Linux Journal

New Linux Malware Called EvilGnome Discovered; First Preview of Fedora CoreOS Now Available; Germany Bans Schools from Using Microsoft, Google and Apple; VirtualBox 6.0.10 Released; and Sparky 5.8 Has New Live/Install Media for Download

12 hours 47 minutes ago

News briefs for July 18, 2019.

New Linux malware has been discovered that masquerades as a GNOME shell extension and spies on users. Bleeping Computer reports that Intezer Labs' researchers made the discovery earlier this month, and they say that "EvilGnome's functionalities include desktop screenshots, file stealing, allowing capturing audio recording from the user's microphone and the ability to download and execute further modules. The implant contains an unfinished keylogger functionality, comments, symbol names and compilation metadata which typically do not appear in production versions." See Intezer's blog for more on EvilGnome.

Fedora recently announced the first preview release of Fedora CoreOS. From the announcement: "Fedora CoreOS is built to be the secure and reliable host for your compute clusters. It's designed specifically for running containerized workloads without regular maintenance, automatically updating itself with the latest OS improvements, bug fixes, and security updates. The initial preview release of Fedora CoreOS runs on bare metal, QEMU, VMware, and AWS, on x86_64 only." Go here to download and get started with Fedora CoreOS.

Germany has banned its schools from using cloud-based productivity suites from Microsoft, Google, and Apple, because the companies weren't meeting the country's privacy requirements. Naked Security reports that the statement from the Hessische Beauftragte für Datenschutz und Informationsfreiheit (Hesse Commissioner for Data Protection and Freedom of Information, or HBDI) said, "The digital sovereignty of state data processing must be guaranteed. With the use of the Windows 10 operating system, a wealth of telemetry data is transmitted to Microsoft, whose content has not been finally clarified despite repeated inquiries to Microsoft. Such data is also transmitted when using Office 365." The HBDI also stressed that "What is true for Microsoft is also true for the Google and Apple cloud solutions. The cloud solutions of these providers have so far not been set out transparently and comprehensibly. Therefore, it is also true that for schools, privacy-compliant use is currently not possible."

VirtualBox 6.0.10 was released this week. According to Linux Uprising, it's a maintenance release with mostly bug fixes, but it does have one main new addition: "support for UEFI secure boot driver signing on Ubuntu and Debian 10+ hosts". See the full Changelog for more details.

Sparky 5.8 "Nibiru" has new live/install media available to download. This is the first release of the stable line based on Debian 10 "Buster". Changes include Linux kernel 4.19.37-5 (i686 and amd64) and 4.19.57-v7 (ARMHF), the Calamares installer updated to 3.2.11, removal of old third-party repositories and much more. Go here to download the Sparky stable edition.

Jill Franklin

Shrinking Linux Attack Surfaces

15 hours 18 minutes ago
by Zack Brown

Often, a kernel developer will try to reduce the size of an attack surface against Linux, even if it can't be closed entirely. It's generally a toss-up whether such a patch makes it into the kernel. Linus Torvalds always prefers security patches that really close a hole, rather than just give attackers a slightly harder time of it.

Matthew Garrett recognized that userspace applications might have secret data that might be sitting in RAM at any given time, and that those applications might want to wipe that data clean so no one could look at it.

There were various ways to do this already in the kernel, as Matthew pointed out. An application could use mlock() to prevent its memory contents from being pushed into swap, where it might be read more easily by attackers. An application also could use atexit() to cause its memory to be thoroughly overwritten when the application exited, thus leaving no secret data in the general pool of available RAM.

The problem, Matthew pointed out, came if an attacker was able to reboot the system at a critical moment—say, before the user's data could be safely overwritten. If attackers then booted into a different OS, they might be able to examine the data still stored in RAM, left over from the previously running Linux system.

As Matthew also noted, the existing way to prevent even that was to tell the UEFI firmware to wipe system memory before booting to another OS, but this would dramatically increase the amount of time it took to reboot. And if the good guys had won out over the attackers, forcing them to wait a long time for a reboot could be considered a denial of service attack—or at least downright annoying.

Ideally, Matthew said, if the attackers were only able to induce a clean shutdown—not simply a cold boot—then there needed to be a way to tell Linux to scrub all data out of RAM, so there would be no further need for UEFI to handle it, and thus no need for a very long delay during reboot.

Matthew explained the reasoning behind his patch. He said:

Unfortunately, if an application exits uncleanly, its secrets may still be present in RAM. This can't be easily fixed in userland (eg, if the OOM killer decides to kill a process holding secrets, we're not going to be able to avoid that), so this patch adds a new flag to madvise() to allow userland to request that the kernel clear the covered pages whenever the page reference count hits zero. Since vm_flags is already full on 32-bit, it will only work on 64-bit systems.

Matthew Wilcox liked this plan and offered some technical suggestions for Matthew G's patch, and Matthew G posted an updated version in response.
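As an added example (it is not code from the kernel thread, and not Matthew Garrett's patch), the C program below shows the userspace-only defence the article describes: a key held in an mlock()'d buffer so it never reaches swap, scrubbed by an atexit() handler that writes through a volatile pointer so the compiler cannot drop the stores as dead. Run it and the wipe happens; kill it with SIGKILL or let the OOM killer take it and the handler never runs, which is exactly the gap the madvise() flag is meant to close. The kernel-side flag itself is not shown because the article does not give its name. SAMPLE_KEY is a constructed value and the function names are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

#define SECRET_LEN 32

/* Constructed sample key for the demonstration, not a real secret. */
const unsigned char SAMPLE_KEY[SECRET_LEN + 1] = "0123456789abcdef0123456789abcdef";

/* Static buffer so the address handed to mlock()/munlock() is stable. */
static unsigned char secret[SECRET_LEN];
static int secret_locked;

/* Zero memory through a volatile pointer: a plain memset() right before
 * exit or free() may be optimised away as a dead store; these will not. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* atexit() handler: scrub the secret and release the page lock. This runs
 * only on a clean exit. A SIGKILL or an OOM kill never reaches it, so the
 * key would stay in RAM, which is the case the kernel-side flag addresses. */
void wipe_secret(void)
{
    secure_wipe(secret, SECRET_LEN);
    if (secret_locked) {
        munlock(secret, SECRET_LEN);
        secret_locked = 0;
    }
}

/* Copy a key into the locked buffer and register the exit-time wipe.
 * Returns 1 if the page was locked, 0 if mlock() failed (for example under
 * RLIMIT_MEMLOCK) so the key may still be swapped out, -1 on bad input. */
int secret_init(const unsigned char *key, size_t len)
{
    if (!key || len != SECRET_LEN)
        return -1;
    secret_locked = (mlock(secret, SECRET_LEN) == 0);
    memcpy(secret, key, SECRET_LEN);
    atexit(wipe_secret);
    return secret_locked;
}

/* 1 if no non-zero byte remains in the buffer, else 0. */
int secret_is_wiped(void)
{
    for (size_t i = 0; i < SECRET_LEN; i++)
        if (secret[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    int rc = secret_init(SAMPLE_KEY, SECRET_LEN);
    printf("secret stored, page %s\n", rc == 1 ? "locked" : "NOT locked");
    printf("wiped before handler: %d\n", secret_is_wiped());
    wipe_secret(); /* same work atexit() does on a clean exit */
    printf("wiped after handler: %d\n", secret_is_wiped());
    return 0;
}
```

If secret_init() reports 0, raise RLIMIT_MEMLOCK (ulimit -l) or the process is running with the key swappable; treating that as a hard failure is the safer choice in production code.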

Zack Brown

Malicious Python Libraries Discovered on PyPI, Offensive Security Launches the Kali NetHunter App Store, IBM Livestreaming a Panel with Original Apollo 11 Technicians Today, Azul Systems Announces OpenJSSE and Krita 4.2.3 Released

1 day 12 hours ago

News briefs for July 17, 2019.

Malicious Python libraries have been found on the official Python Package Index (PyPI) that contain a hidden backdoor that activates when installed on Linux systems. According to ZDNet, the three packages are named libpeshnx, libpesh and libari, and they "were authored by the same user (named ruri12) and had been available for download from PyPI for almost 20 months, since November 2017, before the packages were discovered earlier this month by security researchers from ReversingLabs. The PyPI team removed the packages on July 9, the same day ReversingLabs notified the PyPI repo maintainers about their findings." In addition, "None of the three packages ever listed a description, so it's impossible to tell what was their purpose. However, PyPI stats showed that the packages were being regularly downloaded, with tens of monthly installations for each."

Offensive Security, the creators of open-source Kali Linux, has launched the Kali NetHunter App Store, "a new one stop shop for security relevant Android applications. Designed as an alternative to the Google Play store for Android devices, the NetHunter store is an installable catalogue of Android apps for pentesting and forensics". The press release also notes that the NetHunter store is a slightly modified version of F-Droid: "While F-Droid installs its clients with telemetry disabled and asks for consent before submitting crash reports, the NetHunter store goes a step further by removing the entire code to ensure that privacy cannot be accidentally compromised". See the Kali.org blog post for more details.

IBM is reuniting original Apollo 11 mission technicians today for a live panel discussion celebrating the 50th anniversary of the Apollo 11 moon landing. The panel will be available via livestream starting at 2:30pm EDT. From the press release: "Moderated by Dr. John E. Kelly, IBM Executive Vice President, from the Johnson Space Center in Houston, Texas, the panel will reunite veterans of the Apollo 11 mission to share behind-the-scenes details of what it was like to be right in the middle of the action in the lead-up to and during this historic moment in time. The panelists will also look ahead to how the future of artificial intelligence, quantum computing, and other technologies could help us reach new frontiers." The livestream will be available here.

Azul Systems announces it has created OpenJSSE, an open-source implementation of TLS 1.3 for Java SE 8, which is now included in the latest releases of its Zulu Community and Zulu Enterprise products. You can find source code, example use cases and documentation on GitHub.

Krita 4.2.3 was released this morning. This release is mainly a bug fix release, but it does include one new feature: "it is now possible to rotate the canvas with a two-finger touch gesture. This feature was implemented by Sharaf Zaman for his 2019 Google Summer of Code work of porting Krita to Android. The feature also works on other platforms, of course."

Jill Franklin

When Choosing Your Commercial Linux, Choose Wisely!

1 day 14 hours ago
by Vince Calandra

“Linux is Linux is Linux,” is a direct quote I heard in a meeting I had recently with a major multi-national, critical-infrastructure company. Surprisingly and correctly, there was one intelligent and brave engineering executive who replied to this statement, made by one of his team members, with a resounding, “That’s not true.” Let’s be clear: selecting a commercial Linux is not like selecting corn flakes. This is especially true when you are targeting embedded systems. You must consider key questions about the supplier of the distribution, the criticality of the target application, security and life-cycle support for your product.

Choose Wisely

There is a wonderful scene in the movie Indiana Jones and the Last Crusade when our hero, Indiana, must select the true Holy Grail. Set before him is a multitude of cups ranging from opulent, bejeweled chalices to simple clay drinking cups. If you have seen the movie, you know Indiana reasons out the best choice, and it is a life-or-death selection. The knight who has been guarding the chalices for centuries famously says, “You chose… wisely.” Why bring up this iconic scene? When you are selecting a commercial Linux distribution, you have a multitude of choices, all bejeweled with wonderful marketing. The bottom line is that you want to save the dollars you would otherwise have spent on a DIY-Linux approach and ensure the commercial Linux you select fits your particular application. Here are some questions that you will need to keep in mind:

  • Is this for an IT application?

  • Is this for an OT (Operational Technology) application?

  • How long will this system be in the field?

  • What processes and procedures are used by my supplier to cover security vulnerabilities?

  • Can my supplier integrate in other Linux packages that support functionality I need going forward?

This is the short list. Other elements to keep in mind are the specific distribution’s origin and the Open Source community upon which it is based. How important is that specific Linux supplier with regard to the Open Source community upon which the distribution is based? These elements need to be part of the thought process.

I’ll Let My Silicon Choose

Vince Calandra

IBM Announces Three New Open Source Projects for Developing Apps for Kubernetes and the Data Asset eXchange (DAX), the Linux Foundation Is Having a Sysadmin Day Sale, London Launches Open-Source Homebuilding App and Clonezilla Live 2.6.2-15 Released

2 days 12 hours ago

News briefs for July 16, 2019.

IBM this morning announced three new open-source projects that "make it faster and easier for you to develop and deploy applications for Kubernetes". Kabanero "integrates the runtimes and frameworks that you already know and use (Node.js, Java, Swift) with a Kubernetes-native DevOps toolchain". Appsody "gives you pre-configured stacks and templates for a growing set of popular open source runtimes and frameworks, providing a foundation on which to build applications for Kubernetes and Knative deployments". And Codewind "provides extensions to popular integrated development environments (IDEs) like VS Code, Eclipse, and Eclipse Che (with more planned), so you can use the workflow and IDE you already know to build applications in containers."

IBM also today announced the Data Asset eXchange (DAX), which is "an online hub for developers and data scientists to find carefully curated free and open datasets under open data licenses". The press release notes that whenever possible, "datasets posted on DAX will use the Linux Foundation's Community Data License Agreement (CDLA) open data licensing framework to enable data sharing and collaboration. Furthermore, DAX provides unique access to various IBM and IBM Research datasets. IBM plans to publish new datasets on the Data Asset eXchange regularly. The datasets on DAX will integrate with IBM Cloud and AI services as appropriate."

In honor of Sysadmin Day, the Linux Foundation is offering all IT certification and prep course bundles for $325 each, along with a bonus course valued at $299 and a free Linux Foundation ball cap. The sale runs today until July 26th.

The city of London has launched an open-source app for homebuilding. Arch News reports that "The freely-available app, titled PRISM, is aimed at the design and construction of high-quality, factory-built homes to address the current demand of 50,000+ houses per year."

Clonezilla live (2.6.2-15) was released recently. This release includes major enhancements and bug fixes. The Linux kernel was updated to 4.19.37-5, the underlying OS is based on the Debian Sid repository (as of 2019/Jul/07), the mechanism for updating the UEFI NVRAM boot entry was improved, and much more. The Clonezilla live 2.6.2-15 download link is here.

Jill Franklin

Arduino from the Command Line: Break Free from the GUI with Git and Vim!

2 days 14 hours ago
by Matthew Hoskins

Love Arduino but hate the GUI? Try arduino-cli.

In this article, I explore a new tool released by the Arduino team that can free you from the existing Java-based Arduino graphical user interface. This allows developers to use their preferred tools and workflow. And perhaps more important, it'll enable easier and deeper innovation into the Arduino toolchain itself.

The Good-Old Days

When I started building hobby electronics projects with microprocessors in the 1990s, the process entailed a discrete processor, RAM, ROM and masses of glue logic chips connected together using a point-to-point or "wire wrapping" technique. (Look it up kids!) Programs were stored on glass-windowed EPROM chips that needed to be erased under UV light. All the tools were expensive and difficult to use, and development cycles were very slow. Figures 1–3 show some examples of my mid-1990s microprocessor projects with discrete CPU, RAM and ROM. Note: no Flash, no I/O, no DACs, no ADCs, no timers—all that means more chips!

Figure 1. Example Mid-1990s Microprocessor

Figure 2. Example Mid-1990s Microprocessor

Figure 3. Example Mid-1990s Microprocessor

It all changed in 2003 with Arduino.

The word "Arduino" often invokes a wide range of opinions and sometimes emotion. For many, it represents a very low bar to entry into the world of microcontrollers. This world before 2003 often required costly, obscure and closed-source development tools. Arduino has been a great equalizer, blowing the doors off the walled garden. Arduino now represents a huge ecosystem of hardware that speaks a (mostly) common language and eases transition from one hardware platform to another. Today, if you are a company that sells microcontrollers, it's in your best interest to get your dev boards working with Arduino. It offers a low-friction path to getting your products into lots of hands quickly.

It's also important to note that Arduino's simplicity does not inhibit digging deep into the microcontroller. Nothing stops you from directly twiddling registers and using advanced features. It does, however, decrease your portability between boards.

Matthew Hoskins

Q4OS 3.8 Stable Released, Kernel 5.2.1 Is Out, Cloudera Announces New Open-Source Licensing Model, Microsoft's Quantum Development Kit Now Available as an Open-Source Project on GitHub and Alan Turing to Be Featured on New Note in the UK

3 days 12 hours ago

News briefs for July 15, 2019.

Q4OS 3.8 stable was released today. This is a long-term support (LTS) release based on Debian Buster 10 with Plasma 5.14 and optionally Trinity 14.0.6 for desktop environments. Its primary aim is stability, and it's code-named Centaurus. It's available for 64bit and 32bit/i686pae computers, and also for older i386 systems without PAE extension. Support for ARM devices is in the works. Go here to download.

Linux kernel 5.2.1 was released yesterday. Greg Kroah-Hartman writes, "All users of the 5.2 kernel series must upgrade. The updated 5.2.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.2.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary."

Cloudera recently announced a new open-source licensing model. The company's Vision blog post states that the new strategy "aligns the licensing models previously used by each of Hortonworks and Cloudera and also introduces some new changes. We take our open source leadership role seriously, and recognize that our need to align our own licenses is also an opportunity to lead and to renew our commitment to open source software." Moving forward, all of the company's open-source licenses "will adhere to one of two OSI approved licenses: the Apache License, Version 2, or the GNU Affero General Public License, Version 3 ('AGPL')". The post also notes Cloudera's open-source goals: "freedom from vendor lock-in", "community standards, not Cloudera standards" and "open ecosystem". See the Cloudera Licensing Policy FAQ for more details.

Microsoft's Quantum Development Kit is now available as an open source project on GitHub. According to Windows Central, "The QDK, which launched in preview last year, gives developers access to the Q# programming language, quantum simulators, and the libraries needed to start experimenting with quantum computing before it goes mainstream." See also the Microsoft Quantum blog for more information.

The Bank of England has announced that Alan Turing will be on the new £50 note in the UK. Gizmodo quotes Bank of England Governor Mark Carney: "Why Turing? Turing was an outstanding mathematician whose works had an enormous impact on how we live today. As the father of computer science and artificial intelligence, Alan Turing's contributions were far-ranging and path-breaking. His genius lay in a unique ability to link the philosophical and the abstract with the practical and the concrete. And all around us his legacy continues to build. Turing is a giant on whose shoulders so many now stand."

Jill Franklin

An AI Wizard of Words

3 days 15 hours ago
by Marcel Gagné

A look at using OpenAI's Generative Pretrained Transformer 2 (GPT-2) to generate text.

It's probably fair to say that there's more than one person out there who is worried about some version of artificial intelligence, or AI, possibly in a robot body of some kind, taking people's jobs. Anything that is repetitive or easily described is considered fair game for a robot, so driving a car or working in a factory is fair game.

Until recently, we could tell ourselves that people like yours truly—the writers and those who create things using some form of creativity—were more or less immune to the march of the machines. Then came GPT-2, which stands for Generative Pretrained Transformer 2. I think you'll agree, that isn't the sexiest name imaginable for a civilization-ending text bot. And since it's version 2, I imagine that like Star Trek's M-5 computer, perhaps GPT-1 wasn't entirely successful. That would be the original series episode titled, "The Ultimate Computer", if you want to check it out.

So what does the name "GPT-2" stand for? Well, "generative" means pretty much what it sounds like. The program generates text based on a predictive model, much like your phone suggests the next word as you type. The "pretrained" part is also quite obvious in that the model released by OpenAI has been built and fine-tuned for a specific purpose. The last word, "Transformer", refers to the "transformer architecture", which is a neural network design architecture suited for understanding language. If you want to dig deeper into that last one, I've included a link from a Google AI blog that compares it to other machine learning architecture (see Resources).

On February 14, 2019, Valentine's Day, OpenAI released GPT-2 with a warning:

Our model, called GPT-2 (a successor to GPT), was trained simply to predict the next word in 40GB of Internet text. Due to our concerns about malicious applications of the technology, we are not releasing the trained model. As an experiment in responsible disclosure, we are instead releasing a much smaller model for researchers to experiment with, as well as a technical paper.

I've included a link to the blog in the Resources section at the end of this article. It's worth reading partly because it demonstrates a sample of what this software is capable of using the full model (see Figure 1 for a sample). We already have a problem with human-generated fake news; imagine a tireless machine capable of churning out vast quantities of news and posting it all over the internet, and you start to get a feel for the dangers. For that reason, OpenAI released a much smaller model to demonstrate its capabilities and to engage researchers and developers.

Marcel Gagné

Google Announces Docsy; KDE Releases Applications 19.04.3, Plasma 5.16.3 and Kdenlive 19.04.3; Alpine Linux 3.10.1 Is Now Available; and Valve Launches Steam Labs

6 days 12 hours ago

News briefs for July 12, 2019.

Google yesterday announced Docsy, a website theme for technical documentation. From the Google blog post: "Docsy builds on existing open source tools, like Hugo, and our experience with open source docs, providing a fast and easy way to stand up an OSS documentation website with features specifically designed to support technical documentation. Special features include everything from site navigation to multi-language support—with easy site deployment options provided by Hugo. We also created guidance on how to add additional pages, structure your documentation, and accept community contributions, all with the goal of letting you focus on creating great content."

Several KDE releases came this week. KDE Applications 19.04.3 was released yesterday. This release contains more than 60 bugfixes and translation updates. See the full changelog for details.

KDE Plasma 5.16.3 also was released. This update comes just two weeks after the 5.16 release and contains several bugfixes and new translations. See the full Changelog for specifics.

And, Kdenlive 19.04.3 was released today. This release contains a ton of fixes, including "fixing compositing and speed effect regressions, thumbnail display issues of clips in the timeline and many Windows fixes." You can get the AppImage from the download page.

Alpine Linux 3.10.1 has been released. See the git log for the full list of changes in this version of the security-oriented lightweight distro.

Valve has launched Steam Labs, which gives users a peek at new experiments in development. According to TechCrunch, "Valve is quick to point out that all of these experiments are just that—there's no promising that any of the stuff that hits the Labs will make it all the way to the official client. They also say that even 'Steam Labs is itself an experiment', which will probably change and evolve a bunch over time." The first three experiments on Steam Labs are Micro Trailers, Interactive Recommender and Automatic Show.

Jill Franklin

GIS on Linux with SAGA

6 days 14 hours ago
by Joey Bernard

In this article, I want to look at a GIS option available for Linux—specifically, a program called SAGA (System for Automated Geoscientific Analyses). SAGA was developed at the Department of Physical Geography in Germany. It is built with a plugin module architecture, where various functions are provided by individual modules. A very complete API is available to allow users to extend SAGA's functionality with newly written modules. I take a very cursory look at SAGA here and describe a few things you might want to do with it.

Installing SAGA should be as easy as looking at the software repository for your favourite distribution. For Debian-based distros, you can install it with the command:

sudo apt-get install saga

When you first start it, you get a blank workspace where you can begin your project.

Figure 1. SAGA starts up with a central project window, several tool panes on the left and console messages at the bottom.

Two major categories of data sets are available that you can use within your projects: satellite imagery and terrain data. The tutorial website provides detailed walk-throughs that show how you can get access to these types of data sets for use in your own projects. The tutorial website also has sections on some of the processing tools available for doing more detailed analysis.

SAGA understands several data file formats. The typical ones used in GIS, like SHP files or point clouds, are the default options in the file selector window. You can work with these types of data, or satellite imagery or terrain data.

Let's start by looking at terrain analysis in SAGA. You'll need digital elevation model (DEM) data, which is available from the SRTM Tile Grabber site. You get a zip file for each region you select, and each zip file contains GeoTIFF files for that region.

Load the geotiff file by clicking File→Open. By default, it will show only the common project file formats. To locate your downloaded geotiff files, you'll need to change the filter at the bottom of the file selector window to be all files. Once it is loaded, it will show up in the list of data sources in the bottom-left window pane.

Figure 2. You can load data sources, such as geotiffs, into your project.

Joey Bernard

EFF Celebrating 29th Birthday with $20 Membership, Linode Launches New GPU-Optimized Cloud Computing Instances, Syncthing 1.2.0 Released, Kali Linux Now Available for RPi 4 and GNOME Devs to Disable Snap Plugin for GNOME Software

1 week ago

News briefs for July 11, 2019.

The Electronic Frontier Foundation is celebrating its 29th birthday "by building a future where tech respects and empowers users". From now until July 24, 2019, the EFF is offering a $20 membership, which includes a set of limited-edition enamel pins. (Note also that the EFF is a US 501(c)(3) nonprofit, so contributions are tax-deductible as allowed by law.)

Linode yesterday launched new GPU-optimized cloud computing instances, specifically for developers and businesses that need massive parallel computational power. From the press release: "The new instances are built on NVIDIA Quadro RTX 6000 GPU cards with all three major types of processing cores (CUDA, Tensor, and Real-Time Ray Tracing) available to users. Linode is one of the first cloud providers to deploy NVIDIA's latest GPU architecture." For more information, see linode.com.

Syncthing 1.2.0 was released recently. Linux Uprising reports that this version of the open-source peer-to-peer synchronization tool "adds QUIC with NAT traversal as a new transport protocol, fixes some bugs and enables automatic error reporting." The article notes Syncthing's emphasis on privacy: "None of your data is ever stored anywhere else other than your own computers (no central server); all communication is secured using TLS and authenticated using a strong cryptographic certificate. Basically, it can replace Dropbox and other similar services with something decentralized, where your data is your data alone." Go here to download.

Kali Linux for Raspberry Pi 4 was released recently, "complete with on-board wifi monitor mode & frame injection support!" You can download it from the Kali Linux ARM Images page. Currently there is support only for 32-bit, but 64-bit is coming soon.

GNOME developers plan to disable the Snap plugin for GNOME Software, as Canonical has started creating its own Snap Store and won't be using GNOME Software in Ubuntu 20.04 LTS. According to Phoronix, "Canonical's in-development Snap Store will obviously be focused just on their own Snap effort and not supporting the likes of Flatpak. Due to the likelihood that the GNOME Software Snap plug-in will quickly suffer from bit-rot and pose a maintenance burden to GNOME developers with little to no return, it's certainly reasonable that they would at least disable this plug-in."

Jill Franklin

Linux IoT Development: Adjusting from a Binary OS to the Yocto Project Workflow

1 week ago
by Mirza Krak

Introducing the Yocto Project and the benefits of using it in embedded Linux development.

In embedded Linux development, there are two approaches when it comes to what operating system to run on your device. You either build your own distribution (with tools such as Yocto/OpenEmbedded-Core, Buildroot and so on), or you use a binary distribution where Debian and derivatives are common.

It's common to start out with a binary distribution. This is a natural approach, because it's a familiar environment for most people who have used Linux on a PC. All the commodities are in place, and someone else has created the distribution image for you to download. There normally are custom vendor images for specific hardware that contain optimizations, making it easy to get started and to use your hardware fully.

Any package imaginable is an apt install command away. This, of course, makes it suitable for prototyping and evaluation, giving you a head start in developing your application and your product. In some cases, you even might ship pre-series devices using this setup to evaluate your idea and product further. This is referred to as the "golden image" approach and involves the following steps:

  1. Flash the downloaded Debian image to an SD card.
  2. Boot the SD card, log in and make any modifications needed (for example, installing custom applications). Once all the modifications are complete, this becomes your golden image.
  3. Duplicate the SD card into an image on your workstation (for example, using dd).
  4. Flash the "golden image" to a fleet of devices.

And every time you need to make a change, you just repeat steps 2–4, with one change—that is, you boot the already saved "golden image" in step 2 instead of the "vanilla" image.
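As an added example (not from the article, and not Yocto Project code), the script below carries out steps 3 and 4 with a recorded SHA-256, so the image flashed to the fleet is verifiably the one captured from the golden card, and the write is checked after flashing. File paths stand in for the real /dev/sdX devices, the 1 MiB "card" is constructed for the demonstration, and the script assumes a GNU/Linux userland (dd, sha256sum, mktemp, cmp). The function names are mine.

```shell
#!/bin/sh
# Golden-image capture and flash with integrity checks (added example).
set -eu

WORK=$(mktemp -d)
SDCARD="$WORK/golden-card.img"   # stand-in for the booted, modified SD card
# Constructed 1 MiB "card" with a config marker at offset 64 KiB.
dd if=/dev/zero of="$SDCARD" bs=4096 count=256 2>/dev/null
printf 'myapp.conf: fleet=prod\n' | dd of="$SDCARD" bs=1 seek=65536 conv=notrunc 2>/dev/null

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Step 3: duplicate the card into an image file and record its hash.
# Prints the hash so callers can log it alongside the image.
capture_golden() {   # capture_golden <card-device> <golden.img>
    dd if="$1" of="$2" bs=4096 2>/dev/null
    sync
    sha256_of "$2" > "$2.sha256"
    cat "$2.sha256"
}

# Step 4: flash the golden image to a device. Refuse if the image no longer
# matches the hash recorded at capture time (corruption, or someone swapped
# the file), and verify the device contents after the write.
flash_golden() {     # flash_golden <golden.img> <target-device>
    expected=$(cat "$1.sha256")
    if [ "$(sha256_of "$1")" != "$expected" ]; then
        echo "refusing to flash $1: hash does not match $1.sha256" >&2
        return 1
    fi
    dd if="$1" of="$2" bs=4096 2>/dev/null
    sync
    if [ "$(sha256_of "$2")" != "$expected" ]; then
        echo "write verification failed on $2" >&2
        return 1
    fi
    echo "flashed $2 ok ($expected)"
}

# Stand-alone run: capture, flash one "device", then show a tampered image being refused.
GOLDEN="$WORK/golden.img"
capture_golden "$SDCARD" "$GOLDEN"
flash_golden "$GOLDEN" "$WORK/device1.img"
printf 'x' | dd of="$GOLDEN" bs=1 seek=65536 conv=notrunc 2>/dev/null   # simulate corruption
flash_golden "$GOLDEN" "$WORK/device2.img" || echo "tampered image correctly rejected"
```

Against real hardware, replace the file paths with the block device, keep the .sha256 file next to the image under version control or a signed artifact store, and note that this only checks the image you captured is what you flash; it says nothing about what was changed by hand in step 2, which is the reproducibility problem the rest of the article addresses.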

At a certain point, the approach of downloading a pre-built distribution image and applying changes to it manually will become a problem, as it does not scale well and is error-prone due to the amount of manual labor that can lead to inconsistent output. The optimization would be to find ways to automate this, generating distribution images that contain your applications and your configuration in a reproducible way.

This is a crossroad where you decide either to stick with a binary distribution or move your idea and the result of the evaluation and prototyping phase to a tool that's able to generate custom distributions and images in a reproducible and automated way.

Mirza Krak

Samba 4.11.0rc1 Released, Firefox 68.0esr Now Available, SPI Board Elections, Microsoft Admitted to linux-distro List and SoftMaker FreeOffice Now Includes Anniversary Update

1 week 1 day ago

News briefs for July 10, 2019.

Samba 4.11.0rc1 was released yesterday. Note that this release is for testing purposes only and not intended for production. New features include default samba process model, authentication logging, LDAP referrals, Bind9 logging, samba-tool improvements and much more. See the full Release Notes for more information, and go here to download the source code.

Mozilla released the latest Firefox update for iOS and Desktop. Highlights of Firefox 68.0esr include blackout shades for Firefox Reader View, Firefox Recommended Extensions (a curated "list of recommended extensions that have been thoroughly reviewed for security, usability and usefulness"), more customization for IT Pros and more. See the Release Notes for more details.

SPI board elections coming soon. The announcement notes there are three seats available for the Software in the Public Interest board, each for a three-year term: President and two General board member seats. Nominations are open now and end July 15th, 2019. Voting begins July 17th and ends July 30th, and the results will be announced on July 31st. From the announcement: "The ideal candidate will have an existing involvement in the Free and Open Source community, though this need not be with a project affiliated with SPI."

Microsoft has been admitted to the closed linux-distro list. ZDNet reports that "Microsoft wanted in because, while Windows sure isn't Linux, the company is, in fact, a Linux distributor. Sasha Levin, a Microsoft Linux kernel developer, pointed out Microsoft has several distro-like builds -- which are not derivative of an existing distribution—that are based on open-source components." The ZDNet article also noted that open-source security expert David A. Wheeler supported the decision as "the purpose of the list is to enable 'everyone to coordinate so that users get fixes.' That includes Linux users on Windows and Azure. So, he supported Microsoft being allowed into the private list."

SoftMaker FreeOffice now includes the Anniversary update. This new version has many new features for the TextMaker word processor and spreadsheets, and improved user-friendliness. See the press release for details on the office suite's update, and go here to download.

Jill Franklin

Address Space Isolation and the Linux Kernel

1 week 1 day ago
by Zack Brown

Mike Rapoport from IBM launched a bid to implement address space isolation in the Linux kernel. Address space isolation emanates from the idea of virtual memory—where the system maps all its hardware devices' memory addresses into a clean virtual space so that they all appear to be one smooth range of available RAM. A system that implements virtual memory also can create isolated address spaces that are available only to part of the system or to certain processes.

The idea, as Mike expressed it, is that if hostile users find themselves in an isolated address space, even if they find bugs in the kernel that might be exploited to gain control of the system, the system they would gain control over would be just that tiny area of RAM to which they had access. So they might be able to mess up their own local user, but not any other users on the system, nor would they be able to gain access to root level infrastructure.

In fact, Mike posted patches to implement an element of this idea, called System Call Isolation (SCI). This would cause system calls to each run in their own isolated address space. So if, somehow, an attacker were able to modify the return values stored in the stack, there would be no useful location to which to return.

His approach was relatively straightforward. The kernel already maintains a "symbol table" with the addresses of all its functions. Mike's patches would make sure that any return addresses that popped off the stack corresponded to entries in the symbol table. And since "attacks are all about jumping to gadget code which is effectively in the middle of real functions, the jumps they induce are to code that doesn't have an external symbol, so it should mostly detect when they happen."

The problem, he acknowledged, was that implementing this would have a speed hit. He saw no way to perform and enforce these checks without slowing down the kernel. For that reason, Mike said, "it should only be activated for processes or containers we know should be untrusted."

There was not much enthusiasm for this patch. As Jiri Kosina pointed out, Mike's code was incompatible with other security projects like retpolines, which try to prevent certain types of data leaks from falling into an attacker's hands.

There was no real discussion and no interest was expressed in the patch. The combination of the speed hit, the conflict with existing security projects, and the fact that it tried to secure against only hypothetical security holes and not actual flaws in the system, probably combined to make this patch set less interesting to kernel developers.

Zack Brown

IBM Closes Red Hat Acquisition, Kaidan 0.4.0 Released, Android Apps Can Track You Even If You Deny Permission, Debian Edu 10 "Buster" Now Available and MIT Researchers Create New AI Programming Language

1 week 2 days ago

News briefs for July 9, 2019.

IBM closes its acquisition of Red Hat for $34 billion. From the press release: "The acquisition redefines the cloud market for business. Red Hat's open hybrid cloud technologies are now paired with the unmatched scale and depth of IBM's innovation and industry expertise, and sales leadership in more than 175 countries. Together, IBM and Red Hat will accelerate innovation by offering a next-generation hybrid multicloud platform. Based on open source technologies, such as Linux and Kubernetes, the platform will allow businesses to securely deploy, run and manage data and applications on-premises and on private and multiple public clouds." In addition, the release notes that IBM will preserve Red Hat's independence and neutrality, and also that "Red Hat's unwavering commitment to open source remains unchanged".

Kaidan 0.4.0 has been released. This version of the "user-friendly Jabber/XMPP client" comes after a year and a half of development and now includes "multiplatform-support for all common operating systems like Linux, Windows, Android and macOS". See the ChangeLog for all the details.

Android apps can track your phone even if you deny permissions. According to The Verge, "researchers say that thousands of apps have found ways to cheat Android's permissions system, phoning home your device's unique identifier and enough data to potentially reveal your location as well." The article notes that even if you deny permission to one app, "a second app with permissions you have approved can share those bits with the other one or leave them in shared storage where another app—potentially even a malicious one—can read it. The two apps might not seem related, but researchers say that because they're built using the same software development kits (SDK), they can access that data, and there's evidence that the SDK owners are receiving it. It's like a kid asking for dessert who gets told 'no' by one parent, so they ask the other parent."

Debian has released Debian Edu (also known as Skolelinux) 10 "Buster". This distro is "based on Debian providing an out-of-the box environment of a completely configured school network". The Debian Edu developer team is asking users to test and report any issues back to debian-edu@lists.debian.org, so they can continue to improve it. See the Debian Edu Wiki page for a list of all the new features and updates.

MIT researchers used Julia to create Gen, "a new probabilistic programming system with programmable inference". From MIT News: "Users write models and algorithms from multiple fields where AI techniques are applied—such as computer vision, robotics, and statistics—without having to deal with equations or manually write high-performance code. Gen also lets expert researchers write sophisticated models and inference algorithms—used for prediction tasks—that were previously infeasible." The article also notes that "Due to its simplicity—and, in some use cases, automation—the researchers say Gen can be used easily by anyone, from novices to experts."

Jill Franklin

What Really IRCs Me: Mastodon

1 week 2 days ago
by Kyle Rankin

Learn how to use the Mastodon social network platform from the comfort of your regular IRC client.

When it comes to sending text between people, I've found IRC (in particular, a text-based IRC client) works best. I've been using it to chat for decades while other chat protocols and clients come and go. When my friends have picked other chat clients through the years, I've used the amazing IRC gateway Bitlbee to connect with them on their chat client using the same IRC interface I've always used. Bitlbee provides an IRC gateway to many different chat protocols, so you can connect to Bitlbee using your IRC client, and it will handle any translation necessary to connect you to the remote chat clients it supports. I've written about Bitlbee a number of times in the past, and I've used it to connect to other instant messengers, Twitter and Slack. In this article, I describe how I use it to connect to yet another service on the internet: Mastodon.

Like Twitter, Mastodon is a social network platform, but unlike Twitter, Mastodon runs on free software and is decentralized, much like IRC or email. Being decentralized means it works similarly to email: you can create your own instance or create an account on any number of existing Mastodon networks and then follow people either on the same Mastodon network or on any other instance, as long as you know the person's user name (which behaves much like an email address).

I've found Bitlbee to be a great interface for keeping track of social media on Twitter, because I treat reading Twitter like I was the operator for a specific IRC room. The people I follow are like those I've invited and given voice to, and I can read what they say chronologically in my IRC room. Since I keep my IRC instance running at all times, I can reconnect to it and catch up with the backlog whenever I want. Since I'm reading Twitter over a purely text-based IRC client, this does mean that instead of animated gifs, I just see URLs that point to the image, but honestly, I consider that a feature!

Since Mastodon behaves in many ways like Twitter, using it with Bitlbee works just as well. Like with Twitter over Bitlbee, it does mean you'll need to learn some extra commands so that you can perform Mastodon-specific functions, like boosting a post (Mastodon's version of retweet) or replying to a post so that your comment goes into the proper thread. I'll cover those commands in a bit.

Installing the Mastodon Bitlbee Plugin

The first step is to install the Mastodon Bitlbee Plugin. This plugin is already packaged for Debian and other distributions—look for the bitlbee-mastodon package. In that case, you can just install it with your package manager. Otherwise, you'll need to clone the source code from the plugin's git repo and build it from source:

Kyle Rankin

Kernel 5.2 Is Out, Tutanota Launches a Fully Encrypted Calendar, ISPA UK Announces Internet Hero and Villain Nominations, Tesla to Start Providing a Free Self-Driving Chip, and System76's Thelio Desktop Now Available with Third-Gen AMD Ryzen Processors

1 week 3 days ago

News briefs for July 8, 2019.

Kernel 5.2 has been released. Linus Torvalds writes, "...there really doesn't seem to be any reason for another rc, since it's been very quiet. Yes, I had a few pull requests since rc7, but they were all small, and I had many more that are for the upcoming merge window. Part of it may be due to the July 4th week, of course, but whatever - I'll take the quiet week as a good sign."

Tutanota has just launched a fully encrypted free calendar. Matthias Pfau, co-founder and developer of Tutanota, says this of the new calendar: "With our encryption expertise, we have not only made sure that all data people enter is encrypted, we are also encrypting the notifications for upcoming events. In contrast to other calendar services (e.g. Google), we do not know when, where, and with whom people have an appointment. Basically, we as the provider remain completely blind to people's daily habits." See the Tutanota Blog for more information.

The Internet Services Providers' Association (ISPA) UK has announced this year's nominations for Internet Hero and Villain. In the running for ISPA Internet Hero are Sir Tim Berners-Lee; Andrew Ferguson OBE, Editor Thinkbroadband; and Oscar Tapp-Scotting and Paul Blaker, Global Internet Governance Team, DCMS. Nominated for villain are Mozilla; Article 13 Copyright Directive; and Donald Trump. The winners will be chosen by the ISPA Council and announced on July 11, 2019. See ispa.org for the reasons behind the nominations.

Elon Musk says Tesla will "most likely" start providing a free self-driving chip upgrade to those with older Teslas later this year. The Verge reports that "The new FSD chip is the first to have been designed in-house. Tesla says it offers 21 times the performance of the Nvidia chips it replaces—a claim Nvidia disputes. The new chip has been shipping in Model S, X, and 3 cars since before its announcement, but soon it will be offered as a free upgrade to half a million Tesla owners." In addition, The Verge article notes that Musk claims the new chip "has enough power to eventually allow for fully self-driving cars, if and when the software catches up."

System76's Thelio desktop now available with third generation AMD Ryzen processors. According to BetaNews, "The base model, which is priced at $999, still comes with a 2nd gen Ryzen 5 2400G (quad-core). This is still a very capable chip, but not the latest and greatest. For only about $200 more, however, you can opt for a super-new 3rd gen Ryzen 5 3600X (hexa-core). For even more money, you can also choose a Ryzen 7 3800X (octa-core) or the insanely powerful 12-core Ryzen 9 3900X. That 3900X is notable for rivaling Intel's much pricier Core i9 chips." Go here to design and buy your own.

Jill Franklin

Contributor Agreements Considered Harmful

1 week 3 days ago
by Eric S. Raymond

Why attempts to protect your project with legal voodoo are likely to backfire on you.

I have a little list (they never will be missed) of stupid things that open-source projects should stop doing. High on this list are CLAs (Contributor License Agreements) and their cousin the mandatory CA (Copyright Assignment).

In this article, I explain why CLAs and CAs are bad ideas and what we ought to be doing instead. In obedience to custom, at this point I issue the ritual disclaimer "I am not a lawyer", but one does not have to be a lawyer to understand the law and game out the ways CLAs and CAs fail to achieve their intended purpose. And, I have researched these failure modes with both lawyers and executives that have literally billions of dollars at stake around IP violations.

I've made a distinction between CAs and CLAs; we can make a further one between ICLAs (Individual Contributor License Agreements) and CCLAs (Corporate Contributor License Agreements). While all are about equally useless, they have slightly differing failure modes.

First, let's consider the ICLA. Some projects require that you sign one before being allowed to submit changes to their repository. Typically, it requires you to assert that (a) you affirmatively choose to license your contributions to the project, and (b) you have the right to do that.

Here's the problem. If you are employed, you almost certainly cannot make claim (b), and the project you are probably trying to help is only setting itself up for trouble if it behaves as though you can. The problem is that most employment contracts define any software you write on working hours or even off hours in connection with your job as "work for hire", and you don't own the rights to work for hire—your employer does.

CAs, such as those the Free Software Foundation requires, have exactly the same problem. You don't own the copyright on a work for hire either. Therefore, you can't assign it. I'll get to the case of individual developers not in a work-for-hire situation in a bit.

The CCLA exists as an attempt to address the problems with ICLAs. It's not an agreement that you sign, it's an agreement your employer has to have pre-negotiated with the project to which you want to contribute. You then have to offer the project an identity that it can associate with that CCLA so it knows your contributions are covered.

That at least sounds like it might be useful. Why isn't it? To understand this, we need to do a bit more threat modeling. What is it that open-source projects hope to prevent using CCLAs?

Eric S. Raymond