Aggregator

At Rest Encryption

2 months ago
by Kyle Rankin

Learn why at rest encryption doesn't mean encryption when your laptop is asleep.

There are many steps you can take to harden a computer, and a common recommendation you'll see in hardening guides is to enable disk encryption. Disk encryption also often is referred to as "at rest encryption", especially in security compliance guides, and many compliance regimes, such as PCI, mandate the use of at rest encryption. This term refers to the fact that data is encrypted "at rest" or when the disk is unmounted and not in use. At rest encryption can be an important part of system-hardening, yet many administrators who enable it, whether on workstations or servers, may end up with a false sense of security if they don't understand not only what disk encryption protects you from, but also, and more important, what it doesn't.

What Disk Encryption Does

In the context of Linux servers and workstations, disk encryption generally means you are using a system such as LUKS to encrypt either the entire root partition or only a particularly sensitive mountpoint. For instance, some Linux distributions offer the option of leaving the root partition unencrypted, and they encrypt each user's /home directories independently, to be unlocked when the user logs in. In the case of servers, you might leave root unencrypted and add encryption only to specific disks that contain sensitive data (like database files).

In a workstation, you notice when a system is encrypted at rest because it will prompt you for a passphrase to unlock the disk at boot time. Servers typically are a bit trickier, because usually administrators prefer that a server come back up after a reboot without manual intervention. Although some servers may provide a console-based prompt to unlock the disk at boot time, administrators are more likely to have configured LUKS so that the key resides on a separate unencrypted partition. Or, the server may retrieve the key from the network using their configuration management or a centralized secrets management tool like Vault, so there is less of a risk of the key being stolen by an attacker with access to the filesystem.
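The key placements described above (boot-time prompt, key file on a local partition, key fetched by a helper) can be read back out of a host's crypttab. The following is an added example, not code from the article: it classifies each entry by where its unlock key comes from. The sample table, device names, key path and the fetch-key helper are constructed or hypothetical, and keyscript= is the Debian crypttab option.

```python
# Added example: classify crypttab entries by where the unlock key comes from.
# SAMPLE_CRYPTTAB is constructed; device names and paths are hypothetical.
SAMPLE_CRYPTTAB = """\
# <name>    <device>    <key file>            <options>
root_crypt  /dev/sda2   none                  luks
data_crypt  /dev/sdb1   /boot/keys/data.key   luks
swap_crypt  /dev/sda3   /dev/urandom          swap,cipher=aes-xts-plain64
pg_crypt    /dev/sdc1   pg-data               luks,keyscript=/usr/local/sbin/fetch-key
"""

NOTES = {
    "prompt": "passphrase typed at boot; no key material stored on the host",
    "keyfile": "key read from a local file; whoever takes that filesystem "
               "along with the disk can unlock it",
    "ephemeral": "random key per boot; contents are unrecoverable after power-off",
    "script": "key produced by a helper (Debian keyscript= option), "
              "for example fetched over the network",
}


def parse_crypttab(text):
    """Yield (name, device, keyfile, options) for each non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: a name with no device
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = fields[3].split(",") if len(fields) > 3 else []
        yield fields[0], fields[1], keyfile, options


def classify(keyfile, options):
    """Return one of the NOTES keys for an entry's key source."""
    if any(opt.startswith("keyscript=") for opt in options):
        return "script"
    if keyfile in ("none", "-"):
        return "prompt"
    if keyfile in ("/dev/urandom", "/dev/random"):
        return "ephemeral"
    return "keyfile"


def audit(text):
    """Map each volume name to its key-source category."""
    return {name: classify(keyfile, options)
            for name, _device, keyfile, options in parse_crypttab(text)}


if __name__ == "__main__":
    for volume, kind in audit(SAMPLE_CRYPTTAB).items():
        print(f"{volume:12} {kind:10} {NOTES[kind]}")
```

Entries reported as "keyfile" are the ones to review: the volume is only as protected as the filesystem holding that key.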

The main thing that at rest encryption protects you from is data loss due to theft or improper decommissioning of hard drives. If someone steals your laptop while it's powered off, your data will be protected. If someone goes into a data center and physically removes drives from a server with at rest encryption in place, the drives will spin down, and the data on them will be encrypted. The same goes for disks in a server that has been retired. Administrators are supposed to perform secure wiping or full disk destruction procedures to remove sensitive data from drives before disposal, but if the administrator was lazy, disk encryption can help ensure that the data is still protected if it gets into the wrong hands.


Pinguy OS Puts On a Happier GNOME 3 Face

2 months 1 week ago
Pinguy OS 18.04 is an Ubuntu-based distribution that offers a non-standard GNOME desktop environment intended to be friendlier for new Linux users. This distro is a solid Linux OS with a focus on simple and straightforward usability for the non-geek desktop user. If you do not like tinkering with settings or having numerous power-grabbing fancy screen animations, Pinguy OS could be a good choice.
Jack M. Germain

Open Source at 20

2 months 1 week ago
by Doc Searls

Open source software has been around for a long time. But calling it open source only began in 1998. Here's some history:

Christine Peterson came up with the term "open source software" in 1997 and (as she reports at that link) a collection of like-minded geeks decided on February 3, 1998 to get behind it in a big way. Eric S. Raymond became the lead evangelist when he published Goodbye, "free software"; hello, "open source" on February 8th. Bruce Perens led creating the Open Source Initiative later that month. Here at Linux Journal, we were all over it from the start as well. (Here's one example.)

"Open source" took off so rapidly that O'Reilly started OSCON the next year, making this year's OSCON, happening now, the 19th one. (FWIW, at the 2005 OSCON, O'Reilly and Google together gave me an award for "Best Communicator" on the topic. I was at least among the most enthusiastic.)

Google's Ngram Viewer, which searches through all scanned books from 1800 to 2008, shows (see above) that use of "open source" hockey-sticked quickly. Today on Google, "open source" gets 116 million results.

But interest has been trailing off, as we see from Google Trends, which follows "interest over time." Here's how that looks since 2004:


IBM's New Security-First Nabla Container, Humble Bundle's "Linux Geek Bundle", Updates on the Upcoming Atari VCS Console, Redesigned Files App for Chromebooks and Catfish 1.4.6 Released

2 months 1 week ago

News briefs for July 17, 2018.

IBM has a new container called Nabla designed for security first, ZDNet reports. IBM claims it's "more secure than Docker or other containers by cutting operating system calls to the bare minimum and thereby reducing its attack surface as small as possible". See also this article for more information on Nabla and this article on how to get started running the containers.

Humble Bundle is offering a "Linux Geek Bundle" of ebooks from No Starch Press for $1 (or more—your choice) right now, in connection with It's FOSS. The Linux Geek bundle's books are worth $571 and are available in PDF, ePUB and MOBI format, and are DRM-free. Part of the purchase price will be donated to the EFF. See the It's FOSS post for the list of titles and more info.

More information on the upcoming Atari VCS console due to launch next year has been released in a Q&A on Medium with Rob Wyatt, System Architect for the Atari VCS project. Rob provides more details on the hardware specs: "The VCS hardware will be powered by an AMD Bristol Ridge family APU with Radeon R7 graphics and is now going to get 8 gigabytes of unified memory. This is a huge upgrade from what was originally specified and unlike other consoles it's all available, we won't reserve 25% of hardware resources for system use." In addition, the Q&A covers the Atari VCS "open platform" and "Sandbox", compatible controllers and more.

Google's Chrome OS team is working on redesigning its Files app for Chromebooks "with a new 'My Files' section that promises to help you better organize your local files, including those from any Android and Linux apps you might have installed." See the Softpedia News post for more information on this redesigned app for Android and Linux files and how to test it via the Chrome OS Canary experimental channel.

Catfish 1.4.6 has been released, and it has now officially joined the Xfce family. According to the announcement, it's "lightweight, fast, and a perfect companion to the Thunar file manager. With the transition from Launchpad to Xfce, things have moved around a bit. Update your bookmarks accordingly!" Other new features include an improved thumbnailer, translation updates and several bug fixes. New releases of Catfish now can be found at the Xfce release archive.

Jill Franklin

A Look at Google's Project Fi

2 months 1 week ago
by Shawn Powers

Google's Project Fi is a great cell-phone service, but the data-only SIMs make it incredible for network projects!

I have a lot of cell phones. I have iPhones (old and new), Android phones (old, new, very old and funny-shaped), and I have a few legacy phones that aren't either Android or iPhone. Remember Maemo? Yeah, and I still have one of those old Nokia phones somewhere too. Admittedly, part of the reason I have such a collection is that I tend to hoard nostalgic technology, but part of it is practical too.

I've used phones as IP cameras for BirdTopia (my recorded and streamed bird-feeder collection). I've created WiFi-only audiobook devices that I use when I'm out and about. I've used old phones as SONOS remotes, Plex players, Chromecast initiators and countless other tasks that tiny little computers are perfect for doing. One of the frustrating things about using old cell phones for projects like that though is they only have WiFi access, because adding multiple devices to a cell plan becomes expensive quickly. That's not the case anymore, however, thanks to Google's Project Fi.

Most people love Project Fi because of the tower-hopping features or because of the fair pricing. I like those features too, but the real bonus for me is the "data only" SIM option. Like most people, I rarely make phone calls anymore, and there are so many chat apps, texting isn't very important either. With most cell-phone plans, there's an "access" fee per line. With Project Fi, additional devices don't cost anything more! (But, more about that later.) The Project Fi experience is worth investigating.

What's the Deal?

Project Fi is a play on the term "WiFi" and is pronounced "Project Fye", as opposed to "Project Fee", which is what I called it at first. Several features set Project Fi apart from other cell-phone plans.

First, Project Fi uses towers from three carriers: T-Mobile, US Cellular and Sprint. When using supported hardware, Project Fi constantly monitors signal strength and seamlessly transitions between the various towers. Depending on where you live, this can mean constant access to the fastest network or a better chance of having any coverage at all. (I'm in the latter group, as I live in a rural area.)

The second standout feature of Project Fi is the pricing model. Every phone pays a $20/month fee for unlimited calls and texts. On top of that, all phones and devices share a data pool that costs $10/GB. The data cost isn't remarkably low, but Google handles it very well. I recently discovered that it's not billed in full $10 increments (Figure 1). If you use 10.01GB of data, you pay $10.01, not $20.
