Soar High with Pi: We complete our maker-tech flight simulator

FREE DVD

ISSUE 279 – FEBRUARY 2024

Intrusion Detection
Protect your home network with a Raspberry Pi

Passive Reconnaissance: Discover the tools intruders use to prepare for an attack
DNS Hijacking: A poorly managed DNS server could give up your IP address
VeraCrypt: Lock Down your Data
SSH Best Practices: Limit access and be careful with the keys!
Mining Crypto on Linux: You can still get in the game with Monero and a not-too-enhanced Debian rig
INCREDIBLE 10 FOSS FINDS

WWW.LINUX-MAGAZINE.COM
EDITORIAL
Welcome

HOW DEEP IS YOUR CHAT?


Dear Reader,
Books, academic journals, tech blogs, and social media posts have been trumpeting dire warnings about super-intelligent AI systems snuffing out civilization. This certainly is a real problem – I don’t want to make light of it. But another serious, and perhaps more immediate, problem is really stupid, inept AI systems messing things up through sheer incompetence.

The Washington Post had a story recently [1] about a study by a European nonprofit [2] on the trouble AI chatbots had with answering basic questions about political elections. According to the story, Bing’s AI chatbot, which is now called Microsoft Copilot, “gave inaccurate answers to one out of every three basic questions about candidates, polls, scandals, and voting in a pair of recent election cycles in Germany and Switzerland.”

Before you write this off as yet another Linux guy ranting about Microsoft, I should add, the reason why the study focused on Microsoft’s chat tool is because Copilot can output its sources along with its chat responses, which made it easier to check. The story points out that “Preliminary testing of the same prompts on OpenAI’s GPT-4, for instance, turned up the same kinds of inaccuracies.” Google Bard wasn’t tested because it isn’t yet available in Europe.

The errors cited in the study included giving incorrect dates for elections, misstating poll numbers, and failing to mention when a candidate dropped out of the race. The study even documents cases of the chatbot “inventing controversies” about a candidate.

Note that I’m not talking about some arcane anomaly buried deep in the program logic. The bot literally couldn’t read the very articles it was citing as sources.

Of course, Copilot got many of the answers right. “Two out of three” wouldn’t have been too bad for an experimental system 10 years ago maintained by experts who knew what they were getting. The problem is that we have endured a year of continuous hype about the wonders of generative AI, and people are actually starting to believe it. It is one thing to ask an AI to write a limerick – it is quite another to ask it to chase down information you will use for voting in a critical election. Many elections are decided by one- to three-percent margins. The implications of a chatbot acting as a source for voters and getting 30 percent of the answers wrong are enormous.

The study also points out that accuracy varies with the language. Questions asked in German led to inaccurate responses 37 percent of the time, whereas English answers were only wrong 20 percent of the time (that’s still way too many mistakes). French weighed in at a 24-percent error rate.

AI proponents answer that this is all a process, and the answers will get more accurate in time. The general sense is that this is just a matter of bug hunting. You make a list of the problems, then tick them off one by one. But it isn’t clear that these complex issues will be solved in some pleasingly linear fashion. The AI industry made surprisingly little progress for years and slow-walked through most of its history before the recent breakthroughs that led to the latest generation. It is possible we’ll need to wait for another breakthrough to make another incremental step, and in the meantime, we could do a lot of damage by encouraging people to put their trust in all the bots that are currently getting hyped in the press.

If you want to get an AI to draw a picture of your boss, go ahead and play. But it looks like, at least for now, questions about which candidate to vote for might require a human.

Joe Casad,
Editor in Chief

Info
[1] “AI Chatbot Got Election Info Wrong 30 Percent of the Time, European Study Finds” by Will Oremus, Washington Post, December 15, 2023: https://www.washingtonpost.com/technology/2023/12/15/microsoft-copilot-bing-ai-hallucinations-elections/ (paywalled)
[2] “Prompting Elections: The Reliability of Generative AI in the 2023 Swiss and German Elections,” AI Forensics: https://aiforensics.org/work/bing-chat-elections

LINUX-MAGAZINE.COM ISSUE 279 FEBRUARY 2024 3


FEBRUARY 2024

ON THE COVER

36 DNS Subdomain Hijacking
Protect yourself from the dangers of dangling DNS records with DNS Reaper.

38 Passive Reconnaissance
Find out what intruders already know about your network.

48 Mining Monero
We’ll show you how to mine crypto without expensive hardware or a bulky interface.

54 VeraCrypt
Save your secrets with this powerful disk encryption tool.

70 Flight Simulator
Sophisticated simulator for would-be aviators in the maker space.

92 SSH Keys
These keys to SSH safety will keep your communications private.

NEWS

8 News
• Hundreds of Consumer and Enterprise Devices Vulnerable to LogoFAIL
• Linux Mint 21.3 Beta Available
• Arch Linux 2023.12.01 Released
• Zorin OS 17 Beta Available for Testing
• Red Hat Migrates RHEL from Xorg to Wayland
• PipeWire 1.0 Officially Released
• Rocky Linux 9.3 Available for Download
• Ubuntu Budgie Shifts How to Tackle Wayland
• TUXEDO’s New Ultraportable Linux Workstation Released

12 Kernel News
• Fonts in the Kernel
• IA-64 Removed from the Kernel (Not)
• Jitter Patches

COVER STORY

16 Building a Rasp Pi IDS
An intrusion detection system was once considered too complicated and too expensive for a home network, but nowadays, you can use a Raspberry Pi and the Suricata IDS for real-time notice of an incoming attack.

REVIEWS

22 Distro Walk – Peppermint OS
Peppermint OS promotes user choice every step of the way. Bruce talks to the Peppermint OS team about how the project has evolved over more than a decade.

26 Organizational Tools
If you need help staying organized, Linux does not let you down with its large collection of organization and scheduling tools.

IN-DEPTH

32 Command Line – tldr
A simplified alternative to man pages, tldr provides the most common command options at a glance.

36 DNS Subdomain Hijacking
Attackers can use poorly maintained DNS records to gain access to your IP address. The open source DNS Reaper lets you monitor your records to ward off attacks.

38 Passive Reconnaissance
Cyberattacks often start with preliminary research on network assets and the people who use them. We'll show you some of the tools attackers use to get information.

44 Formatting with LibreOffice
Learning how to use styles in LibreOffice can save you hours of formatting and let you focus on your writing.

48 Mining Monero
The Monero cryptocurrency lets you get in the game without spending thousands on hardware. We’ll show you how.

ERRATUM: BCPL for the Raspberry Pi, Linux Magazine 278, p. 74.
We published an incorrect link to the article listings and “A User Guide to BCPL for the Raspberry Pi.” The correct link is: https://linuxnewmedia.thegood.cloud/s/5Rzx9tQW2FJ6N3Z



16 Intrusion Detection
You don’t need a fancy appliance to watch for intruders – just Suricata and a Raspberry Pi.

IN-DEPTH

54 VeraCrypt
Protect your data and operating system from prying eyes with VeraCrypt.

58 Programming Snapshot – Google Drive Search Tool
To check his Google Drive files with three different pattern matchers, Mike builds a command-line tool in Go to maintain a meta cache.

MakerSpace

66 Sensor Shootout
Any application that collects a large number of measurements is bound to have some anomalous measurements, but good sensor breakouts should not output such values all the time. We tested eight temperature and humidity sensors for accuracy.

70 Pi Flight Simulator
A Raspberry Pi 4B with Linux can solve the equations for real-time aircraft simulation, including emulation of modern aircraft flight displays.

77 Welcome
This month in Linux Voice.

79 Doghouse – Choosing an OS
A few considerations can help you choose the right OS.

80 Oh My Posh
Adapt the terminal’s appearance and feature set with the Oh My Posh prompt theme engine.

82 System Monitoring Center
The System Monitoring Center combines all the important information you need to monitor a computer in a single state-of-the-art interface.

86 FOSSPicks
This month Graham looks at Cardinal, Celestia 1.7.0, Friture, Wavetable, Helix Editor, Brogue CE, and more!

92 Tutorial – SSH Keys
Verifying the security of your SSH configuration and performing regular audits are critical practices in maintaining a secure Linux environment.

TWO TERRIFIC DISTROS
DOUBLE-SIDED DVD!
SEE PAGE 6 FOR DETAILS

95 Back Issues
96 Events
97 Call for Papers
98 Coming Next Month



DVD
This Month’s DVD

EndeavourOS 11 and Arch Linux 2023.12.01

Two Terrific Distros on a Double-Sided DVD!

EndeavourOS 11
64-bit

EndeavourOS is an ideal choice for users who want to experience Arch Linux but not the challenges of installing it. EndeavourOS replaces Arch’s traditional manual install with Calamares, a popular graphic installer used by many modern distributions, making it more accessible than even the latest Arch release.

Code-named Galileo, EndeavourOS 11 is a housekeeping release, intended to make the distribution easier to both maintain and use. For the first time, community editions and multiple desktops are not available through the installer, and the default desktop is KDE Plasma instead of Xfce.

Galileo also restructures package selection as well as the installer, offers stronger LUKS encryption, and improves dual booting with Windows, while also providing the usual application upgrades of most general releases. The overall result is an even more user-friendly distribution than earlier releases.

Arch Linux 2023.12.01
64-bit

Arch Linux is one of the oldest and most popular distributions, as well as one of the first rolling releases. For years it has had a formidable reputation for its manual install, which requires patience and documentation for new users to master.

Arch Linux 2023.12.01 represents a mild departure from this tradition. Although it lacks a graphical installer, it includes a text-based guided installer, which has only been available for the last couple of years. When typing archinstall at the root prompt, users can search for the latest version of the installer and then select via the keyboard a series of choices at each step. Guidance is minimal, without instruction or any more feedback than what is selected, but it is enough that anyone who has installed Linux before is likely to have few problems.

Other new features include a unified kernel image (UKI) to boot easily from UEFI or bootloaders and support for proprietary NVIDIA drivers, but archinstall remains the outstanding feature of the release. Thanks to archinstall, installing Arch Linux remains a useful way to learn more about the structure of Linux. Although Arch Linux 2023.12.01 requires less expertise than earlier releases, it still offers a hands-on experience that assumes at least some familiarity with Linux.

Defective discs will be replaced. Please send an email to subs@linux-magazine.com.


Although this Linux Magazine disc has been tested and is to the best of our knowledge free of malicious software and defects, Linux Magazine
cannot be held responsible and is not liable for any disruption, loss, or damage to data and computer systems related to the use of this disc.



NEWS
Updates on technologies, trends, and tools

THIS MONTH’S NEWS

08 • Hundreds of Consumer and Enterprise Devices Vulnerable to LogoFAIL
• Linux Mint 21.3 Beta Available with Latest Version of Cinnamon
09 • Arch Linux 2023.12.01 Released with a Much-Improved Installer
• Zorin OS 17 Beta Available for Testing
• More Online
10 • Red Hat Migrates RHEL from Xorg to Wayland
• PipeWire 1.0 Officially Released
• Rocky Linux 9.3 Available for Download
11 • Ubuntu Budgie Shifts How to Tackle Wayland
• TUXEDO’s New Ultraportable Linux Workstation Released

Hundreds of Consumer and Enterprise Devices Vulnerable to LogoFAIL

At Black Hat Europe 2023, Fabio Pagani shared a presentation (https://www.blackhat.com/eu-23/briefings/schedule/index.html#logofail-security-implications-of-image-parsing-during-system-boot-35042) about a newly discovered collection of vulnerabilities being used against Linux and Windows systems that involves, believe it or not, logos.

LogoFAIL is a group of vulnerabilities that targets UEFI code from various firmware/BIOS vendors through high-impact flaws in the image parsing libraries within the firmware.

According to Binarly (https://binarly.io/posts/The_Far_Reaching_Consequences_of_LogoFAIL/index.html), “One of the most important discoveries is that LogoFAIL is not silicon-specific and can impact x86 and ARM-based devices. LogoFAIL is UEFI and IBV-specific because of the specifics of vulnerable image parsers that have been used. That shows a much broader impact from the perspective of the discoveries that will be presented on Dec 6th.”

The vulnerability was originally discovered on Lenovo devices with Insyde, AMI, and Phoenix reference code and was reported under the advisory BRLY-2023-006. After the research group was able to demonstrate a number of attack surfaces from image-parsing firmware components, it became a “massive industry-wide disclosure.”

LogoFAIL allows attackers to store malicious images on either the EFI system partition or inside unsigned sections of firmware updates. When the images are parsed at boot, the vulnerability is triggered and the payload can then be executed to hijack the process and bypass security features.

Hundreds of consumer and enterprise devices (from numerous vendors) are vulnerable. As of now, there’s no indication of when this vulnerability will be patched.

Linux Mint 21.3 Beta Available with Latest Version of Cinnamon

Christmas came early for Linux Mint fans because version 21.3 (aka “Virginia”) is now available for download and testing.

The big ticket item for 21.3 is Cinnamon 6, which offers a Wayland session (for those interested in testing). The Wayland session for Cinnamon 6 includes support for fractional scaling (with HiDPI screens) and plenty of other improvements/new features, such as an updated Sound applet (with support for the Telegram Desktop), support for AVIF images as desktop wallpapers, better handling of YouTube in the Hypnotix IPTV player, window resizing and keybinding updates from within the Menu Editor, and plenty of bug fixes.

All of the in-house apps have received plenty of attention and the “Romeo” unstable software repository will be available to use to install bleeding-edge releases of apps.

Linux Mint 21.3 is based on Ubuntu 22.04, is powered by the 5.15 LTS kernel, and will receive updates until 2027.

You can download an ISO of the beta version (https://mirrors.edge.kernel.org/linuxmint/testing/linuxmint-21.3-cinnamon-64bit-beta.iso) and test it yourself. To learn more about the latest release from Linux Mint, check out the official release notes (https://www.linuxmint.com/rel_virginia.php).



NEWS
Linux News

Arch Linux 2023.12.01 Released with a Much-Improved Installer

Arch Linux is well known for not only being one of the most stable operating systems on the market but also for being a bit complicated to install. With the December release (available now), that all changes.

Although Arch Linux still doesn’t use a GUI installer, the archinstall command makes installing the open source OS much simpler than previous iterations. With a text-based menu installer, you’ll find getting Arch Linux up and running a far less “painful” process.

As first reported by 9to5Linux (https://9to5linux.com/arch-linuxs-december-2023-iso-release-brings-linux-6-6-lts-updated-installer), the latest version of archinstall (version 2.7) also adds a few important features: support for unified kernel image (UKI), the ability to check for a new version of archinstall during the installation process, support for the nvidia-dkms package (when installing the NVIDIA proprietary graphics driver); and plenty of bug fixes.

The latest version of Arch Linux also includes kernel 6.6 LTS.

Anyone looking to install the latest version of Arch Linux can head to the official download page (https://archlinux.org/download/), select the mirror nearest to your location, and download the ISO image for installation.

Unlike many Linux distributions, Arch Linux doesn’t publish official release notes. Instead, you’ll find information shared by the team with the public for the latest release at https://archlinux.org/releng/releases/2023.12.01/.

Of course, you can always join the Arch-announce mailing list (https://lists.archlinux.org/postorius/lists/arch-announce.lists.archlinux.org/) to keep abreast of what’s going on with the distribution.

MORE ONLINE

Linux Magazine
www.linux-magazine.com

ADMIN HPC
http://www.admin-magazine.com/HPC/

Linux Software RAID
• Jeff Layton
Manage storage by building software RAID with the Linux mdadm command.

ADMIN Online
http://www.admin-magazine.com/

Dockerizing Legacy Applications
• Artur Skura
Sooner or later, you’ll want to convert your legacy application to a containerized environment. Docker offers the tools for a smooth and efficient transition.

Integrating a Linux system with Active Directory
• Ali Imran Nagori
Your Active Directory system doesn’t have to be a walled garden. A few easy steps are all you need to integrate Linux with AD.

Network Security in the Google Cloud Platform
• Guido Söldner
Creating complex network infrastructures on the Google Cloud Platform is quick and easy with virtual private clouds, but fast doesn’t always mean right. We look at the on-board tools you need to heighten your cloud security.

Zorin OS 17 Beta Available for Testing

The team behind Zorin OS proudly announces the release of the beta for version 17 of the popular Linux distribution. The developers and designers behind Zorin OS listened to community feedback when creating the new release to bring what they are calling the “greatest and most refined computing experience ever.”

New features found in Zorin OS 17 Beta include a universal search in the main
menu, which allows you to search for apps, files, calendar appointments, con-
tacts, world clocks, apps that can be installed from the Software store, and even
use it as a calculator. It’s also possible to customize the search providers within
Settings | Search Panel.
Zorin OS 17 Beta also refines multitasking with a nod to GNOME 45 by arrang-
ing workspaces horizontally. Users also can open the overview with a three-finger
up or down swipe on a touchpad and switch between workspaces with a three-
finger swipe to the left or right. When you double-tap the Super key, the app grid
expands so you can open a new app by dragging and dropping its launcher to the
desired workspace.
There also is the new Spatial Desktop, which gives you better contextual
awareness of what’s on your desktop. The Spatial Desktop includes two fea-
tures: Spatial Window Switcher (which replaces the old, flat switcher with a 3D
option) and Desktop Cube (which resembles the old Cube desktop from Com-
piz). Both of these new options are not only an easier way to interact with your
workspaces but also add enough eye candy to wow users.
Other improvements include performance optimizations at every level, a re-
freshed Software store, advanced window tiling, improved Quick Settings, a
new Power Modes option, new screenshot and screen recording tools, a rede-
signed weather app, and (coming soon) two new desktop layers.
If you’d like to test the beta of Zorin OS 17, you can download it here (https://zrn.co/17corebeta).


Red Hat Migrates RHEL from Xorg to Wayland


With the release of RHEL 10, Red Hat plans on making the migration from Xorg to
Wayland, thereby closing the door on the out-of-date Linux windowing service for good.
On November 27th, developer Carlos Sanchez posted this in the official announce-
ment (https://www.redhat.com/en/blog/rhel-10-plans-wayland-and-xorg-server):
“...We’ve decided to remove Xorg server and other X servers (except
Xwayland) from RHEL 10 and the following releases. Xwayland should be able
to handle most X11 clients that won’t immediately be ported to Wayland, and if
needed, our customers will be able to stay on RHEL 9 for its full life cycle while
resolving the specifics needed for transitioning to a Wayland ecosystem.”
The announcement continues, “It’s important to note that ‘Xorg Server’ and ‘X11’
are not synonymous, X11 is a protocol that will continue to be supported through
Xwayland, while the Xorg Server is one of the implementations of the X11 protocol.”
This move will help Red Hat (and other distributions) take care of numerous is-
sues, especially those regarding security (as Xorg cannot meet today’s heightened
needs for a more secure windowing protocol). Beyond security, Wayland also ad-
dresses things like better GPU/Display hot-plugging, improved gestures and
scrolling, better support for high-density displays, and more.
Although not every distribution has made the switch, when Red Hat finally mi-
grates to Wayland, it would come as no surprise that those distributions that have
hesitated will make the jump as well. And given that Xorg development has gone
nearly stagnant, this shift should come as no surprise.

PipeWire 1.0 Officially Released


Most likely, you use a Linux distribution that employs PipeWire, which is the subsys-
tem that handles audio and video on modern Linux desktop computers. It has been
a long time coming, but the release of version 1.0 is finally here.
Version 1.0 enables jackdbus support by default; retains API/ABI compatibility; solves
the jitter issue in ALSA (when using IRQ mode); offers plenty of module bug fixes;
vastly improves Bluetooth LC3 codec compatibility as well as JACK transport and time
handling; optimizes buffer reuse with JACK; better socket permissions; MIDI event re-
cording preview in Ardour; improved resume from suspend in ALSA; and much more.
There are relatively few new features for PipeWire 1.0. You will find a new option
for exposing ALSA controls as prop parameters as well as support for XDG base
directories (when loading ACP configurations).
In addition, the update includes support for pause and resume in pipe-tunnel, fil-
ter-chain support for new linear/clamp/recip/exp/log/mult/sine plugins, the ability
to handle NULL values from mmap_areas in the ALSA plugin, and support for uclamp
(to allow the PipeWire scheduler to make better-informed decisions about task
placement).
Read the full details on the PipeWire GitHub page for the “El Presidente” release
(https://gitlab.freedesktop.org/pipewire/pipewire/-/releases/1.0.0) and wait for your
distribution of choice to update to the latest version of the sound subsystem.

Rocky Linux 9.3 Available for Download


Rocky Linux 9.3 is ready to download and install. This latest release includes enhancements to the AWS EC2 AMD and Intel architecture AMI image to support UEFI boot, as well as the legacy BIOS option.

There have been plenty of security improvements, including a Keylime rebase to version 7.3.0; OpenSSH was migrated from the less secure SHA-1 message digest; improvements to support the Extended Master Secret (EMS) extension that is required by the FIPS-140-3 standard for TLS 1.2 connections; SELinux tools were rebased to version 4.4.2; OpenSCAP rebased to 1.3.8; and the SCAP Security Guide rebased to version 0.1.69.

As for programming languages and toolchains, you’ll find Redis 7.0, Node.js 20, GCC 11.4.1, Valgrind 3.21, SystemTap 4.9, elfutils 0.189, the addition of the


GCC Toolset (version 13), LLVM Toolset 16.0.6, Rust Toolset 1.71.1, and Go Tool-
set 1.20.6.
A number of issues also have been fixed for the installer and image creator, secu-
rity, software management, shells and CLI tools, networking, and more.
One thing to keep in mind with this release is that there is no upgrade path to 9.3
from version 8. If you’re running Rocky Linux 8.x, you’ll need to do a fresh install to
migrate to version 9.3.
You can download an ISO of Rocky Linux 9.3 (https://rockylinux.org/download )
and read the full release notes (https://docs.rockylinux.org/release_notes/9_3/ ) for
more information.

Ubuntu Budgie Shifts How to Tackle Wayland


Up to now, Ubuntu Budgie has held fast to Xorg as their windowing system. They fo-
cused their efforts with the help of Enlightenment, but, with that relationship souring
(due to very slow development on the Wayland/Enlightenment front), the Ubuntu
Budgie team has decided to part ways and are now considering Xfce as their guide.
The current Enlightenment/Wayland support is far from suitable for end users,
which puts Ubuntu Budgie at an impasse, as they want to make the switch.
To that end, the team started exploring different routes to success and decided
Xfce’s work with libxfce4windowing offers them the best chance for success. The
libxfce4windowing layer serves as a bridge between X11 and Wayland to make the
transition as seamless as possible.
The two teams have decided to collaborate on the Wayland mission to build a
robust, seamless experience for users and, hopefully, will be able to deliver
much sooner than they would have previously. And with elementary OS prepping
to migrate to Wayland for version 8 of their distribution, it’s becoming more and
more important for other distributions to follow suit.
X11 is an insecure and inefficient protocol and the project’s development has hit
an all-time low.
Because of those two reasons alone, every Linux distribution must find a way to
make the switch to the more modern, secure windowing system.
This was originally reported on both The Register (https://www.theregister.com/2023/11/20/budgie_switches_wayland_approach/) and ISP.PAGE (https://isp.page/news/ubuntu-budgie-switches-its-approach-to-wayland/#gsc.tab=0).

TUXEDO’s New Ultraportable Linux Workstation Released

If you’re looking for an ultraportable, Linux-based laptop that doesn’t skimp on power, TUXEDO has an option just for you.

The Pulse 14 features an AMD Ryzen 7 7840HS CPU with 8 cores and 16 threads that surpasses the Intel Core i7 14-core CPU.

Thanks to the AMD Ryzen CPU’s efficiency – and the 60Wh battery – you can expect up to 11 hours of local video playback on a single charge.

There also is an integrated Radeon 780M GPU with 12 cores and up to 2700 MHz clock speeds and 32GB LPDDR5-6400 RAM (a first for a TUXEDO device) to help boost the laptop’s performance.

Other specs include a 14" LTPS 3K display with 100 percent sRGB coverage with a 120Hz refresh rate and a 180-degree opening angle, up to 8TB SSD M.2 storage, USB-C charging, dual DisplayPort 1.4, four USB ports, one HDMI port, aluminum chassis, Bluetooth 5.2, and Intel Wi-Fi 6 AX200.

The Pulse 14 can be customized to fit your needs and the base model starts at EUR1,111. You can spec the laptop up with more storage and even select your favorite Linux distribution (such as TUXEDO OS, Ubuntu, Kubuntu, Ubuntu Budgie, Ubuntu Mate, Xubuntu, and more).

You can order the TUXEDO Pulse 14 Gen 3 at https://www.tuxedocomputers.com/en/TUXEDO-Pulse-14-Gen3.



NEWS
Kernel News

Zack’s Kernel News


Chronicler Zack Brown reports on the latest news, views, dilemmas, and developments within the Linux kernel community.
By Zack Brown

Fonts in the Kernel

Recently, Bagas Sanjaya said, “The Linux kernel documentation is primarily composed of text (both prose and code snippets) and a few images. Hence, making the text easy to read by proper typography choices is crucial.” He went on, “The problem is depending on the serif font selected by system, the docs text (especially long passages) can be hard and uncomfortable to read. For developers reading the docs on multiple devices, the appearance may look inconsistent.” To solve this, he proposed, “Uniform font choices by leveraging web fonts. Most of people reading the kernel docs should already have modern browser that supports this feature (e.g. Chrome/Chromium and Firefox). The fonts are downloaded automatically when loading the page, but only if the reader [doesn’t] already have ones installed locally. Subsequent docs page loading will use the browser cache to retrieve the fonts. If for some reasons the fonts fail to load, the browser will fall back to fallback fonts commonly seen on other sites.” Therefore, he said, in terms of which fonts to include in the kernel source tree, “we settle down on IBM Plex Sans (sans-serif), IBM Plex Mono (monospace), and Newsreader (serif). All these fonts are licensed under OFL 1.1 [SIL Open Font License] and can be distributed alongside the kernel docs.”

In a later thread, Bagas attempted to add a new license to the Linux kernel: the SIL OFL v1.1. SIL International (formerly Summer Institute of Linguistics) is a religious nonprofit that does a lot of work in helping people learn to read, preserving languages in danger of falling into disuse, and other global projects of that sort. A lot of fonts used in the open source world are released under the OFL. However, it is not necessarily fully compatible with the GNU General Public License (GPL) under which the Linux kernel is released, because of certain clauses that do things like reserve certain font names.

Bagas’s patch did not go over well, for a couple of reasons. Greg Kroah-Hartman was the gatekeeper, and he explained several points. First, he said, Bagas’s patch attempted to dual-license various fonts under both the OFL and the GPL. But it’s actually not okay to simply add a new license to something. Whether it’s a font or a kernel patch, only the copyright holder for that font or piece of kernel code can choose to release their contribution under some other license. This doesn’t apply in cases like the BSD license, which allows users to distribute BSD licensed projects under the terms of any other license the user chooses. But for licenses such as the GPL and OFL that require all distributions to use the same license, simply adding new license terms is a no-no. It’s a violation of the terms specified by the copyright holder.

Richard Fontana from Red Hat remarked, “I think it should be beyond dispute that OFL-1.1 is incompatible with the GPL (over at the Fedora project we don’t even classify it as a FOSS license), not that that is likely to matter for the kernel.”

Bagas replied, “I was thinking of putting OFL in LICENSES/exceptions instead due to this nature.” He added, “Another alternative is to put license notice on CSS code that includes the font.”

Greg was not having any of this. He said, “Anyway, this is independent of the issue if we actually should take these fonts into the kernel tree, and mandate their use (my opinion is no, that’s not for us to use, and especially for any action that might cause a web browser to look elsewhere outside of our documentation).”

Greg also went on to say that, in fact, the Linux kernel project should not be including fonts in its source tree at all. He said, “no, let’s not deal with that mess for now.”

Bagas knew when to give up. For now at least, the Linux kernel will apparently not ship with any fonts for its documentation – or at least none that require an additional or GPL-incompatible license.

I’m always interested when licensing discussions crop up among kernel developers. For example, I believe it’s actually

Author
The Linux kernel mailing list comprises the core of Linux development activities. Traffic volumes are immense, often reaching 10,000 messages in a week, and keeping up to date with the entire scope of development is a virtually impossible task for one person. One of the few brave souls to take on this task is Zack Brown.

12 FEBRUARY 2024 ISSUE 279 LINUX-MAGAZINE.COM


NEWS
Kernel News

virtually impossible for the kernel to ever be released under a license other than the GPL v2. The GNU project suggests releasing code under the terms of a particular version, "or any later version." But Linus Torvalds chose not to trust the future of the GNU project in that way. And with each developer holding the copyright to their own patches, the effort to find all of those people and get their permission to relicense their kernel patches would be a completely overwhelming task. It simply couldn't be done. Like it or not, the Linux kernel is now and forever subject to the terms of the GPL v2. So whenever something like Bagas's font issue comes up, I'm always curious about how it will all be resolved.

As I said before, BSD code can be relicensed, and for sure there is BSD code in Linux that has been relicensed under the terms of the GPL v2. There are other "GPL-compatible" licenses that have code under their terms in the kernel as well. The final result in any particular case is never obvious ahead of time, and it's always fascinating to watch the debates play out.

IA-64 Removed from the Kernel (Not)

Arnd Bergmann posted a patch, announcing, "The ia64 architecture gets its well-earned retirement as planned." His patch removed all IA-64 support in the kernel. The IA-64 platform is the Intel Itanium chip, developed together with Hewlett-Packard and first shipped in 2001. It had a pretty good run. In fact, it represented a whole series of chips and a significant and ambitious departure from Intel's previous approach to chip design, but Intel announced its discontinuation in 2019.

Arnd's patch was accepted immediately, to the dumbfounded dismay of Frank Scheiner, who posted the following response:

"So the ia64 removal happened despite the efforts – not only from us – to keep it alive in Linux. That is a – sad – fact now.

"There was no real breakage for ia64 in the kernel that I know of since [db3e33d] was merged five months ago and _if it ain't broke, don't fix it_.

"Well, it's really broken now.

"We built upon what others had accomplished before in the kernel and outside of the kernel. We started to take care of existing problems (glibc, gcc) and others also did their part in getting things fixed for ia64 (grub). We gathered people around us that have both the required machines and the interest to help out. And despite what others claim, we are users of this architecture and continue to be and we are not alone.

"We simply tried to take care of the architecture in and outside of kernel space with the assumption that this was what was needed to keep an architecture alive. But apparently that was either not good enough, not wanted or simply not enough to prevent its removal.

"At the moment I am out of ideas what other options there are, actually I'm really puzzled here. Because what we tried to accomplish, isn't that what you want for Linux: to arouse people's interest in working on the kernel and ecosystem? Well, you were successful with that for ia64, but removed it anyhow.

"So I ask the simple question:

"What needs to be done to get ia64 back into Linux?"

This response came as a surprise to Linus Torvalds, who had been under the impression the architecture was well and truly dead. He replied to Frank:

"Well, I'd have personally been willing to resurrect it, but I was told several times that other projects were basically just waiting for the kernel support to die.

"Has the itanium situation really changed?

"The thing is, nobody doing new kernel code wants to deal with itanium, so relegating it to the same situation that i386 support was ('it still works in old kernels') doesn't seem to be a huge issue for the people who actually want to use those machines.

"That said, I'd be willing to resurrect itanium support, even though I personally despise the architecture with a passion for being fundamentally based on faulty design premises, and an implementation based on politics rather than good technical design.

"But only if it turns out to actually have some long-term active interest (ie compare it to the situation with m68k etc – clearly dead architectures that we still support despite them being not relevant – because some people care and they don't cause pain).

"So I'd be willing to come back to the 'can we resurrect it' discussion, but not


immediately – more along the lines of a 'look, we've been maintaining it out of tree for a year, the other infrastructure is still alive, there is no impact on the rest of the kernel, can we please try again'?"

John Paul Adrian Glaubitz replied to this with a whoop of glee, remarking, "I think this is a very reasonable approach. If keeping the architecture alive is sustainable, it should be possible to do that out of tree for a given period of time."

And Tomáš Glozar also remarked to Linus, "I agree with Adrian, that sounds very reasonable to me. If we want Itanium to stay in kernel and it is a burden to other developers, it is fair that we take the burden on us for the time being even if it means overhead from maintaining an out-of-tree patch."

Breathing a sigh of relief, Frank said, "That is really something. We'll see where this goes. I always hope for the best. (-:"

So there you have it. From the ashes of doom has arisen the Itanium phoenix once again, breathing fiery life.

This whole thread strikes me as having been a very public misunderstanding that would normally not have occurred. An architecture with users and maintainers does not fall out of the Linux kernel. So it's interesting for me to see how quickly the situation was addressed and resolved, even granting that there will now be a new onus on the Itanium maintainers to do solid work for a period of time before their code can go back into the official source tree.

Jitter Patches

Herbert Xu ran afoul of Linus Torvalds when he posted an update to the crypto code. In fact it was not a simple patch, but a large collection of patches by many people – a perfectly normal code submission from Herbert – except for one group that caught Linus's attention. Specifically, these patches dealt with jitter entropy.

Jitter entropy is one of the crypto subsystem's darlings: It uses the unpredictable, microscopic variations in execution timing as a source of entropy for generating cryptographically secure random numbers. Those in turn feed useful things like the randomization of virtual memory addresses, which makes it harder for attackers to predict where to aim an attack.

In this case, however, Linus felt that the jitter patches rendered some of the compile-time user configuration questions too hard for users to answer. Linus said:

"This is beyond annoying.

"These are adding Kconfig questions that don't make sense. The whole jitter thing is debatably useful in the first place, and now you just annoy users with random questions.

"And I mean truly random – the whole jitter entropy is voodoo programming to begin with, and having some crazy 8MB buffer for it is just ridiculous.

"Honestly, this all smells like somebody's PhD thesis, not a real life thing.

"And no, we don't make our Kconfig questions more annoying for some PhD thesis.

"We also don't ask people questions that don't have valid answers. Just because the whole 'what is entropy in the first place' isn't clear-cut, we don't then punt some tweaking question to the user.

"We have a very simple and stupid jitter entropy thing AT BOOT TIME just to try to generate some amount of entropy to make boots non-repeatable (see 'try_to_generate_entropy()' in drivers/char/random.c).

"Honestly, the whole crypto layer one is ridiculous overkill in the first place, but the annoying new questions have now literally made me consider just removing it entirely.

"Because no, IT IS NOT OK TO ASK CRAZY QUESTIONS. If some developer cannot come up with a reasonable answer, a random user sure as hell cannot.

"And no, any question that says 'do you want to use 8MB of memory for jitter entropy' is just batsh*t crazy.

"This kind of crap needs to stop.

"If somebody wants to do this kind of thing, just do it in user space. It's ridiculously pointless in the kernel.

"Convince me I'm wrong. But there is no way in *hell* you will convince me that we should ask users about some jitter memory sizing. Allocating memory for timing analysis is silly to begin with, since any kernel thing could just use the physical memory mapping we already have in the kernel. I suspect strongly that all this code has been influenced by code running in user space, where it belongs, and where you do need to allocate memory to have it available.

"Please just make this noise go away."

Herbert replied, "Fair enough. How about adding an EXPERT dependency on this?"

To which Linus grudgingly agreed, saying:

"I think that would help the situation, but I assume the sizing for the jitter buffer is at least partly due to trying to account for cache sizing or similar issues?

"Which really means that I assume any static compile-time answer to that question is always wrong – whether you are an expert or not. Unless you are just building the thing for one particular machine.

"So I do think the problem is deeper than 'this is a question only for experts'. I definitely don't think you should ask a regular user (or even a distro kernel package manager). I suspect it's likely that the question is just wrong in general – because any particular one buffer size for any number of machines simply cannot be the right answer.

"I realize that the commit says '*allow* for configuration of memory size', but I really question the whole approach.

"But yes – hiding these questions from any reasonable normal user is at least a good first step."

And that was the end of that.

Linus's attitude toward a lot of security features is one of great skepticism. There seem to be at least two schools of thought. Linus seems to feel that security patches should fix actual security exploits. If there is not a known exploit for something, Linus considers that there is not actually a security problem.

On the other side, various developers seem to believe that some aspects of the kernel present tempting targets for attackers who don't yet themselves know if there's an exploitable bug or not, but who will poke and prod the kernel in that area until they find something. These developers advocate, for example, randomizing virtual memory, making it as difficult as possible for any attacker to even know what part of the kernel they might be poking and prodding. They argue that this kind of protection reduces the size of the "attack surface" that an attacker might explore.

It's an ongoing and nearly religious debate. Linus has shown that he's willing to compromise and accept patches that reduce attack surfaces, but he has also shown that there are significant limits to what he'll accept in the absence of an actual known exploitable bug.

COVER STORY
Building a Rasp Pi IDS

Detecting intruders with a Raspberry Pi IDS

Smoke Alarm
An intrusion detection system was once considered too complicated and
too expensive for a home network, but nowadays you can use a Raspberry
Pi and the Suricata IDS for real-time notice of an incoming attack.

By Markus Stubbig

An intrusion detection system (IDS) works like a smoke detector: It detects a risk and issues a warning, but it does not take any further steps to prevent the attack. A full-blown intrusion prevention system (IPS), on the other hand, can take additional steps to stop the attack. However, an IPS is much more elaborate (and often expensive), and it is often overkill for a small home network. For many users on small networks, the notification is the most important part, and an IDS can deliver that notification with far less trouble and a smaller learning curve.

An IDS takes a deep look at the IP packets passing through. If the analyzed content appears suspicious, the system alerts the user. To decide whether a packet contains a possible attack, the IDS consults a database of known attack patterns, the signatures. This makes it similar to a virus scanner, which examines data and compares it against known patterns, and it shares the same blind spot: An attack for which no signature exists passes unnoticed.

An IDS is part of the standard equipment at any data center today. At a modern data center, a fast appliance fields data streams from all servers via a multi-gigabit network interface card and reports its discoveries to the network operations team. This might sound like an expensive solution, but the technology can just as easily be applied to home networks.

This article describes how to set up a simple Raspberry Pi or comparable single-board system to act as an IDS. The downsized IDS receives a copy of the packets passing through the router, so you'll need a router that can capture its traffic and hand it to the Rasp Pi for monitoring. Some routers include this feature directly. In other cases, the Rasp Pi can pull the packets from the router with a Bash script, provided the router exposes a capture interface. The examples in this article are based on a Fritz!Box 7583 router.

Like many Rasp Pi scenarios, the setup presented in this article is more of a life hack than an industrial-strength solution, but it does the job. When you're finished configuring it, you might find that you know a little more about IDS systems and how they work. One note to keep in mind: You are asking the router to take on additional tasks, which might slow it down, depending on the make and model, but in a low-traffic setting like a home network, you might not notice the difference.

Equipment

The IDS needs compute power for its investigations. You will want to use at least a Raspberry Pi 3B+, or preferably a fourth-generation Rasp Pi model. If you want to try another mini PC, you'll need at least 1GB RAM and a dual-core CPU. A recent Raspberry Pi OS or Debian without a graphical user interface is fine as the operating system.

After installing Raspberry Pi OS, the Raspberry Pi no longer needs a local console; you can configure it via SSH. As for the choice of software: Make sure you keep the CPU and flash requirements down. A 500MB IDS logfile will slow the system down and make it almost unusable. Elasticsearch might be the right choice of back end for large installations, but a lightweight SQLite database is better suited for a Rasp Pi IDS.

Suricata

Suricata [1] is an open source IDS that will serve as the foundation for this Rasp Pi IDS. Suricata listens on a network adapter and compares the IP packets passing through with its signature database. If an examined packet matches a signature, Suricata responds with the action defined in the rule, which could be, say, firing off an alert. This analysis depends heavily on the quality of the signatures.

You first need to install the Suricata software on the Rasp Pi (Listing 1, line 1). The repository contains a recent version, which is fine for your home IDS. One special thing about

Listing 1: Install and Update Suricata

01 # apt install suricata
02 # sed -i -e 's/interface: eth0/interface: ids0/' /etc/suricata/suricata.yaml
03 # ln -s /var/lib/suricata/rules/suricata.rules /etc/suricata/rules/
04 # suricata-update
05 # systemctl stop suricata
06 [... see Listing 2 ...]
07 # suricata -c /etc/suricata/suricata.yaml -i ids0 -v
08 # systemctl start suricata


Suricata is that it does not reference the physical network adapter eth0 but the virtual adapter ids0 (line 2). The update command (line 4) fetches the free signatures; this can take a few minutes depending on the speed of your Internet connection. As an example, loading and testing 43,000 rules on a Raspberry Pi 3B+ took about three minutes.

Then stop Suricata for the time being (line 5). When first launched in a live scenario, Suricata has to wait until the commands in Listing 2 have brought up the ids0 interface, but more on that later. Once this is complete, you start Suricata again by hand (Listing 1, lines 7 and 8). Line 7 runs it in the foreground with the verbose option -v, so that any error messages from loading the configuration or the rules appear on the terminal; once it comes up cleanly, stop it again and start the service (line 8). Suricata then sniffs the packets from the ids0 interface and checks them against the enabled signatures. If one of the rules matches, an entry is added to the eve.json file; again, more on that later.

You will need to be patient, because it can take up to two minutes for Suricata to load the signatures. The application logfile is available in /var/log/suricata/.

Workflow

The Rasp Pi system will need some way of reading the packets that pass through the router. Some routers have a mirror port that creates copies of packets and forwards them via a different LAN port to a server for analysis. If your router does not have this feature (and many home routers don't), the Rasp Pi IDS will need to request the data. In the case of my Fritz!Box router (Figure 1), all it takes is Wget and some Bash wizardry. Note that caching the collected packets on the Rasp Pi is not an option (it would kill off the SD card relatively quickly). The goal is instead to feed the data straight to the IDS process.

Unfortunately, pipe magic is not going to help here. Suricata stops working if there is no data flow through the pipe (i.e., whenever the Fritz!Box is idle). The solution is a dummy network adapter that behaves like a second loopback interface. More specifically, Wget fetches the PCAP data from the Fritz!Box, and the IP packets it contains are replayed onto the dummy interface. Suricata listens on this dummy NIC, which means that it receives a copy of all the packets that flow through your Internet connection. Suricata rummages through the packets for suspicious content. Detouring via the dummy interface offers the advantage that more analysis tools can be added without making any changes (e.g., Tcpdump).

Suricata saves its results as a text file in JSON format. The graphical processing is handled by EveBox [2]. The EveBox tool disassembles the JSON lines, extracts the essential content, and serves everything up as a fancy web page.

Fritz!Box and Fritzdump

The Bash wizardry for the Fritz!Box and PCAP has already been scripted by other people and is available on GitHub [3] in the form of the fritzdump.sh file. The script's target is not an IDS but the Ntop NG monitoring package; however, converting it to work with an IDS is surprisingly simple. If you have another router with similar scripting support, adapt the script as needed.

Because Raspberry Pi OS includes NetworkManager, the setup only needs a one-liner (Listing 2, first line). The dummy network adapter provides the link between Fritzdump and Suricata. The two systemctl lines at the end of the listing make sure that NetworkManager is running and takes care of the new interface ids0.

Back to the Fritz!Box: The Fritz!Box must support the hidden packet recording function. You can easily check this; if your

Figure 1: The Rasp Pi resides on the home network and gets the copies of all IP packets from the Fritz!Box.

Listing 2: Setting up a Dummy Interface

# nmcli con add type dummy ifname ids0 ipv4.method disabled ipv6.method disabled
# systemctl enable NetworkManager
# systemctl start NetworkManager

Listing 3: Packet Forwarding

01 # apt install tcpreplay
02 # wget https://raw.githubusercontent.com/ntop/ntopng/dev/tools/fritzdump.sh
03 # sed -i -e 's/ntopng.*/nice tcpreplay --mbps 1000 -i ids0 -/' fritzdump.sh
04 # install --mode=755 fritzdump.sh /usr/bin/
05 # fritzdump.sh dslf-config
06 # systemctl restart suricata
07 # tcpdump -nnli ids0

Listing 4: Creating an Exception List

# cat <<EOF > /etc/suricata/disable.conf
group:stream-events.rules
group:decoder-events.rules
group:emerging-info.rules
EOF
# suricata-update

Fritz!Box has this feature, it will open up a web page if you type http://fritz.box/html/capture.html in your browser (Figure 2). On the other hand, things look bad if you see a 404 error instead.

Given such a wide choice of interfaces, the question is, which one is the right one? Basically, an IDS should examine the packets on the LAN side, because constant probing is normal background noise on the WAN side and would only flood the log. Accordingly, the right choice is the lan or wifi0 interface.

Inconveniently, the interface has another name internally, and Fritzdump needs the exact notation. If you don't want to browse the HTML source code, click Start on the web page for the right interface and then look at the download link. The link contains the ifaceorminor parameter in the URL, followed by the name of the selected interface.

Last but not least, you need to modify the script. It's on GitHub and requires very little customization to fill its new role. Listing 3 shows the installation and customization of the script for the Rasp Pi IDS. In the fritzdump.sh script, you need to enter the interface name from the previous section for the IFACE variable.

The sed command from line 3 removes Ntop NG and replaces it with Tcpreplay, a tool that feeds packets from PCAP files back into the network. When this happens, the packets are routed via the dummy interface to Suricata. Since Tcpreplay burns a massive amount of compute power, the nice utility runs it at a lower scheduling priority, which keeps the rest of the system responsive.

Once the preparations are complete, you can launch fritzdump.sh and Suricata (lines 5 and 6). The script expects the Fritz!Box username and password as command line arguments. If you log in to your Fritz!Box with a password, the recommended username for the script is dslf-config or fritz3103. Bear in mind that command line arguments are visible to every local user in the process list; a credentials file with restrictive permissions, as discussed at the end of this article, is the safer option.

The script immediately starts pushing packets to the dummy NIC. You can use Tcpdump to check whether this is working; the command displays the packets on the terminal (line 7). For Fritzdump to resume its work after a reboot, you need an entry in the /etc/rc.local file before the final exit statement.

Ruleset

By default, the IDS uses all available signatures, including signatures for protocols that are uncommon on home networks. This means that the IP packet scan goes through an unnecessary number of checks, which in turn slows down the IDS. What's even worse: Some signatures even complain about unexpected values in the TCP header, bloating the eve.json logfile. This adds about 500MB to the file every day, which is way too much for the Rasp Pi IDS.

As a rule of thumb: Enable only the most important rules, otherwise eve.json will burst at the seams and EveBox will stop responding. But what are the most important rules? You will simply have to try this out, because every home network uses different applications. If a specific alert from Suricata keeps getting posted in the log and the post is irrelevant or for information only, you can add the matching rule or rule group to the exception list. The example from Listing 4 disables three rule groups with purely informational content and then updates the new streamlined signature list.

Figure 2: If the Fritz!Box offers packet capture, the IDS can sniff and analyze the packets.

EveBox

What packets did Suricata alert on? If you don't want to work through long lines of JSON, install the web-based EveBox event management tool for Suricata and browse through the messages, as shown in Figure 3. The team behind EveBox provides its own repository for the installation, which is useful for updates later on. Setting up the repository and GPG key turns out to be almost more complicated than the actual installation, as Listing 5 shows. Note that apt-key, which the listing uses, is deprecated on current Debian releases; there, store the key below /etc/apt/keyrings/ and point to it with a signed-by option in the sources entry instead.

Listing 5: Setting Up Repository and GPG Keys

# apt install gnupg apt-transport-https
# wget -qO - https://evebox.org/files/GPG-KEY-evebox | apt-key add -
# cat <<EOF > /etc/apt/sources.list.d/evebox.list
deb http://evebox.org/files/debian stable main
EOF
# apt update
# apt install evebox

A minimal configuration for EveBox is shown in Listing 6; you need to store the contents in the /etc/evebox/evebox.yaml file. The values were chosen carefully and are suitable for a Raspberry Pi. After saving the file, you need to tell EveBox to restart by typing systemctl restart evebox. The web page http://pi_ip_here:5636 is ready and will notify you of alerts in the future. Because the listing binds EveBox to all interfaces without TLS, anyone on the LAN can read the alerts; restrict access with the local firewall discussed at the end of this article. Strictly speaking, you will not see the original alerts from Suricata but the list processed by EveBox.

Listing 6: EveBox Configuration

http:
  tls:
    enabled: false
  host: 0.0.0.0
  port: 5636
database:
  type: sqlite
  retention:
    days: 7
    size: "500 MB"
input:
  enabled: true
  paths:
    - "/var/log/suricata/eve.json*"

Figure 3: EveBox gives you a graphical view of the alert list from Suricata.

IDS Test

Everything is ready to go, but you will want to test the setup to make sure that your home IDS is working correctly. Much like EICAR for virus scanners, there is a prepared web page that should attract the attention of any active IDS.

For this test, a client on the home network needs to access the website at http://testmynids.org/uid/index.html. It doesn't matter whether you do this in a web browser or use curl, as long as you access the website via the Fritz!Box and over plain HTTP: The signature matches on the content of the response, which it could not see inside a TLS connection. The important thing is that Suricata detects the pseudo attack and EveBox

Figure 4: Suricata detects the test website, and EveBox reports the pseudo-alarm.

displays it as GPL ATTACK_RESPONSE id check returned root (Figure 4).

Slimming Down

By default, Suricata stores a huge amount of information and statistics, which bloats the logfiles in next to no time. On top of this, the bloat makes it more difficult for EveBox to find the genuine alerts, and it results in more disk I/O to the flash memory device. A RAM disk can help, but it definitely makes more sense simply not to store the values you don't need.

To do this, you have to modify the suricata.yaml configuration file. The YAML format uses indentation and reads like an outline, with topics and bullet points. Suricata lists everything intended for the eve.json logfile below outputs in the eve-log subsection. For use on a Raspberry Pi, the recommendation is to comment out all output formats listed in types, or to set them to false, with the exception of alert, anomaly, and drop (Figure 5).

The next savings relate to the signatures. In the previous section, I already ditched three rule groups. If EveBox reports more alarms that are false, unnecessary, or simply a nuisance, you can add an entry to the disable.conf file and then update the signature database.

If the Rasp Pi is still sluggish after the cleanup, it makes sense to empty EveBox's SQLite database in /var/lib/evebox/ or to create a new eve.json in /var/log/suricata/. In both cases, you will need to restart the service using Systemctl.

Last but not least, check the load on the Fritz!Box when the IDS is enabled. Older models might be overtaxed by the continuous PCAP download, leading to a reduced throughput rate. For example, a Fritz!Box 6591 on a 100Mbit/s cable connection from Vodafone still achieves about 75Mbit/s in the download direction with the home IDS running. The upload rate is not affected at all. It is important to weigh up whether security or performance is your priority.

The IDS only works when the Fritzdump and Suricata processes are running. If not, the intrusion detection setup is worthless and dangerous IP packets remain undetected. A small monitoring tool like Monit [4] can check for the critical processes and restart them if necessary (Listing 7). The listing enables Monit's web interface with its documented default login of admin:monit on all interfaces; change the password and, preferably, the address before you rely on it.

Listing 7: Setting Up Monit

# apt install monit
# cat <<EOF >> /etc/monit/monitrc
set httpd port 2812 and
    use address 0.0.0.0
    allow admin:monit
EOF
# systemctl restart monit

A configuration file for all the home IDS's services is available in the download section for this article [5]. You need to store the monit_ids.conf file in the /etc/monit/conf.d/ directory. Monit uses it automatically on restart. If you access the page at http://Ras_Pi_IP:2812, or if you run the monit summary CLI command, your watcher will give you information about the status of the services it is looking after (Figure 6).

Figure 5: Modifying the configuration files tells Suricata to ignore less important things, which in turn reduces the load on the Rasp Pi.

Figure 6: The Monit Service Manager monitors the IDS processes and restarts them if necessary.

Evaluating Alerts

EveBox uses color highlighting to show the meaning of a message. Hints are shown in turquoise in the Light Theme, attacks in orange, and critical conditions in red (Figure 3). The dark theme makes it difficult to see the colors; important messages no longer stand out sufficiently. Clicking on the message takes you to the detailed view with all the information that Suricata has recorded. Suricata uses the Severity value to indicate how threatening it considers an alert to be. EveBox uses this numerical value to color highlight the message.
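Everything EveBox shows here comes straight from the alert records in eve.json, so the same evaluation can be scripted on the Rasp Pi itself. The following script is an added example written for this article; it is not code from Suricata, EveBox, or the author. The EVE lines, rule lines, addresses, and signature IDs it works on are constructed samples embedded in the script, the LAN prefix 192.168.178.0/24 is assumed (the Fritz!Box default), and the mapping of Severity onto the three classes EveBox colors is modeled on the description above, not taken from EveBox. It reports which LAN host was involved in each alert and whether the traffic was inbound, does what the grep for a signature ID does (anchored to the sid option so that a partial match on a longer number cannot occur), and lists informational signatures that fire repeatedly as candidates for the disable.conf exception list from the Ruleset section.

```python
import ipaddress
import json
import re
from collections import Counter

# Constructed sample of eve.json lines. Suricata interleaves event types (the
# "stats" record), and a line can be cut short if the process dies mid-write
# (the last one). Addresses use the documentation ranges and the Fritz!Box
# default LAN; signature IDs, rule text and counts are made up for this example.
SAMPLE_EVE = """\
{"timestamp":"2024-01-10T19:02:11.000000+0100","event_type":"alert","src_ip":"192.168.178.23","src_port":51234,"dest_ip":"203.0.113.10","dest_port":53,"proto":"UDP","alert":{"signature_id":2027757,"rev":3,"signature":"ET DNS Query to a *.pw domain - Likely Hostile","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-01-10T19:02:12.000000+0100","event_type":"stats","stats":{"uptime":120}}
{"timestamp":"2024-01-10T19:05:40.000000+0100","event_type":"alert","src_ip":"198.51.100.7","src_port":44100,"dest_ip":"192.168.178.2","dest_port":80,"proto":"TCP","alert":{"signature_id":2403348,"rev":1,"signature":"ET CINS Active Threat Intelligence Poor Reputation IP group 48","category":"Misc Attack","severity":2}}
{"timestamp":"2024-01-10T19:05:41.000000+0100","event_type":"alert","src_ip":"203.0.113.55","src_port":80,"dest_ip":"192.168.178.23","dest_port":51300,"proto":"TCP","alert":{"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":1}}
{"timestamp":"2024-01-10T19:06:00.000000+0100","event_type":"alert","src_ip":"192.168.178.40","src_port":50001,"dest_ip":"192.168.178.1","dest_port":443,"proto":"TCP","alert":{"signature_id":2210029,"rev":2,"signature":"SURICATA STREAM ESTABLISHED packet out of window","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2024-01-10T19:06:01.000000+0100","event_type":"alert","src_ip":"192.168.178.40","src_port":50002,"dest_ip":"192.168.178.1","dest_port":443,"proto":"TCP","alert":{"signature_id":2210029,"rev":2,"signature":"SURICATA STREAM ESTABLISHED packet out of window","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2024-01-10T19:06:02.000000+0100","event_type":"alert","src_ip":"192.168.178.40","src_port":50003,"dest_ip":"192.168.178.1","dest_port":443,"proto":"TCP","alert":{"signature_id":2210029,"rev":2,"signature":"SURICATA STREAM ESTABLISHED packet out of window","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2024-01-10T19:07:00.000000+0100","event_type":"alert","src_ip":"192.168.178.4
"""

# Constructed excerpt of /etc/suricata/rules/suricata.rules for the sid lookup.
SAMPLE_RULES = """\
alert dns $HOME_NET any -> any any (msg:"ET DNS Query to a *.pw domain - Likely Hostile"; dns.query; content:".pw"; endswith; classtype:bad-unknown; sid:2027757; rev:3;)
alert ip [198.51.100.0/24] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 48"; classtype:misc-attack; sid:2403348; rev:1;)
alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
alert tcp any any -> any any (msg:"SURICATA STREAM ESTABLISHED packet out of window"; stream-event:est_packet_out_of_window; classtype:protocol-command-decode; sid:2210029; rev:2;)
"""

HOME_NET = ipaddress.ip_network("192.168.178.0/24")  # assumed LAN (Fritz!Box default)


def parse_alerts(lines):
    """Flatten EVE alert records to the fields needed for triage; skip everything else."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or corrupt line: skip it rather than abort
        if ev.get("event_type") != "alert":
            continue
        a = ev["alert"]
        alerts.append({"timestamp": ev["timestamp"], "src_ip": ev["src_ip"],
                       "dest_ip": ev["dest_ip"], "dest_port": ev.get("dest_port"),
                       "sid": a["signature_id"], "signature": a["signature"],
                       "severity": a["severity"]})
    return alerts


def direction(alert, home_net=HOME_NET):
    """'inbound', 'outbound' or 'internal' relative to the LAN."""
    src_in = ipaddress.ip_address(alert["src_ip"]) in home_net
    dst_in = ipaddress.ip_address(alert["dest_ip"]) in home_net
    if src_in and dst_in:
        return "internal"
    return "outbound" if src_in else "inbound"


def lan_host(alert, home_net=HOME_NET):
    """The LAN address involved: the one to look up in the Fritz!Box device list."""
    return alert["src_ip"] if ipaddress.ip_address(alert["src_ip"]) in home_net else alert["dest_ip"]


def severity_label(severity):
    """Suricata severity (1 = highest) mapped onto the three classes EveBox colors.
    The mapping follows the article's description; it is an assumption, not EveBox's code."""
    return "critical" if severity <= 1 else "attack" if severity == 2 else "hint"


def summarize(alerts):
    return {
        "by_sid": Counter((a["sid"], a["signature"]) for a in alerts),
        "by_lan_host": Counter(lan_host(a) for a in alerts),
        "by_severity": Counter(severity_label(a["severity"]) for a in alerts),
        "inbound": [a for a in alerts if direction(a) == "inbound"],
    }


def rule_for_sid(rules_text, sid):
    """What `grep sid:NNN /etc/suricata/rules/*` does, anchored to the sid option
    so that 2100498 cannot match 12100498 or a rev number."""
    sid_re = re.compile(r"\bsid:\s*(\d+)\s*;")
    for line in rules_text.splitlines():
        m = sid_re.search(line)
        if m and int(m.group(1)) == sid:
            return line
    return None


def noisy_sids(alerts, min_hits=3, min_severity=3):
    """Informational signatures (severity >= min_severity) that fired at least
    min_hits times: candidates for disable.conf, to be reviewed before muting."""
    hits = Counter(a["sid"] for a in alerts)
    worst = {a["sid"]: a["severity"] for a in alerts}
    return sorted(s for s, n in hits.items() if n >= min_hits and worst[s] >= min_severity)


def disable_conf_lines(sids):
    """suricata-update accepts one bare signature ID per line in disable.conf."""
    return [str(s) for s in sids]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_EVE.splitlines())
    s = summarize(alerts)
    for (sid, sig), n in s["by_sid"].most_common():
        print(f"{n:3d}x  sid {sid}  {sig}")
    print("LAN hosts involved:", dict(s["by_lan_host"]))
    for a in s["inbound"]:
        print("INBOUND", severity_label(a["severity"]), a["src_ip"], "->",
              a["dest_ip"], a["dest_port"], a["signature"])
    for sid in noisy_sids(alerts):
        print("noisy:", rule_for_sid(SAMPLE_RULES, sid))
    print("disable.conf candidates:", disable_conf_lines(noisy_sids(alerts)))
```

To run it against the real file, replace SAMPLE_EVE.splitlines() with the lines of /var/log/suricata/eve.json and SAMPLE_RULES with the contents of the rules file. The inbound list is the one to read first: an alert whose destination is a LAN address and whose source is not means something on the Internet reached a device behind the router.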


The next step is to find out which cli-


ent triggered the alarm. The Source and
Destination fields show the offending IP
addresses, including port numbers, but
without resolving to a hostname or ap-
plication. If the alert title is unclear, the
signature ID can help; you can use the
signature ID to find the rule in the signa-
ture files. If you need more details on a
signature, grep will give them:

$ grep signature_ID /etc/suricata/rules/*

The result is the syntax of the signature


as Suricata reads and processes it. Edi-
tors with appropriate syntax highlight-
ing, such as Visual Studio Code, make
the content more readable.
For example, a message such as ALERT: ET CINS Active Threat Intelligence Poor Reputation IP group 48 points to a suspicious incoming HTTP packet on the LAN. It appears that there is a public web server on the local network that can be accessed from any IP address on the Internet. Neither Suricata nor EveBox recommends any specific action in this case, but both tools at least make the admin aware of the issue. In the simplest case, this might mean a forgotten port forward. However, the message suggests that the company’s own web server is under attack. Meaningful responses include using a GeoIP blocker or a DDoS tool such as Fail2Ban [6].

False Alerts?
Not every attack has to be dangerous. The orange message ALERT: ET DNS Query to a *.pw domain – Likely Hostile warns users against accessing a web page with the pw top-level domain. A quick search shows that someone updated a Buttercup password manager via the buttercup.pw website (Figure 7). There is no immediate danger from this.

Figure 7: A DNS query for the pw top-level domain prompted Suricata to sound the alarm. In this case, it was just a user updating her password manager, which queries its servers in the pw domain.

No machines running, but the IDS still reports something? No panic: How many smartphones, laptops, and smart home devices use your Fritz!Box? Every device on the network has an IP address, and every Suricata message contains that device’s source and destination addresses. A quick look at the Fritz!Box subscriber list reveals which terminal this address belongs to. Granted: Once Suricata has annoyed you with the same message for about the hundredth time, you might want to remove this signature.

Security
An IDS does add a little more security, but the installation shown in this article is only the beginning of any serious intrusion detection project. Some additions would still be required for robust enterprise use. The EveBox and M/Monit websites require HTTPS access with alert-free certificates. And you would need authentication, unless you want everyone to be able to view the logs.

Fritzdump expects the Fritz!Box password, but you would definitely not want this to be visible in the process list. It is better to store security-relevant information in variables or files with restrictive rights. And running Suricata with root privileges is questionable practice. You can change this in the run-as: section of the configuration file and use a dedicated IDS account instead.

A Raspberry Pi running Linux is not completely unprotected, but you would still want to enable a local firewall. Raspberry Pi OS offers the usual suspects: iptables, nftables, and firewalld. A firewall lets you restrict access to the required applications (SSH and HTTPS) and keep things within the boundaries of the local network. Finally, integration with an existing alerting system can be useful. If you lose sight of critical messages in the mass of files on the Rasp Pi, the IDS is not going to be a big help. Messages need to be displayed in good time on the admin’s smartphone.

Conclusions
No IDS is capable of solving every imaginable security problem, but a good IDS is an important component for securing your network. Even on a low budget, a Raspberry Pi and the free Suricata software can handle intrusion detection, in conjunction with a compatible router like Fritz!Box.

Info
[1] Suricata: https://suricata.io
[2] EveBox: https://evebox.org
[3] Fritzdump: https://github.com/ntop/ntopng/blob/dev/tools/fritzdump.sh
[4] M/Monit: https://mmonit.com
[5] M/Monit configuration for monitoring Suricata, EveBox, and Fritzdump: https://linuxnewmedia.thegood.cloud/s/5Rzx9tQW2FJ6N3Z
[6] Fail2Ban: https://www.fail2ban.org/wiki/index.php/Main_Page

Author
Markus Stubbig is a system developer with a focus on networking and Linux in the automotive environment.
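The "files with restrictive rights" advice from the Security section above can be enforced by the script that needs the credential, rather than left to whoever created the file. The following is an added example for this article, not code from Fritzdump, Suricata or the author: the secret is read from a file instead of being passed on the command line (where it would show in the process list), and the read is refused unless the file is a regular file, owned by the user running the script, and unreadable by group and others. The file names and the password value are constructed for the demonstration; it assumes a POSIX system such as Raspberry Pi OS.

```python
"""Read a credential from a file only if its permissions are restrictive.

Added example for this article; not part of Fritzdump, Suricata or the
author's setup. File names and contents below are constructed.
"""
import os
import shutil
import stat
import tempfile


class InsecureSecretFile(Exception):
    """Raised when a secret file could be read or replaced by someone else."""


def read_secret(path):
    """Return the file's contents (trailing newline stripped) or raise."""
    st = os.lstat(path)  # lstat, so a symlink pointing elsewhere is refused too
    if not stat.S_ISREG(st.st_mode):
        raise InsecureSecretFile(f"{path}: not a regular file")
    if st.st_uid != os.getuid():
        raise InsecureSecretFile(f"{path}: not owned by the current user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise InsecureSecretFile(
            f"{path}: mode {oct(stat.S_IMODE(st.st_mode))} grants group/other access")
    with open(path, encoding="utf-8") as fh:
        return fh.read().rstrip("\n")


def write_secret(path, value, mode):
    """Create the file with the requested mode at creation time, so it never
    exists with looser rights, then set the mode explicitly so the result
    does not depend on the caller's umask (which can only remove bits)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(value + "\n")
    os.chmod(path, mode)


def demo():
    """Write one 0600 and one 0644 file holding the same constructed value
    and report which one read_secret() accepts.

    Returns {"good": <value>, "bad": None}: the world-readable copy is
    rejected even though its content is identical.
    """
    workdir = tempfile.mkdtemp(prefix="secret-demo-")
    results = {}
    try:
        for name, mode in (("good", 0o600), ("bad", 0o644)):
            path = os.path.join(workdir, name + ".pass")
            write_secret(path, "constructed-example-password", mode)
            try:
                results[name] = read_secret(path)
            except InsecureSecretFile:
                results[name] = None
    finally:
        shutil.rmtree(workdir)
    return results


if __name__ == "__main__":
    print(demo())
```

A wrapper script would call read_secret() on a path such as the Fritzdump credential file and hand the value to the tool through its own input channel rather than as an argument, and the check fails loudly the day someone copies the file with a permissive umask.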



REVIEW
Distro Walk – Peppermint OS

A choice-driven hybrid distro

Peppermint OS
Peppermint OS promotes user choice every step of the way. Bruce talks to Peppermint OS
about how the project has evolved over more than a decade. By Bruce Byfield

Author
Bruce Byfield is a computer journalist and a freelance writer and editor specializing in free and open source software. In addition to his writing projects, he also teaches live and e-learning courses. In his spare time, Bruce writes about Northwest Coast art (http://brucebyfield.wordpress.com). He is also co-founder of Prentice Pieces, a blog about writing and fantasy at https://prenticepieces.com/.

Lead Image © pixelrobot, 123RF.com

Figure 1: Peppermint OS’s default desktop.

Few distributions have had the ups and downs of Peppermint OS [1] (Figure 1). Founded in 2010 during a pub discussion in North Carolina, Peppermint OS enjoyed initial success only to decline after the death of one of its founders. A few years ago, the project had shrunk to a single maintainer, but the last few years have seen a resurgence of effort with the development of a closely knit and active community.

Throughout its history, though, Peppermint’s releases have shown several points of continuity. Its source has always been a Debian derivative – currently, Debian and Devuan. In addition, it has always had a minimal installation in which standard apps such as LibreOffice are not included by default. Instead, a variety of options are offered including six different web browsers (Figure 2), a choice of init tools, and a selection of Snap, Flatpak, and AppImage package repositories. At every point user choice is stressed – for instance, which LibreOffice modules to install – even though the space saved is minimal. As a bonus, Peppermint OS’s security is enhanced, because users know exactly what is installed. The result is one of the fastest distributions I have installed, aided by the default Xfce desktop and extensive use of Qt for development.

Peppermint began with the goal of producing a hybrid of desktop and cloud services. That goal is most obvious in its site-specific browsers (SSBs) [2], which




convert URLs to desktop objects. Originally, this conversion was done by an application called ICE, which has since been replaced by Kumo (Figure 3).

Figure 2: Peppermint leaves the choice of most applications to the user, including the web browser.

Figure 3: SSBs create a desktop object for a URL.

Requests for information about Peppermint OS produced answers from cavy, the communications spokesman, and Tommy, the development lead, with input from other main developers.

Linux Magazine (LM): How has Peppermint evolved over the years?

cavy: There have been four distinct eras:
• 2010-2014: The Shane Remington and Kendall Weaver period. Shane and Kendall picked up LXDE from Linux Mint, who had dropped it from their desktop range. In May 2010, their goal was to produce a mini desktop with only system tools and allow the user to choose what software and apps they would want to have. Soon after in June 2010, they released Peppermint ICE (SSB) to distinguish it from their initial release.
• 2014: During this period LXDE saw a gradual demise, slipping into a dormant state, due to most of the LXDE maintainers leaving to join the Qt-oriented team that went on to develop LXQt. PCNetSpec (Mark Greaves) carried out numerous experiments with VinDSL and other lead members of his front-line team to test and determine which components could or would perform successfully within the modular LXDE desktop environment as it gradually evolved into a functional hybrid environment.
• 2019-2021: A transition period, beginning the initial attempts to build a working desktop utilizing LXDE and Ubuntu. Both had their foibles, making this task harder, due to the Canonical decision to insist snaps be the de facto software solution. Determining neither was a viable approach, then began the long and contentious debate [about whether] to employ and use the Debian base with the Xfce desktop.
• 2021: Our goal at this point was to produce a tribute release to PCNetSpec, one of the original founders and a long-time leader. At this point, we managed to overcome several late issues that we faced with changes to improve the Calamares theme, technical gremlins, and that nagging issue of an Ubuntu fan base unable to accept the migration to Debian. Even after all that, our launch was welcomed by the wider public and received critical praise from the Linux news media.
• Circa May 2022: We began to look at our image to place our stamp on Peppermint OS. We rebranded ourselves for Debian Bookworm, with new icons and name banners. We also released our network install ISO, and both Debian and Devuan ARM iterations. A server is our next objective.

LM: What are the advantages of Kumo and SSBs?

Tommy: Kumo allows for easier backup and restore needs, as well as sharing apps with other Kumo users. For many users, having a single web view of a site that they use is, in some ways, helpful for a user to focus on the content. What I hear from some users is that SSBs are useful for banking, for example, and not getting distracted by other tabs of the browser.

LM: Peppermint has been described as a hybrid between the LXDE and Xfce




desktops. What does it borrow from each? What is original with Peppermint?

cavy: Originally Peppermint was a mini LXDE. Later when the LXDE team left to join the LXQt team, it was left in a dormant state, with little being done to it between 2015 and 2020. PCNetSpec introduced various Xfce, MATE, and Cinnamon components in an attempt to prolong the LXDE base and created what became our signature custom look for Peppermint. Today, apart from the tribute to PCNetSpec in February 2022 with the custom component of the Nemo file manager, we have reverted to a full blown Xfce.

LM: How is Peppermint OS associated with the Portuguese distribution AcorOS [3]?

Tommy & cavy: Manuel Rosa is a part of the Peppermint team as well as the project lead for AcorOS. Peppermint has a concept of choice as the value that we provide. Therefore, the things that we ship with sometimes do not fully fit that out-of-the-box experience that some users may want. AcorOS fills that missing link, due to its focus on an out-of-the-box fully functional experience, with preinstalled applications, configurations, and settings that some users may prefer. In many ways our build processes are similar enough that we are able to work together and help each other’s communities, as well as collaborate with ideas and testing.

LM: How is Peppermint organized? How are decisions made?

Tommy: Peppermint does have a structure, with a project lead, a spokesman, a webmaster, and a group of core developers. Features, issues, and direction are openly discussed in the community on many occasions, but mainly with the core team. Sometimes things are voted on for decisions. If agreements cannot be met, compromises are proposed to help meet that middle ground.

cavy: Even with all the good will in the world, being a benign dictator is the only course of action.

LM: Who is the target audience?

Tommy & cavy: Anyone who has an interest in wanting a choice of how they equip their computer, like the option of either a systemd or a non-systemd-init OS.

LM: Why should users try Peppermint OS?

cavy: It is intuitive and straightforward to use. It puts you in control of what goes into your computer.

LM: Can you provide any stats about the distro, such as the number of downloads or commits?

cavy: Peppermint OS averages approximately over 20,000 downloads per month, with 60,775 in the last three months, from September 5 to December 3, 2023.

LM: Is there a future roadmap?

Tommy: The goal from the beginning in the transition from Ubuntu to Debian has been to provide maximum choice where acceptable – in other words, not so minimum that lots of time is consumed to build the system, and not so many packages that a user is losing time undoing the things we implemented. There are not really too many distributions out there that give a user that nice in-between; they either focus solely on new users or solely on the veteran user.

Really, Peppermint is not just a desktop distro at all. It is a starting point for what the user needs, be it desktop or server – not too much stuff installed where time is lost removing things but just enough stuff to generally have a plug-and-play working system to get them going.

We value choice. The user should be able to do the following with general ease:
• Use Peppermint as a server system if they want. We are currently working to help users deploy Peppermint as a server environment.
• Use Peppermint as a desktop and build it with ease to the user’s specs.
• Spin their version of Peppermint using the ISO build tools we have.
• Choose init systems, hence the Devuan spin.
We believe that these principles will help Peppermint OS’s community grow and continue as we roll into the future.

Info
[1] Peppermint OS: https://peppermintos.com/
[2] SSBs: https://en.wikipedia.org/wiki/Site-specific_browser
[3] AcorOS: https://sourceforge.net/projects/acor-os/files/AcorOS-6.0/



REVIEW
Organizational Tools

Scheduling tools for Linux

Get Organized
If you need help staying organized, Linux does not let you down with its large collection of
organization and scheduling tools. By Erik Bärwaldt

Lead Image © Rachata Teyparsit, 123RF.com

Planning tools for the desktop have long since replaced the diary-style organizers that were often given away as promos in the past. These electronic organizers offer several advantages over their paper counterparts. They can’t be misplaced, illegible entries are a thing of the past, and thanks to reminder functions you’ll never miss an appointment or deadline.

Users are spoiled for choice: There are numerous graphical appointment calendars, some of which are preinstalled on desktop environments. Their feature sets differ considerably, and some of them take up a good deal of storage space. This article examines some of the leading free graphical schedulers for individual workstations. Not considered in this roundup are cloud-based personal information managers (PIMs), groupware calendars, and schedulers integrated into email clients.

Features
The basic functions of an appointment scheduler include a daily, weekly, and monthly overview, where you can enter important dates. It should also be possible to set the time and duration of the event if needed. In addition, most organizers include some kind of reminder function that draws your attention to upcoming appointments.

The tools in this review are also capable of organizing individual events in freely definable categories to distinguish between private and business appointments. To let you transfer appointment data to other applications, including project management tools, the software needs export options with standard formats and import routines to match.

BORG Calendar
The BORG Calendar [1] desktop calendar solution is written in Java, making it platform-independent. Two variants of BORG are available for Linux: a DEB package for 64-bit systems and a ZIP archive. The ZIP archive does not contain a Java runtime environment, so you’ll need Java in place on your Linux system. The output from the java -version command in a terminal window will tell you if this is the case. If no detailed version information appears, you first need to add a Java runtime to the system using your distribution’s package manager.

Download the BORG ZIP package from the project page on GitHub and unzip it. Next, change to the newly created application directory and either run the ./run_borg.sh script at the prompt or launch the application by typing

java -jar borg.jar

After a short wait, the software opens a window where you can see a monthly calendar based on the current week. Above the calendar is a small buttonbar and a large menubar (Figure 1).

You can use the buttonbar to switch between the different views. There are separate buttons for the daily, weekly, and yearly views. Each of these opens a new tab while the previously opened tabs remain active, allowing you to jump back and forth between views. To the right of the buttons that display the calendar views you’ll find a group of buttons for an addressbook, a to-do list, tasks, notes, and checklists. Tasks can be defined in the scope of projects, which can consist of several sub-projects (in a tree view). All of the dialog boxes appear in separate tabs, and the tab structure extends to two lines if there are many active lists.

On the left side of the menubar, the Action item reflects the functions of the buttonbar. This is followed by the Options dialog for settings. Categories lets you assign the appointments to different




Figure 1: In BORG Calendar the buttonbar and menubar demonstrate its feature scope.

groups to improve the calendar views’ clarity. Individual categories can be shown or hidden. The Import/Export button (to the right of the category dialog) can be used to integrate or transfer data from other calendar applications. BORG Calendar uses XML as its file format. Sync lets you synchronize files with different services. You can choose between CalDAV, ICS, vCard, and Google.

Go to the configuration dialog below Options | Edit Preferences to customize BORG. Popup Reminders lets you specify the intervals at which the calendar displays appointment reminders on the desktop.

Startup Views lets you decide which tab to open automatically when you launch the program. Miscellaneous is for the system tray settings and other items. BORG Calendar disappears into the desktop’s system tray, remaining active when the actual program window is closed. You also define backups and logging behavior.

The Email Parameters dialog includes settings for configuring automatic email notifications.

Once you complete the configuration, you can enter some initial appointments. To do this, right-click on the desired date and time in the daily, weekly, or monthly view and select Add New from the context menu. Then enter a description in the description field below Subject in the Appointment Text area. Under the Appointment Time section, the No Specific Time box is initially checked; this disables the time selection. You can uncheck to set a specific time. The Properties section also relies on checkmarks. You can use them to assign the appointment to one of the predefined categories: Holiday, Private, Vacation, Half Day, or To Do. Your own categories are listed in the Category field.

In the Popup Reminders section you can press Change and then check the desired reminder options to specify how often and at what intervals you want BORG Calendar to remind you of the appointment. Then, in the Recurrence section, you can use Frequency to define whether the appointment is a one-time event or takes place on multiple days. If you want to link external files to the entry, for example, to have important documents at hand during a phone call, use the Link file button in the Links area and select the file in question in the file browser. If needed, you can link several files to the task. The files then appear in the window segment and can be opened at any time using the external applications available on your system. Finally, save the new entry by pressing Save or Save & Close. The application then closes the settings window (Figure 2) and displays the appointment in the primary window’s calendar.

Figure 2: The settings options for appointments are extensive.

Sometimes an appointment cannot be precisely scheduled and does not require additional configuration such as setting up reminders. In this case, you can right-click on the daily display and select the Appointment Quick Entry option to open a small window that only prompts you for the name of the event. OK confirms the new entry, which the application




then adds to the calendar. While conventional appointments are assigned a time, a red dot appears to the left of appointments for which no further details exist. BORG Calendar displays today’s events in a mixed order. Double-clicking on an entry without additional details takes you to the detailed configuration dialog for conventional appointments.

If you want to delete an appointment, just right-click it, declare the task done, and delete it. Entries marked as done that have not been removed are displayed in a strikethrough font.

In a busy calendar, it’s easy to lose track of things. You can use the binoculars icon in the buttonbar to search for appointments. If necessary, you can narrow down the matches by also defining what type of event it is and whether it belongs to one of the categories you specified. After clicking Search, the application shows a list of all the events that match the search criteria.

The software summarizes the appointments for a single day in the Appointment List column in the settings dialog. Below this are buttons that you can use to delete or manage entries in the list. Repeat appointments can be duplicated using Copy Appointment. After that, you only need to change the date in a separate window and the duplicated entry with all its settings is added to the open calendar overview.

Gnome Calendar
Gnome Calendar [2] is a software component of the Gnome graphical desktop environment. However, the GTK-based application runs just as well on other desktops. When you launch the program, a three-panel window appears. A view of the current month is on the right, with a reduced overview of the month at top left and a free area with today’s appointments below it (Figure 3).

Figure 3: The Gnome Calendar interface looks very neat.

Gnome Calendar is based on the Gnome desktop, so it does not have a buttonbar or a conventional menubar. Instead, the few controls are located in the titlebar. Use the titlebar to switch the monthly view to a daily or weekly view using the buttons in the center. Unlike most Gnome applications, Calendar does not have a settings menu. To configure the program, click the hamburger menu in the titlebar. You are then taken to a spartan dialog where your only option to decide is whether the application should show you the weather in the daily display based on the automatic location finder that is also enabled. Beyond that, the settings menu only contains an overview of the preset keyboard shortcuts and an info window for the program itself. The Online accounts option takes you nowhere and is probably still under development.

To enter appointments, click on the plus sign in the titlebar to open a dialog. You can edit the individual text fields by clicking on each field and entering the title and location. Under Schedule, you can enter start and end dates for your task. If you want to mark the event as All Day, use the slider to the right of it. The Repeat input area lets you define whether and when the task will repeat. You cannot create custom settings, only select from fixed intervals and days.

If you want to receive a reminder, Reminders offers several options. Gnome Calendar then outputs an audible warning signal reminding you of the upcoming appointment. Notes is where you can store notes about the appointment. The free text input field offers the option of transferring data from the clipboard or a file to the note field (Figure 4).

Figure 4: The entry dialog for new appointments in Gnome Calendar is quite spartan.

The green Done button finishes the configuration and adds the appointment, which now appears bottom left in the main program window’s free panel. The day of the appointment is also marked by a blue circle in the scaled-down monthly view. The application visualizes appointments extending over several days on the right with a continuous gray line in the large monthly overview (Figure 5).

To delete an appointment, left-click on it and choose Edit. You are then taken to the conventional edit window, which shows a Delete appointment button bottom right.

Gnome Calendar minimizes and disappears into the system tray by default; it




Figure 5: Filling out the schedule improves the task overview.

is shown there whenever the computer is rebooted. Reminders appear as popups on the desktop, while a mouse click on the calendar icon in the system tray displays a separate window with a list of reminders reflecting your configuration. Right-clicking on the icon opens a small settings window that helps you customize the icon functions.

The main program window cannot be dragged from the system tray to the desktop. If you have closed the window, it can only be called up again using the desktop menu.

KOrganizer
KOrganizer [3] is the KDE Plasma Desktop’s calendar application. You can use the application with other desktop environments, too, but KOrganizer accesses other KDE Plasma Desktop applications that may not be available on other desktops.

The KOrganizer window seems a little cluttered. At first glance, you will note that KOrganizer is not just a calendar application, but a complete organizer for several users. This explains why the program window has an extensive menubar and a buttonbar with just as much detail below it for quick access to the most important functions. On the left, there is a monthly overview consisting of three or four tiles arranged vertically. Below, in a free area, you can see the details of the appointments you added and a list of the active categories. On the right side, KOrganizer displays the actual calendar. By default, the software shows you the upcoming week, but you can change the view to other time spans (Figure 6).

Figure 6: KOrganizer offers very sophisticated functionality.

The New Event button opens a window to let you save an event. In addition to name, location, and time information, an event record includes other important details, such as a field for free text entry. You can also define keywords to help you find the entry again. In the lower area there are several configuration fields in an integrated tab structure, where you can specify whether the appointment repeats and add reminders. Enter additional participants in a separate tab. However, you can only use this option if KDE Plasma is installed, along with any specific programs you wish to reference. If you want to link content to the appointment, use the Attachments tab to link documents from external and local sources or embed files in the dialog (Figure 7). A click on OK confirms the entry.

To manage your appointments, just right-click on the desired calendar entry. You can then edit or delete the entry via the context menu and print the entry or enable the reminder function. To remove past appointments in a single step, you can call the matching command in the File menu.




Figure 7: Appointments can be entered in detail in KOrganizer.

File | Import lets you import datasets from other task planners. KOrganizer supports data in the ICS and VCS formats. To export datasets for use in another calendar application, use the File | Export dialog. You can then convert the desired data to iCalendar format. For access to past events later on, create an archive in File | Archive Old Incidences.

Settings | Configure KOrganizer lets you access the program’s configuration options. The developers based this on the operating conventions defined by KDE Plasma. On the left of the settings dialog, you will find a vertical category bar; you then make the changes on the right. You can define color coding, set an audible signal for reminders, or set up an email address used to notify other participants (this requires a groupware connection). If you set up reminders, the application outputs them in a separate window as a plain list when the trigger event occurs. If you also specified an audio file, an audible signal is output.

Osmo
Osmo [4] is a personal information manager – developed independently of desktop environments – with a focus on appointment management and with additional task and contact management features. Osmo has been developed with great attention to detail, and it has already made its way into the repositories of most package managers. As a cross-platform application, Osmo is available for Linux and BSD.

You’ll find the appearance of Osmo’s interface a little out of the ordinary. Although there are typical controls with a conventional menubar and a buttonbar, Osmo splits the main window segment into two sections. On the left, you will find this month’s calendar with today’s date marked, while smaller versions of the previous and next months appear below. On the right side of the program window, after the first launch, a large info area appears, showing you today’s details (Figure 8). The installation routine also creates a small launcher in the desktop environment’s system tray to let you quickly access the application.

Figure 8: Osmo uses an unconventional interface design for the program window.

Right-clicking on the desired date in the current monthly calendar on the left opens a context menu where you can select New task. An entry dialog in a separate window then prompts you for the data required for the appointment, including its priority. In addition, there is a free text input field for notes. You can configure reminders in the Advanced tab. By default, a reminder window on the desktop and an audible signal are enabled for each entry (Figure 9).

As soon as you close the appointment configuration, Osmo displays the new appointment on the right in the info area below the general information. It lists several entries, one below the other. On the left of the calendar display, today’s date is circled in red, while a green dot on the date denotes days with task entries. Osmo displays completed or finished appointments in a strikethrough font.

You can enter notes for an appointment by double-clicking on it. In the right part of the window, Osmo then displays a free area where you can enter or edit notes.

The application’s buttonbar adapts to reflect the function you called. In the Calendar tab, Osmo offers various navigation options in the calendar, and you also select the varying time periods for the calendar view. Print jobs can be started in Calendar. A backup and restore function supports convenient backup and restoration of data files.

Tasks returns the entries, with a checkmark indicating completed entries. If you have completed a task ahead of time, you can select it manually by checking the box to the left of the entry. Clicking on an event in the list displayed on the left calls up its details (Figure 10).

The task list, along with the Notes and Contacts tabs, all have a backup and restore function in the buttonbar. The Contacts tab lets you include photos and store birthdays. Osmo then automatically transfers birthdays to the calendar view and marks them with a yellow ellipse.




Figure 9: The entry dialog for appointments in Osmo is limited to the bare essentials.

Osmo lets you import and export data and can be combined with other similar applications. You can export appointments by opening a file manager in Tasks | Export tasks and specifying the file name and path. The application converts the data to ICS format before storing it in the target path.

Contacts can also be imported and exported. When importing, use a file manager to select the desired file in CSV format. To let you export a file, the application opens a separate dialog, where you not only enter the name and path for the file to be converted, but also select the data fields you want Osmo to include in the file. Then Export the file to CSV, XHTML, or VCF format.

Conclusions
As Table 1 demonstrates, the graphical schedulers available for Linux serve quite different needs. If you are only looking for a simple appointment management tool without additional features, Gnome Calendar is a good choice.

In terms of functionality, Osmo is a little more sophisticated. This distribution-independent tool’s interface is very appealing, and the calendar offers contact management and a notes area for free text entries linked to the appointments.

KOrganizer and BORG Calendar are suitable for professional groupware connections, which is why they come with many additional features. Both of these tools can send emails and add multiple participants to appointments; both are useful as rudimentary project planners thanks to their categorization functions. On the downside, both applications require a longer training period. The reward for this, though, is that they massively facilitate appointment management once you complete the learning curve.

Figure 10: In a separate view, you can also see details of appointments in Osmo.

Table 1: Graphical Scheduler Features

Feature                              | BORG Calendar | Gnome Calendar | KOrganizer   | Osmo
License                              | GPLv2         | GPLv3          | GPLv2        | GPLv2
Different calendar views             | +             | +              | +            | +
Categorization of appointments       | +             | Restrictions   | +            | +
Data import                          | +             | –              | +            | +
Data export                          | +             | –              | +            | +
Notes for tasks                      | +             | +              | +            | +
To-do lists                          | +             | –              | –            | –
Synchronization function             | +             | –              | –            | –
Optical reminder                     | +             | +              | +            | +
Audible reminder                     | +             | +              | +            | +
Variable reminder intervals          | +             | +              | +            | +
Data encryption                      | +             | –              | –            | +
Data backup                          | +             | –              | Restrictions | +
File attachments                     | +             | +              | +            | –
Search function (appointments/terms) | +             | +              | +            | +

Info
[1] BORG Calendar: https://github.com/mikeberger/borg_calendar
[2] Gnome Calendar: https://apps.gnome.org/app/org.gnome.Calendar/
[3] KOrganizer: https://apps.kde.org/en-gb/korganizer/
[4] Osmo: https://osmo-pim.sourceforge.net/

Author
Erik Bärwaldt is a self-employed IT admin and technical author living in the United Kingdom. He writes for several IT magazines.



IN-DEPTH
Command Line – tldr

A simplified documentation command

Cheat Sheet
A simplified alternative to man pages, tldr provides the most common command options at a glance.
By Bruce Byfield

Too long; didn’t read (TL;DR) is a flippant Internet acronym for a summary that first came into use about a decade ago. It seems to be falling out of fashion but survives in tldr, the newest command and format for computer documentation. It is far from the first documentation command, but it fills a niche as a cheat sheet for the most common options for commands.

The most common documentation format, of course, is the man page, which dates back to 1971 (Figure 1). Man pages cover commands, libraries, and configuration files, usually aiming for an encyclopedia-like summary of their topics. One great advantage is that the pages are highly organized, arranged in nine sections ranging from user commands and system calls to system administration calls, kernel routines, and daemons. Each page presents information in a rigid format divided into further sections (see Table 1), although not all sections are mandatory. The Examples, Notes, and Bugs sections, for example, are frequently omitted. This consistent structure compensates for the often overwhelming detail of some man pages, which can be over 1,000 lines long.

Lead Image © toonzzz, 123RF.com

Figure 1: The beginning of the ls man page.




Table 1: Man Page Sections

NAME
SYNOPSIS
CONFIGURATION
DESCRIPTION
OPTIONS
EXIT STATUS
RETURN VALUE
ERRORS
ENVIRONMENT
FILES
VERSIONS
CONFORMING TO
NOTES
BUGS
EXAMPLES
AUTHORS
SEE ALSO

GNU projects provide Info pages that have a similar purpose to man pages and often use more user-friendly language. However, they can be less structured and concise and have not caught on nearly as much. In fact, even GNU projects often maintain both formats. The main advantage of Info pages is that they can be read in Emacs using a mouse.

Less common but useful in their own way are whatis, which returns a one-sentence definition of a command, and apropos, which lists commands with similar functions. Similar to whatis, tldr provides documentation closer to GNU Info and man pages in the amount of detail given.

Using tldr as a Reference

Created by Romain Prieto in 2013, tldr became one of the most popular projects on GitHub by 2015. It received large boosts in such a short period as to suggest an organized promotional campaign. Whatever the case, the project has remained popular ever since, and the command is now readily available in many distributions. It is also available for Android, macOS, SunOS, and Windows.

When used for the first time, tldr uses online pages, resulting in a noticeable lapse before results are displayed. However, the option --update (-u), with an optional LOCALE at the end, creates a local cache in the current account at .local/share/tldr. The same option can be used to update the cache periodically with

--auto-update-interval DAYS

With --platform (-p) PLATFORM, an operating system’s pages can be specified, but in practice this is rarely needed. By default, results are printed in color, but the color can be turned off with --no-colors. Help is on a summary listed by the bare command or its own tldr command, or – ironically – from a man page.

Writing tldr Pages

Like man, tldr benefits from a well-defined structure (Figure 2). However, tldr’s structure is much simpler, making it clear that tldr is a supplement to man, not a replacement. Only commands are included in the pages, with only the most common use cases for each command.

Figure 2: While much simpler than a man page, tldr offers a well-defined structure.

Contributors wishing to set up a tldr page are encouraged to use the following guidelines from the tldr GitHub page [2]:

“1. Try to keep pages at around 5 examples. Pages can be longer or shorter when appropriate, but don't exceed 8 examples. Remember, it's OK if the page doesn't cover everything; that's what man is for.
“2. When in doubt, keep new command-line users in mind. Err on the side of clarity rather than terseness. For example, commands that require sudo should include it directly in the examples.
“3. Try to incorporate the spelled-out version of single-letter options in the example's description. The goal is to allow people to understand the syntax of the commands, not just memorize it.
“4. Introduce options gradually, starting with the simplest command




invocations, and using more complex examples progressively.
“5. Focus on details specific to the command, and avoid explaining general Unix concepts that could apply to any command (ex: relative/absolute paths, glob patterns/wildcards, special character escaping, ...).”

In addition, more complex commands may be broken into subcommands, such as git-commit and git-push (Figure 3). These divisions should be listed on the base page. Also, inclusive language is preferred – for instance, denylist/allowlist instead of blacklist/whitelist. The default language is English, although other languages are encouraged.

Figure 3: More complex commands are broken into subcommands on their base pages.

Because tldr is written in Markdown, the page structure is easy to learn – a necessity for a project that depends so heavily on outside contributions (Figure 4). Input is done by lines. General information can simply be entered as a line. Specific types of lines are identified by their first character (Table 2), just as an initial # indicates a comment in a text file. These lines are entered in an order that is checked when a page is submitted for approval.

Figure 4: The template for tldr pages.

Table 2: tldr Syntax

Character   Line Type
#           The name of the command. Alternatively, the first line that is not an example.
>           Other information including a general description (one to two lines long) and a link to additional information – often but not always to a man page.
-           An example followed by a general line that gives the example. Up to eight examples can be included, with the most common use cases first.

The Limits of tldr

It is important not to expect too much from tldr. The command is not a replacement for man or GNU Info so much as a quick reference guide. Just like many desktop applications, it makes no attempt to cover every option. In fact, with complicated commands, it can be less useful than a man or Info page, becoming cumbersome, even with base pages. Moreover, in some cases, a tldr page can sometimes appear at first glance as obscure as the command structure at the top of a man page. Some might also dislike the lack of developer credit, both because credit is the traditional reward for writing free software and for the practical reason that a developer’s credit can be handy for those who want more detailed information or to file a bug.

Despite these limitations, tldr fills a niche that was previously empty. Sometimes, what users need is only a quick reminder that takes them away from their work for the least time possible. When that happens, tldr is the command to use.

Info

[1] tldr: https://github.com/tldr-pages
[2] Guidelines: https://github.com/tldr-pages/tldr/blob/main/CONTRIBUTING.md
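As an added example (not code from the tldr project or from the article), the following Python script parses a tldr page by the line types in Table 2 and checks it against the guidelines quoted above, such as the limit of eight examples. It assumes the project's page convention that each "-" description line is followed by the command in backticks with {{placeholder}} arguments; the sample page for tar is constructed here, not copied from the tldr repository.

```python
"""Parse a tldr page into its parts and lint it against the contributor
guidelines quoted in the article. Added example; not the tldr project's code."""
import re
from dataclasses import dataclass, field

# Constructed sample page; the layout follows Table 2 ('#', '>', '-' lines)
# plus the project's convention of a backtick-quoted command after each '-'.
SAMPLE_PAGE = """\
# tar

> Archiving utility.
> More information: <https://www.gnu.org/software/tar>.

- Create an archive from files:

`tar cf {{target.tar}} {{file1}} {{file2}} {{file3}}`

- Extract an archive into the current directory:

`tar xf {{source.tar}}`

- List the contents of a tar file verbosely:

`tar tvf {{source.tar}}`
"""

PLACEHOLDER = re.compile(r"\{\{(.+?)\}\}")
MAX_EXAMPLES = 8   # guideline 1: "don't exceed 8 examples"


@dataclass
class Example:
    description: str
    command: str
    placeholders: list = field(default_factory=list)


@dataclass
class TldrPage:
    name: str = ""
    description: list = field(default_factory=list)
    more_info: str = ""
    examples: list = field(default_factory=list)


def parse_page(text):
    """Classify each non-blank line by its first character (Table 2)."""
    page = TldrPage()
    pending = None  # '-' description waiting for its command line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# "):
            page.name = line[2:].strip()
        elif line.startswith("> "):
            body = line[2:].strip()
            link = re.search(r"<(https?://[^>]+)>", body)
            if link and body.startswith("More information:"):
                page.more_info = link.group(1)
            else:
                page.description.append(body)
        elif line.startswith("- "):
            if pending is not None:
                raise ValueError(f"example without a command line: {pending!r}")
            pending = line[2:].strip().rstrip(":")
        elif len(line) > 2 and line.startswith("`") and line.endswith("`"):
            if pending is None:
                raise ValueError(f"command line without a '-' description: {line!r}")
            command = line[1:-1]
            page.examples.append(Example(pending, command, PLACEHOLDER.findall(command)))
            pending = None
        else:
            raise ValueError(f"unrecognized line: {raw!r}")
    if pending is not None:
        raise ValueError(f"example without a command line: {pending!r}")
    return page


def lint_page(page):
    """Return guideline violations found on the page (empty list when it passes)."""
    problems = []
    if not page.name:
        problems.append("missing '#' line naming the command")
    if not page.description:
        problems.append("missing '>' description line")
    if not page.more_info:
        problems.append("missing 'More information:' link")
    if not page.examples:
        problems.append("page has no examples")
    elif len(page.examples) > MAX_EXAMPLES:
        problems.append(f"{len(page.examples)} examples exceed the limit of {MAX_EXAMPLES}")
    return problems


if __name__ == "__main__":
    parsed = parse_page(SAMPLE_PAGE)
    print(f"{parsed.name}: {len(parsed.examples)} examples, placeholders:",
          sorted({p for ex in parsed.examples for p in ex.placeholders}))
    print("lint:", lint_page(parsed) or "ok")
```

The parser rejects a page whose lines are out of order (a command line with no preceding "-" description, or a description with no command), which is the kind of structural check the article says is applied when a page is submitted; the linter only covers the countable guidelines, since points such as "include sudo where needed" need a human reviewer.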





IN-DEPTH
DNS Subdomain Hijacking

Preventing DNS subdomain hijacking

Domains Gone Astray

Attackers can use poorly maintained DNS records to gain access to your IP address. The open source
DNS Reaper lets you monitor your records to ward off attacks. By Matthias Wübbeling

Photo by cdd20 on Unsplash

The Domain Name System (DNS), comparable to an address book, forms the backbone of today’s communication on the Internet. With IPv4, IT administrators could memorize their most important servers’ IPv4 addresses, but there is no alternative to DNS with IPv6. In this article, I will show you how attackers exploit old DNS records to hijack parts of your domain, as well as show you how to protect yourself against these attacks.

DNS is divided into zones (a portion of the DNS namespace) managed by individual organizations or administrations. New entries are quickly created, and many projects sometimes result in very large zone files. Often, remnants of test setups or projects will remain in a zone even after they are no longer in use. Combine this with external services, such as external hosting or cloud service providers, and outdated entries can become dangerous.

Subdomain Hijacking

A simple example involves an A or AAAA entry from a subdomain on a cloud provider’s IP address. When a project ends, all paid services are canceled with no further access to the cloud server. If this DNS entry does not result in explicit costs, users often simply forget to delete the entry. Because the entry still points to the provider’s IP address, this entry becomes a dangling record – at least as long as the resource is not accessible. If a potential attacker gets the newly freed IP address for their server, the address can also be reached through your company’s subdomain, but the services or content offered at the IP address are no longer under your control.

If you rely on cloud providers for your projects’ resources, your subdomains will come from the provider’s zone. A generic domain such as xyz.example.com is then made available to let you access your files. Of course, you could now resolve the IP address and add it as an A record for cloud.linux-magazine.com to




your DNS. However, cloud providers usually operate a content delivery network (CDN), so your file is usually accessible from multiple IP addresses, and these addresses can change.

To avoid dealing with these underlying provider-side infrastructure changes, it makes sense not to use A records. Instead, you can use a CNAME record that points directly to xyz.example.com. Much like a shortcut on a filesystem, this changes the name resolution for your subdomain when the entries for xyz.example.com change. By doing this, you can still benefit from the dynamics offered by your cloud provider without having to worry about name resolution yourself. When you use your own domain name, you will not even notice the difference, because the resolving name server takes care of everything and simply returns the IP address that you need to access the files.

Name Assignments in the Cloud

Your data in the cloud is stored alongside data from your provider’s other customers. The provider evaluates the hostname transmitted in the request in order to determine what information needs to be delivered when the data is accessed. However, this hostname is no longer xyz.example.com but the name of your subdomain, which resolves to the IP address of xyz.example.com thanks to the CNAME record.

Once you have finished the project and released the resources from the cloud, the assignment to your subdomain also disappears from the provider’s system. Access is now no longer possible using the hostnames from your subdomain. In many cases, however, the admin responsible for the DNS zone is not notified, and the CNAME record continues to exist – your provider’s xyz subdomain is so long and random that it would probably never be assigned to anyone a second time.

If an attacker sees that you connect to your cloud provider via your domain’s CNAME record (e.g., by assigning the IP address resolved by your subdomain to your provider), the attacker could attempt to store the hostnames originally used in your company’s subdomain under the attacker’s account with the same provider. Depending on your provider, checks may not be performed to ascertain whether use of the stored name is actually legitimate. In addition, the name can only be used if a CNAME record is stored for it in DNS.

Rebound Attack

While the attacker will not get the same subdomain xyz.example.com as you did for your projects, it could be something like zyx. In fact, a real A record for your xyz entry in your provider’s DNS zone has never existed. Instead, wildcards (*.example.com) simply resolve all the requested subdomains to the available IP addresses in your provider’s CDN. Your provider handles the actual assignment to the data via the hostname supplied with the request – and this hostname is now stored under the attacker’s account.

With the data available in the attacker’s project, which can be accessed through your company’s domain, the attacker can now disseminate information claiming to be your company. They can also specifically attack your company or your customers, for example, by embedding manipulated content from this domain via a vulnerability in a web application. By using your subdomain, the same-origin policies of modern web browsers may allow active content to be executed in the context of your website.

In addition to attacks based on stored files, the same techniques can be used for access by other services. CNAME records can be created for any type of server, including the names of namespace (NS) or mail exchange (MX) records. Armed with these, an attacker can then control an entire subdomain or use one of your company’s subdomains to send and receive email.

Taking Countermeasures

In an ideal world, the DNS zone’s administrators would immediately be notified upon completion of a project and subsequently would remove the CNAME record, ensuring these attacks couldn’t happen. Unfortunately, this sometimes does not happen in real life. On a positive note, there are a number of tools to help admins to check active and passive DNS entries.

Punk Security’s DNS Reaper [1], an actively maintained open source tool, is one such solution. You can download DNS Reaper from GitHub and install it on your system. Punk Security also offers a pre-built image for use in a Docker container, which lets you use DNS Reaper directly without managing the runtime environment and any dependencies yourself. To view DNS Reaper’s options and download the Docker image, simply use the following command:

    docker run -ti --rm punksecurity/dnsreaper --help

You can use the output to get oriented and identify potential arguments for your use case. Of course, DNS Reaper needs a way to check all the existing entries in your zone. A black box check (i.e., without further knowledge of your DNS zone’s structure) is not possible. While there are techniques to determine different entries in the DNS, applying them will not give you all of the existing entries.

For a comprehensive check, your best bet is to export your entire zone from the DNS server and make it available to DNS Reaper. If this is available in a BIND DNS compatible format, the software can use it directly. To use a zone file named domain.zone in the Docker container, you need to mount it as a volume in the image. You can then start it using the following command:

    docker run -it --rm -v ./domain.zone:/domain.zone punksecurity/dnsreaper bind --bind-zone-file /domain.zone

Alternatively, you can also use providers supported by DNS Reaper, such as AWS or Azure, by passing in your access credentials with the call. Transferring the zone directly from a DNS server is also possible, but this requires intervention in the server’s configuration to allow a zone transfer.

Conclusions

Poorly maintained DNS records are more dangerous than they might appear at first glance. Attackers can use dangling records to run attacks that look like they originated in your organization. DNS Reaper helps you monitor your DNS records to protect against attackers.

Info

[1] DNS Reaper: https://github.com/punk-security/dnsReaper
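To make the two kinds of dangling record from the article concrete, here is an added Python example (not DNS Reaper's code and not from the article) that reads a BIND-style zone export and flags CNAMEs whose target no longer resolves, plus A/AAAA records pointing outside the address ranges you still hold. The zone, the address inventory and the lookup table are all constructed for the example; real use would pass the system resolver and your own inventory.

```python
"""Spot dangling records in a BIND-style zone file. Added example; not DNS
Reaper's code and not an exhaustive check. It flags CNAMEs whose target no
longer resolves and A/AAAA records pointing outside your address inventory."""
import ipaddress
import socket
from dataclasses import dataclass

# Constructed zone: the names extend the article's examples, the addresses are
# documentation ranges (RFC 5737), and nothing here is a real deployment.
SAMPLE_ZONE = """\
$ORIGIN linux-magazine.example.
$TTL 3600
@          IN SOA   ns1 hostmaster 2024020100 7200 3600 1209600 3600
@          IN NS    ns1
ns1        IN A     192.0.2.10
www        IN A     192.0.2.20
cloud      IN CNAME xyz.example.com.                    ; still-active project
old-demo   IN CNAME abandoned.cloud-provider.example.   ; project finished
legacy     IN A     198.51.100.77                       ; address no longer ours
"""

# Address ranges the organization still controls (constructed inventory).
OWNED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed answers standing in for live DNS, so the script runs offline.
SAMPLE_LOOKUPS = {"xyz.example.com": True, "abandoned.cloud-provider.example": False}


@dataclass
class Record:
    name: str
    rtype: str
    rdata: str


def parse_zone(text):
    """Minimal zone parser: $ORIGIN/$TTL, optional TTL and class, one record per line."""
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "$TTL":
            continue
        name = origin if fields[0] == "@" else fields[0]
        if not name.endswith("."):
            name = f"{name}.{origin}"           # qualify relative owner names
        rest = fields[1:]
        if rest and rest[0].isdigit():          # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":    # optional class
            rest = rest[1:]
        records.append(Record(name, rest[0].upper(), " ".join(rest[1:])))
    return records


def live_resolver(name):
    """Ask the system resolver whether a name currently has any address."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def find_dangling(records, resolves=live_resolver, owned=OWNED_NETWORKS):
    """Return (owner name, reason) pairs for records an admin should review."""
    findings = []
    for rec in records:
        if rec.rtype == "CNAME":
            if not resolves(rec.rdata.rstrip(".")):
                findings.append((rec.name, f"CNAME target {rec.rdata} does not resolve"))
        elif rec.rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rec.rdata)
            if not any(addr in net for net in owned):
                findings.append((rec.name, f"{rec.rtype} {rec.rdata} is outside the address inventory"))
    return findings


if __name__ == "__main__":
    for owner, reason in find_dangling(parse_zone(SAMPLE_ZONE),
                                       resolves=lambda n: SAMPLE_LOOKUPS.get(n, False)):
        print(f"{owner}  {reason}")
```

A resolving target is not proof that the name is still yours: on a provider that answers every subdomain from a wildcard, as described under "Rebound Attack", the target of an abandoned CNAME keeps resolving, which is why DNS Reaper checks provider-specific signatures rather than resolution alone. The address check is only as good as the inventory you feed it.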



IN-DEPTH
Passive Reconnaissance

Researching a target with passive reconnaissance tools

Hunting and
Gathering
Cyberattacks often start with preliminary research on network assets and the people who use them.
We’ll show you some of the tools attackers use to get information. By Chris Binnie

Photo by Goh Rhy Yan on Unsplash

When sizing up potential targets, attackers try to get as much information as possible without raising any alarms. The ability to passively research the details of online resources and their associated humans has never been easier. If you’re wondering what kind of information about you and your network is available online right now, the best way to find out is to look for it yourself.

This article examines some online services that tabulate known information on users and websites. Some of these services use information that is freely available through online sources; others delve into the dark web to find data that has turned up in security breaches. For privacy, and in order to demonstrate richer examples, identifying information in the output of the tools described in this article will be redacted.

Certifiable

A few years ago, the mighty Google announced [1] that it was putting more weight on websites running HTTPS, as opposed to the unencrypted HTTP alternative, for its search engine indexing results. Google stated authoritatively (as the main player in the search space): “Browsing the web should be a private experience between the user and the website and must not be subject to eavesdropping, man-in-the-middle attacks, or data modification.” And, while this announcement provided an excellent incentive for website

Figure 1: This website has used a number of different certificates.

Figure 2: There’s a lot of information stored at crt.sh.




owners to move to solely using HTTPS, it had an unwelcome side effect that made life a little easier for attackers. Attackers soon realized that, if each website uses HTTPS, the SSL certificates (now TLS certificates) for every website could be captured and scrutinized. Unlike a simple DNS entry, certificates hold much more information.

The first online tool that I will look at is called crt.sh. The crt.sh service [2], which is run by the certificate company Sectigo Limited [3], maintains a massive database of certificates that were discovered on websites (and potentially other services). Its splash page [2] tempts users with broad search criteria: “Enter an Identity (Domain Name, Organization Name, etc), a Certificate Fingerprint (SHA-1 or SHA-256), or a crt.sh ID.”

In other words, it is possible to search for companies (not just domain names), as well as by certificate fingerprints and other criteria. There are also a number of advanced search options that I’d recommend testing. It is possible to automate usage of the tool by passing the search query directly to the main URL, such as:

    https://crt.sh/?q=domain.tld

Figure 1 shows an example of a search. For a relatively quiet website, there’s lots of information available for an attacker. It is immediately obvious that over the years, the site used a variety of certificate providers, including Let’s Encrypt, DigiCert, and RapidSSL.

The wealth of information available just from the abbreviated output in Figure 1 would surprise most crt.sh users. Click on a link on the right side of Figure 1, and you’ll see a tiny sample of what is known, including information on which applications can make use of the certificate authority (Figure 2).

Back to the results in Figure 1, the column entitled Common Name provides a plethora of information that just keeps on giving. The field reports hundreds, maybe thousands, of hostnames that certificates have supported over the years, along with timestamps to check for the likely status. These hostnames could include valuable information on the domain path, such as accounts.domain.com or mail3.domain.org.

Each of these fully qualified names presents an attack surface that you can extract from crt.sh. I’d encourage you to try tools like this yourself to see if your website has publicly leaked any unwelcome information.

Figure 3: A redacted example of DNSDumpster in action.

Figure 4: DNSDumpster offers clever visualizations.
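The hostname inventory the Common Name column gives you can be built programmatically for your own domain. The following Python is an added example (not the article's or crt.sh's code): it assumes the search URL shown above also accepts output=json and returns per-certificate records with the fields id, issuer_name, common_name, name_value (SANs separated by newlines), not_before and not_after; the records below are constructed in that shape so the script runs offline, and only the live query helper touches the network.

```python
"""Turn crt.sh's JSON output for a domain into an inventory of the hostnames
its certificates have carried, split by whether a certificate is still valid.
Added example; not the article's or crt.sh's code."""
import json
import urllib.request
from collections import defaultdict

# Constructed records in the shape of crt.sh JSON output (assumption: the
# service returns id, issuer_name, common_name, name_value, not_before and
# not_after per certificate; name_value lists SANs separated by newlines).
SAMPLE_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.domain.tld",
     "name_value": "www.domain.tld\ndomain.tld",
     "not_before": "2023-09-01T00:00:00", "not_after": "2023-11-30T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=DigiCert Inc, CN=Example Intermediate CA",
     "common_name": "mail3.domain.tld",
     "name_value": "mail3.domain.tld\naccounts.domain.tld\n*.domain.tld",
     "not_before": "2021-01-10T00:00:00", "not_after": "2022-01-10T00:00:00"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "accounts.domain.tld",
     "name_value": "accounts.domain.tld",
     "not_before": "2024-01-05T00:00:00", "not_after": "2024-04-05T00:00:00"},
])


def fetch_records(domain):
    """Live query (not used by the offline demo): the article's URL plus output=json."""
    url = f"https://crt.sh/?q={domain}&output=json"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return parse_records(resp.read().decode())


def parse_records(text):
    return json.loads(text)


def issuer_org(issuer_name):
    """Pull the O= component out of an X.500 issuer string."""
    for part in issuer_name.split(","):
        key, _, value = part.strip().partition("=")
        if key == "O":
            return value
    return issuer_name


def hostnames(records):
    """Map each name on any certificate to its certificate count, issuers and validity span."""
    seen = defaultdict(lambda: {"certs": 0, "issuers": set(), "first": None, "last": None})
    for rec in records:
        names = set(rec["name_value"].split("\n")) | {rec["common_name"]}
        for host in names:
            entry = seen[host.strip().lower()]
            entry["certs"] += 1
            entry["issuers"].add(issuer_org(rec["issuer_name"]))
            # ISO-8601 timestamps of equal format compare correctly as strings
            if entry["first"] is None or rec["not_before"] < entry["first"]:
                entry["first"] = rec["not_before"]
            if entry["last"] is None or rec["not_after"] > entry["last"]:
                entry["last"] = rec["not_after"]
    return dict(seen)


def classify(records, as_of):
    """Split names into those with a certificate valid at as_of and those seen only on expired ones."""
    current, stale = [], []
    for host, info in sorted(hostnames(records).items()):
        (current if info["last"] >= as_of else stale).append(host)
    return current, stale


if __name__ == "__main__":
    recs = parse_records(SAMPLE_JSON)
    for host, info in sorted(hostnames(recs).items()):
        print(f"{host:24} certs={info['certs']} issuers={sorted(info['issuers'])} "
              f"{info['first'][:10]}..{info['last'][:10]}")
    cur, stale = classify(recs, "2024-02-01T00:00:00")
    print("current:", cur)
    print("expired only (check whether host and DNS record still exist):", stale)
```

The "expired only" list is the one to act on: each name there was public at some point, and you want to know whether the host behind it was decommissioned cleanly or whether a DNS record for it still exists. Run with the live helper, a wildcard in your own name_value output also tells you that a single certificate covers every subdomain, which hides nothing from crt.sh but does hide individual hostnames.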

Digging into DNS

Another tool that can reveal a lot of information about resources related to a domain name is called DNSDumpster [4] by Hacker Target Pty Ltd. According to the website, this service offers “…a FREE domain research tool that can discover hosts related to a domain. Finding visible hosts from the attackers perspective is an important part of the security assessment process.”

Figure 3 shows what happens when you add a domain name to the DNSDumpster search box. Even querying against a relatively quiet domain name, DNSDumpster can fill the screen with information that points the user in all sorts of directions. Figure 4 shows a visualization of the




relationships among the discovered resources in the form of a graph.

If you are new to the term, OSINT (Open Source Intelligence) provides “legally gathered information about an individual or organization from free, public sources.” If you discover intriguing information within DNS for a domain name, I recommend visiting an excellent OSINT resource called OSINT Framework [5]. OSINT Framework is an eye-watering resource that you could spend several days exploring. The site pulls together a vast array of free online tools and resources.

Consider PassiveDNS as an example. Figure 5 shows that, by expanding various menu options relating to DNS, you can see there are many pointers to free online tools to help you perform passive reconnaissance for DNS queries.

Figure 5: OSINT Framework delivering on suggested DNS tools.

Click the DNS History button on the right side of Figure 5, and you are pointed at a site called DNS History [6], which is run by 8086 Consultancy [7]. Figure 6 shows how simple it is to use the site if you need to query when changes took place for a DNS entry.

Figure 6: You should experiment with the clever DNS History service.

Scroll a little further down the search page to see some historical record references that might be useful to you or an attacker (Figure 7). In some cases, apparently obsolete and no longer public IP addresses might currently have other live systems using them.

Figure 7: Useful DNS A records with IP addresses and the dates they were in use.

The sophisticated DNS History service also displays easy-to-read representations of the number of registrations for domain names. As shown in Figure 8, a new feature, currently in Beta, shows a heat map of where on the planet registrations are taking place. DNS History is an impressive site that deserves much more time dedicated to exploring it.

Figure 8: A heat map lets you see where domain names are commonly registered. (Source http://dnshistory.org/p/heatmaps)

Going Dark

So far I have focused on certificates and DNS, along with the outstanding OSINT Framework, which is a topic all of its own. If you’re willing to take a step down into the darkness, you can also find information by rummaging deeper on the dark web. Suppose I wanted to find information relating to a specific user via their email address. There are a number of services that collect

Figure 9: Dehashed: That’s a lot of assets. (Source: https://www.dehashed.com)




information from the dark web for security professionals (and attackers obviously) to query. One service I’ve used professionally is Dehashed [8]. Figure 9 shows the mind-blowing number of compromised resources visible to Dehashed. You need to register for a free account to query the database. Signing up for a reasonably priced subscription will provide much more information in relation to the queries you perform.

To demonstrate what is available for free, I have used an email I know has been exposed a number of times, thanks to the inimitable Have I Been Pwned website [9] (for more on Have I Been Pwned, see the box entitled “Pwn Check”).

Pwn Check

Entering a problematic email address into Have I Been Pwned returns lots of information about each breach associated with the address. For the address used in this article, I also received this warning: “Pwned in 18 data breaches and found 2 pastes (subscribe to search sensitive breaches)”. That’s really not good news, and if you didn’t have unique passwords, it could be even worse.

Have I Been Pwned also lets you set up an alert to notify you if your email address shows up in a data breach [10] (see Figure 10).

Figure 10: Using Have I Been Pwned. (Source https://haveibeenpwned.com)

When I checked the email address in Dehashed, I got the results shown in Figure 11. Figure 12 shows some of the details from the 31 results Figure 11 mentions. A careful look at Figure 12 shows some of the Sourced from data sources.

These sources are well-known data breaches that contained the email address. (If you’re interested, check out the article at the CSO site on the 15 biggest data breaches this century [11].)

Back to Dehashed, if you have an active subscription, you can click on any of the items relating to breaches on the left side of the screen, and the service will reveal what data was present in the data breach (relating to the email address). Findings can include all sorts of data, including: usernames, email addresses, IP addresses, postal addresses, telephone numbers, passwords (hashed and in plain text), and human names. The data is not just alluded to either – the findings are displayed for all to see.

Dehashed lets you request that an entry be removed from its database, but of course, the data could still be present in many other places online, including the dark web. Removing the visibility of the data in Dehashed only hides it from some security researchers and others who are using Dehashed.

Dehashed also provides a comprehensive (subscription-based) monitoring service, alongside a fully fledged API. The Dehashed Data Wells page [12] shows how much data was retrieved from specific data breaches, along with a narrative that provides some additional and useful context.

Figure 11: Dehashed has found some worrying data relating to the email address. (Source: https://www.dehashed.com)

Figure 12: The breaches where the findings were discovered. (Source: https://www.dehashed.com)

Figure 13: The breaches that Dehashed references (Source: https://dehashed.com/data): The “17 Database Breach,” where apparently, in 2016, data related to a streaming app was exposed, including information about four million users.

Conclusion

There are many ways of performing recon online without ever going near a potential target. Attackers will take advantage of tools like the ones described in this article. If you’re serious about thinking like an attacker, you can use these tools to do your own reconnaissance and determine how much of your data is exposed online. I encourage you to spend lots of time on the OSINT Framework site to gain a better understanding of the passive reconnaissance tools currently in use.

Info

[1] “Indexing HTTPS Pages by Default”: https://developers.google.com/search/blog/2015/12/indexing-https-pages-by-default
[2] crt.sh: https://crt.sh
[3] Sectigo: https://sectigo.com
[4] DNSDumpster: https://dnsdumpster.com
[5] OSINT Framework: https://osintframework.com
[6] DNS History: http://dnshistory.org
[7] 8086 Consultancy: http://www.8086.net
[8] Dehashed: https://www.dehashed.com
[9] Have I Been Pwned?: https://haveibeenpwned.com
[10] Notification at Have I Been Pwned?: https://haveibeenpwned.com/NotifyMe
[11] “The 15 Biggest Data Breaches of the 21st Century”: https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html
[12] Dehashed Data Wells: https://dehashed.com/data

Author

Chris Binnie is a Cloud Native Security consultant and coauthor of the book Cloud Native Security: https://www.amazon.com/Cloud-Native-Security-Chris-Binnie/dp/1119782236.



IN-DEPTH
Formatting with LibreOffice

A more consistent, time-saving formatting option

The case for style


Learning how to use styles in LibreOffice can save you hours of formatting and let you focus on your writing. By Bruce Byfield

Photo by Nick Morrison on Unsplash

Why does LibreOffice Writer need a how-to? Aren’t millions familiar with it through daily use? Not exactly – many use LibreOffice inefficiently, ignoring the tools designed to make work easier, and do everything the hard way. It’s like dragging your feet instead of using the brakes.

When using LibreOffice, or any word processor, most people type some text, pause to format the text before typing more, and then repeat the process, which is slow and likely to interrupt one’s train of thought. To change the format, a user must go through the document individually updating every instance of the old format. This method of working is known as direct or manual formatting.

Word processors in general, and LibreOffice Writer in particular, are not primarily designed for direct formatting. They can be used that way and even have tools to help users who insist on direct formatting. However, LibreOffice is most efficient when using styles, its equivalent of programming variables. A style is a collection of formatting options, where one paragraph style might be Times Roman 12-point bold italic and another Helvetica Regular 18-point.

Styles can be set up to be applied automatically. When styles are used, a format only needs to be changed once, instead of individually. Although styles can take time to set up, they can be saved as templates and reused. By using styles, users can focus on developing their thoughts, as well as save themselves time formatting their documents.

These benefits apply especially to LibreOffice Writer. Most word processors have paragraph and character styles, but Writer also has page, list, frame, and table styles. The story goes that when StarDivision, LibreOffice’s original ancestor, was developed, the programmers were told they would have to use it to document their efforts. As a result, they added every useful tool they could think of, especially for styles. The developers were so thorough that many publishers today set their books using Writer. In fact, thanks to styles, Writer is not so much a word processor as a desktop publisher.

The Structure of Styles

Styles can be edited through Writer’s Styles window by pressing F11 (Figure 1). The Styles window is also the most convenient way to apply styles, although you can also use the Styles menu and a toolbar item to display the most commonly used styles. The Styles window is particularly useful because it can be repositioned and offers different views of the available styles, including a view of the styles used in the document.

Figure 1: Writer’s Styles window is the most convenient place to apply styles.

At first, setting a Writer style may seem a daunting task that requires dozens of choices. However, Writer includes dozens of defaults that can be customized with only minimal changes. For instance, if you do not want a particular feature, such as a background color, you can simply ignore it. Moreover, a style can be used for


years, so the effort upfront can save time and effort each time you use the style in the future. In fact, a well-customized style can save you hours over the years. I still use a template with styles that I created 20 years ago that probably has saved me days of work.

When you are writing, the features of a style are applied automatically. If, for instance, a paragraph style indents the first line, there is no need for a tab. Similarly, if there are spaces following a paragraph rather than an initial indent, the spaces are applied when you press the Enter key. In addition, on the Organizer tab of any style (Figure 2), you can use the Inherited from field to base a style on an existing one, a feature that is useful when creating related styles. In fact, several groups of styles are hierarchical, such as the Heading, Table of Contents, Index, and Text Body styles. Edit the Heading style, for example, and your changes are automatically applied to Heading 1 through Heading 10 (Figure 3). You only need to edit Heading 1 through Heading 10 individually for their unique features. Because such hierarchical styles usually have many features in common, this arrangement saves considerable time.

Another useful field on the Organizer tab is the Next style field, which assigns the style that follows the current one. For example, if the First Page style is followed by the Left Page style, and the Left Page style followed by the Right Page, a document is formatted in the background as you write (Figure 4). Once you apply the

Figure 2: The Organizer tab helps to automate the use of styles.
Figure 4: One style can be set to succeed another automatically.

First Page style, the rest is taken care of for you. In the same way, you can set a Title style to be followed by a Subtitle style and then Text Body.

Because setting all the styles in a document can take several hours, you won't want to do this each time you start a document. Instead, when the styles are perfected, you can save your effort in a template via File | Templates | Save As Template. To reuse the template, select it from File | New | Templates (Figure 5). You might also use File | Templates | Edit Templates to add other automatic features such as Fields to complement the styles.

Figure 3: Because styles can be hierarchical, changes to the top style are inherited by styles lower in the hierarchy.

When to Use Styles?
Ideally, the answer would be always. However, unless you develop a template for each kind of document you frequently write, that may not be practical. I suggest the following guidelines for manual formatting:
• The document is short (one to two pages).
• The document will be used once and never reused.
• The document will be edited by only one person.
• The document will only be edited soon after it is written.
• The document will be edited by people who have no idea how to use styles and refuse to learn.
• A consistent format doesn't matter for some other reason.
• You are experimenting with styles while building a template. Until you finalize the styles, you will make so many changes that creating styles is mostly wasted effort.
• The document's formatting is extremely simple, like an essay.

On the other hand, I recommend using styles for the following cases:
• A document is long (over three pages).
• A document will be used over and over.
• A document will be edited by more than one person.
• A document will be edited weeks, months, or even years after the first version.
• A document belongs to a standard class of documents, such as a letter or memo.
• A document must match that of other documents from you or your company or organization.
• A document will be used in a number of different ways, each of which requires some minor changes (e.g., printing it on both a white and a red background).
• A document is highly formatted, like a brochure.

The more circumstances that apply, the clearer your decision will be.

A Different Way to Write
You may need time to get used to the idea of styles. Instead of jumping right into writing, using styles involves more preplanning than manual formatting. However, using styles allows you to concentrate on developing your thoughts rather than focusing on formatting. Once you are used to the change, you should start to see that word processing is more than an electric typewriter. Moreover, you'll be working with LibreOffice, rather than against it.

Figure 5: Templates store styles (and therefore layout) for reuse.

Author
Bruce Byfield is a computer journalist and a freelance writer and editor specializing in free and open source software. In addition to his writing projects, he also teaches live and e-learning courses. In his spare time, Bruce writes about Northwest Coast art (http://brucebyfield.wordpress.com). He is also co-founder of Prentice Pieces, a blog about writing and fantasy at https://prenticepieces.com/.


IN-DEPTH
Mining Monero

Mining the Monero cryptocurrency the CLI way

Mini Miner
The Monero cryptocurrency lets you get in the game without spending thousands on
hardware. We’ll show you how. By Daniel LaSalle

When I started mining Bitcoin 13 years ago, the hardware standard was a bunch of Windows computers built up around the best possible video cards and power supplies. The end goal was to achieve the most hashes per second (H/s, or sometimes expressed as kH/s or MH/s) [1]. To this day, it is easy to find articles explaining how to mine Bitcoin using this classic setup. But few of the mining tools are command-line based, which is a problem for Linux veterans who wish to avoid GUI clutter. But rest assured: A basic Debian system, with the fastest CPU you can get your hands on, is all you need to start mining cryptocurrencies.

In the highly competitive universe of crypto mining, major currencies like Bitcoin are typically mined using specially built Application-Specific Integrated Circuit (ASIC) systems, which require a significant investment of the miner's time and money.

Alternative currencies offer a lower barrier of entry. One alternative cryptocurrency that has gained some recent attention is Monero (abbreviated XMR). Monero stands out because its transactions are private by default, hiding sender, receiver, and amount on the chain [2], and because of its resistance to ASIC hardware mining [3]. This article describes how to start mining XMR on a Debian-based Linux system.

A Little Bit More on XMR
The value of Monero is nowhere near the range of Bitcoin's value. The price of XMR at the time I wrote this article was $142.30, whereas the price of Bitcoin was $25,851.07. Some have wondered whether XMR would ever reach the value of BTC, but since its inception in 2014, it has failed to even reach the $500 mark [4]. However, projections are looking solid, and Monero shouldn't disappear any time soon.

Technical Requirements
The most important asset for mining cryptocurrencies is electricity. The second most important asset is a fast CPU [5] that you can overclock. You'll also need a means for dissipating the heat and keeping your environment dust free. Because mining is a process that never sleeps and demands full capacity, it will be important to leave room for your hardware to remain in a cool, friendly zone for the time it will be crunching its life away. While it does, and if it runs as a dedicated rig, it will emit a vast quantity of heat. The final factor

Lead Image © Chode, 123RF.com

Figure 1: You'll need SSH and the standard system utilities.

affecting hashing performance is the clock speed of the RAM, although the RAM speed is less important than the other features I've mentioned.

A minimal system for mining XMR would have a 250GB SSD, 4GB of RAM, and the cheapest video card available. The high-grade components need to be the CPU and the power supply unit. Investing in a good motherboard is optional yet vital if you wish for your system to beat the clock. Be advised that, as time goes on, the size of the decentralized blockchain copy that you'll need to host locally will eventually expand to over 250GB. Currently, it weighs about 164GB, so it is safe to say that a 250GB drive will hold for another three to four years at the very least – unless there is a huge increase in transactions.

Getting Started
The first step is to get the system up. For that, you'll need to install the latest Debian (bookworm) [6]. All you really need is the SSH server and standard system utilities from the latest Debian netinstall (Figure 1).

Once you've installed the OS and logged into the freshly installed system, the work with Monero can begin. Start by downloading the latest Monero daemon [7] and extracting it under the folder of your choice (Figure 2). Before extracting, compare the archive against the hashes the download page publishes: the daemon will serve your node's RPC and the miner will carry your payout address, so a tampered binary is the one supply-chain risk on this rig. Then install the CPU miner (Figure 3).

The next steps truly initiate the Monero footprint. The very first thing is to download the ~164GB blockchain, and for that, a simple execution of ./monerod will handle the task (Figure 4).

Launching the monerod command without an existing blockchain in your home folder will result in it downloading the entire blockchain. This process will take a while – and even longer if you are working with a slow hard drive. Alternatively, pointing

--data-dir /path/of/.bitmonero

at an existing copy will simply download the delta since the last update. That way you can always back up your downloaded blockchain every now and then, in order to avoid all this synchronization.

Whatever you attempt to do while the blockchain finishes updating could end up not working immediately. Therefore the wisest thing to do is to allow it to complete. However, this process will take several hours and can take days, depending on your Internet connection.

Figure 2: Monero v0.18.2.2 is the latest current version; it contains both the daemon and the wallet binaries that are pivotal to mining Monero.

Figure 3: Even if the last update dates back to 2020, xmr-stak is still one of the best cross-platform CPU miners for XMR.


By default monerod puts everything blockchain related under /home/youruser/.bitmonero. The last operation is to forward TCP/18080, monerod's peer-to-peer port, on your router if you want a clean log: without it the node complains about the lack of incoming connections, but it still syncs and still serves the miner. Do not forward TCP/18081, the RPC port; it is meant for local clients such as the wallet and the miner, and for that reason monerod binds it to localhost by default.

Even when you have already downloaded 99 percent of the blockchain and have not updated in 10 days, it can take up to an hour for your node to be synchronized again. Because I am living dangerously, I will proceed immediately with the next step: setting up a wallet (Figure 5). In this case, I'll be running

~/Downloads/monero-x86_64-linux-gnu-v0.18.2.2/monero-wallet-cli

Upon first launch you are asked to create a wallet, secure it via a password, and then configure it. Then you are handed a 95-character base58 string that represents the actual wallet address used for all of your future transactions.

You are also provided with 25 words that can be used to recover access to your wallet. Update your password manager with that information and take really good care of it: whoever holds the 25 words holds the funds, no password required.

At the end of the creation process, you will see your balance and can start making transfers, as long as the node is in sync with the Monero network. In the event that everything went smoothly, there will be two files named after the wallet (mywallet and mywallet.keys, the latter encrypted with your password) in the current working directory.

The next step is setting up the miner, which you simply execute and answer a couple of questions. After you choose the desired currency, pool address, and wallet address, the system gives the infamous "MEMORY ALLOC FAILED" (Figure 6), but you can fix that right now.

System Tweaks
Because the general idea behind mining is to maximize all available resources, you need to be sure to go big. For that, you will need to switch to

Figure 4: Downloading the blockchain with monerod.

Figure 5: You'll need to set up a wallet.


Listing 1: /etc/sysctl.conf
  vm.nr_hugepages=1280

Listing 2: /etc/security/limits.conf
  * soft memlock 262144
  * hard memlock 262144

Listing 3: crontab Entries
  @reboot /opt/crypto/monero-latest/monerod --data-dir /opt/crypto/.bitmonero --detach
  @reboot cd /opt/crypto/xmr-stak-latest && ./xmr-stak-rx --noTest

root and add values in both /etc/sysctl.conf (Listing 1) and /etc/security/limits.conf (Listing 2). Do not forget to enter sysctl -p for the change to take effect immediately; the memlock limit from Listing 2 only applies to sessions opened after the edit. However, at this point, due to the nature of what's coming, I like to save the changes for a final reboot to test it all out.

For the sake of coverage, Figure 7 shows how xmr-stak-rx should properly behave once everything is nice and tidy. Only once these changes are applied will cpu.txt be populated and no errors shown at the console prompt.

Figure 6: Questions answered, but you'll need to make some changes before the miner is error free.

Figure 7: A better outcome after the changes.

And Then
Because I am building a dedicated mining rig that runs 100 percent at all times, I first need to confirm that the values in cpu.txt match the actual machine values.

It's also possible that I was intrepid in pursuit of enrichment and immediately added the --noTest switch to the first launch of the xmr-stak-rx command. If no self test was done, cpu.txt never gets populated. Or perhaps something worse happened? By nature, the content of the cpu.txt file is very basic most of the time (Figure 8).

Each CPU thread that you wish to dedicate to mining XMR will need to have a value defined where the first core counts as 0. Therefore, a 64-thread dedicated mining machine would have 64 lines starting with 0 and ending with 63. However, in this case, I will make the educated guess that this machine has 12 threads off, and only the last 8 were configured to be usable by xmr-stak-rx. If you wish to know how many usable threads your system can run, enter:


# dmidecode -t processor

and look for the thread count, which is at the bottom, or simply run htop and look at the number of cores that are shown at the top.

Another thing I like doing is making sure a mining rig requires minimal intervention (e.g., when there is a power loss and your UPS can't hold on long enough for the power to come back). Also, I like the boxes to have minimal cabling, which implies just the power and the network. Lastly, the systems will need room to breathe and adequate ventilation.

To make sure I never lose a beat, I set the crontab entries in Listing 3 under my own user.

When you're finished with these steps, shut down the system and unplug everything. Set up the power and network cables as required for your configuration, and then plug the system in, power it up, and feel it getting warmer and its fans working harder. Congratulations, you are now mining Monero.

Cryptoriches!
Money doesn't come easily and the same applies to cryptocurrency. I decided to use Nanopool as the mining pool, but there are many other choices [8] to decide from, each with its own specifications.

The next step is to visit https://xmr.nanopool.org/account/ followed by the (very long) wallet address. For instance:

https://xmr.nanopool.org/account/43wnFgp65TxiexxMmKshejBjRZY5ckv987DQR4PMLKFuM5du8GWM8q56Ac3xZAYoELE1Tz8TxFzA6SZYWCVKiN9Z57NGfsh

After about 15 minutes, you will see the first results posted as an unconfirmed balance (Figure 9).

Even though the option for solo mining is a possibility, it is a good idea to join a mining pool to combine the computing power with other users. This method is generally the fastest way for crypto enthusiasts to get better payouts, as each pool has its own terms of use. In the case of Nanopool, you need to have mined a full (that's 1.00000000) XMR unit, which will then be automatically paid out to your wallet; you will see it there once your local blockchain is fully up to date.

If you also happen to have unlimited electricity, CPU power, and room for ventilation, and you wish to dedicate a mining room, you can deploy additional systems, but avoid installing monerod on them, as it is only needed once in any environment. Just make sure you configure xmr-stak-rx to use your wallet address, and it won't be too long until you get your first payout.

If disaster strikes one day and you need to start back from scratch, the only pieces required to resume your XMR activities are a copy of the wallet file and its .keys file together with the password, or simply the 25 recovery words that were generated with the wallet.

Be warned, however, that if you stop mining from a pool while you haven't met the minimum payout and you do not contact them, you risk losing all of your accumulated balance.

With Nanopool, you can always get a balance below the payout threshold transferred to you. For that to happen, you need to have been inactive for 24 hours and contact them [9]. You will want to learn a little bit more about joining a mining pool; this is perhaps the best advice that I can give you for starting your mining journey.

Conclusion
There are many considerations you'll need to address if you wish to claim a piece of the cryptocurrency pie. But whichever path you choose, it always comes back to the basics: The Plan.

Figure 8: Inside the cpu.txt file.

Figure 9: First results appear with an unconfirmed balance.

Info
[1] "What is Crypto Hash Rate and Why Is It Important": https://www.makeuseof.com/crypto-hash-rate-what-is-it/
[2] "Why Monero Is the Best": https://gomonero.com/why-monero/
[3] ASIC-resistant mining algorithm: https://cointelegraph.com/news/monero-implements-hard-fork-including-new-asic-resistant-mining-algorithm
[4] Monero price on CoinMarketCap: https://coinmarketcap.com/currencies/monero/
[5] The Best CPUs for Mining Monero: https://vicadia.com/best-cpu-for-mining-monero/
[6] Netinstall with Debian: https://www.debian.org/CD/netinst/
[7] Monero downloads: https://www.getmonero.org/downloads/
[8] Mining pool options: https://miningpoolstats.stream/monero
[9] Nanopool FAQ: https://help.nanopool.org/hc/en-us/articles/4898382873629-FAQ

Author
Daniel LaSalle was introduced to the command prompt while in his 5th grade. But his addiction to technology spans over 30 years. In the last decade he's been using Linux every day and freelancing as an infrastructure specialist. https://www.linkedin.com/in/daniellasalle/
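The wallet address that goes into the Nanopool URL and into the miner's configuration is also the address the pool pays out to, so a typo, a line wrapped while copying from a printed page, or a clipboard hijacker that swaps pasted cryptocurrency addresses all redirect the earnings somewhere else. The script below is an example added here, not part of Daniel LaSalle's article: a preflight check for the rig that confirms the payout address stored in xmr-stak's pools.txt is the one monero-wallet-cli printed, and that the hugepage reservation of Listing 1 is actually available before the miner starts (the "MEMORY ALLOC FAILED" of Figure 6 is what you get when it is not). The pools.txt key name, the RandomX memory figures, and the use of the author's address from the page as sample input are assumptions; the address check is syntactic (alphabet, length, prefix) and does not verify the checksum that Monero addresses carry.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight checks for a Monero mining
# rig, to run before xmr-stak-rx is started. POSIX sh only.
export LC_ALL=C   # the base58 alphabet check relies on byte ordering

# --- 1. payout address --------------------------------------------------------
# xmr_addr_ok ADDRESS -> 0 if ADDRESS looks like a mainnet Monero address:
# base58 alphabet (no 0, O, I, l), 95 characters starting with 4 (standard
# address) or 8 (subaddress), or 106 characters starting with 4 (integrated
# address). The 4-byte checksum embedded in the address is NOT verified.
xmr_addr_ok() {
    a=$1
    case $a in
        *[!1-9A-HJ-NP-Za-km-z]*)
            echo "bad: character outside the base58 alphabet" >&2; return 1 ;;
    esac
    n=${#a}
    case "$n:$a" in
        95:4*|95:8*|106:4*) return 0 ;;
    esac
    first=$(printf '%s' "$a" | cut -c1)
    echo "bad: length $n, first character $first: not a mainnet address" >&2
    return 1
}

# pools_wallet_ok POOLS_FILE ADDRESS -> 0 if every "wallet_address" entry in
# the miner's pools.txt (assumed key name, as xmr-stak writes it) equals
# ADDRESS. Compare against the address monero-wallet-cli printed, never
# against whatever currently sits in the clipboard.
pools_wallet_ok() {
    f=$1; want=$2
    xmr_addr_ok "$want" || return 1
    found=0
    for got in $(sed -n 's/.*"wallet_address"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$f"); do
        found=1
        [ "$got" = "$want" ] || { echo "bad: $f pays to $got, not $want" >&2; return 1; }
    done
    [ "$found" -eq 1 ] || { echo "bad: no wallet_address in $f" >&2; return 1; }
}

# --- 2. hugepages -------------------------------------------------------------
# RandomX, the algorithm behind XMR mining, keeps a ~2080 MiB dataset and a
# 256 MiB cache in memory plus a 2 MiB scratchpad per mining thread, and wants
# all of it in 2 MiB hugepages (figures assumed from the RandomX design).
DATASET_MIB=2080; CACHE_MIB=256; SCRATCHPAD_MIB=2

# hugepages_needed THREADS -> number of 2 MiB hugepages the miner will want
hugepages_needed() {
    echo $(( (DATASET_MIB + CACHE_MIB + SCRATCHPAD_MIB * $1 + 1) / 2 ))
}

# hugepages_ok MEMINFO THREADS -> 0 if HugePages_Free in MEMINFO (normally
# /proc/meminfo; a file argument so the check also runs on a saved copy)
# covers the need. The kernel may hand out fewer pages than vm.nr_hugepages
# asked for when memory is fragmented, so the live count is what matters,
# not the sysctl value.
hugepages_ok() {
    free=$(awk '/^HugePages_Free:/ {print $2}' "$1")
    size=$(awk '/^Hugepagesize:/ {print $2}' "$1")
    need=$(hugepages_needed "$2")
    [ "${size:-0}" -eq 2048 ] || { echo "bad: no 2 MiB hugepages in $1" >&2; return 1; }
    [ "${free:-0}" -ge "$need" ] || {
        echo "bad: HugePages_Free=$free, need $need for $2 threads; raise vm.nr_hugepages" >&2
        return 1
    }
}

# Usage on the rig, before the miner from Listing 3 is launched
# (PAYOUT_ADDRESS holds the address monero-wallet-cli printed):
#   pools_wallet_ok /opt/crypto/xmr-stak-latest/pools.txt "$PAYOUT_ADDRESS" \
#     && hugepages_ok /proc/meminfo "$(nproc)" && echo "preflight ok"
```

With the figures above, the 1280 pages of Listing 1 (2560 MiB) cover a rig with up to about 64 mining threads; hugepages_needed prints 1176 for the 8 threads of Figure 8 and 1232 for 64.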



IN-DEPTH
VeraCrypt

Encryption with VeraCrypt

Keeping
Secrets
Protect your data and operating system from prying
eyes with VeraCrypt. By Matthias Wübbeling

Confidentiality and integrity are increasingly important when it comes to security. The ability to encrypt data carriers is decisive in this battle, especially for mobile devices. This article shows you how to reliably protect your data and operating system with the open source VeraCrypt tool, as well as how to completely hide the encrypted containers if necessary.

In response to the increase in awareness of IT security, Microsoft began developing the software later known as BitLocker [1] for encrypting files, partitions, or entire hard disks in 2004. BitLocker came under suspicion during the Snowden incident, when it was suspected of possibly providing backdoors or master keys for intelligence services. However, this has never been confirmed and is unlikely to be confirmed any time soon. BitLocker remains popular in corporate settings because it gives administrators the ability to create backup keys and store them in Active Directory, for example.

Created at virtually the same time, the free TrueCrypt [2] encryption tool was based on Encryption for the Masses (E4M) source code (which was allegedly stolen from SecurStar) [3]. While it took BitLocker another three years to find its way into Windows, TrueCrypt enjoyed great popularity right from the start, although the developers remained anonymous for a long time and its source code was published under a license that was never recognized as free software. Rumors later suggested that TrueCrypt's development originally came from criminal circles. TrueCrypt announced the end of development in 2014.

In 2013, VeraCrypt, a fork based on an older version of TrueCrypt (the one that was later audited), was launched. Today, VeraCrypt is developed by the open source community. Of particular interest, VeraCrypt supports the different Linux derivatives and macOS as operating systems in addition to Windows. As an added bonus, legacy TrueCrypt containers can easily be recycled thanks to VeraCrypt.

Encryption for Data Protection
Data confidentiality and system integrity are fundamental protection goals of IT security and must therefore be taken into account whenever an operating system is installed. Regardless of the industry, virtually everywhere you look there is sensitive data that needs protecting (often for legal reasons). Whether construction plans, customer data, customer projects, or simply internal documents and communication, you don't want this information falling into the wrong hands.

Mobile devices and data carriers in particular are exposed to a greater risk of loss or theft, especially if you have to hand the device over briefly, say, during international travel. In these cases, an encrypted system partition raises the bar against uncontrolled manipulation, such as the installation of malware or spyware, although the unencrypted bootloader that asks for your password remains within reach of anyone holding the device. Above all, however, it protects against unauthorized access, for example, to industrial secrets or personal data on the hard drive.

Of course, confidentiality and integrity are only ensured when the computer is switched off. If a device is switched on and the encrypted data is unlocked for daily work with a password, access is possible; the same applies to a device that is merely asleep, because the keys stay in RAM until the volume is dismounted. A loss of confidentiality due to user error or manipulation by malware is then possible.

Setup and First Steps
Some corporate environments already use VeraCrypt. There are different configurations, depending on the intended use. Various scenarios are outlined below. To get started, you first need to download VeraCrypt for installation on your operating system. Use the official

Lead Image © Stefan Redel, fotolia.com


download page [4] provided by the IDRIX developers. This way you can count on having a valid, signed version and avoid the trickery of dubious download platforms. Check the PGP signature that the download page publishes for each release before you install.

The installation is child's play: Launch the downloaded file with admin authorization or confirm the prompt during the install. Then select the language that suits you and install VeraCrypt with the standard options. Alternatively, you can download the source code provided on GitHub [5] and build VeraCrypt on your own system.

When you launch VeraCrypt, the program comes up with a tidy interface (Figure 1). You will see an overview of the mounted drives; VeraCrypt uses the classic drive letters from A to Z on Windows and also offers the option of mounting or creating a container or an encrypted partition.

Pressing the Create Volume button opens a dialog that guides you through the process. The first step is to select the type of storage you want for the volume. You can choose between a container file, an encrypted partition on your hard disk, or an encrypted system partition of your Windows operating system. For first time users, it makes sense to create an encrypted container.

Next you need to define your container's volume type. You have two volume options: standard and hidden (Figure 2). Hidden volumes support two protection objectives: plausible deniability and confidentiality. A hidden volume makes it possible to deny the very existence of the encrypted data if someone tries to force you to hand over the data. To do this, you need to create a hidden volume inside a standard volume. VeraCrypt creates the matching structures in the container headers regardless of which volume type you choose, so the existence of these structures alone is not credible proof of the existence of a hidden volume. Technically, the hidden volume is simply a storage area within a standard volume and is protected with another secret.

If you enter both secrets when mounting the volumes, VeraCrypt determines the byte limits of the two volumes within the container and you can safely access both volumes as required. If you only specify the secret for decrypting the outer volume, there is a risk of overwriting the hidden volume. VeraCrypt then knows nothing about the corresponding byte limits and simply fills up the container, possibly also using up the area containing the hidden volume.

Security vs. Performance
For my example, I'll select Standard VeraCrypt volume and then press Next. Then I need to select the container file's storage location and specify the encryption parameters. VeraCrypt offers a choice of algorithms. AES is the globally recognized standard for block encryption. The alternatives, Serpent and Twofish, were also candidates for the AES standard at the time, so they are comparatively secure. If you do not trust any algorithm on its own, you can also select a cascade of several ciphers. You have to decide for yourself whether this makes sense cryptographically and for your application. Ultimately, cascading hedges against a break of any single cipher, at the price of throughput, because every block is encrypted two or three times. The same applies to the choice of the hash method; again different variants are available. Under normal circumstances, AES and SHA-512 are safe choices that achieve a good compromise between security and performance. I will use these two methods in my example.

As the next step, you need to define the size of the volume based on your estimated needs. Otherwise, you might use up a large amount of storage space on your data carrier just to encrypt a few files or a bunch of small files. VeraCrypt also offers dynamic containers if you can't estimate the exact requirements right now. These containers do not grab the entire storage space when they are created, but simply grow to the specified maximum size as required. Incidentally, you need to choose dynamic containers carefully, because if they end up exceeding the actual hard disk capacity, there is a risk of data loss. A dynamic container is also a sparse file whose size on disk reveals roughly how much data it holds, which works against the deniability a hidden volume is meant to provide. I will be using a container size of 1GB.

You now need to select the secret for accessing the volume you created by filling out the two input fields with your choice of password. Be sure to read the info at the bottom of the dialog to help you choose a secure password. Good passwords should not only consist of many different characters, but should also be as long as possible. Password length has a major influence on security (see the "Password Security" box), although you are likely to find different

Figure 1: VeraCrypt comes up with a very tidy interface when first launched.

Figure 2: Plausible deniability is definitely an option with VeraCrypt.


recommendations for this in different places. VeraCrypt warns you if your password has fewer than 20 characters.

As an alternative or in addition to the password, you can select further "secrets" to protect your volume. In addition to a smartcard, any file or the files of an entire folder can be defined as keyfiles (Figure 3). Of course, this increases the size of the input to the key derivation immensely (VeraCrypt processes up to the first 1,048,576 bytes of each keyfile), but limits the secret to be remembered to this one file or the selected combination of files. Because an attacker with access to your computer could try out any file as a secret, it is not a good idea to solely rely on one file as the secret.

You can enhance security even further by defining the Personal Iterations Multiplier (PIM) yourself and selecting the Use PIM option. This lets you change the number of iterations of the key derivation function that generates cryptographic keys from your input, thus making brute force attacks more difficult. Having said this, the default number of iterations (500,000 rounds) offers a good compromise between performance and security, so I wouldn't change anything here. Note that a non-default PIM has to be entered at every mount; it is part of the secret, not a setting stored in the volume.

FAT, exFAT, or NTFS?
Once you have defined a good password and clicked Next, you can move on to selecting the volume's filesystem. FAT or exFAT can be mounted on almost any other system later. NTFS gives you the ability to use additional authorizations or file attributes on Windows. Choose the filesystem that best suits your requirements. If required, check the boxes for quick formatting and the option to dynamically grow the volume. Skip the quick format if you plan to add a hidden volume: it leaves the container's free space without random fill, so used and unused areas can be told apart. Next, move your mouse pointer to give the pseudo-random number generator for the crypto operations further random data. Once the bar at the bottom of the window turns green, press Format. After a short time, your volume is ready, and you can press Exit to close the dialog.

After creating your container, you are taken back to the VeraCrypt start window. Now search for your previously created container by clicking on Select File, select the desired drive letter in the area above, and then press Mount. Enter the password in the dialog box or browse to the keyfiles you selected previously for the secret in Keyfiles. Clicking on OK tells the disk manager to automatically mount the volume, which you can access directly.

If you created a hidden volume in the previous step, you will now see two options when mounting. If you want to access the contents of the hidden volume, you need to enter the matching secret in order to mount it directly. The container's outer volume is not displayed or changed. However, if you want to include the outer volume (e.g., to keep up appearances and store files) enter the secret for this outer volume here. In Options, make sure you also specify the secret of the hidden volume for protection to avoid it being accidentally overwritten (Figure 4).

Encrypting Partitions and Hard Disks
If you want to encrypt entire partitions or data carriers, select the Encrypt a Partition/Drive option when creating a new volume. In Windows, again confirm the User Account Control (UAC) dialog to let VeraCrypt access your data carriers. As in a container, you can also create hidden volumes. Then select the data

Figure 3: Keyfiles can also be used in addition to passwords.
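The create and mount steps described above for the GUI, including the hidden-volume protection of Figure 4, can also be driven from VeraCrypt's text mode, which is what you want for a backup job or a container that a script mounts on a Linux box. The wrapper below is an example added here, not code from the article or from the VeraCrypt project. The option names are the ones `veracrypt --text --help` lists; VC_BIN, VC_DRY_RUN, the 20-character floor, and the FAT default are the wrapper's own assumptions. It deliberately never passes --password= or --protection-password=: both would be visible in ps output, shell history, and process accounting, so VeraCrypt is left to prompt for the secrets on the terminal.

```shell
#!/bin/sh
# Added example (not from the article or the VeraCrypt project): a thin POSIX
# sh wrapper around VeraCrypt's text mode. Assumptions: VC_BIN names the
# veracrypt binary; VC_DRY_RUN=1 prints the command instead of running it.
VC_BIN=${VC_BIN:-veracrypt}
VC_DRY_RUN=${VC_DRY_RUN:-0}

# vc_password_ok PASSWORD -> 0 if it reaches the 20-character floor that
# VeraCrypt warns about; length, not character-set size, is what counts.
vc_password_ok() {
    [ "${#1}" -ge 20 ]
}

# vc_keyfiles_ok KEYFILE[,KEYFILE...] -> 0 if every keyfile is readable.
# A missing keyfile is not an error for the key derivation; it simply yields
# a different key and the volume refuses to open, so check first.
vc_keyfiles_ok() {
    oldifs=$IFS; IFS=,
    for f in $1; do
        [ -r "$f" ] || { echo "keyfile not readable: $f" >&2; IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
}

_vc_run() {
    if [ "$VC_DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# vc_create CONTAINER SIZE_BYTES [KEYFILES] [FILESYSTEM]
# Standard (outer) volume with AES and SHA-512 as in the article. VeraCrypt
# prompts for password and PIM on the terminal, so neither lands in the
# process list; entropy comes from --random-source instead of the GUI's
# mouse movements.
vc_create() {
    container=$1; size=$2; kf=${3:-}; fs=${4:-FAT}
    set -- "$VC_BIN" --text --create "$container" --size="$size" \
        --volume-type=normal --encryption=AES --hash=SHA-512 \
        --filesystem="$fs" --random-source=/dev/urandom
    if [ -n "$kf" ]; then
        vc_keyfiles_ok "$kf" || return 1
        set -- "$@" --keyfiles="$kf"
    fi
    _vc_run "$@"
}

# vc_mount CONTAINER MOUNTPOINT [KEYFILES] [PROTECT_HIDDEN]
# PROTECT_HIDDEN=yes makes VeraCrypt ask for the hidden volume's password as
# well and refuse outer-volume writes that would reach into it (the Options
# checkbox of Figure 4). Use it every time the outer volume is mounted for
# writing; without it the hidden volume is silently overwritten.
vc_mount() {
    container=$1; mnt=$2; kf=${3:-}; protect=${4:-no}
    set -- "$VC_BIN" --text --mount "$container" "$mnt"
    if [ -n "$kf" ]; then
        vc_keyfiles_ok "$kf" || return 1
        set -- "$@" --keyfiles="$kf"
    fi
    [ "$protect" = yes ] && set -- "$@" --protect-hidden=yes
    _vc_run "$@"
}

# vc_dismount MOUNTPOINT_OR_CONTAINER -> unmount; only now do the keys
# leave RAM (sleeping the machine with the volume mounted does not do this)
vc_dismount() {
    _vc_run "$VC_BIN" --text --dismount "$1"
}

# Typical session (interactive prompts for the secrets):
#   vc_create  ~/vault.hc 1073741824 ~/keys/usb.key
#   vc_mount   ~/vault.hc /mnt/vault ~/keys/usb.key yes
#   ... work ...
#   vc_dismount /mnt/vault
```

Set VC_DRY_RUN=1 to see the exact command each function would run; that is also how the wrapper can be checked on a machine without VeraCrypt installed.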

Password Security
Secure passwords are long. They are designed to provide protection against brute force attacks (i.e., attacks in which all possible character combinations are tested in an automated process). This complexity results from the number of characters that the attacker must try in all possible combinations. The more characters you combine, the exponentially more difficult the password becomes to crack.
However, a password’s security is not only determined by the choice and number of characters, but also by the degree of secrecy. Sufficiently complex, yet easy to remember passwords do not need to be written down. The sheer number of password characters plays a greater role than the largest possible character set: An 18-character password in which you only use lowercase letters and numbers (i.e., 36 possible characters each) has more combinations than a 14-character password with 100 possible characters. To keep the secret, do not use your passwords for multiple purposes, but create an individual password for each account. Otherwise, the number of attempts required to access your files will be exactly one if your password falls into an attacker’s hands (i.e., if another account that uses the same password is hacked).

Figure 4: Protect existing hidden volumes against accidental overwrites.
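The arithmetic in the Password Security box and the PIM discussion above can be checked with a short program. The following Go code is an added example, not part of the article: the iteration formula for standard volumes (15000 + PIM × 1000) comes from the VeraCrypt documentation rather than from this page, and the attacker's guessing rate is a constructed assumption.

```go
package main

import (
	"fmt"
	"math"
)

// keyspaceBits is log2 of the number of candidates an attacker must try
// for a password of `length` characters drawn from `charsetSize` symbols.
func keyspaceBits(charsetSize, length int) float64 {
	return float64(length) * math.Log2(float64(charsetSize))
}

// standardVolumeIterations applies the formula the VeraCrypt documentation
// gives for standard (non-system) volumes, 15000 + PIM*1000. Assumption:
// the formula is taken from the documentation, not from this article;
// PIM 485 reproduces the 500,000-round default the article mentions.
func standardVolumeIterations(pim int) int {
	return 15000 + pim*1000
}

// iterationBits expresses the KDF cost as equivalent password bits: every
// doubling of the iteration count costs the attacker as much as one more
// bit of keyspace.
func iterationBits(iterations int) float64 {
	return math.Log2(float64(iterations))
}

// expectedCrackSeconds is the mean time to hit the password by exhaustive
// search (half the keyspace) when each guess costs `iterations` rounds and
// the attacker computes `roundsPerSecond` rounds.
func expectedCrackSeconds(bits float64, iterations int, roundsPerSecond float64) float64 {
	guesses := math.Exp2(bits - 1)
	return guesses * float64(iterations) / roundsPerSecond
}

// yearsOf converts seconds to years for readable output.
func yearsOf(seconds float64) float64 {
	return seconds / (365.25 * 24 * 3600)
}

func main() {
	// The two policies compared in the Password Security box.
	long := keyspaceBits(36, 18)  // lowercase letters + digits, 18 chars
	wide := keyspaceBits(100, 14) // 100 symbols, 14 chars
	fmt.Printf("18 chars from 36 symbols:  %.2f bits\n", long)
	fmt.Printf("14 chars from 100 symbols: %.2f bits\n", wide)

	// Constructed attacker budget of 1e9 KDF rounds per second; the figure
	// is an illustrative assumption, not a measurement.
	const rate = 1e9
	for _, pim := range []int{485, 970} {
		it := standardVolumeIterations(pim)
		fmt.Printf("PIM %d: %d rounds (worth %.1f extra bits), about %.3g years for the 18-char policy\n",
			pim, it, iterationBits(it), yearsOf(expectedCrackSeconds(long, it, rate)))
	}
}
```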

56 FEBRUARY 2024 ISSUE 279 LINUX-MAGAZINE.COM


IN-DEPTH
VeraCrypt

carrier to be encrypted. In my example, I will encrypt a USB memory stick. In this case, it is not necessary to partition the storage space in advance; you can encrypt the entire drive directly. The partitioning can then be changed within the encrypted area. VeraCrypt shows you available storage and partitions for selection.
Next you can choose whether to continue using the files that are already on the data carrier in the encrypted volume (the in-place encryption option). VeraCrypt can create encrypted storage media without you needing to manually temporarily store the files and transfer them back. Note that this only works with NTFS on Windows, because the operating system is only capable of shrinking NTFS filesystems on the fly, which is necessary to free up space for the encrypted volume on the data carrier.
If you want to continue without in-place encryption, select the other option and press Next. Before formatting, you will be warned once again that all data currently on the medium will be permanently deleted. If you are using a USB memory stick, you are also told that a drive letter will still be assigned on Windows. However, you must not use the drive in this way. Windows does not recognize any content and offers to format the stick directly when you connect it, which would delete the encrypted volume.

Protecting the System Partition
Now that you have some experience with VeraCrypt, you can encrypt your entire operating system. To do this, select Encrypt System Partition/Drive from the System menu at the top.
VeraCrypt even offers to install a hidden operating system. This gives plausible deniability at the operating system level to deny the existence of a hidden operating system installation.
For my example, I will use normal encryption and then opt to encrypt the entire data carrier and not just the system partition. The entire data carrier then also includes any recovery or boot partitions, which is why VeraCrypt recommends that you only encrypt the system partition for the recovery. Otherwise, depending on the BIOS configuration, you could lose access to your system completely.

Backup and Recovery
Now is a good time to think about backing up the contents of your hard disk. If something goes wrong with the encryption process, you will want to keep a backup of your files in order to be able to restore the system. The files can (or should) of course also be stored on an encrypted data carrier that can be easily mounted by a booted system.
Next, select whether you have one or several operating systems installed on your data carrier. Then click Next and set the encryption parameters as described above. You are then taken to the PIN entry screen. Of course, you cannot select any files here, because you do not have access to the hard disk at system boot time.
VeraCrypt sets the keyboard layout to English when you enter the password. This is because only the BIOS settings are available at boot time before the operating system possibly adopts your choice of keyboard layout. You need to take this into account, especially if you want to use nonstandard characters in your password. You will normally have an English keyboard layout, but to be on the safe side and make sure that the BIOS is not playing tricks on you with a country-specific language setting, it is a good idea to display the password so that you can enter the password with your local keyboard layout in case of an emergency.
VeraCrypt also lets you create your own VeraCrypt rescue medium. This helps you to repair a defective VeraCrypt bootloader and also – with the correct password, of course – to permanently decrypt the system partition again, for example, to repair a defective Windows system. You need to burn the ISO image you create to a CD/DVD or transfer it to a USB stick. If you encrypt several systems with VeraCrypt, you will need an individual rescue medium for each system.
Before the encryption process starts, you need to define the delete options for the existing system files. You can overwrite files multiple times to prevent an attacker from restoring them – even after overwriting the free disk areas with the encrypted volume. Now take note of the recovery instructions and warnings before starting the obligatory pre-test. The computer reboots and Windows launches again after you enter the password. VeraCrypt displays a success message for the test after the reboot.
Click on Encrypt and say yes to warning prompts. The encryption process then starts. You will need some patience, depending on the size of your data carrier. Once the process has completed, you can close the dialog box and will see your system partition mounted in the drive overview. Of course, you cannot eject the drive. To protect your data, shut down the system.
After restarting, you will be prompted to enter the key. Remember that you must type the key with an English keyboard layout. In addition to the password, you will be asked to enter a PIM if you set one. If you have not set a PIM, you can simply press Enter to confirm, otherwise you need to enter the correct value here. The operating system then boots in the usual way, and you can work with virtually no loss of performance.

Conclusions
Encrypting data, especially on mobile devices, is essential in the corporate environment. As an alternative to BitLocker, VeraCrypt offers a sophisticated approach to encrypting data carriers. It protects USB memory sticks, hard disks, and your system partition (though only when the computer is switched off or not connected). Hidden volumes also give users the ability to credibly deny the existence of any such volumes, should someone attempt to force you to hand over your data.
With the steps covered in this article, you can encrypt your computer with VeraCrypt. Keep in mind, however, that secure passwords are an important security aspect.



IN-DEPTH
Programming Snapshot – Google Drive Search Tool

Query your Google Drive with a Go command-line tool

Patterns in the Archive

To help him check his Google Drive files with three different pattern matchers, Mike builds a command-line tool in Go to maintain a meta cache. By Mike Schilli

My digital library of scanned paper books is stashed away as PDF files in an account on Google Drive. So far, Google has done an exemplary job of keeping my data available, but I just can’t make friends with their search interface. In typical Google style, the browser shows you a search field that can be used to quickly browse the indexed full text of all the files in all the folders. However, getting a simple answer to the question of whether I already have a certain book in my archive is more difficult. To do this, I have to select the file names only and restrict the search to specific folders.
Fortunately, though, Google provides an intuitive API [1] to access user data in the Google Drive cloud. For quick checks, a command-line tool comes in handy. While we’re at it, it’s worth taking a trip into the world of pattern matchers, of which there are, as we all know, a wide variety. For example, the shell relies on a glob mechanism for matching, while programming languages typically rely on regular expressions (regexes). And sometimes, a simple string matcher like the grep command is the most practical solution.

Parallel Regex Worlds
If you type ls *.jpg on the command line, you expect the shell’s match mechanism to find all files with a .jpg extension. This pattern matching is fundamentally different from Perl Compatible Regular Expressions (PCRE) [2] used in programming languages. Funnily enough, they originated with the Perl scripting language many years ago, but all modern languages from Python to Java and C++ to Go support them as well.
On the other hand, the wildcard of the regex world, .*, matches any string. The dot in the pattern allows arbitrary characters, and the subsequent asterisk stands for any number of occurrences (including none). The equivalent in shell globbing would be * as I explained in the *.jpg example, but note the caveat: The shell never matches beyond the path separator. Consequently, /tmp/f* does not match /tmp/foo/bar.
In contrast, the Unix grep command matches strings such as foobarbaz with a search pattern of bar. It does not interpret slashes in any special way and is satisfied if the pattern matches even a fraction of an input line. In other words, grep does

Author
Mike Schilli works as a software engineer in the San Francisco Bay Area, California. Each month in his column, which has been running since 1997, he researches practical applications of various programming languages. If you email him at mschilli@perlmeister.com he will gladly answer any questions.

Figure 1: Three different pattern matchers in action.
Lead Image © Alphaspirit, 123RF.com




without anchoring; no need to pad the pattern with *bar* as you would have to in a shell pattern match.

Matches on Demand
To enable using the gdls binary compiled from the sources in this article to choose your matching strategy for Google Drive data, Listing 1 provides the --match command-line flag. It can take the values contains (default), glob, or regex. Starting in line 29, the code branches to a plain vanilla substring match (using the strings.

Listing 1: gdls

01 package main
02 import (
03   "flag"
04   "log"
05   "os"
06   "path"
07   "path/filepath"
08   "regexp"
09   "strings"
10 )
11 func main() {
12   matchMethod := flag.String("match", "contains", "match method (contains, glob, regex)")
13   update := flag.Bool("update", false, "Update from Google Drive")
14   flag.Parse()
15   gddb := NewGdDb()
16   defer gddb.Close()
17   if *update {
18     gddb.Init()
19     updater(gddb)
20     return
21   }
22   pattern := ""
23   if flag.NArg() == 1 {
24     pattern = flag.Arg(0)
25   }
26   gddb.RegexFu = func(re, s string) (bool, error) {
27     var matches bool
28     var err error
29     switch *matchMethod {
30     case "contains":
31       matches = strings.Contains(s, re)
32     case "glob":
33       matches, err = filepath.Match(re, s)
34     case "regex":
35       matches, err = regexp.MatchString(re, s)
36     default:
37       log.Fatalf("Unknown: %s", *matchMethod)
38     }
39     if err != nil {
40       return false, err
41     }
42     return matches, nil
43   }
44   gddb.Search(pattern)
45 }
46 func dbPath() string {
47   dir, err := os.UserHomeDir()
48   if err != nil {
49     panic(err)
50   }
51   return path.Join(dir, ".gdrive.db")
52 }

Figure 2: An SQLite database stores all the file paths on Google Drive.
Figure 3: Enabling the Google Drive API before using it.
Figure 4: Registering the app on the Google Cloud console.




Contains() library function), a shell glob match (using Match() from the standard filepath package), or a full regex match from the Go regexp library via regexp.MatchString().
Figure 1 shows the newly created gdls program in action. A substring match on bukowski will find all the books by American writer Charles Bukowski, of which there are no fewer than 15 in my library. To limit the number of matches displayed, the third command pipes the matches into a trailing grep command in good old Unix style. Matching on the substring mad, the search leaves me with just one book out of 15 from the original search whose title contains the string mad. Alternatively, the regex match with bukowski.*mad in the fourth command filters out the single match in advance. The expression finds files with a matching name, regardless of the folder in which they reside. In contrast, the glob match with the shell-style asterisk syntax and path restrictions in the last line only finds files located in the books/ folder. There is something there for everyone’s taste.
To make the search commands in Figure 1 produce usable results, the Go program does not reach out to Google Drive directly every time but uses a local cache with the file names in an SQLite database on the executing machine. You can refresh this local cache whenever needed by calling gdls --update. Then gdls contacts your Google Drive account, retrieves the names of all currently stored files, and feeds them into the files table of an SQLite database in the local ~/.gdrive.db file (Figure 2).
Listing 1 wraps the three different queries as library calls inside the RegexFu() function (starting in line 26). Later, Listing 4 will register it with the SQLite database engine. The SQLite session in Figure 2 still searches manually and in typical SQL style for like %bukowski% – a fourth pattern matching method! Later, the Go program’s search queries will be using SQLite’s built-in regexp() function, which we will have with this custom RegexFu function by then.

Show Your ID!
So how does the metadata from Google Drive end up in the SQLite database? Google allows access to Drive data to authorized users only. This means that a program that wants to fetch the names of the files stored in the cloud needs some form of authentication.
To do this, you first need to create a project on the Google Cloud console [1], enable the Google Drive API (Figure 3), and add a new client application (Figure 4). The server responds with a newly generated Client ID and a Client secret (Figure 5).
The client secret does not authorize access to the data, but it lets you retrieve an access token from the Google API server. Later, if you include a token of this kind with the request to Google Drive API calls, the server will hand over the data. The access token is only valid for a limited period of time, but it can be refreshed multiple times with the refresh token, obtained alongside the access token. The Client secret is available for download in JSON format from the dialog in Figure 5; you need to store it in the creds.json file in the local directory.
When called for the first time with gdls --update the program reads the creds.json credentials file with the client ID and client secret (Figure 6). At this point, there is no access token, so gdls calls the getTokenFromWeb() function from Listing 2 (starting in line 20). It writes the credential activation URL to the standard output and prompts you to type the address into your web browser’s input box. When contacted

Figure 5: The Client ID and Client secret act as ID badges for the app.
Figure 6: Fetching the access token on the first call.




in this way, the Google server then first ensures that the Google Drive owner is logged into their own account. Then it asks in a dialog if it is OK to grant the new application appropriate rights.
To do this, Google first posts a warning (Figure 7) and then an OAuth Consent dialog (Figure 8) that you must sign off on. This lets the API server know that you agree to allow an unregistered and therefore highly suspicious application to read your private Drive data.

It’s Complicated
If you agree to the process despite the dire warnings (after all, the app is unsigned and the developer is not publicly known), the server points the browser to a predefined URL on localhost. Alas, nothing is listening there in this instance, because the local configuration is missing. The browser rightfully reports an error (Figure 9).
But never fear: The URL now displayed in the input window contains the authorization code in the code parameter. You can simply copy this code string into the input of the waiting gdls program running in the terminal (Figure 6). The program then contacts the Google server and then receives the eagerly awaited access token in exchange for the code. Armed with this, you can now access the cloud data, and gdls will start the sync process immediately.
To avoid this rigamarole going forward, gdls uses saveToken() (Listing 2, starting in line 30) to store the access token along with the refresh token in

Figure 7: Google warns about potentially dangerous apps.
Figure 8: Signing the agreement in the browser.

Listing 2: Token Query

01 package main
02 import (
03   "context"
04   "encoding/json"
05   "fmt"
06   "golang.org/x/oauth2"
07   "os"
08 )
09 const tokenFile = "token.json"
10 func readToken() (*oauth2.Token, error) {
11   f, err := os.Open(tokenFile)
12   if err != nil {
13     return nil, err
14   }
15   defer f.Close()
16   tok := &oauth2.Token{}
17   err = json.NewDecoder(f).Decode(tok)
18   return tok, err
19 }
20 func getTokenFromWeb(config *oauth2.Config) *oauth2.Token {
21
22   authURL := config.AuthCodeURL("state-token", oauth2.AccessTypeOffline)
23   fmt.Printf("Launch in browser and copy auth code:\n%v\n", authURL)
24   var authCode string
25   fmt.Scan(&authCode)
26   tok, err := config.Exchange(context.TODO(), authCode)
27   panicOnErr(err)
28   return tok
29 }
30 func saveToken(token *oauth2.Token) {
31   f, err := os.Create(tokenFile)
32   panicOnErr(err)
33   defer f.Close()
34   err = json.NewEncoder(f).Encode(token)
35   panicOnErr(err)
36 }




the token.json file. This is where readToken() in line 10 will load it from again later. The next time the program is called, it uses the still valid access token behind the scenes or submits the refresh token to get a new access token. You won’t notice anything, except maybe that it occasionally takes a few seconds longer to access your Google Drive.
By the way, all the listings in this month’s column rely on the panicOnErr() utility function to handle errors in order to save space. Fully mature applications would instead use the log module for helpful messages and would return errors to the calling parts of the program, instead of dropping everything and running away in panic().

Preserving the Catch
Armed with the access credentials, the updater() function in Listing 3 can now fetch the names of all the files scattered across your Google Drive by calling listAllFiles() (starting in line 32). To do this, the google.ConfigFromJSON() library function in line 17 first reads the client ID and client secret from the configuration file. Then getClient() starting in line 24 first tries to find a valid access token. If that fails, getTokenFromWeb() in line 27 starts the previously mentioned token dance with the browser.
The newly created client then uses the drive/v3 library imported in line 11 to handle the OAuth-specific communication. This library, officially released by Google, makes it surprisingly tricky to

Figure 9: The browser reports an error because the local configuration is missing.

Listing 3: Google Drive Access

01 package main
02 import (
03   "context"
04   "fmt"
05   "io/ioutil"
06   "net/http"
07   "path/filepath"
08   _ "github.com/mattn/go-sqlite3"
09   "golang.org/x/oauth2"
10   "golang.org/x/oauth2/google"
11   "google.golang.org/api/drive/v3"
12 )
13 func updater(gddb GdDb) {
14   credentialsFile := "creds.json"
15   data, err := ioutil.ReadFile(credentialsFile)
16   panicOnErr(err)
17   config, err := google.ConfigFromJSON(data, drive.DriveReadonlyScope)
18   panicOnErr(err)
19   client := getClient(config)
20   service, err := drive.New(client)
21   panicOnErr(err)
22   listAllFiles(service, gddb, "root", "")
23 }
24 func getClient(config *oauth2.Config) *http.Client {
25   tok, err := readToken()
26   if err != nil {
27     tok = getTokenFromWeb(config)
28     saveToken(tok)
29   }
30   return config.Client(context.Background(), tok)
31 }
32 func listAllFiles(service *drive.Service, gddb GdDb, folderID, parentPath string) {
33   query := fmt.Sprintf("trashed=false and '%s' in parents", folderID)
34   pageToken := ""
35   for {
36     r, err := service.Files.List().Q(query).Fields("nextPageToken, files(id, name, mimeType)").PageToken(pageToken).Do()
37     panicOnErr(err)
38     for _, file := range r.Files {
39       fullPath := filepath.Join(parentPath, file.Name)
40       if file.MimeType == "application/vnd.google-apps.folder" {
41         listAllFiles(service, gddb, file.Id, fullPath)
42       } else {
43         fmt.Printf("Adding %s\n", fullPath)
44         gddb.Add(fullPath)
45       }
46     }
47     pageToken = r.NextPageToken
48     if pageToken == "" {
49       break
50     }
51   }
52 }
53 func panicOnErr(err error) {
54   if err != nil {
55     panic(err)
56   }
57 }




scan all files on the Google Drive while keeping the folder structure in mind. To do this, the listAllFiles() function starts at the top folder (with the root ID) to retrieve all the entries with the query in line 33. It recognizes any directories found there thanks to the type check in line 40 and calls itself recursively in this case to drill down further into the hierarchy. It syncs the names of normal files to the local SQLite cache with the gddb object and its Add() function in line 44. Thanks to the folder paths looped through on the call stack by the recursive flow, the absolute file paths on Google Drive are now available.

Little by Little
However, the Google API does not automatically return all the files in a folder in response to a search query. It starts paginating the results by default if there are more than 100 matches. If there is a nextPageToken in a server response’s JSON, it’s the caller’s responsibility to keep fetching page after page until all results are in.
By the way, the server is somewhat surprisingly not obligated to return exactly 100 results per answer. This preset size acts as a maximum value, although the service can also go lower for efficiency reasons – a fairly common occurrence, especially for API servers with distributed data storage. Clients that only request a continuation page after finding 100 results (or that fail to check for continuation pages) will return incomplete data without an error message. This would leave users in the dark forever, so make sure to cover this case in your applications.

Filed and Archived
The tool then stores the file names and paths found on Google Drive in the SQLite .gdls.db file in the user’s home directory. Listing 4 presents the functions that access the database in an object-oriented format. The NewGdDb() constructor starting in line 12 opens the connection to the database and stores the handle in a structure of type GdDb (defined starting in line 7). When done, it returns it to the caller for future function calls from the package.
When the client calls gddb.Init() later (starting in line 20), the code uses an SQL command to delete the files table (if an old version from previous runs exists) and create a new one that maps the full paths of the files in the drive to automatically created unique IDs. Figure 2 shows you the database schema.
The Add() function starting in line 31 adds newly found paths to the table as rows using the INSERT SQL command, while Search() starting in line 35 searches the entries using the predefined match algorithms and returns any matches to the caller. To do this, the function registers the user-defined regex() function in the SQLite engine and sets it to the Go function with the three match algorithms passed into the constructor. Of these, one was already preselected by the main program at this point.
When searching with SELECT in the SQL database, the engine then defers to the user-defined function to evaluate the where clause and filters the matches accordingly. The for loop starting in line 56 iterates over the approved matches and writes them to standard output.

Wrapping Up
As always, the hat-trick of commands shown in Figure 10 results in an executable program after the Go compiler has loaded the libraries referenced in the code from the network and precompiled them. If necessary, you can further customize the search functions. For example, it would be a good idea to ignore upper and lowercase. As always with DIY programs, there are no limits to what you can do.

Info
[1] Google Cloud APIs: https://console.cloud.google.com/apis
[2] PCRE: https://en.wikipedia.org/wiki/Perl_Compatible_Regular_Expressions

Figure 10: These three build commands create the Go binary.
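The continuation-token loop from Listing 3 and the short-page failure described under "Little by Little", side by side. This is an added example rather than the column's code; fakeDrive is a constructed stand-in for the Drive API with made-up file names and page sizes.

```go
package main

import (
	"fmt"
	"strconv"
)

// page holds what Listing 3 reads from a Drive files.list answer: the file
// names on this page and the continuation token, which is empty on the
// last page.
type page struct {
	Files         []string
	NextPageToken string
}

// fakeDrive is a constructed stand-in for the Drive API, not Google's code.
// The server decides the page sizes and, as the article warns, may return
// fewer entries than the client's maximum before the listing is complete.
type fakeDrive struct {
	names     []string
	pageSizes []int // size of page 0, page 1, ...; the last one absorbs the rest
}

// list serves one page. The token is the zero-based page number as a
// string; "" means the first page.
func (d fakeDrive) list(token string) (page, error) {
	pageNo := 0
	if token != "" {
		n, err := strconv.Atoi(token)
		if err != nil || n < 0 || n >= len(d.pageSizes) {
			return page{}, fmt.Errorf("invalid page token %q", token)
		}
		pageNo = n
	}
	start := 0
	for i := 0; i < pageNo; i++ {
		start += d.pageSizes[i]
	}
	end := start + d.pageSizes[pageNo]
	if end > len(d.names) || pageNo == len(d.pageSizes)-1 {
		end = len(d.names)
	}
	if start > end {
		start = end
	}
	p := page{Files: append([]string(nil), d.names[start:end]...)}
	if end < len(d.names) {
		p.NextPageToken = strconv.Itoa(pageNo + 1)
	}
	return p, nil
}

// listAllPages follows nextPageToken until it is empty, as the loop in
// Listing 3 does, so every entry is collected regardless of page sizes.
func listAllPages(fetch func(string) (page, error)) ([]string, error) {
	var all []string
	token := ""
	for {
		p, err := fetch(token)
		if err != nil {
			return nil, err
		}
		all = append(all, p.Files...)
		token = p.NextPageToken
		if token == "" {
			return all, nil
		}
	}
}

// listUntilShortPage is the flawed client the article describes: it asks
// for a continuation page only after a full page of maxPerPage entries.
// A server that sends a short page early cuts the listing off silently,
// with no error to warn the caller.
func listUntilShortPage(fetch func(string) (page, error), maxPerPage int) ([]string, error) {
	var all []string
	token := ""
	for {
		p, err := fetch(token)
		if err != nil {
			return nil, err
		}
		all = append(all, p.Files...)
		if len(p.Files) < maxPerPage || p.NextPageToken == "" {
			return all, nil
		}
		token = p.NextPageToken
	}
}

// constructedDrive returns sample data: seven made-up file names served in
// pages of 3, 2 and 2 entries although the client asks for 3 per page.
func constructedDrive() fakeDrive {
	return fakeDrive{
		names: []string{
			"books/title-01.pdf", "books/title-02.pdf", "books/title-03.pdf",
			"books/title-04.pdf", "books/title-05.pdf", "books/title-06.pdf",
			"books/title-07.pdf",
		},
		pageSizes: []int{3, 2, 2},
	}
}

func main() {
	d := constructedDrive()
	all, _ := listAllPages(d.list)
	short, _ := listUntilShortPage(d.list, 3)
	fmt.Printf("token loop: %d files, short-page heuristic: %d files\n", len(all), len(short))
}
```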

Listing 4: Database Access

01 package main
02 import (
03   "database/sql"
04   "fmt"
05   "github.com/mattn/go-sqlite3"
06 )
07 type GdDb struct {
08   Db *sql.DB
09   RegexFu func(re, s string) (bool, error)
10   TableName string
11 }
12 func NewGdDb() GdDb {
13   db, err := sql.Open("sqlite3", dbPath())
14   panicOnErr(err)
15   return GdDb{Db: db, TableName: "files"}
16 }
17 func (gddb GdDb) Close() {
18   gddb.Db.Close()
19 }
20 func (gddb GdDb) Init() {
21   sql := `DROP TABLE IF EXISTS ` + gddb.TableName
22   _, err := gddb.Db.Exec(sql)
23   panicOnErr(err)
24   sql = `CREATE TABLE ` + gddb.TableName + ` (
25     id INTEGER PRIMARY KEY AUTOINCREMENT,
26     path TEXT
27   );`
28   _, err = gddb.Db.Exec(sql)
29   panicOnErr(err)
30 }
31 func (gddb GdDb) Add(path string) error {
32   _, err := gddb.Db.Exec("INSERT INTO "+gddb.TableName+" (path) VALUES (?)", path)
33   return err
34 }
35 func (gddb GdDb) Search(pattern string) {
36   sql.Register("sqlite3_FunctionRegistration", &sqlite3.SQLiteDriver{
37     ConnectHook: func(conn *sqlite3.SQLiteConn) error {
38       if err := conn.RegisterFunc("regex", gddb.RegexFu, true); err != nil {
39         return err
40       }
41       return nil
42     }})
43   db, err := sql.Open("sqlite3_FunctionRegistration", dbPath())
44   panicOnErr(err)
45   defer db.Close()
46   query := fmt.Sprintf("SELECT path FROM %s", gddb.TableName)
47   var rows *sql.Rows
48   if pattern == "" {
49     rows, err = db.Query(query)
50   } else {
51     query += " WHERE regex(?, path)"
52     rows, err = db.Query(query, pattern)
53   }
54   panicOnErr(err)
55   defer rows.Close()
56   for rows.Next() {
57     var name string
58     panicOnErr(rows.Scan(&name))
59     fmt.Printf("%s\n", name)
60   }
61   panicOnErr(rows.Err())
62 }



MAKERSPACE Sensor Shootout

MakerSpace
Temperature and humidity sensor comparison

Remeasured

Any application that collects a large number of measurements is bound to have some anomalous measurements, but good sensor breakouts should not output such values all the time. We tested eight temperature and humidity sensors for accuracy. By Bernhard Bablok

The data sheets of common temperature and humidity sensors tend to brag about accuracies in the range of a tenth of a degree. A closer look at 21 cases with eight different sensors shows which claims are true and which are just hot air from marketing.
It isn’t complicated to wire up a sensor and read the values cyclically. If you’ve ever done so, you’ve probably had the feeling at some point that the numbers didn’t add up. Deploying a second device only adds to the confusion, with deviations of up to two units, which quickly gives rise to suspicions that your sensor lacks quality or was just too cheap, leaving you to wonder whether mysteriously high measured values are the result of a poor product or if the data sheets are incorrect.
I looked into both lines of thought and try to offer some recommendations. Up to four examples of eight common sensor devices lined up to face the test (Figure 1). Most devices are from BerryBase or Pimoroni and some of them have been around for quite a while. Table 1

Figure 1: Some of the test candidates have been in my tinkering collection for quite some time.
Lead Image © Jian Fan, 123RF.com




Table 1: Test Candidates


Sensor I2C Address Temperature (°C)a Humidity (%rH)a Pressure (hPa) Price Number
BMP280 0x76/0x77 (-40) 0-65 (850)±1 – 300-1,100±1 EUR1.60 ($2) 4
BME280 0x76/0x77 (-40) 0-65 (85)±1 0-100±3 300-1,100±1 EUR5.60 ($4) 4
AHT20 0x38 (-40) 0-60 (85)±0.3 (0) 10-80 (100)±2 – EUR5.25 ($5) 4
MCP9808 0x18-0x20 -40 to 125±0.25) – – EUR5.90 ($5) 3
AM2320 0xB8 -40 to 80±0.5 0-99.9±3 – EUR4.18 ($4) 2
HTU31D 0x40 (-40) 0-100 (125)±0.2 (0) 20-100±2 – EUR7.10 ($4) 2
SHT45 0x44 (-40) 0-60 (120)±0.1 0-100/±1 – EUR14.90 ($13) 1
DS18B20 – (-55) -10 to 85 (155)±0.5 – – EUR2.40 ($10) 3
aThe values in parenthesis are the full measurement range. The internal range is the accuracy and precision guaranteed by the manufacturer.

shows an overview of the features, technical values, and prices.
In addition to temperature, many of the sensors measure humidity, and the Bosch sensors can also measure air pressure. The BMP280 costs very little, which suggests that it is maybe a cheap clone. One exotic candidate on the list is the DS18B20: It does not have an I2C interface and does not come as a breakout, but as an integrated circuit (IC) in the TO-92 format used in semiconductor packages, mainly for transistors. The connection uses a single-wire protocol.
In the lab, I tried to obtain as many examples of each product as possible, but this effort was tricky because of cost and time constraints. That said, I always sent at least two examples into the fray, with the exception of the most expensive sensor, the SHT45. Additionally, the products do not cover all the application scenarios. If you want to build your own soldering oven, for example, you need a sensor with a completely different temperature range. At the bottom of the temperature scale, the selection’s range ends at -40°C at the latest.

Accuracy and Precision
The terms “accuracy” and “precision” appear in the data sheets – but not without a risk of confusion. Accuracy refers to the typical deviation from the true value. Precision is the amount by which repeat measurements of the same value vary. The values in the data sheets are difficult to compare because they typically use two expressions to define the “typical” and “maximum” accuracy.
The providers often give you additional graphics, but without additional information, these curves are incomplete and leave room for interpretation. Neither Figure 2 nor the HTU31D data sheet provide information on what percentage of all specimens fall within the “typical” or “maximum” curve.
Figure 3 for the DS18B20, on the other hand, uses three-sigma values, and 99.73% of the sensors are within these limits [1]. Many vendors use the two-sigma limit (95.45%), which makes the sensor look better, so adopting a three-sigma limit is exemplary. On the other hand, the DS18B20 curve lacks tolerance values for borderline cases.
Additionally, numerous factors influence accuracy, such as the type of quality control, dependence on the supply voltage, age of the sensors, structure of the board (including additional components),

Figure 2: The accuracy curve of the HTU31D does not reveal the percentage of all specimens that lie within the curves. © TE Connectivity Ltd. (data sheet HTU31D)

Figure 3: The accuracy curve of the DS18B20 includes three-sigma values, which makes it more accurate. © Maxim Integrated Products (data sheet DS18B20)

LINUX-MAGAZINE.COM ISSUE 279 FEBRUARY 2024 67


MAKERSPACE Sensor Shootout

and soldering process. Sometimes you will find crucial information in footnotes. Bosch notes, for example, that the temperature readings of its sensors typically lie above the ambient temperature.
After studying numerous data sheets, you begin to realize that you need to treat the accuracy values as a guide rather than hard facts.

Measuring Setup
Theory aside, the sensors had to prove their value in various measurements. Assessing the absolute accuracy would have required a high-precision thermometer or a measuring chamber with precisely adjustable temperature and humidity. With neither available, my test is by no means a scientific investigation. You have to evaluate the measured values compared with the average of all sensors. The theory behind this process is known as “crowdsensing,” which basically means that the average of many independent measurements is more accurate than any single measurement.
I distributed the 21 sensors in the test across four I2C buses and one one-wire bus. Two Pi Picos with their two I2C buses each acted as data collectors. Controlled by a real-time clock (RTC), data acquisition took place almost simultaneously. The data ended up on microSD cards and were later merged. A data logger [2] provided the necessary tools. However, I had to create the readout routines for some sensors, which was quickly done thanks to online examples. Pandas [3] was used for the computations and Matplotlib [4] for the display.
The measurements took place indoors, away from heat sources or drafts. Additionally, I put the sensors in the refrigerator and in the oven. These phases can be clearly identified in the evaluation. As a side note: The oven was set to its lowest temperature of 50°C (122°F). However, as the graphs show, the oven thermostat turned off the heat too late, which caused some damage to the sensor brackets.

Results
The data and comparison graphs with the results could fill many pages. This article is therefore limited to a few interesting insights. The details can be found in the associated GitHub project [5].
In two words, the results can be described as “positively boring,” which means the sensors in the measurement range of the test fulfill the promises made by their data sheets. If you look at the entire measurement period, it is difficult to identify the individual test specimens (Figure 4, AHT20). Zooming in makes individual gradients recognizable. Figure 5 shows that the measurement results of the four AHT20 sensors are within 0.5°C (0.9°F). The data sheet promises ~0.3°C (0.5°F), so that is OK.

Figure 4: The example of the overall view of the AHT20 reveals that the individual sensors are difficult to distinguish.

Figure 5: The section for the AHT20 sensors reveals variations of 0.5°C.
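The crowdsensing evaluation described above, worked through as an added example that is not part of the original article or of the author's GitHub project: with no reference instrument, every sensor is scored against the average of all sensors at the same instant, which yields a bias (accuracy proxy), a repeatability figure (precision proxy), and the spread within one sensor type that Figure 5 compares against the data sheet. The sensor names and readings are constructed.

```python
"""Crowdsensing evaluation as described in the article: with no reference
thermometer available, every sensor is judged against the average of all
sensors sampled at the same instant. Added example with constructed
readings; this is not the evaluation code from the author's GitHub project."""
from statistics import mean, pstdev

# Constructed readings in °C: five sampling instants per sensor. The two
# AHT20 units are written with a low bias to mimic the trend in Figure 6.
READINGS = {
    "aht20_1":   [21.10, 21.15, 21.20, 21.25, 21.30],
    "aht20_2":   [21.30, 21.35, 21.38, 21.45, 21.52],
    "sht45_1":   [21.55, 21.60, 21.65, 21.70, 21.75],
    "ds18b20_1": [21.50, 21.62, 21.56, 21.75, 21.81],
}


def crowd_mean(readings):
    """Average of all sensors at each sampling instant (the 'crowd' reference)."""
    series = list(readings.values())
    return [mean(col) for col in zip(*series)]


def deviations(readings):
    """Per-sensor deviation from the crowd mean at each instant."""
    ref = crowd_mean(readings)
    return {name: [v - r for v, r in zip(vals, ref)]
            for name, vals in readings.items()}


def bias_and_precision(readings):
    """Accuracy proxy (mean deviation from the crowd) and precision proxy
    (spread of that deviation over time) for every sensor."""
    return {name: (mean(d), pstdev(d)) for name, d in deviations(readings).items()}


def group_spread(readings, prefix):
    """Largest instant-by-instant difference among sensors of one type,
    the number that Figure 5 compares against the data sheet tolerance."""
    group = [vals for name, vals in readings.items() if name.startswith(prefix)]
    return max(max(col) - min(col) for col in zip(*group))


def flag_bias(readings, limit):
    """Sensors whose mean deviation from the crowd exceeds a tolerance."""
    return sorted(n for n, (b, _) in bias_and_precision(readings).items()
                  if abs(b) > limit)


if __name__ == "__main__":
    for name, (bias, prec) in bias_and_precision(READINGS).items():
        print(f"{name:10s} bias {bias:+.3f} °C  precision {prec:.3f} °C")
    print("AHT20 spread:", round(group_spread(READINGS, "aht20"), 2), "°C")
    print("outside ±0.2 °C of the crowd:", flag_bias(READINGS, 0.2))
```

Because the crowd mean is defined over all sensors, the biases sum to zero by construction; a single sensor that drags the mean is therefore only visible as a bias with the opposite sign on the others, which is why the article refuses to draw a general conclusion from four AHT20 units.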




A comparison of the mean values for all sensors proves to be interesting. In Figure 6, you can see that the AHT20 test specimens tended to underestimate the temperature. It would be unreliable to draw a general conclusion from these results because only four sensors were in the test.
When looking at the deviation from the mean, the most expensive sensor (SHT45) performed best, but the inexpensive DS18B20 also achieved similar precision values. Differences in humidity were somewhat greater, but even the poorest performers were no more than six percentage points off the average. Only the Bosch sensors measure the air pressure, and they do it very well, typically deviating from the official air pressure by only 1-2 hectopascals (hPa).

Recommendations and Conclusions
Your choice of sensor must be based on the measuring range and the required accuracy. The price is less important for home use. Going for an expensive model probably has less effect on the measurement results than the way you operate the sensor. If you want a second opinion, deploying a few of the affordable DS18B20 models is a good idea.
Be sure to isolate sensors from sources of interference. A sensor on a Pi HAT will always return incorrect data. Even a sensor connected to the Raspberry Pi by cable will be exposed to too much waste heat in the long run. The single-board computer is not a good basis for measurements, even if many suppliers offer complete solutions for this purpose.
Ideally, you would want the measuring computer to switch off between measuring intervals. If this is not an option, it is best at least to switch the sensor to sleep mode because many sensors lose accuracy if they are forced to run constantly in measurement mode. A closer look at the data sheets will help you in this regard. If in doubt, check the driver, because it sometimes sets a few well-meant settings during initialization that are less than perfect for the intended use case.
Operated correctly, all of the sensors tested are good for measuring temperature, humidity, and air pressure. The SHT45 is the measurement king of the hill, with the BME280 winning the prize for the best all-rounder (with some sacrifices in terms of accuracy). The DS18B20 offers the best price-performance ratio. If you use the BMx280, it is essential that you check the initialization in the driver. Arduino sets a good example with a number of selectable presets that follow the recommendations of the data sheet.
More informative results will be provided by a second measurement campaign planned for the winter with its far lower temperatures. You will find the results in the GitHub project [5].

Figure 6: Compared with the average of the other test candidates, the AHT20 models tend to return too low a temperature value.

Info
[1] Normal distribution: https://en.wikipedia.org/wiki/Normal_distribution
[2] Data loggers: https://github.com/bablokb/pcb-pico-datalogger
[3] Pandas: https://pandas.pydata.org
[4] Matplotlib: https://matplotlib.org
[5] Test results: https://github.com/bablokb/sensor-test

Author
Bernhard Bablok retired from Allianz Technology SE as an SAP HR developer. When he is not listening to music, riding his bike, or walking, he focuses on Linux, programming, and small computers. You can reach him at mail@bablokb.de.




MAKERSPACE Pi Flight Simulator

MakerSpace
Flight simulation on the Raspberry Pi

A Raspberry Pi 4B with Linux can solve the equations for a real-time nonlinear aircraft simulation, including the emulation of modern aircraft flight displays. By Dave Allerton

Flight simulators range from games to airline operations, and generally, you cannot (or you are not permitted to) modify the software. Often, the code is proprietary and not accessible, or the acquisition of data used in the simulator is very costly, and the developers of these simulators are understandably protective of their software. However, for a class of simulator known as an engineering flight simulator (EFS) – used by aircraft manufacturers, avionics companies, research organizations, and universities to develop and evaluate aircraft designs and aircraft systems – it is essential to have access to the source code to modify the simulator for a range of studies.
Flight simulators have two important characteristics. First, the accuracy of the simulation (known as fidelity) should ensure that the performance and dynamics of the simulator closely matches the aircraft it simulates. For many flight simulator games, the models are simplified, reducing the fidelity to a level unacceptable in engineering applications. Second, the software must respond in real time to inputs and solve all the underlying equations at a sufficient rate (known as the frame rate), so that the perceived motion is smooth and continuous, without any noticeable lag. If the computations in simulation software are complex, the frame rate may not be sustained, and delays (latency), which further reduce fidelity, are apparent. To ameliorate this situation, a high-performance computer with a state-of-the-art graphics card may be needed to achieve the required frame rate.
Having developed real-time software for flight simulators at the universities of Southampton, Cranfield, and Sheffield; Queen Mary University (London); and the University of Newcastle (Australia), I evaluated the capabilities of the Raspberry Pi (RPi) computer with Linux to provide an acceptable EFS. Details of the software for this EFS are described in a recent textbook [1]. The software referred to in this article

Table 1: Module Functions
Computer: Function
I/O system: Data acquisition of analog and digital inputs from the flight controls and USB inputs
Flight model: Aerodynamic model, undercarriage model, equations of motion, flight control laws, primary flight display, and engine-indicating and crew-alerting system display
Engine model: Engine dynamics and sound generation
Navigation and avionics: Navigation equations, avionics, flight control unit, radio management panel, and navigation flight display
Instructor station: Session control and monitoring, user interface and display, charts, and flight data recording
Image generator: Image generation of the external view by OpenSceneGraph (3 channels)
Matlab: An optional interface that connects Matlab to the simulator

Lead Image © Oleksiy Tsupe, 123RF.com




Figure 1: Flight simulator organization.

is open source and can be downloaded from the Wiley Student Companion Site [2]. The existing simulator software, which was developed for PCs and mostly written in C, ran under Linux and, for compatibility with Linux, also ran under the MSYS2 programming environment on Windows. The software for the aircraft displays was originally written in legacy OpenGL but has been rewritten for OpenGL v4 for the RPi to exploit the power of the Broadcom graphics processing unit (GPU), increasing the rendering rate of the graphics for the displays by a factor of more than 10. The performance of the RPi has enabled the PCs to be replaced with off-the-shelf RPi computers.

A Distributed Architecture
By computing a simulation on n computers, the potential increase in performance is a factor of n compared with a single computer. However, this simplification is based on two assumptions: First, the problem can be partitioned to run efficiently on n computers; second, any overhead from managing communications between the computers is negligible. The architecture of most flight simulators is particularly suited to a configuration of parallel processes. Figure 1 shows a typical organization of simulator modules, where the functions of the computers are summarized in Table 1.
Data is broadcast by modules at the start of every frame as Ethernet packets using a token-passing protocol based on the User Datagram Protocol (UDP). A computer only broadcasts a packet when it holds the token and otherwise listens for incoming UDP packets. In fact, the token is simply the arrival of a broadcast packet from the preceding node in the chain of transfers. Typically, these transfers occupy less than 2ms of the 20ms frame (Figure 2).
The advantage of using broadcast UDPs is that the simulator data is transmitted in five packet transfers (2,388 bytes/frame). Additionally, Ethernet provides a 32-bit checksum to ensure data integrity. Although a UDP packet transfer has no acknowledgement, with a dedicated network and a relatively low level of traffic, the data error rate is negligible.

OpenGL and GPUs
OpenGL has been used in 2D and 3D computer graphics applications since the 1990s. However, since version 3, OpenGL was repurposed to exploit the power of the GPUs found on modern graphics cards. In particular, GPUs provide fast rendering of textured triangles. In addition to the software for rendering dots, lines, and triangles, shader programs must also be provided to define how objects are rendered (the vertex shader) and how the pixels are written to a frame store (the fragment shader). To reduce the amount of detail in terms of GPU programming, a library glib was developed specifically to emulate aircraft displays that includes functions for the rendering of vectors (lines) and triangles and for applying textures to triangles. Although OpenGL does not directly support the rendering of text, standard fonts can be organized as textures, known as a texture atlas, reducing text generation to the rendering of sub-textures of a texture atlas.
Whereas objects rendered one-by-one in legacy OpenGL considerably slowed the interface between the host processor and the graphics card, with OpenGL v4, objects can be written to a cache in the host computer and transferred to the GPU as a single block when the cache needs to be flushed. For aircraft displays, this organization of caching graphics reduces the computations in the host to a minimum, enabling the parallel processing of the GPUs to maximize the rendering speed. From a programmer’s perspective, glib provides a small set of primitives to draw lines and

Figure 2: The second column shows the timing of UDP broadcast transfers (in seconds) of five RPi computers during one frame.
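The token-passing broadcast described above, modeled frame by frame as an added example (not code from the simulator project): the head of the chain transmits at frame start and every other computer transmits only after hearing its predecessor, so the token is nothing more than the arrival of the previous node's packet. The chain order of the five computers, the per-node payload sizes and the per-hop latency are assumptions; the watchdog shows what a supervisor can check at frame end when a UDP packet, which carries no acknowledgement, is lost.

```python
"""Frame-level model of the token-passing UDP broadcast between the
simulator computers. Added example, not code from the simulator project:
the chain order, payload sizes and per-hop latency are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FRAME_MS = 20.0   # 20 ms frame (50 fps), as in the article
BUDGET_MS = 2.0   # the transfers should occupy less than 2 ms of the frame

# Assumed chain order of the five RPi computers listed in Table 1.
CHAIN = ["io", "flight", "engine", "nav", "ios"]

# Constructed per-node payload sizes (bytes). The article gives only the
# total of 2,388 bytes/frame; this split is illustrative.
PAYLOAD = {"io": 200, "flight": 1200, "engine": 300, "nav": 500, "ios": 188}


@dataclass
class Node:
    name: str
    predecessor: Optional[str]                           # whose packet is this node's token
    inbox: Dict[str, int] = field(default_factory=dict)  # sender -> bytes received this frame
    sent: bool = False

    def on_packet(self, sender: str, size: int) -> bool:
        """Store the broadcast; report whether it hands this node the token."""
        self.inbox[sender] = size
        return sender == self.predecessor and not self.sent


def run_frame(chain: List[str], payload: Dict[str, int],
              hop_latency_ms: float = 0.3,
              dropped: frozenset = frozenset()
              ) -> Tuple[List[Tuple[float, str, int]], Dict[str, Node]]:
    """Simulate one frame. The head of the chain transmits at frame start;
    every other node transmits only after hearing its predecessor. Returns
    the transmit log [(time_ms, sender, bytes)] and the node table."""
    nodes = {n: Node(n, chain[i - 1] if i else None) for i, n in enumerate(chain)}
    log: List[Tuple[float, str, int]] = []
    t, sender = 0.0, chain[0]
    while sender is not None:
        nodes[sender].sent = True
        if sender in dropped:           # UDP gives no acknowledgement: a lost
            log.append((t, sender, 0))  # packet means nobody receives the token
            break
        size = payload[sender]
        log.append((t, sender, size))
        t += hop_latency_ms
        nxt = None
        for n in nodes.values():        # every other node receives the broadcast
            if n.name != sender and n.on_packet(sender, size):
                nxt = n.name            # ...but only the successor gets the token
        sender = nxt
    return log, nodes


def frame_watchdog(chain: List[str], nodes: Dict[str, Node],
                   log: List[Tuple[float, str, int]]) -> List[str]:
    """Checks a supervisor would run at frame end: every computer transmitted,
    every computer holds every other computer's data, and the transfers fit
    the time budget. Returns a list of findings; an empty list means healthy."""
    findings = []
    for n in chain:
        if not nodes[n].sent:
            findings.append(f"{n} never received its token")
        missing = set(chain) - {n} - set(nodes[n].inbox)
        if missing:
            findings.append(f"{n} is missing data from {sorted(missing)}")
    if log and log[-1][0] > BUDGET_MS:
        findings.append(f"transfers exceeded the {BUDGET_MS} ms budget")
    return findings


if __name__ == "__main__":
    log, nodes = run_frame(CHAIN, PAYLOAD)
    print("healthy frame:", log, frame_watchdog(CHAIN, nodes, log))
    log, nodes = run_frame(CHAIN, PAYLOAD, dropped=frozenset({"engine"}))
    print("lost packet:", frame_watchdog(CHAIN, nodes, log))
```

A dropped packet does not corrupt data (the Ethernet checksum handles that) but stalls the ring for the rest of the frame, which is why the frame-end check, rather than a per-packet acknowledgement, is the natural place to detect it.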




triangles, load and render textures, load fonts and render text, and apply graphics transformations, including translation, rotation, scaling, and clipping of graphics objects, but without any explicit calls to OpenGL.

Flight Simulator Displays
Figure 3 shows the primary flight display (PFD) and the navigation flight display (NFD) produced by a Raspberry Pi 4B (RPi4B) for a Boeing 747-400. The PFD uses vectors for the sliding scales and text rendering for the digits. The rotating digits in the airspeed and altitude windows are implemented by clipping the characters to the small windows. The gray segments of the engine displays are produced offline as SVG textures and then rotated and clipped. Note the clear lines of the engine displays, which are also produced from SVG textures rather than vectors.
The NFD also contains vectors and text for the navigation display. The flight control unit (FCU) panel, which provides mouse or touchscreen interaction, is rendered as a texture, with character generation applied to the three small panels. The rendering of each display takes less than 3ms of the 20ms frame.
Similar methods are used to emulate the more classic displays found in light aircraft (Figure 4). The instrument bezels, static scales, and pointers are rendered as textures. The compass card is also a single texture, which is rotated in a single operation, rather than rotating all the characters and vectors of the card. The artificial horizon is rendered as a 3D sphere, which is illuminated to emphasize the curvature of the sphere, and the magnetic compass in the top right corner of the display is handled similarly.
In airline flight simulators, military simulators, and an EFS, the instructor plays an important role, setting conditions, initiating events such as an engine failure, and monitoring the activity of the flight crew. In an EFS, a further requirement is to acquire, display, and record flight

Figure 3: Boeing 747-400 flight displays.

Figure 4: Light aircraft flight displays.

Figure 5: IOS displays. (a) Pop-up menus are implemented by OpenGL and (b) drop-down menus by the GTK widget toolkit.




data produced during testing. From the graphics perspective, these requirements imply a user interface to control and monitor simulator sessions and the display of charts and flight data. The graphics library glib, developed for aircraft displays, is also used for the instructor operating station (IOS; Figure 5).
In both displays, the lines for charts and plotting are rendered as vectors, and the navigation symbols are rendered from a texture atlas by glib functions. The IOS also captures data from the other simulator computers for the plotting and recording of flight data. In this case, raw 1KB blocks of data are written to memory every frame (3MB/min) and subsequently copied to disk. The attraction of this method is that the frame rate is unaffected, the data can also be viewed off-line by a similar set of plotting tools, and the packets can be retrieved from a disk file, providing inputs to the simulator software to replay any test or exercise.

Octave and Matlab
During development of an EFS, particularly for flight control laws, sometimes it is more convenient to develop algorithms with tools like Matlab or Octave, rather than coding directly in C. Because both Matlab and Octave are interpreted languages, care is needed to ensure that any latency introduced by these packages does not affect the simulator frame rate. Although the development of detailed real-time nonlinear flight models in Matlab may be impracticable, small modules, such as automatic flight control laws, can be developed and tested in Matlab, where a Matlab module acquires inputs from the simulator and generates outputs for the simulator flight controls.
A wrapper was developed with Matlab mex functions so Matlab could read flight data from broadcast packets and transmit a packet to the simulator. The network protocol was adapted to enable Matlab to connect to, and disconnect from, the network without affecting the integrity or speed of the network protocol. The template in Listing 1 allows a controller written in Matlab to be integrated with the simulator.

Flight Simulator on a Single RPi
Having developed real-time simulator software running on five RPi computers with three displays, a further development was to combine this software for a single RPi with a single monitor (1920x1080 resolution), where the PFD is rendered on the left-hand side of the display and either the NFD or the IOS is rendered on the right-hand side, as selected by the user. To maximize reuse of the simulator software, packet passing was emulated by copying the relevant regions of memory associated with each module. Although the parallelism could be retained by treating the modules as POSIX threads, it is simpler to execute the simulator code sequentially, cycling through the modules. The main concern with this approach is that the RPi is further loaded with computations of the simulation, particularly the additional graphics rendering, compared with the multiple-processor version.
Figure 6 shows the overall frame time for the single RPi version for 1,000 frames (20s) of simulation, where the display changes several times in response to instructor actions. The lower trace shows the graphics rendering time and occupies less than 6ms/frame. The upper trace shows the overall computing time and occupies less than 10ms/frame, leaving a margin of approximately 10ms. The large excursions occurred when the simulator files were loaded at the start of the simulation and when the aircraft position was reset after 140 frames.

Offline Simulation
Development of prototype software can take up a considerable amount of

Figure 6: RPi4B computation times (standalone version).




Figure 7: An offline simulator: (a) The inputs are the pilot inputs to the flight controls, and the outputs are the flight displays and the visual system imagery; (b) the inputs are specified in a script file, and the outputs are files containing data and plotting information.

simulator time. In this situation, access to an off-line desktop simulator, with software that is identical to the flight simulator, can provide a valuable design asset. Consider the two configurations shown in Figure 7. Two significant points can be drawn from this example. First, the main modules are identical and can be interchanged between the flight simulator and the offline simulator, and vice versa, without modification. Second, there are no real-time deadlines with an offline simulator, which can run faster than real time (e.g., simulating several hours of flight in a few minutes, typically as part of automated testing).
A typical output plot is shown in Figure 8. Listing 2 is the script file to run the simulation, which defines the initial conditions of the aircraft, the variables to be plotted, and the details of the plots. The autotrim command sets the aircraft in the trimmed state at the start of the exercise. The plots show the response of the aircraft to an elevator pulse input of -10° for 2s, applied after 2s. In addition to the output data, a further script is generated for gnuplot, so plots can be produced as PNG files.

Listing 2: Simulator Script
set altitude 3000 ft
set TAS 200 kts
set flaps 0.0
set gear 0.0
plot pitch degs -5 20
plot pitch_rate deg/s -10 10
plot altitude ft 2500 3500
plot elevator degs -20 20
time 120 secs
input elevator pulse 22 -10
autotrim

Visualization
Although an image generator (IG) is normally used to render the external view seen from the flight deck, for an EFS, the IG can also be used to visualize data in real time. For example, in a study of wake vortex encounters, a dedicated computer was connected to the flight simulator network to compute the flows of a wake vortex, derived from detailed vortex data. Figure 9(a) shows the wake vortices shed by an aircraft, which were implemented as billboards in the visual scene. Figure 9(b) shows the air flows and aircraft loading during a wake

Figure 8: Output for conditions defined in Listing 2.




vortex encounter. This visualization illustrates the direction and magnitude of the air flows given by the white vectors; the loading on the wings and tail resulting from the encounter, which is color-coded; and the extremities of the vortex field shown as a red wireframe volume.
Figure 10(a) is generated by OpenSceneGraph on an RPi with an OpenFlight visual database of Bristol Lulsgate airport and achieves a frame rate of 69 frames/s (fps) for a display resolution of 1280x1024. Figure 10(b) shows a similar scene, which includes a head-up display (HUD) rendered in OpenGL as a 2D overlay on the visual scene.

Conclusions
The RPi4B with Linux is clearly capable of solving the equations for a real-time highly nonlinear simulation of a four-engine wide-body transport aircraft at 50fps, including the emulation of modern electronic flight instrument system (EFIS) displays. By providing the complete source code, the simulator modules and aircraft displays can be modified for a range of applications. With the addition of the acquisition, display, and recording of flight data during simulations, an EFS running on a single RPi can provide a particularly valuable test bed for the design and analysis of aircraft and aircraft systems. In a university, the EFS provides both a powerful facility for student projects and a totally programmable simulation environment for research in aircraft design and system validation.

Figure 9: Wake vortex encounter.

Figure 10: Raspberry Pi OpenSceneGraph images.

Info
[1] Allerton, D J. Flight Simulation Software: Design, Development and Testing. Wiley, 2022
[2] Flight simulation software: https://www.wiley.com/go/flightsimulationsoftware

Author
Dave Allerton obtained a PhD from the University of Cambridge in 1977 and worked in the defense industry before spending 10 years at the University of Southampton as a lecturer in computing. He was the Professor of Avionics at Cranfield University before moving to the University of Sheffield as Professor of Computer Systems Engineering, where he is currently an Emeritus Professor. He is also a Visiting Professor at Cranfield University and at Queen Mary University of London. His research activities include flight simulation, computer graphics, and real-time computing. He is author of two textbooks, Principles of Flight Simulation (Wiley, 2009, ISBN 978-0-470-75436-8) and Flight Simulation Software: Design, Development and Testing (Wiley, 2022, ISBN 978-1-11973-767-4).



INTRODUCTION LINUX VOICE

The command line has a stark and austere beauty all its own, but many of us need a little more color and cheer. If you want the simplicity of the terminal without the taxing two-tone boredom, why not jazz it up a little with Oh My Posh? The Oh My Posh prompt theme engine lets you define a visual theme for your command-line environment, which perks up the view and also makes the details easier to read and understand. Also in this month’s Linux Voice, we dive down into System Monitoring Center and spell out some best practices for working with the SSH.

Doghouse – Choosing an OS 79
Jon “maddog” Hall
A few considerations can help you choose the right OS.

Oh My Posh 80
Thorsten Scherf
Adapt the terminal’s appearance and feature set with the Oh My Posh prompt theme engine.

System Monitoring Center 82
Erik Bärwaldt
The System Monitoring Center combines all the important information you need to monitor a computer in a single state-of-the-art interface.

FOSSPicks 86
Graham Morrison
This month Graham looks at Cardinal, Celestia 1.7.0, Friture, Wavetable, Helix Editor, Brogue CE, and more!

Tutorial – SSH Keys 92
Marcin Gastol
Verifying the security of your SSH configuration and performing regular audits are critical practices in maintaining a secure Linux environment.

Image © Olexandr Moroz, 123RF.com



DOGHOUSE – CHOOSING AN OS LINUX VOICE

MADDOG’S DOGHOUSE
A few considerations can help you choose the right OS. BY JON “MADDOG” HALL

Jon “maddog” Hall is an author, educator, computer scientist, and free software pioneer who has been a passionate advocate for Linux since 1994 when he first met Linus Torvalds and facilitated the port of Linux to a 64-bit system. He serves as president of Linux International®.

Which OS do you use?

It is inevitable that at every conference, every talk, I get asked the same question: “What distribution of GNU/Linux do you use?” I always answer back that I refuse to answer that question.
The question was asked again less than a week ago, during a talk on GNU/Linux to a class of undergraduate college students.
First of all, typically they are not really asking that specific question. They are really asking the question “What distribution should I use?” And the reason I do not answer is that I do not know enough about them to give them a good answer.
I have been a consultant since I left Compaq (having come to the company when it acquired Digital Equipment Corporation) in 1999. I use the distribution that my customer uses, so I can duplicate the issues that they are having with their systems.
The things I need and look for in a distribution would probably be different than the things the beginning person might desire. For example, I typically work on different architectures, not just Intel/AMD. Therefore a distribution that supports multiple architectures is attractive to me.
I do a fair amount of video capture and editing work, probably more than the typical office worker whose main needs can be met with a good office package and a web browser.
However, I do give the questioner hints.
First of all, think about your particular situation and what you want and need from your software. Are your needs simple or do you need specialized applications that may be supported better by some specialized distribution?
In certain situations I also recommend an investigation of your surroundings. For example, if you are a student, your school may have a computer club where some (or all) of the members use GNU/Linux and may all be using the same distribution of GNU/Linux. Choosing the distribution they use may get you a lot of help if you need it.
Also, there may be local Linux User Groups (LUGs) in your area that have meetings or mailing lists where you may get advice or help with your distribution. As an example, I recently had a reason to see if there was a local user group in a particular area. I typed into my browser’s search bar “Linux user group in <name of the city>” and up popped a web page telling about the user group and when and where they were going to have their next meeting. There is no guarantee that you will be so lucky, but in my estimation it is worth the effort.
After this you can search the Internet for articles with queries like “Linux distributions for beginners.” This might return 9 or 10 articles comparing different distributions and their advantages and disadvantages. Take the time to read them and take notes on each distribution they mention. Make sure the distributions they mention work well on your hardware with regards to the architecture type (Intel/AMD, ARM, etc.), 32- or 64-bit, main memory size, etc. If the computer you will be using for GNU/Linux has a small main memory, you may wish to look for distributions that are considered “lightweight.”
You can also look for a distribution that allows you to run it as a “live distribution,” either off a CD or DVD or a USB thumb drive, so you can test it on your hardware without disturbing your current operating system.
Now that you have a short list of the distributions you might use, go to the distributions’ websites and see what documentation they might have for beginners. Many of the distributions considered to be oriented toward beginners usually have a document that suggests how you can get started with that distribution. You may also find books (either online, electronic, or hard copy) offered for beginners that will help you learn about GNU/Linux using that distribution. Make sure the articles you are reading are fairly recent.
Next you can go to DistroWatch.com (https://distrowatch.com/) and see an index of many distributions. Here you can find a distribution, click on the name, and read something about it. You should pay attention to how active and popular the distribution is. Make sure that the distribution you are looking at is still being downloaded, used, and developed.
The next step is just to pick one, follow the instructions for downloading the distribution, and make a live distribution from it using the software that runs on your current system.
Boot that live distribution, checking to make sure it works with all of your hardware and services. You can easily try another distribution later if this does not do what you want.
Once you are sure, you can take the next step of installing it as a dual-boot (maintaining your current operating system) or replacing your current operating system (after backing up your data).
Carpe diem!



LINUX VOICE OH MY POSH

Prettify the Terminal with Oh My Posh

Beautiful Colors
Adapt the terminal’s available feature set and appearance with the Oh My Posh
prompt theme engine. BY THORSTEN SCHERF

No matter which shell you use in a terminal, the prompt probably looks very dull in the vast majority of cases and only provides basic information – typically just telling you the current working directory. Fortunately, the vast majority of shells offer users a function for customizing the prompt. Prompt engines such as Powerline or Oh My Zsh take advantage of this. As a rule, they use various themes that give the environment a more appealing look.
These engines can also display useful information in the input line. The prompt is then typically broken down into different segments, which gives you the opportunity to populate these segments with the kind of information you actually need. In the simplest case, you might display the date or time in one segment. More complex configurations let you embed almost any kind of data. For example, in Git directories, you could use a segment to display the kind of information that you need for Git, such as the status of the current repository.

Theme Engines and Nerd Fonts
Powerline [1] provides a very powerful engine and not only for customizing the shell prompt. Instead, the software can customize a variety of different status lines, also in the Vim editor. Oh My Zsh [2] is a popular configuration tool for the Zsh. Similar to Oh My Zsh, Oh My Posh [3] lets you customize the shell prompt. Unlike Oh My Zsh, however, it doesn’t matter which shell you actually use in your environment.
Like with most other prompt engines, it makes sense to use Nerd Fonts [4] in combination with Oh My Posh. Nerd Fonts extends the regular character set to include a variety of icons that you can then use within each shell segment. Oh My Posh recommends the use of Meslo LGM [5], but you can use any other font as long as it comes with a good supply of icons. You can install the desired font manually or via Oh My Posh – but more about that later.

Cross-Platform Support
Oh My Posh is a cross-platform tool; you can use it on Linux, macOS, and in PowerShell on Windows. On macOS, simply install the engine using the Homebrew package manager:

brew install jandedobbeleer/oh-my-posh/oh-my-posh

The call installs both the Oh My Posh tool and the available themes (Figure 1). On Linux, first download the software and then an archive with all the themes, which you then unpack (Listing 1).

Listing 1: Install Oh My Posh and Themes

sudo wget https://github.com/JanDeDobbeleer/oh-my-posh/releases/latest/download/posh-linux-amd64 -O /usr/local/bin/oh-my-posh
sudo chmod +x /usr/local/bin/oh-my-posh
mkdir ~/.poshthemes
wget https://github.com/JanDeDobbeleer/oh-my-posh/releases/latest/download/themes.zip -O ~/.poshthemes/themes.zip
unzip ~/.poshthemes/themes.zip -d ~/.poshthemes
chmod u+rw ~/.poshthemes/*.omp.*
rm ~/.poshthemes/themes.zip

Activating the Shell Prompt
Now, to enable Oh My Posh in the shell you are using, initialize the prompt engine in the shell’s configuration file. For example, if you use Bash, add the following line to the ~/.bashrc file:

eval "$(oh-my-posh init bash)"

To activate the changes, either start a new shell or reload the modified configuration file with the source ~/.bashrc command. The procedure is similar if you use Zsh. Of course, in this case you need to pass in Zsh as the init argument.


Figure 1: Even with the default theme, Oh My Posh already gives you an appealing prompt.
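Listing 1 fetches the binary from the latest release tag and writes it straight into /usr/local/bin without checking what arrived. The following is an added example, not code from the Oh My Posh project, that stages the download first and only installs it when its SHA-256 matches a hash you pinned beforehand; EXPECTED_SHA256 is a placeholder, the /tmp path is an assumption, and sha256sum and install are the GNU coreutils commands.

```shell
#!/bin/sh
# Added example (not part of Oh My Posh): stage a downloaded release asset,
# compare its SHA-256 against a hash pinned from the release page, and only
# then copy it into place. Pin the release tag alongside the hash, because the
# .../releases/latest/download/... URL in Listing 1 changes with every release.
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"  # placeholder, not a real hash

# sha256_of FILE -> prints the hex digest of FILE (GNU coreutils sha256sum).
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# install_verified SRC EXPECTED DEST
# Installs SRC as DEST with mode 0755 and returns 0 only if the digest of SRC
# equals EXPECTED; otherwise prints the mismatch, leaves DEST untouched and
# returns 1.
install_verified() {
    src=$1
    expected=$2
    dest=$3
    actual=$(sha256_of "$src")
    if [ "$actual" != "$expected" ]; then
        printf 'checksum mismatch for %s: got %s, expected %s\n' \
            "$src" "$actual" "$expected" >&2
        return 1
    fi
    # install(1) copies and sets the mode in one step, replacing the separate
    # chmod +x from Listing 1.
    install -m 0755 "$src" "$dest"
}

# Typical use mirroring Listing 1 (needs network, and sudo for /usr/local/bin):
#   wget https://github.com/JanDeDobbeleer/oh-my-posh/releases/latest/download/posh-linux-amd64 -O /tmp/posh-linux-amd64
#   install_verified /tmp/posh-linux-amd64 "$EXPECTED_SHA256" /usr/local/bin/oh-my-posh
```

The same check applies to themes.zip: compare the archive before unzip ever runs on it.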

A complete overview showing you the configurations of all the shells supported by Oh My Posh is available in the documentation [6].
You can also call up the Oh My Posh tool interactively to define a whole bunch of configuration settings. For example, if you want to install a Nerd Font on your system, simply run:

oh-my-posh font install

In the drop-down menu, select the font you want to download. However, you will need to handle the configuration manually in the terminal you are using later.

Selecting and Customizing Themes
To customize the prompt’s look, select a different theme as the first step. If you saved the design templates in the ~/.poshthemes/ directory, select the theme you want in the configuration file of the shell you are using when initializing the prompt engine:

eval "$(oh-my-posh init bash --config ~/.poshthemes/blue-owl.omp.json)"

After parsing the changes, the new theme is enabled. The design configuration is based on blocks where you define one or more segments. In the segments, you then need to provide the desired information. JSON is used for this by default. However, you can also choose to write the definition of the themes in YAML or TOML.
To customize a theme, you can create a copy of the associated file and make the desired modifications to the copy. Alternatively, you also have the option to call the Oh My Posh tool with the config export option to create a copy of the current theme:

oh-my-posh config export --output ~/.my-theme.omp.json

In the copy, you can then modify the existing blocks and segments or add new ones. Each block contains one or more segments. In the block configuration, you can then define, say, whether you want the segments to appear on the left or right in the terminal or if you want to distribute them across a single line or multiple lines. You then determine the segment properties in the segments. In the simplest case, this is the color in which you want to display the segment.
The segments can be of different types; this means that you can define the logic to be used within a segment. For example, the Git type lets you display status information about a Git repository in a segment. You then use templates and type-specific options to precisely define the details of the segment’s appearance. The documentation lists all the available segment types and the configuration options available for them. You will also find an example of Git integration on the Oh My Posh site [7].

Conclusions
Working at the command line can become boring over time, at least visually. And prompts are not always very informative. Oh My Posh gives users a comprehensive prompt engine for a variety of platforms and shells. Themes help you achieve appealing results very quickly, and modifying the designs is a surprisingly simple experience.

Info
[1] Powerline: https://powerline.readthedocs.io/en/master/
[2] Oh My Zsh: https://ohmyz.sh
[3] Oh My Posh: https://ohmyposh.dev
[4] Nerd Fonts: https://www.nerdfonts.com
[5] Meslo LGM Nerd Font: https://github.com/ryanoasis/nerd-fonts/releases/download/v3.0.2/Meslo.zip
[6] Oh My Posh documentation: https://ohmyposh.dev/docs/installation/prompt
[7] Git configuration: https://ohmyposh.dev/docs/segments/git


Monitor your computers with System Monitoring Center

Everything under Control


The System Monitoring Center combines all the important information you need to monitor a computer in a single state-of-the-art interface. BY ERIK BÄRWALDT

Linux comes with more system control applications than any other operating system. But the individual tools typically only focus on specific components of a computer. For example, programs such as the Gnome disk utility or the KDE partition manager take care of the connected mass storage devices. The system monitor for the KDE Plasma desktop environment and the system monitoring tools for other desktop environments such as MATE or LXDE keep an eye on the CPU, RAM, and network throughput, but no more. Many of the tools integrated into the respective environments for monitoring individual components also look a little jaded.
Compared to them, System Monitoring Center [1], which is available as a Flatpak and can therefore be used independently of your choice of distribution, offers a comprehensive overview of all important system statuses. A DEB package with an older version of the 1.43.x branch is available for download from the project’s GitHub page [2].

Installation
To install the Flatpak you need the appropriate runtime environment on the system. You can set this up on most distributions using the built-in package manager. Then search for System Monitoring Center in KDE Plasma Discover, Gnome Software, or mintinstall and set it up by clicking Install. The routine also creates a starter in the desktop environment’s menu. Clicking on the starter opens the main application window (Figure 1). (For the graphical app stores Gnome Software and KDE Plasma Discover, there are plugins that let you integrate the Flatpak infrastructure. The Flatpak packages available on Flathub are displayed there after doing so.)

Figure 1: System Monitoring Center is visually up-to-date and functional.

Interface
The startup window first shows you an overview of the critical system data (i.e., the CPU and RAM utilization levels). The application displays this information on a dial gauge in the central area of the window and continuously updates the values. To the right, you can see the mass storage device data transfer rates at the top and the network interface upload and download rates below them.
On the left side of the program window you will also find the CPU, Memory, Disk, Network, GPU, and Sensors categories. Clicking on one of the buttons displays a line diagram in the window panel to the right of it; the status values for the component in question appear here. In the CPU display, for example, the System Monitor breaks down the utilization of the individual processor cores separately, while the overview simply provides an overview for all CPU cores. You will also find more detailed data here, such as the CPU’s clock speed and the cache sizes (Figure 2).
The detailed display for the RAM shows both the utilization and the RAM size. In the storage area, you can see what volumes of data have already been transferred to or read from the medium. These values are particularly important for modern SSDs because they can be used to predict failures caused by a high number of write cycles. The software also lists the read and write speeds for the current partition. Here, too, values that deviate significantly from the norm can indicate impending doom.
In the upper part of the program window, you will also find buttons that help you access information on the software and its versions. The process and service information, which you can access via Processes and Services, not only provides information about the names, PID numbers, status, and users of the respective processes, but also about their memory requirements. The Process view also shows you the read and write speeds (Figure 3).
System shows you useful information about the computer system, such as the vendor and architecture. In addition, data on the operating system such as the current kernel version, the desktop environment, and the number of installed packages appear here. The software lists Flatpaks separately.

Figure 2: When you call up the various categories, the software shows you detailed information about the components in question.

Figure 3: The System Monitoring Center also provides detailed information about processes and services.

Settings
The titlebar has a pretty unusual design. It displays the current CPU and RAM load in small bar graphs on the left, while the network data and storage throughputs are shown as figures on the right.
There is a hamburger menu on the right side of the titlebar. It branches to a submenu where you can set up some basic features of the application in General Settings. They include the ability to change the display update intervals and define the startup settings and the language locale (Figure 4). By default, the language specified as the system default should be enabled. However, this did not work in our lab. Despite explicitly selecting a local language, the locale failed to activate even after restarting the program.

Figure 4: This section lets users set the language locale, among other things. However, this did not work during testing.

Management
To manage individual processes and services, right-click on the desired process or service. You can use the context menu to stop, restart, or even reload services. The Details entry in the context menu provides detailed information about the selected service. This is where you can find out, for example, which dependencies exist. Details in the context menu also gives you more detailed information for processes. Select this option to view the RAM usage, CPU usage, and hard disk space usage.
The application also outputs the file names and paths of the respective process. You will also see the files used by the process along with the names of the users who opened them. This means that, in case of problems, you can look forward to a precise overview of the process’s environment, which is a big help in troubleshooting. The System Monitoring Center displays the individual pieces of information grouped clearly in a tab structure (Figure 5).

Figure 5: The software provides detailed information on processes and services.

Conclusions
System Monitoring Center combines all the critical details of your Linux system in a state-of-the-art and clear-cut interface. The application also lets you manage processes and services, making it possible to cleanly terminate hanging applications. The application’s only potential shortcoming is the lack of language support. Having said this, the interface is largely self-explanatory and the terms used here follow common standards – which lets users quickly find their way around, even if their preferred language happens to be missing.

Info
[1] System Monitoring Center on Flathub: https://flathub.org/apps/io.github.hakandundar34coding.system-monitoring-center
[2] DEB package: https://github.com/hakandundar34coding/system-monitoring-center/releases


FOSSPicks
Sparkling gems and new releases from the world of Free and Open Source Software

After four years of Kickstarter and component delays, Graham finally gets to build his dream Oberheim OB-X clone synthesizer. Don’t expect to see or hear from him for another six months, however. BY GRAHAM MORRISON

Modular synth rack

Cardinal
Physical Eurorack modules can be expensive, and you need the space and time to build your own configuration. The software emulation of Eurorack created by VCV Rack solved all these problems, and consequently became hugely popular. Many physical modules were recreated within VCV. Thanks to so many being open source, software recreations could run exactly the same firmware as their physical counterparts. VCV became very successful, and the module library expanded into its own store where commercial and proprietary recreations could be offered alongside the community-developed one. VCV Rack then became VCV Rack Pro, which ultimately became closed source. The project’s ambition started to generate some friction within the original community, especially when conversations turned towards expansions and reworking VCV into a plugin that could be used within your favorite audio software. The external module library made this difficult, and also allowed the host project, VCV Rack, to exert a level of control that felt out of balance with the developers creating the modules. But the base was still open source, and the ideal community solution was to create a fork that would reflect their values while also hopefully staying on friendly terms with the original project. Cardinal is that fork.
It’s been over two years since then. Cardinal is now a well-established VCV alternative that puts open source at the heart of its mission. It’s been able to do this by completely re-engineering the external module system to create a self-contained single binary system that’s better suited to both the spirit of open source and the way audio plugins are expected to work. The Linux-friendly LV2 format, for example, has been supported from the very beginning, and Cardinal is now available as a CLAP, VST2, VST3, and Audio Unit plugin, across Linux, Windows, and macOS. There are different plugin types too, depending on which kind of sounds you want to play with. These are “main,” “synth,” and “fx,” designed to enable the full version with eight outputs, or with two output versions built for sound design and effects processing respectively. There’s also a “mini” variant with a limited module selection. This self-contained approach means Cardinal can better support multiple architectures, including builds for ARMHF and ARM64, RISC64, and even FreeBSD!
This doesn’t mean you’ll need to forgo the huge VCV Rack library, either, because Cardinal bundles 1,079 modules into a single file, including replacements for all the core Rack modules, some internal utilities, and many third-party modules. Creating and processing sounds in Cardinal is also the same experience, albeit within a completely different themed and rebranded environment. Inputs and outputs consist of audio, MIDI, and control voltages (CVs). While every module is different, oscillator modules will have the same CV control for frequency and waveform control. There are hundreds of variants, and you can connect and interconnect everything with virtual patch cables and save your configuration in a way that’s just not possible with the real hardware. There’s even a dark theme, which the original doesn’t offer, and support for control voltage in and out to real hardware, outside the software realm. If you have a compatible CV or audio interface, this means you can integrate the control signals from your external Eurorack modules with the control signals in your virtual software Eurorack, which is another amazing addition, making Cardinal the default choice if you want to play with virtual Eurorack modules.

1. MIDI and CV: Native MIDI, audio, and even CV control are supported if you have the hardware. 2. Light and dark themes: Change the entire UI for all the modules with a simple switch. 3. Standalone or plugin: Cardinal does not use a plugin system and installs as a single binary or plugin. 4. Audio threading: Audio and MIDI locked to the host. 5. 1,079: The number of modules included in the latest release. 6. Open source: Cardinal is open source first, making it the ideal platform for open source Eurorack modules from Mutable Instruments. 7. Beyond physical: With MPE support and unlimited space, many modules go farther than their hardware-bound counterparts.

Project Website
https://github.com/DISTRHO/Cardinal


Programming editor

Geany 2
We see so many new text editors come and go, it can be difficult to focus on the well-established editors that have been quietly doing their thing for decades. Geany is one of those editors. This major 2.0 release not only includes some magnificent new features, but it also coincides with the project’s 18th birthday. Happy Birthday, Geany! While aiming for speed and efficiency, Geany has also endeavored to be more than a simple graphical text editor. In particular, it’s always combined many of the best language-specific features you find in an IDE without itself becoming a fully fledged IDE. It does this by understanding the syntax of 200 separate languages, offering best-in-class highlighting, code-completion, automatic open and closure of XML and HTML tags, symbol lists, code navigation, and many other language-specific features.
Geany has been able to add these features while successfully remaining light on system resources, as well as being fast and easy to use. The new release has put particular effort into this by splitting configuration files; updating GTK, Scintilla, and Lexilla versions; and updating file-types support, including AutoIt, GDScript, and Markdown. The editor looks fantastic, even on a non-GTK desktop, and supports many different layouts, from adding IDE-related functions such as project, code, and symbol navigation on the left, to folding code views on the right with compiler output below. In common with many other powerful editors, extra commands require user configuration. The Build menu is designed to include your own custom commands for the projects you work on, for example, and there’s a plugin system to add new elements to the core functionality. This personal configurability follows a long tradition for powerful programmers’ editors, such as Sublime Text or TextMate, that are more usually proprietary and available only on other operating systems. Geany 2 is now as good as any of them.

Like a Vim or Emacs for the desktop, Geany has become a powerful and supremely adaptable text editor for all kinds of projects.

Project Website
https://www.geany.org

Space exploration

Celestia 1.7.0
Celestia is an old project, fittingly started in 2001. It was one of the first astronomy applications that portrayed space as infinitely more than a two-dimensional projection onto a skybox. Celestia empowered the observer to leave their two-dimensional viewpoint and terrestrial homes to explore the stars through both space and time, letting them see the solar system in three dimensions (or four!) from Jupiter’s viewpoint, from across the interstellar divide, or from almost anywhere you could imagine. Graphics acceleration had only just made this possible in 2001, but the application successfully tracked and updated GPU upgrades, utilizing any extra memory with sublime planet and nebula textures that could be layered for parallax or to simulate volume. More performance also meant more stars in the sky, which could be zoomed through as you traveled at many times the speed of light through the universe.
While often breathtaking, Celestia was also educational. It was one of the best ways to show that constellations were made mostly from stars in different planes, across vast distances and scales. Similarly, it showed the sun’s location along a fragile arm of the Milky Way, and the celestial dance of our various solar system passengers as they rotate around themselves, the sun, and the black hole at the center of our galaxy. Unfortunately, Celestia then became cryogenically frozen and development slowed to a crawl. Then more recently came a fork (Celestia Origin), a new owner, and a code transfer to GitHub. Now an all-new website and a new stable binary release will hopefully reawaken the project. This is great news because Celestia could truly thrive in a new world of super GPUs, augmented reality, and astronomical imagery. If not, then a similar project built for the web (https://www.ivoyager.dev/planetarium/) is worth bookmarking as a backup plan for those of us who are still looking at the stars. But we’re pinning our hopes on Celestia.

Unlike astronomy apps like Stellarium, Celestia is a true 3D model of the solar system and the universe beyond.

Project Website
https://celestiaproject.space


Audio analysis

Friture
Audio analysis software isn’t just useful for audio engineers who may need to study room acoustics or digital signal processing. It’s just as useful for anyone who may want to check their input or playback quality, or whether an audio recording contains elements that can’t be heard, or even what the frequency response of the hardware may be. Despite this, there aren’t too many open source options available. Audacity is likely the best known, but its audio analysis is only available after you’ve made a recording, and not if you need to monitor the live sound input for your system. It’s also relatively limited in scope (pun intended). Friture, however, is an audio analysis application that doesn’t have any such limitations.
Friture contains five different audio visualization and analysis tools that can be arranged into a dynamic interface that can focus on one or more of these tools. The most useful is the 2D spectrogram, which is very similar to the spectrogram included in Audacity. It plots the input audio frequency over time so you can see any changes in pitch, but also the pitch of any hum or background noise. These are also visible in the spectrum widget, which provides a real-time slice of the same data. The octave spectrum view shows a similar view with spectrum data grouped into columns that represent a fraction of an octave (an octave is a doubling of frequency). A scope view is also available, which shows the shape of the waveform at any given moment. Additionally, there’s a delay estimator for calculating the latency between the left and right inputs, which is useful for speaker alignment, and a general level view for peak power. This selection is perfect for most nonprofessional tasks. Even if you don’t know what you’re doing, they make excellent desktop eye candy or music-visualization tools.

Friture can analyze mono and stereo signals directly from your audio inputs, from either ALSA or Jack.

Project Website
https://friture.org/features.html

Secure Boot manager

sbctl
Unless you’re a security expert, you can often do more harm than good when trying to administrate encryption and security yourself. This isn’t usually a problem when you can pay an expert, but we don’t have that luxury on our own systems. This is why it can be so helpful when distributions set up encryption automatically or handle the secure nature of our keys and drives without requiring our input. But the same isn’t true of Secure Boot, the boot-loader protocol that guarantees the integrity of your installation with keys held within a Trusted Platform Module (TPM). Like many such security systems, Secure Boot’s management from a user’s perspective is best described as opaque.
The problem is that accessing whatever Secure Boot functionality your system supports is typically dependent on your mainboard manufacturer and the features they include in the BIOS or UEFI options. This makes it difficult to document and difficult to maintain, but is also the perfect motivator for a project that wants to make it all a little easier. This is what sbctl, the Secure Boot Manager, has been developed to do. It’s a command-line tool that enables you to access and configure your Secure Boot configuration from your standard user environment. This usually starts with the creation and enrollment of your own keys, which are then incorporated into your EFI-bound Secure Boot configuration on reboot. The sbctl command accomplishes this easily and can then be used to check on the status of your configuration, as well as sign files with the keys you have registered in your Secure Boot configuration and then generate EFI stub bundles. This is the signed bundle of kernel and boot utilities needed to start your system, and sbctl can both generate these and verify their validity.

Use sbctl to create a Secure Boot configuration for your system and to give you confidence in its integrity.

Project Website
https://github.com/Foxboron/sbctl
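The status check described above boils down to two UEFI variables, SecureBoot and SetupMode, which the firmware keeps in its own NVRAM and which Linux exposes as files under efivarfs; setup mode is the state in which a new key set can be enrolled, and SecureBoot=1 is what tells you the firmware is actually enforcing signatures afterwards. The following is an added example, not code from the sbctl project, that reads those two values the way a status report does; the optional directory argument exists only so the functions can be exercised on constructed files.

```shell
#!/bin/sh
# Added example (not part of sbctl): read the SecureBoot and SetupMode UEFI
# variables from efivarfs. Both live under the EFI global variable GUID.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivar_byte FILE -> prints the first data byte of an efivarfs variable.
# efivarfs prefixes the variable data with a 4-byte attributes word, so the
# value byte of SecureBoot and SetupMode sits at offset 4. Returns 1 when the
# variable file is absent or unreadable.
efivar_byte() {
    [ -r "$1" ] || return 1
    od -An -t u1 -j 4 -N 1 "$1" | tr -d ' \n'
}

# secure_boot_state [EFIVARS_DIR] -> prints one of:
#   enabled     the firmware verifies signatures (SecureBoot=1)
#   setup-mode  enforcement is off and the key database is writable
#               (SetupMode=1), the state needed to enroll your own keys
#   disabled    enforcement is off and the key database is locked
#   no-uefi     the variables are missing (legacy BIOS boot or no efivarfs);
#               also returns 1 in that case
secure_boot_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    sb=$(efivar_byte "$dir/SecureBoot-$EFI_GLOBAL_GUID") || { echo no-uefi; return 1; }
    sm=$(efivar_byte "$dir/SetupMode-$EFI_GLOBAL_GUID") || sm=0
    if [ "$sb" = 1 ]; then
        echo enabled
    elif [ "$sm" = 1 ]; then
        echo setup-mode
    else
        echo disabled
    fi
}

# Stand-alone run: report the live state of this machine (ignore the
# non-zero status on machines without UEFI).
secure_boot_state || :
```

Run it once before enrolling keys (expect setup-mode) and once after the reboot that follows (expect enabled); anything else means the firmware did not take the change.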


Modular synth tracker

Sointu
SoundTracker applications are undoubtedly a product of the late 1980s, when they flourished as music creators for the demo and cracking scenes. But the idea behind encoding music as columns of data has persisted and has even become resurgent in recent years. Their popularity is such that the appearance of a new open source clone isn’t that unique. Sointu is the exception. It’s a fork of another project, called 4klang, and they both take the same approach to the SoundTracker interface with a couple of absolutely unique features. The first is that they’re audio trackers designed specifically to output YML or ASM files, which can then be compiled into 4K executables. These 4K executables are an artifact of the original demo scene, where hackers needed to fit their incredible creations into the limited capabilities of the hardware, building an executable that includes the music within just 16, 32, or 64K. In the modern era, the highest accolade goes to those who can squeeze their code into just 4K, which is just enough space to contain the raw text of this page.
Not only is Sointu a tracker designed to produce a 4K music file, it also has its own unique modular synth sound engine. It’s simplistic when compared to something like Cardinal, but it’s a lot more powerful than most trackers’ simple sample playback. You create a sound by adding units, such as an oscillator, filter, and envelope, and joining them with send and receive opcodes. Sointu uses about 386 bytes when compressed, leaving you with just enough room for the music data, all of which comes from the column view of numbers and controls, much like any other tracker. The sound and capabilities are, however, completely different and entirely worth the learning curve if you’re looking for a diminutive music tool with a unique feature set.

Alongside ASM output and a modular synth engine, Sointu includes bitcrusher, clip, compressor, and gain effects.

Project Website
https://github.com/vsariola/sointu

Wavetable synth

Wavetable
There are lots of different kinds of synthesizers, but the vast majority create their sounds from either a VCO or a DCO. These are the sound generators at the beginning of the signal path, and they both essentially create the same set of sounds: sawtooth, pulse, and triangle waveforms, and sometimes sine. These sources are then filtered and manipulated to create what most people would consider the classic synth sound. But there are different forms of synthesis too. There’s frequency modulation (FM), made popular by Yamaha and early PC sound cards, and sample-based synthesis is another. And then there are wavetables. Wavetables replace the VCOs and DCOs with a two- or three-dimensional slice of data that can be moved through and controlled separately.
Despite originating in the 1950s, and briefly flourishing in the 1980s, wavetables remained esoteric until the modern era when electronic musicians discovered that they could be brasher, more dynamic, and thicker than those original VCO sources. The foundation of this movement is a software synthesizer called Serum, but there’s also the incredible and open source Vital, from the same developer behind the more traditional Helm synthesizer. And now we can add this eponymous Wavetable synth to the list. First, and most important, Wavetable sounds amazing. It captures that huge sawtooth and bass sound that EDM has made famous. It has two separate wavetable oscillators and includes a huge range of wavetables that hint at their sources in their names. The UI shows a 3D view of each wavetable, and the location within each wavetable can be modulated with the mouse or any other control. Wavetable even supports MPE to enable a compatible keyboard to control such aspects of the sound with individual keys. There’s a good range of presets, classic filters, and a standard set of envelopes, LFOs, and effects, presenting a much simpler environment than Vital, for example. But this also makes it easier to tweak and create great sounds and the perfect entry point for anyone interested in wavetable synthesis.

Unlike the equally brilliant Vital, you don’t need an online account to get the most from Wavetable.

Project Website
https://github.com/FigBug/Wavetable


Code editor

Helix Editor
Even when we have a multiverse of other text editors, including Geany, there is always room for another. But it’s a brave project that takes on the decades-long command-line dominance of Vim and Emacs. This is exactly what Helix is trying to do, first by adding all kinds of unique features those older editors may never be capable of, and second by gamely calling itself a “postmodern text editor.” This last part seems to come from Helix being written in Rust, a programming language that also seems to position itself as a post-modern version of C/C++. This at least means there are no other dependencies, and the editor will work just as well over SSH as it will locally.

Ironically for an editor that wants to improve long-standing shortcomings, newcomers will find the text-based UI unfathomable. There are no hints on what special keys may be required to save your file, or even to quit. These can be learnt by typing :tutor, which both initiates the in-editor tutorial and tells you that the command mode is invoked with the very Vim-friendly : key. When this is pressed, Helix starts to list context options for what you need, and it then becomes very intuitive to use, with many of the features inspired by Vim and some of its most useful plugins. These include bracket substitution, multiple selections, processing text objects, language documentation, and syntax tables. There are also shortcuts to help you traverse code trees, through language-specific server definitions and functions.

Code project navigation is central to Helix’s advantage over other more generalist and established editors, because the application itself is able to take so much from desktop-based development environments. Pressing the space bar before a forward slash will start a global search, for instance, and any results in your project are listed in a new split-panel view with the file name on the right and a preview of the found location on the right. Central, too, is the idea that Helix is a “multi cursor modal editor,” which means it can process multiple locations at once. You may have encountered a need for this when searching for multiple instances of a term and then wanting to edit them all simultaneously. Helix does this by adding a new cursor at the current location with the Shift+C command. You can then press n for the next search result, followed by Shift+C to create a new cursor. When you have multiple cursors on screen, anything you do at the main cursor will be copied to all other cursor locations. This can be more convenient and intuitive than a global text process, for example, and is ideal when you need to add the same function or arguments to different locations. Pressing , (comma) will restore the single cursor again. Multi-cursor or modal editing is one of those features you can’t go without when you get used to it.

Helix does all of this without supporting additional plugins, which works in its favor because it’s easier to build momentum behind its standard set of features. And it seems to be working. Many developers are now using hx on the command line instead of vim, even if it’s just to work on code projects where it might otherwise be too difficult to set up your typical editor environment. Helix will do it all from a single binary.

Global operations, such as search, can operate on a set of documents, allowing you to preview and dynamically open results in multiple editing buffers.

Even from the terminal, Helix includes many built-in themes that can be dynamically tested from its command mode.

Project Website
https://helix-editor.com


Classic Roguelike

Brogue CE
From a developer’s perspective, Roguelike games are difficult to get right, but a lot of fun if they succeed. They need to balance the player’s natural desire for exploration and adventure with fairness and progress in a randomly generated world of random encounters. The genre’s progenitor, Rogue, obviously got this right, and there have been many popular descendants since its original release in 1980. Brogue CE is one of these, and is itself the Community Edition of a project that started in 2009. Despite being relatively recent, however, Brogue captures the true spirit of the original with its beautifully executed and deceptively immersive ASCII-based text graphics, making it a great first experience for players who have yet to get themselves hooked on procedurally generated entertainment.

Your quest in Brogue is to reach the 26th level of the dungeon. As you move, new areas and resources become visible, with text descriptions that expand upon what you see, prompt you to take potions, and ask when you need to interact with an object or person. It feels authentic but at the same time contemporary as areas light up and move dynamically. You can use the mouse and even set paths through previously explored areas of the map. As with the original Rogue, you soon create a connection with your environment, your progress, and any monkeys which you’ve freed and who have chosen to become your friends. Progress is always difficult and dangerous, with permadeath always just a dive or an encounter away. But this is also what makes Rogue games like these so unique, and Brogue is undoubtedly one of the best modern implementations of that original idea. If you’ve never played one of these kinds of games before, Brogue is the best way to get started.

Press g to replace the ASCII rendering with graphics tiles, although this also removes a little of the original’s charm.

Project Website
https://github.com/tmewett/BrogueCE

Arcade emulator

MAME 0.260
You already know MAME. It’s the multi-platform emulation behemoth that’s famous for running most of the original arcade games from the 1970s onwards. It requires legal access to the original ROMs, but when you have these, MAME is unrivaled. Developers have even gone to the trouble of slicing and scanning the original chips in order to work out the logic and timing, and in many cases they’ve meticulously recreated every nuance of the original hardware in their software emulations. As a result, MAME has become one of the most important open source projects and a vital archive of late 20th-century and early 21st-century gaming. But it’s also a lot of fun.

MAME 0.260 is a particularly exciting release, not just because it includes synthesizer emulation for the first time, in the shape of Casio’s humble CZ-101 complete with MIDI and SysEx support, but because MAME finally allows for CHD delta. MAME can consume over a terabyte of CHD files to hold the disk images of many of the more advanced games, and being able to use deltas across many different variants makes things much easier to manage. Another big feature for shader support is that MAME can now use BGFX video output with Wayland. This follows on from recent support for hard-sectored floppy formats, Namco’s quiz games, Psion Series 3 clamshell PDAs, and even the Motorola 88000 CPU. And that’s barely the last six months of development effort. Alongside all these technical innovations, of course, more and more games are continually being added to the compatibility database. MAME can now emulate over 32,000 individual systems from the last five decades. It’s utterly overwhelming and remarkable what MAME has achieved in its mission to play old games, and the best place to start is to just dive in.

This is a major release for MAME, including synth emulation, CHD deltas, and, most important, emulation of the Acorn Electron’s Cumana DFS floppy disk image.

Project Website
https://www.mamedev.org/



LINUX VOICE TUTORIAL – SSH KEYS

SSH key management demands a rigorous protocol

Enhanced Security
Verifying the security of your SSH configuration and performing regular audits
are critical practices in maintaining a secure Linux environment.

BY MARCIN GASTOL

Secure Shell, better known as SSH, has become an indispensable tool in the toolkit of any IT professional, especially in the Linux world. At its core, SSH is a protocol that allows for encrypted communications between two systems. While its applications are diverse, ranging from remote command execution to secure file transfers, its primary value lies in its ability to secure data in transit, protecting it from eavesdropping and potential breaches.

In the realm of Linux, where open source reigns supreme, SSH stands tall as the de facto method for remote access. Whether you’re administering a cloud-based Linux server or performing routine maintenance tasks, SSH is the bridge that connects you securely to that system. But as with any powerful tool, its potential can be a double-edged sword. Misconfigurations, weak key management, and lax security practices can turn SSH into a potential vulnerability – which underscores the need for rigorous best practices.

Understanding SSH in Linux
Originating in the late ’90s as a response to the insecure Telnet, SSH was created as a cryptographic network protocol that emphasized security. In a Linux environment, the operational mechanism of SSH can be divided into two main components: the client (ssh) and the server (sshd).

When a client wishes to establish a connection, it begins by sending a request to the server. Upon receiving this request, the server presents its public key to the client. If this is the first time the client is connecting to the server, it prompts the user to verify the authenticity of the key. Once verified, the client generates a random session key, encrypts it using the server’s public key, and sends it back. The server, using its private key, decrypts the session key. Both entities now possess a shared secret (the session key) without it ever being transmitted in the clear. This process, known as asymmetric encryption, forms the bedrock of SSH’s security mechanism.

Beyond the encryption scheme, SSH in Linux offers versatility. Using the protocol, professionals can run commands remotely (ssh user@hostname), set up tunneling to encrypt other applications’ data, securely transfer files with SCP or SFTP, and even mount remote directories with SSHFS.

Why SSH Is Crucial for Linux Systems
In today’s cybersecurity landscape, the importance of securing communications cannot be overstated. With threats ranging from man-in-the-middle attacks to advanced persistent threats, the need for a robust, secure method of accessing and administering systems remotely is paramount.

SSH fills this need perfectly for several reasons:
• Everything transmitted over an SSH session, whether command outputs, configuration details, or sensitive files, is encrypted. This means that even if the data is intercepted, deciphering the actual content without the encryption key is next to impossible.
• SSH doesn’t just rely on passwords. With key-based authentication, users can set up a private-public key pair, offering an authentication method that’s considerably harder to breach than traditional passwords.
• Beyond just a secure shell, SSH offers port forwarding, tunneling, and a suite of utilities such as SCP and SFTP, making it a Swiss Army knife for IT professionals.
• While native to Unix-based systems, SSH clients and servers exist for a multitude of platforms, reinforcing its position as a universal remote access tool.

In the context of Linux, with its diverse array of distributions, server setups, and use cases, SSH offers a unified method of secure access and administration. Because it is the backbone of remote Linux administration, understanding and securing SSH is not just advisable, it’s imperative.

Key Management Best Practices
Proper key management is at the heart of SSH security. Adopting stringent practices can


significantly reduce the chances of unauthorized access. The following are some of those practices and the code to implement them.

Generating Strong SSH Keys
RSA with at least 4,096 bits provides a formidable level of encryption, ensuring that brute-force attacks become computationally unfeasible. For professionals managing sensitive infrastructure, the strength of the key directly correlates to the security of the system. To generate strong keys, use:

ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa_custom

Storing and Backing Up Private Keys Securely
A private key, as the name suggests, must remain private. Any inadvertent exposure can compromise the entire system it’s associated with. Setting restrictive permissions ensures that only the rightful user can access it, mitigating the risks of internal breaches. Use:

chmod 600 ~/.ssh/id_rsa_custom

For backups, consider encrypting the key using tools such as GPG before storing in a safe location.

Periodic Key Rotation
Key rotation is like changing the locks on your doors periodically. Even if someone has a copy of your key, it becomes useless after the change. This is especially vital for businesses where staff turnover might be high or where keys might be shared among teams.

Using Agents and Agent Forwarding Safely
SSH agents store decrypted private keys and provide them to clients without exposing the private key itself. However, agent forwarding should be used judiciously, because it can be exploited in chained attacks. Start the agent with:

eval $(ssh-agent)
ssh-add ~/.ssh/id_rsa_custom

SSH Configuration Tuning for Optimal Security
The configuration file, sshd_config, located typically in /etc/ssh/, dictates the behavior of the SSH daemon. Fine-tuning this file enhances security.

Disabling Root Login
The root user is the superuser with absolute powers. Allowing direct root login is akin to leaving the keys to your kingdom outside the castle. Disabling it forces attackers to guess both a valid username and its password/key. To disable root login, use:

PermitRootLogin no

Limiting Allowed Ciphers and Key Exchange Algorithms
Not all encryption methods are created equal. As the digital landscape evolves, some older ciphers become vulnerable. It’s vital to keep abreast of and use only the most secure and updated ciphers, such as:

Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org

Enabling and Configuring AllowUsers and AllowGroups
Allow only the necessary users or groups, using:

AllowUsers user1 user2
AllowGroups sshgroup

Setting Up 2FA
The principle of least privilege dictates that only essential personnel should have access. By allowing specific users or groups, you’re minimizing potential entry points. After ensuring you have a PAM module for two-factor authentication (2FA) such as Google Authenticator, add:

AuthenticationMethods publickey,password publickey,keyboard-interactive

Regularly Updating SSH
Software isn’t static. Vulnerabilities are discovered and patches are released. Regular updates ensure you’re shielded from known exploits. Keep the SSH package up-to-date to ensure vulnerabilities are patched:

sudo apt update && sudo apt upgrade openssh-server

Limiting User Access via SSH
Every user with SSH access is a potential doorway, either for productive work or, if compromised, for malicious intent.

Firewalls and SSH’s Built-In Features
A firewall acts as a sentinel, allowing or denying traffic based on set rules. Restricting SSH access to specific IPs ensures that even if credentials are compromised, only allowed IPs can initiate a connection. Uncomplicated Firewall (ufw) on Ubuntu is an example. To allow only a specific IP use:

sudo ufw allow from 192.168.1.100 to any port 22

Setting Up and Configuring Chroot Environments for SSH Users
A chroot environment limits a user to a specific directory, restricting their movements. In sshd_config use:


Match User restricted_user
    ChrootDirectory /home/restricted_user
    AllowTCPForwarding no
    PasswordAuthentication yes

Implementing Account Expiration for Temporary SSH Access
Temporary accounts are a double-edged sword. While they provide short-term access, they often get forgotten and become a long-term security risk. By setting expiration dates, these accounts auto-deactivate, ensuring no lingering vulnerabilities. Use:

sudo usermod -e YYYY-MM-DD temporary_user

Monitoring and Auditing SSH Access Logs
Logs offer a retrospective view of all SSH activities. Regularly monitoring them can unearth suspicious patterns, repeated login attempts, or unauthorized access, allowing timely interventions and investigations. Regularly inspecting /var/log/auth.log on Debian/Ubuntu or /var/log/secure on CentOS/Red Hat can give insights into access patterns and potential breaches.

Each of these technical aspects, when correctly configured, plays a pivotal role in safeguarding your Linux systems against unauthorized SSH access.

Advanced SSH Features for Enhanced Security
Port Forwarding and Tunneling
SSH isn’t just for shell access. One of its powerful features is the ability to forward ports, essentially creating encrypted tunnels for other protocols. This can be used to securely access databases, web interfaces, and other services without exposing them to the open Internet. However, while this feature enhances security, it’s crucial to use it judiciously to prevent unintentional data leaks or unwanted access. To accomplish this, use:

ssh -L local_port:remote_host:remote_port user@ssh_server

Using SSH Jump Hosts
In high-security environments, it’s common to use an SSH jump host (also known as a bastion host). This setup allows SSH access only through the jump host, acting as a single point of entry and exit. It isolates the internal network and provides a buffer against direct external attacks. By consolidating access through a jump host, auditing and monitoring become centralized and more manageable. To do this, use:

ssh -J user@jumphost user@targethost

PKI for SSH
In large organizations or environments with many users and hosts, managing individual SSH keys can become cumbersome. Implementing a public key infrastructure (PKI) simplifies this. PKI involves a certificate authority (CA) that issues and verifies digital certificates. Instead of trusting individual keys, your systems trust the CA, and any key signed by that CA is inherently trusted. This centralizes and streamlines key management while maintaining high security levels.

Host Certificates
Just as users can be authenticated with keys, hosts can be authenticated using host certificates. This prevents man-in-the-middle attacks by ensuring that you’re connecting to the genuine server and not an imposter.

Conclusion
SSH isn’t merely a tool – it’s a foundation upon which the secure infrastructure of modern businesses is built. Its versatility, ranging from secure command-line access to intricate tunnels for data, makes it a staple in the toolkit of IT professionals. However, with such power comes responsibility. It’s paramount that IT professionals not only understand the capabilities of SSH but also the best practices associated with its use. Key management, configuration tuning, user access restrictions, and advanced features all play a pivotal role in crafting a resilient security posture.

In today’s digital age, where threats are evolving and becoming increasingly sophisticated, a proactive approach to SSH security isn’t just recommended, it’s essential. By diligently applying the best practices and techniques discussed, professionals can ensure the sanctity of their systems, data, and operations, paving the way for a secure and efficient IT ecosystem.

The Author
Marcin Gastol is a Senior DevOps Engineer and Microsoft Certified Trainer with extensive experience in Azure technologies and teaching various IT subjects. Marcin hosts a blog covering multiple IT areas at https://marcingastol.com/.
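The tutorial’s “Understanding SSH in Linux” section describes the moment the client asks you to verify the server’s key, and the “Host Certificates” section explains why a changed host key matters. The script below is an added example, not code from the article or from OpenSSH: it shows the arithmetic behind that prompt, computing the SHA256: fingerprint ssh prints from a public key blob and matching the host against known_hosts entries in both plain and hashed (HashKnownHosts) form. The key bytes, salt, and hostnames are constructed placeholders, not real key material.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: an ssh-ed25519 public key whose 32 key bytes are
# arbitrary (not any real server's key). Hostnames are hypothetical.
SAMPLE_KEY_BYTES = bytes(range(32))
SAMPLE_HOST = "web1.example.internal"


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(key_bytes: bytes) -> bytes:
    """Build the binary public key blob that known_hosts stores base64-encoded."""
    return ssh_string(b"ssh-ed25519") + ssh_string(key_bytes)


def decode_blob(key_type: str, b64: str) -> bytes:
    """Base64-decode a key field and check that the embedded type matches the text field."""
    blob = base64.b64decode(b64)
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len].decode() != key_type:
        raise ValueError("key type in blob does not match the declared type")
    return blob


def fingerprint_sha256(blob: bytes) -> str:
    """The 'SHA256:...' fingerprint ssh shows: base64 of sha256(blob) with '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_known_hosts_name(hostname: str, salt: bytes) -> str:
    """Host field as written with HashKnownHosts yes: |1|b64(salt)|b64(HMAC-SHA1(salt, host))|"""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(host_field: str, hostname: str) -> bool:
    """Match a known_hosts host field, plain (comma-separated) or hashed, against hostname."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64, _ = host_field.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return hostname in host_field.split(",")


def verify_host_key(known_hosts: str, hostname: str, presented_blob: bytes) -> str:
    """Return 'match', 'mismatch' (pinned key differs: treat as a possible MITM) or 'unknown'."""
    presented_fp = fingerprint_sha256(presented_blob)
    for line in known_hosts.splitlines():
        fields = line.strip().split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        host_field, key_type, b64 = fields[:3]
        if not host_matches(host_field, hostname):
            continue
        known_fp = fingerprint_sha256(decode_blob(key_type, b64))
        return "match" if known_fp == presented_fp else "mismatch"
    return "unknown"


def demo() -> dict:
    """Exercise the checks against a constructed known_hosts file."""
    blob = make_ed25519_blob(SAMPLE_KEY_BYTES)
    b64 = base64.b64encode(blob).decode()
    salt = bytes(range(20))  # constructed; OpenSSH draws 20 random bytes per entry
    known_hosts = "\n".join([
        "# constructed known_hosts: one plain entry, one hashed entry",
        "%s ssh-ed25519 %s" % (SAMPLE_HOST, b64),
        "%s ssh-ed25519 %s" % (hashed_known_hosts_name("db1.example.internal", salt), b64),
    ])
    changed_key = make_ed25519_blob(bytes(reversed(SAMPLE_KEY_BYTES)))
    return {
        "fingerprint": fingerprint_sha256(blob),
        "plain_entry": verify_host_key(known_hosts, SAMPLE_HOST, blob),
        "hashed_entry": verify_host_key(known_hosts, "db1.example.internal", blob),
        "key_changed": verify_host_key(known_hosts, SAMPLE_HOST, changed_key),
        "never_seen": verify_host_key(known_hosts, "new.example.internal", blob),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-13s %s" % (name, result))
```

The "mismatch" outcome is the one that deserves attention: it is what ssh reports as a changed host key, and the fix is to confirm the new fingerprint out of band rather than delete the known_hosts line. The parser deliberately handles only the plain and hashed host forms; known_hosts lines that begin with @cert-authority or @revoked markers, or that use the [host]:port syntax, are outside the example's scope.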

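The “Storing and Backing Up Private Keys Securely” and “Periodic Key Rotation” sections set two rules for key files: mode 600 and regular replacement. This added example (mine, not the article’s) turns both into a check that can be run over a ~/.ssh-style directory and a remediation that applies the tutorial’s chmod. The 180-day rotation window is an assumption for the example; the article gives no figure. The sample directory it audits is a constructed temporary fixture with placeholder files, not real key material.

```python
import os
import stat
import tempfile
import time

PRIVATE_KEY_MODE = 0o600  # the tutorial's chmod 600
SSH_DIR_MODE = 0o700
MAX_KEY_AGE_DAYS = 180    # assumed rotation window; the tutorial gives no number


def is_private_key(path):
    """A file is treated as a private key if it starts with a PEM/OpenSSH private key header."""
    try:
        with open(path, "rb") as fh:
            first = fh.readline()
    except OSError:
        return False
    return first.startswith(b"-----BEGIN") and b"PRIVATE KEY" in first


def audit_ssh_dir(ssh_dir, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (path, finding) tuples for a ~/.ssh-style directory."""
    now = time.time() if now is None else now
    findings = []
    dir_mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    if dir_mode & 0o077:
        findings.append((ssh_dir, "directory mode %o lets group/other read or traverse it" % dir_mode))
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path) or not is_private_key(path):
            continue
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:
            findings.append((path, "private key mode %o is wider than 0600" % mode))
        age_days = int((now - st.st_mtime) // 86400)
        if age_days > max_age_days:
            findings.append((path, "last written %d days ago, past the %d-day rotation window"
                             % (age_days, max_age_days)))
    return findings


def fix_permissions(ssh_dir):
    """Apply 700 to the directory and 600 to every private key; return how many entries changed."""
    changed = 0
    if stat.S_IMODE(os.stat(ssh_dir).st_mode) != SSH_DIR_MODE:
        os.chmod(ssh_dir, SSH_DIR_MODE)
        changed += 1
    for name in os.listdir(ssh_dir):
        path = os.path.join(ssh_dir, name)
        if (os.path.isfile(path) and is_private_key(path)
                and stat.S_IMODE(os.stat(path).st_mode) != PRIVATE_KEY_MODE):
            os.chmod(path, PRIVATE_KEY_MODE)
            changed += 1
    return changed


def build_sample_dir():
    """Constructed fixture: a temp .ssh directory with one tidy key, one sloppy stale key, one public key."""
    d = tempfile.mkdtemp(prefix="ssh-audit-")
    files = {
        "id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed placeholder, not key material)\n",
        "id_rsa_custom": "-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder, not key material)\n",
        "id_ed25519.pub": "ssh-ed25519 AAAA(constructed placeholder)\n",
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    os.chmod(d, 0o755)                                  # too open
    os.chmod(os.path.join(d, "id_ed25519"), 0o600)      # correct
    os.chmod(os.path.join(d, "id_rsa_custom"), 0o644)   # world-readable private key
    old = time.time() - 400 * 86400                     # older than the rotation window
    os.utime(os.path.join(d, "id_rsa_custom"), (old, old))
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for path, finding in audit_ssh_dir(sample):
        print(path, "->", finding)
    print("fixed", fix_permissions(sample), "entries")
```

Only the mode and age findings can be fixed by chmod; the rotation finding stays until the key is actually regenerated with ssh-keygen and the old public key removed from every authorized_keys file that lists it.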

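The “SSH Configuration Tuning for Optimal Security” sections list individual sshd_config directives (PermitRootLogin, Ciphers, KexAlgorithms, AllowUsers/AllowGroups, AuthenticationMethods, and the chroot Match block). This added example, written for this page rather than taken from the article or from OpenSSH, parses an sshd_config text the way sshd reads it (case-insensitive keywords, first occurrence wins, Match blocks scoped until the next Match) and checks it against exactly those recommendations. The two configurations it audits are constructed samples; the allow-lists are the cipher and key exchange names the tutorial prints.

```python
import re

# The allow-lists are exactly the Ciphers and KexAlgorithms the tutorial recommends.
STRONG_CIPHERS = {"aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"}
STRONG_KEX = {"curve25519-sha256", "curve25519-sha256@libssh.org"}

# Constructed sample configurations (not taken from any real host).
PERMISSIVE_CONFIG = """\
# constructed: roughly what an untouched server might look like
Port 22
PermitRootLogin yes
Ciphers aes256-gcm@openssh.com,aes128-cbc
Match User restricted_user
    ChrootDirectory /home/restricted_user
"""

HARDENED_CONFIG = """\
# constructed: the tutorial's directives combined into one file
PermitRootLogin no
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
AllowUsers user1 user2
AllowGroups sshgroup
AuthenticationMethods publickey,password publickey,keyboard-interactive
Match User restricted_user
    ChrootDirectory /home/restricted_user
    AllowTCPForwarding no
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Parse sshd_config into (global settings, list of Match blocks).

    Keywords are case-insensitive (stored lowercased); for each keyword the
    first occurrence wins, as in sshd; everything after a Match line belongs
    to that block until the next Match line.
    """
    global_cfg, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {"criteria": value, "settings": {}}
            blocks.append(current)
            continue
        target = global_cfg if current is None else current["settings"]
        target.setdefault(key, value)
    return global_cfg, blocks


def check_algorithm_list(name, value, allowed, findings):
    """Flag a Ciphers/KexAlgorithms list that is unset, merely amends the default, or has extras."""
    if value is None:
        findings.append("%s not set, so sshd's built-in default list applies" % name)
    elif value[0] in "+-^":
        findings.append("%s uses a +/-/^ prefix, which edits the default list instead of replacing it" % name)
    else:
        extra = set(value.split(",")) - allowed
        if extra:
            findings.append("%s contains entries outside the allow-list: %s" % (name, ",".join(sorted(extra))))


def audit_sshd_config(text):
    """Return a list of human-readable findings; an empty list means every check passed."""
    cfg, blocks = parse_sshd_config(text)
    findings = []
    # OpenSSH's default is prohibit-password, which still lets root in with a key.
    if cfg.get("permitrootlogin", "prohibit-password").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    check_algorithm_list("Ciphers", cfg.get("ciphers"), STRONG_CIPHERS, findings)
    check_algorithm_list("KexAlgorithms", cfg.get("kexalgorithms"), STRONG_KEX, findings)
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("neither AllowUsers nor AllowGroups limits who may log in")
    methods = cfg.get("authenticationmethods")
    # Each space-separated entry is one chain of methods that must all succeed.
    if methods is None or not all("publickey" in chain.split(",") for chain in methods.split()):
        findings.append("AuthenticationMethods does not require publickey in every chain")
    for block in blocks:
        s = block["settings"]
        if "chrootdirectory" in s and s.get("allowtcpforwarding", "yes").lower() != "no":
            findings.append("Match %s: ChrootDirectory set without AllowTCPForwarding no" % block["criteria"])
    return findings


if __name__ == "__main__":
    for label, text in (("permissive", PERMISSIVE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sshd_config(text) or ["OK"])
```

Two caveats that the file alone cannot tell you: the effective configuration after Include files and command-line overrides is what sshd -T prints, so run the audit on that output on a live host; and ChrootDirectory only works when the directory and every component of its path are owned by root and writable by no other user, which is a filesystem property this script does not check.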

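The “Monitoring and Auditing SSH Access Logs” section says to read /var/log/auth.log for repeated login attempts and unauthorized access but does not show what to look for. This added example (not from the article) parses the sshd “Accepted” and “Failed” lines in that log format, counts failures per source, flags sources that exceed a failure threshold inside a sliding time window, and lists successful logins a reviewer should examine: direct root logins, password rather than key authentication, sources outside the allowed set, and a success that follows earlier failures from the same address. The log lines are constructed; the source addresses are RFC 5737 documentation ranges, and 192.168.1.100 is the address the tutorial’s ufw rule allows.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in /var/log/auth.log (Debian/Ubuntu) format. Attacker-side
# addresses are RFC 5737 documentation ranges; 192.168.1.100 mirrors the
# tutorial's ufw allow rule.
SAMPLE_AUTH_LOG = """\
Feb  1 10:01:02 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Feb  1 10:01:03 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 51235 ssh2
Feb  1 10:01:04 web1 sshd[1205]: Failed password for root from 203.0.113.9 port 51236 ssh2
Feb  1 10:01:05 web1 sshd[1207]: Failed password for root from 203.0.113.9 port 51237 ssh2
Feb  1 10:01:06 web1 sshd[1209]: Failed password for root from 203.0.113.9 port 51238 ssh2
Feb  1 10:01:09 web1 sshd[1210]: Accepted publickey for user1 from 192.168.1.100 port 50001 ssh2: ED25519 SHA256:constructed
Feb  1 10:02:11 web1 sshd[1215]: Accepted password for root from 203.0.113.9 port 51240 ssh2
Feb  1 10:03:00 web1 sshd[1220]: Failed password for user2 from 198.51.100.7 port 40000 ssh2
Feb  1 10:03:30 web1 sshd[1221]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
"""

ALLOWED_SOURCES = {"192.168.1.100"}  # the tutorial's firewall allow-list

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Return login events as dicts; lines that are not auth decisions are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")  # syslog lines carry no year
        e["outcome"] = e["outcome"].lower()
        events.append(e)
    return events


def failed_by_ip(events):
    """Failure count per source address."""
    return Counter(e["ip"] for e in events if e["outcome"] == "failed")


def brute_force_sources(events, threshold=5, window_seconds=60):
    """Sources with at least `threshold` failures inside any `window_seconds` span."""
    by_ip = defaultdict(list)
    for e in events:
        if e["outcome"] == "failed":
            by_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def risky_accepts(events, allowed=ALLOWED_SOURCES):
    """Successful logins a reviewer should look at, each with the reasons it was flagged."""
    flagged = []
    failures_before = Counter()
    for e in events:
        if e["outcome"] == "failed":
            failures_before[e["ip"]] += 1
            continue
        reasons = []
        if e["user"] == "root":
            reasons.append("direct root login (PermitRootLogin should be no)")
        if e["method"] == "password":
            reasons.append("password authentication instead of a key")
        if e["ip"] not in allowed:
            reasons.append("source %s is not in the allowed set" % e["ip"])
        if failures_before[e["ip"]]:
            reasons.append("success after %d earlier failures from the same source" % failures_before[e["ip"]])
        if reasons:
            flagged.append((e["ts"].strftime("%b %d %H:%M:%S"), e["user"], e["ip"], reasons))
    return flagged


def report(text=SAMPLE_AUTH_LOG):
    events = parse_auth_log(text)
    return {
        "failed_by_ip": dict(failed_by_ip(events)),
        "brute_force": sorted(brute_force_sources(events)),
        "risky_accepts": risky_accepts(events),
    }


if __name__ == "__main__":
    for section, value in report().items():
        print(section, value)
```

On a real host the same regular expression applies to /var/log/secure on CentOS/Red Hat; systems using journald expose the same messages through journalctl -u ssh (or sshd). The "success after earlier failures" reason is the one worth paging on: a brute-force run that ends in an Accepted line is the signature of a guessed password.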
SERVICE
Back Issues

LINUX
NEWSSTAND
Order online:
https://bit.ly/Linux-Magazine-catalog

Linux Magazine is your guide to the world of Linux. Monthly issues are packed with advanced technical
articles and tutorials you won't find anywhere else. Explore our full catalog of back issues for specific
topics or to complete your collection.
#278/January 2024
Scientific Computing
A crypto mining rig is built for math. Can an old rig find a second life solving science problems?
That all depends on the problem. Also this month, we explore a few popular data analysis
techniques and stir up some analysis of our own with the R programming language.
On the DVD: Kubuntu 23.10 and Fedora 39

#277/December 2023
Low-Code Tools
Experienced programmers are hard to find. Wouldn’t it be nice if subject matter experts and
occasional coders could create their own applications? The low-code revolution is all about
lowering the bar for programming knowledge. This month we show you some tools that let
you assemble an application using easy graphical building blocks.
On the DVD: MX Linux MX-23_x64 and Kali Linux 2023.3

#276/November 2023
ChatGPT on Linux
Everybody’s talking about ChatGPT, and ChatGPT is talking about everything. Sure you can
access the glib and versatile AI chatbot from a web interface, but think of the possibilities if
you tune in from the Linux command line.
On the DVD: Rocky Linux 9.2 and Debian 12.1

#275/October 2023
Think like an Intruder
The worst case scenario is when the attackers know more than you do about your network. If you
want to stay safe, learn the ways of the enemy. This month we give you a glimpse into the mind of
the attacker, with a close look at privilege escalation, reverse shells, and other intrusion techniques.
On the DVD: AlmaLinux 8.2 and blendOS

#274/September 2023
The Best of Small Distros
Nowadays, all the attention is on big, enterprise distributions supported by professional
developers at big, enterprise corporations, but small distros are still a thing. If you’re shopping
for a Linux to run on old hardware, if you just want a simpler system that is more responsive
and less cluttered, or if you’re looking for a special Linux tailored for a special purpose, you’re
sure to find inspiration in our look at small and specialty Linux systems.
On the DVD: 10 Small Distro ISOs and 4 Small Distro Virtual Appliances

#273/August 2023
Podcasting
On the Internet, you don’t have to wait for permission to speak to the world. Podcasting lets you
connect with your audience no matter where they are. Whether you're in it to build community,
raise awareness about your skills, or just have some fun, the tools of the Linux environment
make it easy to take your first steps.
On the DVD: Linux Mint 21.1 Cinnamon and openSUSE Leap 15.5



SERVICE
Events

FEATURED EVENTS
Users, developers, and vendors meet at Linux events around the world.
We at Linux Magazine are proud to sponsor the Featured Events shown here.
For other events near you, check our extensive events calendar online at
https://www.linux-magazine.com/events.
If you know of another Linux event you would like us to add to our calendar,
please send a message with all the details to info@linux-magazine.com.

State of Open Con 2024
Date: February 6-7, 2024
Location: London, United Kingdom
Website: https://stateofopencon.com/
OpenUK's State of Open Con 2024 will take place at The Brewery in London. Don't miss the UK's Open Technology Conference focused on Open Source Software, Open Hardware, and Open Data. Join us in London for outstanding content, amenities, and delegate interactive experiences with world-class speakers.

FOSS Backstage
Date: March 4-5, 2024
Location: Berlin, Germany
Website: https://24.foss-backstage.de/
What makes an open source project flourish? We want to encourage more discourse about the non-coding aspects of successful open source projects. The sixth edition of FOSS Backstage will take place in Berlin (and online) on 4th and 5th March 2024. Join us for two days of exciting talks and discussions.

SCaLE 21x
Date: March 14-17, 2024
Location: Pasadena, California
Website: https://www.socallinuxexpo.org/scale/21x
SCaLE is the largest community-run open-source and free software conference in North America. It is held annually in the greater Los Angeles area. Join us for the 21st Annual Southern California Linux Expo March 14-17. In addition to presentations, there are numerous co-located events on a variety of topics.

Events
FOSDEM Feb 3-4 Brussels, Belgium https://fosdem.org/

State of Open Con 24 Feb 6-7 London, United Kingdom https://stateofopencon.com/

IEEE Serious Open Source 2024 Feb 20-21 Mountain View California https://events.bizzabo.com/549239

DeveloperWeek SF Bay Area Feb 21-23 San Francisco, California https://www.developerweek.com/

Academy Software Foundation Open Source Forum Feb 22 Los Angeles, California & Virtual https://events.linuxfoundation.org

KickStart Europe 2024 Feb 26-27 Amsterdam, Netherlands https://www.kickstartconf.eu/

DeveloperWeek Live Online Feb 27-29 Virtual Event https://www.developerweek.com/

FOSS Backstage Mar 4-5 Berlin, Germany https://24.foss-backstage.de/

Energy HPC Conference Mar 5-7 Houston, Texas https://www.energyhpc.rice.edu/

SCaLE 21x Mar 14-17 Pasadena, California https://www.socallinuxexpo.org/scale/21x

CloudFest 2024 Mar 18-21 Europa-Park, Germany https://www.cloudfest.com/

AppDeveloperCon Mar 19 Paris, France https://events.linuxfoundation.org

BackstageCon Mar 19 Paris, France https://events.linuxfoundation.org

Cloud Native AI Day Mar 19 Paris, France https://events.linuxfoundation.org

KubeCon + CloudNativeCon Europe Mar 19-22 Paris, France https://events.linuxfoundation.org/

Embedded Open Source Summit Apr 16-18 Seattle, Washington https://events.linuxfoundation.org

Open Source Summit North America Apr 16-18 Seattle, Washington https://events.linuxfoundation.org

Open Source Camp on Kubernetes April 18 Nürnberg, Germany https://opensourcecamp.de/

Images © Alex White, 123RF.com



SERVICE
Contact Info / Authors

Contact Info
Editor in Chief
Joe Casad, jcasad@linux-magazine.com
Copy Editors
Amy Pettle, Aubrey Vaughn
News Editors
Jack Wallen, Amber Ankerholz
Editor Emerita Nomadica
Rita L Sooby
Managing Editor
Lori White
Localization & Translation
Ian Travis
Layout
Dena Friesen, Lori White
Cover Design
Lori White
Cover Image
© Akaratee Nithipanmangkorn, 123RF.com and lexey111, Fotolia.com
Advertising
Brian Osborn, bosborn@linuxnewmedia.com
phone +49 8093 7679420
Marketing Communications
Gwen Clark, gclark@linuxnewmedia.com
Linux New Media USA, LLC
4840 Bob Billings Parkway, Ste 104
Lawrence, KS 66049 USA
Publisher
Brian Osborn
Customer Service / Subscription
For USA and Canada:
Email: cs@linuxnewmedia.com
Phone: 1-866-247-2802
(Toll Free from the US and Canada)
For all other countries:
Email: subs@linux-magazine.com
www.linux-magazine.com

While every care has been taken in the content of the magazine, the publishers cannot be held responsible for the accuracy of the information contained within it or any consequences arising from the use of it. The use of the disc provided with the magazine or any material provided on it is at your own risk.

Copyright and Trademarks © 2024 Linux New Media USA, LLC.
No material may be reproduced in any form whatsoever in whole or in part without the written permission of the publishers. It is assumed that all correspondence sent, for example, letters, email, faxes, photographs, articles, drawings, are supplied for publication or license to third parties on a non-exclusive worldwide basis by Linux New Media USA, LLC, unless otherwise stated in writing.
Linux is a trademark of Linus Torvalds.
All brand or product names are trademarks of their respective owners. Contact us if we haven’t credited your copyright; we will always correct any oversight.
Printed in Nuremberg, Germany by Kolibri Druck.
Distributed by Seymour Distribution Ltd, United Kingdom
Represented in Europe and other territories by: Sparkhaus Media GmbH, Bialasstr. 1a, 85625 Glonn, Germany.
Linux Magazine (Print ISSN: 1471-5678, Online ISSN: 2833-3950, USPS No: 347-942) is published monthly by Linux New Media USA, LLC, and distributed in the USA by Asendia USA, 701 Ashland Ave, Folcroft PA. Application to Mail at Periodicals Postage Prices is pending at Philadelphia, PA and additional mailing offices. POSTMASTER: send address changes to Linux Magazine, 4840 Bob Billings Parkway, Ste 104, Lawrence, KS 66049, USA.

WRITE FOR US
Linux Magazine is looking for authors to write articles on Linux and the tools of the Linux environment. We like articles on useful solutions that solve practical problems. The topic could be a desktop tool, a command-line utility, a network monitoring application, a homegrown script, or anything else with the potential to save a Linux user trouble and time. Our goal is to tell our readers stories they haven’t already heard, so we’re especially interested in original fixes and hacks, new tools, and useful applications that our readers might not know about. We also love articles on advanced uses for tools our readers do know about – stories that take a traditional application and put it to work in a novel or creative way.

We are currently seeking articles on the following topics for upcoming cover themes:
• Open hardware
• Linux boot tricks
• Best browser extensions

Let us know if you have ideas for articles on these themes, but keep in mind that our interests extend through the full range of Linux technical topics, including:
• Security
• Advanced Linux tuning and configuration
• Internet of Things
• Networking
• Scripting
• Artificial intelligence
• Open protocols and open standards

If you have a worthy topic that isn’t on this list, try us out – we might be interested!

Please don’t send us articles about products made by a company you work for, unless it is an open source tool that is freely available to everyone. Don’t send us webzine-style “Top 10 Tips” articles or other superficial treatments that leave all the work to the reader. We like complete solutions, with examples and lots of details. Go deep, not wide.

Describe your idea in 1-2 paragraphs and send it to: edit@linux-magazine.com. Please indicate in the subject line that your message is an article proposal.

Authors
Dave Allerton 70
Bernhard Bablok 66
Erik Bärwaldt 26, 82
Chris Binnie 38
Zack Brown 12
Bruce Byfield 6, 22, 32, 44
Joe Casad 3
Mark Crutch 77
Marcin Gastol 92
Jon “maddog” Hall 79
Daniel LaSalle 48
Vincent Mealing 77
Graham Morrison 86
Thorsten Scherf 80
Mike Schilli 58
Markus Stubbig 16
Jack Wallen 8
Matthias Wübbeling 36, 54



NEXT MONTH
Issue 280 / March 2024
Available Starting February 9

Plasma 6
A major release of KDE’s Plasma desktop
arrives with many new tools and some lasting
innovations. We’ll fill you in on the changes
coming to KDE’s innovative interface.

Preview Newsletter
The Linux Magazine Preview is a monthly email
newsletter that gives you a sneak peek at the next
issue, including links to articles posted online.
Sign up at: https://bit.ly/Linux-Update

Image © tamersale and jossdim, 123RF.com
