Inspired by the Let’s Encrypt project, we break down the basics of SSL & how easy it is to set up on your Linux box now.
Plus hacking GRUB by hitting backspace 28 times, the Linux Foundation wants the Blockchain, without the Bitcoin and their bedfellows are concerning, the steady steps towards cross distro application bundles & more!
Thanks to:
Direct Download:
HD Video | Mobile Video | WebM Torrent | MP3 Audio | OGG Audio | YouTube | HD Torrent
RSS Feeds:
HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed
Become a supporter on Patreon:
— Show Notes: —
Brought to you by: Linux Academy
Linux Academy Apache and SSL Self Signed Certificates
Apache and SSL Self Signed Certificates
This course will detail how to install and configure Apache web services to answer for HTTPS connections. In addition, we will show how to generate a key file to use for obtaining a third party certificate and then use that key to generate a full self-signed certificate. Finally, we will configure our SSL VHOST to use that SSL certificate and verify its availability and content serving from an external location.
Let’s Encrypt
What is encryption
Asymmetric vs Symmetric Antenna
Symmetric encryption uses the identical key to both encrypt and decrypt the data. Symmetric key algorithms are much faster computationally than asymmetric algorithms as the encryption process is less complicated.
Asymmetric encryption uses two related keys (public and private) for data encryption and decryption, and takes away the security risk of key sharing. The private key is never exposed. A message that is encrypted by using the public key can only be decrypted by applying the same algorithm and using the matching private key.
Secure Socket Layer
SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client—typically a web server (website) and a browser; or a mail server and a mail client (e.g., Outlook).
SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. Normally, data sent between browsers and web servers is sent in plain text—leaving you vulnerable to eavesdropping. If an attacker is able to intercept all data being sent between a browser and a web server they can see and use that information.
More specifically, SSL is a security protocol. Protocols describe how algorithms should be used; in this case, the SSL protocol determines variables of the encryption for both the link and the data being transmitted.
Let’s Encrypt
Anyone who has gone through the trouble of setting up a secure website knows what a hassle getting and maintaining a certificate can be. Let’s Encrypt automates away the pain and lets site operators turn on and manage HTTPS with simple commands.
No validation emails, no complicated configuration editing, no expired certificates breaking your website. And of course, because Let’s Encrypt provides certificates for free, no need to arrange payment.This page describes how to carry out the most common certificate management functions using the Let’s Encrypt client. You’re welcome to use any compatible client, but we only provide instructions for using the client that we provide.
The key principles behind Let’s Encrypt are:
- Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate
at zero cost. - Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
- Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
- Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
- Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
-
Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.
-
Welcome to the Let’s Encrypt client documentation! — Let’s Encrypt 0.2.0.dev0 documentation
Today, I’m very excited to announce Caddy 0.8! It features automatic HTTPS, zero-downtime restarts, and the ability to embed Caddy in your own Go programs.
— PICKS —
Runs Linux
George’s Hacked Acrua, Runs Linux
He’s been keeping the project to himself and is dying to show it off. We pace around the car going over the technology. Hotz fires up the vehicle’s computer, which runs a version of the Linux operating system, and strings of numbers fill the screen. When he turns the wheel or puts the blinker on, a few numbers change, demonstrating that he’s tapped into the Acura’s internal controls.
Desktop App Pick
Nuvola Player
Nuvola Player is a runtime for web-based music streaming services providing more native user experience and integration with Linux desktop environments than usual web browsers can offer. It tries to feel and look like a native application as possible.
Sent in by Rikai
Weekly Spotlight
GDriveFS
GDriveFS is an innovative FUSE wrapper for Google Drive developed under
Python 2.7.
DOUBLE SPOTLIGHT
Block Spoilers for Star Wars
Force Block is safer than ever! Now, in addition to our standard pattern matching logic which requires a critical mass of related keywords to initiate a block, we’ve added a handful of instant-blocking keyphrases, sourced from people who have seen the film via early screenings. One of our engineers took one for the team punching those in! Ironic, he could save others from spoilers… but not himself.
— NEWS —
You Can Break Into a Linux System by Pressing Backspace 28 Times. Here’s How to Fix It
The researchers, Hector Marco and Ismael Ripoll from the Cybersecurity Group at Polytechnic University of Valencia, found that it’s possible to bypass all security of a locked-down Linux machine by exploiting a bug in the Grub2 bootloader. Essentially, hitting backspace 28 times when the machine asks for your username accesses the “Grub rescue shell,” and once there, you can access the computer’s data or install malware. Fortunately, Marco and Ripoll have made an emergency patch to fix the Grub2 vulnerability. Ubuntu, Red Hat, and Debian have all issued patches to fix it as well.
Linux is often thought of as a super secure operating system, but this is a good reminder to take physical security just as seriously as network security (if not more). Take extra care when your machine is around people you don’t know, especially if your system has sensitive data on it.
Description
A vulnerability in Grub2 has been found. Versions from
1.98 (December, 2009) to 2.02 (December, 2015) are affected.
The vulnerability can be exploited under certain circumstances,
allowing local attackers to bypass any kind of authentication
(plain or hashed passwords). And so, the attacker may take
control of the computer.Grub2 is the bootloader used by most Linux systems including
some embedded systems. This results in an incalculable number
of affected devices.As shown in the picture, we successfully exploited this
vulnerability in a Debian 7.5 under Qemu getting a Grub
rescue shell.
Am I vulnerable ?
To quickly check if your system is vulnerable, when the Grub
ask you the username, press the Backspace 28 times. If
your machine reboots or you get a rescue shell then your
Grub is affected.
Impact
An attacker which successfully exploits this vulnerability will
obtain a Grub rescue shell. Grub rescue is a very powerful shell
allowing to:
Elevation of privilege: The attacker is authenticated
without knowing a valid username nor the password. The
attacker has full access to the grub’s console (grub
rescue).Information disclosure: The attacker can load a
customized kernel and initramfs (for example from a USB) and
then from a more comfortable environment, copy the full disk
or install a rootkit.Denial of service: The attacker is able to destroy
any data including the grub itself. Even in the case that the
disk is ciphered the attacker can overwrite it, causing a
DoS.
Linux Foundation assembles gang to build a better Blockchain
The Linux Foundation has decided the time is right to apply its special brand of collaboration to the Blockchain, the distributed ledger technology behind Bitcoin and other cryptocurrencies.
The Foundation is talking up the blockchain as a supply-chain enhancer and electronic-transaction-speeder-upper, thanks to its provision of a distributed ledger that has no central point of control and therefore allows secure peer-to-peer information exchange.
Big companies desperately hoping for blockchain without Bitcoin is exactly like 1994: Can't we please have online without Internet??
— Marc Andreessen (@pmarca) December 18, 2015
there’s a big group of backers in the financial, tech and business industries that have taken the next step to making blockchain move forward without ties to bitcoin.
But as Webster pointed out in her column, “if we kill bitcoin that means we will also kill and bury the blockchain since bitcoin is what keeps the blockchain alive.” Because bitcoin is the method of transport used by the blockchain to move data between the miners, there’s a case for why bitcoin’s blockchain has stuck around.
But big banks like JPMorgan, along with the support of IBM and Intel want to bury that vision and resurrect their own vision for what they envision to be a more productive use case for the concept of a distributed ledger. This is like a blockchain, but sans the bitcoin.
The goal of the Open Ledger Project is not to work in the cryptocurrency space, but rather to leverage the technology behind the distributed ledger in order to streamline business tools that enable transactions and documents to move between parties faster. Another goal of the project would be to create open ledgers that can decide who can access that ledger.
XDG-App Continues Maturing For GNOME App Sandboxing
XDG-App has made much progress and is found in a “tech preview” state for GNOME 3.18 but it’s not until GNOME 3.20 and later where things will get more interesting. Alexander Larsson has provided a “Christmas 2015” update concerning the project for GNOME sandboxing.
Google’s killing Chrome support for 32-bit Linux, Ubuntu 12.04, and Debian 7
In an update posted to the Chromium-dev mailing list, Google’s Dirk Pranke wrote:
“To provide the best experience for the most-used Linux versions, we will end support for Google Chrome on 32-bit Linux, Ubuntu Precise (12.04), and Debian 7 (wheezy) in early March, 2016. Chrome will continue to function on these platforms but will no longer receive updates and security fixes.
We intend to continue supporting the 32-bit build configurations on Linux to support building Chromium. If you are usingPrecise, we’d recommend that you to upgrade to Trusty.”
Feedback:
Brought to you by: System76
-
https://slexy.org/view/s20p9vkcTi
-
https://slexy.org/view/s21mtiOvGQ
Chris’s Twitter account has changed, you’ll need to follow!
Chris Fisher (@ChrisLAS) | Twitter
— CHRIS’ STASH —
Hang in our chat room:
irc.geekshed.net #jupiterbroadcasting
— NOAH’S STASH —
Noah’s Day Job
Contact Noah
noah [at] jupiterbroadcasting.com