Mozilla's Firefox Nightly Experiment Results, EFF's Back to School Tips, HHVM 3.28 Released, Oracle Solaris 11.4 Now Available and Dropbox Vulnerability Discovered

3 weeks 4 days ago

News briefs for August 29, 2018.

Mozilla posted the results of its planned Firefox nightly experiment involving secure DNS via the DNS over HTTPS (DoH) protocol. The experiment focused on two questions: "Does the use of a cloud DNS service perform well enough to replace traditional DNS?" and "Does the use of a cloud DNS service create additional connection errors?" See the Mozilla Blog for details.

The EFF yesterday posted its Back to School Essentials for Security—great tips whether or not you're currently a student.

HHVM 3.28 was released yesterday. This new release of the open-source virtual machine for executing programs written in Hack and PHP "contains new language features, bugfixes, performance improvements, and improvements to the debugger and editor/IDE support."

Oracle Solaris 11.4 has been released. Scott Lynn, Director of Product Management, Oracle Linux and Oracle Solaris, writes "There have been 175 development builds to get us to Oracle Solaris 11.4. We've tested Oracle Solaris 11.4 for more than 30 million machine hours. Over 50 customers have already put Oracle Solaris 11.4 into production and it already has more than 3000 applications certified to run on it. Oracle Solaris 11.4 is the first and, currently, the only operating system that has completed UNIX V7 certification."

A vulnerability in Microsoft's cloud storage solution Dropbox was discovered recently. According to Appuals, this DLL hijacking and code execution vulnerability affects Dropbox's version 54.5.90, and "a user whose device is undergoing this exploit won't realize it until the process has been exploited to inject malware into the system. The DLL injection and execution runs in the background without requiring any user input to run its arbitrary code."

News PHP Programming Virtual Machines Oracle Mozilla Firefox Security DNS eff Dropbox
Jill Franklin

Creating the Concentration Game PAIRS with Bash

3 weeks 4 days ago
by Dave Taylor

Exploring the nuances of writing a pair-matching memory game and one-dimensional arrays in Bash.

I've always been a fan of Rudyard Kipling. He wrote some great novels and stories, mostly about British colonial-era India. Politically correct in our modern times? Not so much, but still, his books are good fun for readers and still are considered great literature of its time. His works include The Jungle Book, Captains Courageous, The Just So Stories and The Man Who Would Be King, among many others.

He also wrote a great spy novel about a young English boy who is raised as an Indian native and thence recruited by the British government as a spy. The boy's name is the title of the book: Kim. In the story, Kim is trained to have an eidetic memory with a memory game that involves being shown a tray of stones of various shapes, sizes and colors. Then it's hidden, and he has to recite as many patterns as he can recall.

For some reason, that scene has always stuck with me, and I've even tried to teach my children to be situationally aware through similar games like "Close your eyes. Now, what color was the car that just passed us?" Since most of us are terrible observers (see, for example, how conflicting eyewitness accident reports can be), it's undoubtedly good practice for general observations about life.

Although it's tempting to try to duplicate this memory game as a program, the reality is that with just a shell script, it would be difficult. Perhaps you display a random pattern of letters and digits in a grid, then clear the screen, then ask the user to enter patterns, but that's really much more of a game for a screen-oriented, graphical application—not shell scripts.

But, there's a simplified version of this that you can play with a deck of cards: Concentration. You've probably played it yourself at some point in your life. You place the cards face down in a grid and then flip up two at a time to try to find pairs. At the beginning, it's just random guessing, but as the game proceeds, it becomes more about your spatial memory, and by the end, good players know what just about every unflipped card is at the beginning of their turn.

Designing PAIRS

That, of course, you can duplicate as a shell script, and since it is going to be a shell script, you also can make the number of pairs variable. Let's call this game PAIRS.

As a minimum, let's go with four pairs, which should make debugging easy. Since there's no real benefit to duplicating playing card values, it's just as easy to use letters, which means a max of 26 pairs, or 52 slots. Not every value is going to produce a proper spread or grid, but if you aim for 13 per line, players then can play with anywhere from 1–4 lines of possibilities.

Go to Full Article
Dave Taylor

3D-Printed Firearms Are Blowing Up

3 weeks 5 days ago
by Kyle Rankin

What's the practical risk with 3D-printed firearms today? In this opinion piece, Kyle explores the current state of the art.

If you follow 3D printing at all, and even if you don't, you've likely seen some of the recent controversy surrounding Defense Distributed and its 3D-printed firearm designs. If you haven't, here's a brief summary: Defense Distributed has created 3D firearm models and initially published them for free on its DEFCAD website a number of years ago. Some of those 3D models were designed to be printed with a traditional home hobbyist 3D printer (at least in theory), and other designs were for Defense Distributed's "Ghost Gunner"—a computer-controlled CNC mill aimed at milling firearm parts out of metal stock. The controversy that ensued was tied up in the general public debate about firearms, but in particular, a few models got the most attention: a model of an AR-15 lower receiver (the part of the rifle that carries the serial number) and "the Liberator", which was a fully 3D-printed handgun designed to fire a single bullet. The end result was that the DEFCAD site was forced to go offline (but as with all website take-downs, it was mirrored a million times first), and Defense Distributed has since been fighting the order in court.

The political issues raised in this debate are complicated, controversial and have very little to do with Linux outside the "information wants to be free" ethos in the community, so I leave those debates for the many other articles on this issue that already have been published. Instead, in this article, I want to use my background as a hobbyist 3D printer and combine it with my background in security to build a basic risk assessment that cuts through a lot of the hype and political arguments on all sides. I want to consider the real, practical risks with the 3D models and the current Ghost Gunner CNC mill that Defense Distributed provides today. I focus my risk assessment on three main items: the 3D-printed AR-15 lower receiver, the Liberator 3D-printed handgun and the Ghost Gunner CNC mill.

3D-Printed AR-15 Lower Receiver

This 3D model was one of the first items Defense Distributed shared on DEFCAD. In case you aren't familiar with the AR-15, its modular design is one of the reasons for its popularity. Essentially every major part of the rifle has numerous choices available that are designed to integrate with the rest of the rifle, and you can find almost all of the parts you need to assemble this rifle online, order them independently, and then build your own—that is, except for the lower receiver. That part of the rifle is what the federal government considers "the rifle", as it is the part that's stamped with the serial number that uniquely identifies and registers one particular rifle versus all of the others out there in the world. This part has restrictions like you would find with a regular rifle, revolver or other firearm.

Go to Full Article
Kyle Rankin

Kali Linux's New Version 2018.3, Open-Source License War, Lenovo Announces Five New Android Tablets, Google Releases Open-Source Reinforcement Learning Framework and KD Chart Update

3 weeks 5 days ago

News briefs for August 28, 2018.

Kali Linux recently announced its third release of 2018. Version 2018.3 features several new tools: idb, an iOS research/penetration-testing tool; gdb-peda, Python Exploit Development Assistance for GDB; datasploit, OSINT Framework to perform various recon techniques; and kerberoast, Kerberos assessment tools. See the Change Log for more information on all the changes, and download Kali from here.

A new open-source license war has begun. According to the ZDNet, Redis Labs has added the Commons Clause to its license for Redis, the open-source, in-memory data structure store that "enables real-time applications such as advertising, gaming financial services, and IoT to work at speed". This license "forbids you from selling the software. It also states you may not host or offer consulting or support services as 'a product or service whose value derives, entirely or substantially, from the functionality of the software'".

Lenovo has released a new generation of Android tablets for home and entertainment use: "the Lenovo Tab E7, Lenovo Tab E8, Lenovo Tab E10, as well as new mainstream and premium tablets, the Lenovo Tab M10 and Lenovo Tab P10". See the press release for more details on these affordable, thin and light tablets.

Google released an open-source reinforcement learning framework based on TensorFlow for training AI models. It's available on GitHub. Venture Beat quotes Pablo Samuel Castro and Marc G. Bellemare, researchers on the Google Brain Team, on the platform: "Inspired by one of the main components in reward-motivated behavior in the brain and reflecting the strong historical connection between neuroscience and reinforcement learning research, this platform aims to enable the kind of speculative research that can drive radical discoveries."

KD Chart has a new release. The latest release of this open-source Qt component for creating business charts builds with modern Qt versions (up to Qt 5.10), improves tooltip handling and now "includes Stock Charts, Box & Whisker Charts and the KD Gantt module for implementing ODF Gantt charts into applications". You can get it from here.

News Kali Linux Security licensing Redis Lenovo Android Mobile Google AI qt
Jill Franklin

Cleaning Your Inbox with Mutt

3 weeks 5 days ago
by Kyle Rankin

Teach Mutt yet another trick: how to filter messages in your Inbox with a simple macro.

I'm a longtime Mutt user and have written about it a number of times in Linux Journal. Although many people may think it's strange to be using a command-line-based email client in 2018, I find a keyboard-driven email client so much more efficient than clicking around in a web browser. Mutt is extremely customizable, which presents a steep learning curve at first, but now that I'm a few decades in, my Mutt configuration is pretty ideal and fits me like a tailored suit.

Of course, as with any powerful and configurable tool, every now and then I learn of a new Mutt feature that improves my quality of life dramatically. In this case, I was using an email system that didn't offer server-side filters. Because I was a member of many different email groups and aliases, this meant that my Inbox was flooded with emails of all kinds, and it became difficult to filter through all the unimportant email I wanted to archive with the emails that demanded my immediate attention.

There are many ways to solve this problem, some of which involve tools like offlineimap combined with filtering tools. With email clients like Thunderbird, you also can set up filters that automatically move email to other folders every time you sync. I wanted a similar system with Mutt, except I didn't want it to happen automatically. I wanted to be able to press a key first so I could confirm what was moving. In the process of figuring this out, I discovered a few gotchas I think other Mutt users will want to know about if they set up a similar system.

Tagging Emails

The traditional first step when setting up a keyboard macro to move email messages based on a pattern would be to use Mutt's tagging-by-pattern feature (by default, the T key) to tag all the messages in a folder that match a certain pattern. For instance, if all of your cron emails have "Cron Daemon" in the subject line, you would type the following key sequence to tag all of those messages:

TCron Daemon

That's the uppercase T, followed by the pattern I want to match in the subject line (Cron Daemon) and then the Enter key. If I type that while I'm in my Mutt index window that shows me all the emails in my Inbox, it will tag all of the messages that match that pattern, but it won't do anything with them yet. To act on all of those messages, I press the ; key (by default), followed by the action I want to perform. So to save all of the tagged email to my "cron" folder, I would type:

Go to Full Article
Kyle Rankin

Everything You Need to Know about Linux Containers, Part II: Working with Linux Containers (LXC)

3 weeks 6 days ago
by Petros Koutoupis

Part I of this Deep Dive on containers introduces the idea of kernel control groups, or cgroups, and the way you can isolate, limit and monitor selected userspace applications. Here, I dive a bit deeper and focus on the next step of process isolation—that is, through containers, and more specifically, the Linux Containers (LXC) framework.

Containers are about as close to bare metal as you can get when running virtual machines. They impose very little to no overhead when hosting virtual instances. First introduced in 2008, LXC adopted much of its functionality from the Solaris Containers (or Solaris Zones) and FreeBSD jails that preceded it. Instead of creating a full-fledged virtual machine, LXC enables a virtual environment with its own process and network space. Using namespaces to enforce process isolation and leveraging the kernel's very own control groups (cgroups) functionality, the feature limits, accounts for and isolates CPU, memory, disk I/O and network usage of one or more processes. Think of this userspace framework as a very advanced form of chroot.

Note: LXC uses namespaces to enforce process isolation, alongside the kernel's very own cgroups to account for and limit CPU, memory, disk I/O and network usage across one or more processes.

But what exactly are containers? The short answer is that containers decouple software applications from the operating system, giving users a clean and minimal Linux environment while running everything else in one or more isolated "containers". The purpose of a container is to launch a limited set of applications or services (often referred to as microservices) and have them run within a self-contained sandboxed environment.

Note: the purpose of a container is to launch a limited set of applications or services and have them run within a self-contained sandboxed environment.

Figure 1. A Comparison of Applications Running in a Traditional Environment to Containers

This isolation prevents processes running within a given container from monitoring or affecting processes running in another container. Also, these containerized services do not influence or disturb the host machine. The idea of being able to consolidate many services scattered across multiple physical servers into one is one of the many reasons data centers have chosen to adopt the technology.

Container features include the following:

Go to Full Article
Petros Koutoupis

New Raspberry Pi PoE HAT, UBports Foundation Releases Ubuntu Touch OTA-4, OpenSSH 7.8 Now Available, KDE Enhancements and Seagate Media Server SQL Injection Vulnerabilities,

4 weeks ago

News briefs for August 27, 2018.

Raspberry Pi Trading is offering a Power-over-Ethernet HAT board for the RPi 3 Model B+ for $20 that ships with a small fan. Linux Gizmos notes that the "802.3af-compliant 'Raspberry Pi PoE HAT' allows delivery of up to 15W over the RPi 3 B+'s USB-based GbE port without reducing the port's up to 300Mbps bandwidth." To purchase, visit here.

UBports Foundation has released Ubuntu Touch OTA-4. This release features Ubuntu 16.04 and includes many security fixes and stability improvements. UBports notes that "We believe that this is the 'official' starting point of the UBports project. From the point when Canonical dropped the project until today, the community has been playing 'catch up' in development, infrastructure, and community building. This release shows that the community is soundly based and capable of delivering."

OpenSSH 7.8 was released August 24, 2018, and is available from its mirrors at

KDE developers continue to enhance KDE. According to Phoronix, the latest usability and productivity improvements include a new Plasmoid that brings easy access to the screen layout switcher, the logout screen will now warn you when other users are still logged in, new thumbnails for AppImages and more.

Several SQL injection vulnerabilities were discovered in the Seagate Media Server. Evidently the public folder facility "can be abused by malicious attackers when they upload troublesome files and media to the folder in the cloud". See the Appuals post for more details about this exploit.

News Raspberry Pi Ubuntu Touch UBports OpenSSH KDE Plasma
Jill Franklin

Intel Reworks Microcode Security Fix License after Backlash, Intel's FSP Binaries Also Re-licensed, Valve Releases Beta of Steam Play for Linux, Chromebooks Running Linux 3.4 or Older Won't Get Linux App Support and Windows 95 Now an App

4 weeks 2 days ago

News briefs for August 24, 2018.

Intel has now reworked the license for its microcode security fix after outcry from the community. The Register quotes Imad Sousou, corporate VP and general manager of Intel Open Source Technology Center, "We have simplified the Intel license to make it easier to distribute CPU microcode updates and posted the new version here. As an active member of the open source community, we continue to welcome all feedback and thank the community."

Intel also has re-licensed its FSP binaries, which are used by Coreboot, LinuxBoot and Facebook's Open Compute Project, so that they are under the same license as the CPU microcode files. According to the Phoronix post, "The short and unofficial summary of that license text is it allows for redistribution (and benchmarking, if so desired) of the binaries and the restricts essentially come down to no reverse-engineering/disassembly of the binaries and respecting the copyright."

Valve announced this week that it's releasing the Beta of a new and improved Steam Play version to Linux. The new version includes "a modified distribution of Wine, called Proton, to provide compatibility with Windows game titles." Other improvements include DirectX 11 and 12 implementations are now based on Vulkan, full-screen support has been improved, game controller support has been improved, and "Windows games with no Linux version currently available can now be installed and run directly from the Linux Steam client, complete with native Steamworks and OpenVR support".

Linux app support will be available soon for many Chromebooks, but a post on the Chromium Gerrit indicates that devices running Linux 3.14 or older will not be included. See this beta news article for a full list of the Chromebooks that won't be able to run Linux apps.

Windows 95 is now an app you can run on Linux, macOS and Windows thanks to Slack developer Felix Rieseberg who created the electron app. See The Verge for more details. The source code and app installers are available on GitHub.

News Intel licensing Valve gaming Chromebooks Windows
Jill Franklin