews. Typically, at conference events, the conference presenters (and attendees) are the ones who get interviewed. This time, we decided to add a spin. I interviewed the event’s organizers. For a good hour and half, I spoke to Svebor Prstacic, the president of HrOpen and Vedran Lebo, the co-chair of the conference and president of HULK (an aptly acronymized organization that translates to The Croatian Linux Users Association). We discussed the origins of DORS, the value and importance of Linux and open source, the relation with Canonical, and the future.
KDE Dev-Vlog 4: Too Much Spectacle! – Felix Ernst

Sometimes it is the smallest thing that makes the biggest difference for our users. This video shows the cause and the thoughts behind such a small change on a small application.
Brenda is classic automata nightmare fuel | Arduino Blog

Art is a strange thing. Sometimes its purpose is purely aesthetic. Sometimes it makes a statement. And sometimes it exists to disturb. Kinetic art is no different and some robots fall into this category. Graham Asker’s art elicits pondering on the relationship between humans and robots, as well as the relationships between different robots. But as Brenda, a classical-style automaton, demonstrates, Asker’s art can also induce nightmares. Brenda and her companion Brian are strange, bodiless robots designed to mimic the aesthetics of automatons from myth and history. Each robot is a construction of beautiful brass, mechanical joints, linkages, and cables. Servos hidden inside the bases of the robots actuate the various joints, giving Brenda and Brian the ability to emote. Most of their “facial” movement is in their eyes. Lifelike eyeballs look around from within heavy eyelids, while pivoting eyebrows help to convey expressions.

Free, Libre, and Open Source Software/Events

SearXNG: The Open Source Metasearch Engine that puts your Privacy First

SearXNG is a free internet metasearch engine which aggregates results from various search services and databases. Users are neither tracked nor profiled. You can easily find dozens of secure and private instances for your search that are hosted securely for free on many servers. Furthermore, some of these servers are hosted on Tor, which grants more security and privacy.
The Apache Software Foundation Announces ApacheCon 2022 Schedule : The Apache Software Foundation Blog

– The Apache Software Foundation (ASF), the all-volunteer developers, stewards, and incubators of more than 350 open source projects and initiatives, announced today the initial schedule for ApacheCon North America 2022. ApacheCon is the annual convention of the Apache Software Foundation, showcasing content from many of the project communities at the ASF. ApacheCon will be held at the Canal Street Sheraton in New Orleans, LA, from October 3-6, 2022. ApacheCon this year will feature four days of sessions, with seven tracks each day. Tracks will focus on Search, Big Data, Internet of Things, Community, Geospatial, Cassandra, Financial Tech, and many other topics. For the full schedule, visit the ApacheCon North America 2022 website. Each evening will also feature Birds of a Feather (BoF) sessions, where communities will have an opportunity for freeform discussion and planning around our various projects.
Free Software Directory on IRC: Friday, July 8, starting at 12:00 EDT (16:00 UTC) — Free Software Foundation — Working together for free software

Join the FSF and friends Friday, July 8, from 12:00 to 15:00 EDT (16:00 to 19:00 UTC) to help improve the Free Software Directory.
MedPix: Free Open-Access to Thousands of Medical images, Real Cases and Medical Topics

MedPix® is a free open-access online database of medical images, teaching cases, and clinical topics, integrating images and textual metadata including over 12,000 patient case scenarios, 9,000 topics, and nearly 59,000 images.
TDF/LibreOffice QA/Dev Report: June 2022

LibreOffice 7.3.4 was released on June 9

Syndication & Social Media

Follow the site via RSS/Twitter.

Full RSS:

RSS feeds for particular topics are also available

Twitter:

Content (where original) is available under CC-BY-SA, copyrighted by original author/s.

Support Tux Machines

Help Support TM
Wall of Appreciation

Gizmoz

Debug Point

LXer

UbuntuBuzz

SparkyLinux

Linux Journal

Linux Today

System 76

Pop!_OS 22.04 LTS has landed!

Kernel Planet

Purism

LinuxSecurity.com Advisories

Debian

It's FOSS

OMG! Ubuntu!

GamingOnLinux

Slashdot

DW Latest Releases

DistroWatch

More on Tux Machines: About ● Gallery ● Forum ● Blogs ● Search ● News ● RSS Feed

Part of Bytes Media ● Sister sites below.

FSF

Ubuntu Buzz

LinuxLinks

Content available under CC-BY-SA