Linux USA 02 2024
FREE DVD
our maker-tech flight simulator
Intrusion Detection: Protect your home network with a Raspberry Pi
ON THE COVER
36 DNS Subdomain Hijacking – Protect yourself from the dangers of dangling DNS records with DNS Reaper.
54 VeraCrypt – Save your secrets with this powerful disk encryption tool.

NEWS
8 News
• Hundreds of Consumer and Enterprise Devices Vulnerable to LogoFAIL
• Linux Mint 21.3 Beta Available
• Arch Linux 2023.12.01 Released
• Zorin OS 17 Beta Available for Testing
• Red Hat Migrates RHEL from Xorg to Wayland
• PipeWire 1.0 Officially Released
• Rocky Linux 9.3 Available for Download
• Ubuntu Budgie Shifts How to Tackle Wayland
• TUXEDO’s New Ultraportable Linux Workstation Released
12 Kernel News
• Fonts in the Kernel
• IA-64 Removed from the Kernel (Not)
• Jitter Patches

REVIEWS
22 Distro Walk – Peppermint OS – Peppermint OS promotes user choice every step of the way. Bruce talks to the Peppermint OS team about how the project has evolved over more than a decade.
26 Organizational Tools – If you need help staying organized, Linux does not let you down with its large collection of organization and scheduling tools.

IN-DEPTH
32 Command Line – tldr – A simplified alternative to man pages, tldr provides the most common command options at a glance.
70 Pi Flight Simulator – A Raspberry Pi 4B with Linux can solve the equations for real-time aircraft simulation, including emulation of modern aircraft flight displays.
80 Oh My Posh – Adapt the terminal’s appearance and feature set with the Oh My Posh prompt theme engine.

TWO TERRIFIC DISTROS – DOUBLE-SIDED DVD! SEE PAGE 6 FOR DETAILS

95 Back Issues
96 Events
97 Call for Papers
98 Coming Next Month
GCC Toolset (version 13), LLVM Toolset 16.0.6, Rust Toolset 1.71.1, and Go Toolset 1.20.6.
A number of issues also have been fixed for the installer and image creator, security, software management, shells and CLI tools, networking, and more.
One thing to keep in mind with this release is that there is no upgrade path to 9.3 from version 8. If you’re running Rocky Linux 8.x, you’ll need to do a fresh install to migrate to version 9.3.
You can download an ISO of Rocky Linux 9.3 (https://rockylinux.org/download) and read the full release notes (https://docs.rockylinux.org/release_notes/9_3/) for more information.
virtually impossible for the kernel to ever be released under a license other than the GPL v2. The GNU project suggests releasing code under the terms of a particular version, “or any later version.” But Linus Torvalds chose not to trust the future of the GNU project in that way. And with each developer holding the copyright to their own patches, the effort to find all of those people and get their permission to relicense their kernel patches would be a completely overwhelming task. It simply couldn’t be done. Like it or not, the Linux kernel is now and forever subject to the terms of the GPL v2. So whenever something like Bagas’s font issue comes up, I’m always curious about how it will all be resolved. As I said before, BSD code can be relicensed, and for sure there is BSD code in Linux that has been relicensed under the terms of the GPL v2. There are other “GPL-compatible” licenses that have code under their terms in the kernel as well. The final result in any particular case is never obvious ahead of time, and it’s always fascinating to watch the debates play out.

IA-64 Removed from the Kernel (Not)
Arnd Bergmann posted a patch, announcing, “The ia64 architecture gets its well-earned retirement as planned.” His patch removed all IA-64 support in the kernel. The IA-64 platform is the Intel Itanium chip, developed with Hewlett-Packard in the early 2000s. It had a pretty good run. In fact, it represented a whole series of chips and a significant and ambitious departure from Intel’s previous approach to chip design, but it was discontinued by Intel in 2019.
Arnd’s patch was accepted immediately, to the dumbfounded dismay of Frank Scheiner, who posted the following response:
“So the ia64 removal happened despite the efforts – not only from us – to keep it alive in Linux. That is a – sad – fact now.
“There was no real breakage for ia64 in the kernel that I know of since [db3e33d] was merged five months ago and _if it ain’t broke, don’t fix it_.
“Well, it’s really broken now.
“We built upon what others had accomplished before in the kernel and outside of the kernel. We started to take care of existing problems (glibc, gcc) and others also did their part in getting things fixed for ia64 (grub). We gathered people around us that have both the required machines and the interest to help out. And despite what others claim, we are users of this architecture and continue to be and we are not alone.
“We simply tried to take care of the architecture in and outside of kernel space with the assumption that this was what was needed to keep an architecture alive. But apparently that was either not good enough, not wanted or simply not enough to prevent its removal.
“At the moment I am out of ideas what other options there are, actually I’m really puzzled here. Because what we tried to accomplish, isn’t that what you want for Linux: to arouse people’s interest in working on the kernel and ecosystem? Well, you were successful with that for ia64, but removed it anyhow.
“So I ask the simple question:
“What needs to be done to get ia64 back into Linux?”
This response came as a surprise to Linus Torvalds, who had been under the impression the architecture was well and truly dead. He replied to Frank:
“Well, I’d have personally been willing to resurrect it, but I was told several times that other projects were basically just waiting for the kernel support to die.
“Has the itanium situation really changed?
“The thing is, nobody doing new kernel code wants to deal with itanium, so relegating it to the same situation that i386 support was (‘it still works in old kernels’) doesn’t seem to be a huge issue for the people who actually want to use those machines.
“That said, I’d be willing to resurrect itanium support, even though I personally despise the architecture with a passion for being fundamentally based on faulty design premises, and an implementation based on politics rather than good technical design.
“But only if it turns out to actually have some long-term active interest (ie compare it to the situation with m68k etc – clearly dead architectures that we still support despite them being not relevant – because some people care and they don’t cause pain).
“So I’d be willing to come back to the ‘can we resurrect it’ discussion, but not immediately – more along the lines of a ‘look, we’ve been maintaining it out of tree for a year, the other infrastructure is still alive, there is no impact on the rest of the kernel, can we please try again’?”
John Paul Adrian Glaubitz replied to this with a whoop of glee, remarking, “I think this is a very reasonable approach. If keeping the architecture alive is sustainable, it should be possible to do that out of tree for a given period of time.”
And Tomáš Glozar also remarked to Linus, “I agree with Adrian, that sounds very reasonable to me. If we want Itanium to stay in kernel and it is a burden to other developers, it is fair that we take the burden on us for the time being even if it means overhead from maintaining an out-of-tree patch.”
Breathing a sigh of relief, Frank said, “That is really something. We’ll see where this goes. I always hope for the best. (-:”
So there you have it. From the ashes of doom has arisen the Itanium phoenix once again, breathing fiery life.
This whole thread strikes me as having been a very public misunderstanding that would normally not have occurred. An architecture with users and maintainers does not fall out of the Linux kernel. So it’s interesting for me to see how quickly the situation was addressed and resolved, even granting that there will now be a new onus on the Itanium maintainers to do solid work for a period of time before their code can go back into the official source tree.

Jitter Patches
Herbert Xu ran afoul of Linus Torvalds when he posted an update to the crypto code. In fact it was not a simple patch, but a large collection of patches by many people – a perfectly normal code submission from Herbert – except for one group that caught Linus’s attention. Specifically, these patches dealt with Jitter. Jitter is one of the crypto darlings: It uses the unpredictable microscopic delays between instructions to generate cryptographically secure random numbers. These in turn can be used to do useful things like randomize virtual memory addresses so that attackers are less able to predict where to launch their attacks.
In this case, however, Linus felt that the jitter patches rendered some of the compile-time user configuration questions too hard for users to answer. Linus said:
“This is beyond annoying.
“These are adding Kconfig questions that don’t make sense. The whole jitter thing is debatably useful in the first place, and now you just annoy users with random questions.
“And I mean truly random – the whole jitter entropy is voodoo programming to begin with, and having some crazy 8MB buffer for it is just ridiculous.
“Honestly, this all smells like somebody’s PhD thesis, not a real life thing.
“And no, we don’t make our Kconfig questions more annoying for some PhD thesis.
“We also don’t ask people questions that don’t have valid answers. Just because the whole ‘what is entropy in the first place’ isn’t clear-cut, we don’t then punt some tweaking question to the user.
“We have a very simple and stupid jitter entropy thing AT BOOT TIME just to try to generate some amount of entropy to make boots non-repeatable (see ‘try_to_generate_entropy()’ in drivers/char/random.c).
“Honestly, the whole crypto layer one is ridiculous overkill in the first place, but the annoying new questions have now literally made me consider just removing it entirely.
“Because no, IT IS NOT OK TO ASK CRAZY QUESTIONS. If some developer cannot come up with a reasonable answer, a random user sure as hell cannot.
“And no, any question that says ‘do you want to use 8MB of memory for jitter entropy’ is just batsh*t crazy.
“This kind of crap needs to stop.
“If somebody wants to do this kind of thing, just do it in user space. It’s ridiculously pointless in the kernel.
“Convince me I’m wrong. But there is no way in *hell* you will convince me that we should ask users about some jitter memory sizing. Allocating memory for timing analysis is silly to begin with, since any kernel thing could just use the physical memory mapping we already have in the kernel. I suspect strongly that all this code has been influenced by code running in user space, where it belongs, and where you do need to allocate memory to have it available.
“Please just make this noise go away.”
Herbert replied, “Fair enough. How about adding an EXPERT dependency on this?”
To which Linus grudgingly agreed, saying:
“I think that would help the situation, but I assume the sizing for the jitter buffer is at least partly due to trying to account for cache sizing or similar issues?
“Which really means that I assume any static compile-time answer to that question is always wrong – whether you are an expert or not. Unless you are just building the thing for one particular machine.
“So I do think the problem is deeper than ‘this is a question only for experts’. I definitely don’t think you should ask a regular user (or even a distro kernel package manager). I suspect it’s likely that the question is just wrong in general – because any particular one buffer size for any number of machines simply cannot be the right answer.
“I realize that the commit says ‘*allow* for configuration of memory size’, but I really question the whole approach.
“But yes – hiding these questions from any reasonable normal user is at least a good first step.”
And that was the end of that.
Linus’s attitude toward a lot of security features is one of great skepticism. There seem to be at least two schools of thought. Linus seems to feel that security patches should fix actual security exploits. If there is not a known exploit for something, Linus considers that there is not actually a security problem.
On the other side, various developers seem to believe that some aspects of the kernel present tempting targets for attackers who don’t yet themselves know if there’s an exploitable bug or not, but who will poke and prod the kernel in that area until they find something. These developers advocate, for example, randomizing virtual memory, making it as difficult as possible for any attacker to even know what part of the kernel they might be poking and prodding. They argue that this kind of protection reduces the size of the “attack surface” that an attacker might explore.
It’s an ongoing and nearly religious debate. Linus has shown that he’s willing to compromise and accept patches that reduce attack surfaces, but he has also shown that there are significant limits to what he’ll accept in the absence of an actual known exploitable bug.
Smoke Alarm
An intrusion detection system was once considered too complicated and too expensive for a home network, but nowadays you can use a Raspberry Pi and the Suricata IDS for real-time notice of an incoming attack.
By Markus Stubbig

An intrusion detection system (IDS) works like a smoke detector. It detects a risk, issues a warning, but does not take any further steps to prevent the attack. A full-blown intrusion prevention system (IPS), on the other hand, can take additional steps to stop the attack. However, an IPS is much more elaborate (and often expensive), and it is often overkill for a small home network. For many users on small networks, the notification is the most important part, and an IDS can deliver that notification for far less trouble and a smaller learning curve.
An IDS takes a deep look at the IP packets passing through. If the analyzed content appears suspicious, the system alerts the user. The IDS references a database populated with known attack patterns to decide whether or not a packet contains a possible attack. This makes it similar to a virus scanner, which examines data and compares the data against known patterns.
An IDS is part of the standard equipment at any data center today. At a modern data center, a fast appliance fields data streams from all servers via a multi-gigabit network interface card and reports its discoveries to the network operations team. This might sound like an expensive solution, but the technology can just as easily be applied to home networks.
This article describes how to set up a simple Raspberry Pi or comparable single-board system to act as an IDS. The downsized IDS receives a copy of the incoming packets from the router. You’ll need a router that is capable of capturing and forwarding incoming packets to the Rasp Pi for monitoring purposes. Some routers might include this feature directly. In other cases, you can set up forwarding on the router if it comes with Bash scripting support. The examples in this article are based on a Fritz!Box 7583 router.
Like many Rasp Pi scenarios, the setup presented in this article is more of a life hack than an industrial-strength solution, but it does the job. When you’re finished configuring it, you might find that you know a little more about IDS systems and how they work. One note to keep in mind: You are asking the router to take on additional tasks, which might slow it down, depending on the make and model, but in a low-traffic setting like a home network, you might not notice the difference.

Equipment
The IDS needs compute power for its investigations. You will want to use at least a Raspberry Pi 3B+, or preferably a fourth-generation Rasp Pi model. If you want to try some other mini PC, you’ll need at least 1GB RAM and a dual-core CPU. A recent Raspberry Pi OS or Debian without a graphical user interface is fine as the operating system.
After installing Raspberry Pi OS, the Raspberry Pi no longer needs a local console. You can configure it via SSH. As for the choice of software: Make sure you reduce the power and flash requirements. A 500MB IDS logfile will slow the system down and make it almost unusable. Elasticsearch might be the right choice of back end for large installations, but a lightweight SQLite database is better suited for a Rasp Pi IDS.

Suricata
Suricata [1] is an open source IDS tool that will serve as the foundation for this Rasp Pi IDS. Suricata listens on a network adapter and compares the IP packets passing through with its signature database. If the examined packet matches a signature, Suricata responds with the defined action, which could be, say, firing off an alert. This analysis depends heavily on the quality of the signatures.
You first need to install the Suricata software on the Rasp Pi (Listing 1, line 1). The repository contains a recent version, which is fine for your home IDS. One special thing about

Listing 1: Install and Update Suricata
01 # apt install suricata
02 # sed -i -e 's/interface: eth0/interface: ids0/' /etc/suricata/suricata.yaml
03 # ln -s /var/lib/suricata/rules/suricata.rules /etc/suricata/rules/
04 # suricata-update
05 # systemctl stop suricata
06 [... see Listing 2 ...]
07 # suricata -c /etc/suricata/suricata.yaml -i ids0 -v
08 # systemctl start suricata
Fritz!Box has this feature, it will open up a web page if you type http://fritz.box/html/capture.html in your browser (Figure 2). On the other hand, things look bad if you see a 404 error instead.
Given such a wide choice of interfaces, the question is, which one is the right one? Basically, an IDS examines the packets on the LAN side, as attacks are relatively normal on the WAN side. Accordingly, the right choice is the lan or wifi0 interface.
Inconveniently, the interface has another name internally, and Fritzdump needs the exact notation. If you don’t want to browse the HTML source code, click Start on the web page for the right interface and then look at the download link. The link contains the ifaceorminor parameter in the URL, followed by the name of the selected interface.
Last but not least, you need to mod the script. It’s on GitHub and requires very little customization to fill its new role. Listing 3 shows the installation and customization of the script to the Rasp Pi IDS. In the fritzdump.sh script, you need to enter the interface name from the previous section for the IFACE variable. The sed command from Line 3 removes Ntop NG and replaces it with Tcpreplay, a tool that feeds packets from PCAP files back into the network. When this happens, the packets are routed beyond the dummy interface to Suricata. Since Tcpreplay burns a massive amount of compute power, the nice process management utility slows it down and makes the overall system seem less sluggish.
Once the preparations are complete, you can launch fritzdump.sh and Suricata (lines 5 and 6). The script expects the Fritz!Box username and password as command line arguments. If you log in to your Fritz!Box with a password, the recommended username for the script is dslf-config or fritz3103.
The script immediately starts pushing packets to the dummy NIC. You can use Tcpdump to check whether this is working; the command displays the packets on the terminal (line 7). For Fritzdump to resume its work after a reboot, you need an entry in the /etc/rc.local file before the final exit statement.

Figure 2: If the Fritz!Box offers packet capture, the IDS can sniff and analyze the packets.

Listing 3: Packet Forwarding
01 # apt install tcpreplay
02 # wget https://raw.githubusercontent.com/ntop/ntopng/dev/tools/fritzdump.sh
03 # sed -i -e 's/ntopng.*/nice tcpreplay --mbps 1000 -i ids0 -/' fritzdump.sh
04 # install --mode=755 fritzdump.sh /usr/bin/
05 # fritzdump.sh dslf-config
06 # systemctl restart suricata
07 # tcpdump -nnli ids0

Ruleset
By default, the IDS uses all available signatures, including signatures for protocols that are uncommon on home networks. This means that the IP packet scan goes through an unnecessary number of checks, which in turn slows down the IDS. What’s even worse: Some signatures even complain about unexpected values in the TCP header, bloating the eve.json logfile. This adds about 500MB to the file every day, which is way too much for the Rasp Pi IDS.
As a rule of thumb: Enable only the most important rules, otherwise eve.json will burst at the seams and EveBox will stop responding. But what are the most important rules? You will simply have to try this out, because every home network uses different applications. If a specific alert from Suricata keeps getting posted in the log and the post is irrelevant or for information only, you can add the matching rule or rule group to the exception list. The example from Listing 4 disables three rule groups with purely informational content and then updates the new streamlined signature list.

Listing 4 (tail of the listing as printed)
group:emerging-info.rules
EOF
# suricata-update
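Finding out which rules belong in disable.conf is easier with a quick count of what actually fires on your network. The script below is an added example, not code from the article, from Suricata, or from suricata-update: it reads eve.json records (the sample lines embedded here are constructed, not captured traffic; the signature ids in them are illustrative), tallies alerts per signature id and Suricata severity (1 = high, 3 = low), and prints lines for /etc/suricata/disable.conf that name individual sids, the per-rule form suricata-update accepts alongside the group: form shown in Listing 4. The thresholds min_count and min_severity are assumptions you will want to tune.

```python
"""Tally Suricata eve.json alerts and propose disable.conf entries.

Added example for the Rasp Pi IDS; not the article's or Suricata's own code.
The sample records below are constructed for illustration.
"""
import json
import sys
from typing import Iterable

# Constructed eve.json records, one JSON object per line as Suricata writes
# them. Severity follows Suricata's scale: 1 = high, 2 = medium, 3 = low.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-10T08:15:02.123456+0100","event_type":"alert",'
    '"src_ip":"203.0.113.7","dest_ip":"192.168.178.20","proto":"TCP",'
    '"alert":{"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE '
    'id check returned root","category":"Potentially Bad Traffic","severity":1}}',
    '{"timestamp":"2024-01-10T08:15:10.000000+0100","event_type":"stats",'
    '"stats":{"uptime":120}}',
] + [
    '{"timestamp":"2024-01-10T08:16:%02d.000000+0100","event_type":"alert",'
    '"src_ip":"192.168.178.21","dest_ip":"192.168.178.1","proto":"TCP",'
    '"alert":{"signature_id":2210020,"rev":2,"signature":"SURICATA STREAM '
    'ESTABLISHED packet out of window","category":"Generic Protocol Command '
    'Decode","severity":3}}' % i
    for i in range(3)
] + [
    '{"timestamp":"2024-01-10T08:17:00.0',  # line cut short, e.g. after a power loss
]


def parse_alerts(lines: Iterable[str]) -> list:
    """Keep only alert records; skip stats/flow records and unparsable lines."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # a truncated line must not abort the whole run
        if event.get("event_type") == "alert" and isinstance(event.get("alert"), dict):
            alerts.append(event)
    return alerts


def summarize(alerts: list) -> dict:
    """Map signature id -> {signature, severity, count}."""
    summary = {}
    for event in alerts:
        meta = event["alert"]
        entry = summary.setdefault(meta["signature_id"], {
            "signature": meta.get("signature", "?"),
            "severity": int(meta.get("severity", 3)),
            "count": 0,
        })
        entry["count"] += 1
    return summary


def disable_candidates(summary: dict, min_count: int = 3, min_severity: int = 3) -> list:
    """Sids that are noisy (count >= min_count) and low priority.

    Suricata's severity number grows as importance drops, so the default
    min_severity=3 never proposes a high (1) or medium (2) alert for removal.
    """
    return sorted(sid for sid, e in summary.items()
                  if e["count"] >= min_count and e["severity"] >= min_severity)


def render_disable_conf(sids: list, summary: dict) -> str:
    """disable.conf takes one sid per line; '#' comments record the reason."""
    out = []
    for sid in sids:
        e = summary[sid]
        out.append(f"# {e['signature']}: {e['count']} hits, severity {e['severity']}")
        out.append(str(sid))
    return "\n".join(out) + ("\n" if out else "")


def main(argv) -> None:
    # Default path is where Suricata on the Rasp Pi IDS writes eve.json;
    # pass --sample to run on the constructed records instead.
    if len(argv) > 1 and argv[1] == "--sample":
        summary = summarize(parse_alerts(SAMPLE_EVE_LINES))
    else:
        path = argv[1] if len(argv) > 1 else "/var/log/suricata/eve.json"
        with open(path, encoding="utf-8") as fh:
            summary = summarize(parse_alerts(fh))
    for sid, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{e['count']:6d}  sev {e['severity']}  {sid}  {e['signature']}")
    print("\n# candidate lines for /etc/suricata/disable.conf")
    print(render_disable_conf(disable_candidates(summary), summary), end="")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the live logfile after a day or two of normal use, append the proposed sids to disable.conf, and rerun suricata-update as in Listing 4. Review the comment line on each candidate before committing it; a low-severity rule that fires constantly on one chatty device is noise, but the same rule firing for the first time from an unknown host is exactly the kind of hint an IDS exists to deliver.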
A minimal configuration for the EveBox is shown in Listing 6; you need to store the contents in the /etc/evebox/evebox.yaml file. The values were chosen carefully and are suitable for a Raspberry Pi. After saving the file, you need to tell EveBox to restart by typing systemctl restart evebox. The web page http://pi_ip_here:5636 is ready and will notify you of alerts in the future. Strictly speaking, you will not see the original alerts from Suricata but the list processed by EveBox.

Figure 3: EveBox gives you a graphical view of the alert list from Suricata.
tls:
  enabled: false
host: 0.0.0.0
port: 5636
database:
  type: sqlite
  retention:
    days: 7
input:
  enabled: true
  paths:
    - "/var/log/suricata/eve.json*"

Figure 4: Suricata detects the test website, and EveBox reports the pseudo-alarm.
displays it as GPL ATTACK_RESPONSE id check returned root (Figure 4).

Slimming Down
By default, Suricata stores a huge amount of information and statistics, which bloats the logfiles in next to no time. On top of this, the bloat makes it more difficult for EveBox to find the genuine alerts, and this results in more disk I/O to the flash memory device. A RAM disk can help, but it definitely makes more sense simply not to store the values you don’t need.
To do this, you have to modify the suricata.yaml configuration file. The YAML format uses indentations and reads like an outline, with topics and bullet points. Suricata lists everything intended for the eve.json logfile below outputs in the eve-log subsection. For use on a Raspberry Pi, the recommendation is to comment out all output formats listed in types, or to set them to false, with the exception of alert, anomaly, and drop (Figure 5).
The next savings relate to the signatures. In the previous section, I already ditched three control groups. If EveBox reports more alarms that are false, unnecessary, or simply a nuisance, you can add an entry to the disable.conf file and then update the signature database.
If the Rasp Pi is still sluggish after the cleanup, it makes sense to empty EveBox’s SQLite database in /var/lib/evebox/ or to create a new eve.json in /var/log/suricata/. In both cases, you will need to restart the service using Systemctl.
Last but not least, check the load on the Fritz!Box when the IDS is enabled. Older models might be overtaxed by the continuous PCAP file download, leading to a reduced throughput rate. For example, a Fritz!Box 6591 on a 100Mbit/s cable connection from Vodafone still achieves about 75Mbit/s in the download direction with the home IDS running. Obviously, the upload rate is not affected at all. It is important to weigh up whether security or performance is your priority.
The IDS only works when the Fritzdump and Suricata processes are running. If not, the intrusion detection network is worthless and dangerous IP packets remain undetected. A small monitoring tool like M/Monit [4] can check for the critical processes and restart them if necessary (Listing 7).
A configuration file for all the home IDS’s services is available in the download section for this article [5]. You need to store the monit_ids.conf file in the /etc/monit/conf.d/ directory. M/Monit uses it automatically on restart. If you access the page at http://Ras_Pi_IP:2812, or if you run the monit summary CLI command, your watcher will give you information about the status of the services it is looking after (Figure 6).

Listing 7: Setting Up M/Monit
# apt install monit
# cat <<EOF >> /etc/monit/monitrc
set httpd port 2812 and
    use address 0.0.0.0
    allow admin:monit
EOF
# systemctl restart monit

Figure 5: Modifying the configuration files tells Suricata to ignore less important things, which in turn reduces the load on the Rasp Pi.

Figure 6: The Monit Service Manager monitors the IDS processes and restarts them if necessary.

Evaluating Alerts
EveBox uses color highlighting to show the meaning of a message. Hints are shown in turquoise in the Light Theme, attacks in orange, and critical conditions in red (Figure 3). The dark theme makes it difficult to see the colors; important messages no longer stand out sufficiently. Clicking on the message takes you to the detailed view with all the information that Suricata has recorded. Suricata uses the Severity value to indicate how threatening it considers an alert to be. EveBox uses this numerical value to color highlight the message.
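Monit, as set up in Listing 7 and the downloadable monit_ids.conf, restarts a process that has died, but it cannot tell that a Fritzdump process which is still running has stopped delivering packets (for instance after the router ended the capture session). Suricata then stays up and idle, and no alert ever appears. The script below is an added example, not part of the article or of the Monit project: it samples the Linux packet counters of the dummy interface under /sys/class/net/<iface>/statistics/ twice and exits non-zero when nothing moved in between, so a cron job or a Monit check program stanza can raise an alert for a stalled feed. The interface name ids0, the 30-second window and the choice of summing rx and tx counters are assumptions for illustration.

```python
"""Detect a stalled packet feed into the IDS interface.

Added example; not code from the article. It complements the Monit setup,
which only notices processes that have exited. Packet counters are read
from /sys/class/net/<iface>/statistics/ (Linux). Interface name and window
are assumptions.
"""
import sys
import time
from pathlib import Path
from typing import Callable, Tuple

# tcpreplay writing into a dummy NIC shows up on the tx side, a mirror port
# feeding a real NIC on the rx side; summing both covers either setup.
COUNTERS = ("rx_packets", "tx_packets")


def read_sysfs_counter(iface: str, name: str) -> int:
    """Read one packet counter from sysfs (raises FileNotFoundError if absent)."""
    return int(Path("/sys/class/net", iface, "statistics", name).read_text().strip())


def sample_counters(iface: str,
                    reader: Callable[[str, str], int] = read_sysfs_counter) -> int:
    """Total packets seen on iface so far; 'reader' is injectable for testing."""
    return sum(reader(iface, name) for name in COUNTERS)


def feed_is_flowing(before: int, after: int, min_packets: int = 1) -> bool:
    """True if at least min_packets were counted between the two samples.

    A counter that went backwards means the interface was re-created (reboot
    or 'ip link' reload); treat that as flowing, since it is evidently in use.
    """
    return after < before or (after - before) >= min_packets


def check_feed(iface: str, window_s: float,
               reader: Callable[[str, str], int] = read_sysfs_counter,
               sleep: Callable[[float], None] = time.sleep) -> Tuple[bool, int]:
    """Sample twice, window_s apart; return (flowing, packets_in_window)."""
    before = sample_counters(iface, reader)
    sleep(window_s)
    after = sample_counters(iface, reader)
    return feed_is_flowing(before, after), max(after - before, 0)


def main(argv) -> int:
    iface = argv[1] if len(argv) > 1 else "ids0"       # assumed dummy NIC name
    window = float(argv[2]) if len(argv) > 2 else 30.0  # assumed sampling window
    try:
        ok, seen = check_feed(iface, window)
    except FileNotFoundError:
        print(f"{iface}: interface not present", file=sys.stderr)
        return 2
    print(f"{iface}: {seen} packets in {window:g}s -> {'ok' if ok else 'STALLED'}")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Exit status 1 means the interface saw no packet during the window and 2 means the interface does not exist at all; both are worth an alert, because in either case Suricata is analyzing nothing. Wired into Monit with a check program stanza that tests for a non-zero status, the script turns the article's "the IDS only works when Fritzdump and Suricata are running" into something Monit can actually verify rather than infer from a process list. On a quiet home network choose the window long enough that ordinary background traffic (DNS, NTP, the router's own chatter) reliably produces at least one packet.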
Peppermint OS
Peppermint OS promotes user choice every step of the way. Bruce talks to Peppermint OS
about how the project has evolved over more than a decade. By Bruce Byfield
Few distributions have had the ups and downs of Peppermint OS [1] (Figure 1). Founded in 2010 during a pub discussion in North Carolina, Peppermint OS enjoyed initial success only to decline after the death of one of its founders. A few years ago, the project had shrunk to a single maintainer, but the last few years have seen a resurgence of effort with the development of a closely knit and active community.
Throughout its history, though, Peppermint’s releases have shown several points of continuity. Its source has always been a Debian derivative – currently, Debian and Devuan. In addition, it has always had a minimal installation in which standard apps such as LibreOffice are not included by default. Instead, a variety of options are offered including six different web browsers (Figure 2), a choice of init tools, and a selection of Snap, Flatpak, and AppImage packages repositories. At every point user choice is stressed – for instance, which LibreOffice modules to install – even though the space saved is minimal. As a bonus, Peppermint OS’s security is enhanced, because users know exactly what is installed. The result is one of the fastest distributions I have installed, aided by the default Xfce desktop and extensive use of Qt for development.
Peppermint began with the goal of producing a hybrid of desktop and cloud services. That goal is most obvious in its site-specific browsers (SSBs) [2], which

Lead Image © pixelrobot, 123RF.com
desktops. What does it borrow from Tommy: Peppermint does have a struc- has been to provide maximum choice
each? What is original with ture, with a project lead, a spokesman, a where acceptable – in other words, not so
Peppermint? webmaster, and a group of core develop- minimum that lots of time is consumed to
ers. Features, issues, and direction are build the system, and not so many pack-
cavy: Originally Peppermint was a mini openly discussed in the community on ages that a user is losing time undoing
LXDE. Later when the LXDE team left many occasions, but mainly with the the things we implemented. There are not
to join the LXQt team, it was left in a core team. Sometimes things are voted really too many distributions out there
dormant state, with little being done to on for decisions. If agreements cannot be that give a user that nice in-between; they
it between 2015 and 2020. PCNetSpec met, compromises are proposed to help either focus solely on new users or solely
introduced various Xfce, MATE, and meet that middle ground. on the veteran user.
Cinnamon components in an attempt to Really, Peppermint is not just a desk-
prolong the LXDE base and created what cavy: Even with all the good will in the top distro at all. It is a starting point for
became our signature custom look for world, being a benign dictator is the what the user needs, be it desktop or
Peppermint. Today, apart from the trib- only course of action. server – not too much stuff installed
ute to PCNetSpec in February 2022 with where time is lost removing things but
the custom component of the Nemo file LM: Who is the target audience? just enough stuff to generally have a
manager, we have reverted to a full plug-and-play working system to get
blown Xfce. Tommy & cavy: Anyone who has an in- them going.
terest in wanting a choice of how they We value choice. The user should
LM: How is Peppermint OS associated with the Portuguese distribution AcorOS [3]?

Tommy & cavy: Manuel Rosa is a part of the Peppermint team as well as the project lead for AcorOS. Peppermint has a concept of choice as the value that we provide. Therefore, the things that we ship with sometimes do not fully fit that out-of-the-box experience that some users may want. AcorOS fills that missing link, due to its focus on an out-of-the-box fully functional experience, with preinstalled applications, configurations, and settings that some users may prefer. In many ways our build processes are similar enough that we are able to work together and help each other's communities, as well as collaborate with ideas and testing.

LM: How is Peppermint organized? How are decisions made?

equip their computer, like the option of either a systemd or a non-systemd-init OS.

LM: Why should users try Peppermint OS?

cavy: It is intuitive and straightforward to use. It puts you in control of what goes into your computer.

LM: Can you provide any stats about the distro, such as the number of downloads or commits?

cavy: Peppermint OS averages approximately over 20,000 downloads per month, with 60,775 in the last three months, from September 5 to December 3, 2023.

LM: Is there a future roadmap?

Tommy: The goal from the beginning in the transition from Ubuntu to Debian
be able to do the following with general ease:
• Use Peppermint as a server system if they want. We are currently working to help users deploy Peppermint as a server environment.
• Use Peppermint as a desktop and build it with ease to the user's specs.
• Spin their version of Peppermint using the ISO build tools we have.
• Choose init systems, hence the Devuan spin.
We believe that these principles will help Peppermint OS's community grow and continue as we roll into the future.

Info
[1] Peppermint OS: https://peppermintos.com/
[2] SSBs: https://en.wikipedia.org/wiki/Site-specific_browser
[3] AcorOS: https://sourceforge.net/projects/acor-os/files/AcorOS-6.0/
REVIEW
Organizational Tools
Get Organized
If you need help staying organized, Linux does not let you down with its large collection of organization and scheduling tools. By Erik Bärwaldt

Planning tools for the desktop have long since replaced the diary-style organizers that were often given away as promos in
schedulers integrated into email clients.

Features
The basic functions of an appointment scheduler include a daily, weekly, and monthly overview, where you can enter important dates. It should also be possible to set the time and duration of the event if needed. In addition, most organizers include some kind of reminder function that draws your attention to upcoming appointments.
The tools in this review are also capable of organizing individual events in the scope of projects, which can consist of several sub-projects (in a tree view). All of the dialog boxes appear in separate tabs, and the tab structure extends to two lines if there are many active lists. On the left side of the menubar, the Action item reflects the functions of the buttonbar. This is followed by the Options dialog for settings. Categories lets you assign the appointments to different

the java -version command in a terminal window will tell you if this is the case. If no detailed version information appears, you first need to add a Java runtime to the system using your distribution's package manager.
Download the BORG ZIP package from the project page on GitHub and unzip it. Next, change to the newly created application directory and either run the ./run_borg.sh script at the prompt or launch the application by typing

java -jar borg.jar
is shown there whenever the computer is rebooted. Reminders appear as pop-ups on the desktop, while a mouse click on the calendar icon in the system tray displays a separate window with a list of reminders reflecting your configuration. Right-clicking on the icon opens a small settings window that helps you customize the icon functions.
The main program window cannot be dragged from the system tray to the desktop. If you have closed the window, it can only be called up again using the desktop menu.

Figure 5: Filling out the schedule improves the task overview.

KOrganizer
KOrganizer [3] is the KDE Plasma Desktop's calendar application. You can use the application with other desktop environments, too, but KOrganizer accesses other KDE Plasma Desktop applications that may not be available on other desktops.
The KOrganizer window seems a little cluttered. At first glance, you will note that KOrganizer is not just a calendar application, but a complete organizer for several users. This explains why the program window has an extensive menubar and a buttonbar with just as much detail below it for quick access to the most important functions. On the left, there is a monthly overview consisting of three or four tiles arranged vertically. Below, in a free area, you can see the details of the appointments you added and a list of the active categories. On the right side, KOrganizer displays the actual calendar. By default, the software shows you the upcoming week, but you can change the view to other time spans (Figure 6).
The New Event button opens a window to let you save an event. In addition to name, location, and time information, an event record includes other important details, such as a field for free text entry. You can also define keywords to help you find the entry again. In the lower area there are several configuration fields in an integrated tab structure, where you can specify whether the appointment repeats and add reminders. Enter additional participants in a separate tab. However, you can only use this option if KDE Plasma is installed, along with any specific programs you wish to reference. If you want to link content to the appointment, use the Attachments tab to link documents from external and local sources or embed files in the dialog (Figure 7). A click on OK confirms the entry.
To manage your appointments, just right-click on the desired calendar entry. You can then edit or delete the entry via the context menu and print the entry or enable the reminder function. To remove past appointments in a single step, you can call the matching command in the File menu.

Figure 6: KOrganizer offers very sophisticated functionality.
Info
[1] BORG Calendar: https://github.com/mikeberger/borg_calendar
[2] Gnome Calendar: https://apps.gnome.org/app/org.gnome.Calendar/
[3] KOrganizer: https://apps.kde.org/en-gb/korganizer/
[4] Osmo: https://osmo-pim.sourceforge.net/

Author
Erik Bärwaldt is a self-employed IT admin and technical author living in the United Kingdom. He writes for several IT magazines.

Figure 9: The entry dialog for appointments in Osmo is limited to the bare essentials.
Osmo lets you import and export data and can be combined with other similar applications. You can export appointments by opening a file manager in Tasks | Export tasks and specifying the file name and path. The application converts the data to ICS format before storing it in the target path.
Contacts can also be imported and exported. When importing, use a file manager to select the desired file in CSV format. To let you export a file, the application opens a separate dialog, where you not only enter the name and path for the file to be converted, but also select the data fields you want Osmo to include in the file. Then Export the file to CSV, XHTML, or VCF format.

Table 1: Graphical Scheduler Features
Feature | BORG | Gnome Calendar | KOrganizer | Osmo
License | GPLv2 | GPLv3 | GPLv2 | GPLv2
Different calendar views | + | + | + | +
Categorization of appointments | + | Restrictions | + | +
Data import | + | – | + | +
Data export | + | – | + | +
Notes for tasks | + | + | + | +
To-do lists | + | – | – | –
Synchronization function | + | – | – | –
Optical reminder | + | + | + | +
Audible reminder | + | + | + | +
Variable reminder intervals | + | + | + | +
Data encryption | + | – | – | +
Data backup | + | – | Restrictions | +
File attachments | + | + | + | –
Search function (appointments/terms) | + | + | + | +

Conclusions
As Table 1 demonstrates, the graphical schedulers available for Linux serve quite different needs. If you are only looking for a simple appointment management tool without additional features, Gnome Calendar is a good choice.
In terms of functionality, Osmo is a little more sophisticated. This distribution-independent tool's interface is very appealing, and the calendar offers contact management and a notes area for free text entries linked to the appointments.
KOrganizer and BORG Calendar are suitable for professional groupware connections, which is why they come with many additional features. Both of these tools can send emails and add multiple participants to appointments; both are useful as rudimentary project planners thanks to their categorization functions. On the downside,

Figure 10: In a separate view, you can also see details of appointments in Osmo.
Cheat Sheet
A simplified alternative to man pages, tldr provides the most common command options at a glance. By Bruce Byfield

Too long; didn't read (TL;DR) is a flippant Internet acronym for a summary that first came into use about a decade ago. It seems to be falling out of fashion but survives in tldr, the newest command and format for computer documentation. It is far from the first documentation command, but it fills a niche as a cheat sheet for the most common options for commands.
The most common documentation format, of course, is the man page, which dates back to 1971 (Figure 1). Man pages cover commands, libraries, and configuration files, usually aiming for an encyclopedia-like summary of their topics. One great advantage is that the pages are highly organized, arranged in nine sections ranging from user commands and system calls to system administration calls, kernel routines, and daemons. Each page presents information in a rigid format divided into further sections (see Table 1), although not all sections are mandatory. The Examples, Notes, and Bugs sections, for example, are frequently omitted. This consistent structure compensates for the often overwhelming detail of some man pages, which can be over 1,000 lines long.
Table 1: Man Page Sections
NAME
SYNOPSIS
CONFIGURATION
DESCRIPTION
OPTIONS
EXIT STATUS
RETURN VALUE
ERRORS
ENVIRONMENT
FILES
VERSIONS
CONFORMING TO
NOTES
BUGS
EXAMPLES
AUTHORS
SEE ALSO

GNU projects provide Info pages that have a similar purpose to man pages and often use more user-friendly language. However, they can be less structured and concise and have not caught on nearly as much. In fact, even GNU projects often maintain both formats. The main advantage of Info pages is that they can be read in Emacs using a mouse.
Less common but useful in their own way are whatis, which returns a one-sentence definition of a command, and apropos, which lists commands with similar functions. Similar to whatis, tldr provides documentation closer to GNU Info and man pages in the amount of detail given.

Using tldr as a Reference
Created by Romain Prieto in 2013, tldr became one of the most popular projects on GitHub by 2015. It received large boosts in such a short period as to suggest an organized promotional campaign. Whatever the case, the project has remained popular ever since, and the command is now readily available in many distributions. It is also available for Android, macOS, SunOS, and Windows.
When used for the first time, tldr uses online pages, resulting in a noticeable lapse before results are displayed. However, the option --update (-u), with an optional LOCALE at the end, creates a local cache in the current account at .local/share/tldr. The same option can be used to update the cache periodically with

--auto-update-interval DAYS

With --platform (-p) PLATFORM, an operating system's pages can be specified, but in practice this is rarely needed. By default, results are printed in color, but the color can be turned off with --no-colors. Help is available as a summary from the bare command, from tldr's own tldr page, or – ironically – from a man page.

Writing tldr Pages
Like man, tldr benefits from a well-defined structure (Figure 2). However, tldr's structure is much simpler, making it clear that tldr is a supplement to man, not a replacement. Only commands are included in the pages, with only the most common use cases for each command.
Contributors wishing to set up a tldr page are encouraged to use the following guidelines from the tldr GitHub page [2]:
"1. Try to keep pages at around 5 examples. Pages can be longer or shorter when appropriate, but don't exceed 8 examples. Remember, it's OK if the page doesn't cover everything; that's what man is for.
"2. When in doubt, keep new command-line users in mind. Err on the side of clarity rather than terseness. For example, commands that require sudo should include it directly in the examples.
"3. Try to incorporate the spelled-out version of single-letter options in the example's description. The goal is to allow people to understand the syntax of the commands, not just memorize it.
"4. Introduce options gradually, starting with the simplest command invocations, and using more complex examples progressively.
"5. Focus on details specific to the command, and avoid explaining general Unix concepts that could apply to any command (ex: relative/absolute paths, glob patterns/wildcards, special character escaping, ...)."
In addition, more complex commands may be broken into subcommands, such as git-commit and git-push (Figure 3). These divisions should be listed on the base page. Also, inclusive language is preferred – for instance, denylist/allowlist instead of blacklist/whitelist. The default language is English, although other languages are encouraged.
Because tldr is written in Markdown, the page structure is easy to learn – a necessity for a project that depends so heavily on outside contributions (Figure 4). Input is done by lines. General information can simply be entered as a line. Specific types of lines are identified by their first character (Table 2), just as an initial # indicates a comment in a text file. These lines are entered in an order that is checked when a page is submitted for approval.

Figure 2: While much simpler than a man page, tldr offers a well-defined structure.
Figure 3: More complex commands are broken into subcommands on their base pages.

Table 2: tldr Syntax
Character | Line Type
# | The name of the command. Alternatively, the first line that is not an example.
> | Other information including a general description (one to two lines long) and a link to additional information – often but not always to a man page.
- | An example followed by a general line that gives the example. Up to eight examples can be included, with the most common use cases first.

The Limits of tldr
It is important not to expect too much from tldr. The command is not a replacement for man or GNU Info so much as a quick reference guide. Just like many desktop applications, it makes no attempt to cover every option. In fact, with complicated commands, it can be less useful than a man or Info page, becoming cumbersome, even with base pages. Moreover, in some cases, a tldr page can sometimes appear at first glance as obscure as the command structure at the top of a man page. Some might also dislike the lack of developer credit, both because credit is the traditional reward for writing free software and for the practical reason that a developer's credit can be handy for those who want more detailed information or to file a bug.
Despite these limitations, tldr fills a niche that was previously empty. Sometimes, what users need is only a quick reminder that takes them away from their work for the least time possible. When that happens, tldr is the command to use.

Figure 4: The template for tldr pages.

Info
[1] tldr: https://github.com/tldr-pages
[2] Guidelines: https://github.com/tldr-pages/tldr/blob/main/CONTRIBUTING.md
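As an added example of the page structure described above (my code, not a tool from the tldr project), the following Python function checks a page against the line types in Table 2 and the example limit from guideline 1. The page it runs on is constructed for this example, and zoneaudit is a made-up command name; the layout assumed (an example's description line ending in a colon, followed by the command in backticks) is the one the tldr template uses.

```python
"""Minimal structure check for a tldr page (added example, not the tldr
project's own linter). Validates the first-character line types from
Table 2 and the "don't exceed 8 examples" guideline."""

# Constructed sample page; "zoneaudit" is a made-up command name.
SAMPLE_PAGE = """\
# zoneaudit

> Check a DNS zone file for stale records (constructed command for this example).
> More information: <https://example.com/zoneaudit>.

- Audit a zone file:

`zoneaudit {{path/to/zone.db}}`

- Audit and print the result as JSON:

`zoneaudit --json {{path/to/zone.db}}`
"""

# Constructed page that breaks guideline 1 (nine examples).
OVERLONG_PAGE = "# many\n\n> Too many examples.\n\n" + "".join(
    f"- Example {k}:\n\n`many --opt{k}`\n\n" for k in range(9)
)


def validate_tldr_page(text, max_examples=8):
    """Return a list of problems; an empty list means the page passes."""
    lines = [line.rstrip() for line in text.splitlines()]
    nonblank = [line for line in lines if line.strip()]
    problems = []

    # Line type '#': the command name must come first.
    if not nonblank or not nonblank[0].startswith("# "):
        problems.append("first line must be '# <command>'")
    # Line type '>': at least one description line.
    if not any(line.startswith("> ") for line in nonblank):
        problems.append("missing '> ' description line")

    # Line type '-': each example description is followed by a backticked command.
    examples = 0
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("- "):
            examples += 1
            if not line.endswith(":"):
                problems.append(f"example {examples}: description must end with ':'")
            j = i + 1
            while j < len(lines) and not lines[j].strip():
                j += 1  # skip the blank line between description and command
            if (j < len(lines) and lines[j].startswith("`")
                    and lines[j].endswith("`") and len(lines[j]) > 2):
                i = j  # consume the command line
            else:
                problems.append(f"example {examples}: missing backticked command line")
        elif line.strip() and line[0] not in "#>`":
            problems.append(f"unrecognized line type: {line!r}")
        i += 1

    if examples == 0:
        problems.append("page has no examples")
    elif examples > max_examples:
        problems.append(f"{examples} examples exceed the limit of {max_examples}")
    return problems


if __name__ == "__main__":
    for name, page in (("SAMPLE_PAGE", SAMPLE_PAGE), ("OVERLONG_PAGE", OVERLONG_PAGE)):
        print(name, validate_tldr_page(page) or "OK")
```

The check is deliberately limited to what Table 2 and guideline 1 state; it does not attempt the style rules (spelled-out options, sudo in examples) that need a human reviewer.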
Attackers can use poorly maintained DNS records to gain access to your IP address. The open source DNS Reaper lets you monitor your records to ward off attacks. By Matthias Wübbeling
Photo by cdd20 on Unsplash

The Domain Name System (DNS), comparable to an address book, forms the backbone of today's communication on the Internet. With IPv4, IT administrators could memorize their most important servers' IPv4 addresses, but there is no alternative to DNS with IPv6. In this article, I will show you how attackers exploit old DNS records to hijack parts of your domain, as well as show you how to protect yourself against these attacks.
DNS is divided into zones (a portion of the DNS namespace) managed by individual organizations or administrations. New entries are quickly created, and many projects sometimes result in very large zone files. Often, remnants of test setups or projects will remain in a zone even after they are no longer in use. Combine this with external services, such as external hosting or cloud service providers, and outdated entries can become dangerous.

Subdomain Hijacking
A simple example involves an A or AAAA entry from a subdomain on a cloud provider's IP address. When a project ends, all paid services are canceled with no further access to the cloud server. If this DNS entry does not result in explicit costs, users often simply forget to delete the entry. Because the entry still points to the provider's IP address, this entry becomes a dangling record – at least as long as the resource is not accessible. If a potential attacker gets the newly freed IP address for their server, the address can also be reached through your company's subdomain, but the services or content offered at the IP address are no longer under your control.
If you rely on cloud providers for your projects' resources, your subdomains will come from the provider's zone. A generic domain such as xyz.example.com is then made available to let you access your files. Of course, you could now resolve the IP address and add it as an A record for cloud.linux-magazine.com to your DNS. However, cloud providers usually operate a content delivery network (CDN), so your file is usually accessible from multiple IP addresses, and these addresses can change.
To avoid dealing with these underlying provider-side infrastructure changes, it makes sense not to use A records. Instead, you can use a CNAME record that points directly to xyz.example.com. Much like a shortcut on a filesystem, this changes the name resolution for your subdomain when the entries for xyz.example.com change. By doing this, you can still benefit from the dynamics offered by your cloud provider without having to worry about name resolution yourself. When you use your own domain name, you will not even notice the difference, because the resolving name server takes care of everything and simply returns the IP address that you need to access the files.

Name Assignments in the Cloud
Your data in the cloud is stored alongside data from your provider's other customers. The provider evaluates the hostname transmitted in the request in order to determine what information needs to be delivered when the data is accessed. However, this hostname is no longer xyz.example.com but the name of your subdomain, which resolves to the IP address of xyz.example.com thanks to the CNAME record.
Once you have finished the project and released the resources from the cloud, the assignment to your subdomain also disappears from the provider's system. Access is now no longer possible using the hostnames from your subdomain. In many cases, however, the admin responsible for the DNS zone is not notified, and the CNAME record continues to exist – your provider's xyz subdomain is so long and random that it would probably never be assigned to anyone a second time.
If an attacker sees that you connect to your cloud provider via your domain's CNAME record (e.g., by assigning the IP address resolved by your subdomain to your provider), the attacker could attempt to store the hostnames originally used in your company's subdomain under the attacker's account with the same provider. Depending on your provider, checks may not be performed to ascertain whether use of the stored name is actually legitimate. In addition, the name can only be used if a CNAME record is stored for it in DNS.

Rebound Attack
While the attacker will not get the same subdomain xyz.example.com as you did for your projects, it could be something like zyx. In fact, a real A record for your xyz entry in your provider's DNS zone has never existed. Instead, wildcards (*.example.com) simply resolve all the requested subdomains to the available IP addresses in your provider's CDN. Your provider handles the actual assignment to the data via the hostname supplied with the request – and this hostname is now stored under the attacker's account.
With the data available in the attacker's project, which can be accessed through your company's domain, the attacker can now disseminate information claiming to be your company. They can also specifically attack your company or your customers, for example, by embedding manipulated content from this domain via a vulnerability in a web application. By using your subdomain, the same-origin policies of modern web browsers may allow active content to be executed in the context of your website.
In addition to attacks based on stored files, the same techniques can be used for access by other services. CNAME records can be created for any type of server, including the names of name server (NS) or mail exchange (MX) records. Armed with these, an attacker can then control an entire subdomain or use one of your company's subdomains to send and receive email.

Taking Countermeasures
In an ideal world, the DNS zone's administrators would immediately be notified upon completion of a project and subsequently would remove the CNAME record, ensuring these attacks couldn't happen. Unfortunately, this sometimes does not happen in real life. On a positive note, there are a number of tools to help admins to check active and passive DNS entries.
Punk Security's DNS Reaper [1], an actively maintained open source tool, is one such solution. You can download DNS Reaper from GitHub and install it on your system. Punk Security also offers a pre-built image for use in a Docker container, which lets you use DNS Reaper directly without managing the runtime environment and any dependencies yourself. To view DNS Reaper's options and download the Docker image, simply use the following command:

docker run -ti --rm punksecurity/dnsreaper --help

You can use the output to get oriented and identify potential arguments for your use case. Of course, DNS Reaper needs a way to check all the existing entries in your zone. A black box check (i.e., without further knowledge of your DNS zone's structure) is not possible. While there are techniques to determine different entries in the DNS, applying them will not give you all of the existing entries.
For a comprehensive check, your best bet is to export your entire zone from the DNS server and make it available to DNS Reaper. If this is available in a BIND DNS compatible format, the software can use it directly. To use a zone file named domain.zone in the Docker container, you need to mount it as a volume in the image. You can then start it using the following command:

docker run -it --rm -v ./domain.zone:/domain.zone punksecurity/dnsreaper bind --bind-zone-file /domain.zone

Alternatively, you can also use providers supported by DNS Reaper, such as AWS or Azure, by passing in your access credentials with the call. Transferring the zone directly from a DNS server is also possible, but this requires intervention in the server's configuration to allow a zone transfer.

Conclusions
Poorly maintained DNS records are more dangerous than they might appear at first glance. Attackers can use dangling records to run attacks that look like they originated in your organization. DNS Reaper helps you monitor your DNS records to protect against attackers.

Info
[1] DNS Reaper: https://github.com/punk-security/dnsReaper
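As an added, defender-side illustration of the audit this article describes (example code written for this page, not DNS Reaper's implementation), the following Python script parses the A, AAAA, and CNAME records of a BIND-style zone export and flags CNAMEs whose external target no longer resolves. The zone, the provider hostnames, and the resolver view are all constructed for the example; the resolver is injected so the script runs offline, and live_resolves() is included for a real check against your own zone.

```python
"""Dangling-CNAME audit over a BIND-style zone file (added example).

Not DNS Reaper's code: a minimal stand-in that shows the check the
article describes. The zone and the provider view below are constructed.
"""
import socket

# Constructed sample zone; none of these names belong to a real project.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@            IN SOA   ns1.example.com. hostmaster.example.com. (2024020101 3600 900 604800 86400)
@            IN NS    ns1.example.com.
ns1          IN A     192.0.2.1
www          IN A     192.0.2.10
cloud        IN CNAME xyz.cloudprovider.example.            ; project still running
oldproject   IN CNAME abc123-retired.cloudprovider.example. ; project ended, record forgotten
legacy-api   IN A     198.51.100.7
"""

# Constructed view of the provider's DNS: the names that still resolve there.
PROVIDER_ACTIVE_NAMES = {"xyz.cloudprovider.example."}


def _fqdn(name, origin):
    """Expand a zone-file owner or target name to a fully qualified name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text):
    """Return (owner, type, rdata) for A/AAAA/CNAME records, owners as FQDNs.

    Handles $ORIGIN, comments, and optional TTL/class fields. Assumes one
    record per line with an explicit owner name, which is enough for a
    plain zone export; multi-line records and blank owners are not handled.
    """
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                 # $TTL and other directives
            continue
        tokens = line.split()
        owner = tokens.pop(0)
        if tokens and tokens[0].isdigit():       # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN": # optional class
            tokens.pop(0)
        if len(tokens) < 2:
            continue
        rtype = tokens[0].upper()
        if rtype not in ("A", "AAAA", "CNAME"):
            continue
        rdata = tokens[1]
        if rtype == "CNAME":
            rdata = _fqdn(rdata, origin)
        records.append((_fqdn(owner, origin), rtype, rdata))
    return records


def external_cnames(records, origin):
    """CNAMEs pointing outside the zone: the records to review first, because
    a provider wildcard makes their targets resolve even after the project is gone."""
    return [(o, t) for o, r, t in records
            if r == "CNAME" and t != origin and not t.endswith("." + origin)]


def find_dangling_cnames(records, resolves):
    """Return (owner, target) for CNAMEs whose target does not resolve.

    `resolves(fqdn) -> bool` is injected: pass live_resolves for a real
    check or a constructed view as below. A resolving target is only a
    weak sign that the name is still yours (see external_cnames).
    """
    return [(o, t) for o, r, t in records if r == "CNAME" and not resolves(t)]


def live_resolves(fqdn):
    """Real resolver check (needs network access)."""
    try:
        socket.getaddrinfo(fqdn.rstrip("."), None)
        return True
    except socket.gaierror:
        return False


def sample_resolves(fqdn):
    """Offline stand-in for the provider's DNS, using the constructed view."""
    return fqdn in PROVIDER_ACTIVE_NAMES


def audit(zone_text=SAMPLE_ZONE, resolves=sample_resolves):
    """Parse the zone and return its dangling CNAMEs."""
    return find_dangling_cnames(parse_zone(zone_text), resolves)


if __name__ == "__main__":
    for owner, target in audit():
        print(f"dangling CNAME: {owner} -> {target}")
```

Run against a real export, replace SAMPLE_ZONE with the file contents and pass live_resolves; treat the external_cnames() list as the review queue even when every target resolves, since that is exactly the wildcard situation the Rebound Attack section describes.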
Hunting and Gathering
Cyberattacks often start with preliminary research on network assets and the people who use them. We'll show you some of the tools attackers use to get information. By Chris Binnie
Photo by Goh Rhy Yan on Unsplash

When sizing up potential targets, attackers try to get as much information as possible without raising any alarms. The ability to passively research the details of online resources and their associated humans has never been easier. If you're wondering what kind of information about you and your network is available online right now, the best way to find out is to look for it yourself.
This article examines some online services that tabulate known information on users and websites. Some of these services use information that is freely available through online sources; others delve into the dark web to find data that has turned up in security breaches. For privacy, and in order to demonstrate richer examples, identifying information in the output of the tools described in

Certifiable
A few years ago, the mighty Google announced [1] that it was putting more weight on websites running HTTPS, as opposed to the unencrypted HTTP alternative, for its search engine indexing results. Google stated authoritatively (as the main player in the search space): "Browsing the web should be a private experience between the user and the website and must not be subject to eavesdropping, man-in-the-middle attacks, or data modification." And, while this announcement provided an excellent incentive for website owners to move to solely using HTTPS, it had an unwelcome side effect that made life a little easier for attackers. Attackers soon realized that, if each website uses HTTPS, the SSL certificates (now TLS certificates) for every website could be captured and scrutinized. Unlike a simple DNS entry, certificates hold much more information.
The first online tool that I will look at is called crt.sh. The crt.sh service [2], which is run by the certificate company Sectigo Limited [3], maintains a massive database of certificates that were discovered on websites (and potentially other services). Its splash page [2] tempts users with broad search criteria: "Enter an Identity (Domain Name, Organization Name, etc), a Certificate Fingerprint (SHA-1 or SHA-256), or a crt.sh ID."
In other words, it is possible to search for companies (not just domain names), as well as by certificate fingerprints and other criteria. There are also a number of advanced search options that I'd recommend testing. It is possible to automate usage of the tool by passing the search query directly to the main URL, such as:

https://crt.sh/?q=domain.tld

Figure 1 shows an example of a search. For a relatively quiet website, there's lots of information available for an attacker. It is immediately obvious that over the years, the site used a variety of certificate providers, including Let's Encrypt, DigiCert, and RapidSSL.
The wealth of information available just from the abbreviated output in Figure 1 would surprise most crt.sh users. Click on a link on the right side of Figure 1, and you'll see a tiny sample of what is known, including information on which applications can make use of the certificate authority (Figure 2).
Back to the results in Figure 1, the column entitled Common Name provides a plethora of information that just keeps on giving. The field reports hundreds, maybe thousands, of hostnames that certificates have supported over the years, along with timestamps to check for the likely status. These hostnames could include valuable information on the domain path, such as accounts.domain.com or mail3.domain.org.
Each of these fully qualified names presents an attack surface that you can extract from crt.sh. I'd encourage you to try tools like this yourself to see if your website has publicly leaked any unwelcome information.

Figure 1: This website has used a number of different certificates.
Figure 2: There's a lot of information stored at crt.sh.
Figure 3: A redacted example of DNSDumpster in action.
Figure 4: DNSDumpster offers clever visualizations.
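To show what a defender can do with the same crt.sh data for their own domain, here is an added Python example (written for this page, not taken from the article or from crt.sh) that turns certificate rows into a hostname inventory and singles out names that only ever appeared on now-expired certificates, the usual sign of a decommissioned host whose DNS records deserve a look. It assumes the rows have the shape crt.sh returns when output=json is appended to the query URL (a parameter crt.sh supports but the article does not mention; the field names are as I know them and are an assumption here). The rows are constructed for the example, and the reference date is fixed so the result is reproducible offline.

```python
"""Hostname inventory from crt.sh-style certificate rows (added example).

The rows below are constructed. On a live run they would come from
crtsh_query_url(domain), the JSON variant of the query URL the article
shows; the field names used (issuer_name, name_value, not_after) are
assumed to match crt.sh's JSON output.
"""
import json
from datetime import datetime
from urllib.parse import quote

# Constructed "today" so the active/expired split is reproducible.
REFERENCE_DATE = datetime(2024, 2, 1)

# Constructed sample rows; issuers, names and dates are made up for this example.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "O=Example CA One",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"id": 2, "issuer_name": "O=Example CA Two",
     "common_name": "accounts.example.com",
     "name_value": "accounts.example.com",
     "not_before": "2019-03-01T00:00:00", "not_after": "2020-03-01T23:59:59"},
    {"id": 3, "issuer_name": "O=Example CA One",
     "common_name": "mail3.example.com",
     "name_value": "mail3.example.com\n*.example.com",
     "not_before": "2023-12-01T00:00:00", "not_after": "2024-02-29T23:59:59"},
])


def crtsh_query_url(domain):
    """JSON query for every certificate naming a host under `domain`
    ('%' is crt.sh's wildcard, so it must be percent-encoded)."""
    return f"https://crt.sh/?q={quote('%.' + domain)}&output=json"


def inventory(rows, now):
    """Map each hostname seen in any certificate to its issuers, its latest
    expiry, and whether an unexpired certificate still covers it."""
    inv = {}
    for row in rows:
        expiry = datetime.fromisoformat(row["not_after"])
        for name in row["name_value"].split("\n"):   # one SAN per line
            name = name.strip().lower()
            if not name:
                continue
            entry = inv.setdefault(name, {"issuers": set(), "latest_expiry": expiry})
            entry["issuers"].add(row["issuer_name"])
            entry["latest_expiry"] = max(entry["latest_expiry"], expiry)
    for entry in inv.values():
        entry["active"] = entry["latest_expiry"] >= now
    return inv


def historical_only(inv):
    """Hostnames whose every known certificate has expired: candidates for
    decommissioned hosts whose DNS records may still be lying around."""
    return sorted(n for n, e in inv.items() if not e["active"])


def wildcards(inv):
    """Wildcard names: a single certificate that covers every subdomain."""
    return sorted(n for n in inv if n.startswith("*."))


def report(rows_json=SAMPLE_CRTSH_JSON, now=REFERENCE_DATE):
    """Summarize what the certificate transparency data says about a domain."""
    inv = inventory(json.loads(rows_json), now)
    return {
        "hosts": sorted(inv),
        "historical_only": historical_only(inv),
        "wildcards": wildcards(inv),
        "issuers": sorted({i for e in inv.values() for i in e["issuers"]}),
    }


if __name__ == "__main__":
    print(crtsh_query_url("example.com"))
    for key, value in report().items():
        print(f"{key}: {value}")
```

For a live audit, fetch crtsh_query_url(yourdomain) with any HTTP client, pass the response body to report() with now=datetime.now(), and walk the historical_only list through your DNS zone: a name that no certificate has covered for years but that still resolves is worth a second look.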
relationships among the discovered resources in the form of a graph.
If you are new to the term, OSINT (Open Source Intelligence) provides "legally gathered information about an individual or organization from free, public sources." If you discover intriguing information within DNS for a domain name, I recommend visiting an excellent OSINT resource called OSINT Framework [5]. OSINT Framework is an eye-watering resource that you could spend several days exploring. The site pulls together a vast array of free online tools and resources.
Consider PassiveDNS as an example. Figure 5 shows that, by expanding various menu options relating to DNS, you can see there are many pointers to free online tools to help you perform passive reconnaissance for DNS queries.
Click the DNS History button on the right side of Figure 5, and you are pointed at a site called DNS History [6], which is run by 8086 Consultancy [7]. Figure 6 shows how simple it is to use the site if you need to query when changes took place for a DNS entry. Scroll a little further down the search page to see some historical record references that might be useful to you or an attacker (Figure 7). In some cases,

Figure 6: You should experiment with the clever DNS History service.
Figure 8: A heat map lets you see where domain names are commonly registered. (Source http://dnshistory.org/p/heatmaps)

Going Dark
So far I have focused on certificates and DNS, along with the outstanding OSINT Framework, which is a topic all of its own. If you're willing to take a step down into the darkness, you can also find information by rummaging deeper on the dark web. Suppose I wanted to find information relating to a specific user via their email address. There are a number of services that collect

Pwn Check
Entering a problematic email address into Have I Been Pwned returns lots of information about each breach associated with the address. For the address used in this article, I also received this warning: "Pwned in 18 data breaches and found 2 pastes (subscribe to search sensitive breaches)". That's really not good news, and if you didn't have unique passwords, it could be even worse.
Have I Been Pwned also lets you set up an alert to notify you if your email address shows up in a data breach [10] (see Figure 10).
These sources are well-known data breaches that contained the email address. (If you're interested, check out the article at the CSO site on the 15 biggest data breaches this century [11].)
Back to Dehashed, if you have an active subscription, you can click on any of the items relating to breaches on the left side of the screen, and the service will reveal what data was present in the data breach (relating to the email address). Findings can include all sorts of data, including: usernames, email addresses, IP addresses, postal addresses, telephone numbers, passwords (hashed and in plain text), and human names. The data is not just alluded to either – the findings are displayed for all to see.
Dehashed lets you request that an entry be removed from its database, but of course, the data could still be present in many other places online, including the dark web. Removing the visibility of the data in Dehashed only hides it from some security researchers and others who are using Dehashed.
Dehashed also provides a comprehensive (subscription-based) monitoring service, alongside a fully fledged API. The Dehashed Data Wells page [12] shows how much data was retrieved from specific data breaches, along with a narrative that provides some additional and useful context.

Conclusion
There are many ways of performing recon online without ever going near a potential target. Attackers will take advantage of tools like the ones described in this article. If you're serious about thinking like an attacker, you can use these tools to do your own reconnaissance and determine how much of your data is exposed online. I encourage you to spend lots of time on the OSINT Framework site to gain a better understanding of the passive reconnaissance tools currently in use.

Figure 11: Dehashed has found some worrying data relating to the email address. (Source: https://www.dehashed.com)
Figure 12: The breaches where the findings were discovered. (Source: https://www.dehashed.com)
Figure 13: The breaches that Dehashed references (Source: https://dehashed.com/data): The "17 Database Breach," where apparently, in 2016, data related to a streaming app was exposed, including information about four million users.

Info
[1] "Indexing HTTPS Pages by Default": https://developers.google.com/search/blog/2015/12/indexing-https-pages-by-default
[2] crt.sh: https://crt.sh
[3] Sectigo: https://sectigo.com
[4] DNSDumpster: https://dnsdumpster.com
[5] OSINT Framework: https://osintframework.com
[6] DNS History: http://dnshistory.org
[7] 8086 Consultancy: http://www.8086.net
[8] Dehashed: https://www.dehashed.com
[9] Have I Been Pwned?: https://haveibeenpwned.com
[10] Notification at Have I Been Pwned?: https://haveibeenpwned.com/NotifyMe
[11] "The 15 Biggest Data Breaches of the 21st Century": https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html
[12] Dehashed Data Wells: https://dehashed.com/data

Author
Chris Binnie is a Cloud Native Security consultant and coauthor of the book Cloud Native Security: https://www.amazon.com/Cloud-Native-Security-Chris-Binnie/dp/1119782236.
IN-DEPTH
Formatting with LibreOffice

Why does LibreOffice Writer need a how-to? Aren’t millions familiar with it through daily use? Not exactly – many use LibreOffice inefficiently, ignoring the tools designed to make work easier, and do everything the hard way. It’s like dragging your feet instead of using the brakes.

When using LibreOffice, or any word processor, most people type some text, pause to format the text before typing more, and then repeat the process, which is slow and likely to interrupt one’s train of thought. To change the format, a user must go through the document individually updating every instance of the old format. This method of working is known as direct or manual formatting.

Word processors in general, and LibreOffice Writer in particular, are not primarily designed for direct formatting. They can be used that way and even have tools to help users who insist on direct formatting. However, LibreOffice is most efficient when using styles, its equivalent of programming variables. A style is a collection of formatting options, where one paragraph style might be Times Roman 12-point bold italic and another Helvetica Regular 18-point.

Styles can be set up to be applied automatically. When styles are used, a format only needs to be changed once, instead of individually. Although styles can take time to set up, they can be saved as templates and reused. By using styles, users can focus on developing their thoughts, as well as save themselves time formatting their documents.

These benefits apply especially to LibreOffice Writer. Most word processors have paragraph and character styles, but Writer also has page, list, frame, and table styles. The story goes that when StarDivision, LibreOffice’s original ancestor, was developed, the programmers were told they would have to use it to document their efforts. As a result, they added every useful tool they could think of, especially for styles. The developers were so thorough that many publishers today set their books using Writer. In fact, thanks to styles, Writer is not so much a word processor as a desktop publisher.

Photo by Nick Morrison on Unsplash

The Structure of Styles

Styles can be edited through Writer’s Styles window by pressing F11 (Figure 1). The Styles window is also the most convenient way to apply styles, although you can also use the Styles menu

Figure 1: Writer’s Styles window is the most convenient place to apply styles.

be repositioned and offers different views of the available styles, including a view of the styles used in the document. At first, setting a Writer style may seem a daunting task that requires dozens of choices. However, Writer includes dozens of defaults that can be customized with only minimal changes. For instance, if you do not want a particular feature, such as a background color, you can simply ignore it. Moreover, a style can be used for years, so the effort upfront can save time and effort each time you use the style in the future. In fact, a well-customized style can save you hours over the years. I still use a template with styles that I created 20 years ago that probably has saved me days of work.

When you are writing, the features of a style are applied automatically. If, for instance, a paragraph style indents the first line, there is no need for a tab. Similarly, if there are spaces following a paragraph rather than an initial indent, the spaces are applied when you press the Enter key. In addition, on the Organizer tab of any style (Figure 2), you can use the Inherited from field to base a style on an existing one, a feature that is useful when creating related styles. In fact, several groups of styles are hierarchical, such as the Heading, Table of Contents, Index, and Text Body styles. Edit the Heading style, for example, and your changes are automatically applied to Heading 1 through Heading 10 (Figure 3). You only need to edit Heading 1 through Heading 10 individually for their unique features. Because such hierarchical styles usually have many features in common, this arrangement saves considerable time.

Figure 2: The Organizer tab helps to automate the use of styles.

Figure 3: Because styles can be hierarchical, changes to the top style are inherited by styles lower in the hierarchy.

Another useful field on the Organizer tab is the Next style field, which assigns the style that follows the current one. For example, if the First Page style is followed by the Left Page style, and the Left Page style followed by the Right Page, a document is formatted in the background as you write (Figure 4). Once you apply the First Page style, the rest is taken care of for you. In the same way, you can set a Title style to be followed by a Subtitle style and then Text Body.

Because setting all the styles in a document can take several hours, you won’t want to do this each time you start a document. Instead, when the styles are perfected, you can save your effort in a template via File | Templates | Save As Template. To reuse the template, select it from File | New | Templates (Figure 5). You might also use File | Templates | Edit Templates to add other automatic features such as Fields to complement the styles.

finalize the styles, you will make so many changes that creating styles is mostly wasted effort.
• The document’s formatting is extremely simple, like an essay.

On the other hand, I recommend using styles for the following cases:
• A document is long (over three pages).
• A document will be used over and over.
• A document will be edited by more than one person.
• A document will be edited weeks, months, or even years after the first version.
• A document belongs to a standard class of documents, such as a letter or memo.
• A document must match that of other documents from you or your company or organization.
• A document will be used in a number of different ways, each of which requires some minor changes (e.g., printing it on both a white and a red background).
• A document is highly formatted, like a brochure.

The more circumstances that apply, the clearer your decision will be.

A Different Way to Write

You may need time to get used to the idea of styles. Instead of jumping right into writing, using styles involves more preplanning than manual formatting. However, using styles allows you to concentrate on developing your thoughts rather than focusing on formatting. Once you are used to the change, you should start to see that word processing is more than an electric typewriter. Moreover, you’ll be working with LibreOffice, rather than against it. Q Q Q

Author
Bruce Byfield is a computer journalist and a freelance writer and editor specializing in free and open source software. In addition to his writing projects, he also teaches live and e-learning courses. In his spare time, Bruce writes about Northwest Coast art (http://brucebyfield.wordpress.com). He is also co-founder of Prentice Pieces, a blog about writing and fantasy at https://prenticepieces.com/.
Mini Miner
The Monero cryptocurrency lets you get in the game without spending thousands on hardware. We’ll show you how. By Daniel LaSalle

When I started mining Bitcoin 13 years ago, the hardware standard was a bunch of Windows computers built up around the best possible video cards and power supplies. The end goal was to achieve the most hashes per second (H/s, or sometimes expressed as kH/s or mH/s) [1]. To this day, it is easy to find articles explaining how to mine Bitcoin using this classic setup. But few of the mining tools are command-line based, which is a problem for Linux veterans who wish to avoid GUI clutter. But rest assured: A basic Debian system, with the fastest CPU you can get your hands on, is all you need to start mining cryptocurrencies.

In the highly competitive universe of crypto mining, major currencies like Bitcoin are typically mined using specially built Application-Specific Integrated Circuit (ASIC) systems, which require a significant investment of the miner’s time and money.

Lead Image © Chode, 123RF.com

article describes how to start mining XMR on a Debian-based Linux system.

A Little Bit More on XMR

The value of Monero is nowhere near the range of Bitcoin’s value. The price of XMR at the time I wrote this article was $142.30, whereas the price of Bitcoin was $25,851.07. Some have wondered whether XMR would ever reach the value of BTC, but since its inception in 2014, it has failed to even reach the $500 mark [4]. However, projections are looking solid, and Monero shouldn’t disappear any time soon.

Technical Requirements

The most important asset for mining cryptocurrencies is electricity. The second most important asset is a fast CPU chip [5] that you can overclock. You’ll also need a means for dissipating the heat and keeping your environment dust free. Because mining is a process that never sleeps and demands full capacity, it will be important to leave room for your hardware to remain in a cool, friendly zone for the time it will be crunching its life away. While it does, and if it runs as dedicated, it will emit a vast quantity of heat. The final factor affecting hashing performance is the clock speed of the RAM, although the RAM speed is less important than the other features I’ve mentioned.

A minimal system for mining XMR would have a 250GB SSD, 4GB of RAM, and the cheapest video card available. The high-grade components need to be the CPU and the power supply unit. Investing in a good motherboard is optional yet vital if you wish for your system to beat the clock. Be advised that, as time goes on, the size of the decentralized blockchain copy that you’ll need to host locally will eventually expand to over 250GB. Currently, it weighs about 164GB, so it is safe to say that a 250GB drive will hold for another three to four years at the very least – unless there is a huge increase in transactions.

Getting Started

The first step is to get the system up. For that, you’ll need to install the latest Debian (bookworm) [6]. All you really need is the SSH server and standard system utilities from the latest Debian netinstall (Figure 1).

Once you’ve installed the OS and logged into the freshly installed system, the work with Monero can begin. Start by downloading the latest Monero daemon [7] and extracting it under the folder of your choice (Figure 2). Then install the CPU miner (Figure 3).

Figure 2: Monero v0.18.2.2 is the latest current version; it contains both the daemon and the wallet binaries that are pivotal to mining Monero.

Figure 3: Even if the last update dates back to 2020, xmr-stak is still one of the best cross-platform CPU miners for XMR.

The next steps truly initiate the Monero footprint. The very first thing is to download the ~164GB blockchain, and for that, a simple execution of ./monerod will handle the task (Figure 4). Launching the monerod command without an existing blockchain in your home folder will result in it downloading the entire blockchain. This process will take a while – and even longer if you are working with a slow hard drive. Alternatively, specifying

--data-dir /path/of/.bitmonero

will simply download the delta since the last update. That way you can always back up your downloaded blockchain every now and then, in order to avoid all this synchronization.

Whatever you attempt to do while the blockchain finishes updating could end up not working immediately. Therefore the wisest thing to do is to allow it to complete. However, this process will take several hours and can take days, depending on your Internet connection.

By default monerod puts everything blockchain related under /home/youruser/.bitmonero. The last operation is to port forward TCP/18081 if you wish to have no errors, but those errors will not void some functions.

Even when you have already downloaded 99 percent of the blockchain and have not updated in 10 days, it can take up to an hour for your node to be synchronized again. Because I am living dangerously, I will proceed immediately with the next step: setting up a wallet (Figure 5). In this case, I’ll be running

~/Downloads/monero-x86_64-linux-gnu-v0.18.2.2/monero-wallet-cli

Figure 5: You’ll need to set up a wallet.

System Tweaks

Because the general idea behind mining is to maximize all available resources, you need to be sure to go big. For that, you will need to switch to

Listing 2: /etc/security/limits.conf
* soft memlock 262144
* hard memlock 262144

And Then

Because I am building a dedicated mining rig that runs 100 percent at all times, I first need to confirm that the values in cpu.txt match the actual machine values. It’s also possible that I was intrepid in pursuit of enrichment and immediately added the --noTest switch to the first launch of the xmr-stak-rx command. If no self test was done, the cpu.txt never populated. Or perhaps something worse happened? By nature, the content of the cpu.txt file is very basic most of the time (Figure 8).

Figure 6: Questions answered, but you’ll need to make some changes before the miner is error free.

Figure 7: A better outcome after the changes.

Figure 8: Inside the cpu.txt file.

Each CPU thread that you wish to dedicate to mining XMR will need to have a value defined where the first core counts as 0. Therefore, a 64-thread dedicated mining machine would have 64 lines starting with 0 and ending with 63. However, in this case, I will make the educated guess that this machine has 12 threads off, and only the last 8 were configured to be usable by xmr-stak-rx. If you wish to know how many usable threads your system can run, enter:

# dmidecode -t processor

and look for the thread count, which is at the bottom, or simply run htop and look at the number of cores that are shown at the top.

Another thing I like doing is making sure a mining rig requires minimal intervention (e.g., when there is a power loss and your UPS can’t hold on long enough for the power to come back). Also, I like the boxes to have minimal cabling, which implies just the power and the network. Lastly, the systems will need room to breathe and adequate ventilation. To make sure I never lose a beat, I set the crontab entries in Listing 3 under my own user.

When you’re finished with these steps, shut down the system and unplug everything. Set up the power and network cables as required for your configuration, and then plug the system in, power it up, and feel it getting warmer and its fans working harder. Congratulations, you are now mining Monero.

Along with the Cryptoriches!

Money doesn’t come easily and the same applies to cryptocurrency. I decided to use Nanopool as the mining pool, but there are many other choices [8] to decide from, each with its own specifications.

The next step is to visit https://xmr.nanopool.org/account/ followed by the (very long) wallet name. For instance:

https://xmr.nanopool.org/account/43wnFgp65TxiexxMmKshejBjRZY5ckv987DQR4PMLKFuM5du8GWM8q56Ac3xZAYoELE1Tz8TxFzA6SZYWCVKiN9Z57NGfsh

After about 15 minutes, you will see the first results posted as an unconfirmed balance (Figure 9).

Figure 9: First results appear with an unconfirmed balance.

Even though the option for solo mining is a possibility, it is a good idea to join a mining pool to combine the computing power with other users. This method is generally the fastest way for crypto enthusiasts to get better payouts, as each pool has its own terms of use. In the case of Nanopool, you need to have mined a full (that’s 1.00000000) XMR unit, which will then be automatically cashed in your wallet, given that your local blockchain is fully up to date.

If you also happen to have unlimited electricity, CPU power, and room for ventilation, and you wish to dedicate a mining room, you can deploy additional systems, but avoid installing monerod on them, as it is only needed once in any environment. Just make sure you configure xmr-stak-rx to use your wallet address, and it won’t be too long until you get your first payout.

If disaster strikes one day and you need to start back from scratch, the only pieces required to resume your XMR activities are a copy of both the wallet file and its key alongside the password or the 25 recovery words that were generated at wallet generation. Be warned however, that if you stop mining from a pool while you haven’t met the minimum payout and you do not contact them, you risk losing all of your accumulated balance.

With Nanopool, you can always get a non-checkout balance value transferred to you. For that to happen, you need to have been inactive for 24 hours and contact them [9]. You will want to learn a little bit more about joining a mining pool; this is perhaps the best advice that I can give you for starting your mining journey.

Conclusion

There are many considerations you’ll need to address if you wish to claim a piece of the cryptocurrency pie. But whichever path you choose, it always comes back to the basics: The Plan. Q Q Q

Info
[1] “What is Crypto Hash Rate and Why Is It Important”: https://www.makeuseof.com/crypto-hash-rate-what-is-it/
[2] “Why Monero Is the Best”: https://gomonero.com/why-monero/
[3] ASIC-resistant mining algorithm: https://cointelegraph.com/news/monero-implements-hard-fork-including-new-asic-resistant-mining-algorithm
[4] Monero price on CoinMarketCap: https://coinmarketcap.com/currencies/monero/
[5] The Best CPUs for Mining Monero: https://vicadia.com/best-cpu-for-mining-monero/
[6] Netinstall with Debian: https://www.debian.org/CD/netinst/
[7] Monero downloads: https://www.getmonero.org/downloads/
[8] Mining pool options: https://miningpoolstats.stream/monero
[9] Nanopool FAQ: https://help.nanopool.org/hc/en-us/articles/4898382873629-FAQ

Author
Daniel LaSalle was introduced to the command prompt while in his 5th grade. But his addiction to technology spans over 30 years. In the last decade he's been using Linux every day and freelancing as an infrastructure specialist. https://www.linkedin.com/in/daniellasalle/
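Two of the settings in the article are easy to get subtly wrong: the memlock limit from Listing 2 (a later, user-specific line in /etc/security/limits.conf silently overrides the `*` wildcard for that user), and the per-thread entries in cpu.txt from the “And Then” section (one entry per thread, numbered from 0, never exceeding the thread count that dmidecode or htop reports). The Python script below is an added example, not code from the article or from the xmr-stak project. The limits.conf sample is constructed, and the cpu.txt key names (`cpu_threads_conf`, `affine_to_cpu`, `low_power_mode`) follow xmr-stak’s layout as I recall it, so treat them as an assumption and compare with the file your own miner generated (Figure 8).

```python
"""Checks for the memlock limit (Listing 2) and the cpu.txt thread entries.

Added example; not code from the article or from xmr-stak.
"""
import re

REQUIRED_MEMLOCK_KB = 262144   # the value from Listing 2 (limits.conf counts KB)

# Constructed sample limits.conf: the wildcard pair from Listing 2 plus a
# per-user line that silently overrides it for the account the miner runs as.
SAMPLE_LIMITS_CONF = """\
# /etc/security/limits.conf (constructed sample, not from the article)
*        soft    memlock    262144
*        hard    memlock    262144
miner    soft    memlock    65536
"""


def parse_limits(text: str):
    """Return (domain, type, item, value) tuples, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 4:                    # anything else is not a limits line
            entries.append(tuple(parts))
    return entries


def effective_limit(entries, user: str, item: str, ltype: str, groups=()):
    """Resolve the limit pam_limits applies: a line naming the user beats a line
    naming one of the user's groups (@group), which beats the '*' wildcard.
    A type of '-' sets both soft and hard."""
    best, best_rank = None, -1
    for domain, t, it, value in entries:
        if it != item or t not in (ltype, "-"):
            continue
        if domain == user:
            rank = 2
        elif domain.startswith("@") and domain[1:] in groups:
            rank = 1
        elif domain == "*":
            rank = 0
        else:
            continue
        if rank >= best_rank:
            best, best_rank = value, rank
    return best


def memlock_ok(entries, user: str, groups=()) -> bool:
    """True when both soft and hard memlock for `user` reach the Listing 2 value."""
    for ltype in ("soft", "hard"):
        value = effective_limit(entries, user, "memlock", ltype, groups)
        if value in ("unlimited", "infinity"):
            continue
        if value is None or int(value) < REQUIRED_MEMLOCK_KB:
            return False
    return True


def render_cpu_threads(thread_count: int) -> str:
    """One entry per mining thread, numbered 0..thread_count-1 as the article
    describes. Key names follow xmr-stak's cpu.txt layout as I recall it (an
    assumption): compare with the file your miner generated."""
    lines = ['"cpu_threads_conf" :', "["]
    for n in range(thread_count):
        lines.append(f'    {{ "low_power_mode" : false, "affine_to_cpu" : {n} }},')
    lines.append("],")
    return "\n".join(lines)


def configured_threads(cpu_txt: str):
    """Thread numbers bound in a cpu.txt, sorted ascending."""
    return sorted(int(n) for n in re.findall(r'"affine_to_cpu"\s*:\s*(\d+)', cpu_txt))


def check_cpu_txt(cpu_txt: str, usable_threads: int):
    """Compare cpu.txt against the thread count reported by `dmidecode -t processor`
    or htop. Returns (ok, message)."""
    threads = configured_threads(cpu_txt)
    if not threads:
        return False, "no threads configured (a --noTest launch skips the self test that fills cpu.txt)"
    if len(set(threads)) != len(threads):
        return False, "duplicate affine_to_cpu entries"
    if threads[-1] >= usable_threads:
        return False, f"thread {threads[-1]} is outside 0..{usable_threads - 1}"
    if len(threads) < usable_threads:
        return True, f"{len(threads)} of {usable_threads} threads in use"
    return True, "all threads in use"


if __name__ == "__main__":
    entries = parse_limits(SAMPLE_LIMITS_CONF)
    print("memlock for user 'miner' OK:", memlock_ok(entries, "miner"))   # False: overridden
    print("memlock for other users OK:", memlock_ok(entries, "alice"))    # True
    print(check_cpu_txt(render_cpu_threads(8), 12))   # 8 threads on a 12-thread box
    print(check_cpu_txt(render_cpu_threads(64), 64))  # the article's 64-line case
```

Run it as-is to see the constructed cases; to check a real rig, feed `parse_limits(open("/etc/security/limits.conf").read())` and the contents of your cpu.txt into `memlock_ok` and `check_cpu_txt` with the account the miner runs as and the thread count from dmidecode.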
Keeping Secrets
Protect your data and operating system from prying eyes with VeraCrypt. By Matthias Wübbeling

Confidentiality and integrity are increasingly important when it comes to security. The ability to encrypt data carriers is decisive in this battle, especially for mobile devices. This article shows you how to reliably protect your data and operating system with the open source VeraCrypt tool, as well as how to completely hide the encrypted containers if necessary.

In response to the increase in awareness of IT security, Microsoft began developing the software later known as BitLocker [1] for encrypting files, partitions, or entire hard disks in 2004. BitLocker came under suspicion during the Snowden incident, when it was suspected of possibly providing backdoors or master keys for intelligence services. However, this has never been confirmed and is unlikely to be confirmed any time soon. BitLocker is therefore often used in corporate settings because it gives ad-

Lead Image © Stefan Redel, fotolia.com

way into Windows, TrueCrypt enjoyed great popularity right from the start, although the developers remained anonymous for a long time and its source code was not freely available. Rumors later confirmed that TrueCrypt’s development originally came from criminal circles. TrueCrypt announced the end of development in 2014.

In 2013, VeraCrypt, a fork based on an older, audited version of TrueCrypt, was launched. Today, VeraCrypt is developed by the open source community. Of particular interest, VeraCrypt supports the different Linux derivatives and macOS as operating systems in addition to Windows. As an added bonus, legacy TrueCrypt containers can easily be recycled thanks to VeraCrypt.

Encryption for Data Protection

Data confidentiality and system integrity

and communication, you don’t want this information falling into the wrong hands.

Mobile devices and data carriers in particular are exposed to a greater risk of loss or theft, especially if you have to hand the device over briefly, say, during international travel. In these cases, an encrypted system partition protects against uncontrolled manipulation, such as the installation of malware or spyware. Above all, however, it protects against unauthorized access, for example, to industrial secrets or personal data on the hard drive.

Of course, confidentiality and integrity are only ensured when the computer is switched off. If a device is switched on and the encrypted data is unlocked for daily work with a password, access is possible. A loss of confidentiality due to user error or manipulation by malware is then possible.
download page [4] provided by the IDRIX developers. This way you can count on having a valid, signed version and avoid the trickery of dubious download platforms.

The installation is child’s play: Launch the downloaded file with admin authorization or confirm the prompt during the install. Then select the language that suits you and install VeraCrypt with the standard options. Alternatively, you can download the source code provided on GitHub [5] and create VeraCrypt on your own system.

When you launch VeraCrypt, the program comes up with a tidy interface (Figure 1). You will see an overview of the mounted drives; VeraCrypt uses the classic drive letters from A to Z on Windows and also offers the option of mounting or creating a container or an encrypted partition.

Pressing the Create Volume button opens a dialog that guides you through the process. The first step is to select the type of storage you want for the volume. You can choose between a container file, an encrypted partition on your hard disk, or an encrypted system partition of your Windows operating system. For first time users, it makes sense to create an encrypted container.

Next you need to define your container’s volume type. You have two volume options: standard and hidden (Figure 2). Hidden volumes support two protection objectives: plausible deniability and confidentiality. A hidden volume makes it possible to deny the very existence of the encrypted data if someone tries to force you to hand over the data. To do this, you need to create a hidden volume on a standard volume. VeraCrypt creates the matching structures in the container headers regardless of which volume type you choose, so the existence of these structures alone is not credible proof of the existence of a hidden volume. Technically, the internal volume is simply a storage area within a standard volume and is protected with another secret.

If you enter both secrets when mounting the volumes, VeraCrypt determines the byte limits of the two volumes within the container and you can safely access both volumes as required. If you only specify the secret for decrypting the outer volume, there is a risk of overwriting the hidden volume. VeraCrypt then knows nothing about the corresponding byte limits and simply fills up the container, possibly also using up the area containing the hidden volume.

Figure 1: VeraCrypt comes up with a very tidy interface when first launched.

Figure 2: Plausible deniability is definitely an option with VeraCrypt.

Security vs. Performance

For my example, I’ll select Standard VeraCrypt volume and then press Next. Then I need to select the container file’s storage location and specify the encryption parameters. VeraCrypt offers a choice of algorithms. AES is the globally recognized standard for block encryption. The alternatives, Serpent and Twofish, were also candidates for the AES standard at the time, so they are comparatively secure. If you do not trust any algorithm on its own, you can also select a cascade of several methods. You have to decide for yourself whether this makes sense cryptographically and for your application. Ultimately, cascading increases key material and eliminates the mathematical uncertainties of individual procedures in an attack scenario. The same applies to the choice of the hash method; again different variants are available. Under normal circumstances, AES and SHA-512 are safe choices that achieve a good compromise between security and performance. I will use these two methods in my example.

As the next step, you need to define the size of the volume based on your estimated needs. Otherwise, you might use up a large amount of storage space on your data carrier just to encrypt a few files or a bunch of small files. VeraCrypt also offers dynamic containers if you can’t estimate the exact requirements right now. These containers do not grab the entire storage space when they are created, but simply grow to the specified maximum size as required. Incidentally, you need to choose dynamic containers carefully, because if they end up exceeding the actual hard disk capacity, there is a risk of data loss. I will be using a container size of 1GB.

You now need to select the secret for accessing the volume you created by filling out the two input fields with your choice of password. Be sure to read the info at the bottom of the dialog to help you choose a secure password. Good passwords should not only consist of many different characters, but should also be as long as possible. Password length has a major influence on security (see the “Password Security” box), although you are likely to find different
recommendations for this in different places. VeraCrypt warns you if your password has fewer than 20 characters.

As an alternative or in addition to the password, you can select further “secrets” to protect your volume. In addition to a smartcard, any file or the files of an entire folder can be defined as keyfiles (Figure 3). Of course, this increases the size of the input variable for encryption immensely, but limits the secret to be remembered to this one file or the selected combination of files. Because an attacker with access to your computer could try out any file as a secret, it is not a good idea to solely rely on one file as the secret.

You can enhance security even further by defining the Personal Iterations Multiplier (PIM) yourself and selecting the Use PIM option. This lets you change the number of iterations of the key derivation function that generates cryptographic keys from your input, thus making brute force attacks more difficult. Having said this, the default number of iterations (500,000 rounds) offers a good compromise between performance and security, so I wouldn’t change anything here.

FAT, exFAT, or NTFS?

Once you have defined a good password and clicked Next, you can move on to selecting the volume’s filesystem. FAT or exFAT can be mounted on almost any other system later. NTFS gives you the ability to use additional authorizations or file attributes on Windows. Choose the filesystem that best suits your requirements. If required, check the boxes for quick formatting and the option to dynamically grow the volume. Next, move your mouse pointer to give the pseudo-random number generator for the crypto operations further random data. Once the bar at the bottom of the window turns green, press Format. After a short time, your volume is ready, and you can press Exit to close the dialog.

After creating your container, you are taken back to the VeraCrypt start window. Now search for your previously created container by clicking on Select File, select the desired drive letter in the area above, and then press Mount. Enter the password in the dialog box or browse to the keyfiles you selected previously for the secret in Keyfiles. Clicking on OK tells the disk manager to automatically mount the volume, which you can access directly.

If you created a hidden volume in the previous step, you will now see two options when mounting. If you want to access the contents of the hidden volume, you need to enter the matching secret in order to mount it directly. The container’s outer volume is not displayed or changed. However, if you want to include the outer volume (e.g., to keep up appearances and store files) enter the secret for this outer volume here. In Options, make sure you also specify the secret of the hidden volume for protection to avoid it being accidentally overwritten (Figure 4).

Figure 3: Keyfiles can also be used in addition to passwords.

Figure 4: Protect existing hidden volumes against accidental overwrites.

Encrypting Partitions and Hard Disks

If you want to encrypt entire partitions or data carriers, select the Encrypt a Partition/Drive option when creating a new volume. In Windows, again confirm the User Account Control (UAC) dialog to let VeraCrypt access your data carriers. As in a container, you can also create hidden volumes. Then select the data

Password Security

Secure passwords are long. They are designed to provide protection against brute force attacks (i.e., attacks in which all possible character combinations are tested in an automated process). This complexity results from the number of characters that the attacker must try in all possible combinations. The more characters you combine, the exponentially more difficult the password becomes to crack.

However, a password’s security is not only determined by the choice and number of characters, but also by the degree of secrecy. Sufficiently complex, yet easy to remember passwords do not need to be written down. The sheer number of password characters plays a greater role than the largest possible character set: An 18-character password in which you only use lowercase letters and numbers (i.e., 36 possible characters each) has more combinations than a 14-character password with 100 possible characters. To keep the secret, do not use your passwords for multiple purposes, but create an individual password for each account. Otherwise, the number of attempts required to access your files will be exactly one if your password falls into an attacker’s hands (i.e., if another account that uses the same password is hacked).
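The “Password Security” box and the PIM paragraph above make two quantitative points that are worth seeing in numbers: the keyspace grows exponentially with length (so 18 symbols from a 36-symbol set really do beat 14 symbols from a 100-symbol set), and the key derivation function’s iteration count multiplies the cost of every guess an attacker makes. The Python script below is an added example, not code from the article or from the VeraCrypt project. The attacker throughput figure is a constructed, illustrative value, and the PIM-to-iterations mapping (15000 + PIM × 1000 for non-system volumes, which yields the 500,000 default at PIM 485) is VeraCrypt’s published formula as I recall it, so verify it against the documentation of the version you run.

```python
"""Keyspace and key-derivation cost estimates for VeraCrypt-style passwords.

Added example, not code from the article or from the VeraCrypt project.
"""
import math

DEFAULT_ITERATIONS = 500_000          # the default round count quoted in the article
ASSUMED_HASHES_PER_SECOND = 1e10      # constructed attacker throughput; illustrative only


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from `alphabet_size` symbols."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("length must be >= 1 and alphabet_size >= 2")
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """log2 of the keyspace: the usual 'bits of strength' figure for a random password."""
    return length * math.log2(alphabet_size)


def box_claim_holds() -> bool:
    """The box's comparison: 18 symbols from a 36-symbol set vs. 14 from a 100-symbol set."""
    return keyspace(18, 36) > keyspace(14, 100)


def pim_to_iterations(pim: int) -> int:
    """Assumed mapping for non-system volumes, from VeraCrypt's PIM documentation as
    I recall it: iterations = 15000 + PIM * 1000 (PIM 485 gives the 500,000 default).
    Verify against the documentation of the VeraCrypt version you use."""
    if pim < 1:
        raise ValueError("PIM must be a positive integer")
    return 15_000 + pim * 1_000


def expected_crack_seconds(length: int, alphabet_size: int,
                           iterations: int = DEFAULT_ITERATIONS,
                           hashes_per_second: float = ASSUMED_HASHES_PER_SECOND) -> float:
    """Expected wall-clock time for an exhaustive search that runs the KDF per guess.
    On average half the keyspace is tried before the right password turns up, and each
    guess costs `iterations` hash evaluations, so the KDF scales the cost linearly."""
    guesses = keyspace(length, alphabet_size) / 2
    return guesses * iterations / hashes_per_second


def kdf_slowdown(iterations: int, baseline: int = DEFAULT_ITERATIONS) -> float:
    """Factor by which a custom iteration count changes per-guess cost vs. the default."""
    return iterations / baseline


if __name__ == "__main__":
    year = 365.25 * 24 * 3600
    print(f"36^18 > 100^14: {box_claim_holds()}  "
          f"({entropy_bits(18, 36):.1f} bits vs {entropy_bits(14, 100):.1f} bits)")
    for length, alphabet, label in [(8, 26, "8 lowercase"),
                                    (14, 100, "14 from 100 symbols"),
                                    (18, 36, "18 lowercase+digits"),
                                    (20, 72, "20 mixed")]:
        secs = expected_crack_seconds(length, alphabet)
        print(f"{label:22s} {entropy_bits(length, alphabet):6.1f} bits  "
              f"~{secs / year:.3g} years at the assumed rate")
    print(f"PIM 485 -> {pim_to_iterations(485):,} iterations; "
          f"PIM 2000 -> {kdf_slowdown(pim_to_iterations(2000)):.1f}x slower per guess")
```

The margin in the box’s comparison is small (about 93.1 versus 93.0 bits), which is the point: length buys security faster than alphabet size, and the iteration count is a further linear multiplier on top of that, not a substitute for a long password.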
carrier to be encrypted. In my example, I will encrypt a USB memory stick. In this case, it is not necessary to partition the storage space in advance; you can encrypt the entire drive directly. The partitioning can then be changed within the encrypted area. VeraCrypt shows you available storage and partitions for selection.

Next you can choose whether to continue using the files that are already on the data carrier in the encrypted volume (the in-place encryption option). VeraCrypt can create encrypted storage media without you needing to manually temporarily store the files and transfer them back. Note that this only works with NTFS on Windows, because the operating system is only capable of shrinking NTFS filesystems on the fly, which is necessary to free up space for the encrypted volume on the data carrier.

If you want to continue without in-place encryption, select the other option and press Next. Before formatting, you will be warned once again that all data currently on the medium will be permanently deleted. If you are using a USB memory stick, you are also told that a drive letter will still be assigned on Windows. However, you must not use the drive in this way. Windows does not recognize any content and offers to format the stick directly when you connect it, which would delete the encrypted volume.

Protecting the System

Backup and Recovery

Now is a good time to think about backing up the contents of your hard disk. If something goes wrong with the encryption process, you will want to keep a backup of your files in order to be able to restore the system. The files can (or should) of course also be stored on an encrypted data carrier that can be easily mounted by a booted system.

Next, select whether you have one or several operating systems installed on your data carrier. Then click Next and set the encryption parameters as described above. You are then taken to the PIN entry screen. Of course, you cannot select any files here, because you do not have access to the hard disk at system boot time.

VeraCrypt sets the keyboard layout to English when you enter the password. This is because only the BIOS settings are available at boot time before the operating system possibly adopts your choice of keyboard layout. You need to take this into account, especially if you want to use nonstandard characters in your password. You will normally have an English keyboard layout, but to be on the safe side and make sure that the BIOS is not playing tricks on you with a country-specific language setting, it is a good idea to display the password so that you can enter the password with your local keyboard layout in case of an emergency.

VeraCrypt also lets you create your own VeraCrypt rescue medium. This helps you to repair a defective VeraCrypt

after you enter the password. VeraCrypt displays a success message for the test after the reboot.

Click on Encrypt and say yes to warning prompts. The encryption process then starts. You will need some patience, depending on the size of your data carrier. Once the process has completed, you can close the dialog box and will see your system partition mounted in the drive overview. Of course, you cannot eject the drive. To protect your data, shut down the system.

After restarting, you will be prompted to enter the key. Remember that you must type the key with an English keyboard layout. In addition to the password, you will be asked to enter a PIM if you set one. If you have not set a PIM, you can simply press Enter to confirm, otherwise you need to enter the correct value here. The operating system then boots in the usual way, and you can work with virtually no loss of performance.

Conclusions

Encrypting data, especially on mobile devices, is essential in the corporate environment. As an alternative to BitLocker, VeraCrypt offers a sophisticated approach to encrypting data carriers. It protects USB memory sticks, hard disks, and your system partition (though only when the computer is switched off or not connected). Hidden volumes also give users the ability to credibly deny the existence of any such volumes, should
Partition bootloader and also – with the correct someone attempt to force you to hand
Now that you have some experience password, of course – to permanently over your data.
with VeraCrypt, you can encrypt your decrypt the system partition again, for With the steps covered in this article,
entire operating system. To do this, se- example, to repair a defective Windows you can encrypt your computer with
lect Encrypt System Partition/Drive from system. You need to burn the ISO image VeraCrypt. Keep in mind, however, that
the System menu at the top. you create to a CD/DVD or transfer it to secure passwords are an important se-
VeraCrypt even offers to install a hid- a USB stick. If you encrypt several sys- curity aspect. Q Q Q
den operating system. This gives plausi- tems with VeraCrypt, you will need an
ble deniability at the operating system individual rescue medium for each Info
level to deny the existence of a hidden system. [1] BitLocker:
operating system installation. Before the encryption process starts, https://learn.microsoft.com/en-us/
For my example, I will use normal en- you need to define the delete options windows/security/operating-system-
cryption and then opt to encrypt the en- for the existing system files. You can security/data-protection/bitlocker/
tire data carrier and not just the system overwrite files multiple times to pre- [2] TrueCrypt:
partition. The entire data carrier then also vent an attacker from restoring them – https://truecrypt.sourceforge.net/
includes any recovery or boot partitions, even after overwriting the free disk [3] E4M:
which is why VeraCrypt recommends that areas with the encrypted volume. Now https://en.wikipedia.org/wiki/E4M
you only encrypt the system partition for take note of the recovery instructions [4] VeraCrypt download: https://www.
the recovery. Otherwise, depending on and warnings before starting the veracrypt.fr/en/Downloads.html
the BIOS configuration, you could lose ac- obligatory pre-test. The computer re- [5] VeraCrypt on GitHub: https://github.
cess to your system completely. boots and Windows launches again com/veracrypt/VeraCrypt
Patterns in the Archive

To help him check his Google Drive files with three different pattern matchers, Mike builds a command-line tool in Go to maintain a meta cache. By Mike Schilli

My digital library of scanned paper books is stashed away as PDF files in an account on Google Drive. So far, Google has done an exemplary job of keeping my data available, but I just can't make friends with their search interface. In typical Google style, the browser shows you a search field that can be used to quickly browse the indexed full text of all the files in all the folders. However, getting a simple answer to the question of whether I already have a certain book in my archive is more difficult. To do this, I have to restrict the search to file names only and to specific folders.

Fortunately, though, Google provides an intuitive API [1] to access user data in the Google Drive cloud. For quick checks, a command-line tool comes in handy. While we're at it, it's worth taking a trip into the world of pattern matchers, of which there are, as we all know, a wide variety. For example, the shell relies on a glob mechanism for matching, while programming languages typically rely on regular expressions (regexes). And sometimes, a simple string matcher like the grep command is the most practical solution.

Parallel Regex Worlds

If you type ls *.jpg on the command line, you expect the shell's match mechanism to find all files with a .jpg extension. This pattern matching is fundamentally different from the Perl Compatible Regular Expressions (PCRE) [2] used in programming languages. Funnily enough, they originated with the Perl scripting language many years ago, but all modern languages from Python to Java and C++ to Go support them as well (Go's regexp package implements the RE2 dialect, which drops backtracking features such as backreferences in exchange for guaranteed linear-time matching).

On the other hand, the wildcard of the regex world, .*, matches any string. The dot in the pattern allows arbitrary characters, and the subsequent asterisk stands for any number of occurrences (including none). The equivalent in shell globbing would be *, as I explained in the *.jpg example, but note the caveat: The shell never matches beyond the path separator. Consequently, /tmp/f* does not match /tmp/foo/bar.

In contrast, the Unix grep command matches strings such as foobarbaz with a search pattern of bar. It matches without anchoring; no need to pad the pattern with *bar* as you would have to in a shell pattern match.

Author
Mike Schilli works as a

Lead Image © Alphaspirit, 123RF.com
Matches on Demand

To let you choose the matching strategy for your Google Drive data when using the gdls binary compiled from the sources in this article, Listing 1 provides the --match command-line flag. It can take the values contains (default), glob, or regex. In the RegexFu() function, a switch statement branches to a plain vanilla substring match (using the strings.Contains() library function), a shell glob match (using Match() from the standard filepath package), or a full regex match from the Go regexp library via regexp.MatchString(). The database layer (NewGdDb(), Init(), Search()) comes from Listing 4 and the crawler (updater()) from the listing that scans the Drive.

Listing 1: gdls

```go
package main

import (
	"flag"
	"log"
	"path/filepath"
	"regexp"
	"strings"
)

// The --match flag selects the strategy RegexFu() applies. RegexFu() reads it
// directly, so the flag lives at package level rather than inside main().
var matchMethod = flag.String("match", "contains",
	"match method (contains, glob, regex)")

// --update refreshes the local SQLite cache from Google Drive.
var update = flag.Bool("update", false,
	"refresh the local cache from Google Drive")

func main() {
	flag.Parse()
	gddb := NewGdDb() // Listing 4: opens the SQLite cache in the home directory
	defer gddb.Close()
	if *update {
		gddb.Init()   // drop and recreate the files table
		updater(gddb) // crawl Google Drive and fill the cache
		return
	}
	pattern := ""
	if flag.NArg() == 1 {
		pattern = flag.Arg(0)
	}
	gddb.Search(pattern)
}

// RegexFu reports whether s matches re under the strategy chosen with
// --match. Listing 4 registers it with SQLite as the regexp() function, so
// the WHERE clause of the search query calls it for every row.
func RegexFu(re, s string) bool {
	var matches bool
	var err error
	switch *matchMethod {
	case "contains":
		matches = strings.Contains(s, re)
	case "glob":
		matches, err = filepath.Match(re, s)
	case "regex":
		matches, err = regexp.MatchString(re, s)
	default:
		log.Fatalf("Unknown: %s", *matchMethod)
	}
	if err != nil {
		panic(err)
	}
	return matches
}

// panicOnErr is the error handler shared by all listings.
func panicOnErr(err error) {
	if err != nil {
		panic(err)
	}
}
```

Figure 2: An SQLite database stores all the file paths on Google Drive.

Figure 3: Enabling the Google Drive API before using it.

Figure 4: Registering the app on the Google Cloud console.
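To see the three strategies from Listing 1 and the path-separator caveat from the Parallel Regex Worlds section side by side, here is an added Go example; it is not part of the article's gdls sources. The Library paths are constructed, the NewMatcher() and Filter() names are mine, and the example goes one step beyond the listing by turning a malformed pattern into an error instead of a silent empty result (Listing 1 panics on it).

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Matcher reports whether name matches pattern under one strategy.
type Matcher func(pattern, name string) (bool, error)

// NewMatcher maps the values of the gdls --match flag onto the same three
// library calls Listing 1 uses: strings.Contains, filepath.Match and
// regexp.MatchString.
func NewMatcher(method string) (Matcher, error) {
	switch method {
	case "contains":
		return func(pattern, name string) (bool, error) {
			return strings.Contains(name, pattern), nil
		}, nil
	case "glob":
		return func(pattern, name string) (bool, error) {
			// filepath.Match: '*' and '?' never cross a path separator.
			return filepath.Match(pattern, name)
		}, nil
	case "regex":
		return func(pattern, name string) (bool, error) {
			// RE2 syntax: no backtracking, so a hostile pattern cannot
			// blow up matching time the way a PCRE backreference can.
			return regexp.MatchString(pattern, name)
		}, nil
	}
	return nil, fmt.Errorf("unknown match method %q", method)
}

// Filter returns the names that match pattern under method. A malformed
// pattern (an unbalanced "[" in glob syntax, an unclosed group in a regex)
// is reported as an error instead of silently producing an empty result.
func Filter(method, pattern string, names []string) ([]string, error) {
	match, err := NewMatcher(method)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, name := range names {
		ok, err := match(pattern, name)
		if err != nil {
			return nil, fmt.Errorf("pattern %q: %w", pattern, err)
		}
		if ok {
			hits = append(hits, name)
		}
	}
	return hits, nil
}

// Library is a constructed stand-in for the paths stored in the SQLite cache.
var Library = []string{
	"books/bukowski_post_office.pdf",
	"books/bukowski_women.pdf",
	"books/poetry/bukowski_love_is_a_dog_from_hell.pdf",
	"books/ham_on_rye_bukowski.pdf",
	"books/bukowski_the_most_beautiful_woman_madness.pdf",
	"notes/mad_men_episode_guide.pdf",
}

func main() {
	queries := []struct{ method, pattern string }{
		{"contains", "bukowski"},       // 5 hits, any folder
		{"regex", "bukowski.*mad"},     // 1 hit, like the fourth command in Figure 1
		{"regex", "^books/.*bukowski"}, // 5 hits: the regex .* crosses "/"
		{"glob", "books/*bukowski*"},   // 4 hits: the glob * stops at "/"
		{"glob", "["},                  // ErrBadPattern, not "no hits"
	}
	for _, q := range queries {
		hits, err := Filter(q.method, q.pattern, Library)
		if err != nil {
			fmt.Printf("%-8s %-20s error: %v\n", q.method, q.pattern, err)
			continue
		}
		fmt.Printf("%-8s %-20s %d hit(s): %v\n", q.method, q.pattern, len(hits), hits)
	}
}
```

The error path matters once the pattern comes from a user: with Listing 1's panic a bad glob takes the whole tool down, and an implementation that returned false instead would quietly report an empty archive.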
Figure 1 shows the newly created gdls program in action. A substring match on bukowski will find all the books by American writer Charles Bukowski, of which there are no fewer than 15 in my library. To limit the number of matches displayed, the third command pipes the matches into a trailing grep command in good old Unix style. Matching on the substring mad, the search leaves me with just one book out of the 15 from the original search whose title contains the string mad. Alternatively, the regex match with bukowski.*mad in the fourth command filters out the single match in advance. The expression finds files with a matching name, regardless of the folder in which they reside. In contrast, the glob match with the shell-style asterisk syntax and path restrictions in the last line only finds files located in the books/ folder. There is something there for everyone's taste.

To make the search commands in Figure 1 produce usable results, the Go program does not reach out to Google Drive directly every time but uses a local cache with the file names in an SQLite database on the executing machine. You can refresh this local cache whenever needed by calling gdls --update. Then gdls contacts your Google Drive account, retrieves the names of all currently stored files, and feeds them into the files table of an SQLite database in the local ~/.gdrive.db file (Figure 2).

Listing 1 wraps the three different queries as library calls inside the RegexFu() function. Later, Listing 4 will register it with the SQLite database engine. The SQLite session in Figure 2 still searches manually and in typical SQL style for like %bukowski% – a fourth pattern matching method! Later, the Go program's search queries will be using SQLite's regexp() function, which we will have by then thanks to this custom RegexFu function.

Show Your ID!

So how does the metadata from Google Drive end up in the SQLite database? Google allows access to Drive data to authorized users only. This means that a program that wants to fetch the names of the files stored in the cloud needs some form of authentication.

To do this, you first need to create a project on the Google Cloud console [1], enable the Google Drive API (Figure 3), and add a new client application (Figure 4). The server responds with a newly generated Client ID and a Client secret (Figure 5).

The client secret does not by itself authorize access to the data, but it lets you retrieve an access token from the Google API server. Later, if you include a token of this kind with your requests to the Google Drive API, the server will hand over the data. The access token is only valid for a limited period of time, but it can be refreshed multiple times with the refresh token, obtained alongside the access token. The Client secret is available for download in JSON format from the dialog in Figure 5; you need to store it in the creds.json file in the local directory.

Figure 5: The Client ID and Client secret act as ID badges for the app.

When called for the first time with gdls --update, the program reads the creds.json credentials file with the client ID and client secret (Figure 6). At this point, there is no access token, so gdls calls the getTokenFromWeb() function from Listing 2 (starting in line 20). It writes the credential activation URL to the standard output and prompts you to type the address into your web browser's input box. When contacted in this way, the Google server first ensures that the Google Drive owner is logged into their own account. Then it asks in a dialog if it is OK to grant the new application the requested rights.

To do this, Google first posts a warning (Figure 7) and then an OAuth Consent dialog (Figure 8) that you must sign off on. This lets the API server know that you agree to allow an unregistered and therefore highly suspicious application to read your private Drive data.

It's Complicated

If you agree to the process despite the dire warnings (after all, the app is unsigned and the developer is not publicly known), the server points the browser to a predefined URL on localhost. Alas, nothing is listening there in this instance, because the local configuration is missing. The browser rightfully reports an error (Figure 9).

But never fear: The URL now displayed in the browser's address bar contains the authorization code in the code parameter. You can simply copy this code string into the input of the waiting gdls program running in the terminal (Figure 6). The program then contacts the Google server and receives the eagerly awaited access token in exchange for the code. Armed with this, you can now access the cloud data, and gdls will start the sync process immediately.

To avoid this rigamarole going forward, gdls uses saveToken() (Listing 2, starting in line 30) to store the access token along with the refresh token in a local token file.

Listing 2 (OAuth client; only fragments survived extraction): it imports golang.org/x/oauth2/google, requests the token with oauth2.AccessTypeOffline so that a refresh token is issued alongside the access token, obtains the HTTP client via getClient(config), calls saveToken(tok) after the exchange, and writes the token with os.Create(tokenFile).
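The page does not reproduce the body of saveToken(), so here is an added Go example, not the article's Listing 2, of how a practitioner would persist the access and refresh token on disk. The Token struct and its JSON names are assumptions modelled on the oauth2 wire format, SaveToken() and LoadToken() are my names, and the sample values are constructed. The point it adds to the text: the refresh token is a long-lived credential for the entire Drive, so the file gets mode 0600 before a byte is written, and a file that has become readable by others is refused rather than used.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// Token is what the authorization-code exchange returns. The JSON names are
// an assumption mirroring the oauth2 package's wire format; the file the
// article's saveToken() writes may be laid out differently.
type Token struct {
	AccessToken  string    `json:"access_token"`
	RefreshToken string    `json:"refresh_token,omitempty"`
	TokenType    string    `json:"token_type,omitempty"`
	Expiry       time.Time `json:"expiry"`
}

// Valid reports whether the access token can still be sent as is; the margin
// avoids sending a token that expires while the request is in flight.
func (t Token) Valid(now time.Time) bool {
	return t.AccessToken != "" && now.Add(30*time.Second).Before(t.Expiry)
}

// SaveToken writes the token readable by its owner only. The file is created
// with mode 0600 before any byte is written, and renamed into place so that a
// crash never leaves a half-written or world-readable token file behind.
func SaveToken(path string, tok Token) error {
	data, err := json.Marshal(tok)
	if err != nil {
		return err
	}
	tmp, err := os.CreateTemp(filepath.Dir(path), ".token-*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op once the rename has succeeded
	if err := tmp.Chmod(0o600); err != nil {
		tmp.Close()
		return err
	}
	if _, err := tmp.Write(data); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

// LoadToken reads the token back and refuses a file that group or others can
// access: a loose mode means the credential may already have leaked, and
// silently using it would hide that.
func LoadToken(path string) (Token, error) {
	var tok Token
	info, err := os.Stat(path)
	if err != nil {
		return tok, err
	}
	if mode := info.Mode().Perm(); mode&0o077 != 0 {
		return tok, fmt.Errorf("%s has mode %04o, expected 0600; refusing to use it", path, mode)
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return tok, err
	}
	if err := json.Unmarshal(data, &tok); err != nil {
		return tok, fmt.Errorf("%s: %w", path, err)
	}
	if tok.AccessToken == "" {
		return tok, errors.New("token file has no access_token")
	}
	return tok, nil
}

func main() {
	path := filepath.Join(os.TempDir(), "gdls-token-demo.json")
	// Constructed values, not real credentials.
	tok := Token{AccessToken: "ya29.constructed", RefreshToken: "1//constructed",
		TokenType: "Bearer", Expiry: time.Now().Add(time.Hour)}
	if err := SaveToken(path, tok); err != nil {
		panic(err)
	}
	got, err := LoadToken(path)
	fmt.Printf("loaded: valid=%v err=%v\n", got.Valid(time.Now()), err)
	os.Chmod(path, 0o644)
	_, err = LoadToken(path)
	fmt.Println("after chmod 644:", err)
	os.Remove(path)
}
```

The same treatment applies to creds.json: a "Desktop app" client secret cannot really be kept secret from the person running the binary, but it still should not be readable by every other account on the machine.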
scan all files on the Google Drive while keeping the folder structure in mind. To do this, the listAllFiles() function starts at the top folder (with the root ID) to retrieve all the entries with the query in line 33. It recognizes any directories found there thanks to the type check in line 40 and calls itself recursively in this case to drill down further into the hierarchy. It syncs the names of normal files to the local SQLite cache with the gddb object and its Add() function in line 44. Thanks to the folder paths passed down the call stack by the recursive flow, the absolute file paths on Google Drive are now available.

Little by Little

However, the Google API does not automatically return all the files in a folder in response to a search query. It paginates the results by default if there are more than 100 matches. If there is a nextPageToken in a server response's JSON, it's the caller's responsibility to keep fetching page after page until all results are in.

By the way, the server is, somewhat surprisingly, not obligated to return exactly 100 results per answer. This preset size acts as a maximum value, although the service can also go lower for efficiency reasons – a fairly common occurrence, especially for API servers with distributed data storage. Clients that only request a continuation page after finding 100 results (or that fail to check for continuation pages) will return incomplete data without an error message. This would leave users in the dark forever, so make sure to cover this case in your applications.

Filed and Archived

The tool then stores the file names and paths found on Google Drive in the SQLite .gdls.db file in the user's home directory. Listing 4 presents the functions that access the database in an object-oriented format. The NewGdDb() constructor starting in line 12 opens the connection to the database and stores the handle in a structure of type GdDb (defined starting in line 7). When done, it returns it to the caller for future function calls from the package.

When the client calls gddb.Init() later (starting in line 20), the code uses an SQL command to delete the files table (if an old version from previous runs exists) and create a new one that maps the full paths of the files in the drive to automatically created unique IDs. Figure 2 shows you the database schema.

The Add() function starting in line 31 adds newly found paths to the table as rows using the INSERT SQL command, while Search() starting in line 35 searches the entries using the predefined match algorithms and returns any matches to the caller. To do this, the function registers the user-defined regexp() function in the SQLite engine and sets it to the Go function with the three match algorithms passed into the constructor. Of these, one was already preselected by the main program at this point. When searching with SELECT in the SQL database, the engine then defers to the user-defined function to evaluate the where clause and filters the matches accordingly. The for loop starting in line 56 iterates over the approved matches and writes them to standard output.

Programming Snapshot – Google Drive Search Tool

Wrapping Up

As always, the hat-trick of commands shown in Figure 10 results in an executable program after the Go compiler has loaded the libraries referenced in the code from the network and precompiled them. If necessary, you can further customize the search functions. For example, it would be a good idea to ignore upper and lowercase. As always with DIY programs, there are no limits to what you can do.
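The continuation-page rule from the Little by Little section, as an added Go example that is not the article's crawler listing: ListAllFiles() recurses into folders like listAllFiles() and follows nextPageToken until it is empty, next to the buggy variant the text warns about, and both run against a constructed in-memory Drive. FakeDrive, its numeric page tokens, its deliberately short pages and the file names are mine; the real API returns page tokens as opaque strings.

```go
package main

import (
	"fmt"
	"path"
	"strconv"
)

// Entry is the subset of a Drive file resource the crawler needs.
type Entry struct {
	ID       string
	Name     string
	IsFolder bool
}

// Page is one response to a listing call. The server may hand back fewer
// entries than the page size and still set NextPageToken.
type Page struct {
	Entries       []Entry
	NextPageToken string
}

// Lister is the one operation the crawler needs from the API: list the
// children of a folder, starting at pageToken ("" for the first page).
type Lister interface {
	List(folderID, pageToken string) (Page, error)
}

// crawl walks the tree below folderID depth-first, fetching page after page
// until done(page) declares the folder complete, and returns the full paths
// of all non-folder entries. prefix is the path of folderID.
func crawl(api Lister, folderID, prefix string, done func(Page) bool) ([]string, error) {
	var files []string
	token := ""
	for {
		page, err := api.List(folderID, token)
		if err != nil {
			return nil, err
		}
		for _, e := range page.Entries {
			full := path.Join(prefix, e.Name)
			if e.IsFolder {
				sub, err := crawl(api, e.ID, full, done)
				if err != nil {
					return nil, err
				}
				files = append(files, sub...)
				continue
			}
			files = append(files, full)
		}
		if done(page) {
			return files, nil
		}
		token = page.NextPageToken
	}
}

// ListAllFiles is the correct version: a folder is complete only when the
// server stops sending a NextPageToken.
func ListAllFiles(api Lister, rootID string) ([]string, error) {
	return crawl(api, rootID, "", func(p Page) bool { return p.NextPageToken == "" })
}

// ListUntilShortPage is the bug the text warns about: a page shorter than
// pageSize is also taken as the last one, so a short page that still carries a
// token loses everything behind it, and nothing reports the loss.
func ListUntilShortPage(api Lister, rootID string, pageSize int) ([]string, error) {
	return crawl(api, rootID, "", func(p Page) bool {
		return p.NextPageToken == "" || len(p.Entries) < pageSize
	})
}

// FakeDrive is a constructed in-memory stand-in for the Drive API. It serves
// at most PageSize entries per call and, like the real service, sometimes
// fewer: every odd-numbered call returns one entry less than the page size.
type FakeDrive struct {
	Children map[string][]Entry
	PageSize int
	calls    int
}

func (d *FakeDrive) List(folderID, pageToken string) (Page, error) {
	d.calls++
	offset := 0
	if pageToken != "" {
		n, err := strconv.Atoi(pageToken)
		if err != nil || n < 0 {
			return Page{}, fmt.Errorf("bad page token %q", pageToken)
		}
		offset = n
	}
	all := d.Children[folderID]
	limit := d.PageSize
	if d.calls%2 == 1 && limit > 1 {
		limit-- // a deliberately short page
	}
	end := offset + limit
	if end > len(all) {
		end = len(all)
	}
	if offset > end {
		offset = end
	}
	page := Page{Entries: all[offset:end]}
	if end < len(all) {
		page.NextPageToken = strconv.Itoa(end)
	}
	return page, nil
}

// NewFakeDrive builds a small tree: eight files in total, four of them below
// root/books and one of those below root/books/poetry.
func NewFakeDrive(pageSize int) *FakeDrive {
	return &FakeDrive{PageSize: pageSize, Children: map[string][]Entry{
		"root": {{ID: "1", Name: "a.pdf"}, {ID: "2", Name: "b.pdf"},
			{ID: "f1", Name: "books", IsFolder: true}, {ID: "3", Name: "c.pdf"}, {ID: "4", Name: "d.pdf"}},
		"f1": {{ID: "5", Name: "bukowski1.pdf"}, {ID: "6", Name: "bukowski2.pdf"},
			{ID: "f2", Name: "poetry", IsFolder: true}, {ID: "7", Name: "x.pdf"}},
		"f2": {{ID: "8", Name: "poem.pdf"}},
	}}
}

func main() {
	all, _ := ListAllFiles(NewFakeDrive(3), "root")          // 8 files
	short, _ := ListUntilShortPage(NewFakeDrive(3), "root", 3) // 2 files, no error
	fmt.Printf("token loop:      %d files %v\n", len(all), all)
	fmt.Printf("short-page stop: %d files %v\n", len(short), short)
}
```

With a page size of three, the very first answer for the root folder is a short page of two entries that still carries a token; the buggy crawler stops there, never sees the books folder, and reports two files as if that were the whole archive.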
Info

[1] Google Cloud APIs: https://console.cloud.google.com/apis
[2] PCRE: https://en.wikipedia.org/wiki/Perl_Compatible_Regular_Expressions

Figure 10: These three build commands create the Go binary.
Listing 4 (SQLite access; only fragments survived extraction): Search() contains a branch for an empty pattern (if pattern == ""), and its output loop reads each row with panicOnErr(rows.Scan(&name)) and prints it with fmt.Printf("%s\n", name).
MakerSpace

Temperature and humidity sensor comparison

Remeasured

Any application that collects a large number of measurements is bound to have some anomalous measurements, but good sensor breakouts should not output such values all the time. We tested eight temperature and humidity sensors for accuracy. By Bernhard Bablok

The data sheets of common temperature and humidity sensors tend to brag about accuracies in the range of a tenth of a degree. A closer look at 21 specimens of eight different sensors shows which claims are true and which are just hot air from marketing.

It isn't complicated to wire up a sensor and read the values cyclically. If you've ever done so, you've probably had the feeling at some point that the numbers didn't add up. Deploying a second device only adds to the confusion, with deviations of up to two units, which quickly gives rise to suspicions that your sensor lacks quality or was just too cheap, leaving you to wonder whether mysteriously high measured values are the result of a poor product or of an incorrect data sheet.

I looked into both lines of thought and try to offer some recommendations. Up to four examples each of eight common sensor devices lined up to face the test (Figure 1). Most devices are from BerryBase or Pimoroni, and some of them have been around for quite a while. Table 1 shows an overview of the features, technical values, and prices.

Lead Image © Jian Fan, 123RF.com

Figure 1: Some of the test candidates have been in my tinkering collection for quite some time.

In addition to temperature, many of the sensors measure humidity, and the Bosch sensors can also measure air pressure. The BMP280 costs very little, which suggests that it may be a cheap clone. One exotic candidate on the list is the DS18B20: It does not have an I2C interface and does not come as a breakout, but as an integrated circuit (IC) in the TO-92 package otherwise used mainly for transistors. The connection uses the Dallas 1-Wire protocol.

In the lab, I tried to obtain as many examples of each product as possible, but this was tricky because of cost and time constraints. That said, I always sent at least two examples into the fray, with the exception of the most expensive sensor, the SHT45. Additionally, the products do not cover all application scenarios. If you want to build your own reflow soldering oven, for example, you need a sensor with a completely different temperature range. At the bottom of the temperature scale, the range of all candidates ends at -40°C at the latest.

Accuracy and Precision

The terms "accuracy" and "precision" appear in the data sheets – but not without a risk of confusion. Accuracy refers to the typical deviation from the true value. Precision is the amount by which repeat measurements of the same value vary. The values in the data sheets are difficult to compare because they typically use two expressions to define the "typical" and "maximum" accuracy.

The providers often give you additional graphics, but without additional information, these curves are incomplete and leave room for interpretation. Neither Figure 2 nor the HTU31D data sheet provides information on what percentage of all specimens falls within the "typical" or "maximum" curve. Figure 3 for the DS18B20, on the other hand, uses three-sigma values, so 99.73% of the sensors are within these limits [1]. Many vendors use the two-sigma limit (95.45%), which makes the sensor look better, so adopting a three-sigma limit is exemplary. On the other hand, the DS18B20 curve lacks tolerance values for borderline cases.

Additionally, numerous factors influence accuracy, such as the type of quality control, dependence on the supply voltage, age of the sensors, structure of the board (including additional components), and the soldering process.

Figure 2: The accuracy curve of the HTU31D does not reveal the percentage of all specimens that lie within the curves. © TE Connectivity Ltd. (data sheet HTU31D)

Figure 3: The accuracy curve of the DS18B20 includes three-sigma values, which makes it far more informative. © Maxim Integrated Products (data sheet DS18B20)
Sometimes you will find crucial information in footnotes. Bosch notes, for example, that the temperature readings of its sensors typically lie above the ambient temperature. After studying numerous data sheets, you begin to realize that you need to treat the accuracy values as a guide rather than as hard facts.

Measuring Setup

Theory aside, the sensors had to prove their value in various measurements. Assessing the absolute accuracy would have required a high-precision reference thermometer or a climate chamber with precisely adjustable temperature and humidity. With neither available, my test is by no means a scientific investigation. Instead, the measured values have to be evaluated against the average of all sensors. The idea behind this, known as "crowdsensing," is that the average of many independent measurements is more accurate than any single measurement.

I distributed the 21 sensors in the test across four I2C buses and one 1-Wire bus. Two Pi Picos with their two I2C buses each acted as data collectors. Controlled by a real-time clock (RTC), data acquisition took place almost simultaneously. The data ended up on microSD cards and was later merged. A data logger [2] provided the necessary tools. However, I had to create the readout routines for some sensors, which was quickly done thanks to online examples. Pandas [3] was used for the computations and Matplotlib [4] for the display.

The measurements took place indoors, away from heat sources or drafts. Additionally, I put the sensors in the refrigerator and in the oven. These phases can be clearly identified in the evaluation. As a side note: The oven was set to its lowest temperature of 50°C (122°F). However, as the graphs show, the oven thermostat turned off the heat too late, which caused some damage to the sensor brackets.

Results

The data and comparison graphs with the results could fill many pages. This article is therefore limited to a few interesting insights. The details can be found in the associated GitHub project [5].

In two words, the results can be described as "positively boring," which means the sensors in the measurement range of the test fulfill the promises made by their data sheets. If you look at the entire measurement period, it is difficult to tell the individual test specimens apart (Figure 4, AHT20). Zooming in makes the individual curves recognizable. Figure 5 shows that the measurement results of the four AHT20 sensors are within 0.5°C (0.9°F) of each other. The data sheet promises ±0.3°C (±0.5°F) per sensor, so that is OK.

Figure 4: The overall view of the AHT20 readings reveals that the individual sensors are difficult to distinguish.

Figure 5: A zoomed-in section for the AHT20 sensors reveals variations of 0.5°C.

A comparison of the mean values for all sensors proves to be interesting. In Figure 6, you can see that the AHT20 test specimens tended to underestimate the temperature. It would be unreliable to draw a general conclusion from these results because only four sensors were in the test.

When looking at the deviation from the mean, the most expensive sensor (SHT45) performed best, but the inexpensive DS18B20 also achieved similar precision values. Differences in humidity were somewhat greater, but even the poorest performers were no more than six percentage points off the average. Only the Bosch sensors measure the air pressure, and they do it very well, typically deviating from the official air pressure by only 1-2 hectopascals (hPa).

Recommendations and Conclusions

Your choice of sensor must be based on the measuring range and the required accuracy. The price is less important for home use. Going for an expensive model probably has less effect on the measurement results than the way you operate the sensor. If you want a second opinion, deploying a few of the affordable DS18B20 models is a good idea.

Be sure to isolate sensors from sources of interference. A sensor on a Pi HAT will always return incorrect data. Even a sensor connected to the Raspberry Pi by cable will be exposed to too much waste heat in the long run. The single-board computer is not a good basis for measurements, even if many suppliers offer complete solutions for this purpose.

Ideally, you would want the measuring computer to switch off between measuring intervals. If this is not an option, it is best at least to switch the sensor to sleep mode, because many sensors lose accuracy through self-heating if they are forced to run constantly in measurement mode. A closer look at the data sheets will help you in this regard. If in doubt, check the driver, because it sometimes sets a few well-meant settings during initialization that are less than perfect for the intended use case.

Operated correctly, all of the sensors tested are good for measuring temperature, humidity, and air pressure. The SHT45 is the measurement king of the hill, with the BME280 winning the prize for the best all-rounder (with some sacrifices in terms of accuracy). The DS18B20 offers the best price-performance ratio. If you use the BMx280, it is essential that you check the initialization in the driver. Arduino sets a good example with a number of selectable presets that follow the recommendations of the data sheet.

More informative results will be provided by a second measurement campaign planned for the winter with its far lower temperatures. You will find the results in the GitHub project [5].

Info

[1] Normal distribution: https://en.wikipedia.org/wiki/Normal_distribution
[2] Data loggers: https://github.com/bablokb/pcb-pico-datalogger
[3] Pandas: https://pandas.pydata.org
[4] Matplotlib: https://matplotlib.org
[5] Test results: https://github.com/bablokb/sensor-test

Author

Bernhard Bablok retired from Allianz Technology SE as an SAP HR developer. When he is not listening to music, riding his bike, or walking, he focuses on Linux, programming, and small computers. You can reach him at mail@bablokb.de.

Figure 6: Compared with the average of the other test candidates, the AHT20 models tend to return too low a temperature value.
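The evaluation method of the Measuring Setup section and Figure 6, as an added Go example rather than the author's pandas scripts from the GitHub project [5]: Coverage() reproduces the two- and three-sigma percentages from the Accuracy and Precision section, Deviations() compares each sensor with the centre of the other sensors' readings, and Anomalies() flags the kind of reading the standfirst talks about. The readings are constructed, and the Median centre and the floor parameter are my additions. With only four devices they show something the text does not: a single glitch in one sensor shifts the mean of the others enough to produce a spurious anomaly in every sensor, which a median centre avoids.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Sample holds the time-aligned readings of all sensors at one instant.
type Sample []float64

// Coverage is the share of a normal distribution inside +-k sigma; it
// reproduces the figures quoted in the text: 95.45% for k=2, 99.73% for k=3.
func Coverage(k float64) float64 { return math.Erf(k / math.Sqrt2) }

func Mean(x []float64) float64 {
	s := 0.0
	for _, v := range x {
		s += v
	}
	return s / float64(len(x))
}

func Median(x []float64) float64 {
	y := append([]float64(nil), x...)
	sort.Float64s(y)
	n := len(y)
	if n%2 == 1 {
		return y[n/2]
	}
	return (y[n/2-1] + y[n/2]) / 2
}

// StdDev is the population standard deviation.
func StdDev(x []float64) float64 {
	m := Mean(x)
	s := 0.0
	for _, v := range x {
		s += (v - m) * (v - m)
	}
	return math.Sqrt(s / float64(len(x)))
}

// Deviations returns dev[s][i]: how far sensor s is, at sample i, from the
// centre of the *other* sensors' readings. Leaving the sensor itself out is
// what "compared with the average of the other test candidates" means;
// centre is Mean (the article's choice) or Median.
func Deviations(samples []Sample, centre func([]float64) float64) [][]float64 {
	if len(samples) == 0 {
		return nil
	}
	ns := len(samples[0])
	dev := make([][]float64, ns)
	for s := 0; s < ns; s++ {
		dev[s] = make([]float64, len(samples))
		for i, smp := range samples {
			others := make([]float64, 0, ns-1)
			for j, v := range smp {
				if j != s {
					others = append(others, v)
				}
			}
			dev[s][i] = smp[s] - centre(others)
		}
	}
	return dev
}

// Anomalies lists the samples at which one sensor's deviation lies more than
// k standard deviations from that sensor's own mean deviation; floor (in the
// unit of the readings) keeps a near-constant series from flagging rounding
// noise. A sensible floor is the data sheet's accuracy figure.
func Anomalies(dev []float64, k, floor float64) []int {
	m, limit := Mean(dev), math.Max(k*StdDev(dev), floor)
	var idx []int
	for i, d := range dev {
		if math.Abs(d-m) > limit {
			idx = append(idx, i)
		}
	}
	return idx
}

// Readings are constructed, not measured: four devices, six samples in °C.
// Sensor 2 reads about 0.3°C low throughout; sensor 3 glitches at sample 4.
var Readings = []Sample{
	{21.0, 21.1, 20.7, 21.0},
	{21.1, 21.2, 20.8, 21.1},
	{21.2, 21.3, 20.9, 21.2},
	{21.1, 21.2, 20.8, 21.1},
	{21.0, 21.1, 20.7, 23.5},
	{21.1, 21.2, 20.8, 21.1},
}

func main() {
	fmt.Printf("2 sigma covers %.2f%%, 3 sigma covers %.2f%%\n", 100*Coverage(2), 100*Coverage(3))
	centres := []struct {
		name string
		f    func([]float64) float64
	}{{"mean", Mean}, {"median", Median}}
	for _, c := range centres {
		for s, d := range Deviations(Readings, c.f) {
			fmt.Printf("centre=%-6s sensor %d: mean deviation %+.2f°C, anomalies at %v\n",
				c.name, s, Mean(d), Anomalies(d, 2, 0.3))
		}
	}
}
```

With the mean as centre, sample 4 is flagged for all four sensors, because sensor 3's 23.5°C drags the "other sensors" average of each of the remaining three up by almost a degree; with the median, only sensor 3 is flagged, and sensor 2's steady 0.3°C offset survives as what it is, a bias rather than an anomaly.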
MakerSpace

Flight simulation on the Raspberry Pi

A Raspberry Pi 4B with Linux can solve the equations for a real-time nonlinear aircraft simulation, including the emulation of modern aircraft flight displays. By Dave Allerton

Flight simulators range from games to airline operations, and generally, you cannot (or you are not permitted to) modify the software. Often, the code is proprietary and not accessible, or the acquisition of the data used in the simulator is very costly, and the developers of these simulators are understandably protective of their software. However, for a class of simulator known as an engineering flight simulator (EFS) – used by aircraft manufacturers, avionics companies, research organizations, and universities to develop and evaluate aircraft designs and aircraft systems – it is essential to have access to the source code to modify the simulator for a range of studies.

Flight simulators have two important characteristics. First, the accuracy of the simulation (known as fidelity) should ensure that the performance and dynamics of the simulator closely match the aircraft it simulates. For many flight simulator games, the models are simplified, reducing the fidelity to a level unacceptable in engineering applications. Second, the software must respond in real time to inputs and solve all the underlying equations at a sufficient rate (known as the frame rate), so that the perceived motion is smooth and continuous, without any noticeable lag. If the computations in simulation software are complex, the frame rate may not be sustained, and delays (latency), which further reduce fidelity, become apparent. To ameliorate this situation, a high-performance computer with a state-of-the-art graphics card may be needed to achieve the required frame rate.

Having developed real-time software for flight simulators at the universities of Southampton, Cranfield, and Sheffield; Queen Mary University (London); and the University of Newcastle (Australia), I evaluated the capabilities of the Raspberry Pi (RPi) computer with Linux to provide an acceptable EFS. Details of the software for this EFS are described in a recent textbook [1].

Table 1: Module Functions

Computer – Function
I/O system – Data acquisition of analog and digital inputs from the flight controls and USB inputs
Flight model – Aerodynamic model, undercarriage model, equations of motion, flight control laws, primary flight display, and engine-indicating and crew-alerting system display
Engine model – Engine dynamics and sound generation
Navigation and avionics – Navigation equations, avionics, flight control unit, radio management panel, and navigation flight display
Instructor station – Session control and monitoring, user interface and display, charts, and flight data recording
Image generator – Image generation of the external view by OpenSceneGraph (3 channels)
Matlab – An optional interface that connects Matlab to the simulator

Lead Image © Oleksiy Tsupe, 123RF.com
The software referred to in this article is open source and can be downloaded from the Wiley Student Companion Site [2]. The existing simulator software, which was developed for PCs and mostly written in C, ran under Linux and, for compatibility with Linux, also ran under the MSYS2 programming environment on Windows. The software for the aircraft displays was originally written in legacy OpenGL but has been rewritten for OpenGL v4 on the RPi to exploit the power of the Broadcom graphics processing unit (GPU), increasing the rendering rate of the graphics for the displays by a factor of more than 10. The performance of the RPi has enabled the PCs to be replaced with off-the-shelf RPi computers.

A Distributed Architecture

By computing a simulation on n computers, the potential increase in performance is a factor of n compared with a single computer. However, this simplification is based on two assumptions: First, the problem can be partitioned to run efficiently on n computers; second, any overhead from managing communications between the computers is negligible. The architecture of most flight

Data is broadcast by the modules at the start of every frame as Ethernet packets using a token-passing protocol based on the User Datagram Protocol (UDP). A computer only broadcasts a packet when it holds the token and otherwise listens for incoming UDP packets. In fact, the token is simply the arrival of a broadcast packet from the preceding node in the chain of transfers. Typically, these transfers occupy less than 2ms of the 20ms frame (Figure 2).

The advantage of using UDP broadcasts is that the simulator data is transmitted in five packet transfers (2,388 bytes/frame). Additionally, Ethernet provides a 32-bit CRC in every frame to detect transmission errors. Although a UDP packet transfer has no acknowledgement, with a dedicated network and a relatively low level of traffic, the data error rate is negligible. Note that the CRC only catches accidental corruption; the protocol itself has no authentication, so "dedicated" has to mean a network segment with no other hosts on it.

OpenGL and GPUs

OpenGL has been used in 2D and 3D computer graphics applications since the 1990s. However, since version 3, OpenGL has been repurposed to exploit the power of the GPUs found on modern graphics cards. In particular, GPUs provide fast rendering of textured triangles. Besides the geometry (dots, lines, and triangles), shader programs must also be provided to define how objects are rendered (the vertex shader) and how the pixels are written to a frame store (the fragment shader).

To reduce the amount of detail in terms of GPU programming, a library, glib, was developed specifically to emulate aircraft displays; it includes functions for the rendering of vectors (lines) and triangles and for applying textures to triangles. Although OpenGL does not directly support the rendering of text, standard fonts can be organized as textures, known as a texture atlas, reducing text generation to the rendering of sub-textures of the atlas.

Whereas objects rendered one by one in legacy OpenGL considerably slowed the interface between the host processor and the graphics card, with OpenGL v4, objects can be written to a cache in the host computer and transferred to the GPU as a single block when the cache needs to be flushed. For aircraft displays, this caching of graphics reduces the computations in the host to a minimum, enabling the parallel processing of the GPUs to maximize the rendering speed. From a programmer's perspective, glib provides a
simulators is particularly suited to a In addition to the software for rendering small set of primitives to draw lines and
configuration of
parallel pro-
cesses. Figure 1
shows a typical
organization of
simulator mod-
ules, where the
functions of the
computers are
summarized in Figure 2: The second column shows the timing of UDP broadcast transfers (in seconds) of
Table 1. five RPi computers during one frame.
data produced during testing. From the graphics perspective, these requirements imply a user interface to control and monitor simulator sessions and the display of charts and flight data. The graphics library glib, developed for aircraft displays, is also used for the instructor operating station (IOS; Figure 5). In both displays, the lines for charts and plotting are rendered as vectors, and the navigation symbols are rendered from a texture atlas by glib functions. The IOS also captures data from the other simulator computers for the plotting and recording of flight data. In this case, raw 1KB blocks of data are written to memory every frame (3MB/min) and subsequently copied to disk. The attraction of this method is that the frame rate is unaffected, the data can also be viewed off-line by a similar set of plotting tools, and the packets can be retrieved from a disk file, providing inputs to the simulator software to replay any test or exercise.

Octave and Matlab
During development of an EFS, particularly for flight control laws, sometimes it is more convenient to develop algorithms with tools like Matlab or Octave, rather than coding directly in C. Because both Matlab and Octave are interpreted languages, care is needed to ensure that any latency introduced by these packages does not affect the simulator frame rate. Although the development of detailed real-time nonlinear flight models in Matlab may be impracticable, small modules, such as automatic flight control laws, can be developed and tested in Matlab, where a Matlab module acquires inputs from the simulator and generates outputs for the simulator flight controls.
A wrapper was developed with Matlab mex functions so Matlab could read flight data from broadcast packets and transmit a packet to the simulator. The network protocol was adapted to enable Matlab to connect to, and disconnect from, the network without affecting the integrity or speed of the network protocol. The template in Listing 1 allows a controller written in Matlab to be integrated with the simulator.

Flight Simulator on a Single RPi
Having developed real-time simulator software running on five RPi computers with three displays, a further development was to combine this software for a single RPi with a single monitor (1920x1080 resolution), where the PFD is rendered on the left-hand side of the display and either the NFD or the IOS is rendered on the right-hand side, as selected by the user. To maximize reuse of the simulator software, packet passing was emulated by copying the relevant regions of memory associated with each module. Although the parallelism could be retained by treating the modules as POSIX threads, it is simpler to execute the simulator code sequentially, cycling through the modules. The main concern with this approach is that the RPi is further loaded with computations of the simulation, particularly the additional graphics rendering, compared with the multiple-processor version.
Figure 6 shows the overall frame time for the single RPi version for 1,000 frames (20s) of simulation, where the display changes several times in response to instructor actions. The lower trace shows the graphics rendering time and occupies less than 6ms/frame. The upper trace shows the overall computing time and occupies less than 10ms/frame, leaving a margin of approximately 10ms. The large excursions occurred when the simulator files were loaded at the start of the simulation and when the aircraft position was reset after 140 frames.

Offline Simulation
Development of prototype software can take up a considerable amount of simulator time. In this situation, access to an off-line desktop simulator, with software that is identical to the flight simulator, can provide a valuable design asset. Consider the two configurations shown in Figure 7. Two significant points can be drawn from this example. First, the main modules are identical and can be interchanged between the flight simulator and the offline simulator, and vice versa, without modification. Second, there are no real-time deadlines with an offline simulator, which can run faster than real time (e.g., simulating several hours of flight in a few minutes, typically as part of automated testing).

Figure 7: An offline simulator: (a) The inputs are the pilot inputs to the flight controls, and the outputs are the flight displays and the visual system imagery; (b) the inputs are specified in a script file, and the outputs are files containing data and plotting information.

A typical output plot is shown in Figure 8. Listing 2 is the script file to run the simulation, which defines the initial conditions of the aircraft, the variables to be plotted, and the details of the plots. The autotrim command sets the aircraft in the trimmed state at the start of the exercise. The plots show the response of the aircraft to an elevator pulse input of -10° for 2s, applied after 2s. In addition to the output data, a further script is generated for gnuplot, so plots can be produced as PNG files.

Listing 2: Simulator Script
  set altitude 3000 ft
  set TAS 200 kts
  set flaps 0.0
  set gear 0.0
  plot pitch degs -5 20
  plot pitch_rate deg/s -10 10
  plot altitude ft 2500 3500
  plot elevator degs -20 20
  time 120 secs
  input elevator pulse 22 -10
  autotrim

Figure 8: Output for conditions defined in Listing 2.

Visualization
Although an image generator (IG) is normally used to render the external view seen from the flight deck, for an EFS, the IG can also be used to visualize data in real time. For example, in a study of wake vortex encounters, a dedicated computer was connected to the flight simulator network to compute the flows of a wake vortex, derived from detailed vortex data. Figure 9(a) shows the wake vortices shed by an aircraft, which were implemented as billboards in the visual scene. Figure 9(b) shows the air flows and aircraft loading during a wake
vortex encounter. This visualization illustrates the direction and magnitude of the air flows given by the white vectors; the loading on the wings and tail resulting from the encounter, which is color-coded; and the extremities of the vortex field shown as a red wireframe volume.
Figure 10(a) is generated by OpenSceneGraph on an RPi with an OpenFlight visual database of Bristol Lulsgate airport and achieves a frame rate of 69 frames/s (fps) for a display resolution of 1280x1024. Figure 10(b) shows a similar scene, which includes a head-up display (HUD) rendered in OpenGL as a 2D overlay on the visual scene.

Conclusions
The RPi4B with Linux is clearly capable of solving the equations for a real-time highly nonlinear simulation of a four-engine wide-body transport aircraft at 50fps, including the emulation of modern electronic flight instrument system (EFIS) displays. By providing the complete source code, the simulator modules and aircraft displays can be modified for a range of applications. With the addition of the acquisition, display, and recording of flight data during simulations, an EFS running on a single RPi can provide a particularly valuable test bed for the design and analysis of aircraft and aircraft systems. In a university, the EFS provides both a powerful facility for student projects and a totally programmable simulation environment for research in aircraft design and system validation.

Info
[1] Allerton, D. J. Flight Simulation Software: Design, Development and Testing. Wiley, 2022.
[2] Flight simulation software: https://www.wiley.com/go/flightsimulationsoftware

Author
Dave Allerton obtained a PhD from the University of Cambridge in 1977 and worked in the defense industry before spending 10 years at the University of Southampton as a lecturer in computing. He was the Professor of Avionics at Cranfield University before moving to the University of Sheffield as Professor of Computer Systems Engineering, where he is currently an Emeritus Professor. He is also a Visiting Professor at Cranfield University and at Queen Mary University of London. His research activities include flight simulation, computer graphics, and real-time computing. He is author of two textbooks, Principles of Flight Simulation (Wiley, 2009, ISBN 978-0-470-75436-8) and Flight Simulation Software: Design, Development and Testing (Wiley, 2022, ISBN 978-1-11973-767-4).
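Returning to the exercise script of Listing 2 in the Offline Simulation section: the following is an added example, not the simulator's own software, that parses a script in that form and writes the companion gnuplot script for PNG output. The command grammar is inferred from the listing, and the layout of the flight-data file (time in column 1, then the plotted variables in script order) is an assumption.

```python
"""Parser for exercise scripts in the form of Listing 2, plus the gnuplot
script that turns recorded flight data into PNG plots. Added example, not the
simulator's own code: the grammar is inferred from the listing and the data
file layout (time first, then plotted variables in script order) is assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class PlotSpec:
    variable: str  # e.g. "pitch"
    unit: str      # e.g. "degs"
    lo: float      # lower y-axis limit
    hi: float      # upper y-axis limit


@dataclass
class Exercise:
    initial: Dict[str, Tuple[float, str]] = field(default_factory=dict)
    plots: List[PlotSpec] = field(default_factory=list)
    inputs: List[Tuple[str, str, List[float]]] = field(default_factory=list)
    duration_s: Optional[float] = None
    autotrim: bool = False


def _num(token: str, lineno: int) -> float:
    try:
        return float(token)
    except ValueError:
        raise ValueError(f"line {lineno}: expected a number, got {token!r}") from None


def parse_script(text: str) -> Exercise:
    """Build an Exercise, rejecting malformed lines before any simulation runs."""
    ex = Exercise()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' comments are an assumption
        if not line:
            continue
        cmd, *args = line.split()
        if cmd == "set":  # set <variable> <value> [<unit>]
            if len(args) not in (2, 3):
                raise ValueError(f"line {lineno}: set needs variable, value, optional unit")
            ex.initial[args[0]] = (_num(args[1], lineno), args[2] if len(args) == 3 else "")
        elif cmd == "plot":  # plot <variable> <unit> <min> <max>
            if len(args) != 4:
                raise ValueError(f"line {lineno}: plot needs variable, unit, min, max")
            lo, hi = _num(args[2], lineno), _num(args[3], lineno)
            if lo >= hi:
                raise ValueError(f"line {lineno}: empty plot range {lo:g}..{hi:g}")
            ex.plots.append(PlotSpec(args[0], args[1], lo, hi))
        elif cmd == "time":  # time <seconds> secs
            if len(args) != 2 or args[1] != "secs":
                raise ValueError(f"line {lineno}: time needs '<seconds> secs'")
            ex.duration_s = _num(args[0], lineno)
        elif cmd == "input":  # input <variable> <kind> <numbers...>
            # Arguments are kept exactly as printed; the article describes this
            # line as a -10 degree elevator pulse lasting 2 s, applied after 2 s.
            if len(args) < 3:
                raise ValueError(f"line {lineno}: input needs variable, kind, arguments")
            ex.inputs.append((args[0], args[1], [_num(a, lineno) for a in args[2:]]))
        elif cmd == "autotrim":  # trim the aircraft before the run starts
            ex.autotrim = True
        else:
            raise ValueError(f"line {lineno}: unknown command {cmd!r}")
    if ex.duration_s is None:
        raise ValueError("script does not set the exercise time")
    return ex


def gnuplot_script(ex: Exercise, datafile: str = "flight.dat") -> str:
    """Emit one PNG per plot command, using the axis limits from the script."""
    out = ["set terminal png size 800,400",
           f"set xrange [0:{ex.duration_s:g}]",
           "set xlabel 'time (secs)'"]
    for column, p in enumerate(ex.plots, start=2):  # column 1 holds time
        out += [f"set output '{p.variable}.png'",
                f"set yrange [{p.lo:g}:{p.hi:g}]",
                f"set ylabel '{p.variable} ({p.unit})'",
                f"plot '{datafile}' using 1:{column} with lines title '{p.variable}'"]
    return "\n".join(out) + "\n"


# Constructed copy of the script printed in Listing 2.
LISTING_2 = """\
set altitude 3000 ft
set TAS 200 kts
set flaps 0.0
set gear 0.0
plot pitch degs -5 20
plot pitch_rate deg/s -10 10
plot altitude ft 2500 3500
plot elevator degs -20 20
time 120 secs
input elevator pulse 22 -10
autotrim
"""

if __name__ == "__main__":
    print(gnuplot_script(parse_script(LISTING_2)))
```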
The command line has a stark and austere beauty all its own, but many of us need a little more color and cheer. If you want the simplicity of the terminal without the taxing two-tone boredom, why not jazz it up a little with Oh My Posh? The Oh My Posh prompt theme engine lets you define a visual theme for your command-line environment, which perks up the view and also makes the details easier to read and understand. Also in this month’s Linux Voice, we dive down into System Monitoring Center and spell out some best practices for working with the SSH.

Doghouse – Choosing an OS 79
Jon “maddog” Hall
A few considerations can help you choose the right OS.

Oh My Posh 80
Thorsten Scherf
Adapt the terminal’s appearance and feature set with the Oh My Posh prompt theme engine.

System Monitoring Center 82
Erik Bärwaldt
The System Monitoring Center combines all the important information you need to monitor a computer in a single state-of-the-art interface.

FOSSPicks 86
Graham Morrison
This month Graham looks at Cardinal, Celestia 1.7.0, Friture, Wavetable, Helix Editor, Brogue CE, and more!

Tutorial – SSH Keys 92
Marcin Gastol
Verifying the security of your SSH configuration and performing regular audits are critical practices in maintaining a secure Linux environment.
MADDOG’S DOGHOUSE
A few considerations can help you choose the right OS.
BY JON “MADDOG” HALL

Jon “maddog” Hall is an author, educator, computer scientist, and free software pioneer who has been a passionate advocate for Linux since 1994 when he first met Linus Torvalds and facilitated the port of Linux to a 64-bit system. He

It is inevitable that at every conference, every talk, I get
next meeting. There is no guarantee that you will be so lucky,
Beautiful Colors
Adapt the terminal’s available feature set and appearance with the Oh My Posh prompt theme engine. BY THORSTEN SCHERF

No matter which shell you use in a termi-
the software can customize a variety of different

The call installs both the Oh My Posh tool and the available themes (Figure 1). On Linux, first download the software and then an archive with all the themes, which you then unpack (Listing 1).

Listing 1: Install Oh My Posh and Themes
  sudo wget https://github.com/JanDeDobbeleer/oh-my-posh/releases/latest/download/posh-linux-amd64 -O /usr/local/bin/oh-my-posh
  sudo chmod +x /usr/local/bin/oh-my-posh
  # Lines 04-09 of the printed listing did not survive extraction; the theme
  # download below is reconstructed from the Oh My Posh documentation.
  mkdir -p ~/.poshthemes
  wget https://github.com/JanDeDobbeleer/oh-my-posh/releases/latest/download/themes.zip -O ~/.poshthemes/themes.zip
  unzip ~/.poshthemes/themes.zip -d ~/.poshthemes
  chmod u+rw ~/.poshthemes/*.omp.*
  rm ~/.poshthemes/themes.zip

To activate the changes, either start a new shell or reload the modified configuration file with the source ~/.bashrc command. The procedure is similar if you use Zsh. Of course, in this case you need to pass in Zsh as the init argument. A complete overview showing you the configurations of all the shells supported by Oh My Posh is available in the documentation [6].

Figure 1: Even with the default theme, Oh My Posh already gives you an appealing prompt.

You can also call up the Oh My Posh tool interactively to define a whole bunch of configuration settings. For example, if you want to install a Nerd Font on your system, simply run:

  oh-my-posh font install

In the drop-down menu, select the font you want to download. However, you will need to handle the configuration manually in the terminal you are using later.

Selecting and Customizing Themes
To customize the prompt’s look, select a different theme as the first step. If you saved the design templates in the ~/.poshthemes/ directory, select the theme you want in the configuration file of the shell you are using when initializing the prompt engine:

  eval "$(oh-my-posh init bash --config ~/blue-owl.omp.json)"

After parsing the changes, the new theme is enabled. The design configuration is based on blocks where you define one or more segments. In the segments, you then need to provide the desired information. JSON is used for this by default. However, you can also choose to write the definition of the themes in YAML or TOML.
To customize a theme, you can create a copy of the associated file and make the desired modifications to the copy. Alternatively, you also have the option to call the Oh My Posh tool with the config export option to create a copy of the current theme:

whether you want the segments to appear on the left or right in the terminal or if you want to distribute them across a single line or multiple lines. You then determine the segment properties in the segments. In the simplest case, this is the color in which you want to display the segment.
The segments can be of different types; this means that you can define the logic to be used within a segment. For example, the Git type lets you display status information about a Git repository in a segment. You then use templates and type-specific options to precisely define the details of the segment’s appearance. The documentation lists all the available segment types and the configuration options available for them. You will also find an example of Git integration on the Oh My Posh site [7].

Conclusions
Working at the command line can become boring over time, at least visually. And prompts are not always very informative. Oh My Posh gives users a comprehensive prompt engine for a variety of platforms and shells. Themes help you achieve appealing results very quickly, and modifying the designs is a surprisingly simple experience.

Info
[1] Powerline: https://powerline.readthedocs.io/en/master/
[2] Oh My Zsh: https://ohmyz.sh
[3] Oh My Posh: https://ohmyposh.dev
[4] Nerd Fonts: https://www.nerdfonts.com
[5] Meslo LGM Nerd Font: https://github.com/ryanoasis/nerd-fonts/
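As an added illustration of the blocks-and-segments structure described under Selecting and Customizing Themes (this is not a theme from the article or from the Oh My Posh project), here is a minimal JSON theme: one block with a session, a path and a Git segment, and a second block that puts the prompt character on its own line. Property names follow the Oh My Posh configuration schema; the colors and templates are arbitrary choices.

```json
{
  "$schema": "https://raw.githubusercontent.com/JanDeDobbeleer/oh-my-posh/main/themes/schema.json",
  "version": 2,
  "final_space": true,
  "blocks": [
    {
      "type": "prompt",
      "alignment": "left",
      "segments": [
        {
          "type": "session",
          "style": "plain",
          "foreground": "#c678dd",
          "template": "{{ .UserName }}@{{ .HostName }} "
        },
        {
          "type": "path",
          "style": "plain",
          "foreground": "#61afef",
          "template": "{{ .Path }} ",
          "properties": { "style": "folder" }
        },
        {
          "type": "git",
          "style": "plain",
          "foreground": "#e5c07b",
          "template": "{{ .HEAD }}{{ if .Working.Changed }} *{{ end }} ",
          "properties": { "fetch_status": true }
        }
      ]
    },
    {
      "type": "prompt",
      "alignment": "left",
      "newline": true,
      "segments": [
        {
          "type": "text",
          "style": "plain",
          "foreground": "#98c379",
          "template": "$ "
        }
      ]
    }
  ]
}
```

Save it as, for example, ~/.poshthemes/mytheme.omp.json and point the --config argument of the eval line above at that file.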
BY ERIK BÄRWALDT

plications than any other operating system. But the individual tools typically only focus on specific components of a computer. For example, programs such as the Gnome disk utility or the KDE partition manager take care of the connected mass storage devices. The system monitor for the KDE Plasma desktop environment and the system monitoring tools for other desktop environments such as MATE or LXDE keep an eye on the CPU, RAM, and network throughput, but no more. Many of the tools integrated into the respective environments for monitoring individual components also look a little jaded.
Compared to them, System Monitoring Center [1], which is available as a Flatpak and can therefore be used independently of your choice of distribution, offers a comprehensive overview of all important system statuses. A DEB package with an older version of the 1.43.x branch is available for download from the project’s GitHub page [2].
To install the Flatpak you need the appropriate runtime environment on the system. You can set this up on most distributions using the built-in package manager. Then search for System Monitoring Center in KDE Plasma Discover, Gnome Software, or mintinstall and set it up by clicking Install. The routine also creates a starter in the desktop environment’s menu. Clicking on the starter opens the main application window (Figure 1). (For the graphical app stores Gnome Software and KDE Plasma Discover, there are plugins that let you integrate the Flatpak infrastructure. The Flatpak packages available on Flathub are displayed there after doing so.)

Figure 1: System Monitoring Center is visually up-to-date and functional.

Interface
The startup window first shows you an overview of the critical system data (i.e., the CPU and RAM utilization levels). The application displays this information on a dial gage in the central area of the window and continuously updates the values. To the right, you can see the mass storage device data transfer rates at the top and the network interface upload and download rates below them.
On the left side of the program window you will also find the CPU, Memory, Disk, Network, GPU, and Sensors categories. Clicking on one of the buttons displays a line diagram in the window panel to the right of it; the status values for the component in question appear here. In the CPU display, for example, the System Monitor breaks down the utilization of the individual processor cores separately, while the overview simply provides an overview for all CPU cores. You will also find more detailed data here, such as the CPU’s clock speed and the cache sizes (Figure 2).
The detailed display for the RAM shows both the utilization and the RAM size. In the storage area, you can see what volumes of data have already been transferred to or read from the medium. These values are particularly important for modern SSDs because they can be used to predict failures caused by a high number of write cycles. The software also lists the read and write speeds for the current partition. Here, too, values that deviate significantly from the norm can indicate impending doom.

Figure 2: When you call up the various categories, the software shows you detailed information about the components in question.

In the upper part of the program window, you will also find buttons that help you access information on the software and its versions. The process and service information, which you can access via Processes and Services, not only provides information about the names, PID numbers, status, and users of the respective processes, but also about their memory requirements. The Process view also shows you the read and write speeds (Figure 3).
System shows you useful information about the computer system, such as the vendor and architecture. In addition, data on the operating system such as the current kernel version, the desktop environment, and the number of installed packages appear here. The software lists Flatpaks separately.

Figure 3: The System Monitoring Center also provides detailed information about processes and services.

Settings
The titlebar has a pretty unusual design. It displays the current CPU and RAM load in small bar graphs on the left, while the network data and storage throughputs are shown as figures on the right.
There is a hamburger menu on the right side of the titlebar. It branches to a submenu where you can set up some basic features of the application in General Settings. They include the ability to change the display update intervals and define the startup settings and the language locale (Figure 4). By default, the language specified as the system default should be enabled. However, this did not work in our lab. Despite explicitly selecting a local language, the locale failed to activate even after restarting the program.
Management
To manage individual processes and services, right-click on the desired process or service. You can use the context menu to stop, restart, or even reload services. The Details entry in the context menu provides detailed information about the selected service. This is where you can find out, for example, which dependencies exist. Details in the context menu also gives you more detailed information for processes. Select this option to view the RAM usage, CPU usage, and hard disk space usage.
The application also outputs the file names and paths of the respective process. You will also see the files used by the process along with the names of the users who opened them. This means that, in case of problems, you can look forward to a precise overview of the process’s environment, which is a big help in troubleshooting. The System Monitoring Center displays the individual pieces of information grouped clearly in a tab structure (Figure 5).

Figure 4: This section lets users set the language locale, among other things. However, this did not work during testing.

Conclusions
System Monitoring Center combines all the critical details of your Linux system in a state-of-the-art and clear-cut interface. The application also lets you manage processes and services, making it possible to cleanly terminate hanging applications. The application’s only potential shortcoming is the lack of language support. Having said this, the interface is largely self-explanatory and the terms used here follow common standards – which lets users quickly find their way around, even if their preferred language happens to be missing.

Figure 5: The software provides detailed information on processes and services.

Info
[1] System Monitoring Center on Flathub: https://flathub.org/apps/io.github.hakandundar34coding.system-monitoring-center
[2] DEB package: https://github.com/hakandundar34coding/system-monitoring-center/releases
After four years of Kickstarter and component delays, Graham finally gets to build his dream Oberheim OB-X clone synthesizer. Don’t expect to see or hear from him for another six months, however. BY GRAHAM MORRISON

Modular synth rack
Cardinal
Physical Eurorack modules
library expanded into its own store where commercial and proprietary recreations could be offered alongside the community-developed one. VCV Rack then became
modules. But the base was still open source, and the ideal community solution was to create a fork that would reflect their values while also hopefully staying on friendly terms with the original project. Cardinal is that fork. It’s been over two years since then. Cardinal is now a

Space exploration
Celestia 1.7.0
Celestia is an old project, fit-
volume. More performance also

Audio analysis
Friture
Audio analysis software Friture contains five different

sbctl
Unless you’re a security
The problem is that accessing

Wavetable synth
Wavetable
There are lots of different
Despite originating in the

Code editor
Helix Editor
Even when we have a multi-
key. When this is pressed, Helix
Even from the terminal, Helix includes many built-in themes that can be dynamically tested from its command mode.
Project Website: https://helix-editor.com

Classic Roguelike
Brogue CE
From a developer’s per-
get themselves hooked on proce-

Arcade emulator
MAME 0.260
You already know MAME. MAME 0.260 is a particularly
Enhanced Security
Verifying the security of your SSH configuration and performing regular audits are critical practices in maintaining a secure Linux environment. BY MARCIN GASTOL

Secure Shell, better known as SSH, has become an indispensable tool in the toolkit of any IT professional, especially in the Linux world. At its core, SSH is a protocol that allows for encrypted communications between two systems. While its applications are diverse, ranging from remote command execution to secure file transfers, its primary value lies in its ability to secure data in transit, protecting it from eavesdropping and potential breaches.
In the realm of Linux, where open source reigns supreme, SSH stands tall as the de facto method for remote access. Whether you’re administering a cloud-based Linux server or performing routine maintenance tasks, SSH is the bridge that connects you securely to that system. But as with any powerful tool, its potential can be a double-edged sword. Misconfigurations, weak key management, and lax security practices can turn SSH into a potential vulnerability – which underscores the need for rigorous best practices.

Understanding SSH in Linux
Originating in the late ‘90s as a response to the insecure Telnet, SSH was created as a cryptographic network protocol that emphasized security. In a Linux environment, the operational mechanism of SSH can be divided into two main components: the client (ssh) and the server (sshd).
When a client wishes to establish a connection, it begins by sending a request to the server. Upon receiving this request, the server presents its public key to the client. If this is the first time the client is connecting to the server, it prompts the user to verify the authenticity of the key. Once verified, the client generates a random session key, encrypts it using the server’s public key, and sends it back. The server, using its private key, decrypts the session key. Both entities now possess a shared secret (the session key) without it ever being transmitted in the clear. This process, known as asymmetric encryption, forms the bedrock of SSH’s security mechanism.
Beyond the encryption scheme, SSH in Linux offers versatility. Using the protocol, professionals can run commands remotely (ssh user@hostname), set up tunneling to encrypt other applications’ data, securely transfer files with SCP or SFTP, and even mount remote directories with SSHFS.

Why SSH Is Crucial for Linux Systems
In today’s cybersecurity landscape, the importance of securing communications cannot be overstated. With threats ranging from man-in-the-middle attacks to advanced persistent threats, the need for a robust, secure method of accessing and administering systems remotely is paramount.
SSH fills this need perfectly for several reasons:
• Everything transmitted over an SSH session, whether command outputs, configuration details, or sensitive files, is encrypted. This means that even if the data is intercepted, deciphering the actual content without the encryption key is next to impossible.
• SSH doesn’t just rely on passwords. With key-based authentication, users can set up a private-public key pair, offering an authentication method that’s considerably harder to breach than traditional passwords.
• Beyond just a secure shell, SSH offers port forwarding, tunneling, and a suite of utilities such as SCP and SFTP, making it a Swiss Army knife for IT professionals.
• While native to Unix-based systems, SSH clients and servers exist for a multitude of platforms, reinforcing its position as a universal remote access tool.
In the context of Linux, with its diverse array of distributions, server setups, and use cases, SSH offers a unified method of secure access and administration. Because it is the backbone of remote Linux administration, understanding and securing SSH is not just advisable, it’s imperative.

Key Management Best Practices
Proper key management is at the heart of SSH security. Adopting stringent practices can significantly reduce the chances of unauthorized access. The following are some of those practices and the code to implement them.

Generating Strong SSH Keys
RSA with at least 4,096 bits provides a formidable level of encryption, ensuring that brute-force attacks become computationally unfeasible. For pro-

mise the entire system it’s associated with. Set-

Limiting Allowed Ciphers and Key Exchange Algorithms
Not all encryption methods are created equal. As the digital landscape evolves, some older ciphers become vulnerable. It’s vital to keep abreast of and use only the most secure and updated ciphers, such as:

  ciphers aes256-gcm@openssh.com,chacha20-

  AllowGroups sshgroup
  ChrootDirectory /home/restricted_user

Using SSH Jump Hosts
In high-security environments, it’s common to use an SSH jump host (also known as a bastion host). This setup allows SSH access only through the jump host, acting as a single point of entry and exit. It isolates the internal network and provides a buffer against direct external attacks. By consolidating access through a jump host, auditing and monitoring become centralized and more manageable. To do this, use:

The Author
Marcin Gastol is a Senior DevOps Engineer and Microsoft Certified Trainer with extensive experience in Azure technologies and teaching various IT subjects. Marcin hosts a blog covering multiple IT areas at https://marcingastol.com/.
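The article's thesis is regular auditing of the SSH configuration, so here is an added example (not the author's code) that checks an sshd_config for the settings discussed in the cipher and access-restriction section above: an explicit Ciphers allowlist, an explicit KexAlgorithms list, an AllowGroups or AllowUsers restriction, and ChrootDirectory confined to a Match block. The allowlist completes the page's truncated cipher list with chacha20-poly1305@openssh.com, which is an assumption, and the sample configurations are constructed.

```python
"""Audit an sshd_config against the hardening settings discussed above:
an explicit Ciphers list, an explicit KexAlgorithms list, an AllowGroups
restriction, and ChrootDirectory confined to a Match block.
Added example, not the article's own code."""
from typing import Dict, List, Tuple

# Assumption: the article's cipher list is cut off after "chacha20-"; the full
# OpenSSH name of that cipher is chacha20-poly1305@openssh.com.
ALLOWED_CIPHERS = {"aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"}

Entry = Tuple[str, str, str]  # (Match scope or "" for global, keyword, value)


def parse_sshd_config(text: str) -> List[Entry]:
    """Flatten the file into (scope, keyword, value) triples; keywords are
    lowercased because sshd matches them case-insensitively."""
    entries: List[Entry] = []
    scope = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            scope = value  # every line below belongs to this Match block
            continue
        entries.append((scope, keyword, value))
    return entries


def audit(text: str) -> List[str]:
    """Return the findings for one configuration; an empty list means clean."""
    findings: List[str] = []
    entries = parse_sshd_config(text)
    global_conf: Dict[str, str] = {}
    for scope, keyword, value in entries:
        if scope == "":
            global_conf.setdefault(keyword, value)  # sshd keeps the first value
    ciphers = global_conf.get("ciphers")
    if ciphers is None:
        findings.append("Ciphers not set: the sshd default cipher list applies")
    else:
        if ciphers[:1] in ("+", "-", "^"):
            findings.append("Ciphers uses a +/-/^ prefix and only edits the default list")
        weak = [c for c in ciphers.lstrip("+-^").split(",") if c not in ALLOWED_CIPHERS]
        if weak:
            findings.append("Ciphers allows " + ", ".join(weak))
    if "kexalgorithms" not in global_conf:
        findings.append("KexAlgorithms not set: the sshd default list applies")
    if not any(k in global_conf for k in ("allowgroups", "allowusers")):
        findings.append("no AllowGroups/AllowUsers restriction on who may log in")
    for scope, keyword, value in entries:
        if keyword == "chrootdirectory" and scope == "":
            findings.append(f"ChrootDirectory {value} is global, not in a Match block")
    return findings


# Constructed sample: a permissive configuration.
WEAK_CONFIG = """\
Port 22
Ciphers aes256-gcm@openssh.com,aes128-cbc
PasswordAuthentication yes
"""

# Constructed sample: the settings from the article applied. curve25519-sha256
# is a real OpenSSH key exchange name; the article does not print its own list.
HARDENED_CONFIG = """\
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
KexAlgorithms curve25519-sha256
AllowGroups sshgroup
Match User restricted_user
    ChrootDirectory /home/restricted_user
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

Run it against /etc/ssh/sshd_config (or the output of sshd -T, which prints the effective settings) as part of a scheduled audit; any non-empty result is a deviation from the baseline.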
LINUX NEWSSTAND
Order online: https://bit.ly/Linux-Magazine-catalog
Linux Magazine is your guide to the world of Linux. Monthly issues are packed with advanced technical
articles and tutorials you won't find anywhere else. Explore our full catalog of back issues for specific
topics or to complete your collection.
#278/January 2024
Scientific Computing
A crypto mining rig is built for math. Can an old rig find a second life solving science problems?
That all depends on the problem. Also this month, we explore a few popular data analysis
techniques and stir up some analysis of our own with the R programming language.
On the DVD: Kubuntu 23.10 and Fedora 39
#277/December 2023
Low-Code Tools
Experienced programmers are hard to find. Wouldn’t it be nice if subject matter experts and
occasional coders could create their own applications? The low-code revolution is all about
lowering the bar for programming knowledge. This month we show you some tools that let
you assemble an application using easy graphical building blocks.
On the DVD: MX Linux MX-23_x64 and Kali Linux 2023.3
#276/November 2023
ChatGPT on Linux
Everybody’s talking about ChatGPT, and ChatGPT is talking about everything. Sure you can
access the glib and versatile AI chatbot from a web interface, but think of the possibilities if
you tune in from the Linux command line.
On the DVD: Rocky Linux 9.2 and Debian 12.1
#275/October 2023
Think like an Intruder
The worst case scenario is when the attackers know more than you do about your network. If you
want to stay safe, learn the ways of the enemy. This month we give you a glimpse into the mind of
the attacker, with a close look at privilege escalation, reverse shells, and other intrusion techniques.
On the DVD: AlmaLinux 8.2 and blendOS
#274/September 2023
The Best of Small Distros
Nowadays, all the attention is on big, enterprise distributions supported by professional
developers at big, enterprise corporations, but small distros are still a thing. If you’re shopping
for a Linux to run on old hardware, if you just want a simpler system that is more responsive
and less cluttered, or if you’re looking for a special Linux tailored for a special purpose, you’re
sure to find inspiration in our look at small and specialty Linux systems.
On the DVD: 10 Small Distro ISOs and 4 Small Distro Virtual Appliances
#273/August 2023
Podcasting
On the Internet, you don’t have to wait for permission to speak to the world. Podcasting lets you
connect with your audience no matter where they are. Whether you're in it to build community,
raise awareness about your skills, or just have some fun, the tools of the Linux environment
make it easy to take your first steps.
On the DVD: Linux Mint 21.1 Cinnamon and openSUSE Leap 15.5
FEATURED EVENTS
Users, developers, and vendors meet at Linux events around the world.
We at Linux Magazine are proud to sponsor the Featured Events shown here.
For other events near you, check our extensive events calendar online at
https://www.linux-magazine.com/events.
If you know of another Linux event you would like us to add to our calendar,
please send a message with all the details to info@linux-magazine.com.
Events
FOSDEM Feb 3-4 Brussels, Belgium https://fosdem.org/
IEEE Serious Open Source 2024 Feb 20-21 Mountain View, California https://events.bizzabo.com/549239
Open Source Summit North America Apr 16-18 Seattle, Washington https://events.linuxfoundation.org
Contact Info
Editor in Chief: Joe Casad, jcasad@linux-magazine.com
Copy Editors: Amy Pettle, Aubrey Vaughn
News Editors: Jack Wallen, Amber Ankerholz
Editor Emerita Nomadica: Rita L Sooby
Managing Editor: Lori White
Localization & Translation: Ian Travis
Layout: Dena Friesen, Lori White
Cover Design: Lori White
Cover Image: © Akaratee Nithipanmangkorn, 123RF.com and lexey111, Fotolia.com
Advertising: Brian Osborn, bosborn@linuxnewmedia.com, phone +49 8093 7679420
Marketing Communications: Gwen Clark, gclark@linuxnewmedia.com
Linux New Media USA, LLC, 4840 Bob Billings Parkway, Ste 104, Lawrence, KS 66049 USA
Publisher: Brian Osborn
Customer Service / Subscription
For USA and Canada: Email: cs@linuxnewmedia.com, Phone: 1-866-247-2802 (Toll Free from the US and Canada)
For all other countries: Email: subs@linux-magazine.com
www.linux-magazine.com
While every care has been taken in the content of the magazine, the publishers cannot be held responsible for the accuracy of the information contained within it or any consequences arising from the use of it. The use of the disc provided with the magazine or any material provided on it is at your own risk.
Copyright and Trademarks © 2024 Linux New Media USA, LLC. No material may be reproduced in any form whatsoever in whole or in part without the written permission of the publishers. It is assumed that all correspondence sent, for example, letters, email, faxes, photographs, articles, drawings, are supplied for publication or license to third parties on a non-exclusive worldwide basis by Linux New Media USA, LLC, unless otherwise stated in writing.
Linux is a trademark of Linus Torvalds. All brand or product names are trademarks of their respective owners. Contact us if we haven’t credited your copyright; we will always correct any oversight.
Printed in Nuremberg, Germany by Kolibri Druck.
Distributed by Seymour Distribution Ltd, United Kingdom
Represented in Europe and other territories by: Sparkhaus Media GmbH, Bialasstr. 1a, 85625 Glonn, Germany.
Linux Magazine (Print ISSN: 1471-5678, Online ISSN: 2833-3950, USPS No: 347-942) is published monthly by Linux New Media USA, LLC, and distributed in the USA by Asendia USA, 701 Ashland Ave, Folcroft PA. Application to Mail at Periodicals Postage Prices is pending at Philadelphia, PA and additional mailing offices. POSTMASTER: send address changes to Linux Magazine, 4840 Bob Billings Parkway, Ste 104, Lawrence, KS 66049, USA.

WRITE FOR US
Linux Magazine is looking for authors to write articles on Linux and the tools of the Linux environment. We like articles on useful solutions that solve practical problems. The topic could be a desktop tool, a command-line utility, a network monitoring application, a homegrown script, or anything else with the potential to save a Linux user trouble and time. Our goal is to tell our readers stories they haven’t already heard, so we’re especially interested in original fixes and hacks, new tools, and useful applications that our readers might not know about. We also love articles on advanced uses for tools our readers do know about – stories that take a traditional application and put it to work in a novel or creative way.
We are currently seeking articles on the following topics for upcoming cover themes:
• Open hardware
• Linux boot tricks
• Best browser extensions
Let us know if you have ideas for articles on these themes, but keep in mind that our interests extend through the full range of Linux technical topics, including:
• Security
• Advanced Linux tuning and configuration
• Internet of Things
• Networking
• Scripting
• Artificial intelligence
• Open protocols and open standards
If you have a worthy topic that isn’t on this list, try us out – we might be interested!
Please don’t send us articles about products made by a company you work for, unless it is an open source tool that is freely available to everyone. Don’t send us webzine-style “Top 10 Tips” articles or other superficial treatments that leave all the work to the reader. We like complete solutions, with examples and lots of details. Go deep, not wide.
Describe your idea in 1-2 paragraphs and send it to: edit@linux-magazine.com. Please indicate in the subject line that your message is an article proposal.

Authors
Dave Allerton 70
Bernhard Bablok 66
Erik Bärwaldt 26, 82
Chris Binnie 38
Zack Brown 12
Bruce Byfield 6, 22, 32, 44
Joe Casad 3
Mark Crutch 77
Marcin Gastol 92
Jon “maddog” Hall 79
Daniel LaSalle 48
Vincent Mealing 77
Graham Morrison 86
Thorsten Scherf 80
Mike Schilli 58
Markus Stubbig 16
Jack Wallen 8
Matthias Wübbeling 36, 54
Plasma 6
A major release of KDE’s Plasma desktop
arrives with many new tools and some lasting
innovations. We’ll fill you in on the changes
coming to KDE’s innovative interface.
Preview Newsletter
The Linux Magazine Preview is a monthly email
newsletter that gives you a sneak peek at the next
issue, including links to articles posted online.
Sign up at: https://bit.ly/Linux-Update