Your browser does not support the audio element. Reality 2.0 - Episode 19: Democratizing Cybersecurity

Katherine Druckman and Doc Searls talk to Alex Gounares of Polyverse Linux about Cybersecurity for everyone.

• Download in ogg format

News briefs for May 24, 2019.

ZFS On Linux 0.8 has been released. This new version supports up through the 5.1 stable series. Phoronix reports that "ZFS On Linux 0.8 adds native encryption support as well as raw encrypted ZFS send/receive support. Other prominent feature additions for this ZFS Linux file-system code include support for device removal, pool checkpoints, TRIM/discard for solid-state drives is finally here, pool initialize support, Python 3 compatibility with its tools, the ability to tap the Linux kernel's direct I/O interfaces, various performance improvements, and much more." See GitHub for more details.

BlackArch Linux 2019.06.01 is now available. This version of the Arch-based distro for penetration testing and security researchers includes more than 150 new tools, updated vim plugins, Linux kernel 5.1.4, updated all system packages and much more. You can download ISOs or OVA images here.

Canonical has released updated intel-microcode firmware in response to new MDS security vulnerabilities discovered on systems running Intel Cherry Trail and Intel Bay Trail processors. According to Softpedia News, "If you are using Ubuntu 19.04 (Disco Dingo), Ubuntu 18.10 (Cosmic Cuttlefish), Ubuntu 18.04 LTS (Bionic Beaver), Ubuntu 16.04 LTS (Xenial Xerus), or Ubuntu 14.04 ESM (Trusty Tahr) on a computer powered by an Intel CPU, you must update the intel-microcode packages to version 3.20190514.0 as soon as possible, as well as to install the latest available Linux kernel package for your Ubuntu version."

Peppermint 10 was released recently. The main changes include kernel 4.18.0-18 (which will eventually roll onto the 5.xx kernel automatically), updated xorg stack, proprietary NVIDIA drivers are now installed automatically, and more. See the full release notes for more information. You can download Peppermint from here.

Guardian Digital, the open-source email security provider, is celebrating "20 years of revolutionizing email security using the power of Open Source". In honor of this anniversary, it is "offering 20% off EnGarde Email Security Gateway to businesses that sign up for a free trial during June 2019." Go here for more information on the Guardian Digital EnGarde Email Security Gateway.

News ZFS On Linux BlackArch Linux Security Canonical Intel Ubuntu Peppermint email Guardian Digital

by Thomas Golden

How to install and minimally configure Knot to act as your home lab's local domain master and slave servers.

If you were a regular viewer of the original Saturday Night Live era, you will remember the Festrunks, two lewd but naïve Czech brothers who were self-described "wild and crazy guys!" For me, Gyorg and Yortuk (plus having my binomial handed to me by tests designed by a brilliant Czech professor at the local university's high-school mathematics contests) were the extent of my knowledge of the Czech Republic.

I recently discovered something else Czech, and it's not wild and crazy at all, but quite tame and sane, open-source and easy to configure. Knot DNS is an authoritative DNS server written in 2011 by the Czech CZ.NIC organization. They wrote and continue to maintain it to serve their national top-level domain (TLD) as well as to prevent further extension of a worldwide BIND9 software monoculture across all TLDs. Knot provides a separate fast caching server and resolver library alongside its authoritative server.

Authoritative nameserver and caching/recursive nameserver functions are separated for good reason. A nameserver's query result cache can be "poisoned" by queries that forward to malicious external servers, so if you don't allow the authoritative nameserver to answer queries for other domains, it cannot be poisoned and its answers for its own domain can be trusted.

A software monoculture means running identical software like BIND9 everywhere rather than different software providing identical functionality and interoperability. This is bad for the same reasons we eventually will lose our current popular species of banana—being genetically identical, all bananas everywhere can be wiped out by a single infectious agent. As with fruit, a bit of genetic diversity in critical infrastructure is a good thing.

In this article, I describe how to install and minimally configure Knot to act as your home lab's local domain master and slave servers. I will secure zone transfer using Transaction Signatures (TSIG). Although Knot supports DNSSEC, I don't discuss it here, because I like you and want you to finish reading before we both die of old age. I assume you already know what a DNS zone file is and what it looks like.

Go to Full Article

News briefs for May 23, 2019.

GitHub launches a new tool called Sponsors that lets you make payments to open-source developers. Tech Crunch reports, that "Developers will be able to opt into having a 'Sponsor me' button on their GitHub repositories and open source projects will also be able to highlight their funding models, no matter whether that's individual contributions to developers or using Patreon, Tidelift, Ko-fi or Open Collective.

Feral Interactive announces that Total War: THREE KINGDOMS is out on Linux and macOS, the same day as the Windows release. The game was developed by Creative Assembly and is the first in the Total War series to be set in ancient China. It's available now from the Feral Interactive Store for $59.99, and you can watch the trailer here.

IBM announces global expansion of its IBM Watson Decision Platform for Agriculture. From the press release: "For the first time, IBM is providing a global agriculture solution that combines predictive technology with data from The Weather Company, an IBM Business, and IoT data to help give farmers around the world greater insights about planning, plowing, planting, spraying and harvesting."

Elisa 0.4.0 has been released. This version of the KDE community-developed music player has several new features, including improved grid views elements, support for libVLC and more. You can get it via the flathub package or the source code tarball.

NASA has deployed three "Astrobee" robots on the International Space Station to do house-keeping tasks. According to Linux Gizmos "the bots run Ubuntu/ROS and Android 7.1 on Snapdragon-based Inforce modules and a Wandboard and feature 3x payload bays, 6x cameras, and a touchscreen." The Astrobees are named Honey, Queen and Bumble. Linux Gizmos writes that their chief job "is to let astronauts remotely monitor equipment via the bots' cameras and mic while the they're working elsewhere on the ISS. They can also perform inventory and do other housekeeping chores, or act as a general-purpose floating touchscreen computer."

News GitHub gaming Feral Interactive IBM IOT AI Elisa KDE multimedia NASA Ubuntu Android

by Zack Brown

Kernel development is always strange. Andrea Parri recently posted a patch to change the order of memory reads during multithreaded operation, such that if one read depended upon the next, the second could not actually occur before the first.

The problem with this was that the bug never could actually occur, and the fix made the kernel's behavior less intuitive for developers. Peter Zijlstra, in particular, voted nay to this patch, saying it was impossible to construct a physical system capable of triggering the bug in question.

And although Andrea agreed with this, he still felt the bug was worth fixing, if only for its theoretical value. Andrea figured, a bug is a bug is a bug, and they should be fixed. But Peter objected to having the kernel do extra work to handle conditions that could never arise. He said, "what I do object to is a model that's weaker than any possible sane hardware."

Will Deacon sided with Peter on this point, saying that the underlying hardware behaved a certain way, and the kernel's current behavior mirrored that way. He remarked, "the majority of developers are writing code with the underlying hardware in mind and so allowing behaviours in the memory model which are counter to how a real machine operates is likely to make things more confusing, rather than simplifying them!"

Still, there were some developers who supported Andrea's patch. Alan Stern, in particular, felt that it made sense to fix bugs when they were found, but that it also made sense to include a comment in the code, explaining the default behavior and the rationale behind the fix, even while acknowledging the bug never could be triggered.

But, Andrea wasn't interested in forcing his patch through the outstretched hands of objecting developers. He was happy enough to back down, having made his point.

It was actually Paul McKenney, who had initially favored Andrea's patch and had considered sending it up to Linus Torvalds for inclusion in the kernel, who identified some of the deeper and more disturbing issues surrounding this whole debate. Apparently, it cuts to the core of the way kernel code is actually compiled into machine language. Paul said:

We had some debates about this sort of thing at the C++ Standards Committee meeting last week.

Pointer provenance and concurrent algorithms, though for once not affecting RCU! We might actually be on the road to a fix that preserves the relevant optimizations while still allowing most (if not all) existing concurrent C/C++ code to continue working correctly. (The current thought is that loads and stores involving inline assembly, C/C++ atomics, or volatile get their provenance stripped. There may need to be some other mechanisms for plain C-language loads and stores in some cases as well.)

Go to Full Article

News briefs for May 22, 2019.

The Antergos Linux distro is calling it quits. The developers of the Arch-based distro say they no longer have time to maintain it properly, and are taking the action now while the code is still working in case other developers want to start their own projects with it. From the Antergos blog: "For existing Antergos users: there is no need to worry about your installed systems as they will continue to receive updates directly from Arch. Soon, we will release an update that will remove the Antergos repos from your system along with any Antergos-specific packages that no longer serve a purpose due to the project ending. Once that is completed, any packages installed from the Antergos repo that are in the AUR will begin to receive updates from there."

HP Linux Imaging and Printing (HPLIP) software has been updated to version 3.19.5 for Linux-based OSes. According to Softpedia News, this new release of the open-source and free print, scan and fax driver solution for HP printers and scanners supports "a plethora of new HP printers" (too many to list here), and it also brings support for several new distros, such as "Ubuntu 19.04 (Disco Dingo), Debian GNU/Linux 9.8, and Fedora 30". See the official HPLIP 3.19.5 Release Notes for more information.

Kali Linux announces its second release of the year, Kali Linux 2019.2. This release "brings our kernel up to version 4.19.28, fixes numerous bugs, includes many updated packages, and most excitingly, features a new release of Kali Linux NetHunter!" You can download it from here.

Tails 3.14 has been released. The release fixes many security issues, so you are urged to update as soon as possible. Some changes include an update to kernel 4.19.37, enabling "all available mitigations for the MDS (Microarchitectural Data Sampling) attacks and disable SMT (simultaneous multithreading) on all vulnerable processors to fix the RIDL, Fallout and ZombieLoad security vulnerabilities" and updating the Tor Browser to 8.5, among others.

openSUSE 15.1 Leap has been released. This release includes a huge number of new features, such as improved YaST functionality, an entirely new graphics stack update and much more. Go here to download the ISO image and see the openSUSE Wiki for more details on all of the new features in 15.1

News Antergos Distributions HP Kali Linux Tails openSUSE

by Pavan Singh

Linux container technology was introduced more than a decade ago and has recently jumped in adoption in IT environments. However, the OT (operational technology) environments, typically made up of heterogenous embedded systems, have lagged in the adoption of container technologies, due to both the unique technology requirements and the business models that relied on proprietary systems. In this article, I explore recent innovation in open-source offerings that are enabling the use of containers in OT use cases, such as industrial control systems, IoT gateways, medical devices, Radio Access Network (RAN) products and network appliances.

Enterprise IT leaders have adopted “cloud-native” computing architectures because of the innovation velocity and cost benefits derived by the approach. To leverage containers, developers segment applications into modular micro-services that enable flexible development and deployment models. These micro-services are then deployed as containers where the service itself is integrated with the required libraries and functions. On containerization, these application components have small footprints and fast speeds of deployment. The applications become highly portable across compute architectures due to the abstraction away from the hardware and the operating system.

The benefits of flexibility and the modularity offered by container-based architectures are fully realized when leveraged in conjunction with higher-level orchestration systems that can manage the containers throughout their entire lifecycle. Kubernetes, the leading open-source orchestration system for containers, has gained a lot of traction over the last few years. Initially developed by Google, the Kubernetes project is now maintained by the Cloud Native Compute Foundation (CNCF). CNCF is dedicated to reducing the friction around the adoption of cloud-native technologies and brings to bear a few key cloud-native projects, such as Kubernetes, Prometheus and Envoy. This is an example of an open-source organization that has fostered collaboration among the entire value chain – developers, end-users and vendors. Today’s CNCF membership includes significant technology brands, such as Amazon, Cisco, Google, Microsoft, Oracle, SAP and many others.

Containers and other cloud-native paradigms were initially developed with IT environments in mind. And as these technologies have matured and the capability of the cloud-native technologies increased, the OT decision-makers have taken notice. And as more developers get access to container technology, they are going through a journey of their own, albeit one that is different from the journey of the IT developers over the last decade.

Go to Full Article

News briefs for May 21, 2019.

Firefox 67.0 was released today. From the Mozilla blog: "Today's new Firefox release continues to bring fast and private together right at the crossroads of performance and security. It includes improvements that continue to keep Firefox fast while giving you more control and assurance through new features that your personal information is safe while you're online with us." You can download it from here, and see the release notes for details.

ownCloud announces its new server version 10.2, which introduces advanced sharing permissions, a secure view feature and automatic synchronization between federated clouds. From the press release: "the new server version of ownCloud focuses on more freedom and security in file distribution. The "Advanced Sharing Permissions" feature in particular provides developers with far-reaching options for implementing individual release functions at user and group level as well as providing data with special security settings."

Google has launched a "Glass Enterprise Edition 2" headset. According to Linux Gizmos, the new device has a "faster processor, longer battery life, improved camera and wireless features, and a reduced $999 price" compared with the previous Glass Enterprise Edition. It "runs Android Oreo on a faster, quad-core, 1.7GHz Snapdragon XR1 SoC with an 8MP camera, WiFi-ac, BT 5.x, a USB Type-C port, and longer battery life."

Ubuntu has expanded its Kernel Uploader Team. Phoronix reports that it's "a sign of the times with the Linux kernel being affected by an increasing number of CVEs (and particularly high profile ones at that), there are now more Ubuntu developers with upload rights for sending down new kernel upgrades." New to the Kernel Uploaders Team are Tyler Hicks, Juerg Haefliger and Khalid Elmously.

Kenna Security reports that "nearly 20% of the 1000 most popular Docker containers have no root password". Researcher Jerry Gamblin built a script to find null root Docker containers, available on GitHub that found some well known names: "govuk/governmentpaas, hashicorp, microsoft, monsanto, and mesosphere. kylemanna/openvpn is the most popular container on the list and it has over 10,000,000 pulls." He also notes that "The findings are interesting, but I don't want to be overly alarmist. Just because a container has no root password does not mean that it is automatically vulnerable. These findings could lead to configuration-based vulnerabilities in certain situations, as was the case with this the Alpine Linux vulnerability."

News Firefox Mozilla Privacy OwnCloud Google Ubuntu kernel Docker

by Todd A. Jacobs

A look at the recently released YubiKey 5 hardware authenticator series and how web authentication with the new WebAuthn API leverages devices like the YubiKey for painless website registration and strong user authentication.

I covered the YubiKey 4 in the May 2016 issue of Linux Journal, and the magazine has published a number of other articles on both YubiKeys and other forms of multi-factor authentication since then. Yubico recently has introduced the YubiKey 5 line of products. In addition to the YubiKey's long-time support of multiple security protocols, the most interesting feature is the product's new support for FIDO2 and WebAuthn.

WebAuthn is an application programming interface (API) for web authentication. It uses cryptographic "authenticators", such as a YubiKey 5 hardware token to authenticate users, in addition to (or even instead of) a typical user name/password combination. WebAuthn is currently a World Wide Web Consortium (W3C) candidate recommendation, and it's already implemented by major browsers like Chrome and Firefox.

This article provides an overview of the YubiKey 5 series, and then goes into detail about how the WebAuthn API works. I also look at how hardware tokens, such as the YubiKey 5 series, hide the complexity of WebAuthn from users. My goal is to demonstrate how easy it is to use a YubiKey to register and authenticate with a website without having to worry about the underlying WebAuthn API.

About the YubiKey 5 Series

The YubiKey 5 series supports a broad range of two-factor and multi-factor authentication protocols, including:

• Challenge-response (HMAC-SHA1 and Yubico OTP).
• Client to Authenticator Protocol (CTAP).
• FIDO Universal 2nd-Factor authentication (U2F).
• FIDO2.
• Open Authorization, HMAC-Based One-Time Password (OATH-HOTP).
• Open Authorization, Time-Based One-Time Password (OATH-TOTP).
• OpenPGP.
• Personal Identity Verification (PIV).
• Web Authentication (WebAuthn).
• Yubico One-Time Password (OTP).

In addition, the entire YubiKey 5 series (with the exception of the U2F/FIDO2-only Security Key model) now supports OpenPGP public key cryptography with RSA key sizes up to 4096 bits. This is a notable bump from the key sizes supported by some earlier models. Yubico's OpenPGP support also includes an additional slot for an OpenPGP authentication key for use within an SSH-compatible agent, such as GnuPG's gpg-agent.

Figure 1. YubiKey 5 Series

Go to Full Article

News briefs for May 20, 2019.

Linux kernel 5.2-rc1 is out. Linus Torvalds writes: "Things look fairly normal. Just about two thirds of the patch is drivers (all over), with the bulk of the rest being arch updates, tooling, documentation and vfs/filesystem updates, of which there were more than usual (the unicode tables for ext4 case insensitivity do end up being a big part of the "bulk" side). But there's core networking, kernel and vm changes too - it's just that the other areas tend to simply be much bulkier."

The the first pre-release of Xfce 4.14 is now available. Simon Steinbeiß's blog post covers only the changes in the latest development release, as the Xfce 4.12 was four years ago. Highlights include FailSafeSession has been fixed, improvements to vertical blanking support, a new colord front end was added, and much more.

Microsoft recently released its SPTAG algorithm as MIT-licensed open source on GitHub. Ars Technica reports that this algorithm is part of what gives Bing its smarts, noting that "Developers can use this algorithm to search their own sets of vectors and do so quickly: a single machine can handle 250 million vectors and answer 1,000 queries per second." This release is part of the company's effort to "Democratize AI".

The South Korean government plans to switch to Linux as the end of Windows 7 support nears. According to ZDNet, "the nation's Interior Ministry last week announced plans for a potentially major Linux deployment as part of a plan to cut tech costs and reduce its reliance on a single operating system. It's not known what mix of Windows 7 and Windows 10 the Korean government currently uses, however the plan to adopt Linux more widely comes as organizations around the world prepare for the end of Windows 7 support on January 14, 2020."

The Arduino team announced the launch of four new Nano boards: Arduino Nano Every, "perfect for everyday projects"; Arduino Nano 33 IoT, "small, secure, and Internet-connected"; Arduino Nano 33 BLE, "small, low-power, and Bluetooth-connected"; and Arduino Nano BLE Sense, "small, low-power, and Bluetooth-connected with a wide range of on-board sensors". The boards start at just $9.90 for the Nano Every. Arduino co-founder Massimo Banzi commented that the new Nanos "are for those millions of makers who love using the Arduino IDE for its simplicity and open source aspect, but just want a great value, small and powerful board they can trust for their compact projects".

News kernel XFCE Microsoft Machine Learning AI Arduino Government open source

by Petros Koutoupis

By design, NVMe drives are intended to provide local access to the machines they are plugged in to; however, the NVMe over Fabric specification seeks to address this very limitation by enabling remote network access to that same device.

This article puts into practice what you learned in Part I and shows how to use NVMe drives in a Linux environment. But, before continuing, you first need to make sure that your physical (or virtual) machine is up to date. Once you verify that to be the case, make sure you're able to see all connected NVMe devices:

$ cat /proc/partitions |grep -e nvme -e major major minor #blocks name 259 0 3907018584 nvme2n1 259 1 3907018584 nvme3n1 259 2 3907018584 nvme0n1 259 3 3907018584 nvme1n1

Those devices also will appear in sysfs:

$ ls /sys/block/|grep nvme nvme0n1 nvme1n1 nvme2n1 nvme3n1

If you don't see any connected NVMe devices, make sure the kernel module is loaded:

petros@ubu-nvme1:~$ lsmod|grep nvme nvme 32768 0 nvme_core 61440 1 nvme

Next, install the drive management utility called nvme-cli. This utility is defined and maintained by the very same NVM Express committee that defined the NVMe specification. The nvme-cli source code is hosted on GitHub. Fortunately, some operating systems offer this package in their internal repositories. Installing it on the latest Ubuntu looks something like this:

petros@ubu-nvme1:~$ sudo add-apt-repository universe petros@ubu-nvme1:~$ sudo apt update && sudo apt install ↪nvme-cli

Using this utility, you're able to list more details of all connected NVMe drives (note: the tabular output below has been reformatted and truncated to better fit here):

Go to Full Article

News briefs for Friday, May 17, 2019.

Hewlett Packard Enterprise to buy Supercomputer-maker Cray. Bloomberg reports that the deal is "valued at about $1.4 billion as the firm works to become more competitive in high-end computing", and "Cray investors will get $35 a share in cash".

ManagedKube launches k8sBot, "an app that provides a point-and-click user interface for Kubernetes in Slack", available on the Google Cloud Platform (GCP) Marketplace. From the press release: "Companies can now ensure that all their team members have access to Kubernetes information. ManagedKube's k8sBot provides an easy-to-use interface in Slack so users can retrieve pod status, get pod logs, and get real-time troubleshooting recommendations with just one click. DevOps teams can get more done with k8sBot by easily sharing Kubernetes information in Slack, where team discussions are already happening, and automating DevOps support by democratizing access to Kubernetes information." You can install ManagedKube's k8sBot from here.

Purism's Librem One Suite surpasses its Crowdfunding goal after two weeks, demonstrating the "demand for ethical alternatives to Big Tech as data privacy snafus continue to plague users on a weekly basis". The Librem One Suite includes "end-to-end encrypted chat, end-to-end encrypted mail, and end-to-end encrypted VPN, as well as an open public social network. More services, such as end-to-end encrypted cloud storage, payments, and phone service, will be built in the future and added to the bundle. All current and future services in Librem One have no ads, do not track users, do not look at, sell, or share anything people create or send, and are available on popular platforms like Android and iOS." See Founder and CEO Todd Weaver's blog post 5000 Happy Librem One Users!" for more details.

Cloudflare this morning announces its support of BinaryAST. From the press release: "BinaryAST is a new over-the-wire format for JavaScript proposed and actively developed by Mozilla that aims to speed up parsing while keeping the semantics of the original JavaScript intact." See also the Cloudflare blog post "Faster script loading with BinaryAST" and VentureBeat's "Cloudflare-supported BinaryAST promises dramatically faster JavaScript apps" for more information.

Researchers have discovered another Intel processor vulnerability called Zombieload. According to ZDNet, "The researchers have shown a Zombieload exploit that can look over your virtual shoulder to see the websites you're visiting in real-time. Their example showed someone spying on another someone using the privacy-protecting Tor Browser running inside a virtual machine (VM)." But there's some good news: "To defend yourself, your processor must be updated, your operating system must be patched, and for the most protection, Hyper-Threading disabled. When Meltdown and Spectre showed up, the Linux developers were left in the dark and scrambled to patch Linux. This time, they've been kept in the loop."

News Hewlett Packard Enterprise supercomputing Cray ManagedKube k8sBot Kubernetes Purism Librem One Security Privacy Cloudflare BinaryAST Mozilla Zombieload Intel

by Heike Jurzik a…

Bareos (Backup Archiving Recovery Open Sourced) is a cross-network, open-source backup solution that preserves, archives and recovers data from all major operating systems. The Bareos project started 2010 as a Bacula fork and is now being developed under the AGPLv3 license.

The client/server-based backup solution is actually a set of computer programs (Figure 1) that communicate over the network: the Bareos Director (BD), one or more Storage Dæmons (SD) and the File Dæmons (FD). Due to this modular design, Bareos is scalable—from single computer systems (where all components run on one machine) to large infrastructures with hundreds of computers (even in different geographies).

Figure 1. A Typical Bareos Setup: Director (with Database), File Dæmon(s), Storage Dæmon(s) and Backup Media

The director is the central control unit for all other dæmons. It manages the database (catalog), the connected clients, the file sets (they define which data Bareos should back up), the configuration of optional plugins, before and after jobs (programs to be executed before or after a backup job), the storage and media pool, schedules and the backup jobs. Bareos Director runs as a dæmon.

The catalog maintains a record of all backup jobs, saved files and volumes used. Current Bareos versions support PostgreSQL, MySQL and SQLite, with PostgreSQL being the preferred database back end.

The File Dæmon (FD) must be installed on every client machine. It is responsible for the backup as well as the restore process. The FD receives the director's instructions, executes them and transmits the data to the Bareos Storage Dæmon. Bareos offers pre-packed file dæmons for many popular operating systems, such as Linux, FreeBSD, AIX, HP-UX, Solaris, Windows and macOS. Like the director, the FD runs as a dæmon in the background.

The Storage Dæmon (SD) receives data from one or more File Dæmons (at the director's request). It stores the data (together with the file attributes) on the configured backup medium. Bareos supports various types of backup media, as shown in Figure 1, including disks, tape drives and even cloud storage solutions. During the restore process, the SD is responsible for sending the correct data back to the FD(s). The Storage Dæmon runs as a dæmon on the machine handling the backup device(s).

Backup Jobs

A backup job defines what to back up (FileSet directive for the client), when to back up (schedule) and where to back up (for example, on a disk, tape, etc.). Bareos is quite flexible, and you can mix different directives. So you can have different job definitions (resources), backing up different machines, but using the same schedule, the same FileSet and even the same backup medium.

Go to Full Article

News briefs for May 16, 2019.

IPFire 2.23 - Core Update 131 has been released. This release brings a new Intrusion Prevention System that makes your networks "more secure by deeply inspecting packets and trying to identify threats". See the IPFire blog for more details and instructions on how to migrate to the new IPS.

The Linux Foundation announces the formation of the Urban Computing Foundation "to accelerate open source software that improves mobility, safety, road infrastructure, traffic congestion and energy consumption in connected cities. Initial contributors include developers from Uber, Facebook, Google, HERE Technologies, IBM, Interline Technologies, Senseable City Labs, StreetCred Labs and University of California San Diego (UCSD)." The Foundation's first project is kepler.gl, "an open-source geospatial analysis tool created by Uber for building large-scale data sets".

The Atomic Pi has recently hit retail channels after its successful Kickstarter campaign (although it's currently sold out). Phoronix reports that the $35 Atomic Pi "offers an Intel Atom x5-Z8350 quad-core, 2GB DDR3L-1600 memory, 16GB eMMC, SD slot, USB 3.0/2.0 ports, 802.11ac WiFI, Bluetooth 4.0, and Gigabit Ethernet". The article also notes that "It's quite a board for the price and to compete with the likes of the Raspberry Pi." Go to Digital Loggers for more information.

IBM announces it will expand its "New Collar" program into France, "s part of a commitment to help prepare the French workforce for the business and social transformation being driven by hybrid cloud, digital and AI technologies." IBM plans to launch P-TECH schools in France to "provide technical and professional educational opportunities to young people, primarily from disadvantaged backgrounds". It also is launching "SkillsBuild, a new digital platform, which provides job seekers—including those returning to work after leave, the long-term unemployed, migrants, veterans and those changing professions—with the digital content, personalized coaching and experiential learning they need to gain technical and professional skills required to re-enter the workforce." Read the press release for more details.

In other IBM news, IBM this week announced new services and capabilities for IBM Z. One new feature is Tailored Fit Pricing, which is "pricing adjusts with usage, removing the need for complex and restrictive capping, and includes aggressive pricing for growth". The other new feature is IBM z/OS Container Extensions: "With z/OS Container Extensions, customers will be able to access the most recent development tools and processes available in Linux on the Z ecosystem, giving developers the flexibility to build new, cloud-native containerized apps and deploy them on z/OS without requiring Linux or a Linux partition."

News IPFire Security The Linux Foundation Urban Computing Foundation Atomic Pi SBCs IBM

by Kyle Rankin

Protect your code commits from malicious changes by GPG-signing them.

Often when people talk about GPG, they focus on encryption—GPG's ability to protect a file or message so that only someone who has the appropriate private key can read it. Yet, one of the most important functions GPG offers is signing. Where encryption protects a file or message so that only the intended recipient can decrypt and read it, GPG signing proves that the message was sent by the sender (whomever has control over the private key used to sign) and has not been altered in any way from what the sender wrote.

Without GPG signing, you could receive encrypted email that only you could open, but you wouldn't be able to prove that it was from the sender. But, GPG signing has applications far beyond email. If you use a modern Linux distribution, it uses GPG signatures on all of its packages, so you can be sure that any software you install from the distribution hasn't been altered to add malicious code after it was packaged. Some distributions even GPG-sign their ISO install files as a stronger form of MD5sum or SHA256sum to verify not only that the large ISO downloaded correctly (MD5 or SHA256 can do that), but also that the particular ISO you are downloading from some random mirror is the same ISO that the distribution created. A mirror could change the file and generate new MD5sums, and you may not notice, but it couldn't generate valid GPG signatures, as that would require access to the distribution's signing key.

Why Sign Git Commits

As useful as signing packages and ISOs is, an even more important use of GPG signing is in signing Git commits. When you sign a Git commit, you can prove that the code you submitted came from you and wasn't altered while you were transferring it. You also can prove that you submitted the code and not someone else.

Being able to prove who wrote a snippet of code isn't so you know who to blame for bugs so the person can't squirm out of it. Signing Git commits is important because in this age of malicious code and back doors, it helps protect you from an attacker who might otherwise inject malicious code into your codebase. It also helps discourage untrustworthy developers from adding their own back doors to the code, because once it's discovered, the bad code will be traced to them.

How to Sign Git Commits

The simplest way to sign Git commits is by adding the -S option to the git commit command. First, figure out your GPG key ID with:

Go to Full Article

News briefs for May 15, 2019.

Nextcloud this morning announced a new partnership with Nitrokey, maker of highly secure, open-source encryption USB keys. From the press release: "The Nitrokey Pro 2 and Nitrokey Storage 2 devices have been verified to work easily with Nextcloud's one-time passwords for secure two-factor authentication (2FA). This protects users' accounts in the event of compromised passwords. Furthermore the USB keys feature a password manager, a cryptographic key store for email encryption and SSH administration. In addition the Nitrokey Storage 2 contains an encryption mass storage drive with the option of hidden volumes." In addition, Nextcloud and Nitrokey will explore further collaboration "especially in the area of end-to-end encryption and secure storage of cryptographic keys". See the Nextcloud blog for more details.

An unauthorized version of Arch Linux for WSL is now available from the Microsoft Store. Bleeping Computer reports that "an Arch Linux team member has also pointed out that the distribution on the Microsoft Store added an unknown repository to the pacman.conf file, so if you install packages through it, it is not known if they have been tampered with."

VirtualBox 6.0.8 has been released. According to Softpedia News, this is a maintenance and stability release, but it does fix some important problems, such as saved state resume failures and mouse click pass-through issues. For Linux platforms, this release also adds "support for shared folders on systems powered by Linux kernel 3.16.35 LTS, support for correctly handling the read-only flag of shared folders, and support for successfully building the VirtualBox kernel module in both non-default and debug build setups." See the full changelog for more information.

KDE needs your help with testing Plasma Theme switching: "Please get one of the Live images with latest code from the Plasma developers hands (or if you build manually yourself from master branches, last night's code should be fine) and give the switching of Plasma Themes a good test, so we can be sure things will work as expected on arrival of Plasma 5.16: KDE neon Unstable Edition and openSUSE Krypton. If you find glitches, please report them here in the comments, or better on the #plasma IRC channel.

Intel announces a major update to Clear Linux and a new developer edition. ZDNet reports that "In the new developer edition, besides giving developers a Linux designed to make the most of Intel hardware, its basic programmer bundles are curated to provide all the relevant developer tools with one installation command." With this update, Clear Linux also includes "Intel hardware optimized programmer software stacks for Deep Learning and Data Analytics".

News Nextcloud Security Nitrokey Privacy Arch Linux Microsoft VirtualBox KDE Plasma Intel Clear Linux

by Petros Koutoupis

Puppet has long been regarded as nothing more than an open-source software configuration management tool. The company has become a standard for automating the delivery and operation of the software that powers everything around us. Well, this is about to change. Puppet has evolved and has positioned itself to tackle enterprise-grade problems. All of this and more, was announced on May 2, 2019.

So what makes this announcement so exciting? I sat down with Matt Waxman, Puppet's Head of Products to learn more.

Petros Koutoupis: Please introduce yourself to our readers.

Matt Waxman: I have been the Head of Products at Puppet since 2017. I have been in the Product space for at least 20 years, largely focused on infrastructure. Before coming to Puppet, I was in data storage backup, replication and disaster recovery. I am the guy who deals with roadmaps and user experience across our product portfolio.

Petros: What can you tell us about this announcement?

Matt Waxman: Automation of more than just the state of your virtual machines, containers and so on is extremely important. How do you enable more teams? It is all about service, safety and quality of delivery. This is what we are doing with Puppet to serve those exact needs. And with our latest release 2019.1, we simplify the experience in automation to meet those demands.

We enhanced our agentless and agent-based capabilities, such as supporting the automation of network devices (for example, Cisco and Palo Alto) and giving users the ability to automate anything and anywhere quickly, efficiently, safely and at scale. But some of our most notable changes are centered around our agentless task runner, Bolt. We introduced it about a year and a half ago. Bolt is an automation tool built to automate anything in your infrastructure without the hassle. It was very well received by the Open Source community. What is new here though is we have found that more and more customers and users are starting to automate from a development perspective. Developers have a constant need to stand up an infrastructure quickly for both testing and support. Not only did we make Bolt more user-friendly for the broader community, but we also added YAML support.

Petros: Why is this announcement so exciting?

Matt Waxman: The demand for infrastructure-focused automation is growing, and many companies are unable to scale to meet that demand. With release 2019.1, we made a lot of investment in not only addressing this challenge but also in simplifying the experience.

Go to Full Article

News briefs for May 14, 2019.

A vulnerability in WhatsApp allows spyware to be installed from a single unanswered phone call. The Verge reports that the "spyware, developed by Israel's secretive NSO group, can be installed without trace and without the target answering the call, according to security researchers and confirmed by WhatsApp. Once installed, the spyware can turn on a phone's camera and mic, scan emails and messages, and collect the user's location data. WhatsApp is urging its 1.5 billion global users to update the app immediately to close the security hole."

Adobe warns Creative Cloud users with older apps. According to Engadget, "The software company has sent out emails to customers warning them of being "at risk of potential claims of infringement by third parties" if they continue using outdated versions of CC apps, including Photoshop and Lightroom. These emails even list the old applications installed on the subscribers' systems, and in some cases, they mention what the newest available versions are." Users are being told they are no longer licensed to use the apps and that they need to update to the latest authorized version.

Linux systems running distros with kernels older than 5.0.8 are vulnerable to remote code execution. From Bleeping Computer: "Potential attackers could exploit the security flaw found in Linux kernel's rds_tcp_kill_sock TCP/IP implementation in net/rds/tcp.c to trigger denial-of-service (DoS) states and to execute code remotely on vulnerable Linux machines. The attacks can be launched with the help of specially crafted TCP packets sent to vulnerable Linux boxes which can trigger use-after-free errors and enable the attackers to execute arbitrary code on the target system." The vulnerability is being tracked as CVE-2019-11815.

Schools in the Indian state of Kerala have chosen Linux as their OS, which will save them roughly $428 million. According to It's FOSS, Kerala is "the first 100% literate Indian state". IT classes have been mandatory since 2003, and the schools started adopting free and open-source software a few years later, with the plan of getting rid of proprietary software in the schools. "As a result, the state claimed to save around $50 million per year in licensing costs in 2015. Further expanding their open source mission, Kerala is going to put Linux with open source educational software on over 200,000 school computers."

MakeOpenStuff is launching a Crowd Supply campaign for HestiaPi Touch, "an open source, smart thermostat for controlling HVAC and water systems". Linux Gizmos writes that the thermostat "runs a Linux-based openHAB stack on an RPI Zero W along with relays, a 3.5-inch display, and temperature, humidity, and pressure sensors". The HestiaPi Touch will cost $95 (without a case) or $145 (with case), and it's expected to ship in October or November. Linux Gizmos notes that "The hackable device competes directly with the $249 Google Nest Learning Thermostat. Unlike the Nest devices, it does not require a cloud connection thereby ensuring privacy and offering full control to the user."

News Security WhatsApp Adobe kernel Education HestiPi Touch Raspberry Pi Privacy

by Zack Brown

CGroups are under constant development, partly because they form the core of many commercial services these days. An amazing thing about this is that they remain an unfinished project. Isolating and apportioning system elements is an ongoing effort, with many pieces still to do. And because of security concerns, it never may be possible to present a virtual system as a fully independent system. There always may be compromises that have to be made.

Recently, Andrey Ryabinin tried to fix what he felt was a problem with how CGroups dealt with low-memory situations. In the current kernel, low-memory situations would cause Linux to recuperate memory from all CGroups equally. But instead of being fair, this would penalize any CGroup that used memory efficiently and reward those CGroups that allocated more memory than they needed.

Andrey's solution to this was to have Linux recuperate unused memory from CGroups that had it, before recuperating any from those that were in heavy use. This would seem to be even less fair than the original behavior, because only certain CGroups would be targeted and not others.

Andrey's idea garnered support from folks like Rik van Riel. But not everyone was so enthralled. Roman Gushchin, for example, pointed out that the distinction between active and unused memory was not as clear as Andrey made it out to be. The two of them debated this issue quite a bit, because the whole issue of fair treatment hangs in the balance. If Andrey's whole point is to prevent CGroups from "gaming the system" to ensure more memory for themselves, then the proper approach to low-memory conditions depends on being able to identify clearly which CGroups should be targeted for reclamation and which should be left alone.

At the same time, the situation could be seen as a security concern, with an absolute need to protect independent CGroups from each other. If so, something like Andrey's patch would be necessary, and many more security-minded developers would start to take an interest in getting the precise details exactly right.

Note: if you're mentioned above and want to post a response above the comment section, send a message with your response text to ljeditor@linuxjournal.com.

Go to Full Article

by Bryan Lunduke

Do you have l33t ASCII/ANSI art skillz? Your work could grace the cover of Linux Journal!

That's right—your ASCII art on the cover of the longest-running Linux publication on the planet.

What the artwork is depicting is, really, up to you. But, since this is Linux Journal, here are a few good ideas:

• Something involving Tux the Penguin.
• Something involving Linux in general.
• Something involving terminals or computers in general.
• Something else entirely, so long as it makes us think, "Gee, Linux is awesome."

How to submit your entry:

1. Make sure your ASCII or ANSI artwork is saved as an image file (jpg or png) that is roughly 1600 x 1600 (give or take—larger is fine as well).
2. Email that image, along with how you want your name to appear, to ljeditor@linuxjournal.com.
3. Make sure it's postmarked (yeah, I know, that's not really a thing with email, but I felt like using that word today) by July 1, 2019.

FAQ:

• Q: Should my ASCII/ANSI art use colors?
• A: Up to you!
• Q: Should I also include the raw text version of the ASCII art when I submit it?
• A: Sure! That'd be groovy!
• Q: How awesome will I feel when I see my ASCII art on the cover of Linux Journal?
• A: Very.

Go to Full Article