Archive for the ‘Linux’ Category

Red Hat, Dell announce OEM partnership

Tuesday, May 8th, 2012

The deal could mean a further expansion of open-source software use in the enterprise

The announcement Tuesday of a new partnership between Dell and Red Hat could mark a further expansion of open-source software use in the enterprise.

OEM customers looking to Dell for custom products will now have additional open-source options. Red Hat Enterprise Linux and JBoss join SUSE as standard choices for Dell OEM.

Red Hat’s recently acquired status as the first billion-dollar open-source business underlines the importance of open technologies and their growing appeal to a wide variety of firms.

“I think everybody’s wanting to have alternatives,” says Ron Pugh, Dell executive director and general manager of the company’s OEM solutions group for the Americas. “Most of our customers have … seen that there are some benefits [to Linux use] from a time-to-market perspective and working with the open-source community.”

Among the most important verticals for this new OEM partnership, he adds, are telecommunications and security equipment manufacturers. The former industry is “entirely green-field” for Dell, while Red Hat’s prominence in the latter area should help boost sales.

“We see this as the next step in companies moving from proprietary architecture to building their own things from the ground up to a commodity … solution, and both companies see that we can help each other,” according to Pugh.

The deal with Red Hat is part of Dell’s ongoing transformation from a pure hardware manufacturer into a vendor of a wide range of business services. The company’s recent run of acquisitions has been focused on some of the hottest areas of enterprise technology, including virtualization and security. Given the increasing popularity of open source — and recent moves by rivals like IBM, which released a line of specialized PowerLinux servers last month — Dell’s move emphasizes its continuing transition.

Source:  computerworld.com


Hacker commandeers GitHub to prove Rails vulnerability

Tuesday, March 6th, 2012

A Russian hacker dramatically demonstrated one of the most common security weaknesses in the Ruby on Rails web application language. By doing so, he took full control of the databases GitHub uses to distribute Linux and thousands of other open-source software packages.

Egor Homakov exploited what’s known as a mass assignment vulnerability in GitHub to gain administrator access to the Ruby on Rails repository hosted on the popular website. The weekend hack allowed him to post an entry in the framework’s bug tracker dated 1,001 years into the future. It also allowed him to gain write privileges to the code repository. He carried out the attack by replacing a cryptographic key of a known developer with one he created. While the hack was innocuous, it sparked alarm among open-source advocates because it could have been used to plant malicious code in repositories millions of people use to download trusted software.

Homakov launched the attack two days after he posted a vulnerability report to the Rails bug list warning that mass assignments in Rails made websites relying on the framework susceptible to compromise. A variety of developers replied with posts saying the vulnerability is already well known and responsibility for preventing exploits rests with those who use the framework. Homakov responded by saying that even developers for large sites such as GitHub, Poster, Speakerdeck, and Scribd were failing to adequately protect against the vulnerability.

In the following hours, participants in the online discussion continued to debate the issue. The mass assignment vulnerability is to Rails what SQL injection weaknesses are to other web applications. It’s a bug so common that many users have grown impatient with warnings about it. Maintainers of Rails have largely argued that individual developers should single out and “blacklist” attributes that are too security-sensitive to be externally modified. Others such as Homakov have said Rails maintainers should turn on whitelist protection by default. Currently, applications must explicitly enable such protections.

A couple of days into the debate, Homakov responded by exploiting mass assignment bugs in GitHub to take control of the site. Less than an hour after discovering the attack, GitHub administrators deployed a fix for the underlying vulnerability and initiated an investigation to see if other parts of the site suffered from similar weaknesses. The site also temporarily suspended Homakov, later reinstating him.

“Now that we’ve had a chance to review his activity, and have determined that no malicious intent was present, @homakov’s account has been reinstated,” a blog post published on Monday said. It went on to encourage developers to practice “responsible disclosure.”

Source:  arstechnica.com


HP firmware to ‘mitigate’ LaserJet vulnerability

Friday, December 23rd, 2011

Hewlett-Packard said today that it has taken steps to prevent a “certain type of unauthorized access” to LaserJet printers.

The company didn’t describe its new firmware as a fix for the potential printer problem. Rather, it delicately used the word “mitigate,” the dictionary definition of which is “to make less severe or painful.” Here’s HP’s full statement on the matter:

HP has built a firmware update to mitigate this issue and is communicating this proactively to customers and partners. No customer has reported unauthorized access to HP. HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers.

Then again, HP has steadfastly declared that no customers have reported unauthorized access and that the issue was overblown from the start, as in late November when it said “there has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers.”

At that time, it described the nature of the problem and promised a firmware update to address the issues:

The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.

HP also at that time decried “speculation” that the LaserJets in question could catch fire because of a firmware update or “this proposed vulnerability.”

Despite those assurances, HP became the target of a lawsuit in early December alleging that the company sold those printers even though it knew of those alleged vulnerabilities. The lawsuit charges that software on the printers that allows for updates over the Internet does not use digital signatures to verify the authenticity of any software upgrades or downloaded modifications.

Source:  CNET


Linux Foundation wades into Windows 8 secure boot controversy

Friday, October 28th, 2011

The Linux Foundation wants OEMs to give control of the PC to its owner

The Linux Foundation today released technical guidance to PC makers on how to implement secure UEFI without locking Linux or other free software off of new Windows 8 machines. The guidance included a subtle tisk-tisk at Microsoft’s Steven Sinofsky for suggesting that PC owners won’t want to mess with control of their hardware and would happily concede that to operating system makers and hardware manufacturers.

Hey why should the Free Software Foundation get the last word, with its anti-secure-boot petition?

To recap: The next-generation boot specification is known as Unified Extensible Firmware Interface. Microsoft is requiring Windows 8 PC makers to use UEFI’s secure boot protocol to qualify for Microsoft’s Windows 8 logo program. Secure UEFI is intended to thwart rootkit infections by using a key infrastructure before allowing executables or drivers to be loaded onto the device. Problem is, such keys can also be used to keep the PC’s owner from wiping out the current OS and installing another option such as Linux. It can also prevent them from loading their own device drivers.

It is possible for OEMs to implement Secure UEFI in a way that users can simply disable it. Sinofsky, who is president of Microsoft’s Windows division, pointed this out in a blog post last month. He also noted that the Samsung Windows 8 developer tablet given away to BUILD attendees could disable secure boot. But Microsoft is not mandating the disable option. Matthew Garrett, a developer who works for Red Hat and has been involved in the UEFI specification process, has said that Red Hat is aware of some Windows 8 PCs that do not give users a way to disable Secure UEFI.

The issue becomes even trickier if PC owners don’t want to disable secure UEFI and still want to be able to load Linux or to dual-boot Windows and Linux. In that case, they need access to the master platform key. Only the owner of the platform key can authorize new firmware or operating systems to be loaded onto the device. Then they will need a way to manage the signature database that validates the firmware, drivers and operating system.

Many free software advocates fear Microsoft is pushing an approach in which the key does not wind up in the hands of the device’s owner. “Steven Sinofsky has suggested in his blog posting … that the average platform owner might wish to give up control of the PK [platform key] (and with it control of the signature database) to Microsoft and the OEM suppliers of the platform. This mode of operation runs counter to the UEFI recommendation that the platform owner be the PK controller,” the authors say in their paper entitled Making UEFI Secure Boot Work With Open Platforms. The paper was written by James Bottomley, CTO at Parallels, and Jonathan Corbet, Editor at LWN.net, both of whom are on the Linux Foundation Technical Advisory Board.

The paper’s authors concede that some PC owners may have no desire to manage a PK infrastructure to use their PCs and would just as soon give it over to Microsoft to do, even if that means they will not be able to load drivers or operating systems unless Microsoft first approves.

But for those who want control and want the extra security secure UEFI affords, the Linux Foundation is proposing several guidelines. It wants:

1) all platforms that enable UEFI secure boot to ship “in setup mode” where the PC owner can be the one to initially control the platform key. The owner can choose one controlled by Microsoft at that time. The device owner should also be able to return to setup mode and change the choice. This is particularly important if the owner sells the machine.

2) an operating system to detect when the PC is in setup mode and install keys appropriately at that time and then activate secure boot mode.

3) a firmware-based mechanism used to allow a platform owner to add new keys for validating software while running in secure mode so that dual-boot systems can be set up.

4) a firmware-based mechanism for easy booting off of removable media.

5) At some future time, the Foundation also wants an operating-system- and vendor-neutral certificate authority to be established to issue keys for third-party hardware and software vendors. However, the paper notes while this would make using secure UEFI easier, a new CA isn’t mandatory.

The authors emphasize that secure UEFI doesn’t have to be a technology that drives stakes between Microsoft and free software.

“Some observers have expressed concerns that secure boot could be used to exclude open systems from the market, but, as we have shown, there is no need for things to be that way,” they write. “If vendors ship their systems in the setup mode and provide a means to add new [keys] to the firmware, those systems will fully support open operating systems while maintaining compliance with the Windows 8 logo requirements.”

Still, how much burden will the average Windows 8 consumer want to take on to manage secure UEFI? How much will the typical enterprise want to do? Can PC makers find a balance?

Source:  networkworld.com


Old flaw turns unpatched JBoss servers into botnet

Thursday, October 27th, 2011

A new worm exploiting a JBoss vulnerability that was patched in April 2010 is targeting unsecured servers and adding them to a botnet, security researchers are reporting. “The problem has been fixed last year, but there are apparently still a number of vulnerable installs out there,” Johannes Ullrich of the SANS Technology Institute writes. The older configuration of JBoss only authenticated GET and POST requests, but did not protect other HTTP request types or interfaces, so attackers could “use other methods to execute arbitrary code without authentication.”

“The worm affects users of JBoss Application Server who have not correctly secured their JMX consoles as well as users of older, unpatched versions of JBoss enterprise products,” Red Hat security response director Mark Cox writes in a blog, which points to both the April 2010 patch and instructions for securing the JMX console. “This worm propagates by connecting to unprotected JMX consoles, then uses the ability of the JMX console to execute arbitrary code in the context of the JBoss user.”

In addition to adding servers to a botnet, the worm can install a remote access tool giving the attacker control over the infected server, Kaspersky Lab reports. One user who set up a honeypot on a deliberately insecure JBoss server reports having explored the contents of the malicious payload and discovered that it “contained Perl Scripts to automatically connect the compromised host to an IRC Server and be part of a BOTNET.”

The new worm taking advantage of a long-fixed flaw points to the need for users to update their systems, both servers and PCs. A recent report by Microsoft found that 3.2 percent of malware was from exploits for which security updates had been available for at least a year, and another 2.4 percent were related to exploits for which an update was available for less than a year.

Source:  arstechnica.com


Tsunami backdoor trojan ported from Linux to take control of Macs too

Thursday, October 27th, 2011

The Linux-based Tsunami backdoor trojan has made its way over to the Mac, according to security firm ESET. The company posted to its blog (hat tip to Macworld) that a Mac-specific variant, OSX/Tsunami.A has made an appearance on the trojan scene, though ESET made no mention of whether it was gaining any traction among users.

ESET’s Robert Lipovsky wrote on Wednesday that the code for OSX/Tsunami.A was ported from the Linux version of the trojan that the company has been tracking since 2002. Hard-coded is a list of IRC servers and channels, which the trojan tries to connect to in order to listen for malicious commands sent from those channels.

Lipovsky published a list of the commands pulled from the Linux variant of Tsunami, but the general gist is that the trojan can open a backdoor to perform DDoS attacks, download files, or execute shell commands. Tsunami has “the ability to essentially take control of the affected machine.”

Security firm Sophos also acknowledged the appearance of the Mac-targeted Tsunami backdoor, but reminded users that there is still “far less malware [in] existence for Mac OS X than for Windows.” Still, the company says the problem is real and that users should protect themselves with anti-malware software. “We fully expect to see cybercriminals continuing to target poorly protected Mac computers in the future,” Sophos’ Graham Cluley wrote. “If the bad guys think they can make money out of infecting and compromising Macs, they will keep trying.”

Source:  arstechnica.com


Linux and FreeBSD hardware info

Tuesday, January 11th, 2011

Switching between open source OSs can sometimes be confusing, since they may have different ways of doing things. A common task that may confuse some users when switching systems is getting hardware information. In the case of Linux-based OSs and FreeBSD, the following cheat sheet for figuring out how to do the same things on two different systems can ease some of the pain.

CPU and memory information

Because Linux-based systems use the proc pseudo-filesystem to expose information about hardware devices in the system, getting specific information about the hardware often involves finding it in files under /proc using the grep command. The same information is normally accessed on FreeBSD via the sysctl command.

To get information about your CPU model . . .

  • Linux:
    grep model /proc/cpuinfo
    
  • FreeBSD:
    sysctl hw.model
    

To get information about total system memory . . .

  • Linux:
    grep MemTotal /proc/meminfo
    
  • FreeBSD:
    sysctl hw.realmem
    

Device listings

Information about many other devices might be needed as well. For these, each system has tools designed to provide listings of devices connected to various system buses.

To get information about PCI devices . . .

  • Linux:
    lspci -v
    
  • FreeBSD:
    pciconf -lv
    

To get information about USB devices . . .

  • Linux:
    lsusb -v
    
  • FreeBSD:
    usbconfig
    

To get other connected device information . . .

  • Linux:
    dmidecode

    This command shows DMI/SMBIOS hardware information (it reads the firmware tables, so it normally requires root).

    lshal

    This command shows all devices managed by the HAL subsystem. Note that HAL has been deprecated in favour of udev on most current distributions, so lshal may not be installed.

  • FreeBSD:
    atacontrol list

    This command shows all ATA devices on releases that still use the legacy ATA driver.

    camcontrol devlist -v

    This command shows all devices known to the CAM subsystem (SCSI, SATA via AHCI, and USB storage), and is the tool to use on releases where ATA is handled through CAM.

Notes

Some of the above commands may work from a normal, unprivileged user account. Others may be restricted to root access.

On both of these OS types, a lot more information can be had by means similar to those described above. For instance, the /proc/cpuinfo and /proc/meminfo files contain far more than just the CPU model and total memory. There is a sysctl command on Linux-based systems as well as on FreeBSD and other BSD Unix systems, but on Linux it is mostly limited to kernel tunables under /proc/sys and does not cover the hardware the way FreeBSD’s does, because Linux-based systems default to other means of exposing system information (such as the proc filesystem). On either system type, a picture of sysctl’s capabilities can be gained by viewing the utility’s manpage.

If you are feeling curious and have some time to spend exploring, sysctl -a outputs all information sysctl has to provide.
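The cheat sheet above maps each task to a different command on the two systems. The following POSIX shell script, added here as an example and not part of the original article, wraps that mapping in one interface: it detects the OS with uname, picks the matching command, and parses the Linux /proc output so the result (CPU model, total memory in bytes) is the same shape on both. The sample /proc text at the bottom is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Portable hardware-info helpers built from the Linux/FreeBSD cheat sheet.

# Detect the OS family. Anything other than FreeBSD is treated as Linux.
hw_os() {
    case "$(uname -s)" in
        FreeBSD) echo freebsd ;;
        *)       echo linux ;;
    esac
}

# Parse /proc/cpuinfo-style text on stdin: print the first "model name"
# value with the key and leading whitespace stripped. Unlike the plain
# "grep model" from the cheat sheet, this skips the numeric "model" line.
parse_cpuinfo_model() {
    awk -F: '/^model name/ { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# Parse /proc/meminfo-style text on stdin: print MemTotal in kB.
parse_meminfo_total_kb() {
    awk '/^MemTotal:/ { print $2; exit }'
}

# CPU model string, same interface on either OS.
hw_cpu_model() {
    if [ "$(hw_os)" = freebsd ]; then
        sysctl -n hw.model
    else
        parse_cpuinfo_model < /proc/cpuinfo
    fi
}

# Total physical memory in bytes, same interface on either OS.
hw_mem_bytes() {
    if [ "$(hw_os)" = freebsd ]; then
        sysctl -n hw.realmem            # FreeBSD reports bytes directly
    else
        kb=$(parse_meminfo_total_kb < /proc/meminfo)
        echo $((kb * 1024))             # /proc/meminfo reports kB
    fi
}

# Constructed sample input so the parsers can be exercised offline.
SAMPLE_CPUINFO='processor   : 0
vendor_id   : GenuineIntel
model       : 42
model name  : Example CPU @ 2.40GHz
processor   : 1
model name  : Example CPU @ 2.40GHz'

SAMPLE_MEMINFO='MemTotal:        8174568 kB
MemFree:         1234567 kB'

# Run with --demo to see the parsers on the sample text, or call
# hw_cpu_model / hw_mem_bytes directly on a live system.
if [ "${1:-}" = "--demo" ]; then
    echo "OS family : $(hw_os)"
    echo "CPU model : $(printf '%s\n' "$SAMPLE_CPUINFO" | parse_cpuinfo_model)"
    echo "MemTotal  : $(printf '%s\n' "$SAMPLE_MEMINFO" | parse_meminfo_total_kb) kB"
fi
```

On FreeBSD, hw.realmem is the total RAM the kernel sees; hw.physmem is the amount left after the kernel reserves its own pages.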


Source:  techrepublic.com


Report: Linux makes gains in server applications

Wednesday, October 13th, 2010

[Figure: Linux use circa October 2010]

A new report from the nonprofit Linux Foundation shows that Linux continues to grow at breakneck speed and will outpace all other server operating systems over the next five years. Additionally, Linux will be chosen for more than 66 percent of new or “greenfield” applications.

The report, titled “Linux Adoption Trends: A Survey of Enterprise End Users,” reflects the results of an invitation-only survey with responses from 1,900 individuals. According to the report, Linux adoption continues to grow for a number of reasons, not just driven by reduced costs, but by technical superiority and security measures.

It’s important to take these kinds of statistics with a grain of salt, considering the respondents are already partial to Linux. However, the trend toward Linux and open-source is clearly a big part of enterprise computing, and the report itself shows that end-users believe the OS continues to improve–even if they often still have to sell their companies’ upper-management on the idea. That said, nearly 60 percent of respondents said that Linux is seen as more strategic to their organization than it was a year ago.

Key findings from the report:

  • 79.4 percent of companies plan to add more Linux relative to other operating systems in the next five years.
  • 66 percent of users surveyed say that their Linux deployments are brand-new deployments.
  • Among the early adopters who are operating in cloud environments, 70.3 percent use Linux as their primary platform, while only 18.3 percent use Windows.
  • 60.2 percent of respondents say they will use Linux for more mission-critical workloads over the next 12 months.
  • 86.5 percent of respondents report that Linux is improving, and 58.4 percent say their CIOs see Linux as more strategic to the organization as compared to three years ago.

Another important aspect of the report results is the fact that with more companies coming to depend on Linux, there are many job opportunities available for those with skills. In fact, more than 38 percent of the survey respondents cited a lack of available Linux talent as one of their main concerns related to the platform.

Other major concerns include driver support and availability for specific hardware and overall interoperability with other applications and platforms, both of which Linux Foundation Executive Director Jim Zemlin assured me the organization and its constituents are working on. Zemlin also told me that Linux is seeing phenomenal growth in emerging markets such as China, where many developers have grown up using Linux and see it as the obvious solution to computing challenges.

Source:  http://news.cnet.com/8301-13846_3-20019135-62.html
