Linux

Larry Finger made Linux wireless work and brought others along to learn

larry finger, Linux, Linux kernel, linux kernel mailing list, Tech, wi-fi, wireless / Ari B / June 24, 2024

Linux kernel —

Remembering Finger, 84, who learned as he went and left his mark on many.

Kevin Purdy – Jun 24, 2024 7: 21 pm UTC

Laptop showing a Wi-Fi signal icon amidst an outdoor scene with a coffee cup nearby. — Aurich Lawson | Getty Images

Linux and its code are made by people, and people are not with us forever. Over the weekend, a brief message on the Linux kernel mailing list reminded people of just how much one person can mean to a seemingly gargantuan project like Linux, and how quickly they can disappear:

Denise Finger, wife of the deceased, wrote to the Linux Wireless list on Friday evening:

This is to notify you that Larry Finger, one of your developers, passed away on June 21st.

LWN.net reckons that Finger, 84, contributed to 94 Linux kernel releases, or 1,464 commits total, at least since kernel 2.6.16 in 2006 (and when the kernel started using git to track changes). Given the sometimes precarious nature of contributing to the kernel, this is on its own an impressive achievement—especially for someone with no formal computer training, and who considered himself a scientist.

The deepest of trenches: Linux Wi-Fi in the 2000s

That kind of effort is worth celebrating, regardless. But it’s the space that Finger devoted himself to that makes him a notably patient, productive contributor.

Getting Wi-Fi to work on a device running Linux back when Finger started contributing was awful. The chances of your hardware being recognized, activated, and working properly right after install was akin to getting a straight flush in poker. If nobody had gotten around to your wireless chipset yet, you used NDISwrapper, a Windows-interfacing kludge tool that simultaneously made your Linux install less open and yet still painful to install and maintain.

Finger started fixing this with work on Broadcom’s BCM43XX drivers. Broadcom provided no code for its gear, so Finger helped reverse-engineer the necessary specs by manually dumping and reading hardware registers. Along with Broadcom drivers, Finger also provided Realtek drivers. Many commenters across blogs and message boards are noting that their systems are still using pieces of Finger’s code today.

Fixing mainframes, science gear, and RV resorts

Larry Finger, and fish, from his Quora profile.

Quora

Finger doesn’t have a large footprint on the web, outside of his hundreds of kernel commits. He has a page for DRAWxtl, for producing crystal-structure drawings, on his personal domain, but not a general personal page. He sometimes answered Quora questions. He had a GitHub profile, showing more than 100 contributions to projects in 2024.

Perhaps the biggest insight into Finger found in one place is a three-part series for Linux Journal, “Linux in a Windows Workstation Environment,” written in 2005, when he was roughly 65. He summarizes his background: Fortran programmer in 1963, PDP-11 interfaces to scientific instruments in the 1970s, VAX-11/780 work in the early 1980s, and then Unix/Linux systems, until retiring from the Carnegie Institution for Science in Washington, DC, in 1999. The mineral Fingerite is named for Finger, whose work in crystallography took him on a fellowship to northern Bavaria, as noted in one Quora answer about the Autobahn.

“At that time, I became a full-time RV resident, dedicated to the avoidance of cold weather,” Finger writes. He and his wife Denise arrived that year at a 55-plus RV community in Mesa, Arizona. He joined the computer club, which had a growing number of Windows PCs sharing a DSL connection through one of the systems running WinGate. A new RV resort owner wanted to expand to 22 workstations, but WinGate licenses for that many would have been expensive for the club. Finger, who was “highly distrustful of using Windows 98 in a mission-critical role,” set to work.

Finger goes on across the series to describe the various ways he upgraded the routing and server capacity of the network, which grew to 38 user stations, Samba shares, a membership database, VPN tunnels, several free RJ-45 ports, and “free Wi-Fi access… throughout the park.”

Passing it along

Enlarge / Larry Finger, from his obituary page.

Hixson-Klein Funeral Home

Lots of people have commented on the broad work Finger did to make Linux usable for more people. A few mention that Finger also mentored people, the kind of work that has exponential effects. “MB” wrote on LWN.net that Finger “mentored other people to get the Broadcom Open Source code into kernel. And I think it was a huge success. And that was only a small part of Larry’s success story.”

In a 2023 Quora response to someone asking if someone without “any formal training in computer science” can “contribute something substantial” to Linux, Finger writes, “I think that I have.” Finger links to the stats for the 6.4 kernel, showing 172,346 lines of his code in it, roughly 0.5% of the total.

I have never taken any courses in Computer Science; however, I have considerable experience in coding, much of which happened when computers were a lot less powerful than today, and it was critical to write code that ran efficiently.

Finger suggests in his response small patches, deep reading of the guidelines, and always using git’s send-email to send patches: “Nothing will get shot down more quickly than a patch submitted from a mailer such as Thunderbird.” Finding typos and errors in comments and text strings can help, especially after translation. Finger advises being patient, expecting criticism about following rules and formats, and to keep plugging away at it.

In another Quora response about kernel driver development, Finger says, “This activity can be highly rewarding, and also equally frustrating!” You should learn C, Finger suggested, and maybe start with analyzing USB drivers, and take your time learning about DMA.

“Do not lose hope,” Finger wrote. “It took me about 2 years before I could do anything more than tell the experts where my system was generating a fault.”

Larry Finger made Linux wireless work and brought others along to learn Read More »

40 years later, X Window System is far more relevant than anyone could guess

astrophysics, dumb terminal, Linux, Sun microsystems, Tech, UNIX, VAX, Wayland, X, x window system, x11, zaphod / Ari B / June 21, 2024

Widely but improperly known as X-windows —

One astrophysics professor’s memories of writing X11 code in the 1980s.

Kevin Purdy – Jun 21, 2024 7: 47 pm UTC

low angle view of Office Buildings in Hong Kong from below, with the sky visible through an X-like cross — Getty Images

Often times, when I am researching something about computers or coding that has been around a very long while, I will come across a document on a university website that tells me more about that thing than any Wikipedia page or archive ever could.

It’s usually a PDF, though sometimes a plaintext file, on a .edu subdirectory that starts with a username preceded by a tilde (~) character. This is typically a document that a professor, faced with the same questions semester after semester, has put together to save the most time possible and get back to their work. I recently found such a document inside Princeton University’s astrophysics department: “An Introduction to the X Window System,” written by Robert Lupton.

X Window System, which turned 40 years old earlier this week, was something you had to know how to use to work with space-facing instruments back in the early 1980s, when VT100s, VAX-11/750s, and Sun Microsystems boxes would share space at college computer labs. As the member of the AstroPhysical Sciences Department at Princeton who knew the most about computers back then, it fell to Lupton to fix things and take questions.

“I first wrote X10r4 server code, which eventually became X11,” Lupton said in a phone interview. “Anything that needed graphics code, where you’d want a button or some kind of display for something, that was X… People would probably bug me when I was trying to get work done down in the basement, so I probably wrote this for that reason.”

Where X came from (after W)

Robert W. Scheifler and Jim Gettys at MIT spent “the last couple weeks writing a window system for the VS100” back in 1984. As part of Project Athena‘s goals to create campus-wide computing with distributed resources and multiple hardware platforms, X fit the bill, being independent of platforms and vendors and able to call on remote resources. Scheifler “stole a fair amount of code from W,” made its interface asynchronous and thereby much faster, and “called it X” (back when that was still a cool thing to do).

That kind of cross-platform compatibility made X work for Princeton, and thereby Lupton. He notes in his guide that X provides “tools not rules,” which allows for “a very large number of confusing guises.” After explaining the three-part nature of X—the server, the clients, and the window manager—he goes on to provide some tips:

Modifier keys are key to X; “this sensitivity extends to things like mouse buttons that you might not normally think of as case-sensitive.”
“To start X, type xinit; do not type X unless you have defined an alias. X by itself starts the server but no clients, resulting in an empty screen.”
“All programmes running under X are equal, but one, the window manager, is more equal.”
Using the “--zaphod” flag prevents a mouse from going into a screen you can’t see; “Someone should be able to explain the etymology to you” (link mine).
“If you say kill 5 -9 12345 you will be sorry as the console will appear hopelessly confused. Return to your other terminal, say kbd mode -a, and make a note not to use -9 without due reason.”

I asked Lupton, whom I caught on the last day before he headed to Chile to help with a very big telescope, how he felt about X, 40 years later. Why had it survived?

“It worked, at least relative to the other options we had,” Lupton said. He noted that Princeton’s systems were not “heavily networked in those days,” such that the network traffic issues some had with X weren’t an issue then. “People weren’t expecting a lot of GUIs, either; they were expecting command lines, maybe a few buttons… it was the most portable version of a window system, running on both a VAX and the Suns at the time… it wasn’t bad.”

40 years later, X Window System is far more relevant than anyone could guess Read More »

Federal agency warns critical Linux vulnerability being actively exploited

Biz & IT, cve-2024-1086, kernel, Linux, Security, vulnerability / Ari B / May 31, 2024

NETFILTER FLAW —

Cybersecurity and Infrastructure Security Agency urges affected users to update ASAP.

Dan Goodin – May 31, 2024 5: 38 pm UTC

The US Cybersecurity and Infrastructure Security Agency has added a critical security bug in Linux to its list of vulnerabilities known to be actively exploited in the wild.

The vulnerability, tracked as CVE-2024-1086 and carrying a severity rating of 7.8 out of a possible 10, allows people who have already gained a foothold inside an affected system to escalate their system privileges. It’s the result of a use-after-free error, a class of vulnerability that occurs in software written in the C and C++ languages when a process continues to access a memory location after it has been freed or deallocated. Use-after-free vulnerabilities can result in remote code or privilege escalation.

The vulnerability, which affects Linux kernel versions 5.14 through 6.6, resides in the NF_tables, a kernel component enabling the Netfilter, which in turn facilitates a variety of network operations, including packet filtering, network address [and port] translation (NA[P]T), packet logging, userspace packet queueing, and other packet mangling. It was patched in January, but as the CISA advisory indicates, some production systems have yet to install it. At the time this Ars post went live, there were no known details about the active exploitation.

A deep-dive write-up of the vulnerability reveals that these exploits provide “a very powerful double-free primitive when the correct code paths are hit.” Double-free vulnerabilities are a subclass of use-after-free errors that occur when the free() function for freeing memory is called more than once for the same location. The write-up lists multiple ways to exploit the vulnerability, along with code for doing so.

The double-free error is the result of a failure to achieve input sanitization in netfilter verdicts when nf_tables and unprivileged user namespaces are enabled. Some of the most effective exploitation techniques allow for arbitrary code execution in the kernel and can be fashioned to drop a universal root shell.

The author offered the following graphic providing a conceptual illustration:

CISA has given federal agencies under its authority until June 20 to issue a patch. The agency is urging all organizations that have yet to apply an update to do so as soon as possible.

Federal agency warns critical Linux vulnerability being actively exploited Read More »

Linux maintainers were infected for 2 years by SSH-dwelling backdoor with huge reach

Biz & IT, ebury, Linux, openssh, secure shell, Security, SSH, Uncategorized / Ryan Harris / May 15, 2024

ONGOING LINUX THREAT —

Ebury backdoors SSH servers in hosting providers, giving the malware extraordinary reach.

Dan Goodin – May 15, 2024 4: 56 pm UTC

A cartoon door leads to a wall of computer code.

Infrastructure used to maintain and distribute the Linux operating system kernel was infected for two years, starting in 2009, by sophisticated malware that managed to get a hold of one of the developers’ most closely guarded resources: the /etc/shadow files that stored encrypted password data for more than 550 system users, researchers said Tuesday.

The unknown attackers behind the compromise infected at least four servers inside kernel.org, the Internet domain underpinning the sprawling Linux development and distribution network, the researchers from security firm ESET said. After obtaining the cryptographic hashes for 551 user accounts on the network, the attackers were able to convert half into plaintext passwords, likely through password-cracking techniques and the use of an advanced credential-stealing feature built into the malware. From there, the attackers used the servers to send spam and carry out other nefarious activities. The four servers were likely infected and disinfected at different times, with the last two being remediated at some point in 2011.

Stealing kernel.org’s keys to the kingdom

An infection of kernel.org came to light in 2011, when kernel maintainers revealed that 448 accounts had been compromised after attackers had somehow managed to gain unfettered, or “root,” system access to servers connected to the domain. Maintainers reneged on a promise to provide an autopsy of the hack, a decision that has limited the public’s understanding of the incident.

Besides revealing the number of compromised user accounts, representatives of the Linux Kernel Organization provided no details other than saying that the infection:

Occurred no later than August 12, 2011, and wasn’t detected for another 17 days
Installed an off-the-shelf rootkit known as Phalanx on multiple servers and personal devices belonging to a senior Linux developer
Modified the files that both servers and end user devices inside the network used to connect through OpenSSH, an implementation of the SSH protocol for securing remote connections.

In 2014, ESET researchers said the 2011 attack likely infected kernel.org servers with a second piece of malware they called Ebury. The malware, the firm said, came in the form of a malicious code library that, when installed, created a backdoor in OpenSSH that provided the attackers with a remote root shell on infected hosts with no valid password required. In a little less than 22 months, starting in August 2011, Ebury spread to 25,000 servers. Besides the four belonging to the Linux Kernel Organization, the infection also touched one or more servers inside hosting facilities and an unnamed domain registrar and web hosting provider.

A 47-page report summarizing Ebury’s 15-year history said that the infection hitting the kernel.org network began in 2009, two years earlier than the domain was previously thought to have been compromised. The report said that since 2009, the OpenSSH-dwelling malware has infected more than 400,000 servers, all running Linux except for about 400 FreeBSD servers, a dozen OpenBSD and SunOS servers, and at least one Mac.

Researcher Marc-Etienne M. Léveillé wrote:

In our 2014 paper, we mentioned that there was evidence that kernel.org, hosting the source code of the Linux kernel, had been a victim of Ebury. Data now at our disposal reveals additional details about the incident. Ebury had been installed on at least four servers belonging to the Linux Foundation between 2009 and 2011. It seems these servers acted as mail servers, name servers, mirrors, and source code repositories at the time of the compromise. We cannot tell for sure when Ebury was removed from each of the servers, but since it was discovered in 2011 it is likely that two of the servers were compromised for as long as two years, one for one year and the other for six months.

The perpetrator also had copies of the /etc/shadow files, which overall contained 551 unique username and hashed password pairs. The cleartext passwords for 275 of those users (50%) are in possession of the attackers. We believe that the cleartext passwords were obtained by using the installed Ebury credential stealer, and by brute force.

The researcher said in an email that the Ebury and Phalanx infections appear to be separate compromises by two unrelated threat groups. Representatives of the Linux Kernel Organization didn’t respond to emails asking if they were aware of the ESET report or if its claims were accurate. There is no indication that either infection resulted in tampering with the Linux kernel source code.

Linux maintainers were infected for 2 years by SSH-dwelling backdoor with huge reach Read More »

Ubuntu 24.04 LTS, Noble Numbat, overhauls its installation and app experience

Linux, Tech, Ubuntu, ubuntu 24.04, xz utils / Blake Jones / April 26, 2024

Ubuntu 24.04 —

Plus Raspberry Pi 5 support, better laptop power, and lots of other changes.

Kevin Purdy – Apr 25, 2024 6: 59 pm UTC

Ubuntu desktop running on a laptop on a 3D-rendered desktop, with white polygonal coffee mug and picture frame nearby. — Enlarge / Ubuntu has come a long way over nearly 20 years, to the point where you can now render 3D Ubuntu coffee mugs and family pictures in a video announcing the 2024 spring release.

Canonical

History might consider the most important aspect of Ubuntu 24.04 to be something that it doesn’t have: vulnerabilities to the XZ backdoor that nearly took over the global Linux scene.

Betas, and the final release of Ubuntu 24.04, a long-term support (LTS) release of the venerable Linux distribution, were delayed, as backing firm Canonical worked in early April 2024 to rebuild every binary included in the release. xz Utils, an almost ubiquitous data-compression package on Unix-like systems, had been compromised through a long-term and elaborate supply-chain attack, discovered only because a Microsoft engineer noted some oddities with SSH performance on a Debian system. Ubuntu, along with just about every other regularly updating software platform, had a lot of work to do this month.

Canonical’s Ubuntu 24.04 release video, noting 20 years of Ubuntu releases. I always liked the brown.

What is actually new in Ubuntu 24.04, or “Noble Numbat?” Quite a bit, especially if you’re the type who sticks to LTS releases. The big new changes are a very slick new installer, using the same Subiquity back-end as the Server releases, and redesigned with a whole new front-end in Flutter. ZFS encryption is back as a default install option, along with hardware-backed (i.e., TPM) full-disk encryption, plus more guidance for people looking to dual-boot with Windows setups and BitLocker. Netplan 1.0 is the default network configuration tool now. And the default installation is “Minimal,” as introduced in 23.10.

The numbat is an <a href= — Enlarge / The numbat is an endangered species, and I think we should save it.

Getty Images

Raspberry Pi gets some attention, too, with an edition of 24.04 (64-bit only) available for the popular single-board computer, including the now-supported Raspberry Pi 5 model. That edition includes power supply utility Pemmican and enables 3D acceleration in the Firefox Snap. Ubuntu also tweaked the GNOME (version 46) desktop included in this release, such that it should see better performance on Raspberry Pi graphics drivers.

What else? Lots of little things:

Support for autoinstall, i.e., YAML-based installation workflows
A separate, less background-memory-eating firmware updating tool
Additional support for Group Policy Objects (GPOs) in Active Directory environments
Security improvements to Personal Package Archives (PPA) software setups
Restrictions to unprivileged user namespace through apparmor, which may impact some third-party apps downloaded from the web
A new Ubuntu App Center, replacing the Snap Store that defaults to Snaps but still offers traditional .deb installs (and numerous angles of critique for Snap partisans)
Firefox is a native Wayland application, and Thunderbird is a Snap package only
More fingerprint reader support
Improved Power Profiles Manager, especially for portable AMD devices
Support for Apple’s preferred HEIF/HEIC files, with thumbnail previews
Snapshot replaces Cheese, and GNOME games has been removed
Virtual memory mapping changes that make many modern games run better through Proton, per OMG Ubuntu
Linux kernel 6.8, which, among other things, improves Intel Meteor Lake CPU performance and supports Nintendo Switch Online controllers.

The suggested system requirements for Ubuntu 24.04 are a 2 GHz dual-core processor, 4GB memory, and 25GB free storage space. There is a dedicated WSL edition of 24.04 out for Windows systems.

Listing image by Getty Images

Ubuntu 24.04 LTS, Noble Numbat, overhauls its installation and app experience Read More »

Linus Torvalds reiterates his tabs-versus-spaces stance with a kernel trap

Biz & IT, coding style, Linus Torvalds, Linux, Linux kernel, linux kernel mailing list, tab vs space, tabs versus spaces, Tech / Mike M. / April 17, 2024

Tabs Versus Space 2024: The Sabotage —

One does not simply suggest changing a kernel line to help out a parsing tool.

Kevin Purdy – Updated Apr 16, 2024 9: 51 pm UTC

Tab soda displayed on a grocery shelf — Enlarge / Cans of Tab diet soda on display in 2011. Tab was discontinued in 2020. There has never been a soda named “Spaces” that had a cult following.

Getty Images

Anybody can contribute to the Linux kernel, but any person’s commit suggestion can become the subject of the kernel’s master and namesake, Linus Torvalds. Torvalds is famously not overly committed to niceness, though he has been working on it since 2018. You can see glimpses of this newer, less curse-laden approach in how Torvalds recently addressed a commit with which he vehemently disagreed. It involves tabs.

The commit last week changed exactly one thing on one line, replacing a tab character with a space: “It helps Kconfig parsers to read file without error.” Torvalds responded with a commit of his own, as spotted by The Register, which would “add some hidden tabs on purpose.” Trying to smooth over a tabs-versus-spaces matter seemed to awaken Torvalds to the need to have tab-detecting failures be “more obvious.” Torvalds would have added more, he wrote, but didn’t “want to make things uglier than necessary. But it *mightbe necessary if it turns out we see more of this kind of silly tooling.”

If you’ve read this far and don’t understand what’s happening, please allow me, a failed CS minor, to offer a quick explanation: Tabs Versus Spaces will never be truly resolved, codified, or set right by standards, and the energy spent on the issue over time could, if harnessed, likely power one or more small nations. Still, the Linux kernel has its own coding style, and it directly cites “K&R,” or Kernighan & Ritchie, the authors of the coding bible The C Programming Language, which is a tabs book. If you are submitting kernel code, it had better use tabs (eight-character tabs, ideally, though that is tied in part to teletype and line-printer history).

By attempting to smooth over one tiny part of the kernel so that a parsing tool could see a space character as a delineating whitespace, Prasad Pandit inadvertently spurred a robust rebuttal:

It wasn’t clear what tool it was, but let’s make sure it gets fixed. Because if you can’t parse tabs as whitespace, you should not be parsing the kernel Kconfig files.

In fact, let’s make such breakage more obvious than some esoteric ftrace record size option. If you can’t parse tabs, you can’t have page sizes.

Yes, tab-vs-space confusion is sadly a traditional Unix thing, and ‘make’ is famous for being broken in this regard. But no, that does not mean that it’s ok.

Torvalds’ hidden tabs appear in the fourth release candidate for Linux kernel 6.9, which Torvlads wrote had “nothing particularly unusual going on” the week of its release.

Disclosure: The author is a tab person insofar as he has any idea what he’s doing.

This post was updated at 6: 33 pm Eastern to fix some line-break issues in the Torvalds blockquote. The irony was duly noted. A better link regarding the Tabs Vs. Spaces debate was also swapped in.

Linus Torvalds reiterates his tabs-versus-spaces stance with a kernel trap Read More »

German state gov. ditching Windows for Linux, 30K workers migrating

Biz & IT, germany, LibreOffice, Linux, microsoft, Software, Windows / Blake Jones / April 5, 2024

Open source FTW —

Schleswig-Holstein looks to succeed where Munich failed.

Scharon Harding – Apr 5, 2024 7: 03 pm UTC

Schleswig-Holstein, one of Germany’s 16 states, on Wednesday confirmed plans to move tens of thousands of systems from Microsoft Windows to Linux. The announcement follows previously established plans to migrate the state government off Microsoft Office in favor of open source LibreOffice.

As spotted by The Document Foundation, the government has apparently finished its pilot run of LibreOffice and is now announcing plans to expand to more open source offerings.

In 2021, the state government announced plans to move 25,000 computers to LibreOffice by 2026. At the time, Schleswig-Holstein said it had already been testing LibreOffice for two years.

As announced on Minister-President Daniel Gunther’s webpage this week, the state government confirmed that it’s moving all systems to the Linux operating system (OS), too. Per a website-provided translation:

With the cabinet decision, the state government has made the concrete beginning of the switch away from proprietary software and towards free, open-source systems and digitally sovereign IT workplaces for the state administration’s approximately 30,000 employees.

The state government is offering a training program that it said it will update as necessary.

Regarding LibreOffice, the government maintains the possibility that some jobs may use software so specialized that they won’t be able to move to open source software.

In 2021, Jan Philipp Albrecht, then-minister for Energy, Agriculture, the Environment, Nature, and Digitalization of Schleswig-Holstein, discussed interest in moving the state government off of Windows.

“Due to the high hardware requirements of Windows 11, we would have a problem with older computers. With Linux we don’t have that,” Albrecht told Heise magazine, per a Google translation.

This week’s announcement also said that the Schleswig-Holstein government will ditch Microsoft Sharepoint and Exchange/Outlook in favor of open source offerings Nextcloud and Open-Xchange, and Mozilla Thunderbird in conjunction with the Univention active directory connector.

Schleswig-Holstein is also developing an open source directory service to replace Microsoft’s Active Directory and an open source telephony offering.

Digital sovereignty dreams

Explaining the decision, the Schleswig-Holstein government’s announcement named enhanced IT security, cost efficiencies, and collaboration between different systems as its perceived benefits of switching to open source software.

Further, the government is pushing the idea of digital sovereignty, with Schleswig-Holstein Digitalization Minister Dirk Schrödter quoted in the announcement as comparing the concept’s value to that of energy sovereignty. The announcement also quoted Schrödter as saying that digital sovereignty isn’t achievable “with the current standard IT workplace products.”

Schrödter pointed to the state government’s growing reliance on cloud services and said that with related proprietary software, users have no influence on data flow and whether that data makes its way to other countries.

Schrödter also claimed that the move would help with the state’s budget by diverting money from licensing fees to “real programming services from our domestic digital economy” that could also create local jobs.

In 2021, Albrecht said the state was reaching its limits with proprietary software contracts because “license fees have continued to rise in recent years,” per Google’s translation.

“Secondly, regarding our goals for the digitalization of administration, open source simply offers us more flexibility,” he added.

At the time, Albrecht claimed that 90 percent of video conferences in the state government ran on the open source program Jitsi, which was advantageous during the COVID-19 pandemic because the state was able to quickly increase video conferencing capacity.

Additionally, he said that because the school portal was based on (unnamed) open source software, “we can design the interface flexibly and combine services the way we want.”

There are numerous other examples globally of government entities switching to Linux in favor of open source technology. Federal governments with particular interest in avoiding US-based technologies, including North Korea and China, are some examples. The South Korean government has also shared plans to move to Linux by 2026, and the city of Barcelona shared migration plans in 2018.

But some government bodies that have made the move regretted it and ended up crawling back to Windows. Vienna released the Debian-based distribution WIENUX in 2005 but gave up on migration by 2009.

In 2003, Munich announced it would be moving some 14,000 PCs off Windows and to Linux. In 2013, the LiMux project finished, but high associated costs and user dissatisfaction resulted in Munich announcing in 2017 that it would spend the next three years reverting back to Windows.

Albrecht in 2021 addressed this failure when speaking to Heise, saying, per Google’s translation:

The main problem there was that the employees weren’t sufficiently involved. We do that better. We are planning long transition phases with parallel use. And we are introducing open source step by step where the departments are ready for it. This also creates the reason for further rollout because people see that it works.

German state gov. ditching Windows for Linux, 30K workers migrating Read More »

Backdoor found in widely used Linux utility breaks encrypted SSH connections

backdoors, Biz & IT, Linux, Security, supply chain attack, xz utils / Ari B / March 29, 2024

SUPPLY CHAIN ATTACK —

Malicious code planted in xz Utils has been circulating for more than a month.

Dan Goodin – Mar 29, 2024 6: 50 pm UTC

Enlarge / Internet Backdoor in a string of binary code in a shape of an eye.

Getty Images

Researchers have found a malicious backdoor in a compression tool that made its way into widely used Linux distributions, including those from Red Hat and Debian.

The compression utility, known as xz Utils, introduced the malicious code in versions 5.6.0 and 5.6.1, according to Andres Freund, the developer who discovered it. There are no known reports of those versions being incorporated into any production releases for major Linux distributions, but both Red Hat and Debian reported that recently published beta releases used at least one of the backdoored versions—specifically, in Fedora 40 and Fedora Rawhide and Debian testing, unstable and experimental distributions. A stable release of Arch Linux is also affected. That distribution, however, isn’t used in production systems.

Because the backdoor was discovered before the malicious versions of xz Utils were added to production versions of Linux, “it’s not really affecting anyone in the real world,” Will Dormann, a senior vulnerability analyst at security firm Analygence, said in an online interview. “BUT that’s only because it was discovered early due to bad actor sloppiness. Had it not been discovered, it would have been catastrophic to the world.”

Several people, including two Ars readers, reported that the multiple apps included in the HomeBrew package manager for macOS rely on the backdoored 5.6.1 version of xz Utils. HomeBrew has now rolled back the utility to version 5.4.6. Maintainers have more details available here.

Breaking SSH authentication

The first signs of the backdoor were introduced in a February 23 update that added obfuscated code, officials from Red Hat said in an email. An update the following day included a malicious install script that injected itself into functions used by sshd, the binary file that makes SSH work. The malicious code has resided only in the archived releases—known as tarballs—which are released upstream. So-called GIT code available in repositories aren’t affected, although they do contain second-stage artifacts allowing the injection during the build time. In the event the obfuscated code introduced on February 23 is present, the artifacts in the GIT version allow the backdoor to operate.

The malicious changes were submitted by JiaT75, one of the two main xz Utils developers with years of contributions to the project.

“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,” an official with distributor OpenWall wrote in an advisory. “Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the ‘fixes’” provided in recent updates. Those updates and fixes can be found here, here, here, and here.

On Thursday, someone using the developer’s name took to a developer site for Ubuntu to ask that the backdoored version 5.6.1 be incorporated into production versions because it fixed bugs that caused a tool known as Valgrind to malfunction.

“This could break build scripts and test pipelines that expect specific output from Valgrind in order to pass,” the person warned, from an account that was created the same day.

One of maintainers for Fedora said Friday that the same developer approached them in recent weeks to ask that Fedora 40, a beta release, incorporate one of the backdoored utility versions.

“We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor he had added),” the Ubuntu maintainer said.

He has been part of the xz project for two years, adding all sorts of binary test files, and with this level of sophistication, we would be suspicious of even older versions of xz until proven otherwise.

Maintainers for xz Utils didn’t immediately respond to emails asking questions.

The malicious versions, researchers said, intentionally interfere with authentication performed by SSH, a commonly used protocol for connecting remotely to systems. SSH provides robust encryption to ensure that only authorized parties connect to a remote system. The backdoor is designed to allow a malicious actor to break the authentication and, from there, gain unauthorized access to the entire system. The backdoor works by injecting code during a key phase of the login process.

“I have not yet analyzed precisely what is being checked for in the injected code, to allow unauthorized access,” Freund wrote. “Since this is running in a pre-authentication context, it seems likely to allow some form of access or other form of remote code execution.”

In some cases, the backdoor has been unable to work as intended. The build environment on Fedora 40, for example, contains incompatibilities that prevent the injection from correctly occurring. Fedora 40 has now reverted to the 5.4.x versions of xz Utils.

Xz Utils is available for most if not all Linux distributions, but not all of them include it by default. Anyone using Linux should check with their distributor immediately to determine if their system is affected. Freund provided a script for detecting if an SSH system is vulnerable.

Backdoor found in widely used Linux utility breaks encrypted SSH connections Read More »

Playtron’s wildly ambitious gaming OS aims to unite stores, lure “core casuals”

AOSP, asus rog ally, Cyanogen, cyanogen inc., CyanogenMod, gaming, Handheld Gaming, handheld gaming pc, Linux, Portable gaming, steam deck / Ari B / March 18, 2024

Core Casual Corps —

Headed by former Cyanogen CEO, it’s a Linux OS that might not be fully open.

Kevin Purdy – Mar 18, 2024 8: 36 pm UTC

Mock-up of a potential Playtron device — Enlarge / This isn’t what the first PlaytronOS-powered device will look like. That could be your Steam Deck, a 5G device from your cell carrier, or maybe your car.

Playtron

The Steam Deck’s OS is purpose-built for handheld gaming, but it’s confined to one device, unless you’re willing to head out to the bleeding edge. Beyond SteamOS, there is Windows, which can let down ambitious Deck-likes, there is the Nintendo Switch, and there are Android-based devices that are a lot like Android phones. This setup has got at least one company saying, in infomercial tones, that there has got to be a better way.

That company is Playtron, a new software startup that aims to fix that setup with a Linux-based gaming OS that’s tied to no particular game store or platform. Playtron has $10 million, coders from open source projects like ChimeraOS and Heroic Games Launcher, and the former CEO of Cyanogen. With that, it aims to have “Playtron-native devices shipping worldwide in 2025,” and to capture the 1 billion “core casual” gamers they see as under-served.

Demo of Playtron running on a Lenovo Legion Go, uploaded by Playtron CEO Kirk McMaster.

What devices will Playtron use to serve them? Some of them might be Steam Decks, as you will “soon be able to install Playtron on your favorite handheld PC,” according to Playtron’s ambitious, somewhat scattershot single-page website. Some might be “Playtron-powered 5G devices coming soon to markets around the world.” Really, though, Playtron aims to provide a gaming platform to any device with a CPU and a screen, be it desktop or mobile, ARM or x86, TV or car.

I have looked at this Venn diagram for long stretches and have still not figured out if the target is someone who is deeply into gaming or turned off by having to choose a platform or both or neither.

Playtron
Additional mock-ups of hypothetical Playtron devices from Playtron’s website or possibly just Playtron logos on existing devices.

Playtron

Sean Hollister at The Verge spoke with Playtron CEO Kirk McMaster. He has also viewed internal planning documents and tried out an alpha of the OS. McMaster told Hollister that handheld-maker Ayaneo plans to ship a Playtron device in 2024, while “numerous OEMs and mobile operators” are looking at 2025. Playtron aims to compete with Windows on price ($10 instead of what McMaster cites as $80 per head), and against Steam with a non-Steam platform that, McMaster claims, will still prevent cheating with a Fedora-Silverblue-based immutable file system. There are also some mentions of AI tools for helping casual gamers or determining launch configurations for games. Also, there are crypto-focused investors and a mention of offering crypto-based game purchases, though Playtron may also not have a store at all.

Another notable thing Playtron has is McMaster, the former head of Cyanogen Inc. That project launched in 2013 with $7 million in venture funding and an ambition to turn the free and open source-minded Android ROM community, CyanogenMod, into a for-profit OS and apps vendor. Google reportedly tried to buy Cyanogen Inc. at some point in 2014 but was turned away, as the company saw itself as growing. By the end of 2016, Cyanogen Inc. was shut down, and the Android ROM community reorganized around LineageOS. Ars’ 2016 “Deathwatch” cited McMaster’s “delusions of grandeur,” noting his claimed desire to “put a bullet in Google’s head” while maintaining an OS that was almost entirely dependent on Google’s open source Android code.

McMaster told The Verge’s Hollister that, from his time at Cyanogen Inc., he “learned that you shouldn’t try to commercialize an open-source project with a significant history because it can lead to culture wars.” There are strong hints that Playtron will not be entirely open source, though it will encourage the Linux coders it has hired to continue contributing to projects like ChimeraOS.

Playtron’s wildly ambitious gaming OS aims to unite stores, lure “core casuals” Read More »

Critical vulnerability affecting most Linux distros allows for bootkits

Biz & IT, bootkits, Linux, Security, shim, uefi, vulnerabilities / Blake Jones / February 6, 2024

Linux developers are in the process of patching a high-severity vulnerability that, in certain cases, allows the installation of malware that runs at the firmware level, giving infections access to the deepest parts of a device where they’re hard to detect or remove.

The vulnerability resides in shim, which in the context of Linux is a small component that runs in the firmware early in the boot process before the operating system has started. More specifically, the shim accompanying virtually all Linux distributions plays a crucial role in secure boot, a protection built into most modern computing devices to ensure every link in the boot process comes from a verified, trusted supplier. Successful exploitation of the vulnerability allows attackers to neutralize this mechanism by executing malicious firmware at the earliest stages of the boot process before the Unified Extensible Firmware Interface firmware has loaded and handed off control to the operating system.

The vulnerability, tracked as CVE-2023-40547, is what’s known as a buffer overflow, a coding bug that allows attackers to execute code of their choice. It resides in a part of the shim that processes booting up from a central server on a network using the same HTTP that the Internet is based on. Attackers can exploit the code-execution vulnerability in various scenarios, virtually all following some form of successful compromise of either the targeted device or the server or network the device boots from.

“An attacker would need to be able to coerce a system into booting from HTTP if it’s not already doing so, and either be in a position to run the HTTP server in question or MITM traffic to it,” Matthew Garrett, a security developer and one of the original shim authors, wrote in an online interview. “An attacker (physically present or who has already compromised root on the system) could use this to subvert secure boot (add a new boot entry to a server they control, compromise shim, execute arbitrary code).”

Stated differently, these scenarios include:

Acquiring the ability to compromise a server or perform an adversary-in-the-middle impersonation of it to target a device that’s already configured to boot using HTTP
Already having physical access to a device or gaining administrative control by exploiting a separate vulnerability.

While these hurdles are steep, they’re by no means impossible, particularly the ability to compromise or impersonate a server that communicates with devices over HTTP, which is unencrypted and requires no authentication. These particular scenarios could prove useful if an attacker has already gained some level of access inside a network and is looking to take control of connected end-user devices. These scenarios, however, are largely remedied if servers use HTTPS, the variant of HTTP that requires a server to authenticate itself. In that case, the attacker would first have to forge the digital certificate the server uses to prove it’s authorized to provide boot firmware to devices.

The ability to gain physical access to a device is also difficult and is widely regarded as grounds for considering it to be already compromised. And, of course, already obtaining administrative control through exploiting a separate vulnerability in the operating system is hard and allows attackers to achieve all kinds of malicious objectives.

Critical vulnerability affecting most Linux distros allows for bootkits Read More »

Convicted murderer, filesystem creator writes of regrets to Linux list

Biz & IT, file systems, Hans Reiser, Linux, Linux kernel, linux kernel mailing list, LKML, ReiserFS, Tech / Ari B / January 19, 2024

Pre-release notes —

“The man I am now would do things very differently,” Reiser says in long letter.

Kevin Purdy – Jan 19, 2024 9: 20 pm UTC

Hans Reiser letter to Fredrick Brennan — Enlarge / A portion of the cover letter attached to Hans Reiser’s response to Fredrick Brennan’s prompt about his filesystem’s obsolescence.

Fredrick Brennan

With the ReiserFS recently considered obsolete and slated for removal from the Linux kernel entirely, Fredrick R. Brennan, font designer and (now regretful) founder of 8chan, wrote to the filesystem’s creator, Hans Reiser, asking if he wanted to reply to the discussion on the Linux Kernel Mailing List (LKML).

Reiser, 59, serving a potential life sentence in a California prison for the 2006 murder of his estranged wife, Nina Reiser, wrote back with more than 6,500 words, which Brennan then forwarded to the LKML. It’s not often you see somebody apologize for killing their wife, explain their coding decisions around balanced trees versus extensible hashing, and suggest that elementary schools offer the same kinds of emotional intelligence curriculum that they’ve worked through in prison, in a software mailing list. It’s quite a document.

What follows is a relative summary of Reiser’s letter, dated November 26, 2023, which we first saw on the Phoronix blog, and which, by all appearances, is authentic (or would otherwise be an epic bit of minutely detailed fraud for no particular reason). It covers, broadly, why Reiser believes his system failed to gain mindshare among Linux users, beyond the most obvious reason. This leads Reiser to detail the technical possibilities, his interpersonal and leadership failings and development, some lingering regrets about dealings with SUSE and Oracle and the Linux community at large, and other topics, including modern Russian geopolitics.

“LKML and Slashdot.org seem like reasonable places to send it (as of 2006)”

In a cover letter, Reiser tells Brennan that he hopes he can use OCR to import his lengthy letter and asks him to use his best judgment in where to send his reply. He also asks, if he has time, Brennan might send him information on “Reiser5, or any interesting papers on other Filesystems, compression (especially Deep Learning based compression), etc.”

Then Reiser addresses the kernel mailing list directly—very directly:

I was asked by a kind Fredrick Brennan for my comments that I might offer on the discussion of removing ReiserFS V3 from the kernel. I don’t post directly because I am in prison for killing my wife Nina in 2006.

I am very sorry for my crime–a proper apology would be off topic for this forum, but available to any who ask.

A detailed apology for how I interacted with the Linux kernel community, and some history of V3 and V4, are included, along with descriptions of what the technical issues were. I have been attending prison workshops, and working hard on improving my social skills to aid my becoming less of a danger to society. The man I am now would do things very differently from how I did things then.

ReiserFS V3 was “our first filesystem, and in doing it we made mistakes, because we didn’t know what we were doing,” Reiser writes. He worked through “years of dark depression” to get V3 up to the performance speeds of ext2, but regrets how he celebrated that milestone. “The man I was then presented papers with benchmarks showing that ReiserFS was faster than ext2. The man I am now would stat his papers … crediting them for being faster than the filesystems of other operating systems, and thanking them for the years we used their filesystem to write ours.” It was “my first serious social mistake in the Linux community, and it was completely unnecessary.”

Reiser asks that a number of people who worked on ReiserFS be included in “one last release” of the README, and to “delete anything in there I might have said about why they were not credited.” He says prison has changed him in conflict resolution and with his “tendency to see people in extremes.”

Reiser extensively praises Mikhail Gilula, the “brightest mind in his generation of computer scientists,” for his work on ReiserFS from Russia and for his ideas on rewriting everything the field knew about data structures. With their ideas on filesystems and namespaces combined, it would be “the most important refactoring of code ever.” His analogy at the time, Reiser wrote, was Adam Smith’s ideas of how roads, waterways, and free trade affected civilization development; ReiserFS’ ideas could similarly change “the expressive power of the operating system.”

Convicted murderer, filesystem creator writes of regrets to Linux list Read More »

Stealthy Linux rootkit found in the wild after going undetected for 2 years

backdoor, Biz & IT, Linux, malware, rootkits, Security / Mike M. / December 10, 2023

Trojan horse on top of blocks of hexadecimal programming codes. Illustration of the concept of online hacking, computer spyware, malware and ransomware.

Stealthy and multifunctional Linux malware that has been infecting telecommunications companies went largely unnoticed for two years until being documented for the first time by researchers on Thursday.

Researchers from security firm Group-IB have named the remote access trojan “Krasue,” after a nocturnal spirit depicted in Southeast Asian folklore “floating in mid-air, with no torso, just her intestines hanging from below her chin.” The researchers chose the name because evidence to date shows it almost exclusively targets victims in Thailand and “poses a severe risk to critical systems and sensitive data given that it is able to grant attackers remote access to the targeted network.

According to the researchers:

Krasue is a Linux Remote Access Trojan that has been active since 20 and predominantly targets organizations in Thailand.

Group-IB can confirm that telecommunications companies were targeted by Krasue.

The malware contains several embedded rootkits to support different Linux kernel versions.

Krasue’s rootkit is drawn from public sources (3 open-source Linux Kernel Module rootkits), as is the case with many Linux rootkits.

The rootkit can hook the `kill()` syscall, network-related functions, and file listing operations in order to hide its activities and evade detection.

Notably, Krasue uses RTSP (Real-Time Streaming Protocol) messages to serve as a disguised “alive ping,” a tactic rarely seen in the wild.

This Linux malware, Group-IB researchers presume, is deployed during the later stages of an attack chain in order to maintain access to a victim host.

Krasue is likely to either be deployed as part of a botnet or sold by initial access brokers to other cybercriminals.

Group-IB researchers believe that Krasue was created by the same author as the XorDdos Linux Trojan, documented by Microsoft in a March 2022 blog post, or someone who had access to the latter’s source code.

During the initialization phase, the rootkit conceals its own presence. It then proceeds to hook the `kill()` syscall, network-related functions, and file listing operations, thereby obscuring its activities and evading detection.

The researchers have so far been unable to determine precisely how Krasue gets installed. Possible infection vectors include through vulnerability exploitation, credential-stealing or -guessing attacks, or by unwittingly being installed as trojan stashed in an installation file or update masquerading as legitimate software.

The three open source rootkit packages incorporated into Krasue are:

Enlarge / An image showing salient research points of Krasue.

Group-IB

Rootkits are a type of malware that hides directories, files, processes, and other evidence of its presence to the operating system it’s installed on. By hooking legitimate Linux processes, the malware is able to suspend them at select points and interject functions that conceal its presence. Specifically, it hides files and directories beginning with the names “auwd” and “vmware_helper” from directory listings and hides ports 52695 and 52699, where communications to attacker-controlled servers occur. Intercepting the kill() syscall also allows the trojan to survive Linux commands attempting to abort the program and shut it down.

Stealthy Linux rootkit found in the wild after going undetected for 2 years Read More »