Tag / Security

  • IoTivity 1.3.1 has been released, and with it come some important new changes. First, you can rebuild packages from sources, with or without my hotfix patches, as explained recently in this blog post. For ARM users (of ARTIK7), the fastest option is to download precompiled packages as .RPM for fedora-24 from my personal repository, or check ongoing work for other OSes. Copy and paste this snippet to install the latest IoTivity from my personal repo:

    I also want to thank JFrog for proposing bintray service to free and open source software developers.

    Standalone Apps

    In a previous blog post, I explained how to run examples that are shipped with the release candidate. You can also try with other existing examples (rpm -ql iotivity-test), but some don’t work properly. In those cases, try the 1.3-rel branch, and if you’re still having problems please report a bug. At this point, you should know […]

  • December 14, 2017 - Shuah Khan

    One Small Step to Harden USB Over IP on Linux

    The USB over IP kernel driver allows a server system to export its USB devices to a client system over an IP network via the USB over IP protocol. Exportable USB devices include physical devices and software entities that are created on the server using the USB gadget sub-system. This article will cover a major bug related to USB over IP in the Linux kernel that was recently uncovered; it created some significant security issues but was resolved with help from the kernel community.

    The Basics of the USB Over IP Protocol

    There are two USB over IP server kernel modules:

      • usbip-host (stub driver): A stub USB device driver that can be bound to physical USB devices to export them over the network.
      • usbip-vudc: A virtual USB Device Controller that exports a USB device created with the USB Gadget Subsystem.

    There is one USB over IP client kernel module:

      • usbip-vhci: A […]

  • After my previous blog post, you should now be using SSH and Tor all the more often, but things are probably slow when you are trying to set up a secure connection with this method. This may well be due to your computer lacking a proper source of entropy to create secure cryptographic keys. You can check the entropy of your system with the following command.

    This will return a number; hopefully it’s above 3,000 because that’s what is likely needed to keep up with your needs. So what do you do if it’s not high enough? This article will cover two tips to improve your computer’s entropy. All examples in this guide are for Linux distributions that use systemd.

    rngd

    rngd is a tool designed to feed the system with more entropy from various sources. It is part of the rng-tools package. After installing it, the rngd service needs to […]

  • January 24, 2017 - Cedric Bail

    Improving the Security of Your SSH Configuration

    Most developers make use of SSH servers on a regular basis and it’s quite common to be a bit lazy when it comes to the admin of some of them. However, this can create significant problems because SSH is usually served over a port that’s remotely accessible. I always spend time securing my own SSH servers according to some best practices, and you should review the steps in this article yourself. This blog post will expand upon these best practices by offering some improvements.

    Setup SSH Server Configuration

    The first step is to make the SSH service accessible via only the local network and Tor. Tor brings a few benefits for an SSH server:

      • Nobody knows where users are connecting to the SSH server from.
      • Remote scans need to know the hidden service address Tor uses, which reduces the risk of automated scan attacks on known login/password and bugs in the ssh server.
      • It’s always […]

  • February 23, 2016 - Tom Hacohen

    Running letsencrypt as an Unprivileged User

    Running letsencrypt as an unprivileged user (non-root) is surprisingly easy, and even more surprisingly undocumented. There is no mention in the official documentation, nor was I able to find anything online. There are alternative clients that were designed to be run as unprivileged, but they are not as beginner-friendly as the official one. Personally, I’ve switched to acme-tiny (and created an AUR package for it). It’s much smaller and lets me have an even more secure setup. Why would you want to bother with this? One word: security. You should always strive to run every process with the lowest privileges possible because this reduces the chances of data loss as a result of a bug. More importantly, this reduces the chances of your server being compromised and thus improves overall security.

    Summary

    In this tutorial we will set up letsencrypt to run as an unprivileged user using the webroot plugin. This […]

  • The use of HTTPS has so far been somewhat restricted in open source projects because of the cost of acquiring and maintaining certificates. As a result of this and the need to improve Internet security, several projects are working on providing free valid certificates. Among those projects, Let’s Encrypt launched a public beta last week on December 3, 2015.

    The Let’s Encrypt Approach

    Let’s Encrypt is a Linux Foundation Collaborative project that started to fulfill an Electronic Frontier Foundation (EFF) long-term mission to Encrypt the Web. According to the EFF, the “aim is to switch hypertext from insecure HTTP to secure HTTPS. That protection is essential in order to defend Internet users against surveillance of the content of their communications; cookie theft, account hijacking and other web security flaws; cookie and ad injection; and some forms of Internet censorship.” With that goal in mind, the Let’s Encrypt project is providing […]

  • October 26, 2015 - Habib Virji

    The Essentials of IoTivity Connectivity

    This article is part 1 of a 3-part series on how IoTivity handles security for the connected IoT world. IoTivity is a Linux Foundation Collaborative Project that implements the Open Interconnect Consortium (OIC) standard. OIC is a consortium of over 100 companies that are working together to develop a standard for interoperability between IoT devices. It includes a certification program to check interoperability between devices from different manufacturers. The OIC has various task groups that each address different areas in the IoT domain. The primary group is the core group, which defines the base layer and lays the foundation for the other task groups. The other prominent task groups include security and remote connectivity. The security task group defines the base security layer that is expected in each device; this allows devices to secure trust and provide an access control policy for other devices in a house. Remote […]

  • October 19, 2015 - Tom Hacohen

    Using OpenPGP Keys For SSH Authentication

    If you already use OpenPGP, there is no need for you to create an additional SSH key. You can just consolidate your identity and use the same key for SSH authentication. The main benefits that come to mind are:

      • Preparing yourself for your eventual migration to using an OpenPGP smart card (hereby: SmartCard) like the YubiKey NEO.
      • Having one less key to worry about.

    The rest of this post assumes:

      • You use GnuPG version 2.1 or later (run gpg --version to verify).
      • You already have an OpenPGP key (plenty of tutorials online).
      • You already use gpg-agent as your SSH agent (plenty of tutorials online).

    Create an Authentication subkey

    We first need to open the relevant key for editing in expert mode:

    Now we are going to add a new authentication key:

    Select (8) RSA (set your own capabilities).

    Select (S), (E) and (A) until the current allowed […]

  • Open Source Wrap Up: August 29 – September 4, 2015

    Sleepy Puppy: A New Open Source XSS Flaw Detection Tool

    Netflix has released Sleepy Puppy, a tool for detecting XSS flaws. The tool has been created in an effort to fight malicious cross-site scripting, which is a type of vulnerability that allows attackers to execute arbitrary scripts in a victim’s browser. XSS vulnerabilities have been one of the leading security vulnerabilities for more than 10 years, with an estimated 47% of all websites containing a vulnerability of this type. Sleepy Puppy helps prevent these attacks by providing an XSS payload management framework that makes it simpler for engineers to capture, manage, and track XSS propagation. Netflix seeks outside involvement in the development of this software, and the code is hosted on their GitHub account. For more information, read the official blog post from Netflix.

    New Version of Hack: Open […]

  • Open Source Wrap Up: May 20 – June 5, 2014

    Automotive Grade Linux Released

    Automotive Grade Linux (AGL) is a collaborative environment to bring a Linux software stack to the connected car. The project has released its own open source In-Vehicle Infotainment (IVI) software that features a dashboard, home screen, navigation map, media playback, audio controls, and more. Each feature also includes detailed design requirement documents with descriptions, use cases, graphical assets, and architecture diagrams, all available on the project wiki. Moving forward, the project will focus on developing standardized instrument clusters in an effort to expand the role of AGL into more aspects of the car ecosystem as a part of the push towards autonomous cars. Read more from the Linux Foundation.

    Fedora 22 Released

    Fedora 22, the latest version of a popular Linux distribution that’s backed by Red Hat, has been released. It includes quite a few improvements, […]
