Brief items
Security
EFF: Code, Speech, and the Tornado Cash Mixer
The Electronic Frontier Foundation has announced that it is representing cryptography professor Matthew Green, who has chosen to republish the sanctioned Tornado Cash open-source code as a GitHub repository.

EFF’s most central concern about OFAC’s [US Office of Foreign Assets Control] actions arose because, after the SDN [Specially Designated Nationals] listing of “Tornado Cash,” GitHub took down the canonical repository of the Tornado Cash source code, along with the accounts of the primary developers, including all their code contributions. While GitHub has its own right to decide what goes on its platform, the disappearance of this source code from GitHub after the government action raised the specter of government action chilling the publication of this code.

In keeping with our longstanding defense of the right to publish code, we are representing Professor Matthew Green, who teaches computer science at the Johns Hopkins Information Security Institute, including applied cryptography and anonymous cryptocurrencies. Part of his work involves studying and improving privacy-enhancing technologies, and teaching his students about mixers like Tornado Cash. The disappearance of Tornado Cash’s repository from GitHub created a gap in the available information on mixer technology, so Professor Green made a fork of the code, and posted the replica so it would be available for study. The First Amendment protects both GitHub’s right to host that code, and Professor Green’s right to publish (here republish) it on GitHub so he and others can use it for teaching, for further study, and for development of the technology.
Security quotes of the week
Already, previous versions of the [USB] Rubber Ducky could carry out attacks like creating a fake Windows pop-up box to harvest a user's login credentials or causing Chrome to send all saved passwords to an attacker's webserver. But these attacks had to be carefully crafted for specific operating systems and software versions and lacked the flexibility to work across platforms.

The newest Rubber Ducky aims to overcome these limitations. It ships with a major upgrade to the DuckyScript programming language, which is used to create the commands that the Rubber Ducky will enter into a target machine. While previous versions were mostly limited to writing keystroke sequences, DuckyScript 3.0 is a feature-rich language, letting users write functions, store variables, and use logic flow controls (i.e., if this... then that).

That means, for example, the new Ducky can run a test to see if it's plugged into a Windows or Mac machine and conditionally execute code appropriate to each one or disable itself if it has been connected to the wrong target. It also can generate pseudorandom numbers and use them to add variable delay between keystrokes for a more human effect.

Perhaps most impressively, it can steal data from a target machine by encoding it in binary format and transmitting it through the signals meant to tell a keyboard when the CapsLock or NumLock LEDs should light up. With this method, an attacker could plug it in for a few seconds, tell someone, "Sorry, I guess that USB drive is broken," and take it back with all their passwords saved.

— Corin Faife on the USB Rubber Ducky at The Verge
"Greenluigi1" found within the firmware image the RSA public key used by the updater, and searched online for a portion of that key. The search results pointed to a common public key that shows up in online tutorials like "RSA Encryption & Decryption Example with OpenSSL in C."

That tutorial and other projects implementing OpenSSL include within their source code that public key and the corresponding RSA private key.

This means Hyundai used a public-private key pair from a tutorial, and placed the public key in its code, allowing "greenluigi1" to track down the private key. Thus he was able to sign Hyundai's files and have them accepted by the updater.

— Thomas Claburn at The Register
Kernel development
Kernel release status
The current development kernel is 6.0-rc2, released on August 21. Linus said:
The most noticeable fix in here is likely the virtio reverts that fixed the problem people had with running tests on the google cloud VMs, which was the 'pending issue' that we had noticed just as the merge window was closing.
Stable updates: 5.19.3, 5.18.19, 5.15.62, and 5.10.137 were released on August 21. Note that the 5.18.x series ends with 5.18.19.
The 5.19.4, 5.15.63, 5.10.138, 5.4.211, 4.19.256, 4.14.291, and 4.9.326 stable updates are all in the review process; they are due on August 25.
Linux Foundation TAB election: call for nominees
The 2022 election for members of the Linux Foundation Technical Advisory Board (TAB) will be held during the Linux Plumbers Conference, September 12 to 14. The TAB represents the kernel-development community to the Linux Foundation (and beyond) and holds a seat on the Foundation's board of directors. The call for nominees for this year's election has gone out; the deadline for nominations is September 12.

Serving on the TAB is an opportunity to help the community; interested members are encouraged to send in a nomination.
Development
Firefox 104 released
Version 104 of the Firefox browser has been released. The most interesting new feature, perhaps, is the ability to analyze a web site's power usage — but that feature is not available on Linux.
Julia 1.8 released
Version 1.8 of the Julia language has been released. Changes include typed globals, a new default thread scheduler, some new profiling tools, and more.
Krita 5.1.0 released
Version 5.1.0 of the Krita painting program is out. "Krita 5.1 comes with a ton of smaller improvements and technical polish. This release sees updates to usability across the board, improved file format handling, and a whole lot of changes to the selection and fill tools."
LibreOffice 7.4 Community released
The Document Foundation has announced the release of LibreOffice 7.4 Community, which is the community-supported version of the open-source office suite. Version 7.4 comes with new features for the suite as a whole (WebP and EMZ/WMZ support, ...), the Writer word-processor (better change tracking and hyphenation settings, ...), the Calc spreadsheet (16K columns, ...), and more. "Development is now focused on interoperability with Microsoft’s proprietary file formats, and many new features are targeted at users migrating from MS Office". More information can be found in the release notes.
The future of NGINX
This blog post on the NGINX corporate site describes the plans for this web server project in the coming year.
For the core NGINX Open Source software, we continue to add new features and functionality and to support more operating system platforms. Two critical capabilities for security and scalability of web applications and traffic, HTTP3 and QUIC, are coming in the next version we ship.
public-inbox 1.9.0 released
Version 1.9.0 of the public-inbox email archive manager has been released. Improvements include a POP3 server, a new multi-protocol "superserver", some search improvements, and performance improvements. (LWN looked at public-inbox in 2018.)
Development quote of the week
But contrary to what people repeat off internet blogs, the X server is not seeing a lack of maintenance, manpower, or even new features: XInput 2.4, with support for trackpad gestures, was released approximately a year ago, which shows that it is evolving faster than it was during the heyday of X development in the mid-90s. X is also a stable and mature system, by nature of its much more centralized development methodology, meaning that it requires less manpower to keep working than Wayland, where every feature is preceded by two to three protocol extensions from different organizations, and constant changes in the display server are required to keep up with updates to unstable protocol extensions.— Po Lu
Page editor: Jake Edge
