Linux 5.0, Canonical Update, openSUSE Board Elections, Woman and Girls in Science, European Astro-Pi Challenge

The release candidate 6 for the highly anticipated 5.0 Linux kernel was just released. You can view the changeset for 5.0-rc6 here.

Canonical issued an update (USN-3878-3) and a formal apology for a recent kernel update regression that prevented systems with certain graphics chipsets from booting.

A stable version of Chrome OS 72 was just released on Friday which introduces better access to external storage, touchscreen optimizations for tablet mode and more.

There are only a few days left to cast your ballot in the 2018-2019 openSUSE board elections. Be sure to get your vote in.

Today, the Raspberry Pi Foundation and ESA Education are celebrating the International Day of Women and Girls in Science and to support the occasion, astronaut Jenni Sidey is helping to kick off the European Astro-Pi challenge. While the challenge itself is not limited to female contestants, it will hopefully encourage more to participate.

Easier Python paths with pathlib


A look at the benefits of using pathlib, the "object-oriented way of dealing with paths".

Working with files is one of the most common things developers do. After all, you often want to read from files (to read information saved by other users, sessions or programs) or write to files (to record data for other users, sessions or programs).

Of course, files are located inside directories. Navigating through directories, finding files in those directories, and even extracting information about directories (and the files within them) might be common, but they're often frustrating to deal with. In Python, a number of different modules and objects provide such functionality, including os.path, os.stat and glob.

This isn't necessarily bad; the fact is that Python developers have used this combination of modules, methods and files for quite some time. But if you ever felt like it was a bit clunky or old-fashioned, you're not alone.

Indeed, it turns out that for several years already, Python's standard library has come with the pathlib module, which makes it easier to work with directories and files. I say "it turns out", because although I might be a long-time developer and instructor, I discovered "pathlib" only in the past few months—and I must admit, I'm completely smitten.

pathlib has been described as an object-oriented way of dealing with paths, and this description seems quite apt to me. Rather than working with strings, instead you work with "Path" objects, which not only allows you to use all of your favorite path- and file-related functionality as methods, but it also allows you to paper over the differences between operating systems.

So in this article, I take a look at pathlib, comparing the ways you might have done things before to how pathlib allows you to do them now.

pathlib Basics

If you want to work with pathlib, you'll need to load it into your Python session. You should start with:


import pathlib

Note that if you plan to use certain names from within pathlib on a regular basis, you'll probably want to use from-import. However, I strongly recommend against saying from pathlib import *, which will indeed have the benefit of importing all of the module's names into the current namespace, but it'll also have the negative effect of importing all of the module's names into the current namespace. In short, import only what you need.

Now that you've done that, you can create a new Path object. This allows you to represent a file or directory. You can create it with a string, just as you might do a path (or filename) in more traditional Python code:

Microsoft Joins the OpenChain Project, Google Open-Sources ClusterFuzz, New Android Vulnerability, FSF Gives the Vikings D8 Mainboard and Workstation Its “Respect Your Freedom” Endorsement, and Fedora Is Redesigning Its Logo

News briefs for February 8, 2019.

Microsoft has joined the OpenChain Project, "which builds trust in open source by making open source license compliance simpler and more consistent". Uber, Google and Facebook joined it last month. According to the announcement, "By joining OpenChain, Microsoft will help create best practices and define standards for open source software compliance, so that its customers have even greater choice and opportunity to bridge Microsoft and other technologies together in heterogeneous environments."

Google today announced it is open-sourcing ClusterFuzz and making it available for anyone to use. Fuzzing is "an automated method for detecting bugs in software that works by feeding unexpected inputs to a target program", and it's "effective at finding memory corruption bugs". ClusterFuzz, "a fuzzing infrastructure running on over 25,000 cores", was written to aid in the Chrome development process. You can check it out at the ClusterFuzz GitHub repository.

A security vulnerability discovered in Android gives attackers access to your phone if you open a .png file. ZDNet reports that "All it takes to trigger the bug is for attackers to send a crafted, malicious Portable Network Graphic (.PNG) file to a victim's device. Should the user open the file, the exploit is triggered." This bug affects Android versions 7.0–9.0.

The Free Software Foundation has certified new hardware with its "Respect Your Freedom" endorsement: the Vikings D8 mainboard and D8 workstation. According to Phoronix, "The Vikings D8 is a re-branded ASUS KCMA-D8 but flashed with Libreboot+Coreboot to free the hardware down to the BIOS." In addition, "the D8 Workstation also ships with the FSF-approved Trisquel operating system that is free of any Linux binary blobs and proprietary software." See also the FSF post on the Respects Your Freedom certification.

Fedora is redesigning its logo due to issues with its current logo, including "the lack of a single colour variant", "the logo not working well on dark backgrounds", "confusion with other well-known brands, and the use of a proprietary font." See this article by Máirín Duffy for more on the history of the Fedora logo and other details on the change, and also see this post to join the discussion on the new options.

The Taloflow Instance Manager (Tim)


For years, modern workloads have shifted to the cloud, with AWS being the most popular. And although this shift has cut down operating costs significantly, millions, if not billions, of dollars still are wasted to maintain all those virtual instances—even when they are not in use.

To help alleviate both the burden and headache of managing your cloud-hosted virtual machines, Taloflow built the Taloflow Instance Manager (Tim), which can reduce your expenditures by as much as 40%. Tim monitors your AWS resources and suggests automations that effortlessly save you money in real time.

Taloflow is a Vancouver- and California-based startup, offering a Software-as-a-Service (SaaS) platform that seamlessly integrates into your preferred cloud service provider to set up alerts, capture metrics and automate a list of useful actions. The company is focused solely on bringing artificial intelligence (AI) automation and intelligence to cloud services. Currently, Taloflow is an operation of at least eight talented engineers coming from all business backgrounds (from startups to enterprises).


Figure 1. The Taloflow Team

One of the key differences with Tim is that it works in real time. Unlike its competition, which is focused primarily on accountants and finance departments, Tim takes a bottom-up approach and shifts that focus onto the engineers and operators pulling the levers on these cloud virtual instances. Think of it as a bot or tool helping developers manage their resources and monitor their workflows. Tim will provide recommendations to those same engineers on how to optimize the performance, as well as the cost in the cloud.

The current implementation of Tim is available under a freemium model. This is intended to encourage early adoption, and it also allows users to hit the ground running and get started quickly. Depending on usage, number of users and the required performance, a paid tier or Enterprise Model eventually will be offered by March 2019.

Tim's basic model runs on Taloflow's own cloud, and depending on the customer's security preferences, the company will offer and provision private instances for each user (under the Enterprise subscription model). This will look like a Kubernetes image running on-premises at the customer site.

LibreOffice 6.2 Officially Available, Raspberry Pi Opens a Store in the UK, Purism Announces Partnership with GDQuest to Create Games for the Librem 5, Three New Snapshots for openSUSE Tumbleweed and Document Your DNA with an RPi Gel Imager

News briefs for February 7, 2019.

The Document Foundation today announces the official release of LibreOffice 6.2 with NotebookBar. This is a major new release that "features a radical new approach to the user interface—based on the MUFFIN concept—and provides user experience options capable of satisfying all users' preferences, while leveraging all screen sizes in the best way." This version has many new features, including substantial changes to icon themes, tidied-up context menus and improved interoperability with proprietary file formats. See this video for details on all the new features. Note that LibreOffice 6.1.5 also was released today for enterprise-class deployments. You can download LibreOffice 6.2 or LibreOffice 6.1.5 from here.

Raspberry Pi has opened a store in the Grand Arcade, Cambridge, UK. See this video for details and follow #RPiStore for more photos and info.

Purism recently announced a partnership with GDQuest to teach people how to create games for the Librem 5 smartphone using the free/libre Godot game engine. GDQuest founder and game design expert/teacher Nathan Lovato's video series will show how to create and release games on the Librem 5 and then submit them to the PureOS store. See also GDQuest's crowdfunding campaign for information on other tutorial videos and to help support the project.

Three new snapshots were released this week for openSUSE Tumbleweed with updates for ImageMagick, Mesa, Apache, Ceph, Flatpak Builder, Python and more. Bash, glusterfs, libvirt and openconnect got updates this week as well.

You can now document your DNA with a Raspberry Pi gel imager. Make magazine published a step-by-step how-to by Dr. Lindsay V. Clark, so you can make your own imager from a styrofoam box and RPi for around $150, because "Any genetics lab or DIY biohacker needs to be able to visualize DNA and RNA, and a common technique for doing so is agarose gel electrophoresis."

Disk Encryption for Low-End Hardware

Eric Biggers and Paul Crowley were unhappy with the disk encryption options available for Android on low-end phones and watches. For them, it was an ethical issue. Eric said:

We believe encryption is for everyone, not just those who can afford it. And while it's unknown how long CPUs without AES support will be around, there will likely always be a "low end"; and in any case, it's immensely valuable to provide a software-optimized cipher that doesn't depend on hardware support. Lack of hardware support should not be an excuse for no encryption.

Unfortunately, they were not able to find any existing encryption algorithm that was both fast and secure, and that would work with existing Linux kernel infrastructure. They, therefore, designed the Adiantum encryption mode, which they described in a light, easy-to-read and completely non-mathematical way.

Essentially, Adiantum is not a new form of encryption; it relies on the ChaCha stream cipher developed by D. J. Bernstein in 2008. As Eric put it, "Adiantum is a construction, not a primitive. Its security is reducible to that of XChaCha12 and AES-256, subject to a security bound; the proof is in Section 5 of our paper. Therefore, one need not 'trust' Adiantum; they only need trust XChaCha12 and AES-256."

Eric reported that Adiantum offered a 20% speed improvement over his and Paul's earlier HPolyC encryption mode, and it offered a very slight improvement in actual security.

Eric posted some patches, adding Adiantum to the Linux kernel's crypto API. He remarked, "Some of these patches conflict with the new 'Zinc' crypto library. But I don't know when Zinc will be merged, so for now, I've continued to base this patchset on the current 'cryptodev'."

Jason A. Donenfeld's Zinc ("Zinc Is Not crypto/") is a front-runner to replace the existing kernel crypto API, and it's simpler and lower-level than that API, offering a less terrifying coding experience.

Jason replied to Eric's initial announcement. He was very happy to see such a good disk encryption alternative for low-end hardware, but he asked Eric and Paul to hold off on trying to merge their patches until they could rework them to use the new Zinc security infrastructure. He said, "In fact, if you already want to build it on top of Zinc, I'm happy to work with you on that in a shared repo or similar."

He also suggested that Eric and Paul send their paper through various academic circles to catch any unanticipated problems with their encryption system.

But Paul replied:

Vivaldi 2.3 Has Arrived, Security Flaw Discovered in LibreOffice and OpenOffice, Firefox 66 to Stop Loud Videos from Playing Automatically, Red Hat CodeReady Workspaces Released and Flowblade 2.0 Is Now Available

News briefs for February 6, 2019.

Vivaldi's first release of 2019 arrived this morning. Version 2.3 introduces "a unique way to 'auto-stack' tabs that streamline your workflow even more. We've also added new ways to access websites in the Address Field and made overall improvements to navigate and interact with the Web quicker". You can download Vivaldi from here.

Security researchers have discovered a remote code execution vulnerability in LibreOffice on both Linux and Windows, Softpedia News reports. Evidently "the flaw can be exploited with just a malicious ODT document that includes code for running a macro with a mouse-hover action." Patches have been released, so update to the latest versions now (6.0.7 and 6.1.3). OpenOffice is vulnerable to the attack as well—specifically OpenOffice 4.1.6, and according to the Softpedia post, there is no fix yet.

Firefox 66 will stop videos containing audio from playing automatically. According to Ars Technica, "by default, any site that tries to play video with audio will have that video playback blocked", and "Firefox users will be able to override this block on a site-by-site basis, so those sites where autoplay is inoffensive can have it re-enabled." Mozilla plans to release Firefox 66 on March 19th.

Red Hat has released Red Hat CodeReady Workspaces, "a Kubernetes-native, browser-based IDE". ZDNet reports that "CodeReady is based on the open-source Eclipse Che IDE. It also includes formerly proprietary features from Red Hat's Codenvy acquisition." In addition, the IDE is optimized for Red Hat OpenShift, and Red Hat claims that "CodeReady Workspaces is the first IDE, which runs inside a Kubernetes cluster."

Flowblade 2.0, the open-source GTK3-based Linux video editor, was released this week. According to Phoronix, version 2.0 comes with "a new custom GTK3 theme and configurable workflow items to better cater to different users, a number of tools from keyframes to cut. Flowblade 2.0 also features better tool-tip coverage, various GUI updates, a transform compositor, and other changes." See the release notes and the GitHub repo for more information.

What Is “Surveillance Capitalism?” And How Did It Hijack the Internet?


Shoshana Zuboff's new book The Age of Surveillance Capitalism goes into gory details of how companies collect, use, buy and sell your data for profit, often without consent or even the consumer knowing it was happening, until disasters reveal some of the dark underbelly—like the Cambridge Analytica scandal. But, I’m a marketer, so I will focus on the subset of “surveillance marketing”—also known as “digital marketing”—where companies profit off of you, because they are set up to do so. Digital ad-tech companies were built to extract as much value as possible from the trust transaction that used to be the user going to a publisher’s site that carries an advertiser’s ad.

Surveillance Marketing Was Built on the Foundation of Three Myths

Digital marketing as we know it today can be traced all the way back to Chris Anderson’s book The Long Tail, published in 2006. Before that, digital media was primarily purchased from large sites that had large human audiences. The Long Tail promulgated the idea that collectively a large number of small sites could rival the scale of a small number of large sites. This simple premise alone led digital marketing down a dark and dangerous path to the hell we now know is surveillance marketing. But most marketers don’t even know they are in this hell. They were looking for scale in digital—and they got it. They were looking for data in digital—and they got it. And, they were looking for more granular targeting in digital—and they got it. But how?

Herein lie the three myths: 1) the long tail, 2) behavioral targeting and 3) hypertargeting.

The Myth of the Long Tail

February 2019 Security Bulletin for Android Released, New Patches Needed for Ubuntu 18.04, EU Recalls ENOX Safe-KID-One Smartwatches Due to Security Flaws, Raspberry Pi to Celebrate Its 7th Birthday with Jams March 2-3 and Some Fresh Snaps

News briefs for February 5, 2019.

Google yesterday released its February 2019 security bulletin for Android. Source code patches should be released to the Android Open Source Project (AOSP) repository soon. The most severe vulnerability is in Framework "that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process."

Evidently the patches released for Ubuntu 18.04 last week caused other inadvertent problems, and Canonical has released a new patch to fix those issues. ZDNet quotes the Ubuntu security team: "Unfortunately, that update introduced regressions with docking station displays and mounting ext4 file systems with the meta_bg option enabled." This bug also could affect Kubuntu, Xubuntu, Lubuntu, Linux Mint 19 and Linux Mint 19.1. The new patch replaces linux-image 4.15.0-44.47 with the fixed linux-image 4.15.0-45.48 kernel.

The EU orders a recall of ENOX Safe-KID-One smartwatches due to significant security flaws that allow third parties to track and call the watches, ZDNet reports. From the Rapid Alert System for Non-Food Products (RAPEX) alert: "The mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data. As a consequence, the data such as location history, phone numbers, serial number can easily be retrieved and changed." In addition, "a malicious user can send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS."

To celebrate its seventh birthday next month, the Raspberry Pi Foundation is coordinating several "Jams" all over the world: "Whether you're a Raspberry Pi user, club volunteer, avid forum question answerer, regular blog commenter, or brand-new community member, we want you to feel welcome! Look at the map, find a Jam near you, and meet the real-world Raspberry Pi community on 2 or 3 March."

The Ubuntu blog published a list of fresh snaps from January 2019. New snaps include OpenToonz, Eureka DOOM Editor, HexChat, Blender and much more. (All are available from the Snap store.)

Writing Secure Shell Scripts


Don't expose your system with sloppy scripts!

Although a Linux desktop or server is less susceptible to viruses and malware than a typical Windows device, there isn't a device on the internet that isn't eventually attacked. The culprit might be the stereotypical nerd in a bedroom testing his or her hacker chops (think Matthew Broderick in War Games or Angelina Jolie in Hackers). Then again, it might be an organized military, criminal, terrorist or other funded entity creating massive botnets or stealing millions of credit cards via a dozen redirected attack vectors.

In any case, modern systems face threats that were unimaginable in the early days of UNIX development and even in the first few years of Linux as a hobbyist reimplementation of UNIX. Ah, back in the day, the great worry was about copyrighted code, and so useful tools constantly were being re-implemented from scratch to get away from the AT&T Bell Labs licenses and so forth.

I have personal experience with this too. I rewrote the Hunt the Wumpus game wumpus from scratch for BSD 4.2 when the Berkeley crowd was trying to get away from AT&T UNIX legal hassles. I know, that's not the greatest claim to fame, but I also managed to cobble together a few other utilities in my time too.

Evolution worked backward with the internet, however. In real life, the lawless Wild West was gradually tamed, and law-abiding citizens replaced the outlaws and thugs of the 1850s and the Gold Rush. Online, it seems that there are more, smarter and better organized digital outlaws than ever.

Which is why one of the most important steps in learning how to write shell scripts is to learn how to ensure that your scripts are secure—even if it's just your own home computer and an old PC you've converted into a Linux-based media server with Plex or similar.

Let's have a look at some of the basics.

Know the Utilities You Invoke

Here's a classic trojan horse attack: an attacker drops a script called ls into /tmp, and it simply checks to see the userid that invoked it, then hands off its entire argument sequence to the real /bin/ls. If it recognizes userid = root, it makes a copy of /bin/sh into /tmp with an innocuous name, then changes its permission to setuid root.

This is super easy to write. Here's a version off the top of my head:


#!/bin/sh

if [ "$USER" = "root" ] ; then
  /bin/cp /bin/sh /tmp/.secretshell
  /bin/chown root /tmp/.secretshell
  /bin/chmod 4666 root /tmp/.secretshell
fi

exec /bin/ls $*

I hope you understand what just happened. This simple little script has created a shell that always grants its user root access to the Linux system. Yikes. Fancier versions would remove themselves once the root shell has been created, leaving no trace of how this transpired.
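The defensive counterpart to the trojan above, as an added example that is not from the article: a script prologue that pins PATH before the first external command, plus a PATH audit that flags the conditions the /tmp/ls trick depends on (the current directory or a world-writable directory being searched). It assumes a POSIX sh with find supporting -H and -perm -002.

```sh
#!/bin/sh
# Added example, not from the article: a defensive prologue plus a PATH audit
# that flags exactly the conditions the /tmp/ls trojan relies on.

# 1. Pin PATH to system directories before the first external command, so a
#    bare "ls" can only resolve to the real one. Assumption: every utility
#    the script needs lives in one of these directories.
PATH=/usr/bin:/bin:/usr/sbin:/sbin
export PATH

# 2. Print one line per risky PATH entry:
#    - an empty entry or "." (the current directory is searched, e.g. while
#      root happens to be sitting in /tmp)
#    - any other relative entry
#    - an absolute directory that is world-writable (anyone can drop an "ls")
audit_path() {
    # trailing newline so an empty last field (":" at the end) is still read
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r _dir; do
        case "$_dir" in
            ''|'.')
                echo "RISKY: current directory is searched (entry '$_dir')" ;;
            /*)
                # -H follows a symlinked start point (merged /usr systems),
                # -prune stops find descending, -perm -002 = other-writable
                if [ -d "$_dir" ] && [ -n "$(find -H "$_dir" -prune -perm -002 2>/dev/null)" ]; then
                    echo "RISKY: world-writable directory $_dir"
                fi ;;
            *)
                echo "RISKY: relative directory $_dir" ;;
        esac
    done
}

# Number of risky entries; 0 means the PATH can be trusted for lookups.
path_risk_count() {
    audit_path "$1" | wc -l | tr -d ' '
}

# Self-check on a constructed PATH: one normal directory, one world-writable
# directory standing in for /tmp, then "." and an empty trailing entry.
demo_path_audit() {
    _good=$(mktemp -d) || return 1
    _bad=$(mktemp -d) || return 1
    chmod 755 "$_good"
    chmod 777 "$_bad"
    _count=$(path_risk_count "$_good:$_bad:.:")
    rmdir "$_good" "$_bad"
    echo "$_count"
}

demo_path_audit        # prints 3
```

Run the audit against "$PATH" at the top of any script that may be executed by root; a non-zero count means a relative or writable directory would be consulted before the real utility.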

ZaReason Debuts New Gamerbox 9400, Google Announces Live Transcribe and Sound Amplifier Android Apps, Microsoft Bringing Xbox Live to Android, Kernel 5.0-rc5 Is Out and Mallard 1.1 Released

News briefs for February 4, 2019.

ZaReason debuted its new Gamerbox 9400, "the ultimate Linux gaming PC". And, the Gamebox is just the beginning, ZDNet reports, quoting ZaReason CEO Cathy Malmrose: "Our current team is mostly gamers so, not surprisingly, that is the direction we are going. We have a full line of gaming machines in R&D." The Gamebox runs Ubuntu 18.04, with a 64-bit Pentium 3.8GHz G5500 Coffee Lake processor and 8GB of DDR4 memory.

Google announces two new audio apps for Android to help people who are deaf or hard of hearing: Live Transcribe and Sound Amplifier. Live Transcribe "takes real-world speech and turns it into real-time captions using just the phone's microphone". Starting today, Live Transcribe will roll out gradually as a limited beta via the Play Store and pre-installed on Pixel 3 devices. You can sign up here to be notified when it's more widely available. Sound Amplifier makes "audio is more clear and easier to hear. You can use Sound Amplifier on your Android smartphone with wired headphones to filter, augment and amplify the sounds in your environment. It works by increasing quiet sounds, while not over-boosting loud sounds." Sound Amplifier is available now via the Play Store, supports Android 9 Pie or later and comes pre-installed on Pixel 3.

Microsoft is bringing Xbox Live to Android, macOS and Nintendo Switch. According to The Verge, "Some iOS and Android games already have Xbox Live Achievements, but they're only enabled in titles from Microsoft Studios and there's not many of them available right now. Microsoft describes this new push as much bigger. 'Xbox Live is expanding from 400 million gaming devices and a reach to over 68 million active players to over 2 billion devices with the release of our new cross-platform XDK,' says the GDC listing."

Linux kernel 5.0-rc5 is out. Linus writes, "I'm happy to report that things seem to be calming down nicely, and rc5 is noticeably smaller than previous rcs. Let's hope the trend continues."

Mallard 1.1 was released recently. Mallard is a "markup language for dynamic topic-oriented help. It is designed to be as simple as possible, while still providing the features needed for a modern help system. Mallard features a unique reciprocal linking system that helps writers create flexible help frameworks that are easy to extend with new content. Writers can create an outline-like structure, and as they add new help topics, the reciprocal linking mechanism will neatly integrate the new help topics with the existing help topics." To see the list of what's new, go here.

If Software Is Funded from a Public Source, Its Code Should Be Open Source


If we pay for it, we should be able to use it.

Perhaps because many free software coders have been outsiders and rebels, less attention is paid to the use of open source in government departments than in other contexts. But it's an important battleground, not least because there are special dynamics at play and lots of good reasons to require open-source software. It's unfortunate that the most famous attempt to convert a government IT system from proprietary code to open source—the city of Munich—proved such a difficult experience. Although last year saw a decision to move back to Windows, that seems to be more a failure of IT management, than of the code itself. Moreover, it's worth remembering that the Munich project began back in 2003, when it was a trailblazer. Today, there are dozens of large-scale migrations, as TechRepublic reports:

Most notable is perhaps the French Gendarmerie, the country's police force, which has switched 70,000 PCs to Gendbuntu, a custom version of the Linux-based OS Ubuntu. In the same country 15 French ministries have made the switch to using LibreOffice, as has the Dutch Ministry of Defence, while the Italian Ministry of Defence will switch more than 100,000 desktops from Microsoft Office to LibreOffice by 2020 and 25,000 PCs at hospitals in Copenhagen will move from Office to LibreOffice.

More are coming through all the time. The Municipality of Tirana, the biggest in Albania, has just announced it is moving thousands of desktops to LibreOffice, and nearly 80% of the city of Barcelona's IT investment this year will be in open source.

One factor driving this uptake by innovative government departments is the potential to cut costs by avoiding constant upgrade fees. But it's important not to overstate the "free as in beer" element here. All major software projects have associated costs of implementation and support. Departments choosing free software simply because they believe it will save lots of money in obvious ways are likely to be disappointed, and that will be bad for open source's reputation and future projects.

Arguably as important as any cost savings is the use of open standards. This ensures that there is no lock-in to a proprietary solution, and it makes the long-term access and preservation of files much easier. For governments with a broader responsibility to society than simply saving money, that should be a key consideration, even if it hasn't been in the past.

February 2019, #295: The Security Issue


On January 13th, 2018—at 8:07 am—an emergency alert was issued in Hawaii. The message, in its entirety: "BALLISTIC MISSILE THREAT INBOUND TO HAWAII. SEEK IMMEDIATE SHELTER. THIS IS NOT A DRILL."

Although this message—which showed up on smart phones across the state—was, indeed, not a drill...it also was not a real threat. There was no missile hurtling through the atmosphere towards Hawaii. It turns out someone had simply clicked the wrong option from a very poorly designed user interface and sent out a fake (but very real-looking) emergency alert.

This is officially known as a "whoopsie daisy".

As the story spread around the globe, obviously all the news reports were going to need a picture to run along with it. As luck would have it, the Associated Press had published a picture taken inside the Hawaii Emergency Management Agency—showing computer workstations where they watch for such possible threats. This picture was spread far and wide.

On that picture, people noticed something. Something amusing. Something, for many of us, relatable.

On one of the monitors was a sticky note. With the password written on it.

(There were actually two sticky notes on the monitors in the picture. The second sticky note contained the message "SIGN OUT". Because, you know, security is important.)

While the accidental, non-real emergency alert was not caused by any sort of security breach (sticky-note-based or otherwise), this picture served as a great reminder to the entire world that we probably shouldn't write down our passwords on sticky notes. Not even a government agency tasked with Emergency Management is immune to this sort of weak security.

It reminds me of a scene from Mel Brooks' film Spaceballs. In the film, an advanced security barrier had been constructed around a planet. The dastardly space-villains forced the king of the planet to give up the code that would open that barrier. That code? 12345. Upon learning of the code, one of the characters was shocked. "Remind me to change the code on my luggage."

Any of this sound familiar? Perhaps it's time to get rid of the sticky notes—and the passwords that are no more complex than "password123"—and get yourself a good password manager.

In this issue, Shawn Powers provides a good "Password Manager Roundup", laying out the pros and cons of various options.

Then, while you're in a security frame of mind, familiarize yourself with a good set of guidelines (based on the Linux Foundation's Security Checklist) for how to keep your system secure with Mike McCallister's "Everyday Security Tips".

Following these suggestions will make you far more secure than that Emergency Agency in Hawaii or that planet in Spaceballs, but what if you want to take things a step further? What if you want to dive into the world of encryption and hardware security keys?

Qt 5.12.1 Is Now Available, Tor Browser 8.0.5 and Tails 3.12 Both Released with Important Security Fixes, Virt2real Launches StereoPi and Chrome Update for Android

News briefs for February 1, 2019.

Qt 5.12.1 was released today, marking the first patch release of the Qt 5.12 LTS series. It contains nearly 300 bug fixes and other improvements. See the Change Files for all the changes. Use the online installer's maintenance tool to make the update, or for new installations, download the latest installer from the Qt Account Portal or the qt.io Download page.

Tor Browser 8.0.5 was released this week. This release includes important security updates to Firefox and also updates Tor to the first stable release in the 0.3.5 series. NoScript and HTTPS Everywhere also were updated to their latest versions. You can view the full changelog here and download from here.

Tails 3.12 was released this week. The release fixes many security vulnerabilities, but the biggest change is to the installation method: "In short, instead of downloading an ISO image (a format originally designed for CDs), you now download Tails as a USB image: an image of the data as it needs to be written to the USB stick." This release also updates Linux to 4.19, the Tor Browser to 8.0.5 and Thunderbird to 60.4.0.

Virt2real has launched a Crowd Supply campaign for its $89 "StereoPi" stereoscopic camera board designed to work with the RPi Compute Module and dual RPi cameras. According to Linux Gizmos, the StereoPi is open-spec and "supports spatial awareness, 3D depth maps, and 3D video livestreaming". In addition, "The StereoPi can capture, save, livestream, and process real-time stereoscopic video and images for robotics, AR/VR, computer vision, drone instrumentation, and panoramic video".

The Chrome team announced an update for Android this week. Chrome 72 (72.0.3626.76) is now available on Google Play, and the release includes several stability and performance improvements. In addition, Softpedia News reports that "To tackle various security and privacy issues that users have reported since previous updates, Google decided to update the built-in Incognito Mode of the Chrome web browser by making the media player controls and notifications incognito as well, which means that they're now invisible to the naked eye." See the Git log for all the changes.

Ubuntu 18.04 Needs Patching, Alpine 3.9 Released, Three New openSUSE Tumbleweed Snapshots, Latest Version of Red Hat Infrastructure Migration Solution Now Available and Electric Cloud Announces ElectricAccelerator 11.0

News briefs for January 31, 2019.

Ubuntu 18.04 needs to be patched to fix several security bugs. ZDNet reports that Canonical is updating Ubuntu 18.04 to a new kernel, 4.15.0-44.47, which contains 11 security fixes. The most important of these addresses problems with the ext4 filesystem. If you use Ubuntu 18.04, patch your system as soon as possible. See also the Ubuntu security notice for more information and instructions on how to update.

Alpine 3.9 was released this week—the first release of the v3.9 stable series of the "security-oriented, lightweight Linux distribution based on musl libc and busybox". New features include support for armv7, a switch from LibreSSL to OpenSSL and improved GRUB support. Go here to download.

Three new openSUSE Tumbleweed snapshots were released this week that contained new versions of PHP7, poppler, GTK3 and LibreOffice. The first of the snapshots also included all the package upgrades for KDE Applications.

Red Hat this morning announced the latest version of the Red Hat infrastructure migration solution. New capabilities provide "greater customer choice, helping to further reduce infrastructure complexity and facilitating a pathway to open hybrid cloud environments". The two new target platforms are the Red Hat OpenStack Platform and the Red Hat Hyperconverged Infrastructure for Virtualization.

Electric Cloud yesterday announced a new version of its software build and test acceleration platform, ElectricAccelerator 11.0. The press release notes that "the platform now offers new plug-and-play support for Android Open Source Project, accelerated embedded Linux builds based on the Yocto project, and cloud bursting for AWS and Kubernetes help businesses shrink development cycles and improve software quality."

Tamper-Evident Boot with Heads

Learn about how the cutting-edge, free software Heads project detects BIOS and kernel tampering, all with keys under your control.

Disclaimer: I work for Purism, and my experience with Heads began as part of supporting it on Purism's hardware. As a technical writer, I personally find ads that mask themselves as articles in technical publications disingenuous, and this article in no way is intended to be an advertisement for my employer. However, in writing this deep dive piece, I found that mentioning Purism was unavoidable in some places without leaving out important information about Heads—in particular, the list of overall supported hardware and an explanation of Heads' HOTP alternative to TOTP authentication, because it requires a specific piece of Purism hardware.

Some of the earliest computer viruses attacked the boot sector—that bit of code at the beginning of the hard drive in the Master Boot Record that allowed you to boot into your operating system. The reasons for this have to do with stealth and persistence. Viruses on the filesystem itself would be erased if users re-installed their operating systems, but if they didn't erase the boot sector as part of the re-install process, boot sector viruses could stick around and re-infect the operating system.

Antivirus software vendors ultimately added the ability to scan the boot sector for known viruses, so the problem was solved, right? Unfortunately, as computers, operating systems and BIOSes became more sophisticated, so did the boot-sector attacks. Modern attacks take over before the OS is launched and infect the OS itself, so when you try to search for the attack through the OS, the OS tells you everything is okay.

That's not to say modern defenses to this type of attack don't exist. Most modern approaches involve proprietary software that locks down the system so that it can boot only code that's signed by a vendor (typically Microsoft, Apple, Google or one of their approved third-party vendors). The downside, besides the proprietary nature of this defense, is that you are beholden to the vendor to bless whatever code you want to run, or else you have to disable this security feature completely (if you can).

Fortunately, an alternative exists that is not only free software, but that also takes a completely different approach to boot security by alerting you to tampering instead of blocking untrusted code. This approach, Heads, can detect tampering not only in the BIOS itself but also in all of your important boot files in the /boot directory, including the kernel, initrd and even your grub config. The result is a trusted boot environment with keys fully under your own control.

In this article, I describe some of the existing boot security approaches in more detail, along with some of their limitations, and then I describe how Heads works, and how to build and install it on your own system.

Game Review: Mage’s Initiation: Reign of the Elements

Welcome, young initiate. Do you have what it takes to become a full-fledged mage?

I've been playing a pre-release version of Mage's Initiation: Reign of the Elements, a classic role-playing game from Himalaya Studios, done in the style of Sierra On-Line's classic King's Quest series. This is hardly surprising given that the people behind this new game worked on creating those classics and their remakes. Mage's Initiation is a medieval-style fantasy game with puzzles, treasures, labyrinthine settings, magic, spell-casting battles and monsters. Mage's Initiation began its life as a Kickstarter project, where it was hotly anticipated. If you want to check into all that, I link to the Kickstarter page at the end, but right now, I just want to tell you about the game.

In Mage's Initiation, you play a student mage, taken from your family at the age of six to a mystical tower in Iginor, a seemingly idyllic land. In the Mage's Tower, you spend years studying the power of the elements. After ten years, it's Initiation Day, and you are ready to discover which of the elements has chosen you as its champion. In my case, I wound up following the path of water, but you can play (or replay) any of the four classic elements.

Figure 1. Initiation Day, Following the Path of Water

My young initiate's name is "D'Arc", which is, of course, an interesting name partly in what it might conceal. You find out that D'Arc dreams of demons which, he is told, means greatness. He also learns that the road to greatness is dangerous.

The colorful two-dimensional animation is reminiscent of games I played more than 20 years ago, and it's wonderful. I was taken in right away. There are plenty of characters, all with their own personalities, and the voice acting is varied and excellent. In the first part of the game, you'll wander the halls of the Mage's tower, taking in details, talking to other students, collecting various items, and most important, gathering information about what is to come next. This is, after all, the day of your initiation, and you will face a number of quite possibly deadly trials before the day is out. Ask lots of questions. Pay attention. No detail is too small.

There are several halls that you access by an element-themed transport pad with a large gem in the center (pay attention, and don't forget the combinations). Each hall may be populated with different characters who will provide you with what you need to continue.

Thunderbird 60.5.0 Released, System76 Introduces New “Darter Pro” Linux Laptop, Kodi 18.0 “Leia” Now Available, Slax 9.7.0 Is Out and Systemd Vulnerabilities Proof of Concept Published

News briefs for January 30, 2019.

Mozilla Thunderbird 60.5.0 has been released. New features include the FileLink provider WeTransfer for uploading large attachments, more search engines (DuckDuckGo and Google offered by default in some locations) and various security fixes. You can download Thunderbird from here.

System76 introduces its new "Darter Pro" Linux laptop, which provides a choice of Ubuntu or Pop!_OS. According to Beta News, the Darter Pro is 15.6", has two USB-A ports, a USB-C/Thunderbolt 3 port and is "expected to last a full work day without needing a charger". The laptop will be available starting February 5th from System76. You can sign up here to be notified when it's available. Pricing info coming soon.

Kodi 18.0 "Leia" is now available for all supported platforms. This is a major release, reflecting nearly 10,000 commits, 9,000 changed files and half a million lines of code added. This new release features support for gaming emulators, ROMs and controls; DRM decryption support; significant improvements to the music library; live TV improvements; and much more. See the changelog for more details, and go here to download.

Slax 9.7.0 was released yesterday. You can download it for free or purchase a USB drive with Slax pre-installed from slax.org. New to this version: usb-modeswitch was added, the slax activate command now copies a module to RAM only if necessary, and Slax is now even smaller—255MB compared to 265MB previously.

Capsule8 yesterday posted the first of a multipart series detailing new research on exploiting two vulnerabilities in systemd-journald, which were published by Qualys on January 9, 2019. "Specifically, the vulnerabilities were: 1) a user-influenced size passed to alloca(), allowing manipulation of the stack pointer (CVE-2018-16865) and 2) a heap-based memory out-of-bounds read, yielding memory disclosure (CVE-2018-16866)." See the post for details on exploiting the two vulnerabilities—CVE-2018-16865 and CVE-2018-16866—in systemd-journald with Address Space Layout Randomization (ASLR) disabled.

Why Linux Is Spelled Incorrectly

You ever see an injustice in the world—one so strong, so overwhelming—that, try as you might, you just can't ignore it? A crime that dominates your consciousness beyond all others? That drives you, even in the face of certain defeat, to action?

Mine is...Linux.

Not the existence of Linux. Linux is amazing. Linux powers the world. Linux is, as the kids say, totally tubular.

It's the name. It's the name that makes me Hulk out. Specifically, it's that confounded "X". It just plain should not be there.

Linux should be spelled L-I-N-U-C-S. Linucs.

Seriously.

That's not a joke.

To make my case for why I believe this, with every fiber of my being, let's start by understanding why "Linux" has that X in the first place. It happened back in the early 1990s, when the first snapshot of Linucs (ahem) code was first uploaded to an FTP server.

Back then, Linus Torvalds wanted to name his kernel "Freax" ("Free" + "Freak" + "Unix"). Linus felt naming the kernel after himself would be a bit, you know, weird. A friend of his disagreed, and when he uploaded the source, he named the folder "Linux".

See that "X" there at the end? It was meant to represent the "X" in UNIX. There's just one problem with that.

UNIX was never supposed to have an "X" in the name at all.

You see, "UNIX" originally was spelled U-N-I-C-S, which stands for UNiplexed Information and Computing Service. This was, itself, based off the name for an operating system made by some of the same folks—Multics (MULTiplexed Information and Computing Service).

(Note: neither Unics nor Multics is spelled with an "X".)

The people who created, engineered and ran the project named it "Unics", and, here's the kicker, nobody is 100% sure where that X even came from. I cover the topic a bit further in my video "The Complete History of Linux (Abridged)" around the five-minute mark. But, the gist is this: the most viable, detailed theory for "the X" is that "maybe someone in PR did it?"

In other words, Linucs—possibly the most critical and valuable piece of software in human history—is incorrectly named "Linux" because an unknown person may or may not have accidentally written Unics as "UNIX" once. Maybe. We're not really sure.

But, because everyone else uses the X, so must I. In every article. Every video. Every presentation.

Whenever I write the word "Linux"—which is about 80 bajillion times every day—I let out a whisper-quiet, short, tortured scream, followed by a subtle whimper of defeated acceptance. If you've ever seen me at a conference, writing an article on my laptop, now you know why I look like a completely insane person.

It's that stupid, friggin' X.

So. There you have it.