Article from Issue 172/2015

Updates on Technologies, Trends, and Tools

More online

Linux Pro Online * <U><U>

Off the Beat * Bruce Byfield

Coming Attractions for 2015 Last year at this time, I was waiting for Vivaldi, the free-licensed KDE tablet, to go into production. That never happened, and free software is worse off for Vivaldi's disappearance. But, undaunted, I find myself looking ahead once again to three of the events likely to have a major influence on free software in the next 12 months.

Improving on Bug Reports There's nothing like the comments to justify an article. After I wrote about the average user's difficulty with filing bugs, the responses came rapidly.

Why I Rarely File Bug Reports "Any chance of a bug report?" a developer asked when I mentioned a problem with an application on social media. As a free software supporter, I felt an obligation to oblige, but in practice, the chance was slim.

Productivity Sauce * Dmitri Popov

Add Desktop Notifications to Shell Scripts with notify-send Monitoring a running shell script usually means keeping an eye on the terminal window. Obviously, that's not the most productive way to spend your time, so instead of staring at the terminal, you can equip shell scripts with desktop notifications that give you visual feedback when specific events occur. The Simplest Flashcard Tool Consisting of merely 40 lines of code, the Bash script is hands down the most simple and lightweight flashcard tool out there.

Push Files from Android Using Send With FTP Although Android file managers like Ghost Commander can be used to transfer files and documents to a remote FTP server, the Send With FTP app provides a more elegant way to do this.


Nmon: All-Purpose Admin Tool * Jeff Layton

The most common issue users have is poor or unexpected application performance. In this case, you need a simple tool to help you understand what's happening on the nodes: nmon.

ADMIN Online * <U><U>

Security Data Analytics and Visualization with R * Russ McRee

Conduct improved security analysis and visualization of security-related data using R, a scripting language for statistical data manipulation and analysis.

Coming to Grips with grep * Chris Binnie

Now is the time to re-examine and consider again the power of grep and its relatives.

TGXf Project Warns of File Transfer Through Screen Pixels

Ian Latter, of the Through Glass Transfer project (TGXf), presented a paper at the Kiwicon conference describing a technique for clientless data transfer through pixels on a standard display monitor.

The TGXf project provides a suite of tools intended to debunk the myth that data transfer requires some form of network communication that is detectable by monitoring network traffic. Some security standards, such as the US HIPAA medical records standard, make a distinction between records that can be transmitted over the network and records that should only be used on an isolated system. The TGXf project considers this distinction irrelevant, and they have developed tools to prove it.

The TGXf protocol transfers data by outputting QR codes to the screen. A simple HDMI recorder, or even a smartphone, can capture the screen output and analyze it later to recover the file. Of course, the system must be compromised to produce the QR-coded screen output, but the important thing is, no trace of the data transfer is left behind, and no server/client communication reveals that the data transfer is taking place.

The TGXf project offers other alternatives for this clientless data transfer, including ThruKeyboardXfer (TKXf), which captures keyboard output through an Arduino board attached to a USB port.

The TGXf techniques do require physical access to the system, but they circumvent all common security measures. According to the TGXf website, the problems revealed through the TGXf project do not even have Common Vulnerabilities and Exposures IDs, because they aren't actually vulnerabilities; rather, they represent "a flaw in the end-to-end architecture."

Industry Giants Announce a Fix for the Password Mess

The FIDO (Fast IDentity Online) Alliance has announced the final drafts of its 1.0 specifications for next-generation authentication technology. The two specifications are the Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F).

The FIDO Alliance is a consortium of high-tech and online banking companies that have combined forces to solve the problem of replacing the outdated, hopelessly insecure, username/password paradigm for network authentication. According to FIDO, passwords play a role in up to 76% of all security breaches. The goal of the alliance is to create a universal, open standard for two-factor authentication and other strong authentication techniques that will support interoperability among software systems and network services. Alliance members include Google, Microsoft, Lenovo, Samsung, BlackBerry, and ARM Holdings, as well as credit giants such as Bank of America, MasterCard, Discover Financial Services, and PayPal.

The new specifications provide a roadmap for developing and implementing strong authentication systems. FIDO members have agreed not to enforce any patents related to technologies used in the specifications. According to FIDO president Michael Barrett, "Today, we celebrate an achievement that will define the point at which the old world order of passwords and PINs started to wither and die."

Intel Unveils Compute Stick

As expected, this year's CES show in Las Vegas bubbled with a new generation of wearables and other mobile-Internet gadgets, with every vendor claiming a "breakthrough" that would bring forth a revolution in tech.

One development that could prove important to the Linux community was the Intel Compute Stick. The Compute Stick is a whole personal computer on a stick – not just an operating system you plug into a home PC. It is a PC, with a quad-core 1.33GHz Atom processor, wireless networking, on-board storage, USB 2.0 and MicroUSB, Bluetooth 4.0, and a microSD card slot for adding more storage capacity. Intel says the Compute Stick will provide "… everything you love about your desktop computer in a device that fits in the palm of your hand."

Putting the operating system and working files on a USB stick, so you can plug it into any personal computer to boot a familiar system, has become quite common in the Linux community. The Compute Stick takes this paradigm a step further. You can plug the Compute Stick into any HDMI display device to transform the display into a full computer system.

Processor-on-a-stick systems have existed for some time, but a more-or-less complete system, with onboard storage and Intel marketing clout could be an important development.

The Compute Stick comes with either Windows 8.1 or Linux Ubuntu Linux 14.04 LTS. The Linux version sells for only $89 – significantly less than the $149 for the Windows model. Before you celebrate the economy of free software, however, note that the Ubuntu model comes with less RAM (1GB vs. 2GB for Windows) and less storage (8GB vs. 32GB for Windows).

Technologies like the Compute Stick could provide additional mobility for users who aren't interested in throwing their whole life into the cloud and prefer the benefits of local computing and storage. Intel is still awaiting FCC approval to release the Compute Stick to the public. The stick should go on sale in 2015 – some industry experts estimate by March or April.

Obama Proposes Personal Data Notification Law

President Obama proposed new legislation that would standardize rules for companies reporting credit card compromise to their customers. The "Personal Data Notification and Protection Act (if enacted by Congress) would require that companies inform their customers within 30 days after discovering an attack.

In the United States, statutes related to reporting cybercrime are typically defined at the state level, meaning that the country has a confusing muddle of different laws with different requirements and protections.

The situation is especially confusing for a consumer doing business with a company in another state. The law proposed by the president would provide uniform requirements for consumer protection.

Some consumer advocates have pointed out that, although the law would raise the notification requirements for several states, for other states, the federal law will be less strict than laws already in place. The intent of the law is apparently to set a minimum that would then allow states to set stricter requirements, but some advocates are waiting for the details before voicing support for the initiative.

President Obama also proposed the Student Data Privacy Act, which would restrict the ability of technology companies to profit from data mining of students using Internet-connected devices in educational settings.

Intel Releases New Chip Series

Intel used the occasion of the annual Consumer Electronics Show (CES) in Las Vegas to announce the next generation of mainstream PC processors. The company has been dropping hints and previews about the "Broadwell" chip series for some time, but, after many delays, the new series has finally arrived.

Intel presented 14 different Broadwell series chips for a range of laptop and desktop uses. The new chips are smaller in size than previous versions, but Intel is most excited about faster performance and longer battery life. The new chips will have 30% more battery life, which, Intel says, will translate to 90 minutes of additional playing time for video files. Faster performance will lead to better boot times and more efficient rendering of 3D graphics.

Despite Intel's claim that the latest release represents a "new generation" in chip design, the Broadwell chips appear to be a refined and improved version of the previous "Haswell" chips. The still more innovative and experimental "Skylake" series chips are set to appear later in 2015.

Fedora 21 Released

The Fedora project has announced the release of Fedora 21. Fedora is a community-based distro sponsored by Red Hat that often serves as a test bed for new technologies that will one day be part of Red Hat Enterprise Linux. Fedora Project Leader Matthew Miller calls Fedora 21 a "game-changer for the Fedora project."

The new release reflects the principles of the initiative, which was intended to chart a course for the next 10 years of Fedora development. Fedora 21 comes in three flavors: Server, Workstation, and Cloud. Each flavor builds upon a common "base" set of packages and adds additional functionality targeted to the use case. The Server edition comes with several new system management features and includes rolekit , a "role deployment and management toolkit that provides a consistent interface to administrators to install and configure all the packages needed to implement a specific server role." The Workstation edition includes the Wayland display technology and provides improvements to the installer and terminal application. The DevAssistant tool provides a fast and simple means for developers to configure different programming environments.

The Cloud edition includes built-in support for OpenStack and Docker. The cloud version is smaller and lighter than other editions and excludes packages such as hardware drivers that aren't necessary for operating in the cloud. Fedora 21 is also the first release to offer an image tailored for Red Hat's Project Atomic, which provides a streamlined operating system intended to run in virtual containers.

Turla Malware Variant Targets Linux

Researchers at Kaspersky have uncovered a Linux variant of the powerful Turla malware family, one of the most technically advanced trojans ever discovered. Turla has been around for several years, but previously known versions only attacked 32- and 64-bit Windows systems.

The fact that the Linux version seems to have existed in the wild for at least four years without discovery is further evidence of the sophisticated nature of Turla, which is thought to have been created by a spy agency with the backing of a nation-state.

According to the blog post, Turla hides on the victim's computer until activated through a "magic packet for authentication" consisting of a numerical value ("magic number") and an existing network interface name. Once activated, the code is able to receive communication over the network and execute arbitrary commands on the system even if it doesn't have elevated access privileges, thus circumventing the entire Linux security structure. The process is not detectable through standard process management tools like netstat.

The version examined at Kaspersky is hard-coded to communicate with the domain or the IP address . One way to detect the trojan is to watch for communication with these sites, but of course, modified versions of the code could easily point to different places. Ars Technica points out that investigators could also build a profile using the YARA malware detection tool to search for evidence of an attack.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More