Security

Security: Patches, Bugs, RMS Talk and NG Firewall 15.0

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by CentOS (firefox, java-1.7.0-openjdk, ksh, and sudo), Debian (php7.0 and python-django), Fedora (cacti, cacti-spine, mbedtls, and thunderbird), openSUSE (chromium, re2), Oracle (firefox, java-1.7.0-openjdk, and sudo), Red Hat (openjpeg2 and sudo), Scientific Linux (java-1.7.0-openjdk and sudo), SUSE (dbus-1, dpdk, enigmail, fontforge, gcc9, ImageMagick, ipmitool, php72, sudo, and wicked), and Ubuntu (clamav, linux, linux-aws, linux-aws-hwe, linux-azure, linux-gcp, linux-gke-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-aws-5.0, linux-azure, linux-gcp, linux-gke-5.0, linux-oracle-5.0, linux-azure, linux-kvm, linux-oracle, linux-raspi2, linux-raspi2-5.3, linux-lts-xenial, linux-aws, and qemu).

  • Certificate validity and a y2k20 bug

    One of the standard fields of an SSL certificate is the validity period. This field includes notBefore and notAfter dates which, according to RFC5280 section 4.1.2.5, indicate the interval "during which the CA warrants that it will maintain information about the status of the certificate".

    This is one of the fields that should be inspected when accepting new or unknown certificates.

    When creating certificates, there are a number of theories on how long to set that period of validity. A short period reduces risk if a private key is compromised. The certificate expires soon after and can no longer be used. On the other hand, if the keys are well protected, then there is a need to regularly renew those short-lived certificates.

  • Free Software is protecting your data – 2014 TEDx Richard Stallman Free Software Windows and the NSA

    Libre booted (BIOS with Linux overwritten) Thinkpad T400s running Trisquel GNU/Linux OS. (src: https://stallman.org/stallman-computing.html)

    LibreBooting the BIOS?

    Yes!

    It is possible to overwrite the BIOS of some Lenovo laptops (why only some?) with a minimal version of Linux.

  • NG Firewall 15.0 is here with better protection for SMB assets

    Here comes the release of NG Firewall 15.0 by Untangle with the creators claiming top-notch security for SMB assets. Let’s thoroughly discuss the latest NG Firewall update.

    With that being said, it only makes sense to first introduce this software to the readers who aren’t familiar with it. As the name ‘NG Firewall’ suggests, it is indeed a firewall but a very powerful one. It is a Debian-based network gateway designed for small to medium-sized enterprises.

    If you want to be up-to-date with the latest firewall technology, your best bet would be to opt for this third-generation firewall. Another factor that distinguishes the NG Firewall from other such products in the market is that it combines network device filtering functions and traditional firewall technology.

Unsigned Firmware Puts Windows, Linux Peripherals at Risk

Filed under
Security

Researchers at firmware security company Eclypsium on Tuesday released new research that identifies and confirms unsigned firmware in WiFi adapters, USB hubs, trackpads and cameras used in Windows and Linux computer and server products from Lenovo, Dell, HP and other major manufacturers.

Eclypsium also demonstrated a successful attack on a server via a network interface card with unsigned firmware used by each of the big three server manufacturers.

The demonstration shows the exposed attack vector once firmware on any of these components is infected using the issues the report describes. The malware stays undetected by any software security controls.

Unsigned firmware provides multiple pathways for malicious actors to compromise laptops and servers. That leaves millions of Windows and Linux systems at risk of firmware attacks that can exfiltrate data, disrupt operations and deliver ransomware, warned Eclypsium.

Proprietary Software and Security

Filed under
Software
Security
  • TurboTax Is Still Tricking Customers With Tax Prep Ads That Misuse the Word “Free”

    On Dec. 30, the IRS announced it was revamping a long-standing agreement with the online tax preparation industry in which companies offer free filing to people with incomes below certain levels, a category that includes 70% of filers. The change in what’s known as the Free File program came in the wake of multiple ProPublica articles that revealed how the companies in the program steered customers eligible for free filing to their paid offerings. Under the updated agreement, the companies are now prohibited from hiding their Free File webpages from Google searches, and the IRS was allowed to create its own online tax-filing system.

    So far, it seems, the companies are abiding by their promise to make their Free File webpages visible in online searches. But the updated agreement appears to have a loophole: It doesn’t apply to advertising. Nothing in it, the agreement states, “limits or changes the rights” of participating companies to advertise “as if they were not participating in the Free File program.”

  • Ransomware Shuts Gas Compressor for 2 Days in Latest Attack [iophk: Windows TCO]

    It appears likely that the attacker explored the facility’s network to “identify critical assets” before executing the ransomware attack, according to Nathan Brubaker, a senior manager at the cybersecurity firm FireEye Inc. This tactic -- which has become increasingly popular among hackers -- makes it “possible for the attacker to disable security processes that would normally be enough to detect known ransomware indicators,” he said.

  • Twitter says Olympics, IOC accounts [cracked]

    Twitter (TWTR.N) said on Saturday that an official Twitter account of the Olympics and the International Olympic Committee’s (IOC) media Twitter account had been [cracked] and temporarily locked.

    The accounts were [cracked] through a third-party platform, a spokesperson for the social media platform said in an emailed statement, without giving further details.

  • Olympics, IOC accounts were [cracked], Twitter says

    The social media company Twitter on Saturday said that the official Twitter accounts for the Olympics as well as the International Olympic Committee (IOC) have both been [cracked] and temporarily locked.

  • Apple warns revenue will be lower than expected because of coronavirus impact

    In a rare investor update on Monday, Apple said the global effects of the coronavirus outbreak are having a material impact on the company's bottom line. The company does not expect to meet its own revenue guidance for the second quarter due to the impact of the virus, and warns that “worldwide iPhone supply will be temporarily constrained.” Store closures and reduced retail traffic in China are also expected to have a significant impact.

    All of Apple’s iPhone manufacturing partner sites have been reopened but are “ramping up more slowly than we had anticipated,” which means that fewer iPhones than expected will be manufactured. As a result, “[t]hese iPhone supply shortages will temporarily affect revenues worldwide,” says Apple.

  • We decided to leave AWS

    For past adventures, I mostly use third-party email delivery services like Postmark, SendGrid, SES, etc. Unfortunately their pricing models are based on the number of emails, which are not compatible with the unlimited forwards/sends that SimpleLogin offers. In addition, we want SimpleLogin to be easily self-hosted and its components fit on a single server. For these reasons, we decide to run our MTA (Mail Transfer Agent) on EC2 directly.

  • [Old] Kerberos (I): How does Kerberos work? – Theory

    The objective of this series of posts is to clarify how Kerberos works, more than just introduce the attacks. This is due to the fact that on many occasions it is not clear why some techniques work or not. Having this knowledge allows one to know when to use any of those attacks in a pentest.

    Therefore, after a long journey of diving into the documentation and several posts about the topic, we’ve tried to write in this post all the important details which an auditor should know in order to understand how to take advantage of the Kerberos protocol.

    In this first post only basic functionality will be discussed. In later posts we will see how to perform the attacks and how the more complex aspects work, such as delegation.

  • [Old] Kerberos (II): How to attack Kerberos?

    These attacks are sorted by the privileges needed to perform them, in ascending order. Thus, to perform the first attacks only connectivity with the DC (Domain Controller) is required, which is the KDC (Key Distribution Center) for the AD (Active Directory) network. Whereas, the last attack requires a user being a Domain Administrator or having similar privileges.

  • Kerberos (III): How does delegation work?

    In this article, we will focus on understanding how the different kinds of delegation work, including some special cases. Additionally, some scenarios where it could be possible to take advantage of these mechanisms in order to leverage privilege escalation or set persistence in the domain will be introduced.

    Before starting with the explanations, I will assume that you already understand Kerberos’ basic concepts. However, if expressions like TGT, TGS, KDC or Golden ticket sound strange to you, you should definitely check the article “How does Kerberos works?” or any related Kerberos’ introduction.

GNOME 3.34.4 Released with Various Improvements and Bug Fixes

Filed under
GNOME
Security

Released in September 2019, the GNOME 3.34 “Thessaloniki” desktop environment is the first to adopt a new release cycle with extended maintenance updates. Previous GNOME releases only received two maintenance updates during their support cycle.

Therefore, GNOME 3.34.4 is here as a minor bugfix release to GNOME 3.34, addressing various issues, as well as updating translations across several components and applications. Among the changes, there’s a big GTK update with better Wayland support, VP8 encoding for the built-in screen-recorder, and another major Vala update.

Critical Sudo Vulnerability Now Patched in CentOS 7 and RHEL 7

Filed under
Red Hat
Security

A critical vulnerability (CVE-2019-18634) was discovered earlier this month by Joe Vennix in the Sudo package, a program that lets users run programs in a UNIX system with the security privileges of another user. The flaw could allow an unprivileged user to obtain full root privileges.

Affected Sudo versions included all releases from v1.7.1 to v1.8.25p1. However, it was discovered that it doesn’t affect systems that did not have the pwfeedback option enabled in the /etc/sudoers file. For more details you can check out our previous report.

Linux and Security

Filed under
Linux
Security
  • Why Not WireGuard

    The latest thing that is getting a lot of attention is WireGuard - the new shooting star in terms of VPN. But is it as great as it sounds? I would like to discuss some thoughts, have a look at the implementation and tell you why WireGuard is not a solution that will replace IPsec or OpenVPN.

    In this article I would like to debunk the myths. It is a long read. If you are in need of a tea or coffee, now is the time to make it. Thanks to Peter for proof-reading my chaotic thoughts.

    I do not want to discredit the developers of WireGuard for their efforts or for their ideas. It is a working piece of technology, but I personally think that it is being presented as something entirely different - as a replacement for IPsec and OpenVPN which it simply is not.

    As a side-note, I think that the media is responsible for this and not the WireGuard project itself.

    There has not been much positive news around the Linux kernel recently. They have reported of crushing processor vulnerabilities that have been mitigated in software, Linus Torvalds using too harsh language and just boring developer things. The scheduler or a zero-copy network stack are not very approachable topics for a glossy magazine. WireGuard is.

  • Kees Cook: security things in Linux v5.4

    Linux kernel v5.4 was released in late November. The holidays got the best of me, but better late than never!

Security: Patches, Core Infrastructure Initiative (CII), Crypto AG, More Issues

Filed under
Linux
Security
  • Security updates for Tuesday

    Security updates have been issued by Arch Linux (systemd and thunderbird), Debian (clamav, libgd2, php7.3, spamassassin, and webkit2gtk), Fedora (kernel, kernel-headers, and sway), Mageia (firefox, kernel-linus, mutt, python-pillow, sphinx, thunderbird, and webkit2), openSUSE (firefox, nextcloud, and thunderbird), Oracle (firefox and ksh), Red Hat (curl, java-1.7.0-openjdk, kernel, and ruby), Scientific Linux (firefox and ksh), SUSE (sudo and xen), and Ubuntu (clamav, php5, php7.0, php7.2, php7.3, postgresql-10, postgresql-11, and webkit2gtk).

  • The Linux Foundation and Harvard’s Lab for Innovation Science Release Census for Open Source Software Security

    The Linux Foundation’s Core Infrastructure Initiative (CII), a project that helps support best practices and the security of critical open source software projects, and the Laboratory for Innovation Science at Harvard (LISH), today announced the release of ‘Vulnerabilities in the Core,’ a Preliminary Report and Census II of Open Source Software.

    This Census II analysis and report represent important steps towards understanding and addressing structural and security complexities in the modern day supply chain where open source is pervasive, but not always understood. Census II identifies the most commonly used free and open source software (FOSS) components in production applications and begins to examine them for potential vulnerabilities, which can inform actions to sustain the long-term security and health of FOSS. Census I (2015) identified which software packages in the Debian Linux distribution were the most critical to the kernel’s operation and security.

    “The Census II report addresses some of the most important questions facing us as we try to understand the complexity and interdependence among open source software packages and components in the global supply chain,” said Jim Zemlin, executive director at the Linux Foundation. “The report begins to give us an inventory of the most important shared software and potential vulnerabilities and is the first step to understand more about these projects so that we can create tools and standards that results in trust and transparency in software.”

  • [Attackers] are demanding nude photos to unlock files in a new ransomware scheme targeting women

    The malware doesn’t appear to be the first to demand explicit images: In 2017, security firm Kaspersky reported another type of ransomware that demanded nude photos in exchange for unlocking access to infected computers. In other cases, scammers on dating apps have requested nude photos from would-be suitors, then held them for ransom by threatening to leak the photos.

  • Alarming ‘Hidden’ Cyber Attack Leaves Millions Of Windows And Linux Systems Vulnerable [Ed: Misleading headline from decades-long Microsoft booster. This isn't an OS level issue.]

    Vulnerabilities that can be hidden away out of sight are amongst the most-coveted by cyber-criminals and spooks alike. That's why zero-day vulnerabilities are deemed so valuable, and cause so much high-level concern when they are exposed. It's also why the CIA secretly purchased an encryption equipment provider to be able to hide backdoors in the products and spy upon more than 100 governments.

    While we are almost accustomed to reading government warnings about vulnerabilities in the Windows operating system, Linux cybersecurity threat warnings are less common. Which is partly why this report on the hidden exploit threat within both Linux and Windows systems caught my eye. The Eclypsium researchers concentrated on unsigned firmware as this is a known attack vector, which can have devastating implications, yet one in which vendors have appeared to be slow taking seriously enough. The unsigned firmware in question was found in peripherals used in computers from Dell, Lenovo and HP as well as other major manufacturers. They also demonstrated a successful attack using a network interface card with, you guessed it, unsigned firmware that is used by the big three server manufacturers. "Despite previous in-the-wild attacks," the report said, "peripheral manufacturers have been slow to adopt the practice of signing firmware, leaving millions of Windows and Linux systems at risk of firmware attacks that can exfiltrate data, disrupt operations and deliver ransomware."

    The truth is that, as far as cybersecurity is concerned, much of the defensive effort is focused on the operating system and applications. Hardly surprising, given these are the most visible attack surfaces. By not adding firmware into the threat prevention model, however, organizations are leaving a gaping hole just waiting to be filled by threat actors. "This could lead to implanted backdoors, network traffic sniffing, data exfiltration, and more," says Katie Teitler, a senior analyst at TAG Cyber. "Unfortunately, though, firmware vulnerabilities can be harder to detect and more difficult to patch," she says, "best practice is to deploy automated scanning for vulnerabilities and misconfigurations at the component level, and continuously monitor for new issues or exploits."

  • The Week in Internet News: CIA Had Encryption Backdoor for Decades

    The U.S. CIA secretly had an ownership stake in Swiss encryption company Crypto AG for decades and was able to read encrypted messages sent using the company’s technology, the Washington Post reports. West German intelligence agencies worked with the CIA. Forbes columnist Jody Westby called for a congressional investigation.

  • Insights from Avast/Jumpshot data: Pitfalls of data anonymization

    There has been a surprising development after my previous article on the topic, Avast having announced that they will terminate Jumpshot and stop selling users’ data. That’s not the end of the story however, with the Czech Office for Personal Data Protection starting an investigation into Avast’s practices. I’m very curious to see whether this investigation will confirm Avast’s claims that they were always fully compliant with the GDPR requirements. For my part, I now got a glimpse of what the Jumpshot data actually looks like. And I learned that I massively overestimated Avast’s success when anonymizing this data.

    [...]

    The data I saw was an example that Jumpshot provided to potential customers: an excerpt of real data for one week of 2019. Each record included an exact timestamp (milliseconds precision), a persistent user identifier, the platform used (desktop or mobile, which browser), the approximate geographic location (country, city and ZIP code derived from the user’s IP address), a guess for user’s gender and age group.

    What it didn’t contain was “every click, on every site.” This data sample didn’t belong to the “All Clicks Feed” which has received much media attention. Instead, it was the “Limited Insights Pro Feed” which is supposed to merely cover user’s shopping behavior: which products they looked at, what they added to the cart and whether they completed the order. All of that limited to shopping sites and grouped by country (Germany, UK and USA) as well as product category such as Shoes or Men’s Clothing.

    This doesn’t sound like there would be all too much personal data? But there is, thanks to a “referrer” field being there. This one is supposed to indicate how the user came to the shopping site, e.g. from a Google search page or by clicking an ad on another website. Given the detailed information collected by Avast, determining this referrer website should have been easy – yet Avast somehow failed this task. And so the supposed referrer is typically a completely unrelated random web page that this user visited, and sometimes not even a page but an image or JSON data.

    If you extract a list of these referrers (which I did), you see news that people read, their web mail sessions, search queries completely unrelated to shopping, and of course porn. You get a glimpse into what porn sites are most popular, what people watch there and even what they search for. For each user, the “limited insights” actually contain a tiny slice of their entire browsing behavior. Over the course of a week this exposed way too much information on some users however, and Jumpshot customers watching users over longer periods of time could learn a lot about each user even without the “All Clicks Feed.”

  • Byos Cautions RSA Conference 2020 Attendees, Travelers and General Public to “Dirty Half-Dozen” Public Wi-Fi Risks

    Byos, Inc., an endpoint security company focused on concept of Endpoint Microsegmentation through Hardware-Enforced Isolation, recommends caution for attendees of major conferences and events such as the RSA Conference 2020, a leading cybersecurity conference in San Francisco, February 24-28, and travelers in general risks of Free Wi-Fi. Many attendees will access the Internet via multiple free Wi-Fi connection points from Hotels, Airports, Coffee Shops and the Conference itself, and every free Wi-Fi access presents security risks for users that Byos calls “The Dirty Half-Dozen.”

    [...]

    The Dirty Half-Dozen risks are:

    Scanning, enumerating, and fingerprinting
    Eavesdropping
    Evil-Twin Wi-Fi
    Exploits
    Lateral network infections
    DNS hijacking

Gpg4KDE & GPG4win Approved for Transmission & Processing of National Classified Information

Filed under
KDE
Security

Something that may have slipped you by: Back in November, the German Federal Office for Information Security approved Gpg4KDE and Gpg4win for the transmission and processing of national classified information.

Gpg4KDE is the encryption system that you use each time you encrypt and sign messages in KMail. Gpg4win, used for encrypting and signing emails on Windows, is built upon KDE's certificate manager Kleopatra. The German Government has now ranked both secure enough to be used when transmitting messages with VS-ONLY FOR SERVICE USE (VS-NfD), EU RESTRICTED and NATO RESTRICTED levels of confidentiality.

In view of the recent Rubicon/Crypto AG/CIA scandal, this is further evidence that FLOSS encryption technology is the only reliable encryption technology.

Security and FUD Leftovers

Filed under
Linux
Security
  • Fwupd 1.3.8 Brings More Improvements For Firmware Updating On Linux Systems

    Red Hat's Richard Hughes has released Fwupd 1.3.8 as the latest version of this Linux utility for performing firmware updates of various system components.

    With the meteoric rise of Fwupd and LVFS, more Fwupd releases are having to deal with quirks and other peculiarities of different hardware components seeing Fwupd support and v1.3.8 is no different. Fwupd 1.3.8 adds a plug-in to support updating the power delivery controllers by Fresco Logic, a fix for Synaptics multi-stream transport devices, various EFI fixes/improvements, more parent devices are detected for different Lenovo USB hubs, support for GNUEFI file locations, and other fixes.

  • Cyber-gangs using SSH identities to sell on the black market [Ed: How to associate secure shell, SSH, with "black market", skull and bones, just because of machines that are already cracked because of something totally unrelated]

    Malware campaigns equipped with the capability to exploit powerful, hidden backdoors are becoming commoditised, researchers from Venafi have warned.

    The research shows several high-profile hacker campaigns are integrating the misuse of SSH machine identities capabilities into their attacks.

    Now, any attacker with access to the dark web can gain access to the same techniques that took down the Ukrainian power grid against every business and government agency.

    Malware can target common SSH machine identities used to access and automate Windows, Linux and MacOS in the enterprise and out to the cloud.

  • SAMM v2 – OWASP releases revamped security assurance framework

    A revamped version of OWASP’s Software Assurance Maturity Model (SAMM) adds automation along with maturity measurements to the open source security-related framework.

    OWASP SAMM v2 – released on Tuesday after three years of refinement – is geared towards helping organizations that develop software to travel down the path towards becoming more secure.

    The approach is based on a community-led open source framework that “allows teams and developers to assess, formulate, and implement strategies for better security which can be easily integrated into an existing organizational software development lifecycle”.

    [...]

    The OWASP SAMM community includes security knowledgeable volunteers from both businesses and educational organizations. The global community works to create “freely-available articles, methodologies, documentation, tools, and technologies”.

  • Smack: Some more busy nights and 12 bytes of IV

    Anu brought up the fact that the OMEMO XEP is not totally clear on the length of initialization vectors used for message encryption. Historically most clients use 16 bytes length, while normally you would want to use 12. Apparently some AES-GCM libraries on iOS only support 12 bytes length, so using 12 bytes is definitely desirable. Most OMEMO implementations already support receiving 12 bytes as well as 16 bytes IV.

Security/Fear, Uncertainty, Doubt/Fear-mongering

Filed under
Security
  • HackIllinois 2020 introduces new software, workshops

    This hackathon has grown to become one of the largest and most well-regarded in the country, with attendees from around the country traveling to Illinois to test and build their hacking skills.
    According to Opensource.com, open-source software is “software with source code that anyone can inspect, modify and enhance,” thereby allowing participants to focus on open exchange and collaboration during the one-of-a-kind event.

  • Hacking Group Outlaw Upgrades Malware for Illicit Income Sources: Report

    Cybersecurity firm Trend Micro has detected that hacking group Outlaw has been updating its toolkit for stealing enterprises’ data for nearly half a year at this point.
    Outlaw — who had ostensibly been silent since last June — became active again in December, with upgrades on their kits’ capabilities, which now target more systems, according to an analysis from Trend Micro published on Feb. 10. The kits in question are designed to steal data from the automotive and finance industries.

  • What happens when all the tiny satellites we’re shooting into space get hacked?
  • Hackers Could Shut Down Satellites—or Turn Them into Weapons

    Last month, SpaceX became the operator of the world’s largest active satellite constellation. As of the end of January, the company had 242 satellites orbiting the planet with plans to launch 42,000 over the next decade. This is part of its ambitious project to provide internet access across the globe. The race to put satellites in space is on, with Amazon, U.K.-based OneWeb and other companies chomping at the bit to place thousands of satellites in orbit in the coming months.

  • DevOps Alert: 12,000 Jenkins Servers Exposed to DoS Attacks [Ed: The ‘logic’ of this clickbait headline? Same as “1,000 MILLION browser users exposed to x, y, z…”]

    Security researchers are warning that 12,000 cloud automation servers around the world could be hijacked to launch denial of service (DoS) attacks.
