Security Alert: Potential SSH Backdoor Via Liblzma

In breaking news that dropped just after our weekly security column went live, a backdoor has been discovered in the xz package that could potentially compromise SSH logins on Linux systems. The most detailed analysis so far seems to be by [Andres Freund] on the oss-security list.

The xz release tarballs from 5.6.0 in late February and 5.6.1 on March 9th both contain malicious code. A pair of compressed files in the repository contain the majority of the malicious patch, disguised as test files. In practice, this means that looking at the repository doesn’t reveal anything amiss, but downloading the release tarballs gives you the compromised code.

This was discovered because SSH logins on a Debian sid system were taking longer and using more CPU cycles than expected. Interestingly, Valgrind was also throwing unexpected errors when running on the liblzma library. That last bit was first noticed on February 24th, immediately after the 5.6.0 release, when the xz-utils package failed its tests on Gentoo builds.


FLOSS Weekly Episode 776: Dnsmasq, Making The Internet Work Since 1999

This week Jonathan Bennett and Simon Phipps sit down with Simon Kelley to talk about Dnsmasq! That’s a piece of software that was first built to get a laptop online over LapLink, and now runs on most of the world’s routers and phones. How did we get here, and what does the future of Dnsmasq look like? For now, Dnsmasq has a bus factor of one, which is a bit alarming, given how important it is to keeping all of us online. But the beauty of the project being available under the GPL is that if Simon Kelley walks away, Google, OpenWRT, and other users can fork and continue maintenance as needed. Give the episode a listen to learn more about Dnsmasq, how it’s tied to the Human Genome Project, and more!


FLOSS Weekly Episode 775: Meshtastic Central

This week, Jonathan Bennett and Rob Campbell chat with Ben Meadors and Adam McQuilkin to talk about what’s new with Meshtastic! There’s a lot. To start with, your favorite podcast host has gotten roped into doing development for the project. There’s a new Rust client, there’s a way to run the firmware on Linux Native, and there’s a shiny new web-based flasher tool!


Open-Source Solar Modules

As the price of solar panels continues to fall, more and more places find it economical to build solar farms that might not have been able to at higher prices. High latitude locations, places with more clouds than sun, and other challenging build sites all are seeing increased green energy development. The modules being used have one main downside, though, which is that they’re essentially a black box encased in resin and plastic, so if one of the small cells fails a large percentage of the panel may be rendered useless with no way to repair it. A solar development kit like this one from a group called Biosphere Solar is looking to create repairable, DIY modules that are completely open source, to help solve this issue.

The modular solar panel is made from a 3D printed holster which can hold a number of individual solar cells. With the cells placed in the layout and soldered together, they are then sandwiched between a few layers of a clear material like acrylic or glass with a seal around the exterior to prevent water intrusion. Since the project is open-source any number of materials can be used for the solar cell casing, and with the STL file available it’s not strictly necessary to 3D print the case as other manufacturing methods could be used. The only thing left is to hook up a DC/DC converter if you need one, and perhaps also a number of bypass and/or blocking diodes depending on your panel’s electrical layout.

The project is still in active development, and some more information can be found at the project’s website. While the “recyclability” of large-scale solar farms is indeed a problem, it’s arguably one which has been overblown by various interests who are trying to cast doubt on green energy. A small build like this won’t solve either problem anytime soon, so the real utility here would be for home users with small off-grid needs who want an open-source, repairable panel. It’s a great method to make sure solar technology is accessible and repairable for anyone that wants it, and in a way this approach to building hardware reminds us a lot of the Framework laptops.

A General-Purpose PID Controller

For those new to fields like robotics or aerospace, it can seem at first glance that problems like moving a robot arm or flying an RC airplane should be simple to solve. It turns out, however, that control of systems like these can get complicated quickly; so much so that these types of problems have spawned their own dedicated branch of engineering. As controls engineers delve into this field, one of their initial encounters with a control system is often with the PID controller, and this open source project delivers two of these general-purpose controllers in one box.

The dual-channel PID controller was originally meant as a humidity and temperature controller and was based on existing software for an ATmega328. But after years of tinkering, adding new features, and moving the controller to an ESP32 platform, [knifter] has essentially a brand new piece of software for this controller. Configuring the controller itself is done before the software is compiled, and it includes a GUI since one of the design goals of the project was ease-of-use. He’s used it to control humidity, temperature and CO2 levels in his own work at the University of Amsterdam, but imagines that it could see further use outside of his use cases in things like reflow ovens which need simple on/off control or for motors which can be controlled through an H-bridge.

The PID controller itself seems fairly robust, and includes a number of features that seasoned controls engineers would look for in their PID controllers. There are additionally some other open-source PID controllers to take a look at like this one built for an Arduino, and if you’re still looking for interesting use cases for these types of controllers one of our favorites is this PID controller built into a charcoal grill.

FLOSS Weekly Episode 766: WebRTC — The Hack That Connects Everyone To Everything

This week Jonathan Bennett and Dan Lynch talk with Sean DuBois, WebRTC wizard, all about the crazy feats the Pion Go server is capable of, how WebRTC is about to change OBS, and what it looks like to build a successful Open Source Career.

WebRTC is for more than video. The Tor Snowflake project uses Pion to sneak Tor traffic through firewalls even with Deep Packet Inspection (DPI) at play. Since nobody wants to block web conferencing, Tor and even WireGuard can use this to slip through.

Sean is also working on some game-changing patches for OBS Studio, including WHEP support to go along with the newly introduced WHIP feature. This enables direct connections to another OBS client, as well as connection to another WebRTC client like vdo.ninja without running an embedded browser to make it work.

And then there’s WebRTC For The Curious, a free CC0 e-book all about the nuts and bolts of WebRTC. And Broadcast Box, a ready-to-run WebRTC one-to-many broadcasting solution that lets you run your own streaming service. You can connect with Sean at the Real-time Broadcast Discord server for information about all of the projects listed here and more!


FLOSS Weekly Episode 764: You Have To Be Pretty Cynical

This week Jonathan Bennett and Katherine Druckman talk with benny Vasquez, chair of AlmaLinux, all about the weird road we’ve been on with Enterprise Linux distributions, and how that’s landed us here, where we have AlmaLinux, Rocky Linux, and multiple other Red Hat downstream distros. What’s the difference between those projects, and why does it matter?

Projects need more than just developers. How do you keep members doing documentation, bug hunting, outreach, and even graphic design plugged in and feeling like part of the team? How do you walk the narrow line between the different directions a project can drift, setting up your community for long term success? And where’s the most surprising place benny has found AlmaLinux running? And why is benny’s first name never capitalized? Give this week’s show a listen to find out!
