
Operating Systems

Exodus Intelligence Details Zero-Day Vulnerabilities In Tails OS 129

Posted by timothy
from the compared-to-what? dept.
New submitter I Ate A Candle (3762149) writes Tails OS, the Tor-reliant privacy-focused operating system made famous by Edward Snowden, contains a number of zero-day vulnerabilities that could be used to take control of the OS and execute code remotely. At least that's according to zero-day exploit seller Exodus Intelligence, which counts DARPA amongst its customer base. The company plans to tell the Tails team about the issues "in due time", said Aaron Portnoy, co-founder and vice president of Exodus, but it isn't giving any information on a disclosure timeline. This means users of Tails are in danger of being de-anonymised. Even version 1.1, which hit public release today (22 July 2014), is affected. Snowden famously used Tails to manage the NSA files. The OS can be held on a USB stick and leaves no trace once removed from the drive. It uses the Tor network to avoid identification of the user, but such protections may be undone by the zero-day exploits Exodus holds.

MicroxWin Creates Linux Distribution That Runs Debian/Ubuntu & Android Apps 39

Posted by samzenpus
from the all-in-one dept.
An anonymous reader writes VolksPC who developed MicroXwin as a lightweight X Window Server has come up with their own Linux distribution. Setting apart VolksPC's distribution from others is that it's based on both Debian and Android and has the capability to run Debian/Ubuntu/Android apps together in a native ARM experience. The implementation doesn't depend on VNC or other similar solutions of the past that have tried to join desktop apps with mobile Android apps. This distribution is also reportedly compatible with all Android applications. The distribution is expected to begin shipping on an ARM mini-PC stick.

Ask Slashdot: Is It Feasible To Revive an Old Linux PC Setup? 176

Posted by Unknown Lamer
from the when-real-hackers-used-fvwm dept.
Qbertino (265505) writes I've been rummaging around on old backups and cleaning out my stuff and have once again run into my expert-like paranoid backups and keepsakes from back in the days (2001). I've got, among other things, a full set of Debian 3 CDs, an original StarOffice 6.0 CD including a huge manual in mint condition, Corel Draw 9 for Linux, the original box & CDs — yes it ran on a custom wine setup, but it ran well, I did professional design and print work with it.

I've got more of other stuff lying around, including the manuals to run it. Loki Softs Tribes 2, Kohan, Rune, and the original Unreal Tournament for Linux have me itching too. :-)

I was wondering if it would be possible to do an old 2001ish setup of a Linux workstation on some modern super cheap, super small PC (Raspberry Pi? Mini USB PC?), install all the stuff and give it a spin. What problems should I expect? VESA and Soundblaster drivers I'd expect to work, but what's with the IDE HDD drivers? How well does vintage Linux software from 2003 play with today's cheap system-on-board MicroPCs? What's with the USB stuff? Wouldn't the install expect the IO devices hooked on legacy ports? Have you tried running 10-15 year old Linux setups on devices like these and what are your experiences? What do you recommend?

Linux Business

Alienware Swaps SteamOS For Windows 173

Posted by Soulskill
from the missing-the-train dept.
An anonymous reader writes "Valve left many OEMs hanging when they delayed Steam machines until sometime next year to work out their controller issues. Many of these companies excitedly showed off new Steam machine hardware that they cannot ship, so Alienware has been the first to re-purpose its Debian-based Steam machine to be a Windows-based Steam machine bundled with an Xbox controller. While Windows 8.x has not been particularly well-received it does support a lot more games than Linux and when configured to boot straight into Steam Big Picture mode the influence of the underlying OS is visible only in the larger game library."

Hardware Hacking

OpenRISC Gains Atomic Operations and Multicore Support 77

Posted by Unknown Lamer
from the now-that's-hardware-hacking dept.
An anonymous reader writes "You might recall the Debian port that is coming to OpenRISC (which is by the way making good progress with 5000 packages building) — Olof, a developer on the OpenRISC project, recently posted a lengthy status update about what's going on with OpenRISC. A few highlights are upstreamed binutils support, multicore becoming a thing, atomic operations, and a new build system for System-on-Chips."

Ask Slashdot: Practical Alternatives To Systemd? 533

Posted by timothy
from the going-forward dept.
First time accepted submitter systemDead (3645325) writes "I looked mostly with disinterest at Debian's decision last February to switch to systemd as the default init system for their future operating system releases. The Debian GNU/Linux distribution is, after all, famous for allowing users greater freedom to choose what system components they want to install. This appeared to be the case with the init system, given the presence of packages such as sysvinit-core, upstart, and even openrc as alternatives to systemd.

Unfortunately, while still theoretically possible, installing an alternative init system means doing without a number of useful, even essential system programs. By design, systemd appears to be a full-blown everything-including-the-kitchen-sink solution to the relatively simple problem of starting up a Unix-like system. Systemd, for example, is a hard-coded dependency for installing Network Manager, probably the most user-friendly way for a desktop Linux system to connect to a wireless or wired network. Just this week, I woke up to find out that systemd had become a dependency for running PolicyKit, the suite of programs responsible for user privileges and permissions in a typical Linux desktop.

I was able to replace Network Manager with connman, a lightweight program originally developed for mobile devices. But with systemd infecting even the PolicyKit framework, I find myself faced with a dilemma. Should I just let systemd take over my entire system, or should I retreat to my old terminal-based computing in the hope that the horde of the systemDead don't take over the Linux kernel itself?

What are your plans for working with or working around systemd? Are there any mainstream GNU/Linux distros that haven't adopted and have no plans of migrating to systemd? Or is migrating to one of the bigger BSD systems the better and more future-proof solution?"

All Packages Needed For FreedomBox Now In Debian 54

Posted by Unknown Lamer
from the i-think-you-mean-gnu-slash-freedom dept.
Eben Moglen's FreedomBox concept (personal servers for everyone to enable private communication) is getting closer to being an easy-to-install reality: all packages needed for FreedomBox are now in Debian's unstable branch, and should be migrating to testing in a week or two. Quoting Petter Reinholdtsen: "Today, the last of the packages currently used by the project to create the system images were accepted into Debian Unstable. It was the freedombox-setup package, which is used to configure the images during build and on the first boot. Now all one needs to get going is the build code from the freedom-maker git repository and packages from Debian. And once the freedombox-setup package enters testing, we can build everything directly from Debian. :) Some key packages used by Freedombox are freedombox-setup, plinth, pagekite, tor, privoxy, owncloud, and dnsmasq. There are plans to integrate more packages into the setup. User documentation is maintained on the Debian wiki." You can create your own image with only three commands, at least if you have a DreamPlug or Raspberry Pi (you could also help port it to other platforms).

Heartbleed Disclosure Timeline Revealed 62

Posted by samzenpus
from the when-did-you-know dept.
bennyboy64 (1437419) writes "Ever since the Heartbleed flaw in OpenSSL was made public there have been various questions about who knew what and when. The Sydney Morning Herald has done some analysis of public mailing lists and talked to those involved with disclosing the bug to get to the bottom of it. The newspaper finds that Google discovered Heartbleed on or before March 21 and notified OpenSSL on April 1. Other key dates include Finnish security testing firm Codenomicon discovering the flaw independently of Google at 23:30 PDT, April 3. SuSE, Debian, FreeBSD and AltLinux all got a heads up from Red Hat about the flaw in the early hours of April 7 — a few hours before it was made public. Ubuntu, Gentoo and Chromium attempted to get a heads up by responding to an email with few details about it but didn't, as the guy at Red Hat sending the disclosure messages out in India went to bed. By the time he woke up, Codenomicon had reported the bug to OpenSSL."

OpenSSL Bug Allows Attackers To Read Memory In 64k Chunks 303

Posted by Unknown Lamer
from the check-your-bounds dept.
Bismillah (993337) writes "A potentially very serious bug in OpenSSL 1.0.1 and 1.0.2 beta has been discovered that can leak just about any information, from keys to content. Better yet, it appears to have been introduced in 2011, and known since March 2012." Quoting the security advisory: "A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server." The attack may be repeated and it appears trivial to acquire the host's private key. If you were running a vulnerable release, it is even suggested that you go as far as revoking all of your keys. Distributions using OpenSSL 0.9.8 are not vulnerable (Debian Squeeze vintage). Debian Wheezy, Ubuntu 12.04.4, Centos 6.5, Fedora 18, SuSE 12.2, OpenBSD 5.4, FreeBSD 8.4, and NetBSD 5.0.2 and all following releases are vulnerable. OpenSSL released 1.0.1g today addressing the vulnerability. Debian's fix is in incoming and should hit mirrors soon, Fedora is having some trouble applying their patches, but a workaround patch to the package .spec (disabling heartbeats) is available for immediate application.

Not Just Apple: GnuTLS Bug Means Security Flaw For Major Linux Distros 144

Posted by timothy
from the holes-to-plug dept.
According to an article at Ars Technica, a major security bug faces Linux users, akin to the one recently found in Apple's iOS (and which Apple has since fixed). Says the article: "The bug is the result of commands in a section of the GnuTLS code that verify the authenticity of TLS certificates, which are often known simply as X509 certificates. The coding error, which may have been present in the code since 2005, causes critical verification checks to be terminated, drawing ironic parallels to the extremely critical 'goto fail' flaw that for months put users of Apple's iOS and OS X operating systems at risk of surreptitious eavesdropping attacks. Apple developers have since patched the bug." And while Apple can readily fix a bug in its own software, at least for users who keep up on patches, "Linux" refers to a broad range of systems and vendors, rather than a single company, and the affected systems include some of the biggest names in the Linux world, like Red Hat, Debian, and Ubuntu.

Interview: Ask Bruce Perens What You Will 129

Posted by samzenpus
from the go-ahead-and-ask dept.
Bruce Perens is a computer programmer and one of the most important advocates for the open source community. He co-founded the Open Source Initiative with ESR and has worked towards reforms of national and international technology policies. He is an amateur radio enthusiast, and has pushed for open radio communication standards. He is also our interview guest today. As usual, ask as many questions as you'd like, but please, one per post.

Ask Slashdot: Moving From Tech Support To Development? 133

Posted by timothy
from the which-flavor-of-ice-cream? dept.
An anonymous reader writes "My eastern European tech-support job will be outsourced in 6 months to a nearby country. I do not wish to move, having relationship and roots here, and as such I stand at a crossroads. I could take my current hobby more seriously and focus on Java development. I have no degree, no professional experience in the field, and as such, I do not hold much market value for an employer. However, I find joy in the creative problem solving that programming provides. Seeing the cogs finally turn after hours invested gives me pleasures my mundane work could never do. The second option is Linux system administration with a specialization in VMware virtualisation. I have no certificates, but I have been around enterprise environments (with limited support of VMware) for 21 months now, so at the end of my contract with 27 months under my belt, I could convince a company to hire me based on willingness to learn and improve. All the literature is freely available, and I've been playing with VDIs in Debian already.

My situation is as follows: all living expenses except food, luxuries and entertainment are covered by the wage of my girlfriend. That would leave me in a situation where we would be financially alright, but not well off, if I were to earn significantly less than I do now. I am convinced that I would be able to make it in system administration, however, that is not my passion. I am at an age where children are not a concern, and risks seem to be, at first sight, easier to take. I would like to hear the opinion and experience of fellow readers who might have been in a similar situation."

Debian Considering Long Term Support for Squeeze 46

Posted by Unknown Lamer
from the thank-gnu dept.
Via Bits from Debian, comes news that the security team is considering adding a Long Term Support suite for Squeeze (Debian 6) after Jessie (Debian 8) is released sometime next year. From the mailing list post: "At the moment it seems likely that an extended security support timespan for squeeze is possible. The plan is to go ahead, sort out the details as it happens, and see how this works out and whether it is going to be continued with wheezy. The rough draft is that updates will be delivered via a separate suite (e.g. squeeze-lts), where everyone in the Debian keyring can upload in order to minimise bottlenecks and allow contributions by all interested parties. Some packages will be exempted upfront due to their volatile nature (e.g. some web applications) and others might be expected to see important changes. The LTS suite will be limited to amd64 and i386. The exact procedures will be sorted out soon and announced in a separate mail. ... It needs to be pointed out that for this effort to be sustainable actual contributions by interested parties are required. squeeze-lts is not something that will magically fall from the sky. If you're dependent/interested in extended security support you should make an effort to contribute." If successful, the LTS idea would possibly be carried over to Wheezy. With all of the changes coming in Jessie and its aggressive release schedule, this sysadmin really likes the idea of having a bit more breathing room for updating infrastructure between releases. The email also contains a bunch of other info on changes coming to the security process.

In related news, the Debian Installer team announced the first alpha of debian-installer for Jessie. Just the installer, not the distro as a whole (Jessie will be frozen in November). XFCE remains the default desktop, ia64 was kicked out of the archive, and a few new ARM variants are supported.

Ask Slashdot: Linux For Grandma? 287

Posted by Unknown Lamer
from the gnu-slash-grandma dept.
First time accepted submitter BlazeMiskulin writes "With XP approaching end-of-life, I find myself in a situation that I'm guessing is common: What to do with Mom's machine (or 'grandma's machine' for the younger of you). Since a change has to be made, this seems like a good time to move to a Linux distro. My mother (82) uses her computer for e-mail and web-browsing only. I know that any distro will be able to handle her needs. I've been using Linux (Ubuntu, CentOS, and Redhat--usually with KDE interface) for about 10 years now, but I know that my preferences are quite different from hers.

I have my own ideas, but I'm curious what others think: What combination of distro and UI would you recommend for an old, basic-level user who is accustomed to the XP interface and averse to change?"
My Grandmother seems happy running KDE on Debian.

Experimental Port of Debian To OpenRISC 56

Posted by Unknown Lamer
from the building-rms-a-new-laptop dept.
Via Phoronix comes news that Debian has been ported to the OpenRISC architecture by Christian Svensson. Quoting his mailing list post: "Some people know that I've been working on porting Glibc and doing some toolchain work. My evil master plan was to make a Debian port, and today I'm a happy hacker indeed! ... If anyone wants to try this on real hardware (would be very cool to see how this runs IRL), ping me on IRC [#openrisc on freenode] and I'll set you up with instructions how to use debootstrap - just point to a repo with the debs and you're all set, the wonders of binary distributions." For those who don't know, OpenRISC is the completely open source RISC processor intended as the crown jewel of the Opencores project. A working port of glibc and a GNU/Linux distribution is a huge step toward making use of OpenRISC practical. There's a screencast of the system in action, and source on Github (at posting time, it was a month out of date from the looks of it). Christian Svensson's Github account also has repos for the rest of the toolchain.

Why We Need To Teach Hacking In High School 124

Posted by Unknown Lamer
from the rms-teaches-programming dept.
An anonymous reader writes "Following one of the best descriptions ever of a hacker I've ever seen, Pete Herzog, creator of the 'security testing' (professional hacking) manual OSSTMM outlines compelling reasons why the traits of the hacker should be taught in school to make better students and better people. It starts out with 'Whatever you may have heard about hackers, the truth is they do something really, really well: discover.' and it covers open education, teaching kids to think for themselves, and promoting hacking as a tool for progress." A good read, despite confusing hacker and hacker a bit. I remember getting to set up Debian on a scrap machine in high school, only to have county IT kill the project because of the horrible danger experimentation could have proven to the network...

Ubuntu To Switch To systemd 279

Posted by Soulskill
from the follow-the-leader dept.
GuerillaRadio writes "Following the decision for Debian to switch to the systemd init system, Ubuntu founder and SABDFL Mark Shuttleworth has posted a blog entry indicating that Ubuntu will now follow in this decision. 'Nevertheless, the decision is for systemd, and given that Ubuntu is quite centrally a member of the Debian family, that's a decision we support. I will ask members of the Ubuntu community to help to implement this decision efficiently, bringing systemd into both Debian and Ubuntu safely and expeditiously.'"
