PwOSS - News
News and Update info channel - https://pwoss.org

PwOSS - Privacy with Open Source Software

Get rid of the data collector and become your own digital hoster
OpenWrt Update v19.07.4

Today I received an RSS item about the new version of OpenWrt. If you use it, keep an eye on your specific device.
GitHub
The following also reminds you to keep your packages up to date. The script is from kuketz-blog.de (German).
Update notification for packages
Packages
opkg update && opkg install msmtp nano
msmtp
nano /etc/msmtprc
# Set default values for all following accounts.
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile ~/.msmtp.log

# Your Provider
account your-provider
host smtp.your-provider.org
port 587
from user@your-provider.org
user user@your-provider.org
password your-password

# Set a default account
account default : your-provider

# Syslog logging with facility LOG_MAIL instead of the default LOG_USER.
syslog LOG_MAIL

The file contains your mail password in clear text, so restrict it to root (mode 600) before you use it.

Script
nano /root/update-notification
#!/bin/sh

# Refresh the package lists and collect what can be upgraded.
# Absolute path on purpose: cron does not run this from /root.
opkg update
opkg list-upgradable > /tmp/updates.txt

if [ -s /tmp/updates.txt ]
then
    # Headers, an empty separator line, then the package list, so the
    # receiving mail server gets a well-formed message.
    {
        echo "To: user@your-provider.org"
        echo "Subject: OpenWrt Updates"
        echo
        cat /tmp/updates.txt
    } | msmtp -a default user@your-provider.org
fi
rm -f /tmp/updates.txt

chmod +x /root/update-notification
Crontab
crontab -e
# Update list of available packages | Send notification mail
45 06 * * * /root/update-notification


If there is no crontab defined (i.e. /etc/crontabs/ is empty), then cron won't start! Make sure you already defined cron jobs before trying to start cron.

/etc/init.d/cron start
/etc/init.d/cron enable

SSH login info
nano ~/.profile
#!/bin/sh

# Count installed and upgradable packages; errors (e.g. missing package lists) are silenced.
opkgInstalled="$(opkg list-installed 2> /dev/null | wc -l)"
opkgUpgradable="$(opkg list-upgradable 2> /dev/null | wc -l)"

echo "$opkgInstalled packages are installed." && echo "$opkgUpgradable packages can be upgraded." && echo
echo "Upgrade commands:"
echo "List available updates: opkg list-upgradable"
echo "Upgrade package: opkg upgrade <package>"
echo "Upgrade all packages: opkg list-upgradable | cut -f 1 -d ' ' | xargs opkg upgrade" && echo

Be careful with the last command: the OpenWrt wiki advises against upgrading all packages in one go, because it can fill up the overlay flash and leave the router in a broken state. Upgrade selected packages, or move to the new release with sysupgrade instead.

https://pwoss.org/openwrt-update-v19-07-4/
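As an added example (not part of the pwoss.org post or the kuketz-blog.de script), here is a small POSIX sh version of the notification that builds the mail in memory: To and Subject headers, the mandatory empty separator line, then the package list, with the package count in the subject, and it only sends when the list is non-empty. The recipient address and the msmtp account name are placeholders, and the opkg output it runs on here is a constructed sample, so it can be tried without a router or a mail account.

```sh
#!/bin/sh
# Added example, not from pwoss.org or kuketz-blog.de: build a well-formed
# mail from `opkg list-upgradable` output. Recipient and the msmtp account
# name "default" are placeholders to adjust.
RECIPIENT="${RECIPIENT:-user@your-provider.org}"
MSMTP_ACCOUNT="${MSMTP_ACCOUNT:-default}"

# Constructed sample of what `opkg list-upgradable` prints on OpenWrt
# (format: "<package> - <installed version> - <available version>").
SAMPLE_UPGRADABLE='base-files - 204-r11208-ce6496d796 - 205-r11364-ef56c85848
libustream-wolfssl20200215 - 2020-03-13-1 - 2020-12-09-1
wpad-basic - 2019-08-08-ca8c2e03-3 - 2019-08-08-ca8c2e03-4'

# Number of upgradable packages in a list; an empty list gives 0.
count_upgradable() {
    printf '%s' "$1" | grep -c .
}

# Print a complete message: To, Subject, an empty line, then the body.
# The empty line separates headers from body (RFC 5322); without it the
# receiving mail server parses the package lines as broken header fields.
build_mail() {
    recipient=$1
    body=$2
    host=${3:-openwrt}
    printf 'To: %s\n' "$recipient"
    printf 'Subject: OpenWrt updates on %s (%s packages)\n' \
        "$host" "$(count_upgradable "$body")"
    printf '\n'
    printf '%s\n' "$body"
}

# Refresh the lists, then mail only when something is upgradable. Nothing
# is written to disk, so cron's working directory does not matter.
notify_if_needed() {
    opkg update >/dev/null 2>&1
    list=$(opkg list-upgradable 2>/dev/null)
    [ -n "$list" ] || return 0
    build_mail "$RECIPIENT" "$list" "$(uname -n)" \
        | msmtp -a "$MSMTP_ACCOUNT" "$RECIPIENT"
}

# Show the message the constructed sample would produce (nothing is sent).
build_mail "$RECIPIENT" "$SAMPLE_UPGRADABLE" router
```

For the cron job, call notify_if_needed instead of the last line; the subject then tells you at a glance how many packages are waiting on which router.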
Arch News – 2020-09-09 | Kill Arch Bugs: Help us on the 13th of September!

If you have open tickets, close them if they are already fixed.


2020-09-09 - Frederik Schwan
We would like to hold a bug wrangling day on the 13th of September to reduce the large amount of open tickets. If you cannot take part in the bug wrangling day, then feel free to help us any time before that event.

How?
Please review all bugs that were reported by you and check if they are still valid. Please request a task closure on the bug tracker if the task may be closed. Otherwise please provide further information so that we can continue to work on the bug. We cannot fix bugs without your feedback.

Questions?
Join us at the #archlinux-bugs channel on irc.freenode.net during the 13th of September. As we live in different timezones not all devs and bug wranglers will be available at the same time, but feel free to report your issues to any dev available.

Also please check your mailboxes that may contain notifications about comments made on your tickets.

Link archlinux.org

https://pwoss.org/kill-arch-bugs-help-us-on-the-13th-of-september/
Monthly Server Update – September '20

That was a pretty easy month. No pacnew files, no this and that, great!
System update
pikaur -Syu --noconfirm

Reboot
The kernel has also been updated.
sudo reboot

If you run into any problems, just leave a comment below.
That's it. See you next month 😉

https://pwoss.org/monthly-server-update-september20/
Raccoon Attack: Researchers Find A Vulnerability in TLS 1.2 and lower

It is time to jump to TLS 1.3 only. But still too many are using even 1.0.
If you want to check a few websites, go to ssllabs.com and check.

See our website. Some suggestions? Use the comments below.
I decided to hop on 1.3 only. Currently it's 1.2 and 1.3. So, if you can't reach the site next week, you should update your browser. No updates available? Then install Arch - PwOSS ISO.

Dubbed "Raccoon Attack," the server-side attack exploits a side-channel in the cryptographic protocol (versions 1.2 and lower) to extract the shared secret key used for secure communications between two parties.

"The root cause for this side channel is that the TLS standard encourages non-constant-time processing of the DH secret," the researchers explained their findings in a paper. "If the server reuses ephemeral keys, this side channel may allow an attacker to recover the premaster secret by solving an instance of the Hidden Number Problem."

More at thehackernews.com

https://pwoss.org/raccoon-attack-researchers-find-a-vulnerability-in-tls-1-2-and-lower/
A Bug Could Let Attackers Hijack Firefox for Android via Wi-Fi Network

Do not use unsecured WLAN connections like in shopping malls, restaurants etc.

ESET security researcher Lukas Stefanko yesterday tweeted an alert demonstrating the exploitation of a recently disclosed high-risk remote command execution vulnerability affecting the Firefox app for Android.

Discovered originally by Australian security researcher Chris Moberly, the vulnerability resides in the SSDP engine of the browser that can be exploited by an attacker to target Android smartphones connected to the same Wi-Fi network as the attacker, with Firefox app installed.

"The target simply has to have the Firefox application running on their phone. They do not need to access any malicious websites or click any malicious links. No attacker-in-the-middle or malicious app installation is required. They can simply be sipping coffee while on a cafe's Wi-Fi, and their device will start launching application URIs under the attacker's control," Moberly said.

More at thehackernews.com

https://pwoss.org/a-bug-could-let-attackers-hijack-firefox-for-android-via-wi-fi-network/
Vulnerability Disclosure 2020/09/17

PINE64 (both the business and the community around it) prides itself on transparency. Often, this transparency is used to give you a behind the scenes look into our operations.

But today, we’re afraid we must be transparent about something else.

As of approximately 4:30am GMT on 2020/09/17, we discovered an intrusion to our Pine Store web instance. This took on the form of spam/scam pages hidden on our web server, with scripting to only be visible to crawler bots. After discovering this, we immediately shut down the web server and began investigation.

To our knowledge, this happened via an exploit in one of the WordPress plugins on the Pine Store, with initial attempts logged as early as 2020/09/05. It appears this was not an active malicious attack on our server, but merely automated bots tasked with placing scam store pages.

Needless to say, we remedied the situation and took extensive steps to prevent similar incidents from occurring in the future.

Due to the nature of the attacks we’ve reviewed, we do not suspect that customer information was a target, nor do we expect any was exfiltrated. We can guarantee that, without a doubt, no credit card or other financial information was placed at any risk of being exposed.

We hope that this event does not damage your trust in us beyond repair, as we work to recover from this event.

See also the post at pine64.org

https://pwoss.org/vulnerability-disclosure-2020-09-17/
FreshRSS Update V 1.17.0

FreshRSS
A new version of FreshRSS is available.

Update
pikaur -S freshrss --noconfirm

Go to your FreshRSS website (e.g. http://192.168.1.76:7666)
Click on the Checks button on the left
Scroll down and select Keep previous configuration and then Complete installation

Changelog at github.com

https://pwoss.org/freshrss-update-v-1-17-0/
Seafile Update V 7.1.5

Seafile
Another version of Seafile is available.

Update
# Packages from the AUR (as your normal user)
pikaur -S seahub python-wsgidav-seafile

# Stop both services, then continue as the seafile user
sudo systemctl stop seafile && sudo systemctl stop seahub
sudo -u seafile -s /bin/sh

# In the seafile user's home: fetch the new server tarball, unpack it and park the tarball in installed/
cd
wget https://s3.eu-central-1.amazonaws.com/download.seadrive.org/seafile-server_7.1.5_x86-64.tar.gz
tar -xzf seafile-server_* && mv seafile-server_* installed
# Run the minor upgrade, keep the previous version in installed/ and drop the one before that
seafile-server-7.1.5/upgrade/minor-upgrade.sh
mv seafile-server-7.1.4/ installed/
rm -r installed/seafile-server-7.1.3/ && rm installed/seafile-server_7.1.3_x86-64.tar.gz
exit

sudo systemctl start seafile && sudo systemctl start seahub

Changelog at forum.seafile.com

https://pwoss.org/seafile-update-v-7-1-5/
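The clean-up at the end of that procedure hard-codes three version numbers that have to be adjusted by hand every month. As an added example (not from the pwoss.org post and not part of Seafile's own upgrade scripts), the POSIX sh helper below reads the contents of the installed/ directory, sorts the seafile-server-X.Y.Z directories numerically and names every one older than the newest two for removal; the directory listing it is demonstrated on is a constructed sample, and the directory name pattern is assumed to be the one used in the post.

```sh
#!/bin/sh
# Added example, not from the pwoss.org post or from Seafile: decide which
# old seafile-server-<X.Y.Z> directories under installed/ to remove, keeping
# the newest N, instead of hard-coding version numbers for every upgrade.

# Constructed listing of an installed/ directory after a few upgrades.
SAMPLE_LISTING='seafile-server-7.0.12
seafile-server-7.1.3
seafile-server-7.1.4
seafile-server-7.1.5
seafile-server_7.1.3_x86-64.tar.gz
ccnet-server'

# Sort dotted version numbers numerically, oldest first (7.0.12 < 7.1.3).
sort_versions() {
    sort -t . -k1,1n -k2,2n -k3,3n
}

# Read directory names on stdin; print the seafile-server-<version> ones
# that are older than the newest $1 (default 2), one per line.
prune_candidates() {
    keep=${1:-2}
    versions=$(sed -n 's/^seafile-server-\([0-9][0-9.]*\)$/\1/p' | sort_versions)
    total=$(printf '%s\n' "$versions" | grep -c .)
    drop=$((total - keep))
    [ "$drop" -gt 0 ] || return 0
    printf '%s\n' "$versions" | head -n "$drop" | sed 's/^/seafile-server-/'
}

# Remove the candidates found in $1 (an installed/ directory); pass any
# second argument to only print what would be removed.
prune_installed() {
    dir=$1
    dry_run=$2
    ls "$dir" | prune_candidates 2 | while read -r name; do
        if [ -n "$dry_run" ]; then
            echo "would remove $dir/$name"
        else
            rm -r "$dir/$name"
        fi
    done
}

# Demonstration on the constructed listing: prints the two oldest versions.
printf '%s\n' "$SAMPLE_LISTING" | prune_candidates 2
```

Run prune_installed ~/installed dry-run first as the seafile user to see the list, then without the second argument. Tarballs are deliberately left alone by the pattern; delete them by hand as in the post, or extend the sed expression once you have decided how many to keep.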
Windows XP (and lower OSes) source code leaks online

So it could be that even more vulnerabilities are found in this code and who knows, maybe some are still present in Windows 10. If you are still using Windows 10, at least keep it up to date.

Microsoft’s source code for Windows XP and Windows Server 2003 has leaked online. Torrent files for both operating systems’ source code have been published on various file sharing sites this week. It’s the first time source code for Windows XP has leaked publicly, although the leaked files claim this code has been shared privately for years.

The Verge has verified the material is legitimate, and a Microsoft spokesperson tells us that the company is “investigating the matter.”

It’s unlikely that this latest source code leak will pose any significant threat to companies still stuck running Windows XP machines. Microsoft ended support for Windows XP back in 2014, although the company responded to the massive WannaCry malware attack with a highly unusual Windows XP patch in 2017.

More at theverge.com

https://pwoss.org/windows-xp-and-lower-oses-source-code-leaks-online/
Arch Conf 2020 schedule

This is really interesting. I hope I have enough time for it. The topics are really great!

Archiso - creating an installation medium
We already keep updating our archiso installations (desktop & server), still a little different, but it's working great. Well, I know, still no configurations... But one day. Hopefully, one day it's all included.
What has mainly changed so far is the license and the command. build.sh and customize_airootfs.sh will be deprecated. I think this will happen in version 49. Not 100% sure.
What is next for Pacman? (Ideas that may never eventuate)
Protecting secrets and securing the boot process using a Trusted Platform Module (TPM)
Arch Linux: Past, Present and Future
Gaming
...

and so on.

On the 10th and 11th of October there is going to be an online edition of Arch Conf. The conference is going to have presentations from the Arch team along with community submitted presentations and lightning talks.

We are proud to announce the first revision of the schedule!

https://pretalx.com/arch-conf-online-2020/talk/

The conference timezone is CEST/UTC+2: https://everytimezone.com/s/40cc4784

Updates and additional information can be found on the conference page: https://conf.archlinux.org

See you there!

Cheers from the conference team.

Link - archlinux.org

https://pwoss.org/arch-conf-2020-schedule/
Hop on the Dendrite train!

Matrix recently released the next generation of the Matrix homeserver, called Dendrite.
It has hit beta status and I'm going to install it in the near future. I want to change the structure of the servers anyway, and if we are not able to merge the database (synapse) for whatever reason, just create a new user then. Shouldn't be a big problem, but if you really need to keep your rooms/conversations, please let us know - team@pwoss.org.

In terms of comparison with Synapse, the main things you should get excited about are

Dendrite aims to provide an efficient, reliable and scalable alternative to Synapse:

Efficient: A small memory footprint with better baseline performance than an out-of-the-box Synapse
Reliable: Implements the Matrix specification as written, using the same test suite as Synapse as well as a brand new Go test suite
Scalable: can run on multiple machines and eventually scale to massive homeserver deployments

This means significantly less memory usage than Synapse (depends on joined rooms, often between 50MB - 400MB resident memory) - although we haven’t tuned this at all yet!
All-new database model, where every microservice instance has its own database tables, letting them scale arbitrarily wide
The ability to efficiently use all your available CPU cores without needing to split into separate processes, thanks to Go and our extensive use of goroutines. No more Python global interpreter lock! 🙂
Future experimental MSCs are likely to land in Dendrite before Synapse (e.g MSC2753 Peeking via /sync and MSC2444 Peeking over Federation are already being prototyped (#1370 and #1391) in Dendrite rather than Synapse!)


Whole news at matrix.org

https://pwoss.org/hop-on-the-dendrite-train/
Arch Conf 2020 is over

So, that was it and it was great ... what I've seen so far! I could not keep myself awake to see this all night long, but I have seen a few recordings.

Arch Linux: Past, Present and Future
If you want to know a few things about Arch, watch:
Arch Linux: Past, Present and Future

Protecting secrets and securing the boot process using a Trusted Platform Module (TPM)
My plan was always to install Libreboot or Coreboot since I bought my laptop (4 years ago?). But I was always too lazy to do it, or busy and then lazy.
Whatever, the TPM talk by Jonas Witschel reminded me of this again, and I will probably try TPM then. I had never heard of TPM before, so I think it's really great. USB stick/s solve the "problem", but TPM seems to me to be a better solution. At least you won't forget your laptop (?), whereas the stick/s might sometimes not want to go with you...
Protecting secrets and securing the boot process using a Trusted Platform Module (TPM)

Rolling your own security team for fun and no profit at all
Seems to be a good team with a good working environment. I like that.
Rolling your own security team for fun and no profit at all

Archiso - creating an installation medium
This is of course interesting! Our Desktop and Server are created by archiso.
Archiso - creating an installation medium

How to organise your digital life in a privacy-preserving, machine-agnostic, and practical manner
This is definitely also interesting for all of us here. Most people will know most of it, but it's still worth watching.
rclone, for example, is a good mention if you prefer not to have your data at home, or to use backups between providers.
How to organise your digital life in a privacy-preserving, machine-agnostic, and practical manner

Full list
I haven't seen more than the ones mentioned above. So here is the complete list of all talks:
https://streaming.media.ccc.de/archconf2020/relive
https://static.conf.archlinux.org/
https://media.ccc.de/c/archconf2020

https://pwoss.org/arch-conf-2020-is-over/
Monthly Server Update – October '20

Another easy month.
System update
pikaur -Syu --noconfirm

Seafile
See Seafile Update V 7.1.5

FreshRSS
See FreshRSS Update V 1.17.0

Reboot
The kernel has also been updated.
sudo reboot


If you run into any problems, just leave a comment below.
That's it. See you next month 😉

https://pwoss.org/monthly-server-update-october20/
India Witnessed Spike in Cyber Attacks Amidst Covid-19

As mentioned in the article, this is not mainly about India at the moment; the tips from The Hacker News are probably relevant for some people.
However, this should generally be followed, not only in relation to Covid-19. Probably the first piece of advice is the most important one of all. I mean, they are all important, but the habit of clicking and sharing here and there and the ignorance of people is a very big deal.

The Pandemic Landscape Demands Modern Protection

Here are the golden tips to keep you away from these recent cybersecurity incidents:

Train your employees in security principles
Be cautious with attachments, links, or text received via emails, especially with a subject line related to COVID-19
Frame a robust remote work policy
Use only trusted sources like legitimate websites for up-to-date information
Don't disclose your financial or personal information in an email or phone calls from unknown persons
Encourage the use of office devices only for official purposes
Don't reuse passwords between different accounts and applications
Take data backups and store them separately
Use multi-factor authentication
Modernize your stack with a Cloud-based WAF, such as AppTrana, a next-generation cybersecurity protection suite that includes vulnerability assessments, virtual patching, zero false positives, DDoS attack prevention, and many more features.

More at thehackernews.com

https://pwoss.org/india-witnessed-spike-in-cyber-attacks-amidst-covid-19/
New Hacktober Gear

Here is some news from pine64.
I like the Pinecil and the keyboard for the PinePhone. I still haven't done much with the PinePhone. I'm simply too overloaded with work ...

See pine64.org

https://pwoss.org/new-hacktober-gear/
Nope, you don’t own your Windows computer.

That's an interesting story... again. I've read similar things quite often and that's definitely a no-go for me.
It should be my decision to install certain software when I want to, and not to be forced...

The craziest part: When my machine finished rebooting, it now contained the exact thing I’d been writing about before I was rudely interrupted. Microsoft had installed unsolicited, unwanted web app versions of Word, PowerPoint, Excel and Outlook onto my computer.

See theverge.com

https://pwoss.org/nope-you-dont-own-your-windows-computer/
Arch News – 2020-10-21 | nvidia 455.28 is incompatible with linux >= 5.9

If you've updated your Arch system and you're wondering why there are some problems with the graphics, you probably forgot to check the Arch website before updating, or you're just one of the first updaters before the news came out. Whatever the reason is, switch to the LTS kernel as suggested until it is fixed.

2020-10-21 - Sven-Hendrik Haase

nvidia is currently partially incompatible with linux >= 5.9 [1] [2]. While graphics should work fine, CUDA, OpenCL, and likely other features are broken. Users who've already upgraded and need those features are advised to switch to the linux-lts kernel for the time being until a fix for nvidia is available.

Link archlinux.org

https://pwoss.org/arch-news-2020-10-21-nvidia-455-28-is-incompatible-with-linux-5-9/
Security Engineering – Third Edition

My brother sent me info about this edition, which is probably worth reading.

I'm writing a third edition of Security Engineering, which will be published in November 2020.

With both the first edition in 2001 and the second edition in 2008, I put six chapters online for free at once, then added the others four years after publication. For the third edition, I negotiated an agreement with the publishers to put the chapters online for review as I wrote them. So the book came out by instalments, like Dickens' novels, from April 2019 to September 2020. On the first of November 2020, all except seven sample chapters will disappear for a period of 42 months. I'm afraid the publishers insist on that. But thereafter the whole book will be free online forever.

As usual, if it is good and/or you use it a lot - buy it.
Link cl.cam.ac.uk
Download - PDF (all at once)

https://pwoss.org/security-engineering-third-edition/
Pro1 X Smartphone

Nice!
Hopefully we will see more phones with a keyboard again. I have missed them very much. My last one was the HTC Touch Pro. It is much nicer to write with a keyboard.

Anyway, they have a few specials running; the good ones are already gone. Shipments are next year in March.
If you want to have it "cheap", you should hurry. Good luck!

Key Specifications

The Pro1-X might look familiar to you; we took the popular F(x)tec Pro1 that was launched last year and made a few key tweaks. The RAM and storage have both been increased – from 6GB and 128GB to 8GB and 256GB respectively – and the Pro1-X comes in this new Discovery Blue color that looks fantastic!

Beyond that, many of the Pro1 specs have remained the same. There’s a 66-key full QWERTY keyboard that slides out from beneath the display, a Qualcomm Snapdragon 835 processor, Dual SIM support, a fingerprint scanner, a dedicated camera button, USB-C, and HDMI out, and far more. There’s also an 8MP front camera, a 12MP primary camera, and a 5MP

Why we created the Pro1-X

For years, we’ve teased that we’re planning to create a phone. So why did we finally do it? This year especially, privacy has become more important than ever before, and LineageOS is known for letting you go beyond the controls you’d find on a traditional Android smartphone. In particular, the Privacy Guard – in LineageOS 16, which was replaced by AOSP’s Permissions Hub in LineageOS 17 – allows you to only share the data you want to share, and not share the data you don’t want to share.
We’ve also seen that the popularity of LineageOS and other platforms across our community has grown over the past few years and there’s more interest in these alternative Android distributions.

Beyond just LineageOS, there’s a large community of Ubuntu users who’ve always dreamed of having a smartphone running Ubuntu Touch, and the Pro1-X is the first Qualcomm-powered smartphone to run Ubuntu Touch. Not only that, we’ve also managed to get the HDMI-out feature working, so you can plug an HDMI cable in and connect it to a big screen, and use the display as a trackpad.

More at xda-developers.com

Straight to the special deals - indiegogo.com

https://pwoss.org/pro1-x-smartphone/
That’s it.

No updates, no news, no time.
I will turn off pwoss.
There are some changes in real life that I need more time for. I also changed the setup of my personal server because my old server was not running properly anymore.
Anyway, long story short, that's it.
Thanks!

https://pwoss.org/thats-it/