Sunday Morning Linux Review
Mat Enders and Tony Bemus
Intro Sound bite by Mike Tanner
Kernel News: Mat
Latest RC release is 3.2-rc5 released on Friday 12/9 at 6pm Eastern standard time.
It has been slightly over a week since the last rc release. And rc5 is bigger in number of commits. Many of the commits are small, so it is possible that the *diff* will be smaller than both -rc2 and -rc4 were.
A big part of this release is that Ingo is back, and had a backlog. That isn’t enough to explain it all. There were xfs and btrfs changes, along with network updates, and the usual 50% random driver updates.
Greg KH announced the release of the 184.108.40.206, 3.0.13, and 3.1.5 stable kernels 12/9.
The 220.127.116.11 kernel had 28 files changed, 164 insertions, and 54 deletions.
The 3.0.13 kernel had 93 files changed, 659 insertions, and 201 deletions.
The 3.1.5 kernel had 135 files changed, 1170 insertions, and 471 deletions.
Kernel Quote of The Week:
Hey Linus stop working on Subsurface, The Scuba Diving Log that doesn’t suck, during the week so you can get the latest RC out before 6pm eastern time so it is easier for me to do these updates. (insert appropriate smiley here)
Distro News: Tony
- 12-10 – Semplice Linux 2.0 RC1 –
- 12-10 – KahelOS 111111 –
- 12-10 – CentOS 6.1 –
- 12-06 – Red Hat Enterprise Linux 6.2 –
- 12-06 – Ultimate Edition 3.0 –
- 11-06 – TurnKey Linux 11.3 –
- 11-06 – Ubuntu Privacy Remix 10.04r2 –
Distro of the Week: Tony
- Debian – 1367
- Fedora – 1427
- Ultimate – 1742
- Ubuntu – 1977
- Mint – 4115
jQuery Tells The Real Story About Plugin Site, or Why You Should Have a Backup More Recent Than a Year Old
The jQuery plugins site devolopers have finaly told the real story, in a blog posting. The plugins site went down about a week ago with just this message: “The plugins site is currently unavailable. We’ve been looking to provide a higher-quality, spam-free expierence at the plugins site for some time and we have decided to temporarily shutter the existing site. We will be providing more details on the new plugins site soon, so that plugin authors can hit the ground running with our new submission process.” What really happened was, in an attempt to clean up the spam using Drupal Views Bulk Operations, all of the plugins were deleted. And the only backup was a year old. The developers asked for forgiveness and some help in developing a completely new plugins site. The plugins site needed renovations for quite some time. Due to the spam issue and because of how plugins were manged through the CMS that was cluttered and awkward. They were planning on replacing the site when events caused an imdeiate need. When I say events I mean the accidental deletion and lack of backup was the impetus to move those plans into action. jQuery plugin developers should create a GitHub presence, even if they just mirror their existing source code management. The new site still being developed on github.com/jquery/plugins.jquery.com/ and there is currently no date for its launch.
Download.com accused of wrapping nmap in a “trojan installer”
Nmaps author says CBS Interactive and CNET’s Download.com are wrapping the open source application in a proprietary installer. In the past, they have never altered the application downloads they serve up, they have been changing that over the last six months. Gordon “Fyodor” Lyon, lays out his issues in a posting to the Nmap Hackers mailing list. He claims the installer does thing like install the ‘StartNow’ toolbar”, makes Bing the default search engine, and then sets the users home page to MSN. This is how a “trojan installer” functions. If the installer is seperated from the download and sent to VirusTotal it shows that ten of the 42 scanners, they run it against, identify it as a trojan or adware installer. Also the Nmap trademark is displayed next to offers to install software, as if the Nmap organization supports these products. As Nmap is not under the plain GPL but under an enhanced version that specifically prohibits aggregation into a proprietary executable installer.
Download.com initially claimed its scheme is simple for developers to opt-out of. The opt out is not automatic though. Download.com says “all opt-out requests are carefully reviewed on a case by case basis.” Lyon is looking for a US copyright attorney and wants to get the word to the hundreds of users who use Download.com every week to download Nmap.
CBS’s Download.com site has been called out for this type of behaviour before. In August, ExtremeTech claimed similar behaviour with the media player VLC. According to an FAQ from CBS this installer software was rolled out in July.
After the fecal matter hit the fan on this Download.COM back pedaled in a big way. In a statement, Sean Murphy, the Vice President and General Manager of Download.com said, “The bundling of this software was a mistake on our part and we apologize to the user and developer communities for the unrest it caused.” Then adding that they had “reviewed all open source files in our catalog to ensure none are being bundled”.
Lyon posted an update, stating that Microsoft had been in contact with him and claimed they “didn’t know they were sponsoring CNET to trojan open source software”. Microsoft also stated that they had stopped the practice, which seems odd since they said that they were unaware that it was happening. So now the Download.com installer changed to install the “Babylon toolbar” which did different search engine redirection. CNET then later removed that and is now installing its own “techtracker” tool for updating downloaded software. However they are also restoring the “Direct download link” which allows users to download files without having to download the “download manager”.
Who knows if these changes will quell the controversey. The changes only affect open source software and the proprietary freeware and trial software on Download.com will still have the Download.com Installer packaging. A number of open source programs at Download.COM still had an installer wrapping them. There has been no general apology for bundling GPL software with closed source installers.
Researchers at Google Have Proposed s Fix to The SSL Dilemma
Google researchers Adam Langley and Ben Laurie have proposed a new method for ensuring the trustworthiness of the public key infrastructure (PKI) underpinning HTTPS. Thier idea is based on a public list of all certificates ever issued by certificate authorities. The two problems with how the current system works are. First, if an attacker can comprimise any of the more than 100 certificate authorities and aquire a certificate for a server such as amazon.com, end users would not be able to tell the fraudulant site from the real one. Second, the way the system currently works Amazon would not be able to detect the fraud either.
Langley and Laurie believe that a public list would mitigate both problems. Whenever a website offered up a certificate, the browser would check the supplied certificate against one of these public lists. If the browser did not find the certificate on any of the lists, the site would be treated as untrusted. Companies would then be able to check these lists regularly, to locate any fraudulent certificates. Which means that even if a criminal was able to obtain a fake certificate, they could not use it efectively. Merkle signature trees would be used to maintain the integrity of the lists.
The proposals might not be implemented and, if it is, noone knows over what sort of timescale. There are also other alternatives being proposed like Firefoxs’ extension Convergence being pursued by security expert Moxie Marlinspike.
Android’s Revenge on Apple’s iPhone & iPad
Could Apple be regretting its world-wide war on Android? A German court issued a preliminary injunction on Motorola’s behalf that prevents European sales of all Apple’s 3G-enabled devices. Android-power Motorola Mobility, soon to be a part of Google, used a patent to thwart the competition. Apple has been using design and software patents in order to attack Android world wide. So I don’t think this could have happened to a nicer company.
Regretably the patent being used, Method for performing a countdown function during a mobile-originated transfer for a packet radio system, is an excellent example of brain dead software patents. Almost as bad as Apple trying to block anybody from creating a rectangular phone or tablet as it would infringe on thier “unique” design. Thing like this sadly are not unusual but equate to little more than Intelectual Property (IP) blackmail. Just check out U.S. Patent No. 6,359,898 and its European Union equivalent, EP1010336 (B1) ? 2003-03-19. They basicly describe performing a countdown over a 3G connection. You know lik, “Ten seconds to complete your download, three, two, one, download complete.” Oh, obviously an original idea indeed.
So you say why is a countdown mechanism so essential that a court would rule that Apple would be in violation and unable to sell thier products in Europe. Well so does Apple which is why they have appealled using a Fair, Reasonable, and Non-Discriminatory (FRAND) defense. [Tony this is a link to a PDF that explains a frand defense please embed it https://www.ucl.ac.uk/laws/jevons/papers/colloquium_2007/jevons07_glader.pdf] This defenses core argument is that this feature is not an essential component to 3G mobile telephony. I and I also assume you all understand that, but the German court wasn’t going for it.
So this will go on for a while in the court system with suit and counter suit. And in the end it will only delay the sale of Apple products in the EU. But another side effect is that no matter where you buy your smartphone it will cost you more because thes kinds of court battles do not come cheap. I have a suggestion to all of these patent mongers and trolls, knock it off and just compete in the market place instead of the court room.
Get top-quality open source security tools in one distro
If you could have just one toolkit for network security, which one would you choose? I mean the one toolkit that had all of the functionality you needed for securing, analyzing, monitoring, and validating your network. Would it be BackTrack, Deft, or Helix? Well I have used two of those and I have found a distro that I think kicks thier ass. After you have checked out Network Security Toolkit (NST), I believe that you will choose it also.
This live DVD is based on Fedora. NST was designed to bring you easy access to the best Open Source Network Security Applications. It should run on most x86/x86_64 platforms. The intent of this distrobution is to provide network security administrators with a complete set of tools. Most of the tools in INSECURE.ORGs Top 100 Security Tools are in this kit. An advanced Web User Interface (WUI) is provided for system administration, navigation, automation, geolocation and configuration for many of the network and security applications in distribution.
Here are some of the tools that come with NST:
Aircrack NG: A wireless sniffer and WEP/WPA-PSK key cracker
Airsnort: A wireless LAN (WLAN) tool that recovers encryption keys.
Amap: A next-generation scanning tool that identifies applications and services even if they are not listening on the default port by creating a bogus communication and analyzing the responses.
Argus/Argus-Clients/Argus-Monitor: An audit record generation and utilization system
Arp-Scan: A scanning and fingerprinting tool
Arpwatch: Network monitoring tools for tracking IP addresses on a network.
Awstats: Advanced Web statistics
Bandwidthd: Tracks network usage and builds HTML and graphs
Beecrypt: An open source cryptography library
Bit-twist: A simple yet powerful libpcap-based Ethernet packet generator
BlackOwlMIBBrowser: A Visual SNMP MIB browser with MIB variable graphing.
Cadaver: A command-line WebDAV client
CheckDNS: A Domain Name Server analysis and reporting tool
Chkrootkit: A tool to locally check for signs of a rootkit
Conntrack-tools: Tools to manipulate netfilter connection tracking table
DNScap: A DNS traffic capture utility
DNSenum: The tool gathers as much information as possible about a domain.
DNSmap: A network tool that performs brute force search/query of domains.
DNSwalk: A DNS debugger
Dsniff: Tools for network auditing and penetration testing.
Etherape: A graphical network viewer modeled after etherman.
Firewalk: Active reconnaissance network security tool.
Foremost: Recover files by carving them from a raw disk.
Freeradius: A high-performance and highly configurable free RADIUS server
Fwbuilder: A firewall builder
Geoclue: A modular geoinformation service
GPGme: GnuPG Made Easy — a high level crypto API
Greenbone-Security-Assistant: A Web-based interface to the Open Vulnerability Assessment Scanner
GSD: A desktop (GUI) interface to the Open Vulnerability Assessment Scanner
Honeyd: A honeypot daemon
Hunt: A tool for demonstrating well-known weaknesses in the TCP/IP protocol suite.
Kismet: Kismet is an 802.11 layer2 wireless network detector, sniffer, and IDS.
Mbrowse: A GUI SNMP MIB browser
Nagios: Nagios monitors hosts and services and yells if something breaks.
NBTScan: A tool to gather NetBIOS info from Windows networks.
Netmask: A utility for determining network masks.
Netwag: The GUI for the network toolbox Netwox
Nload: Monitor network traffic and bandwidth usage in real-time.
Wireshark: A network protocol analyzer
Installing NST is as simple and easy as any other major Linux distribution out there today. After downloading the DVD image burn it out to disk, then pop it in and and boot up. You can choose to either boot into console or graphical mode, recommend the graphical mode even though it is GNOME 3. If your hardware will not support GNOME 3 you can opt to fall back on Classic GNOME. After bootup you will see the default live user enter the password nst2003 and let the desktop load. Once the desktop has fully loaded you can either take it for a test drive or jump right into the install. In order to install it you have to go to Applications > System Tools > Install NST To Hard Drive. If you have installed any Linux distribution before you will find no surprises here. When the installation is complete, or the live version is up and running, you can start experimenting with the tools. There are hundreds of available tools here to help you monitor, secure, analyze, and do practicly anything else on your network.
Carrier IQ [...] has been hit with two class-action lawsuits from users worried about how the company’s software tracks their smartphone activity. Carrier IQ, of course, professes its innocence. But the company has also received some public support from security researchers who say Carrier IQ’s software is only tracking diagnostic information and likely is not violating user privacy.
The Software Freedom Law Center has filed a request with the US Librarian of Congress for a DMCA exception that would allow users to freely decide what software they can install and uninstall on devices they own.
Arduino 1.0 Released
A long time coming, this release brings small but important changes to clean up the Arduino environment and language – as well as adding lots of additional features. Updates to the environment include a new file extension, toolbar icons, and color scheme as well as a progress bar on compilation and upload. The language changes include modifications to the Serial class, addition of DHCP and DNS support to the Ethernet library, a new SoftwareSerial library, multi-file support in the SD library, modifications to the Wire library and UDP class, etc.
Gnome Shell Extensions Website Launched
The site, which is primarily provided for GNOME 3.2 users, only works in Firefox presently. Support for additional browsers is planned. Amongst the extensions already on offer are an old school ‘GNOME Applications Menu’, ‘Frippery Bottom Panel’ (which adds a window switcher panel to the bottom of the screen), and a ‘Places Status Indicator‘.