Language Selection

English French German Italian Portuguese Spanish

Security

Security: Patches, Nostromo, PureBoot and Microsoft's Latest DRM Lock-down (Locking GNU/Linux Out for 'Security')

Filed under
Security
  • Security updates for Monday

    Security updates have been issued by Debian (aspell, graphite-web, imagemagick, mediawiki, milkytracker, nfs-utils, and openjdk-11), Fedora (kernel, kernel-headers, kernel-tools, mediawiki, and radare2), openSUSE (dhcp, libpcap, lighttpd, and tcpdump), Scientific Linux (java-1.8.0-openjdk), Slackware (python), SUSE (bluez, kernel, and python-xdg), and Ubuntu (aspell).

  • Nostromo web servers exposed by resurrected RCE vulnerability

    A security researcher has disclosed the existence of a remote code execution (RCE) vulnerability in the open source Nostromo web server software.

    On Monday, a threat analyst and bounty hunter with the online handle Sudoka published a technical analysis of the bug, tracked as CVE-2019-16278.

    The vulnerability impacts Nostromo, also known as nhttpd, a niche web server used by some in the Unix and open source community but altogether dwarfed in popularity by Apache.

    In a blog post, Sudoka said the vulnerability stems from shortcomings in how the path of URLs are verified. Inadequate URL checks mean that an unauthenticated attackers is able to force a server to point to a shell file, resulting in the potential execution of arbitrary code.

  • PureBoot Best Practices

    Recently we started offering the PureBoot Bundle–PureBoot installed and configured on your laptop at the factory and bundled with a pre-configured Librem Key so you can detect tampering from the moment you unbox your laptop. It’s been great to see so many customers select the PureBoot Bundle and now that PureBoot is on so many more customer laptops, we felt it was a good time to write up a post to describe some best practices when using PureBoot.

    If you are just getting started with PureBoot and want to know the basics, check out our Getting Started Guide for pointers on what to do when you start up your PureBoot Bundle for the first time. In this post I’ll assume you have already gone through the first boot and first reboot of your laptop and have settled into daily use.

  •                

  • Secured-core PCs offer new defense against firmware attacks

                     

                       

    Microsoft, chipmakers, and several PC makers on Monday announced Secured-core PCs, which use hardware-based defense mechanisms to combat firmware-level security attacks.

  •                

  • Microsoft's New Plan to Defend the Code Deep Within PCs

                     

                       

    The idea of secured-core PC is to take firmware out of that equation, eliminating it as a link in the chain that determines what's trustworthy on a system. Instead of relying on firmware, Microsoft has worked with AMD, Intel, and Qualcomm to make new central processing unit chips that can run integrity checks during boot in a controlled, cryptographically verified way. Only the chip manufacturers will hold the encryption keys to broker these checks, and they're burned onto the CPUs during manufacturing rather than interacting with the firmware's amorphous, often unreliable code layer.

  •              
                 

Security Leftovers

Filed under
Security
  • 6 top OSINT tools: Find sensitive public info before hackers do

    The same OSINT tactics used for spycraft can now be applied to cybersecurity. Most organizations have vast, public-facing infrastructures that span many networks, technologies, hosting services and namespaces. Information can be stored on employee desktops, in legacy on-prem servers, with employee-owned BYOD devices, in the cloud, embedded inside devices like webcams, or even hidden in the source code of active apps and programs.

  • 3 steps toward improving container security

    As developers increasingly make use of containers, securing them becomes more and more important. Gartner has named container security one of its top 10 concerns for this year in this report, which isn’t surprising given their popularity in producing lightweight and reusable code and lowering app dev costs.

    In this article, I’ll look at the three basic steps involved in container security: securing the build environment, securing the underlying container hosts, and securing the actual content that runs inside each container. To be successful at mastering container security means paying attention to all three of these elements.

    If you step back a moment, container security isn’t all that different from ordinary application security. If you replace the appropriate words in the above paragraph, you could have written this post 10, 20, or even 30 years ago with a few other modifications. But containers do have a few oddities and new twists that are worth highlighting. To get started, I suggest you listen to the recorded talk by Red Hat’s Dan Walsh about general container security considerations.

  • Good guy, Microsoft: Multi-factor auth outage gives cloudy Office, Azure users a surprise three-day weekend

    Microsoft is battling to fix its knackered multi-factor authentication system that today blocked customers from logging into their Microsoft 365 and Azure services.

    The Redmond giant confirmed on Friday an unspecified glitch prevented customers in North America from receiving the multi-factor auth (MFA) codes they need to sign into their cloud-based accounts. Obviously, those not using MFA are not affected.

    Though Azure and Microsoft 365 MFA users initially were locked out, by mid-day US Pacific Time, Azure was said to be working again, leaving 365 subscribers trying to log in high and dry.

    "We've taken multiple actions to mitigate impact and are working to validate service restoration," Microsoft told Microsoft 365 aka Office 365 customers. "In parallel, we're continuing to review system logs and service telemetry to better understand the underlying root cause."

  • Update Warning Issued For Millions Of Microsoft Windows 10 Users

    At this stage, it isn’t clear what is the cause with users citing BSOD failures with cldflt.sys, Affinity applications and more but all have found that uninstalling KB4517389 fixes the problem, which pins the source squarely on this already troubled update. Needless to say, the problem with a BSOD bug is you may not be lucky enough to get back to your desktop to do this.

    If you are, then navigate to Control Panel > Programs > Programs and Features > Installed updates > KB4517389 > Uninstall

    KB4517389 has already rolled out to millions of users but for hundreds of millions who have not received it yet, use Microsoft’s Show or Hide updates tool to block it from installing on your PC.

Security: Red Teaming, Zero-day Vulnerabilities and Trump Campaign Website

Filed under
Security
  • Best open-source tools for Red Teaming

    A good starting point for building a Red Team toolkit is downloading and installing Kali Linux, as many of the tools mentioned here are included in the default distribution. From there, additional tools can be acquired and added to address specific use cases. When building a toolkit, it’s important not to focus on the network side of the assessment to the exclusion of the physical aspects. A Red Team is also likely expected to try physical attack vectors against the customer’s security and needs to have the appropriate tools for that part of the work as well.

  • What is a zero-day vulnerability?

    Chances are pretty good you've heard the term zero-day vulnerability. The term conjures up images of post-apocalyptic landscapes, where technology has either hit a singularity-level madness, or has reverted back to the days of CRT monitors and green screens. Max Headroom has returned and sand is the new currency.

    Or not.

    Truth be told, zero day is not even remotely as ominous. It is, however, quite serious. In fact, of all the known vulnerabilities, zero day can often pose the most risk. Why? The reason is in the very definition.

  • Trump Campaign Website Left Open to Email Server Hijack

    “The problem is that many developers fail to disable the debug mode after going live, exposing back-end website details like database locations, passwords, secret keys and other sensitive info,” they said.

Security: WireGuard, Birds and Updates

Filed under
Security
  • WireGuard Restored In Android's Google Play Store After Brief But Controversial Removal

    After Google dropped the open-source WireGuard app from their Play Store since it contained a donation link, the app has now been restored within Google's software store for Android users but without the donation option.

    The WireGuard app for Android makes it easy to setup the secure VPN tunnel software on mobile devices, similar to its port to iOS and other platforms. The WireGuard apps are free but have included a donation link to the WireGuard website should anyone wish to optionally make a donation to support the development of this very promising network tech.

  • Letting Birds scooters fly free

    At that point I had everything I need to write a simple app to unlock the scooters, and it worked! For about 2 minutes, at which point the network would notice that the scooter was unlocked when it should be locked and sent a lock command to force disable the scooter again. Ah well.

    So, what else could I do? The next thing I tried was just modifying some STM firmware and flashing it onto a board. It still booted, indicating that there was no sort of verified boot process. Remember what I mentioned about the throttle being hooked through the STM32's analogue to digital converters[3]? A bit of hacking later and I had a board that would appear to work normally, but about a minute after starting the ride would cut the throttle. Alternative options are left as an exercise for the reader.

    Finally, there was the component I hadn't really looked at yet. The Quectel modem actually contains its own application processor that runs Linux, making it significantly more powerful than any of the chips actually running the scooter application[4]. The STM communicates with the modem over serial, sending it an AT command asking it to make an SSL connection to a remote endpoint. It then uses further AT commands to send data over this SSL connection, allowing it to talk to the internet without having any sort of IP stack. Figuring out just what was going over this connection was made slightly difficult by virtue of all the debug functionality having been ripped out of the STM's firmware, so in the end I took a more brute force approach - I identified the address of the function that sends data to the modem, hooked up OpenOCD to the SWD pins on the STM, ran OpenOCD's gdb stub, attached gdb, set a breakpoint for that function and then dumped the arguments being passed to that function. A couple of minutes later and I had a full transaction between the scooter and the remote.

    The scooter authenticates against the remote endpoint by sending its serial number and IMEI. You need to send both, but the IMEI didn't seem to need to be associated with the serial number at all. New connections seemed to take precedence over existing connections, so it would be simple to just pretend to be every scooter and hijack all the connections, resulting in scooter unlock commands being sent to you rather than to the scooter or allowing someone to send fake GPS data and make it impossible for users to find scooters.

  • Security updates for Friday

    Security updates have been issued by Debian (poppler, sudo, and wordpress), Oracle (java-1.8.0-openjdk), Red Hat (java-1.8.0-openjdk), Scientific Linux (java-1.8.0-openjdk, java-11-openjdk, and kernel), and SUSE (kernel and postgresql10).

Can Linux improve ATM security?

Filed under
Linux
Security

While ATM security is not necessarily "life critical" as with many other industries (think transportation, medical and some industrial applications) there are certainly financial and identity theft risks associated with these devices.

Plenty of info is available on the web regarding various ATM attack vectors, estimated number of annual hacks and the cost to the industry. The question we will ponder here is very specific: Would replacing the Windows operating system in an ATM with a Linux-based one improve security? Most experts believe the answer is yes.

Today's ATM looks much like a personal computer on your desk. It runs the world's most popular desktop operating system — Windows —on the world's most popular hardware: Intel motherboards.

But therein lies part of the problem. Being "most popular" means there are few barriers to keeping the bad guys from simulating the internals of a typical ATM. This fact alone makes Windows more prone to attack than alternatives.

Read more

Security: Linux, Docker and Guix

Filed under
Security
  • Unpatched Linux bug may open devices to serious attacks over Wi-Fi

    The flaw is located in the RTLWIFI driver, which is used to support Realtek Wi-Fi chips in Linux devices. The vulnerability triggers a buffer overflow in the Linux kernel when a machine with a Realtek Wi-Fi chip is within radio range of a malicious device. At a minimum, exploits would cause an operating-system crash and could possibly allow a hacker to gain complete control of the computer. The flaw dates back to version 3.10.1 of the Linux kernel released in 2013.

  • Docker Attack Worm Mines for Monero
  • Insecure permissions on profile directory (CVE-2019-18192)

    We have become aware of a security issue for Guix on multi-user systems that we have just fixed (CVE-2019-18192). Anyone running Guix on a multi-user system is encouraged to upgrade guix-daemon—see below for instructions.

    Context

    The default user profile, ~/.guix-profile, points to /var/guix/profiles/per-user/$USER. Until now, /var/guix/profiles/per-user was world-writable, allowing the guix command to create the $USER sub-directory.

    On a multi-user system, this allowed a malicious user to create and populate that $USER sub-directory for another user that had not yet logged in. Since /var/…/$USER is in $PATH, the target user could end up running attacker-provided code. See the bug report for more information.

    This issue was initially reported by Michael Orlitzky for Nix (CVE-2019-17365).

Canonical Outs Linux Kernel Security Update for Ubuntu 19.04 to Patch 9 Flaws

Filed under
Linux
Security
Ubuntu

The new security update for Ubuntu 19.04 is here to patch a total of seven security flaws affecting the Linux 5.0 kernel used by the operating system, including an issue (CVE-2019-15902) discovered by Brad Spengler which could allow a local attacker to expose sensitive information as a Spectre mitigation was improperly implemented in the ptrace susbsystem.

It also fixes several flaws (CVE-2019-14814, CVE-2019-14815, CVE-2019-14816) discovered by Wen Huang in the Marvell Wi-Fi device driver, which could allow local attacker to cause a denial of service or execute arbitrary code, as well as a flaw (CVE-2019-15504) discovered by Hui Peng and Mathias Payer in the 91x Wi-Fi driver, allowing a physically proximate attacker to crash the system.

Read more

Purism Partners with Halo Privacy to Bring Extra Security to Its Linux Devices

Filed under
Linux
Security

Purism is already known for providing top notch security and privacy for its Linux laptops and phones, but with the new partnership with Halo Privacy, the company wants to bring strong cryptography and custom managed attribution techniques to secure communications from direct attacks.

These new, unique security stack provided by Halo Privacy works together with Purism's state-of-the-art security implementations for its Linux devices, including the Librem Key USB security token with tamper detection and PureBoot secure UEFI replacement, to cryptographically guarantee signing of the lowest level of firmware and user's privacy.

Read more

Security Leftovers

Filed under
Security
  • Security updates for Wednesday

    Security updates have been issued by Debian (apache2 and unbound), Fedora (opendmarc, runc, and sudo), openSUSE (epiphany, GraphicsMagick, and libopenmpt), Oracle (kernel and sudo), Red Hat (java-1.8.0-openjdk, jss, kernel, kernel-rt, and kpatch-patch), SUSE (crowbar-core, crowbar-openstack, grafana, novnc, openstack-keystone, openstack-neutron, openstack-neutron-lbaas, openstack-nova, openstack-tempest, python-pysaml2, python-urllib3, rubygem-chef, rubygem-easy_diff, sleshammer, libpcap, sudo, and tcpdump), and Ubuntu (aspell and libsdl1.2).

  • Cybersecurity Awareness Month: Increasing our self-awareness so we can improve security

    October has been National Cybersecurity Awareness Month since 2004. According to staysafeonline.org, this initiative was started by the National Cybersecurity Alliance and the US Department of Homeland Security to help all Americans stay safe and secure when online. This month is usually marked with a significant uptick in cybersecurity outreach and training. It’s also the one month of the year when you can get a significant amount of cybersecurity swag such as webcam covers, mugs, and pens. This event has an outward focus to raise awareness of security globally,

    Many other events have come into existence along with this. For example, there are numerous electronics recycling events that now occur in October where people can securely dispose of their old computers. Some municipalities have extended this to include safe disposal of old prescription medications, paints, and other hazardous materials.

    Recent events in the greater technology community, specifically the resignation of Richard Stallman from both MIT and the Free Software Foundation, have become character foils that show us that while we have come a long way, we still have a long way ahead of us to improve.

  • Michael Tremer/IPFire: On quadrupling throughput of our Quality of Service

    There have been improvements to our Quality of Service (or QoS) which have made me very excited.

    Our QoS sometimes was a bottleneck. Enabling it could cut your bandwidth in half if you were unlucky. That normally was not a problem for larger users of IPFire, because if you are running a 1 Gigabit/s connection, you would not need any QoS in the first place, or your hardware was fast enough to handle the extra load.

    For the smaller users this was, however, becoming more and more of a problem. Smaller systems like the IPFire Mini Appliance are designed to be small (the clue is in the name) and to be very energy-efficient. And they are. They are popular with users with a standard DSL connection of up to 100 Megabit/s which is very common in Germany. You have nothing to worry about here. But if you are lucky to have a faster Internet connection, then this hardware and others that we have sold before might be running out of steam. There is only so much you can get out of them.

  • The City Of Baltimore Blew Off A $76,000 Ransomware Demand Only To Find Out A Bunch Of Its Data Had Never Been Backed Up [Ed: Windows]

    The City of Baltimore was hit with a ransomware attack in May of this year. Criminals using remodeled and rebranded NSA exploits (EternalBlue) knocked out a "majority" of the city's servers and crippled many of its applications. More details didn't surface until September when the city's government began reshuffling the budget to cover the expenses of recovering from the attack.

Google: Replacing Google Chrome, AMP and Titan Security Keys

Filed under
Google
Security
Web
  • The top 5 alternatives to Google Chrome

    Google Chrome is the most popular web browser on the market. It provides a user-friendly, easy-to-use interface, with a simple appearance featuring a combined address and search bar with a small space for extensions.

    Chrome also offers excellent interconnectivity on different devices and easy syncing that means that once a user installs the browser on different devices, all their settings, bookmarks and search history come along with it. Virtually all a user does on Google chrome is backed up to Google Cloud.

    Chrome also offers easy connectivity to other Google products, such as Docs, Drive, and YouTube via an “Apps” menu on the bookmarks bar, located just below the address/search bar. Google Translate, one of the best translation applications currently available on the internet, is also included.

  • Google unplugs AMP, hooks it into OpenJS Foundation after critics turn up the volume [Ed: Microsoft Tim on Google passing a bunch of EEE to a foundation headed by a Microsoft ‘mole’, 'open'JS ]

    AMP – which originally stood for Accelerated Mobile Pages though not any more – was launched in 2015, ostensibly to speed up page loading on smartphones. The technology includes AMP HTML, which is a set of performance-optimized web components, and the AMP Cache, which serves validated AMP pages. Most AMP pages are served by Google’s AMP Cache.

  • Google USB-C Titan Security Keys Begin Shipping Tomorrow

    Google announced their new USB-C Titan Security Key will begin shipping tomorrow for offering two-factor authentication support with not only Android devices but all the major operating systems as well.

    The USB-C Titan Security Key is being manufactured by well known 2FA key provider Yubico. This new security key is using the same chip and firmware currently used by Google's existing USB-A/NFC and Bluetooth/NFC/USB Titan Security Key models.

Syndicate content

More in Tux Machines

Fedora, Red Hat and IBM Leftovers

  • Feora: How to setup an anonymous FTP download server

    Sometimes you may not need to set up a full FTP server with authenticated users with upload and download privileges. If you are simply looking for a quick way to allow users to grab a few files, an anonymous FTP server can fit the bill. This article shows you show to set it up.

  • Kubernetes networking, OpenStack Train, and more industry trends

    As part of my role as a senior product marketing manager at an enterprise software company with an open source development model, I publish a regular update about open source community, market, and industry trends for product marketers, managers, and other influencers. Here are five of my and their favorite articles from that update.

  • How collaboration fueled a development breakthrough at Greenpeace

    We'd managed to launch a prototype of Planet 4, Greenpeace's new, open engagement platform for activists and communities. It's live in more than 38 countries (with many more sites). More than 1.75 million people are using it. We've topped more than 3.1 million pageviews. To get here, we spent more than 650 hours in meetings, drank 1,478 litres of coffee, and fixed more than 300 bugs. But it fell short of our vision; it still wasn't the minimum lovable product we wanted and we didn't know how to move it forward. We were stuck. Planet 4's complexity was daunting. We didn't always have the right people to address the numerous challenges the project raised. We didn't know if we'd ever realize our vision. Yet a commitment to openness had gotten us here, and I knew a commitment to openness would get us through this, too.

  • After Seven Quarters Of Growth, Power Systems Declines

    The tough compares have hit home on IBM’s Power Systems business, but the good news is that this has happened after seven consecutive quarters of growth for the Power-based server business that Big Blue owns lock, stock, and barrel. Even with this decline, which was quite steep because of the triple whammy of tough compares (more on that in a moment), there is still a healthy underlying Power Systems business that is much better off than the last time it was hit by similar declines. Let’s take a look at the numbers for IBM’s Power Systems division and then work our way up through its Systems group and to the company at large. According to the presentation put together by IBM’s chief financial officer, Jim Cavanaugh, to go over the numbers for the third quarter of 2019, the Power Systems division had a decline of 27 percent in constant currency (meaning growth in local currencies aggregated across those economies), with as-reported sales also being down 27 percent. In other words, currency had no effect on the overall Power Systems business even if it did impact IBM’s sales, as reported in U.S. dollars, by 1.3 percent in the period ended in September.

  • Red Hat Government Symposium: Transforming culture and creating open innovation powerhouses

    For state, local and federal government agencies, digital transformation means much more than just migrating away from legacy technology systems. It involves inspiring ideas, encouraging communication and collaboration, and empowering government employees to forge their organizations’ innovation pathways.  That’s why we are focusing on cultural transformation at our upcoming Red Hat Government Symposium. This year’s one-day event—Open transforms: A future built on open source—will be on Nov. 12, 2019, in Washington, D.C., and will feature a stellar lineup of keynotes and panels, as well as fantastic networking opportunities with industry peers.  

  • Journey to the Future of Money with Red Hat at Money 20/20

    Event season is in full swing for the Red Hat Financial services team, and this time, we are headed to the bright lights of Las Vegas to attend Money 20/20 USA, being held from October 27 - 30th. Red Hat will be attending to sponsor a number of activities and discuss the important role open source technologies play in the future of payments, money and banking activities. 

SUSE Leftovers

  • Digital Transformation – it’s dead, Jim?

    However, digital transformation is like life – it’s an ongoing process, not something you just do once and then it’s done and dusted. A large part of digital transformation is your cloud strategy, which I wrote about fairly recently. That is also something that isn’t a one-off task, but is instead an evolving, transformational process. It was interesting to see, after speaking to attendees at the Gartner event in Frankfurt, that a number of them still hadn’t defined their cloud strategy outside of “we need to move everything to the cloud for cost savings and agility”, while some hadn’t even begun writing a cloud strategy. Looking at a chart showing the trends in Google searches for digital transformation in the US (the global trend is the same) over the past 5 years, you can see that while it trends up and then down fairly regularly, it still continues to grow on the whole. So if it’s been around for a while, why does it continue to grow, and is it still relevant?

  • New Security Tools for Application Delivery

    What if you could shut down cybercriminals’ most frequently used method of attack? At SUSE we’ve recently made a move to help you get closer to that goal. As you may know, SUSE recently released new versions of our application delivery solutions, SUSE CaaS Platform 4 and SUSE Cloud Application Platform 1.5. The releases contain a number of important updates and features, but the one most exciting in terms of protecting your organization is the addition of Cilium to SUSE CaaS Platform.

Security: Patches, Nostromo, PureBoot and Microsoft's Latest DRM Lock-down (Locking GNU/Linux Out for 'Security')

  • Security updates for Monday

    Security updates have been issued by Debian (aspell, graphite-web, imagemagick, mediawiki, milkytracker, nfs-utils, and openjdk-11), Fedora (kernel, kernel-headers, kernel-tools, mediawiki, and radare2), openSUSE (dhcp, libpcap, lighttpd, and tcpdump), Scientific Linux (java-1.8.0-openjdk), Slackware (python), SUSE (bluez, kernel, and python-xdg), and Ubuntu (aspell).

  • Nostromo web servers exposed by resurrected RCE vulnerability

    A security researcher has disclosed the existence of a remote code execution (RCE) vulnerability in the open source Nostromo web server software. On Monday, a threat analyst and bounty hunter with the online handle Sudoka published a technical analysis of the bug, tracked as CVE-2019-16278. The vulnerability impacts Nostromo, also known as nhttpd, a niche web server used by some in the Unix and open source community but altogether dwarfed in popularity by Apache. In a blog post, Sudoka said the vulnerability stems from shortcomings in how the path of URLs are verified. Inadequate URL checks mean that an unauthenticated attackers is able to force a server to point to a shell file, resulting in the potential execution of arbitrary code.

  • PureBoot Best Practices

    Recently we started offering the PureBoot Bundle–PureBoot installed and configured on your laptop at the factory and bundled with a pre-configured Librem Key so you can detect tampering from the moment you unbox your laptop. It’s been great to see so many customers select the PureBoot Bundle and now that PureBoot is on so many more customer laptops, we felt it was a good time to write up a post to describe some best practices when using PureBoot. If you are just getting started with PureBoot and want to know the basics, check out our Getting Started Guide for pointers on what to do when you start up your PureBoot Bundle for the first time. In this post I’ll assume you have already gone through the first boot and first reboot of your laptop and have settled into daily use.

  •                
  • Secured-core PCs offer new defense against firmware attacks
                     
                       

    Microsoft, chipmakers, and several PC makers on Monday announced Secured-core PCs, which use hardware-based defense mechanisms to combat firmware-level security attacks.

  •                
  • Microsoft's New Plan to Defend the Code Deep Within PCs
                     
                       

    The idea of secured-core PC is to take firmware out of that equation, eliminating it as a link in the chain that determines what's trustworthy on a system. Instead of relying on firmware, Microsoft has worked with AMD, Intel, and Qualcomm to make new central processing unit chips that can run integrity checks during boot in a controlled, cryptographically verified way. Only the chip manufacturers will hold the encryption keys to broker these checks, and they're burned onto the CPUs during manufacturing rather than interacting with the firmware's amorphous, often unreliable code layer.

  •                            

Games: Remote Play Together, OpenRA, The Coma 2, Humble Store and Shiver

  • Steam 'Remote Play Together' is now in Beta, allowing local multiplayer games over the net

    Today, Valve have released an exciting update to the Steam Beta Client which adds in Remote Play Together, allowing you to play local co-op, local multiplayer and shared/split screen games over the net with your friends. From what Valve said, it will allow up to four players "or even more in ideal conditions", meaning if you all have reasonable internet connections you might be able to play with quite a few people. Something that has of course been done elsewhere, although the advantage here is no extra payments or software needed as it runs right from the Steam client. It's very simply done too. Just like you would invite friends to join your online game, you invite them to Remote Play Together from the Steam Friends list and if they accept…away you go. Only the host needs to own the game too, making it easy to get going.

  • Another OpenRA preview build is up needing testing, Tiberian Sun support is coming along

    Work continues on the open source game engine OpenRA which allows you to play Command & Conquer, Red Alert and Dune 2000 on Linux and other modern platforms with support for Tiberian Sun progressing well. [...] One issue they've been dealing with is deployable units in Tiberian Sun, while OpenRA had basic support for the feature due to the Construction Yards in classic C&C it wasn't suitable for Tiberian Sun. Now though? They've overhauled it and expanded it. You can now queue up deploy commands between other orders, deployable units can be ordered to pack up and then move somewhere else as a single action too. Additionally, the code for aircraft and helicopter movement has also been given an overhaul to add in many of the extra features and dynamics needed for Banshees, Orcas, and Carryalls. The transport behaviour for the Carryall was also updated, with unit pick-up behaviour closer to the original game and allowing you to queue up multiple transport runs.

  • Devespresso Games join with Headup for Western release of The Coma 2: Vicious Sisters

    The Korean survival horror-adventure The Coma 2: Vicious Sisters from Devespresso Games is now getting a helping hand from publisher Headup for Western audiences. Also confirmed through the press emails is that The Coma 2 will be entering Steam Early Access on November 5th, with a full release expected in "Q1 2020".

  • Humble Store is doing a Female Protagonist Sale, plus the upcoming Steam sale dates leaked

    The week has only just begun and there's plenty of sales going on, with even more coming up. Let's have a little look. First up, Humble Store is doing a Female Protagonist Sale celebrating various heroines across multiple genres.

  • Kowai Sugoi Studios close up so they've made their point & click horror 'Shiver' free

    Times are tough for indies, with Kowai Sugoi Studios announcing they're closing up shop and so they've set their point and click horror title Shiver free for everyone. Kowai Sugoi Studios said in a blog post on the official site that this month they're shutting down, no reason for it was given but they gave their "sincere appreciation to our friends, family, and fans" for supporting them along the way. Shiver seems to be their only game, released originally back in 2017.