The Purism Librem Key

The Librem Key is a new hardware token for improving Linux security by adding a physical authentication factor to booting, login and disk decryption on supported systems. It also has some features that make it a good general-purpose OpenPGP smart card. This article looks at how the Librem Key stacks up against other multi-factor tokens like the YubiKey 5 and also considers what makes the Librem Key a unique trusted-computing tool.

Spy Games: the NSA and GCHQ Offer Their Software to the Open Source Community

Spies worth their salt are generally expected to be good at keeping secrets. With dead drops, encryption, cyanide pills and the like, openly sharing useful information isn’t supposed to be a part of the job description. So it caught more than a few of us off guard when a couple years ago, some of the top spy agencies began contributing code to GitHub, making it available to the masses by open-sourcing some of their software.

Some (Linux) Bugs Have All the Fun

Bugs happen. Every minute of every hour of every day, software bugs are hard at work, biting computer users in the proverbial posterior. Many of them go unnoticed (the bugs, not the posteriors). More still rise to the illustrious level of "bugs that are minor annoyances". Yet sometimes, when the stars align just so, a bug manifests itself in a truly glorious way. And when I say "glorious", I mean "utterly destructive and soul-obliterating". Nowhere are these bugs more insidious than when they are within the operating systems (and key components) themselves.

February 2019, #295: The Security Issue

On January 13th, 2018—at 8:07 am—an emergency alert was issued in Hawaii. The message, in its entirety: "BALLISTIC MISSILE THREAT INBOUND TO HAWAII. SEEK IMMEDIATE SHELTER. THIS IS NOT A DRILL." Although this message—which showed up on smart phones across the state—was, indeed, not a also was not a real threat. There was no missile hurtling through the atmosphere towards Hawaii. It turns out someone had simply clicked the wrong option from a very poorly designed user interface and sent out a fake (but very real-looking) emergency alert.

Tamper-Evident Boot with Heads

Learn about how the cutting-edge, free software Heads project detects BIOS and kernel tampering, all with keys under your control. Some of the earliest computer viruses attacked the boot sector—that bit of code at the beginning of the hard drive in the Master Boot Record that allowed you to boot into your operating system. The reasons for this have to do with stealth and persistence. Viruses on the filesystem itself would be erased if users re-installed their operating systems, but if they didn't erase the boot sector as part of the re-install process, boot sector viruses could stick around and re-infect the operating system.

Five Trends Influencing Linux's Growth at the Endpoint

A recent IDC InfoBrief identified Linux as the only endpoint operating system growing globally. While Windows market share remains flat, at 39% in 2015 and 2017, Linux has grown from 30% in 2015 to 35% in 2017, worldwide. And the trend is accelerating.

Travel Laptop Tips in Practice

It's one thing to give travel advice; it's another to follow it. In past articles, I've written about how to prepare for a vacation or other travel when you're on call. And, I just got back from a vacation where I put some of those ideas into practice, so I thought I'd write a follow-up and give some specifics on what I recommended, what I actually did and how it all worked.

Weekend Reading: Privacy

Most people simply are unaware of how much personal data they leak on a daily basis as they use their computers. Enter this weekend's reading topic: Privacy. FOSS Project Spotlight: Tutanota, the First Encrypted Email Service with an App on F-Droid by Matthias Pfau

ModSecurity and nginx

nginx is the web server that's replacing Apache in more and more of the world's websites. Until now, nginx has not been able to benefit from the security ModSecurity provides. Here's how to install ModSecurity and get it working with nginx. Earlier this year the popular open-source web application firewall, ModSecurity, released version 3 of its software. Version 3 is a significant departure from the earlier versions, because it's now modularized. Before version 3, ModSecurity worked only with the Apache web server as a dependent module, so there was no way for other HTTP applications to utilize ModSecurity. Now the core functionality of ModSecurity, the HTTP filtering engine, exists as a standalone library, libModSecurity, and it can be integrated into any other application via a "connector". A connector is a small piece of code that allows any application to access libModSecurity.

3D-Printed Firearms Are Blowing Up

What's the practical risk with 3D-printed firearms today? In this opinion piece, Kyle explores the current state of the art. If you follow 3D printing at all, and even if you don't, you've likely seen some of the recent controversy surrounding Defense Distributed and its 3D-printed firearm designs.

Encrypting NFSv4 with Stunnel TLS

NFS clients and servers push file traffic over clear-text connections in the default configuration, which is incompatible with sensitive data. TLS can wrap this traffic, finally bringing protocol security. Before you use your cloud provider's NFS tools, review all of your NFS usage and secure it where necessary.

Extending Landlocked Processes

Mickaël Salaün posted a patch to improve communication between landlocked processes. Landlock is a security module that creates an isolated "sandbox" where a process is prevented from interacting with the rest of the system, even if that process itself is compromised by a hostile attacker. The ultimate goal is to allow regular user processes to isolate themselves in this way, reducing the likelihood that they could be an entry point for an attack against the system.

At Rest Encryption

Learn why at rest encryption doesn't mean encryption when your laptop is asleep. There are many steps you can take to harden a computer, and a common recommendation you'll see in hardening guides is to enable disk encryption. Disk encryption also often is referred to as "at rest encryption", especially in security compliance guides, and many compliance regimes, such as PCI, mandate the use of at rest encryption. This term refers to the fact that data is encrypted "at rest" or when the disk is unmounted and not in use. At rest encryption can be an important part of system-hardening, yet many administrators who enable it, whether on workstations or servers, may end up with a false sense of security if they don't understand not only what disk encryption protects you from, but also, and more important, what it doesn't.

The LJ Password Generator Tool

Mnemonic passwords generally stink. A random sequence of letters, digits and punctuation is more secure—just don't write down your passwords, like the knucklehead antagonist does in Ready Player One!

Data Privacy: Why It Matters and How to Protect Yourself

When it comes to privacy on the internet, the safest approach is to cut your Ethernet cable or power down your device. But, because you can't really do that and remain somewhat productive, you need other options. This article provides a general overview of the situation, steps you can take to mitigate risks and finishes with a tutorial on setting up a virtual private network.

The Fight for Control: Andrew Lee on Open-Sourcing PIA

When I learned that our new sister company, Private Internet Access (PIA), was opening its source code, I immediately wanted to know the backstory, especially since privacy is the theme of this month's Linux Journal. So I contacted Andrew Lee, who founded PIA, and an interview ensued. Here it is. DS: What made you start PIA in the first place? Did you have a particular population or use case—or set of use cases—in mind?

Generating Good Passwords, Part II

Passwords. They're the bane of computer users and a necessary evil, but they have risks and challenges associated with them. None of the choices are great. If it's up to your memory, you'll end up using the same password again and again. Use a password manager like 1Password, and you're reliant on its database security and portability. Two-factor? Um, can I borrow your phone for a minute?