It’s Thursday! And you know what that means… It’s Linux Day on the Lunduke Hour! In today’s episode Matt Hartley and I take a boat load of questions from the viewers on BtrFS, KDE, Internet Privacy, the ending of the Linux Action Show, Linux Marketing issues, and the weirdness (or lack of weirdness) of Linux.
Valve’s Steam PCs. This first episode of Freedom Penguin “For The Record” deals head on with the train wreck that is Valve’s investment in hardware. Not all is lost however, as Linux Gaming reaped the benefits from Valve’s efforts.
Part of this year’s LinuxCON / ContainerCON in Toronto was a full day program called Kids’ Day. Its purpose was to foster an interest in technology among junior nerds and the children of their nerd parents (raises hand). My 12 and 15 year olds were keen to lay hands on some hardware and hang out with like-minded instructors, so we signed up.
What we did not know at the time was that the program was organized by Kids on Computers (@kidsoncomputers, http://www.kidsoncomputers.org/), a charity dedicated to bringing technology to communities where it doesn’t exist and where there is no internet access. Much of the first part of the session involved having the kids wipe Windows from a bunch of donated laptops and install GNU/Linux on them before they were shipped to Mexico as part of this endeavor. By my count, 17 kids were given flash drives with Ubermix (http://www.ubermix.org/) and were walked through the steps to boot off of the flash drive and select the script that did the nuking and paving. I imagined I could smell the uranium and asphalt on the ground.
Having cleansed and consecrated the hardware, the children were instructed to connect to a local network containing an Intel NUC specially designed to act as an offline Wikipedia / Khan Academy / Open Street Maps / <So much more> server. Once that was done, it was a simple matter to enter “school” into the laptop’s Firefox browser to pull up the school interface and to see what was there. A complete listing of the services offered can be found on the kidsoncomputers.org site (http://www.kidsoncomputers.org/knowledge–base) but I understand the NUC cost a little under $300 and runs CentOS.
As the laptops were connected to an ad-hoc network, they were able to ping and SSH to one another on the local network. The kids were shown how to do that and how to use SCP to move a greeting to other laptops with minimal/no security. When asked what I thought his greeting should say, I suggested ‘sudo apt install malware,’ which elicited a few chuckles. My sons had a grand time shutting each other’s systems down before I reminded them that they could change their administrator passwords or turn on the firewall. Thankfully, the instructors decided to move us along before things devolved into a mini black-hat conference.
The rest of the morning had the group playing with Scratch. For those of us old enough to remember, Scratch might remind you of the Logo language from a generation ago. But instead of moving a turtle around to create different shapes, you move a cat around and… create different shapes. The times, they are a-changing.
The afternoon focused almost exclusively on the Arduino (https://www.arduino.cc/). Kids connected Arduino Unos to their former Windows laptops and used the installed Arduino IDE to upload programs they had created or modified to make lights blink faster or slower, make speakers play tunes, and respond to button presses.
All in all, Kids’ Day was extremely productive – for the kids, certainly, but also for the community, for the other kids to be served by their efforts, and for the amazing instructors who put it all together.
After some “going back and forth”, Bryan and I have decided it was high time we did a proper show together. Here are the details you need to know. Yes, it’s actually happening!
New show, baby! New weekly show!
I’ve teamed up with the ever-adorable +Matt Hartley to create a video-only show we call “Lunduke & Whatnot (with Matt)”.
A few things worth noting:
– No advertisements. At all. Ever. Because there are too many nerdy podcasts that are chock full of advertisements. And that sucks.
– No show “segments”. One big block of Matt & I talking with interesting people about a single, cool topic.
In the first episode, we brought on fellow-cool-kid +Michael Hall (community manager for +Canonical and +Ubuntu) to talk about the Ubuntu tablet experience. I’ve had the BQ 10-inch tablet for a little while and I’ve got some thoughts I wanted to bounce off him.
POSTED 3:43PM PST, Sunday — Unless you’re completely unplugged from the Linux news media, by now you’ve heard about the exploit that affected both the Linux Mint WordPress site and the Linux Mint 17.3 Cinnamon edition.
What you need to know:
Softpedia provides a solid account and breakdown of events. However, they did miss something… more on that later. If you’re into screenshots and the details of the event, check it out.
ISO Torrents were not affected.
SSL wouldn’t have protected squat. Don’t misunderstand, it does protect against OTHER potential attacks, but the initial point of entry was WordPress, so for this specific attack Clem’s statement below is correct. However, offering anything for download without SSL in play is a special kind of dangerous. Let’s hope they keep the site offline until SSL is implemented.
nizzle Says: February 21st, 2016 at 2:46 am
Doesn’t do much good to post hashes on a site that’s not served over TLS. When will *.linuxmint.com go https only?
Edit by Clem: It’s planned and I’m hoping it’ll happen soon. Please note that this wouldn’t have helped here though. You’d be served the exact same hacked information via HTTPS.
Checksums alone simply don’t cut it. However, end users won’t mess with OpenPGP keys unless you force them to. Most people simply don’t understand the importance of using them or simply don’t care.
This isn’t a new issue. Mind the date of this tweet… clearly Mint’s web team needs training or some assistance with security. And then a month later (note the date again) we see things finally being addressed.
Fixed/irrelevant?: Seven hours ago, I received an unsubstantiated claim that their blogging site was running WordPress 4.2.2. I can’t speak to this; however, I can tell you their site as of the time of this post runs WordPress 4.4.2. I’d file this under rumor-mill for now. Pinguy OS’ Antoni Norman has since confirmed that this rumor is not true after checking through the cache of the site.
How to protect ourselves
As a community, casual Linux users (myself included) are generally pretty complacent. We blindly download anything and everything, from PPAs to AUR packages, assuming that nothing has slipped through the cracks. Granted, I believe the AUR receives greater scrutiny than the current PPA system, but that’s beside the point.
The key things we can do to protect ourselves as end users are:
Only download ISOs from trusted sources. This means distribution providers need to make sure “trusted download” options are provided. Adding an SSL cert isn’t a fix; additional measures need to be put in place. Whether or not this means OpenPGP is the solution remains to be seen. I honestly don’t think it is.
Get to know the MD5 checksum(s). Before you install a downloaded ISO, verify the hash sum for that ISO. It’s far from a great solution, but at least as an end user you did SOMETHING to protect yourself.
Lock down your distro locally (for end users). The Arch documentation has a solid write-up that you should familiarize yourself with. This can help minimize the damage that an exploit can do to your system. So instead of taking the scan-and-pray approach, use these techniques to reduce the ground an attack can exploit. Pay special attention to the firewall and root control.
Keep spare (trusted) ISOs handy locally. This borders on the “security through obscurity” philosophy, but it also means you have safe/functional ISOs available no matter what.
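The checksum step above, carried out as a small POSIX shell script. This is an added example, not code from the original post or from the Linux Mint project: it looks a downloaded image up in a published checksum file (the “digest  filename” layout that sha256sum and md5sum produce), compares digests, and rejects an image whose contents have changed. It goes slightly beyond the MD5 case in the text by accepting either md5 or sha256. It assumes GNU coreutils; the image name, the image contents and the checksum file in the demo are constructed here for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from Linux Mint.
# Verifies a downloaded ISO against a published checksum file before it is
# installed. Assumes GNU coreutils (sha256sum, md5sum, awk, cut, mktemp).

# hash_of <algorithm> <file>: print only the hex digest (md5 or sha256).
hash_of() {
    "${1}sum" "$2" | cut -d' ' -f1
}

# verify_iso <iso> <checksum-file> [algorithm]
# Finds the ISO's basename in the checksum file and compares digests.
# Checksum files use text-mode lines: "<digest>  <name>" (a leading '*' on
# the name marks binary mode and is not handled here).
# Returns 0 on match, 1 on mismatch or when the ISO is not listed.
verify_iso() {
    iso="$1"; sums="$2"; alg="${3:-sha256}"
    name=$(basename "$iso")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no $alg entry for $name in $sums" >&2
        return 1
    fi
    actual=$(hash_of "$alg" "$iso")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name ($alg)"
        return 0
    fi
    echo "MISMATCH: $name expected $expected got $actual" >&2
    return 1
}

# demo: build a constructed "ISO" (hypothetical file name) and its checksum
# file in a temp directory, check it, then append one byte and check again.
# Returns 0 only if the untouched image passes and the altered one is rejected.
demo() {
    work=$(mktemp -d) || return 1
    iso="$work/linuxmint-17.3-cinnamon-64bit.iso"      # constructed sample
    printf 'constructed sample image\n' > "$iso"
    (cd "$work" && sha256sum "$(basename "$iso")" > sha256sum.txt)
    verify_iso "$iso" "$work/sha256sum.txt" || { rm -rf "$work"; return 1; }
    printf 'x' >> "$iso"                               # simulate tampering
    if verify_iso "$iso" "$work/sha256sum.txt"; then
        rm -rf "$work"; return 1                       # should have failed
    fi
    rm -rf "$work"
    return 0
}

# Usage: verify_iso ./linuxmint-17.3-cinnamon-64bit.iso ./sha256sum.txt
#        verify_iso ./image.iso ./md5sum.txt md5
demo
```

The check only proves the file you have matches the file the checksum describes. If the checksum page and the download link were both replaced, as the cached download page discussed in this post shows, the two will agree and the check passes; that gap is closed only by verifying a signature on the checksum file with a key obtained through a separate channel (for example `gpg --verify sha256sum.txt.gpg sha256sum.txt` against a key you already trust), which is the OpenPGP step the post says most users skip.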
There is no spoon
The fact of the matter is if you can read/write to a system, there is an opportunity to exploit it. All we can do is control the attack surface available and minimize it as much as possible. Remember: Lock it down, keep it patched and pay attention. This is the best advice anyone could hope for coming from the end user perspective.
On the distribution and server side of things, I think this provides us with an opportunity to re-examine how we’re distributing Linux ISOs. Yes, minding the IP sources and hash sums is a “fair” place to start. I, for one, think we can do better and would like to see some new ideas. The fact of the matter is, this won’t be the last time this happens. Thankfully, due to Clem’s rapid response, this event was addressed very quickly. Let’s hope some tough lessons were learned here to prevent another event in the future.
For the sake of research, I saved a cached copy of the download page for Linux Mint 17.3 Cinnamon edition. Every single download for each country is pointing to the malicious IP address. Worse, the mere act of clicking on any of the download links instantly starts the download process – no browsing of the directory. Folks, the current method for downloading ISOs is in need of something a bit more secure.
Why this bitter pill is a good thing – long term
At the end of the day, I see this as a positive. First, I believe that Linux Mint will come out of this stronger than ever. Second, this will force others to take ISO security more seriously. This also provides end users with a stronger reason to pay closer attention to what they’re doing.
I don’t know how all of this will play out. But two things I do know for sure: the Linux Mint team did an outstanding job dealing with this right away, and downloading ISO images from randomly linked mirrors might not be the most secure way to distribute today’s modern Linux distributions.