Tux Machines

Security and Windows TCO Leftovers

Posted by Roy Schestowitz on May 28, 2024


Data Swamp ☛ Improve your SSH agent security

=> ↺ Improve your SSH agent security

If you are using SSH quite often, it is likely you use an SSH agent which stores your private key in memory so you do not have to type your password every time.
This method is convenient, but it comes at the expense of your SSH key use security: anyone able to use your session while the agent holds the key unlocked can use your SSH key. This scenario is most likely to happen when using a compromised build script.
However, it is possible to harden this process at a small expense of convenience: make your SSH agent ask for confirmation every time the key has to be used.
The tooling provided with OpenSSH comes with a simple SSH agent named ssh-agent. On OpenBSD, the agent is automatically started and asks to unlock your key upon graphical login if it finds an SSH key in the default path (like ~/.ssh/id_rsa).

LWN ☛ Security updates for Monday

=> ↺ Security updates for Monday

Security updates have been issued by Debian (apache2, bluez, chromium, fossil, libreoffice, python-pymysql, redmine, and ruby-rack), Fedora (buildah, crosswords, dotnet7.0, glycin-loaders, gnome-tour, helix, helvum, libipuz, loupe, maturin, mingw-libxml2, ntpd-rs, perl-Email-MIME, and a huge list of Rust-based packages due to a "mini-mass-rebuild" that updated the toolchain to Rust 1.78 and picked up fixes for various pieces), Mageia (chromium-browser-stable, mariadb, and roundcubemail), Oracle (kernel, libreoffice, nodejs, and tomcat), and SUSE (cJSON, libfastjson, opera, postgresql15, python3, and qt6-networkauth).

LWN ☛ Huston: Calling Time on DNSSEC?

=> ↺ Huston: Calling Time on DNSSEC?

Geoff Huston suggests that it is time to give up on DNSSEC and look for a better way to secure the Internet namespace.

Hong Kong Free Press ☛ Website for anti-spam service HKJunkCall taken offline following hacking attempt

=> ↺ Website for anti-spam service HKJunkCall taken offline following hacking attempt

HKJunkCall – a service popular among Hongkongers looking to block spam and scam calls – has suffered a data breach attempt, it said in an email to users on Monday.

IT Wire ☛ Optus non-committal on releasing Deloitte report despite court ruling

=> ↺ Optus non-committal on releasing Deloitte report despite court ruling

Customer names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver's licence or passport numbers were revealed.
Optus claimed at the time that payment details and account passwords had not been compromised.

New Yorker ☛ Notice of Security Incident

=> ↺ Notice of Security Incident

Regrettably, a data breach occurred involving the part of our network that stores digital replicas of your nude abdomen after you’ve eaten beef pad Thai.

Windows TCO

SANS ☛ Files with TXZ extension used as malspam attachments, (Mon, May 27th)

=> ↺ Files with TXZ extension used as malspam attachments, (Mon, May 27th)

Malicious e-mail attachments come in all shapes and sizes.
