
Security

Purism Says Its Linux Laptops Aren’t Affected by the Latest Intel Vulnerability

Filed under
Linux
Security

Needless to say, the flaw, tracked as CVE-2019-0090, is worrying for anyone whose devices are affected, especially since it can be exploited by an attacker with local access and the number of exploits could grow in the short term.

But if you are using a Librem laptop from Purism, the company says you are not exposed: the way it handles the Intel ME on its Intel-based computers does not allow the flaw to be exploited.


Hidden Costs of Microsoft Windows

Filed under
Microsoft
Security
  • Freight forwarding firm Henning Harders hit by Windows ransomware

    Australian freight forwarding and logistics firm Henning Harders has been hit by Windows ransomware, with the company saying that customer data may have been accessed, but that there was no evidence to show such data had been misused.

  • Security News This Week: Ransomware Groups Promise Not to Hit Hospitals Amid Pandemic [iophk: Windows TCO]

    Well, this is... nice? It's definitely something. BleepingComputer reached out to the operators of multiple strains of ransomware, asking if they had plans to stop hitting hospitals during the coronavirus pandemic. Two of them actually wrote back to say yes, absolutely, they'll take it easy on the health care industry (except pharmaceutical companies) until the Covid-19 situation improves. Please take this with gigantic boulders of salt, especially given that ransomware attackers historically love to go after hospitals. And even if the proprietors of DoppelPaymer and Maze, the two who responded to BleepingComputer, do keep to their word, lots of prolific ransomware remains in play. In fact, hackers hit a Czech hospital earlier this week.

GnuPG 2.2.20 released

Filed under
GNU
Security

Hello!

We are pleased to announce the availability of a new GnuPG release:
version 2.2.20.  This is a maintenance release fixing a minor security
problem and adding a new OpenPGP feature.  See below for details.


About GnuPG
===========

The GNU Privacy Guard (GnuPG, GPG) is a complete and free implementation
of the OpenPGP and S/MIME standards.

GnuPG allows you to encrypt and sign data and communication, features a
versatile key management system as well as access modules for public key
directories.  GnuPG itself is a command line tool with features for easy
integration with other applications.  The separate library GPGME provides
a uniform API to use the GnuPG engine by software written in common
programming languages.  A wealth of frontend applications and libraries
making use of GnuPG are available.  As a universal crypto engine GnuPG
provides support for S/MIME and Secure Shell in addition to OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom).  It can
be freely used, modified and distributed under the terms of the GNU
General Public License.


Noteworthy changes in version 2.2.20
====================================

  * Protect the error counter against overflow to guarantee that the
    tools can't be tricked into returning success after an error.

  * gpg: Make really sure that --verify-files always returns an error.

  * gpg: Fix key listing --with-secret if a pattern is given.  [#4061]

  * gpg: Fix detection of certain keys used as default-key.  [#4810]

  * gpg: Fix default-key selection when a card is available.  [#4850]

  * gpg: Fix key expiration and key usage for keys created with a
    creation date of zero.  [#4670]

  * gpgsm: Fix import of some CR,LF terminated certificates.  [#4847]

  * gpg: New options --include-key-block and --auto-key-import to
    allow encrypted replies after an initial signed message.  [#4856]

  * gpg: Allow the use of a fingerprint with --trusted-key. [#4855]

  * gpg: New property "fpr" for use by --export-filter.

  * scdaemon: Disable the pinpad if a KDF DO is used.  [#4832]

  * dirmngr: Improve finding OCSP certificates.  [#4536]

  * Avoid build problems with LTO or gcc-10. [#4831]

  Release-info: https://dev.gnupg.org/T4860


Getting the Software
====================

Please follow the instructions found at <https://gnupg.org/download/> or
read on:

GnuPG 2.2.20 may be downloaded from one of the GnuPG mirror sites or
direct from its primary FTP server.  The list of mirrors can be found at
<https://gnupg.org/download/mirrors.html>.  Note that GnuPG is not
available at ftp.gnu.org.

The GnuPG source code compressed using BZIP2 and its OpenPGP signature
are available here:

 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.20.tar.bz2 (6627k)
 https://gnupg.org/ftp/gcrypt/gnupg/gnupg-2.2.20.tar.bz2.sig

An installer for Windows without any graphical frontend except for a
very minimal Pinentry tool is available here:

 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.20_20200320.exe (4144k)
 https://gnupg.org/ftp/gcrypt/binary/gnupg-w32-2.2.20_20200320.exe.sig

The source used to build the Windows installer can be found in the same
directory with a ".tar.xz" suffix.

A new version of GnuPG's full installer for Windows (aka Gpg4win)
featuring several frontends and plugins will be released shortly.


Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to
install is an original and unmodified one, you can do it in one of
the following ways:

 * If you already have a version of GnuPG installed, you can simply
   verify the supplied signature.  For example to verify the signature
   of the file gnupg-2.2.20.tar.bz2 you would use this command:

     gpg --verify gnupg-2.2.20.tar.bz2.sig gnupg-2.2.20.tar.bz2

   This checks whether the signature file matches the source file.
   You should see a message indicating that the signature is good and
   made by one or more of the release signing keys.  Make sure that
   this is a valid key, either by matching the shown fingerprint
   against a trustworthy list of valid release signing keys or by
   checking that the key has been signed by trustworthy other keys.
   See the end of this mail for information on the signing keys.

 * If you are not able to use an existing version of GnuPG, you have
   to verify the SHA-1 checksum.  On Unix systems the command to do
   this is either "sha1sum" or "shasum".  Assuming you downloaded the
   file gnupg-2.2.20.tar.bz2, you run the command like this:

     sha1sum gnupg-2.2.20.tar.bz2

   and check that the output matches the next line:

d5290f0781df5dc83302127d6065fb59b35e53d7  gnupg-2.2.20.tar.bz2
a8b47222875b31661f79c1e7414657b02b44da78  gnupg-w32-2.2.20_20200320.tar.xz
e6547a9bd2cdca3264ccb36d64f755ba6c8da2ba  gnupg-w32-2.2.20_20200320.exe


Internationalization
====================

This version of GnuPG has support for 26 languages with Chinese
(traditional and simplified), Czech, French, German, Japanese,
Norwegian, Polish, Russian, and Ukrainian being almost completely
translated.


Documentation and Support
=========================

If you used GnuPG in the past you should read the description of
changes and new features at doc/whats-new-in-2.1.txt or online at

  https://gnupg.org/faq/whats-new-in-2.1.html

The file gnupg.info has the complete reference manual of the system.
Separate man pages are included as well but they miss some of the
details available only in the manual.  The manual is also available
online at

  https://gnupg.org/documentation/manuals/gnupg/

or can be downloaded as PDF at

  https://gnupg.org/documentation/manuals/gnupg.pdf .

You may also want to search the GnuPG mailing list archives or ask on
the gnupg-users mailing list for advice on how to solve problems.  Most
of the new features are around for several years and thus enough public
experience is available.  https://wiki.gnupg.org has user contributed
information around GnuPG and related software.

In case of build problems specific to this release please first check
https://dev.gnupg.org/T4860 for updated information.

Please consult the archive of the gnupg-users mailing list before
reporting a bug: <https://gnupg.org/documentation/mailing-lists.html>.
We suggest sending bug reports for a new release to this list rather than
filing a bug at <https://bugs.gnupg.org>.  If you need commercial
support go to <https://gnupg.com> or <https://gnupg.org/service.html>.

If you are a developer and you need a certain feature for your project,
please do not hesitate to bring it to the gnupg-devel mailing list for
discussion.


Thanks
======

Maintenance and development of GnuPG is mostly financed by donations.
The GnuPG project currently employs two full-time developers and one
contractor.  They all work exclusively on GnuPG and closely related
software like Libgcrypt, GPGME and Gpg4win.

We have to thank all the people who helped the GnuPG project, be it
testing, coding, translating, suggesting, auditing, administering the
servers, spreading the word, and answering questions on the mailing
lists.

Many thanks to our numerous financial supporters, both corporate and
individuals.  Without you it would not be possible to keep GnuPG in a
good shape and to address all the small and larger requests made by our
users.  Thanks.


Happy hacking,

   Your GnuPG hackers



p.s.
This is an announcement only mailing list.  Please send replies only to
the gnupg-users'at'gnupg.org mailing list.

p.p.s
List of Release Signing Keys:
To guarantee that a downloaded GnuPG version has not been tampered with by
malicious entities we provide signature files for all tarballs and
binary versions.  The keys are also signed by the long term keys of
their respective owners.  Current releases are signed by one or more
of these three keys:

  rsa2048 2011-01-12 [expires: 2021-12-31]
  Key fingerprint = D869 2123 C406 5DEA 5E0F  3AB5 249B 39D2 4F25 E3B6
  Werner Koch (dist sig)

  rsa2048 2014-10-29 [expires: 2020-10-30]
  Key fingerprint = 031E C253 6E58 0D8E A286  A9F2 2071 B08A 33BD 3F06
  NIIBE Yutaka (GnuPG Release Key) <gniibe 'at' fsij.org>

  rsa3072 2017-03-17 [expires: 2027-03-15]
  Key fingerprint = 5B80 C575 4298 F0CB 55D8  ED6A BCEF 7E29 4B09 2E28
  Andre Heinecke (Release Signing Key)

The keys are available at <https://gnupg.org/signature_key.html> and
in any recently released GnuPG tarball in the file g10/distsigkey.gpg .
Note that this mail has been signed by a different key.
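The announcement asks the reader to check not only that gpg reports a good signature but also that the signing key's fingerprint matches one of the three published release keys. The script below automates that check. It is an added example, not part of the GnuPG announcement or the GnuPG project. The three fingerprints are the ones listed in the mail; the status lines it parses are constructed samples modelled on gpg's --status-fd output, with made-up timestamps and a made-up non-release key ID.

```bash
#!/usr/bin/env bash
# Added example (not GnuPG project code): accept a release tarball only if the
# detached signature verifies AND the signing key is one of the published
# release keys.  Assumes gpg, awk, grep, tr and sha1sum are on PATH.
set -u

# The three release signing keys listed in the announcement, spaces removed.
RELEASE_KEY_FPRS='
D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
031EC2536E580D8EA286A9F22071B08A33BD3F06
5B80C5754298F0CB55D8ED6ABCEF7E294B092E28
'

# Normalise a fingerprint as printed by gpg ("D869 2123 ...") to 40 upper-case
# hex digits and report whether it is in the allowlist above.
fpr_is_release_key() {
    local fpr
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$RELEASE_KEY_FPRS" | grep -qx "$fpr"
}

# Pull the primary-key fingerprint out of "gpg --status-fd 1" output.
# A VALIDSIG line ends with the fingerprint of the primary key, even when the
# signature was made by a subkey; GOODSIG only carries a 64-bit key ID.
primary_fpr_from_status() {
    printf '%s\n' "$1" | awk '/^\[GNUPG:\] VALIDSIG / { print $NF; exit }'
}

# Returns 0 only when the status output contains a VALIDSIG line whose primary
# key is a release key.  BADSIG, ERRSIG and "No public key" output carry no
# VALIDSIG line and therefore fail here.
status_says_release_signed() {
    local fpr
    fpr=$(primary_fpr_from_status "$1")
    [ -n "$fpr" ] && fpr_is_release_key "$fpr"
}

# Real check: $1 = tarball, $2 = detached .sig.  Status lines go to stdout,
# the human-readable report to stderr.  Not exercised by the offline test.
verify_release_tarball() {
    local status
    status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    status_says_release_signed "$status"
}

# Fallback from the announcement: $1 = expected SHA-1 digest from the mail,
# $2 = downloaded file.  Detects a corrupted download, not a substituted one.
check_sha1() {
    printf '%s  %s\n' "$1" "$2" | sha1sum -c --status
}

# Constructed status output for an acceptable signature by the "Werner Koch
# (dist sig)" release key.  Timestamps are made up; the field layout follows
# the VALIDSIG format documented in doc/DETAILS.
SAMPLE_STATUS_OK='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 249B39D24F25E3B6 Werner Koch (dist sig)
[GNUPG:] VALIDSIG D8692123C4065DEA5E0F3AB5249B39D24F25E3B6 2020-03-20 1584705600 0 4 0 1 8 00 D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: a perfectly valid signature, but by a key that is not a release
# key.  gpg itself exits 0 for this case, which is why the fingerprint check
# exists at all.
SAMPLE_STATUS_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Not A Release Key
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2020-03-20 1584705600 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: tarball does not match the signature.
SAMPLE_STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 249B39D24F25E3B6 Werner Koch (dist sig)'
```

Run it as `verify_release_tarball gnupg-2.2.20.tar.bz2 gnupg-2.2.20.tar.bz2.sig` after importing the release keys. gpg exits 0 for any valid signature by any key in your keyring and only warns when that key is not certified, so the exit status alone does not tell you the tarball came from the GnuPG release managers; the VALIDSIG fingerprint compared against the published list does. The SHA-1 route is weaker on two counts: the digests travel in the same mail as the download links, so they catch a corrupted or mismatched download rather than one substituted together with its checksum, and SHA-1 is no longer collision-resistant.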


Also: GNU PG 2.2.20 Released Today! What New in GNU PG 2.2.20?

Debian Testing Is Enabling WireGuard Within Their Linux Kernel Build

Filed under
GNU
Linux
Security
Debian

Debian is the latest Linux distribution flipping on WireGuard within their kernel builds.

WireGuard is one of the prominent additions to the Linux 5.6 kernel. After years of development as an out-of-tree DKMS module, the code is mainlined in Linux 5.6 and later. Distributions such as Ubuntu 20.04 LTS are also shipping WireGuard back-ported to their kernels.

Adding to the momentum for this open-source secure VPN tunnel, WireGuard is now enabled in Debian testing's kernel build. Until now the WireGuard module was not built as part of Debian's kernel configuration; a change that landed in Debian's Linux kernel tree overnight turns it on in the kernel Kconfig.


Security and Proprietary Software Leftovers

Filed under
Security
  • Security updates for Friday

    Security updates have been issued by Arch Linux (bluez and chromium), Debian (icu, rails, thunderbird, and twisted), Fedora (chromium and webkit2gtk3), Gentoo (bsdiff, cacti, clamav, fribidi, libgit2, pecl-imagick, phpmyadmin, pyyaml, and tomcat), openSUSE (wireshark), Oracle (firefox, icu, python-imaging, thunderbird, and zsh), Scientific Linux (thunderbird), SUSE (firefox, nghttp2, thunderbird, and tomcat), and Ubuntu (twisted).

  • Phishing in the Time of COVID-19: How to Recognize Malicious Coronavirus Phishing Scams

    For malicious people, preying on collective fear and misinformation is nothing new. Mentioning national headlines can lend a veneer of credibility to scams. We've seen this tactic time and again, so it's no surprise that COVID-19 themed social media and email campaigns have been popping up online. This blogpost provides an overview to help you fight against phishing attacks and malware, examples of phishing messages we’ve seen in the wild related to coronavirus and COVID-19, and specific scenarios to look out for (such as if you work in a hospital, are examining maps of the spread of the virus, or are using your phone to stay informed).

    The COVID-19 themed scam messages are examples of "phishing," or when an attacker sends a message, email, or link that looks innocent, but is actually malicious and designed to prey on fears about the virus. Phishing often involves impersonating someone you know or impersonating a platform that you trust. Your day-to-day diligence is the best preventative measure. Consider these points before you click: Is it an enticing offer? Is there a sense of urgency? Have you interacted with the sender before over this platform?

  • Librem Hardware and the Intel CSME Vulnerability

    Whenever a security vulnerability comes out, one of the first questions that comes to many people's minds is: am I affected? The last couple of years in particular have seen a lot of hardware-based vulnerabilities in Intel processors, and in those cases it is generally a matter of looking at the list of affected hardware and comparing it against your own.

    More recently a vulnerability (CVE-2019-0090) was announced in the Intel CSME that can allow an attacker with local access to potentially extract secret Intel hardware signing keys from a system. There are a number of different analyses out there on this vulnerability from the very dry CVE report itself to “sky is falling” reports that contain a lot more hype. If you want more technical details on the vulnerability itself, I’ve found this report to have a good balance of measured technical information on impact without the hype.

  • Hackers leak internal documents showing the FSB’s quest for a cyber-weapon that can take whole nations offline

    The hacker group “Digital Revolution” has released documents describing a procurement order from a division of Russia’s Federal Security Service (FSB) for the development of “Fronton” software that would enable cyberattacks using infected Internet-of-Things (IoT) devices. The BBC’s Russian-language service was the first media outlet to report this story.

    [...]

    In total, according to the hackers’ data, there are three versions of the software: Fronton, Fronton-3D, and Fronton-18. The programs can infect any smart device (from digital assistants to “smart” homes), connecting them into a network and then attacking the servers responsible for the stability of online services and the Internet itself in entire countries.

    Based on the documents, FSB contractors recommended building botnets made up 95 percent of IP cameras and digital video recorders (cameras that receive control data and send image data via the Internet). “If they transmit video,” the leaked materials state, “they have a big enough communication channel to perform DDoS attacks effectively.” The project suggests compromising these devices by using a dictionary of typical passwords used for IoT devices.

  • Windows, Ubuntu, macOS, VirtualBox fall at Pwn2Own hacking contest

    The 2020 spring edition of the Pwn2Own hacking contest has come to a close today.

    This year's winner is Team Fluoroacetate -- made up of security researchers Amat Cama and Richard Zhu -- who won the contest after accumulating nine points across the two-day competition, which was just enough to extend their dominance and win their fourth tournament in a row.

    But this year's edition was a notable event for another reason. While the spring edition of the Pwn2Own hacking contest takes place at the CanSecWest cyber-security conference, held each spring in Vancouver, Canada, this year was different.

  • Once upon a time there was a WebSocket

    This is the story from one of our recent penetration testing engagements. Still, the story is a familiar one for those who are testing newer web applications that use one of the multitudes of evolving web app platforms built on a poorly understood technology stack. In this case, we ran into a WebSocket-based application that was thought to be relatively secure; however, the use of web sockets in the application was misunderstood, resulting in a significant set of authentication and authorization flaws.

  • ESET Releases Latest Version of ESET Endpoint Antivirus for Linux

    ESET has launched the latest version of ESET Endpoint Antivirus for Linux, ensuring all organizations are protected to the highest standard, no matter the operating system. Endpoint Antivirus for Linux joins ESET's extensive product range, which already caters extensively to Windows and MacOS.

    ESET Endpoint Antivirus for Linux is designed to provide advanced protection from threats to organizations' general desktops. Powered by the advanced ESET LiveGrid technology, the solution combines speed, accuracy and minimal system impact, leaving more system resources for the desktops' vital tasks in order to maintain business continuity.

  • ‘Zoombombing’: When Video Conferences Go Wrong

    Zoom has become the default social platform for millions of people looking to connect with friends, family, students and colleagues while practicing social distancing during the new coronavirus pandemic.

    But the trolls of the internet are under quarantine, too, and they’re looking for Zooms to disrupt.

    They are jumping into public Zoom calls and using the platform’s screen-sharing feature to project graphic content to unwitting conference participants, forcing hosts to shut down their events.

  • Zyxel Flaw Powers New Mirai IoT Botnet Strain

    A joint advisory on CVE-2020-9054 from the U.S. Department of Homeland Security and the CERT Coordination Center rates this vulnerability at a “10” — the most severe kind of flaw. The DHS/CERT advisory also includes sample code to test if a Zyxel product is vulnerable to the flaw.

    My advice? If you can’t patch it, pitch it, as Mukashi is not the only thing interested in this Zyxel bug: Recent activity suggests attackers known for deploying ransomware have been actively working to test it for use against targets.

  • Discord says it’s banning millions of accounts to tackle spam

    Discord banned 5.2 million accounts between April and December last year, the company revealed today in its second transparency report. The most common reasons for account bans were spam and exploitative content, which includes nonconsensual pornography (so-called “revenge porn”) as well as sexual content related to minors.

    The report reveals a stark difference in the kinds of violations that most users are likely to report, versus the actions that are most likely to get people and servers banned. The most common reports Discord receives from users relate to harassment; however, only a relatively small proportion of these reports actually result in action being taken. Discord says that in many cases it will teach people how to block the offending user without taking any further action.

  • Server Outages and Increased API Errors: Incident Report for Discord

    Discord was unavailable for most users for a period of an hour. The root cause is well understood and fixed. The bug was in our service discovery system, which is used by services within our infrastructure to discover one another. In this instance, service discovery is used by our real-time chat services to discover the RPC endpoint that they use to load data from our databases when you connect to Discord, or when a Discord server (or "guild") is created for the first time or needs to be re-loaded from the database.

  • Google suspends Chrome upgrades as COVID-19 impacts software schedules

    According to a now-outdated Chrome release schedule, Google was supposed to upgrade the browser to version 81 on Tuesday, March 17. Chrome OS was to shift to version 81 on March 24. Google had both on a metronomic schedule that delivered new features every six to eight weeks.

    Also on Wednesday, Google updated Chrome 80 — the version that debuted Feb. 4 — to build 80.0.3987.149, which contained fixes for 13 security vulnerabilities. The nine that Google called out in a separate post were all rated as "High," the second-most-serious threat ranking in a four-step scoring system. Only one of the nine noted a bug bounty amount — $8,500 — and five other bug listings said that a cash reward would be determined later.

  • Apple Briefly Dips Below $1 Trillion Level It Held Since October

    Coronavirus-related weakness has already evicted two names from the thirteen-digit club: Amazon.com Inc. and Google-parent Alphabet Inc. Both rose above the threshold earlier this year but fell back below $1 trillion in late February.

Security Leftovers

Filed under
Security
  • Open-source security tools for cloud and container applications

    As containers become more popular and their use more streamlined, container security becomes more critical for businesses. Containerization has structural and operational characteristics that need special attention: architectural differences such as the shared kernel demand a different security approach from traditional ones, which makes container-specific security scanning in the early stages of the build process important. Several open-source tools have emerged to meet these needs, and this article covers some popular ones that your DevOps team can use to secure your container environment.

  • Top 5 Open Source Serverless Security Tools

    The growing popularity of serverless architecture has led to its massive adoption. My organization has jumped on the serverless bandwagon and it lives up to expectations. The advantages have been tremendous—we have more time to focus on the development, marketing and deployment of the software now that we need not spend much time on infrastructure maintenance.

  • How technical debt is risking your security

    Everyone knows they shouldn't take shortcuts, especially in their work, and yet everyone does. Sometimes it doesn't matter, but when it comes to code development it definitely does.

    As any experienced programmer knows, building your code the quick and dirty way soon leads to problems down the line. These issues might not be disastrous, but they incur a small penalty every time you want to develop your code further.

    This is the basic idea behind technical debt, a term first coined by well-known programmer Ward Cunningham. Technical debt is a metaphor for the long-term burden developers and software teams incur when taking shortcuts, and it has become a popular way to think about the extra effort future development will cost because of quick and dirty design choices.

  • Linux Developers Discuss Flushing L1 Cache On Context Switches In Light Of Vulnerabilities

    In light of data sampling vulnerabilities like MDS, engineers from Amazon, Google, and other organizations are discussing a proof-of-concept implementation that would optionally flush the L1 data cache on context switches.

    Flushing the L1 data cache on each context switch would mean yet another performance hit, so it isn't being taken lightly. Based on public information it does not appear to be necessary at this point, but rather an extra step to harden a system following Intel's data sampling vulnerability disclosures. The "request for comments" patch by an Amazon engineer describes it as an optional feature for tasks that are "paranoid due to the recent snoop assisted data sampling vulnerabilities, to flush their L1D on being switched out. This protects their data from being snooped or leaked via side channels after the task has context switched out."

    The mechanism under discussion flushes whatever data a task left in L1D when it is switched out; a second avenue being explored is flushing L1D before an untrusted (potentially malicious) task is switched in, so that nothing from a previous task remains in the cache for it to sample.

IoT Hype

Filed under
GNU
Linux
Security
  • Monnit’s New Edge Gateway Elevates Sensor-to-Server IoT Security

    Robust processing — Linux® UBUNTU™ single-board computer with a 32-bit ARM

  • Thousands Of Internet-Connected Satellites Above Us, What Could Possibly Go Wrong!

    Our skies are full of satellites, fuller than they have ever been, because SpaceX’s Starlink and a bevy of other soon-to-launch operators plan to fill them with thousands of small low-earth-orbit craft to blanket the Earth with satellite Internet coverage. Astronomers are horrified at such an assault on their clear skies, space-watchers are fascinated by the latest developments, and in some quarters they’re causing a bit of concern about the security risk they might present. With a lot of regrettable overuse of the word “hacker”, the concern is that such a large number of craft in the heavens might present an irresistible target for bad actors, who would proceed to steer them into each other and cause chaos.

    [...]

    Decades ago, to be involved in space technology you had to be a government. The average Joe might just be able to listen to some satellite traffic, but the investment required to set up any kind of ground station was not in any way trivial. Thus satellites were not built with security in mind because it was deemed unlikely that anyone would have the means to access them. This led to many craft carrying open transponders, making them effectively always-on analogue repeaters in the sky.

    As technology progressed it became possible to build or acquire ground station components for some of these transponders, and by the 1980s there were tales of shady companies selling transatlantic data links using illicit narrow-bandwidth carriers hidden amid the wideband TV feeds on commercial relays. This type of open-transponder hijack reached a mass-market in Brazil, where the US Navy’s Fleet Satellite Communications System dating from the late 1970s became so widely used as to become almost akin to a CB radio for the vast interior of that country. Even as satellite communications moved into the digital domain it was believed that the high barrier to entry would be enough of a deterrent, so for example the Iridium satellite phone system launched in the 1990s lacked encryption and could easily be eavesdropped upon with an SDR in 2015.

    In 2020 though, even the most novice of satellite engineers will be aware of security, and we expect that the likes of SpaceX will not have employed novices. Just as you could steal a 1980s Cosworth Ford Sierra with rudimentary tools but their latest quick Mondeo model has a formidable engine immobiliser built-in, so is it likely to be no walk in the park to compromise any of the current crop of spacecraft. Their citing a satellite hijack story from 1999 as reason to be worried in 2020 is about as valid as worrying about the Mondeo because a child could nick the Sierra; it simply isn’t credible. It’s not that there are not legitimate concerns to be expressed with relation to satellite security, it is simply that inflammatory and shoddy journalism is hardly the way to approach them.

  • The IT and Security Teams: Buddies or Rivals?
  • AIoT Has a Nice Ring To It

    The Artificial Intelligence of Things (AIoT) is a relatively new term for the evolution of a domain Wind River has been playing in for a very long time. If we think of many of the first applications of Artificial Intelligence in connected devices, it is adding autonomy to previously human controlled systems. Think advanced autonomous drones, automated driver assistance features in vehicles, or even autonomous factory robots. These autonomous systems tend to still interact with humans, and as such they are safety critical. More so, they’re connected and have associated security risks. Importantly, you can have a secure device that doesn’t deliver safety critical functionality, but you cannot have an insecure safety critical device.

    These connected autonomous systems are incredibly complex, and require an intelligent systems platform from the device edge to the infrastructure edge to the cloud; and in the device they require real-time operating systems (RTOS) with guaranteed performance, coupled with AI/ML algorithms that are mostly associated with Linux. The use cases and requirements span the complete system. The systems may require containerized applications running in the cloud and on edge devices. The systems may require AI/ML frameworks that span the RTOS and Linux on the device. Wind River can offer the complete package with its comprehensive software portfolio.

LibreOffice 6.4.2 Released with More Than 90 Fixes

Filed under
LibO
Security

Available for GNU/Linux, macOS, and Windows, LibreOffice 6.4.2 arrives three weeks after the first point release and addresses more than 90 bugs across its core components, as detailed in the release notes.

This update is recommended to everyone running the LibreOffice 6.4 office suite on their personal computers, as it improves the stability and reliability of the software.

However, The Document Foundation doesn’t recommend deploying the LibreOffice 6.4 series in enterprise environments, as it represents the bleeding edge in terms of features.


Security: Real Cost of Windows, New Patches, NordPass and GrSecurity

Filed under
Security
  • Health groups vulnerable to cyberattacks as coronavirus crisis ramps up [iophk: Windows TCO]

    [Attackers] are zeroing in on government health agencies and hospitals, who are already struggling to keep pace with the coronavirus pandemic, as a way to make money and cause disruptions in the midst of a global crisis.

    These concerns were highlighted Monday when Bloomberg News reported that the Department of Health and Human Services (HHS), one of the agencies on the front lines of the outbreak, had been breached by [attackers].

  • Security updates for Wednesday

    Security updates have been issued by Debian (libvncserver and twisted), Fedora (libxslt), Red Hat (kernel, kernel-rt, python-flask, python-pip, python-virtualenv, slirp4netns, tomcat, and zsh), Scientific Linux (kernel, python-pip, python-virtualenv, tomcat, and zsh), SUSE (apache2-mod_auth_openidc and skopeo), and Ubuntu (apport and dino-im).

  • NordPass – A Powerful Password Manager for Linux [Ed: "FOSS"Mint again pushing proprietary software instead of FOSS]

    NordPass is a password manager that exists to help users keep track of all their complex login credentials, to autofill online forms, and to generate strong passwords. It offers a free account (no credit card required) and the ability to store data across multiple devices.

  • GrSecurity Linux Kernel To Focus More On Performance This Year

    The GrSecurity patches to the Linux kernel have long focused on security enhancements, but this year they are said to be placing a larger focus on performance optimizations.

    GrSecurity patches include PaX and various other security-based features, some of which have ended up in the mainline Linux kernel years later in varying forms. In recent years, however, GrSecurity has made its kernel patches and binaries available only to paying customers.

Security Leftovers

Filed under
Security
  • Security updates for Tuesday

    Security updates have been issued by Arch Linux (okular, thunderbird, and webkit2gtk), Debian (webkit2gtk), Fedora (php-horde-Horde-Form), Gentoo (libvorbis, nss, and proftpd), Oracle (firefox and kernel), Red Hat (kernel), Scientific Linux (firefox), SUSE (cni, cni-plugins, conmon, fuse-overlayfs, podman, librsvg, and ovmf), and Ubuntu (ceph, icu, linux, linux-aws, linux-kvm, linux-aws-5.0, linux-gcp, linux-gke-5.0, linux-oracle-5.0, linux-kvm, linux-oracle, linux-raspi2, linux-raspi2-5.3, linux-kvm, linux-raspi2, linux-snapdragon, and linux-lts-xenial, linux-aws).

  • Feature Highlights: Kernel Rootkit Protection in Core Update 142

    Another exciting feature is landing in Core Update 142: Improved Kernel Rootkit Protection using code signing. This way, IPFire will protect itself against attackers trying to load third-party kernel modules.

  • How can I trust this git repository?

    Important part: Can't check signature: No public key. No public key. Because of course you would see that. Why would you have my key lying around, unless you're me. Or, to put it another way, why would that server I'm installing from scratch have a copy of my OpenPGP certificate? Because I'm a Debian developer, my key is actually part of the 800 keys in the debian-keyring package, signed by the APT repositories. So I have a trust path.

    But that won't work for someone who is not a Debian developer. It will also stop working when my key expires in that repository, as it already has on Debian buster (current stable). So I can't assume I have a trust path there either. One could work with a trusted keyring like we do in the Tor and Debian project, and only work inside that project, that said.

    But I still feel uncomfortable with those commands. Both git log and git show will happily succeed (return code 0 in the shell) even though the signature verification failed on the commits. Same with git pull and git merge, which will happily push your branch ahead even if the remote has unsigned or badly signed commits.
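The gap the quoted post describes (git log, git show, pull and merge all succeed even when a commit's signature does not verify) can be closed by reading git's %G? signature-status placeholder explicitly and refusing to merge unless every incoming commit verifies. The shell functions below are an added example, not code from the post's author; they assume git is on PATH and that the OpenPGP keys you trust are already in the local GnuPG keyring.

```shell
# Added example (not from the quoted post). Assumes git is on PATH and that the
# OpenPGP keys you trust are in the local GnuPG keyring with full trust.
#
# git's %G? placeholder reports one letter per commit:
#   G good signature from a trusted key
#   U good signature, key of unknown validity   X good signature, expired
#   Y good signature, expired key               R good signature, revoked key
#   B bad signature                             E cannot check (e.g. no public key)
#   N no signature
# Only G is accepted; anything else fails closed, which git log/show do not do.

verify_range_signatures() {
    range="$1"
    # Refuse to reason about a range that does not resolve (typo, unknown ref).
    if ! git rev-list "$range" >/dev/null 2>&1; then
        printf 'cannot resolve range: %s\n' "$range" >&2
        return 2
    fi
    # One "<hash> <status>" line per commit; keep only the non-G ones.
    # "|| true" keeps set -e from aborting when grep finds nothing (all good).
    bad=$(git log --format='%H %G?' "$range" | grep -v ' G$' || true)
    if [ -n "$bad" ]; then
        printf 'rejected commits (hash status):\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Replacement for a bare "git pull": fetch, verify only the incoming commits,
# and fast-forward only if every one of them carries a trusted signature.
safe_pull() {
    remote="${1:-origin}"
    branch="${2:-$(git rev-parse --abbrev-ref HEAD)}"
    git fetch "$remote" "$branch" || return 2
    verify_range_signatures "HEAD..FETCH_HEAD" || return 1
    git merge --ff-only FETCH_HEAD
}
```

Run `verify_range_signatures origin/main..HEAD` in CI or a pre-receive hook to get a non-zero exit status whenever a commit is unsigned, signed with an unknown key, or signed with a key that is not in the trusted keyring.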

More in Tux Machines

Programming Literature: Jussi Pakkanen on Meson, Shing Lyu on Rust and "25 Best JavaScript Books for Newbie and Professional"

  • Jussi Pakkanen: Meson manual sales status and price adjustment

    The second part (marked with a line) indicates when I was a guest on CppCast talking about Meson and the book. As an experiment I created a time limited discount coupon so that all listeners could buy it with €10 off. As you can tell from the graph it did have an immediate response, which again proves that marketing and visibility are the things that actually matter when trying to sell any product. After that we have the "new normal", which means no sales at all. I don't know if this is caused by the coronavirus isolation or whether this is the natural end of life for the product (hopefully the former but you can never really tell in advance).

  • Shing Lyu: Lessons learned in writing my first book

    You might have noticed that I didn’t update this blog frequently in the past year. It’s not because I’m lazy, but I focused all my creative energy on writing this book: Practical Rust Projects. The book is now available on Apress, Amazon and O’Reilly. In this post, I’ll share some of the lessons I learned in writing this book. Although I’ve been writing Rust for quite a few years, I haven’t really studied the internals of the Rust language itself. Many of the Rust enthusiasts whom I know seem to be having much fun appreciating how the language is designed and built. But I take more joy in using the language to build tangible things. Therefore, I’ve been thinking about writing a cookbook-style book on how to build practical projects with Rust, ever since I finished the video course Building Reusable Code with Rust. To my surprise, I received an email from Steve Anglin, an acquisition editor from Apress, in April 2019. He initially asked me to write a book on the RustPython project. But the project was still growing rapidly thanks to the contributors. I’ve already lost grip on the overall architecture, so I can’t really write much about it. So I proposed the topic I have in mind to Steve. Fortunately, the editorial board accepted my proposal, and we decided to write two books: one for general Rust projects and one for web-related Rust projects. Since this is my first time writing a book that will be published in physical form (or as The Rust Book put it, “dead tree form”), I learned quite a lot throughout the process. Hopefully, these points will help you if you are considering or are already writing your own book.

  • The 25 Best JavaScript Books for Newbie and Professional

    JavaScript is an object-oriented programming language used to make dynamic web pages by adding interactive effects. This client-side scripting language is used by almost 94.5% of the web pages available on the internet. The language is easy to pick up but is also known as one of the most misunderstood programming languages. You should choose the right guidelines so that you can get all the answers to your questions related to JavaScript. Here we will provide you with a list of the best JavaScript books so that you can learn JavaScript and never become confused.

today's howtos

This is my shoestring photography setup for image editing

Saving money is not the only major benefit of using inexpensive hardware and free open-source software. Somewhat surprisingly, the more important benefit for me personally is peace of mind. My primary machine is a 9-year-old ThinkPad X220 with 4GB RAM and 120GB SSD. I bought it on eBay for around 200 euros, plus about 30 euros for a 120GB SSD. The digiKam application I use for most of my photo management and processing needs cost exactly zero. (I’m the author of the digiKam Recipes book.) I store my entire photo library on a USB 3.0 3TB Toshiba Canvio hard disk I bought for around 113 euros. If any component of my hardware setup fails, I can replace it without any significant impact on my budget. I don’t have to worry about a company deciding to squeeze more money out of me by either forcing me into a paid upgrade or a subscription plan, and I sleep better knowing that I own the software crucial for my photographic workflow. You might think that managing and processing RAW files and photos on a relatively old machine with a paltry amount of RAM is unbearably slow, but it’s not. While Windows would bring the ThinkPad X220 to its knees, the machine briskly runs openSUSE Linux with the KDE graphical desktop environment. The word Linux may send some photographers away screaming, but a modern Linux system is hardly more complicated in use than Windows.

Read more

elementary OS: Hera Updates for March, 2020

Fresh on the heels of the AppCenter for Everyone Remote Sprint, we still managed to push out a good amount of updates over the course of March (and early April), bundled up in an OS 5.1.3 update. Let’s dive into what’s new. We continued our quest to make Code the best editor for elementary OS this month. A file’s Git status now shows in its tooltip in the project sidebar, making it easier to understand what the status icons mean—especially if you’re colorblind or just don’t remember. We also added an option for explicit case-sensitive find/replace for those times when you want to find or replace the word foo but not Foo.

Read more

Also: elementary OS 5.1.3 New Features Revealed