It’s Season Nine Episode Thirty-Nine of Ubuntu AU! Alan Pope, Mark Johnson, Martin Wimpress and Dan Kermac are connected and speaking to your brain.
We are four once more, thank you Australia!
In this week’s show:
- We discuss what we’ve been up to recently:
  - Alan and Martin went to UbuCon Europe
- We discuss the news:
  - The UK parliament enacts extreme surveillance laws, and no-one seems to notice
  - openSUSE community Linux moves ahead of Fedora
  - Thanks to a report from BackBlaze, Seagate’s 8TB disks seem to be solid
  - A long-standing major flaw in Linux security has been found
  - Google has “strongly recommended” that OEMs avoid proprietary fast charging methods in phones
  - Spotify’s desktop app writes tons of data to storage drives
  - Samsung has launched a Tizen app incentive program
  - Apple reinvent the book
- Presenters’ news picks we didn’t have time to discuss:
  - Kids Win the Right to Sue the US Government Over Climate Change
  - SpaceX has filed for a massive constellation of satellites
  - Windows 10’s virtual trackpad turns tablets into mice
  - You don’t need to sign in to use Skype anymore
  - It’s 1989 again! WHSmith will sell video games again with GAME’s help
  - VW says Audi software can distort emissions during tests
  - Facebook halts WhatsApp data sharing across Europe
  - Domino’s starts delivering pizza by drone, but only in New Zealand
  - Bogus claims by homeopathic drug makers will now face wrath of FTC
  - Amazon Prime Now delivers Morrisons products in an hour
  - Google’s self-driving cars master tricky three-point turns
  - HTC Vive goes wireless with pricey upgrade kit
  - Europe rules that libraries can lend e-books like normal ones
  - Oxford University will offer free online courses in 2017
- We discuss the community news:
  - Microsoft has been demonstrating its continued commitment to supporting Open Source platforms.
  - Colin Watson: Git-to-Git imports are available in Launchpad, also known as Git mirroring.
  - Sergio Schvezov: Making your snaps available to the store using snapcraft
  - David Callé: How to build your own Ubuntu Core image and other documentation add-ons
  - Tim Peters: How to create Snap packages of Qt applications
  - Ubuntu Budgie Becomes An Official Ubuntu Flavor
  - Ubuntu Kernel Update Utility
  - Fedora 25 Finally Makes MP3 Playback Easy, Fedora 26 Might Ship It By Default
- We mention some events:
  - DevRel London 2016: 7th December 2016 – London, England. A one-day conference about developer relations, developer experience and developer marketing.
  - 2nd Horsham Raspberry Jam: Sunday 11th December 2016 – Horsham, England. Come and have fun learning about and using Raspberry Pi, Arduinos, robotics, coding and electronics! Many interactive projects will be on show. Thanks to Gavin Hewins from HackHorsham for emailing us.
  - linux.conf.au 2017: 16 to 20 January 2017 – Hobart, Australia. linux.conf.au is a conference about the Linux operating system, and all aspects of the thriving ecosystem of Free and Open Source Software that has grown up around it.
  - FOSDEM 2017: 4 to 5 February 2017 – Brussels, Belgium. FOSDEM is a free event for software developers to meet, share ideas and collaborate.
- This week’s cover image is taken from Wikipedia.
That’s all for this week! If there’s a topic you’d like us to discuss, or you have any feedback on previous shows, please send your comments and suggestions to [email protected], tweet us, comment on our Facebook page, comment on our Google+ page or comment on our sub-Reddit.
- Join us in the Ubuntu Podcast Chatter group on Telegram
I’m really disappointed in the LUKS “vulnerability” discussion. Did you all forget to mention how the encryption itself wasn’t compromised and a shell at boot really does nothing but modify the /boot contents and other partitions that are not encrypted (and this could be accomplished anyway by any liveCD???)? I’m assuming that since 98% of Linux machines out there are not using “secure boot” in the UEFI, I’m curious how /boot safeguards against tampering like “kernel replacement from a 3rd party”… is there a checksum on /boot upon successful LUKS entry into the system? Last time I heard, this was still a “thing” back in 2013 and the way you’d mitigate it was by storing your entire /boot partition and keys on a USB drive and plain dm-crypt everything else on the machine. I would like Martin to explain this in full detail.
As explained in the CVE-2016-4484:
An attacker with access to the console of the computer and with the ability to reboot the computer can launch a shell (with root permissions) when he/she is prompted for the password to unlock the system partition. The shell is executed in the initrd environment. Obviously, the system partition is encrypted and it is not possible to decrypt it (AFAWK). But other partitions may be not encrypted, and so accessible. Just to mention some exploitation strategies:
So that outlines the impact. As to mitigation, if someone has physical access to your server then all bets are off, there is no adequate mitigation. The information security CIA triad (confidentiality, integrity and availability) can no longer be assured. Locks and encryption do not prevent access to anything, they merely delay access.
Again, I fail to see the “vulnerability” here. All 3 of those bullet points could simply be accomplished with a root shell from any liveCD, no? A PoC was demonstrated of kernel replacement on /boot over 5 years ago: https://twopointfouristan.wordpress.com/2011/04/17/pwning-past-whole-disk-encryption/
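As an added example (not from the podcast or either commenter) of the /boot checksum the first commenter asks about: a POSIX shell script that records a SHA-256 manifest of every file under /boot and, on later boots, flags any file that was changed, added or removed. It assumes GNU coreutils `sha256sum`, and the demo fingerprints a constructed stand-in directory rather than the real /boot; in real use the manifest and the check would live on the encrypted root (or removable media) and run after unlock, since anything stored in the unencrypted /boot can itself be altered.

```shell
#!/bin/sh
# Record a SHA-256 manifest of every file under a directory (intended: /boot)
# and, on later boots, compare a fresh manifest against the stored copy.
# Assumption: GNU coreutils sha256sum is installed. The demo uses a constructed
# stand-in directory so the script runs without root.

boot_manifest() {
    # $1 = directory to fingerprint. Paths are relative, so the manifest is
    # the same whether /boot is mounted from disk or from a USB stick.
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          sha256sum "$f"
      done )
}

boot_manifest_save() {
    # $1 = directory, $2 = manifest file. Keep the manifest on the encrypted
    # root or on removable media, never inside the unencrypted /boot itself.
    boot_manifest "$1" > "$2"
}

boot_manifest_verify() {
    # $1 = directory, $2 = stored manifest. Returns 0 if identical, 1 if any
    # file changed, appeared or vanished (sha256sum -c alone misses additions).
    tmp=$(mktemp)
    boot_manifest "$1" > "$tmp"
    if diff -u "$2" "$tmp" > /dev/null; then
        rm -f "$tmp"; return 0
    fi
    echo "WARNING: $1 differs from stored manifest:" >&2
    diff -u "$2" "$tmp" >&2 || true
    rm -f "$tmp"; return 1
}

demo() {
    # Constructed stand-in for /boot with a kernel, an initrd and a grub.cfg.
    d=$(mktemp -d); m="$d/manifest"
    mkdir -p "$d/fake_boot/grub"
    printf 'vmlinuz placeholder\n' > "$d/fake_boot/vmlinuz-generic"
    printf 'initrd placeholder\n'  > "$d/fake_boot/initrd.img-generic"
    printf 'set timeout=5\n'       > "$d/fake_boot/grub/grub.cfg"
    boot_manifest_save "$d/fake_boot" "$m"
    boot_manifest_verify "$d/fake_boot" "$m" 2>/dev/null && r1=ok || r1=tampered
    # Simulate a swapped initrd, the kind of tampering the CVE thread is about.
    printf 'replaced initrd\n' > "$d/fake_boot/initrd.img-generic"
    boot_manifest_verify "$d/fake_boot" "$m" 2>/dev/null && r2=ok || r2=tampered
    rm -rf "$d"
    echo "$r1 $r2"
}
```

Running `demo` prints `ok tampered`: the untouched tree verifies, the tree with a replaced initrd does not. This only detects tampering after the fact; it does not stop a modified initrd from running, which is why the thread's point about Secure Boot or keeping /boot on removable media still stands.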