Updates on Technologies, Trends, and Tools
Linux Pro Online * www.linuxpromagazine.com
Off the Beat * Bruce Byfield
How Reliable is a Wikipedia Citation?
"I don't trust it," someone wrote when Wikipedia and its reliability were discussed on Facebook recently. I was surprised by these old-school sentiments, having imagined that familiarity had years ago blunted contempt, and Wikipedia now had at least a reluctant acceptance.
What Happens if Crowdfunding Free Software Reaches Saturation?
Suddenly, every other free software project seems to be crowdfunding – and those that aren't will probably be trying tomorrow.
Productivity Sauce * Dmitri Popov
Picturo: Simplified Photo Publishing
In many ways, Picturo is similar to many other simple photo publishing web applications. It requires only a web server with PHP and the GD library in order to run, and it's supremely easy to deploy.
dhcp.io: Dynamic DNS Service
DynDNS's recent decision to cancel its free plan sent many users scrambling to find alternatives to this popular dynamic DNS service. Fortunately, there are plenty of options to choose from, including the newly-launched dhcp.io service.
Paw Prints * Jon "maddog" Hall
Standards Bodies and Free Software: We get by with a little help from our friends
I have a friend who needs a little help…he needs access to four of the twelve volumes of the ISO/IEC documents describing ISO SQL and SQL/PSM.
Graphite By Jens-Christoph Brendel
Graphite is a hierarchically structured, real-time graphing system.
Combining Directories on a Single Mountpoint By Jeff Layton
With some simple tuning, SSHFS performance is comparable to NFS almost across the board. To get even more performance from SSHFS, we examine SSHFS-MUX, which allows you to combine directories from multiple servers into a single mountpoint.
Malware Analysis By David J. Dodd
Dig deep to find hidden and covert processes, clandestine communications, and signs of misconduct.
IPv6 Tables By Eric Amberg
Design a basic set of ip6tables rules for an IPv6 firewall.
KVM Security By Tim Schürmann
A common misconception posits that software cannot cause mischief if you lock the system away in a virtual machine, because even if an intruder compromises the web server on the virtual machine, it will only damage the guest. If you believe this, you are in for a heap of hurt.
Drone Brain Goes Open Source
The US Defense Advanced Research Projects Administration (DARPA) and Australia's National Information and Communication Technology Agency (NICTA) have released the code for the ultra-secure embedded microkernel operating system that is used with flying drone devices. The seL4 (Secure L4) system is based on the L4 microkernel. The kernel is available for download at the seL4 system website (http://sel4.systems/).
L4 is a microkernel system used in mobile devices throughout the world. A microkernel design implements a modular architecture, minimizing the size of the kernel itself and maximizing the number of services that are able to run in userspace. The modular design and minimal use of code in kernel space means microkernel systems are (at least theoretically) more stable and more secure. Famous microkernels include Minix (which influenced the early development of Linux) and GNU Hurd. The L3 and L4 systems were originally developed by German computer scientist Jochen Liedtke, who wanted to build a microkernel that was free of the performance issues associated with previous attempts. Researchers at NICTA joined with DARPA and aviation industry experts to develop seL4 from the L4 microkernel.
The seL4 system came from the need to create a microkernel that could be used in aerial drones and would be completely and verifiably free from the possibility of attack. The code for the kernel has undergone formal verification (http://en.wikipedia.org/wiki/Formal_verification), a mathematical proof that the algorithms used in the system will perform as specified and won't be subject to intrusion.
Now that the highly stable and secure seL4 is in open source, other vendors will probably start to consider it for other mission critical embedded systems, such as medical implants and navigation devices.
Heartbleed Bleeds On
The recent Heartbleed scare revealed that millions of servers around the world were vulnerable to an SSL-based attack that could compromise private keys and thus allow an intruder to break into supposedly encrypted and secure Internet services. Heartbleed was widely reported and was considered a wake-up call for software developers, webmasters, and security specialists to get serious about fixing broken software and keeping systems up to date.
But according to a study by Venafi Labs, the Heartbleed cleanup remains unfinished. The study investigated servers for 1,639 companies around the world and found that 99% had checked and patched the actual Heartbleed flaw, but only 3% had made the effort to change their original private key. If any of these servers using the previous private key were subject to a Heartbleed attack prior to the patch, they are still vulnerable.
In an interview with The Register (http://www.theregister.co.uk/2014/07/29/only_3_of_top_firms_fully_patched_against_heartbleed_flaw/), Venafi VP Kevin Bocek explains, "Mopping up after an incident isn't as simple as it used to be … . You can't just stick a patch on it and call it done."
PHP Attack Puts WordPress and Drupal at Risk
The WordPress and Drupal websites are warning of a newly discovered flaw that could make these leading content management systems susceptible to a denial of service attack. The so-called XML Quadratic Blowup Attack, which was discovered by security expert Nir Goldshlager, affects the PHP XML module, which is included with both WordPress and Drupal. The attack distorts the memory limit, consuming all memory and bringing down the system.
According to the blog post (http://www.breaksec.com/?p=6362), this attack can work on a default installation of Drupal or WordPress and requires only one attacking computer to trigger the exploit. The popularity of both CMS systems means that this attack could affect thousands, or even millions, of websites.
Patches have already been released at both the Drupal and WordPress websites. Users are advised to update as soon as possible.
Knoppix 7.4 Released
Klaus Knopper announced the release of the latest Knoppix Live Linux distro. Knoppix 7.4 comes with Linux kernel 3.15.6, LibreOffice 4.3, and a comprehensive collection of useful troubleshooting and system rescue utilities.
Knoppix is the original Live Linux distro, and it is used worldwide as a tool for troubleshooting downed Windows and Linux systems.
The DVD edition comes with a vast array of end-user and network management tools, making Knoppix a fully functional desktop Linux that just happens to run from the DVD. The tool collection is designed for operation in heterogeneous environments. You can access SMB/CIFS volumes easily with the smbmount-knoppix search and mount utility.
Knoppix (http://www.knopper.net/index-en.html) also comes with Wine 1.7 for running Windows programs and supports easy desktop export with VNC and RDP.
Red Hat Launches ARM Partner Program
Red Hat continues to scale up its ARM server operation with the recent announcement of a new partner program for hardware vendors who sell 64-bit ARMv8-A systems that support Red Hat software. The program will target a broad range of vendors in the IT server hardware space, including OEMs, chipmakers, and independent hardware vendors. Several vendors have already announced support for the program, including AMD, American Megatrends, Applied Micro, ARM, Broadcom, Cavium, Dell, HP, and Linaro.
The ARM chip architecture has been around for years, but ARM technology has recently gained traction in the server space for its energy efficiency. Additionally, the ARM licensing model, which allows competing chip vendors to add extensions and modifications around the ARM platform, brings a healthy spirit of innovation to the server space, which has long been dominated by Intel and Intel-like systems.
This innovation also has a downside for a software vendor like Red Hat. Red Hat developers must respond separately to the idiosyncrasies of each system designer. The new ARM Partner Early Access program will encourage cooperation among the ARM vendors to settle on a common standard platform.
According to the press release, partners will receive early-stage pre-release versions of Red Hat development software, documentation, and tools, and Red Hat will have the chance to "… evaluate technical features across various market segments, develop feedback-based targeted use cases, and perform market demand assessments that could influence future product decisions."
Correction: Data Encryption over the Airways
One of our readers sent additional information about data encryption over the airways that corrects a news item in issue 164.
I am writing about an important error in the July issue of Linux Pro Magazine. On page 9, you published the story "Anonymous Transcends the Internet; Takes to the Air" about AirChat, which can encrypt communication over radio waves. You write: "The system requires a ham radio transceiver attached to a Windows, Mac OS, or Linux system running the AirChat software."
The article further states, "The developers believe this technology could one day allow users to communicate for free without the need for Internet access, a phone line, or the mobile phone network, all of which are subject to industry and government control."
All radio transmission, not only in the United States, but everywhere in the world, is under control of the government from which the radio transmission originates. Without such control, there would be chaos on the airwaves. Every type of transmission, whether it be radio or TV broadcasting, vehicle dispatching, aircraft control, police and fire department operations, and amateur radio is under the control of the relevant government authority, which in the United States is the Federal Communications Commission (FCC).
I am a radio amateur operator, a "ham," and I can assure you that amateurs are not permitted to send any kind of encrypted messages over the amateur bands. Although there has been some discussion about this, the Code of Federal Regulations (the controlling document for all kinds of radio transmission in the United States), part 97, the section devoted to amateur radio, prohibits "messages encoded for the purpose of obscuring their meaning, except as otherwise provided herein" (§97.113.a.4). This does not prohibit encoding that is available to anyone with the proper resources to understand – radio-teletype, for instance, or a modern digital scheme called D-Star. However, any encryption that would not be available to anyone with such equipment is clearly forbidden.
Discussion has taken place regarding very limited encryption that could be used to ensure identity, but at present, such is not permitted. The identity of the persons using an amateur radio link not only may not be disguised, but is required to be transmitted in the clear at least once every 10 minutes. Under no circumstances would any sort of encryption designed to anonymize the participants be permitted.
Doug McGarrett, WA2SAY
Code of Federal Regulations part 97: http://www.arrl.org/part-97-amateur-radio
Secret Windows Attack Exists Only in the Registry
Security experts have uncovered a new form of Windows malware that doesn't require any files to be copied to or stored on the target system and exists purely within the Windows Registry. Malware hunter Paul Rascagnères describes the attack in a recent blog post.
Most anti-malware engines operate by scanning files, so an attack that doesn't leave a signature anywhere on the filesystem has the potential to avoid detection using standard techniques. The attack enters the system through a link to a malicious Microsoft Word document sent via email. This original entry point exploit is described in CVE-2012-0158 and is known to circulate with a bogus message from the Canadian or US post office claiming to provide package delivery information. (Of course, the attacker could employ other scenarios as well.) Clicking on the document causes the creation of an autostart registry key, which enables PowerShell and starts a PowerShell script that launches a Windows binary containing the payload. In Rascagnères' tests, the payload attempted to connect to a remote IP address for further commands, but the attacker could easily write a payload binary to take other kinds of actions.
According to the blog post (https://blog.gdatasoftware.com/blog/article/poweliks-the-persistent-malware-without-a-file.html), you can't use the Regedit registry editor to look for the presence of the malicious autostart registry key, because the key does not begin with an ASCII character and is thus hidden from the registry editor. The best shot at prevention is to catch the Windows document before it is executed. Otherwise, the only options are to monitor the system for suspicious behavior (after it is already infected) or to implement some form of registry surveillance system.
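The registry surveillance mentioned above could start with a check like the following, an added example that is not from the article or from Rascagnères' blog post. It flags autostart values whose name does not begin with a visible ASCII character or whose command invokes PowerShell; the Run key paths are the standard Windows autostart locations (the article does not name the key), and the sample entries are constructed.

```python
import sys

# Standard Windows autostart location (assumption: the article does not
# say which autostart key the malware writes to).
RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"

def findings_for(name, data):
    """Return the reasons an autostart value looks suspicious ([] = clean)."""
    reasons = []
    # The key's default value legitimately has an empty name; any other
    # name should begin with a visible ASCII character ('!' through '~').
    if name and not ("!" <= name[0] <= "~"):
        reasons.append("name does not start with a visible ASCII character")
    if "powershell" in str(data).lower():
        reasons.append("command line invokes PowerShell")
    return reasons

def scan(entries):
    """entries: iterable of (key_path, value_name, value_data) tuples."""
    report = []
    for key, name, data in entries:
        reasons = findings_for(name, data)
        if reasons:
            report.append((key, name, reasons))
    return report

def read_run_keys():
    """Windows-only collector built on the standard-library winreg module."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    for label, hive in hives.items():
        try:
            key = winreg.OpenKey(hive, RUN)
        except FileNotFoundError:
            continue  # this hive has no Run key
        with key:
            for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = value count
                name, data, _type = winreg.EnumValue(key, i)
                yield (label + "\\" + RUN, name, data)

SAMPLE = [  # constructed entries, not taken from a real system
    ("HKCU\\" + RUN, "OneDrive", r'"C:\Program Files\OneDrive\OneDrive.exe" /background'),
    ("HKCU\\" + RUN, "\x01svc", r"C:\Windows\System32\rundll32.exe placeholder"),
    ("HKLM\\" + RUN, "Updater", r"powershell.exe -File C:\Example\update.ps1"),
]

if __name__ == "__main__":
    entries = read_run_keys() if sys.platform == "win32" else SAMPLE
    for key, name, reasons in scan(entries):
        print(f"{key}  {name!r}: {'; '.join(reasons)}")
```

Both checks are heuristics: localized software can legitimately use non-ASCII value names, and some administrative tools start PowerShell at logon, so hits need review against a known-good baseline.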
NERSC Gets Ready for Exascale
The US National Energy Research Scientific Computing Center (NERSC) has launched a new program to prepare for the arrival of next-generation exascale supercomputers. The NERSC Exascale Science Applications Program (NESAP) will support the development of software tools that will be necessary to utilize fully the power of the Cori exascale supercomputer, which NERSC will bring online in 2016. NERSC will collaborate with Intel and Cray for the project, which will provide "broad-based training, access to early development systems, and application kernel deep dives" to prepare the development community for Cori's arrival.
The Cori system, which was announced earlier this year, is based on the Intel Xeon Phi "Knights Landing" processor, which offers more than 60 cores per node and four hardware threads per core. The processor technology includes several innovations that will require some adaptation of conventional programming techniques, such as "higher intra-node parallelism, higher bandwidth, on-package memory, and longer hardware vector lengths."
The program is expected to last until the Cori system goes online. According to NERSC Services Department Head Katie Antypas, "By starting this well before Cori arrives, we hope to ensure that our users, and the supercomputing community in general, are ready for the coming exascale revolution. Our goal is to enable performance that is portable across systems and will be sustained in future supercomputing architectures."
IBM Announces New Chip Modeled on the Brain
IBM has announced the SyNAPSE neurosynaptic computer chip (http://www-03.ibm.com/press/us/en/pressrelease/44529.wss). The brain-inspired SyNAPSE chip comes with 1 million programmable neurons and 256 million programmable synapses, and according to IBM, the chip is capable of 46 billion synaptic operations per second per watt.
The powerful chip, which includes around 5.4 billion transistors, consumes only 70mW of power – much less than a modern microprocessor. IBM says the new chip is "a neurosynaptic supercomputer the size of a postage stamp that runs on the energy equivalent of a hearing-aid battery."
The announcement could lead to a whirlwind of new development and discovery in the field of cognitive computers – computers that are modeled directly on the structure of the human brain. Experts believe cognitive systems will someday learn more efficiently and adapt more readily to real-world environments.