tech

  • NTP updated to counter attacks

    It’s that time of year again when summer daylight saving time has just ended in Europe and the developers of the NTP time synchronisation service are responding to a series of new attacks with an update, German IT news site heise reports. With these attacks, communication between servers and clients can be manipulated so that the clients receive the incorrect time or no time at all.

    The reference implementation of the NTP time server service is now version 4.2.8p4, with which the developers have closed 13 security holes, including a series of vulnerabilities which four Boston University researchers describe in detail in a research paper (PDF). The researchers succeeded in finding several ways of attacking the time service, including preventing clients of the service from using it, also known as a Denial of Service (DoS) attack and providing them with the wrong time under certain circumstances.

    NTP is used to synchronise the local clocks of all kinds of computers via the network. Various providers make different servers available which a client can query for the current clock time. Nearly all modern operating systems adjust this unnoticed in the background. Nevertheless, there have been attacks in the past on software implementations of this system and on the NTP protocol itself.

    Kiss of death

    Two of the new attacks are characterised mainly by the fact that the attacker does not need to hook up to the connection between client and server as a “man in the middle”. Both kinds of DoS attack take advantage of the so-called “Kiss o’ Death” (KoD) packet to cripple communication between the client and server. The KoD packet tricks the client into thinking that an NTP server is very busy or overloaded and that the client should send fewer queries.

    Attackers can now fake packets for all services which a client normally queries for its time, and do so in such a way that the client doesn’t update its internal clock for months or even years on end. The elegant thing about this hack is that the attacker only needs to send very few packets. In the second attack described by the researchers, the attacker must fake many client requests and thus force the server to silence the client with KoD packets. This also results in the client no longer updating its clock.

    Both holes (CVE-2015-7704 and CVE-2015-7705) have been plugged in the new version of NTP.
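    As an added illustration (not code from heise, the researchers or the NTP project), the Python sketch below shows the client-side check that makes a blindly sent KoD detectable: a reply is only honoured if its origin timestamp echoes the transmit timestamp of the client's own outstanding query. The function names and sample packets are constructed for this example, and the page does not state how ntpd 4.2.8p4 implements its fix.

```python
import struct

# Kiss codes that tell a client to slow down or stop querying (RFC 5905).
KISS_CODES = {b"RATE", b"DENY", b"RSTR"}

def parse_ntp(packet):
    """Unpack the NTP header fields needed for the KoD sanity check."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    li_vn_mode, stratum, poll, _precision = struct.unpack("!BBbb", packet[:4])
    (origin,) = struct.unpack("!Q", packet[24:32])  # echo of our transmit timestamp
    return {"mode": li_vn_mode & 0x7, "stratum": stratum, "poll": poll,
            "refid": packet[12:16], "origin": origin}

def classify_reply(packet, sent_transmit_ts):
    """Decide what a client should do with a reply to its outstanding query.

    sent_transmit_ts is the 64-bit transmit timestamp the client put in its
    own request; an off-path sender cannot see it, so it cannot echo it.
    """
    f = parse_ntp(packet)
    if f["mode"] != 4:                      # only server-mode replies are valid
        return "rejected"
    echoed = sent_transmit_ts != 0 and f["origin"] == sent_transmit_ts
    if f["stratum"] == 0:                   # stratum 0 marks a Kiss o' Death
        if not echoed:
            return "kod-spoofed"            # log it, do not back off
        return "kod-accepted" if f["refid"] in KISS_CODES else "rejected"
    return "time" if echoed else "rejected"

def build_reply(stratum, refid, origin, poll=6):
    """Constructed 48-byte sample reply (VN=4, mode=4) for the demo below."""
    return struct.pack("!BBbb II 4s QQQQ", 0x24, stratum, poll, -20,
                       0, 0, refid, 0, origin, 0, 0)

if __name__ == "__main__":
    t1 = 0xDA5E12340000ABCD                 # constructed transmit timestamp
    samples = {
        "genuine time reply": build_reply(2, b"\xc0\x00\x02\x01", t1),
        "genuine KoD (RATE)": build_reply(0, b"RATE", t1),
        "blind KoD, origin 0": build_reply(0, b"RATE", 0, poll=17),
    }
    for name, pkt in samples.items():
        print(f"{name:22s} -> {classify_reply(pkt, t1)}")
```

    A monitoring hook on the "kod-spoofed" branch gives operators a signal that someone is trying to silence the client, rather than a clock that quietly stops updating.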

    Time shift

    With 2 further attack methods the researchers succeeded in foisting incorrect clock times on clients. Clients should normally ignore times which differ by more than 1,000 seconds from their system time – the so-called “Panic Threshold”. However, in many configurations this does not apply to NTP queries sent immediately after a reboot of the client. Their system times can therefore be manipulated almost at will if they can be forced to reboot. With such a manipulation, cryptographic operations can be tampered with or DoS attacks conducted on the software running on the client.

    The intentional fragmentation of IPv4 packets can also be abused to confound a client’s time queries and foist an incorrect time on it. However, this method is very fiddly and the researchers did not want to test it in the wild since it uses the techniques of the decades-old Teardrop attacks and can crash old operating systems. This problem with overlapping TCP/IP packets is not a specific error of the NTP protocol, but of the underlying operating systems.

    Admins should patch NTP

    The Boston University researchers discovered the security holes on 20th August. Their paper has only been published now to give the NTP developers time to plug the holes. The researchers are recommending that admins running NTP servers update them as quickly as possible to version 4.2.8p4.

    Reposted from Bristol Wireless.

  • Alliterative Linux

    The Ubuntu Linux distribution is well known for its use of alliteration in the naming of its releases.

    This convention dates back to the release of version 5.04 which bore the name “Hoary Hedgehog”.

    The latest in the series has just been announced: Softpedia reported yesterday that Ubuntu 16.04 LTS will be named Xenial Xerus.

    What’s a Xerus and how is it xenial?

    Wikipedia informs us that the genus Xerus is better known as African ground squirrels. These squirrels form a taxon of squirrels under the subfamily Xerinae and are only found in Africa. A family group of 3 Xerus inauris or Cape Ground Squirrel is shown to the left of this paragraph.

    There are four species of African ground squirrels divided into three subgenera.

    The subgenus Euxerus is made up of the Striped Ground Squirrel, Xerus erythropus, which lives in south-western Morocco, southern Mauritania and Senegal.

    The subgenus Geosciurus consists of 2 species:

    1. Cape Ground Squirrel, Xerus inauris (also called South African Ground Squirrel), native to Namibia, Botswana, Zimbabwe, South Africa; and
    2. Damara Ground Squirrel, Xerus princeps, native to south-western Angola and Namibia.

    The subgenus Xerus also consists of just one species, the Unstriped Ground Squirrel, Xerus rutilus, whose home range is from north-eastern Sudan to north-eastern Tanzania.

    As for xenial, that’s a great word whose definition is:

    1. Hospitable, especially to visiting strangers or foreigners.
    2. Of the relation between a host and guest; friendly.

    In addition, Dictionary.com informs us that the word originates from the Greek xenía, meaning hospitality.

    However, if you want your computing to be powered by a hospitable African ground squirrel, you’ll have to wait until next April!

  • LibreOffice 5.1 – first bug hunting session announced

    Writing on The Document Foundation blog, Italo Vignoli has announced that a bug hunting session will take place from 30th October to 1st November for LibreOffice 5.1, the next planned major release of this popular open source office productivity suite.


    Over those 3 days, volunteers and members of the LibreOffice community will check the first alpha of LibreOffice 5.1 for bugs and flaws.

    On those dates, mentors will be available on the QA IRC channel and via email on the QA mailing list from 08.00 a.m. UTC to 10.00 p.m. UTC to help less experienced volunteers to triage bugs.

    People who cannot participate in the bug hunting session are always welcome to help chase bugs and regressions when they have time. There will be a later bug hunting session in December this year to test LibreOffice 5.1 Release Candidate 1.

    Additional information on bug hunting is available on The Document Foundation wiki.

  • A world without Linux – episode 1

    Below is the first of what will be a series of videos seeking to depict what the world would be like had Linus Torvalds not released his kernel 24 years ago, with that kernel then being combined with the tools produced by the GNU project to create a powerful and reliable operating system.

    A World Without Linux is a web series that flips this reality on its head to illustrate entertainingly just how pervasive Linux is today.

    The video itself reminds your correspondent of how much time he used to spend doing work research in reference libraries before the advent of the internet: now the internet comes to him, which is much more convenient. 🙂

    Linux is the world’s largest collaborative project in the history of computing. It runs most of the world’s technology infrastructure and is supported by more developers and companies than any other platform. It’s everywhere – from your phone to your car and your office. It also powers the internet, the cloud, the world’s stock exchanges, supercomputers, embedded devices and more.

    Reposted from Bristol Wireless.

  • Linux kernel is 24 years young on Monday

    Although Linus Torvalds, the originator of the Linux kernel, announced his initial work on the kernel on 25th August 1991, it was not until 5th October 1991 that Linus actually released his code: Linux kernel 0.01.

    Linus Torvalds in combative mood

    With this October anniversary in mind, it’s worth taking a bit of time to review what’s changed in the kernel over the intervening years.

    Version 0.01 of the kernel had 10,293 lines of code. In contrast, version 4.1, released in July 2015, has more than 19 million lines of code, according to Phoronix. That’s quite spectacular!

    The current Linux kernel is the result of one of the largest collaborative projects ever attempted and since tracking began 10 years ago, more than 10,000 developers working from more than 1,200 companies have contributed to the kernel.

    Furthermore, the speed of Linux kernel development is breathtaking. The average number of changes accepted into the kernel per hour is 7.71, equivalent to 185 changes every day and nearly 1,300 per week.

    This rapid development and collaboration have been a spur to others. Writing yesterday on the Linux Foundation blog, Jennifer Cloer states: “In recent years, the powerful growth of the Linux kernel and resulting innovation has inspired others to adapt the principles, practices and methodologies that makes Linux so successful to solve some of today’s most complex technology problems,” and, “We’ve learned so much from Linux and have no doubt that learning will continue.”

    Originally posted on Bristol Wireless.

  • ODF is a “financial and social responsibility”

    The Dutch government wants to accelerate the adoption of Open Document Format by the country’s public sector according to a press release by the government’s Standardisation Board.

    On behalf of the government, the Standardisation Board is determined to speed up ODF’s adoption throughout the government.

    This was one of the most important announcements made at the 11th ODF Plugfest held in The Hague, where a group of international developers, EU policy-makers, digital archivists, academics and other experts assembled to discuss the Open Document Format, an XML-based file format for spreadsheets, charts, presentations and word processing documents that was developed with the aim of providing an open, XML-based file format specification for office applications.

    “In view of its extent, the public sector is an important stakeholder when a sound future for office applications is involved”, says Steven Luitjens, the director of Logius, the largest operational IT organisation within the Dutch government. “It is our financial and social responsibility to bring about an improvement. We are therefore increasing our efforts in the Netherlands. We want to play an important role in the huge transition from commercial productivity packages to better, bespoke solutions based on open standards which lies ahead of governments and the private sector.”

    ODF is top priority

    “The need to adopt ODF speaks for itself,” says Nico Westpalm van Hoorn, Chairman of the Standardisation Board, which is concerned with the choice of IT standards for the government. “However, the adoption is proceeding too slowly. ODF is therefore our top priority”.

  • LibreOffice 5.0.2 announced at LibreOffice Conference

    To underline the importance of the event for the community, The Document Foundation (TDF) has today announced the release of LibreOffice 5.0.2 during the opening session of the 2015 LibreOffice Conference in Aarhus, which runs until Friday 25th September.

    LibreOffice 5.0.2 is the second minor release of the LibreOffice 5.0 family, with a large number of fixes over the first minor (5.0.1) release announced in August. Based on feedback from the marketplace, the LibreOffice 5.0 family has so far proved the most popular LibreOffice release ever.

    LibreOffice 5.0.2 will offer OpenGL rendering by default on Windows for the first time for those with the very latest Windows drivers. In the event of problems, this functionality is easy to disable by accessing Tools > Options.

    LibreOffice 5.0.2 is aimed at technology enthusiasts, early adopters and power users. For more conservative users and for enterprise deployments, TDF recommends the “still” version: LibreOffice 4.4.5. For commercial deployments, The Document Foundation recommends the backing of professional support by certified people.

    People interested in technical details about the release can access the change logs via the following links: bugs fixed in RC1 and bugs fixed in RC2.

    LibreOffice 5.0.2 is available for immediate download from http://www.libreoffice.org/download/.

  • FSFE elects new top officials

    Matthias Kirschner and Alessandro Rubini are the new President and Vice-President respectively of the Free Software Foundation Europe (FSFE). They were elected last week in Bucharest during FSFE’s General Assembly, while Reinhard Müller was re-elected as Financial Officer. They will serve FSFE in those capacities for the next 2 years.

    Matthias Kirschner has been an FSFE employee since 2009. He started using GNU/Linux in 1999 and realised that software is deeply involved in all aspects of our lives. Matthias is convinced that this technology has to empower society rather than restrict it. While studying Political and Administrative Science, he convinced the FSFE to accept him as its first intern in 2004. Since then he has been helping other organisations, companies and governments to understand how they can benefit from Free Software and how those rights help to support freedom of speech, freedom of the press and privacy.

    Alessandro Rubini is an electronic engineer and holds a Ph.D. in computer science. He was an early Linux adopter, installing Linux 0.99.14, is an active Free Software user and developer, and author of the book “Linux Device Drivers”. After his doctorate, he left the university as he did not want to just write academic papers and now works as an independent consultant in the industrial use of GNU/Linux, mainly on device drivers and embedded systems as well as on micro-controllers and PCB design. Recently he has been working with CERN within the White Rabbit project, aimed at sub-nanosecond synchronisation of I/O cards. One reason he enjoys working with CERN is the organisation’s policy of releasing all their work as Free Software and Free Hardware.

    Alessandro was previously a member of the Free Software Foundation Europe from 2001 to 2006 and recently rejoined. He felt that FSFE is the right place for positive and constructive discussions about Free Software.

    “I am happy to welcome both Matthias and Alessandro to their new roles,” says Executive Director Jonas Öberg, “both have been instrumental in shaping the organisation into its current form and I look forward to the expertise they will bring as we go about empowering users to control technology.”

    Reposted from Bristol Wireless.

  • Tomorrow is Software Freedom Day 2015

    Besides being International Talk Like a Pirate Day, 19th September 2015 is also a date for the diaries of people advocating free and open source software; it’s Software Freedom Day 2015.

    The idea of Software Freedom Day (SFD) is for everyone without a vested interest in proprietary software to unite and educate the world about the ideals of Software Freedom and the practical benefits of Free Software. August 28th 2004 was the first ever Software Freedom Day and was initiated by a group of FOSS believers – Matt Oquist, Henrik Omma and Phil Harper – with the idea of distributing The OpenCD – a collection of free and open source software for Windows – to everyone.

    SFD has since extended around the world with events being organised on every continent.

    Why is software freedom important?

    The United Nations’ Universal Declaration of Human Rights is a set of basic human rights that most people would agree would be a bare minimum. Not often are our basic rights thought of in the context of technology, but as more and more our lives are dependent on technology, it is a rapidly growing concern. Technologies that matter to our freedom are used in our voting systems, our leisure, our work, education, art and our communication. What does this mean to you? It means that the basic human freedoms you take for granted are only as free as the technologies you use.

    Transparent and sustainable technologies are vital to ensuring we can protect our freedoms.

    Think about any software you use every day that is proprietary and then consider that you can’t be sure what it is actually doing. Does your email system send copies of your mail to a third party? Is your web browser logging and automatically sending your browsing history to someone?

    As more and more of the world’s population starts using technology, getting online and developing the next major life-changing event of the future (such as the internet was for many of us), ensuring open, transparent and sustainable approaches are considered best practice is important; i.e. important to a future where technology empowers everyone equally, where knowledge is forever and where our basic human freedoms are strengthened, not hampered, by technology.

    Reposted, with some edits, from Bristol Wireless.
