Alpine Linux had null root password since 2015

Alpine Linux is often used as the base for Docker images because it is so compact. The main thing that might stop you using Alpine is that it ships musl libc rather than glibc, which a lot of prebuilt software requires. So I wonder how many Docker containers are running a vulnerable version these days. Probably tens or hundreds of millions.

UPDATE 20190518: I checked both LXD and Docker Alpine Linux images, and both had null root passwords (root::) listed in /etc/shadow. This still exists days after the exposure of this oversight. They also both came with no network services enabled by default, so any flaw in security is really your own introduction, and a failure to lock down the image and test security access during deployment.

Source: CVE-2019-5021
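The check below is an added example, not something from the original post or from Alpine's own tooling. It reports every account in a shadow-format file whose password field is empty (the condition behind CVE-2019-5021), and applies the same fix Alpine shipped, writing "!" into the field to lock the account. The sample shadow file is constructed for the demo; on a real image you would point the functions at /etc/shadow, or simply run passwd -l root. The null field only becomes a login path when something in the container authenticates against the shadow file (Linux PAM, su from an unprivileged user, an sshd you added), which is why an image with no services exposed is not exploitable on its own.

```sh
#!/bin/sh
# Added example: detect and lock null-password accounts in a shadow file.

# Constructed sample in /etc/shadow format. The "root::" entry mirrors the
# vulnerable Alpine images; the others are locked ("!"/"*") or carry a
# (placeholder, not real) hash.
SAMPLE_SHADOW="$(mktemp)"
trap 'rm -f "$SAMPLE_SHADOW" "$SAMPLE_SHADOW.fixed"' EXIT
cat > "$SAMPLE_SHADOW" <<'EOF'
root::0:::::
bin:!::0:::::
daemon:!::0:::::
nobody:*::0:::::
alice:$6$saltsalt$placeholderhashnotreal:18000:0:99999:7:::
EOF

# Print every account whose second field (the password hash) is empty.
# Locked accounts ("!" or "*") and hashed accounts are not reported.
find_null_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Exit 0 if the root entry has an empty password field, 1 otherwise.
root_password_is_null() {
    awk -F: '$1 == "root" && $2 == "" { found = 1 } END { exit !found }' "$1"
}

# Lock every null-password account by writing "!" into the password field,
# the same edit Alpine made to its images (equivalent to `passwd -l`).
# Rewrites the file in place via a temp copy, so it works without GNU sed -i.
lock_null_passwords() {
    tmp="$(mktemp)"
    awk -F: 'BEGIN { OFS = ":" } $2 == "" { $2 = "!" } { print }' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

echo "Null-password accounts before fix:"
find_null_passwords "$SAMPLE_SHADOW"
cp "$SAMPLE_SHADOW" "$SAMPLE_SHADOW.fixed"
lock_null_passwords "$SAMPLE_SHADOW.fixed"
echo "Null-password accounts after fix:"
find_null_passwords "$SAMPLE_SHADOW.fixed"
echo "Fixed root entry: $(grep '^root:' "$SAMPLE_SHADOW.fixed")"
```

In a Dockerfile the fix is one line against the real file, run as root: the same awk command over /etc/shadow, or the busybox passwd -l root. Re-run find_null_passwords in your image tests so the regression is caught before deployment rather than after.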

Matrix Synapse Chat Server

Tonight, I successfully navigated a myriad of online instructions, and finally got my Matrix Synapse encrypted chat server working. So, now, my wife and I can have truly private, end-to-end encrypted chats, without relying on Facebook-owned WhatsApp anymore, or on servers owned and operated by anyone else.

There are plenty of instructions on how to get Synapse installed, but all of them are just a little bit incomplete. I ran into a few unexpected issues, which were all solved eventually by googling and reading multiple sets of instructions, and a dozen or so bug reports.

Synapse is an open source server that implements the Matrix protocol. It supports chat, voice, and video chat. Since I have my own server, I can issue login credentials to anyone I desire. Optionally, I can even open up my system for anyone to register, but I don’t think I want to do that right now.

If you want to try out Matrix, you can register for a free account at https://riot.im/app/ and use the matrix.org chat server. You can also install the Riot.im Android or iOS mobile apps, and use those to join in the conversation.

Surprisingly, all chats in Synapse default to being unencrypted. Turning on encryption properly requires you to verify each participant’s encryption keys (the only real way to guarantee there is no “man in the middle” intercepting your messages). That part is a pain in the rear, and it’s easily skipped, but the paranoid among us won’t skip over it.

The problem mostly turned out to be a DNS SRV record I needed, and a website file I needed to create, /.well-known/matrix/server:

root@usgaalw123:/var/www/html/.well-known/matrix# cat server
{ "m.homeserver": {"base_url": "https://matrix.whistl.us"} }
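The script below is an added example, not the author's setup or Synapse's own code. It writes both Matrix delegation files and prints the equivalent SRV record for an assumed domain, example.org, delegating to a host assumed to be named matrix.example.org on port 443 behind a reverse proxy. One point the spec makes that is easy to get wrong: the two files carry different keys. The server file, which other homeservers fetch before federating, holds m.server with a host and port; the m.homeserver / base_url object shown above is the body of the client file, /.well-known/matrix/client, which clients such as Riot read to find the client API.

```sh
#!/bin/sh
# Added example: Matrix server-name delegation via .well-known and SRV.
# All names and ports are assumptions for the demo.

DOMAIN="example.org"             # server_name users see (@user:example.org)
MATRIX_HOST="matrix.example.org" # host where Synapse actually answers
FED_PORT=443                     # federation port on that host

# Write both well-known files under a web root.
#   .well-known/matrix/server -> {"m.server": "host:port"}
#       read by other homeservers (federation); alternative is an SRV record
#   .well-known/matrix/client -> {"m.homeserver": {"base_url": "https://host"}}
#       read by clients to locate the client-server API
write_wellknown() {
    root="$1"
    mkdir -p "$root/.well-known/matrix"
    printf '{"m.server": "%s:%s"}\n' "$MATRIX_HOST" "$FED_PORT" \
        > "$root/.well-known/matrix/server"
    printf '{"m.homeserver": {"base_url": "https://%s"}}\n' "$MATRIX_HOST" \
        > "$root/.well-known/matrix/client"
}

# Print the m.server value from a server well-known file. Prints nothing
# when the key is absent, e.g. when the client body was put in the server
# file by mistake, so it doubles as a sanity check.
server_delegation_target() {
    sed -n 's/.*"m\.server"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# The DNS alternative to the server file: an SRV record for _matrix._tcp.
# Priority 10 and weight 0 are arbitrary here; 8448 is the port other
# servers fall back to when neither a record nor a well-known file exists.
srv_record() {
    printf '_matrix._tcp.%s. 3600 IN SRV 10 0 %s %s.\n' \
        "$DOMAIN" "$FED_PORT" "$MATRIX_HOST"
}

WEBROOT="$(mktemp -d)"
trap 'rm -rf "$WEBROOT"' EXIT
write_wellknown "$WEBROOT"
echo "server file delegates federation to: $(server_delegation_target "$WEBROOT/.well-known/matrix/server")"
echo "client file:  $(cat "$WEBROOT/.well-known/matrix/client")"
echo "SRV alternative: $(srv_record)"
# Once deployed, check what the outside world sees (not run here):
#   curl -s https://example.org/.well-known/matrix/server
#   dig +short SRV _matrix._tcp.example.org
```

Pick one delegation method and make sure the TLS certificate matches it: with the well-known file, the delegated host must present a certificate valid for matrix.example.org; with only an SRV record, the certificate must be valid for the server_name itself (example.org). A mismatch here shows up as other servers refusing to federate while your own clients work fine.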

I may need to contribute to the Ethereal patch stream for Matrix protocol decodes. Still reading about the protocol.

A couple more Linux commands

This week, I learned about two (new to me) Linux commands that I am finding very helpful, in my system admin role.

“stdbuf” is a command that changes the stdio buffering mode (unbuffered, line buffered, or a given size) of the command it runs, which matters most in a pipeline. For example, if you run “tail -F file”, pipe that to grep string, and pipe THAT to cut -c1-100, you’ll be frustrated. tail writes each chunk as it reads it, but because grep is writing to another pipe rather than a terminal, its stdout is fully buffered (typically 4K) instead of line buffered, so your screen output will pause until grep has accumulated 4K of matching output; then cut reads that and passes it through in one big unreadable chunk.

However, if you run stdbuf -oL grep string, grep’s stdout is line buffered and you see each line as soon as tail passes it along. (GNU grep also has its own --line-buffered option with the same effect. stdbuf works by preloading a small library that sets the stdio buffer, so it only helps programs that use C stdio and don’t set their own buffering; it has no effect on statically linked or setuid binaries.) Compare the behavior of these two slightly different commands:

tail -F /path/file | grep interestingstring | cut -c1-100
tail -F /path/file | stdbuf -oL grep interestingstring | cut -c1-100

Cool, huh?

Okay, the other one I just learned this morning is a simple way to list all block devices, and how they are used. Try this:

lsblk -f

It will display something like:

$ lsblk -f
NAME     FSTYPE      LABEL UUID                                   MOUNTPOINT
loop5    squash                                                   /snap/cano
loop6    squash                                                   /snap/core
sda
├─sda1   xfs               8fdebc8f-e44a-4771-8ade-702506563824   /boot
├─sda2
└─sda5   swap              f9727aaf-47c2-437a-9ce0-34c4b34a4b0b   [SWAP]
sdb
├─sdb1   xfs               f0c79706-7a42-4f4d-90be-a63f054e9f8f   /
└─sdb2   LVM2_member       Q039DZ-RfAF-ryYE-IKXD-7Ii3-LOd5-5Xzblt

This shows that my server has two disks, sda and sdb, plus a couple of snap loopback filesystems mounted. The last entry is a Logical Volume Manager physical volume, which is why it has a PV UUID but no mountpoint of its own.

I think it’s cool, that after 30+ years of dealing with UNIX and almost that much dealing with Linux, there are still useful tricks to learn. Cheers!

Netflix, but TV style

I’ve decided to stop binge watching series on Netflix. Instead I’m watching a few episodes of multiple series every day. Right now, my playlist includes NCIS (season 2), Person of Interest (season 2), Bodyguard (BBC drama), Dark Matter (Canadian scifi), and Black Butler (Japanese anime).

I’m enjoying all of them. It’s totally surreal watching season 2 of NCIS and keeping current with season 16 as well. Mark Harmon is really white haired and ancient looking these days. The jokes in the earlier seasons are much funnier than the later seasons.

new Netflix shows to pay attention to

I have stumbled onto a couple of really engaging Netflix titles. “Turn Up Charlie” stars Idris Elba as a washed up DJ dealing with life. It’s funny, and powerful. “Bodyguard” is a BBC action cop show that I’m fascinated by.

Give them both a watch, see if they click with you.

Try the Brave web browser

I am REALLY liking the Brave browser. It’s basically Chrome without all the spying. It works on Windows, Linux, MacOS, iPhones, and Android. It’s worth a try. Google has made enough money off your quite valuable personal information and online activity.

Mystery Science Theatre 3000

I have been watching some mysterious “collections” of MST3K on Netflix, and after suffering through collections 1 and 2, and starting #3, I have come to the conclusion that the Joel year (or two) was superior to any of the later years. At first, they were really edgy, and unique. After that, they just got cheesy. It was like going from a real comedian to someone who just tells dad jokes.

Brave Web Browser, all the power of Chrome, without all the spying

I have been using Chrome on my Linux laptop at work, but tonight I installed the Brave browser, and after a few hours, have decided I love it, and as soon as I got home, I made it the default browser on my Mac too. I fully intend to install the iOS version on my phone today too.

Chrome is fast, but Google tracks everything you do. Not just every search you run at Google.com, but every website you visit, every password you save, every link you click. Brave is based on the open-source Chromium browser, the same codebase as Chrome, Opera and the Chromium-based Microsoft Edge (Apple Safari runs on WebKit, and Firefox has its own engine). Most Chrome extensions and themes work with it. I only use 2 extensions, LastPass and Privacy Badger.

I was pleasantly surprised to find a number of websites at work just work faster and better under Brave, compared to Chrome. The Red Hat JBoss Fuse GUI doesn’t log me out after 10 minutes of inactivity anymore. Apparently that was a Chrome “feature” I didn’t know about, throttling JavaScript on backgrounded webpages after a few minutes. I am Pickled Tink!

Welcome to the new Brave browser. Experience a faster, more private and secure browser for PC, Mac and iOS and Android. Block ads and trackers that slow you down, cost you money and invade your privacy. Join the Brave revolution, learn more.

Source: Secure, Fast & Private Web Browser with Adblocker | Brave Browser