
LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

[$] LWN.net Weekly Edition for October 19, 2017

Thursday 19th of October 2017 01:20:51 AM
The LWN.net Weekly Edition for October 19, 2017 is available.

[$] KRACK, ROCA, and device insecurity

Wednesday 18th of October 2017 10:21:26 PM

Monday October 16 was not a particularly good day for those who are even remotely security conscious—or, in truth, even for those who aren't. Two separate security holes came to light; one probably affects almost all users of modern technology. The other is more esoteric at some level, but still serious. In both cases, the code in question is baked into various devices, which makes it more difficult to fix; in many cases, the devices in question may not even have a plausible path toward a fix. Encryption has been a boon for internet security, but both of these vulnerabilities have highlighted that there is more to security than simply cryptography.

Tips to Secure Your Network in the Wake of KRACK (Linux.com)

Wednesday 18th of October 2017 07:21:31 PM
Konstantin Ryabitsev argues on Linux.com that WiFi security is only a part of the problem. "Wi-Fi is merely the first link in a long chain of communication happening over channels that we should not trust. If I were to guess, the Wi-Fi router you’re using has probably not received a security update since the day it got put together. Worse, it probably came with default or easily guessable administrative credentials that were never changed. Unless you set up and configured that router yourself and you can remember the last time you updated its firmware, you should assume that it is now controlled by someone else and cannot be trusted."

[$] Achieving DisplayPort compliance

Wednesday 18th of October 2017 03:55:40 PM

At the X.Org Developers Conference, hosted by Google in Mountain View, CA September 20-22, Manasi Navare gave a talk about her journey learning about kernel graphics on the way to achieving DisplayPort (DP) compliance for Intel graphics devices. Making that work involved learning about DP, the kernel graphics subsystem, and how to do kernel development, as well. There were plenty of details to absorb, including the relatively new atomic mode setting support, the design of which was described in a two-part LWN article.

Ruiz: Fleet Commander: production ready!

Wednesday 18th of October 2017 03:34:18 PM
Alberto Ruiz announces that Fleet Commander is ready for production use. "Fleet Commander is an integrated solution for large Linux desktop deployments that provides a configuration management interface that is controlled centrally and that covers desktop, applications and network configuration. For people familiar with Group Policy Objects in Active Directory in Windows, it is very similar."

Stable kernel updates

Wednesday 18th of October 2017 03:33:13 PM
Greg Kroah-Hartman has released stable kernels 4.13.8, 4.9.57, 4.4.93, and 3.18.76. All of them contain important fixes and users should upgrade.

Security updates for Wednesday

Wednesday 18th of October 2017 03:27:17 PM
Security updates have been issued by Arch Linux (kernel, linux-hardened, and linux-zen), CentOS (wpa_supplicant), Debian (xorg-server), Fedora (selinux-policy), Gentoo (libarchive, nagios-core, ruby, and xen), openSUSE (wpa_supplicant), Oracle (wpa_supplicant), Red Hat (Red Hat Single Sign-On, rh-nodejs6-nodejs, rh-sso7-keycloak, and wpa_supplicant), Scientific Linux (wpa_supplicant), SUSE (git, wpa_supplicant, and xen), and Ubuntu (xorg-server, xorg-server-hwe-16.04, xorg-server-lts-xenial).

ACME Support in Apache HTTP Server Project

Tuesday 17th of October 2017 06:37:58 PM
Let's Encrypt has announced that Automatic Certificate Management Environment (ACME) protocol support is being integrated into the Apache HTTP Server (httpd). "ACME support being built in to one of the world’s most popular Web servers, Apache httpd, is great because it means that deploying HTTPS will be even easier for millions of websites. It’s a huge step towards delivering the ideal certificate issuance and management experience to as many people as possible."

[$] A comparison of cryptographic keycards

Tuesday 17th of October 2017 03:33:22 PM
An earlier LWN article showed that private key storage is an important problem to solve in any cryptographic system and established keycards as a good way to store private key material offline. But which keycard should we use? This article examines the form factor, openness, and performance of four keycards to try to help readers choose the one that will fit their needs.


Security updates for Tuesday

Tuesday 17th of October 2017 03:22:39 PM
Security updates have been issued by Arch Linux (flashplugin, hostapd, lib32-flashplugin, and wpa_supplicant), Debian (sdl-image1.2), Fedora (curl, openvswitch, weechat, and wpa_supplicant), openSUSE (GraphicsMagick, kernel, mbedtls, and wireshark), Red Hat (flash-plugin), and Ubuntu (wpa).

Green: Falling through the KRACKs

Tuesday 17th of October 2017 01:19:24 PM
Matthew Green explores the origins of the KRACK vulnerability. "I don’t want to spend much time talking about KRACK itself, because the vulnerability is pretty straightforward. Instead, I want to talk about why this vulnerability continues to exist so many years after WPA was standardized. And separately, to answer a question: how did this attack slip through, despite the fact that the 802.11i handshake was formally proven secure?"

[$] Point releases for the GNU C Library

Monday 16th of October 2017 10:45:31 PM
The GNU C Library (glibc) project produces regular releases on an approximately six-month cadence. The current release is 2.26 from early August; the 2.27 release is expected at the beginning of February 2018. Unlike many other projects, though, glibc does not normally create point releases for important fixes between the major releases. The last point release from glibc was 2.14.1, which came out in 2011. A discussion on the need for a 2.26 point release led to questions about whether such releases have a useful place in the current software-development environment.

DragonFly BSD 5.0

Monday 16th of October 2017 08:43:18 PM
DragonFly BSD 5.0 has been released. "Preliminary HAMMER2 support has been released into the wild as-of the 5.0 release. This support is considered EXPERIMENTAL and should generally not yet be used for production machines and important data. The boot loader will support both UFS and HAMMER2 /boot. The installer will still use a UFS /boot even for a HAMMER2 installation because the /boot partition is typically very small and HAMMER2, like HAMMER1, does not instantly free space when files are deleted or replaced. DragonFly 5.0 has single-image HAMMER2 support, with live dedup (for cp's), compression, fast recovery, snapshot, and boot support. HAMMER2 does not yet support multi-volume or clustering, though commands for it exist. Please use non-clustered single images for now."

Millions of high-security crypto keys crippled by newly discovered flaw (Ars Technica)

Monday 16th of October 2017 03:21:04 PM
Ars Technica is reporting on a flaw in the RSA key-generation library developed by Infineon that drastically reduces the amount of work needed to derive a private key from its corresponding public key. This flaw, dubbed "ROCA", mainly affects key pairs that were generated on-device by that library, as keycards, smartcards, and TPMs do. "While all keys generated with the library are much weaker than they should be, it's not currently practical to factorize all of them. For example, 3072-bit and 4096-bit keys aren't practically factorable. But oddly enough, the theoretically stronger, longer 4096-bit key is much weaker than the 3072-bit key and may fall within the reach of a practical (although costly) factorization if the researchers' method improves. To spare time and cost, attackers can first test a public key to see if it's vulnerable to the attack. The test is inexpensive, requires less than 1 millisecond, and its creators believe it produces practically zero false positives and zero false negatives. The fingerprinting allows attackers to expend effort only on keys that are practically factorizable. The researchers have already used the method successfully to identify weak keys, and they have provided a tool here to test if a given key was generated using the faulty library. A blog post with more details is here."
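The "inexpensive test" mentioned in the quote works because of the structure of the flawed primes. The Infineon generator produced primes of the form p = k*M + (65537^a mod M), with M a product of the first few small primes, so p, q, and hence n = p*q reduce, modulo each small prime in M, to a power of 65537. The script below is an added illustration of that fingerprint, not the researchers' roca-detect tool; it uses a much shorter prime list (and therefore a tiny M) than the real library did, and the moduli it builds are constructed toy values, not keys from any device.

```python
"""ROCA-style fingerprint check for RSA moduli (added illustration).

The generator flaw: p = k*M + pow(65537, a, M) with M a primorial, so
n = p*q satisfies  n mod r  in  <65537> (the subgroup 65537 generates)
for every small prime r dividing M.  Random primes have no such structure.
"""
import math
import random

# Constructed short list; the real library used far more primes (larger M).
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
                53, 59, 61, 67, 71]


def subgroup_of_65537(r: int) -> frozenset:
    """All values 65537**a mod r, i.e. the cyclic subgroup 65537 generates."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * 65537) % r
    return frozenset(seen)


def informative_primes(primes):
    """Primes where 65537 does NOT generate the whole group mod r.
    For the others every residue is a power of 65537, so they never reject."""
    return [r for r in primes if len(subgroup_of_65537(r)) < r - 1]


def has_roca_fingerprint(n: int, primes=SMALL_PRIMES) -> bool:
    """True if n mod r is a power of 65537 for every informative prime r."""
    return all(n % r in subgroup_of_65537(r) for r in informative_primes(primes))


def false_positive_rate(primes=SMALL_PRIMES) -> float:
    """Probability that an unrelated random modulus passes the test
    (product of |<65537>|/(r-1) over informative primes); shrinks as
    more primes are added, which is why the real test has ~0 false positives."""
    rate = 1.0
    for r in informative_primes(primes):
        rate *= len(subgroup_of_65537(r)) / (r - 1)
    return rate


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin with random bases; adequate for this toy key size."""
    if n < 2:
        return False
    for r in SMALL_PRIMES:
        if n % r == 0:
            return n == r
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def roca_like_prime(M: int, a: int, k_start: int = 1) -> int:
    """Search k upward for a prime of the flawed form k*M + 65537^a mod M."""
    base = pow(65537, a, M)
    k = k_start
    while not is_probable_prime(k * M + base):
        k += 1
    return k * M + base


def demo():
    """Build one 'weak' modulus with the flawed structure and one constructed
    control (13*23 = 299: 299 mod 11 == 2, not a power of 65537 mod 11)."""
    M = math.prod(SMALL_PRIMES)
    p = roca_like_prime(M, a=12345, k_start=3)
    q = roca_like_prime(M, a=67890, k_start=7)
    weak_n = p * q
    control_n = 13 * 23
    return weak_n, has_roca_fingerprint(weak_n), has_roca_fingerprint(control_n)


if __name__ == "__main__":
    weak_n, weak_flag, control_flag = demo()
    print("weak modulus flagged:", weak_flag, " control flagged:", control_flag)
    print("false-positive rate with this prime list: %.2e" % false_positive_rate())
```

Only the fingerprint is shown; recovering p and q from a flagged modulus is the expensive Coppersmith step the article describes, and is not attempted here. For an operational check, run the researchers' published tool against the public keys you actually rely on (TPM endorsement keys, smartcard-generated PGP and SSH keys), rather than this toy.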

Security updates for Monday

Monday 16th of October 2017 03:04:37 PM
Security updates have been issued by Debian (wpa), Fedora (perl, recode, and tor), Gentoo (elfutils, gnutls, graphite2, libtasn1, puppet-agent, shadow, and webkit-gtk), Mageia (pjproject, thunderbird, and weechat), and SUSE (kernel).

An enforcement clarification from the kernel community

Monday 16th of October 2017 02:26:20 PM
The Linux Foundation's Technical Advisory board, in response to concerns about exploitative license enforcement around the kernel, has put together this patch adding a document to the kernel describing its view of license enforcement. This document has been signed or acknowledged by a long list of kernel developers. In particular, it seeks to reduce the effect of the "GPLv2 death penalty" by stating that a violator's license to the software will be reinstated upon a timely return to compliance. "We view legal action as a last resort, to be initiated only when other community efforts have failed to resolve the problem. Finally, once a non-compliance issue is resolved, we hope the user will feel welcome to join us in our efforts on this project. Working together, we will be stronger."

See this blog post from Greg Kroah-Hartman for more information.

"KRACK": a severe WiFi protocol flaw

Monday 16th of October 2017 01:55:49 PM
The "krackattacks" web site discloses a set of WiFi protocol flaws that defeat most of the protection that WPA2 encryption is supposed to provide. "In a key reinstallation attack, the adversary tricks a victim into reinstalling an already-in-use key. This is achieved by manipulating and replaying cryptographic handshake messages. When the victim reinstalls the key, associated parameters such as the incremental transmit packet number (i.e. nonce) and receive packet number (i.e. replay counter) are reset to their initial value. Essentially, to guarantee security, a key should only be installed and used once. Unfortunately, we found this is not guaranteed by the WPA2 protocol".

Kernel prepatch 4.14-rc5

Monday 16th of October 2017 01:50:56 AM
The 4.14-rc5 kernel prepatch is out. "We've certainly had smaller rc5's, but we've had bigger ones too, and this week finally felt fairly normal in a release that has up until now felt a bit messier than it perhaps should have been. So assuming this trend holds, we're all good. Knock wood."

Bottomley: Using Elliptic Curve Cryptography with TPM2

Sunday 15th of October 2017 04:16:10 PM
James Bottomley describes the use of the trusted platform module with elliptic-curve cryptography, with a substantial digression into how the elliptic-curve algorithm itself works. "The initial attraction is the same as for RSA keys: making it impossible to extract your private key from the system. However, the mathematical calculations for EC keys are much simpler than for RSA keys and don’t involve finding strong primes, so it’s much simpler for the TPM (being a fairly weak calculation machine) to derive private and public EC keys."
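To make the quoted point concrete, here is elliptic-curve key generation and ECDSA over NIST P-256 in pure Python, as an added illustration that is not code from Bottomley's post or from any TPM2 stack. The private key is just a random scalar d and the public key is the point d*G; there is no prime search, which is why a TPM's modest CPU copes with it easily. A real TPM keeps d inside the chip and performs this same arithmetic there; this script only shows what that arithmetic is. The curve constants are the published P-256 parameters; the message and key values are constructed.

```python
"""EC key generation, ECDH and ECDSA on NIST P-256 (added illustration).

Affine arithmetic, double-and-add; fine for showing the algorithm, not
constant-time and not for production use.
"""
import hashlib
import secrets

# NIST P-256 (secp256r1) domain parameters
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
# The point at infinity (group identity) is represented as None.


def is_on_curve(pt) -> bool:
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Group law: point addition / doubling in affine coordinates."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                           # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k: int, pt):
    """Scalar multiplication k*pt by double-and-add."""
    result = None
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result


def keygen():
    """An EC key pair: random scalar d in [1, N-1] and public point Q = d*G.
    Compare RSA, which needs two large random primes found by trial."""
    d = secrets.randbelow(N - 1) + 1
    return d, mul(d, G)


def ecdh(d_mine: int, q_theirs) -> int:
    """Shared secret: x-coordinate of d_mine * Q_theirs (both sides agree)."""
    return mul(d_mine, q_theirs)[0]


def hash_to_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(d: int, msg: bytes):
    """ECDSA: (r, s) with r = (k*G).x mod N, s = k^-1 (z + r*d) mod N."""
    z = hash_to_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1     # per-signature secret nonce
        r = mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            return (r, s)


def verify(q, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N and q is not None and is_on_curve(q)):
        return False
    z = hash_to_int(msg)
    w = pow(s, -1, N)
    x = add(mul(z * w % N, G), mul(r * w % N, q))
    return x is not None and x[0] % N == r


if __name__ == "__main__":
    d, q = keygen()
    sig = sign(d, b"constructed message")
    print("signature verifies:", verify(q, b"constructed message", sig))
```

The `sign` loop also shows where EC schemes are fragile: the nonce k must be fresh and unpredictable for every signature, since a reused or biased k leaks d. That is one more reason to let the TPM's hardware RNG and key storage handle it rather than host software.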

Stable kernel 4.13.7

Saturday 14th of October 2017 02:08:39 PM
The 4.13.7 stable kernel update has been released; it contains a fix for an unpleasant local vulnerability that affects only 4.13 kernels.

More in Tux Machines

Security: WPA2, RSA/TPM, and Microsoft Breach

  • Google and Apple yet to fix Wi-Fi hole in a billion devices

    The WPA2 security protocol has been a mandatory requirement for all devices using the Wi-Fi protocol since 2006, which translates into billions of laptops, mobiles and routers. The weakness identified by Mathy Vanhoef, a digital security researcher at the Catholic University of Leuven (KUL) in Belgium, lies in the way devices running WPA2 encrypt information.

  • The Flawed System Behind the Krack Wi-Fi Meltdown

    No software is perfect. Bugs are inevitable now and then. But experts say that software standards that impact millions of devices are too often developed behind closed doors, making it difficult for the broader security community to assess potential flaws and vulnerabilities early on. They can lack full documentation even months or years after their release.

  • Factorization Flaw in TPM Chips Makes Attacks on RSA Private Keys Feasible

    Security experts say the bug has been present since 2012 and found specifically in the Infineon’s Trusted Platform Module used on a large number of business-class HP, Lenovo and Fujitsu computers, Google Chromebooks as well as routers and IoT devices.

  • ROCA: RSA encryption key flaw puts 'millions' of devices at risk

    This results in cyber criminals computing the private part of an RSA key and affects chips manufactured from 2012 onwards, which are now commonplace in the industry.

  • Infineon RSA Key Generation Issue

    Yubico estimates that approximately 2% of YubiKey customers utilize the functionality affected by this issue. We have addressed this issue in all shipments of YubiKey 4, YubiKey 4 Nano, and YubiKey 4C, since June 6, 2017.

  • Microsoft remains tight-lipped about 2013 internal database hack [sic]

    A secretive internal database used by Microsoft to track bugs in its software was compromised by hackers [sic] in 2013.

  • Exclusive: Microsoft responded quietly after detecting secret database hack in 2013

    Microsoft Corp’s secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking [sic] group more than four years ago, according to five former employees, in only the second known breach of such a corporate database.

Red Hat reduces IoT tradeoffs and Asia Coverage

  • Industry Spotlight: Red Hat reduces IoT tradeoffs
    Organizations rolling out the IoT usually aren’t prepared for the additional complexity. With the IoT, data volumes grow exponentially, infrastructure management gets more complicated and the security vulnerabilities increase disproportionately. Nevertheless, IT departments are expected to handle all these changes competently without proportional increases in budget or other resources.
  • Analyse Asia 211: Red Hat in Asia & Open Innovation Institute with Dirk-Peter van Leeuwen
    Dirk-Peter van Leeuwen, senior vice president & general manager at Red Hat, Asia Pacific, joined us to discuss the company’s footprint across Asia and the recent launch of their new Open Innovation Institute in Singapore. We discuss how Asian companies are in different phases of digital transformation from culture to innovation and adjusting against digital disruption.

Samsung and Tizen: Bixby 2.0, Tizen 3.0, GNU/Linux on DeX

Ubuntu 17.10: What’s New? [Video]

It’s Artful Aardvark arrival day today (no, really!) and to mark the occasion we’ve made our first video in 3 years! Prime your eyeballs and pop in some earbuds as we (try to) bring you up to speed on what’s new in Ubuntu 17.10. At a smidgen over 3 minutes long we think our video is perfect for watching on your commute; when you’re bleary eyed in bed; or when you get the tl;dr feels thinking about our fuller, longer, and far wordier Ubuntu 17.10 review (due out shortly).