Share on Twitter.
Get the most dependable SMTP service for your business. You wished you got it sooner!
December 2, 2015
In the IT community these days, it's needless to say that Raspberry Pis are running Raspbian, a flavor
of Debian GNU/Linux tuned specifically for the teeny tiny computers.
But like just about anything in modern life, there are a few caveats-- this could potentially generate
some weaker (ie: less secure) SSH host keys.
This could potentially yield 'man-in-the-middle' attackers a good chance of decrypting people's
secure connections to Raspberry Pi devices.
Last month's release of Raspbian does not use a hardware random number generator by default, according to
a bug report posted to the Pi Forums.
Ideally, this generator should pour unpredictable numbers into a so-called entropy pool from which
cryptographically secure numbers could be obtained.
However, this doesn't happen right now, and so the operating system's algorithms end up producing
rather predictable random numbers that could be easily intercepted by a hacker.
Overall, crypto keys crafted from these 'predictable sequences' during the machine's first boot-up
can be recreated by eavesdroppers, and used to decrypt intercepted SSH connections to reveal login passwords
and snoop on Debian Linux terminals.
If the hardware generator was seeding the pool in the first place, the generated keys would be vastly more
secure. But here's what the bug reporter had to say:
Raspbian (2015-11-21-raspbian-jessie.zip SHA1: ce1654f4b0492b3bcc93b233f431539b3df2f813) doesn't enable
hardware random number generator by default. This causes generation of predictable SSH host keys on the
first boot. As soon as the systems starts up systemd-random-seed tries to seed /dev/urandom, but
/var/lib/systemd/random-seed is missing, because it hasn't been created yet. /etc/rc2.d/S01regenerate_ssh_host_keys is
executed, but /dev/urandom pool doesn't have that much entropy at this point and predictable SSH host keys will be
We've been told that the problem is due to be fixed in the next Raspbian image release, and users
should ensure they upgrade when that's available.
In the meantime, people worried about the security of their SSH servers should regenerate their host
keys after seeding /dev/urandom with the hardware random number generator in the Pi's system-on-chip processor.
The commands to do that, and a hotfix patch to address the issue, are given in the aforementioned forum post.
“This is something that’s easily fixed but then relies on Raspberry Pi users to be aware and update their
systems,” said Patrick Hilt, CTO of two-factor authentication biz MIRACL. “If they don’t, it creates a potential
This specific issue is not just for the Raspberry Pi nor Raspbian; it's just that systems like the Pi are
more susceptible. Many Linux distributions stockpile random seed data during installation, and then use that to
prime the pool during first boot-up, but Raspbian doesn't work that way.
Instead it starts up ready to go straight from the SD card, and thus suffers from low entropy. As Hilt explained
it to us, by the time most Linux systems have finished downloading various packages and spinning disks during
the install process, they've built up enough entropy and enough random numbers to generate secure keys.
“On a server or desktop computer, entropy isn’t needed until later during system startup and use,” he said.
By then, based on network traffic and/or user input and other hardware events, there is usually plenty of
entropy to go around. In embedded systems, the situation can be different especially if random numbers are accessed
early in the boot process, and that’s what we’re seeing here with Raspbian.
“It’s imperative, especially in the Internet-of-Things era, for embedded systems developers to be security
conscious and design whole systems in such a way that random numbers are not needed until there is enough entropy
and/or the Linux kernel entropy pool is seeded from a hardware random number generator if it is present in the system,"
In other Linux and open source news
Debian founder Ian Murdock has joined the Linux container team at Docker.
Murdock, who created and developed Debian more than twenty-two years ago and led the project
for three years during its birth, has taken up position as a member of Docker’s technical team.
Various details of Murdock’s role or responsibilities were not available at the time of this writing,
But Docker has a huge interest in perfecting the deployment of Linux applications in its container
technology for cloud and micro services.
Until October, Murdock was vice president of platform services for Salesforce’s marketing cloud.
He’d been with the as-a-service provider for 4 years.
He joined Salesforce.com through the cloudy firm’s $2.5 billion acquisition of ExactTarget
in 2013. ExactTarget has since been renamed Salesforce Marketing Cloud.
And before that, Murdock has occupied different open-source friendly executive positions for Sun
Microsystems, including some work on operating systems and Project Indiana (the open-sourcing
of Solaris as OpenSolaris).
OpenSolaris was such a successful project that Sun’s new owner Oracle killed it by chopping
off the community.
Overall, Murdock was also chief technology officer for the Linux Foundation but it’s Debian
that birthed the legend of Murdock as the developer’s technologist.
Debian was one of the first Linux distributions to be forged and regarded as a one of the most
successful open-source projects ever launched.
The Debian universe consists of more than 43,000 software packages with popular and free programs
including LibreOffice and GIMP. Docker is one of the Debian universe’s packages.
Since Murdock’s time, the Debian project has grown in manpower to span more than 1,000
There exists fifty-two distributions built on the Debian platform with, arguably, Ubuntu being
the best-known and most successful of them.
By extension, a host of Ubuntu spinoffs also use Debian. Debian is available in 73 languages
and on ARM, AMD, Intel, MIPS, Power and z architectures, running on desktop, with the Gnome project
on servers and in embedded applications.
In other Linux and open source news
Linux Fedora 23 is finally here, even if it's a week late. The new version represents a significant update
that was worth waiting for, however.
That’s thanks not just to upstream projects like GNOME, now at 3.18, but also some impressive new
features from the Linux community that maintains Fedora.
Like its predecessor, this Fedora new version comes in three base configurations: Workstation,
Server and Cloud.
The former is the desktop release and the primary basis for our testing, though we also tested
the Server release this time around.
The default Fedora 23 live CD will install the GNOME desktop though there are plenty of spins
available if you prefer something else.
We opted for GNOME since a lot of what's new in it, like much improved Wayland support is currently
only really available through Fedora.
We have been hard on Fedora's Anaconda installer in the past, but we are slowly coming around now.
The installation experience in Fedora 23 is hard to beat, particularly the way you don't need
to visit sections if Fedora has guessed something right.
For example, Anaconda correctly guessed our time zone so we can just skip that screen without
even needing to click OK. It's a small thing, but it helps set a certain tone of feature completeness
right from the start.
But overall, we still think that the button-based approach of Anaconda can sometimes make it difficult
to figure out what you've missed if it's your first time using the installer.
But it's a little simpler in Fedora 23 because there's an additional orange bar across the bottom
to tell you about whatever you missed.
What's perhaps most encouraging about Anaconda is that Fedora keeps refining it. Having just
installed and tested Ubuntu and openSUSE on other machines recently, we wouldn't hesitate to say
that Anaconda is a better experience than either.
It's certainly faster thanks to the amount of stuff you can simply ignore. Once you've got Fedora
WorkStation installed, the first thing you'll likely notice is GNOME 3.18.
For all intents and purposes, GNOME may be upstream from Fedora, but the repository
has long been where GNOME turns to showcase new features, and Fedora 23 is no different.
Among the changes in GNOME 3.18 are faster searching, first-class support for integrating
Google Drive in Nautilus, support for light sensors (handy on laptops since you can lower the back
light setting and extend battery life) and improved Wayland support.
And some other new features in GNOME 3.18 deserve mention. GNOME Software now has support for
firmware updates via fwupd. The firmware support means that you won't need any proprietary tools
nor will you have to resort to pulling out the bootable DVDs.
The catch is that the vendor for your hardware needs to upload the firmware to the Linux Vendor
Another big new GNOME project that will arrive soon is the Xdg project. Xdg will be a system for
building, distributing and running sandboxed desktop applications. More on that in a later article.
But for now, aside from the security gains of sandboxing, xdg-app also hopes to allow app developers
to use a single package for multiple distributions. The xdg support in Fedora 23 is still very experimental
and none of the apps are actually packaged this way, but look for xdg support to continue expanding in Fedora
and GNOME's futures.
Fedora has been an early adopter of Wayland, the X.org replacement that will eventually be
the default option, coming perhaps as early as Fedora 24. If you'd like to play around with Wayland,
this release offers considerably more support than any other distro to date.
Provided that you have the supported hardware, Wayland actually works quite well and with a little extra
effort, installing some experimental repos can get you really nice features like full GTK 3 support for
It will also offer support for HiDPI screens, among other things, and even support for running
monitors with DPI-independent resolution.
You can also have hi-resolution and normal res monitors running off the same machine and it all
just works well.
However, not everything in GNOME 3.18 is great... The GNOME project continues its curious take on
usability by removing something that was genuinely useful. In this case, it's the file copy feedback
message that was a small window with a progress bar.
The window is gone and now you'll have to get by with a tiny icon in the Nautilus window that kind of shows
some progress via a pie chart-looking icon.
We mention this not so much to poke fun at Nautilus's ever-declining usability, but because it is
the only file copy feedback you'll get and unless you know it's there you'll probably keep dragging
and dropping files, thinking they haven't copied, when in fact you just didn't notice.
In other Linux and open source news
A snippet of new code can give Linux servers a boost by addressing an unnoticed bug in a
congestion control algorithm in the operating system's kernel.
The new code was provided by Google's transport networking team, with contributions from Jana
Iyengar, Neal Cardwell and a few others.
It repairs an old bug in a set of routines called TCP CUBIC designed to address the slow response
of TCP in long-distance networks, according to its creators.
Like any congestion control algorithm, TCP CUBIC makes network-level decisions based on traffic
If the network becomes very busy with sudden bursts of traffic, hosts are told to slow down.
As Mozilla developer Patrick McManus explains, the bug was simple-- TCP CUBIC interprets a lack of
congestion reports as an opportunity to send data at a faster rate. That's it. Nothing more.
But of course, that condition could arise merely because the system hasn't been getting any congestion
update reports in a while. That's something else, but nothing that can't be addressed.
What's supposed to happen in congestion control is that the operating system starts sending data
slowly, increases its transmission rate until the network says 'that's enough', and then backs off
a bit. The design is really simple but smart when you think of it.
The bug in TCP CUBIC fools the system into thinking it has a clear run at the network and
should transmit at the maximum possible rate, crashing into other traffic, and ruining the performance
and the efficiency of the system.
“The end result is that applications that toggle between transmitting lots of data and then laying
quiescent for a bit before returning to high rates of sending will transmit way too fast when returning
to the sending state,” McManus explained to us in an email.
However, that condition could be quite common, he notes. A server may have sent a short burst of
data over HTTP containing a web form for someone to fill out, and go quiet waiting for a response,
then assume there's no congestion, and burst out of the blocks at top-rate when it gets the user's
“A far more dangerous class of triggers is likely to be the various HTTP based adaptive streaming
media formats where a series of chunks of media are transferred over time on the same HTTP channel”,
That's why a fix for that old flaw could be important. Linux is used in many media servers, and
for the past ten years or more, an important slate of congestion control hasn't been working quite
efficiently in some cases.
The code snippet forces the Linux kernel to act a little more intelligently after an idle period.
A more technical description is included with the bug fix. The code snippet is available on Google's
In other Linux and open source news
The open source router OpenWrt version 15.05 has hit the streets and the new release is
One highlight of the new iteration is an upgrade to Version 3.18 of the Linux kernel, and security
has been beefed up with ed-25519 package signing support, and also support for jails and hardened
builds as well.
But the big news is a fully writable filesystem with package management, according to the project's
This, OpenWrt explains, offers users different options for the installation and the customisation
of the upgraded routing system.
Instead of having to use a vendor's application and selection framework, OpenWrt can now be configured
using developer-supplied applications, the group said.
“OpenWrt is a framework to build an application without having to build a complete firmware from
the ground up”, the announcement says, while users get “full customization to use the device in ways
never envisioned in the past”.
Of course, that almost sounds like a challenge to the FCC, which just a few weeks ago issued
a proposed new rule-making that would demand Wi-Fi lock down on several systems.
The proposed regulation specifically proposes requiring Wi-Fi vendors to lock down their
firmware and names OpenWrt as a potential issue.
As the rule states, router vendors selling new equipment in America would have to answer “What
prevents third parties from loading non-US versions of the software/firmware on the device? Describe
in detail how the device is protected from “flashing” and the installation of third-party firmware such
as DD-WRT,” the new ruling states.
The FCC's overall concerns are that third-party firmware could allow end users to mess around
with their wireless settings, and in careless or malicious hands, that could end up with a Wi-Fi
router operating outside its radio spectrum certification.
With OpenWrt's new upgrade, its device support has now passed 950 products from 159 vendors, with
new devices added from Marvell, Broadcom and Raspberry Pi.
Source: The Debian Project.
Get the most reliable SMTP service for your business. You wished you got it sooner!
All logos, trade marks or service marks on this website are the property of their respective
companies or owners.
Linux News Today.org is read by over 450,000 people involved in the field of Linux application development,
professional Web hosting services, Linux
security, Linux Web development, etc.
Inquire about our reasonable advertising rates
on our news website. One of our advertising representatives will be in touch with you. Simply email us to learn
about our ad rates and how we can help drive relevant traffic to your website. Advertising space is limited.