Linux News

Tamper-Evident Boot with Heads

Linux Journal - Thu, 01/31/2019 - 09:08
by Kyle Rankin

Learn about how the cutting-edge, free software Heads project detects BIOS and kernel tampering, all with keys under your control.

Disclaimer: I work for Purism, and my experience with Heads began as part of supporting it on Purism's hardware. As a technical writer, I personally find ads that mask themselves as articles in technical publications disingenuous, and this article in no way is intended to be an advertisement for my employer. However, in writing this deep dive piece, I found that mentioning Purism was unavoidable in some places without leaving out important information about Heads—in particular, the list of overall supported hardware and an explanation of Heads' HOTP alternative to TOTP authentication, because it requires a specific piece of Purism hardware.

Some of the earliest computer viruses attacked the boot sector—that bit of code at the beginning of the hard drive in the Master Boot Record that allowed you to boot into your operating system. The reasons for this have to do with stealth and persistence. Viruses on the filesystem itself would be erased if users re-installed their operating systems, but if they didn't erase the boot sector as part of the re-install process, boot sector viruses could stick around and re-infect the operating system.

Antivirus software vendors ultimately added the ability to scan the boot sector for known viruses, so the problem was solved, right? Unfortunately, as computers, operating systems and BIOSes became more sophisticated, so did the boot-sector attacks. Modern attacks take over before the OS is launched and infect the OS itself, so when you try to search for the attack through the OS, the OS tells you everything is okay.

That's not to say modern defenses to this type of attack don't exist. Most modern approaches involve proprietary software that locks down the system so that it can boot only code that's signed by a vendor (typically Microsoft, Apple, Google or one of their approved third-party vendors). The downside, besides the proprietary nature of this defense, is that you are beholden to the vendor to bless whatever code you want to run, or else you have to disable this security feature completely (if you can).

Fortunately, an alternative exists that is not only free software, but that also takes a completely different approach to boot security by alerting you to tampering instead of blocking untrusted code. This approach, Heads, can detect tampering not only in the BIOS itself but also in all of your important boot files in the /boot directory, including the kernel, initrd and even your grub config. The result is a trusted boot environment with keys fully under your own control.

In this article, I describe some of the existing boot security approaches in more detail, along with some of their limitations, and then I describe how Heads works, and how to build and install it on your own system.

Categories: Linux News

Is Software As A Service (SaaS) a bad thing?

Linux Journal - Thu, 01/31/2019 - 00:51


Game Review: Mage's Initiation: Reign of the Elements

Linux Journal - Wed, 01/30/2019 - 12:20
by Marcel Gagné

Welcome, young initiate. Do you have what it takes to become a full-fledged mage?

I've been playing a pre-release version of Mage's Initiation: Reign of the Elements, a classic role-playing game from Himalaya Studios, done in the style of Sierra On-Line's classic King's Quest series. This is only so surprising given that the people behind this new game worked on creating those classics and their remakes. Mage's Initiation is a medieval-style fantasy game with puzzles, treasures, labyrinthine settings, magic, spell-casting battles and monsters. Mage's Initiation began its life as a Kickstarter where it has been hotly anticipated. If you want to check into all that, I link to the Kickstarter page at the end, but right now, I just want to tell you about the game.

In Mage's Initiation, you play a student mage, taken from your family at the age of six to a mystical tower in Iginor, a seemingly idyllic land. In the Mage's Tower, you spend years studying the power of the elements. After ten years, it's Initiation Day, and you are ready to discover which of the elements has chosen you as its champion. In my case, I wound up following the path of water, but you can play (or replay) any of the four classic elements.

Figure 1. Initiation Day, Following the Path of Water

My young initiate's name is "D'Arc", which is, of course, an interesting name partly in what it might conceal. You find out that D'Arc dreams of demons which, he is told, means greatness. He also learns that the road to greatness is dangerous.

The colorful two-dimensional animation is reminiscent of games I played more than 20 years ago, and it's wonderful. I was taken in right away. There are plenty of characters, all with their own personalities, and the voice acting is varied and excellent. In the first part of the game, you'll wander the halls of the Mage's tower, taking in details, talking to other students, collecting various items, and most important, gathering information about what is to come next. This is, after all, the day of your initiation, and you will face a number of quite possibly deadly trials before the day is out. Ask lots of questions. Pay attention. No detail is too small.

There are several halls that you access by an element-themed transport pad with a large gem in the center (pay attention, and don't forget the combinations). Each hall may be populated with different characters who will provide you with what you need to continue.


Thunderbird 60.5.0 Released, System76 Introduces New "Darter Pro" Linux Laptop, Kodi 18.0 "Leia" Now Available, Slax 9.7.0 Is Out and Systemd Vulnerabilities Proof of Concept Published

Linux Journal - Wed, 01/30/2019 - 09:30

News briefs for January 30, 2019.

Mozilla Thunderbird 60.5.0 has been released. New features include FileLink provider WeTransfer for uploading large attachments, more search engines (DuckDuckGo and Google offered by default in some locations) and various security fixes. You can download Thunderbird from here.

System76 introduces its new "Darter Pro" Linux laptop, which provides a choice of Ubuntu or Pop!_OS. According to Beta News, the Darter Pro is 15.6", has two USB-A ports, a USB-C/Thunderbolt 3 port and is "expected to last a full work day without needing a charger". The laptop will be available starting February 5th from System76. You can sign up here to be notified when it's available. Pricing info coming soon.

Kodi 18.0 "Leia" is now available for all supported platforms. This is a major release, reflecting nearly 10,000 commits, 9,000 changed files and half a million lines of code added. This new release features support for gaming emulators, ROMs and controls; DRM decryption support; significant improvements to the music library; live TV improvements; and much more. See the changelog for more details, and go here to download.

Slax 9.7.0 was released yesterday. You can download it for free or purchase a USB drive with Slax pre-installed from slax.org. New to this version: usb-modeswitch was added, the slax activate command now copies module to RAM only if necessary, and now Slax is even smaller—255MB compared to 265MB previously.

Capsule8 yesterday posted the first of a multipart series detailing new research on exploiting two vulnerabilities in systemd-journald, which were published by Qualys on January 9, 2019. "Specifically, the vulnerabilities were: 1) a user-influenced size passed to alloca(), allowing manipulation of the stack pointer (CVE-2018-16865) and 2) a heap-based memory out-of-bounds read, yielding memory disclosure (CVE-2018-16866)." See the post for details on the two vulnerabilities, CVE-2018-16865 and CVE-2018-16866, as exploited against systemd-journald with Address Space Layout Randomization (ASLR) disabled.


Why Linux Is Spelled Incorrectly

Linux Journal - Wed, 01/30/2019 - 08:15
by Bryan Lunduke

You ever see an injustice in the world—one so strong, so overwhelming—that, try as you might, you just can't ignore it? A crime that dominates your consciousness beyond all others? That drives you, even in the face of certain defeat, to action?

Mine is...Linux.

Not the existence of Linux. Linux is amazing. Linux powers the world. Linux is, as the kids say, totally tubular.

It's the name. It's the name that makes me Hulk out. Specifically, it's that confounded "X". It just plain should not be there.

Linux should be spelled L-I-N-U-C-S. Linucs.

Seriously.

That's not a joke.

To make my case for why I believe this, with every fiber of my being, let's start by understanding why "Linux" has that X in the first place. It happened back in the early 1990s, when the first snapshot of Linucs (ahem) code was first uploaded to an FTP server.

Back then, Linus Torvalds wanted to name his kernel "Freax" ("Free" + "Freak" + "Unix"). Linus felt naming the kernel after himself would be a bit, you know, weird. A friend of his disagreed, and when he uploaded the source, he named the folder "Linux".

See that "X" there at the end? It was meant to represent the "X" in UNIX. There's just one problem with that.

UNIX was never supposed to have an "X" in the name at all.

You see, "UNIX" originally was spelled U-N-I-C-S, which stands for UNiplexed Information and Computing Service. This was, itself, based off the name for an operating system made by some of the same folks—Multics (MULTiplexed Information and Computing Service).

(Note: neither Unics nor Multics is spelled with an "X".)

The people that created, engineered and ran the project named it "Unics", and, here's the kicker, nobody is 100% sure where that X even came from. I cover the topic a bit further in my video "The Complete History of Linux (Abridged)" around the five-minute mark. But, the gist is this: the most viable, detailed theory for "the X" is that "maybe someone in PR did it?"

In other words, Linucs—possibly the most critical and valuable piece of software in human history—is incorrectly named "Linux" because an unknown person may or may not have accidentally written Unics as "UNIX" once. Maybe. We're not really sure.

But, because everyone else uses the X, so must I. In every article. Every video. Every presentation.

Whenever I write the word "Linux"—which is about 80 bajillion times every day—I let out a whisper-quiet, short, tortured scream, followed by a subtle whimper of defeated acceptance. If you've ever seen me at a conference, writing an article on my laptop, now you know why I look like a completely insane person.

It's that stupid, friggin' X.

So. There you have it.


Firefox 65.0 Released, CO.LAB to Host First "Global Experience" at the Tate Modern, Electric Guitar with a Built-In RPi Synthesizer, Debian's Reproducible Builds Report and Update on Fedora's New Privacy System for User Stats

Linux Journal - Tue, 01/29/2019 - 09:59

News briefs for January 29, 2019.

Firefox 65.0 was released to Channel users today. New features include enhanced tracking protection, better experience for multilingual users, support for HandOff on macOS, better video streaming for Windows users, and improved performance and web compatibility, with support for the WebP image format. Go here to download Firefox.

CO.LAB to host its first "global experience" at the Tate Modern in London. On Wednesday, "students from two London schools will participate in an all-day session learning a bit about coding, a bit about music and a lot about open source. The program is a collaboration between Red Hat and Femi Owolade-Coombes, better known as Hacker Femo. Femi, a 13-year-old coder known for his Young Coder Workshops in London, worked with us to provide a curriculum that extends the capabilities of the micro:bit, a pocket-sized codeable computer of which one million were delivered to England and Wales year 7 students in 2016. Differing from previous CO.LAB events, the curriculum will be led by Femi, and mentors will be both Red Hat experts and middle school girls from the Young Coders program." For more info about Red Hat's CO.LAB initiative, go here.

Lucern Custom Instruments from the UK teamed up with Tracktion Corporation of Seattle to create Spirit Animal, an electric guitar with a Raspberry Pi synthesizer built in. According to the Raspberry Pi Blog, the guitar "boasts an onboard Li-ion battery granting about 8 hours of play time, and a standard 1/4" audio jack for connecting to an amp. To permit screen-sharing, updates, and control via SSH, the guitar allows access to the Pi's Ethernet port and wireless functionality." See also the Gear News website and the Lucern Instruments Facebook page for more information.

Debian published its Reproducible Builds report for the past week. There are many updates of note, including "There was considerable progress towards making the Debian Installer images reproducible with a number of rounds of code review, a subsequent merge of Chris Lamb's merge request and the closing of the corresponding bug report for the time being, pending further testing."

Fedora's new privacy system for user statistics is making progress. Phoronix reports that "Earlier this month there was a change proposal announced that would give Fedora system's a new unique UUID tracking identifier to count systems. The intention isn't to track users but rather to provide more statistics about the Fedora install base compared to the current system that is just tracking unique IP addresses, but a revised proposal would improve the privacy while still offering up much of the same statistics potential." The revised proposal will work like this: "Rather than relying upon a unique identifier that is transmitted to the Fedora update servers, the revised proposal is focusing upon just transmitting the 'variant' (indicating if you are running Fedora Workstation or one of the other spins) and then a new 'countme' variable. That countme variable would be managed client-side and under current thinking would increment weekly to reflect the age of the Fedora system: that would allow Fedora to see the age of the systems, new vs. updating installs to new releases, the number of users just running in Docker/cloud/other short-lived instances, and other metrics but without relying upon a per-system UUID."


FOSS Project Spotlight: Mender.io, an Open-Source Over-the-Air Software Update Manager for IoT Devices

Linux Journal - Tue, 01/29/2019 - 08:00
by Ralph Nguyen

Mender is an open-source (Apache 2.0) project to address over-the-air (OTA) software update management for Linux-based IoT devices. When we researched this five years ago, there were no open-source end-to-end (device-to-server) options to manage the lifecycle of OTA updates for connected devices. Some open-source options were available, but they either had a proprietary management server, or they were client-only and required integration with another back-end server.

In short, the options available to IoT device-makers either had vendor lock-in or simply were too kludgy. Thus, we created Mender, which has two components: the runtime client integrated into the device and the management server with an intuitive user interface to manage updates at scale for large fleets.

Figure 1. The Mender Server's User Interface

We found in our initial research phase that many embedded systems developers created their own remote update mechanism, which usually took risky shortcuts around security and robustness. Embedded development traditionally has been a very diverse space, and the lack of technology standardization generates a lot of custom work for device-makers. Unlike web development and accepted standards, such as the LAMP stack, device-makers had to create much of their stack. This includes the fundamental capability of remote updates. And, most developers had no other choice but to build their own, given how exotic hardware and OS combinations could be for connected devices. We created a community repository called Mender Hub to allow developers to create and reuse tested and validated integrations to enable OTA updates for any combination of hardware and OS.

A consequence of the growth of IoT devices is the increase of easy targets for malicious actors, evident in the proliferation of malware attacks infecting poorly secured connected devices. The 2016 Dyn DDoS attack was one of the clearest examples of the ramifications of poorly secured IoT devices: it was executed through the Mirai malware, which infected a large number of IoT devices and enslaved them into a botnet. The IoT botnet attack caused major outages across internet platforms and services, including Amazon, GitHub and Netflix.

The increasing connectivity of cars, medical devices and more is making IoT security a serious public health issue. We created Mender to help with baseline security-hardening, and security patching is fundamental. But remote updates are quite challenging, with a lot of nuances to consider in establishing a secure and robust OTA process.


Episode 14: Digital Sovereignty

Linux Journal - Mon, 01/28/2019 - 14:21
Reality 2.0 - Episode 14: Digital Sovereignty

Katherine Druckman and Doc Searls talk to Elizabeth Renieris about digital identity, ethics, boiled frogs, and horses with lasers.


Raspberry Pi Launches Compute Module 3+, MakuluLinux Core Is Now Live, Nextcloud Introduces Virtual Drive, Linux 5.0-rc4 Is Out and LXQt 0.14.0 Released

Linux Journal - Mon, 01/28/2019 - 09:36

News briefs for January 28, 2019.

Raspberry Pi announces its Compute Module 3+ (CM3+) is now available for $25. The CM3+ is the "newest version of our flexible board for industrial applications offers over ten times the ARM performance, twice the RAM capacity, and up to eight times the Flash capacity of the original Compute Module." The company also has released a refreshed Compute Module Development kit. The CM3+ will be available until at least January 2026.

MakuluLinux Core is now live. This marks the first release for 2019, and the OS is designed for "extreme ease of use and comfort". With this version, "The Optional Gesture System will let users navigate their computers with barely even having to touch a keyboard if that is their wish. The more Traditional users don't have to enable gestures, they can simply use the operating system in much the same way they are used to navigating Linux. Core Also offers many 'Instant Access' features like a one click wallpaper changer or one click 3D option, easily control every aspect of your OS with a simply few clicks." Go here for download links and more details.

Nextcloud introduces a Virtual Drive in the Nextcloud Desktop Client. According to the press release, the virtual drive "replaces the traditional files in a locally synchronized folder with a virtual view on all files the user has, available on demand and with a smart caching strategy." At this time, the virtual drive is available as a tech preview and is not recommended for daily use. In addition, Nextcloud today announced "it more than doubled its customer base amidst massive growth of website visits and interest in compliance solutions to secure and control data during the course of 2018." It also is launching a new Customer Advisory Board, which will be kickstarting on March 12, 2019, on Enterprise Day in Stuttgart.

Linux 5.0-rc4 is out. Linus writes that "things look pretty normal, and nothing huge stands out." He also mentions that "Size-wise, rc4 has a bit more commits than the last few releases have had at this point, but it's not even remotely a new record size, and not all that much of an outlier anyway. I _do_ hope that things will start to calm down for rc5 onwards."

The LXQt team recently released LXQt 0.14.0, the Lightweight Qt Desktop Environment. With this release working toward LXQt 1.0.0, new features include a split view in pcmanfm-qt, the "Desktop can have icons like Computer, Network, User-Dir and Trash", "custom terminal margins and history-based tab switching are added to qterminal" and more. See the release notes for all the changes, and you can download it from download.lxqt.org or GitHub.


Data Privacy Year

Linux Journal - Mon, 01/28/2019 - 04:00
by Doc Searls

Today is Data Privacy Day, known in Europe as Data Protection Day.

It's not new. Though created in 2006, it commemorates the Council of Europe treaty creating "the first binding international instrument which protects the individual against abuses which may accompany the collection and processing of personal data and which seeks to regulate at the same time the transfrontier flow of personal data." The treaty was signed on January 28, 1981, a date when the ancestors of today's PCs were still in the wombs of IBM and Apple. Hats off to Eurocrats who were decades ahead of a problem that's worse than ever.

Clearly, a day isn't enough—not when most humans are still naked as newborns in the digital world, and not much better equipped to protect and project their privacy there.

See, like nature in the physical world, the digital world came without privacy. But while we've had millennia to make privacy meaningful in the physical world, we've had only a few decades here in the virtual one where you're reading this now. And so far we've failed.

Sure, most of us alpha geeks are adept at guarding our private lives and spaces in the digital world, but let's face it, that world is a jungle where the apex predators are vampires living off the blood of personal data, and the sum of victims rounds to everybody.

So, although we salute the organizations celebrating this day, we are looking instead at the gigantic pile of work to be done before humans begin to enjoy the same degrees of personal privacy online as they've had in the offline world since the invention of clothing and shelter.

That work is the job of the world's hackers, which is us. And that's why we're declaring 2019 Data Privacy Year. Because a year should be enough at least to start making real progress toward personal data privacy online.

It should help to know two things:


SFLphone 0.9.7 Released

Savoir-faire Linux - Fri, 12/11/2009 - 13:47
The SFLphone project reached an important milestone this week with the release of version 0.9.7. In addition to the usual bug fixes, this version introduces new features eagerly awaited by IP telephony professionals, such as conference support, several high-definition codecs, and support for the main communication encryption protocols (TLS, SRTP/ZRTP). Released under the GPLv3 license, the SFLphone project, developed by...

Free Seminar: The Open Source Business Intelligence Solution SpagoBI, November 6 in Montréal

Savoir-faire Linux - Mon, 09/28/2009 - 10:45
SpagoBI and Savoir-faire Linux are pleased to invite you to a presentation seminar on the SpagoBI business intelligence solutions on Friday, November 6 in Montréal from 9:00 to 12:00.

In late 2008, a Gartner study identified SpagoBI as one of the most promising technologies in business intelligence. The release of SpagoBI 2.2 in 2009 validated this analysis and confirmed its place as the undisputed leader among solutions for...

Free Seminar: Open Source Public Key Infrastructures (PKI), November 4, 2009 in Montréal

Savoir-faire Linux - Thu, 09/24/2009 - 09:01
PrimeKey Solutions and Savoir-faire Linux are pleased to invite you to a presentation seminar on the Open Source public key infrastructure EJBCA on Wednesday, November 4 in Montréal from 9:00 to 12:00. After Société Générale, GIE Cartes Bancaires, the Swedish Police (30,000 users), Daimler AG, Liechtensteinische Landesbank AG, Bankgirocentralen BGC AB and LM Ericsson AB, the EJBCA public key infrastructure has been selected by the...

Framakey Ubuntu Remix, a Tour de Force!

Zone libre en éducation - Mon, 06/29/2009 - 16:27
Framakey Ubuntu Remix offers portable mode under three OSes: Windows, Mac and Linux.

Open Access to New York State's Documents and Software

Zone libre en éducation - Mon, 06/29/2009 - 15:51
The New York State Senate is opening up access to its documents and to the software it produces.

Edulibre Is Launched

Zone libre en éducation - Thu, 06/25/2009 - 14:31
An educational forge has just opened on the Web. We wish it a long life.

Agreement Between UNESCO and Sun Microsystems in Favor of Free Software in Education

Zone libre en éducation - Fri, 06/05/2009 - 13:30
At the World Summit on the Information Society, UNESCO and Sun decided to join forces to strengthen education and community development through open source technologies.

Removing Background Noise with Audacity

Zone libre en éducation - Mon, 06/01/2009 - 08:51
Learn how to remove background noise from your sound files using Audacity.

KeepNote, for Organizing Your Ideas and Notes

Zone libre en éducation - Fri, 05/22/2009 - 14:41
Software for organizing notes of all kinds (text, URLs, multimedia, etc.).

Copyright 101 for the Web

Zone libre en éducation - Wed, 05/20/2009 - 13:09
What you want to know about copyright as it relates to the Web.