Simple Cloud Hardening

Simple Cloud Hardening
make your cloud environments safer while not making them too complex
Kyle Rankin Tue, 04/10/2018 - 10:30

Apply a few basic hardening principles to secure your cloud environment.

I've written about simple server-hardening techniques in the past. Those articles were inspired in part by the Linux Hardening in Hostile Networks book I was writing at the time, and the idea was to distill the many different hardening steps you might want to perform on a server into a few simple steps that everyone should do. In this article, I take the same approach only with a specific focus on hardening cloud infrastructure. I'm most familiar with AWS, so my hardening steps are geared toward that platform and use AWS terminology (such as Security Groups and VPC), but as I'm not a fan of vendor lock-in, I try to include steps that are general enough that you should be able to adapt them to other providers.

New Accounts Are (Relatively) Free; Use Them

One of the big advantages with cloud infrastructure is the ability to compartmentalize your infrastructure. If you have a bunch of servers racked in the same rack, it might be difficult, but on cloud infrastructures, you can take advantage of the technology to isolate one customer from another to isolate one of your infrastructure types from the others. Although this doesn't come completely for free (it adds some extra overhead when you set things up), it's worth it for the strong isolation it provides between environments.

One of the first security measures you should put in place is separating each of your environments into its own high-level account. AWS allows you to generate a number of different accounts and connect them to a central billing account. This means you can isolate your development, staging and production environments (plus any others you may create) completely into their own individual accounts that have their own networks, their own credentials and their own roles totally isolated from the others. With each environment separated into its own account, you limit the damage attackers can do if they compromise one infrastructure to just that account. You also make it easier to see how much each environment costs by itself.

In a traditional infrastructure where dev and production are together, it is much easier to create accidental dependencies between those two environments and have a mistake in one affect the other. Splitting environments into separate accounts protects them from each other, and that independence helps you identify any legitimate links that environments need to have with each other. Once you have identified those links, it's much easier to set up firewall rules or other restrictions between those accounts, just like you would if you wanted your infrastructure to talk to a third party.

Lock Down Security Groups

One advantage to cloud infrastructure is that you have a lot tighter control over firewall rules. AWS Security Groups let you define both ingress and egress firewall rules, both with the internet at large and between Security Groups. Since you can assign multiple Security Groups to a host, you have a lot of flexibility in how you define network access between hosts.

My first recommendation is to deny all ingress and egress traffic by default and add specific rules to a Security Group as you need them. This is a fundamental best practice for network security, and it applies to Security Groups as much as to traditional firewalls. This is particularly important if you use the Default security group, as it allows unrestricted internet egress traffic by default, so that should be one of the first things to disable. Although disabling egress traffic to the internet by default can make things a bit trickier to start with, it's still a lot easier than trying to add that kind of restriction after the fact.

You can make things very complicated with Security Groups; however, my recommendation is to try to keep them simple. Give each server role (for instance web, application, database and so on) its own Security Group that applies to each server in that role. This makes it easy to know how your firewall rules are being applied and to which servers they apply. If one server in a particular role needs different network permissions from the others, it's a good sign that it probably should have its own role.

The role-based Security Group model works pretty well but can be inconvenient when you want a firewall rule to apply to all your hosts. For instance, if you use centralized configuration management, you probably want every host to be allowed to talk to it. For rules like this, I take advantage of the Default Security Group and make sure that every host is a member of it. I then use it (in a very limited way) as a central place to define any firewall rules I want to apply to all hosts. One rule I define in particular is to allow egress traffic to any host in the Default Security Group—that way I don't have to write duplicate ingress rules in one group and egress rules in another whenever I want hosts in one Security Group to talk to another.

Use Private Subnets

On cloud infrastructure, you are able to define hosts that have an internet-routable IP and hosts that only have internal IPs. In AWS Virtual Private Cloud (VPC), you define these hosts by setting up a second set of private subnets and spawning hosts within those subnets instead of the default public subnets.

Treat the default public subnet like a DMZ and put hosts there only if they truly need access to the internet. Put all other hosts into the private subnet. With this practice in place, even if hosts in the private subnet were compromised, they couldn't talk directly to the internet even if an attacker wanted them to, which makes it much more difficult to download rootkits or other persistence tools without setting up elaborate tunnels.

These days it seems like just about every service wants unrestricted access to web ports on some other host on the internet, but an advantage to the private subnet approach is that instead of working out egress firewall rules to specific external IPs, you can set up a web proxy service in your DMZ that has more broad internet access and then restrict the hosts in the private subnet by hostname instead of IP. This has an added benefit of giving you a nice auditing trail on the proxy host of all the external hosts your infrastructure is accessing.

Use Account Access Control Lists Minimally

AWS provides a rich set of access control list tools by way of IAM. This lets you set up very precise rules about which AWS resources an account or role can access using a very complicated syntax. While IAM provides you with some pre-defined rules to get you started, it still suffers from the problem all rich access control lists have—the complexity makes it easy to create mistakes that grant people more access than they should have.

My recommendation is to use IAM only as much as is necessary to lock down basic AWS account access (like sysadmin accounts or orchestration tools for instance), and even then, to keep the IAM rules as simple as you can. If you need to restrict access to resources further, use access control at another level to achieve it. Although it may seem like giving somewhat broad IAM permissions to an AWS account isn't as secure as drilling down and embracing the principle of least privilege, in practice, the more complicated your rules, the more likely you will make a mistake.


Cloud environments provide a lot of complex options for security; however, it's more important to set a good baseline of simple security practices that everyone on the team can understand. This article provides a few basic, common-sense practices that should make your cloud environments safer while not making them too complex.

Feral Interactive Releases GameMode, YouTube Music Videos Hacked, Oregon Passes Net Neutrality Law and More

News briefs for April 10, 2018.

Feral Interactive today released GameMode, an open-source tool that helps Linux users get the best performance out of their games. According to the press release, "GameMode instructs your CPU to automatically run in Performance Mode when playing games." Rise of the Tomb Raider, which is being released later this month, will be the first release to integrate this tool. GameMode is available now via GitHub.

If you are using ZFS On Linux 0.7.7, which was released in March, upgrade immediately to version 0.7.8 to keep your data safe. Version 0.7.8 is an emergency release to deal with a possible data loss issue, Phoronix reports. See the ZOL bug report for more info.

YouTube was hacked this morning, and many popular music videos were defaced, including the video for the hit song Despacito, as well as videos by Shakira, Selena Gomez, Drake and Taylor Swift. According to the BBC story, "A Twitter account that apparently belongs to one of the hackers posted: 'It's just for fun, I just use [the] script 'youtube-change-title-video' and I write 'hacked'."

Linux computer maker System76 is moving its manufacturing factory from China to Denver, Colorado. In an interview with about the move and bringing manufacturing in-house, System 76 marketing director Louisa Bisio, said "Creating a computer that is open source from the physical design to the OS is the next step in our mission to empower our customers and the community. We believe that by leading with open source design, the rest of the industry will have to follow."

Oregon becomes the second state to pass Net Neutrality law. Governor Kate Brown signed the bill yesterday, "withholding state business from internet providers who throttle traffic, making the state the second to finalize a proposal aimed at thwarting moves by federal regulators to relax net neutrality requirements".

Blockchain, Part I: Introduction and Cryptocurrency

Blockchain, Part I: Introduction and Cryptocurrency
Petros Koutoupis Mon, 04/09/2018 - 10:45

It seems nearly impossible these days to open a news feed discussing anything technology- or finance-related and not see a headline or two covering bitcoin and its underlying framework, blockchain. But why? What makes both bitcoin and blockchain so exciting? What do they provide? Why is everyone talking about this? And, what does the future hold?

In this two-part series, I introduce this now-trending technology, describe how it works and provide instructions for deploying your very own private blockchain network.

Bitcoin and Cryptocurrency

The concept of cryptocurrency isn't anything new, although with the prevalence of the headlines alluded to above, one might think otherwise. Invented and released in 2009 by an unknown party under the name Satoshi Nakamoto, bitcoin is one such kind of cryptocurrency in that it provides a decentralized method for engaging in digital transactions. It is also a global technology, which is a fancy way of saying that it's a worldwide payment system. With the technology being decentralized, not one single entity is considered to have ownership or the ability to impose regulations on the technology.

But, what does that truly mean? Transactions are secure. This makes them more difficult to track and, therefore, difficult to tax. This is because these transactions are strictly peer-to-peer, without an intermediary in between. Sounds too good to be true, right? Well, it is that good.

Although transactions are limited to the two parties involved, they do, however, need to be validated across a network of independently functioning nodes, called a blockchain. Using cryptography and a distributed public ledger, transactions are verified.

Now, aside from making secure and more-difficult-to-trace transactions, what is the real appeal to these cryptocurrency platforms? In the case of bitcoin, a "bitcoin" is generated as a reward through the process of "mining". And if you fast-forward to the present, bitcoin has earned monetary value in that it can be used to purchase both goods and services, worldwide. Remember, this is a digital currency, which means no physical "coins" exist. You must keep and maintain your own cryptocurrency wallet and spend the money accrued with retailers and service providers that accept bitcoin (or any other type of cryptocurrency) as a method of payment.

All hype aside, predicting the price of cryptocurrency is a fool's errand, and there's not a single variable driving its worth. One thing to note, however, is that cryptocurrency is not in any way a monetary investment in a real currency. Instead, buying into cryptocurrency is an investment into a possible future where it can be exchanged for goods and services—and that future may be arriving sooner than expected.

Now, this doesn't mean cryptocurrency has no cash value. In fact, it does. As of the day I am writing this (January 27, 2018), a single bitcoin is $11,368.56 USD. This value is extremely volatile, and who knows what direction it will take tomorrow. One thing influencing the value of a bitcoin is the rate of adoption. More people using the technology results in more transactions being verified by the people-owned nodes forming the underlying blockchain. In turn, the owners of the verification systems earn their rewards, thereby increasing the value of the technology. It's simple: verify more transactions, and earn more money. Sure, there is a bit more to it, but that's the general idea.

The owners of the verification systems are referred to as "miners". Miners provide a service of record keeping. Such a service requires a good amount of processing power to handle the cryptographic computations. The purpose of the miner is to keep the underlying blockchain consistent, complete and unaltered. A miner repeatedly verifies and collects broadcasted transactions into groups of transactions referred to as blocks. Using an SHA-256 algorithm (Secure Hash Algorithm 256-bit hash), each new block contains a cryptographic hash of the block prior to it, establishing a link for forming the chain of blocks, hence the name, blockchain.

Figure 1. An Example of How Blocks of Data Are "Chained" to One Another

A Global "Crisis"

With the rise of cryptocurrency and the rise of miners competing to earn their fair share of the digital currency, we are now facing a dilemma—a global shortage of high-end PC graphics adapters. Even previously-used adapters are resold at a much higher price than newly boxed versions. But why is that? Using such high-end cards with enough onboard memory and dedicated processing capabilities easily can yield several dollars in cryptocurrency per day. Remember, mining requires the processing of memory-hungry algorithms. And as cryptocurrency prices continue to increase, albeit at a rapid rate, the worth of the digital currency awarded to miners also increases. This shortage of graphics adapters has become an increasing bottleneck for existing miners looking to expand their operations or for new miners to get in on the action. Hopefully, graphic card vendors will address this shortage sooner rather than later.

Comparing Blockchain Technologies

Multiple platforms exist for crypto-trading. You may come across articles discussing bitcoin and comparing that currency to others like ethereum or litecoin. Initially, those articles can lead to confusion between the two different types of digital coins: 1) cryptocurrencies and 2) tokens. The key things to remember are the following:

  • A bitcoin or litecoin or any other form of cryptocurrency actively competes against existing money and gold in the hopes of replacing them as an accepted form of global currency. As mentioned previously, the technology promises a non-regulated and globally accessible currency—one that contains the same stable value regardless of location. This concept definitely could appeal to those living in unstable countries with unstable currencies.

  • And ethereum? Well, it deals in tokens. It works on the idea of contracts. Ethereum is a platform that allows its users to write conditional digital "smart contracts", showing proof of a transaction that never can be deleted.

In the modern world, a traditionally written contract will outline the terms of a relationship, usually enforceable by law. A smart contract will enforce a relationship using cryptographic code—that is, by executing the conditions defined by its creators using a program. What makes ethereum more interesting is that unlike bitcoin (or litecoin for that matter), the platform does not limit itself to the currency use case.

Much like bitcoin, when a transaction takes place utilizing one or more of these contracts, transaction fees are charged to source the computation power required. The more computational power needed, the higher the fee.

What Is Blockchain?

To understand this cryptocurrency phenomenon and its explosive growth in popularity, you need to understand the technology supporting it: the blockchain. As mentioned previously, a blockchain consists of a continuously growing list of records captured in the form of blocks. Using cryptography, each new block is linked and secured to an existing chain of blocks.

Each block will contain a hash pointer to the previous block within the chain, a timestamp and transactional data. By design, the blockchain is resistant to any sort of modification of data. This is because a blockchain provides an open and distributed ledger to record transactions between two interested parties efficiently, reliably and permanently.

Once data has been recorded, the data in a given block cannot be altered without altering all subsequent blocks.

I guess you can think of this as a distributed "database" where its contents are duplicated hundreds, if not thousands, of times across a network of computers. This method of replication emphasizes the decentralized aspect of the technology. Without a centralized version or a single "master" copy, this database is public and, therefore, can be verified easily without risk or fear of hacking or corruption. Simultaneously hosted by millions of computing nodes, the contents of this database are accessible to anyone on the internet. As an added benefit, the distributed and decentralized model reassures its users that no single point of failure exists. Imagine that one or more of these computing nodes are either inaccessible or experiencing some sort of internal failures or are even producing corrupted data. The blockchain is resilient in that it will continue to make available the requested data contents and in their proper (that is, uncorrupted) format. This is because of a technique commonly referred to as the Byzantine Fault Tolerance method.

Byzantine Fault Tolerance

Systems fail, and they can fail for multiple reasons (such as hardware, software, power, networking connectivity and others). This is a fact. Also, not all failures are easily detectable (even through traditional fault-tolerance mechanisms) nor will they always appear the same to the rest of the systems in the networked cluster. Again, imagine a large network consisting of hundreds, if not thousands, of nodes. To handle such unpredictable conditions, one must employ a voting system to ensure that the cluster will tolerate the failure or misbehavior.

A Byzantine fault is defined by any fault showcasing different types of symptoms to different observers (that is, distributed computing systems). A Byzantine failure is the loss of a system service due to a Byzantine fault in an environment where a consensus must reached in order to perform that one service or operation.

The purpose of Byzantine Fault Tolerance (BFT) is to defend the distributed platform against such Byzantine failures. Failing components of the system will not prevent the remaining components from reaching an agreement among themselves, where such an agreement is required to perform an operation. Correctly functioning components of a BFT system will continue to provide uninterrupted service, assuming that not too many faults exist.

The name of this mechanism is derived from the Byzantine Generals' Problem (BGP). The BGP highlights an agreement problem, where there is a disagreement with all participating members. Imagine a scenario where several divisions of the Byzantine army are camped outside a fortified city. Each division has its own general, and the only way the generals are able to communicate with each other is through the use of messengers. The generals need to decide on a common plan of action. The problem is, some of the generals may and very well could be traitors. With one traitor in their midst, can the non-traitors decide on a common plan?

In a BFT environment, the answer to this question is yes. In a group of three, one traitor makes it impossible not to reach a majority consensus. For instance, if one general says "attack" while the other two say to "retreat", it is easy to determine who the traitor of the group is. It is also possible to reach some sort of agreement across the non-traitors. Now, apply this concept to a distributed network of computing nodes. For example, when f number of nodes goes Byzantine, 2f + 1 nodes will not tolerate the misbehavior. All you need is 1 properly functioning node more than the potentially faulty nodes.

Figure 2. The Byzantine Generals' Problem illustrated

Now, why am I talking about this? The BFT is at the core of a blockchain's resiliency. If a consensus cannot be made to handle a transaction, the blockchain itself is no good.

The Network

A network consisting of computing nodes is what makes up the blockchain. A node gets an identical copy of the blockchain as soon as it joins the network. Each node is considered to be an administrator of the blockchain and not in any more control over the other nodes within the cluster—again, the result of being decentralized.

Figure 3. An Example of a Decentralized Blockchain Network

This method of computing is what lends the blockchain its robustness. Aside from updating the blockchain, each node can and will act independently from the other regardless of how it was accessed. And when it needs to append a new block to the chain, it will broadcast the update to the rest of the nodes (updating the public ledger).

Whatever the user-driven event, it is considered to be a function of the network as a whole. It is the global network that manages the application, and it will operate on a user-to-user or peer-to-peer basis. Each node, when accessed independently, is tasked with confirming the requested transaction (such as mining). Already alluded to previously, it is this core concept that makes the blockchain that much more secure. The blockchain technology eliminates the risks (and vulnerabilities) introduced with data being held (or managed) centrally and not replicated across the network. Another way to think of it is this: instead of having a single entity validate the transaction, you now have multiple entities validating the transaction after reaching a consensus. They act as witnesses, and not one single entity has more authority over the other. This leaves no room for ambiguity, and if one or more nodes misrepresents the original data, the BFT model will address that.

Almost everyone reading this is familiar with the constant security problems running rampant on the internet. We personally attempt to protect both our identity and our assets online by relying on the traditional "user name" and "password" systems. Blockchain takes this a step further and differs in that its security stems from its use of encryption technologies. The authentication "problem" is solved with the generation of "keys". A user will create a public key (a long and randomly generated numeric string) and a private key (which acts like a password). The public key serves as the user's address within the blockchain, and any transaction involving that address will be recorded as belonging to that address. The private key gives its owner access to his or her digital assets. The combination of both public and private keys provide a digital signature. The only concern here is taking the appropriate measures to protect private keys.

Putting the Pieces Together

By now, you should have more of a complete picture of how all of these components tie together.

Figure 4. The General Handling of a Transaction across a Blockchain Network

For example, let's say there's a bitcoin transaction (or it could something else entirely different), but imagine someone in the network is requesting the transaction. This requested transaction is then broadcasted across a peer-to-peer network of computing nodes. Using cryptographic algorithms, the network of nodes validates the user's status and the transaction. Once verified, the transaction is combined with other transactions, creating a new block of data for the public ledger. The new block of data is then appended to the existing blockchain and is done in a way that makes it permanent and unalterable. Then the transaction is complete. Using timestamping schemes, all transactions are serialized.

What Makes Blockchain Important?

Much like TCP/IP, the blockchain is a foundation technology. As TCP/IP enabled the internet by the 1990s, you can expect wonderful new beginnings with the blockchain. It is still a bit too early to see how it will evolve. This revolutionary technology has enabled organizations to explore what it can and will mean for their businesses. Many of these same organizations already have begun the exploration, although it primarily has been focused around financial services. The possibilities are enormous, and it seems that any industry dealing with any sort of transaction-based model will be disrupted by the technology.


This article covers the rise and interest in cryptocurrencies and begins to dive into the underlying blockchain technology that enables it. In the next part of this series, using open-source tools, I start to describe how to build your very own private blockchain network. This private deployment will allow you to dig deeper into the details highlighted here. The technology may be centered around cryptocurrency today, but I also look at various industries the blockchain can help to redefine and the potential for a promising future leveraging the technology.

Rise of the Tomb Raider Coming to Linux This Month, phpMyAdmin New Release, Canonical’s Kernel Update for RPi 2 and More

News briefs for April 9, 2018.

Feral Interactive confirms: "Lara Croft is returning to Linux in Rise of the Tomb Raider later this month, shortly after macOS. Specs will be announced closer to launch. In the meantime, gear up for adventure with our Linux livestream tomorrow at 6PM BST / 10AM PDT on Twitch."

phpMyAdmin version 4.8.0 was released over the weekend. This release brings the usual bug and security fixes, and other major changes include "security enhancements, such as removing the PHP eval() function and authentication logging, a mobile interface to improve the interface when used with tablets or mobile phones, and two-factor authentication options."

Canonical released a "major Linux kernel update for Raspberry Pi 2" that addresses various security vulnerabilities. Among other things, 21 security vulnerabilities were fixed for linux-raspi2, "including a race condition that could lead to a use-after-free vulnerability in Linux kernel's ALSA PCM subsystem, and a use-after-free vulnerability in the network namespaces implementation." Update now if you haven't already. (Source: Softpedia News.)

FreeCAD 0.17 was released last week, marking the first release in two years, so it's certainly a major update. Along with several workbench improvements, "more than 6,800 revisions were added to FreeCAD's source code". See the changelog for all the details, and download it here.

A new major version of the HandBrake open-source video transcoder was released this weekend, v. 1.1.0. Updates include an improved user interface, new and improved official presets, improved Apple TV 4K support and more. See all the details on the GitHub page.

Phoronix reports on big changes in store for the Linux 4.17 kernel (expected to be stable mid-June), including "a huge DRM subsystem update", "initial NVIDIA Tegra 'Xavier' SoC support", "fixes for the Macintosh PowerBook 100 series" and much more.

Best Programming Language

Best Programming Language
Programming, python, Readers' Choice Awards
Carlie Fairchild Fri, 04/06/2018 - 14:23

Surprise—Python wins again!

Here's the breakdown (the contenders listed below were nominated by LJ readers via Twitter):

  • Python: 31%
  • C: 20%
  • C++: 14%
  • Other: 9%
  • Java: 8%
  • Perl: 7%
  • JavaScript: 4%
  • PHP: 3%
  • Ruby: 3%

Python wins Best Programming Language again this year in Linux Journal's annual Readers' Choice Awards. It's easy to use, powerful and versatile with a really large and active community. Having that supportive community ensures that developers of all skill levels easily can find the support and documentation they require, which feeds Python's popularity. It certainly helps that Python has something like a corporate sponsor. Python is recognized as an official language at Google, running on many of its internal systems and showing up in many Google APIs. In fact, Google's developer website offers free Python classes, videos and exercises.

Weekend Reading: Sysadmin 101

Weekend Reading: Sysadmin 101
Kyle Rankin
Kyle Rankin Fri, 04/06/2018 - 12:27

This series covers sysadmin basics. The first article explains how to approach alerting and on-call rotations as a sysadmin. In the second article, I discuss how to automate yourself out of a job, and in the third, I explain why and how you should use tickets. The fourth article covers some of the fundamentals of patch management under Linux, and the fifth and final article describes the overall sysadmin career path and the attributes that might make you a "senior sysadmin" instead of a "sysadmin" or "junior sysadmin", along with some tips on how to level up.

Sysadmin 101: Alerting

In this first article, I cover on-call alerting. Like with any job title, the responsibilities given to sysadmins, DevOps and Site Reliability Engineers may differ, and in some cases, they may not involve any kind of 24x7 on-call duties, if you're lucky. For everyone else, though, there are many ways to organize on-call alerting, and there also are many ways to shoot yourself in the foot.

Sysadmin 101: Automation

Here we cover systems administrator fundamentals. These days, DevOps has made even the job title "systems administrator" seem a bit archaic, much like the "systems analyst" title it replaced. These DevOps positions are rather different from sysadmin jobs in the past. They have a much larger emphasis on software development far beyond basic shell scripting, and as a result, they often are filled by people with software development backgrounds without much prior sysadmin experience. In the past, a sysadmin would enter the role at a junior level and be mentored by a senior sysadmin on the team, but in many cases currently, companies go quite a while with cloud outsourcing before their first DevOps hire. As a result, the DevOps engineer might be thrust into the role at a junior level with no mentor around apart from search engines and Stack Overflow posts.

Sysadmin 101: Ticketing

By ticketing, I'm referring to systems that allow sysadmins to keep track of tasks both internally and those requested by their coworkers or customers. There are many ways to get ticketing wrong so that it becomes a drain on an organization, so many sysadmins avoid or it use it begrudgingly. Also, ticketing approaches that work well for developers may be horrible for sysadmins, and vice versa. If you don't currently use a ticketing system, I hope by the end of this article, I've changed your mind. If you do use tickets, but you wish you didn't, I hope I can share how to structure a ticketing system that makes everything easier, not more difficult.

Sysadmin 101: Patch Management

Most Linux system administrators are no different from Windows sysadmins when it comes to patch management. Honestly, in some areas (in particular, uptime pride), some Linux sysadmins are even worse than Windows sysadmins regarding patch management. So in this article, I cover some of the fundamentals of patch management under Linux, including what a good patch management system looks like, the tools you will want to put in place and how the overall patching process should work.

Sysadmin 101: Leveling Up

In the past, a sysadmin would enter the role at a junior level and be mentored by a senior sysadmin on the team, but in many cases these days, companies go quite a while with cloud outsourcing before their first DevOps hire. As a result, the DevOps engineer might be thrust into the role at a junior level with no mentor around apart from search engines and Stack Overflow posts.


Matthew Garrett Calls on Symantec to Share Its Code, EFF Questions Google’s Work on Project Maven and More

News briefs for April 6, 2018.

Linux kernel developer, free software activist and Google engineer Matthew Garrett discovered that Symantec is using a Linux distro based on the QCA Software Development Kit (QSDK) project: "This is a GPLv2-licensed, open-source platform built around the Linux-based OpenWrt Wi-Fi router operating system" (if true, this means Symantic needs to share the Norton Core Router's code). So, Garrett tweeted "Hi @NortonOnline the Norton Core is clearly running Linux and the license requires you to distribute the kernel source code so where can I get it?" (Source: ZDNet.)

The EFF has questions and advice for Google regarding the company's work on "Project Maven", which is "a U.S. Department of Defense (DoD) initiative to deploy machine learning for military purposes". Read the "Google Should Not Help the U.S. Military Build Unaccountable AI Systems" post by Peter Eckersley and Cindy Cohn for more information.

Ubuntu 18.04 LTS (Bionic Beaver) final beta was released this morning. This release includes Ubuntu 18.04 LTS Desktop, Server and Cloudproducts, as well as Kubuntu, Lubuntu, Ubuntu Budgie, UbuntuKylin, Ubuntu MATE, Ubuntu Studio, and Xubuntu. Note that this version is still beta and not intended for use in production. The final release is scheduled for April 26. See the release notes for more details and download images.

Zilliqa recently announced its Testnet v1.0 release: codename Red Prawn. According to the press release, Zilliqa's is the "first blockchain platform to actually implement the technology of sharding, which has the potential to scale blockchain transaction speeds to match VISA."

openSUSE's Tumbleweed distro (a pure rolling-release version of openSUSE) had several snapshot releases this week, most notably with updates to KDE's newest point version of Plasma (5.12.4). The snapshots this week also included updates to gstreamer, Firefox and Digikam, among other things.

Tackling L33t-Speak

Tackling L33t-Speak
Dave Taylor Thu, 04/05/2018 - 09:00

How to script a l33t-speak translator.

My daughter and I were bantering with each other via text message this morning as we often do, and I dropped into a sort of mock "leet speak". She wasn't impressed, but it got me thinking about formulaic substitutions in language and how they represent interesting programming challenges.

If you're not familiar with "leet speak" it's a variation on English that some youthful hackers like to use—something that obscures words sufficiently to leave everyone else confused but that still allows reasonably coherent communication. Take the word "elite", drop the leading "e" and change the spelling to "leet". Now replace the vowels with digits that look kind of, sort of the same: l33t.

There's a sort of sophomoric joy in speaking—or writing—l33t. I suppose it's similar to pig latin, the rhyming slang of East Londoners or the reverse-sentence structure of Australian shopkeepers. The intent's the same: it's us versus them and a way to share with those in the know without everyone else understanding what you're saying.

At their heart, however, many of these things are just substitution ciphers. For example, "apples and pears" replaces "stairs", and "baked bean" replaces "queen", in Cockney rhyming slang.

It turns out that l33t speak is even more formalized, and there's actually a Wikipedia page that outlines most of its rules and structure. I'm just going to start with word variations and letter substitutions here.

The Rules of L33t Speak

Okay, I got ahead of myself. There aren't "rules", because at its base, leet speak is a casual slang, so l33t and 733T are both valid variations of "elite". Still, there are a lot of typical substitutions, like dropping an initial vowel, replacing vowels with numerical digits or symbols (think "@" for "a"), replacing a trailing "s" with a "z", "cks" with "x" (so "sucks" becomes "sux"), and the suffixed "ed" becomes either 'd or just the letter "d".

All of this very much lends itself to a shell script, right? So let's test some mad skillz!

For simplicity, let's parse command-line arguments for the script and use some level of randomness to ensure that it's not too normalized. How do you do that in a shell script? With the variable $RANDOM. In modern shells, each time you reference that variable, you'll get a different value somewhere in the range of 1..MAXINT. Want to "flip a coin"? Use $(($RANDOM % 2)), which will return a zero or 1 in reasonably random order.

So the fast and easy way to go through these substitutions is to use sed—that old mainstay of Linux and UNIX before it, the stream editor. Mostly I'm using sed here, because it's really easy to use substitute/pattern/newpattern/—kind of like this:

word="$(echo $word | sed "s/ed$/d/")"

This will replace the sequence "ed" with just a "d", but only when it's the last two letters of the word. You wouldn't want to change education to ducation, after all.

Here are a few more that can help:

word="$(echo $word | sed "s/s$/z/")"
word="$(echo $word | sed "s/cks/x/g;s/cke/x/g")"
word="$(echo $word | sed "s/a/@/g;s/e/3/g;s/o/0/g")"
word="$(echo $word | sed "s/^@/a/")"
word="$(echo $word |  tr "[[:lower:]]" "[[:upper:]]")"

In order, a trailing "s" becomes a trailing "z"; "cks" anywhere in a word becomes an "x", as does "cke"; all instances of "a" are translated into "@"; all instances of "e" change to "3"; and all instances of "o" become "0". Finally, the script cleans up any words that might start with an "a". Finally, all lowercase letters are converted to uppercase, because, well, it looks cool.

How does it work? Here's how this first script translates the sentence "I am a master hacker with great skills":


That's a good start, but there's more you can do, something I'll pick up in my next article. Meanwhile, if you consider yourself a l33t expert, hit me up, let's talk about some additional letter, letter combination and word rules.

Subutai Blockchain Router v2.0, NixOS New Release, Slimbook Curve and More

News briefs for April 5, 2018.

Subutai recently announced that its Subutai Blockchain Router v2.0 is in production: "This broadband cloud router serves as a 'plug-and-play' cryptocurrency wallet and mining device with energy savings of 10x over traditional mining methods, and also allows users to share and rent their idle computer resources by registering their computers with the Subutai Bazaar."

NixOS released version 18.03 "Impala" yesterday. Highlights include "core version changes: linux: 4.9 -> 4.14, glibc: 2.25 -> 2.26, gcc: 6 -> 7, systemd: 234 -> 237"; "desktop version changes: gnome: 3.24 -> 3.26, (KDE) plasma-desktop: 5.10 -> 5.12"; the Nix package manager now defaults to 2.0 and more.

Matthew Garrett wrote a blog post yesterday titled "Linux Kernel Lockdown and UEFI Secure Boot" to elaborate on the kernel lockdown feature being paired with UEFI SecureBoot, in response to discussion on the LKML.

The Slimbook Curve—a new cool-looking, all-in-one Linux PC with a 24" full-HD curved screen—is now available from Spanish company Slimbook. See the OMG Ubuntu post for specs and pricing info.

LibreOffice 6.0.3 is available for download. This is the third minor release of LibreOffice 6, and it has about 70 bug and regression fixes. This version "represents the bleeding edge in terms of features and as such is targeted at early adopters, tech-savvy and power users, while LibreOffice 5.4.6—provided as an alternative download option—is targeted at mainstream users and enterprise deployments."

Richard Stallman’s Privacy Proposal, Valve’s Commitment to Linux, New WordPress Update and More

News briefs for April 4, 2018.

Richard Stallman writes "A radical proposal to keep personal data safe" in The Guardian: "The surveillance imposed on us today is worse than in the Soviet Union. We need laws to stop this data being collected in the first place."

WordPress 4.9.5 was released yesterday. This is a security and maintenance release, and it fixes 28 bugs, so be sure to update right away. To download or view the changelog, go here.

Valve's Pierre-Loup Griffais writes about the company's commitment to Linux after de-listing Steam Machines (it's still available, just not from the main navigation bar on the site due to low traffic): "While it's true Steam Machines aren't exactly flying off the shelves, our reasons for striving towards a competitive and open gaming platform haven't significantly changed. We're still working hard on making Linux operating systems a great place forgaming and applications." He then went on to say "we're continuing to invest significant resources in supporting the Vulkan ecosystem, tooling and driver efforts. We also have other Linux initiatives in the pipe that we're not quite ready to talk about yet; SteamOS will continue to be our medium to deliver these improvements to our customers, and we think they will ultimately benefit the Linux ecosystem at large." (Source: Phoronix's "Valve Reaffirms Commitment To Linux, SteamOS").

Amazon announced the new Gadgets Skill API (beta), which will allow developers to build games for Echo Buttons.

The Fedora Project announced the release of Fedora 28 Beta. Features include Modular Repository for Fedora Server, 64-bit Arm is now a primary architecture for Fedora Server, the inclusion of GNOME 3.28, VirtualBox Guest Additions and more.

How Wizards and Muggles Break Free from the Matrix

How Wizards and Muggles Break Free from the Matrix
red pill
Doc Searls Wed, 04/04/2018 - 10:32

First we invented a world where everyone could be free. Then we helped build feudal castles on it, where everyone now lives. Now it's time to blow up those castles by giving everybody much better ways to use their freedom than they ever would enjoy in a castle.

I'm going to mix movie metaphors here. You'll see why.

In April 1999, a few weeks after The Matrix came out, the entire Linux Journal staff watched it in a theater not far from our headquarters at the time, in Seattle's Ballard neighborhood. While it was instantly clear to us that the movie was geek classic (hell, its hero was an ace programmer), it also was clear that the title subject—a fully convincing fake world occupied by nearly the whole human species—was an allegory (which Wikipedia calls "a metaphor whose vehicle may be a character, place or event, representing real-world issues and occurrences").

One obvious interpretation was religious. Neo was a Christ-like savior, resurrected by a character named Trinity, who played the Holy Spirit role after Neo got killed by the Satan-like Agent Smith—all while the few humans not enslaved by machines lived in an underground city called Zion.

When the second and third installments came out in the years that followed, more bits of the story seemed borrowed from other religions: Buddhism, Gnosticism and Hinduism. Since the Wachowski brothers, who wrote and directed the films, have become the Wachowski sisters, you also can find, in retrospect, plenty of transgender takes on the series.

Then there's the philosophical stuff. Prisoners in the Matrix believe the world they inhabit is real, much as prisoners in Plato's Allegory of the Cave believe the shadows they see on a wall are real, because they can't tell the source of light is a fire behind them. In Plato's story, one prisoner is set free to visit the real world. In The Matrix, that one prisoner is Neo, his name an anagram for "The One" whose job is to rescue everybody or at least save Zion. (Spoiler: he does.)

But I didn't buy any of that, because already I saw marketing working to turn the free and open online world into a commercial habitat where—as in the fictional Matrix—human beings were reduced to batteries for giant robotic machines that harvested human attention, which they then processed and fed back to humans again.

This was the base design of the world marketing wanted to make for us in the digital age: one where each of us were "targets", "captured", "acquired", "controlled", "managed" and "locked in", so personalized "content" and "experiences" could be "delivered" to our ears and eyeballs. Marketers talked like that long before the internet showed up, but with every eyeball suddenly addressable, personally, the urge to jack us into marketing's Matrix became irresistible.

In fact, one reason four of us posted The Cluetrain Manifesto on the web that very same month was that we wanted to make clear that the internet was for everybody, not just marketing.

But, popular as Cluetrain was (especially with marketers), marketing got engineering—including plenty of Linux wizards—to build a Matrix for us. We live there now. Unless you have your hardware and software rigged for absolute privacy while roaming about the online world (and can you really be sure?), you're in marketing's Matrix.

The obvious parts of that Matrix are maintained by Google, Facebook, LinkedIn, Twitter, Tumblr, Pinterest, Amazon and so on. Much more of it is provisioned by names you never heard of. To see what they're up to, equip your browser with a form of tracking protection that names sources of tracking files. (Examples are Baycloud Bouncer, Disconnect, Ghostery, Privacy Badger and RedMorph.) Then point your browser to the website of a publisher whose business side has been assimilated by the Agent Smith called "adtech"—The Los Angeles Times, for example. Then, check your tracking-protection tool's list of all the entities trying to spy on you.

Here are just some of the 57 suspects that Privacy Badger found for me on the LA Times index page:


Many of those appear more than once, with different prefixes. I've also left off variants of google, doubleclick, facebook, twitter and other familiars.

Interesting: when I look a second, third or fourth time, the list is different—I suppose because third-party ad servers are busy trying to shove trackers into my browser afresh, as long as a given page is open.

When I looked up one of those trackers, "moatads", which I chose at random, most of the 1,820,000 search results were about how moatads is bad stuff. In order, this is the first page of search results:

  • Remove Moatads virus (Removal Guide) - Oct 2017 update - 2 Spyware
  • Moatads Malware Removal (What is moatads?) March 2018 Update ...
  • What is - Webroot Community
  • How to remove fully -
  • Uninstall Moatads virus (Uninstall Guide) - Oct 2017 updated
  • Moatads Malware Removal | Mobile Security Zone
  • Moatads Removal Guide | Spyware Techie
  • This keeps cropping up and is a real problem. How do i get rid of it..

The fourth item says the company behind moatads,, "measures real-time Attention Analytics over 33 billion times per day". And that's just one Matrix-builder.

Clearly there is no Architect or Oracle building this Matrix, or it wouldn't suck so bad. That's to our advantage, but we're still stuck in an online world where spying is the norm rather than the exception, and personal autonomy is mostly contained within the castles of giant service providers, "social networks" and makers of highly proprietary gear.

Way back in 2013, Shoshana Zuboff called on us to "be the friction" against "the New Lords of the Ring". In later essays, she labeled the whole spying-fed advertising system both surveillance capitalism and The Big Other. If things go according to plan, her new book, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power, will come out soon. (Here's the Amazon link.)

People are already fighting back, whether they know it or not. PageFair's 2017 Adblock Report says at least 11% of the world's population is now blocking ads on at least 615 million devices. GlobalWebIndex says 37% of all the world's mobile users were blocking ads by January of 2016 and another 42% wanted to do so as well. Statista says the number of mobile-phone users in the world would reach 4.77 billion at some point this past year. Combine those last two numbers, and you get more than 1.7 billion people blocking ads already—a sum exceeding the population of the Western Hemisphere. All of which is why I called ad blocking the world's biggest boycott, way back in 2015. Today I'd rather think of it as a slave revolt.

But we need to be more than freed slaves. We need to be, as Shoshana says, masters of our own lives and of all the relationships we have online.

In The Matrix, Morpheus asks the still-captive Neo if he believes in fate. "No", says Neo, "because I don't like the idea that I'm not in control of my life."

We can't be in control of our lives as long as those lives are lived within corporate castles and we lack the tools for mastery over our virtual bodies and minds online.

It doesn't matter if Facebook, Google and the rest have no malicious intent, or if they really do want to "bring the world closer together", or "organize the world's information and make it universally accessible and useful", or "develop services that significantly improve the lives of as many people as possible". We need to be free and independent agents of our selves.

That can't happen inside the client-server systems we've had online since 1995 and earlier—systems that might as well be called slave-master. It can't happen as long as we always have to click "accept" to the terms and conditions of the online world's defaulted slave-master system. It can't happen as long as everything useful in the online world requires a login and a password. Each of those norms are walls in what Morpheus calls "a prison for your mind".

We have to think and work outside the walls in those prisons (formerly castles). And it isn't enough to free ourselves. To switch movie metaphors, it's time for the wizards to free the muggles. Here's a punch list of what we need to do:

At the end of The Matrix trilogy, Neo succeeds at stopping the viral Agent Smith program from destroying both the machine and human worlds. But there is no vision of what all the people jacked into the Matrix would do once they were free—or if freedom was in the cards at all. In fact, all Neo does is save Zion and leave the rest of humanity living in the same old Matrix: a machine-maintained illusory existence where their only true purpose was to power the Matrix as batteries.

That bulleted list above is a set of visions missed by both The Matrix and the Harry Potter movies. All of them give everybody far more power than even the wizards of the world—our readers and writers—now possess.

Fortunately, the internet isn't Hogwarts. Though it's a product of wizardry, everybody—wizards included—live and think inside its walls. But digital technology and the internet were designed for freedom, and not just for more enslavement on the industrial model.

So let's finish making online civilization something better than the digital feudal system we have now.

[Note: an ancestor of this article appeared on the Linux Journal website in January 2018.]

Caption This

Caption This
Amazon Echo plugged in to hamburger
Carlie Fairchild Wed, 04/04/2018 - 10:14

Each month, we provide a cartoon in need of a caption. You submit your caption, we choose three finalists, and readers vote for their favorite. The winning caption for this month's cartoon will appear in the May issue of Linux Journal.


To enter, simply type in your caption in the comments below or email us,