WireGuard VPN makes it to 1.0.0—and into the next Linux kernel

WireGuard will be in tree for Ubuntu 20.04 LTS (pictured), as well as the upcoming 5.6 kernel. (credit: WireGuard)
We’ve been anticipating WireGuard’s inclusion into the mainline Linux kernel for quite some time—but as of Sunday afternoon, it’s official. Linus Torvalds released the Linux 5.6 kernel, which includes (among other things) an in-tree WireGuard. Phoronix has a great short list of the most interesting new features in the 5.6 kernel, as well as a longer “everything list” for those who want to make sure they don’t miss anything.
If this is the first time you’re hearing about WireGuard, the TL;DR is that it’s a relatively new VPN (Virtual Private Network) application that offers a leaner codebase, easier configuration, faster connect times, and the latest and most thoroughly peer-reviewed and approved encryption algorithms. You can find a more detailed introduction in our initial August 2018 coverage.
Can I use this on Windows? Mac? BSD?


Original URL: https://arstechnica.com/?p=1664228


The exFAT filesystem is coming to Linux—Paragon software’s not happy about it

Proprietary filesystem vendor Paragon Software seems to feel threatened by the pending inclusion of a Microsoft-sanctioned exFAT in the Linux 5.7 kernel. (credit: MTV / Geffen / Paramount Pictures)
When software and operating system giant Microsoft announced its support for inclusion of the exFAT filesystem directly into the Linux kernel back in August, it didn’t get a ton of press coverage. But filesystem vendor Paragon Software clearly noticed this month’s merge of the Microsoft-approved, largely Samsung-authored version of exFAT into the VFS for-next repository, which will in turn merge into Linux 5.7—and Paragon doesn’t seem happy about it.
Yesterday, Paragon issued a press release about European gateway-modem vendor Sagemcom adopting its version of exFAT into an upcoming series of Linux-based routers. Unfortunately, it chose to preface the announcement with a stream of FUD (Fear, Uncertainty, and Doubt) that wouldn’t have looked out of place on Steve Ballmer’s letterhead in the 1990s.
Breaking


Original URL: https://arstechnica.com/?p=1663118


Let’s Encrypt discovers CAA bug, must revoke customer certificates

Unfortunately, most if not all Let’s Encrypt users will need to manually force-renew their certificates before Wednesday. It’s at least an easy process. (credit: Adobe)
On Leap Day, Let’s Encrypt announced that it had discovered a bug in its CAA (Certification Authority Authorization) code.
The bug opens up a window of time in which a certificate might be issued even if a CAA record in that domain’s DNS should prohibit it. As a result, Let’s Encrypt is erring on the side of security and safety rather than convenience and revoking any currently issued certificates it can’t be certain are legitimate, saying:
Unfortunately, this means we need to revoke the certificates that were affected by this bug, which includes one or more of your certificates. To avoid disruption, you’ll need to renew and replace your affected certificate(s) by Wednesday, March 4, 2020. We sincerely apologize for the issue.
If you’re not able to


Original URL: https://arstechnica.com/?p=1657790


Amazon made a bigger camera-spying store—so we tried to steal its fruit

Amazon Go Grocery’s first location in the Seattle neighborhood of Capitol Hill. (credit: Sam Machkovech)
SEATTLE—For how far and wide Amazon’s digital footprint reaches, the company clearly wants to advance into real-world space as much as possible. And to that end, Amazon runs some of its most ambitious experiments in its headquarters’ city before rolling them out nationwide.
As our staff’s sole Seattle resident, I pull the short straw of testing these by default.
In 2015, I shopped at Amazon’s first stab at a brick-and-mortar bookstore (you know, those old things Amazon has been accused of putting out of business in the first place) before that chain’s eventual nationwide launch. In 2016, I delivered Amazon packages as a gig-economy driver, before this kind of contract employee became a commonplace part of the nationwide Amazon Prime Now network. And in 2018, I picked through the first “cashierless,” camera-filled Amazon Go convenience store


Original URL: https://arstechnica.com/?p=1656322


Anatomy of a dumb spear-phish: Hitting librarians up for Zelle, CashApp cash

(credit: Sarah Shuda / Flickr)
Here’s a clue for would-be Internet financial scammers: do not target librarians. They will catch on fast, and you will have wasted your time.
Yesterday, the former outgoing chair of the Young Adult Library Services Association’s Alex Awards Committee (and my wife) Paula Gallagher got a very odd email that purported to be from a colleague within her library system who is a member of YALSA’s board. The email asked, “Are you available to complete an assignment on behalf of the Board, And get reimbursed? Kindly advise.”

There were a few things off about the email. First of all, while the first half of the email address that the message came from matched the email address of her colleague, the domain name was very phishy: Reagan.com, a site that offers “secure private email” to users who want to “keep President Ronald Reagan’s legacy alive.” The purported


Original URL: https://arstechnica.com/?p=1654948


Signal is finally bringing its secure messaging to the masses

(credit: Getty Images)
Last month, the cryptographer and coder known as Moxie Marlinspike was getting settled on an airplane when his seatmate, a midwestern-looking man in his 60s, asked for help. He couldn’t figure out how to enable airplane mode on his aging Android phone. But when Marlinspike saw the screen, he wondered for a moment if he was being trolled: Among just a handful of apps installed on the phone was Signal.
Marlinspike launched Signal, widely considered the world’s most secure end-to-end encrypted messaging app, nearly five years ago, and today heads the nonprofit Signal Foundation that maintains it. But the man on the plane didn’t know any of that. He was not, in fact, trolling Marlinspike, who politely showed him how to enable airplane mode and handed the phone back.
“I try to remember moments like that in building Signal,” Marlinspike told Wired in an interview over a Signal-enabled


Original URL: https://arstechnica.com/?p=1654057


A Georgia election server was vulnerable to Shellshock and may have been hacked

(credit: Jason Riedy / Flickr)
Forensic evidence shows signs that a Georgia election server may have been hacked ahead of the 2016 and 2018 elections by someone who exploited Shellshock, a critical flaw that gives attackers full control over vulnerable systems, a computer security expert said in a court filing on Thursday.
Shellshock came to light in September 2014 and was immediately identified as one of the most severe vulnerabilities to be disclosed in years. The reasons: it (a) was easy to exploit, (b) gave attackers the ability to remotely run commands and code of their choice, and (c) opened most Linux and Unix systems to attack. As a result, the flaw received widespread news coverage for months.
Patching on the sly
Despite the severity of the vulnerability, it remained unpatched for three months on a server operated by the Center for Election Systems at Kennesaw State University, the group that was responsible


Original URL: https://arstechnica.com/?p=1645597


Researchers find serious flaws in WordPress plugins used on 400k sites

(credit: Frank Lindecke / Flickr)
Serious vulnerabilities have recently come to light in three WordPress plugins that have been installed on a combined 400,000 websites, researchers said. InfiniteWP, WP Time Capsule, and WP Database Reset are all affected.
The highest-impact flaw is an authentication bypass vulnerability in the InfiniteWP Client, a plugin installed on more than 300,000 websites. It allows administrators to manage multiple websites from a single server. The flaw lets anyone log in to an administrative account with no credentials at all. From there, attackers can delete contents, add new accounts, and carry out a wide range of other malicious tasks.
People exploiting the vulnerability need only know the user name of a valid account and include a malicious payload in a POST request that’s sent to a vulnerable site. According to Web application firewall provider Wordfence, the vulnerability stems from a feature that allows legitimate users to automatically


Original URL: https://arstechnica.com/?p=1645061


In 2019, multiple open source companies changed course—is it the right move?

Stock photos continue to be a gift to the world. Maybe it’s sometimes on par with open-source software. (credit: cnythzl / Getty Images)
Free and open source software enables the world as we know it in 2019. From Web servers to kiosks to the big data algorithms mining your Facebook feed, nearly every computer system you interact with runs, at least in part, on free software. And in the larger tech industry, free software has given rise to a galaxy of startups and enabled the largest software acquisition in the history of the world.
Free software is a gift, a gift that made the world as we know it possible. And from the start, it seemed like an astounding gift to give. So astounding in fact that it initially made businesses unaccustomed to this kind of generosity uncomfortable. These companies weren’t unwilling to use free software, it was simply


Original URL: https://arstechnica.com/?p=1503799
