Linux News Today features the latest news from the global Linux community. This site is updated daily. Click here to return to our homepage. Get the lowest cost and the best tech support on any Linux web hosting plan. Click here for details.

Raspberry Pi runs a flavor of Debian Linux tuned for tiny computers


December 2, 2015

These days it goes without saying that Raspberry Pis run Raspbian, a flavor of Debian GNU/Linux tuned specifically for the tiny computers.

But like just about anything in modern life, there is a caveat: the current Raspbian image can generate weak (that is, predictable) SSH host keys on first boot.

That gives a man-in-the-middle attacker a good chance of impersonating a Raspberry Pi and reading what users send over what they believe are secure connections to it.

Last month's release of Raspbian does not use the hardware random number generator by default, according to a bug report posted to the Pi forums.

Ideally that generator would pour unpredictable bits into the kernel's entropy pool, from which cryptographically secure random numbers are drawn.

That is not happening right now, so on first boot the kernel's random number generator is working from a nearly empty pool and produces output an attacker can feasibly guess.

Crypto keys built from those predictable sequences during the machine's first boot can therefore be recreated by an attacker. SSH uses the host key to authenticate the server, not to encrypt the session, so the damage is done by an active attacker in the network path: holding the Pi's private host key, they can pose as the Pi, complete the key exchange with the client themselves, and read everything it sends, including login passwords and the Debian terminal session. A passively recorded session cannot be decrypted this way, because the session keys come from a Diffie-Hellman exchange the attacker did not take part in.

If the hardware generator were seeding the pool in the first place, the generated keys would be vastly stronger. Here is what the bug reporter had to say:

  • Raspbian (SHA1: ce1654f4b0492b3bcc93b233f431539b3df2f813) doesn't enable the hardware random number generator by default. This causes generation of predictable SSH host keys on the first boot. As soon as the system starts up systemd-random-seed tries to seed /dev/urandom, but /var/lib/systemd/random-seed is missing, because it hasn't been created yet. /etc/rc2.d/S01regenerate_ssh_host_keys is executed, but /dev/urandom pool doesn't have that much entropy at this point and predictable SSH host keys will be created.

    We've been told that the problem is due to be fixed in the next Raspbian image release, and users should ensure they upgrade when that's available.

    In the meantime, anyone worried about the security of their SSH server should regenerate the host keys after seeding /dev/urandom from the hardware random number generator in the Pi's system-on-chip processor.

    The commands to do that, and a hotfix patch to address the issue, are given in the aforementioned forum post.
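The procedure above, as an added example that is not the forum post's hotfix or any Raspbian script: check how much entropy the kernel has, mix bytes from the SoC's hardware RNG into the pool, throw away the first-boot host keys and create new ones. It assumes the Pi's RNG shows up as /dev/hwrng once the bcm2708_rng module is loaded (the Pi kernels of that era did this), that ssh-keygen from OpenSSH is installed, and that it is run as root; the entropy threshold of 1000 bits is an arbitrary sanity floor, not a value from the article.

```shell
#!/bin/sh
# Added example (not from the forum post): seed the kernel pool from the Pi's
# hardware RNG, then regenerate the SSH host keys that first boot created from
# a near-empty pool. Assumptions: the SoC RNG is /dev/hwrng once bcm2708_rng
# is loaded, ssh-keygen is installed. Run as root with:  sh fix-hostkeys.sh run
set -eu

ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}
HWRNG=${HWRNG:-/dev/hwrng}
SSH_DIR=${SSH_DIR:-/etc/ssh}

# entropy_ok FILE [MIN]: succeed if the bit count in FILE (the kernel's
# entropy_avail) is at least MIN (default 1000, an assumed sanity floor).
entropy_ok() {
    avail=$(cat "$1")
    [ "$avail" -ge "${2:-1000}" ]
}

# seed_pool_from_hwrng DEVICE: mix 512 bytes of hardware randomness into the
# kernel pool. Writing to /dev/urandom mixes the bytes in but does not credit
# entropy, so entropy_avail does not rise; the pool output is still
# unpredictable because the input is. rngd (rng-tools) is the durable answer,
# since it feeds /dev/hwrng in at every boot and credits what it adds.
seed_pool_from_hwrng() {
    modprobe bcm2708_rng 2>/dev/null || true
    [ -c "$1" ] || { echo "no hardware RNG at $1" >&2; return 1; }
    dd if="$1" of=/dev/urandom bs=512 count=1 2>/dev/null
}

# regenerate_host_keys DIR: delete every host key under DIR and create fresh
# rsa, ecdsa and ed25519 pairs. (ssh-keygen -A would also create any missing
# default keys, but only after the weak ones have been removed.)
regenerate_host_keys() {
    dir=$1
    rm -f "$dir"/ssh_host_*_key "$dir"/ssh_host_*_key.pub
    for t in rsa ecdsa ed25519; do
        ssh-keygen -q -N "" -t "$t" -f "$dir/ssh_host_${t}_key"
    done
}

# fingerprints DIR: one line per public key, for comparing before and after
# and for telling clients what to expect in known_hosts.
fingerprints() {
    for k in "$1"/ssh_host_*_key.pub; do
        ssh-keygen -lf "$k"
    done
}

# The destructive part only runs when explicitly asked for, so the file can
# be sourced for its functions without touching /etc/ssh.
if [ "${1:-}" = "run" ]; then
    echo "before:"; fingerprints "$SSH_DIR"
    if ! entropy_ok "$ENTROPY_FILE"; then
        echo "entropy_avail is $(cat "$ENTROPY_FILE"), seeding from $HWRNG" >&2
    fi
    seed_pool_from_hwrng "$HWRNG"
    regenerate_host_keys "$SSH_DIR"
    echo "after:"; fingerprints "$SSH_DIR"
    echo "now restart sshd and update known_hosts on every client"
fi
```

After the keys change, every client that has already connected will see a "host key has changed" warning; that is expected here, and the "after" fingerprints are what should be pasted into their known_hosts. Clients that have never connected get no warning at all, which is exactly why a weak host key is dangerous in the first place.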

    “This is something that’s easily fixed but then relies on Raspberry Pi users to be aware and update their systems,” said Patrick Hilt, CTO of two-factor authentication biz MIRACL. “If they don’t, it creates a potential weak spot.”

    This issue is not unique to the Raspberry Pi or to Raspbian; systems like the Pi are simply more susceptible. Many Linux distributions stockpile random seed data during installation and use it to prime the pool on first boot, but Raspbian doesn't work that way.

    Instead it starts up ready to go straight from the SD card, and so boots with very little entropy. As Hilt explained it to us, by the time most Linux systems have finished downloading packages and spinning disks during the install process, they have built up enough entropy to generate secure keys.

    “On a server or desktop computer, entropy isn’t needed until later during system startup and use,” he said.

    By then, thanks to network traffic, user input and other hardware events, there is usually plenty of entropy to go around. In embedded systems the situation can be different, especially if random numbers are needed early in the boot process, and that's what we're seeing here with Raspbian.

    “It’s imperative, especially in the Internet-of-Things era, for embedded systems developers to be security conscious and design whole systems in such a way that random numbers are not needed until there is enough entropy and/or the Linux kernel entropy pool is seeded from a hardware random number generator if it is present in the system," he asserted.

    In other Linux and open source news

    Debian founder Ian Murdock has joined the Linux container team at Docker.

    Murdock, who created Debian more than twenty-two years ago and led the project for its first three years, has taken up a position on Docker's technical team.

    Details of Murdock's role and responsibilities were not available at the time of writing, however.

    But Docker has a huge interest in perfecting the deployment of Linux applications in its container technology for cloud and microservices.

    Until October, Murdock was vice president of platform services for Salesforce's marketing cloud. He had been with the as-a-service provider for four years.

    He joined through the firm's $2.5 billion acquisition of ExactTarget in 2013. ExactTarget has since been renamed Salesforce Marketing Cloud.

    Before that, Murdock held various open-source-friendly executive positions at Sun Microsystems, including work on operating systems and Project Indiana (the open-sourcing of Solaris as OpenSolaris).

    OpenSolaris was a successful project until Sun's new owner Oracle killed it by cutting off the community.

    Murdock was also chief technology officer of the Linux Foundation, but it's Debian that made his name as the developer's technologist.

    Debian was one of the first Linux distributions and is regarded as one of the most successful open-source projects ever launched.

    The Debian universe consists of more than 43,000 software packages, including popular free programs such as LibreOffice and GIMP. Docker itself is one of those packages.

    Since Murdock's time, the Debian project has grown to more than 1,000 members globally.

    There are fifty-two distributions built on the Debian platform, with Ubuntu arguably the best known and most successful of them.

    By extension, a host of Ubuntu spinoffs are also Debian-based. Debian is available in 73 languages and on ARM, AMD, Intel, MIPS, Power and z architectures, running on desktops (with the GNOME project), on servers and in embedded applications.

    In other Linux and open source news

    Fedora 23 is finally here, a week late. The new version is a significant update that was worth waiting for, however.

    That's thanks not just to upstream projects like GNOME, now at 3.18, but also to some impressive new features from the community that maintains Fedora.

    Like its predecessor, the new Fedora comes in three base configurations: Workstation, Server and Cloud.

    The former is the desktop release and the primary basis for our testing, though we also tested the Server release this time around.

    The default Fedora 23 live CD will install the GNOME desktop, though there are plenty of spins available if you prefer something else.

    We opted for GNOME since a lot of what's new in it, like much improved Wayland support, is currently only really available through Fedora.

    We have been hard on Fedora's Anaconda installer in the past, but we are slowly coming around now. The installation experience in Fedora 23 is hard to beat, particularly the way you don't need to visit sections if Fedora has guessed something right.

    For example, Anaconda correctly guessed our time zone so we can just skip that screen without even needing to click OK. It's a small thing, but it helps set a certain tone of feature completeness right from the start.

    But overall, we still think that the button-based approach of Anaconda can sometimes make it difficult to figure out what you've missed if it's your first time using the installer.

    But it's a little simpler in Fedora 23 because there's an additional orange bar across the bottom to tell you about whatever you missed.

    What's perhaps most encouraging about Anaconda is that Fedora keeps refining it. Having just installed and tested Ubuntu and openSUSE on other machines recently, we wouldn't hesitate to say that Anaconda is a better experience than either.

    It's certainly faster thanks to the amount of stuff you can simply ignore. Once you've got Fedora Workstation installed, the first thing you'll likely notice is GNOME 3.18.

    GNOME may be upstream of Fedora, but the distribution has long been where GNOME showcases new features, and Fedora 23 is no different.

    Among the changes in GNOME 3.18 are faster searching, first-class support for integrating Google Drive in Nautilus, support for light sensors (handy on laptops since you can lower the back light setting and extend battery life) and improved Wayland support.

    And some other new features in GNOME 3.18 deserve mention. GNOME Software now has support for firmware updates via fwupd. The firmware support means that you won't need any proprietary tools nor will you have to resort to pulling out the bootable DVDs.

    The catch is that the vendor for your hardware needs to upload the firmware to the Linux Vendor Firmware Service.

    Another big new GNOME project that will arrive soon is xdg-app, a system for building, distributing and running sandboxed desktop applications. More on that in a later article.

    For now, aside from the security gains of sandboxing, xdg-app also hopes to let app developers use a single package for multiple distributions. The xdg-app support in Fedora 23 is still very experimental and none of the apps are actually packaged this way, but look for it to keep expanding in Fedora and GNOME's futures.

    Fedora has been an early adopter of Wayland, the X.org replacement that will eventually be the default option, perhaps as early as Fedora 24. If you'd like to play around with Wayland, this release offers considerably more support than any other distro to date.

    Provided you have supported hardware, Wayland actually works quite well, and with a little extra effort, installing some experimental repos can get you really nice features like full GTK 3 support for LibreOffice 5.

    It will also offer support for HiDPI screens, among other things, and even support for running monitors with DPI-independent resolution.

    You can also have hi-resolution and normal res monitors running off the same machine and it all just works well.

    However, not everything in GNOME 3.18 is great. The GNOME project continues its curious take on usability by removing something that was genuinely useful: in this case the file copy feedback message, a small window with a progress bar.

    The window is gone and now you'll have to get by with a tiny pie chart-looking icon in the Nautilus window that shows some progress.

    We mention this not so much to poke fun at Nautilus's ever-declining usability, but because it is the only file copy feedback you'll get, and unless you know it's there you'll probably keep dragging and dropping files, thinking they haven't copied, when in fact you just didn't notice.

    In other Linux and open source news

    A snippet of new code can give Linux servers a boost by fixing a long-unnoticed bug in a congestion control algorithm in the operating system's kernel.

    The new code was provided by Google's transport networking team, with contributions from Jana Iyengar, Neal Cardwell and a few others.

    It repairs an old bug in a set of routines called TCP CUBIC, designed to address the slow response of TCP in long-distance, high-bandwidth networks, according to its creators.

    Like any congestion control algorithm, TCP CUBIC decides how fast to send based on signs of congestion in the network.

    If the network becomes very busy with sudden bursts of traffic, hosts are made to slow down.

    As Mozilla developer Patrick McManus explains, the bug was simple: TCP CUBIC interprets a lack of congestion signals as an opportunity to send data at a faster rate. That's it. Nothing more.

    But of course that condition can arise merely because the connection has been idle and so has not sent anything that could have produced a congestion signal. That's something else entirely, but nothing that can't be addressed.

    What's supposed to happen in congestion control is that the operating system starts sending data slowly, increases its transmission rate until the network signals 'that's enough', and then backs off a bit. The design is really simple but smart when you think about it.

    The bug in TCP CUBIC fools the system into thinking it has a clear run at the network and should transmit at the maximum rate the algorithm allows, crashing into other traffic and ruining the performance and efficiency of the connection.


    “The end result is that applications that toggle between transmitting lots of data and then laying quiescent for a bit before returning to high rates of sending will transmit way too fast when returning to the sending state,” McManus explained to us in an email.

    However, that condition could be quite common, he notes. A server may have sent a short burst of data over HTTP containing a web form for someone to fill out, and go quiet waiting for a response, then assume there's no congestion, and burst out of the blocks at top-rate when it gets the user's response back.

    “A far more dangerous class of triggers is likely to be the various HTTP based adaptive streaming media formats where a series of chunks of media are transferred over time on the same HTTP channel”, McManus asserted.

    That's why a fix for this old flaw could be important. Linux is used in many media servers, and for the past ten years or more an important piece of congestion control hasn't been working quite efficiently in some cases.

    The fix makes the Linux kernel behave a little more sensibly after an idle period.

    A more technical description is included with the bug fix. The code snippet is available on Google's website.

    In other Linux and open source news

    OpenWrt 15.05, the open source router firmware, has been released and is now in use.

    One highlight of the new iteration is an upgrade to version 3.18 of the Linux kernel, and security has been beefed up with ed25519 package signing support, along with support for jails and hardened builds.

    But the big news is a fully writable filesystem with package management, according to the project's founders.

    This, OpenWrt explains, offers users different options for the installation and the customisation of the upgraded routing system.

    Instead of having to use a vendor's application and selection framework, OpenWrt can now be configured using developer-supplied applications, the group said.

    “OpenWrt is a framework to build an application without having to build a complete firmware from the ground up”, the announcement says, while users get “full customization to use the device in ways never envisioned in the past”.

    Of course, that almost sounds like a challenge to the FCC, which just a few weeks ago issued a proposed rule-making that would demand Wi-Fi firmware lock-down on several classes of device.

    The proposal specifically contemplates requiring Wi-Fi vendors to lock down their firmware and singles out third-party firmware such as DD-WRT as a potential issue.

    As the proposal puts it, router vendors selling new equipment in America would have to answer: "What prevents third parties from loading non-US versions of the software/firmware on the device? Describe in detail how the device is protected from 'flashing' and the installation of third-party firmware such as DD-WRT."

    The FCC's overall concerns are that third-party firmware could allow end users to mess around with their wireless settings, and in careless or malicious hands, that could end up with a Wi-Fi router operating outside its radio spectrum certification.

    With OpenWrt's new upgrade, its device support has now passed 950 products from 159 vendors, with new devices added from Marvell, Broadcom and Raspberry Pi.

    Source: The Debian Project.


    All logos, trade marks or service marks on this website are the property of their respective companies or owners.

    Article featured on Tech Blog and on Business 5.0


      Site powered by Linux Hosting      Sponsored by Sun Hosting.      Linux news while they are still fresh.    ©   Linux is a registered trademark of Linus Torvalds.