Security Leftovers

  • Hacking Team’s Leak Helped Researchers Hunt Down a Zero-Day

    The vulnerability, which Microsoft called “critical” in a patch released to customers on Tuesday, would allow an attacker to infect your system after getting you to visit a malicious website where the exploit resides—usually through a phishing email that tricks you into clicking on a malicious link. The attack works with all of the top browsers except Chrome—but only because Google removed support for the Silverlight plug-in in its Chrome browser in 2014.

    In July 2015, a hacker known only as “Phineas Fisher” targeted the Italian surveillance firm Hacking Team and stole some 400 GB of the company’s data, including internal emails, which he dumped online. The hack exposed the company’s business practices, but it also revealed the business of zero-day sellers who were trying to market their exploits to Hacking Team. The controversial surveillance firm, which sells its software to law enforcement and intelligence agencies around the world—including to oppressive regimes like Sudan, Bahrain, and Saudi Arabia—uses zero-day exploits to help sneak its surveillance tools onto targeted systems.

  • Flexible, secure SSH with DNSSEC

    With version 6.2 of OpenSSH came a feature that allows the remote host to retrieve a public key in a customised way, instead of the typical authorized_keys file in the ~/.ssh/ directory. For example, you can gather the keys of a group of users that require access to a number of machines on a single server (for example, an LDAP server), and have all the hosts query that server when they need the public key of the user attempting to log in. This saves a lot of editing of authorized_keys files on each and every host. The downside is that it's necessary to trust the source these hosts retrieve public keys from. An LDAP server on a private network is probably trustworthy (when looked after properly) but for hosts running in the cloud, that’s not really practical.
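As an added example (not code from the linked article), a minimal helper for the OpenSSH 6.2 AuthorizedKeysCommand feature described above: sshd runs it with the login name as its only argument and treats whatever it prints as authorized_keys lines, so the host's trust now rests on the store the helper reads from. The key store here is a constructed in-memory list standing in for the LDAP or DNS source, and the config paths, key-type whitelist and login-name policy are assumptions.

```shell
#!/bin/sh
# Added example (assumed paths and policy), not from the linked article.
# sshd_config on each host (OpenSSH 6.2 or later):
#   AuthorizedKeysCommand /usr/local/sbin/fetch-keys
#   AuthorizedKeysCommandUser nobody
# sshd invokes "fetch-keys <login name>" and reads keys from its stdout;
# empty output or a non-zero exit means "no keys from the command".
# AuthorizedKeysFile is still consulted as well unless it is disabled.

# Constructed stand-in for the central key store (an LDAP server or DNS
# in practice): one "login keytype base64 comment" line per key.
# The key material is placeholder text, not real keys.
KEYSTORE='alice ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataAlice alice@laptop
alice ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleAlice alice@desk
bob ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataBob bob@work
mallory ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMallory command="/bin/sh" x'

# fetch_keys LOGIN: print the authorized_keys lines for LOGIN. Because the
# store is the trust anchor here, each line is checked for shape before it
# reaches sshd: a whitelisted key type, a base64 blob, at most one comment
# field and no leading authorized_keys options. A tampered store can thus
# only supply a plain key, never extra options such as command="..." or
# from="..." that sshd would otherwise honour.
fetch_keys() {
  login=$1
  case "$login" in
    ''|*[!a-z0-9_.-]*) return 1 ;;   # refuse empty or unusual login names
  esac
  printf '%s\n' "$KEYSTORE" | awk -v u="$login" '
    $1 == u && ($2 == "ssh-ed25519" || $2 == "ssh-rsa") &&
    $3 ~ /^[A-Za-z0-9+\/=]+$/ && NF <= 4 {
      out = $2 " " $3
      if (NF == 4) out = out " " $4   # keep the comment only if present
      print out
    }'
}

# Stand-alone use as the AuthorizedKeysCommand: fetch-keys <login>
if [ -n "${1:-}" ]; then fetch_keys "$1"; fi
```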

More in Tux Machines

OSS Leftovers

  • LG Announces webOS Open-Source Edition
    What was Palm webOS nearly a decade ago is seeing its latest incarnation as LG webOS Open-Source Edition. The interesting history of webOS continues... While you probably recall HP acquired Palm in 2010 and with that there was webOS on the HP TouchPad. Around 2012 is when HP then announced they would publish the webOS source code as "Open webOS". WebOS was then acquired by LG Electronics where it's been in use for a few years now for smart TVs, IoT, and other LG devices. There's also been a few offshoots over the years like LuneOS as a fork of webOS.
  • Mi A1 Oreo Kernel source code released by Xiaomi
    Xiaomi’s first Android One phone, the Mi A1, was expected to receive the Android 8.0 Oreo update by the end of December, and the company did roll out the update to the device within the stipulated time. However, the kernel source for the upgrade was left covered, with no access to it for third-party developers. This also violated the GNU General Public License, version 2 (GPLv2) and hampered the advancement of developers who base their code on source code. Thankfully, after a delay of more than two months, Xiaomi has finally released the kernel source code of Android 8.1 for the Xiaomi Mi A1.
  • GSoC and Outreachy: Mentors don't need to be Debian Developers
    A frequent response I receive when talking to prospective mentors: "I'm not a Debian Developer yet". As student applications have started coming in, now is the time for any prospective mentors to introduce yourself on the debian-outreach list if you would like to help with any of the listed projects or any topics that have been proposed spontaneously by students without any mentor. It doesn't matter if you are a Debian Developer or not. Furthermore, mentoring in a program like GSoC or Outreachy is a form of volunteering that is recognized just as highly as packaging or any other development activity. When an existing developer writes an email advocating your application to become a developer yourself, they can refer to your contribution as a mentor. Many other processes, such as requests for DebConf bursaries, also ask for a list of your contributions and you can mention your mentoring experience there.
  • 11th Open Source Day Conference
    On May 23rd, Warsaw will host the 11th edition of Open Source Day. OSD is the largest conference about open source in Poland and the CEE region, gathering nearly 1000 participants every year. The programme of the upcoming edition is focused mainly on practical sessions devoted to the most important directions of IT market development. Registration for the event is already open. For the first 600 attendees, participation in the conference is free of charge. Open Source Day is the biggest event in Poland and the CEE region dedicated to open source. Over 6,000 people took part in previous editions, and several thousand followed the event online. Open Source Day is the knowledge exchange platform about open software, as one of the most important trends in the development of modern technologies, enabling creation of high-quality, stable IT solutions, which today are the basis for all branches of the economy.
  • March Add(on)ness: Tab Centre Redux (2) vs Tabby Cat (3)
  • March Add(on)ness: Reverse Image Search (2) Vs Unpaywall (3)
  • Facebook, Google and Big Switch Networks to Demonstrate Open Source Collaboration with Next-Gen Network Operating Systems During OCP Summit Keynote
  • 6 common questions about agile development practices for teams
    You’ve probably heard a speaker ask this question at the end of their presentation. This is the most important part of the presentation—after all, you didn't attend just to hear a lecture but to participate in a conversation and a community. Recently I had the opportunity to hear my fellow Red Hatters present a session called "Agile in Practice" to a group of technical students at a local university. During the session, software engineer Tomas Tomecek and agile practitioners Fernando Colleone and Pavel Najman collaborated to explain the foundations of agile methodology and showcase best practices for day-to-day activities.

Red Hat's GPL-Centric Initiative, Upcoming Fedora Test Day

GNU Mcron 1.1

Security: Bitwarden, Container Security, Windows at U.S. Power Plants, Firefox’s Weak Master Password Encryption

  • Behind the scenes with the Bitwarden password manager
    Having to remember passwords for web applications, email, banking, and more begat the password manager. And that begat such popular and proprietary services as LastPass and 1Password. A little over two years ago, software developer Kyle Spearrin decided the open source world needed its own web-based password manager. His company, 8Bit Solutions, develops and markets an open source alternative to services like LastPass and 1Password called Bitwarden. Recently I had the opportunity to ask Spearrin some questions about Bitwarden's origins, how it secures user information, where he sees Bitwarden going, and more.
  • Episode 88 - Chat with Chris Rosen from IBM about Container Security
  • Feds: Russian [Crackers] Are Attacking U.S. Power Plants

    The targets of these attacks include the country’s electric grid, including its nuclear power system, as well as “commercial facilities, water, aviation, and critical manufacturing sectors,” the statement said.

    The report is damning confirmation of what has for months been suspected: that [crackers] in Russia are capable of infiltrating and compromising vital systems relied on by millions of Americans. According to the new report, the attacks began at least as early as March 2016, thriving on vulnerabilities in these systems’ online operations.

  • Firefox’s Weak Master Password Encryption Can Be Cracked In Just 1 Minute [Ed: If you have physical/remote access to a machine and an account, then you have a lot more power over it than just a list of passwords]
    You might rest assured after setting a Master Password in the Firefox web browser, but it’s not as secure as you think. Last year, Mozilla did a major overhaul of their browser in the form of Firefox Quantum. But the non-profit forgot to fix the security holes that have existed in their ‘very fast’ web browser for nine years.