Security: WireGuard, Birds and Updates

Filed under
Security
  • WireGuard Restored In Android's Google Play Store After Brief But Controversial Removal

    After Google dropped the open-source WireGuard app from their Play Store since it contained a donation link, the app has now been restored within Google's software store for Android users but without the donation option.

    The WireGuard app for Android makes it easy to set up the secure VPN tunnel software on mobile devices, similar to its port to iOS and other platforms. The WireGuard apps are free but have included a donation link to the WireGuard website should anyone wish to optionally make a donation to support the development of this very promising network tech.

  • Letting Birds scooters fly free

    At that point I had everything I need to write a simple app to unlock the scooters, and it worked! For about 2 minutes, at which point the network would notice that the scooter was unlocked when it should be locked and sent a lock command to force disable the scooter again. Ah well.

    So, what else could I do? The next thing I tried was just modifying some STM firmware and flashing it onto a board. It still booted, indicating that there was no sort of verified boot process. Remember what I mentioned about the throttle being hooked through the STM32's analogue to digital converters[3]? A bit of hacking later and I had a board that would appear to work normally, but about a minute after starting the ride would cut the throttle. Alternative options are left as an exercise for the reader.

    Finally, there was the component I hadn't really looked at yet. The Quectel modem actually contains its own application processor that runs Linux, making it significantly more powerful than any of the chips actually running the scooter application[4]. The STM communicates with the modem over serial, sending it an AT command asking it to make an SSL connection to a remote endpoint. It then uses further AT commands to send data over this SSL connection, allowing it to talk to the internet without having any sort of IP stack. Figuring out just what was going over this connection was made slightly difficult by virtue of all the debug functionality having been ripped out of the STM's firmware, so in the end I took a more brute force approach - I identified the address of the function that sends data to the modem, hooked up OpenOCD to the SWD pins on the STM, ran OpenOCD's gdb stub, attached gdb, set a breakpoint for that function and then dumped the arguments being passed to that function. A couple of minutes later and I had a full transaction between the scooter and the remote.

    The scooter authenticates against the remote endpoint by sending its serial number and IMEI. You need to send both, but the IMEI didn't seem to need to be associated with the serial number at all. New connections seemed to take precedence over existing connections, so it would be simple to just pretend to be every scooter and hijack all the connections, resulting in scooter unlock commands being sent to you rather than to the scooter or allowing someone to send fake GPS data and make it impossible for users to find scooters.

  • Security updates for Friday

    Security updates have been issued by Debian (poppler, sudo, and wordpress), Oracle (java-1.8.0-openjdk), Red Hat (java-1.8.0-openjdk), Scientific Linux (java-1.8.0-openjdk, java-11-openjdk, and kernel), and SUSE (kernel and postgresql10).

More in Tux Machines

Mozilla Firefox News and Opera Release

  • 2019 Add-ons Community Meetup in London

    At the end of October, the Firefox add-ons team hosted a day-long meetup with a group of privacy extension developers as part of the Mozilla Festival in London, UK. With 2019 drawing to a close, this meetup provided an excellent opportunity to hear feedback from developers involved in the Recommended Extensions program and to get input about some of our plans for 2020. [...] We recently announced that Firefox Preview, Mozilla’s next generation browser for Android built on GeckoView, will support extensions through the WebExtensions API. Members of the Android engineering team will build select APIs needed to initially support a small set of Recommended Extensions. The group discussed a wishlist of features for extensions on Android, including support for page actions and browser actions, history search, and the ability to manipulate context menus. These suggestions will be considered as work on Firefox Preview moves forward.

  • Here’s why pop culture and passwords don’t mix

    Were they on a break or not?! For nearly a decade, Ross and Rachel’s on-screen relationship was a point of contention for millions of viewers around the world. It’s no surprise to learn that years after the series finale, they are not only TV’s most beloved characters, but their names are popular account passwords, too. That’s right. More than thousands of internet users love Rachel, Monica, Joey, Chandler, Ross and Phoebe enough to use their names as passwords. Wondering about trends, we turned to haveibeenpwned (HIBP) — the website that aggregates data from known breaches — for pop culture favorites. (Firefox Monitor draws from HIBP to help people learn if they’ve been caught up in a data breach and take steps to protect themselves.) We couldn’t access any data files, browse lists of passwords or link passwords to logins — that info is inaccessible and kept secure — but we could look up random bad passwords manually on HIBP. It turns out, quite a lot of sitcom and sports fans are using pop culture passwords for their accounts. These bad passwords are not only weak, they have also been breached. Here’s what we spotted.

  • Adding CodeQL and clang to our Bug Bounty Program

    One of the ways we’re supporting this initiative at Mozilla is through renewed investment in automation and static analysis. We think the broader Mozilla community can participate, and we want to encourage it. Today, we’re announcing a new area of our bug bounty program to encourage the community to use the CodeQL tools. We are exploring the use of CodeQL tools and will award a bounty – above and beyond our existing bounties – for static analysis work that identifies present or historical flaws in Firefox.

  • Opera Browser 65 Released with Redesigned Address Bar

    Opera web browser 65 was released a day ago with redesigned address bar, improved tracker blocker, and new bookmarks panel.

  • Opera 65 Launches with Much-Improved Tracker Blocker, Redesigned Address Bar

    Opera Software announced today the general availability of the Opera 65 web browser for desktop platforms, including GNU/Linux, macOS, and Windows, a release that brings a bunch of enhancements and new features. Based on Chromium 78, the Opera 65 web browser is here and it's better than ever, bringing a much-improved tracker blocker that finally lets you see which trackers are tracking your digital footprint while you're surfing the Internet. Based on the EasyPrivacy Tracking Protection list, Opera's tracker blocker feature will now show you all the trackers following you and let you take action against them if you believe some aren't good for you. By default, the tracker blocker will automatically block known tracker scripts to speed up the loading of pages and keep your online activity private. In Opera 65, the built-in tracker blocker can be toggled on and off per site too.

Red Hat Leftovers

  • Red Hat Adds AI Capabilities to Process Automation Suite
  • Department of Defense Enlists Red Hat to Help Improve Squadron Operations and Flight Training

    Red Hat, Inc., the world's leading provider of open source solutions, today announced that the Department of Defense (DoD) worked with Red Hat to help improve aircraft and pilot scheduling for United States Marine Corps (USMC), United States Navy (USN) and United States Air Force (USAF) aircrews. Using modern development practices and processes from Red Hat Open Innovation Labs that prioritized end user needs, the project team identified unaddressed roadblocks and gained new skills to build the right solution, a digital "Puckboard" application, for their unique scheduling challenge. [...] The problem facing squadrons was seemingly straightforward: how to improve and digitize the management of flight training operations. The existing process was entirely manual, each representing pertinent information like a pilot’s name, associated with their training syllabus, location and time of flights. Simple at a glance, the number of cognitive variables contained within this undertaking made it stressful for the operator and difficult to scale across squadrons and bases. For more than a decade, various project teams within the DoD had tried to improve the system via custom built applications, aircraft scheduling software and hybrid solutions. None of these deployments withstood the test of time or could be replicated if the operator took a new role elsewhere. The Defense Innovation Unit (DIU), an organization tasked with accelerating commercial technologies into the military, took on this challenge.

  • It's RedHat, And Everyone Else

    As time passes, it appears that corporations are primarily considering one distribution when considering installing Linux, and that distro is clearly RedHat. That probably does not come as any major surprise, but it appears RedHat's dominance continues to get stronger. What used to be a landscape littered with a multitude of choices has nearly been rendered down to one. Wow! That didn't take long. The open source software dynamic seemed to be formed on the premise that users were never again going to be pigeon-holed into using one piece of software. Or, perhaps better stated, that was a byproduct of making the source code readily available. And, that is still true to this day. However, as a corporate citizen in today's business climate, one finds themselves with limited possibilities. It was a mere 20 years ago when the buzz of Linux was starting to hit its stride. Everywhere you looked, there was a different flavor of Linux. There were nearly too many to count. And, these were not just hobbyist distros. Instead, they were corporations rising like corn stalks all over the place. Sure, there were more dominant players, but one had the ability to analyze at least 10 different fully corporate supported distributions when making a decision. With that amount of possibilities, the environment was ripe for consolidation or elimination. And, we have all watched that take place. But, did we ever think we were going to find ourselves in the current predicament? The data that has been collected over the past five years paints a concerning picture. Even a mere five years ago, it seemed likely that at a minimum RedHat would always have Suse as a legitimate competitor. After all, those were the two distros that seemed to win the consolidation and elimination war. At least in the corporate space. As was widely reported during that time, RedHat had somewhere in the neighborhood of 70% marketshare. It was always the gorilla in the room. But, Suse was always looked upon as an eager and willing participant, no matter its stature, and tended to garner most of the remaining marketshare. That is the way it appeared for a length of time prior to this decline over the past few years.

  • Scale testing the Red Hat OpenStack Edge with OpenShift

    Red Hat Openstack offers an Edge computing architecture called Distributed Compute Nodes (DCN), which allows for many hundreds or thousands of Edge sites by deploying hundreds or thousands of compute nodes remotely, all interacting with a central control plane over a routed (L3) network. Distributed compute nodes allow compute node sites to be deployed closer to where they are used, and are generally deployed in greater numbers than would occur in a central datacenter. With all the advantages that this architecture brings, there are also several scale challenges due to the large number of compute nodes that are managed by the OpenStack controllers. A previous post details deploying, running and testing a large scale environment using Red Hat OpenStack Director on real hardware, but this post is about how we can simulate far greater scale and load on the OpenStack control plane for testing using containers running on OpenShift without needing nearly as much hardware. In order to prove the effectiveness of Red Hat's DCN architecture, we'd like to be able to get quantitative benchmarks on Red Hat Openstack's performance when many hundreds or thousands of compute nodes are deployed.

today's howtos

How to Clear Systemd Journal Logs in Linux

This quick tutorial shows you two ways to clear systemd journal logs from your Linux system.