• Informative and Restrained as opposed to Superficial and Flashy

    Infotech 2017 has started.

    And I am happy to notice that, except for one or two stands, things are much more “Informative and Restrained” compared to previous editions where things tended to be “Superficial and Flashy”.

    Allow me to explain.

    In Mauritius, for the past few years, we have become a nation of seminars, workshops, conferences and exhibitions and, unfortunately, many of them are quite superficial and very very flashy indeed. For the past six months, I have been to many such events where the venue was beautiful (a nice hotel with a beautiful view of the lagoon), the food was excellent, the hostesses out of this world but where, personally, I felt that there was not much to listen to and learn from, except from a minority of the speakers. This is what I call “Superficial and Flashy”.

    What I would prefer to have, from a personal point of view, is the kind of chaotic geekish meetup as pictured above. An event where intelligent people of all horizons can meet, exchange views, share ideas and move forward together. Of course, there is a need for a venue and some food but nothing ostentatious. This is what I call “Informative and Restrained”.

    The thing is that it is easier to do “Superficial and Flashy” than “Informative and Restrained”. The reason for that is that to be informative, the speakers need to be of high-caliber and need to be properly prepared.

    This is your typical Googler. Similar people are changing our world every day at Google, Facebook, Amazon, Apple, etc. but also in the IT divisions of most companies in the world. And, before you laugh, let me remind you that they run the world.

    Pictured above are some of the people who have basically built the world as it is known today. Without them, we would still be waiting for The A-Team to be shown on TV on Saturday night. They are Steve Jobs (Apple), Sergey Brin (Google), Bill Gates (Microsoft), Larry Page (Google), Mark Zuckerberg (Facebook) and Jeff Bezos (Amazon). The missing ones are Linus Torvalds (Linux) and Richard Stallman (Free Software Foundation).

    Of course, we won’t have Steve (RIP), Sergey, Bill, Larry, Mark, Jeff, Linus or Richard at Infotech. Maybe next year…

    But we’ll have the 2nd best thing: the (real) innovators of Mauritius, each on his/her respective “Informative and Restrained” stand and willing to share his/her passion with you.

    You just have to put aside your tendency to value the “Superficial and Flashy”, walk toward them and talk to them.

    Enjoy 🙂

    (First photo, courtesy of Le Méridien. Second photo, courtesy of Concept7. Third photo, courtesy of Business Insider. Fourth photo, courtesy of Youth Connect. Fifth photo, courtesy of PC Risk).

  • How to reduce the amount of disk space used by the systemd journal

    We, Linux people, generally use systemd now and one of its components is the journal controlled by the journalctl command line tool.

    As explained on the Arch wiki,

    systemd has its own logging system called the journal. The /var/log/journal/ directory is a part of the systemd package and the journal will write to /var/log/journal/

    The journal is always appended and therefore grows in size. On my laptop, the journal was taking 1.8Gb of space and was full of details which, I believe, I’ll never need. So I decided to clear all old contents (which the systemd people call a vacuum). I issued:

    journalctl --disk-usage
    journalctl --vacuum-size=64M
    journalctl --disk-usage

    And the journal immediately became smaller. I then issued a

    journalctl --verify

    which made me realise that some of the remaining journal files were corrupted (for some reason). There is no journal repair tool in systemd so I simply removed the offending files (with rm).

    Now, I can easily check my journal entries for today and I know everything will be all fine:

    journalctl --since today
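    The steps above as a small script, added here and not part of the original post: it lists the files that `journalctl --verify` reports as failed, quarantines them for later inspection instead of deleting them outright, and writes a journald drop-in so the journal stays capped rather than regrowing after a one-off vacuum. It assumes verify output lines of the form "PASS: <file>" and "FAIL: <file> (<reason>)"; the function names and the quarantine path are this example's own.

```shell
# failed_journal_files: read `journalctl --verify` output on stdin and print
# the path of every file that failed verification, one per line.
# Assumed line shape: "FAIL: /var/log/journal/<id>/<name>.journal (Bad message)"
failed_journal_files() {
    sed -n 's/^FAIL: \(.*\) (.*)$/\1/p'
}

# quarantine_journals QUARANTINE_DIR  (paths on stdin)
# Move each failed file into QUARANTINE_DIR instead of rm-ing it, so it can be
# looked at later (repeated corruption is worth correlating with disk errors).
# journald simply opens a fresh file once the broken one is gone.
quarantine_journals() {
    qdir=$1
    mkdir -p "$qdir" || return 1
    while IFS= read -r f; do
        [ -f "$f" ] && mv -- "$f" "$qdir/"
    done
    return 0
}

# write_journal_limit CONF_DIR SIZE
# Persist the cap as a journald.conf drop-in (SystemMaxUse= applies to the
# persistent journal under /var/log/journal), so the vacuum need not be repeated.
write_journal_limit() {
    conf_dir=$1
    size=$2
    mkdir -p "$conf_dir" || return 1
    printf '[Journal]\nSystemMaxUse=%s\n' "$size" > "$conf_dir/50-size.conf"
}

# Typical run as root (constructed usage, mirrors the post's commands):
#   journalctl --disk-usage
#   journalctl --vacuum-size=64M
#   journalctl --verify 2>&1 | failed_journal_files | quarantine_journals /root/bad-journals
#   write_journal_limit /etc/systemd/journald.conf.d 64M && systemctl restart systemd-journald
```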
    
    
  • Ghost Desktop on Xubuntu 17.04 won’t start

    Already before the migration from Joomla to Ghost last weekend, I ran the Ghost Desktop application on Windows. Now, after its successful completion, it was about time to get going on my other machines. You know, the ones away from the main rig… Usually used during the evening hours, just for fun, or for experimenting.

    Tonight, I decided to give one of my Linux systems some attention, started to upgrade some packages, and installed new software. Among them was the Ghost Desktop app for Linux. On the Ghost website you get version 1.3.0 (as of writing), and it’s a Debian package.

    Knowing that the desktop app is Electron-based, and having packaged a few Electron apps myself, I expected it to run on any Ubuntu-based system, too.
    Note: This post was written in Ghost Desktop running on Xubuntu 17.04 64bit

    Installation of Ghost Desktop

    Either you double-click on the downloaded .deb package and your system will prompt you to open/install the application in Software, or you can run the following command in the Terminal:

    $ sudo dpkg -i ~/Downloads/ghost-desktop-1.3.0-debian.deb 
    

    Ghost Desktop can then be launched via the Application Menu/Launcher under ghost-desktop or if you prefer the terminal:

    $ Ghost
    

    The problem: Ghost Desktop won’t start

    If you try to launch the application via the menu or any other GUI launcher you won’t get any response at all. The software just isn’t executed, it seems.

    Running it in the Terminal, by comparison, might produce the following output:

    $ Ghost
    A JavaScript error occurred in the main process
    Uncaught Exception:
    Error: Unable to find a valid app
        at Object.<anonymous> (/usr/lib/Ghost/resources/electron.asar/browser/init.js:121:9)
        at Object.<anonymous> (/usr/lib/Ghost/resources/electron.asar/browser/init.js:173:3)
        at Module._compile (module.js:571:32)
        at Object.Module._extensions..js (module.js:580:10)
        at Module.load (module.js:488:32)
        at tryModuleLoad (module.js:447:12)
        at Function.Module._load (module.js:439:3)
        at Module.runMain (module.js:605:10)
        at run (bootstrap_node.js:424:7)
        at startup (bootstrap_node.js:147:9)
    

    The solution: Set permissions

    Fortunately, this has already been reported on GitHub by user letsjustfixit. The issue is caused by a missing permission bit on the Electron app. A temporary workaround has been documented until the package is fixed.

    Run the following chmod to set read and execute bits on the Electron app and dependent components. Then launch Ghost Desktop again.

    $ sudo chmod -R +rx /usr/lib/Ghost/resources/app
    $ Ghost 
    
     ⚡️  Welcome to Ghost  👻
    
    
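    A slightly more careful version of the workaround above, added here and not code from the post or the Ghost project: it first lists which files under the app directory actually lack read (or, for directories, traverse) bits, then grants only what is missing. It uses chmod's capital X, which adds execute to directories and to files that are already executable, rather than "+rx", which would mark every data file under the tree executable. The function names are this example's own; the path from the post is /usr/lib/Ghost/resources/app.

```shell
# list_unreadable DIR: print entries under DIR that other users cannot read
# (regular files without o+r) or cannot traverse (directories without o+rx).
# Empty output means there is nothing to fix.
list_unreadable() {
    find "$1" \( \( -type d ! -perm -005 \) -o \( -type f ! -perm -004 \) \) -print | sort
}

# fix_app_perms DIR: make DIR world-readable and traversable. "X" only sets
# execute on directories and on files that already have an execute bit.
fix_app_perms() {
    chmod -R a+rX -- "$1"
}

# check_app DIR: report how many entries need fixing, fix them, and re-check.
# Returns 0 when nothing is left unreadable afterwards.
check_app() {
    n=$(list_unreadable "$1" | wc -l)
    echo "entries needing permission fixes: $n"
    [ "$n" -eq 0 ] && return 0
    fix_app_perms "$1" && [ -z "$(list_unreadable "$1")" ]
}

# Usage (constructed), as root, on the directory named in the post:
#   check_app /usr/lib/Ghost/resources/app && Ghost
```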

    Happy blogging!

    It’s great to see that such issues are handled on GitHub, and the "fix" is easily done.

    As maintainer of my own Electron-based applications, I’m interested in the root cause. So far, I haven’t come across a similar problem (touching wood!). I’m going to add this to my notes on Electron.

    If you’re familiar with this kind of problem regarding Electron packaging on Linux, give it a try to fix it. On my side, I have already cloned the Ghost-Desktop repository. Let’s see whether I’m able to create a pull request for the Ghost community.

  • Open and not extract .docx, .xlsx and .pptx files in the latest Gnome 3

    In the latest version of Gnome 3, a subtle change was brought to Nautilus, the file manager, to automatically extract the content of a ZIP file into a new folder when it is double-clicked, instead of opening an application to do so. The problem is that Microsoft Office files (.docx, .xlsx, .pptx, etc.) are ZIP files. This means that double-clicking on a .pptx file extracts its content instead of opening the file in, say, LibreOffice Impress!

    This makes life miserable for all those who need to open Microsoft Office files on a regular basis and, of course, this is a bug (as acknowledged by the Gnome people and the Red Hat / Fedora people).

    Fortunately, it is quite easy to make Nautilus become sane again. Open Preferences and in the Behavior tab, unselect “Extract the files on open” in the Compressed Files section.

    Phew!

  • World Creativity and Innovation Day

    [Image: panelists]

    Every 21 April, we celebrate the World Creativity and Innovation Day in Mauritius.

    This year, the Mauritius Research Council organised a workshop on Creativity and Innovation and the ICT Advisory Council, which I preside, was given a slot of 30 minutes. I quickly prepared a few slides the way I like them to be (beautiful, memorable and witty) and I asked Logan Velvindron and Ish Sookun, both members of the ICT Advisory Council, to join me in a panel on Creativity and Innovation among Youth.

    [Image: Albert Einstein]

    The first topic was about having fun when learning and creating. I mentioned that school and teachers can be boring, especially in our age of having Wikipedia and YouTube in our pockets. I said that it was time for our education system to become fun again, where young people can enjoy creating and learning a lot of new things in the process. Both Ish and Logan explained how much fun they have every day at work and how important this is for them.

    [Image: Steve Jobs]

    The second topic was about not being afraid to be different. In Mauritius, we have a culture of conformism. Women have specific roles to play. Kids also. And, of course, everyone should remain in his place. This is bullshit! Our world is created by people who think differently and who are not afraid to take risks and disrupt existing establishments… Logan and Ish told the audience how they discovered computers, decided to become geeks and do things differently from others. They were very thankful to have supportive parents who didn’t try to impose anything on them.

    [Image: Linus Torvalds]

    The third topic was about being a geek and the value of open source software for a country like Mauritius. I explained that open source software is free and this is very important for Mauritius, which is not a very rich country. But I also explained how having access to the source code of software is essential for Computer Science teachers like me to create the new generation of top programmers which Mauritius will need in the future. Young people cannot learn complex programming just by reading a book or listening to a teacher: they need to see real source code of real complex software. Logan and Ish explained how they got involved in open source software, how we all now form part of organisations such as the Linux User Group of Mauritius and Hackers.mu, and the value those organisations have.

    [Image: Sheryl Sandberg]

    The last topic was about being a doer rather than a talker and that aiming for perfection, while sometimes a good thing, can sometimes prevent us from achieving. This is something I have noticed over the years in Mauritius: we love our committees. Doers are not revered though. This mentality has to change. I told the audience that we are as good as anyone from anywhere, whether it is the USA or France or India. But we should stop focusing on doing speeches. We should identify small but important problems and find feasible solutions for them.

    After the panel, I got a question from Anibal Martinez who is collaborating with the Government to set up an incubator. He asked me how we can solve the Computer Science education issue in Mauritius.

    I told him that in the short term, a lot can be done with ad-hoc training courses, such as the ones that I provide at Knowledge Seven. But this is not a viable model for the country. In the medium to long term, state-funded universities should find a way to revamp their Computer Science departments, which are absolutely substandard at this moment, to produce an adequate number of very competent computer scientists every year. The industry is ready to move up a level but there are not enough competencies.

    Thanks to Ish and Logan for participating in the panel.

  • Big news ahead

    We will be present together with Avinash Meetoo at the World Innovation Day!

  • LUGM Statement on Ish Sookun

    The Managing Committee of The Linux User Group Meta (Mauritius) notes that one of its members, Ish Sookun, is currently being detained under The Prevention of Terrorism Act. Ish Sookun is a valued member of the LUGM and has actively participated in the promotion of open source software and technology in general in Mauritius. The Association appeals to the authorities for the investigation to be conducted in accordance with all laws, taking into consideration the rights of all parties while safeguarding the public interest.

  • Tell your SSL vendor to randomize the serial number of your certificate!

    Are you using SSL for your business?

    Like many of you, we rely on SSL for checking our mails and doing bank transfers. As I said previously, local banks reduce the amount of money spent on paper by actively encouraging clients to use Internet Banking. I have the latest Android on my mobile phone, and I can connect to Internet Banking using the latest security technologies. However, not everybody can afford the latest Android smartphone. A lot of people are still using Android KitKat in Mauritius. If tomorrow MCB or SBM decide to deprecate SHA-1 for their SSL (a hash algorithm which is getting dangerously weak) and go with SHA-256 (a more secure hash algorithm) only, a lot of clients might not be able to connect to Internet Banking. Why? Because much widely-used software does not support SHA-256 very well.

    What can we do with certificates with a SHA-1 hash?

    CloudFlare proposed here that, when generating certificates with a SHA-1 hash, the serial number should be randomized to make it more difficult to forge those digital certificates and impersonate your business. Note that this does not mean you can relax and stop advising your clients to upgrade their hardware and software. It buys your clients more time to properly budget for the upgrade costs of their hardware and software to be SHA-256 ready.

    For example, hackers.mu uses SSL. We asked on our SSL vendor’s forum about randomizing the serial number. We recommend that banks such as MCB and SBM ask their SSL vendors about the possibility of randomizing the serial number, with 20-bit entropy. Any other business that relies on SSL should consider formulating the same request to its SSL vendor. If your SSL vendor flatly refuses, then you have a reasonable argument for moving to another SSL vendor.
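    One way to check what your vendor actually issued, as an added example that is not part of the original post: measure how many significant bits the certificate's serial number has, from the serial openssl prints. A serial of only a few bits cannot carry the randomness the post asks for; a long serial is a necessary condition only (a long but sequential one is still guessable), so this is a first screen, not proof. The post's threshold is 20 bits; the CA/Browser Forum Baseline Requirements now require at least 64 bits of CSPRNG output. The function names and the hackers.mu host in the usage comment are this example's own assumptions.

```shell
# serial_bits HEX: number of significant bits in a hex serial number, as printed
# by `openssl x509 -serial` (colons allowed, leading zero bytes ignored).
serial_bits() {
    hex=$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F' | sed 's/^0*//')
    if [ -z "$hex" ]; then
        echo 0
        return
    fi
    first=$(printf '%s' "$hex" | cut -c1)
    rest_len=$(( ${#hex} - 1 ))
    # bits contributed by the leading hex digit, then 4 per remaining digit
    case $first in
        1)      lead=1 ;;
        [23])   lead=2 ;;
        [4567]) lead=3 ;;
        *)      lead=4 ;;
    esac
    echo $(( lead + 4 * rest_len ))
}

# serial_ok HEX MIN_BITS: succeeds when the serial has at least MIN_BITS
# significant bits (20 is the post's figure, 64 the current baseline requirement).
serial_ok() {
    [ "$(serial_bits "$1")" -ge "$2" ]
}

# cert_serial_bits HOST: fetch HOST's live certificate and measure its serial.
# Needs network access and openssl; not exercised offline.
cert_serial_bits() {
    serial=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -serial | sed 's/^serial=//')
    serial_bits "$serial"
}

# Usage (constructed):
#   serial_ok "$(openssl x509 -in cert.pem -noout -serial | sed 's/^serial=//')" 64
#   cert_serial_bits hackers.mu
```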

  • Wrong advice on Tor Usage from hacklog.mu

    Hacklog.mu presentation on Tor

    Hacklog.mu has a presentation on Tor on the following page. On the same page, SM mentions that HTML5 elements could be used to leak information about an Internet user even with Tor. This is correct. Several developers were aware of the problem, and there were plans to fix this in Orweb. See this URL for details. This vulnerability was reported in 2013 and fixed in the same year. The presentation by hacklog.mu took place in 2014.

    Firefox as the solution?

    Hacklog.mu uses Firefox from the Google Play Store and configures it to work with Tor. From a security perspective, Firefox leaks more metadata than Orweb or Tor Browser, because it lacks the patches that Orweb has. In fact, if you look at Tor Browser, you will realize that it’s a modified version of Firefox with a number of patches added to protect the privacy of the users. Those patches are not in Firefox. They provide several additional layers of security that Firefox on Android DOES NOT provide. The Tor Project constantly reworks the patches for their Tor Browser and applies the same design principles in Orweb/Orfox. See the design requirements for Orweb, Orfox and Tor Browser here. We tested with Orweb and Orfox, and neither leaks, according to browserleaks.org. It is highly questionable to use Firefox, even with a mobile proxy, as by default Firefox is not designed to be as secure as Orweb, Orfox and Tor Browser.

    Conclusion

    We recommend that Internet users who want to remain anonymous use Orweb/Orfox on Android and Tor Browser on their PCs instead of Firefox, and avoid the example presented on hacklog.mu. ^-^

  • Juniper backdoor explanation

    A simple explanation of a backdoor

    Irshaad Abdool contacted hackers.mu concerning the Juniper vulnerability here. Unfortunately, reverse engineering a firmware image and explaining assembly code doesn’t cut it for a lot of the young IT folks 🙂

    The vulnerability

    A strcmp() call was inserted. strcmp() is used for string comparisons. If the comparison succeeds, you can proceed; if not, you are denied. In this particular case, the call was inserted right before the normal authentication for SSH (or telnet). So you had your normal login, which went through the normal SSH (and telnet) code, but right before that, you had a special user that could log in and bypass the normal SSH and telnet login. That is, in summary, how this vulnerability works.

    If you have any questions, please send them to us 🙂