DistroWatch Weekly, Issue 658, 25 April 2016

Feature Story (by Jesse Smith)

Kali Linux 2016.1



Kali Linux, which was formerly known as BackTrack, is a forensic and security-focused distribution based on Debian's Testing branch. Kali Linux is designed with penetration testing, data recovery and threat detection in mind. The project switched over to a rolling release model earlier this year in an effort to provide more up to date security utilities to the distribution's users.



I have been finding a lot of posts about Kali Linux from Linux newcomers on various forums and social media recently and this surprised me. Kali Linux is not marketed toward novice users; in fact, the distribution has a fairly narrow focus (security, forensics and penetration testing), so I was eager to experiment with the distribution and see if I could find out why so many newcomers to Linux have been installing Kali as their first GNU/Linux distribution.



Kali Linux is available in two editions, with each edition available in 32-bit and 64-bit x86 builds. The main (or full) edition ships with the GNOME desktop and a large suite of security tools. The Light edition features fewer tools and the Xfce desktop. There is also an ARM port of Kali Linux. The 64-bit build of the main edition is 2.7GB in size and this is the ISO I downloaded for the purposes of my trial.



Booting from the Kali media brings up a menu where we can decide to launch a live desktop environment, launch a graphical installer or run a text installer. There are additional menu items for running a live desktop with persistent storage, either with or without the benefit of encryption. Selecting one of the live desktop options brings us to the GNOME Shell desktop. I found GNOME Shell worked well enough, but tended to be a bit sluggish when running from the live media. I was not able to find a system installer in the GNOME environment and so I rebooted and took the graphical installer option from the boot menu.





Kali Linux 2016.1 -- The application menu




Kali Linux uses Debian's system installer with its own custom branding. The installer walks us through its many screens, getting our preferred language, location, time zone and a password for the root account. Disk partitioning can be mostly automated via a guided partition option or we can manually partition our disk. I found the manual approach to be somewhat more complicated and involving more steps than what we would normally experience with other system installers. However, I was pleased to see Kali offers support for many file systems, including ext2/3/4, Btrfs, JFS and XFS. The system installer offers to connect to a software repository server to download fresh packages for the installation. I attempted this at first, but the repository mirrors my system tried to contact timed out and so I switched to simply making use of software available locally on Kali's DVD. Once Kali has been installed on our hard drive the installer offers to install the GRUB boot loader and we get to decide on which device GRUB will be placed. After that the system reboots and we can explore our local copy of Kali.



When our local copy of Kali boots, it brings us to a plain grey graphical login screen. From here we can start a GNOME Shell session. Though the login menu lists three sessions (GNOME, GNOME Classic and GNOME on Wayland), the GNOME on Wayland option returned me to the login screen and both the GNOME and GNOME Classic options presented me with very similar desktop environments. The Classic desktop featured an application menu and Activities menu while the GNOME Shell simply provided the Activities menu. Otherwise, for all practical purposes, the two GNOME sessions were identical.





Kali Linux 2016.1 -- Changing desktop settings




Since we only have a root user account upon installing Kali, one of the first things I did was venture into the GNOME control panel and open the account manager. This configuration module allowed me to set up a new user account and it insisted that I make an unusually long and complex password (without providing any tips on just how long or complex the password should be). This struck me as all the more frustrating as the account manager demands secure passwords while the operating system as a whole encourages the user to operate as the root user most of the time. I will come back to this design quirk later.



GNOME's application menu is divided into many categories of software. Actually, the menu is nested with multiple levels. At the top level we have categories of security-related software. For example, there is a Database Assessment category along with Password Attacks, Wireless Attacks, Forensics and so on. At the bottom of the menu is a category called Usual Applications. Most of the application launchers run command line applications which have short, cryptic names. This is made all the more frustrating as the application menu does not provide any description next to each application name to explain what the tool does. This means we are left to try to figure out what "dradis", "hamster" or "binwalk" might do, based on their executable names alone.





Kali Linux 2016.1 -- Running Metasploit




Under the Usual Applications section we find another menu tree with the usual categories and launchers one might find on any other Linux distribution running the GNOME desktop. The Usual Applications menu features the Iceweasel web browser, text editors and an image viewer. We also find the VLC and Totem media players. There is a launcher for configuring printers, but the printer configuration module does not work as there is no printing service enabled on the system. If we explore the system further we find Kali runs systemd 228 and version 4.3.0 of the Linux kernel.



Kali ships with a giant collection of utilities for cracking passwords, scanning networks, sniffing cookies from the network, scanning and testing databases, and deploying exploits. The majority of these tools are command line utilities and launching them from the application menu opens a terminal window in which the tool's help text is dumped to the screen. This approach is frustrating for two reasons. First, each tool usually has several pages of usage text which means we need to scroll back through it to find useful flags. Second, there are no examples or tips in the help text of these tools. In other words, if we haven't used the tool before there isn't anything to explain what the tool does or how it works. Kali's on-line documentation does point us toward some third-party resources, but for the most part we need to locate the websites of the utilities and hope they have useful documentation. There are a few utilities included with Kali Linux which feature nice, graphical interfaces. I used one for sniffing network packets and another for exploiting network connections and gathering cookies. The latter, a program called Fern, tended to lock up, but I was able to collect some web cookies on my network that were being passed over insecure connections.



Earlier I mentioned that when Kali's installer tried to contact a package mirror, it timed out, leaving me to install packages which were available locally on the Kali Linux DVD. This did not seem to be a problem at first, but it did mean that, post-install, the distribution's package manager was unable to install new software as it did not feature any default repositories. Kali's repositories then had to be manually added to the APT package manager's configuration.



Once I had set up repositories for Kali, I was able to use the GNOME Packages graphical package management front-end. GNOME Packages lists categories of software down the left side of its window and there is a search box in the upper-left corner we can use to find specific software by name. On the right side of the GNOME Packages window we find a list of software that has been found in the selected category or that has matched our search terms. We can click a box next to each package's entry to mark the software for installation or removal. I ran into several issues while trying to use GNOME Packages. The first and most obvious was that the interface was slow to respond and often sluggish when processing input. When installing new software, the Packages interface does not lock, but it will not perform any additional actions either. This means I tended to be left with an unresponsive interface while Packages was working and I was trying to search for a new application. Perhaps my biggest issue though was that sometimes, when I marked a package for installation, Packages would claim it had successfully installed the package, but the item could not be found on the system. Checking with the APT command line package management utilities would show the item had not been installed as the graphical utility had indicated. It also appears as though GNOME Packages does not process software upgrades and so I ended up using the command line APT utility almost exclusively for handling software packages.





Kali Linux 2016.1 -- Scanning for infected files




I tried running Kali on a desktop computer and in a VirtualBox virtual environment. Kali ran fairly well on the desktop machine. My screen's maximum resolution was detected and used, sound worked out of the box and Kali had no problem automatically setting up a network connection. Desktop performance was not great, but certainly usable. When running in VirtualBox, the distribution would run and was stable, but would not integrate with VirtualBox and Kali could not use my screen's full resolution. Adding the VirtualBox guest packages from the Kali repository fixed this and provided a much nicer (though often sluggish) experience. In either test environment, Kali Linux used approximately 580MB of memory when sitting idle at the GNOME desktop.



While Kali ships with an impressive arsenal of penetration testing software, there were a number of issues I ran into while using the distribution. Primary among them was the way the GNOME desktop kept getting in my way. Kali's GNOME Classic desktop has two application menus (the tree-style menu at the top of the screen and the Activities menu). Sometimes selecting the Activities menu would cause both menus to appear, competing for attention and making it difficult to select the application I wanted. I also found that moving my mouse over to the edge of the screen (particularly the top of the display) when I wanted to get the pointer out of the way or select something, would cause the Activities overview to engage. This basically stopped whatever I was doing in its tracks and required I switch back to the regular desktop view. Combined with GNOME's less than impressive responsiveness, it soon became frustrating trying to use Kali. I tried switching to GNOME Shell for a while, but since the forensics tools Kali ships with have cryptic names, the Activities menu, with its lack of tree-style categories, was nearly useless when it came to locating and launching Kali's utilities.



Another interesting quirk of Kali was that the distribution is designed to be run with root access all the time. This is quite unusual and an odd design choice for a distribution that is security oriented. I tried running Kali for a while with a non-root account and found most of the forensics and penetration testing tools would not run at all (or, if they did run, would not work properly) unless they were launched with root credentials.



Finally, Kali does not enable most background services by default and some of these, such as the PostgreSQL database, are required if we want to run some of the distribution's key utilities. The Kali documentation helps us deal with this and get the necessary services up and running.



Conclusions



By the time I was finished my trial with Kali Linux I was more puzzled than when I started as to why I keep hearing about new Linux users installing the distribution. Nothing on the project's website suggests it is a good distribution for beginners or, in fact, anyone other than security researchers. In fact, the Kali website specifically warns people about its nature.



That is not to say Kali isn't a good distribution. The project has a very precise mission: provide a wide variety of security tools in a live (and installable) package. As a live disc a professional can take with them to jobs and use from any computer, Kali does quite well. The catch is we need to already be familiar with the security tools Kali provides. Friendly and discoverable graphical applications are few and far between with Kali and almost everything is done from the command line.



Kali also presents us with an interesting situation where we can install the distribution on a hard drive, but it seems as though Kali Linux is designed to be used almost exclusively from a live USB/DVD medium. The distribution's focus on running tools as root and the nature of the packages it includes certainly make it a better live distribution than a day-to-day workstation operating system.



What I am dancing around is that what Kali is designed to do -- offer a huge buffet of security and penetration tools in a live environment -- the distribution does quite well. However, Kali is not designed to step outside of that niche. It is not a multi-purpose distribution, nor should it be, and I hope newcomers are discouraged from trying to use it as a regular desktop operating system.



Finally, I would like to mention something that using Kali Linux highlighted for me this week. Kali Linux is good at what it does: acting as a platform for up to date security utilities. But in using Kali, it became painfully clear that there is a lack of friendly open source security tools and an even greater lack of good documentation for these tools. Some of the tools Kali ships I had used before and some I had not. And, being exposed to the new tools, I was struck by just how unfriendly their help pages and documentation were for learning what each tool was and how it was to be used. This is not a fault of Kali Linux, but certainly a fault many upstream software projects share. I think we, as developers, need to be reminded that everyone uses our software for the first time once, and they're not likely to use it a second time if we do a poor job of making our software easy to learn.

* * * * *

Hardware used in this review



My physical test equipment for this review was a desktop HP Pavilion p6 Series with the following specifications:

Processor: Dual-core 2.8GHz AMD A4-3420 APU

Storage: 500GB Hitachi hard drive

Memory: 6GB of RAM

Networking: Realtek RTL8111 wired network card

Display: AMD Radeon HD 6410D video card

Miscellaneous News (by Jesse Smith)

Debian elects new leader, OpenMandriva launches build farm, Fedora 24 feature preview and Nard reaches 1.0



The election for the next Debian Project Leader has concluded with Mehdi Dogguy winning the election. Admittedly, Dogguy was running unopposed, but it was likely nice for him to see over 250 Debian developers (about a quarter of the total Debian developers) turn out to vote him into office anyway. The statistics of the vote can be found on Debian's website. Dogguy will maintain the position of Debian Project Leader for one year, with his term concluding in April 2017. Congratulations to Mehdi Dogguy!

* * * * *

The OpenMandriva team has announced a new component of their infrastructure: an automated build farm (ABF). The new build farm will assist developers in creating and distributing open source packages as well as track tasks. "Personal repository provides you with an easy way to distribute your software among [a] great number of Linux users by means of standard ways of software delivery. ABF will take care of package dependencies from both main repositories or extra and personal ones. Published a new package version? Users will be automatically notified about available update." Further details on the new automated build farm can be found in the project's announcement.

* * * * *

The Fedora team may still be polishing Fedora 24 (due to launch in June), but it is not too soon to look ahead to the next release. The release schedule for Fedora 25 has been posted with plans to release Fedora 25 around the start of November 2016. "We're currently planning on a beta release for Fedora 24 in two weeks, on May 3rd. This is running with a slightly tighter beta time frame than usual, with the aim of shipping the final release on June 7th. Remember that we always work to balance testing and quality with a predictable schedule. The first part of that means Fedora 24 may very well end up slipping another week, but the second means you can still expect Fedora 25 in early November - and then back on track for Fedora 26 in May, 2017."

* * * * *

The Nard SDK project is not exactly a Linux distribution in the usual sense. Nard is "a software development kit (SDK) for Raspberry Pi. Unlike 'ordinary' Linux distributions Nard is intended entirely for the development of MOTSicon pcb embedded systems running day and night for years in remote locations." The Nard project, which sits on our list of embedded Linux projects, hit a milestone last week, reaching version 1.0 after over two years of development. The project's lead developer, Ronny Nilsson, made the 1.0 release announcement and quickly outlined some of the project's features.

* * * * *

These and other news stories can be found on our Headlines page.





Guest Review (by Ivan D. Sanders)

elementary OS 0.3.2 "Freya" review



The most recent version of elementary OS, codenamed Freya, was released in December 2015 and is based on Ubuntu's 14.04 Long Term Support distribution. I downloaded the distro's ISO from their website, for a paltry fee of $0.00, and loaded it onto a USB using Unetbootin. After the quick Unetbootin boot-up screen, I found a familiar install process. elementary's installation process is beautiful, simple, and works. This is because the installation software, much like everything else in this distro, is based off of Ubuntu. Using the Ubuntu installer is very easy, but elementary turns it into an exercise in beauty as well. The install was quick, taking only about ten minutes to complete.



The first thing I noticed about elementary was the dock. The dock is located at the bottom of the screen and includes the applications that the elementary team thinks you will use most. Initially included on the dock are applications for music, pictures, videos, mail, the calendar, the web browser, and the settings panel.



The desktop environment on elementary is called Pantheon. Pantheon includes the dock at the bottom and the panel at the top. The panel at the top is a picture of sheer beauty, and I mean sheer. Where previously the panel was a solid bar at the top of the screen with text in it, it is now completely transparent. This gives the effect that the words are part of the screen. The panel includes the applications on the left, a clock in the middle, and the indicators on the right to show wi-fi, alerts, and battery life, among other things. Pantheon was overall a big hit for me, and I would love to see this desktop environment get ported over into other big distros. Unfortunately, Pantheon crashed many times during my use. Each time it automatically restarted and prompted me to send a bug report; I am disappointed by this instability.





elementary OS 0.3.2 -- An unexpected crash




Out of the box, elementary OS is stunning, beautiful, and simple. Clicking on the applications portion of the panel to peer deeper into the system, I was very surprised. elementary does not come pre-loaded with a lot of software. This is a reassurance that in the world of computing, a beautiful OS can be created but still give the user freedom to decide what packages they want. Unfortunately, elementary takes this too far. The distro comes with no office software, one text editor called Scratch, and almost no extras.



The file manager is simple. Fitting with elementary's theme, it is very straightforward. The music and video programs are also very simple. The music program reminded me very much of an old, preferred, and easier version of Apple's iTunes.





elementary OS 0.3.2 -- Ubuntu Software Centre




The package manager is APT/apt-get driven. Aptitude is not included in the install, but I was able to add it through the terminal without a problem. The Ubuntu Software Centre is standard on elementary OS. The search option on the Software Centre is easy to use, but I feel that the Software Centre is clunky. It is not my first choice when installing and searching for software. 90% of the time I still find myself skipping the Software Centre altogether; I will search for the software I want on the Internet and use the terminal to install it with APT or Aptitude.



Typically on Linux I use Thunderbird as my mail client because it comes pre-loaded on many distros. elementary OS comes with Geary as its e-mail client. Though I had previously verified with Google and set my security exceptions for Thunderbird, Geary did not inherit these exceptions on my newly installed OS (which is correct). Had it automatically logged into Gmail when I put in my credentials, I would have been somewhat scared! There is some security built into Geary and there is a simple method to get your e-mail service provider to accept Geary as your mail handling client. Also, Geary supports many e-mail providers (Yahoo, Google, etc). I found that Geary was easy to use and simple, much like the rest of the OS overall. I did, however, find myself generally using my web browser as my mail client. Though Geary may not have the same features as Thunderbird, it is lightweight and elegant. For those who do not need all of Thunderbird's features, Geary may be the fast and usable e-mail software for you. I was so happy with Geary that I may be making the switch to Geary myself.





elementary OS 0.3.2 -- The settings panel




Let's dive into Midori, the elementary OS web browser. Where elementary cultivates a refined, elegant look, Midori is one step back. It is simple and usable, but it is not pretty and it doesn't work with everything I use on the web. Simple meets clunky with Midori and I don't see anyone using this as their default browser past the time it requires them to search for "download Google Chrome" or to install Firefox. Midori does enable the user to search using the address bar and utilizes Google as its default search engine. Downloads are called "transfers" (only slightly confusing) and feature a bright red stop sign alongside the download's progress bar. The Midori icon is a Ying-Yang style blue globe on the left (Ying?) side and a green swoosh on the right (Yang?) side. As with the rest of Midori, I didn't even feel like the program's icon did any justice to elementary's graceful brand. Of the three big video providers (Netflix, Hulu, and YouTube), Midori was only able to stream videos from YouTube. Midori is an unrefined product overall; through my use of Midori it crashed to the bug report screen five times. Time to move on.



Like many modern Linux users, I use Steam to manage and supply me with all my gaming needs. When I say all, I mean all. It isn't because I have fully subscribed to some brand of Valve, but it is because Steam is organized, easy, and they have amazing sales. Also, I have been using Steam for eight years. It is established. I was able to download a Steam .deb file from their website (just by clicking Install Steam) and it again opened the Software Centre. The Software Centre, in turn, installed the Steam Launcher package and opened that program up. This program then downloaded the most recent Steam update, around 250-300MB worth of data (again, nothing strange here). But this is where I ran into trouble.



I never had any issues running Steam on any other Linux OS so far, but elementary gave me too many hiccups. My 32-bit libraries were not up to date, so I tried to install them. elementary had issues with the packages through APT, apt-get, and Aptitude, and they couldn't solve the issues without me removing tens of packages that appeared to be core to Pantheon and elementary. It took me about 30 minutes before I realized that this was going to be too much of an issue for a basic elementary user. elementary is supposed to be simple, easy to use, and chic; I am surprised by these software/desktop environment/driver integration issues.





elementary OS 0.3.2 -- Package management errors




Conclusions



elementary OS is pretty, but the distro's software integration and usability are not refined enough for an intermediate or advanced user. elementary is great if you want something lightweight, easy to use, and it is very intuitive, but don't expect to get a complicated and customizable distro out of it. The lack of pre-loaded software is a breath of fresh air, but does elementary take it too far?



Pros: Beautiful. Built off of Ubuntu and uses their repositories. Less pre-loaded software. Fewer settings to mess with. Did I mention it is very pretty? The panel in elementary is the most elegant interpretation of a panel I have seen. The dock is simple and works (that's saying a lot for docks right now).



Cons: Software and driver integration for some systems. Lack of pre-loaded software. Installing .deb files takes users to the (Ubuntu) Software Centre. Was unable to install and use Steam without removing approximately 50 elementary or Pantheon packages, and potentially breaking the beauty of Pantheon. Poor pre-installed web browser (Midori). Desktop environment (Pantheon) crashes were somewhat common and more annoying than I have seen on any of the big distros.



The bottom line: elementary OS Freya (0.3.2) is pretty, but it lacks refinement. If you're looking for an OS that is easy to use, you're not looking for heavy customization, and you don't want much out of the box, elementary is a beautiful option. If you need an OS with more capabilities, integration, software, and support, you may want to look elsewhere.

* * * * *

Summary of hardware used for this review:

ASUS Laptop K53E-BBR19-B1

Intel Core i5-2450M CPU @ 2.50GHz (Sandy Bridge)

Seagate Momentus 5400.6 ST9500325AS 500GB 5400 RPM 8MB Cache SATA 3.0Gb/s 2.5" Internal Notebook Hard Drive

Intel HD Graphics 3000 Shared system memory Integrated Card

8 GB (2x 4 GB) DDR3 RAM

Internal SATA DVD±R/RW

Qualcomm Atheros AR9485 Wireless Network Adapter

Qualcomm Atheros AR8151 v2.0 Gigabit Ethernet

HDA Intel PCH Internal Soundcard

Memory (RAM) elementary OS used from my machine at rest after boot-up:

Used: 710MB; Free: 7051MB; Total: 7761MB





Torrent Corner

Weekly Torrents



Bittorrent is a great way to transfer large files, particularly open source operating system images, from one place to another. Most bittorrent clients recover from dropped connections automatically, check the integrity of files and can re-download corrupted bits of data without starting a download over from scratch. These characteristics make bittorrent well suited for distributing open source operating systems, particularly to regions where Internet connections are slow or unstable.



Many Linux and BSD projects offer bittorrent as a download option, partly for the reasons listed above and partly because bittorrent's peer-to-peer nature takes some of the strain off the project's servers. However, some projects do not offer bittorrent as a download option. There can be several reasons for excluding bittorrent as an option. Some projects do not have enough time or volunteers, some may be restricted by their web host provider's terms of service. Whatever the reason, the lack of a bittorrent option puts more strain on a distribution's bandwidth and may prevent some people from downloading their preferred open source operating system.



With this in mind, DistroWatch plans to give back to the open source community by hosting and seeding bittorrent files. For now, we are hosting a small number of distribution torrents, listed below. The list of torrents offered will be updated each week and we invite readers to e-mail us with suggestions as to which distributions we should be hosting. When you message us, please place the word "Torrent" in the subject line, make sure to include a link to the ISO file you want us to seed. To help us maintain and grow this free service, please consider making a donation.



The table below provides a list of torrents we currently host. If you do not currently have a bittorrent client capable of handling the linked files, we suggest installing either the Transmission or KTorrent bittorrent clients.



Operating System | Torrent | MD5 checksum
OpenIndiana 2016.04 | OI-hipster-gui-20160421.iso | e9a748169a4d1898ba140c636b72ea59
Void 20160420 | void-live-x86_64-20160420.iso | 5fe78ba113dda980f0d61f76b102f38a
Quirky 8.0 | xerus64-8.0.iso | 87b28dbd636e383937a454b2356df129



Archives of our previously seeded torrents may be found here. All torrents we make available here are also listed on the very useful Linux Tracker website. Thanks to Linux Tracker we are able to share the following torrent statistics.



Torrent Corner statistics:

Total torrents seeded: 187

Total data uploaded: 34.8TB

Released Last Week

Upcoming Releases and Announcements

Opinion Poll

Are you using HTTPS on DistroWatch?



At the start of the year we enabled secure web (HTTPS) connections for the DistroWatch website. Our security certificate is kindly provided by the Let's Encrypt project free of charge.



While we do not deal with any sensitive information such as credit card data, login credentials or ISO downloads, using HTTPS allows people to browse our website and know they are communicating with the correct web server. This week we would like to know how many of our readers are using the secure connection and, if not, then why? Are readers not using the secure connection unaware that it exists, on slow connections where HTTPS results in noticeably slower page loads, or simply unconcerned regarding potential risks? We hope you will share your point of view in the comments.



You can see the results of our previous poll on voting for projects on our waiting list here. All previous poll results can be found in our poll archives.

Are you using HTTPS on DistroWatch?

I am using the HTTPS connection: 725 (46%)
I was not but will now start: 524 (33%)
I am not using HTTPS due to lack of security concerns: 202 (13%)
I am not using HTTPS due to performance limitations: 35 (2%)
Other: 104 (7%)

DistroWatch.com News