
Brief items

Security

Security quotes of the week

We study the impact that Internet routing attacks (such as BGP hijacks) and malicious Internet Service Providers (ISP) can have on the Bitcoin cryptocurrency. Because of the extreme efficiency of Internet routing attacks and the centralization of the Bitcoin network in few networks worldwide, we show that the following two attacks are practically possible today:
  • Partition attack: Any ISP can partition the Bitcoin network by hijacking few IP prefixes.
  • Delay attack: Any ISP carrying traffic from and/or to a Bitcoin node can delay its block propagation by 20 minutes while staying completely under the radar.
Maria Apostolaki, Aviv Zohar, and Laurent Vanbever (Thanks to Paul Wise.)

Traditionally, information that was most precious to us was physically close to us. It was on our bodies, in our homes and offices, in our cars. Because of that, the courts gave that information extra protections. Information that we stored far away from us, or gave to other people, afforded fewer protections. Police searches have been governed by the "third-party doctrine," which explicitly says that information we share with others is not considered private.

The Internet has turned that thinking upside-down. Our cell phones know who we talk to and, if we're talking via text or e-mail, what we say. They track our location constantly, so they know where we live and work. Because they're the first and last thing we check every day, they know when we go to sleep and when we wake up. Because everyone has one, they know whom we sleep with. And because of how those phones work, all that information is naturally shared with third parties.

More generally, all our data is literally stored on computers belonging to other people. It's our e-mail, text messages, photos, Google docs, and more -- all in the cloud. We store it there not because it's unimportant, but precisely because it is important.

Bruce Schneier

You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use "session replay" scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.

The stated purpose of this data collection includes gathering insights into how users interact with websites and discovering broken or confusing pages. However the extent of data collected by these services far exceeds user expectations; text typed into forms is collected before the user submits the form, and precise mouse movements are saved, all without any visual indication to the user. This data can't reasonably be expected to be kept anonymous. In fact, some companies allow publishers to explicitly link recordings to a user's real identity.

Steven Englehardt, Gunes Acar, and Arvind Narayanan

Comments (17 posted)

Kernel development

Kernel release status

The current development kernel is 4.15-rc1, released on November 26. Linus said: "So it's been the usual two weeks of merge window, and rc1 is out. And that normal time length is about the only thing usual about this merge window. Because of the indiscriminate mass slaughter of turkeys in the US last week, lots of people - including me - were on vacation. That meant that I had asked for people to try to make the merge window front-heavy, but it also meant that then during the second week I was rather more strict than usual in what I pulled."

Stable updates have not been in short supply over the last two weeks. 4.13.14, 4.9.63, 4.4.99, and 3.18.82 were released on November 18; 4.14.1, 4.13.15, 4.9.64, 4.4.100, and 3.18.83 on November 21, and 4.14.2, 4.13.16, 4.9.65, 4.4.101, 4.4.102, and 3.18.84 on November 24.

The 4.14.3, 4.9.66, 4.4.103, and 3.18.85 updates are in the review process; they are due on November 30.

Comments (none posted)

Several companies clarify GPL enforcement policies

Here is a press release from Red Hat on GPL enforcement: "To provide greater predictability to users of open source software, Red Hat, Facebook, Google and IBM today each committed to extending the GPLv3 approach for license compliance errors to the software code that each licenses under GPLv2 and LGPLv2.1 and v2." This is, in effect, a reiteration of the approach to enforcement recently adopted by many kernel developers, but it extends to all GPLv2-licensed software contributed by those companies.

Comments (29 posted)

Quotes of the week

From a security standpoint, when you find an invalid access, and you mitigate it, you've done a great job, and your hardening was successful and you're done. "Look ma, it's not a security issue any more", and you can basically ignore it as "just another bug" that is now in a class that is no longer your problem.

So to you, the big win is when the access is _stopped_. That's the end of the story from a security standpoint - at least if you are one of those bad security people who don't care about anything else.

But from a developer standpoint, things _really_ are not done. Not even close. From a developer standpoint, the bad access was just a symptom, and it needs to be reported, and debugged, and fixed, so that the bug actually gets corrected.

So from a developer standpoint, the end point of hardening is just the starting point, and when _you_ think you're done, we're really only getting started.

And from a _user_ standpoint, it's something else altogether. For a user, pretty much EVERY SINGLE TIME, it wasn't actually a security attack at all, it was just a latent bug that got exposed. And the keyword here is that it was _latent_, and things used to work, and the hardening patch did something - probably fairly drastic - to turn it from "dangerous" to "benign" from a security perspective.

Linus Torvalds

Jumbo Array. Many
pieces hidden behind walls.
Will anyone notice?
Dave Chinner

Comments (3 posted)

Distributions

Linux Mint 18.3 released

Linux Mint has released 18.3 "Sylvia" in Cinnamon and MATE editions. Linux Mint 18.3 is a long term support release which will be supported until 2021. Both editions feature a revamped Software Manager with support for flatpaks. See more about what's new in the Cinnamon and MATE editions or check out the release notes for Cinnamon and MATE.

Comments (14 posted)

Announcing Tumbleweed Snapshots

The newly announced openSUSE "Tumbleweed snapshots" feature is an attempt to make rolling distributions a little easier for those who don't want to stay on the leading edge all the time. In essence, it keeps a snapshot of the state of the distribution at regular intervals and enables users to install applications from their particular snapshot. That allows the installation of new applications without the need to drag in everything else that may have changed since the system as a whole was updated. "Tumbleweed Snapshots provides the best of both worlds, the latest packages when you want them and the one package you need in the middle of working on a project."

Full Story (comments: 3)

Ubuntu 17.10: Return of the GNOME (ars technica)

Ars technica reviews the Ubuntu 17.10 release. "In light of the GNOME switch, this release seems like more of a homecoming than an entirely new voyage. But that said, Ubuntu 17.10 simultaneously feels very much like the start of a new voyage for Ubuntu. The last few Ubuntu desktop releases have been about as exciting as OpenSSH releases—you know you need to update, but beyond that, no one really cares."

Comments (6 posted)

Distribution quote of the week

Instead, I believe that Ubuntu realized its mistake wasn't just pursuing convergence, but that convergence wasn't what its users wanted. I believe that the new Canonical, the new Ubuntu, is going to listen more closely to its community. I also think that the desktop release will eventually be spun off as a community-driven product only loosely affiliated with Canonical. Shuttleworth has already said Canonical is prepping for an IPO, hence the focus on money-making uses of Ubuntu (embedded, server, etc.). If that happens, the desktop will very likely slide to the side. There's plenty of prior art here—think Fedora and Red Hat, OpenSUSE and SUSE—and that's not necessarily a bad thing. In fact, it can be good. Keeping things separate allows the desktop to develop and grow largely independent of Canonical's bottom line.
Scott Gilbertson

Comments (none posted)

Development

7 tools for analyzing performance in Linux with bcc/BPF (opensource.com)

Brendan Gregg introduces a set of BPF-based tracing tools on opensource.com. "Traditional analysis of filesystem performance focuses on block I/O statistics—what you commonly see printed by the iostat(1) tool and plotted by many performance-monitoring GUIs. Those statistics show how the disks are performing, but not really the filesystem. Often you care more about the filesystem's performance than the disks, since it's the filesystem that applications make requests to and wait for. And the performance of filesystems can be quite different from that of disks! Filesystems may serve reads entirely from memory cache and also populate that cache via a read-ahead algorithm and for write-back caching. xfsslower shows filesystem performance—what the applications directly experience."

Comments (1 posted)

Introducing container-diff, a tool for quickly comparing container images (Google Open Source Blog)

Google has announced that it has released its container-diff tool under the Apache v2 license. "container-diff helps users investigate image changes by computing semantic diffs between images. What this means is that container-diff figures out on a low-level what data changed, and then combines this with an understanding of package manager information to output this information in a format that’s actually readable to users. The tool can find differences in system packages, language-level packages, and files in a container image. Users can specify images in several formats - from local Docker daemon (using the prefix `daemon://` on the image path), a remote registry (using the prefix `remote://`), or a file in the .tar in the format exported by "docker save" command. You can also combine these formats to compute the diff between a local version of an image and a remote version."

Comments (1 posted)

Development quotes of the week

There's an old net story from the 80's, which I can't find right now, but is about two computers, 10 feet apart, having a ridiculously long network route between them, packets traveling into other states or countries and back, when they could have flowed over a short cable.

Ever since I read that, I've been collecting my own ridiculously long routes. ssh bouncing from country to country, making letters I type travel all the way around the world until they echo back on my screen. Tasting the latency that's one of the only ways we can viscerally understand just how big a tangle of wires humanity has built.

Yesterday, I surpassed all that, and I did it in a way that hearkens right back to the original story. I had two computers, 20 feet apart, I wanted one to talk to the other, and the route between the two ended up traveling not around the Earth, but almost the distance to the Moon.

[...]

  • And finally, after 178000 and change miles of data transfer, the letter I'd typed a full second ago appeared on my screen.
Not bad for a lazy solution to a problem that could have been solved by walking across the room, eh?
Joey Hess

DOS is simple, which is why it remains so common for BIOS flashing, testing, etc. Replacing that with the horrendous bloat of UEFI Shell or Python!?!? Yuck!!

tl;dr: You can pry 7c00h and INT xx from my cold, dead hands.

userbinator (Thanks to Paul Wise)

According to recent press, "Kodi boxes" can KILL.

Okay, to be specific (and perhaps a touch less alarmist), the power supplies on cheap, untested devices are often a bit on the dreadful side, and that's where a risk of things bursting into flames resides. Beyond that, we assure you that the Kodi software remains friendly, docile, free-range, and free of any killer instinct.

Prof Yaffle

Comments (1 posted)

Page editor: Jake Edge


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds