LUKS – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Fri, 29 Jul 2022 07:51:51 +0000

Linux Action News 251
https://original.jupiterbroadcasting.net/149382/linux-action-news-251/
Fri, 29 Jul 2022 00:00:00 +0000

Show Notes: linuxactionnews.com/251

The post Linux Action News 251 first appeared on Jupiter Broadcasting.

Linux Action News 185
https://original.jupiterbroadcasting.net/144812/linux-action-news-185/
Sun, 18 Apr 2021 18:15:00 +0000

Show Notes: linuxactionnews.com/185

The post Linux Action News 185 first appeared on Jupiter Broadcasting.

Feeling Elive | LINUX Unplugged 353
https://original.jupiterbroadcasting.net/141522/feeling-elive-linux-unplugged-353/
Tue, 12 May 2020 19:30:00 +0000

Show Notes: linuxunplugged.com/353

The post Feeling Elive | LINUX Unplugged 353 first appeared on Jupiter Broadcasting.

Machine Learning Magic | TechSNAP 417
https://original.jupiterbroadcasting.net/137397/machine-learning-magic-techsnap-417/
Fri, 29 Nov 2019 00:15:00 +0000

Show Notes: techsnap.systems/417

The post Machine Learning Magic | TechSNAP 417 first appeared on Jupiter Broadcasting.

RHELhide | LINUX Unplugged 320
https://original.jupiterbroadcasting.net/135002/rhelhide-linux-unplugged-320/
Tue, 24 Sep 2019 19:53:12 +0000

Show Notes: linuxunplugged.com/320

The post RHELhide | LINUX Unplugged 320 first appeared on Jupiter Broadcasting.

Linux Action News 124
https://original.jupiterbroadcasting.net/134872/linux-action-news-124/
Sun, 22 Sep 2019 21:04:00 +0000

Show Notes: linuxactionnews.com/124

The post Linux Action News 124 first appeared on Jupiter Broadcasting.

Beardy McBeardface | LINUX Unplugged 206
https://original.jupiterbroadcasting.net/116731/beardy-mcbeardface-lup-206/
Tue, 18 Jul 2017 22:40:54 +0000

The post Beardy McBeardface | LINUX Unplugged 206 first appeared on Jupiter Broadcasting.

Show Notes:

Pre-Show

  • Wes meets a Linux user in the wild.

Complicated things explained well

A real world guide to WebRTC

What do we need to get started? Two things: a reasonably recent browser (WebRTC is supported in current versions of Chrome, Firefox, Edge and Opera but not in Safari or many mobile browsers) and drumroll – a server.

An Introduction to the ss Command

The ss command is a tool used to dump socket statistics and displays information in similar fashion (although simpler and faster) to netstat. The ss command can also display even more TCP and state information than most other tools. Because ss is the new netstat, we’re going to take a look at how to make use of this tool so that you can more easily gain information about your Linux machine and what’s going on with network connections.

Systemd for (Impatient) Sysadmins

…and although I’m at philosophical odds with it at some levels, I see no reason why everybody shouldn’t understand it a bit better – especially now that most people will need to deal with it on their favorite distros.

Encrypting drives with LUKS

Linux tracing systems & how they fit together

The thing I learned last week that helped me really understand was – you can split linux tracing systems into data sources (where the tracing data comes from), mechanisms for collecting data for those sources (like “ftrace”) and tracing frontends (the tool you actually interact with to collect/analyse data). The overall picture is still kind of fragmented and confusing, but it’s at least a more approachable fragmented/confusing system.

Follow Up / Catch Up

How Microsoft brought SQL Server to Linux

“Talking to enterprises, it became clear that doing this was necessary,” Kumar said. “We were forcing customers to use Windows as their platform of choice.” In another incarnation of Microsoft, that probably would’ve been seen as something positive, but the company’s strategy today is quite different.

Formal Verification of WireGuard Protocol

The WireGuard protocol, described in the technical paper, and based on Noise, has been formally verified in the symbolic model using Tamarin. This means that there is a security proof of the WireGuard protocol.

ZFS Is the Best Filesystem (For Now…)

ZFS should have been great, but I kind of hate it: ZFS seems to be trapped in the past, before it was sidelined it as the cool storage project of choice; it’s inflexible; it lacks modern flash integration; and it’s not directly supported by most operating systems. But I put all my valuable data on ZFS because it simply offers the best level of data protection in a small office/home office (SOHO) environment.

Status update about bcachefs

New stuff from the internet

You can root your Google Wifi router, but you’ll need a screwdriver

What’s nice about this hack is that GaleForce will keep working even after Google applies automatic updates to the router. It’s a best-of-both-worlds situation: your home router becomes a Linux box with endless possibilities, but it still has the mesh networking and app-based interface that Google provides.

Smach Z – The Handheld gaming PC

“Hi Smachers,
AMD has kindly agreed to let us inform backers about the new SoC upgrade. We can officially confirm that we are moving to the latest generation AMD technology which will be based on Ryzen and Vega technology.
We’re working together with AMD to bring the best performance to SMACH Z, so it will be the most powerful handheld console in the market. The new generation looks amazing, and we want to thank AMD for all the support and efforts contributed to our project.
At this point we cannot say any more information, but I hope that this announcement works to alleviate the long waiting and to confirm that SMACH Z will feature the best hardware when it will become available.
This decision has been taken after a thorough analysis of the situation. Being forced to move away from Romb.io technology and having to redo the SoC integration has moved our schedule opening the opportunity to bring the latest technology to our design. For the moment this announcement is private only for backers.
Thanks for your support!”

Beginner-Friendly Vulkan Tutorials

For those who don’t know, Vulkan is a new graphics API– in other words, a fresh new way to talk to your GPU and make it do things. It’s managed by the Khronos Group, which means no one corporation controls it. It’s pretty cool, and anyone who wants to do work on GPUs (not restricted to graphics programmers!) should at least have a high level knowledge of what it is.

vkmark: more than a Vulkan benchmark

Ever since Vulkan was announced a few years ago, the idea of creating a Vulkan benchmarking tool in the spirit of glmark2 had been floating in my mind. Recently, thanks to my employer, Collabora, this idea has materialized! The result is the vkmark Vulkan benchmark


Distro Corner

Slackware turns 24

Today marks 24 years since the original release of Slackware, which continues to be led by Patrick Volkerding. …development on Slackware does continue and its rolling-release code is currently on the Linux 4.9 LTS kernel and has many new packages compared to the v14.2 release.

Announcing Mageia 6, finally ready to shine!

The whole Mageia community is extremely happy to announce the release of Mageia 6, the shiny result of our longest release cycle so far!

Though Mageia 6’s development was much longer than anticipated, we took the time to polish it and ensure that it will be our greatest release so far.

Highlights of Mageia 6
  • KDE Plasma 5 replaces the previous KDE SC 4 desktop environment
  • Support for AppStream and thus GNOME Software and Plasma Discover
  • Support for Fedora COPR and openSUSE Build Service
  • Successful integration of the ARM port (ARMv5 and ARMv7) in the buildsystem
  • While not a new feature, Mageia 6 supports over 25 desktop environments and window managers

  • Forking Mandriva Linux: The birth of Mageia

Unix Security Trifecta | TechSNAP 292
https://original.jupiterbroadcasting.net/104601/unix-security-trifecta-techsnap-292/
Thu, 10 Nov 2016 08:48:15 +0000

The post Unix Security Trifecta | TechSNAP 292 first appeared on Jupiter Broadcasting.

Show Notes:

Unix Trifecta — Patch Your Shit

  • This week saw the trifecta: critical vulnerabilities in 3 of the most important and widely used server applications
  • CVE-2016-8610 – OpenSSL: A remote attacker who can initiate handshakes with an OpenSSL based server can cause the server to consume a lot of computation power with very little bandwidth usage, and may be able to use this technique in a leveraged Denial of Service attack.
    • The flaw is in the way OpenSSL handles “SSL Alerts”. The SSL alert protocol is a way to communicate problems within an SSL/TLS session. Due to improper handling of alert packets, OpenSSL would consume an excessive amount of CPU time processing undefined alert messages.
  • CVE-2016-8864 – BIND: A remote attacker who could cause a server to make a query deliberately chosen to trigger the failed assertions could cause named(8) to stop, resulting in a Denial of Service condition to its clients.
    • A defect in BIND’s handling of responses containing a DNAME answer could cause a resolver to exit after encountering an assertion failure in db.c or resolver.c.
  • CVE-2016-8858 – OpenSSH: A remote attacker may be able to cause an SSH server to allocate an excessive amount of memory. Note that the default MaxStartups setting on FreeBSD will limit the effectiveness of this attack.
    • During the SSH handshake procedure, the client and server exchange the supported encryption, MAC and compression algorithms along with other information to negotiate algorithms for initial key exchange, with a message named SSH_MSG_KEXINIT.
    • When processing the SSH_MSG_KEXINIT message, the server could allocate up to a few hundred megabytes of memory per connection, before any authentication takes place.
  • Patches for most OSes should be out by now; make sure you install them.

LessPass, an open source, storage-less password manager? Or is it…

  • “Managing your Internet passwords is not easy. You probably use a password manager to help you. The system is simple, the tool generates random passwords whenever you need them and save them into a file protected with a strong password. This system is very robust, you only need to remember one password to rule them all! Now you have a unique password for each site on the Internet.”
  • But there are some shortcomings to that type of password manager:
    • How do I synchronize this file on all my devices?
    • How do I access a password on my parents’ computer without installing my password manager?
    • How do I access a password on my phone, without any installed app?
  • To solve this, LessPass does it differently
  • “The system uses a pure function, i.e. a function that given the same parameters will always give the same result. In our case, given a login, a master password, a site and options it will return a unique password”
  • “No need to save your passwords in an encrypted file. You just need to access the tool to recalculate a password from information that you know (mostly the login)”
  • There are some issues though.
    • Some sites have different password complexity requirements, such as banks that limit the length of your password, or require a PIN that is all digits
    • Some sites obviously do not hash passwords correctly, and do not allow some characters
    • What if you want to, or need to, change your password?
  • LessPass has a solution for all of these: you specify a “password profile” that records the complexity settings needed to generate a valid password for each site
  • To change a password, there is also a counter that starts at 1; you increment it to get a different password.
  • Of course now, you have to remember: your login, your master password, the password complexity profile for each site, and how many times you have changed your password on that site
  • So, they have a “connected” version, that remembers each site, your login, the password profile, and your password change counter.
  • There are obviously some privacy concerns, and security concerns here.
  • How do you restrict access in the connected version, with a username and password? Is that password the same as or different from your master password? Is your profile data encrypted per user?
  • Of course, being an open source project, there is the option to self-host, which eliminates a number of those concerns
  • “You can host your own LessPass database if you do not want to use the official one. The requirement for self-hosting is to have docker and docker-compose installed on your machine.”
  • The fact that the installation instructions are curl | bash (written the other way around, so that when you stick sudo in front of it it works), does raise some other concerns
  • This leaves a few problems:
    • You can never change your master password, as it will effectively change all of your passwords
    • It is still technically possible for someone to brute force your master password. Each attempt will require them to do the full PBKDF2 run, but 8192 rounds will take only a small fraction of a second, and it can be parallelized quite well. If someone does compromise your master password (via brute force, or with a keylogger, or whatever), they have access to all of your passwords, but worse, they even have access to your ‘new’ passwords, if you change your password, it just changes the ‘count’ parameter, so I could generate your next 10 gmail passwords and keep them for later.
    • The key-derivation seems weak, 8192 rounds of PBKDF2 is likely not enough. LastPass uses 100,000 rounds for its server-side key-derivation. FreeBSD’s GELI disk encryption uses a number of rounds that will take approximately 2 seconds, which on modern machines is over 1 million rounds. The issue is that changing this number in the future will change all of your passwords. At a minimum, it should be part of the password profile, so you can select a different value for each site, so you can change the default for new sites in the future, and increase the strength of the password for one site by changing the password.
    • LessPass cannot deal with SSO (Single Sign On). There are a number of sites for which I have the same password, because they all authenticate against the same LDAP database (or ActiveDirectory). LessPass ONLY allows you to use its derived passwords, which might not always work.
  • There are definitely some interesting aspects to LessPass, especially being able to self host, but, I don’t think I’ll be switching to it.
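
The trade-offs listed above, shown as an added example: this is not LessPass's code, only a simplified stateless generator built on PBKDF2-HMAC-SHA256 from Python's `hashlib`. The names `Profile`, `derive_password`, `future_passwords` and `seconds_per_guess`, the salt layout and the sample master password are assumptions made for illustration; the 8192 and 100,000 round figures come from the notes.

```python
import hashlib
import string
import time
from dataclasses import dataclass, replace

SYMBOLS = "!#$%&*+-=?@^_"


@dataclass(frozen=True)
class Profile:
    """Per-site settings the user has to remember (or store in a 'connected' service)."""
    length: int = 16
    alphabet: str = string.ascii_letters + string.digits + SYMBOLS
    counter: int = 1      # bumped when the site password has to change
    rounds: int = 8192    # PBKDF2 round count quoted in the notes


def derive_password(master, site, login, profile=Profile()):
    """Pure function: the same inputs always give the same site password."""
    # Assumed salt layout; binding the counter and site into the salt is what
    # makes each (site, login, counter) triple yield a different password.
    salt = f"{site}\x00{login}\x00{profile.counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                              profile.rounds, dklen=max(32, profile.length))
    n = int.from_bytes(raw, "big")
    out = []
    for _ in range(profile.length):
        n, idx = divmod(n, len(profile.alphabet))
        out.append(profile.alphabet[idx])
    return "".join(out)


def future_passwords(master, site, login, profile, count):
    """Passwords for the next `count` counter values.

    Anyone holding the master password can compute these in advance, so
    incrementing the counter is not a recovery step after a master compromise.
    """
    return [derive_password(master, site, login,
                            replace(profile, counter=profile.counter + i))
            for i in range(1, count + 1)]


def seconds_per_guess(rounds, samples=3):
    """Measured cost of one master-password guess at a given round count."""
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"guess%d" % i, b"salt", rounds)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    master, site, login = "constructed-master-password", "mail.example", "alice"
    base = Profile()
    print("current      :", derive_password(master, site, login, base))
    print("after change :", future_passwords(master, site, login, base, 1)[0])
    # Raising the round count changes every derived password, which is why the
    # notes suggest making it part of the per-site profile.
    print("100k rounds  :", derive_password(master, site, login,
                                            replace(base, rounds=100_000)))
    # A bank that only accepts a 4-digit PIN needs its own profile.
    print("bank PIN     :", derive_password(master, "bank.example", login,
                                            Profile(length=4, alphabet=string.digits)))
    for r in (8192, 100_000):
        print(f"{r:>7} rounds: {seconds_per_guess(r) * 1000:.2f} ms per guess")
```

Running it prints the per-guess cost at both round counts on the local machine, which is the number that matters when judging brute-force resistance of the master password.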

A very valuable vulnerability

  • It all started with a Facebook post by Colin Percival: “I think I just accidentally exploited a “receive arbitrarily large amounts of money” security vulnerability. Oops.”
  • Colin Percival is a security and cryptography expert, and a former FreeBSD Security Officer
  • Colin’s day job is running Tarsnap – backups for the truly paranoid.
  • To accept payments for his business, he uses Stripe – a credit card processing service, which also allows him to accept bitcoins
  • “While I very firmly wear a white hat, it is useful to be able to consider things from the perspective of the bad guys, in order to assess the likelihood of a vulnerability being exploited and its potential impact. For the subset of bad guys who exploit security vulnerabilities for profit — as opposed to selling them to spy agencies, for example — I imagine that there are some criteria which would tend to make a vulnerability more valuable:”
    • the vulnerability can be exploited remotely, over the internet;
    • the attack cannot be blocked by firewalls;
    • the attack can be carried out without any account credentials on the system being attacked;
    • the attack yields money (as opposed to say, credit card details which need to be separately monetized);
    • once successfully exploited, there is no way for a victim to reverse or mitigate the damage; and
    • the attack can be performed without writing a single line of code.
  • “Much to my surprise, a few weeks ago I stumbled across a vulnerability satisfying every one of these criteria.”
  • “The vulnerability — which has since been fixed, or else I would not be writing about it publicly — was in Stripe’s bitcoin payment functionality. Some background for readers not familiar with this: Stripe provides payment processing services, originally for credit cards but now also supporting ACH, Apple Pay, Alipay, and Bitcoin, and was designed to be the payment platform which developers would want to use; in very much the way that Amazon fixed the computing infrastructure problem with S3 and EC2 by presenting storage and compute functionality via simple APIs, Stripe fixed the “getting money from customers online” problem. I use Stripe at my startup, Tarsnap, and was in fact the first user of Stripe’s support for Bitcoin payments: Tarsnap has an unusually geeky and privacy-conscious user base, so this functionality was quite popular among Tarsnap users.”
  • “Despite being eager to accept Bitcoin payments, I don’t want to actually handle bitcoins; Tarsnap’s services are priced in US dollars, and that’s what I ultimately want to receive. Stripe abstracts this away for me: I tell Stripe that I want $X, and it tells me how many bitcoins my customer should send and to what address; when the bitcoin turns up, I get the US dollars I asked for. Naturally, since the exchange rate between dollars and bitcoins fluctuates, Stripe can’t guarantee the exchange rate forever; instead, they guarantee the rate for 10 minutes (presumably they figured out that the exchange rate volatility is low enough that they won’t lose much money over the course of 10 minutes). If the “bitcoin receiver” isn’t filled within 10 minutes, incoming coins are converted at the current exchange rate.”
  • “For a variety of reasons, it is sometimes necessary to refund bitcoin transactions: For example, a customer cancelling their order; accidentally sending in the wrong number of bitcoins; or even sending in the correct number of bitcoins, but not within the requisite time window, resulting in their value being lower than necessary. Consequently, Stripe allows for bitcoin transactions to be refunded — with the caveat that, for obvious reasons, Stripe refunds the same value of bitcoins, not the same number of bitcoins. (This is analogous to currency exchange issues with credit cards — if you use a Canadian dollar credit card to buy something in US dollars and then get a refund later, the equal USD amount will typically not translate to an equal number of CAD refunded to your credit card.)”
  • “The vulnerability lay in the exchange rate handling. As I mentioned above, Stripe guarantees an exchange rate for 10 minutes; if the requisite number of bitcoins arrive within that window, the exchange rate is locked in. So far so good; but what Stripe did not intend was that the exchange rate was locked in permanently — and applied to any future bitcoins sent to the same address. This made a very simple attack possible:”
    1. Pay for something using bitcoin.
    2. Wait until the price of bitcoin drops.
    3. Send more bitcoins to the address used for the initial payment.
    4. Ask for a refund of the excess bitcoin.
  • “Because the exchange rate used in step 3 was the one fixed at step 1, this allowed for bitcoins to be multiplied by the difference in exchange rates; if step 1 took place on July 2nd and steps 3/4 on August 2nd, for example, an arbitrary number of bitcoins could be increased by 30% in a matter of minutes. Moreover, the attacker does not need an account with Stripe; they merely need to find a merchant which uses Stripe for bitcoin payments and is willing to click “refund payment” (or even better, is set up to automatically refund bitcoin overpayments).”
  • “Needless to say, I reported this to Stripe immediately. Fortunately, their website includes a GPG key and advertises a vulnerability disclosure reward (aka. bug bounty) program; these are two things I recommend that every company does, because they advertise that you take security seriously and help to ensure that when people stumble across vulnerabilities they’ll let you know. (As it happens, I had Stripe security’s public GPG key already and like them enough that I would have taken the time to report this even without a bounty; but it’s important to maximize the odds of receiving vulnerability reports.) Since it was late on a Friday afternoon and I was concerned about how easily this could be exploited, I also hopped onto Stripe’s IRC channel to ask one of the Stripe employees there to relay a message to their security team: “Check your email before you go home!””
  • “Stripe’s handling of this issue was exemplary. They responded promptly to confirm that they had received my report and reproduced the issue locally; and a few days later followed up to let me know that they had tracked down the code responsible for this misbehaviour and that it had been fixed. They also awarded me a bug bounty — one significantly in excess of the $500 they advertise, too.”
  • “As I remarked six years ago, Isaac Asimov’s remark that in science “Eureka!” is less exciting than “That’s funny…” applies equally to security vulnerabilities. I didn’t notice this issue because I was looking for ways to exploit bitcoin exchange rates; I noticed it because a Tarsnap customer accidentally sent bitcoins to an old address and the number of coins he got back when I clicked “refund” was significantly less than what he had sent in. (Stripe has corrected this “anti-exploitation” of the vulnerability.) It’s important to keep your eyes open; and it’s important to encourage your customers to keep their eyes open, which is the largest advantage of bug bounty programs — and why Tarsnap’s bug bounty program offers rewards for all bugs, not just those which turn out to be vulnerabilities.”
  • “And if you have code which handles fluctuating exchange rates… now might be a good time to double-check that you’re always using the right exchange rates.”
  • A very interesting attack, that was only found because someone accidentally did the wrong thing
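
The rate-handling flaw described above, modelled as an added example for anyone reviewing their own exchange-rate code. It is not Stripe's code and not from Colin Percival's post: the `Receiver` class, its method names and the rates are constructed for illustration, and only the 10-minute window and the refund-by-value rule come from the quoted text.

```python
from dataclasses import dataclass
from decimal import Decimal

WINDOW_SECONDS = 600  # the 10-minute rate guarantee described in the post


@dataclass
class Receiver:
    """Hypothetical model of a bitcoin receiver for a USD-priced invoice."""
    amount_usd: Decimal              # what the merchant asked for
    quoted_rate: Decimal             # USD per BTC promised at creation time
    created_at: int                  # creation time, seconds
    credited_usd: Decimal = Decimal(0)
    rate_locked: bool = False

    def _in_window(self, now):
        return now - self.created_at <= WINDOW_SECONDS

    def credit_flawed(self, btc, now, spot_rate):
        """Flawed: once the invoice is filled in time, the quote sticks forever."""
        use_quote = self.rate_locked or self._in_window(now)
        value = btc * (self.quoted_rate if use_quote else spot_rate)
        self.credited_usd += value
        if self._in_window(now) and self.credited_usd >= self.amount_usd:
            self.rate_locked = True
        return value

    def credit_checked(self, btc, now, spot_rate):
        """Checked: the quote covers only coins that arrive inside the window,
        and only up to the amount still owed; everything else uses spot."""
        owed_usd = max(self.amount_usd - self.credited_usd, Decimal(0))
        quoted_btc = Decimal(0)
        if self._in_window(now):
            quoted_btc = min(btc, owed_usd / self.quoted_rate)
        value = quoted_btc * self.quoted_rate + (btc - quoted_btc) * spot_rate
        self.credited_usd += value
        return value

    def refund_excess_btc(self, spot_rate):
        """Refund the same USD value (not the same coin count) at today's rate."""
        excess = max(self.credited_usd - self.amount_usd, Decimal(0))
        self.credited_usd -= excess
        return excess / spot_rate


def replay(credit_method):
    """Replay one constructed history and return the BTC refunded.

    Invoice: $100 quoted at $1000/BTC. The customer pays 0.1 BTC after one
    minute, then 30 days later, with spot at $800/BTC, 1 BTC more arrives at
    the same address and the merchant refunds the overpayment.
    """
    r = Receiver(Decimal("100"), Decimal("1000"), created_at=0)
    credit = getattr(r, credit_method)
    credit(Decimal("0.1"), now=60, spot_rate=Decimal("1000"))
    credit(Decimal("1"), now=30 * 86400, spot_rate=Decimal("800"))
    return r.refund_excess_btc(Decimal("800"))


if __name__ == "__main__":
    sent = Decimal("1")
    for method in ("credit_flawed", "credit_checked"):
        refunded = replay(method)
        # Invariant worth asserting in real code: a refund at an unchanged
        # spot rate never returns more coins than the late deposit brought in.
        print(f"{method}: sent {sent} BTC, refunded {refunded} BTC, "
              f"invariant holds: {refunded <= sent}")
```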

Vox Populi | BSD Now 91
https://original.jupiterbroadcasting.net/82957/vox-populi-bsd-now-91/
Thu, 28 May 2015 06:18:09 +0000

The post Vox Populi | BSD Now 91 first appeared on Jupiter Broadcasting.


This week on the show, we’ve got something pretty different. We went to a Linux convention and asked various people if they’ve ever tried BSD and what they know about it. Stay tuned for that, all this week’s news and, of course, answers to your emails, on BSD Now – the place to B.. SD.

– Show Notes: –

Headlines

LUKS in OpenBSD

  • Last week, we were surprised to find out that DragonFlyBSD has support for dm-crypt, sometimes referred to as LUKS (Linux Unified Key Setup)
  • It looks like they might not be the only BSD with support for it for much longer, as OpenBSD is currently reviewing a patch for it as well
  • LUKS would presumably be an additional option in OpenBSD’s softraid system, which already provides native disk encryption
  • Support hasn’t been officially committed yet and is still going through testing, but the code is there if you want to try it out and report your findings
  • If enabled, this might pave the way for the first (semi-)cross platform encryption scheme since the demise of TrueCrypt (and maybe other BSDs will get it too in time)

FreeBSD gets 64bit Linux emulation

  • For those who might be unfamiliar, FreeBSD has an emulation layer to run Linux-only binaries (as rare as they may be)
  • The most common use case is for desktop users, enabling them to run proprietary applications like Adobe Flash or Skype
  • Similar systems can also be found in NetBSD and OpenBSD (though disabled by default on the latter)
  • However, until now, it’s only supported binaries compiled for the i386 architecture
  • This new update, already committed to -CURRENT, will open up some possibilities that weren’t previously available
  • Meanwhile, HardenedBSD considers removing the emulation layer entirely

BSD at Open Source Conference 2015 Nagoya

  • We’ve covered the Japanese NetBSD users group setting up lots of machines at various conferences in the past, but now they’re expanding
  • Their latest report includes many of the NetBSD things you’d expect, but also a couple OpenBSD machines
  • Some of the NetBSD ones included a Power Mac G4, SHARP NetWalker, Cubieboard2 and the not-so-foreign Raspberry Pi
  • One new addition of interest is the OMRON LUNA88k, running the luna88k port of OpenBSD
  • While at the event, NetBSD even revived their older luna68k port
  • There was even an old cell phone running Windows games on NetBSD
  • Check the mailing list post for some links to all of the nice pictures

LLVM introduces OpenMP support

  • One of the things that has kept some people in the GCC camp is the lack of OpenMP support in LLVM
  • According to the blog post, it “enables Clang users to harness full power of modern multi-core processors with vector units”
  • With Clang being the default in FreeBSD, Bitrig and OS X, and with some other BSDs exploring the option of switching, the need for this potential speed boost was definitely there
  • This could also open some doors for more BSD in the area of high performance computing, putting an end to the current Linux monopoly

Interview – Eric, FSF, John, Jose, Kris and Stewart

Various “man on the street” style mini-interviews


News Roundup

BSD-licensed gettext replacement

  • If you’ve ever installed ports on any of the BSDs, you’ve probably had GNU’s gettext pulled in as a dependency
  • Wikipedia says “gettext is an internationalization and localization (i18n) system commonly used for writing multilingual programs on Unix-like computer operating systems”
  • A new BSD-licensed rewrite has begun, with the initial version being for NetBSD (but it’s likely to be portable)
  • If you’ve got some coding skills, get involved with the project – the more freely-licensed replacements, the better

Unix history git repo

  • A git repository was recently created to show off some Unix source code history
  • The repository contains 659 thousand commits and 2306 merges
  • You can see early 386BSD commits all the way up to some of the more modern FreeBSD code
  • If you want to browse through the giant codebase, it can be a great history lesson
  • Paper with additional details and methodology

PCBSD 10.1.2 and Lumina updates

  • We mentioned 10.1.1 being released last week (and all the cool features a couple weeks before) but now 10.1.2 is out
  • This minor update contained a few hotfixes: RAID-Z installation, cache and log devices and the text-only installer in UEFI mode
  • There’s also a new post on the PCBSD blog about Lumina, answering some frequently asked questions and giving a general status update

Feedback/Questions


Mailing List Gold


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • We’re recording two episodes next week, so some extra feedback email would be good

Tomb of Secrets | LAS 325
https://original.jupiterbroadcasting.net/64207/tomb-of-secrets-las-325/
Sun, 10 Aug 2014 15:46:46 +0000

The post Tomb of Secrets | LAS 325 first appeared on Jupiter Broadcasting.


What’s the best TrueCrypt alternative for Linux? We’ll introduce you to Tomb, a tool that sits on top of open source encryption tools you can trust, that come built into every install of Linux.

Plus we’ll demo native Netflix working on Linux without any plugins, the big changes coming to Fedora…

AND SO MUCH MORE!

All this week on, The Linux Action Show!

— Show Notes: —

Tomb :: The Crypto Undertaker

Tomb is 100% free and open source software to make strong encryption easy to use.
A tomb is like a locked folder that can be safely transported and hidden in a filesystem.
Keys can be kept separate: for instance the tomb on your computer and the key on a USB stick.


All dependencies used in Tomb are common GNU/Linux components, well peer reviewed and found in most distributions. Plus there is no cloud service connected and no network connection needed: Tomb works entirely off-line, of course.

Because dm-crypt is a block-level encryption layer, it only encrypts full devices, full partitions and loop devices. To encrypt individual files requires a filesystem-level encryption layer, such as eCryptfs or EncFS. See Disk encryption for general information about securing private data.

LUKS and Tomb:

The Linux Unified Key Setup or LUKS is a disk-encryption specification created by Clemens Fruhwirth in 2004 and originally intended for Linux.

While most disk encryption software implements different and incompatible, undocumented formats, LUKS specifies a platform-independent standard on-disk format for use in various tools. This not only facilitates compatibility and interoperability amongst different programs, but also assures that they all implement password management in a secure and documented manner.

The reference implementation for LUKS operates on Linux and is based on an enhanced version of cryptsetup, using dm-crypt as the disk encryption backend.

dm-crypt and Tomb:

dm-crypt is a transparent disk encryption subsystem in Linux kernel versions 2.6 and later and in DragonFly BSD. It is part of the device mapper infrastructure, and uses cryptographic routines from the kernel’s Crypto API.

dm-crypt is implemented as a device mapper target and may be stacked on top of other device mapper transformations. It can thus encrypt whole disks (including removable media), partitions, software RAID volumes, logical volumes, as well as files. It appears as a block device, which can be used to back file systems, swap or as an LVM physical volume.

Installing Tomb:

  • Tomb needs a few programs to be installed on a system in order to work:
    • zsh
    • gnupg
    • cryptsetup
    • steghide (not required, this is for stashing your key in a jpg)
    • pinentry-curses (or -gtk or -qt as you prefer)

Most systems provide these tools in their package collection: for instance, on Debian/Ubuntu one can use ‘apt-get install’; on Fedora and CentOS one can use ‘yum install’.

Install Tomb
  • To install Tomb simply download the source distribution (the tar.gz file) and decompress it.
  • Then enter its directory and run ‘make install’ as root. This will install Tomb into /usr/local:

    sudo make install

  • After installation one can read the command-line help or the manual:

    tomb -h      # show the command-line help
    man tomb     # show the full usage manual

  • At this point one can proceed to create a tomb, for instance:

    tomb dig -s 1000 secrets.tomb                 # be patient and wait a bit
    tomb forge -k secrets.tomb.key                # be patient and follow instructions
    tomb lock -k secrets.tomb.key secrets.tomb

Mount your Tomb:

    tomb open secrets.tomb -k secrets.tomb.key

  • And after you are done:

    tomb close
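The notes above suggest keeping the key apart from the tomb, for instance on a USB stick. The following pre-flight check, an added example that is not part of Tomb or of the original show notes, verifies that separation and the key file's permissions before `tomb open` is run. The function names are hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Pre-flight checks to run before `tomb open`. Added example: the function
# names below are hypothetical and are not part of Tomb.

# Print the device ID of the filesystem holding a file (GNU stat).
fs_device() {
    stat -c '%d' -- "$1"
}

# Succeed only if the key file grants nothing to group or others.
key_perms_ok() {
    mode=$(stat -c '%a' -- "$1") || return 2
    case "$mode" in
        *00|0) return 0 ;;
        *)     return 1 ;;
    esac
}

# Compare where the tomb and its key live.
#   0 = different filesystems (e.g. key on a USB stick)
#   1 = same filesystem: a copy of that disk holds both tomb and key file
#   2 = one of the files is missing
check_key_separation() {
    tomb_file=$1
    key_file=$2
    [ -f "$tomb_file" ] && [ -f "$key_file" ] || return 2
    if [ "$(fs_device "$tomb_file")" = "$(fs_device "$key_file")" ]; then
        echo "warning: $key_file is on the same filesystem as $tomb_file" >&2
        return 1
    fi
    return 0
}

# Run both checks when called with two arguments: <tomb file> <key file>
if [ "$#" -eq 2 ]; then
    check_key_separation "$1" "$2" || exit $?
    key_perms_ok "$2" || { echo "warning: key is readable by others" >&2; exit 1; }
    echo "ok: run  tomb open $1 -k $2"
fi
```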

Key Storage:

Steganography helps here. Tomb offers the possibility to bury and exhume keys from jpeg images: if steghide is installed on a system then Tomb will offer these commands in its command-line help.

When securing your private data, one of the bigger problems is the fallibility of your memory: at some point in the future you might forget where you left the keys.

This feature lets you keep in mind a certain picture rather than a position in a filesystem, which is much easier to remember. It also helps in hiding the key well and eventually communicating it without arousing suspicion, as it is very difficult to detect the presence of a key inside an image without knowing the password you used to seal it.


Hide the key

To hide the key inside an image file (jpeg):

    tomb bury -k /path/to/key /path/to/file.jpg

Extract the hidden key

To extract a pre-hidden key:

    tomb exhume -k /path/to/newkeylocation /path/to/file.jpg

Advanced features

  • steganography (to hide the key inside a jpeg/wav file)
  • bind hooks: a tomb can mount some of its subdirectories as “bind” mounts onto other locations. Suppose, for example, you would like to encrypt your .Mail, .firefox and Documents directories. Then you can create a tomb which contains these subdirectories (and others too, if you want) and create a simple configuration file inside the tomb itself; when you run tomb open it will automatically bind those directories into the right places. This way you will easily get an encrypted firefox profile, or maildir.
  • post hooks: commands that are run when the tomb is opened or closed. You can imagine a lot of things for this: open files inside the tomb, put your computer in a “paranoid” status (for example, disabling swap), whatever.

Areas for improvement:

EncFS provides an encrypted filesystem in user-space. It runs without any special permissions and uses the FUSE library and Linux kernel module to provide the filesystem interface. You can find links to source and binary releases below. EncFS is open source software, licensed under the GPL.


— PICKS —

Runs Linux

Fish Who Plays Pokemon, Runs Linux – Twitch

  • Catherine and Patrick are two developers from the HackNY Fellows Class of 2014 that attend school at the University of Chicago and Columbia University, respectively. You can follow them on twitter at @catmoresco and @plfacheris.

At the time of writing, over 22,000 are currently watching Grayson play Pokemon, with a little under 50,000 total views.

Desktop App Pick

serman – Dialog-based systemd service management.

“Serman is a simple dialog-based systemd service manager. It provides an easy way to manage services with an overview of what is currently enabled, running, etc.

The package currently includes the original version of serman based on the dialog and a complete rewrite using Python’s ncurses library. The latter is installed as serman2 for testing. It will soon replace the current version of serman.”

Skyward Collapse on Steam

How do you balance — and indeed encourage — a war between factions without letting either side obliterate the other? How do you rule over gods, creatures, and men who refuse to obey you? How do you build a landscape of villages when bandits and mythology are conspiring to tear it down?

Weekly Spotlight

KNOPPIX 7.4.0

Version 7.4.0 of KNOPPIX is based on the usual picks from Debian stable (wheezy) and newer Desktop packages from Debian/testing and Debian/unstable (jessie). It uses kernel 3.15.6 and xorg 7.7 (core 1.16.0) for supporting current computer hardware.

TalkingArch – Home

This is TalkingArch, a respin of the Arch Linux live CD/USB image modified to include speech and braille output for blind and visually impaired users. Arch Linux is designed to be simple, lightweight and flexible. TalkingArch retains all the features of the Arch Linux live image, but adds speech and braille packages to make it possible for blind and visually impaired users to install Arch Linux eyes-free.


— NEWS —

Turin becomes the first Italian city to adopt Ubuntu and Open Office, saves millions of Euros!

The city administrators calculated that updating the licences for all the PCs running Windows products will cost them a whopping 22 million Euros over a period of 5 years! At the same time, adopting Linux and open source alternatives will actually save them 6 million Euros during the same period.

It’s Now Possible To Play Netflix Natively On Linux Without Wine Plug-Ins

According to reader reports this Saturday morning, with just modifying the user-agent of the latest beta version of Google’s Chrome web browser, it’s possible to get Netflix running natively on Linux. Thanks to DRM support with HTML5 and Google’s Chrome developers moving quick to implement the support that’s backed by Netflix, you can today run Chrome and play Netflix videos without having to use Pipelight or any other plug-ins — the support simply works through having DRM’ed HTML5 video support.

Flock 2014 Day One: The State of Copr

Miloslav Suchy delivered a report on the state of Copr yesterday at Flock that demonstrated just how far a service can go in one year. Work on Copr, the lightweight build service for contributor packages that aren’t yet in Fedora officially, started less than a year ago. But the service is already hosting more than 250GB of data and has churned out more than 25,000 builds!

What’s Copr? In a nutshell, it’s a system for building packages and offering repositories for packages that aren’t yet in Fedora or aren’t ready for Fedora – for example, GNOME 3.12 built for Fedora 20 for users who want to go to the latest GNOME before the next Fedora release. Or experimental builds of packages.

Wayland in GNOME

Jasper St. Pierre presented an overview of GNOME’s Wayland support on July 28. St. Pierre’s talk started off with an atypical question-and-answer session as he debugged some last-minute problems with his current Wayland session in GNOME’s Mutter.

— FEEDBACK —

Add this to your queue

— CHRIS’ STASH —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— MATT’S STASH —

Find us on Google+

Find us on Twitter

Follow the network on Facebook

Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC:
