Freedom Penguin’s “Off The Record” | Teaser Video

Coming soon

Coming this week….stay tuned for the first episode.

If you have trouble playing the video (likely because of your region and the music used in the teaser), just use this link instead: https://archive.org/details/teaser_20170318

LinuxCON Kids’ day

LinuxCON-ContainerCON

Part of this year’s LinuxCON / ContainerCON in Toronto was a full day program called Kids’ Day. Its purpose was to foster an interest in technology among junior nerds and the children of their nerd parents (raises hand). My 12 and 15 year olds were keen to lay hands on some hardware and hang out with like-minded instructors, so we signed up.

What we did not know at the time was that the program was organized by Kids on Computers (@kidsoncomputers, http://www.kidsoncomputers.org/), a charity dedicated to bringing technology to communities where it doesn’t exist and where there is no internet access. Much of the first part of the session involved having the kids wipe Windows from a bunch of donated laptops and install GNU/Linux on them before they were to be shipped to Mexico as part of this endeavor. By my count, 17 kids were given flash drives with Ubermix (http://www.ubermix.org/) and were walked through the steps to boot off of the flash drive and select the script that did the nuking and paving. I imagined I could smell the uranium and asphalt on the ground.

Having cleansed and consecrated the hardware, the children were instructed to connect to a local network containing an Intel NUC specially designed to act as an offline Wikipedia / Khan Academy / Open Street Maps / <So much more> server. Once that was done, it was a simple matter to enter “school” into the laptop’s Firefox browser to pull up the school interface and to see what was there. A complete listing of the services offered can be found on the kidsoncomputers.org site (http://www.kidsoncomputers.org/knowledgebase) but I understand the NUC cost a little under $300 and runs CentOS.

As the laptops were connected to an ad-hoc network, they were able to ping and SSH to one another on the local network. The kids were shown how to do that and how to use SCP to move a greeting to other laptops with minimal/no security. When asked what I thought his greeting should say, I suggested ‘sudo apt install malware,’ which elicited a few chuckles. My sons had a grand time shutting each other’s systems down before I reminded them that they could change their administrator passwords or turn on the firewall. Thankfully, the instructors decided to move us along before things devolved into a mini black-hat conference.

The rest of the morning had the group playing with Scratch. For those of us old enough to remember, Scratch might remind you of the Logo language from a generation ago. But instead of moving a turtle around to create different shapes, you move a cat around and… create different shapes. The times, they are a changing.

The afternoon focused almost exclusively on the Arduino (https://www.arduino.cc/). Kids connected Arduino Unos to their former Windows laptops and used the installed Arduino IDE to upload programs they created or modified to make lights blink faster or slower, make speakers play tunes and respond to button presses.

All in all, Kids’ Day was extremely productive – for the kids, certainly, but for the community, for the other kids to be served by their efforts and for the amazing instructors who put it all together.

Bryan Lunduke and Matt Hartley – The Boys Are Back

After some “going back and forth”, Bryan and I have decided it was high time we did a proper show together. Here are the details you need to know. Yes, it’s actually happening!

New show, baby! New weekly show!

I’ve teamed up with the ever-adorable +Matt Hartley to create a video-only show we call “Lunduke & Whatnot (with Matt)”.

A few things worth noting:
– No advertisements. At all. Ever. Because there are too many nerdy podcasts that are chock full of advertisements. And that sucks.
– No show “segments”. One big block of Matt & I talking with interesting people about a single, cool topic.

In the first episode, we brought on fellow-cool-kid +Michael Hall (community manager for +Canonical and +Ubuntu) to talk about the Ubuntu tablet experience. I’ve had the BQ 10-inch tablet for a little while and I’ve got some thoughts I wanted to bounce off him.

So be sure to subscribe to Bryan’s YouTube channel. We’ll also be sharing each episode on Lunduke.com and FreedomPenguin.com.

 

Lessons from the Linux Mint Hack

POSTED 3:43PM PST, Sunday — Unless you’re completely unplugged from the Linux news media, by now you’ve heard about the exploit that affected both the Linux Mint WordPress site and the Linux Mint 17.3 Cinnamon edition.

What you need to know:

  • Softpedia provides a solid account and breakdown of events. However, they did miss something…more on that later. If you’re into screen shots and the details of the event, check it out.
  • ISO Torrents were not affected.
  • SSL wouldn’t have protected squat. Don’t misunderstand, it does protect against OTHER potential attacks, but the initial point of entry was WordPress, so for this specific attack, Clem’s statement below is correct. However, offering anything for download without SSL in play is a special kind of dangerous. Let’s hope they keep the site offline until SSL is implemented.

nizzle Says:
February 21st, 2016 at 2:46 am
Doesn’t do much good to post hashes on a site that’s not served over TLS.
When will *.linuxmint.com go https only?
Edit by Clem: It’s planned and I’m hoping it’ll happen soon. Please note that this wouldn’t have helped here though. You’d be served the exact same hacked information via HTTPs.

  • Checksums simply don’t cut it; however, end users won’t mess with OpenPGP secret keys... unless you force them to. Most people simply don’t understand the importance of using them or simply don’t care.
  • This isn’t a new issue. Mind the date of this tweet... clearly Mint’s web team needs training or some assistance with security. And then a month later (note the date again) we see things finally being addressed.
  • Critical: Mint doesn’t release security advisories to trusted alert sites at this time.
  • Fixed/irrelevant?: Seven hours ago, I received an unsubstantiated claim that their blogging site was running WordPress 4.2.2. I can’t speak to this; however, I can tell you their site as of the time of this post runs WordPress 4.4.2. I’d file this under rumor-mill for now. Pinguy OS’ Antoni Norman has confirmed that this rumor is not true after checking through the cache of the site.

How to protect ourselves

As a community, casual Linux users (myself included) are generally pretty complacent. We blindly download anything and everything from PPAs to AUR packages, assuming that nothing has slipped through the cracks. Granted, I believe the AUR receives greater scrutiny than the current PPA system, but that’s beside the point.

The key things we can do to protect ourselves as end users are:

  • Only download ISOs from trusted sources. This means distribution providers need to make sure “trusted download” options are provided. Adding an SSL cert isn’t a fix; additional measures need to be put into place. Whether or not this means OpenPGP is the solution remains to be seen. I honestly don’t think it is.
  • Get to know the MD5 signature(s). Before you install a downloaded ISO, verify the hash sum for that ISO. It is far from a great solution, but at least as an end user you did SOMETHING to protect yourself.
  • Locking down your distro locally (for end users). Arch documentation has a solid write-up that you should familiarize yourself with. This can help minimize the damage that an exploit can do to your system. So instead of taking the scan-and-pray approach, use these techniques to reduce the available ground an attack can exploit. Pay special attention to the firewall and root control.
  • Keep spare (trusted) ISOs handy locally. This borders on the “security through obscurity” philosophy, but it also means you have safe/functional ISOs available no matter what.
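
An added example, not part of the original post: a small checksum verifier that also reproduces the failure mode described above, where a checksum list served by the same compromised site "verifies" a swapped ISO while a list obtained independently does not. The function names, file name and file contents are constructed for illustration, and SHA-256 is used by default where the post mentions MD5.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algo="sha256", chunk=1 << 20):
    """Hash a file in chunks so a multi-gigabyte ISO never sits in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_sums(text):
    """Parse coreutils-style lines: '<hex>  <name>' or '<hex> *<name>'."""
    sums = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            sums[parts[1].lstrip("*")] = parts[0].lower()
    return sums


def verify_iso(path, sums_text, algo="sha256"):
    """Return 'ok', 'mismatch' or 'unlisted' for the file against a sums list."""
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # a missing entry is not a pass
    actual = file_digest(path, algo)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def demo():
    """Constructed scenario: the ISO and its published sums are both replaced."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "example-distro.iso")  # hypothetical file name
        with open(iso, "wb") as fh:
            fh.write(b"genuine image bytes (constructed)")
        trusted = f"{file_digest(iso)}  example-distro.iso\n"  # saved out of band
        with open(iso, "wb") as fh:
            fh.write(b"tampered image bytes (constructed)")
        hacked_site = f"{file_digest(iso)} *example-distro.iso\n"  # same origin as ISO
        return verify_iso(iso, hacked_site), verify_iso(iso, trusted)


if __name__ == "__main__":
    print(demo())
```

The checksum only carries as much trust as the channel it arrived over, which is why the first result passes and the second does not.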

There is no spoon

The fact of the matter is if you can read/write to a system, there is an opportunity to exploit it. All we can do is control the attack surface available and minimize it as much as possible. Remember: Lock it down, keep it patched and pay attention. This is the best advice anyone could hope for coming from the end user perspective.

On the distribution and server side of things, I think this provides us with an opportunity to re-examine how we’re distributing Linux ISOs. Yes, minding the IP sources and hash sums are a “fair” place to start. I for one, think we can do better and I would like to see some new ideas. Fact of the matter is, this won’t be the first time this happens. And thankfully, due to Clem’s rapid response, this event was addressed very quickly. Let’s hope some tough lessons were learned here to prevent another event in the future.

For the sake of research, I saved a cached copy of the download page for Linux Mint 17.3 Cinnamon edition. Every single download for each country is pointing to the malicious IP address. Worse, the mere act of clicking on any of the download links instantly starts the download process – no browsing of the directory. Folks, the current method for downloading ISOs is in need of something a bit more secure.

Why this bitter pill is a good thing – long term

At the end of the day, I see this as a positive. First, I believe that Linux Mint will come out of this stronger than ever. Second, this will force others to take ISO security more seriously. This also provides end users with a stronger reason to pay closer attention to what they’re doing.

I don’t know how all of this will play out. But two things I do know for sure. The Linux Mint team did an outstanding job dealing with this right away. Also, downloading ISO images from randomly linked mirrors might not be the most secure way to distribute today’s modern Linux distributions.

Locked Up with Linux

The sheer versatility of the Linux kernel truly knows no bounds. It can be found, literally, everywhere. From your local library to your local big box retailer, Linux is barely a stone’s throw away. There are very few places in the world that can be considered Linux-free. A small tribal village? Maybe. A shade tree mechanic? Possibly. A prison? Well … not really. That’s right. It seems that Linux has been sent to the joint, and it is poised to be there for a very long time.

Linux is being sent to prison in an effort to streamline correctional institution management and inmate education; primarily in Australian prisons. Linux’s introduction into the Australian prison system comes in the form of the PrisonPC produced by Cyber IT Solutions. According to Cyber IT Solutions, PrisonPC provides:

“a range of required functions and services supporting basic numeracy and literacy education, work-place reentry programmes, vocational and distance education, integrated digital television, and other entertainment options.”(1)

In short, the software’s main focus is prisoner education and entertainment.

However, it seems that PrisonPC is more than just a Learning Management System for prisons; it has also been designed to aid in prison management. PrisonPC can also filter email, which only allows access to designated individuals such as inmate lawyers. Moreover, Cyber IT Solutions states that the software can not only restrict web access, but it can also restrict access to the entire desktop environment through the enforcement of configured curfews.

In its latest release of the software (September 2015), Cyber IT Solutions introduced IPTV functionality. According to the press release (2):

“PrisonPC IPTV replaces legacy television sets … [which] negates the need to have a separate, unmanaged television set and offers education providers the ability to make on-demand educational content available to inmates.”

PrisonPC is built upon the Linux kernel and utilizes a modified Ubuntu operating system that essentially locks the user, in this case the inmate, out of any functionality that could cause an issue (3). For example, PrisonPC computers (the company also can provide the hardware) contain no hard-drive, USB storage, or writable DVD/CD prohibiting the user from making any modifications to the system. Additionally, 3G modems, USB drives, WiFi controllers, webcams, and Bluetooth transceivers are blocked by default, prohibiting their use in the event such devices are smuggled into the facility by an inmate. And the list of security features goes on.

The Linux-based system is so versatile that many institutions implement PrisonPC in a number of different ways. For instance, the Alexander Maconochie Centre utilizes the Learning Management functionality and the restricted email filtering, while Marngoneet Correctional Centre uses it to support their Integrated Library System.(4)

PrisonPC provides a much needed service to both prison inmates and prison officials. A service that has been built with the Linux kernel at its core.

For more information about PrisonPC visit their website at: http://www.prisonpc.com/

Does your business or organization use Linux in some way? Then contact Dennis today to see if your business or organization can be featured on Freedom Penguin.

Sources

1. http://www.prisonpc.com/projects.html

2. http://www.prisonpc.com/PrisonPC_IPTV_media_release_20150922.html

3. http://www.itwire.com/business-it-news/open-source/25331-linux-finds-a-role-in-australian-prison-cells

4. http://www.prisonpc.com/projects.html

5. Image credit: PrisonPC.com