Difference between revisions of "Security"
Latest revision as of 01:15, 31 July 2020
These few paragraphs from Bastiat's The Law are a good introduction to personal security: What, then, is law? It is the collective organization of the individual right to lawful defence.
Each of us has a natural right — from God — to defend his person, his liberty, and his property. These are the three basic requirements of life, and the preservation of any one of them is completely dependent upon the preservation of the other two. For what are our faculties but the extension of our individuality? And what is property but an extension of our faculties?
If every person has the right to defend — even by force — his person, his liberty, and his property, then it follows that a group of men have the right to organize and support a common force to protect these rights constantly. Thus the principle of collective right — its reason for existing, its lawfulness — is based on individual right. And the common force that protects this collective right cannot logically have any other purpose or any other mission than that for which it acts as a substitute. Thus, since an individual cannot lawfully use force against the person, liberty, or property of another individual, then the common force — for the same reason — cannot lawfully be used to destroy the person, liberty, or property of individuals or groups.
The assurance of physical security can be provided to members of a social mechanism in the same way as other aspects of the common vision are achieved: using a trust-group-based assurance system, which avoids the need for a centralised institution. Members act together as a group, in alignment with the common vision, to ensure that fundamental shared values are maintained, such as protecting members against harm and preventing them from harming others.
Informational security
Another important aspect of security is the assurance that our data is both private and distributed. A huge number of people around the world are now realising the need to work together in alignment with the common vision, and realise that to do this we need full control over our information in our own hands while at the same time taking advantage of distributed storage. The only way to really achieve this is peer-to-peer networks. The so-called "cloud" services offered by centralised corporations are unable to offer true security or privacy.
Second Realm statement on Security
Security starts with keeping the peace. While this might sound obvious, it is nevertheless often forgotten. Keeping the peace means that one is active in not starting trouble and in staying out of harm's way before a conflict can start or escalate. We must refrain from provoking others to attack us by the behavior we display. It starts with not employing violence ourselves unless it happens in self-defense, not defrauding others, not breaking agreements, not bragging and challenging. Quietness, integrity and honesty combined with confidence reduce the risk of conflict greatly.
Security news
- 2020-07-30: BootHole UEFI hack via GRUB2 buffer overrun
- 2020-06-20: The Internet’s New Arms Dealers: Malicious Domain Registrars
- 2020-04-22: Voice assistants hacked via ultrasonic waves
- 2020-04-15: 500K Zoom accounts being sold on the darkweb
- 2020-03-06: Flatpak - a security nightmare
- 2020-01-31: Kraken identifies critical flaw in Trezor hardware wallets
- 2019-12-09: Wireguard to be shipped in Linux kernel 5.6 in 2020
- 2019-12-04: Two malicious Python libraries caught stealing SSH and GPG keys - one library was available for only two days, but the second was live for nearly a year
- 2019-09-07: Skype, Slack, other Electron-based apps can be easily backdoored
- 2019-01-22: Remote Code Execution in apt/apt-get
- 2019-01-17: The 773 Million Record "Collection #1" Data Breach
- 2018-11-26: Event-stream js library hacked by new "maintainer"
- 2018-11-15: Hackers say they've collected months of passwords and decrypted emails from ProtonMail
- 2018-11-05: Now Samsung and Crucial doing "security" - their SSD drive locking is little more than a marketing gimmick :-(
- 2018-11-05: More Microsoft "security" this time with BitLocker
- 2018-10-26: Trivial Bug in X.Org Gives Root Permission on Linux and BSD Systems - fixed in Debian with Xorg-2:1.19.2-1+deb9u4 and Ubuntu/Mint with Xorg-2:1.19.6-1ubuntu4.2
- 2018-10-06: Bloomberg not backing down, adding more fuel, Supermicro stock down 53%
- 2018-10-04: The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies - see also this thread about it; Supermicro, Apple and Amazon all deny it
- 2018-05-14: Werner Koch from gnupg.org responds to recent PGP exploit news
- 2018-02-14: Vulnerability in desktop version of Telegram using right-to-left character in filenames
- 2018-01-03: Meltdown and Spectre, two new kernel side-channel attacks - more detail here; a paper from 1995 already explained that instruction prefetching would cause this!
- 2017-10-16: Practically all wifi is insecure due to an exploit in WPA2 called KRACK - details about KRACK here
- 2017-05-01: Intel patches remote hijacking vulnerability that lurked in chips for 7 years - flaw in remote management feature gives attackers a way to breach networks
- 2017-02-25: How used cars became a security nightmare
- 2017-02-23: Announcing the first SHA-1 collision
- 2017-02-11: A rash of invisible, fileless malware is infecting banks around the globe
- 2016-11-17: PoisonTap - $5 Pi-based hacking device (see also our local PoisonTap solution)
- 2016-09-25: IoT devices being used for massive DDoS attacks
- 2016-08-25: Keystroke Recognition Using WiFi Signals
- 2016-01-16: Client-side bug found in OpenSSH that exposes private keys
- 2015-02-26: Tails Linux adds a bitcoin wallet
- 2014-10-27: Researcher Discovers Tor Is Vulnerable To Malware Binaries Inserted By Exit Nodes
- 2014-10-15: POODLE - a fatal security flaw found in SSL 3.0
- 2013-12-31: Your USB cable, the spy: Inside the NSA’s catalog of surveillance magic - latest batch of documents from Snowden shows NSA's power to pwn
- 2013-12-31: Sorry for letting them snoop? Dell apologizes for ‘inconvenience’ caused by NSA backdoor
- 2013-12-20: Major computer security firm RSA took $10 mln from NSA to weaken encryption
- 2013-12-11: “We cannot trust” Intel and Via’s chip-based crypto, FreeBSD developers say - following NSA leaks from Snowden, engineers lose faith in hardware randomness
- 2013-08-04: Freedom Hosting Taken Down, Founder Arrested, Users fed Javascript Exploits
- 2013-07-27: New Zealanders protest national security bill
- 2013-06-25: SSL: Intercepted today, decrypted tomorrow - see also the Perfect Forward Secrecy setup in Install a new server
- 2012-12-09: Congressman calls for ban on 3D printed guns
- 2012-11-20: Quantum cryptography done on standard broadband fibre
- 2012-10-03: The Keccak sponge function family - NIST selects Keccak for SHA-3
- 2012-08-05: If You See This Google Warning, Act Fast: Big Brother is Watching
- 2012-08-03: Yes, I was hacked. Hard. - iCloud hack
- 2012-07-30: Attack against Microsoft scheme puts hundreds of crypto apps at risk
- 2012-06-25: Scientists crack RSA SecurID 800 tokens, steal cryptographic keys - in under 15 minutes
See also
- Privacy
- SSL
- SSH
- The social mechanism
- Governance
- Introduction To Capability Based Security
- Your Cellphone is Covered in Spiders - Pragmatic Android Security - by Cooper Quintin
- Random numbers, Encryption and Hashing
- Myths about urandom
- MovementMetric - authentication mechanism using simple body movements such as winking
- The story of AES done with stick-figures :-)
- Prime Number Hide-and-Seek: How the RSA Cipher Works
- Investigating Compromised Servers - article by the Rackspace community
- CACert on secret cells compromising security within organisations
- There are Many Problems With Mobile Privacy but the Presidential Alert Isn’t One of Them
- Should we change our RSA keys to ed25519?
- HTTP Security Headers - A Complete Guide
- All about Linux namespaces
- Discussion about the meaning of 128 bits in various contexts
- Discussion on isolating applications in desktop environments on Linux and Android - scroll down to SokPuppette's comments