<?xml version="1.0" encoding="utf-8" ?>

<rss version="2.0" 
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:admin="http://webns.net/mvcb/"
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
   xmlns:wfw="http://wellformedweb.org/CommentAPI/"
   xmlns:content="http://purl.org/rss/1.0/modules/content/"
   >
<channel>
    
    <title>Hanno's blog (Entries tagged as freesoftware)</title>
    <link>https://blog.hboeck.de/</link>
    <description></description>
    <dc:language>en</dc:language>
    <generator>Serendipity 2.5.0 - http://www.s9y.org/</generator>
    <pubDate>Tue, 03 Feb 2015 23:55:23 GMT</pubDate>

    <image>
    <url>https://blog.hboeck.de/templates/hanno/img/s9y_banner_small.png</url>
    <title>RSS: Hanno's blog - </title>
    <link>https://blog.hboeck.de/</link>
    <width>100</width>
    <height>21</height>
</image>

<item>
    <title>What the GHOST tells us about free software vulnerability management</title>
    <link>https://blog.hboeck.de/archives/864-What-the-GHOST-tells-us-about-free-software-vulnerability-management.html</link>
            <category>Code</category>
            <category>English</category>
            <category>Gentoo</category>
            <category>Linux</category>
            <category>Security</category>
    
    <comments>https://blog.hboeck.de/archives/864-What-the-GHOST-tells-us-about-free-software-vulnerability-management.html#comments</comments>
    <wfw:comment>https://blog.hboeck.de/wfwcomment.php?cid=864</wfw:comment>

    <slash:comments>5</slash:comments>
    <wfw:commentRss>https://blog.hboeck.de/rss.php?version=2.0&amp;type=comments&amp;cid=864</wfw:commentRss>
    

    <author>nospam@example.com (Hanno Böck)</author>
    <content:encoded>
    &lt;img src=&quot;https://blog.hboeck.de/uploads/ghost.svg&quot; class=&quot;serendipity_image_right&quot; alt=&quot;GHOST&quot; width=&quot;300&quot; height=&quot;320&quot;/&gt;On Tuesday details about the security vulnerability &lt;a href=&quot;https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability&quot;&gt;GHOST in Glibc were published by the company Qualys&lt;/a&gt;. When severe security vulnerabilities hit the news I always like to take this as a chance to learn what can be improved and how to avoid similar incidents in the future (see e. g. my posts on &lt;a href=&quot;https://blog.hboeck.de/archives/857-How-to-stop-Bleeding-Hearts-and-Shocking-Shells.html&quot;&gt;Heartbleed/Shellshock&lt;/a&gt;, &lt;a href=&quot;https://blog.hboeck.de/archives/858-Dancing-protocols,-POODLEs-and-other-tales-from-TLS.html&quot;&gt;POODLE/BERserk&lt;/a&gt; and &lt;a href=&quot;https://blog.hboeck.de/archives/863-Dont-update-NTP-stop-using-it.html&quot;&gt;NTP&lt;/a&gt; lately).&lt;img src=&quot;https://ssl-vg03.met.vgwort.de/na/63f5b69af8ac4f21a4a35be8345968da&quot; width=&quot;1&quot; height=&quot;1&quot; alt=&quot;&quot;/&gt;&lt;br /&gt;
&lt;br /&gt;
GHOST itself is a heap overflow in the name resolution function of Glibc. Glibc is the standard C library on Linux systems; almost every piece of software that runs on a Linux system uses it. It is somewhat unclear right now how serious GHOST really is. A lot of software uses the affected function gethostbyname(), but a lot of conditions have to be met to make this vulnerability exploitable. Right now the most relevant attack is against the mail server exim, for which Qualys has developed a working exploit that they plan to release soon. There have been &lt;a href=&quot;http://blog.sucuri.net/2015/01/critical-ghost-vulnerability-released.html&quot;&gt;speculations whether GHOST might be exploitable through Wordpress&lt;/a&gt;, which would make it much more serious.&lt;br /&gt;
&lt;br /&gt;
Technically GHOST is a heap overflow, which is a very common class of bug in C programming. C is inherently prone to these kinds of memory corruption errors and there are essentially two ways forward here: improve the use of &lt;a href=&quot;http://oss-security.openwall.org/wiki/exploit-mitigation&quot;&gt;exploit mitigation techniques&lt;/a&gt; like ASLR and create new ones (&lt;a href=&quot;http://levee.epfl.ch&quot;&gt;levee&lt;/a&gt; is an interesting project, watch &lt;a href=&quot;http://media.ccc.de/browse/congress/2014/31c3_-_6050_-_en_-_saal_g_-_201412272030_-_code_pointer_integrity_-_gannimo.html#video&quot;&gt;this 31C3 talk&lt;/a&gt;). And if possible move away from C altogether and develop core components in memory safe languages (I have high hopes for the &lt;a href=&quot;https://github.com/servo/servo&quot;&gt;Mozilla Servo&lt;/a&gt; project, watch &lt;a href=&quot;https://www.youtube.com/watch?v=7q9vIMXSTzc&quot;&gt;this linux.conf.au talk&lt;/a&gt;).&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;GHOST was discovered three times&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
But the thing I want to elaborate on here is something different about GHOST: It turns out that it has been discovered &lt;a href=&quot;https://twitter.com/hanno/status/560401620971032577&quot;&gt;independently three times&lt;/a&gt;. It was &lt;a href=&quot;https://sourceware.org/git/?p=glibc.git;a=commit;h=d5dd6189d506068ed11c8bfa1e1e9bffde04decd&quot;&gt;already fixed in 2013 in the Glibc code itself&lt;/a&gt;. The commit message didn&#039;t indicate that it was a security vulnerability. Then in &lt;a href=&quot;https://code.google.com/p/chromium/issues/detail?id=364511&quot;&gt;early 2014 developers at Google found it again using Address Sanitizer&lt;/a&gt; (which – by the way – tells you that all software developers should use Address Sanitizer more often to test their software). Google fixed it in Chrome OS and explicitly called it an overflow and a vulnerability. And then recently Qualys found it again and made it public.&lt;br /&gt;
&lt;br /&gt;
Now you may wonder why a vulnerability fixed in 2013 made headlines in 2015. The reason is that it wasn&#039;t widely fixed, because it wasn&#039;t publicly known that it was serious. I don&#039;t think there was any malicious intent. The original Glibc fix was probably done without anyone noticing that it was serious, and the Google devs may have thought that the fix was already public, so they didn&#039;t need to make any noise about it. But we can clearly see that something doesn&#039;t work here. Which brings us to a discussion of how the Linux and free software world in general and vulnerability management in particular work.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;The “Never touch a running system” principle&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
Quite early when I came in contact with computers I heard the phrase “Never touch a running system”. This may have been a reasonable approach to IT systems back then when computers usually weren&#039;t connected to any networks and when remote exploits weren&#039;t a thing, but it certainly isn&#039;t a good idea today in a world where almost every computer is part of the Internet. Because once new security vulnerabilities become public you should change your system and fix them. However that doesn&#039;t change the fact that many people still operate like that.&lt;br /&gt;
&lt;br /&gt;
A number of Linux distributions provide “stable” or “Long Term Support” versions. Basically the idea is this: At some point they take the current state of their systems and further updates will only contain important fixes and security updates. They guarantee to fix security vulnerabilities for a certain time frame. This is kind of a compromise between the “Never touch a running system” approach and reasonable security. It tries to give you a system that will basically stay the same, but you get fixes for security issues. Popular examples of this approach are the stable branch of Debian, Ubuntu LTS versions and the Enterprise versions of Red Hat and SUSE.&lt;br /&gt;
&lt;br /&gt;
To give you an idea about time frames, Debian currently supports the stable trees Squeeze (6.0), which was released in 2011, and Wheezy (7.0), which was released in 2013. Red Hat Enterprise Linux currently has 4 supported versions (4, 5, 6, 7); the oldest one was originally released in 2005. So we&#039;re talking about pretty long time frames for which these systems get supported. Ubuntu and SUSE have similar long-term supported systems.&lt;br /&gt;
&lt;br /&gt;
These systems are delivered with an implicit promise: We will take care of security and if you update regularly you&#039;ll have a system that doesn&#039;t change much, but that will be secure against known threats. Now the interesting question is: How well do these systems deliver on that promise and how hard is that?&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Vulnerability management is chaotic and fragile&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
I&#039;m not sure how many people are aware how vulnerability management works in the free software world. It is a pretty fragile and chaotic process. There is no standard way things work. The information is scattered around many different places. Different people look for vulnerabilities for different reasons. Some are developers of the respective projects themselves, some are companies like Google that make use of free software projects, some are just curious people interested in IT security or researchers. They report a bug through the channels of the respective project. That may be a mailing list, a bug tracker or just a direct mail to the developer. Hopefully the developers fix the issue. It does happen that the person finding the vulnerability first has to explain to the developer why it actually is a vulnerability. Sometimes the fix will happen in a public code repository, sometimes not. Sometimes the developer will mention that it is a vulnerability in the commit message or the release notes of the new version, sometimes not. There are notorious projects that refuse to handle security vulnerabilities in a transparent way. Sometimes whoever found the vulnerability will post more information on his/her blog or on a mailing list like full disclosure or oss-security. Sometimes not. Sometimes vulnerabilities get a CVE id assigned, sometimes not.&lt;br /&gt;
&lt;br /&gt;
Add to that the fact that in many cases it&#039;s far from clear what is a security vulnerability. It is absolutely common that if you ask the people involved whether this is serious the best and most honest answer they can give is “we don&#039;t know”. And very often bugs get fixed without anyone noticing that it even could be a security vulnerability.&lt;br /&gt;
&lt;br /&gt;
Then there are projects where the number of security vulnerabilities found and fixed is really huge. The latest &lt;a href=&quot;http://googlechromereleases.blogspot.ro/2015/01/stable-update.html&quot;&gt;Chrome 40 release had 62 security fixes&lt;/a&gt;, &lt;a href=&quot;http://googlechromereleases.blogspot.de/2014/11/stable-channel-update_18.html&quot;&gt;version 39 had 42&lt;/a&gt;. Chrome releases a new version every two months. Browser vulnerabilities are found and fixed on a daily basis. Not that extreme but still high is the vulnerability count in PHP, which is especially worrying if you know that many webhosting providers run PHP versions not supported any more.&lt;br /&gt;
&lt;br /&gt;
So you probably see my point: There is a very chaotic stream of information in various different places about bugs and vulnerabilities in free software projects. The number of vulnerabilities is huge. Making a promise that you will scan all this information for security vulnerabilities and backport the patches to your operating system is a big promise. And I doubt anyone can fulfill that.&lt;br /&gt;
&lt;br /&gt;
GHOST is a single example, so you might ask how often these things happen. At some point right after GHOST became public this &lt;a href=&quot;https://twitter.com/ageis/status/560185941378076673/photo/1&quot;&gt;excerpt from the Debian Glibc changelog&lt;/a&gt; caught my attention (excuse the bad quality, I had to take the image from Twitter because I was unable to find that changelog on Debian&#039;s webpages):&lt;br /&gt;
&lt;br /&gt;
&lt;!-- s9ymdb:425 --&gt;&lt;img class=&quot;serendipity_image_center&quot; width=&quot;597&quot; height=&quot;215&quot;  src=&quot;https://blog.hboeck.de/uploads/debian-changelog-glibc.png&quot;  alt=&quot;eglibc Changelog&quot; /&gt;&lt;br /&gt;
&lt;br /&gt;
What you can see here: While Debian fixed GHOST (which is CVE-2015-0235) they also fixed &lt;a href=&quot;https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6656&quot;&gt;CVE-2012-6656&lt;/a&gt; – a security issue from 2012. Admittedly this is a minor issue, but it&#039;s a vulnerability nevertheless. A quick look at the Debian changelog of Chromium both &lt;a href=&quot;http://metadata.ftp-master.debian.org/changelogs//main/c/chromium-browser/chromium-browser_6.0.472.63~r59945-5+squeeze6_changelog&quot;&gt;in squeeze&lt;/a&gt; and &lt;a href=&quot;http://metadata.ftp-master.debian.org/changelogs//main/c/chromium-browser/chromium-browser_37.0.2062.120-1~deb7u1_changelog&quot;&gt;wheezy&lt;/a&gt; will tell you that they aren&#039;t fixing all the recent security issues in it. (Debian already had discussions about &lt;a href=&quot;http://lwn.net/Articles/404050/&quot;&gt;removing Chromium&lt;/a&gt; and in &lt;a href=&quot;https://www.debian.org/releases/stable/i386/release-notes/ch-information.en.html#browser-security&quot;&gt;Wheezy they don&#039;t stick to a single version&lt;/a&gt;.)&lt;br /&gt;
&lt;br /&gt;
It would be an interesting (and time consuming) project to take a package like PHP and check for all of its security vulnerabilities whether they are fixed in the latest packages in Debian Squeeze/Wheezy, all Red Hat Enterprise versions and other long term support systems. PHP is probably more interesting than browsers, because the high profile targets for these vulnerabilities are servers. What worries me: I&#039;m pretty sure some people already do that. They just won&#039;t tell you and me; instead they&#039;ll write their exploits and sell them to repressive governments or botnet operators.&lt;br /&gt;
&lt;br /&gt;
Then there are also stories like this: Tavis Ormandy reported a security issue in Glibc in 2012 and the people from Google&#039;s Project Zero went to great lengths to &lt;a href=&quot;http://googleprojectzero.blogspot.de/2014/08/the-poisoned-nul-byte-2014-edition.html&quot;&gt;show that it is actually exploitable&lt;/a&gt;. Reading the &lt;a href=&quot;https://sourceware.org/bugzilla/show_bug.cgi?id=17187&quot;&gt;Glibc bug report&lt;/a&gt; you can learn that this was already reported in 2005(!), just nobody noticed back then that it was a security issue and it was minor enough that nobody cared to fix it.&lt;br /&gt;
&lt;br /&gt;
There are also bugs that require changes so big that backporting them is essentially impossible. In the TLS world a lot of protocol bugs have been highlighted in recent years. Take Lucky Thirteen for example. It is a timing side channel in the way the TLS protocol combines CBC encryption, padding and authentication. I like to mention this bug because it is the TLS bug that was already mentioned in the specification (&lt;a href=&quot;https://datatracker.ietf.org/doc/html/rfc5246&quot;&gt;RFC 5246&lt;/a&gt;, page 23: &quot;This leaves a small timing channel&quot;). The real fix for Lucky Thirteen is not to use the error-prone CBC mode any more and to switch to the authenticated encryption modes that are part of TLS 1.2. (There&#039;s another possible fix, which is using &lt;a href=&quot;https://datatracker.ietf.org/doc/html/rfc7366&quot;&gt;Encrypt-then-MAC&lt;/a&gt;, but it is hardly deployed.) Up until recently most encryption libraries didn&#039;t support TLS 1.2. Debian Squeeze and Red Hat Enterprise 5 ship OpenSSL versions that only support TLS 1.0. There is no trivial patch that could be backported, because this is a huge change. What they likely backported are workarounds that avoid the timing channel. This will stop the attack, but it is not a very good fix, because it keeps the problematic old protocol and will force others to stay compatible with it.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;LTS and stable distributions are there for a reason&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
The big question is of course what to do about it. OpenBSD developer Ted Unangst wrote a blog post yesterday titled &lt;a href=&quot;https://flak.tedunangst.com/post/long-term-support-considered-harmful&quot;&gt;Long term support considered harmful&lt;/a&gt;, I suggest you read it. He argues that we should get rid of long term support completely and urge users to upgrade more often. OpenBSD has a 6 month release cycle and supports two releases, so one version gets supported for one year.&lt;br /&gt;
&lt;br /&gt;
Given what I wrote before you may think that I agree with him, but I don&#039;t. While I personally always avoided using overly old systems – I&#039;m usually using Gentoo, which doesn&#039;t have any snapshot releases at all and does rolling releases – I can see the value in long term support releases. There are a lot of systems out there – connected to the Internet – that are never updated. Taking away the option to install systems and let them run with relatively little maintenance overhead over several years will probably result in more systems never receiving any security updates. With all its imperfections, running a Debian Squeeze with the latest updates is certainly better than running an operating system from 2011 that stopped getting security fixes in 2012.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Improving the information flow&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
I don&#039;t think there is a silver bullet solution, but I think there are things we can do to improve the situation. What could be done is to coordinate and share the work. Debian, Red Hat and other distributions with stable/LTS versions could agree that their next versions are based on a specific Glibc version and they collaboratively work on providing patch sets to fix all the vulnerabilities in it. This already somehow happens with upstream projects providing long term support versions, the Linux kernel does that for example. Doing that at scale would require vast organizational changes in the Linux distributions. They would have to agree on a roughly common timescale to start their stable versions.&lt;br /&gt;
&lt;br /&gt;
What I&#039;d consider the most crucial thing is to improve and streamline the information flow about vulnerabilities. When Google fixes a vulnerability in Chrome OS they should make sure this information is shared with other Linux distributions and the public. And they should know where and how they should share this information.&lt;br /&gt;
&lt;br /&gt;
One mechanism that tries to organize the vulnerability process is the system of CVE ids. The idea is actually simple: Publicly known vulnerabilities get a fixed id and they are in a &lt;a href=&quot;https://cve.mitre.org/&quot;&gt;public database&lt;/a&gt;. GHOST is CVE-2015-0235 (the scheme will soon change because four digits aren&#039;t enough for all the vulnerabilities we find every year). I got my first CVEs assigned in 2007, so I have some experiences with the CVE system and they are rather mixed. Sometimes I &lt;a href=&quot;https://seclists.org/oss-sec/2015/q1/200&quot;&gt;briefly mention rather minor issues&lt;/a&gt; in a mailing list thread and &lt;a href=&quot;https://seclists.org/oss-sec/2015/q1/220&quot;&gt;a CVE gets assigned right away&lt;/a&gt;. Sometimes I &lt;a href=&quot;https://seclists.org/oss-sec/2014/q4/629&quot;&gt;explicitly ask for CVE assignments&lt;/a&gt; and never get an answer.&lt;br /&gt;
&lt;br /&gt;
I would like to see us just assign CVEs for everything that even remotely looks like a security vulnerability. However right now I think the process is too unreliable to deliver that. There are other public vulnerability databases like OSVDB; I have limited experience with them, so I can&#039;t judge if they&#039;d be better suited. Unfortunately sometimes people hesitate to request CVE ids because others &lt;a href=&quot;https://www.blackhat.com/us-13/briefings.html#Martin&quot;&gt;abuse the CVE system to count assigned CVEs&lt;/a&gt; and use this as a metric for how secure a product is. Such bad statistics are outright dangerous, because they give people an incentive to downplay vulnerabilities or withhold information about them.&lt;br /&gt;
&lt;br /&gt;
&lt;i&gt;This post was partly inspired by &lt;a href=&quot;https://seclists.org/oss-sec/2015/q1/337&quot;&gt;some&lt;/a&gt; &lt;a href=&quot;https://seclists.org/oss-sec/2015/q1/339&quot;&gt;discussions&lt;/a&gt; on oss-security&lt;/i&gt; 
    </content:encoded>

    <pubDate>Fri, 30 Jan 2015 00:52:00 +0100</pubDate>
    <guid isPermaLink="false">https://blog.hboeck.de/archives/864-guid.html</guid>
    <category>chromium</category>
<category>cve</category>
<category>debian</category>
<category>firefox</category>
<category>freesoftware</category>
<category>ghost</category>
<category>glibc</category>
<category>linux</category>
<category>php</category>
<category>redhat</category>
<category>security</category>
<category>vulnerability</category>

</item>
<item>
    <title>How to stop Bleeding Hearts and Shocking Shells</title>
    <link>https://blog.hboeck.de/archives/857-How-to-stop-Bleeding-Hearts-and-Shocking-Shells.html</link>
            <category>English</category>
            <category>Gentoo</category>
            <category>Linux</category>
            <category>Security</category>
    
    <comments>https://blog.hboeck.de/archives/857-How-to-stop-Bleeding-Hearts-and-Shocking-Shells.html#comments</comments>
    <wfw:comment>https://blog.hboeck.de/wfwcomment.php?cid=857</wfw:comment>

    <slash:comments>10</slash:comments>
    <wfw:commentRss>https://blog.hboeck.de/rss.php?version=2.0&amp;type=comments&amp;cid=857</wfw:commentRss>
    

    <author>nospam@example.com (Hanno Böck)</author>
    <content:encoded>
&lt;!-- s9ymdb:415 --&gt;&lt;img class=&quot;serendipity_image_right&quot; width=&quot;341&quot; height=&quot;413&quot;  src=&quot;https://blog.hboeck.de/uploads/heartbleed.png&quot;  alt=&quot;Heartbleed logo&quot; /&gt;The free software community was recently shattered by two security bugs called Heartbleed and Shellshock. While technically these bugs were quite different, I think they still share a lot.&lt;img src=&quot;https://ssl-vg03.met.vgwort.de/na/94a23b9471f64b66a68e7fdf562983d5&quot; width=&quot;1&quot; height=&quot;1&quot; alt=&quot;&quot;/&gt;&lt;br /&gt;
&lt;br /&gt;
Heartbleed hit the news in April this year: a bug in OpenSSL that allowed attackers to extract the private keys of encrypted connections. When a bug in Bash called Shellshock hit the news I was at first hesitant to call it bigger than Heartbleed. But now I am pretty sure it is. While Heartbleed was big, there were some things that alleviated the impact. It took some days until people found out how to practically extract private keys - and it still wasn&#039;t fast. And the most likely attack scenario - stealing a private key and pulling off a Man-in-the-Middle attack - seemed like something that&#039;d still pose some difficulties to an attacker. It seemed that people who update their systems quickly (like me) weren&#039;t in any real danger.&lt;br /&gt;
&lt;br /&gt;
Shellshock was different. It&#039;s astonishingly simple to use and real attacks started hours after it became public. If circumstances had been unfortunate there would&#039;ve been a very real chance that my own servers could&#039;ve been hit by it. I usually feel the IT stuff under my responsibility is pretty safe, so things like this scare me.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;What OpenSSL and Bash have in common&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
Shortly after Heartbleed something became very obvious: The OpenSSL project wasn&#039;t in good shape. The software that pretty much everyone on the Internet uses to do encryption was run by a small number of underpaid people. People trying to contribute and submit patches were often ignored (I know that, I &lt;a href=&quot;https://rt.openssl.org/Ticket/Display.html?id=2640&amp;amp;user=guest&amp;amp;pass=guest&quot;&gt;tried it&lt;/a&gt;). The truth about Bash looks even grimmer: It&#039;s a project mostly run by a single volunteer. And yet almost every large Internet company out there uses it. Apple installs it on every laptop. OpenSSL and Bash are crucial pieces of software and run on the majority of the servers that run the Internet. Yet they are very small projects backed by few people. Besides, they are both quite old; you&#039;ll find tons of legacy code in them written more than a decade ago.&lt;br /&gt;
&lt;br /&gt;
People like to rant about the code quality of software like OpenSSL and Bash. However I am not that concerned about these two projects. This is the upside of events like these: OpenSSL is probably more secure than it ever was and after the dust settles Bash will be a better piece of software. If you want to ask yourself where the next Heartbleed/Shellshock-like bug will happen, ask this: What projects are there that are installed on almost every Linux system out there? And how many of them have a healthy community and received a good security audit lately?&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Software installed on almost any Linux system&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
Let me propose a little experiment: Take your favorite Linux distribution, make a minimal installation without anything extra and look at what&#039;s installed. These are the software projects you should worry about. To make things easier I did this for you. I took my own system of choice, Gentoo Linux, but the results wouldn&#039;t be very different on other distributions. The results are at the bottom of this text. (I removed everything Gentoo-specific.) I admit this is oversimplifying things. Some of these provide more attack surface than others; we should probably worry more about the ones that are directly involved in providing network services.&lt;br /&gt;
&lt;br /&gt;
After Heartbleed some people already asked questions like these. How could it happen that a project so essential to IT security is so underfunded? Some large companies acted and the result is the &lt;a href=&quot;http://www.linuxfoundation.org/programs/core-infrastructure-initiative&quot;&gt;Core Infrastructure Initiative&lt;/a&gt; by the Linux Foundation, which has already helped improve OpenSSL development. This is a great start and an example of an initiative of which we should have more. We should ask the large IT companies who are not part of that initiative what they are doing to improve overall Internet security.&lt;br /&gt;
&lt;br /&gt;
Just to put this into perspective: A thorough security audit of a project like Bash would probably require a five figure number of dollars. For a small, volunteer driven project this is huge. For a company like Apple - the one that installed Bash on all their laptops - it&#039;s nearly nothing.&lt;br /&gt;
&lt;br /&gt;
There&#039;s another recent development I find noteworthy. Google started &lt;a href=&quot;http://googleprojectzero.blogspot.de/&quot;&gt;Project Zero&lt;/a&gt; where they hired some of the brightest minds in IT security and gave them a single job: Search for security bugs. Not in Google&#039;s own software. In every piece of software out there. This is not merely an altruistic project. It makes sense for Google. They want the web to be a safer place - because the web is where they earn their money. I like that approach a lot and I have only one question to ask about it: Why doesn&#039;t every large IT company have a Project Zero?&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Sparking interest&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
There&#039;s another aspect I want to talk about. After Heartbleed people started having a closer look at OpenSSL and found a number of small and one other &lt;a href=&quot;http://ccsinjection.lepidum.co.jp/&quot;&gt;quite severe issue&lt;/a&gt;. After Bash people instantly found more issues in the function parser and we now have six CVEs for Shellshock and friends. When a piece of software is affected by a severe security bug people start to look for more. I wonder what it&#039;d take to have people looking at the projects that aren&#039;t in the spotlight.&lt;br /&gt;
&lt;br /&gt;
I was brainstorming if we could have something like a &quot;free software audit action day&quot;. A regular call where an important but neglected project is chosen and the security community is asked to have a look at it. This is just a vague idea for now, if you like it please leave a comment.&lt;br /&gt;
&lt;br /&gt;
That&#039;s it. I refrain from having discussions whether bugs like Heartbleed or Shellshock disprove the &quot;many eyes&quot;-principle that free software advocates like to cite, because I think these discussions are a pointless waste of time. I&#039;d like to discuss how to improve things. Let&#039;s start.&lt;br /&gt;
&lt;br /&gt;
&lt;i&gt;Here&#039;s the promised list of Gentoo packages in the standard installation:&lt;br /&gt;
&lt;br /&gt;
bzip2&lt;br /&gt;
gzip&lt;br /&gt;
tar&lt;br /&gt;
unzip&lt;br /&gt;
xz-utils&lt;br /&gt;
nano&lt;br /&gt;
ca-certificates&lt;br /&gt;
mime-types&lt;br /&gt;
pax-utils&lt;br /&gt;
bash&lt;br /&gt;
build-docbook-catalog&lt;br /&gt;
docbook-xml-dtd&lt;br /&gt;
docbook-xsl-stylesheets&lt;br /&gt;
openjade&lt;br /&gt;
opensp&lt;br /&gt;
po4a&lt;br /&gt;
sgml-common&lt;br /&gt;
perl&lt;br /&gt;
python&lt;br /&gt;
elfutils&lt;br /&gt;
expat&lt;br /&gt;
glib&lt;br /&gt;
gmp&lt;br /&gt;
libffi&lt;br /&gt;
libgcrypt&lt;br /&gt;
libgpg-error&lt;br /&gt;
libpcre&lt;br /&gt;
libpipeline&lt;br /&gt;
libxml2&lt;br /&gt;
libxslt&lt;br /&gt;
mpc&lt;br /&gt;
mpfr&lt;br /&gt;
openssl&lt;br /&gt;
popt&lt;br /&gt;
Locale-gettext&lt;br /&gt;
SGMLSpm&lt;br /&gt;
TermReadKey&lt;br /&gt;
Text-CharWidth&lt;br /&gt;
Text-WrapI18N&lt;br /&gt;
XML-Parser&lt;br /&gt;
gperf&lt;br /&gt;
gtk-doc-am&lt;br /&gt;
intltool&lt;br /&gt;
pkgconfig&lt;br /&gt;
iputils&lt;br /&gt;
netifrc&lt;br /&gt;
openssh&lt;br /&gt;
rsync&lt;br /&gt;
wget&lt;br /&gt;
acl&lt;br /&gt;
attr&lt;br /&gt;
baselayout&lt;br /&gt;
busybox&lt;br /&gt;
coreutils&lt;br /&gt;
debianutils&lt;br /&gt;
diffutils&lt;br /&gt;
file&lt;br /&gt;
findutils&lt;br /&gt;
gawk&lt;br /&gt;
grep&lt;br /&gt;
groff&lt;br /&gt;
help2man&lt;br /&gt;
hwids&lt;br /&gt;
kbd&lt;br /&gt;
kmod&lt;br /&gt;
less&lt;br /&gt;
man-db&lt;br /&gt;
man-pages&lt;br /&gt;
man-pages-posix&lt;br /&gt;
net-tools&lt;br /&gt;
sed&lt;br /&gt;
shadow&lt;br /&gt;
sysvinit&lt;br /&gt;
tcp-wrappers&lt;br /&gt;
texinfo&lt;br /&gt;
util-linux&lt;br /&gt;
which&lt;br /&gt;
pambase&lt;br /&gt;
autoconf&lt;br /&gt;
automake&lt;br /&gt;
binutils&lt;br /&gt;
bison&lt;br /&gt;
flex&lt;br /&gt;
gcc&lt;br /&gt;
gettext&lt;br /&gt;
gnuconfig&lt;br /&gt;
libtool&lt;br /&gt;
m4&lt;br /&gt;
make&lt;br /&gt;
patch&lt;br /&gt;
e2fsprogs&lt;br /&gt;
udev&lt;br /&gt;
linux-headers&lt;br /&gt;
cracklib&lt;br /&gt;
db&lt;br /&gt;
e2fsprogs-libs&lt;br /&gt;
gdbm&lt;br /&gt;
glibc&lt;br /&gt;
libcap&lt;br /&gt;
ncurses&lt;br /&gt;
pam&lt;br /&gt;
readline&lt;br /&gt;
timezone-data&lt;br /&gt;
zlib&lt;br /&gt;
procps&lt;br /&gt;
psmisc&lt;br /&gt;
shared-mime-info&lt;/i&gt; 
    </content:encoded>

    <pubDate>Mon, 06 Oct 2014 23:35:00 +0200</pubDate>
    <guid isPermaLink="false">https://blog.hboeck.de/archives/857-guid.html</guid>
    <category>bash</category>
<category>freesoftware</category>
<category>heartbleed</category>
<category>linux</category>
<category>openssl</category>
<category>security</category>
<category>shellshock</category>
<category>vulnerability</category>

</item>
<item>
    <title>Extract base64-encoded images from CSS</title>
    <link>https://blog.hboeck.de/archives/842-Extract-base64-encoded-images-from-CSS.html</link>
            <category>Code</category>
            <category>English</category>
            <category>Linux</category>
            <category>Webdesign</category>
    
    <comments>https://blog.hboeck.de/archives/842-Extract-base64-encoded-images-from-CSS.html#comments</comments>
    <wfw:comment>https://blog.hboeck.de/wfwcomment.php?cid=842</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>https://blog.hboeck.de/rss.php?version=2.0&amp;type=comments&amp;cid=842</wfw:commentRss>
    

    <author>nospam@example.com (Hanno Böck)</author>
    <content:encoded>
I recently stumbled upon a webpage from which I wanted to extract an image. However, after saving the page with my browser I couldn&#039;t find any JPG or PNG file. After looking into this, I saw some CSS code that looked like this:&lt;br /&gt;
&lt;br /&gt;
&lt;span style=&quot;word-break: break-all;font-family:monospace;&quot;&gt;background-image:url(&quot;data:image/jpeg;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgAQAAAABbAUdZAAAAE0lEQVR4AWNgYPj/n4oElU1jAADtvT/BfzVwSgAAAABJRU5ErkJggg==&quot;);&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
What this does is embed a base64-encoded image file directly into the CSS. I found some tools to create such images, but none to extract them. It isn&#039;t very hard to extract such an image, so I wrote a small bash script that does it and that I&#039;d like to share:&lt;br /&gt;
&lt;pre&gt;#!/bin/sh&lt;br/&gt;# Extract every base64-encoded data: URI from the given HTML/CSS files&lt;br/&gt;# and write each one to file_1, file_2, ...&lt;br/&gt;n=1&lt;br/&gt;for i in $(grep -ho &quot;base64,[A-Za-z0-9+/=]*&quot; &quot;$@&quot; | sed -e &quot;s:base64,::g&quot;); do&lt;br/&gt;    printf &#039;%s\n&#039; &quot;$i&quot; | base64 -d &amp;gt; &quot;file_$n&quot;&lt;br/&gt;    n=$((n + 1))&lt;br/&gt;done&lt;/pre&gt;Save this as css2base64 and pass HTML or CSS files on the command line (e. g. css2base64 test.html test.css).&lt;br /&gt;
&lt;br /&gt;
Hope this helps others. If this script is copyrightable at all (which I doubt), I hereby release it (like the other content of my blog) as CC0 / Public Domain. 
    </content:encoded>

    <pubDate>Wed, 26 Mar 2014 14:32:06 +0100</pubDate>
    <guid isPermaLink="false">https://blog.hboeck.de/archives/842-guid.html</guid>
    <category>base64</category>
<category>bash</category>
<category>css</category>
<category>freesoftware</category>
<category>script</category>
<category>web</category>

</item>
<item>
    <title>Free rar unpacking code</title>
    <link>https://blog.hboeck.de/archives/794-Free-rar-unpacking-code.html</link>
            <category>Copyright</category>
            <category>English</category>
            <category>Gentoo</category>
            <category>Linux</category>
    
    <comments>https://blog.hboeck.de/archives/794-Free-rar-unpacking-code.html#comments</comments>
    <wfw:comment>https://blog.hboeck.de/wfwcomment.php?cid=794</wfw:comment>

    <slash:comments>10</slash:comments>
    <wfw:commentRss>https://blog.hboeck.de/rss.php?version=2.0&amp;type=comments&amp;cid=794</wfw:commentRss>
    

    <author>nospam@example.com (Hanno Böck)</author>
    <content:encoded>
One of the few pieces of non-free software I always needed on my system is a rar unpacker. Although there are very good free alternatives for high-compression archivers like &lt;a href=&quot;http://www.7-zip.org/&quot;&gt;7-zip&lt;/a&gt; or &lt;a href=&quot;http://tukaani.org/xz/&quot;&gt;tar.xz&lt;/a&gt;, many people seem to like relying on a proprietary format like rar, and it&#039;s in widespread use.&lt;br /&gt;
&lt;br /&gt;
Years ago, someone came up with a &lt;a href=&quot;http://hboeck.de/archives/22-Free-Software.html&quot;&gt;GPLed rar unpacker&lt;/a&gt;, but sadly, it was never updated to support the rar version 3 format, and its development has stalled.&lt;br /&gt;
&lt;br /&gt;
For that reason, some time back I suggested to the Free Software Foundation that they add a free rar unpacking tool to their list of high priority projects, which they did. Happily I recently read that &lt;a href=&quot;http://www.fsf.org/blogs/licensing/free-rarv3-extraction&quot;&gt;they&#039;ve removed it again&lt;/a&gt;. There&#039;s &lt;a href=&quot;http://wakaba.c3.cx/s/apps/unarchiver.html&quot;&gt;The Unarchiver&lt;/a&gt; now, based on an old Amiga library. It supports a whole bunch of formats, including rar v3. It&#039;s mainly a MacOS application, but it also provides a command line tool that can be compiled on Linux.&lt;br /&gt;
&lt;br /&gt;
It needs Objective-C and the gnustep-base libraries, and it took me some time to get it to compile properly. For the Gentoo users: I already committed an ebuild, just run &quot;emerge unar&quot;. &lt;span style=&quot;text-decoration:line-through&quot;&gt;emerge TheUnarchiver&lt;/span&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Update:&lt;/b&gt; Changed ebuild name to unar, as that&#039;s the name upstream uses for the command line version now. 
    </content:encoded>

    <pubDate>Sat, 08 Oct 2011 20:03:10 +0200</pubDate>
    <guid isPermaLink="false">https://blog.hboeck.de/archives/794-guid.html</guid>
    <category>compression</category>
<category>freesoftware</category>
<category>linux</category>
<category>rar</category>
<category>theunarchiver</category>
<category>unar</category>

</item>
<item>
    <title>The sad state of the Linux Desktop</title>
    <link>https://blog.hboeck.de/archives/787-The-sad-state-of-the-Linux-Desktop.html</link>
            <category>English</category>
            <category>Gentoo</category>
            <category>Linux</category>
    
    <comments>https://blog.hboeck.de/archives/787-The-sad-state-of-the-Linux-Desktop.html#comments</comments>
    <wfw:comment>https://blog.hboeck.de/wfwcomment.php?cid=787</wfw:comment>

    <slash:comments>57</slash:comments>
    <wfw:commentRss>https://blog.hboeck.de/rss.php?version=2.0&amp;type=comments&amp;cid=787</wfw:commentRss>
    

    <author>nospam@example.com (Hanno Böck)</author>
    <content:encoded>
&lt;img class=&quot;serendipity_image_right&quot; width=&quot;300&quot; height=&quot;353&quot;  src=&quot;https://blog.hboeck.de/uploads/tux.png&quot;  alt=&quot;Tux&quot; /&gt;Some days ago it was reported that Microsoft declared it considers &lt;a href=&quot;http://www.zdnet.com/blog/bott/microsoft-declares-victory-over-linux-names-apple-and-google-main-rivals/3756&quot;&gt;Linux on the desktop no longer a threat&lt;/a&gt; for its business. Now I usually wouldn&#039;t care that much what Microsoft is saying, but in this case, I think, they&#039;re very right – and therefore I wonder why this hasn&#039;t raised any discussions in the free software community (at least I haven&#039;t seen one – if it has and I missed it, please provide links in the comments). So I&#039;d like to make a start.&lt;br /&gt;
&lt;br /&gt;
I can remember that a few years ago I was pretty optimistic about a Linux-based Desktop (and I think many shared my views). With advantages like being able to provide a large number of high quality applications for free and having proven to be much more resilient against security threats, it seemed just a matter of time. I had the impression that development was often going in the right direction; to name one example, freedesktop.org was just starting to try to unify the different Linux desktop environments and make standards so KDE applications work better under GNOME and vice versa.&lt;br /&gt;
&lt;br /&gt;
Today, my impression is that everything is in a pretty sad state. Don&#039;t get me wrong: Free software plays an important role on Desktops – and that&#039;s really good. Major web browsers are based on free software, applications like VLC are very successful. But the basis – the operating system – is usually a non-free one.&lt;br /&gt;
&lt;br /&gt;
I was recently looking for netbooks. Some years ago, Asus came out with the Eee PC, a small and cheap laptop which ran Linux by default – one year later they provided a version with Windows as an alternative. Today, you won&#039;t find a single netbook with Linux as the default OS. I have read more often than not in recent years that public authorities &lt;a href=&quot;http://www.golem.de/1105/83460.html&quot;&gt;trying to get along with Linux have failed&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
I think I made my point: the Linux Desktop is in a sad state – I&#039;d like to discuss why this is the case and how we (the free software community) can change it. I won&#039;t claim that I have the definitive answer for the cause. I think it&#039;s a mix of things; I&#039;d like to start with some points:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Some people seem to see Desktop environments more as a playground for creative ideas than something other people want to use on a daily basis in a stable way. This is pretty much true for KDE 4 – the KDE team abandoned a well-working Desktop environment, KDE 3.5, for something that isn&#039;t stable even today and suffers from a lot of regressions. They permanently invent new things like Akonadi and make them mandatory even for people who don&#039;t care about them – I seriously don&#039;t have an idea what it does, except throwing strange error messages at me. I switched to GNOME, but what I heard about GNOME 3 doesn&#039;t make me feel that it&#039;s much better there (I haven&#039;t tested it yet and I hope that, unlike the KDE team, GNOME learns from that and supports 2.x until version 3 is in a state working equally well). I think Ubuntu&#039;s playing with the Unity Desktop goes in the same direction: We found something cool, we&#039;ll use it, we don&#039;t care that we&#039;ll piss off a bunch of our users. In contrast to that, I have the impression that what I named above – the idea that we can integrate different desktop environments better by standards – isn&#039;t seen as important as it used to be. (I know this part may provoke flames, I hope this won&#039;t hide the other points I made)&lt;/li&gt;&lt;li&gt;The driver problem. I still find it to be one of the biggest obstacles and it hasn&#039;t changed a bit for years. You just can&#039;t buy a piece of hardware and use it. It usually is “somehow possible”, but the default is that it requires a lot of extra geeky work that the average user will never manage. I think there&#039;s no easy solution to that, as it would require cooperation from hardware vendors (and with the diminishing importance of the Linux Desktop this is likely getting harder). But a lot of things are also self-made. 
In 2006, Eric Raymond wrote an essay about &lt;a href=&quot;http://catb.org/~esr/writings/cups-horror.html&quot;&gt;how crappy CUPS is&lt;/a&gt; – I think it hasn&#039;t improved since then. How often have I read Ubuntu bug reports that go like this: “My printer worked in version [last version], but it doesn&#039;t work in [current version]” - “Me too.” - “Me too.” - “Me too” - no reply from any developer. One point that this shares with the one above is caring about regressions, which I think should be a top priority, but obviously, many in the free software community don&#039;t seem to think so. (if you don&#039;t know the word: something is called a regression if it worked in an older version of a software, but no longer works in the current version)&lt;/li&gt;&lt;li&gt;The market around us has changed. Back then, we were faced with a “Windows or nothing” situation we wanted to change to a “Windows or Linux” situation. Today, we&#039;re faced with “Windows or MacOS X”. Sure, MacOS existed back then, but it only got a relevant market share in recent years (and many current or former free software developers use MacOS X now). Competition makes products better, so Windows today is not Windows back then. Our competitors just got better.&lt;/li&gt;&lt;li&gt;The desktop is losing share. This is a point often made, with mobile phones, tablets, gaming consoles and other devices taking over tasks that were done with desktop computers in the past. This is certainly true to some degree, but I think it&#039;s also often overestimated. Desktop computers still play an important role and I&#039;m sure they will continue to do so for a long time. The discussion of how free software performs on other devices (and how free Android is) is an interesting one, too, but I won&#039;t go into it for now, as I want to talk about the Desktop here.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;
Okay, I&#039;ve started the discussion, I&#039;d like others to join. Please remember: It&#039;s not my goal to flame or to blame anyone – my goal is to discuss how we can make the Linux desktop successful again. 
    </content:encoded>

    <pubDate>Sun, 21 Aug 2011 21:30:02 +0200</pubDate>
    <guid isPermaLink="false">https://blog.hboeck.de/archives/787-guid.html</guid>
    <category>desktop</category>
<category>freesoftware</category>
<category>gnome</category>
<category>kde</category>
<category>linux</category>
<category>microsoft</category>

</item>
<item>
    <title>Welcome to Fake Disneyland</title>
    <link>https://blog.hboeck.de/archives/778-Welcome-to-Fake-Disneyland.html</link>
            <category>Copyright</category>
            <category>English</category>
            <category>Life</category>
    
    <comments>https://blog.hboeck.de/archives/778-Welcome-to-Fake-Disneyland.html#comments</comments>
    <wfw:comment>https://blog.hboeck.de/wfwcomment.php?cid=778</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>https://blog.hboeck.de/rss.php?version=2.0&amp;type=comments&amp;cid=778</wfw:commentRss>
    

    <author>nospam@example.com (Hanno Böck)</author>
    <content:encoded>
&lt;img class=&quot;serendipity_image_right&quot; width=&quot;225&quot; height=&quot;300&quot;  src=&quot;https://blog.hboeck.de/uploads/beijing-amusement-cinderella.serendipityThumb.jpg&quot;  alt=&quot;Cinderella castle&quot; /&gt;Maybe you&#039;ve heard that some years ago, a story about a fake Disneyland amusement park in China made the rounds in the media. As I love good fakes, I obviously had to take a look. The amusement park in question is &lt;a href=&quot;http://www.bjsjsyly.com/en/lyzl.php&quot;&gt;Shijingshan Amusement Park ( 北京石景山游乐园)&lt;/a&gt; and is located in Beijing. It can easily be reached, as it has its own metro station.&lt;br /&gt;
&lt;br /&gt;
&lt;img class=&quot;serendipity_image_left&quot; width=&quot;225&quot; height=&quot;300&quot;  src=&quot;https://blog.hboeck.de/uploads/beijing-mickeymouse.serendipityThumb.jpg&quot;  alt=&quot;Fake Mickey&quot; /&gt;The park had the advertisement slogan &quot;Disneyland is too far to go&quot; some years ago, and some images of Mickey Mouse and other Disney figures in the park boosted the story (see &lt;a href=&quot;https://en.wikipedia.org/wiki/Beijing_Shijingshan_Amusement_Park&quot;&gt;Wikipedia for details&lt;/a&gt;). Also, like all Disneylands, the park has a Cinderella castle. It seems in the meantime things have changed - we didn&#039;t see any Disney characters there. The only thing that still reminds of the story is the Cinderella castle - but as much as Disney&#039;s lawyers might want this, Cinderella is not a Disney invention after all.&lt;br /&gt;
I even found a fake Mickey Mouse (at least I think it was fake, it looked somehow wrong) in Beijing, but it was not in the amusement park, it was in the olympic village.&lt;br /&gt;
&lt;br /&gt;
&lt;img class=&quot;serendipity_image_right&quot; width=&quot;300&quot; height=&quot;225&quot;  src=&quot;https://blog.hboeck.de/uploads/beijing-amusement-colorful.jpg&quot;  alt=&quot;Good part&quot; /&gt;The story of a fake Disneyland seems highly exaggerated. The Cinderella castle is probably no issue at all, as I doubt there&#039;s anything that makes it a special &quot;Disney Cinderella&quot;. I&#039;m not sure if there was a copyright violation at all: The fake Mickey Mouse and other figures in combination with the slogan could probably be considered parody - which is legally allowed in most of the world&#039;s copyright laws.&lt;br /&gt;
&lt;br /&gt;
&lt;img class=&quot;serendipity_image_left&quot; width=&quot;300&quot; height=&quot;225&quot;  src=&quot;https://blog.hboeck.de/uploads/beijing-amusement-broken-way.jpg&quot;  alt=&quot;Bad part&quot; /&gt;The park itself was kind of weird. Large parts of it were in really bad shape. Some looked like a construction site, many parts were not operational. On the other hand, other parts of it were really well-designed. One could hardly imagine that this was the same park.&lt;br /&gt;
&lt;br /&gt;
&lt;img class=&quot;serendipity_image_right&quot; width=&quot;225&quot; height=&quot;300&quot;  src=&quot;https://blog.hboeck.de/uploads/beijing-amusement-stepmania.serendipityThumb.jpg&quot;  alt=&quot;&quot; /&gt;A nice thing to mention: They had a Dance Dance Revolution-like arcade machine - but the game on it was &lt;a href=&quot;https://www.stepmania.com/&quot;&gt;StepMania&lt;/a&gt; - a free software game. I think this is the first time I saw a free software game on an arcade machine.&lt;br /&gt;
&lt;br /&gt;
Unlike most European amusement parks, the pricing concept here is different: the entrance fee costs almost nothing (10 Yuan, approximately 1 €), but you pay for every ride.&lt;br /&gt;
&lt;br /&gt;
&lt;a href=&quot;https://pictures.hboeck.de/asiatrip2011/beijing-amusement/&quot;&gt;Pictures from the park&lt;/a&gt; 
    </content:encoded>

    <pubDate>Sun, 10 Jul 2011 21:52:11 +0200</pubDate>
    <guid isPermaLink="false">https://blog.hboeck.de/archives/778-guid.html</guid>
    <category>amusementpark</category>
<category>asia</category>
<category>beijing</category>
<category>china</category>
<category>cinderella</category>
<category>copyright</category>
<category>disney</category>
<category>disneyland</category>
<category>fake</category>
<category>freesoftware</category>
<category>shijingshan</category>
<category>stepmania</category>
<category>travel</category>
<category>trip2011</category>

</item>
<item>
    <title>Notes from talk about GSM and free software</title>
    <link>https://blog.hboeck.de/archives/748-Notes-from-talk-about-GSM-and-free-software.html</link>
            <category>Computer culture</category>
            <category>Cryptography</category>
            <category>English</category>
            <category>Linux</category>
            <category>Security</category>
    
    <comments>https://blog.hboeck.de/archives/748-Notes-from-talk-about-GSM-and-free-software.html#comments</comments>
    <wfw:comment>https://blog.hboeck.de/wfwcomment.php?cid=748</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>https://blog.hboeck.de/rss.php?version=2.0&amp;type=comments&amp;cid=748</wfw:commentRss>
    

    <author>nospam@example.com (Hanno Böck)</author>
    <content:encoded>
    Yesterday I was at a talk at the &lt;a href=&quot;http://www.fsfe.org/&quot;&gt;FSFE&lt;/a&gt; Berlin about free software and GSM. It was an interesting talk and discussion.&lt;br /&gt;
Probably most of you know that GSM is the protocol that keeps the large majority of mobile phones running. In the past, only a handful of companies worked with the protocol and, according to the talk, even most mobile phone companies don&#039;t know much about the internal details, as they usually buy ready-made chips.&lt;br /&gt;
Three free software projects work on GSM, &lt;a href=&quot;http://openbts.sourceforge.net/&quot;&gt;OpenBTS&lt;/a&gt; and &lt;a href=&quot;http://openbsc.osmocom.org/&quot;&gt;OpenBSC&lt;/a&gt; on the server side and &lt;a href=&quot;http://osmocom.org/&quot;&gt;OsmocomBB&lt;/a&gt; on the client side. What I didn&#039;t know yet and think is really remarkable: The &lt;a href=&quot;http://openbts.sourceforge.net/NiuePilot/&quot;&gt;Island State of Niue installed a GSM-network based on OpenBTS&lt;/a&gt;. The island found no commercial operator, so they installed a free software based and community supported GSM network.&lt;br /&gt;
&lt;br /&gt;
Afterwards, we had a longer discussion about the security and privacy implications of GSM. To sum it up, GSM is horribly broken on the security side. It offers no authentication between phones and cells. Also, its encryption has been broken since the early 90s. There has not been much progress in protocol improvements although this has been known for a very long time. It&#039;s also well known that so-called IMSI-catchers are sold illegally for a few thousand dollars. The only reason GSM is still working at all is basically that those possibilities still cost a few thousand dollars. But cheaper hardware and improvements in free GSM software make it more likely that those possibilities will have a greater impact in the future (this is only a brief summary and I&#039;m not really into that topic, &lt;a href=&quot;http://en.wikipedia.org/wiki/COMP128#GSM_service_security&quot;&gt;see Wikipedia for some starting points for more info&lt;/a&gt;).&lt;br /&gt;
&lt;br /&gt;
There was a bit of discussion about the question of how realistic it is that some &quot;normal user&quot; is threatened by this, given the price of a few thousand dollars for the equipment. I didn&#039;t bring this up in the discussion any more, but I remember having seen a talk by a guy from Intel saying that the tendency is to design generic chips for various protocols that can be GSM, Bluetooth or WLAN purely by software control. That raises the question of protocol security even more, as it might already be possible to use mainstream computer hardware to do mobile phone wiretapping by just replacing the firmware of a wireless LAN card. It almost certainly will be possible within some years.&lt;br /&gt;
&lt;br /&gt;
Another topic that was raised was frequency regulation. Even with free software you wouldn&#039;t be able to operate your own GSM network, because you couldn&#039;t afford to buy a frequency (although it seems to be possible to get a testing license for a limited space, e. g. for technical workshops - the &lt;a href=&quot;http://www.mail-archive.com/openbsc@lists.gnumonks.org/msg00376.html&quot;&gt;27C3 will have a GSM test network&lt;/a&gt;). I mentioned that there&#039;s a chapter on this in the book &quot;Code&quot; by Lawrence Lessig (available in an updated version &lt;a href=&quot;http://codev2.cc/&quot;&gt;here&lt;/a&gt;; the chapter is &quot;The Regulators of Speech: Distribution&quot; and starts on page 270 in the PDF). Lessig&#039;s thoughts are that frequency regulation was necessary in the beginning of radio technology, but today, it would be easily possible to design protocols that don&#039;t need regulation - they could be self-regulating, e. g. with a prefix in front of every data packet (the way wireless LAN works). But the problem with that is that today, frequency usage generates large income for the state - that&#039;s completely against the original idea of it, as its primary purpose was to keep the technology usable. 
    </content:encoded>

    <pubDate>Fri, 10 Dec 2010 22:35:59 +0100</pubDate>
    <guid isPermaLink="false">https://blog.hboeck.de/archives/748-guid.html</guid>
    <category>27c3</category>
<category>berlin</category>
<category>cellular</category>
<category>freesoftware</category>
<category>frequency</category>
<category>fsfe</category>
<category>gsm</category>
<category>lessig</category>
<category>mobilephones</category>
<category>openbsc</category>
<category>openbts</category>
<category>osmocombb</category>
<category>privacy</category>
<category>security</category>
<category>wiretapping</category>

</item>
<item>
    <title>BIOS update by extracting HD image from ISO</title>
    <link>https://blog.hboeck.de/archives/726-BIOS-update-by-extracting-HD-image-from-ISO.html</link>
            <category>English</category>
            <category>Gentoo</category>
            <category>Linux</category>
    
    <comments>https://blog.hboeck.de/archives/726-BIOS-update-by-extracting-HD-image-from-ISO.html#comments</comments>
    <wfw:comment>https://blog.hboeck.de/wfwcomment.php?cid=726</wfw:comment>

    <slash:comments>8</slash:comments>
    <wfw:commentRss>https://blog.hboeck.de/rss.php?version=2.0&amp;type=comments&amp;cid=726</wfw:commentRss>
    

    <author>nospam@example.com (Hanno Böck)</author>
    <content:encoded>
Today I faced an interesting Linux problem that made me learn a couple of things I&#039;d like to share. We found an issue on a Thinkpad X301 notebook that was fixed in a newer BIOS version, so we wanted to do a BIOS update. Lenovo provides BIOS updates either for Windows or as bootable ISO CD images. But the device had no CD drive and only Linux installed. First we tried &lt;a href=&quot;http://unetbootin.sourceforge.net/&quot;&gt;unetbootin&lt;/a&gt;, a tool to create bootable USB sticks out of ISO images. That didn&#039;t work.&lt;br /&gt;
So I had a deeper look at the ISO. What puzzled me was that when mounting it as a loopback device, there were no files on it. After some research I learned that there are different ways to create bootable CDs, and one of them is the El Torito extension. It places an image of a hard disk on the CD; when booting, the image is loaded into memory and an OS can be executed (this probably only works for quite simple OSes like DOS; the Lenovo BIOS upgrade disk is based on PC-DOS). There&#039;s a small Perl script called &lt;a href=&quot;http://userpages.uni-koblenz.de/~krienke/ftp/noarch/geteltorito&quot;&gt;geteltorito&lt;/a&gt; that is able to extract such images from ISO files.&lt;br /&gt;
It&#039;s possible to boot such hard disk images with grub and &lt;a href=&quot;http://syslinux.zytor.com/wiki/index.php/MEMDISK&quot;&gt;memdisk&lt;/a&gt; (part of syslinux). Install syslinux, place the file memdisk into /boot (it is found in /usr/lib/syslinux/ or /usr/share/syslinux/) and add something like this to your grub config:&lt;br /&gt;
&lt;div class=&quot;box&quot;&gt;title HD Image&lt;br /&gt;
root (hd0,0)&lt;br /&gt;
kernel /boot/memdisk&lt;br /&gt;
initrd /boot/image.img&lt;/div&gt;&lt;br /&gt;
Or for grub2:&lt;br /&gt;
&lt;div class=&quot;box&quot;&gt;menuentry &quot;HD Image&quot; {&lt;br /&gt;
set root=(hd0,2)&lt;br /&gt;
linux16 /boot/memdisk&lt;br /&gt;
initrd16 /boot/hdimage.img&lt;br /&gt;
}&lt;/div&gt;&lt;br /&gt;
Now you can select the new entry in your boot menu and it should boot the BIOS upgrade utility.&lt;br /&gt;
&lt;br /&gt;
(Note that this does not work for all Lenovo BIOS updates, only for those using an El Torito hard disk image. You can mount your ISO with &lt;b&gt;mount -o loop [path_to_iso] [mount_path]&lt;/b&gt; to check; if there are any files on it, this method is not for you.) 
    </content:encoded>

    <pubDate>Thu, 14 Jan 2010 21:16:17 +0100</pubDate>
    <guid isPermaLink="false">https://blog.hboeck.de/archives/726-guid.html</guid>
    <category>bios</category>
<category>eltorito</category>
<category>freesoftware</category>
<category>grub</category>
<category>iso</category>
<category>linux</category>
<category>memdisk</category>
<category>syslinux</category>
<category>thinkpad</category>

</item>
<item>
    <title>Looking for router firmware alternatives</title>
    <link>https://blog.hboeck.de/archives/710-Looking-for-router-firmware-alternatives.html</link>
            <category>English</category>
            <category>Linux</category>
    
    <comments>https://blog.hboeck.de/archives/710-Looking-for-router-firmware-alternatives.html#comments</comments>
    <wfw:comment>https://blog.hboeck.de/wfwcomment.php?cid=710</wfw:comment>

    <slash:comments>10</slash:comments>
    <wfw:commentRss>https://blog.hboeck.de/rss.php?version=2.0&amp;type=comments&amp;cid=710</wfw:commentRss>
    

    <author>nospam@example.com (Hanno Böck)</author>
    <content:encoded>
    A couple of projects exist for alternative router firmwares. I used to work with Buffalo Routers combined with DD-WRT.&lt;br /&gt;
&lt;br /&gt;
Now DD-WRT has become quite unusable for two reasons. First, there was a Cross Site Request Forgery reported on bugtraq a while back, where one of the &lt;a href=&quot;http://seclists.org/bugtraq/2008/Dec/0139.html&quot;&gt;DD-WRT developers answered&lt;/a&gt; in a way that clearly showed he doesn&#039;t really understand what CSRF is - so already from a security point of view, DD-WRT seems to be a no-go.&lt;br /&gt;
&lt;br /&gt;
Besides, DD-WRT development is more or less stale at the moment - there are commercial spin-offs and there&#039;s been some controversy over whether everything they did was compliant with the GPL. The fact is there have been no new releases for several months - with open security bugs.&lt;br /&gt;
&lt;br /&gt;
Now I&#039;ve been looking for alternatives. What I&#039;m looking for should be&lt;ul&gt;&lt;li&gt;a ready-to-use router firmware with easy web-interface configuration from the start, not something like OpenWRT&lt;/li&gt;&lt;li&gt;free software&lt;/li&gt;&lt;li&gt;obviously, a project that handles security-reports in a sane way&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;
For now, &lt;a href=&quot;http://www.gargoyle-router.com/&quot;&gt;Gargoyle&lt;/a&gt; is the only suitable one. It doesn&#039;t officially support my hardware, but it works anyway. I haven&#039;t looked deeper into it (e. g. I didn&#039;t do any security analysis myself), but it seems to do the basic tasks. If you have suggestions for other projects, please leave a comment. 
    </content:encoded>

    <pubDate>Thu, 11 Jun 2009 14:16:44 +0200</pubDate>
    <guid isPermaLink="false">https://blog.hboeck.de/archives/710-guid.html</guid>
    <category>ddwrt</category>
<category>firmware</category>
<category>freesoftware</category>
<category>gargoyle</category>
<category>router</category>

</item>
<item>
    <title>LPI / LPIC - a short summary</title>
    <link>https://blog.hboeck.de/archives/693-LPI-LPIC-ein-kleines-Resumee.html</link>
            <category>Linux</category>
    
    <comments>https://blog.hboeck.de/archives/693-LPI-LPIC-ein-kleines-Resumee.html#comments</comments>
    <wfw:comment>https://blog.hboeck.de/wfwcomment.php?cid=693</wfw:comment>

    <slash:comments>2</slash:comments>
    <wfw:commentRss>https://blog.hboeck.de/rss.php?version=2.0&amp;type=comments&amp;cid=693</wfw:commentRss>
    

    <author>nospam@example.com (Hanno Böck)</author>
    <content:encoded>
    As I mentioned recently, I took the first LPI exam at the Chemnitzer Linux-Tage. The LPI is an institution that offers certifications for Linux skills. There are several levels; after passing the second exam I will be allowed to call myself LPIC-1.&lt;br /&gt;
&lt;br /&gt;
Of course I&#039;m not allowed to say anything about the concrete content of the exam questions (you have to sign an agreement to that effect during the exam), but I&#039;d still like to share a few general remarks.&lt;br /&gt;
&lt;br /&gt;
First, my main point of criticism: the exam covers old material, and very old at that. One question concerned specifics of a 2.0 kernel. I vaguely remember that when I was just starting to get into Linux, the release of kernel 2.4.0 was a hot topic. That is now almost 10 years ago. That was certainly the most extreme example, but it runs through several questions. Take someone who is very competent with Linux but has perhaps only been working with it for 3 years. He would simply have the problem that he has never encountered xfree86. Given the not exactly cheap price of the exam, I would have expected it to at least roughly reflect the current state of development.&lt;br /&gt;
&lt;br /&gt;
Another point of criticism, which has surely been raised often before, is the question of (non-existent) distribution neutrality. The LPI flyer explicitly advertises that the certifications are distribution-independent. To put it bluntly, that is simply a lie. It only concerns a small part of the questions (regarding rpm), which could just as well be left out; the exam would lose nothing.&lt;br /&gt;
&lt;br /&gt;
Jenseits dessen noch eine eher grundsätzliche Anmerkung: Große Teile der Prüfung beziehen sich auf das mehr oder weniger Ausweniglernen von Befehlen und Parametern. Das ist natürlich komplett realitätsfern. In jeder realen Situation, in der meine Linux-Kompetenz gefordert ist, habe ich natürlich die Möglichkeit, mir die man-Pages und Dokumentationen von Programmen anzusehen. Insofern sollte man sich klar sein, dass ein LPI-Zertifikat auch nur sehr beschränkt Auskunft darüber gibt, wie fähig man tatsächlich mit einem Linux-System umgehen kann. 
    </content:encoded>

    <pubDate>Sat, 21 Mar 2009 09:35:38 +0100</pubDate>
    <guid isPermaLink="false">https://blog.hboeck.de/archives/693-guid.html</guid>
    <category>freesoftware</category>
<category>linux</category>
<category>lpi</category>
<category>lpic</category>

</item>
<item>
    <title>Chemnitzer Linux-Tage 2009</title>
    <link>https://blog.hboeck.de/archives/691-Chemnitzer-Linux-Tage-2009.html</link>
            <category>Computer culture</category>
            <category>Life</category>
            <category>Linux</category>
    
    <comments>https://blog.hboeck.de/archives/691-Chemnitzer-Linux-Tage-2009.html#comments</comments>
    <wfw:comment>https://blog.hboeck.de/wfwcomment.php?cid=691</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>https://blog.hboeck.de/rss.php?version=2.0&amp;type=comments&amp;cid=691</wfw:commentRss>
    

    <author>nospam@example.com (Hanno Böck)</author>
    <content:encoded>
    &lt;!-- s9ymdb:248 --&gt;&lt;img class=&quot;serendipity_image_right&quot; width=&quot;300&quot; height=&quot;230&quot; style=&quot;float: right; border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;https://blog.hboeck.de/uploads/clt09.jpg&quot; alt=&quot;Chemnitzer Linux_Tage&quot; /&gt;I am once again, as in previous years, at the Chemnitzer Linux-Tage. The Linux-Tage in Chemnitz have become one of the central events of the free software community.&lt;br /&gt;
&lt;br /&gt;
Tomorrow I will try an LPI exam for the first time. I have hardly prepared and am curious whether it can be passed like that. If it does not work out, I may get the relevant literature and try again.&lt;br /&gt;
&lt;br /&gt;
Pictures are here: &lt;a href=&quot;https://pictures.hboeck.de/clt2009/&quot;&gt;https://pictures.hboeck.de/clt2009/&lt;/a&gt; 
    </content:encoded>

    <pubDate>Sat, 14 Mar 2009 18:40:32 +0100</pubDate>
    <guid isPermaLink="false">https://blog.hboeck.de/archives/691-guid.html</guid>
    <category>chemnitz</category>
<category>clt</category>
<category>freesoftware</category>
<category>linux</category>
<category>lpi</category>
<category>messe</category>

</item>
<item>
    <title>Filling the proprietary gaps: Real Video (RV30/RV40) support in ffmpeg</title>
    <link>https://blog.hboeck.de/archives/676-Filling-the-proprietary-gaps-Real-Video-RV30RV40-support-in-ffmpeg.html</link>
            <category>Copyright</category>
            <category>English</category>
            <category>Gentoo</category>
            <category>Linux</category>
            <category>Movies</category>
    
    <comments>https://blog.hboeck.de/archives/676-Filling-the-proprietary-gaps-Real-Video-RV30RV40-support-in-ffmpeg.html#comments</comments>
    <wfw:comment>https://blog.hboeck.de/wfwcomment.php?cid=676</wfw:comment>

    <slash:comments>4</slash:comments>
    <wfw:commentRss>https://blog.hboeck.de/rss.php?version=2.0&amp;type=comments&amp;cid=676</wfw:commentRss>
    

    <author>nospam@example.com (Hanno Böck)</author>
    <content:encoded>
    The free software projects for media playback did a good job in the past of supporting a wide variety of formats. From the common ones to many very obscure formats, current versions of the free software media players were usually able to play them. Today it&#039;s even common to suggest vlc to Windows users if they can&#039;t play unusual media formats.&lt;br /&gt;
&lt;br /&gt;
There were a few exceptions, though, the most notable probably being the long-missing support for many of the Real formats. While these are rarely used today, many archived videos on the Internet still rely on them. For example, many German television stations provide Real Video files on their web pages.&lt;br /&gt;
&lt;br /&gt;
Recently, and without much public notice, ffmpeg first got &lt;a href=&quot;http://multimedia.cx/eggs/baby-got-rv40/&quot;&gt;support for RV40&lt;/a&gt; and, some weeks later, also for RV30. This fills a long-standing gap in free software support for video formats. ffmpeg is used by all major free software video players (vlc, xine, mplayer), so support should arrive in all of them in due course. For now, it&#039;s quite easy to &lt;a href=&quot;http://www.mplayerhq.hu/design7/dload.html&quot;&gt;check out mplayer from subversion and build it on your own&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
Want something to try out? Here&#039;s a &lt;a href=&quot;http://desertplanetcom.virtual27.nebula.fi/videos/Desert_Planet_in_Germany_2006.rmvb&quot;&gt;video from Desert Planet&lt;/a&gt; in Real format.&lt;br /&gt;
&lt;br /&gt;
The only gap I know of, a format that really got usage in the wild and that is not yet supported by free software, is WMA3. 
    </content:encoded>

    <pubDate>Thu, 25 Dec 2008 15:38:07 +0100</pubDate>
    <guid isPermaLink="false">https://blog.hboeck.de/archives/676-guid.html</guid>
    <category>codecs</category>
<category>ffmpeg</category>
<category>freesoftware</category>
<category>realmedia</category>
<category>realvideo</category>
<category>rv30</category>
<category>rv40</category>
<category>video</category>

</item>
<item>
    <title>Interview on FSFE webpage</title>
    <link>https://blog.hboeck.de/archives/673-Interview-on-FSFE-webpage.html</link>
            <category>Computer culture</category>
            <category>Copyright</category>
            <category>English</category>
            <category>Gentoo</category>
            <category>Linux</category>
            <category>Politics</category>
    
    <comments>https://blog.hboeck.de/archives/673-Interview-on-FSFE-webpage.html#comments</comments>
    <wfw:comment>https://blog.hboeck.de/wfwcomment.php?cid=673</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>https://blog.hboeck.de/rss.php?version=2.0&amp;type=comments&amp;cid=673</wfw:commentRss>
    

    <author>nospam@example.com (Hanno Böck)</author>
    <content:encoded>
    As an FSFE fellow, I got interviewed for their webpage.&lt;br /&gt;
&lt;br /&gt;
You can &lt;a href=&quot;http://fsfe.org/en/fellows/ciaran/fellowship_interviews/fellowship_interview_with_johannes_hanno_boeck&quot;&gt;read it here&lt;/a&gt;. 
    </content:encoded>

    <pubDate>Wed, 17 Dec 2008 17:28:21 +0100</pubDate>
    <guid isPermaLink="false">https://blog.hboeck.de/archives/673-guid.html</guid>
    <category>freesoftware</category>
<category>fsf</category>
<category>fsfe</category>

</item>
<item>
    <title>A critique on the FSFE campaign on PDF readers</title>
    <link>https://blog.hboeck.de/archives/672-A-critique-on-the-FSFE-campaign-on-PDF-readers.html</link>
            <category>Code</category>
            <category>Copyright</category>
            <category>Linux</category>
    
    <comments>https://blog.hboeck.de/archives/672-A-critique-on-the-FSFE-campaign-on-PDF-readers.html#comments</comments>
    <wfw:comment>https://blog.hboeck.de/wfwcomment.php?cid=672</wfw:comment>

    <slash:comments>0</slash:comments>
    <wfw:commentRss>https://blog.hboeck.de/rss.php?version=2.0&amp;type=comments&amp;cid=672</wfw:commentRss>
    

    <author>nospam@example.com (Hanno Böck)</author>
    <content:encoded>
    &lt;a class=&#039;serendipity_image_link&#039; href=&#039;https://blog.hboeck.de/uploads/pdf-evince.png&#039;&gt;&lt;!-- s9ymdb:233 --&gt;&lt;img class=&quot;serendipity_image_right&quot; width=&quot;291&quot; height=&quot;300&quot; style=&quot;float: right; border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;https://blog.hboeck.de/uploads/pdf-evince.serendipityThumb.png&quot; alt=&quot;Broken rendering in evince&quot; /&gt;&lt;/a&gt;The Free Software Foundation Europe has recently started a &lt;a href=&quot;http://pdfreaders.org/&quot;&gt;campaign promoting free PDF readers&lt;/a&gt;. The idea is to replace the tons of »Get Adobe Reader to view the PDF« buttons with ones that don&#039;t promote a proprietary product for viewing PDFs. On the page, they list a couple of free PDF readers for various operating systems.&lt;br /&gt;
&lt;br /&gt;
While I fully support the intention of this campaign, I think there&#039;s a big strategic misconception. As a small sample, let&#039;s take &lt;a class=&#039;serendipity_image_link&#039; href=&#039;https://blog.hboeck.de/uploads/plakat_lug.pdf&#039;&gt;this PDF (an old advertisement for a Linux installation party)&lt;/a&gt;. It&#039;s created with Scribus, based on a transparent SVG tux image I got from Wikipedia. On the right, you can see the PDF rendered with Evince (one of the three Linux-based solutions listed there). The others (kpdf and okular), although based on the same poppler library, show a different rendering, though it&#039;s not better.&lt;br /&gt;
&lt;br /&gt;
&lt;a class=&#039;serendipity_image_link&#039; href=&#039;https://blog.hboeck.de/uploads/sumatra-pdf-1.png&#039;&gt;&lt;!-- s9ymdb:234 --&gt;&lt;img class=&quot;serendipity_image_center&quot; width=&quot;217&quot; height=&quot;300&quot; style=&quot;float:left;border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;https://blog.hboeck.de/uploads/sumatra-pdf-1.serendipityThumb.png&quot; alt=&quot;First try on SumatraPDF&quot; /&gt;&lt;/a&gt;Loading the same PDF in the only listed Windows program, SumatraPDF (which will, sad but true, probably be the one most people will look for), gives an even more interesting result (see on the left). Though, after resizing the window, it changes its opinion and renders the PDF, although still broken, as you can see on the right (results may be off, as I only tried it in WINE).&lt;br /&gt;
&lt;br /&gt;
Continuing with the problems, SumatraPDF is unable to fill in PDF forms. Luckily, today&#039;s Linux-based PDF readers are able to do that, though one of the listed programs (kpdf) is not.&lt;br /&gt;
&lt;br /&gt;
&lt;a class=&#039;serendipity_image_link&#039; href=&#039;https://blog.hboeck.de/uploads/sumatra-pdf-2.png&#039;&gt;&lt;!-- s9ymdb:235 --&gt;&lt;img class=&quot;serendipity_image_right&quot; width=&quot;223&quot; height=&quot;300&quot; style=&quot;float: right; border: 0px; padding-left: 5px; padding-right: 5px;&quot; src=&quot;https://blog.hboeck.de/uploads/sumatra-pdf-2.serendipityThumb.png&quot; alt=&quot;Second try on SumatraPDF&quot; /&gt;&lt;/a&gt;In fact, these are no reason not to start a campaign for free PDF readers. But it should start with a completely different focus, like »we have some coders wanting to improve free PDF readers, send us your wrongly rendered PDFs« or something like that. And then start improving the free PDF readers. And then promote them. Doing it the other way round, with a »there is no problem, just take a free PDF reader« message, and then giving people ones with grave problems is just lying to them. There&#039;s a good reason why, for example, the &lt;a href=&quot;http://docs.scribus.net/index.php?lang=en&amp;amp;page=pdfexport1&quot;&gt;Scribus project promotes the Adobe Reader&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
Oh, and before you ask, yes, I have reported the bug about the misrendered transparency &lt;a href=&quot;http://bugs.freedesktop.org/show_bug.cgi?id=8474&quot;&gt;a long time ago&lt;/a&gt;. 
    </content:encoded>

    <pubDate>Sat, 13 Dec 2008 13:35:40 +0100</pubDate>
    <guid isPermaLink="false">https://blog.hboeck.de/archives/672-guid.html</guid>
    <category>adobe</category>
<category>evince</category>
<category>freesoftware</category>
<category>fsfe</category>
<category>kpdf</category>
<category>okular</category>
<category>pdf</category>
<category>poppler</category>
<category>sumatrapdf</category>

</item>
<item>
    <title>Lenovo, Linux and Windows refunding</title>
    <link>https://blog.hboeck.de/archives/658-Lenovo,-Linux-and-Windows-refunding.html</link>
            <category>Copyright</category>
            <category>English</category>
            <category>Gentoo</category>
            <category>Linux</category>
    
    <comments>https://blog.hboeck.de/archives/658-Lenovo,-Linux-and-Windows-refunding.html#comments</comments>
    <wfw:comment>https://blog.hboeck.de/wfwcomment.php?cid=658</wfw:comment>

    <slash:comments>12</slash:comments>
    <wfw:commentRss>https://blog.hboeck.de/rss.php?version=2.0&amp;type=comments&amp;cid=658</wfw:commentRss>
    

    <author>nospam@example.com (Hanno Böck)</author>
    <content:encoded>
    Recently &lt;a href=&quot;http://www.pro-linux.de/news/2008/13167.html&quot;&gt;there was some news&lt;/a&gt; that Lenovo does not like Linux any more. This was supported by comments &lt;a href=&quot;http://lenovoblogs.com/insidethebox/?p=154#comment-51923&quot;&gt;like this one at Lenovoblogs&lt;/a&gt; (by a Lenovo engineer):&lt;br /&gt;
&lt;br /&gt;
»Again, what’s the incentive for us to start providing all of this intellectual property for free to the Linux community? You may say it drives support for Linux on ThinkPads and people would buy more ThinkPads as a result. I think that’s a dubious assertion at best.«&lt;br /&gt;
(the subject was driver support for switchable graphics on modern ThinkPads, and the comment brings up some common urban legends about Linux and driver support)&lt;br /&gt;
&lt;br /&gt;
Sadly, I experienced one more place where Lenovo seems to shift away from a Linux-friendly viewpoint: I tried to return the Windows license of my new ThinkPad with a pre-made form by Lenovo itself (I got this from someone else by e-mail, not from Lenovo directly). On the net, you can find tons of reports that it was easy for people to get money back from Lenovo for their Windows licenses.&lt;br /&gt;
&lt;br /&gt;
Though what I got was this:&lt;br /&gt;
»Unfortunately we cannot comply with your request for a refund of the cost of the Microsoft operating system preinstalled on your Lenovo product, since in our view the operating system is an integral part of the respective Lenovo product.«&lt;br /&gt;
(translated from Lenovo&#039;s German reply; in short: we won&#039;t refund your Windows license, because we think it&#039;s an integral part of the product)&lt;br /&gt;
&lt;br /&gt;
I find it hard to understand why Lenovo makes this shift. When running around at Linux conferences in recent months, the number of ThinkPads is huge. While many other vendors shift to a much more free-software-friendly behaviour (think of AMD/ATI), Lenovo seems to go in the other direction. It&#039;s especially strange because Lenovo is probably one of the few vendors that has a notable market share in the Linux community.&lt;br /&gt;
&lt;br /&gt;
By the way, I welcome any hints on how I should continue with the Windows refund. I&#039;d prefer not to capitulate yet (like I did with my last laptop by Samsung), and I assume the law is clearly on my side.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Update:&lt;/b&gt; As some of you asked, &lt;a href=&quot;http://www.nabble.com/attachment/15199878/0/Lizenzrckgabe%20Windows%20V5.pdf&quot;&gt;here is the form by Lenovo&lt;/a&gt;, though you&#039;ll probably just get the same reply I got.&lt;br /&gt;
&lt;br /&gt;
Probably interesting: &lt;a href=&quot;http://www.microsoft.com/about/legal/useterms/&quot;&gt;here you can find all EULAs&lt;/a&gt; from Microsoft. They are quite clear on the subject and say that you MUST return the Windows license to the vendor if you don&#039;t agree to the EULA.&lt;br /&gt;
&lt;br /&gt;
In the meantime, I wrote several messages about the issue to various people and institutions. The &lt;a href=&quot;http://wiki.fsfe.org/Windows-Tax_Refund&quot;&gt;FSFE is also working on the subject&lt;/a&gt;. 
    </content:encoded>

    <pubDate>Mon, 06 Oct 2008 13:17:04 +0200</pubDate>
    <guid isPermaLink="false">https://blog.hboeck.de/archives/658-guid.html</guid>
    <category>freesoftware</category>
<category>ibm</category>
<category>lenovo</category>
<category>license</category>
<category>linux</category>
<category>windows</category>
<category>windowsrefund</category>

</item>

</channel>
</rss>
