Damn Vulnerable Linux is a security distro that can be an excellent learning tool. The distro includes older versions of popular software such as the Apache web server, MySQL, PHP and others. The objective of creating such a distro is to let users try out known hacks and vulnerabilities against these technologies and hone their skills.
The distro is described as follows:
DVL is a live CD available as a 1.8 GB ISO. It contains older, easily breakable versions of Apache, MySQL, PHP, and FTP and SSH daemons, as well as several tools available to help you compile, debug, and break applications running on these services, including GCC, GDB, NASM, strace, ELF Shell, DDD, LDasm, LIDa, and more.
DVL is made by people with significant black hat backgrounds, incorporating the community of ReverseEngineering.net and Crackmes.de. It contains a huge amount of lessons, including lesson descriptions and solutions if the level has been solved by a community member at Crackmes.de.
Apparently the distro has been deliberately made vulnerable to attacks and can be used to teach thread hijacking, buffer overflows, SQL injection and other kinds of exploits.
The distro is sized at 1.8 GB and is available as a zip file. Head over to the Damn Vulnerable Linux (DVL) page to read more and download the distro.
According to Nate Lawson and Taylor Nelson of Root Labs, OpenID and OAuth, which are used to authenticate third-party web and desktop applications to web services like Twitter and Digg, are at risk from a severe security flaw. In fact, the flaw affects a host of other open source authentication services as well. The matter will be presented at an upcoming security conference.
The flaw is the rather controversial timing attack: the attacker measures how long the server takes to check a signature and from that estimates whether the first few characters of the submitted signature are correct. Repeated often enough, this process can in theory lead to a successful hack. In practice it was thought to be very hard to carry out, or at least that was the common belief until three years ago.
Three years ago a timing attack was used to hack the Xbox, and the people who did it became geek gods. However, that attack interacted directly with the host. Over a network, many more factors come into play, such as network load, jitter and varying latency.
What is remarkable is that Lawson and Nelson claim to have executed the attack both over a network and against a cloud deployment, successfully recovering sensitive information. Further details will be revealed at the upcoming Black Hat conference in Las Vegas.
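The root cause of the flaw described above is a signature check that stops at the first mismatching byte, so the time it takes reveals how long the correct prefix is. The following added example (written for this post, not code from Root Labs or any OAuth library) shows an OAuth-style HMAC-SHA1 signature being checked with an early-exit compare beside a constant-time compare; the key, message and function names are constructed for the demonstration.

```python
import hmac
import hashlib

# Constructed demo key: a placeholder, not a real credential.
SECRET = b"constructed-demo-key"


def sign(message: bytes) -> bytes:
    """Expected signature for a message (hex HMAC-SHA1, as OAuth 1.0a uses)."""
    return hmac.new(SECRET, message, hashlib.sha1).hexdigest().encode()


def early_exit_compare(expected: bytes, submitted: bytes) -> tuple:
    """Byte-by-byte comparison that returns at the first mismatch.
    Returns (match, bytes_examined). The second value is the leak: the
    number of bytes examined, and hence the time taken, grows with the
    length of the correct prefix of `submitted`."""
    if len(expected) != len(submitted):
        return False, 0
    examined = 0
    for a, b in zip(expected, submitted):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(expected: bytes, submitted: bytes) -> tuple:
    """Examine every byte regardless of where the first mismatch is, so the
    work done does not depend on the submitted value. Accumulating the XOR
    of all byte pairs avoids any data-dependent branch inside the loop."""
    if len(expected) != len(submitted):
        return False, 0
    diff = 0
    for a, b in zip(expected, submitted):
        diff |= a ^ b
    return diff == 0, len(expected)


def verify(message: bytes, submitted: bytes) -> bool:
    """What a hardened server should do: use the standard library's
    constant-time compare rather than `==` on the signature strings."""
    return hmac.compare_digest(sign(message), submitted)
```

The `bytes_examined` counter stands in for elapsed time: with the early-exit compare a signature wrong in its last character costs forty steps while one wrong in its first costs one, and that difference is what the constant-time version removes.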
For those of you who still miss the Windows applications in Linux, there is good news.
After some delay, the stable version of Wine 1.2 has finally been released. This is the first major Wine update in two years, and with 3000 bug fixes and 23,000 changes since the previous stable release, it is indeed a major release.
Here are some of the more important improvements/new features in Wine 1.2:
- Support for 64-bit applications.
- New icons based on Tango for better integration with the Unix look.
- Applications Control Panel to manage installed applications.
- Subpixel font rendering is now supported. This will make text look better.
- Digital playback of audio CDs is supported.
- Many new OpenGL extensions are now supported.
You can view the release notes with the list of changes here.
Unfortunately it is not available for Ubuntu yet, but if you want to compile it from source, here is the link.
The Ubuntu Software Center for Maverick just keeps getting better and better. Today a new version, Ubuntu Software Center 2.1.5, has been released. While it does not have much visual change to offer compared to the earlier versions, it has some new features underneath.
The biggest and most interesting new feature is probably the introduction of plugin support. Plugin support in the Ubuntu Software Center is needed for the OneConf integration which will be introduced in Maverick Meerkat.
OneConf is a rather interesting feature that will be introduced in Ubuntu 10.10 Maverick Meerkat. Using OneConf, users can save their application-related information to their Ubuntu One account and sync that information with other systems if needed.
As I have mentioned above, not much has changed in terms of the look. Nonetheless, there are still a few changes. The installation dates of installed applications are now indicated below the application name. The application screenshot has also been made a bit smaller, and you will notice that the history section is a bit more organized.
You can see the complete changelog here and, if you want to try it out in Lucid, here are the installation instructions.
This week in FOSS, we see a variety of happenings. As always, Ubuntu is generating buzz with the latest Unity theme, and Mandriva Linux, which earlier appeared dead, has been resurrected.
GPL causes tension between WordPress and Thesis creator DIY Themes
The GPL has some confusing rules and terms. WordPress creator Matt Mullenweg has accused Chris Pearson of DIY Themes of GPL infringement. His argument is that WordPress is released under the GPL and Thesis is built around WordPress, yet Thesis is closed.
However, Chris Pearson has a strong defense, pointing out that WordPress is like a platform and that Thesis, while built around WordPress, does not inherit any code from it. That makes it free of any GPL obligations. Even so, upsetting the WordPress creators will land Thesis in an uncomfortable position.
Mandriva comes back, planning to stay afloat for now
Mandriva Linux went into oblivion a few months ago when the company behind it shut down. However, some organizations depended on Mandriva for their business and decided to bring it back on track.
Therefore, Mandriva will live for now. However, it will now be distributed exclusively through OEMs.
Unity Ubuntu theme aims for features
The Unity theme for Ubuntu will be available from the next version onwards and has an impressive lightweight interface. However, the folks at Ubuntu have decided to focus on the features and functionality of the theme for now. With that in mind, the theme sports new features like Quicklists and global search.
The openSUSE Project has announced the release of the final version of openSUSE 11.3 today. openSUSE 11.3 includes a number of changes, updates and improvements over openSUSE 11.2, which was released in November last year.
openSUSE 11.3 is based on Linux kernel 2.6.34 and has KDE Software Compilation 4.4.4 as the default desktop environment. A GNOME version is also available and it uses GNOME 2.30.1. In terms of the default applications, it comes with Thunderbird 3.0.5, Firefox 3.6.4 and OpenOffice 3.2.1 to name a few. openSUSE 11.3 also gives the user the choice of using Btrfs during installation.
You can view the complete changelog here or read the release notes. A screenshot tour of openSUSE 11.3 has also been put up.
openSUSE is widely regarded as one of the best KDE-based Linux distros. So, if you want to give openSUSE 11.3 a go, you can download it here: Download openSUSE 11.3.
CentOS is a free Red Hat-based operating system which enjoys widespread use on servers. It does not have the recognition of Ubuntu, Fedora etc., since it focuses entirely on servers and not on desktops.
According to a report from W3Techs, CentOS is now the most popular Linux distro used on web servers. It has overtaken Debian, which is now in second place. According to their statistics, CentOS is used on 30% of Linux-based web servers.
As you can see, CentOS has been gaining popularity quite rapidly. Ubuntu is also enjoying a small increase in server deployment. There is very little change for Debian, Gentoo and SUSE. Red Hat and Fedora, however, are declining in popularity.
W3Techs also published details of which distros lost out to CentOS and by how much. According to their statistics, CentOS is gaining primarily from Red Hat and Fedora: 5.03% of the servers now running CentOS were previously running Red Hat, and 1.53% were previously running Fedora.
Another interesting point is that CentOS is not as popular among large websites as among smaller ones. While 9.7% of the top 100,000 websites use CentOS, only 6% of the top 1000 do.
We cannot say how accurate these statistics are, but CentOS has clearly been gaining popularity in server deployment recently.
OpenSolaris has had a bad time ever since Oracle acquired Sun. There were reports of free OpenSolaris CDs being halted. Oracle did respond to some questions regarding OpenSolaris, assuring everyone that OpenSolaris would live on. However, we have come a long way since then and there are no visible efforts from Oracle to save OpenSolaris. It seems Oracle has simply left OpenSolaris to die alone!
The OpenSolaris governing board is left clueless in this situation and has issued an ultimatum to Oracle: if it does not nominate a contact person, the board will dissolve itself, putting OpenSolaris under the direct responsibility of Oracle.
The Oracle and OpenSolaris teams did not start on friendly terms, and this is affecting OpenSolaris.
However, contrary to many beliefs, I think Oracle is doing great. Firstly, it bought a plummeting company, which deserves some applause. The deal included a host of services and technologies which are managed by communities. MySQL and OpenSolaris both fall under this category, and this is outside the realm of Oracle's business model. They have not done this kind of business before and are taking their time to get things back on track.
We can clearly see results here! MySQL fans have stopped complaining. OpenSolaris will have its turn soon too. We need to trust Oracle. At least, that is the best we can do right now.
In a move of desperation, the OpenSolaris Governing Board (OGB) has threatened to dissolve itself if Oracle does not appoint a person to make decisions regarding OpenSolaris by the 16th of August.
There has been no official update to OpenSolaris for thirteen months. The last update was OpenSolaris 2009.06, released when Sun Microsystems was not yet under Oracle. After Oracle took over Sun Microsystems, not much has happened to OpenSolaris. There was supposed to be a new update in February as OpenSolaris 2010.02. Then it was pushed back to March as OpenSolaris 2010.03. However, that too did not happen. Since taking over Sun Microsystems, it seems Oracle has dropped everything related to OpenSolaris. In almost a year, Oracle has not made any kind of communication to the developers or end users regarding OpenSolaris.
On top of all this, it has been reported that Jeb Dabsteel, Oracle Senior Vice President and Chief Customer Officer, did not turn up for the OpenSolaris Governing Board meeting after confirming that he would attend. Obviously the OpenSolaris Board is disturbed by all this and has issued the following statement:
The OGB is keen to promote the uptake and open development of OpenSolaris and to work on behalf of the community with Oracle, as such the OGB needs Oracle to appoint a liaison by August 16, 2010, who has the authority to talk about the future of OpenSolaris and its interaction with the OpenSolaris community otherwise the OGB will take action at the August 23 meeting to trigger the clause in the OGB charter that will return control of the community to Oracle.
Oracle has not given any official response to the OpenSolaris Board's threat, but it will be interesting to see what they do next. Will Oracle crumble under the pressure, or will they simply not care?