Attack on CCleaner Highlights the Importance of Securing Downloads and Maintaining User Trust
Some of the most worrying kinds of attacks are ones that exploit users’ trust in the systems and software they use every day. Yesterday, Cisco’s Talos security team uncovered just that kind of attack in the computer cleanup software CCleaner. Download servers at Avast, the company that owns CCleaner, had been compromised to distribute malware inside CCleaner 5.33 updates for at least a month. Avast estimates that over 2 million users downloaded the affected update. Even worse, CCleaner’s popularity with journalists and human rights activists means that particularly vulnerable users are almost certainly among that number. Avast has advised CCleaner Windows users to update their software immediately.
This is often called a “supply chain” attack, referring to all the steps software takes to get from its developers to its users. As more and more users get better at bread-and-butter personal security like enabling two-factor authentication and detecting phishing, malicious hackers are forced to stop targeting users and move “up” the supply chain to the companies and developers that make software. This means that developers need to get into the practice of “distrusting” their own infrastructure to ensure safer software releases with reproducible builds, allowing third parties to double-check whether released binary and source packages correspond. The goal should be to secure internal development and release infrastructure to the point that no hijacking, even from a malicious actor inside the company, can slip through unnoticed.
The harms of this hack extend far beyond the 2 million users who were directly affected. Supply chain attacks undermine users’ trust in official sources, and take advantage of the security safeguards that users and developers rely on. Software updates like the one Avast released for CCleaner are typically signed with the developer’s un-spoof-able cryptographic key. But the hackers appear to have penetrated Avast’s download servers before the software update was signed, essentially hijacking Avast’s update distribution process and punishing users for the security best practice of updating their software.
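As an added example (not part of the original article): a minimal shell check a third party could run to compare a released binary against independent rebuilds of the same source, which flags tampering even when the release carries a valid signature. The file names, the quorum argument and the exit codes are assumptions chosen for illustration, and the demo files are constructed.

```shell
#!/bin/sh
# Added example: check a released artifact against independent rebuilds.
# File names, the quorum argument and exit codes are illustrative assumptions.

# Print the SHA-256 of a file using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_release RELEASE QUORUM REBUILD...
# 0: at least QUORUM rebuilds given and all are bit-for-bit equal to RELEASE
# 1: a rebuild differs   2: a file is missing   3: too few rebuilds
verify_release() {
    release=$1; quorum=$2; shift 2
    [ -f "$release" ] || { echo "missing release: $release" >&2; return 2; }
    want=$(sha256_of "$release")
    matches=0
    for rebuild in "$@"; do
        [ -f "$rebuild" ] || { echo "missing rebuild: $rebuild" >&2; return 2; }
        got=$(sha256_of "$rebuild")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $rebuild ($got) vs release ($want)" >&2
            return 1
        fi
        matches=$((matches + 1))
    done
    if [ "$matches" -lt "$quorum" ]; then
        echo "only $matches matching rebuilds, need $quorum" >&2
        return 3
    fi
    echo "OK: $matches rebuilds match $want"
}

# Constructed demo: two honest rebuilds versus a release altered before distribution.
demo=$(mktemp -d)
printf 'app build\n' > "$demo/rebuild-a"
cp "$demo/rebuild-a" "$demo/rebuild-b"
printf 'app build + payload\n' > "$demo/release"
verify_release "$demo/release" 2 "$demo/rebuild-a" "$demo/rebuild-b" \
    || echo "release rejected (exit $?)"
rm -rf "$demo"
```

The comparison is only meaningful when the build is reproducible, so that honest rebuilds of the same source are byte-identical.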
Despite observations that these kinds of attacks are on the rise, the reality is that they remain extremely rare when compared to other kinds of attacks users might encounter. This and other supply chain attacks should not deter users from updating their software. Like any security decision, this is a trade-off: for every attack that might take advantage of the supply chain, there are one hundred attacks that will take advantage of users not updating their software.
For users, sticking with trusted, official software sources and updating your software whenever prompted remains the best way to protect yourself from software attacks. For developers and software companies, the attack on CCleaner is a reminder of the importance of securing every link of the download supply chain.
https://www.eff.org/deeplinks/2017/09/attack-ccleaner-highlights-importance-securing-downloads-and-maintaining-user

screen and tmux
A comparison of the features (or more so just a table of notes for accessing some of those features) for GNU screen and BSD-licensed tmux.
The formatting here is simple enough to understand (I would hope). ^ means ctrl+, so ^x is ctrl+x. M- means meta (generally left-alt or escape)+, so M-x is left-alt+x. It should be noted that this is nowhere near a full feature set of either group. This, being a cheat sheet, is just to point out the most basic features to get you on the road. Trust the developers and manpage writers more than me. This document is originally from 2009, when tmux was still new; since then both of these programs have had many updates and features added (not all of which have been dutifully noted here).
Action | tmux | screen |
start a new session | tmux OR tmux new OR tmux new-session | screen |
re-attach a detached session | tmux attach OR tmux attach-session | screen -r |
re-attach an attached session (detaching it from elsewhere) | tmux attach -d OR tmux attach-session -d | screen -dr |
re-attach an attached session (keeping it attached elsewhere) | tmux attach OR tmux attach-session | screen -x |
detach from currently attached session | ^b d OR ^b :detach | ^a ^d OR ^a :detach |
rename-window to newname | ^b , <newname> OR ^b :rename-window <newn> | ^a A <newname> |
list windows | ^b w | ^a w |
list windows in chooseable menu | | ^a " |
go to window # | ^b # | ^a # |
go to last-active window | ^b l | ^a ^a |
go to next window | ^b n | ^a n |
go to previous window | ^b p | ^a p |
see keybindings | ^b ? | ^a ? |
list sessions | ^b s OR tmux ls OR tmux list-sessions | screen -ls |
toggle visual bell | | ^a ^g |
create another window | ^b c | ^a c |
exit current shell/window | ^d | ^d |
split window/pane horizontally | ^b " | ^a S |
split window/pane vertically | ^b % | ^a | |
switch to other pane | ^b o | ^a <tab> |
kill the current pane | ^b x OR (logout/^D) | |
collapse the current pane/split (but leave processes running) | | ^a X |
cycle location of panes | ^b ^o | |
swap current pane with previous | ^b { | |
swap current pane with next | ^b } | |
show time | ^b t | |
show numeric values of panes | ^b q | |
toggle zoom-state of current pane (maximize/return current pane) | ^b z | |
break the current pane out of its window (to form new window) | ^b ! | |
re-arrange current panels within same window (different layouts) | ^b [space] | |
Kill the current window (and all panes within) | ^b killw [target-window] | |