Software updates and TUF
You can no longer assume downloading unsigned software is safe. Between programs like FinFisher and the verified incidents of widespread BGP route hacking, it is best to assume that even if you are not targeted by attackers, you might get caught up in a widespread attack. Relying on HTTPS isn't a safe bet anymore, because certificate authorities can issue fake certificates to government departments so that they can intercept SSL communications. What is needed is end-to-end signing of the data, as well as signed metadata – all of which TUF provides.
- FinFisher: http://en.wikipedia.org/wiki/FinFisher
- OpenSSL website compromised: http://www.openssl.org/news/secadv_hack.txt
- TUF – The Update Framework: https://github.com/theupdateframework
- Tor: https://www.torproject.org/
- Survivable key compromise: http://freehaven.net/~arma/tuf-ccs2010.pdf
- OpenGPG card: http://www.g10code.de/p-card.html
- PEP 458: http://www.python.org/dev/peps/pep-0458/
- TUF interface for RubyGems: http://rubyforge.org/pipermail/rubygems-developers/2013-November/007044.html
- Targeted Internet traffic misdirection: http://www.renesys.com/2013/11/mitm-internet-hijacking/
- Further improving digital certificate security: http://googleonlinesecurity.blogspot.ca/2013/12/further-improving-digital-certificate.html
Buy this article as PDF
Weird data transfer technique avoids all standard security measures.
FIDO alliance declares the beginning of the end for old-style login authentication.
The Linux New Media Awards have honored the most significant products, projects, people, and organizations for open source/Linux every year since 2000.
Legendary Uber-distro splits over the systemd controversy.
New LTS version offers many refinements for the Cinnamon and Mate desktops and significant improvement under the hood.
One of CeBIT’s most successful forums returns in 2015.
A new study says it is possible to unmask 81% of TOR users.
Redmond joins the revolution by turning the .NET Core Runtime into a GitHub project.
Users only had 7 hours to update before the intrusions started.
It's official: The new web arrives