Language Selection

English French German Italian Portuguese Spanish

Security: WireGuard, Birds and Updates

Filed under
Security
  • WireGuard Restored In Android's Google Play Store After Brief But Controversial Removal

    After Google dropped the open-source WireGuard app from their Play Store since it contained a donation link, the app has now been restored within Google's software store for Android users but without the donation option.

    The WireGuard app for Android makes it easy to setup the secure VPN tunnel software on mobile devices, similar to its port to iOS and other platforms. The WireGuard apps are free but have included a donation link to the WireGuard website should anyone wish to optionally make a donation to support the development of this very promising network tech.

  • Letting Birds scooters fly free

    At that point I had everything I need to write a simple app to unlock the scooters, and it worked! For about 2 minutes, at which point the network would notice that the scooter was unlocked when it should be locked and sent a lock command to force disable the scooter again. Ah well.

    So, what else could I do? The next thing I tried was just modifying some STM firmware and flashing it onto a board. It still booted, indicating that there was no sort of verified boot process. Remember what I mentioned about the throttle being hooked through the STM32's analogue to digital converters[3]? A bit of hacking later and I had a board that would appear to work normally, but about a minute after starting the ride would cut the throttle. Alternative options are left as an exercise for the reader.

    Finally, there was the component I hadn't really looked at yet. The Quectel modem actually contains its own application processor that runs Linux, making it significantly more powerful than any of the chips actually running the scooter application[4]. The STM communicates with the modem over serial, sending it an AT command asking it to make an SSL connection to a remote endpoint. It then uses further AT commands to send data over this SSL connection, allowing it to talk to the internet without having any sort of IP stack. Figuring out just what was going over this connection was made slightly difficult by virtue of all the debug functionality having been ripped out of the STM's firmware, so in the end I took a more brute force approach - I identified the address of the function that sends data to the modem, hooked up OpenOCD to the SWD pins on the STM, ran OpenOCD's gdb stub, attached gdb, set a breakpoint for that function and then dumped the arguments being passed to that function. A couple of minutes later and I had a full transaction between the scooter and the remote.

    The scooter authenticates against the remote endpoint by sending its serial number and IMEI. You need to send both, but the IMEI didn't seem to need to be associated with the serial number at all. New connections seemed to take precedence over existing connections, so it would be simple to just pretend to be every scooter and hijack all the connections, resulting in scooter unlock commands being sent to you rather than to the scooter or allowing someone to send fake GPS data and make it impossible for users to find scooters.

  • Security updates for Friday

    Security updates have been issued by Debian (poppler, sudo, and wordpress), Oracle (java-1.8.0-openjdk), Red Hat (java-1.8.0-openjdk), Scientific Linux (java-1.8.0-openjdk, java-11-openjdk, and kernel), and SUSE (kernel and postgresql10).

More in Tux Machines

Red Hat: Application Migration, Departure, OpenShift Commons Gathering and More

  • Application Migration with Container-native virtualization

    More and more frequently, modern applications are choosing a container-first development and deployment paradigm built on the foundation of Kubernetes. However, not all applications are fully modernized and containerized micro services. Many applications are a hybrid of architectures and technology which have existed for years, even decades. This can add complexity, both to the application architecture and management overhead, when a container-based, cloud-native application component needs to access existing functionality which is virtual machine based. Container-native virtualization provides flexibility during the modernization process so that you can focus on the most critical aspects first, while still being able to access, manage, and consume VM-based aspects using the new Kubernetes-centric tools. Based on the KubeVirt project, recently accepted by the CNCF, Container-native virtualization manages both virtual machines and containers through a single control plane saving time, resources, and budget. Red Hat Container-native virtualization delivers KubeVirt functionality directly to OpenShift customers and helps to manage both virtual machines and OpenShift deployments from a single platform. This single platform simplifies the management of virtual machines and containers with a common Kubernetes interface that standardizes orchestration, networking, and storage management while also supporting the long term move to containers.

  • Alberto Ruiz: Hanging the Red Hat

    After 6+ wonderful years at Red Hat, I’ve decided to hang the fedora to go and try new things. For a while I’ve been craving for a new challenge and I’ve felt the urge to try other things outside of the scope of Red Hat so with great hesitation I’ve finally made the jump. I am extremely proud of the work done by the teams I have had the honour to run as engineering manager, I met wonderful people, I’ve worked with extremely talented engineers and learned lots. I am particularly proud of the achievements of my latest team from increasing the bootloader team and improving our relationship with GRUB upstream, to our wins at teaching Lenovo how to do upstream hardware support to improvements in Thunderbolt, Miracast, Fedora/RHEL VirtualBox guest compatibility… the list goes on and credit goes mostly to my amazing team. Thanks to this job I have been able to reach out to other upstreams beyond GNOME, like Fedora, LibreOffice, the Linux Kernel, Rust, GRUB… it has been an amazing ride and I’ve met wonderful people in each one of them.

  • Recap: OpenShift Commons Gathering at Kubecon/NA San Diego [Videos Uploaded]

    The OpenShift Commons Gathering in San Diego brought together over 550+ Kubernetes and Cloud Native experts from all over the world to discuss container technologies, best practices for cloud native application developers and the open source software projects that underpin the OpenShift ecosystem.

  • IBM Kicks Up Kubernetes Compatibility With Open Source

Antoine Beaupré: a quick review of file watchers

File watchers. I always forget about those and never use then, but I constantly feel like I need them. So I made this list to stop searching everywhere for those things which are surprisingly hard to find in a search engine. Read more

Solaris/UNIX: New Solaris Update/Release, Mystery of Unix History

  • Announcing Oracle Solaris 11.4 SRU15

    Today we are releasing SRU 15, the November 2019 SRU, for Oracle Solaris 11.4. It is available via 'pkg update' from the support repository or by downloading the SRU from My Oracle Support Doc ID 2433412.1.

  • Oracle Solaris 11.4 SRU15 Has A Number Of Package Updates

    While there is no sign of Solaris 11.5 or Solaris.Next (last year was a road-map pointing to Solaris 11.Next in H2'19 or H1'20 that has since been removed), Oracle does continue putting out more updates to the Solaris 11.4 series. Oracle Solaris 11.4 SRU 15 was released on Tuesday as the latest monthly update to the Solaris stable series. With Solaris 11.4 SRU 15 are more Python 3 modules being added along with other Python updates, updating the GCC compiler against v9.2, updates to other toolchain bits like CMake, and a wide range of security updates.

  • A Mystery of Unix History

    The two most popular historic editors on Unix, vi and emacs, both make heavy use of these features (Emacs using Esc when Alt or Meta is unavailable). Some of the later entries in the DEC terminal line, especially the vt510, supported key remapping or alternative keyboards, which can address the Esc issue, but not entirely. According to the EmacsOnTerminal page and other research, at least the vt100 through the vt420 lacked Esc by default. Ctrl-3 and Ctrl-[ could send the character. However, this is downright terrible for both vi and Emacs (as this is the only way to trigger meta commands in Emacs). What’s more, it seems almost none of these old serial terminal support hardware flow control, and flow control is an absolute necessity on many. That implies XON/XOFF, which use Ctrl-S and Ctrl-Q — both of which are commonly used in Emacs.

Mesa 19.2.5

Hi list,

I'd like to announce mesa 19.2.5. This is a return to our regularly scheduled
release cadence, featuring a reasonable number of fixes. In general things are
slowing down on the 19.2 branch, and things are starting to look pretty nice.

There's a little bit over everything in here, with anv and radeonsi standing out
as the two biggest components getting changes, but core mesa, core gallium,
llvmpipe, nir, egl, i965, tgsi, st/mesa, spirv, and the Intel compiler also
fixes in this release.

Dylan


Shortlog
========

Ben Crocker (1):
      llvmpipe: use ppc64le/ppc64 Large code model for JIT-compiled shaders

Brian Paul (1):
      Call shmget() with permission 0600 instead of 0777

Caio Marcelo de Oliveira Filho (1):
      spirv: Don't leak GS initialization to other stages

Danylo Piliaiev (1):
      i965: Unify CC_STATE and BLEND_STATE atoms on Haswell as a workaround

Dylan Baker (4):
      docs: Add SHA256 sum for for 19.2.4
      cherry-ignore: Update for 19.2.4 cycle
      docs: Add relnotes for 19.2.5
      VERSION: bump for 19.2.5

Eric Engestrom (1):
      egl: fix _EGL_NATIVE_PLATFORM fallback

Ian Romanick (2):
      nir/algebraic: Add the ability to mark a replacement as exact
      nir/algebraic: Mark other comparison exact when removing a == a

Illia Iorin (1):
      mesa/main: Ignore filter state for MS texture completeness

Jason Ekstrand (1):
      anv: Stop bounds-checking pushed UBOs

Lepton Wu (1):
      gallium: dri2: Use index as plane number.

Lionel Landwerlin (3):
      anv: invalidate file descriptor of semaphore sync fd at vkQueueSubmit
      anv: remove list items on batch fini
      anv/wsi: signal the semaphore in the acquireNextImage

Marek Olšák (3):
      st/mesa: fix Sanctuary and Tropics by disabling ARB_gpu_shader5 for them
      tgsi_to_nir: fix masked out image loads
      tgsi_to_nir: handle PIPE_FORMAT_NONE in image opcodes

Paulo Zanoni (1):
      intel/compiler: fix nir_op_{i,u}*32 on ICL

Pierre-Eric Pelloux-Prayer (3):
      radeonsi: disable sdma for gfx10
      radeonsi: tell the shader disk cache what IR is used
      radeonsi: fix shader disk cache key


git tag: mesa-19.2.5

Read more Also: Mesa 19.2.5 Released With Intel Vulkan + RadeonSI Driver Fixes