Updated Fedora Lives Available (4.10.16-200) Memorial Weekend Run

We in the Respins SIG are pleased to announce the latest series of Updated Live Respins, carrying the 4.10.16-200 kernel. These respins are built with the livemedia-creator tool packaged in the default Fedora repo, following the guide here and using the scripts located here.

As always, they are available @ http://tinyurl.com/live-respins2

For those needing a non-shortened URL, that link expands to https://dl.fedoraproject.org/pub/alt/live-respins/

This round will be noticeably missing its usual gpg clearsigned CHECKSUM|HASHSUM files hosted on https://community.ameridea.net due to a key cycling operation. This post will be updated with the new KeyID|Fingerprint next week; however, the next run will be the first run with that key in play.

F24 Updated ISOs available. (Kernel with Dirty Cow Patched)

It is with great pleasure that we announce that the community-run respin team has yet another Updated ISO round. This round carries the 4.7.9-200 kernel along with over 800 MB of updates (on average; some Desktop Environments more, some less) since the Gold release back in June.

Torrents will be available at the same link as usual alongside the .iso files.

You have heard about this nasty privilege escalation bug called ‘Dirty Cow’; well, rest assured the infected farm and farmer have been found and the vaccine has been applied to the kernel in these updates. More info on ‘Dirty Cow’ is in my blog post on it here.

Below are the contents of both CHECKSUM512-20161023 and HASHSUM512-20161023 (the latter contains the torrent hashes):

cat CHECKSUM512-20161023

(Clearsigned with 0xF59276298D2264944)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

8d1c8b9637b1ccc16233ae740e6e0137485574a6f02ab05e66e5a6fb8d5c18a6671395e14341e2cb45f902cd20a4ef987bd83265b68932b8c2183ff2b5194e5e F24-source-20161023.iso
aee5e894dc6b34e207aaa0f23f7a4fd6d16577846d5f7ab3568a234f9e0b2bea1ae814a2291852cb2dbba3930b046ce31cffbcadaf5bff72208a36176eabbecd F24-x86_64-CINN-20161023.iso
6875a43e59a899e4520260e19fb28bb7ade59565b46fc6ad4f22ca8da01c57822ca7ed9373f795377dfaf750d28b6df6c1c083da5d5a0628f8d26553fb744ea0 F24-x86_64-KDE-20161023.iso
197ea70be8337f97f60e2558188e82f53eae0208d3166a7356267dc515e0b7c6204e4b5aae1ae4b44150ff59881a7c2b3d8c998e9dd715872d8c2fe1fe0485c3 F24-x86_64-LXDE-20161023.iso
7f4b48998cb716042a899089f1b292aa77ce5fca44c8d69ceb25f8769da5d9bbe2b29cef728630ae643ad4fc290c64adf270debb228454e620509f039294849c F24-x86_64-MATE-20161023.iso
ffb77a60e5895d4521c58efcbb41bb6afcca7a9a2b3320929cecb9422d00caa1cb7e5f23b04bae9644bf6ea0dae1ab2c9674f4f7ba243acd6250fd5e90221c1d F24-x86_64-WORK-20161023.iso
4ba2915a0ba51b870e7a51eb8d658464bac99f6d998f9f06c26ab8642fedd0212c2ab47c256c7fb5be060494dd6c8eb3279a0d84ca8516db199e45e612d2e502 F24-x86_64-XFCE-20161023.iso
-----BEGIN PGP SIGNATURE-----
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=+BTN
-----END PGP SIGNATURE-----

cat HASHSUM512-20161023

(Clearsigned with 0xF59276298D2264944)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

c45662c568ecb116fd18e8f2fae4dedb43a17bdd F24-x86_64-CINN-20161023.iso
379d63a42b3e218cc0aefebc176eabe4c508c622 F24-x86_64-KDE-20161023.iso
89cd48b48d4b1163ac0b81fa639b40ae11fc36ae F24-x86_64-LXDE-20161023.iso
9dfb8df60faa611178d430d897ea365f3df4bd00 F24-x86_64-MATE-20161023.iso
240f78a935d54ef5c92491ee14334b14ad4d5951 F24-x86_64-WORK-20161023.iso
4af163e1162642e8d2a2632878106b94c58ac22a F24-x86_64-XFCE-20161023.iso
-----BEGIN PGP SIGNATURE-----
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=Vk0T
-----END PGP SIGNATURE-----
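To make use of a CHECKSUM512 file like the two above, the clearsign signature is first checked with gpg --verify against the published KeyID|Fingerprint, and the digest lines are then compared with sha512 sums computed over the downloaded files. The Python script below is an added example, not part of the original post or of the Respins SIG's tooling: it parses either a plain sha512sum-style list (as in the 20160815 post, where torrent entries carry a /seedbox/ prefix that is dropped) or a clearsigned one, skips the clearsign header and signature block, and reports OK, MISMATCH or MISSING for each named file. It does not check the PGP signature itself; that step stays with gpg. The file names and contents in demo() are constructed for the example.

```python
import hashlib
import os
import re
import tempfile

# One sha512sum-style line: 128 hex digits, whitespace, optional '*' (binary
# mode marker), then the file name or path.
_LINE = re.compile(r"^([0-9a-fA-F]{128})\s+\*?(\S.*)$")


def parse_checksum_file(text):
    """Return {basename: sha512hex} from a plain or PGP-clearsigned checksum list.

    The clearsign wrapper ('-----BEGIN PGP SIGNED MESSAGE-----', a 'Hash:' header,
    and the trailing signature block) is skipped, not verified: run gpg --verify
    on the file before trusting what this returns.
    """
    sums = {}
    in_signature = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            in_signature = True
        if in_signature:
            if line.startswith("-----END PGP SIGNATURE-----"):
                in_signature = False
            continue
        if line.startswith("-----BEGIN PGP SIGNED MESSAGE-----") or line.startswith("Hash:"):
            continue
        if line.startswith("- "):          # undo clearsign dash-escaping
            line = line[2:]
        m = _LINE.match(line)
        if m:
            # Keep only the basename so '/seedbox/foo.torrent' matches a local 'foo.torrent'.
            sums[os.path.basename(m.group(2))] = m.group(1).lower()
    return sums


def sha512_of(path, chunk=1 << 20):
    """Stream a (possibly multi-GB) file through SHA-512 and return the hex digest."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_directory(sums, directory):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every entry in sums."""
    results = {}
    for name, expected in sums.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "MISSING"
        elif sha512_of(path) == expected:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed sample: two fake ISOs, one of them altered after the list was made."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "F24-x86_64-XFCE-sample.iso")   # constructed name
        bad = os.path.join(d, "F24-x86_64-KDE-sample.iso")     # constructed name
        with open(good, "wb") as f:
            f.write(b"good image contents")
        with open(bad, "wb") as f:
            f.write(b"original image contents")
        body = "\n".join("%s %s" % (sha512_of(p), os.path.basename(p)) for p in (good, bad))
        clearsigned = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n" + body +
                       "\n-----BEGIN PGP SIGNATURE-----\n(signature omitted in this sample)\n"
                       "-----END PGP SIGNATURE-----\n")
        with open(bad, "ab") as f:          # simulate a corrupted or tampered download
            f.write(b" + tampering")
        return verify_directory(parse_checksum_file(clearsigned), d)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-32s %s" % (name, status))
```

For a real run, pass the contents of CHECKSUM512-20161023 to parse_checksum_file and the download directory to verify_directory; any MISMATCH means the image should be discarded and fetched again, never booted.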

NGA Hackathon series: AngelHacks w/ Blue Compass to host two Hackathons in Sept & Nov

NGA Hackathon / Demothons in Sept & Nov 2016

This back-to-school season, look at these two Hackathons/Demothons offering prize money and possible job placement.

The NGA (National Geospatial-Intelligence Agency, https://nga.gov) is looking for fresh ideas for big data analysis and dataset collection and has opened the Disparate Data Challenge. This Hackathon & Demothon is a two-stage engagement, with stage 1 open to US citizens and stage 2 open only to stage 1 winners. Stage 1 submissions are due by Sept 19, 2016.

Also part of NGA’s Hackathon series, and backed by AngelHack as well as Blue Compass LLC, is ExpeditionHacks, hosted at Hunter College, NYC on Nov 12-13, 2016. This event is more of the traditional 24 hr hackathon, where teams of up to 5 can show their merit in a geospatial conservation and efficiency hack session. Show that you can provide sustainability or ‘come-up’ solutions for indigenous communities.

F24-20160815 Updated ISOs Available NOW.

Today we have the newest installment of the F24 Updated Lives, carrying on average 580 Mb of updates over the Gold images from two months ago.

Some great news for Intel CPU / GPU users: 4.6.6-300 has patch fixes for the screen tearing.

You will notice this round there is HASHSUM512-20160815 AND HASHSUMS-20160815: the 512 file holds the sha512sums of the torrents, and HASHSUMS holds the straight torrent hashes (the fully searchable kind).

F24 Updated Lives

CHECKSUM512-20160815:

No source torrent is made; if you need one, contact me either via email or in a comment here.

daa06ee7a8e277fc39b7b614dfce0e581823f95e68c7d6491cbffc1504e9a998a43c50da98400ba16af1be69d7ab6f9515adbe7f682eb6d3549853b4b8a7ba0e F24-source-20160815.iso
2439b2fb5f2c1b260ebaf560b9b680cec774bd890baebfb1d35fd6e8ed10e6b787bd2c978505a91f30de9757984ddff140d13ce0a9a41d1dbff2c38e8be8ba1c F24-x86_64-CINN-20160815.iso
914b61c3bb2524420239b1d0adea1c986f726e9eac135f3ba49dda7c1b1f1dc6d21b69541172e33a2ae4617461041cfe13ac09f7e30faae4c4b2584bc4b9e4fc F24-x86_64-KDE-20160815.iso
e2cb9cbb7b72a1bfb90c3de4f495fc45351d0121ba27e6cb4a0715e25a2123f8324862579105c839fd72ed52a790c6571afcffb2b0bd0058e8058b909d6e6d76 F24-x86_64-LXDE-20160815.iso
c50fd8e41b2a738eb6b0c8cfb7bed5f1e98d9504b6b65a8eb1930c075c502e30c64cb384b1316f9de240eb33258389d4c40eb0efabd902396dc8f9592895ea64 F24-x86_64-MATE-20160815.iso
bd808438d9ee0b4171490719d54fa3172440fd664b1187bf3e8a569cf73eefbc3b3cde36b113d43084565481b6f51a74ba58cbf99b29062b16f35c914e0f9a19 F24-x86_64-WORK-20160815.iso
01b97737fcfd709db3461026cd7705d957d93e196a80c97d200510c868c63ee34c9896b02499294bc216cf238af6fd1dbbde667a281cbaebf374b16bc7c7331a F24-x86_64-XFCE-20160815.iso

HASHSUM512-20160815:

b66a07ac15a1a0f148b3dade7bd17520f0fd123bb8801786ff628b4b89ed02325c52052790ca02400bc8d143a3e3ae2d827dca2a49f09acdeec2ea028c844811 /seedbox/F24-x86_64-CINN-20160815.torrent
f8ebaba5a0271b33519d71b4adf6ede4c13e76bc9e5a0f7c63bc108b2d7ca1e65b2a7753b565bd5d3efaedb0b8870c6e46fe336ae9cfa695d9d5ed9699f21e2c /seedbox/F24-x86_64-KDE-20160815.torrent
55eadd80a7eec36ed2ca3f535edb668ea398bd3d00eb1645d22d80db0b6d96670c6ab16c26ed405c3153718b9ff433e46fc1b879eeca84114002c2c3fd3d54f8 /seedbox/F24-x86_64-LXDE-20160815.torrent
b2c2dc103f149e54292feefb3de94e3d106d18361c73f9e499ed72165d8084d02084623c7cdb656c0aaa181aa539f759cb83d84aee5405e77f5dcca5c14eec1b /seedbox/F24-x86_64-MATE-20160815.torrent
35f0404f181164612c1ca641ca3faf86f36c226fb568fbf61ff801d824bad9107bdda76a546c54ac049a824e26a56d4936fa13a6bee294d9acffdf604fa2288a /seedbox/F24-x86_64-WORK-20160815.torrent
fa05a9a713266e01796bc80d34391081477e74425b2fbe0ee135ee794a1a10a6ee038879efc7ab3839201506c79f41a03981b213aae6cb10b58c404d380cf983 /seedbox/F24-x86_64-XFCE-20160815.torrent
7f231fa325578fd52a7b9315fa589bbb3b469b7efe988e9a383a9fbd26cab8ecca5b73d782ddc9d146c96a223e6d73ddd3695cb6abb70f128714ed2da08566de /seedbox/HASHSUMS-20160815

LastPass 0Day — Why Using cleartext tokens in the URL is bad practice.

Source: lastpass password manager tell all

This is yet another reason why sanitizing OAuth or other token URLs down to the minimum needed to resolve them (the hostname) is good practice.

So exactly what is the issue at hand?

Well, LastPass, like most password managers that connect in some way to a sync or cloud mechanism, uses a cookie of sorts on all sites you set up with autofill (no typing needed, a great defense against keyloggers). The issue is that the parser which determines whether such a site is being accessed or logged in to leaves cleartext tokens in the URL, and accepts a malformed URL of the form username:password @ foo.tld, i.e. johndoe/mypassword@facebook.com. This allows an attacker on a machine that is logged in (without 2FA; more on this later) to spill the beans about all passwords in two ways.

Method 1: Log in to, or gain access to, a machine that is logged in and not locked (lock screens are useful, folks). Without any further password or credential prompts, open the password store and click ‘show password’, and the jig is up. As alluded to earlier, if 2FA (two-factor auth) is enabled this is thwarted, as it requires that secondary challenge for anything related to the account or password store.

Method 2: Type in the username (held in plaintext in the password store) and the target site, and the password becomes visible in plaintext in the URL.

The really scary part is that two security researchers have now exposed these attacks and it's still unpatched.
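The failure the two methods exploit is that a URL is allowed to carry a credential at all. The opening paragraph's advice, reducing any stored or logged URL to the hostname, is the defensive counterpart. The Python below is an added example, not LastPass code and not from the source article: it detects RFC 3986 userinfo (user or user:password before the host) in a URL, reduces a URL to the "minimal allowed to resolve" form so a site entry is matched by hostname alone, and redacts userinfo and token-bearing query parameters before a URL reaches a log. The list of sensitive query keys is a constructed assumption; the sample URL is constructed as well.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query keys treated as secret-bearing when redacting for logs (constructed list,
# not taken from any product; extend it to match the tokens your own apps emit).
SENSITIVE_QUERY_KEYS = {"token", "access_token", "id_token", "code", "password", "pwd", "auth"}


def _split(url):
    """urlsplit, but treat a bare 'host/path' as https so the host part is recognised."""
    return urlsplit(url if "://" in url else "https://" + url)


def credentials_in_url(url):
    """True if the URL carries userinfo (user or user:password) in front of the host."""
    parts = _split(url)
    return parts.username is not None or parts.password is not None


def sanitize_to_host(url):
    """Reduce a URL to scheme + lowercase hostname.

    Userinfo, port, path, query and fragment are all dropped: this is enough to
    match a site against a stored entry, and nothing that could carry a
    credential or session token survives.
    """
    parts = _split(url)
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("URL has no hostname: %r" % (url,))
    return urlunsplit((parts.scheme, host, "", "", ""))


def redact_for_logging(url):
    """Mask userinfo and secret-bearing query values so the URL can be logged safely."""
    parts = _split(url)
    netloc = parts.netloc
    if "@" in netloc:
        # Keep only the host[:port] after the last '@'; the userinfo is never logged.
        netloc = "REDACTED@" + netloc.rsplit("@", 1)[1]
    query = [(k, "REDACTED" if k.lower() in SENSITIVE_QUERY_KEYS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, netloc, parts.path, urlencode(query), parts.fragment))


if __name__ == "__main__":
    # Constructed sample URL of the shape the post describes.
    sample = "https://johndoe:mypassword@facebook.com/login?token=abc123&next=/home#top"
    print("credentials present:", credentials_in_url(sample))
    print("stored form:        ", sanitize_to_host(sample))
    print("logged form:        ", redact_for_logging(sample))
```

A client that stores only sanitize_to_host(url) and logs only redact_for_logging(url) has nothing for Method 2 to reveal, and credentials_in_url is the check to run on any incoming URL before it is matched against a password store.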

Original article courtesy of https://www.thehackernews.com