
About Tux Machines

Thursday, 29 Sep 16 - Tux Machines is a community-driven public service/news site which has been around for over a decade and primarily focuses on GNU/Linux.


Quick Roundup

Type Title Author Replies Last Post
Story Linux Mint's XApps to Get Screen Blanking, Sublime-like Search Bar Lands for Xed Rianne Schestowitz 29/09/2016 - 12:14pm
Story Canonical Releases Snapcraft 2.18 Tool for Creating Snaps in Ubuntu 16.04 LTS Rianne Schestowitz 29/09/2016 - 12:13pm
Story The Tiny Internet Project, Part I Rianne Schestowitz 29/09/2016 - 12:11pm
Story Today in Techrights Roy Schestowitz 29/09/2016 - 11:59am
Story Don’t be a stranger to GIMP, be GIMP… Rianne Schestowitz 29/09/2016 - 10:03am
Story Node.js 6.x LTS coming to EPEL 7 Rianne Schestowitz 29/09/2016 - 9:44am
Story Microsoft is no longer Russia’s first choice of technology provider Rianne Schestowitz 29/09/2016 - 9:40am
Story Alphabet's Plans to Create Android PCs Should Make Microsoft a Little Nervous Rianne Schestowitz 29/09/2016 - 9:38am
Story Servers/Networks Roy Schestowitz 29/09/2016 - 9:15am
Story Games for GNU/Linux Roy Schestowitz 29/09/2016 - 9:12am

Software Company Red Hat banks on India to hit $5 billion turnover in 5 years

Filed under
Red Hat

Red Hat, the open-source software company, said its India business was growing at more than double the rate of the overall company and would be an important contributor to its target of reaching $5 billion in the next five years.

Red Hat has over $2 billion in annual revenue currently and grew over 21% in constant currency last year. Open-source software is freely available, so Red Hat’s business model depends on customers paying for the support and service it offers and not on license fees, making the company’s offerings typically cheaper than proprietary software. “India is one of our fastest growing markets. Red Hat does really when there is net new infrastructure to be set up. And the rapid pace of development that India is seeing sets really well with our offerings,” James Whitehurst, CEO of Red Hat, told ET.


Docker 1.12.2 Linux App Container Engine Enters Development, Improves Swarm Mode

Filed under
Server
Software

Docker's Victor Vieux announced the other day the release and immediate availability for download of the first RC (Release Candidate) snapshot of the upcoming Docker 1.12.2 open-source application container engine.

The first point release of Docker 1.12, a major branch that introduced built-in orchestration and routing mesh, a brand new Swarm Mode, as well as numerous networking security improvements, Docker 1.12.1, was announced last month on the 18th, and since then the development team never stopped improving the software.


FreeBSD Delaaays and OpenBSD Founder Theo de Raadt Upset

Filed under
BSD
  • FreeBSD 11.0-RELEASE Needs To Be Respun Due To Security Issues

    The delayed FreeBSD 11.0 release just suffered another last-minute set-back. While "FreeBSD 11.0-RELEASE images" were distributed to FTP mirrors and the official announcement expected today, these images need to be re-spun to contain some security fixes and thus pushing back the official release.

    Glen Barber noted today on the mailing list, "Although the FreeBSD 11.0-RELEASE has not yet been officially announced, many have found images on the Project FTP mirrors. However, please be aware the final 11.0-RELEASE will be rebuilt and republished on the Project mirrors as a result of a few last-minute security fixes we feel are imperative to include in the final release."

  • FreeBSD 11.0 Operating System Lands October 5 Due to Last-Minute Security Issues

    A few minutes ago, Glen Barber informed the FreeBSD community that they should not hurry and install the ISO images of the FreeBSD 11.0 operating system made available a few days ago on the official FTP mirrors.

    These images aren't safe to use and contain various security vulnerabilities that need to be fixed before the FreeBSD Project will officially unveil the final release of the FreeBSD 11.0 operating system in the coming days. According to the release schedule, FreeBSD 11.0 should hit the streets later today, September 29, 2016.

    However, until then the FreeBSD development team is hard at work patching those nasty security issues and rebuilding the final ISO images, which will be made available on the respective FTP mirrors later today as FreeBSD 11.0-RELEASE-p1. If you're already running FreeBSD 11.0-RELEASE, you will soon be provided with instructions to safely update your system

  • OpenBSD Founder Calling For LLVM To Face A Cataclysm Over Its Re-Licensing

    For over one year there's been talk of LLVM pursuing a mass relicensing from its University of Illinois/NCSA Open Source License, which is similar to the three-clause BSD license, to the Apache 2.0 license with explicit mention of GPLv2 compatibility. As mentioned in that aforelinked article, this re-licensing is moving ahead.

Ubuntu Studio 16.10 to Offer an Up-to-Date Multimedia Oriented Linux Distro

Filed under
GNU
Linux
Ubuntu

We reported earlier today, September 28, 2016, on the availability of the Final Beta (Beta 2) development milestone of the upcoming Ubuntu 16.10 (Yakkety Yak) operating system and its official derivatives.

We've already talked here about what's new in the Beta 2 of Ubuntu MATE 16.10, Lubuntu 16.10, and Kubuntu 16.10, and now we would like to tell you a little bit about Ubuntu Studio 16.10, which promises to offer users an up-to-date multimedia oriented Linux-based operating system.

That's right, it looks like today's Ubuntu Studio 16.10 (Yakkety Yak) Beta 2 snapshot comes with all the latest software releases and a bunch of new apps that you might need for audio, video, or graphics processing jobs. But first, we need to tell you that Ubuntu Studio 16.10 is powered by a low-latency Linux 4.8 kernel.


Also: Ubuntu GNOME 16.10 Beta 2 Released with Many Apps from the GNOME 3.22 Stack

Raspberry Pi Announces PIXEL Desktop Environment

Filed under
GNU
Linux

Today the Raspberry Pi Foundation formally announced the Raspberry Pi PIXEL, their own desktop that will be used in future Raspbian spins.

PIXEL is short for Pi Improved Xwindows Environment, Lightweight desktop. PIXEL is derived from the LXDE desktop environment but with both appearance and fundamental changes, including some new applications.


today's leftovers

Filed under
Misc
  • 'Do you really need to do that?'

    A new postdoc student arrived at our department this semester, and after learning that he uses GNU/Linux for all his computing, I invited him along to TFUG. During some of our meetings people asked “how could I do X on my GNU/Linux desktop?” and, jokingly, the postdoc would respond “the answer to your question is ‘do you really need to do that?’” Sometimes the more experienced GNU/Linux users at the table would respond to questions by suggesting that the user should simply give up on doing X, and the postdoc would slap his thigh and laugh and say “see? I told you that’s the answer!”

    The phenomenon here is that people who have at some point made a commitment to at least try to use GNU/Linux for all their computing quickly find that they have come to value using GNU/Linux more than they value engaging in certain activities that only work well/at all under a proprietary operating system. I think that this is because they get used to being treated with respect by their computer. And indeed, one of the reasons I’ve almost entirely given up on computer gaming is that computer games are non-free software. “Are you sure you need to do that?” starts sounding like a genuine question rather than simply a polite way of saying that what someone wants to do can’t be achieved.

  • Highlights of YaST development sprint 25

    Another development sprint is over. Time flies! In our previous post we already reported about the branching of Tumbleweed and the upcoming releases and about the expected consequences: the landing of some cool features in a less conservative Tumbleweed.

  • Mintbox Mini Pro is a little Linux PC with big specs for $395
  • PepeLine is a 3D puzzle game that will get you addicted instantly
  • GNU Tools Cauldron 2016, ARMv8 multi-arch edition

    That is what my England trip for the GNU Tools Cauldron was, but that only seemed to add to the pleasure of meeting friends again. I flew in to Heathrow and started on an almost long train journey to Halifax, with two train changes from Reading. I forgot my phone on the train but the friendly station manager at Halifax helped track it down and got it back to me. That was the first of the many times I forgot stuff in a variety of places during this trip. Like I discovered that I forgot to carry a jacket or an umbrella. Or shorts. Or full length pants for that matter. Like I purchased an umbrella from Sainsbury’s but forgot to carry it out. I guess you got the drift of it.

Networking and Security

Filed under
Server
Security
Web
  • FAQ: What's so special about 802.11ad Wi-Fi?

    Here are the broad strokes about 802.11ad, the wireless technology that’s just starting to hit the market.

  • 2.5 and 5 Gigabit Ethernet Now Official Standards

    In 2014, multiple groups started efforts to create new mid-tier Ethernet speeds with the NBASE-T Alliance starting in October 2014 and MGBASE-T Alliance getting started a few months later in December 2014. While those groups started out on different paths, the final 802.3bz standard represents a unified protocol that is interoperable across multiple vendors.

    The promise of 2.5 and 5 Gbps Ethernet is that they can work over existing Cat5 cabling, which to date has only been able to support 1 Gbps. Now with the 802.3bz standard, organizations do not need to rip and replace cabling to get Ethernet that is up to five times faster.

    "Now, the 1000BASE-T uplink from the wireless to wired network is no longer sufficient, and users are searching for ways to tap into higher data rates without having to overhaul the 70 billion meters of Cat5e / Cat6 wiring already sold," David Chalupsky, board of directors of the Ethernet Alliance and Intel principal engineer, said in a statement. "IEEE 802.3bz is an elegant solution that not only addresses the demand for faster access to rapidly rising data volumes, but also capitalizes on previous infrastructure investments, thereby extending their life and maximizing value."

  • A quick fix for stupid password reset questions

    It didn’t take 500 million hacked Yahoo accounts to make me hate, hate, hate password reset questions (otherwise known as knowledge-based authentication or KBA). It didn't help when I heard that password reset questions and answers -- which are often identical, required, and reused on other websites -- were compromised in that massive hack, too.

    Is there any security person or respected security guidance that likes them? They are so last century. What is your mother’s maiden name? What is your favorite color? What was your first pet’s name?

  • French hosting provider hit by DDoS close to 1TBps

    A hosting provider in France has been hit by a distributed denial of service attack that went close to one terabyte per second.

    Concurrent attacks against OVH clocked in at 990GBps.

    The attack vector is said to be the same Internet-of-Things botnet of 152,464 devices that brought down the website of security expert Brian Krebs.

    OVH chief technology officer Octave Klaba tweeted that the network was capable of attacks up to 1.5TBps.

  • Latest IoT DDoS Attack Dwarfs Krebs Takedown At Nearly 1Tbps Driven By 150K Devices

    If you thought that the massive DDoS attack earlier this month on Brian Krebs’ security blog was record-breaking, take a look at what just happened to France-based hosting provider OVH. OVH was the victim of a wide-scale DDoS attack that was carried out via a network of over 152,000 IoT devices.

    According to OVH founder and CTO Octave Klaba, the DDoS attack reached nearly 1 Tbps at its peak. Of those IoT devices participating in the DDoS attack, they were primarily comprised of CCTV cameras and DVRs. Many of these types of devices' network settings are improperly configured, which leaves them ripe for the picking for hackers that would love to use them to carry out destructive attacks.

Android Leftovers

Filed under
Android
  • Goodbye QWERTY: BlackBerry stops making hardware

    BlackBerry CEO John Chen has been hinting at this move for almost a year now: today BlackBerry announced it will no longer design hardware. Say goodbye to all the crazy hardware QWERTY devices, ultra-wide phones, and unique slider designs.

    Speaking to investors, BlackBerry CEO John Chen described the move as a "pivot to software," saying, "The company plans to end all internal hardware development and will outsource that function to partners. This allows us to reduce capital requirements and enhance return on invested capital." The "Outsourcing to partners" plan is something we've already seen with the "BlackBerry" DTEK50, which was just a rebranded Alcatel Idol 4.

    Chen is now betting the future of the company on software, saying, "In Q2, we more than doubled our software revenue year over year and delivered the highest gross margin in the company's history. We also completed initial shipments of BlackBerry Radar, an end-to-end asset tracking system, and signed a strategic licensing agreement to drive global growth in our BBM consumer business."

    BlackBerry never effectively responded to the 2007 launch of the iPhone and the resulting transition to modern touchscreen smartphones. BlackBerry took swings with devices like the BlackBerry Storm in 2008, its first touchscreen phone; and the BlackBerry Z10 in 2013, the first BlackBerry phone with an OS designed for touch, but neither caught on. BlackBerry's first viable competitor to the iPhone didn't arrive until it finally switched to Android in 2015 with the BlackBerry Priv. It was the first decent BlackBerry phone in some time, but the high price and subpar hardware led to poor sales.

  • Oracle's 'Gamechanger' Evidence Really Just Evidence Of Oracle Lawyers Failing To Read

    Then on to the main show: Oracle's claim that Google hid the plans to make Android apps work on Chrome OS. Google had revealed to Oracle its "App Runtime for Chrome" (ARC) setup, and it was discussed by Oracle's experts, but at Google I/O, Google revealed new plans for apps to run in Chrome OS that were not using ARC, but rather a brand new setup, which Google internally referred to as ARC++. Oracle argued that Google only revealed to them ARC, but not ARC++ and that was super relevant to the fair use argument, because it showed that Android was replacing more than just the mobile device market for Java. But, here's Oracle's big problem: Google had actually revealed to Oracle the plans for ARC++. It appears that Oracle's lawyers just missed that fact. Ouch.

  • Understanding Android's balance between openness and security

    At the 2016 Structure Security conference, Google's Adrian Ludwig talked about the balance between keeping Android as open as possible, while also keeping it secure.

  • Google's Nougat Android update hits the sweet spot: Software 'isn't flashy, but still pretty handy'

    Nougat, Google's latest update of its Android smartphone software, isn't particularly flashy; you might not even notice what's different about it at first.

    But it offers a number of practical time-saving features, plus a few that could save money — and perhaps even your life.

    Nougat is starting to appear on phones, including new ones expected from Google next week.

  • How to change the home screen launcher on Android
  • Andromeda: Chrome OS and Android will merge
  • Sale of Kodi 'fully-loaded' streaming boxes faces legal test
  • Android boxes: Middlesbrough man to be first to be prosecuted for selling streaming kits

Endless OS 3.0 is out!

Filed under
GNU
Linux
GNOME

So our latest and greatest Endless OS is out with the new 3.0 version series!
The shiny new things include the use of Flatpak to manage the applications; a new app center (GNOME Software); a new icon set; a new Windows installer that gives you the possibility of installing Endless OS in dual-boot; and many bug fixes.


Expandable, outdoor IoT gateway runs Android on i.MX6

Filed under
Android
Linux

VIA’s “Artigo A830” IoT gateway runs Android on an i.MX6 DualLite SoC and offers HDMI, GbE, microSD, numerous serial and USB ports, plus -20 to 60°C operation.

As the name suggests, the VIA Technologies Artigo A830 Streetwise IoT Platform is designed for outdoor Internet of Things gateway applications. These are said to include smart lockers, vending machines, information kiosks, and signage devices that run “intensive multimedia shopping, entertainment, and navigation applications.” The outdoors focus is supported with an extended -20 to 60°C operating range, as well as surge and ESD protection for surviving challenges such as a nearby lightning strike.


Mercedes and Kia add new Android Auto models

Buying a new car comes with a myriad of considerations. Is it fuel efficient? Is it safe? Will it play nicely with my phone? People sometimes neglect the last one, but you're going to be carrying the phone literally every time you get in the car, so why not make sure? Mercedes and Kia seem to get that. They've added support for Android Auto to a ton of new cars today.


Linux Kernel News

Filed under
Linux

Server Administration

Filed under
Server

Security News

Filed under
Security
  • Security advisories for Wednesday
  • Facebook, Uber, Slack, and Pandora Pros Praise Free Security Tools

    Proponents of open source software argue that by letting passionate developers get involved and tweak underlying code, the tools they create are stronger and more reliable. Plus, for companies looking to bolster their digital defenses, the software has the added benefit of being free.

  • LibreSSL 2.5
  • LibreSSL 2.5 Released With New Features, iOS Support

    LibreSSL 2.5.0 is available today as the newest version of this growing fork of OpenSSL led by the OpenBSD project.

    LibreSSL 2.5's libtls implementation now supports ALPN and SNI while handling four cipher suite groups, there is tightened error handling in some areas, support for OCSP intermediate certificates, initial support for Apple's iOS platform, and a variety of other fixes and functionality improvements.

OSS Leftovers

Filed under
OSS
  • Open source storage hits the mainstream

    Open source storage has gained mainstream acceptance in high performance computing, analytics, object storage, cloud (OpenStack) and NAS use, but can it crack the enterprise?

  • Rogue Wave Improves Support for Open Source Software with IBM
  • Rogue Wave Software to improve open-source software support with IBM

    Rogue Wave Software announces it is working with IBM to help make open source software (OSS) support more available. This will help provide comprehensive, enterprise-grade technical support for OSS packages.

  • Vendors and Customers Gettin' Open Sourcey With It

    Basically, “open source enablement” seems to be about teaching customers how to embrace open source principles, both in terms of internal processes as well as external communities and ecosystems. As I've worked with many engineering and product teams over the years, I've seen many open source initiatives fail to reach their potential because of ingrained cultural obstacles that usually manifest in the form of corporate inertia that blocks forward progress.

  • Digium Announces Asterisk 14 Open Source Communications Software

    Digium®, Inc., the Asterisk® Company, today at its annual AstriCon users and developers conference, announced Asterisk 14, the next major release of the world's most popular open source communications platform. Asterisk 14 continues the track of previous major releases, such as Asterisk 12 and Asterisk 13, by offering developer- and administrator-focused features and capabilities to simplify the scaling and deployment of Asterisk within large, service-based ecosystems.

  • Announcing the open source release of MORI, from Chalkbeat

    In 2014, Chalkbeat developed and started using a WordPress plugin for tracking impact. We called it MORI — Measures of Our Reporting’s Influence. As we wrote then, MORI grew out of one of our key beliefs: Journalists can make a difference, but the ability to measure the difference we make can multiply our impact over time. If we can document how, why, when, and where we made a difference, we are more likely to repeat our success.

    The quantitative data we track in MORI lets us see the big picture of how our work affects the world, beyond raw readership analytics; the qualitative narrative we record helps us tell the story. Our editorial teams can put important impacts in the hands of our fundraising team and others to turn around and share with the broader education community.

  • ODL: Open Source Hastens Software Usability

    Open Daylight Summit -- Open source is connecting users and developers more intimately, and that's a good thing, OpenDaylight Executive Director Neela Jacques said here today.

    In kicking off the OpenDaylight Summit, Jacques said the ability of users and developers to work side-by-side is evolving, and helping drive the faster pace at which open source can bring solutions to the industry.

    "Users can sit next to the developers of the code they use, and the interaction doesn't go one way," he said. "The real difference is the way users interact with developers. This is why we are able to get production-grade solutions so much faster than you ever would in proprietary world."

  • General Electric and Bosch announce IIoT collaboration
  • GE and Bosch to create open-source industrial IoT platform

Apache Spot

Filed under
OSS

Linaro and FOSS

Filed under
Linux
Hardware
OSS
  • Linaro organisation, with ARM, aims for end-end open source IoT code
  • Linaro start open-source development for IoT on ARM Cortex-M
  • ARM open source group address IoT software confusion

    Linaro has worked with ARM, Canonical, Huawei, NXP, RDA, Red Hat, Spreadtrum, STMicroelectronics, Texas Instruments and ZTE on the new IoT software, as part of what it calls the Linaro IoT and Embedded (LITE) Segment Group.

    Group says it wants to address the design problems created by the proliferation of choices for IoT device operating systems, security infrastructure, identification, communication, device management and cloud interfaces.

    It hopes to be able to reduce fragmentation in operating systems, middleware and cloud connectivity software, through the creation of open source device reference platforms.

    Initial technical work will be focused on delivering an end to end, cross-vendor solution for secure IoT devices using the ARM Cortex-M architecture.

Ubuntu Leftovers

Filed under
Ubuntu

More in Tux Machines

LibreOffice Office Suite Celebrates 6 Years of Activity with LibreOffice 5.2.2

Today, September 29, 2016, Italo Vignoli from The Document Foundation informs Softpedia via an email announcement about the general availability of the first point release of the LibreOffice 5.2 open-source and cross-platform office suite. On September 28, the LibreOffice project celebrated its 6th anniversary, and what better way to celebrate than to push a new update of the popular open source and cross-platform office suite used by millions of computer users worldwide. Therefore, we would like to inform our readers about the general availability of LibreOffice 5.2.2, which comes just three weeks after the release of LibreOffice 5.2.1. "Just one day after the project 6th anniversary, The Document Foundation (TDF) announces the availability of LibreOffice 5.2.2, the second minor release of the LibreOffice 5.2 family," says Italo Vignoli. "LibreOffice 5.2.2, targeted at technology enthusiasts, early adopters and power users, provides a number of fixes over the major release announced in August."

OSS Leftovers

  • But is it safe? Uncork a bottle of vintage open-source FUD
    Most of the open source questioners come from larger organisations. Banks very rarely pop up here, and governments have long been hip to using open source. Both have ancient, proprietary systems in place here and there that are finally crumbling to dust and need replacing fast. Their concerns are more oft around risk management and picking the right projects. It’s usually organisations whose business is dealing with actual three dimensional objects that ask about open source. Manufacturing, industrials, oil and gas, mining, and others who have typically looked at IT as, at best, a helper for their business rather than a core product enabler. These industries are witnessing the lightning fast injection of software into their products - that whole “Internet of Things” jag we keep hearing about. Companies here are being forced to look at both using open source in their products and shipping open source as part of their business. The technical and pricing requirements for IoT scale software is a perfect fit for open source, especially that pricing bit. On the other end - peddling open source themselves - companies that are looking to build and sell software-driven “platforms” are finding that partners and developers are not so keen to join closed source ecosystems. These two pulls create some weird clunking in the heads of management at these companies who aren’t used to working with a sandals and rainbow frame of mind. They have a scepticism born of their inexperience with open source. Let’s address some of their trepidation.
  • Real business innovation begins with open practices
    To business leaders, "open source" often sounds too altruistic—and altruism is in short supply on the average balance sheet. But using and contributing to open source makes hard-nosed business sense, particularly as a way of increasing innovation. Today's firms all face increased competition and dynamic markets. Yesterday's big bang can easily become today's cautionary tale. Strategically, the only viable response to this disruption is constantly striving to serve customers better through sustained and continuous innovation. But delivering innovation is hard; the key is to embrace open and collaborative innovation across organizational walls—open innovation. Open source communities' values and practices generate open innovation, and working in open source is a practical, pragmatic way of delivering innovation. To avoid the all-too-real risk of buzzword bingo we can consider two definitions of "innovation": creating value (that serves customer needs) to sell for a profit; or reducing what a firm pays for services.
  • This Week In Servo 79
    In the last week, we landed 96 PRs in the Servo organization’s repositories. Promise support has arrived in Servo, thanks to hard work by jdm, dati91, and mmatyas! This does not fully implement microtasks, but unblocks the uses of Promises in many places (e.g., the WebBluetooth test suite). Emilio rewrote the bindings generation code for rust-bindgen, dramatically improving the flow of the code and output generated when producing Rust bindings for C and C++ code. The TPAC WebBluetooth standards meeting talked a bit about the great progress by the team at the University of Szeged in the context of Servo.
  • Servo Web Engine Now Supports Promises, Continues Churning Along
    It's been nearly two months since last writing about Mozilla's Servo web layout engine (in early August, back when WebRender2 landed) but development has kept up and they continue enabling more features for this next-generation alternative to Gecko. The latest is that Servo now supports JavaScript promises. If you are unfamiliar with the promise support, see this guide. The latest Servo code has improvements around its Rust binding generator for C and C++ code plus other changes.
  • Riak TS for time series analysis at scale
    Until recently, doing time series analysis at scale was expensive and almost exclusively the domain of large enterprises. What made time series a hard and expensive problem to tackle? Until the advent of the NoSQL database, scaling up to meet increasing velocity and volumes of data generally meant scaling hardware vertically by adding CPUs, memory, or additional hard drives. When combined with database licensing models that charged per processor core, the cost of scaling was simply out of reach for most. Fortunately, the open source community is democratising large scale data analysis rapidly, and I am lucky enough to work at a company making contributions in this space. In my talk at All Things Open this year, I'll introduce Riak TS, a key-value database optimized to store and retrieve time series data for massive data sets, and demonstrate how to use it in conjunction with three other open source tools—Python, Pandas, and Jupyter—to build a completely open source time series analysis platform. And it doesn't take all that long.
  • Free Software Directory meeting recap for September 23rd, 2016

Security News

  • security things in Linux v4.5
  • Time to Kill Security Questions—or Answer Them With Lies
    The notion of using robust, random passwords has become all but mainstream—by now anyone with an inkling of security sense knows that “password1” and “1234567” aren’t doing them any favors. But even as password security improves, there’s something even more problematic that underlies them: security questions. Last week Yahoo revealed that it had been massively hacked, with at least 500 million of its users’ data compromised by state sponsored intruders. And included in the company’s list of breached data weren’t just the usual hashed passwords and email addresses, but the security questions and answers that victims had chosen as a backup means of resetting their passwords—supposedly secret information like your favorite place to vacation or the street you grew up on. Yahoo’s data debacle highlights how those innocuous-seeming questions remain a weak link in our online authentication systems. Ask the security community about security questions, and they’ll tell you that they should be abolished—and that until they are, you should never answer them honestly. From their dangerous guessability to the difficulty of changing them after a major breach like Yahoo’s, security questions have proven to be deeply inadequate as contingency mechanisms for passwords. They’re meant to be a reliable last-ditch recovery feature: Even if you forget a complicated password, the thinking goes, you won’t forget your mother’s maiden name or the city you were born in. But by relying on factual data that was never meant to be kept secret in the first place—web and social media searches can often reveal where someone grew up or what the make of their first car was—the approach puts accounts at risk. And since your first pet’s name never changes, your answers to security questions can be instantly compromised across many digital services if they are revealed through digital snooping or a data breach.
  • LibreSSL and the latest OpenSSL security advisory
    Just a quick note that LibreSSL is not impacted by either of the issues mentioned in the latest OpenSSL security advisory - both of the issues exist in code that was added to OpenSSL in the last release, which is not present in LibreSSL.
  • Record-breaking DDoS reportedly delivered by >145k hacked cameras
    Last week, security news site KrebsOnSecurity went dark for more than 24 hours following what was believed to be a record 620 gigabit-per-second denial of service attack brought on by an ensemble of routers, security cameras, or other so-called Internet of Things devices. Now, there's word of a similar attack on a French Web host that peaked at a staggering 1.1 terabits per second, more than 60 percent bigger. The attacks were first reported on September 19 by Octave Klaba, the founder and CTO of OVH. The first one reached 1.1 Tbps while a follow-on was 901 Gbps. Then, last Friday, he reported more attacks that were in the same almost incomprehensible range. He said the distributed denial-of-service (DDoS) attacks were delivered through a collection of hacked Internet-connected cameras and digital video recorders. With each one having the ability to bombard targets with 1 Mbps to 30 Mbps, he estimated the botnet had a capacity of 1.5 Tbps. On Monday, Klaba reported that more than 6,800 new cameras had joined the botnet and said further that over the previous 48 hours the hosting service was subjected to dozens of attacks, some ranging from 100 Gbps to 800 Gbps. On Wednesday, he said more than 15,000 new devices had participated in attacks over the past 48 hours.

Android Leftovers