Category Archives: Linux

Linux Foundation’s Secure Boot Pre-Bootloader Released

The Linux Foundation’s UEFI Secure Boot pre-bootloader for independent Linux distros and software developers has finally been released. Announcing the release of the secure boot system James Bottomley noted that the signed pre-bootloader was delivered by Microsoft on February 6th. Bottomley has released two validated files PreLoader.efi and HashTool.efi.

Bottomley has also created a bootable mini-USB image that provides “an EFI shell where the kernel should be and uses Gummiboot to boot.” Just last week the pre-bootloader had to be rewritten to accommodate booting of all versions of Linux.

Moving the Linux Kernel Console To User-Space

David Herrmann has provided an update on his ambitious initiative to kill of the Linux kernel console. Herrmann has long been working on making the Linux kernel CONFIG_VT option unnecessary for providing a Linux console by punting it off to user-space. The Linux kernel VT console hasn’t been changed much in the past two decades and Herrmann is hoping to see it replaced with a user-space solution he’s been developing that would allow for multi-seat support, a hardware-accelerated console, full internalization, and other features.

CONFIG_VT has been part of the Linux kernel going back to the early 90’s but hasn’t really advanced much in that time. David Herrmann, a developer that got going on this new initiative as a student part of Google Summer of Code, wants a new solution that’s built with multi-seat and multiple monitors in mind, incorporates Unicode font rendering, XKB-like keyboard handling, graphics hardware acceleration, VT220-VT510 compatibility, and other features.

Among his principal complaints about the current terminal is that it’s a user-interface in kernel-space, the code is poorly maintained, handles keyboards badly, produces bad font rendering, misses out on mode-setting and multi-head support, contains no multi-seat awareness, and only has limited hot-plugging handling, limited to VT102 compliance.

More on Phoronix

Fragmentation Leads To Android Insecurities

Vendor fragmentation leads to security vulnerabilities and other exploits. This situation is ‘…making the world’s most popular mobile operating system more vulnerable than its rivals to hackers, scam artists and a growing universe of malicious software’ unlike Apple’s iOS which they note has widely available updates several times a year. In light of many companies’ Bring Your Own Device initiatives ‘You have potentially millions of Androids making their way into the work space, accessing confidential documents,’ said Christopher Soghoian, a former Federal Trade Commission technology expert who now works for the American Civil Liberties Union. ‘It’s like a really dry forest, and it’s just waiting for a match.’

In late October, researchers at North Carolina State University alerted Google to a security flaw that could let scam artists send phony text messages to Android phones — a practice called “smishing” that can ensnare consumers in fraud.

Google’s security officials replied in minutes, confirming the flaw and promising to correct it. Within days they had incorporated a fix into the latest version of the Android operating system, Jelly Bean 4.2, and made available a security update for earlier versions.

But for most Android phones, the fix never arrived. For many, it never will.

That is because it is not clear which company — Google, the smartphone maker or the wireless carrier that sells it — bears ultimate responsibility for the costly process of getting security updates to an Android device. Fixes to known security flaws can take many months to reach individual smartphones, if they arrive at all.

The problem, security experts say, has contributed to making the world’s most popular mobile operating system more vulnerable than its rivals to hackers, scam artists and a growing universe of malicious software.

Breaches remain more common on traditional computers than on smartphones, which have been engineered to include security features not found on desktop or laptop machines, experts say.

But outdated software can undermine such protections. If there was a major outbreak of malicious software, the fractured nature of the system for delivering updates could dramatically slow efforts to protect information carried on Android phones — including documents, passwords, contact lists, pictures, videos, location data and credit card numbers.

The risks are particularly serious for businesses and government agencies, whose increasingly popular bring-your-own-device policies have created new potential portals for espionage aimed at secure computer systems.

“You have potentially millions of Androids making their way into the work space, accessing confidential documents,” said Christopher Soghoian, a former Federal Trade Commission technology expert who now works for the American Civil Liberties Union. “It’s like a really dry forest, and it’s just waiting for a match.”

Google engineers designed Android to resist hackers and have continually improved it. The company also has worked to purge malicious software from its app store, Google Play, minimizing the risk from one possible route of infection.

“We’ve built the system from Day One to deal with this kind of world,” said Hiroshi Lockheimer, vice president of Android engineering. “The health of the Android ecosystem is really important to us.”

Yet while each new generation of Android delivers improvements that close off newly discovered avenues of attack, the company has struggled to get updated software to smartphones already in the hands of consumers.

‘Fragmentation’ leaves Android phones vulnerable to hackers, scammers