Language Selection

English French German Italian Portuguese Spanish

Security Leftovers

Filed under
Security
  • Hacking Team’s Leak Helped Researchers Hunt Down a Zero-Day

    The vulnerability, which Microsoft called “critical” in a patch released to customers on Tuesday, would allow an attacker to infect your system after getting you to visit a malicious website where the exploit resides—usually through a phishing email that tricks you into clicking on a malicious link. The attack works with all of the top browsers except Chrome—but only because Google removed support for the Silverlight plug-in in its Chrome browser in 2014.

    [...]

    In July 2015, a hacker known only as “Phineas Fisher” targeted the Italian surveillance firm Hacking Team and stole some 400 GB of the company’s data, including internal emails, which he dumped online. The hack exposed the company’s business practices, but it also revealed the business of zero-day sellers who were trying to market their exploits to Hacking Team. The controversial surveillance firm, which sells its software to law enforcement and intelligence agencies around the world—including to oppressive regimes like Sudan, Bahrain, and Saudi Arabia—uses zero-day exploits to help sneak its surveillance tools onto targeted systems.

  • Flexible, secure SSH with DNSSEC

    With version 6.2 of OpenSSH came a feature that allows the remote host to retrieve a public key in a customised way, instead of the typical authorized_keys file in the ~/.ssh/ directory. For example, you can gather the keys of a group of users that require access to a number of machines on a single server (for example, an LDAP server), and have all the hosts query that server when they need the public key of the user attempting to log in. This saves a lot of editing of authorized_keys files on each and every host. The downside is that it's necessary to trust the source these hosts retrieve public keys from. An LDAP server on a private network is probably trustworthy (when looked after properly) but for hosts running in the cloud, that’s not really practical.

More in Tux Machines

FLOSSophobia

I have seen it many times. "Linux is a cancer". "Open sauce". "Linuxtard". I even remember the teacher who did not bring a laptop for her presentation and, when I offered her my Linux netbook, she rejected it as if I had presented her something illegal. She tried to use an old Windows computer instead but, when the computer failed, she ended up displaying her presentation with my Linux netbook. Clearly, this teacher's position was not based on ignorance or lack of expertise because she knew Linux existed and all she had to do was to display slides. Her refusal was due to indoctrination: she had learned that Linux and non-Microsoft office suites had to be rejected. Read more

Today in Techrights

Hands on With elementary OS Powered Centurion Nano Laptop by Alpha Store

If you want to buy a new laptop, no doubt you should consider the Centurion line. It will be a good choice for you, Linux aficionado. As well as for your Windows-addicted husband/wife/employees. The Centurion Nano is certainly not a “gamer” laptop. However, besides that particular use case, and for an interesting price, you will get a very competent computer, 100% compatible with Linux and usable for a broad range of tasks. Read more

Tryton and Python Deprecation Warnings

  • Trying Tryton
    The quest to find a free-software replacement for the QuickBooks accounting tool continues. In this episode, your editor does his best to put Tryton through its paces. Running Tryton proved to be a trying experience, though; this would not appear to be the accounting tool we are searching for. Tryton is a Python 3 application distributed under the GPLv3 license. Its home page mentions that it is based on PostgreSQL, but there is support for MySQL and SQLite as well. Tryton, it is said, is "a three-tier high-level general purpose application platform" that is "the core base of a complete business solution providing modularity, scalability and security". The "core base" part of that claim is relevant: Tryton may well be a solid base for the creation of a small-business accounting system, but it is not, out of the box, such a system itself.
  • Who should see Python deprecation warnings?
    As all Python developers discover sooner or later, Python is a rapidly evolving language whose community occasionally makes changes that can break existing programs. The switch to Python 3 is the most prominent example, but minor releases can include significant changes as well. The CPython interpreter can emit warnings for upcoming incompatible changes, giving developers time to prepare their code, but those warnings are suppressed and invisible by default. Work is afoot to make them visible, but doing so is not as straightforward as it might seem. In early November, one sub-thread of a big discussion on preparing for the Python 3.7 release focused on the await and async identifiers. They will become keywords in 3.7, meaning that any code using those names for any other purpose will break. Nick Coghlan observed that Python 3.6 does not warn about the use of those names, calling it "a fairly major oversight/bug". In truth, though, Python 3.6 does emit warnings in that case — but users rarely see them.