Security

New Mayhem Malware Targets Linux and UNIX-Like Servers 168

Posted by Soulskill
from the keep-calm-and-patch-on dept.
Bismillah writes: Russian security researchers have spotted a new malware named Mayhem that has spread to 1,400 or so Linux and FreeBSD servers around the world, and continues to look for new machines to infect. And, it doesn't need root to operate. "The malware can have different functionality depending on the type of plug-in downloaded to it by the botmaster in control, and stashed away in a hidden file system on the compromised server. Some of the plug-ins provide brute force cracking of password functionality, while others crawl web pages to scrape information. According to the researchers, Mayhem appears to be the continuation of the Fort Disco brute-force password cracking attack campaign that began in May 2013."
Hardware Hacking

SRI/Cambridge Opens CHERI Secure Processor Design 59

Posted by Unknown Lamer
from the dreaming-of-hurd/coyotos dept.
An anonymous reader writes with some exciting news from the world of processor design: Robert Watson at Cambridge (author of Capsicum) has written a blog post on SRI/Cambridge's recent open sourcing of the hardware and software for the DARPA-sponsored CHERI processor — including laser cutting directions for an FPGA-based tablet! Described in their paper The CHERI Capability Model: Reducing Risk in an age of RISC, CHERI is a 64-bit RISC processor able to boot and run FreeBSD and open-source applications, but has a Clang/LLVM-managed fine-grained, capability-based memory protection model within each UNIX process. Drawing on ideas from Capsicum, they also support fine-grained in-process sandboxing using capabilities. The conference talk was presented on a CHERI tablet running CheriBSD, with a video of the talk by student Jonathan Woodruff (slides).

Although based on the 64-bit MIPS ISA, the authors suggest that it would also be usable with other RISC ISAs such as RISC-V and ARMv8. The paper compares the approach with several other research approaches and Intel's forthcoming Memory Protection eXtensions (MPX) with favorable performance and stronger protection properties.
The processor "source code" (written in Bluespec Verilog) is available under a variant of the Apache license (modified for application to hardware). Update: 07/16 20:53 GMT by U L : If you have any questions about the project, regular Slashdot contributor TheRaven64 is one of the authors of the paper, and is answering questions.
Education

Prof. Andy Tanenbaum Retires From Vrije University 136

Posted by timothy
from the congratulations-and-good-wishes dept.
When Linus Torvalds first announced his new operating system project ("just a hobby, won't be big and professional like gnu"), he aimed the announcement at users of Minix for a good reason: Minix (you can download the latest from the Minix home page) was the kind of OS that tinkerers could afford to look at, and it was intended as an educational tool. Minix's creator, Professor Andrew Stuart "Andy" Tanenbaum, described his academic-oriented microkernel OS as a hobby, too, in the now-famous online discussion with Linus and others. New submitter Thijssss (655388) writes with word that Tanenbaum, whose educational endeavors led indirectly to the birth of Linux, is finally retiring. "He has been at the Vrije Universiteit for 43 years, but everything must eventually end."
GUI

Meet Carla Schroder's New Favorite GUI-Textmode Hybrid Shell, Xiki 176

Posted by timothy
from the shades-of-some-others dept.
New submitter trogdoro (3716731) writes with an excerpt from Linux Cookbook author Carla Schroder's enthusiastic introduction to what looks like a tempting tool, combining elements of GUI and text-mode interfaces: Command-line lovers, allow me to introduce you to Xiki, the incredibly interactive, flexible, and revolutionary command shell. I do not use the word "revolutionary" lightly. The command shell has not advanced all that much since the ancient days of Unix. Xiki is a giant leap forward. If you're looking for the Next Big Thing in FOSS, Xiki is it. It's not the first tool meant to combine text and graphic interface, but from the screencast demo, Xiki looks like it gets a lot of things right.
Security

Exploiting Wildcards On Linux/Unix 215

Posted by Soulskill
from the teaching-a-new-dog-old-tricks dept.
An anonymous reader writes: DefenseCode researcher Leon Juranic found security issues related to using wildcards in Unix commands. The topic has been talked about in the past on the Full Disclosure mailing list, where some people saw this more as a feature than as a bug. There are clearly a number of potential security issues surrounding this, so Mr. Juranic provided five actual exploitation examples that stress the risks accompanying the practice of using the * wildcard with Linux/Unix commands. The issue can be manifested by using specific options in chown, tar, rsync etc. By using specially crafted filenames, an attacker can inject arbitrary arguments to shell commands run by other users — root as well.
Programming

Ask Slashdot: Best Rapid Development Language To Learn Today? 466

Posted by timothy
from the pronto-now-yesterday-or-else dept.
An anonymous reader writes "Many years ago, I was a coder—but I went through my computer science major when they were being taught in Lisp and C. These days I work in other areas, but often need to code up quick data processing solutions or interstitial applications. Doing this in C now feels archaic and overly difficult and text-based. Most of the time I now end up doing things in either Unix shell scripting (bash and grep/sed/awk/bc/etc.) or PHP. But these are showing significant age as well. I'm no longer the young hotshot that I once was—I don't think that I could pick up an entire language in a couple of hours with just a cursory reference work—yet I see lots of languages out there now that are much more popular and claim to offer various and sundry benefits. I'm not looking to start a new career as a programmer—I already have a career—but I'd like to update my applied coding skills to take advantage of the best that software development now has to offer. (More, below.)
Unix

Terran Computational Calendar Introduces Minimonths, Year Bases, and Datemods 209

Posted by timothy
from the on-a-night-just-like-tonight dept.
First time accepted submitter TC+0 (3672227) writes "Inspired by comments regarding its first incarnation, the Terran Computational Calendar's recent redefinition now includes dynamic support for 'leap duration', 'year bases', and 'datemods'. Here's the new abstract from terrancalendar.com (wikia mirror) captured at 44.5.20,6.26.48 TC+7H:

Synchronized with the northern winter solstice, the terran computational calendar began roughly* 10 days before the UNIX Epoch. Each year is composed of 13 identical 28-day months, followed by a 'minimonth' that houses leap days (one most years and two every 4th but not 128th year) and leap seconds (issued by the IERS during that year). Each date is an unambiguous instant in time that exploits zero-based numbering and a handful of delimiters to represent the number of years and constant length months, days, hours, minutes, and seconds that have elapsed since 0TC (the calendar's starting point). An optional 'year base' may be applied to ignore erratic leap duration. Arithmetic date adjusting 'datemods' can be applied to define things like weeks, quarters, and regional times."
Debian

Ask Slashdot: Practical Alternatives To Systemd? 533

Posted by timothy
from the going-forward dept.
First time accepted submitter systemDead (3645325) writes "I looked mostly with disinterest at Debian's decision last February to switch to systemd as the default init system for their future operating system releases. The Debian GNU/Linux distribution is, after all, famous for allowing users greater freedom to choose what system components they want to install. This appeared to be the case with the init system, given the presence of packages such as sysvinit-core, upstart, and even openrc as alternatives to systemd.

Unfortunately, while still theoretically possible, installing an alternative init system means doing without a number of useful, even essential system programs. By design, systemd appears to be a full-blown everything-including-the-kitchen-sink solution to the relatively simple problem of starting up a Unix-like system. Systemd, for example, is a hard-coded dependency for installing Network Manager, probably the most user-friendly way for a desktop Linux system to connect to a wireless or wired network. Just this week, I woke up to find out that systemd had become a dependency for running PolicyKit, the suite of programs responsible for user privileges and permissions in a typical Linux desktop.

I was able to replace Network Manager with connman, a lightweight program originally developed for mobile devices. But with systemd infecting even the PolicyKit framework, I find myself faced with a dilemma. Should I just let systemd take over my entire system, or should I retreat to my old terminal-based computing in the hope that the horde of the systemDead don't take over the Linux kernel itself?

What are your plans for working with or working around systemd? Are there any mainstream GNU/Linux distros that haven't adopted and have no plans of migrating to systemd? Or is migrating to one of the bigger BSD systems the better and more future-proof solution?"
Open Source

Linus Torvalds Receives IEEE Computer Pioneer Award 141

Posted by timothy
from the what's-that-guy-done-anyhow dept.
mikejuk (1801200) writes "Linus Torvalds, the 'man who invented Linux' is the 2014 recipient of the IEEE Computer Society's Computer Pioneer Award, '[f]or pioneering development of the Linux kernel using the open-source approach.' According to Wikipedia, Torvalds had wanted to call the kernel he developed Freax (a combination of 'free,' 'freak,' and the letter X to indicate that it is a Unix-like system), but his friend Ari Lemmke, who administered the FTP server it was first hosted for download, named Torvalds' directory linux. In some ways Git can be seen as his more important contribution — but as it dates from 2005 it is outside the remit of the IEEE Computer Pioneer award."
Security

Anonymous' Airchat Aim: Communication Without Need For Phone Or Internet 180

Posted by timothy
from the turn-down-your-volume-before-clicking dept.
concertina226 (2447056) writes "Online hacktivist collective Anonymous has announced that it is working on a new tool called Airchat which could allow people to communicate without the need for a phone or an internet connection — using radio waves instead. Anonymous, the amorphous group best known for attacking high profile targets like Sony and the CIA in recent years, said on the project's Github page: 'Airchat is a free communication tool [that] doesn't need internet infrastructure [or] a cell phone network. Instead it relies on any available radio link or device capable of transmitting audio.' Despite the Airchat system being highly involved and too complex for most people in its current form, Anonymous says it has so far used it to play interactive chess games with people at 180 miles away; share pictures and even established encrypted low bandwidth digital voice chats. In order to get Airchat to work, you will need to have a handheld radio transceiver, a laptop running either Windows, Mac OS X or Linux, and be able to install and run several pieces of complex software." And to cleanse yourself of the ads with autoplaying sound, you can visit the GitHub page itself.
Security

Heartbleed Sparks 'Responsible' Disclosure Debate 188

Posted by Soulskill
from the arguing-about-ethics dept.
bennyboy64 writes: "IT security industry experts are beginning to turn on Google and OpenSSL, questioning whether the Heartbleed bug was disclosed 'responsibly.' A number of selective leaks to Facebook, Akamai, and CloudFlare occurred prior to disclosure on April 7. A separate, informal pre-notification program run by Red Hat on behalf of OpenSSL to Linux and Unix operating system distributions also occurred. But router manufacturers and VPN appliance makers Cisco and Juniper had no heads up. Nor did large web entities such as Amazon Web Services, Twitter, Yahoo, Tumblr and GoDaddy, just to name a few. The Sydney Morning Herald has spoken to many people who think Google should've told OpenSSL as soon as it uncovered the critical OpenSSL bug in March, and not as late as it did on April 1. The National Cyber Security Centre Finland (NCSC-FI), which reported the bug to OpenSSL after Google, on April 7, which spurred the rushed public disclosure by OpenSSL, also thinks it was handled incorrectly. Jussi Eronen, of NCSC-FI, said Heartbleed should have continued to remain a secret and be shared only in security circles when OpenSSL received a second bug report from the Finnish cyber security center that it was passing on from security testing firm Codenomicon. 'This would have minimized the exposure to the vulnerability for end users,' Mr. Eronen said, adding that 'many websites would already have patched' by the time it was made public if this procedure was followed."
Unix

Seven Habits of Highly Effective Unix Admins 136

Posted by Soulskill
from the make-sure-you're-in-folder-you-think-you're-in dept.
jfruh writes: "Being a Unix or Linux admin tends to be an odd kind of job: you often spend much of your workday on your own, with lots of time when you don't have a specific pressing task, punctuated by moments of panic where you need to do something very important right away. Sandra Henry-Stocker, a veteran sysadmin, offers suggestions on how to structure your professional life if you're in this job. Her advice includes setting priorities, knowing your tools, and providing explanations to the co-workers whom you help." What habits have you found effective for system administration?
Earth

Introducing a Calendar System For the Information Age 224

Posted by timothy
from the might-not-last-a-whole-week dept.
First time accepted submitter chimeraha (3594169) writes "Synchronized with the northern winter solstice and the UNIX Epoch, the terran computational calendar contains 13 identical months of 28 days each in addition to a short Month Zero containing only new year's day and a single leap year day every four years (with the exception of every 128 years). The beginning of this zero-based numbering calendar, denoted as 0.0.0.0.0.0 TC, is on the solstice, exactly 10 days before the UNIX Epoch (effectively, December 22nd, 1969 00:00:00 UTC in the Gregorian Calendar). Its "terran" inception and unit durations reflect the human biological clock and align with astronomical cycles and epochs. Its "computational" notation, start date, and algorithm are tailored towards the mathematicians & scientists tasked with calendrical programming and precise time calculation.

There's a lot more information at terrancalendar.com including a date conversion form and a handful of code snippets & apps for implementing the terran computational calendar."
Security

Malware Attack Infected 25,000 Linux/UNIX Servers 220

Posted by Soulskill
from the sudo-configure-your-stuff-properly dept.
wiredmikey writes "Security researchers from ESET have uncovered a widespread attack campaign that has infected more than 25,000 Linux and UNIX servers around the world. The servers are being hijacked by a backdoor Trojan as part of a campaign the researchers are calling 'Operation Windigo.' Once infected, victimized systems are leveraged to steal credentials, redirect web traffic to malicious sites and send as many as 35 million spam messages a day. 'Windigo has been gathering strength, largely unnoticed by the security community, for more than two and a half years and currently has 10,000 servers under its control,' said Pierre-Marc Bureau, security intelligence program manager at ESET, in a statement.

There are many misconceptions around Linux security, and attacks are not something only Windows users need to worry about. The main threats facing Linux systems aren't zero-day vulnerabilities or malware, but things such as Trojanized applications, PHP backdoors, and malicious login attempts over SSH. ESET recommends webmasters and system administrators check their systems to see if they are compromised, and has published a detailed report presenting the findings and instructions on how to remove the malicious code if it is present."
Open Source

Interview: Ask Eric Raymond What You Will 126

Posted by samzenpus
from the go-ahead-and-ask dept.
Author of The Cathedral and the Bazaar and The Art of Unix Programming, Eric S. Raymond (ESR) has long been an important spokesperson for the open source movement. It's been a while since we talked to the co-founder of the Open Source Initiative, so ESR has agreed to give us some of his time and answer your questions. As usual, ask as many as you'd like, but please, one question per post.
Books

Book Review: Threat Modeling: Designing For Security 32

Posted by samzenpus
from the read-all-about-it dept.
benrothke writes "When it comes to measuring and communicating threats, perhaps the most ineffective example in recent memory was the Homeland Security Advisory System, which was a color-coded terrorism threat advisory scale. The system was rushed into use and its output of colors was not clear or intuitive. What exactly was the difference between levels such as high, guarded and elevated? From a threat perspective, which color was more severe — yellow or orange? Former DHS chairman Janet Napolitano even admitted that the color-coded system presented 'little practical information' to the public. While the DHS has never really provided meaningful threat levels, in Threat Modeling: Designing for Security, author Adam Shostack has done a remarkable job in detailing an approach that is both achievable and functional. More importantly, he details a system where organizations can obtain meaningful and actionable information, rather than vague color charts." Read below for the rest of Ben's review.
Books

Book Review: Sudo Mastery: User Access Control For Real People 83

Posted by samzenpus
from the read-all-about-it dept.
Saint Aardvark writes "If you're a Unix or Linux sysadmin, you know sudo: it's that command that lets you run single commands as root from your own account, rather than logging in as root. And if you're like me, here's what you know about configuring sudo:

1.) Run sudoedit and uncomment the line that says "%wheel ALL=(ALL) ALL".
2.) Make sure you're in the wheel group.
3.) Profit!

If you're a sysadmin, you need to stop people from shooting themselves in the foot. There should be some way of restricting use, right? Just gotta check out the man page.... And that's where I stopped, every time. I've yet to truly understand Extended Backus-Naur Form, and my eyes would glaze over. And so I'd go back to putting some small number of people in the 'wheel' group, and letting them run sudo, and cleaning up the occasional mess afterward. Fortunately, Michael W. Lucas has written Sudo Mastery: User Access Control for Real People."
Keep reading for the rest of Saint Aardvark's review.
Operating Systems

BSD Real-Time Operating System NuttX Makes Its 100th Release: NuttX 6.33 64

Posted by timothy
from the you're-a-nut dept.
paugq writes "NuttX is a real-time operating system (RTOS) with an emphasis on standards compliance and small footprint. Scalable from 8-bit to 32-bit microcontroller environments, the primary governing standards in NuttX are POSIX and ANSI standards. Additional standard APIs from Unix and other common RTOS's (such as VxWorks) are adopted for functionality not available under these standards, or for functionality that is not appropriate for deeply-embedded environments. NuttX was first released in 2007 by Gregory Nutt under the permissive BSD license, and today the 100th release was made: NuttX 6.33. Supported platforms include ARM, Atmel AVR, x86, Z80 and others."
Operating Systems

Plan 9 From Bell Labs Operating System Now Available Under GPLv2 223

Posted by Soulskill
from the still-kicking dept.
TopSpin writes "Alcatel-Lucent has authorized The University of California, Berkeley to 'release all Plan 9 software previously governed by the Lucent Public License, Version 1.02 under the GNU General Public License, Version 2.' Plan 9 was developed primarily for research purposes as the successor to Unix by the Computing Sciences Research Center at Bell Labs between the mid-1980s and 2002. Plan 9 has subsequently emerged as Inferno, a commercially supported derivative, and ports to various platforms, including a recent port to the Raspberry Pi. In Plan 9, all system interfaces, including those required for networking and the user interface, are represented through the file system rather than specialized interfaces. The system provides a generic protocol, 9P, to perform all communication with the system, among processes and with network resources. Applications compose resources using union file systems to form isolated namespaces."