Article from Issue 170/2015

Updates on Technologies, Trends, and Tools

More Online

Off the Beat * Bruce Byfield

Free Software: Doing the Impossible

I worry about free software's lack of diversity, but I also find much to admire. I like how free software makes computers available to impoverished people and nations who otherwise could never afford them.

Ubuntu at 10: All That Way for This?

"In a middle of a good time * Fate dealt me her icy kiss * Look around, you must be joking * We've come all that way for this." Oysterband

Last week, Ubuntu celebrated the 10th anniversary of its first release.

Productivity Sauce * Dmitri Popov

Generate Slick Galleries in Seconds with 1Page Gallery

At first glance, 1Page Gallery looks like yet another single-page PHP script for publishing photos. But if you look closer, you'll notice that unlike its counterparts, the tiny application generates galleries from a ZIP archive containing photos.

Extend Bash and Zsh Prompt with Liquid Prompt

The default Bash or Zsh prompt isn't exactly a hub of useful information, but you can change that by deploying Liquid prompt. Once enabled, Liquid prompt turns the humble prompt into a dashboard capable of displaying all sorts of data: from processor load and battery status to current time and the key info of the current Git repo. Better still, Liquid prompt is easy to install and requires no tweaking or complicated configuration.

Top Top-Like Tools * Jeff Layton

Admins solve problems ranging from slow servers to failing applications. The first tool I reach for when I need to check on a server with shell access is Top.

Student Cluster Competition * Joe Casad

Winners of an annual contest sponsored by the HPC Advisory Council are to be announced at SC14.

ADMIN Online

Hardware MFA: Death to the Password! * Joseph Guarino

Passwords have been around since the 1960s, and they are still the mainstay for authentication. The good news is you have alternatives in hardware multifactor authentication.

ZFS on Linux * Mark Feilner and Hans-Peter Merkel

The new version 10 of FreeBSD can cause Linux admins problems when attempting to reconstruct data from ZFS pools.

Disaster Recovery for Windows Servers * Thomas Joos

When a server fails, you need a considered but fast response. Experts have some easy ways to put Windows servers back on their feet, but some of these powerful techniques could render your system completely useless.

Drupal Advisory Unleashes a Torrent of Attacks

On October 15, the Drupal security team announced an SQL injection vulnerability affecting Drupal 7 websites. A patch was quickly provided, and users were urged to upgrade their Drupal systems to Version 7.32. In a recent update to the original post, the team says that multiple attacks appeared "… in the wild following the release of this security advisory." The extreme efficiency with which the vulnerability was turned into a real-world attack means that, according to Drupal, any site that wasn't patched within 7 hours of the original October 15 announcement should be considered compromised.

If a system was breached before the patch was applied, an update to the system doesn't help. In fact, it appears that an unexpectedly updated system is sometimes evidence of an attack. Intruders, it seems, are eager to update the system to Drupal 7.32 once they gain entry to prevent other intruders from slipping in also.

Ironically, the attack exploits a vulnerability in a Drupal API that is designed to help prevent SQL injection attacks.

If you did not get your Drupal site updated within 7 hours of the initial October 15 announcement, the Drupal team recommends the following steps:

1. Take the website offline by replacing it with a static HTML page.

2. Notify the server's administrator, emphasizing that other sites or applications hosted on the same server might have been compromised via a backdoor installed by the initial attack.

3. Consider obtaining a new server, or otherwise remove all the website's files and database from the server. (Keep a copy safe for later analysis.)

4. Restore the website (Drupal files, uploaded files, and database) from backups from before October 15, 2014.

5. Update or patch the restored Drupal core code.

6. Put the restored and patched/updated website back online.

7. Manually redo any desired changes made to the website since the date of the restored backup.

8. Audit anything merged from the compromised website, such as custom code, configuration, files or other artifacts, to confirm they are correct and have not been tampered with.
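Step 8 is the one that is easy to skip under pressure. The script below is an added example (not from the article or from the Drupal project) of how to do that audit: it hashes every file in the restored, pre-October-15 tree and in the copy kept from the compromised server, then reports what the compromised copy added, dropped or changed. The directory layout and file contents are constructed sample data, and the extra check for PHP files under the uploads directory is my own heuristic rather than a Drupal recommendation.

```python
# Added example (not from the article or from the Drupal project): a file-tree audit
# for step 8, comparing the restored pre-October-15 tree against the copy kept from the
# compromised server. The directory layout and file contents below are constructed
# sample data; the extra check for PHP files under the uploads directory is my own
# heuristic, not a Drupal recommendation.
import hashlib
import tempfile
from pathlib import Path

UPLOAD_DIR = "sites/default/files/"   # Drupal's default public files directory


def hash_tree(root):
    """Map each relative file path under root to the SHA-256 of its content."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def audit_trees(reference_dir, suspect_dir):
    """Report what the suspect tree adds, drops or changes relative to the reference."""
    ref, sus = hash_tree(reference_dir), hash_tree(suspect_dir)
    report = {
        "added": sorted(set(sus) - set(ref)),
        "removed": sorted(set(ref) - set(sus)),
        "modified": sorted(p for p in set(ref) & set(sus) if ref[p] != sus[p]),
    }
    # Executable code inside the uploads directory is never legitimate Drupal content
    # and is a classic place for a web shell to land, so call it out separately.
    report["php_in_uploads"] = sorted(
        p for p in report["added"] + report["modified"]
        if p.startswith(UPLOAD_DIR) and p.endswith(".php")
    )
    return report


def build_demo_trees(base):
    """Constructed sample: a clean tree from a pre-incident backup and a copy of the
    same site as found on the compromised server."""
    clean, suspect = Path(base) / "clean", Path(base) / "suspect"
    files = {
        "index.php": "<?php // constructed stand-in for Drupal's front controller\n",
        "includes/bootstrap.inc": "<?php define('VERSION', '7.31');\n",
        "sites/default/settings.php": "<?php $databases = array();\n",
        "sites/default/files/logo.png": "constructed-binary-placeholder",
    }
    for root in (clean, suspect):
        for rel, body in files.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    # Differences found only on the compromised copy (all constructed):
    # 1. core "updated" to 7.32 by someone other than the site's own admins
    (suspect / "includes/bootstrap.inc").write_text("<?php define('VERSION', '7.32');\n")
    # 2. settings.php altered
    (suspect / "sites/default/settings.php").write_text(
        "<?php $databases = array(); // constructed: edit of unknown origin\n")
    # 3. a PHP file that has no business sitting in the uploads directory
    (suspect / "sites/default/files/cache.php").write_text("<?php // constructed placeholder\n")
    return clean, suspect


def run_demo():
    """Build the two sample trees in a temp directory and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = build_demo_trees(tmp)
        return audit_trees(clean, suspect)


if __name__ == "__main__":
    for key, paths in run_demo().items():
        print(f"{key:>14}: {paths}")
```

Against a real site you would point `audit_trees()` at the restored tree and the preserved copy from step 3; an "unexpected" jump of `VERSION` to 7.32 in a tree nobody admits to updating is exactly the kind of change the article warns about, and every entry under `modified` or `added` needs a human explanation before it is merged back.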

HTML5 Gets Promoted to a Standard

The World Wide Web Consortium (W3C) has announced that it is promoting the HTML5 specification to Recommendation status, the highest level of approval, which effectively pushes HTML5 to the level of a web standard.

The new HTML5 specification has been in the works for 10 years, and previous drafts have already been adopted by browser and web server vendors, which means the recent announcement is something of a formality. Still, the declaration of victory is a signal to developers and implementors that more changes won't be coming and the community can move on to other priorities.

In the press announcement, W3C CEO Jeff Jaffe states, "… now that HTML5 is done, W3C should do more to strengthen the parts of the Open Web Platform that developers most urgently need for success."

HTML5 is an attempt to catch up with the 21st Century reality of the web, with better security and a wealth of new multimedia capabilities. The HTML5 specification began in 2004 through the work of the Web Hypertext Application Technology Working Group (WHATWG), with founding members from Apple, Opera, and the Mozilla Foundation. Google, Microsoft, and other companies joined in the development.

Shellshock Spreads to Email

New evidence the dangerous Bash bug has made its way into SMTP.

A report at the SANS website has raised alarms that attackers have learned to exploit the dangerous Shellshock bug, which makes any system running an unpatched version of the Bash shell vulnerable to attack, through SMTP email services. The InfoSec Handlers Diary Blog states, "I've received several reports of what appears to be shellshock exploit attempts via SMTP. The sources so far have all been webhosting providers, so I'm assuming these are compromised systems." The post shows an infected header.

According to the report, the payload is "… an IRC bot with simple DDoS commands and the ability to fetch and execute further code."

Yet one more reason to PATCH YOUR SYSTEMS…

Bugzilla Bug Allows Privilege Escalation

Bug-tracking tool lets the user set up an account without email verification.

Mozilla has announced vulnerabilities in the Bugzilla bug-tracking tool used by software developers around the world. The bug lets the attacker bypass email verification when setting up a new account. Instead of the system sending login information to the user by email, the user can log in directly.

This might not seem like a serious issue, but the real problem is that Bugzilla allows the admin to assign privileges based on email address. An attacker could simply use the email address of someone with a higher level of privilege and assume the higher privilege level. Circumventing email verification means the user never has to prove that the email address given when the account is created is correct.
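The underlying design mistake is deriving privilege from an attribute the user merely claimed. The following added example (not from the article and not Bugzilla's code) models an account store that grants groups from regular expressions on the e-mail address, in Bugzilla's style, but refuses to apply those rules until the address has been confirmed with a signed, expiring token. The group rules, addresses and token format are constructed for the demo; `groups_for_unchecked()` shows the failure mode for contrast.

```python
# Added example (not from the article or from Bugzilla's code base): a minimal account
# store that derives group membership from the e-mail address, Bugzilla style, but only
# once the address has actually been verified. Group rules, addresses and the token
# format are constructed for the demo.
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# Constructed rules: a regular expression on the account's e-mail grants a group.
GROUP_RULES = {
    "editbugs": r"^[^@]+@example\.org$",
    "admin": r"^admin@example\.org$",
}
TOKEN_TTL = 3600                         # seconds a confirmation link stays valid
SERVER_SECRET = secrets.token_bytes(32)  # per-process key for signing tokens


@dataclass
class Account:
    email: str
    verified: bool = False


def make_token(email, issued_at):
    """HMAC over the address and issue time; the mailed link carries both."""
    msg = f"{email}|{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


class AccountStore:
    def __init__(self):
        self.accounts = {}

    def request_account(self, email, now):
        """Create the account unverified and return the token that would be mailed
        to the claimed address, the only party able to complete the next step."""
        self.accounts[email] = Account(email)
        return make_token(email, now)

    def confirm(self, email, token, issued_at, now):
        """Mark the account verified only if the token matches and has not expired."""
        acct = self.accounts.get(email)
        if acct is None or now - issued_at > TOKEN_TTL:
            return False
        if not hmac.compare_digest(token, make_token(email, issued_at)):
            return False
        acct.verified = True
        return True

    def groups_for(self, email):
        """Hardened: an unverified address grants nothing, whatever it looks like."""
        acct = self.accounts.get(email)
        if acct is None or not acct.verified:
            return set()
        return {g for g, pat in GROUP_RULES.items() if re.match(pat, acct.email)}

    def groups_for_unchecked(self, email):
        """The failure mode: privileges flow from the merely *claimed* address."""
        acct = self.accounts.get(email)
        if acct is None:
            return set()
        return {g for g, pat in GROUP_RULES.items() if re.match(pat, acct.email)}


if __name__ == "__main__":
    store = AccountStore()
    t0 = 1_700_000_000
    token = store.request_account("admin@example.org", now=t0)
    print("unchecked:", store.groups_for_unchecked("admin@example.org"))  # already privileged
    print("checked  :", store.groups_for("admin@example.org"))            # empty
    store.confirm("admin@example.org", token, issued_at=t0, now=t0 + 60)
    print("after    :", store.groups_for("admin@example.org"))
```

The point of the split is that the verification step, not the regex, is the actual security boundary: whoever can read mail at the address can complete `confirm()`, and nobody else can, so group rules keyed on the address are only sound after that step.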

Patches for fixing the bug are available now through the Bugzilla website.

New SSL Attack Lets a Malicious Listener Steal Session Cookies

Researchers at Google have discovered a flaw in SSL 3 that allows "the plaintext of secure connections to be calculated by a network attacker."

The vulnerability, known as POODLE (Padding Oracle On Downgraded Legacy Extension), is a form of man-in-the-middle attack, in which the attacker injects malicious JavaScript into the victim's browser. The attack, which is especially dangerous for an insecure wireless network such as a coffee house or other public space, results in information disclosure. For example, the attacker can obtain session cookies from the target browser and use them to access the victim's online accounts.

SSL 3 is more than 18 years old and has long since been deprecated in favor of more advanced technologies, such as the heir-apparent TLS protocol, which is now the recommended replacement for SSL.

The real problem is that browsers and servers are often configured to negotiate an encryption protocol. If the highest level protocol isn't available, the server will allow a connection with a less secure alternative. The attacker can thus coax the target to use SSL 3 even if more secure options are available.

The POODLE problem is not something that is easily patched, and, given the fact that SSL 3 is obsolete anyway, experts are advising users, admins, and developers to disable it. Mozilla has announced that SSL 3 will be disabled by default in the Firefox 34 release, which is due in November.

According to the post at the Google Online Security blog, "…our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks."

The TLS_FALLBACK_SCSV indicator was created by Google and implemented for Chrome browsers. Mozilla has announced that it will implement TLS_FALLBACK_SCSV in Firefox in early 2015.
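To make the negotiation problem and the TLS_FALLBACK_SCSV fix concrete, here is an added simulation (not from the article, and not Google's or Mozilla's code) of the browser "downgrade dance" and of the check a server performs when it honors the signalling cipher suite value. The version list, the `Server`, `Attacker` and `connect()` models and the cipher suite names are simplifications, not a real TLS implementation; the server-side rule is the one from RFC 7507: a ClientHello carrying TLS_FALLBACK_SCSV at a version lower than the server's best is answered with an `inappropriate_fallback` alert.

```python
# Added example (not from the article, Google or Mozilla): a simulation of the browser
# "downgrade dance" that POODLE relies on and of the TLS_FALLBACK_SCSV check from
# RFC 7507 that stops it. Version names, the Server/Attacker classes and the fallback
# loop are simplified models, not a real TLS implementation.
from dataclasses import dataclass

VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]   # oldest to newest
TLS_FALLBACK_SCSV = "TLS_FALLBACK_SCSV"                  # signalling cipher suite value


class HandshakeFailure(Exception):
    """Server refused the handshake (a TLS alert, not a network error)."""


def rank(version):
    return VERSIONS.index(version)


@dataclass
class Server:
    supported: list            # protocol versions the server still accepts
    honors_scsv: bool = True   # whether it implements RFC 7507

    def hello(self, client_max, cipher_suites):
        """Process a ClientHello; return the negotiated version or raise an alert."""
        candidates = [v for v in self.supported if rank(v) <= rank(client_max)]
        if not candidates:
            raise HandshakeFailure("protocol_version")
        chosen = max(candidates, key=rank)
        # RFC 7507: a client advertising TLS_FALLBACK_SCSV says this is a retry at a
        # lower version. If we could have done better, something in between broke the
        # first attempt, so refuse rather than accept the downgrade.
        if self.honors_scsv and TLS_FALLBACK_SCSV in cipher_suites:
            if rank(max(self.supported, key=rank)) > rank(client_max):
                raise HandshakeFailure("inappropriate_fallback")
        return chosen


@dataclass
class Attacker:
    """On-path attacker (think open coffee-house Wi-Fi) who simply drops every
    ClientHello above the version he wants the victim to fall back to."""
    force_version: str

    def relay(self, server, client_max, cipher_suites):
        if rank(client_max) > rank(self.force_version):
            raise ConnectionResetError("ClientHello dropped by attacker")
        return server.hello(client_max, cipher_suites)


def connect(server, client_max="TLSv1.2", send_scsv=False, attacker=None):
    """Model of a 2014-era browser: after a *network* failure, retry one version
    lower, down to SSLv3. Returns (negotiated version or None, list of attempts)."""
    attempts = []
    idx = rank(client_max)
    while idx >= 0:
        version = VERSIONS[idx]
        cipher_suites = ["AES128-SHA"]               # placeholder suite list
        if send_scsv and idx < rank(client_max):
            cipher_suites.append(TLS_FALLBACK_SCSV)  # mark this hello as a fallback retry
        try:
            if attacker is not None:
                negotiated = attacker.relay(server, version, cipher_suites)
            else:
                negotiated = server.hello(version, cipher_suites)
            attempts.append((version, "ok"))
            return negotiated, attempts
        except ConnectionResetError:
            attempts.append((version, "dropped"))
            idx -= 1                                 # the downgrade dance
        except HandshakeFailure as alert:
            attempts.append((version, str(alert)))
            return None, attempts                    # a real alert ends the retries
    return None, attempts


if __name__ == "__main__":
    legacy = Server(supported=VERSIONS)              # still offers SSLv3
    mitm = Attacker(force_version="SSLv3")
    print("no SCSV   :", connect(legacy, attacker=mitm))
    print("with SCSV :", connect(legacy, send_scsv=True, attacker=mitm))
    print("SSLv3 off :", connect(Server(supported=VERSIONS[1:]), attacker=mitm))
```

Run it and the three cases line up with the article: a legacy server plus a fallback-happy client ends up on SSLv3 after three dropped hellos; the same client sending TLS_FALLBACK_SCSV on its retries gets an `inappropriate_fallback` alert instead of a downgraded session; and a server with SSLv3 disabled outright never lands on it, which is why disabling SSL 3 and deploying the SCSV are complementary rather than alternatives.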

IBM Stops Making Chips

IBM announced that it is exiting the chip manufacturing business with the sale of its existing chip-making unit to GlobalFoundries. The sale will include IBM's manufacturing plants in East Fishkill, New York, and Essex Junction, Vermont. The word "sale" is used loosely in this case, because IBM is actually giving GlobalFoundries $1.5 billion to take over the struggling manufacturing.

IBM views itself as an enterprise software and system integration company. Recent initiatives have pumped funding into cloud computing and new-age artificial intelligence solutions, such as the famous Watson project. The company sold its enterprise server business to Lenovo, and the chip business has become increasingly orphaned and overshadowed beneath higher priorities of IBM's vast high-tech empire. By handing the chip unit to a company with a tighter focus on chip manufacturing, IBM places the unit in a better position to succeed with the new generation of mobile and Internet of Things technologies.

Interestingly, IBM does not see the move as an exit from the chip business, only from the headaches of manufacturing. The company will continue to invest in semiconductor research and will presumably license its new chip to other companies, mirroring the model of ARM and the hugely popular RISC chip series.

GlobalFoundries was created in 2008 as a spinoff of AMD with funding from the Advanced Technology Investment Company.

Microsoft Goes ARM

Microsoft is reportedly working on an ARM version of Windows Server. According to a Bloomberg report, Redmond has a test version of Windows Server that is already running on ARM-based processors. An unidentified source reports that the software giant hasn't decided yet whether to make the ARM version available commercially.

Windows has traditionally run on Intel-equivalent processors, and in fact, the partnership between Microsoft and Intel is what rocketed the two companies to the top of their respective markets in the first place. The step of branching out into the ARM family is thus a major development, but one that could have been predicted based on the evolution of the chip industry. ARM chips, which have long been popular in the mobile space, are gaining ground in the competition for enterprise and cloud server systems due to their low power usage.

The power supply is often a major limiting factor for data centers and high-performance clusters.

Although this development is certainly a setback for Intel, it is a little early to feel sorry for them, because they still control well over 90% of the overall server market.

Linus Addresses Criticism for Harsh Language

Linux founder and kernel honcho Linus Torvalds took the stage recently at the Linux + CloudOpen conference in Düsseldorf, Germany. The Q&A session was moderated by Intel Linux chief Dirk Hohndel and also included questions from the audience. Much of the session focused on the kernel development process, the role of maintainers, and the need for more and better testing for the 10,000 packages submitted with each new kernel release cycle.

Some of the commentary, however, seemed to be in response to the recent, well-publicized remarks from kernel developer Lennart Poettering, who questioned the combativeness of the kernel development process and blamed Torvalds for setting a tone of disrespect. When asked about his biggest regret over his years as the top kernel maintainer, Linus replied that he had no technical regrets; however, "the problems tend to be alienating users and developers, and I'm pretty good at that."

Linus seemed conciliatory in acknowledging the criticism of his harsh tone; however, he also offered justification, adding "On the Internet, no one can hear you be subtle."

Those who prefer the high-stress and strong language of the kernel development community needn't worry that Linus will change his approach anytime soon. The interview also included the following exchange:

Linus: What really matters is people are involved with creating the best technology we can.

Hohndel: And what's important is they enjoy being called monkeys on crack?

Linus: Some people do. There is a certain amount of Stockholm syndrome. When you abuse somebody enough, they start liking it.

Torvalds added that he was joking; however, it is likely that those who call for more civility will not find levity in the casual comparison of kernel developers to hostages under duress. The complete interview is available online at the site.
