Security

Open Hardware Boost for Libre RISC-V

Filed under
Hardware
OSS
Security
  • First NLNet Grant Approved to Fund Development

    The application for funding from NLnet and the Next Generation Internet initiative from the European Commission, from back in November of last year, has been approved. It means that we have EUR $50,000 to pay for full-time engineering work to be carried out over the next year, and to pay for bounty-style tasks. For the right people, with the right skills, there is money now available.

    More plans from our community are in the pipeline. We can apply for additional grants (also up to EUR $50,000). In the next couple of days, we will put in an application for “Formal Mathematical Proofs” of the processor design.

    There are several reasons for doing so. The primary one is down to the fact that we anticipate this (commercial, libre) product to be closely and independently examined by third parties, to verify for themselves that it does not contain spying backdoor co-processors, as well as the usual security and correctness guarantees. If there exist formal mathematical proofs that the processor and its sub-components operate correctly, that independent third-party verification task is a lot easier.

    In addition, it turns out that when writing unit tests, using formal mathematical proofs makes for complete code coverage - far better than any other “comprehensive” multiple unit test technique could ever hope to achieve - with less code and not just better accuracy but 100% provable accuracy. Additional, much simpler unit tests can then be written which are more along the lines of “HOWTOs” - examples on how to use the unit.

  • Libre RISC-V Snags $50k EUR Grant To Work On Its RISC-V 3D GPU Chip

    In case you haven't followed the previous articles on Libre RISC-V, this is the latest open-source GPU hardware effort that is taking the approach of using a RISC-V chip running a Rust-written Vulkan software renderer (similar to what LLVMpipe is to OpenGL on CPUs) for providing libre 3D graphics. They hope to have something ready in 2020 but their goal is just 1280 x 720 25 fps, 100 Mpixels/sec, 30 Mtriangles/sec, 5-6 GFLOPs and they think they can accomplish that with just about a 2.5 Watt power draw. But less than 30 FPS for 720p content really isn't much especially in 2020, but they are trumpeting it for its open-source/libre hardware potential.

Canonical Outs Linux Kernel Security Updates for All Supported Ubuntu Releases

Filed under
Linux
Security
Ubuntu

Available for Ubuntu 19.04 (Disco Dingo), Ubuntu 18.10 (Cosmic Cuttlefish), Ubuntu 18.04 LTS (Bionic Beaver), and Ubuntu 16.04 LTS (Xenial Xerus), the new security patches are here to fix several issues affecting the Linux kernels of these releases, especially a security vulnerability (CVE-2019-11191) that only affects the i386 (32-bit) kernels of Ubuntu 18.10, Ubuntu 18.04 LTS, and Ubuntu 16.04 LTS, as Ubuntu 19.10 and Ubuntu 19.04 are not affected.

"Federico Manuel Bento discovered that the Linux kernel did not properly apply Address Space Layout Randomization (ASLR) in some situations for setuid a.out binaries. A local attacker could use this to improve the chances of exploiting an existing vulnerability in a setuid a.out binary. As a hardening measure, this update disables a.out support," reads the security advisory.

Security: Librem and PayID Fluke

Filed under
Security
  • Control, Freedom and Harm

    Control is the best measurement of both freedom and harm. If freedom can be summarized as not being under the control of another, harm can be summarized as being under the control of another.

    The darker side of “control vs. freedom” or “control + harm” casts a shadow on every facet of technology—and it is a digital civil rights issue, where control over you by corporations is causing you harm, all the time, on all your devices.

    The answer is rather simple: Don’t. Control. People.

  • Details of 100,000 Australians leaked through PayID

    The inherent weakness at the heart of the real-time payments platform PayID has been exposed, with the details of about 100,000 Australians being leaked through an attack on the Westpac bank.

  • Almost 100,000 Australians' private details exposed in attack on Westpac's PayID

    The private details of almost 100,000 Australian bank customers have been exposed in a cyber attack on the real-time payments platform PayID, which allows the instant transfer of money between banks using either a mobile number or email address.

10 Most Secured Linux Distros For Advanced Privacy & Security

Filed under
GNU
Linux
Security

Alpine Linux is an independent, non-commercial, general purpose Linux distribution designed for power users who appreciate security, simplicity and resource efficiency. It is built around musl libc and busybox which makes it more resource efficient than the traditional GNU/Linux distributions. In this distro, all userland binaries are compiled as Position Independent Executable (PIE) with stack smashing protection which helps in preventing exploitation of entire classes of zero-day and other such vulnerabilities.

Security: Updates, Email, Microsoft Back Doors, Adafruit's Kinect Hacking Story and Coreboot Project Leveraging NSA Software

Filed under
Security
  • Security updates for Tuesday
  • Email Still a Major Attack Vector: Security Research [Ed: And if they use Windows, it might be enough for them to just open a message]

    While modern cyber threats can take different forms and delivery methods, email continues to be one of the primary approaches cyber attackers are using to exploit organizations, according to multiple research reports released in May 2019.

    In this monthly roundup, eSecurity Planet summarizes findings from seven different research reports — and the key lessons that enterprises can learn to protect themselves against current and emerging security risks.

  • POC – EternalBlue and Doublepulsar in Kali [Ed: NSA back doors]

    On April 14, 2017, the ShadowBrokers team leaked a new hacking toolkit that has put many organizations in check; this is the five that is done by the hacking team called “Lost in Translation.” To better understand the situation, below we will see a summary of the leaks that have been occurring through this group of hackers.

    Shadow Brokers is a group of hackers that first appeared in the summer of 2016. They were responsible for making several leaks that contained some of the hacking tools that the National Security Agency (NSA) used internally, including several 0days. In this leak, the products that were affected were the firewall, antivirus products, and Microsoft products.

  • Meet Adafruit Founder Limor Fried: Open-Source Hardware Revolution

    In 2010, Adafruit offered a US$1,000 (equivalent to $1,149 in 2018) reward for whoever could hack Microsoft’s Kinect to make its motion sensing capabilities available for use for other projects. This reward was increased to $2000 and then $3000 following Microsoft’s concerns about tampering.

  • Coreboot Project Is Leveraging NSA Software To Help With Firmware Reverse Engineering

    It's not often the National Security Agency (NSA) can be thanked for their contributions to society, but in the case of one of their public open-source projects it's going to be used to help the Coreboot folks in reverse-engineering system firmware.

    Ghidra is an open-source project maintained by the National Security Agency as a reverse engineering tool that was originally outed by WikiLeaks only to be declassified earlier this year by the agency. The code was just open-sourced earlier this year as an alternative to IDA Pro and other disassemblers/decompilers. Those interested in this NSA software reverse engineering suite can find it hosted at Ghidra-SRE.org.

Stop all* malware!

Filed under
GNU
Linux
Security

Does Linux need an antivirus? I was asked this by a reader and didn’t quite know how to answer. They were moving from a Windows background where standard practice is to constantly run anti-malware, as generally everything can be seen as a threat to a Windows user. Never did we need any less of an excuse to throw Jonni once more into the deep end, let him flounder around for a bit and see what nuggets of useful information he can drag back to shore.
So that’s what Jonni’s been doing, trying his best to get his Linux boxes infected with all manner of online nasties, without much luck as it turns out. You can read his guide to Linux malware this issue. As we’ve often alluded to, it’s more about good practice than running constantly outdated anti-malware software.
The other big news for this issue is that Ubuntu 19.04 has been released. We have the full 64-bit release on the DVD alongside the equally exciting Fedora 30. If you’re looking to try Linux in a friendly form, or want a simple environment to play with some of the latest open source technology like the Wayland display server, either of these offers a friendly and stable system.

Also: Devs slam Microsoft for injecting tech-support scam ads into their Windows Store apps

Security: WPA3, Django, Hacking and Debian LTS Work

Filed under
Security

Popular Linux Distributions for Security Testing

Filed under
GNU
Linux
Security

Kali was first introduced in 2012 as a Debian-based distribution, released with over 300 specialized tools for penetration testing and digital forensics. It uses the rolling release model that makes sure that any tool you use for security testing will always be up to date. It is a rewrite of BackTrack and maintained and funded by Offensive Security Ltd.
Kali is free to use and can run natively as a virtual machine or even as a live boot. The live boot is an exceptional advantage when using Kali for penetration testing and digital forensics. Kali supports a plethora of devices and hardware platforms, including VMware and ARM. It is rightly considered as one of the best and sophisticated penetration testing platforms available today, with a large and active community helping to make it better and more advanced.

Security: Firmware, 2FA, Microsoft Partners, FUD and KeePassXC 2.4.2

Filed under
Security
  • Why open source firmware is important for security

    I gave a talk recently at GoTo Chicago on Why open source firmware is important and I thought it would be nice to also write a blog post with my findings. This post will focus on why open source firmware is important for security.

  • How much is good online security worth to you? How about $100,000? [iophk: "except that 2FA is used to lock people into Google's proprietary mail clients, as they do not support 2FA on IMAP and probably never will since it is an open protocol which allows free choice of mail clients, not just Google's"]

    Google’s research indicates that spear phishing emails impersonating family members, colleagues, government officials, or even Google itself, are the main ways to break into accounts. Attacks can persist for several weeks, and involve sophisticated man-in-the-middle techniques that prompt users to enter not just their password, but also authentication codes sent by SMS or from devices running software like Google Authenticator. Because of this weakness – and those deriving from the SIM swap attack – Google recommends that “high-risk users” enrol in its Advanced Protection Program, which requires the use of hardware 2FA keys.

    The cost of these is very low now – typically around $25. Of course, the downside with such hardware keys is that they require setting up, carrying around and using. Whether the undoubted extra security is worth the extra effort will depend on individual circumstances. For those who manage to minimise how much about their personal lives appears online, it may be enough to use weaker forms of 2FA. But given the central importance of email accounts in our digital lives, and how gaining control of them makes taking over other online services much easier, it is certainly something that people should seriously consider. Buying hardware keys could prove one of the best investments they ever make. Just ask someone who didn’t, and paid the price. In the case of Sean Coonce, that price turned out to be $100,000.

  • Open Source Security - How to Defend at the Speed of Attack

    On the sixth stop of a multi-city tour, ISMG and Sonatype visited San Francisco for an engaging discussion on how to mitigate risks introduced by open source software. Sonatype CMO Matt Howard discusses the relevance and value of this application security conversation.

    The reason why this topic resonates so well across sectors and regions? "Because software is the last path for differentiation in every industry," Howard says, "and whether you know it or not, every business in the world today is largely a software company."

  • Venafi: Four Ways Open Source Libraries Leave Organizations at Risk [Ed: of course proprietary software is absolutely perfect and comes with no risks, holes, back doors and so on]
  • WordPress Slick Popup plugin could leave backdoor open to hackers [Ed: This is a really sloppy case of programming or intentional malice caught thanks to the source being available. "The login credentials for the administrative accounts are the same for all of the sites."]
  • Netgate® Progresses TNSR™ Open Source Secure Networking with Release 19.05
  • KeePassXC 2.4.2 released

    We are happy to announce KeePassXC 2.4.2, the second maintenance release of the 2.4 series!

    This release fixes several bugs and introduces a memory wiping feature that will reduce the risk of secrets remaining in memory after a database is locked or being swapped to disk. Combined with the existing restrictions on memory access by non-administrators, this feature increases the security of KeePassXC.

    Other notable changes are fixes to entry editing, prevention of infinite save loops, ability to open non-http URLs, and preventing data loss when opening a database with duplicated attachment binaries.

  • KeePassXC Password Manager 2.4.2 Released (Howto Install)

    KeePassXC, cross-platform community fork of KeePassX, released version 2.4.2 a few days ago with many improvements and security fixes.

Authenticator, a 2FA Token Generator for Linux, Gets Updated

Filed under
Software
Security

If you’re big into two-factor authentication — and in this merciless rag-tag world of the internet, you dang well should be — keeping an app like Authenticator within easy reach is a smart move.

As the name should already tell you, Authenticator is a desktop 2FA code generator for Linux desktops, like Ubuntu.

Using it you can generate 2FA tokens for over 500 well-known providers, including Github, Gitlab, Twitter, Facebook, Google, Dropbox, and Twitch.

This week a new version of Authenticator arrived. It adds a wealth of welcome improvements. Read on to find out more!

More in Tux Machines

AMD Releases Firmware Update To Address SEV Vulnerability

A new security vulnerability has been made public over AMD's Secure Encrypted Virtualization (SEV) having insecure cryptographic implementations. Fortunately, this AMD SEV issue is addressed by a firmware update. CVE-2019-9836 has been made public as the AMD Secure Processor / Secure Encrypted Virtualization having an insecure cryptographic implementation.

today's howtos and programming bits

  • How to get the latest Wine on Linux Mint 19
  • How to Install KDE Plasma in Arch Linux (Guide)
  • 0 bytes left

    Around 2003–2004, a friend and I wrote a softsynth that was used in a 64 kB intro. Now, 14 years later, cTrix and Pselodux picked it up and made a really cool 32 kB tune with it! Who would have thought.

  • A month full of learning with Gnome-GSoC

    In this month I was able to work with Libgit2-glib where Albfan mentored me on how to port functions from Libgit2 to Libgit2-glib. Libgit2-glib now has functionality to compare two buffers. This feature I think can now benefit other projects also which require diff from buffers, for example Builder for its diff-view and gedit.

  • Google Developers Are Looking At Creating A New libc For LLVM

    As part of Google's consolidating their different toolchains around LLVM, they are exploring the possibility of writing a new C library "libc" implementation. Google is looking to develop a new C standard library within LLVM that will better suit their use-cases and likely others within the community too.

  • How We Made Conda Faster in 4.7

    We’ve witnessed a lot of community grumbling about Conda’s speed, and we’ve experienced it ourselves. Thanks to a contract from NASA via the SBIR program, we’ve been able to dedicate a lot of time recently to optimizing Conda. We’d like to take this opportunity to discuss what we did, and what we think is left to do.

  • TensorFlow CPU optimizations in Anaconda

    By Stan Seibert, Anaconda, Inc. & Nathan Greeneltch, Intel Corporation

    TensorFlow is one of the most commonly used frameworks for large-scale machine learning, especially deep learning (we’ll call it “DL” for short). This popular framework has been increasingly used to solve a variety of complex research, business and social problems. Since 2016, Intel and Google have worked together to optimize TensorFlow for DL training and inference speed performance on CPUs. The Anaconda Distribution has included this CPU-optimized TensorFlow as the default for the past several TensorFlow releases. Performance optimizations for CPUs are provided by both software-layer graph optimizations and hardware-specific code paths. In particular, the software-layer graph optimizations use the Intel Math Kernel Library for Deep Neural Networks (Intel MKL-DNN), an open source performance library for DL applications on Intel architecture. Hardware specific code paths are further accelerated with advanced x86 processor instruction set, specifically, Intel Advanced Vector Extensions 512 (Intel AVX-512) and new instructions found in the Intel Deep Learning Boost (Intel DL Boost) feature on 2nd generation Intel Xeon Scalable processors. Let’s take a closer look at both optimization approaches and how to get these accelerations from Anaconda.

  • PyCoder’s Weekly: Issue #374 (June 25, 2019)

Video/Audio: Linux in the Ham Shack, How to install OpenMandriva Lx 4.0 and "Debian Package of the Day"

  • LHS Episode #290: Where the Wild Things Are

    Welcome to Episode 290 of Linux in the Ham Shack. In this short format show, the hosts discuss the recent ARRL Field Day, LIDs getting theirs, vandalism in Oregon, a Canonical flip-flop, satellite reception with SDR and much more. Thank you for tuning in and we hope you have a wonderful week.

  • How to install OpenMandriva Lx 4.0

    In this video, I am going to show how to Install OpenMandriva Lx 4.0.

  • Jonathan Carter: PeerTube and LBRY

    I have many problems with YouTube, who doesn’t these days, right? I’m not going to go into all the nitty gritty of it in this post, but here’s a video from a LBRY advocate that does a good job of summarizing some of the issues by using clips from YouTube creators: I have a channel on YouTube for which I have lots of plans. I started making videos last year and created 59 episodes for Debian Package of the Day. I’m proud that I got so far because I tend to lose interest in things after I figure out how it works or how to do it. I suppose some people have assumed that my video channel is dead because I haven’t uploaded recently, but I’ve just been really busy and in recent weeks, also a bit tired as a result. Things should pick up again soon.

Games: Steam Summer Sale, Last Moon, Ubuntu-Valve-Canonical Faceoff

  • Steam Summer Sale 2019 is live, here’s what to look out for Linux fans

    Another year, another massive sale is now live on Steam. Let’s take a look at what Valve are doing this year and what you should be looking out for. This time around, Valve aren’t doing any special trading cards. They’re trying something a little different! You will be entering the "Steam Grand Prix" by joining a team (go team Hare!), earning points for rewards and having a shot at winning some free games in the process. Sounds like a good bit of fun, the specific-game challenges are a nice touch.

  • Last Moon, a 2D action-RPG with a gorgeous vibrant style will be coming to Linux next year

    Sköll Studio managed to capture my attention recently, with some early footage of their action-RPG 'Last Moon' popping up in my feed and it looks gorgeous. Taking inspiration from classics like Legend of Zelda: A Link to the Past, Secret of Mana, Chrono Trigger and a ton more you can see it quite clearly. Last Moon takes place in a once peaceful kingdom, where an ancient and powerful mage put a curse on the moon, as Lunar Knight you need to stop all this insanity and bring back peace.

  • Ubuntu Takes A U-Turn with 32-Bit Support

    Canonical will continue to support legacy applications and libraries. Canonical, the maker of the world’s most popular Linux-based distribution Ubuntu, has revived support for 32-bit libraries after feedback from WINE, Ubuntu Studio and Steam communities. Last week Canonical announced that its engineering teams decided that Ubuntu should not continue to carry i386 forward as an architecture. “Consequently, i386 will not be included as an architecture for the 19.10 release, and we will shortly begin the process of disabling it for the eoan series across Ubuntu infrastructure,” wrote Will Cooke, Director of Ubuntu Desktop at Canonical.

  • Steam and Ubuntu clash over 32-bit libs

    It has been a tumultuous week for gaming on Linux. Last Tuesday afternoon, Canonical's Steve Langasek announced that 32-bit libs would be frozen (kept as-is, with no new builds or updates) as of this October's interim 19.10 release, codenamed "Eoan Ermine." Langasek was pretty clear that this did not mean abandoning support for running 32-bit applications, however.

  • Linux gamers take note: Steam won’t support the next version of Ubuntu

    Valve has announced that from the next version of Ubuntu (19.10), it will no longer support Steam on Ubuntu, the most popular flavor of Linux, due to the distro dropping support for 32-bit packages. This all kicked off when Canonical, developer of Ubuntu, announced that it was seemingly completely dropping support for 32-bit in Ubuntu 19.10. However, following a major outcry, a further clarification (or indeed, change of heart) came from the firm stating that there will actually be limited support for 32-bit going forward (although updates for 32-bit libraries will no longer be delivered, effectively leaving them in a frozen state).

  • Valve killing Steam Support for some Ubuntu users

    A few years ago the announcement that Steam would begin supporting Linux was a big deal: it meant that anyone who preferred to rock an open-source operating system over Mac OS or Windows 10 would have instant buy-it-and-play-it access to a large catalog of game titles that would have otherwise taken a whole lot of tweaking to get up and running or wouldn't have worked for them at all. For some, at least, the party may be coming to an end.

  • Steam is dropping support for Ubuntu, but not Linux entirely

    The availability of Steam on Linux has been a boom for gaming on the platform, especially with the recent addition of the Steam Play compatibility layer for running Windows-only games. Valve has always recommended that gamers run Ubuntu Linux, the most popular desktop Linux distribution, but that's now changing.

  • Canonical (sort of) backtracks: Ubuntu will continue to support (some) 32-bit software

    A few days after announcing it would effectively drop support for 32-bit software in future versions of the Ubuntu operating system, Canonical has decided to “change our plan and build selected 32-bit i386 packages.” The company’s original decision sparked some backlash when it became clear that some existing apps and games would no longer run on Ubuntu 19.10 if the change were to proceed as planned. Valve, for example, announced it would continue to support older versions of Ubuntu, allowing users to continue running its popular Steam game client. But moving forward, the company said it would be focusing its Steam for Linux efforts on a different GNU/Linux distribution.

  • Just kidding? Ubuntu 32-bit moving forward, no word yet from Valve

    Due in part to the feedback given to the group over the weekend and because of their connections with Valve, Canonical did an about-face today. They’ve suggested that feedback from gamers, Ubuntu Studio, and the WINE community led them to change their plan and will “build selected 32-bit i386 packages for Ubuntu 19.10 and 20.04 LTS.” Whether this will change Valve’s future with Ubuntu Steam, we’ll see.

  • Canonical backtracks on 32-bit Ubuntu cull, but warns that on your head be it

    CANONICAL HAS CONFIRMED a U-Turn on the controversial decision to drop 32-bit support for Ubuntu users later this year. The company has faced criticism from users who aren't happy with the plan to make Ubuntu purely 64-bit, which culminated at the weekend with Steam announcing it would pull support for Ubuntu. Many Steam games were never made in 64-bit and it would, therefore, devalue the offer. However, Canonical confirmed on Monday that following feedback from the community, it was clear that there is still a demand, and indeed a need for 32-bit binaries, and as such, it will provide "selected" builds for both Ubuntu 19.10 and the forthcoming Ubuntu 20.04. Canonical's announcement spoke of the highly passionate arguments from those who are in favour of maintaining both versions, thus forcing the team to take notice. However, it has made it clear that it's doing so under the weight of expectation, not because it agrees. "There is a real risk to anybody who is running a body of software that gets little testing. The facts are that most 32-bit x86 packages are hardly used at all," the firm said.