On February 20th, servers hosting the Linux Mint web site were compromised and the site was modified to point to a version of Mint with a backdoor installed. Very few people were impacted, fortunately; only those who downloaded Mint 17.3 Cinnamon on February 20th. The forum user database was also compromised.
What is most impressive here is not that Linux Mint was compromised, but the response and security measures that were already in place that prevented this from becoming a bigger problem. First, it was detected the same day that it was a problem, so the vulnerability only lasted less than a day. Second, it only affected downloads of a specific version, and only if they clicked a specific link, so anyone who was downloading from a direct HTTP request or a torrent is unaffected. Third, they were able to track down the names of three people in Bulgaria who are responsible for this hack.
As far as the forum compromise, the breech netted usernames, emails, and encrypted passwords, as well as personal information that forum users may have entered in signatures or private messages. It’s always nice to see when compromised sites are not storing passwords in plain text, though.
There is one security measure which should have protected against this and failed for a couple of reasons, and that’s the signature. Normally, the file download is accompanied by a signature which is generated from the file, like an MD5 or SHA checksum. By generating the checksum of the downloaded ISO file and comparing it to the reported signature on the web site, one can confirm that the file has downloaded correctly and that it is the same file. In this case anyone downloading the bad ISO should have caught that the downloaded file was not the official one because the signatures did not match. This can fail. Most people are too lazy to check (and there is no automated checking process). More importantly, because the attackers controlled the web site, they could change the site to report any signature they wanted, including the signature for the bad ISO file.
If you are affected by this, you should change your password on the forum and anywhere you use the same email/password. More importantly, as great as the verification signature is, shouldn’t there be a better way to verify so that people use it regularly and so that it can’t be compromised so easily?
[Andy France] built his computer into a Windows XP box. (Yes, this is from the past.) He needed to run windows most of the time, but it was nice to boot into Linux every now and then. That’s where the problem lay. If he was running Linux on his Windows XP case mod, he’d get made fun of. The only solution was to make a Linux sleeve for his computer. He would slide the sleeve over the case whenever he ran Linux, and hide his shame from wandering eyes. Once his plan was fully formed, he went an extra step and modified the computer so that if the sleeve was on, it would automatically boot Linux, and if it was off it would boot Windows.
The Linux sleeve could only slide on if the computer was flipped upside down. So he needed to detect when it was in this state. To do this he wired a switch into one of the com ports of his computer, and attached it to the top of the case mod. He modified the assembly code in the MBR to read the state of the switch. When the Linux sleeve is on (and therefore the computer is flipped over) it boots Linux. When the sleeve is off, Windows. Neat. It would be cool to put a small computer in a cube and have it boot different operating systems with this trick. Or maybe a computer that boots into guest mode in one orientation, and the full system in another.
Continue reading “Flip Your Desktop Over to Boot Linux”
We’ve got two hacks in one from [Serge Rabyking] on fingerprint scanning. Just before leaving on a trip he bought a laptop on the cheap. He didn’t pay much attention to the features and was disappointed it didn’t have a fingerprint scanner. Working in Linux he uses sudo a lot and typing the password is a hassle. Previously he just swiped his finger on the scanner and execution continued.
He found a cheap replacement fingerprint scanner on hacker’s heaven, also known as eBay. It had four wires attached to a 16 pin connector. Investigation on the scanner end showed the outer pair were power and ground which made [Serge] suspect it was a USB device. Wiring up a USB connector and trying it the device was recognized but with a lot of errors. He swapped the signal lines and everything was perfect. He had sudo at his finger tip.
Next he wonder if it would work with a Raspberry Pi. He installed the necessary fingerprint scanning software, ran the enrollment for a finger, and it, not terribly surprisingly, worked.
On Linux the command fprintd-enroll reads and stores the fingerprint information. By default it scans and saves the right index finger but all ten fingers can be scanned and stored. Use libpam-fprintd to enable account login using a finger. Anyone know how you can trigger other events using a different finger? A quick search didn’t turn up any results.
In true hacker style, [Serge] created his own fingerprint reader from a replacement part. But you can jump start your finger usage by purchasing one of many inexpensive available readers.
For the 20th anniversary of the Movie “Hackers” [Jamie Zawinski], owner of DNA Lounge in San Francisco, threw an epic party – screening the movie, setting up skating ramps and all that jazz. One of the props he put up was an old payphone, but he didn’t have time to bring it alive. The one thing he didn’t want this phone to do was to be able to make calls. A couple of weeks later, he threw another party, this time screening “Tank Girl” instead. For this gathering he had enough time to put a Linux computer inside the old payphone. When the handset is picked up, it “dials” a number which brings up a voice mail system that announces the schedule of events and other interactive stuff. As usual, this project looked simple enough to start with, but turned out way more complicated than he anticipated. Thankfully for us, he broke down his build in to bite sized chunks to make it easy for us to follow what he did.
This build is a thing of beauty, so let’s drill down into what the project involved:
Continue reading “My Payphone Runs Linux”
While on the hunt for some hardware that would let him stream video throughout his LAN [danman] got a tip to try the €69 Tronsmart Pavo M9 (which he points out is a re-branded Zidoo X9). With some handy Linux terminal work and a few key pieces of software [danman] was able to get this going.
The Android box was able to record video from the HDMI input with pre-installed software found in the main menu as [danman] explains on his blog. File format options are available in the record menu, however none of them were suitable for streaming the video (which was the goal, remember?).
[danman] was able to poke around the system easily since these boxes come factory rooted (or at least the Tronsmart variant that [danman] uses in his demo did). Can anyone with a Zidoo X9 verify access to the root directory?
Long story short, [danman] was able to get the stream working over the network. Although he did have to make some changes to the stream command he was issuing over ssh. He finds the fix in the ffmpeg documentation which saves you the trouble of reading through it but you’ll have to check out his blog post for that (pro tip: he links to a sweet little .apk reverse engineering tool as well).
We’ve seen set top box hacks before, however, streaming and recording HDMI at this price is a rare find. If you’ve been hacking up the same tree let us know in the comments, and don’t forget to send in those tips!
Plovdiv, Bulgaria has a long history of design and innovation going back at least 6000 years to cultures like the Thracians, Celts, and Romans. In the last decade it is also an important center for open hardware innovation — reviving the lost glory of the computer hardware industry from the former “Soviet bloc countries”. One of the companies in the region that has thrived is a 5000 square-meter microelectronics factory which you may have heard of before: Olimex.
Olimex has over 25 years of experience in designing, prototyping, and manufacturing printed circuit boards, components, and complete electronic products. Over the last decade it has evolved into a shining example of an open hardware company. We recently had the chance to visited Olimex and to meet its CEO, Tsvetan Usunov.
Continue reading “25 Years of Hardware Manufacturing in Plovdiv”
A few years ago [Serge Vakulenko] started the RetroBSD project–a 16-bit port of the old 2.11BSD operating system to the Microchip PIC32 microcontroller. This was impressive, but version 2 of BSD is, to most people, old news and somewhat difficult to use compared to modern BSD and Linux operating systems.
[Serge] has been at it again, however, and now has a port of 4.4BSD–LiteBSD–running on the PIC32MZ. According to [Alexandru Voica] there is about 200K of user space memory in the basic build, and by removing some OS features, you could double or triple that figure.
Continue reading “LiteBSD Brings 4.4BSD to PIC32”