Language Selection

English French German Italian Portuguese Spanish

Security: WireGuard, Birds and Updates

Filed under
Security
  • WireGuard Restored In Android's Google Play Store After Brief But Controversial Removal

    After Google dropped the open-source WireGuard app from their Play Store since it contained a donation link, the app has now been restored within Google's software store for Android users but without the donation option.

    The WireGuard app for Android makes it easy to setup the secure VPN tunnel software on mobile devices, similar to its port to iOS and other platforms. The WireGuard apps are free but have included a donation link to the WireGuard website should anyone wish to optionally make a donation to support the development of this very promising network tech.

  • Letting Birds scooters fly free

    At that point I had everything I need to write a simple app to unlock the scooters, and it worked! For about 2 minutes, at which point the network would notice that the scooter was unlocked when it should be locked and sent a lock command to force disable the scooter again. Ah well.

    So, what else could I do? The next thing I tried was just modifying some STM firmware and flashing it onto a board. It still booted, indicating that there was no sort of verified boot process. Remember what I mentioned about the throttle being hooked through the STM32's analogue to digital converters[3]? A bit of hacking later and I had a board that would appear to work normally, but about a minute after starting the ride would cut the throttle. Alternative options are left as an exercise for the reader.

    Finally, there was the component I hadn't really looked at yet. The Quectel modem actually contains its own application processor that runs Linux, making it significantly more powerful than any of the chips actually running the scooter application[4]. The STM communicates with the modem over serial, sending it an AT command asking it to make an SSL connection to a remote endpoint. It then uses further AT commands to send data over this SSL connection, allowing it to talk to the internet without having any sort of IP stack. Figuring out just what was going over this connection was made slightly difficult by virtue of all the debug functionality having been ripped out of the STM's firmware, so in the end I took a more brute force approach - I identified the address of the function that sends data to the modem, hooked up OpenOCD to the SWD pins on the STM, ran OpenOCD's gdb stub, attached gdb, set a breakpoint for that function and then dumped the arguments being passed to that function. A couple of minutes later and I had a full transaction between the scooter and the remote.

    The scooter authenticates against the remote endpoint by sending its serial number and IMEI. You need to send both, but the IMEI didn't seem to need to be associated with the serial number at all. New connections seemed to take precedence over existing connections, so it would be simple to just pretend to be every scooter and hijack all the connections, resulting in scooter unlock commands being sent to you rather than to the scooter or allowing someone to send fake GPS data and make it impossible for users to find scooters.

  • Security updates for Friday

    Security updates have been issued by Debian (poppler, sudo, and wordpress), Oracle (java-1.8.0-openjdk), Red Hat (java-1.8.0-openjdk), Scientific Linux (java-1.8.0-openjdk, java-11-openjdk, and kernel), and SUSE (kernel and postgresql10).

More in Tux Machines

Bringing PostgreSQL to Government

  • Crunchy Data, ORock Technologies Form Open Source Cloud Partnership for Federal Clients

    Crunchy Data and ORock Technologies have partnered to offer a database-as-a-service platform by integrating the former's open source database with the latter's managed offering designed to support deployment of containers in multicloud or hybrid computing environments. The partnership aims to implement a PostgreSQL as a service within ORock's Secure Containers as a Service, which is certified for government use under the Federal Risk and Authorization Management Program, Crunchy Data said Tuesday.

  • Crunchy Data and ORock Technologies Partnership Brings Trusted Open Source Cloud Native PostgreSQL to Federal Government

    Crunchy Data and ORock Technologies, Inc. announced a partnership to bring Crunchy PostgreSQL for Kubernetes to ORock’s FedRAMP authorized container application Platform as a Service (PaaS) solution. Through this collaboration, Crunchy Data and ORock will offer PostgreSQL-as-a-Service within ORock’s Secure Containers as a Service with Red Hat OpenShift environment. The combined offering provides a fully managed Database as a Service (DBaaS) solution that enables the deployment of containerized PostgreSQL in hybrid and multi-cloud environments. Crunchy PostgreSQL for Kubernetes has achieved Red Hat OpenShift Operator Certification and provides Red Hat OpenShift users with the ability to provision trusted open source PostgreSQL clusters, elastic workloads, high availability, disaster recovery, and enterprise authentication systems. By integrating with the Red Hat OpenShift platform within ORock’s cloud environments, Crunchy PostgreSQL for Kubernetes leverages the ability of the Red Hat OpenShift Container Platform to unite developers and IT operations on a single FedRAMP-compliant platform to build, deploy, and manage applications consistently across hybrid cloud infrastructures.

Hardware, Science and History

  • An Open Source Toolbox For Studying The Earth

    Fully understanding the planet’s complex ecosystem takes data, and lots of it. Unfortunately, the ability to collect detailed environmental data on a large scale with any sort of accuracy has traditionally been something that only the government or well-funded institutions have been capable of. Building and deploying the sensors necessary to cover large areas or remote locations simply wasn’t something the individual could realistically do. But by leveraging modular hardware and open source software, the FieldKit from [Conservify] hopes to even the scales a bit. With an array of standardized sensors and easy to use software tools for collating and visualizing collected data, the project aims to empower independent environmental monitoring systems that can scale from a handful of nodes up to several hundred.

  • The Early History of Usenet, Part II: Hardware and Economics

    There was a planning meeting for what became Usenet at Duke CS. We knew three things, and three things only: we wanted something that could be used locally for administrative messages, we wanted a networked system, and we would use uucp for intersite communication. This last decision was more or less by default: there were no other possibilities available to us or to most other sites that ran standard Unix. Furthermore, all you needed to run uucp was a single dial-up modem port. (I do not remember who had the initial idea for a networked system, but I think it was Tom Truscott and the late Jim Ellis, both grad students at Duke.) There was a problem with this last option, though: who would do the dialing? The problems were both economic and technical-economic. The latter issue was rooted in the regulatory climate of the time: hardwired modems were quite unusual, and ones that could automatically dial were all but non-existent. (The famous Hayes Smartmodem was still a few years in the future.) The official solution was a leased Bell 801 autodialer and a DEC DN11 peripheral as the interface between the computer and the Bell 801. This was a non-starter for a skunkworks project; it was hard enough to manage one-time purchases like a modem or a DN11, but getting faculty to pay monthly lease costs for the autodialer just wasn't going to happen. Fortunately, Tom and Jim had already solved that problem.

  • UNIX Version 0, Running On A PDP-7, In 2019

    WIth the 50th birthday of the UNIX operating system being in the news of late, there has been a bit of a spotlight shone upon its earliest origins. At the Living Computers museum in Seattle though they’ve gone well beyond a bit of historical inquiry though, because they’ve had UNIX (or should we in this context say unix instead?) version 0 running on a DEC PDP-7 minicomputer. This primordial version on the original hardware is all the more remarkable because unlike its younger siblings very few PDP-7s have survived. The machine running UNIX version 0 belongs to [Fred Yearian], a former Boeing engineer who bought his machine from the company’s surplus channel at the end of the 1970s. He restored it to working order and it sat in his basement for decades, while the vintage computing world labored under the impression that including the museum’s existing machine only four had survived — of which only one worked. [Fred’s] unexpected appearance with a potentially working fifth machine, therefore, came as something of a surprise.

Audiocasts/Shows: Linux Action News and Open Source Security Podcast

Red Hat and Containers

  • Queensland government looks to open source for single sign-on project

    Red Hat Single Sign-On, which is based on the open source Keycloak project, and the Apollo GraphQL API Gateway platform will be the two key software components underpinning a Queensland effort to deliver a single login for access to online government services. Queensland is implementing single sign-on capabilities for state government services, including ‘tell us once’ capabilities that will allow basic personal details of individuals to be, where consent is given by an individual, shared between departments and agencies.

  • Red Hat Releases Open Source Project Quay Container Registry
  • Red Hat open sources Project Quay container registry

    Yesterday, Red Hat introduced the open source Project Quay container registry, which is the upstream project representing the code that powers Red Hat Quay and Quay.io. Open-sourced as a Red Hat commitment, Project Quay “represents the culmination of years of work around the Quay container registry since 2013 by CoreOS, and now Red Hat,” the official post reads. Red Hat Quay container image registry provides storage and enables users to build, distribute, and deploy containers. It will also help users to gain more security over their image repositories with automation, authentication, and authorization systems. It is compatible with most container environments and orchestration platforms and is also available as a hosted service or on-premises.

  • Red Hat declares Quay code open

    Red Hat has open sourced the code behind Project Quay, the six year old container registry it inherited through its purchase of CoreOS. The code in question powers both Red Hat Quay and Quay.IO, and also includes the Clair open source security project which was developed by the Quay team, and integrated with the registry back in 2015. In the blog post announcing the move, Red Hat principal software engineer – and CoreOS alumnus – Joey Schorr, wrote, “We believe together the projects will benefit the cloud-native community to lower the barrier to innovation around containers, helping to make containers more secure and accessible.”

  • New Open Source Offerings Simplify Securing Kubernetes

    In advance of the upcoming KubeCon 2019 (CyberArk booth S55), the flagship event for all things Kubernetes and Cloud Native Computing Foundation, CyberArk is adding several new Kubernetes offerings to its open source portfolio to improve the security of application containers within Kubernetes clusters running enterprise workloads.

  • Java Applications Go Cloud-Native with Open-Source Quarkus Framework

    "With Quarkus, Java developers are able to continue to work in Java, the language they are proficient in, even when they are working with new, cloud-native technologies," John Clingan, senior principal product manager of middleware at Red Hat, told IT Pro Today. "With memory utilization measured in 10s of MB and startup time measured in 10s of milliseconds, Quarkus enables organizations to continue with their significant Java investments for both microservices and serverless." Many organizations have been considering alternative runtimes to Java, like Node.js and Go, due to high memory utilization of Java applications, according to Clingan. In addition, Java’s startup times are generally too slow to be an effective solution for serverless environments. As such, Clingan said that even if an organization decided to stick with Java for microservices, it would be forced to switch to an alternative runtime for serverless, or functions-as-a-service (FaaS), deployment.

  • Styra Secures $14M in Funding Led by Accel to Expand Open Source and Commercial Solutions for Kubernetes/Cloud-native Security

    New technology—like Kubernetes, Containers, ServiceMesh, and CICD Automation—speed application delivery and development. However, they lack a common framework for authorization to determine where access should be allowed, and where it should be denied. Styra’s commercial and open source solutions—purpose-built for the scale of cloud-native development—provide this authorization layer to mitigate risk across cloud application components, as well as the infrastructure they are built upon.