Showing posts with label linux. Show all posts

Saturday, 19 December 2015

You can Hack into a Linux Computer just by pressing 'Backspace' 28 times

So what would anyone need to bypass password protection on your computer?

All it takes is hitting the backspace key 28 times, at least on a computer running the Linux operating system.

Wait, what?

A pair of security researchers from the University of Valencia have uncovered a bizarre bug in several distributions of Linux that could allow anyone to bypass any kind of authentication during boot-up just by pressing the backspace key 28 times.


This time, the issue is neither in the kernel nor in the operating system itself. The vulnerability resides in Grub2, the popular Grand Unified Bootloader, which most Linux systems use to boot the operating system when the PC starts.


The source of the vulnerability is an integer underflow that was introduced with a single commit in Grub version 1.98 (December 2009) – b391bdb2f2c5ccf29da66cecdbfb7566656a704d – affecting the grub_password_get() function.
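To illustrate the bug class, here is an added example that is not Grub's source code: a simplified model of a prompt line editor whose length counter is decremented on backspace, shown with and without the empty-buffer check. The names read_line_model, after_backspaces, in_bounds and BUF_SIZE are hypothetical, and the model never performs an out-of-bounds access itself.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64u   /* constructed size for this model */

/* Feed n keys to a minimal prompt line editor and return its length
   counter. guard != 0 selects the hardened backspace handling. */
static unsigned read_line_model(char *buf, const char *keys, size_t n, int guard)
{
    unsigned cur_len = 0;

    for (size_t i = 0; i < n; i++) {
        char key = keys[i];
        if (key == '\n' || key == '\r')
            break;
        if (key == '\b') {
            if (guard && cur_len == 0)
                continue;            /* hardened: nothing left to erase */
            cur_len--;               /* unguarded: 0 - 1 wraps around */
            continue;
        }
        if (cur_len < BUF_SIZE - 1)  /* the model never writes past buf */
            buf[cur_len++] = key;
    }
    return cur_len;
}

/* Length counter after `count` backspaces typed at an empty prompt. */
static unsigned after_backspaces(unsigned count, int guard)
{
    char buf[BUF_SIZE] = {0};
    char keys[BUF_SIZE];

    if (count > BUF_SIZE)
        count = BUF_SIZE;
    memset(keys, '\b', count);
    return read_line_model(buf, keys, count, guard);
}

/* A counter is only safe as an index or offset while inside the buffer. */
static int in_bounds(unsigned cur_len)
{
    return cur_len < BUF_SIZE;
}

int main(void)
{
    unsigned bad = after_backspaces(28, 0), good = after_backspaces(28, 1);
    printf("unguarded: cur_len=%u in_bounds=%d\n", bad, in_bounds(bad));
    printf("guarded:   cur_len=%u in_bounds=%d\n", good, in_bounds(good));
    return 0;
}
```

Any later code that uses the wrapped counter as a buffer offset would touch memory far outside the buffer, which is why the guard belongs at the decrement.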

Here's How to Exploit the Linux Vulnerability


If your computer system is vulnerable to this bug:

Just hit the backspace key 28 times at the Grub username prompt during power-up. This will open a "Grub rescue shell" under Grub2 versions 1.98 to version 2.02.

This rescue shell allows unauthenticated access to a computer and the ability to load another environment.

From this shell, an attacker could gain access to all the data on your computer and misuse that access to steal or delete the data, or to install persistent malware or a rootkit, according to researchers Ismael Ripoll and Hector Marco, who published their research on Tuesday.

Here's How to Protect Linux System


The Grub vulnerability affects Linux systems from December 2009 to the present date, though older Linux systems may also be affected.

The good news is that the researchers have made an emergency patch to fix the Grub2 vulnerability. So if you are a Linux user and worried your system might be vulnerable, you can apply this emergency patch, available here.

Meanwhile, many major distributions, including Ubuntu, Red Hat, and Debian, have also released emergency patches to fix the issue.

Linux is often thought to be a super secure operating system compared to others, and this Grub vulnerability is a good reminder that it's high time to take physical security just as seriously as network security.

Thursday, 17 December 2015

Ubuntu 16.04 LTS won't send local searches over the web by default

The Unity 8 desktop isn't ready yet, but all Ubuntu users will soon benefit from its more privacy-friendly approach.



With Ubuntu 16.04 LTS, the OS will no longer send your local searches over the web by default. This will eliminate those obnoxious product search results from online stores, and should make the EFF and other organizations that criticized the practice happy. Even better, the change is being made to the classic Unity 7 desktop, not just the new Unity 8 desktop.

A Unity 8 change comes to Unity 7


Canonical, the maker of Ubuntu, previously announced that Unity 8 wouldn't send searches over the Internet by default, but currently that interface is used only on Ubuntu phones and experimental Ubuntu desktop images. Unity 8 won’t arrive as a PC desktop for quite some time. Ubuntu 16.04 LTS will feature a choice of desktop environments, and most Ubuntu users will likely stick with the stable Unity 7 desktop for years to come.
Rather than make everyone wait for Unity 8 to get this change, Ubuntu’s developers are making Unity 7 a bit more like Unity 8 in Ubuntu 16.04 LTS.
In a post on his personal blog, Canonical’s Will Cooke explained that the change was conceptual. These online search results had evolved to allow for more user control in Unity 8, but it wasn’t possible to redesign Unity 7 to work exactly like Unity 8 without a lot of effort. So, Canonical has “taken the decision to gracefully retire some aspects of the Unity 7 online search features.”
The "Include online search results" option will now be off by default.

So what exactly is changing?

There are three major points here. First of all, online searches are completely off by default. Currently, they’re on by default. This change means that none of your dash searches will leave your computer without your express permission. If you like the online search results, you can re-enable them by opening the “System Preferences” window and changing the option under “Security & Privacy”—the same option you’d have to use to disable them today.
Second, even if you do enable online search results, product search results from Amazon and Skimlinks will remain disabled. You can toggle them back on again from the dash, if you wish. This means that Ubuntu is doubly disabling those widely disliked product search results.
Ubuntu is also discontinuing its homegrown music store, which sold individual music tracks. Purchase links for music files won’t appear, and many of the music scopes have now been moved to the universe repository.

But why now?

Will Cooke also explained why these changes are being made now. “By making these changes now we can better manage our development priorities, servers, network bandwidth, etc. throughout the LTS period.” That makes sense, but it’s actually a bit surprising. If the online search results and product links were actually profitable, saving money on network bandwidth and servers wouldn’t be an issue, presumably. Ubuntu must not be making much money from this stuff.
“We will not touch your existing settings,” the blog post says. So, if you upgrade to Ubuntu 16.04 without first disabling the online search results, you’ll need to do so after you upgrade. Previous releases of Ubuntu will still have online search results on by default. However, Canonical will be rolling out an update that removes the music store from previous versions of Ubuntu, too.
This is a big change to Ubuntu, and a welcome one. After all, when this feature was originally added to Ubuntu, there wasn’t even a graphical toggle to disable online search results. Users had to manually uninstall packages from their system, often using terminal commands, to remove results they didn’t want to see.

Monday, 7 December 2015

Apple's Swift programming language is now open-source and available on Linux



It’s all about the servers

Don’t expect Linux to easily run those fancy new Mac OS X, iPhone, or iPad applications written in Swift. Those depend on various user interface libraries that aren’t being open-sourced. Just as when Microsoft open-sourced .NET, Apple isn’t open-sourcing the user interface bits required to bring existing desktop or mobile applications to other platforms.
Many servers run Linux, and it’s that market that Apple is targeting here. A developer could write both an app and the server-side code for an app in Swift, running that code on a Linux server. Open-sourcing the platform also allows developers to improve Swift and contribute those improvements back to Apple, which benefits from them.
That said, there doesn’t seem to be anything stopping the Linux community from taking this Swift code and running with it. It could be ported to other Linux distributions, and could even form the foundation for many Linux desktop applications in the future with some more work.
Swift could run on Windows and Android in the future, too. Apple probably won’t port it to other platforms itself, but other developers could now take that open-source code and do the work.