As Linux adoption expands, it’s increasingly important for the kernel community to improve the security of the world’s most widely used technology. Security is vital not only for enterprise customers, it’s also important for consumers, as 80 percent of mobile devices are powered by Linux. In this article, Linux kernel maintainer Greg Kroah-Hartman provides a glimpse into how the kernel community deals with vulnerabilities.

There will be bugs

As Linus Torvalds once said, most security holes are bugs, and bugs are part of the software development process. As long as the software is being written, there will be bugs.

“A bug is a bug. We don’t know if a bug is a security bug or not. There is a famous bug that I fixed and then three years later Red Hat realized it was a security hole,” said Kroah-Hartman.

There is not much the kernel community can do to eliminate bugs, but it can do more testing to find them. The kernel community now has its own security team that’s made up of kernel developers who know the core of the kernel.

“When we get a report, we involve the domain owner to fix the issue. In some cases it’s the same people, so we made them part of the security team to speed things up,” Kroah Hartman said. But he also stressed that all parts of the kernel have to be aware of these security issues because kernel is a trusted environment and they have to protect it.

“Once we fix things, we can put them in our stack analysis rules so that they are never reintroduced,” he said.

Besides fixing bugs, the community also continues to add hardening to the kernel. “We have realized that we need to have mitigations. We need hardening,” said Kroah-Hartman.

Huge efforts have been made by Kees Cook and others to take the hardening features that have been traditionally outside of the kernel and merge or adapt them for the kernel. With every kernel released, Cook provides a summary of all the new hardening features. But hardening the kernel is not enough, vendors have to enable the new features and take advantage of them. That’s not happening.  

Kroah-Hartman releases a stable kernel every week, and companies pick one to support for a longer period so that device manufacturers can take advantage of it. However, Kroah-Hartman has observed that, aside from the Google Pixel, most Android phones don’t include the additional hardening features, meaning all those phones are vulnerable. “People need to enable this stuff,” he said.

“I went out and bought all the top of the line phones based on kernel 4.4 to see which one actually updated. I found only one company that updated their kernel,” he said.  “I’m working through the whole supply chain trying to solve that problem because it’s a tough problem. There are many different groups involved — the SoC manufacturers, the carriers, and so on. The point is that they have to push the kernel that we create out to people.”

The good news is that unlike with consumer electronics, the big vendors like Red Hat and SUSE keep the kernel updated even in the enterprise environment. Modern systems with containers, pods, and virtualization make this even easier. It’s effortless to update and reboot with no downtime. It is, in fact, easier to keep things secure than it used to be.

Meltdown and Spectre

No security discussion is complete without the mention of Meltdown and Spectre. The kernel community is still working on fixes as new flaws are discovered. However, Intel has changed its approach in light of these events.

“They are reworking on how they approach security bugs and how they work with the community because they know they did it wrong,” Kroah-Hartman said. “The kernel has fixes for almost all of the big Spectre issues, but there is going to be a long tail of minor things.”

The good news is that these Intel vulnerabilities proved that things are getting better for the kernel community. “We are doing more testing. With the latest round of security patches, we worked on our own for four months before releasing them to the world because we were embargoed. But once they hit the real world, it made us realize how much we rely on the infrastructure we have built over the years to do this kind of testing, which ensures that we don’t have bugs before they hit other people,” he said. “So things are certainly getting better.”

The increasing focus on security is also creating more job opportunities for talented people. Since security is an area that gets eyeballs, those who want to build a career in kernel space, security is a good place to get started with.

“If there are people who want a job to do this type of work, we have plenty of companies who would love to hire them. I know some people who have started off fixing bugs and then got hired,” Kroah-Hartman said.

Check out the schedule of talks for Open Source Summit Europe and sign up to receive updates:

Time is precious, but hardly more so than in One Hour One Life. The mobile multiplayer survival game features an intriguing concept at its core. Your in-game lifespan is exactly as the title implies: one hour long. With each minute that ticks away representing an hour of time that’s passed in the game world,

As you struggle to make sense of your existence in this austere, hand-drawn world, you’ll try your best to leave some sort of memory behind, whether it’s in the form of your old children who follow you or the eventual technical advancements that will eventually come to the game. It’s all about relying on your fellow man to carry you – and carrying you in turn, which really results in something special.

The game can only be played online, meaning that all interactions that you have with other players will echo throughout the game for the foreseeable future. Yes, there’s permadeath, and yes, you’re going to die over and over. That’s a fact – best to get used to it early on. Following the game’s lengthy tutorial, you’re born into the world with one important goal: Survive, as long as you possibly can. Of course, this all greatly depends on what kind of mother you’re born to, oddly enough. This is a game that, like life itself, calculates success largely based on the hand you’re dealt at birth.

It’s possible the mother you’re born to is a robust fighter looking for another strong child to add to her brood, or you could even find that your new mom doesn’t care about you at all, can’t get you food, or even protect you from predators. Luckily, you can grow quickly to sustain yourself, but without your mother’s help early on death is almost certainly assured. This kind of game mechanic makes for some extremely interesting beginnings, especially as it means you must rely heavily on other, real people to make any progress through the game.

You’re not a helpless baby for long, though. Given that you age a year a minute, if you can survive long enough you’ll grow to an age where you’re no longer a burden on your mother and family and learn to help around the village gathering food supplies or at the very least not acting as a burden on other players. Until you’re past your early childhood years, you can’t even communicate properly with others – you’re relegated to basic words and phrases until you’ve survived long enough to receive that “privilege,” which may end up being for the best.

That’s the beauty of the game. You can act as you wish, whether it’s as a tyrant who destroys resources and steals food from other players, or you can play the role that was intended for you as you grow into an “elder” and find a place somewhere in the game where you can survive peacefully and act as a sort of beacon for others who make it as long as you do.

There’s a wide variety of crafting materials, and you’ll spend a lot of time tapping around to see exactly what you can create. The game’s environments are practically teeming with different things for you to use to make your own little life, including plants, animals, and organic materials practically begging you to create the basis for society with.

Ultimately, you’ll run into some difficult decisions during the game, and those are what make One Hour One Life such a harrowing title. It’s not dying of starvation in the middle of the woods or never surviving past your childhood. It’s having to decide, if you make it that far, whether your child should be wolf food or if you have enough resources to feed them and let them live to see old age (keeping in mind it’s another player). It’s having to figure out if you’re going to be patient enough to respect a village’s rules that were established long before you came around, or if you’re going to grief others and cause havoc during your entire time in-game.

The game itself is absolutely genius, with intriguing mechanics and survival elements that work together to make a functioning “society” full of real-life players, with those who are content to cause problems and others who just want to make it past their teens. Unfortunately, there are some particularly frustrating control elements when it comes to the touch controls, many of which have revolved around off-target taps and inaccurate swipes. Combining items with the crafting system can be a turnoff at first, because it simply feels like, at times, it isn’t working with you. Luckily, as you make additional attempts, it begins to feel a bit easier.

The game is actually based on a PC title by Jason Rohrer of the same name, and its mobile adaptation plays beautifully, just as mercilessly as the original, despite some touchy controls that could be worked out in a future update. Overall, however, it’s an intriguing social experiment disguised as a survival game that’ll really bring out some folks’ true colors.

If you’ve ever found yourself ruminating on the futility of life, this is certainly a game that’ll drive that point home even further. Prepare to have your spirits lifted in one minute, and then utterly destroyed in the next. Such is the nature of life.

Reviewer’s Note:  Following a lengthy amount of time spent playing OHOL for the review, I randomly became unable to access the game via servers on my iPhone X. The game was tested across multiple iOS devices, but I have since been unable to log into One Hour One Life, nor am I able to press the greyed-out “Start” button. I am continuing to pursue a way into the game and will likely be testing the game out on an Android device to discern what the problem could be. Since this doesn’t seem to be a widespread issue, we decided that it shouldn’t affect the review or the score for now.

Sockets are used for two different processes to share data or for shuttling information from one machine to another and the network. They are extremely useful and the basis of things like FTP, real-time network chat systems, secure shells, and so on.

For the fly-by programmer, sockets can be somewhat hard to get right, but by using a systemd’s socket units, you can make systemd do the heavy lifting.

Besides making sockets simpler to set up, systemd dumps whatever comes in through the socket to STDIN. This means you don’t have to bother with complicated socket management in you script; just pick up the data from STDIN and use it from there.

The other advantage is that systemd will make sure your socket is active only as long as necessary, waking it up when data is incoming, and closing it down again when it is done. This saves resources, as the server associated on the receiving side will be closed most of the time and will only be activated if a systemd socket unit detects activity on its port.

To see how all this works, first you’ll see how easy it is to send some strings of text over a systemd activated socket. Later, we’ll look at how to send a whole binary file. Finally, we will pick up the systemd-based surveillance system we have been developing over the past several installments and learn how to send the images it captures to your laptop.

DISCLAIMER: What you’ll see here are over-simplified examples created for teaching purposes only. Although they all work, there is no error-handling or security built into any of them. I don’t recommend you use them in a real-world scenario.

Sending Texts

Socket units are stupidly simple, or rather, they usually are. Although there are dozens of socket-specific directives you can use to fine tune your units, you will rarely use more than two, In this case, you do exactly that and use only a listening directive and the Accept directive:

# echo.socket

[Unit] Description = Echo server [Socket] ListenStream = 4444 Accept = yes [Install] WantedBy = sockets.target

That is what a basic socket file looks like. It has a [Socket] section where you specify what it has to listen for. Apart from streams, it cand listen for datagrams, sequential packages, and so on. On the other side of the = is where to listen from. You could specify a full IP address, file system socket or something else. A single number, like in this case, means a port. The socket unit above will be listening on the local machine to port 4444.

The other socket-specific directive is Accept. Accept by default is set to false, as this is used mostly for AF_UNIX sockets. Not to get into too much detail, but AF_UNIX sockets are sockets where the processes sharing the information reside on the same machine.

As you want to send information from one machine to another, you will be using an AF_INET, and for that the best thing to do is have Accept set to true or yes.

The service itself is also pretty basic:

# echo@.service

[Unit] Description=Echo server service [Service] ExecStart=/path/to/socketthing.py StandardInput=socket 

In most cases, the service will have the same name the socket unit, except with an @ and the service suffix. As your socket unit was echo.socket, your service will be echo@.service.

The service Type is simple, which is already the default, so there is no need to include it. ExecStart points to the socketthing.py script you will see in a minute, and the StandardInput for said script comes from the socket set up by echo.socket.

The socketthing.py script is barely three lines long:

#!/usr/bin/python

import sys

sys.stdout.write(sys.stdin.readline().strip().upper() + '\r\n')

What this does is read a line of text in from STDIN, which, as you saw, comes in via the socket. Then it strips all the spaces from the beginning and the end, and puts it into uppercase (sys.stdin.readline().strip().upper()). Finally it sends it back across the socket to the terminal of the sending computer (sys.stdout.write([...])). This means a user will connect to your receiving machine’s socket, type in a string, and will see it echoed back in CAPITAL LETTERS.

Start the socket unit with:

sudo systemctl start echo.socket

And echo.socket will automatically call echo@.service (which in turn runs socketthing.py) each time someone tries to push a string to the server through port 4444.

To do that, on the sending computer, you can use a program like socat:

$ socat - TCP:server_IP_address:4444

hello computer

HELLO COMPUTER

$

Although good for illustrating how to get started, this example is pretty pointless. Let’s do something a bit more useful and send over a whole file…

Transferring Files

For a systemd, there is no difference between sending a stream of text to a stream of binary data. In fact, to all practical effects the socket file is the same…

# filetrans.socket

[Unit] Description=File transfer server [Socket] ListenStream=4444 Accept=yes [Install] WantedBy=sockets.target

… As is the service unit:

# filetrans@.service

[Unit] Description=File transfer server service [Service] ExecStart=/path/to/socketfilething.py StandardInput=socket 

All you need to do is change the name and description of the services and have the “new” filetrans@.service point to a script that will handle the reception of the file.

In this case, the script, socketfilething.py, will handle PDFs coming from the sending computer:

#!/usr/bin/python

import sys output_file = open ("/path/to/store/test.pdf", "wb")

output_file.write(sys.stdin.buffer.read())

output_file.close()

You use sys.stdin.buffer.read() to read in a stream of binary data from STDIN, and, as you have opened test.pdf in write binary mode ("wb"), you can just write the stream passed down from the socket directly into the file.

To try this our, from the sending end of things, you can send the PDF file over the wire again using socat:

cat some.pdf | socat - TCP:192.168.1.111:4444

On the receiving end, a copy of some.pdf called test.pdf will pop up in the directory of your choice.

You can probably see where we are going with this and how we can use it in our systemd-powered surveillance system.

Surveillance Sockets

Again, on the receiving side, there is virtually no difference to either the socket unit:

# surveillance.socket #

[Unit] Description=Surveillance server [Socket] ListenStream=4444 Accept=yes [Install] WantedBy=sockets.target

… Or the service unit:

# surveillance@.service #

[Unit] Description=Surveillance server service [Service] ExecStart=/path/to/surveillancething.py StandardInput=socket 

Save for a change of name, description and the have it point to another script you can call surveillancething.py:

#!/usr/bin/python import sys from time import strftime fn = strftime("%Y_%m_%d_%H_%M_%S")+".jpg" output_file = open ("/path/to/store/" + fn, "wb")

output_file.write(sys.stdin.buffer.read()) output_file.close()

This new script is very similar to the prior one you used to send a PDF. The only difference is that, as the surveying machine sends an image every time it detects changes, you want to give each image you receive a unique name, preferably with a time stamp, hence the fn = strftime("%Y_%m_%d_%H_%M_%S")+".jpg" line.

On the surveying side, you only need to change the picmonitor.sh file so that it sends the new image over the socket:

#!/bin/bash

fn=`date|tr [:punct:][:space:] _`.jpg cp /home/[user name]/monitor/monitor.jpg /home/[user name]/monitor/$fn cat /home/[user name]/monitor/$fn | socat - TCP:192.168.1.111:4444

Start surveillance.socket on the server and picchanged.timer on the surveying machine, and you will start to receive images from your spying webcam.

Conclusion

And that’s it! Over the past few months, we have covered everything you need to know to get started writing systemd units. We have gone from the most basic service units, all the way through device event-activated services, timers, and more.

In case you missed anything, here’s an index to all the other systemd topics we have covered:

1. Basic Services: Writing Systemd Services for Fun and Profit
2. More Advanced Services: Beyond Starting and Stopping
3. Device aware services: Reacting to Change
4. Paths: Monitoring Files and Directories
5. Timers 1: Setting Up a Timer
6. Timers 2: Timers: Three Use Cases

Make the most of your time at Open Source Summit/ELC + OpenIoT Summit Europe!

Over a dozen events taking place alongside Open Source Summit and ELC+OpenIoT Summit Europe offer attendees even more ways to increase skills and connections – all in one trip. 300 conference sessions, 2000 attendees, 13 co-located events and dozens of event experiences; if you’re not registered yet, now is the time.

REGISTER NOW »

Sign up to receive updates on Open Source Summit Europe:

Co-Located Events:

Embedded Apprentice Linux Engineer Track – Mon., Oct. 22 & Tues., Oct. 23*

Are you an Embedded Engineer who is transitioning to using Linux? Embedded Apprentice Linux Engineer is a series of 8 seminars over 2 days taught by a professional Embedded Linux Instructor with years of practical experience.

OpenChain Workshop – The Supply Chain Compliance Solution (Not A Blockchain) – Tues., Oct. 23

The OpenChain Project defines the key requirements for a quality open source compliance program through a single, simple specification. This workshop will feature the latest developments around supply chain compliance and provide an excellent opportunity for attendees to both learn from and contribute to the project work teams.

Hyperledger Scotland Meetup – Tues., Oct. 23

Hyperledger is an open source collaborative effort created to advance cross-industry blockchain technologies. It is a global collaboration hosted by The Linux Foundation and including leaders in finance, banking, IoT, supply chains, manufacturing and technology. Hyperledger Meetup groups have an informal relationship with Hyperledger, and make up a key part of the Hyperledger ecosystem.

LF Energy Summit – Wed., Oct. 24*

The inaugural LF Energy Summit will focus on creating a shared vision to accelerate and transform the world’s relationship with energy by including the perspectives of power systems engineers and executives with open source developers. Together, we will identify the best paths to building a vibrant ecosystem with specific and practical outcomes for next steps and technical groups where companies and individuals can contribute. Space is limited, register today.

Linux in Safety-Critical Systems Summit – Wed., Oct. 24

This summit will inform interested developers and users about the activities and plans to support the use of Linux in safety-critical systems, presenting developments in the SIL2LinuxMP project and work from others that are valuable to the project.

IoT Apprentice Linux Engineer Track – Wed., Oct. 24*

The I-ALE program introduces Linux engineers to a more deeply embedded platform and programming. This series of 3 seminars will introduce you to a small micro controller on a board with various input and output devices which will allow you to build an Internet-connected device you can hang on your wall.

Linux Security Summit (LSS) Europe – Thurs., Oct. 25 & Fri, Oct. 26*

The Linux Security Summit (LSS) is a technical forum for collaboration between Linux developers, researchers, and end users. Its primary aim is to foster community efforts in analyzing and solving Linux security challenges.

Zephyr Hackathon – “Get Connected”  – Thurs., Oct. 25

Includes a Zephyr orientation session and the chance to learn the tips and tricks of setting up a development environment and working with Zephyr. Note: Currently Full, Waitlist Only.

Tracing Summit  – Thurs., Oct. 25

The goal of the Tracing Summit is to provide space for discussion between people of the various areas that benefit from tracing, namely parallel, distributed and/or real-time systems, as well as kernel development.

Linux Media Summit  – Thurs., Oct. 25

The Linux Media Summit is the premier forum to discuss the Linux multimedia development for cameras, audio and video streaming devices, analog/digital TV support, remote controller and HDMI Consumer Electronics Control (CEC) at the Linux Kernel and its userspace APIs.

Yocto Project Dev Day Europe 2018  – Thurs., Oct. 25*

A one day, hands-on training that puts you in direct contact with Yocto Project technical experts and developers. Its primary goal is to show developers how to create custom-build Linux distributions for embedded devices by using layers and recipes designed to resolve incompatibilities between different configurations.

Real-Time Summit  – Thurs., Oct. 25*

The Real-Time Summit is organized by the Linux Foundation Real-Time Linux (RTL) collaborative project. The event is intended to gather developers and users of the PREEMPT_RT patch, providing room for discussion between developers, tooling experts, and users. 

FOSSology – Hands on Training  – Thurs., Oct. 25*

This hands-on training session will provide this understanding of FOSSology, an open source license compliance software system and toolkit.

This hands-on training session will provide this understanding of FOSSology, an open source license compliance software system and toolkit.

*Co-located events with an additional fee are denoted with an asterisk.

In addition to all these great co-located event offerings, we want to remind you of all the other experiences that the conference provides for attendees.

Sunday, October 21

Better Together Diversity Social

Monday, October 22

Diversity Empowerment Summit

First-time Attendee Breakfast

Sightseeing Bus Tour

Women in Open Source Lunch

Attendee Opening Reception at the National Museum of Scotland

Tuesday, October 23

Open Source Career Breakfast

Diversity Empowerment Summit

Speed Networking & Mentoring

Onsite Attendee Reception & Sponsor + Technical Showcase

5K Fun Run

Partner Reception – Invitation Only

Wednesday, October 24

Morning Meditation

Diversity Empowerment Summit

REGISTER NOW »

Hey everyone!

I hope this note finds you well. For those who have been following and participating in our mixed reality journey, welcome to our new home in the Dynamics 365 blog! For those new to us, on behalf of everyone who works on mixed reality business applications at Microsoft it is our pleasure to meet you.

My name is Lorraine Bardeen, and I am the general manager of engineering for Mixed Reality Business Applications at Microsoft. I have the pleasure of working for James Phillips in the Business Applications Group and the privilege to lead a world-class team of engineers working to bring mixed reality to people and organizations across the globe.

I have been working on the mixed reality business for over six years and I still show up at work every day excited to work with customers, partners and developers to innovate and solve real problems using mixed reality. With mixed reality, we can understand data in context and simplify workflows to extend human ability. When this happens workers feel more effective, businesses see more progress and everyone has a chance to participate in the modern workplace.

Today marks an important day for all of us on the mixed reality business applications team. Today, we officially mark general availability of our first Dynamics 365 business applications: Dynamics 365 Remote Assist and Dynamics 365 Layout.

To celebrate this important milestone I wanted to write this post and share more about why mixed reality and Dynamics 365 have come together, what people can expect from these first mixed reality business applications, and how they are already being used and deployed.

Why mixed reality and Dynamics 365 have come together

A couple of weeks ago I had the opportunity to speak to press and analysts in San Francisco about mixed reality business applications at Microsoft. As part of that moment in time, Alysa Taylor talked about our vision for business applications and I had the chance to talk specifically about mixed reality. In particular I talked about why mixed reality and Dynamics 365 have come together and I wanted to share some of that with you here as well.

With Dynamics 365, customers are reimagining their business processes by leveraging modern, unified, intelligent and adaptable solutions that bring together the vast amounts of data across their organization to empower their employees with new tools to help them feel more effective at work. Factory and field service worker. Patient and provider. Storefront and supply chain. No silos — just customers, products, employees and data more closely connected than ever before. Mixed reality represents a totally new part of this solution because of the capabilities it provides.

We recognize that these employees need information in context to apply their knowledge and craft. Not only on a 2-D screen — but information and data in context, at the right place, and at the right time, that they can use hands-free so employees can produce even greater impact for their organizations. We’ve focused on integrating these mixed reailty business applications with the common data service that underlies Dynamics 365 so that companies get the full value of high-value data connecting the full workflow.

Introducing the general availability of Dynamics 365 Remote Assist

With today’s release of Dynamics 365 Remote Assist we are taking an important step forward in helping address some of the current, unmet needs of Firstline Workers. Firstline Workers represent more than 2 billion people in roles that make them the first points of contact between a company and the world it serves, between a company and its products. They are often the first to engage, the first to represent a company’s brand, the first on the scene to address a problem.

With Dynamics 365 Remote Assist we can enable technicians and remote experts to solve problems in real time with heads-up, hands-free video calling, annotations, and file sharing. By identifying and addressing issues accurately we can also eliminate the need for costly travel expenses while improving operational efficiency.

Organizations will be able to communicate securely with industry-leading identity and security measures, including Azure Active Directory. In addition, they will be able to leverage work order data from Dynamics 365 Field Service on-site using the common data service.

For business decision-makers looking for new ways to empower their employees and create more collaborative ways of problem-solving, this is pretty exciting stuff! But enough talking about it — here is Microsoft Dynamics 365 Remote Assist in action.

Introducing the general availability of Dynamics 365 Layout

Lastly, with today’s release of Dynamics 365 Layout we are now providing our customers and partners with a way to visualize room layouts in real-world scale. The ability to walk through proposed layouts in physical space or virtual reality. Review and make changes with stakeholders in real time, saving time and money. Move, resize and rotate 3-D models to edit layouts on the spot.

Here is a peek at Dynamics 365 Layout in action.

Mixed reality business applications being deployed

About four months ago we released the public preview of our two mixed reality business applications. During that time, we had the chance to work with and learn from many great companies, and I wanted to take a moment to spotlight a couple of them here.

ZF Group

A great way to see Remote Assist and Layout in action is through the work of ZF Group, a German car-parts manufacturer headquartered in Friedrichshafen. An early partner on our journey, ZF Group has been working with us over the past few months to help ensure these apps, even in preview, are crafted with insights from those who will be using them daily to get their work done. In developing these apps with customers, we are not only looking to make great software — we’re looking to empower the Firstline Workers using the apps.

Learn more about how ZF Group uses Microsoft mixed reality tools.

Chevron

Chevron is already achieving real, measurable results with its global HoloLens deployment. Previously it was required to fly in an inspector from Houston to a facility in Singapore once a month to inspect equipment. Now it has in-time inspection using Dynamics 365 Remote Assist and can identify issues or provide approvals immediately. In addition, remote collaboration and assistance have helped the company operate more safely in a better work environment, serving as a connection point between firstline workers and remote experts, as well as cutting down on travel and eliminating risks associated with employee travel.

Learn how Chevron is deploying Microsoft Dynamics 365 Remote Assist and Microsoft HoloLens.

This is just the beginning! We will have a lot more to share in the months ahead, and I am looking forward to sharing more then.

As always, I’m available on Twitter (@lorrainebardeen) and eager to hear about what you’re doing with mixed reality.

Learn more

Legendary AF. ? #Hellboy - In theaters April 12, 2019. pic.twitter.com/SxMCFet9wt

— Hellboy (@HellboyMovie) October 1, 2018