
Feed aggregator

Four Hidden Costs and Risks of Sudo Can Lead to Cybersecurity Risks and Compliance Problems on Unix and Linux Servers

Linux Journal - Mon, 11/20/2017 - 10:19
Sponsored Post

It is always a philosophical debate as to whether to use open source software in a regulated environment. Open source software is crowd sourced, and developers from all over the world contribute to packages that are later included in Operating System distributions. more>>

Categories: Linux News

Zentera Systems, Inc.'s CoIP Security Enclave

Linux Journal - Wed, 11/15/2017 - 07:38

On the heels of being crowned "Cool Vendor in Cloud Security" by Gartner, Zentera Systems, Inc., announced an upgrade to its flagship CoIP Security Enclave solution. more>>

Categories: Linux News

Sysadmin 101: Patch Management

Linux Journal - Tue, 11/14/2017 - 07:23

A few articles ago, I started a Sysadmin 101 series to pass down some fundamental knowledge about systems administration that the current generation of junior sysadmins, DevOps engineers or "full stack" developers might not learn otherwise. I had thought that I was done with the series, but then the WannaCry malware came out and exposed some of the poor patch management practices still more>>

Categories: Linux News

Montréal-Python 68: Wysiwyg Xylophone

Montreal Python - Tue, 11/14/2017 - 00:00

Please RSVP on our meetup event

When

November 20th at 6:00PM

Where

Google Montréal 1253 McGill College #150 Montréal, QC

We thank Google Montreal for sponsoring MP68

Schedule
  • 6:00PM - Doors open
  • 6:30PM - Talks
  • 7:30PM - Break
  • 7:45PM - Talk
  • 8:30-9:00PM - End of event
Presentations

Va debugger ton Python! - Stéphane Wirtel

This presentation explains the basics of Pdb and GDB, so you can debug your Python scripts more easily.

Writing a Python interpreter in Python from scratch - Zhentao Li

I will show a prototype of a Python interpreter written entirely in Python itself (that isn't Pypy).

The goal is to have simpler internals to allow experimenting with changes to the language more easily. This interpreter has a small core with much of the library modifiable at run time for quickly testing changes. This differs from Pypy that aimed for full Python compatibility and speed (from JIT compilation). I will show some of the interesting things that you can do with this interpreter.

This interpreter has two parts: a parser to transform source to an Abstract Syntax Tree and a runner for traversing this tree. I will give an overview of how both parts work and discuss some challenges encountered and their solutions.

This interpreter makes use of very few libraries, and only those included with CPython.

This project is looking for members to discuss ways of simplifying parts of the interpreter (among other things).

The talk would be about Rasa, an open-source chatbot platform - Nathan Zylbersztejn

Most chatbots rely on external APIs for the cool stuff such as natural language understanding (NLU) and disappoint because if and else conditionals fail at delivering good representations of our non-linear human way to converse. Wouldn't it be great if we could 1) take control of NLU and tweak it to better fit our needs and 2) really apply machine learning, extract patterns from real conversations, and handle dialogue in a decent manner? Well, we can, thanks to Rasa.ai. It's open-source, it's in Python, and it works.

About Nathan Zylbersztejn:

Nathan is the founder of Mr. Bot, a dialogue consulting agency in Montreal with clients in the media, banking and aerospace industries. He holds a master's in economics, a graduate diploma in computer science, and a machine learning nanodegree.

Categories: External Blogs

pfSense: Not Linux, Not Bad

Linux Journal - Mon, 11/13/2017 - 05:28

Through the years, I've used all sorts of router and firewall solutions at home and at work. For home networks, I usually recommend something like DD-WRT, OpenWRT or Tomato on an off-the-shelf router. For business, my recommendations typically are something like a Ubiquiti router or a router/firewall solution like Untangled or ClearOS. more>>

Categories: Linux News

NETGEAR 48-Port Gigabit Smart Managed Plus Switch (GS750E)

Linux Journal - Fri, 11/10/2017 - 11:12

More than ever, small to mid-sized businesses demand and rely on their networks to carry out mission-critical business activities. As always, however, budgets and expertise constrain these companies from using complex managed switches to run their networks. more>>

Categories: Linux News

New Hope for Digital Identity

Linux Journal - Thu, 11/09/2017 - 06:14

Identity is personal. You need to start there.

In the natural world where we live and breathe, personal identity can get complicated, but it's not broken. If an Inuit family from Qikiqtaaluk wants to name their kid Anuun or Issorartuyok, they do, and the world copes. If the same kid later wants to call himself Steve, he does. Again, the world copes. So does Steve. more>>

Categories: Linux News

DivvyCloud Platform for VMware Cloud on AWS

Linux Journal - Wed, 11/08/2017 - 09:03

DivvyCloud's unique niche in the IT ecosystem is helping organizations automate and manage their multi-cloud infrastructure at scale. more>>

Categories: Linux News

Montréal-Python 68: Call For Speakers

Montreal Python - Wed, 11/08/2017 - 00:00

We are looking for speakers that want to give a regular presentation (20 to 25 minutes) or a lightning talk (5 minutes).

Submit your proposal at team@montrealpython.org

When

November 20th, 2017
6PM to 9PM

Where

Google Montréal
1253 McGill College Ave #150
H3B 2Y5
https://goo.gl/maps/oNruyD2oVbq

Categories: External Blogs

Slicing Scientific Data

Linux Journal - Tue, 11/07/2017 - 08:53

I've covered scientific software in previous articles that either analyzes image information or actually generates image data for further analysis. In this article, I introduce a tool that you can use to analyze images generated as part of medical diagnostic work. more>>

Categories: Linux News

Linux Journal November 2017

Linux Journal - Tue, 11/07/2017 - 07:00

Arrogance, the Biggest Linux Security Problem

Linux is no longer an obscure platform avoided by those with malicious intent. more>>

Categories: Linux News

PoE, PoE+ and Passive POE

Linux Journal - Mon, 11/06/2017 - 07:27

I've been installing a lot of POE devices recently, and the different methods for providing power over Ethernet cables can be very confusing. There are a few standards in place, and then there's a method that isn't a standard, but is widely used.

802.3af or Active PoE: more>>

Categories: Linux News

Galit Shmueli et al.'s Data Mining for Business Analytics (Wiley)

Linux Journal - Fri, 11/03/2017 - 11:11

The updated 5th edition of the book Data Mining for Business Analytics from Galit Shmueli and collaborators and published by Wiley is a standard guide to data mining and analytics that adds two new co-authors and a trove of new material vis-à-vis its predecessor. more>>

Categories: Linux News

October 2017 report: LTS, feed2exec beta, pandoc filters, git mediawiki

Anarcat - Thu, 11/02/2017 - 11:12

Debian Long Term Support (LTS)

This is my monthly Debian LTS report. This time I worked on the famous KRACK attack, git-annex, golang and the continuous stream of GraphicsMagick security issues.

WPA & KRACK update

I spent most of my time this month on the Linux WPA code, to backport it to the old (~2012) wpa_supplicant release. I first published a patchset based on the patches shipped after the embargo for the oldstable/jessie release. After feedback from the list, I also built packages for i386 and ARM.

I have also reviewed the WPA protocol to make sure I understood the implications of the changes required to backport the patches. For example, I removed the patches touching the WNM sleep mode code as that was introduced only in the 2.0 release. Chunks of code regarding state tracking were also not backported as they are part of the state tracking code introduced later, in 3ff3323. Finally, I still have concerns about the nonce setup in patch #5. In the last chunk, you'll notice peer->tk is reset, to_set to negotiate a new TK. The other approach I considered was to backport 1380fcbd9f ("TDLS: Do not modify RNonce for an TPK M1 frame with same INonce") but I figured I would play it safe and not introduce further variations.

I should note that I share Matthew Green's observations regarding the opacity of the protocol. Normally, network protocols are freely available and security researchers like me can easily review them. In this case, I would have needed to read the opaque 802.11i-2004 pdf which is behind a TOS wall at the IEEE. I ended up reading up on the IEEE_802.11i-2004 Wikipedia article which gives a simpler view of the protocol. But it's a real problem to see such critical protocols developed behind closed doors like this.

At Guido's suggestion, I sent the final patch upstream explaining the concerns I had with the patch. I have not, at the time of writing, received any response from upstream about this, unfortunately. I uploaded the fixed packages as DLA 1150-1 on October 31st.

Git-annex

The next big chunk on my list was completing the work on git-annex (CVE-2017-12976) that I started in August. It turns out doing the backport was simpler than I expected, even with my rusty experience with Haskell. Type-checking really helps in doing the right thing, especially considering how Joey Hess implemented the fix: by introducing a new type.

So I backported the patch from upstream and notified the security team that the jessie and stretch updates would be similarly easy. I shipped the backport to LTS as DLA-1144-1. I also shared the updated packages for jessie (which required a similar backport) and stretch (which didn't), and Sebastien Delafond published those as DSA 4010-1.

Graphicsmagick

Up next was yet another security vulnerability in the Graphicsmagick stack. This involved the usual deep dive into intricate and sometimes just unreasonable C code to try and fit a round tree in a square sinkhole. I'm always unsure about those patches, but the test suite passes, smoke tests show the vulnerability as fixed, and that's pretty much as good as it gets.

The announcement (DLA 1154-1) turned out to be a little special because I had previously noticed that the penultimate announcement (DLA 1130-1) was never sent out. So I made a merged announcement to cover both instead of re-sending the original 3 weeks late, which may have been confusing for our users.

Triage & misc

We always do a bit of triage even when not on frontdesk duty, so I:

I also did smaller bits of work on:

The latter reminded me of the concerns I have about the long-term maintainability of the golang ecosystem: because everything is statically linked, an update to a core library (say the SMTP library as in CVE-2017-15042, thankfully not affecting LTS) requires a full rebuild of all packages including the library in all distributions. So what would be a simple update in a shared library system could mean an explosion of work on statically linked infrastructures. This is a lot of work which can definitely be error-prone: as I've seen in other updates, some packages (for example the Ruby interpreter) just bit-rot on their own and eventually fail to build from source. We would also have to investigate all packages to see which ones include the library, something which we are not well equipped for at this point.

Wheezy was the first release shipping golang packages but at least it's shipping only one... Stretch has shipped with two golang versions (1.7 and 1.8) which will make maintenance ever harder in the long term.

We build our computers the way we build our cities--over time, without a plan, on top of ruins. - Ellen Ullman

Other free software work

This month again, I was busy doing some serious yak shaving operations all over the internet, on top of publishing two of my largest LWN articles to date (2017-10-16-strategies-offline-pgp-key-storage and 2017-10-26-comparison-cryptographic-keycards).

feed2exec beta

Since I announced this new project last month I have released it as a beta and it entered Debian. I have also written useful plugins like the wayback plugin that saves pages on the Wayback machine for eternal archival. The archive plugin can also similarly save pages to the local filesystem. I also added bash completion, expanded unit tests and documentation, fixed default file paths and a bunch of bugs, and refactored the code. Finally, I also started using two external Python libraries instead of rolling my own code: the pyxdg and requests-file libraries, the latter of which I packaged in Debian (and fixed a bug in their test suite).

The program is working pretty well for me. The only thing I feel is really missing now is a retry/fail mechanism. Right now, it's a little brittle: any network hiccup will yield an error email, which is readable to me but could be confusing to a new user. Strangely enough, I am particularly having trouble with (local!) DNS resolution that I need to look into, but that is probably unrelated to the software itself. Thankfully, the user can disable those with --loglevel=ERROR to silence WARNINGs.

Furthermore, some plugins still have some rough edges. For example, the Transmission integration would probably work better as a distinct plugin instead of a simple exec call, because when it adds new torrents, the output is totally cryptic. That plugin could also leverage more feed parameters to save different files in different locations depending on the feed titles, something that would be hard to do safely with the exec plugin now.

I am keeping a steady flow of releases. I wish there was a way to see how effective I am at reaching out with this project, but unfortunately GitLab doesn't provide usage statistics... And I have received only a few comments on IRC about the project, so maybe I need to reach out more like it says in the fine manual. Always feels strange to have to promote your project like it's some new bubbly soap...

The next steps for the project are a final review of the API and releasing a production-ready 1.0.0. I am also thinking of making a small screencast to show the basic capabilities of the software, maybe with asciinema's upcoming audio support?

Pandoc filters

As I mentioned earlier, I dove again into Haskell programming when working on the git-annex security update. But I also have a small Haskell program of my own - a Pandoc filter that I use to convert the HTML articles I publish on LWN.net into an Ikiwiki-compatible markdown version. It turns out the script was still missing a bunch of stuff: image sizes, proper table formatting, etc. I also worked hard on automating more bits of the publishing workflow by extracting the time from the article, which allowed me to simply extract the full article into an almost final copy just by specifying the article ID. The only thing left is to add tags, and the article is complete.

In the process, I learned about new weird Haskell constructs. Take this code, for example:

    -- remove needless blockquote wrapper around some tables
    --
    -- haskell newbie tips:
    --
    -- @ is the "at-pattern", allows us to define both a name for the
    -- construct and inspect the contents at once
    --
    -- {} is the "empty record pattern": it basically means "match the
    -- arguments but ignore the args"
    cleanBlock (BlockQuote t@[Table {}]) = t

Here the idea is to remove <blockquote> elements needlessly wrapping a <table>. I can't specify the Table type on its own, because then I couldn't address the table as a whole, only its parts. I could reconstruct the whole table bit by bit, but it wasn't as clean.

The other pattern was how to, at last, address multiple string elements, which was difficult because Pandoc treats spaces specially:

    cleanBlock (Plain (Strong (Str "Notifications":Space:Str "for":Space:Str "all":Space:Str "responses":_):_)) = []

The last bit that drove me crazy was the date parsing:

    -- the "GAByline" div has a date, use it to generate the ikiwiki dates
    --
    -- this is distinct from cleanBlock because we do not want to have to
    -- deal with time there: it is only here we need it, and we need to
    -- pass it in here because we do not want to mess with IO (time is I/O
    -- in haskell) all across the function hierarchy
    cleanDates :: ZonedTime -> Block -> [Block]
    -- this mouthful is just the way the data comes in from
    -- LWN/Pandoc. there could be a cleaner way to represent this,
    -- possibly with a record, but this is complicated and obscure enough.
    cleanDates time (Div (_, [cls], _)
                     [Para [Str month, Space, Str day, Space, Str year], Para _])
      | cls == "GAByline" =
          ikiwikiRawInline (ikiwikiMetaField "date"
                             (iso8601Format (parseTimeOrError True defaultTimeLocale "%Y-%B-%e,"
                                               (year ++ "-" ++ month ++ "-" ++ day) :: ZonedTime)))
          ++ ikiwikiRawInline (ikiwikiMetaField "updated" (iso8601Format time))
          ++ [Para []]
    -- other elements just pass through
    cleanDates time x = [x]

Now that seems just dirty, but it was even worse before. One thing I find difficult in adapting to coding in Haskell is that you need to take the habit of writing smaller functions. The language is really not well adapted to long discourse: it's more about getting small things connected together. Other languages (e.g. Python) discourage this because there's some overhead in calling functions (10 nanoseconds in my tests, but still), whereas functions are a fundamental and important construction in Haskell that are much more heavily optimized. So I constantly need to remind myself to split things up early, otherwise I can't do anything in Haskell.

Other languages are more lenient, which does mean my code can be more dirty, but I feel I get things done faster that way. The oddity of Haskell makes it frustrating to work with. It's like doing construction work but you're not allowed to get the floor dirty. When I build stuff, I don't mind things being dirty: I can clean up afterwards. This is especially critical when you don't actually know how to make things clean in the first place, as Haskell will simply not let you do that at all.

And obviously, I fought with Monads, or, more specifically, "I/O" or IO in this case. Turns out that getting the current time is IO in Haskell: indeed, it's not a "pure" function that will always return the same thing. But this means that I would have had to change the signature of all the functions that touched time to include IO. I eventually moved the time initialization up into main so that I had only one IO function and moved that timestamp downwards as a simple argument. That way I could keep the rest of the code clean, which seems to be an acceptable pattern.

I would of course be happy to get feedback from my Haskell readers (if any) to see how to improve that code. I am always eager to learn.

Git remote MediaWiki

Few people know that there is a MediaWiki remote for Git which allows you to mirror a MediaWiki site as a Git repository. As a disaster recovery mechanism, I have been keeping such a historical backup of the Amateur radio wiki for a while now. This originally started as a homegrown Python script to also convert the contents to Markdown. My theory then was to see if we could switch from Mediawiki to Ikiwiki, but it took so long to implement that I never completed the work.

When someone had the weird idea of renaming a page to some impossibly long name on the wiki, my script broke. I tried to look at fixing it and then remembered I also had a mirror running using the Git remote. It turns out it also broke on the same issue and that got me looking into the remote again. I got lost in a zillion issues, including fixing that specific issue, but I especially looked at the possibility of fetching all namespaces because I realized that the remote fetches only a part of the wiki by default. And that drove me to submit namespace support as a patch to the git mailing list. Finally, the discussion came back to how to actually maintain that contrib: in git core or outside? Finally, it looks like I'll be doing some maintenance on that project outside of git, as I was granted access to the GitHub organisation...

Galore Yak Shaving

Then there's the usual hodgepodge of fixes and random things I did over the month.

There is no [web extension] only XUL! - Inside joke

Categories: External Blogs

Analyzing Song Lyrics

Linux Journal - Thu, 11/02/2017 - 07:06

I was reading about the history of The Beatles a few days ago and bumped into an interesting fact. According to the author, The Beatles used the word "love" in their songs more than 160 times. At first I thought, "cool", but the more I thought about it, the more I became skeptical about the figure. In fact, I suspect that the word "love" shows up considerably more than 160 times. more>>

Categories: Linux News

Testing the Waters: How to Perform Internal Phishing Campaigns

Linux Journal - Tue, 10/31/2017 - 08:50

Phishing is one of the most dangerous threats to modern computing. Phishing attacks have evolved from sloppily written mass email blasts to targeted attacks designed to fool even the most cautious users. No defense is bulletproof, and most experts agree education and common sense are the best tools to combat the problem. more>>

Categories: Linux News

The Wire

Linux Journal - Mon, 10/30/2017 - 07:09

In the US, there has been recent concern over ISPs turning over logs to the government. During the past few years, the idea of people snooping on our private data (by governments and others) really has made encryption more popular than ever before. One of the problems with encryption, however, is that it's generally not user-friendly to add its protection to your conversations. more>>

Categories: Linux News

InfluxData

Linux Journal - Fri, 10/27/2017 - 12:03

What is ephemeral data, you ask? InfluxData can supply the answer, because handling it is the business of the company's InfluxData open-source platform that is custom-built for metrics and events. more>>

Categories: Linux News

Live Stream Your Pets with Linux and YouTube!

Linux Journal - Thu, 10/26/2017 - 06:53

Anyone who reads Linux Journal knows about my fascination with birdwatching. I've created my own weatherproof video cameras with a Raspberry Pi. I've posted instructions on how to create your own automatically updating camera image page with JavaScript. Heck, I even learned CSS so I could make a mobile-friendly version of BirdCam that filled the screen in landscape mode. more>>

Categories: Linux News

Neuranet's Flexitive

Linux Journal - Wed, 10/25/2017 - 10:24

The new Interactive Advertising Bureau (IAB) Standard Ad Unit Portfolio's support for flexible ads is intended to improve the ad experience for users and boost revenue potential for advertisers. more>>

Categories: Linux News