
Security

Which Linux distro is best for privacy?

Filed under
GNU
Linux
Security

Linux operating systems are better for privacy and security than their Mac and Windows counterparts. They are also open source, which means they are much less likely to be hiding backdoors for their developers, the NSA, or anybody else.

It is for this reason that Linux distros are the operating system of choice for security professionals and privacy advocates as well as for the majority of computer servers around the globe.

There are plenty of Linux distros to choose from. And this can make it confusing for anybody wanting to move away from Windows in favor of something more secure. Even existing Linux users may be slightly unsure as to which Linux distro they ought to be using if they value privacy and security.

In this article, we will walk you through two of the best Linux distros for protecting your data and staying clear of hackers. All Linux distros have specific peculiarities and advantages, meaning that they all do slightly different things. However, there are two Linux distros that stand out where privacy is concerned...

My take on OpenPGP best practices

Filed under
Security
Debian

After having seen a few talks at DebConf on GnuPG and related things, I would like to document here how I currently manage my OpenPGP keys, in the hope they can be useful for other people or for discussion. This is not a tutorial, meaning that I do not give you the commands to do what I am saying, otherwise it would become way too long. If there is the need to better document how to implement these best practices, I will try to write another post.

I actually do have two OpenPGP certificates, D9AB457E and E535FA6D. The first one is RSA 4096 and the second one is Curve25519. The reason for having two certificates is algorithm diversity: I don't know which one between RSA and Curve25519 will be the first to be considered less secure or insecure, therefore I would like to be ready for both scenarios. Having two certificates already allows me to do signature hunting on both, in such a way that it is easy to transition from one to the other as soon as there is the need.

The key I currently use is the RSA one, which is also the one available in the Debian keyring.

(If you search on the keyservers you will find many other keys with my name; they are obsolete, meant for my internal usage or otherwise not in use; just ignore them!)

Even if the two primary keys are different, their subkeys are the same (apart from some older cruft now revoked), meaning that they have the same key material. This is useful, because I can use the same hardware token for both keys (most hardware tokens only have three key slots, one for each subkey capability, so to have two primary keys ready for use you need two tokens, unless the two keys share their subkeys). I have one subkey for each subkey capability (sign, encrypt and authentication), which are Curve25519 keys and are stored in a Nitrokey Start token. I also have, but tend to not use, one RSA subkey for each capability, which are stored on an OpenPGP card. Thanks to some date tweaking, both certificates are configured in such a way that Curve25519 subkeys are always preferred over RSA subkeys, but I also want to retain the RSA keys for corner cases where Curve25519 is not available.

Security Leftovers

Filed under
Security
  • With ransomware on the rise, RCMP urging victims to 'be patient with police' [iophk: gross negligence in allowing use of Windows]

    But to get a real sense of the problem, Flynn said, you can multiply most online extortion stats by 20.

    "Numbers are hard to give because we also have a serious lack of reporting," he said.

    "There is a significant underreporting of cybercrime. Some of that comes from embarrassment, fear of reputational harm."

    Flynn said that major corporations don't want to lose customers and risk the public backlash.

  • Security updates for Friday

    Security updates have been issued by Debian (libssh2 and patch), Fedora (kernel and kernel-headers), Mageia (vlc), Red Hat (rh-redis32-redis), SUSE (libgcrypt, libsolv, libzypp, zypper, and rmt-server), and Ubuntu (exim4, firefox, libebml, linux, linux-aws, linux-kvm, linux-raspi2, and vlc).

  • Why you can’t backdoor cryptography

    Once again the topic of backdooring cryptography is in the news. The same people will fight the same fight. Again. So far sanity has prevailed every time we do this, but that doesn’t mean anyone should sit this one out. Make sure you tell everyone to pay attention and care. Trustworthy cryptography is too important.

    Given the language used it sounds a lot like what’s really being discussed is having the ability to view chat apps, view emails, and unlock phones. All things with a consumer focus. They’ve lost this fight more times than we can count now, no doubt this direction change is an attempt to spread confusion.

    I also want to look at this from a slightly different angle this time. Generally we talk about how the technology behind a backdoor doesn’t work. That’s still true, but let’s pretend the technology could work. Maybe some grad student is finishing up a paper and next month we’ll hear about a new form of cryptography that can be backdoored without any technical problems. It actually can’t because people are the problem. This is like insisting we build a rocketship out of cardboard to go to the moon. Just no. But in this post, we’re going to pretend we have a technical solution. Put on your cardboard space helmet, it’s time to get real.

  • Manage your passwords with Bitwarden and Podman

    You might have encountered a few advertisements the past year trying to sell you a password manager. Some examples are LastPass, 1Password, or Dashlane. A password manager removes the burden of remembering the passwords for all your websites. No longer do you need to re-use passwords or use easy-to-remember passwords. Instead, you only need to remember one single password that can unlock all your other passwords for you.

    This can make you more secure by having one strong password instead of many weak passwords. You can also sync your passwords across devices if you have a cloud-based password manager like LastPass, 1Password, or Dashlane. Unfortunately, none of these products are open source. Luckily there are open source alternatives available.

Security Leftovers

Filed under
Security
  • Original Cult of the Dead Cow Members Keep it "Wacky, Weird, and Wild" to Celebrate Joseph Menn's Newest Book

    On June 18, the Internet Archive hosted a reading and panel discussion in celebration of Joseph Menn's new book Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World.

    As the evening's event began, an archived video of Cult of the Dead Cow (cDc) interviews from 1996 played silently on a wall-mounted TV, featuring some of the very same original members who would be a part of that evening's panel. In addition to the strong turnout at the Internet Archive itself, those unable to attend in person were able to watch the event livestreamed on the Internet Archive's Youtube channel. Guests enjoyed light refreshments and mingled before moving into the main auditorium to be welcomed by Internet Archive founder Brewster Kahle. After sharing a brief history of the Internet Archive's mission, Executive Director of the Electronic Frontier Foundation Cindy Cohn took the stage as MC for the evening.

    Cohn expressed the importance of remembering the "wacky, weird, and wild" history of Internet security, and acknowledged the cDc's contributions to improving the community before introducing Joseph Menn to the stage. Menn recounted the beginning of cDc and cybersecurity by highlighting notable hackers and their contributions throughout the years, including crediting the cDc with coining the term "hacktivism" by "using it at every interview they could at DEFCON to get it into the English language." Looking forward, he went on to express how "the rank-and-file in Silicon Valley now are the most important heirs of the cDc's tradition of critical moral thinking."

  • Security updates for Thursday

    Security updates have been issued by CentOS (java-1.7.0-openjdk, java-1.8.0-openjdk, and java-11-openjdk), Debian (exim4), Fedora (java-latest-openjdk), openSUSE (libsass, tomcat, and ucode-intel), Oracle (java-1.7.0-openjdk and thunderbird), SUSE (OpenEXR, spamassassin, and thunderbird), and Ubuntu (ansible and patch).

  • UTSA Launches Open Source Software To Protect Users On AWS

    The University of Texas at San Antonio (UTSA) has launched an open source user computer environment for Amazon Cloud called Galahad. UTSA is also working to expand its capabilities to support OpenStack software.

Security FUD

Filed under
Security
  • 1 Million+ ProFTPD Servers Vulnerable To Remote Code Execution Attacks [Ed: Nope. FOSSBytes now manages to make more misleading and dramatic headlines than even Bleeping Computer (which initially spread this misleading headline and then deleted it.)]
  • VideoLAN says VLC security flaw is fixed

    Update 7/24: VideoLAN took to Twitter earlier this morning to clarify that the security issue discovered by CERT-Bund is not as severe as reported.

  • You need to uninstall VLC player ASAP! (Updated) [Ed: They posted an update, but the headline has not been corrected. Deliberate FUD.]

    We’re not recommending uninstalling action just yet, because there’s a bit more to the story. The bug report for the issue has been open for four weeks, but VideoLAN president and lead VLC developer Jean-Baptiste Kempf left a series of comments today indicating that the alleged bug isn’t as big a deal as everyone is making it out to be. In three separate comments, he wrote: VideoLAN also took to Twitter to talk about the bug—or rather, the non-bug.

  • Alleged critical VLC flaw is nothing to worry about -- and is nothing to do with VLC [Ed: Some people did correct their articles or issued a standalone correction.]

    There has been a degree of confusion over the last few days after news spread of a supposed vulnerability in the media player VLC. Despite being labelled by security experts as "critical", VLC's developers, VideoLAN, denied there was a problem at all.

Security: Ransomware, GAO/IRS and VPN (Palo Alto Networks, Fortinet, and Pulse Secure)

Filed under
Security
  • After Blackouts, Johannesburg’s Power Company Hit by Ransomware

    The attack didn’t affect the grid but denied access to City Power’s website and online power purchases Thursday.

  • IRS missing basic IT security measures

    Eight of the 14 security shortfalls identified by the GAO relate to access management, while an additional four weaknesses pertain to configuration management. The final two shortfalls pertained to segregation of duties and a contingency plan deficiency.

  • VPN flaw enables [attackers] to easily infiltrate corporate network

    Researchers at Devcore claim to have discovered security flaws in three popular corporate VPNs that could enable attackers to steal confidential information from a company's network.

    The vulns affect three corporate virtual private networks (VPN) providers, namely, Palo Alto Networks, Fortinet, and Pulse Secure.

VLC FUD Galore (Misclassification of Bug and Threat)

Filed under
Movies
OSS
Security

Security Leftovers

Filed under
Security
  • EvilGnome: A New Backdoor Implant Spies On Linux Desktop Users

    EvilGnome malware masquerades itself as a legit GNOME extension, a program that lets Linux users extend the functionality of their desktops.

  • Security updates for Wednesday

    Security updates have been issued by Debian (kernel, linux-4.9, and neovim), Fedora (slurm), openSUSE (ImageMagick, libgcrypt, libsass, live555, mumble, neovim, and teeworlds), Oracle (java-1.7.0-openjdk, java-1.8.0-openjdk, and java-11-openjdk), Red Hat (java-1.7.0-openjdk), Scientific Linux (java-1.7.0-openjdk), SUSE (glibc and openexr), and Ubuntu (mysql-5.7 and patch).

  • why trust and honesty pays off – in the long run

    The backdoors placed in products "for the NSA" are just one example – now exploited not only by the NSA – but by many other parties as well – putting modern life 2.0 at risk of blackouts and collapses.

Cloud Files Encryption App Cryptomator 1.4.12 Adds Password Saving On Linux, Custom Mount Flags

Filed under
Software
Security

Cryptomator, a free and open source client-side encryption tool for cloud files, got an update today and with it, some new features like password saving on Linux, and custom mount flags.

Cryptomator is a Java tool to encrypt cloud storage files for services that don't support client-side encryption, which runs on Windows, Mac, Linux, iOS and Android. It works with cloud storage services that synchronize with a local directory, like Dropbox or Google Drive (including using it with Insync).

Security: Updates, VLC FUD and LinuxSecurity Turning 20

Filed under
Security
  • Security updates for Tuesday

    Security updates have been issued by Debian (libsdl2-image and libxslt), Oracle (java-1.8.0-openjdk and java-11-openjdk), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), SUSE (bzip2, microcode_ctl, and ucode-intel), and Ubuntu (clamav, evince, linux-hwe, linux-gcp, linux-snapdragon, and squid3).

  • Dodgy vids can hijack PCs via VLC security flaw, US, Germany warn. Software's makers not app-y with that claim

    In a bug-tracking ticket discussing CVE-2019-13615, VideoLAN lead developer Jean-Baptiste Kempf noted that he was unable to recreate the crash using a proof-of-concept .MP4 video, provided by a security researcher four weeks ago, that's supposed to knacker the latest version of VLC, 3.0.7.1. Nor was he able to crash the older 3.0.6 and work-in-progress releases, such as 3.0.8, he reported.

    "This does not crash a normal release of VLC 3.0.7.1," added Kempf. "Sorry, but this bug is not reproducible and does not crash VLC at all."

    VLC developer Francois Cartegnie was more blunt earlier today: "If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you to read the above comment first and reconsider your (fake) news sources."

  • Our Linux Sister Linuxsecurity.com are Celebrating their 20th Anniversary by Launching a New Website

    LinuxSecurity.com is the community’s central source for information on Linux and open source security. They follow the open source trends as they affect the community. They also produce content that appeals to administrators, developers, home users, and security professionals.

    Having created a site that satisfies the needs of both IT professionals – including engineers, programmers, designers and system administrators – and those individuals seeking to learn more about security and open source, LinuxSecurity.com has grown to encompass not only their website but also two leading industry email newsletters, Linux Security Newsletter and Security Advisories Weekly.