This week we take a deep dive into the IOT & the Cloud. Noah isn’t quite dead yet as he gives us an earful on the future of MacOS. Plus our thoughts on Signal, Telegram, Wire, IRC & more!
Follow Up / Catch Up
They conclude that it is impossible to say if Signal meets its goals, as there are none stated, but say their analysis proves it satisfies security standards adding “we have found no major flaws in its design, which is very encouraging”.
The three primary issues here are:
1) The input devices are on SPI, not USB. Apple’s ACPI tables don’t provide the GPIO mappings for these things via the standard mechanisms, so the chipset driver won’t bind. You then still need another driver for the SPI controller, and there’s an out of tree one at https://github.com/cb22/macbook12-spi-driver/ . Longer term, the kernel needs to be able to parse Apple’s ACPI tables and that driver needs merging.
2) Apple’s NVME hardware uses the wrong PCI device class, possibly because it’s not entirely NVME compatible (trying to read 64 bits of mmio register space in one go will fail, for instance). Linux has a specific entry for the older Apple NVME devices, and that may need to be broadened.
3) Having source ID checking enabled when doing IRQ remapping results in the system hanging on boot. It’s unclear what the underlying problem is.
– mjg59 @ https://news.ycombinator.com/item?id=12924051
In 1968, The Great Northern Railroad hired Bill, then a student at Western Washington University, because of his computer experience, which at that time consisted of using punched cards and perforated paper tapes. Bill became interested in Linux and the open source community in the late 1990s. With a few other computer nerds, he helped start the Bellingham Linux User Group in 1998 and its first LinuxFest in 2000. As BLUG and LFNW’s Treasurer, Bill has been involved with organizing and community outreach ever since.
“Linuxfest Northwest reaches a huge number of people,” said Emily Dunham, who serves on the award committee. “Bill is a great example of what the award is about.” The award committee hopes that Bill Wright’s tireless work will continue to inspire other free software activists in the Cascadia region.
Please note that as of Budgie 11, support will be withdrawn for the OBS repositories for the Budgie Desktop for openSUSE and Fedora.
This will ensure that the Solus project is no longer maintaining external repositories for Budgie Desktop. As a desktop environment, it is vital that it is well tested, and well integrated, into other distributions.
Unfortunately, in the 3 years that the OBS repo has been maintained by the Solus team (Ikey, personally), nobody has stepped forward to maintain the repos, and we’ve seen no news of remaining downstreams trying to integrate Budgie into their parent repos (Budgie Desktop wiki in openSUSE says to use the OBS repo)
The Linux Foundation’s Core Infrastructure Initiative Renews Funding for Reproducible Builds Project
The grant extends the contribution to include Debian developers Chris Lamb, Mattia Rizzolo, Ximin Luo and Vagrant Cascadian, as well as extending funding for Holger Levsen. Furthermore, this contribution adds support for Ed Maste, working with FreeBSD.
While anyone can inspect the source code of free software for malicious flaws, most Linux distributions provide binary (or compiled) packages to end users. The motivation behind “reproducible” builds is to allow verification that no flaws have been introduced during the compilation process by endeavouring that identical binary packages are generated from a given source. This prevents the installation of backdoor-introducing malware on developers’ machines as an attacker would need to simultaneously infect all developers attempting to reproduce the build.
“Ensuring that no flaws are introduced during the build process greatly improves software security and control,” said Lamb. “Our work has already made significant progress in Debian GNU/Linux, and we are making our tools available for Fedora, Guix, Ubuntu, OpenWrt and other distributions.
A vulnerability and a separate logic error exist in the gstreamer 0.10.x player for NSF music files. Combined, they allow for very reliable exploitation and the bypass of 64-bit ASLR, DEP, etc. The reliability is provided by the presence of a turing complete “scripting” inside a music player. NSF files are music files from the Nintendo Entertainment System
This exploit abuses a vulnerability in the gstreamer-0.10 plug-in for playing NSF music files. These music files are not like most other music files that your desktop can play. Typical music files are based on compressed samples and are decoded with a bunch of math. NSF music files, on the other hands, are played by actually emulating the NES CPU and sound hardware in real time. Is that cool or what? The gstreamer plug-in creates a virtual 6502 CPU hardware environment and then plays the music by running a bit of 6502 code for a little while and then looking at the resulting values in the virtualized sound hardware registers and then rendering some sound samples based on that.
The package archive used by KDE neon was incorrectly configured allowing anyone to upload packages to it. There is no reason to think that anyone actually did so but as a precaution we have emptied the archives and removed ISOs built before this date. The archive is being rebuilt and ISOs regenerated.
Upgrade to the latest packages once rebuilt.
An error in the implementation of the Cryptsetup utility used for encrypting hard drives allows an attacker to bypass the authentication procedures on some Linux systems just by pressing the Enter key for around 70 seconds. This results in the attacked system opening a shell with root privileges.
Encrypted data is safe, but attackers can get root privileges on targeted systems.
Security is a selling point for these products, and for good reason. The Mirai botnet that recently attacked the Dyn service and blacked out much of the U.S. Internet for a day brought Linux-based IoT into the forefront — and not in a good way. Just as IoT devices can be turned to the dark side via DDoS, the devices and their owners can also be the victimized directly by malicious attacks.
In this final, future-looking segment of our IoT series, we look at two Linux-based, Docker-oriented container technologies that are being proposed as solutions to IoT security. Containers might also help solve the ongoing issues of development complexity and barriers to interoperability that we explored in our story on IoT frameworks.
- The cloud’s most open option for containers
+ [fix-windows-privacy: new tool to automate getting your privacy back on Windows 10](https://modzero.github.io/fix-windows-privacy/)