Security update regenerates stale SSH ECDSA host key

Peter Lieven from discovered a problem with TurnKey 13.0 where the OpenSSH ECDSA key is not regenerated on firstboot like the RSA and DSA host keys.

We've issued a signed hotpatch to TurnKey Core 13.0 that regenerates the ECDSA SSH host key. TurnKey deployments that have not disabled automatic security updates (it's on by default) will have their ECDSA SSH host key regenerated automatically within the next 24 hours.

Backdoor in my Medialink router

Just because you're paranoid doesn't mean they aren't out to getcha.

Here's another example of why we need free software running the Internet. When I bought my Medialink router it was the most popular brand of wireless router on It is created by a Chinese corporation called Tenda.

And it comes with a root shell backdoor, which I just tested:

The closest you can get to perfectly secure Bitcoin transactions (without doing them in your head)

@pa2013 helpfully posted Alon's BitKey announcement from last week to the Bitcoin Reddit, which sparked an interesting discussion regarding whether or not you can safely trust BitKey to perform air-gapped transactions. I started responding there but my comment got so long I decided to turn it into a blog post.

Enabling Debian 6.0 LTS Security Support

This announcement is for Debian 6.0 (AKA Squeeze / TurnKey 12) users who have not yet upgraded to Debian 7.0 (AKA Wheezy / TurnKey 13):

~# cat /etc/
Debian GNU/Linux 6.0

Support for security updates to Debian 6.0 officially ended on Saturday May 31 2014.

As you may have heard, for the first time Debian is experimenting with a five year Long Term Support (LTS) program that will extend support until Feb 2016:

TurnKey 13 critical security issue (Heartbleed / CVE-2014-0160)

Without action, your TurnKey 13 installations may remain vulnerable to the critical Heartbleed OpenSSL attack (DSA-2896-1 CVE-2014-0160). This is not a theoretical attack.

Blog Tags: 

Important security notice: Your TurnKey system may no longer be receiving automatic security updates

I have some bad news and some good news. The bad news is that if your TurnKey installation is older than 2 weeks you may no longer be receiving security updates.

The good news is that you are reading this and there is a very easy fix. Either reboot your system, or log in and restart the cron service:

/etc/init.d/cron start

Until you start recron, security updates and other scheduler related services (e.g., daily backups) will not work.

Secure, flexible and scalable Amazon EC2 instance preseeding

I'd like to introduce Joe. He is a good looking, experienced sys-admin and like all good sysadmins, he has more stuff to do than time to do it.

Joe wants to get up and running on Amazon EC2 with a Wordpress installation, and chooses to do so with a pre-configured appliance. These are the steps Joe performs:

Making TurnKey more turnkey - the end to default passwords

In our quest to make the upcoming TurnKey 11.0 release more "turnkey", I set out to extend the firstboot inithooks to include application specific configuration hooks such as setting of the admin password, email and domain to serve (where applicable).

I'm glad to announce that the quest is now over, and that puts the end to default passwords.

Passphrase dictionary attack countermeasures in tklbam's keying mechanism

Background: how a backup key works

In TKLBAM the backup key is a secret encrypted with a passphrase which is uploaded to the Hub.  Decrypting the backup key yields the secret which is passed on to duplicity (and eventually to GnuPG) to be used as the symmetric key with which backup volumes are encrypted on backup and decrypted on restore.