
This Week in Open Source: ‘Big 4’ Accounting Firms Experiment With Blockchain, Oracle Releases 3 OSS Tools & More

This week in Linux and open source, the ‘Big 4’ accounting firms are becoming power players in blockchain, Oracle expands open source container efforts, and more in this weekly digest!

1) The four largest accounting firms in the world are active members of the blockchain revolution, including Deloitte, which joined the Hyperledger Project.

‘Big 4’ Accounting Firms Are Experimenting With Blockchain And Bitcoin– Nasdaq

2) Oracle to expand container efforts with three new open-source utilities to help improve container security.

Oracle Debuts Three New Open-Source Container Tools– eWeek

3) Hyperledger’s Indy “is all about giving identity owners independent control of their personal data and relationships,” explains Doc Searls in his op-ed about the availability of Linux for all users.

Linux for Everyone–All 7.5 Billion of Us– LinuxJournal

4) In terms of commits, “probably, it’s the second biggest kernel release.”

Linux Kernel 4.12 Released — These Are The 5 Biggest Features– Fossbytes

5) WatchGuard CTO Corey Nachreiner explains that Linux attacks and malware are on the rise.

IoT Fuels Growth of Linux Malware– IoTInside

Simplify the Linux Command Line with Fish Shell

The Linux command line is a tool that every system administrator should get to know. With the power of commands at your fingertips, there’s very little you cannot do. However, along with that power comes the need to remember those commands. When you take into consideration how complicated those commands can get, it’s understandable that some admins have trouble recalling what they have done or need to do at the Bash prompt.

You may have to issue the command:

iptables -A OUTPUT -o eth0 -p tcp -m multiport \
  --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

Or, maybe you recently secure shelled into a server, but don’t recall the IP address off hand.
What do you do? Most Linux admins would immediately tell you to look to your Bash history; and that would be sage advice. By typing the command history, you are presented with the last X commands you have run on the system. The X is determined within the ~/.bashrc file, in the line:

HISTSIZE=1000

The history command is, in fact, a great way to see what commands you’ve issued. You can comb through that, find the command you need, copy it, and then paste it back into the prompt. Or, you can, at the command prompt, simply start tapping the up arrow on your keyboard until you land on the command you need.

What if I told you there was a much, much, much easier way? There is, and it’s called fish. Fish is a friendly, interactive shell that can be installed on your Linux machine and features:

  • Autosuggestions

  • Scriptability

  • Man page completions

  • VGA color

  • Web-based configuration

  • Ease of use

I’m going to walk you through the installation and usage of the fish shell; once you’ve started using this handy tool, chances are you’ll never go back to the standard old Linux shell again.

Installation

Fish can be installed on Ubuntu, Debian, Fedora, RHEL, openSUSE, CentOS, Arch Linux, Gentoo Linux, and even macOS and Windows. I will be demonstrating the installation on Elementary OS, so the installation for your distribution will vary (you can get instructions for all the supported platforms from the fish main page). The installation for Elementary OS (as well as most Debian-based systems) is as follows:

  1. Open up a terminal window

  2. Add the necessary repository with the command sudo apt-add-repository ppa:fish-shell/release-2

  3. Update apt with the command sudo apt-get update

  4. Install fish with the command sudo apt-get install fish

That’s it; fish is now installed and ready to serve.

First steps

You’re at the Bash prompt, with fish installed, and you have no idea how to make use of it. That’s because you’re still in your bash prompt. To make use of fish, you have to enter the fish prompt. How do you do that? Type the command fish and you will see your prompt change (Figure 1).

Figure 1: Your change may be dramatic or subtle, depending on how you have your Bash prompt configured.

At this point, you’re ready to start using fish. The best way to do this is to start typing a command. You will see that fish does a great job of completing the command, based on your history. For example, if I start typing ssh, fish will complete the command with the most recent matching entry from bash history (Figure 2).

Figure 2: Fish makes great use of the Bash history.

If that’s the command you’re looking for, hit the right arrow key to accept and then hit Enter. The one caveat to fish is that, once it makes a suggestion, you cannot scroll through the history of similar commands (which would be a nice feature).

One really cool thing you can do with fish is get suggestions for commands, based on what you type. Say, for instance, there’s an ssh tool you want to use, but you can’t remember the name of the command (but you know it starts with “ssh”). Type ssh and then hit the tab key. Fish will present to you suggestions, one of which might be the command you are looking for (Figure 3).

Figure 3: Fish command suggestions.

There are so many things you can do with fish. To learn them all, your best bet is to walk through the official fish tutorial (which offers up plenty of examples that will empower your fish experience).

Once you’re done with the fish prompt, you can return to bash by typing exit.

Configuring fish

One task you should definitely undertake is the configuration. Out of the box, fish is an incredibly powerful and handy tool to use. However, fish offers plenty of customizations that can be tweaked with the web-based configuration tool. To get to the web interface, enter the fish shell and then type fish_config. Hit Enter on your keyboard and your default browser will open to the fish configuration page (Figure 4).

Figure 4: The fish web-based configuration tool.

I highly recommend altering your fish prompt so that the differences between it and the standard prompt aren’t so subtle. To do this, click on the prompt tab, scroll down until you find a style that suits you, select that prompt, and then click the Set Prompt button (Figure 5).

Figure 5: Differentiating your fish prompt from your Bash prompt.

Once you’ve made the changes, close the browser window (or tab), go back to your terminal window, and hit Enter. The new prompt configuration will be set and you’re ready to go.

There are quite a lot of other options to be configured within the web-based tool. From here you can also set up abbreviations (aliases) for commands. This can also be done from the fish prompt, but using the web-based interface makes it a bit easier. Say, you regularly ssh to a particular server with the command:

ssh -v olivia@192.168.1.101

With abbreviations, you could shorten that to, say, ssho. With this in place, you would only need to type ssho (within the fish shell), hit Enter, and the full command will run. To create an abbreviation, run the fish_config command (from the fish prompt), go to the abbreviations tab in the web-based tool, and then type your abbreviation in the left text area and the full command in the right text area (Figure 6). Hit the Save button and your abbreviation is ready.

Figure 6: Adding a command abbreviation for even more fish efficiency.

Make sure you close the browser window (or tab) and then hit Enter (on your keyboard) back at the fish prompt.

Keep learning

To get the most out of fish, it would behoove you to read through the official fish documentation (just type help at the fish prompt and hit Enter). You’ll be pleasantly surprised at how much this shell can do for you.

Mark my word, the fish prompt will very quickly become a must-have tool to aid you in your daily Linux administrative tasks.

Learn more about Linux through the free “Introduction to Linux” course from The Linux Foundation and edX.

Linux Malware on the Rise: A Look at Recent Threats

Over the past few years, anecdotal evidence has suggested that security threats to Linux devices are on the rise. Last fall’s Mirai botnet attacks, which turned thousands of Linux devices into a zombie army used to attack infrastructure via Distributed Denial of Service (DDoS), were particularly effective in waking up the Linux community.

Now, we’re seeing quantitative statistics to support the Linux malware trend. On the heels of a WikiLeaks release detailing the CIA’s OutlawCountry and Gyrfalcon hacking tools aimed at Linux, both AV-Test and WatchGuard have released reports claiming that Linux computers are among the fastest growing targets of malware over the past year and a half.  

According to AV-Test, MacOS computers saw the largest increase in malware targeting in 2016 with a 370 percent increase, but Linux was close behind with a 300 percent rise from the previous year — triple the number in 2015. WatchGuard’s Internet Security Report, which instead focuses on Q1 2017, claims that Linux malware made up more than 36 percent of the top threats.

A decade ago, Linux was obscure outside the server world, but Tux lovers could at least console themselves with the security of their beloved OS compared to Windows. This helped reinforce the generally true, but somewhat counterintuitive, claim that by inviting anyone to bug check the code, you could build a more secure platform than with a proprietary OS.

A worthy target

The first crack in the Linux armor came in the Android world where many apps revealed themselves to be pestilent. It wasn’t just the app platform — and Android fragmentation — that fueled the increase, however, but Android’s popularity. In recent years, as more and more Linux-based routers, home automation gizmos, and other devices entered the relatively unprotected home scene, hackers have increasingly found Linux to be a worthy target.

The problem is not that Linux is unsafe compared to other platforms. The Linux kernel and other components are regularly updated to meet the latest threats, which are more easily identified thanks to the greater participation afforded by open source. Developers are continually improving system update and integrity protection mechanisms, and protecting against other emerging security threats.

Although more remains to be done, the main issue is that vendors release routers, consumer electronics, and IoT gear with outdated Linux kernels and either no or limited security protections on top of the Linux stack. IoT vendors rarely offer kernel updates, and if they do, there’s usually no over-the-air (OTA) mechanism. The user must be sufficiently motivated to find out about the update, and then download and install it. In addition, consumers tend to leave their devices unprotected by passwords or else use easily hacked passwords.

CIA’s OutlawCountry and Gyrfalcon exposed

The CIA’s OutlawCountry exploit, which was exposed in a Vault7 release by WikiLeaks on June 30, focuses on Red Hat Embedded Linux (RHEL) and the RHEL-based CentOS in their 6.x versions, which primarily run on servers. On July 6, WikiLeaks added a report detailing the CIA’s Gyrfalcon implant, which targets OpenSSH clients on a wider variety of Linux platforms.

As described in a ZDNet story on OutlawCountry, the mechanism takes advantage of the Red Hat distributions’ aged 64-bit 2.6.32 version of the Linux kernel. Before OutlawCountry can do its work, however, the server must have already been compromised with the infiltration of a malicious module, as well as the acquisition of root privileges. OutlawCountry then redirects outbound traffic to a CIA-controlled server by creating a hidden iptables or netfilter table in the Linux kernel’s networking stack. Red Hat is working on a resolution for OutlawCountry, which was internally documented by the CIA two years ago, and has released a command so users can check for infections.
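
A defender-side check for the mechanism described above, as an added example that is not Red Hat's published command and not part of the original article: it lists the netfilter tables the kernel reports and flags any name outside the stock set. It assumes the extra table is registered through the normal xtables interface and so appears in /proc/net/ip_tables_names (a module that also hides itself from /proc would evade it); the function names and the table name `example_tbl` are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag netfilter tables whose names are outside the set that
# stock kernels register. Not Red Hat's check; names here are illustrative.

# Tables shipped with mainline iptables/ip6tables.
KNOWN_TABLES="filter nat mangle raw security"

# check_netfilter_tables [FILE...]
# Reads one table name per line from each FILE (default: the kernel's own
# lists under /proc/net) and prints every name not in KNOWN_TABLES.
# Exit status: 0 = only known tables, 1 = unexpected table found,
#              2 = no list could be read.
check_netfilter_tables() (
    [ "$#" -gt 0 ] || set -- /proc/net/ip_tables_names /proc/net/ip6_tables_names
    found=0 readable=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "cannot read $f (need root, or module not loaded)" >&2
            continue
        fi
        readable=1
        while IFS= read -r name; do
            [ -n "$name" ] || continue
            case " $KNOWN_TABLES " in
                *" $name "*) ;;                      # stock table, ignore
                *) printf 'unexpected table "%s" listed in %s\n' "$name" "$f"
                   found=1 ;;
            esac
        done < "$f"
    done
    [ "$readable" -eq 1 ] || exit 2
    [ "$found" -eq 0 ]
)

# Constructed sample: a table list containing one extra, non-stock entry.
demo() (
    sample=$(mktemp) || exit 2
    printf '%s\n' filter nat mangle example_tbl > "$sample"
    check_netfilter_tables "$sample"; rc=$?
    rm -f "$sample"
    exit "$rc"
)

demo || echo "demo: exit status $? (1 means an unexpected table was reported)"
```

On a live host, call `check_netfilter_tables` with no arguments as root so it reads the kernel's lists directly.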

Earlier this year, WikiLeaks released info on the CIA’s Weeping Angel exploit, which attacks Samsung’s Tizen-based Smart TVs, as well as a CIA Dark Matter project that affects the Mac. A few others are general networking exploits that could affect Linux devices, but most of the 15 CIA exploits detailed in WikiLeaks’ 8,000-plus Vault7 documents target Windows.

According to AV-Test, Windows represented 70 percent of the online threats detected by AV-Test anti-malware security systems in 2016. There was a 15 percent drop in Windows attacks in 2016 as malicious hackers turned their attention to Linux and the Mac. Yet, any relief in the Windows world may be short lived — Windows made up 77 percent of attacks in Q1 2017.

The WannaCry ransomware attacks were the biggest scourge on Windows in 2016, but these have slowed greatly. While ransomware is often the most devastating malware, it represents a very small number of attacks, says AV-Test.

In the Linux world, the Mirai botnet appears to have faded somewhat, but other malware is targeting the same IoT devices. These include the Bashlite malware and the older, but ever resilient, Tsunami backdoor. The overall percentage of Linux or MacOS attacks were not listed, but presumably both make up the bulk of the 24.4 percent of 2016 attacks not represented by Windows or Android.

Android attacks

The Linux numbers do not include Android, which represented 5.65 percent of all malware in 2016. That may not seem like much, but it was double the number of attacks in 2015, says AV-Test.

The most infamous Android malware of the last two years — StageFright — has actually infected very few devices, or so Google claims. However, security firm Check Point reports that a type of Android malware called CopyCat last year infected 14 million devices, despite never making it to Google Play. CopyCat ended up rooting more than half of them, or about eight million devices. Most victims were in Southeast Asia, but 280,000 were in the United States. The CopyCat creators earned about $1.5 million, primarily through ad fraud.

Security threats in general dropped by 14 percent in 2016 compared to the 2015 high water mark. However, that’s still the second highest total since AV-Test started its surveys, and Q1 has shown an uptick. The company estimates that some 640 million malware programs were active in 2016.

The WatchGuard Technologies Internet Security Report, which was based on feedback from 26,500 WatchGuard UTM appliances worldwide, suggests that Linux malware is growing even faster than the AV-Test measurements indicate. Linux was said to be the target of 36 percent of malware detected in the first quarter, with IoT devices and servers receiving the lion’s share of attacks.

Other trends include an increase in attacks on web servers, totaling 82 percent of all network attacks. The report also detected seasonal trends: Most malware hits in Q4, followed by a Q1 slowdown.

It’s probably a good idea for all of us to learn more about security. One angle is covered in this recently updated cryptography overview for newbies from TheBestVPB.com.

To learn more about Linux security, check out the SysAdmin’s Essential Guide to Workstation Security from The Linux Foundation.


The Problem with Software Before Standards

By any measure, the rise of open source software as an alternative to the old, proprietary ways has been remarkable. Today, there are tens of millions of libraries hosted at GitHub alone, and the number of major projects is growing rapidly. As of this writing, the Apache Software Foundation hosts over 300 projects, while the Linux Foundation supports over 60. Meanwhile, the more narrowly focused OpenStack Foundation boasts 60,000 members living in more than 180 countries.

So, what could possibly be wrong with this picture?

What’s missing is enough awareness that, while open source software can meet the great majority of user demands, standing alone it can’t meet all of them. Worse yet, too many members of the open source community (business leads as well as developers) have no interest in making use of the most appropriate tools available to close the gap.

Read more at OpenSource.com

‘Open Source Development at Google Is Both Very Diverse and Distributed’

Everyone knows that Google is a leader in the open source world. But what is it that makes it a distinct player in the fast-growing developer community? Will Norris, the engineering manager at Google’s Open Source Programs Office, reveals some secrets in an exclusive talk with Jagmeet Singh of OSFY. Edited excerpts…

Q What is the development model for open source technologies at Google?

Open source development at Google is both very diverse and distributed. The larger projects that we release generally have dedicated teams developing and supporting the project, working with their external developer communities and providing internal support to other Googlers. Many of the smaller projects include just one or two engineers working on something experimental or just a fun, side project.

Read more at OpenSourceForU

MySQL Infrastructure Testing Automation at GitHub

Our MySQL infrastructure is a critical component to GitHub. MySQL serves GitHub.com, GitHub’s API, authentication and more. Every git request touches MySQL in some way. We are tasked with keeping the data available, and maintaining its integrity. Even while our MySQL clusters serve traffic, we need to be able to perform tasks such as heavy duty cleanups, ad-hoc updates, online schema migrations, cluster topology refactoring, pooling and load balancing and more. We have the infrastructure to automate away such operations; in this post we share a few examples of how we build trust in our infrastructure through continuous testing. It is essentially how we sleep well at night.

Read more at GitHub Engineering

Npm Password Resets Show Developers Need Better Security Practices

Thousands of developers who publish JavaScript packages in the npm repository have had their passwords reset since May because their login credentials were too weak or had been publicly exposed. The affected accounts were in control of tens of thousands of Node.js modules that, in turn, were direct or indirect dependencies for half of the entire npm ecosystem.

The incident highlights why developers need to improve their security posture and practices, especially since it is estimated that more than 80 percent of any modern application consists of open-source code, most of it consumed from component repositories.

The npm registry, which is the main source of Node.js modules, hosts almost half a million JavaScript packages — building blocks that are used by developers from around the world to develop everything from websites and mobile apps to APIs for controlling internet-of-things devices and robots.

Read more at The New Stack

A Continuous Testing Crash Course for Software Testers

Continuous testing is the process of executing automated tests as part of the software delivery pipeline in order to obtain feedback on the business risks associated with a software release candidate as rapidly as possible.

Why Do We Need to Rethink Our Approach to Testing?

The expectations associated with testing are changing–but legacy testing platforms aren’t keeping up. Legacy testing platforms take a “heavy” approach to testing. They rely on brittle scripts, deliver slow end-to-end regression test execution, and produce an overwhelming level of false positives. As a result, they’ve achieved limited success with test automation. The overall test automation rate is 18%, on average–8% for enterprises. In a polling question, the audience confirmed that the results of test automation have been so-so, at best.

Read more at DZone

Practical Networking for Linux Admins: IPv6 Routing

Our story so far: We have learned the important bits about TCP/IP, IPv6, and IPv4 and IPv6 LAN Addressing, which is all very excellent. But, if you want your computers to talk to each other, then you must know about routing.

Simple Test Lab

Now we have a good use for the ip command. ip assigns multiple addresses to network interfaces, which is totally groovy because you can practice setting up and testing routing without needing a herd of computers. All you need to get started is two computers connected to the same Ethernet switch. In the following examples, I’m using a desktop PC and a laptop connected to an old 8-port gigabit switch. Yes, I know, there are newer switches that are so fast they reach the future before we do. Any Ethernet switch you want to use is fine.

If you are using Network Manager it will try to find a DHCP server when you plug in your Ethernet cables, so don’t run any name services on your test lab.

Assigning and Removing IP Addresses

First check your network interface names. The output is snipped for clarity:

$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP>
[...]
2: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP>
[...]
3: wlx9cefd5fe8f20: <BROADCAST,MULTICAST,UP,LOWER_UP> 
[...]

My Ubuntu system likes to give network interfaces strange names. enp0s25 is my wired Ethernet interface. Let’s give it an IPv6 address from the range reserved for examples and documentation (see Practical Networking for Linux Admins: Real IPv6):

$ sudo ip -6 addr add 2001:0db8::1/64 dev enp0s25

Let us admire our new address (again with trimmed output), and note also how the link local address is assigned automatically:

$ ip addr show
2: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP>
    link/ether d0:50:99:82:e7:2b brd ff:ff:ff:ff:ff:ff
    inet6 2001:db8::1/64 scope global 
    inet6 fe80::d250:99ff:fe82:e72b/64 scope link 

Assign an address to the second host:

$ sudo ip -6 addr add 2001:0db8::2/64 dev eth0

Now the two hosts can ping each other. Remember, ping6 requires specifying the network interface, even if you only have one:

$ ping6 -I enp0s25 2001:db8::2
PING 2001:db8::2(2001:db8::2) from 2001:db8::1 enp0s25: 56 data bytes
64 bytes from 2001:db8::2: icmp_seq=1 ttl=64 time=1.01 ms

You can also ping the link local addresses:

$ ping6 -I enp0s25 fe80::ea9a:8fff:fe67:190d
PING fe80::ea9a:8fff:fe67:190d(fe80::ea9a:8fff:fe67:190d)
from fe80::d250:99ff:fe82:e72b enp0s25: 56 data bytes
64 bytes from fe80::ea9a:8fff:fe67:190d: icmp_seq=1 ttl=64 time=0.531 ms

link/ether is the MAC address. Note the scope values of global and link. global is a routable address, while link is the link local address that operates only within a single network segment. In IPv4 networks this is called a broadcast domain, which contains all hosts within a single logical network segment. Unlike IPv4 networks, IPv6 does not use a broadcast address. IPv4 has three address types: unicast, multicast and broadcast. As the excellent TCP/IP Guide says:

“Broadcast addressing as a distinct addressing method is gone in IPv6. Broadcast functionality is implemented using multicast addressing to groups of devices.”

Delete an address this way:

$ sudo ip -6 addr del 2001:0db8::1/64 dev enp0s25

Create Route

Now we’ll add a second address to one of our test machines that’s in a different subnet. In the 2001:0db8::0/64 network, the first four octets define the network, and the last four are the host addresses. The “2” in the host address on my second test machine helps me remember which machine is which, so I’ll recycle that for the new subnet:

$ sudo ip -6 addr add 2001:db8:0:1::2/64 dev eth0

I ping the new address from the first test machine, to no avail:

$ ping6 -I enp0s25 2001:db8:0:1::2
connect: Network is unreachable

So, I’ll create a route to the new subnet. Run ip -6 route show first to see your existing routing table, and copy it for a reference. Then create the new route:

$ sudo ip -6 route add 2001:db8:0:1::0/64 dev enp0s25

Now look what ping does:

$ ping6 -I enp0s25 2001:db8:0:1::2
PING 2001:db8:0:1::2(2001:db8:0:1::2) from 2001:db8::1 enp0s25: 56 data bytes
64 bytes from 2001:db8:0:1::2: icmp_seq=1 ttl=64 time=0.583 ms

Success! We are networking nerds deluxe! Just to make sure, delete the route and try ping again:

$ sudo ip -6 route del 2001:db8:0:1::0/64 dev enp0s25
$ ping6 -I enp0s25 2001:db8:0:1::2
connect: Network is unreachable
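
Why the first ping fails and the added route fixes it, as an added example that is not part of the original article: with only a /64 address configured, the kernel has a connected route just for destinations that share the address's first 64 bits (the first four 16-bit groups). The helper names below are this example's own; the addresses are the ones used in the article.

```sh
#!/bin/sh
# Added example: decide whether an IPv6 destination lies in the same /64 as a
# local address, i.e. whether the connected route already covers it.

# pad4 GROUP -> GROUP as four lowercase hex digits; fails on invalid input
pad4() {
    case $1 in
        ''|*[!0-9A-Fa-f]*|?????*) return 1 ;;
    esac
    printf '%04x' "0x$1"
}

# expand_ipv6 ADDR[/LEN] -> eight zero-padded groups, "::" expanded
expand_ipv6() (
    addr=${1%%/*}                           # drop a trailing /prefix-length
    case $addr in
        ''|*:::*|:[!:]*|*[!:]:) exit 1 ;;   # malformed colon usage
    esac
    case $addr in
        *::*) head=${addr%%::*} tail=${addr#*::} gap=1 ;;
        *)    head=$addr tail= gap=0 ;;
    esac
    set -f; IFS=:                           # split on ':' without globbing
    set -- $head; nhead=$#
    set -- $tail; ntail=$#
    missing=$((8 - nhead - ntail))          # groups hidden behind "::"
    if [ "$gap" -eq 1 ]; then
        [ "$missing" -ge 1 ] || exit 1
    else
        [ "$missing" -eq 0 ] || exit 1
    fi
    out=
    for g in $head; do out="$out$(pad4 "$g"):" || exit 1; done
    i=0
    while [ "$i" -lt "$missing" ]; do out="${out}0000:"; i=$((i + 1)); done
    for g in $tail; do out="$out$(pad4 "$g"):" || exit 1; done
    printf '%s\n' "${out%:}"
)

# prefix64 ADDR -> the first four groups (the /64 network part)
prefix64() (
    full=$(expand_ipv6 "$1") || exit 1
    printf '%s\n' "${full%:*:*:*:*}"
)

# on_link64 LOCAL DEST -> status 0 if DEST is inside LOCAL's /64,
#                         1 if it is not, 2 if either address is invalid
on_link64() (
    a=$(prefix64 "$1") || exit 2
    b=$(prefix64 "$2") || exit 2
    [ "$a" = "$b" ]
)

# The article's addresses: first host, then both addresses of the second host.
for dst in 2001:db8::2 2001:db8:0:1::2; do
    if on_link64 2001:0db8::1/64 "$dst"; then
        echo "$dst: same /64, covered by the connected route"
    else
        echo "$dst: different /64, needs 'ip -6 route add' first"
    fi
done
```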

None of these configurations survive a reboot. This is good news when you want to wipe everything and start over, but not so good news when you want to keep them. Every Linux distribution has its own special way of configuring IP addresses and static routes. If you’re running Network Manager you can configure everything with it. You can also push all of this to clients with a DHCP server, such as the excellent Dnsmasq, which provides name services, router advertisement, and network booting. All of which are large topics for another day. Until then, be well and enjoy being an IPv6 guru.


Take the Open Source Jobs Survey from Dice and The Linux Foundation

Do you use or contribute to open source technologies? Or, are you responsible for hiring open source professionals? If so, please take a minute to complete a short open source jobs survey from Dice and The Linux Foundation and make your voice heard.

During the past decade, open source development has experienced a massive shift, becoming a mainstay of the IT industry. Flexibility in accommodating new technologies and adapting to a changing market make open source software vital to modern companies, which are increasingly investing in open source talent.

To gather more information about the changing landscape and opportunities for developers, administrators, managers, and other open source professionals, Dice and The Linux Foundation have partnered to produce two open source jobs surveys — designed specifically for hiring managers and industry professionals.

Take the Hiring Managers Survey

Take the Professionals/Candidates Survey 

As a token of our appreciation, $2,000 in Amazon gift cards will be awarded to survey respondents selected at random after the closing date. Complete the survey for a chance to win one of 10 $100 gift cards, or one of two $500 gift cards. 

The survey results will be compiled into the 2017 Open Source Jobs Report. This annual report evaluates the state of the job market for open source professionals and examines what hiring managers are looking for and what motivates employees in the industry. You can download the 2016 Open Source Jobs Report for free.  

Survey responses must be received by Thursday, July 27, at 12:00 pm Eastern time.