DistroWatch Weekly, Issue 603, 30 March 2015

Feature Story (by Jesse Smith)

Privacy and Tails 1.3



Privacy and security are difficult to come by in our progressively connected world. Advertisers track our browsing habits, employers monitor productivity and government agencies monitor our communications. Most operating systems do not take steps to protect our privacy or our identities, two things which are increasingly difficult to guard. Tails is a Linux distribution that is designed to help us stay anonymous on-line and protect our identity. Tails is a Debian-based live disc that we can use to scrub our files of meta data, browse the web with some degree of anonymity and send private messages. According to the project's website, "Tails is a live operating system, that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity, and helps you to: use the Internet anonymously and circumvent censorship; all connections to the Internet are forced to go through the Tor network; leave no trace on the computer you are using unless you ask it explicitly; use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging."



The latest release of Tails, version 1.3, ships with the Electrum Bitcoin wallet and an updated web browser that limits reading & writing data to specific directories. The developers of Tails go out of their way to point out that while Tails should help to keep people anonymous and secure when on-line, the software does have limitations. In other words, Tails is one tool that can be used to help keep our on-line activities private, but it is not perfect and additional precautions should be taken.





Tails 1.3 -- Browsing the web through Tor

(full image size: 153kB, resolution: 1280x1024 pixels)



I downloaded the 910MB image of Tails 1.3. Booting from the live media brings up a graphical screen. A menu then appears asking if we would like to configure the Tails environment. If we select "No" on this screen, then we are immediately brought to GNOME 3's Classic desktop environment. Selecting "Yes" brings up a configuration screen with a short list of options. The configuration screen allows us to set an administrative password on our live session and enable "camouflage" which makes the desktop environment resemble Windows 8. We can also enable/disable the spoofing of MAC addresses and configure network settings such as the operating system's firewall and proxy settings. At the bottom of the display we find options for switching between two languages (English and German) and changing our keyboard's layout.



Tails uses the GNOME Classic desktop with the application menu and system tray positioned at the top of the screen. The task switcher panel is placed at the bottom of the screen. The desktop's wallpaper is a neutral blue and on the desktop we find icons for opening the file manager, reporting bugs and accessing the Tails documentation. Clicking the icon for reporting a bug opens a web browser which displays the Tails documentation and support portal. The documentation icon opens a local copy of the project's Getting Started guide. In the upper-right corner of the screen we can find an icon that resembles an onion. This onion icon indicates whether we are connected to the Tor network and clicking the icon allows us to view information about Tor and change our network settings as they relate to Tor.



I experimented with running Tails with the Windows 8 themed desktop. I think the Windows theme holds up fairly well, at least if another person merely glances at the screen. The desktop generally resembles Windows 8 and the only icon on the desktop is a recycle bin. The task switcher and system tray are positioned at the bottom of the screen. The main thing which gives away the fact we are not running Windows is the desktop's traditional application menu.





Tails 1.3 -- Blending into the crowd with the Windows desktop theme

(full image size: 533kB, resolution: 1280x1024 pixels)



During my trial, I tried running Tails on a physical desktop computer and in a VirtualBox virtual machine. In both environments Tails performed well. Networking and audio functioned out of the box and my screen was set to its maximum resolution. Tails integrates with VirtualBox well and I was pleased to see Tails will detect when it is running in a virtual machine and display a warning, letting the user know the operating system is running on virtual hardware. When the operating system shuts down it ejects our live media and wipes the computer's memory in an attempt to remove all trace that Tails was being used. I found the distribution required about 220MB of memory when sitting idle at the GNOME Classic desktop.



Tails ships with quite a number of applications. We are given the Firefox web browser (version 31), the Claws Mail e-mail application, the Electrum Bitcoin wallet, the Pidgin instant messaging software and the Gobby collaborative document editor. Tails provides us with a copy of the LibreOffice productivity suite, a document viewer, the GNU Image Manipulation Program and the Inkscape vector drawing software. The distribution ships with the Scribus desktop publishing application, a sound recorder and a meta data removal tool to scrub identifying information from files. In the application menu we find the Audacity audio editor, the Brasero disc burning software, the Totem video player and the PiTiVi video editor. The distribution also ships with an audio CD ripper, the Traverso audio recording and editing software and a full complement of multimedia codecs. The WhisperBack application is available to help us send encrypted bug reports and there are tools for creating and removing persistent volumes. The persistent volume utility appears to only work if we are running Tails from a USB flash drive. Tails ships with accessibility tools, including a virtual keyboard, the Orca screen reader and the Dasher predictive text selection program. Further, Tails ships with an archive manager, a calculator, a text editor and the KeePassX password manager. There is also a program for verifying the checksum hashes of files and text. Java is available with the distribution and there are a number of small configuration tools for changing the look of the GNOME Classic desktop. In the background we find the Linux kernel, version 3.16.





Tails 1.3 -- Scrubbing meta data from files

(full image size: 141kB, resolution: 1280x1024 pixels)



I found the software that ships with Tails generally works well and I did not run into any serious bugs. I do feel there are some applications and characteristics of the distribution that are worth mentioning. One is that the Firefox web browser can be run in one of two modes, Tor and Unsafe. The Unsafe version of the browser does not run network traffic through Tor and should probably not be used if we wish to remain anonymous. The Unsafe version of Firefox has a red theme to remind us it is not the recommended way to browse the web. The Tor version of the browser looks like plain, regular Firefox, but the browser does ship with extra add-ons enabled. The Firefox web browser has AdBlock Plus, HTTPS-Everywhere and NoScript enabled. In addition, the browser has a Tor button in the upper-left quadrant of the window that allows us to change our security settings and select a new Tor identity.



Another aspect of the distribution worth mentioning is Tails allows us to install additional software using the Synaptic package manager. To work with Synaptic we should set a password on the root account first using the configuration screen that is available when we first boot Tails. Using Synaptic we can connect to the Debian, Tails and Tor software repositories to download additional applications. Since Tails is usually run as a live disc the programs we install will not persist across a reboot and should be small enough to fit inside our computer's memory.



I think it should be noted that while our web traffic and, I think, our messaging traffic are routed through Tor, we can still access services on the local network. For example, I was able to connect to OpenSSH servers on my local network by specifying the remote host's IP address. This direct access to servers can be convenient, but it side-steps the anonymity of Tor and should be avoided.





Tails 1.3 -- Checking messages with Claws Mail

(full image size: 172kB, resolution: 1280x1024 pixels)



Conclusions



Tails is one of my favourite types of distributions to review. The project has a clear set of goals: providing anonymous browsing and secure messaging without leaving behind any trace of our activity. The distribution worked well in my test environments; I did not run into any problems and all the software that shipped with Tails worked as expected.



For most people I think setting up something like Tor is probably going to be confusing and some people will make mistakes trying to add security software to their computers. Having a project like Tails means a person interested in privacy can download (or otherwise acquire) a copy of the live disc, put it in their computer and just start using it. While Tails cannot provide perfect security and anonymity, it is probably one of the best "boot and go" security distributions currently available.



I like that the Firefox web browser ships with several extra add-ons to further protect the user and provide additional guards against tracking and man-in-the-middle attacks. I further appreciate that Claws Mail makes it easy to encrypt e-mail messages, assuming we have access to another person's public security keys. I also like that Claws Mail will warn us that parts of our e-mail message may not be encrypted, depending on our settings.



The one thing I missed while using Tails was a simple key/encryption utility such as KGpg. While Claws Mail will send encrypted messages and do some basic key handling for us, I think having a dedicated encryption/key application would be beneficial.



Perhaps my favourite Tails feature is the project's documentation. The user guide is well organized and explains concepts clearly, in a way I feel most users (even less technically minded ones) will understand. It is easy to make mistakes when trying to be secure on-line and the Tails documentation does a great job of warning people about potential dangers and explaining both the features and limitations of the Tails distribution. For people who need to communicate privately on-line, I believe Tails to be a very useful tool.

* * * * *

Hardware used in this review



My physical test equipment for this review was a desktop HP Pavilion p6 Series with the following specifications:

Processor: Dual-core 2.8GHz AMD A4-3420 APU

Storage: 500GB Hitachi hard drive

Memory: 6GB of RAM

Networking: Realtek RTL8111 wired network card

Display: AMD Radeon HD 6410D video card

Miscellaneous News (by Jesse Smith)

Kubuntu prepares to roll out Plasma 5, Debian's Project Leader election update and a web-based LibreOffice in the works



Jonathan Riddell, Kubuntu's lead developer, blogged last week and talked about some of the important changes coming to the Kubuntu distribution. One such change is the switch from using KDE 4 to Plasma 5. Riddell claims Kubuntu will be the first Linux distribution to offer a stable release with the Plasma 5 desktop. Riddell also had some thoughts to share on Ubuntu adopting systemd: "Last week Ubuntu switched over to systemd for [its] boot system. It's complex and faffy but at least we have the same complex and faffy as the rest of the world. There was a strange issue during the switchover where login manager SDDM suddenly disabled itself from starting. If you get that just run: `systemctl enable sddm'."

* * * * *

The election for the next Debian Project Leader (DPL) is now in full swing. The campaigning part of the election where candidates get to discuss their platforms is nearly at an end. Later this week, starting April 1st, Debian developers will begin casting their votes for their next Fearless Leader. There are three nominees for DPL and they have presented their platforms. The nominees are: Mehdi Dogguy, Gergely Nagy and Neil McGovern. The election for DPL will conclude on April 14th.

* * * * *

The Fedora Magazine reported last week that an on-line version of LibreOffice will soon be available. LibreOffice Online will serve as a competitor to Google Docs and Microsoft's Office 365. LibreOffice Online is being developed as a joint project between Collabora and IceWarp and both organizations say they will be working closely with the upstream LibreOffice project. Collabora's announcement has more details: "The lightweight document management features already built into the collaboration and messaging solution, IceWarp Server, allow users to store, manage and preview office documents in the web browser, without having any office suite installed on their computers. To edit the documents, IceWarp provides a seamless connection between its web-based storage and productivity applications installed on [the] user's computer. The growing popularity of these features led IceWarp developers to consider how best to do without an office suite completely, and move it into the browser." The proposed solution could be attractive to people who need to work from the road or collaborate on documents with peers.





Humour (by Jesse Smith)

The systemd Project Forks the Linux Kernel



The systemd project began as an alternative implementation of init, the software which brings an operating system on-line when a computer boots. Traditionally, Linux distributions have used either the SysV init software or Upstart. While these older init systems had their benefits, systemd developers saw room for improvement and the chance to leverage several underutilized features available to modern Linux distributions. Using systemd, distributions are able to more easily start services in parallel, simplify service dependencies and make easier use of cgroups.



Many people in the Linux community have welcomed the improvements systemd's init implementation brings and have praised the speed and ease of use systemd provides to the distributions adopting the new init implementation. The benefits of systemd have caused most mainstream Linux distributions, including Fedora, openSUSE, Mageia and Debian, to replace their ageing init software with systemd packages. Later this year, Ubuntu will switch from using Upstart to systemd, with Ubuntu community distributions expected to follow. Only a few conservative or experimental distributions such as Slackware and Void have stuck with alternative init software.



Despite systemd's many benefits and modern features, some people in the Linux community are wary of the project and its rapid expansion. One common concern is the systemd project has a habit of taking on additional features outside the scope of a traditional init implementation. To date, systemd has taken on logging, time synchronization, mounting partitions, a console daemon (replacing the Linux virtual terminal), login sessions and seats, network configuration and device management. Some people feel the systemd project should focus on performing one task well while allowing separate projects to handle other tasks. Detractors of systemd point out the UNIX Philosophy recommends each project have a narrow focus and try to do one thing well while playing nicely with other projects. Lennart Poettering, the founder and lead developer of systemd, argues the systemd project is more UNIX-like than the way Linux distributions have traditionally been developed, in large part because systemd brings many small projects under one umbrella: " In fact the design of systemd as a suite of integrated tools that each have their individual purposes, but when used together are more than just the sum of the parts, that's pretty much at the core of UNIX philosophy. Then, the way our project is handled (i.e. maintaining much of the core OS in a single git repository) is much closer to the BSD model (which is a true UNIX, unlike Linux) of doing things (where most of the core OS is kept in a single CVS/SVN repository) than things on Linux ever were. "



The systemd developers have occasionally bumped heads with developers working on other projects, perhaps most notably Linus Torvalds, lead developer of the Linux kernel. Since systemd's init software works to bring the operating system on-line at boot time, systemd needs to work closely with the kernel and this can cause problems. In fact, some conflict and proposed solutions have resulted in at least one systemd developer getting banned from contributing to the Linux kernel.



Now it appears as though the systemd developers have found a solution to kernel compatibility problems and a way to extend their philosophy of placing all key operating system components in one repository. According to Ivan Gotyaovich, one of the developers working on systemd, the project intends to maintain its own fork of the Linux kernel. " There are problems, problems in collaboration, problems with compatibility across versions. Forking the kernel gives us control over these issues, gives us control over almost all key parts of the stack. "



In essence, systemd will gain another component, the Linux kernel, which can be patched as needed to work better with other systemd components. Having both the init software and the kernel managed by one project will also allow bug fixes to be addressed more quickly and avoid conflict between Linux and systemd developers. Ivan says systemd developers plan to merge improvements and changes from Torvalds' kernel into the systemd project and, in an e-mail, confirmed systemd developers will make their own patches public so they can be merged back into Linus' Linux.



Having two versions of the Linux kernel raises concerns about compatibility, but Ivan Gotyaovich states the systemd developers will work hard to maintain ABI compatibility and avoid breaking any userspace packages. He also states this could be an exciting time for Linux users: " Since until now development of GNU/Linux has been fragmented, slowed by poor communication and conflicting designs. Our systemd project offers distributions a united core where almost all key components live. Soon we will not need dozens of separate userland components talking with an alien kernel. All components will work together by design. We will no longer need GNU/udev/ntpd/NetworkManager/syslogd/Linux. Instead we will soon have GNU/systemd, [a] much simpler, unified platform. GNU/systemd will be a better target for third-party developers and easier to support. "



While some members of the Linux community may not like the idea of a further expanding systemd project, it is hard to deny GNU/Linux has been a difficult platform for independent software vendors, particularly game developers. Products like WPS and Steam tend to target one or two specific distributions and leave porting and compatibility issues up to individual distributions to solve. Having one united core operating system for Linux users may make the platform more attractive to a wider range of companies and developers who do not have the resources to properly support the hundreds of permutations of software found across GNU/Linux distributions.



What do you think of a united GNU/systemd operating system? Is this a way for Linux distributions to become more standardized, the way other platforms like OS X and FreeBSD are? Or is the systemd project expanding too far, taking on more than its developers should? Leave us a comment below with your thoughts on the subject.





Book Review (by Jesse Smith)

Linux Firewalls (Fourth Edition)



Last November I talked about an educational text called The Book of PF. The Book of PF talks about firewalls and packet filtering on OpenBSD, FreeBSD and other operating systems in the BSD family. The book is filled with short examples and bits of practical wisdom that guide the reader through setting up packet filtering on the BSD family of operating systems. Despite its powerful nature and straightforward syntax, PF is not available on Linux and so I wanted to explore another text that would talk about the powerful firewall technologies available to Linux users. To that end, I picked up a copy of "Linux Firewalls: Enhancing Security with nftables and Beyond" by Steve Suehring.



While I have used Linux for many years and set up many a firewall using Linux distributions, I tend not to deal with the low-level commands that are at the heart of Linux firewalls. In my work I can usually get away with using a convenient front-end to Linux firewall technology such as UFW or FirewallD. It is not often I need to descend deeper to work with iptables and I have not, to date, ever had the need to work with the more modern nftables, which appeared in version 3.13 of the Linux kernel. Reading the book Linux Firewalls seemed like a good opportunity to learn about the benefits of nftables.



One of the first things to stand out about Linux Firewalls is that the author tends to take a high level approach when discussing topics. The book talks a lot about theory and general ideas, more so than diving into practical examples. I suspect the author did this because networking concepts stay more or less the same over time while specific implementations of firewalls and networking tools change. By taking an abstract view of networking, the material covered in Linux Firewalls will probably remain relevant even after iptables and nftables become obsolete. The abstract approach is perhaps most apparent in the chapter on virtual private networks (VPNs). The book talks a bit about what a VPN is and why we might use one and even mentions three VPN packages available for Linux. However, there is no discussion about how to set up a VPN or how to securely configure a VPN. Such information, which is likely to be distribution and/or package specific, is left for the reader to look up in other resources.



Another thing I noticed about Linux Firewalls is the book appears to work from the assumption we are passingly familiar with other firewall technologies, such as iptables, and that we are reading this book to either polish our knowledge of iptables or we want to learn about nftables while using iptables as a reference point. In this way Linux Firewalls is probably not intended as a beginner text and is better suited to either freshen up our existing knowledge or expand our knowledge from one packet filter implementation to another. People already somewhat familiar with iptables will likely appreciate this direct approach and lack of hand holding. However, newcomers to Linux and/or firewalls may feel overwhelmed as the book dives quickly into the subject matter.



One aspect of Linux Firewalls I appreciated was that there are reference implementations of complex firewalls in the book's Appendix B. The Appendix provides a number of examples and scripts for setting up complete firewalls. The scripts include variables and flags we can set, customizing the scripts to our specific network. By just adjusting two or three lines of the provided scripts we can tailor the provided firewall recipe to our network and quickly enable or disable specific services. Usually I recommend against copy/pasting code from a reference into a live network environment, but these examples appear flexible enough to work in many cases with minimal adjustments.



On the other hand, I found Linux Firewalls was often terse in its explanations and instructions. I had the impression the author assumed the reader would have a strong working knowledge of Linux and feel comfortable performing tasks I would consider advanced concepts. As an example, early on we are told we may need to enable a specific feature by "using make config, make menuconfig or make xconfig and then recompile and install the new kernel". To an experienced Linux system administrator this idea may seem straightforward, but less experienced users may be wondering where they can download the kernel's source code, what to select after they run "make menuconfig", what the difference is between "make config" and "make xconfig" and how to compile and install a kernel from source code. The answers to these questions are provided elsewhere and the book does not dive into the details, instead sticking to higher level concepts and moving on to tackle the next firewall-related topic.



Earlier I mentioned The Book of PF and that is mostly so I can contrast the two texts. The Book of PF has a very "hands on" approach to dealing with firewalls. We are shown brief examples and the mechanics of those examples are explored. As the book goes on the examples grow and we see the pieces of firewall configuration snap together like building blocks. The Book of PF shows us the differences between PF implementations and is written for specific versions of PF, OpenBSD and FreeBSD. By comparison, Linux Firewalls is quite a different sort of resource. In Linux Firewalls we deal more with abstract concepts and then we get to see firewall configurations which demonstrate these concepts. While Linux Firewalls does provide examples, I feel individual components are explored less, in favour of dealing with more topics such as security, network monitoring and packet forwarding. I think Linux Firewalls covers more territory as far as big-picture networking is concerned and the material covered is less tied to a specific distribution or technology.



To put it another way, I feel Linux Firewalls is like a chemistry textbook where we learn about atoms and molecules bonding and we get to see instructions on how to cause certain reactions. The Book of PF is more like a home chemistry set where we touch and mix bits of material together to see what happens. Both approaches are valid and both are good teaching tools, but chances are each person will have a preference for one style of learning over the other.



I want to stress that one nice thing about Linux Firewalls is the book is distribution agnostic. The nftables examples provided in the text should work with any modern Linux distribution and the iptables examples should work with every Linux distribution. This is nice as it makes the book practical for any Linux administrator without tying us to one distribution. This book does jump straight into advanced concepts, making it more of a resource for upgrading our skills rather than a beginner guide. This is also one of the few texts I've encountered that explores the relatively young nftables packet filtering technology in Linux and I found it useful for exploring the topic.

* * * * *

Title: Linux Firewalls: Enhancing Security with nftables and Beyond (Fourth Edition)

Author: Steve Suehring

Published by: Pearson

Pages: 432

ISBN-10: 0-13-400002-1

ISBN-13: 978-0-13-400002-2

Available from: InformIT and Amazon

Ask A Leader

Ask A Leader: Introduction



At DistroWatch we talk about a lot of open source operating systems and we have a great time sharing new technology with you. We always try to focus on distributions and features we feel our readers will find interesting. However, sometimes we overlook things people later tell us they are interested in and, other times, we hear from distribution developers asking why we have not mentioned a special aspect of their project. We love talking about technology, but we just can't cover every characteristic of every distribution.



With this in mind we are going to try an experiment where our readers have a more direct way to communicate with leaders in the open source community. You will be able to ask questions and developers can share their cool new features. We are calling our new column Ask A Leader. Through this column readers will have a chance to submit questions on any subject to a member of the open source community. The open source leader or developer will respond to the questions and talk about the cool new projects they are working on. We will then post their answers and comments here in the Ask A Leader column.



This week we are happy to present several leaders who have kindly volunteered to answer your questions. They are:

Matthew Miller of the Fedora Project

Jeff Hoogland from Bodhi Linux

Sunit Kumar Nandi of the SuperX distribution

Dru Lavigne from the PC-BSD project

To ask these leaders a question, please leave a comment below with "Ask A Leader" in the subject line along with the name of the person you want to answer your question. For example, "Ask A Leader: Matthew Miller". Feel free to ask as many questions as you like. You can also e-mail your questions to jsmith@distrowatch.com and put "Ask A Leader" in the subject line of the e-mail with the name of the community leader (or leaders) you wish to have answer your question. Feel free to ask anything about their projects, open source, licenses or community issues.



We will collect your questions, forward them to the community leaders and, in a future edition of DistroWatch Weekly, we will publish their responses and comments.



We also welcome open source developers and community leaders to join in the discussion. If you are an open source distribution developer and would like to answer some questions, please drop us a line at jsmith@distrowatch.com and let us know you are available to respond to our readers' queries.





Torrent Corner

Weekly Torrents



Bittorrent is a great way to transfer large files, particularly open source operating system images, from one place to another. Most bittorrent clients recover from dropped connections automatically, check the integrity of files and can re-download corrupted bits of data without starting a download over from scratch. These characteristics make bittorrent well suited for distributing open source operating systems, particularly to regions where Internet connections are slow or unstable.



Many Linux and BSD projects offer bittorrent as a download option, partly for the reasons listed above and partly because bittorrent's peer-to-peer nature takes some of the strain off the project's servers. However, some projects do not offer bittorrent as a download option. There can be several reasons for excluding bittorrent as an option. Some projects do not have enough time or volunteers, some may be restricted by their web host provider's terms of service. Whatever the reason, the lack of a bittorrent option puts more strain on a distribution's bandwidth and may prevent some people from downloading their preferred open source operating system.



With this in mind, DistroWatch plans to give back to the open source community by hosting and seeding bittorrent files for distributions that do not offer a bittorrent option themselves. This is a feature we are experimenting with and we are open to feedback on how to improve upon the idea.



For now, we are hosting a small number of distribution torrents, listed below. The list of torrents offered will be updated each week and we invite readers to e-mail us with suggestions as to which distributions we should be hosting. When you message us, please place the word "Torrent" in the subject line, make sure to include a link to the ISO file you want us to seed and please make sure the project you are recommending does not already host its own torrents. We want to primarily help distributions and users who do not already have a torrent option. To help us maintain and grow this free service, please consider making a donation.



The table below provides a list of torrents we currently host. If you do not currently have a bittorrent client capable of handling the linked files, we suggest installing either the Transmission or KTorrent bittorrent clients.



Operating System   Torrent                            MD5 checksum
Pinguy             Pinguy_OS_14.04.2-LTS-x86-64.iso   966360e3ee2f8910e3e8c1539adbc4db
SuperX             SuperX_3.0_Grace_64-bit.iso        374c1930e558f21ce226e2aa2855295b
NethServer         nethserver-6.6-x86_64.iso          4fe92b816eaf03164d73a18b67db1d6c



Archives of our previously seeded torrents may be found here. All torrents we make available here are also listed on the very useful Linux Tracker website. Thanks to Linux Tracker we are able to share the following torrent statistics.
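The two integrity checks described in this column, per-piece verification that lets a bittorrent client re-fetch only the corrupted pieces, and the whole-file comparison against the MD5 column of the table above (the same comparison the checksum program mentioned in the Tails review makes), as an added example that is not DistroWatch's or any torrent client's code. The image bytes and the 64-byte piece size are constructed for the demonstration; the `.torrent` piece-hash layout (concatenated 20-byte SHA-1 digests) is the real format.

```python
"""Integrity checks for a downloaded OS image, in two layers:
  1. BitTorrent-style per-piece SHA-1 verification, which pinpoints the
     corrupted pieces so only those are fetched again.
  2. A whole-file MD5 comparison against the value published in the
     Torrent Corner table.
Added example, not DistroWatch's or any torrent client's code. The image
bytes and the 64-byte piece size are constructed for the demo.
"""
import hashlib

SHA1_LEN = 20
PIECE_LENGTH = 64   # demo value; real torrents use 256 KiB to several MiB pieces

# Constructed stand-in for an ISO image: 768 bytes, i.e. 12 pieces.
ORIGINAL_IMAGE = bytes(range(256)) * 3


def piece_hashes(data: bytes, piece_length: int = PIECE_LENGTH) -> bytes:
    """Concatenated SHA-1 digests, one per piece, as a .torrent's 'pieces' field stores them."""
    return b"".join(
        hashlib.sha1(data[i:i + piece_length]).digest()
        for i in range(0, len(data), piece_length)
    )


def corrupted_pieces(data: bytes, pieces: bytes, piece_length: int = PIECE_LENGTH) -> list[int]:
    """Indexes of pieces whose SHA-1 does not match the torrent metadata."""
    bad = []
    for idx in range(len(pieces) // SHA1_LEN):
        expected = pieces[idx * SHA1_LEN:(idx + 1) * SHA1_LEN]
        chunk = data[idx * piece_length:(idx + 1) * piece_length]
        if hashlib.sha1(chunk).digest() != expected:
            bad.append(idx)
    return bad


def repair(data: bytes, pieces: bytes, fetch_piece, piece_length: int = PIECE_LENGTH) -> bytes:
    """Re-fetch only the bad pieces instead of restarting the download.

    fetch_piece(idx) stands in for asking a peer for piece idx. A peer's answer
    is never trusted on its own: it is hashed against the metadata again, and a
    second bad copy is rejected rather than written into the file.
    """
    buf = bytearray(data)
    for idx in corrupted_pieces(data, pieces, piece_length):
        fresh = fetch_piece(idx)
        expected = pieces[idx * SHA1_LEN:(idx + 1) * SHA1_LEN]
        if hashlib.sha1(fresh).digest() != expected:
            raise ValueError(f"peer returned a bad copy of piece {idx}")
        buf[idx * piece_length:(idx + 1) * piece_length] = fresh
    return bytes(buf)


# The three rows of the Torrent Corner table, as published above.
TORRENT_TABLE = """\
Pinguy Pinguy_OS_14.04.2-LTS-x86-64.iso 966360e3ee2f8910e3e8c1539adbc4db
SuperX SuperX_3.0_Grace_64-bit.iso 374c1930e558f21ce226e2aa2855295b
NethServer nethserver-6.6-x86_64.iso 4fe92b816eaf03164d73a18b67db1d6c
"""


def parse_checksums(table: str) -> dict[str, str]:
    """Map ISO file name -> published MD5 (lower-case hex) from the table rows."""
    published = {}
    for line in table.splitlines():
        fields = line.split()
        if len(fields) == 3 and len(fields[2]) == 32:
            published[fields[1]] = fields[2].lower()
    return published


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def matches_published_md5(data: bytes, filename: str, published: dict[str, str]) -> bool:
    """Whole-file check, the same comparison a checksum utility or md5sum -c makes.

    MD5 catches accidental corruption; it is not collision resistant, so the
    published value only vouches for the file if it was itself obtained from a
    trusted source (the project's HTTPS page or a signed checksum file).
    """
    expected = published.get(filename)
    return expected is not None and md5_hex(data) == expected


def demo() -> dict:
    """Corrupt two pieces of the constructed image, locate them and repair them."""
    pieces = piece_hashes(ORIGINAL_IMAGE)
    damaged = bytearray(ORIGINAL_IMAGE)
    damaged[70] ^= 0xFF     # lands in piece 1
    damaged[700] ^= 0x01    # lands in piece 10
    bad = corrupted_pieces(bytes(damaged), pieces)
    # In a real client fetch_piece would contact a peer; here it reads the good copy.
    good_copy = lambda i: ORIGINAL_IMAGE[i * PIECE_LENGTH:(i + 1) * PIECE_LENGTH]
    fixed = repair(bytes(damaged), pieces, good_copy)
    return {"bad_pieces": bad, "repaired_ok": fixed == ORIGINAL_IMAGE}


if __name__ == "__main__":
    print(demo())   # {'bad_pieces': [1, 10], 'repaired_ok': True}
```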



Torrent Corner statistics:

Total torrents seeded: 36

Total downloads completed: 18,543

Total data uploaded: 3.5TB

Released Last Week

Upcoming Releases and Announcements

DistroWatch.com News