Linux Weekly Daily Wednesday – Dang Dirty COW

By Venn Stone Oct 26, 2016 / No Comments

Linux returns to the PS4! Mozilla blocks WoSign certificates, Twitter invades the command line, and enabling Canonical Livepatch for the low low price of free.

Subscribe: Linux Weekly Daily Wednesday

Notes:
Colour key – Venn Pedro Mathieu Jordan

News

Free patch
https://fossbytes.com/how-to-enable-linux-kernel-livepatch-in-ubuntu-16-04-lts-for-free/

  • You can use Ubuntu Live Patch on three boxes for free but if you install in on four Shuttleworth will come to your house and kneecap ya.
  • Most mall companies will still need to purchase a Ubuntu Advantage subscription.
  • Starting at the low low price of
    • Desktop Support
    • $150.00 USD /node/year
  • “Don’t reboot it, just patch”
  • I’m having a hard time figuring out how this kind of feature can be provided as a service
  • But then again, it’s a service like Landscape which is basically apt-get as a service
  • For mission critical servers and other such use cases, it makes sense.
  • Especially when a critical flaw is found and is known to be exploited like the one we will talk about later on.
  • This allows the machine to stay up and get the needed patch, while also providing a degree of assurance to the company paying for the service.

 

Bank these chains
http://fortune.com/2016/10/24/visas-blockchain-chain-open-source/

  • Chain is also releasing a “test net,” or test network, for coders to experiment in partnership with Microsoft, which has agreed to supply cloud infrastructure with its Azure business.”
  • Really? Microsoft?! Do you want to set yourself up for failure from the get go?
  • Because nobody will ever trust a closed source system, ever.
  • Especially ones to help banks build “permissioned” blockchain systems”
  • Remember kids, Banks and governments loathe the bitcoins because they are unable to control it.

 

CLI Twitter
http://www.omgubuntu.co.uk/2016/10/twitter-command-line-client-rainbow-stream

  • Tried it and it works great. Looks neat for a command line app.
  • For Python devs, it’s worth taking a look at the source code if you’re into network programming and APIs
  • This weeks “oh, that’s neat but useless” story.

 

16.04 Upgrade Talk
http://askubuntu.com/questions/777803/apt-relocation-error-version-glibcxx-3-4-21-not-defined-in-file-libstdc-so-6
https://launchpad.net/~ubuntu-toolchain-r/+archive/ubuntu/test?field.series_filter=trusty
http://askubuntu.com/questions/824391/nvidia-driver-issues-ubuntu-16-04

  • IMA let Frenchy talk for a bit so you can see why software devels make horrid sys admins.
  • This is the type of stuff you encounter when running a system that has been patched all over the place in the past and decide it’s time to upgrade.
    • No, this is Ubuntu messing up something every other distro has sorted.
  • It’s one of the reason some people recommend doing a clean install, because they don’t know how to fix things when that happens
  • You can patch your system with never stuff, you can build yourself a frankendistro if you want to, just be prepared to clean up the mess when you upgrade.
  • Best solution might be to do a bit of cleaning up before upgrading so that things won’t break after.
    • Did that and the built in check even agreed that no problems were spotted.
  • From all the things you can patch on your system, using the Ubuntu Toolchain PPA is by far the most risky. Even installing a newer kernel won’t get you into any trouble.
    • Never used it until after the update.
  • There are many other alternatives to patching your daily system: dual booting, virtual machines, containers or even stuff like Flatpack and Snaps now. Keep in mind that if you want to run the latest software you have to run the latest OS as well.
    • You would leave an internet facing machine unpatched?
    • This, this right here is his malfunction.
    • Tis not a daily system” it’s a production box that has to work the same today as it does 9 months from now.
  • Had to dpkg –force-all -i libstdc+‌+6_5.4.0-6ubuntu1~16‌.04.2_amd64.deb and libstdc+‌+6_5.4.0-6ubuntu1~16‌.04.2_i386.deb to get the little bugger to boot.
    • This was an adventure since the system could not enable networking.
  • Then ended up adding ppa:ubuntu-toolchain-r/test so I could run apt-get install -f
  • Had to install gcc-4.9 and remove gcc-4.8 to get the NVIDIA module to compile because ¯\_()_/¯  
  • That said, it sorted the Warhammer online issue.
  • I’ve had so many bad experiences updating distros without a reinstall.
  • The only one I’ve had any success with to this day was Fedora.
    • Ain’t no upgrade like a Fedora upgrade.

 

Dirty cow
https://www.engadget.com/2016/10/24/linux-exploit-gives-any-user-full-access-in-five-seconds

  • So my RedHat 5.2 box is safe, gotcha.
  • Yet another vulnerability that is extremely hard to exploit (remotely)
  • But if you have any kind of machine open on the internet, I’m sure you already have updated your kernel.
    • You’d need remote filesystem access, like SSHFS or even FTP, which in a sense broadens the attack scope exponentially.
  • So, how does this effect routers, thermostats, and refrigerators?

 

Bonus cow
http://arstechnica.com/security/2016/10/android-phones-rooted-by-most-serious-linux-escalation-bug-ever/

  • Talk about a silver lining.
  • Guess we will see how quickly carriers can push a patch when it’s in their best interest.
  • Now, exploiting the vulnerability locally is a whole different story. Having local access to a machine makes any vulnerability much easier to exploit.
  • And for Android, I’m not sure this is a bad thing since having all those restricted devices kinda sucks.
  • But having some rogue app rooting your device against your will for malicious purposes is not something you want.
  • Yeah, and it’s exactly the prominence and proliferation of malicious apps in Android which makes this a much more serious problem.

 

The Fox brings down the Fire
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/

  • What’s not to like about all of this? I just hope that Chrome will do the same. That will teach those sketchy CAs.
  • Good on Mozilla!
  • Of course, in the age of Let’s Encrypt, there is absolutely no excuse to allow these CAs to keep pulling crap like this.
  • Anyone backdating certs should be noped on that alone.

 

SmachZing
https://www.reddit.com/r/pcgaming/comments/593uy7/smach_z_the_handheld_gaming_pc/d95gb6r/

  • Helping confirm what I already said.
  • I wasn’t aware of the shady background of the company before reading this.
  • Now I don’t considering an unrealistic project, it’s only a scam.
    • Why not both?

 

PS4.01 Linux
http://www.eurogamer.net/articles/digitalfoundry-2016-ps4-hacked-again-linux-on-firmware-401

  • Sony has already released firmware 4.05, quite possibly to address this.
  • The two hackers who were giving the presentation work for Chaitin, which is a chinese IT security firm.
  • I’m guessing they tipped Sony off before revealing anything regarding the exploit.

Slice of Pi

Pi Start
https://www.hackster.io/sajingeo/echo-starts-your-car-07b871

  • Step 1 for building your own batmobile
  • And in today’s world of faulty IoT security, have your car be part of a DDoS botnet.

 

Fedora
http://betanews.com/2016/10/19/fedora-25-beta-linux-raspberry-pi/

  • So that’s it? It’s just called Fedora? I wish Jordan came up with a cool name for this.

Feedback

RISC
http://linuxgamecast.com/bradley/?MWgZPU3

  • Maybe because Power8, like Power7 before it and PPC before all of them were RISC ISAs?
  • And RISC-V is just the latest of pure RISC IS processors.

Related:

Linux Weekly Daily Wednesday – Grilling Solus Linux Weekly Daily Wednesday – Final Flashdown Linux Weekly Daily Wednesday – Unity No More Linux Weekly Daily Wednesday – PopKraut Linux Weekly Daily Wednesday: AAC! Fedora
0 Comments

Leave Your Reply