Archive for August, 2008

Researchers Develop Browser Site Verification System

Posted in News by admin on August 29th, 2008

Hackers love spying on and intercepting communication between two computers, but now researchers at Carnegie Mellon University hope the software they have created will help thwart criminals.

The free software can be downloaded for use with the increasingly popular Mozilla Firefox browser, and creates a new way for people to verify whether the site they are entering is authentic.

Most browsers already alert users to a dodgy site. The most common way is for the browser to let us know that the site has not been verified by VeriSign or GoDaddy.com. Those are two companies that sell Secure Sockets Layer certificates, which are what the little padlock in the browser’s toolbar indicates.

The problem, Carnegie Mellon researchers say, is that many people are confused about what to do when they get warnings about a bad certificate.

Some users click through, heading happily on to malicious sites that steal personal information, while others just head somewhere else.

Researchers - David Andersen, Adrian Perrig and Dan Wendlandt - created a program that performs a simple extra step. It can tap into a network of publicly accessible servers that have been programmed to ping Web sites and record changes in the encryption keys they use to secure data.

Any discrepancy can be a sign that hackers are rerouting traffic through machines under their control, a pernicious type of attack known as a “man in the middle.”

As a result, the new program either overrides the security warning if a site is deemed legitimate, or throws up another warning if the subsequent probes reveal more red flags.
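To make the decision logic concrete, here is an added toy model of the notary check described above, in Python. It is not the Carnegie Mellon researchers’ software; the notary names, observation histories, the 75% quorum and the 7-day stability requirement are constructed assumptions.

```python
"""Toy model of the notary-network check described above.

Added illustration, not the Carnegie Mellon researchers' software. Notary
names, observation histories, the 75% quorum and the 7-day stability
requirement are all constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Observation:
    """One key fingerprint a notary saw for a site, and the span it saw it over."""
    key_fingerprint: str
    first_seen: date
    last_seen: date


def notaries_agreeing(site_key, histories):
    """Notaries whose most recent probe of the site returned `site_key`."""
    agreeing = []
    for notary, observations in histories.items():
        if observations:
            latest = max(observations, key=lambda o: o.last_seen)
            if latest.key_fingerprint == site_key:
                agreeing.append(notary)
    return agreeing


def key_age_days(site_key, histories, today):
    """Longest stretch, in days, that any notary has continuously seen `site_key`
    up to today. Agreement alone is not enough: a key every notary first saw
    minutes ago could be a fresh substitution that fooled all probes at once."""
    best = 0
    for observations in histories.values():
        for o in observations:
            if o.key_fingerprint == site_key and o.last_seen >= today - timedelta(days=1):
                best = max(best, (today - o.first_seen).days)
    return best


def verdict(site_key, histories, today, quorum=0.75, min_age_days=7):
    """Decide what the browser should do with the key the user just received:
    'accept' overrides the certificate warning, 'reject' raises a stronger one,
    'warn' leaves the original warning in place for lack of evidence."""
    if not histories:
        return "warn"
    share = len(notaries_agreeing(site_key, histories)) / len(histories)
    if share >= quorum and key_age_days(site_key, histories, today) >= min_age_days:
        return "accept"
    if share == 0:
        return "reject"
    return "warn"


# Constructed histories: three notaries have seen key AA:11 for months; the
# fourth started seeing BB:22 a week ago, as a redirected path would produce.
TODAY = date(2008, 8, 29)
NOTARIES = {
    "notary-a": [Observation("AA:11", date(2008, 1, 10), TODAY)],
    "notary-b": [Observation("AA:11", date(2008, 2, 1), TODAY)],
    "notary-c": [Observation("AA:11", date(2008, 1, 10), TODAY)],
    "notary-d": [Observation("AA:11", date(2008, 1, 10), date(2008, 8, 20)),
                 Observation("BB:22", date(2008, 8, 21), TODAY)],
}

if __name__ == "__main__":
    for key in ("AA:11", "BB:22", "CC:33"):
        print(key, verdict(key, NOTARIES, TODAY))
```

A key that every notary first saw today is still only a “warn”, which is the case a real notary client has to handle when a site legitimately rotates its key.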


Linux systems Under Siege from Phalanx2

Posted in linux security by admin on August 27th, 2008

The US Computer Emergency Readiness Team is warning that attacks against Linux systems with compromised SSH keys are taking place.

The attacks use stolen SSH keys to take hold of a targeted machine and then gain root access by exploiting weaknesses in the kernel. A rootkit called Phalanx2 is then installed, which scans the system for more SSH keys. As each new SSH key is stolen, new machines become vulnerable to attack.

The CERT advisory doesn’t mention the flaw in the Debian random number generator, but that is the likely entry point for attack. The flaw caused SSL keys generated for more than a year to be so predictable that they could be guessed in a matter of hours. Debian reportedly fixed the flaw in May.

After a Linux server using a weak key is identified and rooted, it gives up the keys it uses to connect to other servers. If both the private and public parts of a key are present, attackers can potentially use it to access the servers that trust it. As well as this, attackers can identify other servers that have connected to the infected machine recently, information that could enable additional breaches.

Phalanx2 is the follow-on from a rootkit known as Phalanx. According to Packet Storm, Phalanx is a self-injecting kernel rootkit designed for the Linux 2.6 branch that hides in files, processes and sockets, and includes tools for sniffing a tty program and connecting it with a backdoor. Phalanx2 has been updated to systematically steal SSH keys.

Happily, Phalanx2 is relatively easy to detect. One tell-tale sign is a hidden directory, “/etc/khubd.p2/”, which “ls” at a command prompt fails to show. Also, the “/dev/shm/” directory could contain files used in the attack.

CERT advises that keys use strong passphrases or passwords to reduce the risk of a key being stolen.
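The two indicators above and the passphrase advice translate into a simple host check; the following is an added Python example, not a CERT or Packet Storm tool. It assumes classic PEM-format private keys (which carry a “Proc-Type: 4,ENCRYPTED” header when passphrase-protected), and takes the root path as a parameter so the checks can be exercised against a constructed scratch tree.

```python
"""Host checks for the Phalanx2 indicators named in the advisory above.

Added illustration, not a CERT or Packet Storm tool. It looks for the hidden
/etc/khubd.p2/ directory, for files in /dev/shm/, and for SSH private keys
kept without a passphrase. Paths are parameters so the checks can run
against a constructed scratch tree instead of the live system.
"""
import os
import tempfile

PEM_ENCRYPTED_HEADER = "Proc-Type: 4,ENCRYPTED"  # present in passphrase-protected PEM keys

# Constructed sample keys (not real key material): one unprotected, one protected.
UNPROTECTED_KEY = "-----BEGIN RSA PRIVATE KEY-----\nconstructedBASE64\n-----END RSA PRIVATE KEY-----\n"
PROTECTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                 "constructedBASE64\n-----END RSA PRIVATE KEY-----\n")


def hidden_directory(path):
    """True when `path` answers a direct stat but is missing from its parent's
    listing: the mismatch that filtering directory listings produces."""
    parent, name = os.path.split(path.rstrip("/"))
    try:
        listed = name in os.listdir(parent)
    except OSError:
        return False
    return os.path.exists(path) and not listed


def shm_files(shm_dir):
    """Regular files in the shared-memory directory, which is normally empty."""
    try:
        return sorted(f for f in os.listdir(shm_dir)
                      if os.path.isfile(os.path.join(shm_dir, f)))
    except OSError:
        return []


def key_is_passphrase_protected(pem_text):
    """Classic PEM private keys carry a Proc-Type ENCRYPTED header when protected."""
    return PEM_ENCRYPTED_HEADER in pem_text


def unprotected_keys(ssh_dir):
    """Private key files under `ssh_dir` that have no passphrase."""
    found = []
    try:
        names = sorted(os.listdir(ssh_dir))
    except OSError:
        return found
    for name in names:
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path) or name.endswith(".pub"):
            continue
        with open(path, errors="replace") as fh:
            head = fh.read(512)
        if "PRIVATE KEY" in head and not key_is_passphrase_protected(head):
            found.append(name)
    return found


def report(root="/"):
    """Run all three checks below `root`; the default inspects the live host."""
    return {
        "khubd_hidden": hidden_directory(os.path.join(root, "etc", "khubd.p2")),
        "shm_files": shm_files(os.path.join(root, "dev", "shm")),
        "unprotected_keys": unprotected_keys(os.path.join(root, "root", ".ssh")),
    }


def demo_tree():
    """Constructed scratch tree: one /dev/shm file, one unprotected and one protected key."""
    root = tempfile.mkdtemp()
    for sub in ("etc", "dev/shm", "root/.ssh"):
        os.makedirs(os.path.join(root, sub))
    open(os.path.join(root, "dev", "shm", "stash.tmp"), "w").close()
    for name, body in (("id_rsa", UNPROTECTED_KEY), ("backup_key", PROTECTED_KEY)):
        with open(os.path.join(root, "root", ".ssh", name), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    print(report())
```

The hidden-directory mismatch cannot be reproduced in a scratch tree without a kernel module filtering listings, so on the constructed tree that check reports False; on a live host a True there is the signal the advisory describes.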

“I’m still absolutely adamant this is a problem system administrators should have handled a long time ago,” said Bill Stearns, a security researcher and incident handler for the SANS Internet Storm Center. “It’s a really big issue. If they haven’t figured it out, someone will do it for them.”


Canonical Joins the Linux Foundation

Posted in Linux by admin on August 20th, 2008

Canonical, the commercial sponsor of the Ubuntu Linux distribution, is now a member of the Linux Foundation (LF). The non-profit organisation, which supports the accelerated growth of Linux, announced Canonical’s membership on Tuesday.

Ubuntu community members have been active participants in a variety of workgroups at LF, including the Linux Standard Base, Desktop Architects and Driver Backporting groups. As well as this, Canonical supports a range of other open source projects including Bazaar, Storm and Upstart.

Andrew Rodaway, director of marketing for Canonical, said of the announcement: “Ubuntu has a huge user base and substantial community support around the world. We think the passion these users have for Linux and the open source movement generally will be important in helping the Linux Foundation to accelerate the uptake of Linux in organizations of all size.”

According to Linux Foundation officials, with the support of Canonical, user interests for both the commercial and the community versions of Ubuntu will be represented.

Mr Rodaway noted that the LF is becoming an increasingly influential organisation in the enterprise market, and Canonical is increasing its own footprint in the same space.

“So it seemed logical for us to join the other major vendors supporting the Linux Foundation at this time,” he said.

Remarkably, despite Ubuntu’s popularity as a Linux distribution, Canonical has not been directly associated with the Linux Foundation until now.

Amanda McPherson, LF’s vice president of marketing and developer programs, said that “Even though [Canonical and Ubuntu have] been participating in our activities for the last few years, the direct association with them means we’ll have closer coordination across their organization. It also means they see enough value in what we do to financially support it.”

“We have great respect for all the other distros and the people that create and use them,” Rodaway added. “That’s a fundamental part of the Ubuntu philosophy. The many different types of distros are one of the greatest strengths of Linux over proprietary solutions, where you basically have to take what you are given.”


Microsoft’s Open XML gets ISO Approval

Posted in News by admin on August 19th, 2008

Microsoft’s Open XML (Extensible Markup Language) format has leapt over its final hurdle, and is now moving forward as an official ISO standard. The file format had been held back earlier this year by claims that the voting process was rushed and that Microsoft’s specification information was incomplete.

Open XML has finally been given approval after appeals from Brazil, India, South Africa and Venezuela failed to gain enough support from the other national standards bodies. Microsoft’s file format will now also be known as ISO/IEC DIS 29500, Information technology – Office Open XML formats.

Complaints about the Open XML format have been going on ever since Microsoft submitted its first standard proposal. Concerns escalated after it was given fast-track approval in March 2007.

At that time, the countries that were opposed to Open XML as a standard raised concerns over how the file format works, patent violations, and the overlap with Open Document Format (ODF), an alternative Office-compatible file format that had already been approved as an ISO standard.

Open XML’s approval is a significant victory for Microsoft because it allows the company to market its Office software suite to government agencies that require open file formats. The ISO will publish the DIS 29500 standard in the coming weeks.


T-Mobile and HTC to partner for Google Android?

Posted in Phone Systems by admin on August 18th, 2008

According to an article in the New York Times, T-Mobile is to partner with mobile phone manufacturer HTC to deliver the first smartphone running Google’s Android Platform.

The unnamed source said the carrier could announce the phone as early as September, but more realistically in October.

An unofficial T-Mobile blog claims the new phone, to be called the “G1,” would launch Sept. 17 to T-Mobile customers only at a price of US$150. The following week it would rise in price to $250 to $400 and be available to new T-Mobile customers.

HTC is widely expected to be the manufacturer, as the company has expressed interest and support of Android and is also a member of the Google-run Open Handset Alliance.

“As to the T-Mobile rumour, I really can’t comment - but Android has been due for some time now,” said Sean Ryan, a research analyst for IDC’s Mobile and Wireless Group.

“Q4 delivery of an Android product would make sense, and HTC does seem to be the most likely device manufacturer to deliver a first Android device,” he added.

Chris Hazelton, a research director of mobile and wireless for The 451 Group, said, “I think it’s likely.”

“HTC is good at developing UIs (user interfaces) and touch screen interfaces - and also at working with a complex operating system like Windows Mobile. I have pretty strong faith in HTC’s ability to work with Linux and Android and roll out a device that … T-Mobile, HTC, Google and the Open Handset Alliance will be happy with,” he added.

Google has not confirmed or denied the rumours about T-Mobile and HTC but it did note that the first Android-based handsets are on track for delivery in the second half of 2008.


VMware Leaves ‘Time Bomb’ in Software

Posted in Technical, linux security by admin on August 15th, 2008

A glitch in VMware’s most recent update had its customers up in arms this week. The problems were caused by a bug from the beta version of the software that engineers failed to remove, which left VMware users unable to power on virtual machines running the hypervisor software.

The bug, referred to as a “time bomb”, is code that developers insert in beta software to push users to upgrade to an application’s final version. The code is a commonly used tool for developers; however, it must be removed from anything into which it has been inserted prior to final release.

The virtualisation software maker released an “express patch” on Wednesday to fix the glitch. However, VMware customers have been left a little disgruntled, and the incident has made the company look a bit amateurish.

The way people look at VMware after the cock-up is “definitely not very good,” according to Gary Chen, a Yankee Group analyst.

“This is the most publicised issue they’ve had in their history, and it’s really the sort of embarrassing bug that never should have made it past QA (quality assurance),” he said.

In a letter posted on the company’s blog, Paul Maritz, VMware’s recently appointed chief executive officer, said: “Last night, we became aware of a code issue with the recently released update to ESX 3.5 and ESXi 3.5 (Update 2).”

According to Maritz, when the clock in a server running the updated ESX 3.5 or ESXi 3.5 software registered 12:00 a.m. on August 12, 2008, the code caused the product license to expire. As a result, powered-off virtual machines could not be turned on; those that had been suspended could not be resumed; and machines could not migrate using VMotion.

The problem has also occurred with a recent patch to ESX 3.5 or ESXi 3.5 Update 2. The company has begun a review of its QA processes, Maritz said. (Which means someone’s getting the sack.)

To VMware’s credit, it took less than 24 hours to come up with a patch that seems to have corrected the problem, said Chen.

“From what I’ve heard, the patch fixes the problem. You do have to give kudos to VMware for addressing the issue so quickly,” he noted.

Some users have turned to VMware’s Communities discussion pages to vent. “As a VMware Enterprise Partner and VMware Authorized Consultant, I can tell you this IS a big deal for VMware to release a product that has such grave consequences for even a relatively small portion of the total VMware user population,” wrote one user.

“A small percentage does not diminish the severity of the problem for affected users, and the utmost urgency is expected from a company that caters to enterprise customers who don’t have ‘downtime’ in their corporate dictionary anymore.

“Bugs happen,” the poster continued. “However, I believe this could have been prevented by not rushing an update to market which was intended to be free and compete with [Microsoft’s] Hyper V. This will no doubt teach VMware a lesson and unfortunately will cast doubt about the reliability of VMware in the enterprise. It’s a shame a clearly superior product is going to get bad publicity from this oversight. Let’s give them credit and hope they learn from their mistakes.”

Chen pointed out that most customers were glad of the quick response time from VMware: “The issue was fixed quickly, and there was lots of communication as to the status, cause and future changes to prevent another incident,” he said.

“However, some faith has been lost, as most customers I’ve talked to are disappointed that a bug like this made it past QA. Many admins have been pushing virtualisation to their executives, and this doesn’t help their case,” Chen added.

“Virtualisation is still in the emerging stages, and enterprise reliability is a huge issue that can only be proven over time,” said Chen. “Vendors have been pushing the idea that it is enterprise-ready, and an incident like this hurts not only VMware but the entire virtualisation movement. Virtualisation is inevitable and will certainly continue to proceed, but people will slow down and think more about how to protect themselves against things like this.”

“More and more people are using it, and a major incident, whether a bug or a security hack, could freeze your entire infrastructure. I think people will begin to re-evaluate their options and contingency plans for an incident like this, including perhaps diversifying their infrastructure and adopting multiple hypervisors,” Chen concluded.


Polish Education Ministry Encourages Open Source in Schools

Posted in Open Source by admin on August 14th, 2008

After a ten-month campaign by volunteers to encourage open source in schools, the Polish Ministry of National Education has recommended that schools and universities switch to open source software.

In a statement, the Ministry recommended that schools and universities use OpenOffice. It believes that the application is sufficiently mature and advanced for teaching and for office use in education and science institutes. “OpenOffice can successfully substitute proprietary applications and will result in significant savings on licenses.”

The ministry published the statement on its website just before the end of the ‘WiOO w Szkole’ (‘Free and Open Software in Schools’) campaign. The promotional tour was run by 150 volunteers of the Polish Foundation on Open Source (Fwioo).

Over the course of ten months, the volunteers visited 99 schools, mostly junior and high schools, speaking to 4,506 students in 43 villages and cities.

“During these meetings, our volunteers presented Open Source applications, answered questions and cleared up doubts. They often also helped in installing the software on the PCs in school computer labs and on school servers”, says Fwioo member Łukasz Nowicki, who began setting up the campaign at the end of the summer in 2007 in Poznan, where Fwioo was founded.

Where possible, the WiOO w Szkole campaign volunteers used local Open Source enthusiasts to assist in the promotion.

In the city of Bielsko Biała for example, all schools participated in the campaign. “We combined our visit to the city with the Free Software day, which attracted local Open Source developers and we even managed to interest university teachers and several local police officers.”

So far 30 percent of the schools visited by the volunteers have switched - at least partly - to Open Source. Most of these schools have now configured their PCs to run a GNU/Linux distribution such as Ubuntu, Suse or Mandriva, alongside Windows.

“Some school staff told us they are still considering a switch, others would use the summer vacation to, for instance, install OpenOffice, and a few schools said they would switch to Open Source when they renew their computer labs,” said Nowicki.

A good example of a school using Open Source is, according to Nowicki, High School No 15 in the city of Wrocław. “At this school teachers show students how to use Microsoft Windows, GNU/Linux and Mac OS X. This broad knowledge base lets students develop their interests without limiting them to a specific platform.”


OIN buys up Patents to protect Linux Inventions

Posted in News by admin on August 13th, 2008

A company that keeps the Linux community safe from intellectual property litigation by buying up patents will soon launch a website to help inventors file defensive publications – documents that make the details of an invention public, thus preventing others from later making patent claims on it.

“The more we can mobilize this community, the fewer patents that will actually be granted,” said Keith Bergelt, CEO of the Open Invention Network (OIN). “Whatever happens in the patent reform world in the next [U.S.] administration is great, but we have to act now to stop the granting of patents that threaten Linux and open-source in general.”

OIN will reveal more details about the site over the coming weeks. Bergelt described it as “a production environment where we educate and train people to do this. We’ll work with them to make sure it’s put in a form that is acceptable.”

With backing from Google, Sony, Novell, IBM, Philips, Red Hat, NEC, Alfresco and Oracle among the licensees, the effort will serve as a counterpart to OIN’s existing strategy, under which it provides royalty-free patents to companies in exchange for a commitment that they won’t assert their patents against the Linux system.

OIN generally acquires patents tied to areas like virtualisation and networking. “Those are kind of the key areas to Linux as it moves forward,” Bergelt said.

He did not reveal quite how much money OIN has on hand but said that it is in the hundreds of millions of dollars and that the organisation will “continue to buy at a brisk pace.”


Lindependence Day 2008: One Tiny Punch to Microsoft’s Vast Jaw

Posted in News by admin on August 12th, 2008

One small town in the US has started an anti-Windows revolution that comes hot on the heels of Independence Day: the cunningly titled “Lindependence Day”.

On July 28th “a significant percentage” of the town of Felton, Calif., declared independence from Microsoft’s stranglehold on the world, and are going Redmond-free “for one week…maybe an entire month.” But, its organisers say, “If things go right, we can start talking about forever.”

It’s quite outstanding that the world’s media didn’t pick this up. Lindependence Day was preceded by three weeks of “installfests” to give Felton residents a chance to look at the other options provided by Linux-based systems. LiveCDs and bootable thumb drives – “dual booting for the more daring residents” – were among the technologies covered.

Representatives from distros and FOSS (free open source software) programs were there to answer questions and give tutorials on how to use the software, with support from Mandriva, Fedora, Debian, Ubuntu, AntiX, Wolvix, OpenOffice.org and CodeWeavers.

No word yet on how many of Felton’s 6,000 or so residents participated, but “I expect that most of the people who participate in this project will continue to stay ‘proprietary free’ after the week is over, because they will discover what we already know: Linux, FOSS and the freedom to choose in our digital pursuits far outweigh the digital hegemony provided by the digital mandarins in Redmond and Cupertino,” wrote Larry Cafiero of HeliOS Solutions West, one of the project’s organizers, on the Ubuntu Forums.

Brilliantly, the trend seems to be spreading, with reports that similar initiatives are coming in Boulder Creek, Calif.; Portland, Ore.; Taos, N.M.; and even Italy, where 100 towns will participate, according to a Lindependence blog.

“The Lindependence events are a good thing since they help overcome one of Microsoft’s biggest advantages: inertia,” said Gerhard Mack, a Montreal-based consultant and Slashdot blogger.

“If not for the event, people would just continue using Microsoft products because that’s what they have always been using, and they would be afraid to try something new on their own,” Mack said.


Linuxstamp makes its debut

Posted in Technical by admin on August 11th, 2008

Embedded designer Paul Thomas is showcasing a tiny, open source computer at Linuxworld in San Francisco this week. “Linuxstamp” enthusiasts can obtain pre-built boards for $120 directly from the designer himself, or they can download the design and build it themselves for free.

The board consists of six integrated circuits: processor, flash, RAM, serial-to-USB converter, Ethernet PHY and power converter, plus a few passive components.

Thomas demonstrated the capabilities of the Linuxstamp in the “Garage” area of Linuxworld. He showed a home-made robotic car, which was made with Lego, and moved around by wheels controlled by the stamp.

The Linuxstamp’s features include:

Atmel AT91RM9200 processor (ARM9 core, includes MMU)
32MB SDRAM
8MB SPI flash memory
10/100 Ethernet (supplied by the Atmel processor)
USB host port (supplied by the Atmel processor)
USB device port (generated by a serial/USB converter)
SD card slot
USB debug port (via the USB device port)
JTAG port
Can be powered via POE

Thomas tried to ensure the design remained simple so as to allow for a two-layer PCB design, which reduces cost and encourages homebrew construction.

With the inclusion of a USB-based serial debug port, implemented via a serial/USB converter chip, users won’t need to use the board’s JTAG debug port, according to Thomas.

Initialisation of the board’s low-level bootstrap loader is simple, Thomas said. The Atmel processor includes an innovative, built-in hardware bootstrap function that automatically attempts to load the onboard SPI flash via the serial debug port when a newly built board powers up for the first time.

The Linuxstamp runs Linux, with two distributions currently available: a minimal filesystem that boots and runs entirely from within the Linuxstamp’s 8MB flash and 32MB RAM; and a Debian-based filesystem that requires an SD card to supplement the board’s on-board flash.

In addition to the Linux kernel, the minimal filesystem includes BusyBox and Dropbear SSH among other basic system functions. The minimal system allocates about 2MB of the 8MB available flash to Linux and the boot-loaders, with the rest for the filesystem, according to Thomas.
