Language Selection

English French German Italian Portuguese Spanish

November 2019

Proprietary Software and Digital Jails

Filed under
Hardware
Software
  • checkra1n on Linux nearing release, Apple TV DFU helper coming too

    Despite being a closed ecosystem, iDevice users enjoy an advanced level of control over the OS through jailbreaking. But, not many opt for it because the Cupertino tech giant denies warranty claims for jailbroken gadgets.

    Moreover, one has to choose the jailbreaking tool so carefully that an incompatible selection will make your iPhone/iPad a fiasco. Owing to the frequent vulnerability fixes released by Apple, we can’t use a single tool for every iOS iteration.

  •                    

  • Jony Ive is no longer on Apple's leadership page

                         

                           

    His new firm is called LoveForm, which sounds an awful lot like LoveFilm - right down to the fact that both will score you 16 in a Scrabble match, assuming you're competing without someone that plays fast and loose with the ‘no brand names' rule. That's where the similarities end though: it's more focused on design than posting DVDs to people.

                           

    Unlike most people starting their own business, Ive won't have to hustle for new clients right away. Apple led the press release announcing Ive's exit by saying it would be one of LoveForm's clients, which is kind of like writing a blank cheque. But, hey, if anybody can write a blank cheque and not worry about the consequences then it's Cook & Co.

  •                    

  • Security firm Prosegur hit by Windows Ryuk ransomware

                         

                           

    Well-known British security researcher Kevin Beaumont was one of the first to point to a statement on on the Spain-based company's website in which it said that there had been "a security information incident on its telecommunications platforms".

                           

    Prosegur is the largest security firm in Spain and listed on Madrid Stock Exchange in 1987.

Entrapment in Microsoft GitHub

Filed under
Microsoft
  • Alibaba Cloud makes available its self-developed algorithm via open source on Github [Ed: Outsourcing one's code to a proprietary spying and censorship platform of a foreign firm and foreign regime]

    Launched in 2009 and headquartered in Singapore, the cloud subsidiary of Alibaba Group offers cloud computing services to enterprises.

  • Alibaba Publishes AI Algorithms on Github [Ed: Alibaba gives its code to Microsoft to further facilitate surveillance]
  • GitHub Seeks Security Dominance With Developers [Ed: GitHub is proprietary software in NSA PRISM, so assume back doors. Ignore these Forbes puff pieces of Microsoft (lots of them).]
  • Rav1e Picks Up More Speed Optimizations For Rust-Written AV1 Encoding [Ed: Still stuck inside GitHub]

    The Rust-based "rav1e" AV1 video encoder continues picking up performance optimizations. 

    During the month of November we've seen SSE4.1 and various x86 Assembly optimizations, other CPU performance optimizations, and also happening recently was the initial tagged release of rav1e (v0.1). 

  • Daniel Stenberg: curl: 25000 commits [Ed: Unhealthy dependence on GitHub]

    The first ever public release of curl was uploaded on March 20, 1998. 7924 days ago.

    3.15 commits per day on average since inception.

    These 25000 commits have been authored by 751 different persons.

    Through the years, 47 of these 751 authors have ever authored 10 commits or more within a single year. In fact, the largest number of people that did 10 commits or more within a single year is 13 that happened in both 2014 and 2017.

    19 of the 751 authors did ten or more changes in more than one calendar year. 5 of the authors have done ten or more changes during ten or more years.

Openwashing by Microsoft and the US Air Force

Filed under
Microsoft
  • Microsoft Teams spurs open source in Aussie channel [Ed: Gross case of openwashing. How on Earth did Microsoft manage to have proprietary software that's mass surveillance inside businesses framed as "open source"?

    Qbot is the brainchild of UNSW senior lecturer David Kellermann. Antares helped bring Qbot to life and, as it is the bot's primary developer, supports the code.

  • US Air Force says they are developing an Open Source Jet Engine

    The Responsive Open Source Engine (ROSE) is designed to be cheap enough that it can be disposable, which has obvious military applications for the Air Force such as small jet-powered drones or even missiles. But even for the pacifists in the audience, it’s hard not to get excited about the idea of a low-cost open source turbine. Obviously an engine this small would have limited use to commercial aviation, but hackers and makers have always been obsessed with small jet engines, and getting one fired up and self-sustaining has traditionally been something of a badge of honor.

    The economies of scale generally dictate that anything produced in large enough numbers will eventually become cheap. But despite the fact that a few thousand of them are tearing across the sky above our heads at any given moment, turbine jet engines are still expensive to produce compared to other forms of propulsion. The United States Air Force Research Laboratory is hoping to change that by developing their own in-house, open source turbine engine that they believe could reduce costs by as much as 75%.

Red Hat, IBM and SUSE

Filed under
Red Hat
SUSE
  • Raytheon Leans on Red Hat to Advance DevSecOps

    Jon Check, senior director for cyber protection solutions for Raytheon Intelligence, Information and Services, said Raytheon has developed a set of DevSecOps practices for organizations building applications deployed in highly secure environments, involving government contracts.

    Raytheon and these customers have been challenged by a chronic shortage of IT professionals with the appropriate level of clearance to work on these classified projects. To overcome that issue, Check said Raytheon developed what it describes as a “code low, deploy high” approach to DevSecOps. Developers who lack security clearances can still build applications; however, those applications can only be deployed by IT professionals having the appropriate security clearance.

    In addition, Check said Raytheon has developed integrations between its DevSecOps framework and various IT tools based on the ITIL framework, which so many IT operations teams depend on to foster collaboration across the application development and deployment process. For example, he said, whenever code gets checked into a repository, an alert can be sent to an IT service management application from ServiceNow.

  •                    

  • [Older] IBM: ‘Mac users are happier and more productive’ [iophk: duh]

                         

                           

    IBM CIO Fletcher Previn talked up fresh IBM findings that show those of its employees who use Macs are more likely to stay with IBM and exceed performance expectations compared to [Windows] users.

  •                    

  • [Older] IBM: Mac users perform better at work and close larger high-value sales compared to [Windows] users

                         

                           

    Today, IBM announced some major news showing the benefits of using a Mac over a [Windows machine] at work. According to IBM research, there are 22% more macOS users who exceed expectations in performance reviews compared to Windows users. High-value sales deals also tend to be 16% higher for Mac users compared to [Windows] users.

  •                    

  • [Older] IBM: Our Mac-Using Employees Outperform Windows Users in Every Way

                         

                           

    According to IBM, one staff member can support 5,400 Mac users, while the company needed one staff member per 242 [Windows] users. Only 5 percent of Mac users called the help desk for assistance, compared with 40 percent of [Windows] users. This Mac-IBM love affair has been ongoing for a few years, and the same IBM PR points out that in 2016, IBM CIO Fletcher Previn declared that IBM saves anywhere from $273 to $543 when its end users choose Mac over [Windows].

  • Centiq receives highest SUSE Solution Partner certification to bolster best-in-class enterprise cloud application migration and implementation expertise for SAP projects
  • Noop now named none

    Lately more and more people approached me with saptune warnings regarding ‘noop’ being an invalid scheduler.
    With new Servie Packs we see a transition from non-multiqueue schedulers (noop, cfq, deadline) to multiqueue schedulers (none, mq-deadline, bfq, kyber).
    This transition will be finished with kernel 5.x (SLES 15 SP2). Only multiqueue schedulers will remain.
    Even if you do not have upgraded lately, new hardware like NVMe’s can come with multiqueue support only.

Games and Programming: Epic Games, Godot, Haskell and Python

Filed under
Development
Gaming
  • Epic Games have awarded the FOSS game manager Lutris with an Epic MegaGrant

    The Lutris team announced yesterday that Epic Games have now awarded them a sum of money from the Epic MegaGrants pot.

    In the Patreon post, the Lutris team announced they've been awarded $25,000. While this might be quite a surprise to some, Tim Sweeney the CEO of Epic Games, did actually suggest they apply for it which we covered here back in April. To see it actually happen though, that's seriously awesome for the team building this free and open source game manager.

  • Play-ing with Godot

    I’ve finally come to a point where I have a project that is useful, and at a good enough quality (anyone with graphics skills who wants to help?) to be shared with the broader world: Mattemonster. What I’m trying to say is that I just went through the process of publishing a Godot app to the Google Play store.

    There is already good documentation for how you export a Godot app for Android, and detailed guides how to publish to Google Play. This blog is not a step by step tutorial, but instead mentioning some of the things I learned or noticed.

    First of all, when setting up the Android tooling, you usually have an android-tools package for your distro. This way, you don’t have to install Android Studio provided by Google.

    The configuration settings that you use to export your app goes into the export_presets.cfg file. Once you put the details for your release key in, you should avoid storing this file in a public git, as it contains sensitive data. But even before then, it contains paths that are local to your machine, so I would recommend not storing it in a public git anyway, as it makes merging with others painful.

  •      

  • Haskell
  • Python 3.7.5 : Script install and import python packages.

    This script will try to import Python packages from a list.
    If these packages are not installed then will be installed on system.

Security: Updates, Ken Thompson's Chess Secret, Healthcare Breaches Spike in October, "Private Internet Access Sold Out!" and Undercover Mode for the Fedora Security Lab

Filed under
Security
  • Security updates for Friday

    Security updates have been issued by Debian (libvpx and vino), Fedora (grub2 and nss), and SUSE (cloud-init, libarchive, libtomcrypt, ncurses, and ucode-intel).

  • Friday Fluff: Chess password cracked after four decades

    A good password paired with strong encryption protects data against unexpected loss. No password is unbreakable, but some can last for quote a long time. After 39 years, recently a few old Unix passwords were cracked. Computer pioneer Ken Thompson had hidden his access behind a chess opening.

  • ThreatList: Healthcare Breaches Spike in October

    October experienced a 44.44 percent month-over-month increase in healthcare data breaches, resulting in 661,830 healthcare records exposed or stolen during the month.

    That’s according to the Health and Human Services (HHS) Office for Civil Rights’ monthly report reported via HIPAA Journal. The department said that hospitals and other healthcare organizations reported 52 breaches to HHS during the month. Year-to-date, the total number of breached healthcare records stands at 38 million, affecting 11.64 percent of the population of the United States.

  • Private Internet Access Sold Out! | Choosing A New VPN

    This video goes over the purchase of Private Internet Access and Choosing a new VPN. I also layout the 3 points you NEED when choosing a new VPN.

  • Undercover mode for the Fedora Security Lab

    Every time when there is a new release of Kali Linux it doesn’t take long till people start to ask when a feature or tool will be added to the Fedora Security Lab.

    This time the most asked feature is the “undercover mode”.

    To make it short: Never.

    The reason is that the Fedora Security Lab live media doesn’t need this. We are running Xfce (in the meantime for several years now) with the default Fedora wallpaper and a default theme. It pretty hard to tell (reading impossible if you don’t have the menu open) for a person who only get a quick look at your desktop that you have a lot of specialized tools at your disposal.

    You are even stealthier if you only add the Fedora Security Lab toolset to your default Fedora installation. This make the Fedora Security Lab the perfect tool to perform security-related tasks in an office environment at customer’s sites.

Debian and Canonical/Ubuntu: Debian's Outreachy Interns, Debian LTS and Mir/Ubuntu Core Promotion

Filed under
Debian
Ubuntu
  • Debian welcomes its new Outreachy interns

    Debian continues participating in Outreachy, and we'd like to welcome our new Outreachy interns for this round, lasting from December 2019 to March 2020.

    Anisa Kuci will work on Improving the DebConf fundraising processes, mentored by Karina Ture and Daniel Lange.

    Sakshi Sangwan will work on Packaging GitLab's JS Modules, mentored by Utkarsh Gupta, Sruthi Chandran and Pirate Praveen.

    Congratulations, Anisa and Sakshi! Welcome!

  • Mike Gabriel: My Work on Debian LTS/ELTS (November 2019)

    In November 2019, I have worked on the Debian LTS project for 15 hours (of 15 hours planned) and on the Debian ELTS project for 5 hours (of 5 hours planned) as a paid contributor.

    For LTS, I, in fact, pulled over 1.7 hours from October, so I realy only did 13.3 hours for LTS in November.

    (This is only half-true, I worked a considerable amount of hours on this libvncserver code bundle audit, but I am just not invoicing all of it).

  • Build smart display devices with Mir: fast to production, secure, open-source

    Mir is a library for writing graphical shells for Linux and similar operating systems. Compared to traditional display servers, it offers numerous benefits that are important for IoT devices: efficiency, speed of development, security, performance, and flexibility. All are required by the devices of today, and even more so for the devices of tomorrow. In this whitepaper we’ll explain how Mir, alongside Ubuntu Core and Snapcraft, lets developers build devices that are ready for the future of IoT, while offering stable, secure and performant solutions to the problems the industry faces today.

More in Tux Machines

Android Leftovers

All about Kubernetes

Kubernetes is an enterprise-grade container-orchestration system designed from the start to be cloud-native. It has grown to be the de-facto cloud container platform, continuing to expand as it has embraced new technologies, including container-native virtualization and serverless computing. Kubernetes manages containers and more, from micro-scale at the edge to massive scale, in both public and private cloud environments. It is a perfect choice for a "private cloud at home" project, providing both robust container orchestration and the opportunity to learn about a technology in such demand and so thoroughly integrated into the cloud that its name is practically synonymous with "cloud computing." Read more Also: Provision Kubernetes NFS clients on a Raspberry Pi homelab A beginner's guide to Kubernetes container orchestration

Security and Proprietary Issues

  • Surprise Capital One court decision spells trouble for incident response

    Break in case of emergency: Language is everything. Delineate clearly in all written comms between a ‘potential incident’ - and an actual one. Don’t start turning one of the hundreds of security events you see into a ‘security incident’ before the most essential facts are understood. Halpert’s threshold for incidents that need to be covered by legal privilege are: a) An incident that gives rise to an obligation to notify a regulator, or a contractual obligation to notify a business partner; or b) An incident that exposed trade secrets or otherwise would affect the share price of a company; or c) An incident that would cause significant reputational hit to the company; or d) An incident in which a crime is committed.

  • Judge rules Capital One must hand over Mandiant's forensic data breach report

    It’s a significant ruling that effectively affords the attorneys suing Capital One with a breakdown of which bank behaviors were successful, and which failed. It’s common for Fortune 500 companies to keep incident response firms like Mandiant on retainer, though it’s rare for those firms’ insights on high profile breaches to be made public. Similar rulings in the future could provide aggrieved customers with ammunition to seek higher pay-outs in court.

  • Retrotech: The Novell NetWare Experience

    In the simplest terms possible, NetWare was a dedicated network operating system. It was designed around fast and reliable network operations at the expense of almost everything else. Novell had invested massive amounts of research in figuring out how to do fast I/O and minimizing any delays from hardware related sources. The end result was a very lean system that remained stable and performant with a large number of clients attached. As networking was Novell's bread and butter, NetWare had excellent support for everything: clients were available for DOS, Windows, UNIX, Macintosh, OS/2 and probably other platforms I've never even heard of.

    The early history of NetWare is very muddled, and pre-2.0 versions have been lost to time. This compounded with poor documentation has made it very difficult to trace the early history of the product. However, while NetWare was not the first (or only) network product for IBM PCs, it quickly became the largest, displacing IBM's PC Network, and laughed at Microsoft's LAN Manager, and IBM OS/2 LAN Server.

    While NetWare did compete on UNIX, Sun had already gotten their foot in the door by porting NFS and making it the de-facto solution for all UNIXs of the era, as well as Linux. Meanwhile, Apple held onto AppleTalk which itself survived well into the early 2000s when NetWare had already disappeared into the aether. The explosion of Wintel PCs throughout the 90s had given NetWare a market position that should have been very difficult to dislodge.

    The full story of NetWare's fall from grace is a story for another time, but I do want to go into the more technical aspects that were both the boon and bane of NetWare. Much of NetWare's success can be attributed to its own IPX protocol which made networking plug and play and drastically lowered latencies compared to NetBIOS or even TCP/IP.

  • Polish malspam pushes ZLoader malware

    When enabling macros on the malicious Excel spreadsheet, the victim host retrieved the ZLoader DLL as shown in the previous section, saved the DLL to the victim's Documents folder, and ran it using rundll32.exe.

  • Microsoft Defender SmartScreen is hurting independent developers

    But what is SmartScreen?

    SmartScreen collects installation data from all Windows users in order to establish “reputation”. If the program does not have an established good reputation, you get this big warning message. By this time most users have deleted the .exe already thinking it is a malware, but SmartScreen can be bypassed by clicking on “More info” then “Run anyway”.

    The digital signature racket

    But let’s say you bite the bullet, you buy yourself an overpriced piece of prime numbers generated by a computer, sign your code and re-publish your application. You can now start getting users to install your app right? Wrong.

    But how do you build reputation? First of all, Microsoft needs to be able to gather information on who has published the app, and this is done by a code signing certificate. The most obvious implication is that unsigned apps will always trigger SmartScreen. The more insidious implication is that acquiring a code signing certificate is a big expense for an individual developer. There is currently no “Let’s Encrypt” equivalent to code signing certificates; so you have to purchase it from trusted authorities. The price range is wide but a certificate only valid for a year will typically go for about $100.

  • #Privacy: Michigan State University struck by ransomware attack

    It remains unclear as to how and when the attack happened, and what the ransom demand is.

    NetWalker is one of twelve ransomware gangs who threaten to publish data in revenge if organisations refuse to pay the ransom demand.

    MSU have not official disclosed the incident, however, an MSU spokesperson, Dan Olsen shared the following statement to EdScoop: “We are aware of a possible intrusion and we are actively looking into it.”

  • MSU: We won't pay [attacker] demanding ransom, threatening university over records

    University officials believe the latest breach occurred on Memorial Day and took relevant computer systems offline within hours of the intrusion, according to a news release. It compromised data associated with the Department of Physics and Astronomy, and information technology teams are coordinating with law enforcement to understand the scope of the breach. Investigators are notifying and providing support to affected MSU affiliates as they are identified.

    The cybersecurity breach, known as a ransomware attack, first became public May 27 when a [cr]acker-affiliated blog posted screenshots of files allegedly belonging to MSU affiliates. Images circulating on social media include a redacted passport and a list of transactions related to physics and astronomy projects. They also show a countdown clock that warns of “secret data publication” less than one week from when the screenshots were taken.

  • Michigan State target of ransomware attack threatening to release university data

    The ransom demanded was not specified, but the ransomware gang is prepared to release the university's documents.

    The NetWalker, a newer form of ransomeware sometimes labeled as Mailto, blog post threatened publication of 'secret' documents dated with a countdown clock with close to a week remaining.

  • Malware Team NetWalker Launches Ransomware Attack Against Weiz

    The Malware team NetWalker launched a new ransomware attack against the Austrian village of Weiz which affected the public service system and leaked a lot of the stolen data from building applications as we are about to read more in the following latest cryptocurrency news.

    According to the cybersecurity firm Panda Security, the Malware team managed to enter the town’s public network through phishing emails related to the Coronavirus pandemic. The subject of the emails which was ‘’information about the coronavirus’’ was used to bait the employees of the public infrastructure of the city into clicking on malicious links which triggered the ransomware.

    Panda Security claims that the ransomware attack belongs to a new version of a ransomware family that spreads by using VBScripts. If the infection is successful, it will spread through the entire windows network to which the infected machine is related. The report details that the ransomware terminates and services under Windows which encrypts files on all available disks thus eliminating the backups.

  • Inside a ransomware gang’s attack toolbox

    The crooks deployed a pirated copy of the Virtual Box virtual machine (VM) software to every computer on the victim’s network, plus a VM file containing a pirated copy of Windows XP, just to have a “walled garden” for their ransomware to sit inside while it did its cryptographic scrambling.

    But that’s far from everything that today’s crooks bring along for a typical attack, as SophosLabs was able to document recently when it stumbled upon a cache of tools belonging to a ransomware gang known as Netwalker.

  • Researchers Dive Into Evolution of Malicious Excel 4.0 Macros

    For more than five months, Lastline security researchers have tracked the evolution of malicious Excel 4.0 (XL4) macros, observing the fast pace at which malware authors change them to stay ahead of security tools.

    A central part of many organizations’ productivity tools, Excel opens the door for phishing attacks where victims are tricked into enabling macros in malicious documents, which can results in the attackers gaining a foothold on the network, in preparation for additional activities.

    During their five-month research, Lastline observed thousands of malicious samples, clustered into waves that provide a comprehensive picture of how the threat has evolved in both sophistication and evasiveness.

  • MSU won't pay ransom to [cr]acker who stole financial documents, personal information

    EdScoop reported the ransomware attack on May 27 and provided screenshots from a blog on the dark web, showing what appear to be a student's passport, MSU financial documents and files from the MSU network, as well as a countdown that had about one week remaining as of May 27.

  • Attackers Target 1M+ WordPress Sites To Harvest Database Credentials

    Attackers were spotted targeting over one million WordPress websites in a campaign over the weekend. The campaign unsuccessfully attempted to exploit old cross-site scripting (XSS) vulnerabilities in WordPress plugins and themes, with the goal of harvesting database credentials.

    The attacks were aiming to download wp-config.php, a file critical to all WordPress installations. The file is located in the root of WordPress file directories and contains websites’ database credentials and connection information, in addition to authentication unique keys and salts. By downloading the sites’ configuration files, an attacker would gain access to the site’s database, where site content and credentials are stored, said researchers with Wordfence who spotted the attack.

    Between May 29 and May 31, researchers observed (and were able to block) over 130 million attacks targeting 1.3 million sites.

  • Denial of service attacks against advocacy groups skyrocket

    Distributed denial-of-service attacks against advocacy organizations increased by 1,120% since a Minneapolis police officer killed George Floyd by kneeling on his neck, sparking demonstrations throughout the U.S.

    In figures published Tuesday, the internet security firm Cloudflare said it blocked more than 135 billion malicious web requests against advocacy sites, compared to less than 30 million blocked requests against U.S. government websites, such as police and military organizations. The company did not disclose which websites were affected, specifically.

Reading about open source in French

English speakers have so many wonderful open source resources that it's easy to forget that communications in English aren't accessible to everyone everywhere. Therefore, I've been looking for great open source resources in Spanish and French, so I can recommend them when the need arises. One I've been looking at recently is LinuxFr.org, which seems to be a fine "agora" for all sorts of interesting conversations in French about open source specifically and open everything else as well. Read more