
Encrypting NFSv4 with Stunnel TLS

Monday, 13 August 2018 - 11:30 AM - (Security)

NFS clients and servers push file traffic over clear-text connections in the default configuration, which is incompatible with sensitive data. TLS can wrap this traffic, finally bringing protocol security. Before you use your cloud provider's NFS tools, review all of your NFS usage and secure it where necessary.

The Network File System (NFS) is the most popular file-sharing protocol in UNIX. Decades old and predating Linux, the most modern v4 releases need only a single TCP port (2049, with no portmapper or mountd side channels), so they are easily firewalled, and they offer nearly everything required for seamless manipulation of remote files as if they were local.

The most obvious feature missing from NFSv4 is native, standalone encryption. Absent Kerberos, the protocol operates only in clear text, and this presents an unacceptable security risk in modern settings. NFS is hardly alone in this shortcoming, as I have already covered clear-text SMB in a previous article. Compared to SMB, NFS over stunnel offers better encryption (likely AES-GCM if used with a modern OpenSSL) on a wider array of OS versions, with no pressure in the protocol to purchase paid updates or newer OS releases.

NFS is an extremely common NAS protocol, and extensive support is available for it in cloud storage. Although Amazon EC2 supports clear-text and encrypted NFS, Google Cloud makes no mention of data security in its documented procedures, and major initiatives for the protocol recently have been launched by Microsoft Azure and Oracle Cloud that raise suspicion. When using these features over untrusted networks (even within the hosting provider), it must be assumed that vulnerable traffic will be captured, stored and reconstituted by hostile parties should they have the slightest interest in the content. Fortunately, wrapping TCP-based NFS with TLS encryption via stunnel, while not obvious, is straightforward.

The performance penalty for tunneling NFS over stunnel is surprisingly small—transferring an Oracle Linux Installation ISO over an encrypted NFSv4.2 connection is well within 5% of the speed of clear text. Even more stunning is the performance of fuse-sshfs, which appears to beat even clear-text NFSv4.2 in transfer speed. NFS remains superior to sshfs in reliability, dynamic idmap and resilience, but FUSE and OpenSSH delivered far greater performance than expected.
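The article states that wrapping NFSv4 in stunnel is straightforward but does not show the configuration. The following is an added example, not code from the article, of the two stunnel configurations and the server-side firewall rule that keeps the clear-text listener off the wire. The host name nfs.example.internal, the export /srv/export, TLS port 2323 and the certificate paths under /etc/stunnel are assumptions; sslVersionMin is an option of recent stunnel 5 releases (older ones spell it sslVersion).

```shell
#!/bin/sh
# Added example, not code from the article: stunnel configuration for NFSv4
# over TLS plus the firewall rule that keeps the clear-text port off the wire.
# Assumed names: server nfs.example.internal, export /srv/export, TLS on
# TCP 2323, a private CA and per-host certificates under /etc/stunnel.
# Usage: sh nfs-tls.sh /etc/stunnel   (writes the two config files there)

# Server side: stunnel terminates TLS on 2323 and forwards the stream to the
# local nfsd on 2049. verify = 2 requires a client certificate signed by our
# CA, so only enrolled hosts can open the tunnel at all.
write_nfs_stunnel_server() {
    cat > "$1/nfs-server.conf" <<'EOF'
cert = /etc/stunnel/nfs-server.pem
key = /etc/stunnel/nfs-server.key
CAfile = /etc/stunnel/ca.pem
verify = 2
sslVersionMin = TLSv1.2
[nfs]
accept = 0.0.0.0:2323
connect = 127.0.0.1:2049
EOF
}

# Client side: the kernel NFS client talks to a local stunnel listener on
# 2049, which carries the session to the server over TLS. checkHost pins the
# server certificate to the expected name.
write_nfs_stunnel_client() {
    cat > "$1/nfs-client.conf" <<'EOF'
client = yes
cert = /etc/stunnel/nfs-client.pem
key = /etc/stunnel/nfs-client.key
CAfile = /etc/stunnel/ca.pem
verify = 2
checkHost = nfs.example.internal
sslVersionMin = TLSv1.2
[nfs]
accept = 127.0.0.1:2049
connect = nfs.example.internal:2323
EOF
}

# NFSv4 uses a single TCP port and no portmapper, so one tunnel carries the
# whole session; the client simply mounts its own loopback endpoint.
nfs_tls_mount_cmd() {
    echo "mount -t nfs4 -o proto=tcp,port=2049,vers=4.2 127.0.0.1:/srv/export $1"
}

# On the server, nothing but the local stunnel may reach the clear-text
# listener; otherwise a misconfigured client can still mount in the clear.
nfs_cleartext_block_rules() {
    echo "iptables -A INPUT -p tcp --dport 2049 ! -i lo -j DROP"
    echo "ip6tables -A INPUT -p tcp --dport 2049 ! -i lo -j DROP"
}

if [ -n "$1" ]; then
    write_nfs_stunnel_server "$1"
    write_nfs_stunnel_client "$1"
    echo "wrote $1/nfs-server.conf and $1/nfs-client.conf"
    echo "client mount: $(nfs_tls_mount_cmd /mnt/export)"
    echo "server firewall:"; nfs_cleartext_block_rules
fi
```

Two consequences of this layout are easy to miss. The server's nfsd sees every tunneled client arriving from 127.0.0.1, so /etc/exports has to grant the export to 127.0.0.1, and per-client authorization moves from the exports file to stunnel's client certificates (or to Kerberos, if you layer it on). After deploying, confirm from another host that TCP 2049 on the server is closed while 2323 completes a TLS handshake (openssl s_client -connect nfs.example.internal:2323); a reachable 2049 means a fallback to clear text is still possible.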


Extending Landlocked Processes

Friday, 03 August 2018 - 12:00 PM - (Security)

Mickaël Salaün posted a patch to improve communication between landlocked processes. Landlock is a security module that creates an isolated "sandbox" where a process is prevented from interacting with the rest of the system, even if that process itself is compromised by a hostile attacker. The ultimate goal is to allow regular user processes to isolate themselves in this way, reducing the likelihood that they could be an entry point for an attack against the system.

Mickaël's patch, which didn't get very far in the review process, aimed specifically at allowing landlocked processes to use system calls to manipulate other processes. To do that, he wanted to force the landlocked process to obey any constraints that also might apply to the target process. For example, the target process may not allow other processes to trace its execution. In that case, the landlocked process should be prevented from doing so.

Andy Lutomirski looked at the patch and offered some technical suggestions, but on further reflection, he felt Mickaël's approach was too complicated. He felt it was possible that the patch itself was simply unnecessary, but that if it did have a value, it simply should prevent any landlocked process from tracing another process' execution. Andy pointed to certain kernel features that would make the whole issue a lot more problematic. He said, "If something like Tycho's notifiers goes in, then it's not obvious that, just because you have the same set of filters, you have the same privilege. Similarly, if a feature that lets a filter query its cgroup goes in (and you proposed this once!), then the logic you implemented here is wrong."

Andy's overall assessment of landlock was, "I take this as further evidence that Landlock makes much more sense as part of seccomp than as a totally separate thing. We've very carefully reviewed these things for seccomp. Please don't make us do it again from scratch."

But Mickaël felt that landlock did have some valid use cases Andy hadn't mentioned—for example, "running a container constrained with some Landlock programs". Without his patch, Mickaël felt it would be impossible for users in that situation to debug their work. As he put it, "This patch adds the minimal protections which are needed to have a meaningful Landlock security policy. Without it, they may be easily bypassable, hence useless."

And as for folding landlock into seccomp, Mickaël replied, "Landlock is more complex than seccomp, because of its different goal. seccomp is less restrictive because it is more simple."


At Rest Encryption

Wednesday, 18 July 2018 - 11:45 AM - (Security)

Learn why at rest encryption doesn't mean encryption when your laptop is asleep.

There are many steps you can take to harden a computer, and a common recommendation you'll see in hardening guides is to enable disk encryption. Disk encryption also often is referred to as "at rest encryption", especially in security compliance guides, and many compliance regimes, such as PCI, mandate the use of at rest encryption. This term refers to the fact that data is encrypted "at rest", that is, when the disk is unmounted and not in use. At rest encryption can be an important part of system hardening, yet many administrators who enable it, whether on workstations or servers, may end up with a false sense of security if they don't understand not only what disk encryption protects you from, but also, and more important, what it doesn't.

What Disk Encryption Does

In the context of Linux servers and workstations, disk encryption generally means you are using a system such as LUKS to encrypt either the entire root partition or only a particularly sensitive mountpoint. For instance, some Linux distributions offer the option of leaving the root partition unencrypted, and they encrypt each user's /home directories independently, to be unlocked when the user logs in. In the case of servers, you might leave root unencrypted and add encryption only to specific disks that contain sensitive data (like database files).

On a workstation, you notice when a system is encrypted at rest because it will prompt you for a passphrase to unlock the disk at boot time. Servers typically are a bit trickier, because usually administrators prefer that a server come back up after a reboot without manual intervention. Although some servers may provide a console-based prompt to unlock the disk at boot time, administrators are more likely to have configured LUKS so that the key resides on a separate unencrypted partition. Or, the server may retrieve the key from the network using its configuration management or a centralized secrets management tool like Vault, so there is less of a risk of the key being stolen by an attacker with access to the filesystem.

The main thing that at rest encryption protects you from is data loss due to theft or improper decommissioning of hard drives. If someone steals your laptop while it's powered off, your data will be protected. If someone goes into a data center and physically removes drives from a server with at rest encryption in place, the data on those drives stays encrypted once they spin down. The same goes for disks in a server that has been retired. Administrators are supposed to perform secure wiping or full disk destruction procedures to remove sensitive data from drives before disposal, but if the administrator was lazy, disk encryption can help ensure that the data is still protected if it gets into the wrong hands.
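The two questions the paragraphs above raise on a server are "where does each volume's key come from?" and "which volumes are unlocked right now?". The following is an added example, not code from the article, that answers both: it classifies each /etc/crypttab entry by key source and lists the dm-crypt mappings currently active, whose keys are resident in kernel memory and therefore not at rest. SAMPLE_CRYPTTAB and SAMPLE_TABLE are constructed samples so the script runs without root; the crypttab column layout and the "dmsetup table --target crypt" output format are the standard ones.

```shell
#!/bin/bash
# Added example, not part of the article: a quick audit of how a server's
# LUKS volumes are unlocked. It classifies each /etc/crypttab entry by where
# its key comes from and lists which dm-crypt mappings are currently open
# (keys resident in kernel memory, so the data is not "at rest").
# SAMPLE_CRYPTTAB and SAMPLE_TABLE are constructed samples, not from a real host.

SAMPLE_CRYPTTAB='# <target> <source> <key file> <options>
cryptroot UUID=8f3e5c2a-0000-4000-8000-000000000001 none luks,discard
data      /dev/sdb1 /etc/keys/data.key luks
swap      /dev/sdb2 /dev/urandom swap,cipher=aes-xts-plain64,size=256'

# Output of "dmsetup table --target crypt" (keys are masked unless --showkeys)
SAMPLE_TABLE='cryptroot: 0 976773168 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:2 32768 1 allow_discards
data: 0 3907029168 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:17 4096'

# key_source KEYFIELD: classify the third crypttab column.
#   prompt   - none or -: passphrase typed at boot; survives drive theft
#   random   - /dev/urandom: fresh key each boot (swap or tmp only)
#   keyfile  - a path; protection depends entirely on where that file lives
key_source() {
    case "$1" in
        none|-)                   echo prompt ;;
        /dev/urandom|/dev/random) echo random ;;
        *)                        echo keyfile ;;
    esac
}

# crypttab_audit CRYPTTAB_TEXT: print "name source-class keyfield" per entry
crypttab_audit() {
    local name dev key opts
    printf '%s\n' "$1" | while read -r name dev key opts; do
        case "$name" in ''|\#*) continue ;; esac
        printf '%s %s %s\n' "$name" "$(key_source "${key:-none}")" "${key:-none}"
    done
}

# open_mappings DMSETUP_TEXT: print "name cipher backing-device" for every
# crypt target currently mapped, i.e. unlocked right now.
open_mappings() {
    printf '%s\n' "$1" | awk '$4 == "crypt" { sub(":$", "", $1); print $1, $5, $8 }'
}

# risky_keyfiles CRYPTTAB_TEXT: names of volumes unlocked by a keyfile path,
# which is only as safe as the (often unencrypted) filesystem holding it.
risky_keyfiles() {
    crypttab_audit "$1" | awk '$2 == "keyfile" { print $1 }'
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    if [ "$(id -u)" -eq 0 ] && command -v dmsetup >/dev/null && [ -r /etc/crypttab ]; then
        tab=$(cat /etc/crypttab); table=$(dmsetup table --target crypt)
    else
        tab=$SAMPLE_CRYPTTAB; table=$SAMPLE_TABLE
    fi
    echo "== crypttab key sources =="; crypttab_audit "$tab"
    echo "== currently open dm-crypt mappings =="; open_mappings "$table"
    echo "== keyfile-unlocked volumes to review =="; risky_keyfiles "$tab"
fi
```

Run as root it reads the live crypttab and device-mapper table; otherwise it runs on the samples. A volume flagged under "keyfile-unlocked" is protected against a single stolen drive only if the key file lives somewhere the thief did not also take, which is exactly the case the article warns about.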


Removing Support for Dead Hardware

Thursday, 05 July 2018 - 12:00 PM - (Hardware)

Arnd Bergmann submitted a patch to remove the Linux ports for a variety of architectures, including blackfin, cris, frv, m32r, metag, mn10300, score and tile. To do this, he worked directly with the former maintainers of each port to make sure the code removal was done right and didn't break anything in the mainline kernel or anywhere else.

The bottom line was that no one used those architectures anymore. He offered his analysis of why this had happened, saying:

It seems that while the eight architectures are extremely different, they all suffered the same fate: There was one company in charge of an SoC line, a CPU microarchitecture and a software ecosystem, which was more costly than licensing newer off-the-shelf CPU cores from a third party (typically ARM, MIPS, or RISC-V). It seems that all the SoC product lines are still around, but have not used the custom CPU architectures for several years at this point. In contrast, CPU instruction sets that remain popular and have actively maintained kernel ports tend to all be used across multiple licensees.

Linus Torvalds had no objection to ripping those architectures out of the kernel, but he did say, "I'd like to see that each architecture removal is independent of the others, so that if somebody wants to resurrect any particular architecture, he/she can do so with a revert."

Linus pulled the patch into the main kernel tree and noted with glee that it took a half-million lines of code out of the kernel.

Linus was not the only one who wanted to ensure the possibility of easily resurrecting those architectures. Geert Uytterhoeven wanted to know exactly what would be required, since he had an interest in the formerly removed and later resurrected arch/h8300 architecture, currently still in the kernel and going strong. And he pointed out, "In reality, a resurrection may not be implemented as a pure revert, but as the addition of a new architecture, implemented using modern features."

To which Pavel Machek complained, "By insisting on new features instead of pure revert + incremental updates, you pretty much make sure resurrection will not be possible."

But Arnd pointed out, "now that the other architectures are gone, a lot of changes can be done more easily that will be incompatible with a pure revert, so the more time passes, the harder it will get to do that."

And he added, "Some of the architectures (e.g. tile or cris) have been kept up to date, but others had already bitrotted to the point where they were unlikely to work on any real hardware for many releases, but a revert could still be used as a starting point in theory."


The LJ Password Generator Tool

Thursday, 21 June 2018 - 13:08 PM - (Security)

Mnemonic passwords generally stink. A random sequence of letters, digits and punctuation is more secure—just don't write down your passwords, like the knucklehead antagonist does in Ready Player One!

In the password generating tool from my last article, at its most simple, you specify the number of characters you want in the password, and each is then chosen randomly from a pool of acceptable values. With the $RANDOM variable built into bash, that's super easy to do:


okay="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
okay="$okay"'()<>./?;:[{]}|\=+-_*&^%$#@!~'   # pool of acceptable characters (assumed set; quotes left out)
ltrs=${#okay}; length=11; result=""
while [ $length -gt 0 ] ; do          # -gt, not -ge, or you get one character too many
   letter="${okay:$(( $RANDOM % $ltrs )):1}"
   result="$result$letter"
   length=$(( $length - 1 ))
done
echo "Result: $result"

In the actual script, I set okay to a single value rather than build it in two steps; this is just for formatting here online. Otherwise, ltrs is set to the length of $okay as a speedy shortcut, and the result is built up by using the string slicing syntax of:

${variable:offset:length}

Offsets start at zero, so ${string:4:1} extracts the fifth character of a string, for example. This works fine and is easy, with one caveat: $RANDOM and this slicing syntax are bash features, so run the script with bash rather than a strict POSIX sh such as dash. The result speaks for itself:

$ sh lazy-passwords.sh
Result: Ojkr9>|}dMr

And, a few more:

Result: Mi8]TfJKVaH
Result: >MWvF2D/R?r
Result: h>J6\p4eNPH
Result: KixhCFZaesr

Where this becomes a more complex challenge is when you decide you don't want to have things randomly selected but instead want to weight the results so that you have more letters than digits, or no more than a few punctuation characters, even on a 15–20 character password.

Which is, of course, exactly what I've been building.

I have to admit that there's a certain lure to making something complex, if nothing else than just to see if it can be done and work properly.

Adding Weight to Letter Choices

As a result, the simple few lines above changed to this in my last article:


Open Hardware: Good for Your Brand, Good for Your Bottom Line

Wednesday, 20 June 2018 - 12:15 PM - (Hardware)

With the rise of IoT, we're inside a short window where "open" is a strong differentiator for hardware products. Is your company ready to take advantage of it?

I don't know how to put this, but Hardware is kind of a Big Deal, and thanks to the Internet of Things (aka IoT), it's getting bigger every year. The analyst firm IDC expects spending on IoT to reach nearly $800 billion USD by the end of 2018. A study by Intel shows that by 2025, the global worth of IoT technology might exceed $6 trillion USD, whereas Forbes reports that the global market could be nearly $9 trillion USD in 2020.

These statistics are based on the traditional model of closed design and development of the chips, boards and objects that will make these devices a reality. However, what if hardware developers were to learn from and leverage the popularity of free and open-source software (aka FOSS)? What if the future of IoT were Open? It's my belief that the device developers who apply the lessons of FOSS to hardware development will be those best positioned to become the powerhouses of that $9 trillion market. Similarly to software, open hardware will be seen first as a differentiator (rather than an eccentricity) and later, as the industry matures, as the default operating mode for hardware development.


Linux Gets Loud

Wednesday, 13 June 2018 - 13:08 PM - (Hardware)

Exploring the current state of musical Linux with interviews of developers of popular packages.

Linux is ready for prime time when it comes to music production. New offerings from Linux audio developers are pushing creative and technical boundaries. And, with the maturity of the Linux desktop and growth of standards-based hardware setups, making music with Linux has never been easier.

Linux always has had a place for musicians looking for inexpensive rigs to record and create music, but historically, it's been a pain to maintain. Digging through arcane documentation and deciphering man pages is not something that interests many musicians.

Loading up Linux is not as intimidating as it once was, and a helpful community is going strong. Beyond tinkering types looking for cheap beats, users range in experience and skill. Linux is still the underdog when it comes to its reputation for thin creative applications though.

Recently, musically inclined Linux developers have turned out a variety of new and updated software packages for both production and creative uses. From full-fledged DAWs (Digital Audio Workstations), to robust soft-synths and versatile effects platforms, the OSS audio ecosystem is healthy.

A surge in technology-focused academic music programs has brought a fresh crop of software-savvy musicians into the fold. The modular synth movement also has nurtured an interest in how sound is made and encouraged curiosity about the technology behind it.

One of the biggest hurdles in the past was the lack of core drivers for the wide variety of outboard gear used by music producers. With USB 2.0 and improvements in ALSA and JACK, more hardware became available for use. Companies slowly have opened their systems to third-party developers, allowing more low-level drivers to be built.


In terms of raw horsepower, the ubiquity of multicore processors and cheap RAM has enabled Linux to take advantage of powerful machines. Specifically, the multithreading support the Linux kernel offers developers lets audio packages offload DSP and UI work to separate cores. Beyond OS multithreading, music software devs have taken advantage of this in a variety of ways.

A well-known API called Jack Audio Connection Kit (JACK) handles multiple inter-application connections as well as audio hardware communication with a multithreaded approach, enabling low latency with both audio DSP and MIDI connections.

Ardour has leveraged multithreaded processing for some time. In early versions, it was used to distribute audio processing and the main interface and OS interaction to separate cores. Now it offers powerful parallel rendering on a multitude of tracks with complex effects.


Data Privacy: Why It Matters and How to Protect Yourself

Tuesday, 05 June 2018 - 12:00 PM - (Security)

When it comes to privacy on the internet, the safest approach is to cut your Ethernet cable or power down your device. But, because you can't really do that and remain somewhat productive, you need other options. This article provides a general overview of the situation, steps you can take to mitigate risks and finishes with a tutorial on setting up a virtual private network.

Sometimes when you're not too careful, you increase your risk of exposing more information than you should, and often to the wrong recipients—Facebook is a prime example. The company providing the social-media product of the same name has been under scrutiny recently and for good reason. The point wasn't that Facebook directly committed the atrocity, but more that a company linked to the previous US presidential election was able to access and inappropriately store a large trove of user data from the social-media site. This data then was used to target specific individuals. How did it happen though? And what does that mean for Facebook (and other social-media) users?

In the case of Facebook, a data analysis firm called Cambridge Analytica was given permission by the social-media site to collect user data from a downloaded application. This data included users' locations, friends and even the content the users "liked". The application supposedly was developed to act as a personality test, although the data it mined from users was used for so much more and in what can be considered not-so-legal methods.

At a high level, what does this all mean? Users allowed a third party to access their data without fully comprehending the implications. That data, in turn, was sold to other agencies or campaigns, where it was used to target those same users and their peer networks. Through ignorance, it becomes increasingly easy to "share" data and do so without fully understanding the consequences.

Getting to the Root of the Problem

For some, deleting your social-media account may not be an option. Think about it. By deleting your Facebook account, for example, you may essentially be deleting the platform that your family and friends choose to share some of the greatest events in their lives. And although I continue to throw Facebook in the spotlight, it isn't the real problem. Facebook merely is taking advantage of a system with zero to no regulations on how user privacy should be handled. Honestly, we, as a society, are making up these rules as we go along.


The Fight for Control: Andrew Lee on Open-Sourcing PIA

Wednesday, 30 May 2018 - 13:08 PM - (Security)

When I learned that our new sister company, Private Internet Access (PIA), was opening its source code, I immediately wanted to know the backstory, especially since privacy is the theme of this month's Linux Journal. So I contacted Andrew Lee, who founded PIA, and an interview ensued. Here it is.

DS: What made you start PIA in the first place? Did you have a particular population or use case—or set of use cases—in mind?

AL: Primarily PIA was rooted in my humble beginnings on IRC where it had quickly become important to protect one's IP from exposure using an IRC bouncer. However, due to jumping around in various industries thereafter, I learned a lot and came to an understanding that it was time for privacy to go mainstream, not in the "hide yourself" type of sense, but simply in the "don't watch me" sense.

DS: Had you wanted to open-source the code base all along? If not, why now?

AL: We always wanted to open-source the code base, and we finally got around to it. It's late, but late is better than never. We were incredibly busy, and we didn't prioritize it enough, but by analyzing our philosophies deeply, we've been able to re-prioritize things internally. Along with open-sourcing our software, there are a lot of great things to come.

DS: People always wonder if open-sourcing a code base affects a business model. Our readers have long known that it doesn't, and that open-sourcing in fact opens more possibilities than leaving code closed. But it would be good to hear your position on the topic, since I'm sure you've thought about it.

AL: Since Private Internet Access is a service, having open-source code does not affect the business' ability to generate revenue as a company aiming for sustainable activism. Instead, I do believe we're going to end up with better and stronger software as an outcome.

DS: Speaking of activism, back in March, you made a very strong statement, directly to President Trump and Congress, with a two-page ad in The New York Times, urging them to kill off SESTA-FOSTA. I'm curious to know if we'll be seeing more of that and to hear what the response was at the time.

AL: Absolutely! We ran a few newspaper campaigns, including one for the Internet Defense League. It's a very strong place to mobilize people for important issues for society. As a result of the campaign, many tweets from concerned Americans were received by President Trump. I would say it was a success, but from here it's up to our President. Let's hope he does the right thing and vetoes it. That said, if the bill is signed in its current form [which it was after this interview was conducted], the internet is routing, and the cypherpunks have the power of the crypto. We will decentralize and route around bad policy.


Generating Good Passwords, Part II

Tuesday, 29 May 2018 - 13:08 PM - (Security)

Passwords. They're the bane of computer users and a necessary evil, but they have risks and challenges associated with them. None of the choices are great. If it's up to your memory, you'll end up using the same password again and again. Use a password manager like 1Password, and you're reliant on its database security and portability. Two-factor? Um, can I borrow your phone for a minute?

Still, having complex and random passwords is definitely more secure than having a favorite phrase or variation you've been using for years. You know what I mean, just own it; you've been using the same PIN and password forever, right?

Last time, I built a script that could produce a random character from one of a set of character sets. For example, a random uppercase letter can be produced like this:


${uppercase:$(( $RANDOM % ${#uppercase} )):1}

Add lowercase and a constrained set of punctuation and some rules on how many of each you want, and you can make some pretty complicated passwords. To start, let's just focus on a random sequence of n uppercase letters.

That's easily done:

while [ ${#password} -lt $length ] ; do
   letter=${uppers:$(( $RANDOM % ${#uppers} )):1}
   password="$password$letter"
done

Remember that the ${#var} notation produces the length of the current value of that variable, so this is an easy way to build up the $password variable until it's equal to the target length as specified in $length.

Here's a quick test run or two:

$ sh makepw.sh
password generated = HDBYPMVETY
password generated = EQKIQRCCZT
password generated = DNCJMMXNHM

Looks great! Now the bigger challenge is to pick randomly from a set of choices. There are a couple of ways to do it, but let's use a case statement, like this:

while [ ${#password} -lt $length ] ; do
  case $(( $RANDOM % 4 )) in
     0 ) letter=${uppers:$(( $RANDOM % ${#uppers} )):1}  ;;
     1 ) letter=${lowers:$(( $RANDOM % ${#lowers} )):1}  ;;
     2 ) letter=${punct:$((  $RANDOM % ${#punct}  )):1}  ;;
     3 ) letter=${digits:$(( $RANDOM % ${#digits} )):1}  ;;
  esac
  password="$password$letter"
done

Since you're basically weighting upper, lower, digits and punctuation the same, it's not a huge surprise that the resultant passwords are rather punctuation-heavy:

$ sh makepw.sh
password generated = 8t&4n=&b(B
password generated = 5=B]9?CEqQ
password generated = |1O|*;%&A

These are all strong-looking passwords that no dictionary attack will find (and, yeah, hard to remember too, but that's an inevitable side effect of this kind of password algorithm). One caveat before you trust them with anything important: bash's $RANDOM is a 15-bit, non-cryptographic pseudo-random generator, not a source of secrets. For real passwords, take the random offsets from /dev/urandom, or from $SRANDOM in bash 5.1 and newer, which is fed by the kernel's random source.


Privacy Plugins

Monday, 28 May 2018 - 11:30 AM - (Security)

Protect yourself from privacy-defeating ad trackers and malicious JavaScript with these privacy-protecting plugins.

Although your phone is probably the biggest threat to your privacy, your web browser is a close second. In the interest of providing you targeted ads, the web is littered with technology that attempts to track each site you go to via a combination of cookies and JavaScript snippets. These trackers aren't just a privacy threat, they are also a security threat. Because of how ubiquitous these ad networks are, attackers have figured out ways to infiltrate some of them and make them serve up even more malicious code.

The good news is that a series of privacy plugins work well with Firefox under Linux. They show up as part of the standard list of approved add-ons and will help protect you against these kinds of threats. Many different privacy plugins exist, but instead of covering them all, in this article, I highlight some of my personal favorites—the ones I install on all of my browsers. Although I discuss these plugins in the context of Firefox, many of them also are available for other Linux browsers. Because all of these plugins are standard Firefox add-ons, you can install them through your regular Firefox add-on search panel.

Privacy Badger

The EFF has done a lot of work recently to improve privacy and security for average users online, and its Privacy Badger plugin is the first one I want to cover here. The idea behind Privacy Badger is to apply some of the tools from different plugins like AdBlock Plus, Ghostery and others that inspect third-party JavaScript on a page. When that JavaScript comes from a known tracking network or attempts to install a tracking cookie on your computer, Privacy Badger steps in and blocks it.

If so many other plugins do something similar, why re-invent the wheel with Privacy Badger? Well, the downside to many of the other tools is that they often require user intervention to tweak and tune. Although it's great for people who want to spend their time doing that, average users probably rather would spend their time actually browsing the web. Privacy Badger has focused on providing similar protection without requiring any special tweaking or tuning. As you browse the web, it keeps track of these different sites, and by observing their behavior, decides whether they are tracking you.


Tor Hidden Services

Wednesday, 23 May 2018 - 12:00 PM - (Security)

Why should clients get all the privacy? Give your servers some privacy too!

When people write privacy guides, for the most part they are written from the perspective of the client. Whether you are using HTTPS, blocking tracking cookies or going so far as to browse the internet over Tor, those privacy guides focus on helping end users protect themselves from the potentially malicious and spying web. Since many people who read Linux Journal sit on the other side of that equation—they run the servers that host those privacy-defeating services—system administrators also should step up and do their part to help user privacy. Although part of that just means making sure your services support TLS, in this article, I describe how to go one step further and make it possible for your users to use your services completely anonymously via Tor hidden services.

How It Works

I'm not going to dive into the details of how Tor itself works so you can use the web anonymously—for those details, check out https://tor.eff.org. Tor hidden services work within the Tor network and allow you to register an internal, Tor-only service that gets its own .onion hostname. When visitors connect to the Tor network, Tor resolves those .onion addresses and directs you to the anonymous service sitting behind that name. Unlike with other services though, hidden services provide two-way anonymity. The server doesn't know the IP of the client, like with any service you access over Tor, but the client also doesn't know the IP of the server. This provides the ultimate in privacy since it's being protected on both sides.

Warnings and Planning

As with setting up a Tor node itself, some planning is involved if you want to set up a Tor hidden service so you don't defeat Tor's anonymity via some operational mistake. There are a lot of rules both from an operational and security standpoint, so I recommend you read this excellent guide to find the latest best practices all in one place.

Without diving into all of those steps, I do want to list a few general-purpose guidelines here. First, you'll want to make sure that whatever service you are hosting is listening only on localhost (127.0.0.1) and isn't viewable via the regular internet. Otherwise, someone may be able to correlate your hidden service with the public one. Next, go through whatever service you are running and try to scrub specific identifying information from it. That means if you are hosting a web service, modify your web server so it doesn't report its software type or version, and if you are running a dynamic site, make sure whatever web applications you use don't report their versions either.
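The guideline above (bind the backing service to loopback only) is easy to state and easy to get wrong, especially with IPv6 and wildcard binds. The following is an added example, not code from the article: the torrc stanza that publishes a local service as a hidden service, and a check over the host's listening sockets that reports anything on the service's port that faces the network. The local port 8080, the exposed onion port 80 and the HiddenServiceDir path are assumptions, and SAMPLE_SS is a constructed "ss -ltnH" listing rather than output from a real host.

```shell
#!/bin/bash
# Added example, not from the article: the torrc stanza that publishes a
# local web service as a hidden service, and a check that the service is
# bound to loopback only. Assumed values: the site listens on local port
# 8080 and is exposed as port 80 on the .onion address. SAMPLE_SS is a
# constructed "ss -ltnH" listing, not taken from a real host.

TORRC_STANZA='HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080'

# Columns as ss prints them: State Recv-Q Send-Q Local-Address:Port Peer
SAMPLE_SS='LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 [::1]:8080 [::]:*'

# is_loopback ADDR: true for 127.x.x.x and ::1 (bracketed as ss shows it)
is_loopback() {
    case "$1" in
        127.*|\[::1\]|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# exposed_listeners SS_TEXT PORT: print every local socket on PORT that is
# not bound to loopback, i.e. reachable from the network. Empty output is
# the result you want for the hidden service's backing port.
exposed_listeners() {
    local ss_text=$1 port=$2 state rq sq local_addr rest
    printf '%s\n' "$ss_text" | while read -r state rq sq local_addr rest; do
        [ "$state" = LISTEN ] || continue
        [ "${local_addr##*:}" = "$port" ] || continue
        is_loopback "${local_addr%:*}" || printf '%s\n' "$local_addr"
    done
}

# hidden_service_ok SS_TEXT PORT: succeeds when nothing on PORT faces the network
hidden_service_ok() {
    [ -z "$(exposed_listeners "$1" "$2")" ]
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    # On a real host replace the sample with: ss_text=$(ss -ltnH)
    ss_text=$SAMPLE_SS
    echo "torrc stanza:"; printf '%s\n' "$TORRC_STANZA"
    if hidden_service_ok "$ss_text" 8080; then
        echo "port 8080: loopback only, good"
    else
        echo "port 8080 is exposed on:"; exposed_listeners "$ss_text" 8080
    fi
    echo "for comparison, port 80 is exposed on: $(exposed_listeners "$ss_text" 80)"
fi
```

In the sample, port 8080 passes while the clearnet site on *:80 is flagged; if the same application served both, that is the correlation the article warns about. For the version-scrubbing step, nginx takes server_tokens off; and Apache takes ServerTokens Prod together with ServerSignature Off.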


Generating Good Passwords, Part I

Thursday, 17 May 2018 - 11:45 AM - (Security)

Dave starts a new method for generating secure passwords with the help of 1Password.

A while back I shared a script concept that would let you enter a proposed password for an account and evaluate whether it was very good (well, maybe "secure" would be a better word to describe the set of tests to ensure that the proposed password included uppercase, lowercase, a digit and a punctuation symbol to make it more unguessable).

Since then, however, I've really been trying personally to move beyond mnemonic passwords of any sort to those that look more like gobbledygook. You know what I mean—passwords like fRz3li,4qDP? that turn out to be essentially random and, therefore, impossible to crack using any sort of dictionary attack.

Aiding me with this is the terrific password manager 1Password. You can learn more about it here, but the key feature I'm using is a combination of having it securely store my passwords for hundreds of websites and having a simple and straightforward password generator feature (Figure 1).

Figure 1. 1Password Password Generation System

If I'm working on the command line, however, why pop out to the program to get a good password? Instead, a script can do the same thing, particularly if I again tap into the useful $RANDOM shortcut for generating random numbers.

Generating Secure Passwords

The easiest way to fulfill this task is to have a general-purpose approach to generating a random element from a specific set of possibilities. So, a random uppercase letter might be generated like this:


letter=${uppers:$(( $RANDOM % 26 )):1}

The basic notational convention used here is the super handy Bash shell variable slicing syntax of:

${variable:offset:length}

To get the first character only of a variable, for example, you can simply reference it as:

${variable:0:1}
That's easy enough. Instead of a fixed reference number, however, I'm using $(( $RANDOM % 26 )) as a way to generate a value between 0–25 that's different each time.

Add strings that contain all the major character classes you seek and you've got a good start:

punct="()./?;:[{]}|=+-_*&^%$#@!~"  # skip quotes

To get even fancier, there's another notation ${#variable} that returns the number of characters in a variable, so the following shows that there are 24 characters in that particular string:
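As an added example that is not from the original article, the following Bash script builds on the ${variable:offset:1} slicing notation described above to produce a password guaranteed to contain one character from each class. The lowers and digits strings, and the function names rand_below, rand_char, gen_password and has_all_classes, are introduced here; it swaps the article's $RANDOM for a byte from /dev/urandom, since $RANDOM is not a cryptographic source.

```bash
# Added example, not the article's own script: class-guaranteed password
# generation using the ${variable:offset:1} slicing notation.

uppers="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lowers="abcdefghijklmnopqrstuvwxyz"
digits="0123456789"
punct="()./?;:[{]}|=+-_*&^%$#@!~"   # skip quotes, as in the article
all="$uppers$lowers$digits$punct"

# rand_below N: print an integer in 0..N-1 (N <= 256). The article uses
# $RANDOM % N; $RANDOM is not a cryptographic source and 32768 % N leaves a
# modulo bias, so this reads one byte from /dev/urandom and rejects values
# at or above the largest multiple of N that fits in a byte.
rand_below() {
  local n=$1 r limit
  limit=$(( (256 / n) * n ))
  while :; do
    r=$(od -An -tu1 -N1 /dev/urandom | tr -d ' ')
    [ "$r" -lt "$limit" ] && { echo $(( r % n )); return; }
  done
}

# rand_char STRING: one random character of STRING via ${var:offset:1}.
rand_char() {
  local set=$1
  printf '%s' "${set:$(rand_below "${#set}"):1}"
}

# gen_password LENGTH: one char from each class, pad from the union, then a
# Fisher-Yates shuffle so the guaranteed chars are not always the first four.
gen_password() {
  local len=${1:-12} pw i j ci cj
  [ "$len" -ge 4 ] || { echo "length must be at least 4" >&2; return 1; }
  pw="$(rand_char "$uppers")$(rand_char "$lowers")$(rand_char "$digits")$(rand_char "$punct")"
  for (( i = ${#pw}; i < len; i++ )); do
    pw+=$(rand_char "$all")
  done
  for (( i = ${#pw} - 1; i > 0; i-- )); do
    j=$(rand_below $(( i + 1 )))
    [ "$i" -eq "$j" ] && continue
    ci=${pw:i:1}; cj=${pw:j:1}
    pw="${pw:0:j}$ci${pw:j+1:i-j-1}$cj${pw:i+1}"   # swap positions i and j
  done
  printf '%s\n' "$pw"
}

# has_all_classes PW: true when PW holds an uppercase, a lowercase, a digit
# and a punctuation char (whatever is left after stripping alphanumerics).
has_all_classes() {
  local pw=$1
  case $pw in *[[:upper:]]*) ;; *) return 1 ;; esac
  case $pw in *[[:lower:]]*) ;; *) return 1 ;; esac
  case $pw in *[[:digit:]]*) ;; *) return 1 ;; esac
  [ -n "$(printf '%s' "$pw" | tr -d '[:alnum:]')" ]
}
```

Call gen_password 16 for a 16-character password; has_all_classes is the same check the earlier script concept performed, applied to the result.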


Review: the Librem 13v2

Thursday, 03 May 2018 - 12:00 PM - (Security)

Shawn Powers Thu, 05/03/2018 - 07:00

The Librem 13—"the first 13-inch ultraportable designed to protect your digital life"—ticks all the boxes, but is it as good in real life as it is on paper?

I don't think we're supposed to call portable computers "laptops" anymore. There's something about them getting too hot to use safely on your lap, so now they're officially called "notebooks" instead. I must be a thrill-seeker though, because I'm writing this review with the Librem 13v2 directly on my lap. I'm wearing pants, but apart from that, I'm risking it all for the collective. The first thing I noticed about the Librem 13? The company refers to it as a laptop. Way to be brave, Purism!

Why the Librem?

I have always been a fan of companies who sell laptops (er, notebooks) pre-installed with Linux, and I've been considering buying a Purism laptop for years. When our very own Kyle Rankin started working for the company, I figured a company smart enough to hire Kyle deserved my business, so I ordered the Librem 13 (Figure 1). And when I ordered it, I discovered I could pay with Bitcoin, which made me even happier!

Figure 1. The 13" Librem 13v2 is the perfect size for taking on the road (photo from Purism)

There are other reasons to choose Purism computers too. The company is extremely focused on privacy, and it goes so far as to have hardware switches that turn off the webcam and WiFi/Bluetooth radios. And because they're designed for open-source operating systems, there's no "Windows" key; instead there's a meta key with a big white rectangle on it, which is called the Purism Key (Figure 2). On top of all those things, the computer itself is rumored to be extremely well built, with all the bells and whistles usually available only on high-end top-tier brands.

Figure 2. No Windows key here! This beats a sticker-covered Windows logo any day (photo from Purism).

My Test Unit

Normally when I review a product, I get whatever standard model the company sends around to reviewers. Since this was going to be my actual daily driver, I ordered what I wanted on it. That meant the following:

  • i7-6500U processor, which was standard and not upgradable, and doesn't need to be!
  • 16GB DDR4 RAM (default is 4GB).
  • 500GB M.2 NVMe (default is 120GB SATA SSD).
  • Intel HD 520 graphics (standard, not upgradable).
  • 1080p matte IPS display.
  • 720p 1-megapixel webcam.
  • Elantech multitouch trackpad.
  • Backlit keyboard.

The ports and connectors on the laptop are plentiful and well laid out. Figure 3 shows an "all sides" image from the Purism website. There are ample USB ports, full-size HDMI, and the power connector is on the side, which is my preference on laptops. In this configuration, the laptop cost slightly more than $2000.

Figure 3. There are lots of ports, but not in awkward places (photo from Purism).

The Physical Stuff and Things

The Case

The shell of the Librem 13 is anodized aluminum with a black matte texture. The screen's exterior is perfectly plain, without any logos or markings. It might seem like that would feel generic or overly bland, but it's surprisingly elegant. Plus, if you're the sort of person who likes to put stickers on the lid, the Librem 13 is a blank canvas. The underside is nearly as spartan with the company name and little else. It has a sturdy hinge, and it doesn't feel "cheap" in any way. It's hard not to compare an aluminum case to a MacBook, so I'll say the Librem 13 feels less "chunky" but almost as solid.

The Screen

Once open, the screen has a matte finish, which is easy to see and doesn't have the annoying reflection so prevalent on laptops that have a glossy finish. I'm sure there's a benefit to a glossy screen, but whatever it might be, the annoying glare nullifies the benefit for me. The Librem 13's screen is bright, has a sufficient 1080p resolution, and it's pleasant to stare at for hours. A few years back, I'd be frustrated with the limitation of a 1080p (1920x1080) resolution, but as my eyes get older, I actually prefer this pixel density on a laptop. With a higher-res screen, it's hard to read the letters without jacking up the font size, eliminating the benefit of the extra pixels!

The Keyboard

I'm a writer. I'm not quite as old-school as Kyle Rankin with his mechanical PS/2 keyboard, but I am very picky when it comes to what sort of keys are on my laptop. Back in the days of netbooks, I thought a 93%-sized keyboard would be perfectly acceptable for lengthy writing. I was horribly wrong. I didn't realize a person could get cramps in their hands, but after an hour of typing, I could barely pick my nose much less type at speed.

The Librem 13's keyboard is awesome. I won't say it's the best keyboard I've ever used, but as far as laptops go, it's right near the top of the pile. Like most (good) laptops, the Librem 13 has chiclet-style keys, but the subtleties of click pressure, key travel, springiness factor and the like are very adequate. The Librem 13v2 has a new feature, in that the keys are backlit (Figure 4). Like most geeks, I'm a touch typist, but in a dark room, it's still incredibly nice to have the backlight. Honestly, I'm not sure why I appreciate the backlight so much, but I've tried both on and off, and I really hate when the keyboard is completely dark. That might just be a personal preference, but having the choice means everyone is happy.

Figure 4. I don't notice the keyboard after hours of typing, which is what you want in a keyboard (photo from Purism).

The Trackpad

The Librem 13 has a huge (Figure 5), glorious trackpad. Since Apple is known for having quality hardware, it's only natural to compare the Librem 13 to the Macbook Pro (again). For more than a decade, Apple has dominated the trackpad scene. Using a combination of incredible hardware and silky smooth software, the Apple trackpad has been the gold standard. Even if you hate Apple, it's impossible to deny its trackpads have been better than any other—until recently. The Librem 13v2 has a trackpad that is 100% as nice as MacBook trackpads. It is large, supports "click anywhere" and has multipoint support with gestures. What does all that mean? The things that have made Apple King of Trackpad Land are available not only on another company's hardware, but also with Linux. My favorite combination is two-finger scrolling with two-finger clicking for "right-click". The trackpad is solid, stable and just works. I'd buy the Librem 13 for the trackpad alone, but that's just a throwaway feature on the website.

Figure 5. This trackpad is incredible. It's worth buying the laptop for this feature alone (photo from Purism).

The Power Adapter

It might seem like a silly thing to point out, but the Librem 13 uses a standard 19-volt power adapter with a 5.5mm/2.5mm barrel connector. Why is that significant? Because I accidentally threw my power supply away with the box, and I was worried I'd have to special-order a new one. Thankfully, the dozen or so power supplies I have in my office from netbooks, NUCs and so on fit the Librem 13 perfectly. Although I don't recommend throwing your power supply away, it's nice to know replacements are easy to find online and probably in the back of your tech junk drawer.

Hardware Switches

I'm not as security-minded as perhaps I should be. I'm definitely not as security-minded as many Linux Journal readers. I like that the Librem 13 has physical switches that disconnect the webcam and WiFi/Bluetooth. For many of my peers, the hardware switches are the single biggest selling point. There's not much to say other than that they work. They physically switch right to left as opposed to a toggle, and it's clear when the physical connection to the devices has been turned off (Figure 6). With the Librem 13, there's no need for electrical tape over the webcam. Plus, using your computer while at DEFCON isn't like wearing a meat belt at the dog pound. Until nanobots become mainstream, it's hard to beat the privacy of a physical switch.

Figure 6. It's not possible to accidentally turn these switches on or off, which is awesome (photo from Purism).

I worried a bit about how the operating systems would handle hardware being physically disconnected. I thought perhaps you'd need special drivers or custom software to handle the disconnect/reconnect. I'm happy to report all the distributions I've tried have handled the process flawlessly. Some give a pop-up about devices being connected, and some quietly handle it. There aren't any reboots required, however, which was a concern I had.


I don't usually watch videos on my laptop, but like most people, I will show others around me funny YouTube videos. The audio on the Librem 13 is sufficiently loud and clear. The video subsystem (I mention more about that later) plays video just fine, even full screen. There is also an HDMI port that works like an HDMI connection should. Modern Linux distributions are really good at handling external displays, but every time I plug in a projector and it just works, my heart sings!


The Librem 13 comes with Purism's "PureOS" installed out of the box. The OS is Debian-based, which I'm most comfortable using. PureOS uses its own repository, hosted and maintained by Purism. One of the main reasons PureOS exists is so that Purism can make sure there is no closed-source code or proprietary drivers installed on its computers. Although the distro includes tons of packages, the really impressive thing is how well the laptop works without any proprietary code. The "purity" of the distribution is comforting, but the standout feature is how well Purism chose the hardware. Anyone who has used Linux laptops knows there's usually a compromise regarding proprietary drivers and wrappers in order to take full advantage of the system. Not so with the Librem 13 and PureOS. Everything works, and works well.

PureOS works well, but the most impressive aspect of it is what it does while it's working. The pre-installed hard drive walks you through encryption on the first boot. The Firefox-based browser (called "Purebrowser") uses HTTPS: Everywhere, defaults to DuckDuckGo as the search engine, and if that's not sufficient for your privacy needs, it includes the Tor browser as well. The biggest highlight for me was that since Purebrowser is based on Firefox, the browsing experience wasn't lacking. It didn't "feel" like I was running a specialized browser to protect my identity, which makes doing actual work a lot easier.

Other Distributions

Although I appreciate PureOS, I also wanted to try other options. Not only was I curious, but honestly, I'm stuck in my ways, and I prefer Ubuntu MATE as my desktop interface. The good news is that although I'm not certain the drivers are completely open source, I am sure that Ubuntu installs and works very well. There are a few glitches, but nothing serious and nothing specific to Ubuntu (more on those later).

I tried a handful of other distributions, and they all worked equally well. That makes sense, since the hardware is 100% Linux-compatible. There was an issue with most distributions, which isn't the fault of the Librem 13. Since my system has the M.2 NVMe as opposed to a SATA SSD, most installers have a difficult time determining where to install the bootloader. Frustratingly, several versions of the Ubuntu installer don't allow the correct partition to be selected manually either. The workaround seems to be setting up hard drive partitions manually, which allows the bootloader partition to be selected. (For the record, it's /dev/nvme0n1.) Again, this isn't Purism's fault; rather, it's the Linux community getting up to speed with NVMe drives and EFI boot systems.


There are a few oddities with a freshly installed Librem 13. Most of the quirks are ironed out if you use the default PureOS, but it's worth knowing about the issues in case you ever switch.

NVMe Thing

As I mentioned, the bootloader problem with an NVMe system is frustrating enough that it's worth noting again in this list. It's not impossible to deal with, but it can be annoying.

Backslash Key

The strangest quirk with the Librem 13 is the backslash key. It doesn't map to backslash. On every installation of Linux, when you try to type backslash, you get the "less than" symbol. Thankfully, fixing things like keyboard scancodes is simple in Linux, but it's so strange. I have no idea how the non-standard scancode slipped through QA, but nonetheless, it's something you'll need to deal with. There's a detailed thread on the Purism forum that makes fixing the problem simple and permanent.

Trackpad Stuff

As I mentioned before, the trackpad on the Librem 13 is the nicest I've ever used on a non-Apple laptop. The oddities come with various distributions and their trackpad configuration software. If your distribution doesn't support the gestures and/or multipoint settings you expect, rest assured that the trackpad supports every feature you are likely to desire. If you can't find the configuration in your distro's setup utility, you might need to dig deeper.

The Experience and Summary

The Librem 13 is the fastest laptop I've ever used. Period. The system boots up from a cold start faster than most laptops wake from sleep. Seriously, it's insanely fast. I ran multiple VMs without any significant slowdowns, and I was able to run multiple video-intensive applications without thinking "laptops are so slow" or anything like that.

The only struggle I had was when I tried to use the laptop for live streaming to Facebook using OBS (Open Broadcast Studio). The live transcoding really taxed the CPU. It was able to keep up, but normally on high-end computers, it's easier to offload the transcoding to a discrete video card. Unfortunately, there aren't any non-Intel video systems that work well without proprietary drivers. That means even though the laptop is as high-end as they get, the video system works well, but it can't compare to a system with a discrete NVIDIA video card.

Don't let the live streaming situation sour your view of the Librem 13 though. I had to try really hard to come up with something that the Librem 13 didn't chew through like the desktop replacement it is. And even with my live streaming situation, I was able to transcode the video using the absurdly fast i7 CPU. This computer is lightning fast, and it's easily the best laptop I've ever owned. More than anything, I'm glad this is a system I purchased and not a "review copy", so I don't have to send it back!


May 2018 Issue: Privacy

Tuesday, 01 May 2018 - 18:57 PM - (Security)

Linux Journal May Issue: Privacy
Carlie Fairchild Tue, 05/01/2018 - 13:57

Most people simply are unaware of how much personal data they leak on a daily basis as they use their computers. Enter our latest issue with a deep dive into privacy.

After working on this issue, a few of us on the Linux Journal team walked away implementing some new privacy practices, and we suspect you may too after you give it a read.

In This Issue:

  • Data Privacy: How to Protect Yourself
  • Effective Privacy Plugins
  • Using Tor Hidden Services
  • Interview: Andrew Lee on Open-Sourcing PIA
  • Review: Purism's Librem 13v2
  • Generating Good Passwords with a Shell Script
  • The GDPR and Open Source
  • Getting Started with Nextcloud 13
  • Examining Data with Pandas
  • FOSS Project Spotlights: Sawmill and CloudMapper
  • GitStorage Review
  • Visualizing Molecules with EasyChem

Subscribers, you can download your May issue now.

Not a subscriber? It’s not too late. Subscribe today and receive instant access to this and ALL back issues since 1994!

Want to buy a single issue? Buy the May magazine or other single back issues in the LJ store.
