
Linux News

A Line in the Sand

Linux Journal - Wed, 02/13/2019 - 08:00
by Doc Searls

There's a new side to choose. It helps that each of us is already on it.

Linux Journal was born in one fight and grew through a series of others.

Our first fight was for freedom. That began in 1993, when Phil Hughes started work toward a free software magazine. The fight for free software was still there when that magazine was born as Linux Journal in April 1994. Then a second fight began. That one was against all forms of closed and proprietary software, including the commercial UNIX variants that Linux would eventually defeat. We got in the fight for open source starting in 1998. (In 2005, I got a ribbon for my own small part in that battle.) And last year, we began our fight against what Shoshana Zuboff calls surveillance capitalism, and Brett Frischmann and Evan Selinger call re-engineering humanity.

This new fight is against actual and wannabe corporate and government overlords, all hell-bent on maintaining the caste system that reduces each of us to mere "consumers" and "data subjects" in a world Richard Brautigan described perfectly half a century ago in his poem "All Watched Over By Machines of Loving Grace". You know, like The Matrix, only for real.

They'll fail, because no machine can fully understand human beings. Each of us is too different, too original, too wacky, too self-educating, too built for gaming every system meant to control us. (Discredit where due: we also suck in lots of ways. For example, Scott Adams is right that we're easy to hack with a good con.)

But why wait for nature to take its course when surveillance capitalists are busy setting civilization back decades or more—especially when we can obsolesce their whole business in the short term?

Here at Linux Journal, we're already doing our part by not participating in the surveillance business that digital advertising has mostly become, and by doing pioneering work in helping the online publishing business obey the wishes of its readers.

Categories: Linux News

PyPy v7.0.0, Vulnerability Affecting runc and Container Technologies, Ubuntu for ARM-based Windows Laptops, antiX MX v18.1

Linux Journal - Tue, 02/12/2019 - 09:38

PyPy, the alternative implementation of the Python programming language, has announced the release of version 7.0.0. It includes three different interpreters that support Python versions 2.7, 3.5 and 3.6-alpha.

A vulnerability was just discovered (CVE-2019-5736) affecting runc and the management of container technologies which include Docker, cri-o, containerd, Kubernetes, etc. Learn more about this security hole and the ways it is being patched here.

A small group of programmers and hackers are working diligently to bring support for Ubuntu on ARM-based Windows laptops. Prebuilt images for the Asus NovaGo TP370QL, HP Envy x2, and the Lenovo Mixx 630 can be found on the official GitHub project page.

The Debian-based Linux distribution, antiX MX, just announced the release of version 18.1. The release is based off of Debian 9.7 "Stretch." You can obtain the ISO image here.

Categories: Linux News

Removing Profanity from the Source Tree

Linux Journal - Tue, 02/12/2019 - 07:45
by Zack Brown

Warning: this article contains profanity.

Linus Torvalds recently stepped away from kernel development temporarily in order to think about how to be less harsh with developers in certain situations. Simultaneous with his departure was a patch introducing a new Code of Conduct into the kernel source tree. The effects of this are beginning to be felt.

Jarkko Sakkinen recently posted a patch to change a kernel comment containing the word "fuck" to use the word "hug" instead. So the code comment, "Wirzenius wrote this portably, Torvalds fucked it up" would become "Wirzenius wrote this portably, Torvalds hugged it up".

Steven Rostedt replied to this, saying that the code in question had changed so much that the original comment was out of date, and it should just be removed entirely. He said, "that will be an accurate change with or without CoC."

Jonathan Corbet remarked, "I'd much rather see either deletion or a rewrite over bleeping out words that somebody might not like." And Jiri Kosina agreed, saying, "turning comments into something that often doesn't make sense to anybody at all is hardly productive."

Sergey Senozhatsky pointed out that Linus was the author of the original self-deprecating comment. He asked, "Linus has made a comment, in his own words, about his own code. Why would anyone be offended by this?"

And Tobin C. Harding remarked of the original code comment, "This is my favourite comment to date in the kernel source tree. Surely there are still some people working on the kernel that do so for fun. I actually laughed out loud when I first stumbled upon this file."

In a different thread, Kees Cook said he agreed with removing "fuck" from the source tree, but felt that the word "hug" was not a good replacement, since it didn't maintain the original meaning. He said:

"This API is hugged" doesn't make any sense to me. "This API is hecked" is better, or at least funnier (to me). "Hug this interface" similarly makes no sense, but "Heck this interface" seems better. "Don't touch my hecking code", "What the heck were they thinking?" etc...."hug" is odd.

He added, "Better yet, since it's only 17 files, how about doing context-specific changes? 'This API is terrible', 'Hateful interface', 'Don't touch my freakin' code', 'What in the world were they thinking?' etc.?"

Categories: Linux News

Episode 15: Learning Python

Linux Journal - Mon, 02/11/2019 - 12:02
Reality 2.0 - Episode 15: Learning Python

Katherine Druckman and Doc Searls talk to Linux Journal Senior Columnist, Reuven Lerner, about learning new languages such as Python.

Categories: Linux News

Linux 5.0, Canonical Update, openSUSE Board Elections, Women and Girls in Science, European Astro-Pi Challenge

Linux Journal - Mon, 02/11/2019 - 11:43

The release candidate 6 for the highly anticipated 5.0 Linux kernel was just released. You can view the changeset for 5.0-rc6 here.

Canonical issued an update (USN-3878-3) and a formal apology for a recent kernel update regression that prevented systems with certain graphics chipsets from booting.

A stable version of Chrome OS 72 was released on Friday; it introduces better access to external storage, touchscreen optimizations for tablet mode and more.

There are only a few days left to cast your ballot in the 2018-2019 openSUSE board elections. Be sure to get your vote in.

Today, the Raspberry Pi Foundation and ESA Education are celebrating the International Day of Women and Girls in Science, and to support the occasion, astronaut Jenni Sidey is helping to kick off the European Astro-Pi challenge. While the challenge itself is not limited to female contestants, it will hopefully encourage more to participate.

Categories: Linux News

Easier Python paths with pathlib

Linux Journal - Mon, 02/11/2019 - 07:30
by Reuven M. Lerner

A look at the benefits of using pathlib, the "object-oriented way of dealing with paths".

Working with files is one of the most common things developers do. After all, you often want to read from files (to read information saved by other users, sessions or programs) or write to files (to record data for other users, sessions or programs).

Of course, files are located inside directories. Navigating through directories, finding files in those directories, and even extracting information about directories (and the files within them) might be common, but they're often frustrating to deal with. In Python, a number of different modules and objects provide such functionality, including os.path, os.stat and glob.

This isn't necessarily bad; the fact is that Python developers have used this combination of modules, methods and files for quite some time. But if you ever felt like it was a bit clunky or old-fashioned, you're not alone.

Indeed, it turns out that for several years already, Python's standard library has come with the pathlib module, which makes it easier to work with directories and files. I say "it turns out", because although I might be a long-time developer and instructor, I discovered "pathlib" only in the past few months—and I must admit, I'm completely smitten.

pathlib has been described as an object-oriented way of dealing with paths, and this description seems quite apt to me. Rather than working with strings, you work with "Path" objects, which not only lets you use all of your favorite path- and file-related functionality as methods, but also lets you paper over the differences between operating systems.

So in this article, I take a look at pathlib, comparing the ways you might have done things before to how pathlib allows you to do them now.

pathlib Basics

If you want to work with pathlib, you'll need to load it into your Python session. You should start with:

import pathlib

Note that if you plan to use certain names from within pathlib on a regular basis, you'll probably want to use from-import. However, I strongly recommend against saying from pathlib import *, which will indeed have the benefit of importing all of the module's names into the current namespace, but it'll also have the negative effect of importing all of the module's names into the current namespace. In short, import only what you need.

Now that you've done that, you can create a new Path object. This allows you to represent a file or directory. You can create it with a string, just as you might do a path (or filename) in more traditional Python code:

Categories: Linux News

Weekend Reading: Containers

Linux Journal - Sat, 02/09/2019 - 07:37
by Carlie Fairchild

The software enabling this technology comes in many forms, with Docker as the most popular. The recent rise in popularity of container technology within the data center is a direct result of its portability and ability to isolate working environments, thus limiting its impact and overall footprint to the underlying computing system. To understand the technology completely, you first need to understand the many pieces that make it all possible. Join us this weekend as we learn about Containers.

Before we get started, many ask what the difference is between a container and virtual machines? Editor Petros Koutoupis explains: Both have a specific purpose and place with very little overlap, and one doesn't obsolete the other. A container is meant to be a lightweight environment that you spin up to host one to a few isolated applications at bare-metal performance. You should opt for virtual machines when you want to host an entire operating system or ecosystem or maybe to run applications incompatible with the underlying environment.

Everything You Need to Know about Linux Containers, Part I: Linux Control Groups and Process Isolation

Truth be told, certain software applications in the wild may need to be controlled or limited—at least for the sake of stability and, to some degree, security. Far too often, a bug or just bad code can disrupt an entire machine and potentially cripple an entire ecosystem. Fortunately, a way exists to keep those same applications in check. Control groups (cgroups) is a kernel feature that limits, accounts for and isolates the CPU, memory, disk I/O and network usage of one or more processes.

Everything You Need to Know about Linux Containers, Part II: Working with Linux Containers (LXC)

Part I of this Deep Dive on containers introduces the idea of kernel control groups, or cgroups, and the way you can isolate, limit and monitor selected userspace applications. Here, I dive a bit deeper and focus on the next step of process isolation—that is, through containers, and more specifically, the Linux Containers (LXC) framework.

Categories: Linux News

Microsoft Joins the OpenChain Project, Google Open-Sources ClusterFuzz, New Android Vulnerability, FSF Gives the Vikings D8 Mainboard and Workstation Its "Respect Your Freedom" Endorsement, and Fedora Is Redesigning Its Logo

Linux Journal - Fri, 02/08/2019 - 09:37

News briefs for February 8, 2019.

Microsoft has joined the OpenChain Project, "which builds trust in open source by making open source license compliance simpler and more consistent". Uber, Google and Facebook joined it last month. According to the announcement, "By joining OpenChain, Microsoft will help create best practices and define standards for open source software compliance, so that its customers have even greater choice and opportunity to bridge Microsoft and other technologies together in heterogeneous environments."

Google today announced it is open-sourcing ClusterFuzz and making it available for anyone to use. Fuzzing is "an automated method for detecting bugs in software that works by feeding unexpected inputs to a target program", and it's "effective at finding memory corruption bugs". ClusterFuzz, "a fuzzing infrastructure running on over 25,000 cores", was written to aid in the Chrome development process. You can check it out at the ClusterFuzz GitHub repository.

A security vulnerability discovered in Android gives attackers access to your phone if you open a .png file. ZDNet reports that "All it takes to trigger the bug is for attackers to send a crafted, malicious Portable Network Graphic (.PNG) file to a victim's device. Should the user open the file, the exploit is triggered." This bug affects Android versions 7.0–9.0.

The Free Software Foundation has certified new hardware with its "Respect Your Freedom" endorsement: the Vikings D8 mainboard and D8 workstation. According to Phoronix, "The Vikings D8 is a re-branded ASUS KCMA-D8 but flashed with Libreboot+Coreboot to free the hardware down to the BIOS." In addition, "the D8 Workstation also ships with the FSF-approved Trisquel operating system that is free of any Linux binary blobs and proprietary software." See also the FSF post on the Respects Your Freedom certification.

Fedora is redesigning its logo due to issues with its current logo, including "the lack of a single colour variant", "the logo not working well on dark backgrounds", "confusion with other well-known brands, and the use of a proprietary font." See this article by Máirín Duffy for more on the history of the Fedora logo and other details on the change, and also see this post to join the discussion on the new options.

Tags: News, Microsoft, OpenChain Project, Google, ClusterFuzz, Android, Security, FSF, Hardware, Fedora
Categories: Linux News

The Taloflow Instance Manager (Tim)

Linux Journal - Fri, 02/08/2019 - 08:00
by Petros Koutoupis

For years, modern workloads have shifted to the cloud, with AWS being the most popular. And although this shift has cut down operating costs significantly, millions, if not billions, of dollars still are wasted to maintain all those virtual instances—even when they are not in use.

To help alleviate both the burden and headache of managing your cloud-hosted virtual machines, Taloflow built the Taloflow Instance Manager (Tim), which can reduce your expenditures by as much as 40%. Tim monitors your AWS resources and suggests automations that effortlessly save you money in real time.

Taloflow is a Vancouver- and California-based startup, offering a Software-as-a-Service (SaaS) platform that seamlessly integrates into your preferred cloud service provider to set up alerts, capture metrics and automate a list of useful actions. The company is focused solely on bringing artificial intelligence (AI) automation and intelligence to cloud services. Currently, Taloflow is an operation of at least eight talented engineers coming from all business backgrounds (from startups to enterprises).

Figure 1. The Taloflow Team

One of the key differences with Tim is that it works in real time. Unlike its competition, which is focused primarily on accountants and finance departments, Tim takes a bottom-up approach and shifts that focus onto the engineers and operators pulling the levers on these cloud virtual instances. Think of it as a bot or tool helping developers manage their resources and monitor their workflows. Tim will provide recommendations to those same engineers on how to optimize the performance, as well as the cost in the cloud.

The current implementation of Tim is available under a freemium model. This is intended to encourage early adoption, and it also allows users to hit the ground running and get started quickly. Depending on usage, number of users and the required performance, a paid tier or Enterprise Model eventually will be offered by March 2019.

Tim's basic model runs on Taloflow's own cloud, and depending on the customer's security preferences, the company will offer and provision private instances for each user (under the Enterprise subscription model). This will look like a Kubernetes image running on-premises at the customer site.

Categories: Linux News

LibreOffice 6.2 Officially Available, Raspberry Pi Opens a Store in the UK, Purism Announces Partnership with GDQuest to Create Games for the Librem 5, Three New Snapshots for openSUSE Tumbleweed and Document Your DNA with an RPi Gel Imager

Linux Journal - Thu, 02/07/2019 - 10:37

News briefs for February 7, 2019.

The Document Foundation today announces the official release of LibreOffice 6.2 with NotebookBar. This is a major new release that "features a radical new approach to the user interface—based on the MUFFIN concept—and provides user experience options capable of satisfying all users' preferences, while leveraging all screen sizes in the best way." This version has many new features, including substantial changes to icon themes; context menus have been tidied up, and interoperability with proprietary file formats has been improved. See this video for details on all the new features. Note that LibreOffice 6.1.5 also was released today for enterprise-class deployments. You can download LibreOffice 6.2 or LibreOffice 6.1.5 from here.

Raspberry Pi has opened a store in the Grand Arcade, Cambridge, UK. See this video for details and follow #RPiStore for more photos and info.

Purism recently announced a partnership with GDQuest to teach people how to create games for the Librem 5 smartphone using the free/libre Godot game engine. GDQuest founder and game design expert/teacher Nathan Lovato's video series will show how to create and release games on the Librem 5 and then submit them to the PureOS store. See also GDQuest's crowdfunding campaign for information on other tutorial videos and to help support the project.

Three new snapshots were released this week for openSUSE Tumbleweed with updates for ImageMagick, Mesa, Apache, Ceph, Flatpak Builder, Python and more. Bash, glusterfs, libvirt and openconnect got updates this week as well.

You can now document your DNA with a Raspberry Pi gel imager. Make magazine published a step-by-step how-to by Dr. Lindsay V. Clark, so you can make your own imager from a styrofoam box and RPi for around $150, because "Any genetics lab or DIY biohacker needs to be able to visualize DNA and RNA, and a common technique for doing so is agarose gel electrophoresis."

Tags: News, LibreOffice, Raspberry Pi, Purism, gaming, Godot, GDQuest, openSUSE
Categories: Linux News

Disk Encryption for Low-End Hardware

Linux Journal - Thu, 02/07/2019 - 08:15
by Zack Brown

Eric Biggers and Paul Crowley were unhappy with the disk encryption options available for Android on low-end phones and watches. For them, it was an ethical issue. Eric said:

We believe encryption is for everyone, not just those who can afford it. And while it's unknown how long CPUs without AES support will be around, there will likely always be a "low end"; and in any case, it's immensely valuable to provide a software-optimized cipher that doesn't depend on hardware support. Lack of hardware support should not be an excuse for no encryption.

Unfortunately, they were not able to find any existing encryption algorithm that was both fast and secure, and that would work with existing Linux kernel infrastructure. They, therefore, designed the Adiantum encryption mode, which they described in a light, easy-to-read and completely non-mathematical way.

Essentially, Adiantum is not a new form of encryption; it relies on the ChaCha stream cipher developed by D. J. Bernstein in 2008. As Eric put it, "Adiantum is a construction, not a primitive. Its security is reducible to that of XChaCha12 and AES-256, subject to a security bound; the proof is in Section 5 of our paper. Therefore, one need not 'trust' Adiantum; they only need trust XChaCha12 and AES-256."

Eric reported that Adiantum offered a 20% speed improvement over his and Paul's earlier HPolyC encryption mode, and it offered a very slight improvement in actual security.

Eric posted some patches, adding Adiantum to the Linux kernel's crypto API. He remarked, "Some of these patches conflict with the new 'Zinc' crypto library. But I don't know when Zinc will be merged, so for now, I've continued to base this patchset on the current 'cryptodev'."

Jason A. Donenfeld's Zinc ("Zinc Is Not crypto/") is a front-runner to replace the existing kernel crypto API; it is simpler and lower-level than that API, offering a less terrifying coding experience.

Jason replied to Eric's initial announcement. He was very happy to see such a good disk encryption alternative for low-end hardware, but he asked Eric and Paul to hold off on trying to merge their patches until they could rework them to use the new Zinc security infrastructure. He said, "In fact, if you already want to build it on top of Zinc, I'm happy to work with you on that in a shared repo or similar."

He also suggested that Eric and Paul send their paper through various academic circles to catch any unanticipated problems with their encryption system.

But Paul replied:

Categories: Linux News

Vivaldi 2.3 Has Arrived, Security Flaw Discovered in LibreOffice and OpenOffice, Firefox 66 to Stop Loud Videos from Playing Automatically, Red Hat CodeReady Workspaces Released and Flowblade 2.0 Is Now Available

Linux Journal - Wed, 02/06/2019 - 09:53

News briefs for February 6, 2019.

Vivaldi's first release of 2019 arrived this morning. Version 2.3 introduces "a unique way to 'auto-stack' tabs that streamline your workflow even more. We've also added new ways to access websites in the Address Field and made overall improvements to navigate and interact with the Web quicker". You can download Vivaldi from here.

Security researchers have discovered a remote code execution vulnerability in LibreOffice on both Linux and Windows, Softpedia News reports. Evidently "the flaw can be exploited with just a malicious ODT document that includes code for running a macro with a mouse-hover action." Patches have been released, so update to the latest versions now (6.0.7 and 6.1.3). OpenOffice is vulnerable to the attack as well—specifically OpenOffice 4.1.6, and according to the Softpedia post, there is no fix yet.

Firefox 66 will stop videos containing audio from playing automatically. According to Ars Technica, "by default, any site that tries to play video with audio will have that video playback blocked", and "Firefox users will be able to override this block on a site-by-site basis, so those sites where autoplay is inoffensive can have it re-enabled." Mozilla plans to release Firefox 66 on March 19th.

Red Hat has released Red Hat CodeReady Workspaces, "a Kubernetes-native, browser-based IDE". ZDNet reports that "CodeReady is based on the open-source Eclipse Che IDE. It also includes formerly proprietary features from Red Hat's Codenvy acquisition." In addition, the IDE is optimized for Red Hat OpenShift, and Red Hat claims that "CodeReady Workspaces is the first IDE, which runs inside a Kubernetes cluster."

Flowblade 2.0, the open-source GTK3-based Linux video editor, was released this week. According to Phoronix, version 2.0 comes with "a new custom GTK3 theme and configurable workflow items to better cater to different users, a number of tools from keyframes to cut. Flowblade 2.0 also features better tool-tip coverage, various GUI updates, a transform compositor, and other changes." See the release notes and the GitHub repo for more information.

Tags: News, Vivaldi, Security, LibreOffice, OpenOffice, Firefox, Red Hat, Kubernetes, Flowblade, multimedia
Categories: Linux News

What Is “Surveillance Capitalism?” And How Did It Hijack the Internet?

Linux Journal - Wed, 02/06/2019 - 09:08
by Augustine Fou

Shoshana Zuboff's new book The Age of Surveillance Capitalism goes into gory details of how companies collect, use, buy and sell your data for profit, often without consent or even the consumer knowing it was happening, until disasters reveal some of the dark underbelly—like the Cambridge Analytica scandal. But, I’m a marketer, so I will focus on the subset of “surveillance marketing”—also known as “digital marketing”—where companies profit off of you, because they are set up to do so. Digital ad-tech companies were built to extract as much value as possible from the trust transaction that used to be the user going to a publisher’s site that carries an advertiser’s ad.

Surveillance Marketing Was Built on the Foundation of Three Myths

Digital marketing as we know it today can be traced all the way back to Chris Anderson’s book The Long Tail, published in 2006. Before that, digital media was primarily purchased from large sites that had large human audiences. The Long Tail promulgated the idea that collectively a large number of small sites could rival the scale of a small number of large sites. This simple premise alone led digital marketing down a dark and dangerous path to the hell we now know is surveillance marketing. But most marketers don’t even know they are in this hell. They were looking for scale in digital—and they got it. They were looking for data in digital—and they got it. And, they were looking for more granular targeting in digital—and they got it. But how?

Herein lies the three myths: 1) the long tail, 2) behavioral targeting and 3) hypertargeting.

The Myth of the Long Tail

Categories: Linux News

February 2019 Security Bulletin for Android Released, New Patches Needed for Ubuntu 18.04, EU Recalls ENOX Safe-KID-One Smartwatches Due to Security Flaws, Raspberry Pi to Celebrate Its 7th Birthday with Jams March 2-3 and Some Fresh Snaps

Linux Journal - Tue, 02/05/2019 - 09:38

News briefs for February 5, 2019.

Google yesterday released its February 2019 security bulletin for Android. Source code patches should be released to the Android Open Source Project (AOSP) repository soon. The most severe vulnerability is in Framework "that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process."

Evidently the patches released for Ubuntu 18.04 last week caused other inadvertent problems, and Canonical has released a new patch to fix those issues. ZDNet quotes the Ubuntu security team: "Unfortunately, that update introduced regressions with docking station displays and mounting ext4 file systems with the meta_bg option enabled." This bug also could affect Kubuntu, Xubuntu, Lubuntu, Linux Mint 19 and Linux Mint 19.1. The new patch replaces linux-image 4.15.0-44.47 with the fixed linux-image 4.15.0-45.48 kernel.

The EU orders a recall of ENOX Safe-KID-One smartwatches due to significant security flaws that allow third parties to track and call the watches, ZDNet reports. From the Rapid Alert System for Non-Food Products (RAPEX) alert: "The mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data. As a consequence, the data such as location history, phone numbers, serial number can easily be retrieved and changed." In addition, "a malicious user can send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS."

To celebrate its seventh birthday next month, the Raspberry Pi Foundation is coordinating several "Jams" all over the world: "Whether you're a Raspberry Pi user, club volunteer, avid forum question answerer, regular blog commenter, or brand-new community member, we want you to feel welcome! Look at the map, find a Jam near you, and meet the real-world Raspberry Pi community on 2 or 3 March."

The Ubuntu blog published a list of fresh snaps from January 2019. New snaps include OpenToonz, Eureka DOOM Editor, HexChat, Blender and much more. (All are available from the Snap store.)

Tags: News, Google, Android, Security, Mobile, Privacy, Ubuntu, Canonical, EU, Raspberry Pi, Snap
Categories: Linux News

Writing Secure Shell Scripts

Linux Journal - Tue, 02/05/2019 - 07:30
by Dave Taylor

Don't expose your system with sloppy scripts!

Although a Linux desktop or server is less susceptible to viruses and malware than a typical Windows device, there isn't a device on the internet that isn't eventually attacked. The culprit might be the stereotypical nerd in a bedroom testing his or her hacker chops (think Matthew Broderick in War Games or Angelina Jolie in Hackers). Then again, it might be an organized military, criminal, terrorist or other funded entity creating massive botnets or stealing millions of credit cards via a dozen redirected attack vectors.

In any case, modern systems face threats that were unimaginable in the early days of UNIX development and even in the first few years of Linux as a hobbyist reimplementation of UNIX. Ah, back in the day, the great worry was about copyrighted code, and so useful tools constantly were being re-implemented from scratch to get away from the AT&T Bell Labs licenses and so forth.

I have personal experience with this too. I rewrote the Hunt the Wumpus game wumpus from scratch for BSD 4.2 when the Berkeley crowd was trying to get away from AT&T UNIX legal hassles. I know, that's not the greatest claim to fame, but I also managed to cobble together a few other utilities in my time too.

Evolution worked backward with the internet, however. In real life, the lawless Wild West was gradually tamed, and law-abiding citizens replaced the outlaws and thugs of the 1850s and the Gold Rush. Online, it seems that there are more, smarter and better organized digital outlaws than ever.

Which is why one of the most important steps in learning how to write shell scripts is to learn how to ensure that your scripts are secure—even if it's just your own home computer and an old PC you've converted into a Linux-based media server with Plex or similar.

Let's have a look at some of the basics.

Know the Utilities You Invoke

Here's a classic trojan horse attack: an attacker drops a script called ls into /tmp, and it simply checks to see the userid that invoked it, then hands off its entire argument sequence to the real /bin/ls. If it recognizes userid = root, it makes a copy of /bin/sh into /tmp with an innocuous name, then changes its permission to setuid root.

This is super easy to write. Here's a version off the top of my head:

#!/bin/sh
if [ "$USER" = "root" ] ; then
  /bin/cp /bin/sh /tmp/.secretshell
  /bin/chown root /tmp/.secretshell
  /bin/chmod 4666 root /tmp/.secretshell
fi
exec /bin/ls $*

I hope you understand what just happened. This simple little script has created a shell that always grants its user root access to the Linux system. Yikes. Fancier versions would remove themselves once the root shell has been created, leaving no trace of how this transpired.
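As an added example (my own code, not from Dave Taylor's article), here is the defensive counterpart to the script above: a prologue a script can run before it invokes any utility. It refuses to continue when PATH contains an entry an attacker could drop a fake ls into (an empty or relative entry, or a world-writable directory such as /tmp), reports which file a bare command name would actually resolve to, and shows the absolute-path, "$@" form of invoking a utility. It assumes a POSIX sh with a find that accepts -H, and it assumes /usr/sbin, /usr/bin, /sbin and /bin are the root-owned trusted directories; the function names, messages and the constructed demonstration PATH beginning with /tmp are mine.

```shell
#!/bin/sh
# Added example, not code from the Linux Journal article: a defensive
# prologue for shell scripts that (1) refuses to run when PATH contains an
# entry an attacker could plant a fake utility in, (2) reports which file a
# bare command name would actually resolve to, and (3) invokes utilities by
# absolute path with arguments passed through intact.

# audit_path [PATH-like string]
# Returns 0 when every entry is an absolute directory that is not
# world-writable. Returns 1 (with a message on stderr) for the first entry
# that is empty, relative or world-writable. Empty and relative entries
# resolve to the current directory, which is exactly how a script started
# from /tmp ends up executing /tmp/ls instead of /bin/ls.
audit_path() {
    _rest="${1-$PATH}:"          # trailing ':' makes the last entry look like the rest
    while [ -n "$_rest" ]; do
        _d="${_rest%%:*}"        # entry before the first ':'
        _rest="${_rest#*:}"      # everything after it
        case "$_d" in
            /*) ;;
            *)  echo "audit_path: entry '$_d' is empty or relative (resolves to the current directory)" >&2
                return 1 ;;
        esac
        # -H follows a symlinked entry (merged-/usr systems link /bin -> usr/bin);
        # -prune stops find from descending; -perm -0002 matches world-writable.
        if [ -d "$_d" ] && [ -n "$(find -H "$_d" -prune -perm -0002 2>/dev/null)" ]; then
            echo "audit_path: entry '$_d' is world-writable" >&2
            return 1
        fi
    done
    return 0
}

# resolve_utility NAME [PATH-like string]
# Prints the file NAME would run as under the given PATH (default: the
# current one). Run this before trusting any bare command name in a script.
resolve_utility() {
    ( PATH="${2-$PATH}"; command -v "$1" )
}

# secure_prologue
# Call this first in any script that may run as root: a fixed, trusted PATH
# instead of whatever the caller exported, a restrictive umask, and a
# fail-closed audit before the first external command.
secure_prologue() {
    PATH=/usr/sbin:/usr/bin:/sbin:/bin    # assumption: root-owned, mode 755 directories
    export PATH
    umask 077
    audit_path "$PATH"
}

# safe_ls ARGS...
# Absolute path, and "$@" rather than $*: "$@" keeps each argument as one
# word, so a filename containing a space is not split into two arguments.
safe_ls() {
    /bin/ls "$@"
}

# Stand-alone demonstration with a constructed PATH that starts with /tmp,
# the directory the article's trojan is dropped into.
if audit_path "/tmp:/usr/bin:/bin" 2>/dev/null; then
    echo "demo: /tmp:/usr/bin:/bin accepted (unexpected: /tmp is not world-writable here)"
else
    echo "demo: /tmp:/usr/bin:/bin rejected; a bare 'ls' would resolve to: $(resolve_utility ls /tmp:/usr/bin:/bin)"
fi
```

The audit fails closed on purpose: a script that cannot prove its PATH is trustworthy should stop rather than guess, and the message names the offending entry so the operator can fix the environment instead of the script. Note that /tmp is rejected even though it carries the sticky bit, because the sticky bit only stops other users from deleting your files; anyone can still create a new file named ls there.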

Categories: Linux News

ZaReason Debuts New Gamerbox 9400, Google Announces Live Transcribe and Sound Amplifier Android Apps, Microsoft Bringing Xbox Live to Android, Kernel 5.0-rc5 Is Out and Mallard 1.1 Released

Linux Journal - Mon, 02/04/2019 - 09:41

News briefs for February 4, 2019.

ZaReason debuted its new Gamerbox 9400, "the ultimate Linux gaming PC". And, the Gamebox is just the beginning, ZDNet reports, quoting ZaReason CEO Cathy Malmrose: "Our current team is mostly gamers so, not surprisingly, that is the direction we are going. We have a full line of gaming machines in R&D." The Gamebox runs Ubuntu 18.04, with a 64-bit Pentium 3.8GHz G5500 Coffee Lake processor and 8GB of DDR4 memory.

Google announces two new audio apps for Android to help people who are deaf or hard of hearing: Live Transcribe and Sound Amplifier. Live Transcribe "takes real-world speech and turns it into real-time captions using just the phone's microphone". Starting today, Live Transcribe will roll out gradually as a limited beta via the Play Store and pre-installed on Pixel 3 devices. You can sign up here to be notified when it's more widely available. Sound Amplifier makes "audio more clear and easier to hear. You can use Sound Amplifier on your Android smartphone with wired headphones to filter, augment and amplify the sounds in your environment. It works by increasing quiet sounds, while not over-boosting loud sounds." Sound Amplifier is available now via the Play Store, supports Android 9 Pie or later and comes pre-installed on Pixel 3.

Microsoft is bringing Xbox Live to Android, macOS and Nintendo Switch. According to The Verge, "Some iOS and Android games already have Xbox Live Achievements, but they're only enabled in titles from Microsoft Studios and there's not many of them available right now. Microsoft describes this new push as much bigger. 'Xbox Live is expanding from 400 million gaming devices and a reach to over 68 million active players to over 2 billion devices with the release of our new cross-platform XDK,' says the GDC listing."

Linux kernel 5.0-rc5 is out. Linus writes, "I'm happy to report that things seem to be calming down nicely, and rc5 is noticeably smaller than previous rcs. Let's hope the trend continues."

Mallard 1.1 was released recently. Mallard is a "markup language for dynamic topic-oriented help. It is designed to be as simple as possible, while still providing the features needed for a modern help system. Mallard features a unique reciprocal linking system that helps writers create flexible help frameworks that are easy to extend with new content. Writers can create an outline-like structure, and as they add new help topics, the reciprocal linking mechanism will neatly integrate the new help topics with the existing help topics." To see the list of what's new, go here.


If Software Is Funded from a Public Source, Its Code Should Be Open Source

Linux Journal - Mon, 02/04/2019 - 08:00
by Glyn Moody

If we pay for it, we should be able to use it.

Perhaps because many free software coders have been outsiders and rebels, less attention is paid to the use of open source in government departments than in other contexts. But it's an important battleground, not least because there are special dynamics at play and lots of good reasons to require open-source software. It's unfortunate that the most famous attempt to convert a government IT system from proprietary code to open source—the city of Munich—proved such a difficult experience. Although last year saw a decision to move back to Windows, that seems to be more a failure of IT management than of the code itself. Moreover, it's worth remembering that the Munich project began back in 2003, when it was a trailblazer. Today, there are dozens of large-scale migrations, as TechRepublic reports:

Most notable is perhaps the French Gendarmerie, the country's police force, which has switched 70,000 PCs to Gendbuntu, a custom version of the Linux-based OS Ubuntu. In the same country 15 French ministries have made the switch to using LibreOffice, as has the Dutch Ministry of Defence, while the Italian Ministry of Defence will switch more than 100,000 desktops from Microsoft Office to LibreOffice by 2020 and 25,000 PCs at hospitals in Copenhagen will move from Office to LibreOffice.

More are coming through all the time. The Municipality of Tirana, the biggest in Albania, has just announced it is moving thousands of desktops to LibreOffice, and nearly 80% of the city of Barcelona's IT investment this year will be in open source.

One factor driving this uptake by innovative government departments is the potential to cut costs by avoiding constant upgrade fees. But it's important not to overstate the "free as in beer" element here. All major software projects have associated costs of implementation and support. Departments choosing free software simply because they believe it will save lots of money in obvious ways are likely to be disappointed, and that will be bad for open source's reputation and future projects.

Arguably as important as any cost savings is the use of open standards. This ensures that there is no lock-in to a proprietary solution, and it makes the long-term access and preservation of files much easier. For governments with a broader responsibility to society than simply saving money, that should be a key consideration, even if it hasn't been in the past.


February 2019, #295: The Security Issue

Linux Journal - Fri, 02/01/2019 - 11:00
by Bryan Lunduke

On January 13th, 2018—at 8:07 am—an emergency alert was issued in Hawaii. The message, in its entirety: "BALLISTIC MISSILE THREAT INBOUND TO HAWAII. SEEK IMMEDIATE SHELTER. THIS IS NOT A DRILL."

Although this message—which showed up on smart phones across the state—was, indeed, not a drill, it also was not a real threat. There was no missile hurtling through the atmosphere towards Hawaii. It turns out someone had simply clicked the wrong option from a very poorly designed user interface and sent out a fake (but very real-looking) emergency alert.

This is officially known as a "whoopsie daisy".

As the story spread around the globe, obviously all the news reports were going to need a picture to run along with it. As luck would have it, the Associated Press had published a picture taken inside the Hawaii Emergency Management Agency—showing computer workstations where they watch for such possible threats. This picture was spread far and wide.

On that picture, people noticed something. Something amusing. Something, for many of us, relatable.

On one of the monitors was a sticky note. With the password written on it.

(There were actually two sticky notes on the monitors in the picture. The second sticky note contained the message "SIGN OUT". Because, you know, security is important.)

While the accidental, non-real emergency alert was not caused by any sort of security breach (sticky-note-based or otherwise), this picture served as a great reminder to the entire world that we probably shouldn't write down our passwords on sticky notes. Not even a government agency tasked with Emergency Management is immune to this sort of weak security.

It reminds me of a scene from the Mel Brooks film Spaceballs. In the film, an advanced security barrier had been constructed around a planet. The dastardly space-villains forced the king of the planet to give up the code that would open that barrier. That code? 12345. Upon learning of the code, one of the characters was shocked. "Remind me to change the code on my luggage."

Any of this sound familiar? Perhaps it's time to get rid of the sticky notes—and the passwords that are no more complex than "password123"—and get yourself a good password manager.

In this issue, Shawn Powers provides a good "Password Manager Roundup", laying out the pros and cons of various options.

Then, while you're in a security frame of mind, familiarize yourself with a good set of guidelines (based on the Linux Foundation's Security Checklist) for how to keep your system secure with Mike McCallister's "Everyday Security Tips".

Following these suggestions will make you far more secure than that Emergency Agency in Hawaii or that planet in Spaceballs, but what if you want to take things a step further? What if you want to dive into the world of encryption and hardware security keys?


Qt 5.12.1 Is Now Available, Tor Browser 8.0.5 and Tails 3.12 Both Released with Important Security Fixes, Virt2real Launches StereoPi and Chrome Update for Android

Linux Journal - Fri, 02/01/2019 - 09:48

News briefs for February 1, 2019.

Qt 5.12.1 was released today, marking the first patch release of the Qt 5.12 LTS series. It contains nearly 300 bug fixes and other improvements. See the Change Files for all the changes. Use the online installer's maintenance tool to make the update, or for new installations, download the latest installer from the Qt Account Portal or the Download page.

Tor Browser 8.0.5 was released this week. This release includes important security updates to Firefox and also updates Tor to the first stable release in the 0.3.5 series. NoScript and HTTPS Everywhere also were updated to their latest versions. You can view the full changelog here and download from here.

Tails 3.12 was released this week. The release fixes many security vulnerabilities, but the biggest change is to the installation method: "In short, instead of downloading an ISO image (a format originally designed for CDs), you now download Tails as a USB image: an image of the data as it needs to be written to the USB stick." This release also updates Linux to 4.19, the Tor Browser to 8.0.5 and Thunderbird to 60.4.0.

Virt2real has launched a Crowd Supply campaign for its $89 "StereoPi" stereoscopic camera board designed to work with the RPi Compute Module and dual RPi cameras. According to Linux Gizmos, the StereoPi is open-spec and "supports spatial awareness, 3D depth maps, and 3D video livestreaming". In addition, "The StereoPi can capture, save, livestream, and process real-time stereoscopic video and images for robotics, AR/VR, computer vision, drone instrumentation, and panoramic video".

The Chrome team announced an update for Android this week. Chrome 72 (72.0.3626.76) is now available on Google Play, and the release includes several stability and performance improvements. In addition, Softpedia News reports that "To tackle various security and privacy issues that users have reported since previous updates, Google decided to update the built-in Incognito Mode of the Chrome web browser by making the media player controls and notifications incognito as well, which means that they're now invisible to the naked eye." See the Git log for all the changes.


Ubuntu 18.04 Needs Patching, Alpine 3.9 Released, Three New openSUSE Tumbleweed Snapshots, Latest Version of Red Hat Infrastructure Migration Solution Now Available and Electric Cloud Announces ElectricAccelerator 11.0

Linux Journal - Thu, 01/31/2019 - 09:28

News briefs for January 31, 2019.

Ubuntu 18.04 needs to be patched to fix several security bugs. ZDNet reports that Canonical is updating Ubuntu 18.04 to a new kernel, 4.15.0-44.47, which contains 11 security fixes. The most important of these addresses problems with the ext4 filesystem. If you use Ubuntu 18.04, patch your system as soon as possible. See also the Ubuntu security notice for more information and instructions on how to update.

Alpine 3.9 was released this week—the first release of the v3.9 stable series of the "security-oriented, lightweight Linux distribution based on musl libc and busybox". New features include support for armv7, a switch from LibreSSL to OpenSSL and improved GRUB support. Go here to download.

Three new openSUSE Tumbleweed snapshots were released this week that contained new versions of PHP7, poppler, GTK3 and LibreOffice. The first of the snapshots also included all the package upgrades for KDE Applications.

Red Hat this morning announced the latest version of the Red Hat infrastructure migration solution. New capabilities provide "greater customer choice, helping to further reduce infrastructure complexity and facilitating a pathway to open hybrid cloud environments". The two new target platforms are the Red Hat OpenStack Platform and the Red Hat Hyperconverged Infrastructure for Virtualization.

Electric Cloud yesterday announced a new version of its software build and test acceleration platform, ElectricAccelerator 11.0. The press release notes that "the platform now offers new plug-and-play support for Android Open Source Project, accelerated embedded Linux builds based on the Yocto project, and cloud bursting for AWS and Kubernetes help businesses shrink development cycles and improve software quality."
