Language Selection

English French German Italian Portuguese Spanish

Security

Tor executive director hints at Firefox integration

Filed under
Moz/FF
Security

Tor, which is capable of of all that and more, crucially blocks websites from learning any identifying information about you and circumvents censorship. It also stymies eavesdroppers from discovering what you’re doing on the Web. For those reasons, it would be a powerful addition to the arsenal of privacy tools Firefox already possesses.

The Tor Browser is already a modified version of Firefox, developed over the last decade with close communication between the Tor developers and Mozilla on issues such as security and usability.

Read more

LibreSSL: More Than 30 Days Later

Filed under
Security
BSD

Instead, libressl is here because of a tragic comedy of other errors. Let's start with the obvious. Why were heartbeats, a feature only useful for the DTLS protocol over UDP, built into the TLS protocol that runs over TCP? And why was this entirely useless feature enabled by default? Then there's some nonsense with the buffer allocator and freelists and exploit mitigation countermeasures, and we keep on digging and we keep on not liking what we're seeing. Bob's talk has all the gory details.
But why fork? Why not start from scratch? Why not start with some other contender? We did look around a bit, but sadly the state of affairs is that the other contenders aren't so great themselves. Not long before Heartbleed, you may recall Apple dealing with goto fail, aka the worst bug ever, but actually about par for the course.

Read more

Secure Linux Systems Require Savvy Users

Filed under
Linux
Security

Patches are available to fix the bash vulnerability known as Shellshock, along with three additional security issues recently found in the bash shell. The patches are available for all major Linux distros as well as for Solaris, with the patches being distributed through the various distros.

Read more

Free Software Foundation statement on the GNU Bash "shellshock" vulnerability

Filed under
GNU
Security

Proprietary, (aka nonfree) software relies on an unjust development model that denies users the basic freedom to control their computers. When software's code is kept hidden, it is vulnerable not only to bugs that go undetected, but to the easier deliberate addition and maintenance of malicious features. Companies can use the obscurity of their code to hide serious problems, and it has been documented that Microsoft provides intelligence agencies with information about security vulnerabilities before fixing them.

Read more

Firejail – A Security Sandbox for Mozilla Firefox

Filed under
Moz/FF
Security

Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications. The core technology behind Firejail is Linux Namespaces, a virtualization technology available in Linux kernel. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table, IPC space.

Read more

Blackphone bug bounty programme aims to find flaws in 'surveillance-proof' smartphone

Filed under
Android
Security

SILENT CIRCLE has announced a bug bounty programme for its Blackphone venture designed to find security flaws in the "surveillance-proof" smartphone.

Blackphone is a joint venture of Silent Circle and Geeksphone, known as SGP Technologies. Running a secure PrivatOS operating system, it is what the companies call "a truly surveillance-proof smartphone" in the wake of the past year's NSA revelations.

Read more

Huawei Is New Official Smartphone Provider For Officials In China

Filed under
Android
Linux
Security

Huawei and their smartphone business have not exactly garnered good press in the past – especially when there were allegations of Huawei churning out spyphones for the China government, which the company vehemently denied. Subsequently, it is said that Huawei themselves decided to pull out from the U.S. market, where we then learned that the tables were turned afterwards with the NSA being accused of spying on Huawei instead. Having said that, it seems as though officials over in China will have a spanking new smartphone soon – and it will not hail from the likes of Samsung, LG, HTC or other big name players, but from Huawei themselves.

Read more

Bash specially-crafted environment variables code injection attack

Filed under
Security

Bash or the Bourne again shell, is a UNIX like shell, which is perhaps one of the most installed utilities on any Linux system. From its creation in 1980, bash has evolved from a simple terminal based command interpreter to many other fancy uses.

In Linux, environment variables provide a way to influence the behavior of software on the system. They typically consists of a name which has a value assigned to it. The same is true of the bash shell. It is common for a lot of programs to run bash shell in the background. It is often used to provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc) or even provide limited command execution support (git, etc)

Read more

Mozilla: Phasing Out Certificates with SHA-1 based Signature Algorithms

Filed under
Moz/FF
Security

We plan to add a security warning to the Web Console to remind developers that they should not be using a SHA-1 based certificate. We will display an additional, more prominent warning if the certificate will be valid after January 1, 2017, since we will reject that certificate after that date. We plan to implement these warnings in the next few weeks, so they should be appearing in released versions of Firefox in early 2015. We may implement additional UI indicators later. For instance, after January 1, 2016, we plan to show the “Untrusted Connection” error whenever a newly issued SHA-1 certificate is encountered in Firefox. After January 1, 2017, we plan to show the “Untrusted Connection” error whenever a SHA-1 certificate is encountered in Firefox.

Read more

My free software will respect users or it will be bullshit

Filed under
Security

The four freedoms are only meaningful if they result in real-world benefits to the entire population, not a privileged minority. If your approach to releasing free software is merely to ensure that it has an approved license and throw it over the wall, you're doing it wrong. We need to design software from the ground up in such a way that those freedoms provide immediate and real benefits to our users. Anything else is a failure.

Read more

Syndicate content

More in Tux Machines

Mozilla Wants to Save the Open Web, but is it Too Late?

Again, I think this is absolutely correct. But what it fails to recognise is that one of the key ways of making the Web medium "less free and open" is the use of legally-protected DRM. DRM is the very antithesis of openness and of sharing. And yet, sadly, as I reported back in May, Mozilla has decided to back adding DRM to the Web, starting first with video (but it won't end there...) This means Mozilla's Firefox is itself is a vector of attack against openness and sharing, and undermines its own lofty goals in the Open Web Fellows programme. Read more

Open source is starting to make a dent in proprietary software fortunes

Open source has promised to unseat proprietary competitors for decades, but the cloud may make the threat real. Read more

Chakra-2014.09-Euler released

The Chakra team is happy to announce the first release of the Chakra Euler series, which will follow the 4.14 KDE releases. A noticeable change in this release is the major face-lift of Kapudan, which now gives the option to users to enable the [extra] repository during first boot so they can easily install the most popular GTK-based applications. Kudos to george2 for the development and Malcer for the artwork. Read more

What Linux User Groups Can Do for FOSS

On a monthly basis — on the last Saturday each month — members of the Felton Linux Users Group drag their collective butts out of bed at the crack of 9:30, or possibly earlier, and make their way from various points in the sleepy little town just northeast of Santa Cruz to the solar-powered Felton Fire Station for their meeting. It’s a good group with core regulars hosting meetings since the Lindependence Project held three open houses to introduce the town to Linux in the summer of 2008. In those open houses, various distros like Debian, Fedora, Ubuntu and Mandriva, along with hardware maker ZaReason, and even an open-source stuffed penguin maker called Open Animals based in Phoenix, appeared to show their wares to the curious in the San Lorenzo Valley area. Around 600 people appeared over the three days and more than 300 live CDs went out the door. Read more