All the News that Matters

• SciLinux: SLSA-2021-1512-1 Important: postgresql on SL7.x x86_64>
  postgresql: Reconnection can downgrade connection security settings (CVE-2020-25694) * postgresql: Multiple features escape "security restricted operation" sandbox (CVE-2020-25695) * postgresql: TYPE in pg_temp executes arbitrary SQL during SECURITY DEFINER execution (CVE-2019-10208) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other [More...]

• openSUSE: 2021:0672-1 important: ceph>
  An update that solves one vulnerability and has two fixes is now available.

• RedHat: RHSA-2021-1515:01 Important: Openshift Logging Bug Fix Release>
  Openshift Logging Bug Fix Release (5.0.3) This release includes a security update. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,

• RedHat: RHSA-2021-1512:01 Important: postgresql security update>
  An update for postgresql is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability

• Debian LTS: DLA-2651-1: python-django security update>
  It was discovered that there was potential directory-traversal vulnerability in Django, a popular Python-based web development framework.

• SUSE: 2021:143-1 suse/sle15 Security Update>
  The container suse/sle15 was updated. The following patches have been included in this update:

• Testssl.sh – Testing TLS/SSL Encryption Anywhere on Any Port
  testssl.sh is a free and open-source, feature-rich command-line tool used for checking TLS/SSL encryption enabled services for supported ciphers, protocols, and some cryptographic flaws, on Linux/BSD servers. It can be run on macOS X and Windows using MSYS2 or Cygwin.

• What is fog computing?
  In the early days, computers were big and expensive. There were few users in the world, and they had to reserve time on a computer (and show up in person) to have their punchcards processed. Systems called mainframes made many innovations and enabled time-shared tasks on terminals (like desktop computers, but without their own CPU).

• Microsoft embraces Linux kernel's eBPF super-tool, extends it for Windows
  This early-stage project is not a fork, Redmond insists. Microsoft on Monday launched an open source project to make a Linux kernel tool known as eBPF, short for Extended Berkeley Packet Filter, work on Windows.…

• Use the Alpine email client in your Linux terminal
  Email is an important communications medium and will remain so for the foreseeable future. I have used many different email clients over the last 30 years, and Thunderbird is what I have used the most in recent years. It is an excellent and functional desktop application that provides all the features that most people need—including me.

• Updated Axel – A Command-Line File Download Accelerator for Linux
  If you are the kind of person who enjoys downloading and trying out several Linux distributions, we are sure you will welcome with open arms a download accelerator that talks the talk and walks the walk – one that does what its description says.

• How to generate and backup a gpg keypair on Linux
  Gnu Privacy Guard (gpg) is the Gnu project free and open source implementation of the OpenGPG standard. The gpg encryption system is called “asymmetric” and it is based on public key encryption: we encrypt a document with the public key of a recipient which will be the only one able to decrypt it, since it owns the private key associated with it. In this tutorial we will see how to generate and create a backup of a gpg keypair.

• How to Install Vagrant in Linux
  This series is focused on Vagrant with VirtualBox as the Provider. From the previous article, you might have an understanding of what is a provider. Virtualbox is the default provider with Vagrant and it is cross-platform and can run in Windows, Linux, and macOS

• Freespire 7.5 Linux Distro Released with Xfce 4.16, Based on Xubuntu 20.04 LTS
  PC OpenSystems LLC, the makers of the Linspire and Freespire Linux distributions, released today Freespire 7.5 as a new release of this Xubuntu-based distro featuring the latest Xfce desktop environment.

• Some thoughts on VR with the Valve Index on Linux
  Virtual Reality is still mostly in its infancy, especially on Linux - so here's some initial thoughts on the experience.

• Linux Kernel 5.13 RC1 Released with Apple M1 SoC Support and Many Improvements
  The Linux Kernel 5.13 RC1 - first release candidate is here for you. You can download and test now. We take a look at the new features in this Kernel release.

• 5 totally useless Linux commands
  Linux has perhaps hundreds of essential and useful commands. These are not.

• 'A fair amount of stuff, all over the place': Torvalds closes merge window for Linux 5.13 with support for Apple M1
  5.10 lifespan also extended to six years, up from two. Linus Torvalds has closed the merge window for Linux 5.13 with the first release candidate, which includes initial support for Apple's M1 processor along with "a fair amount of stuff, all over the place."…

• Linux Beginners: Manage files using the terminal on CentOS 8
  In this article, you will learn how to manage files using commands like ls, cd, rm, etc., and how to install the Midnight Commander file manager on CentOS 8.

• Bodhi Linux 6.0 Released with Fresh New Look, Based on Ubuntu 20.04.2 LTS
  Believe it or not, the minimalist and enlightened Bodhi Linux 6.0 distribution is now available for download with a fresh new look and fresh new base.

• Accidentally wiped an app's directory? Hey, just play the 'unscheduled maintenance' card. Now you're a hero
  It soothed this raging roomful of wannabe lawyers anyway. Who, Me? The oversized rear of Monday is obstructing our view of the receding weekend. Never mind, pour yourself a beverage, select a pastry and settle in for a morning with the Regomiser and another edition of Who, Me?…

• LFCA: Basic Security Tips to Protect Linux System – Part 17
  Now more than ever, we are living in a world where organizations are constantly bombarded by security breaches motivated by the acquisition of highly sensitive and confidential data which is highly valuable and makes for a huge financial reward.

• How to create a custom rpm repository on Linux
  Rpm is the acronym of RPM Package Manager: it is the low-level package manager in use in all the Red Hat family of distributions, such as Fedora and Red Hat Enterprise Linux. An rpm package is a package containing software that is meant to be installed using this package management system, and rpm packages are usually distributed via software repositories. In this tutorial we learn how to create a custom rpm repository and how to configure our distribution to use it as a software source.

• Run Linux on Refurbished Mini PCs – Storage – Part 4
  In this article we consider hard disk drives which form a central part of every modern PC. If you have lots of documents, music, photos and videos, you’ll need plenty of disk space. This series recommends what to choose when buying a refurbished Mini PC to run Linux as a desktop computer.

• Linus Torvalds Announces First Linux Kernel 5.13 Release Candidate
  Two weeks after the release of Linux kernel 5.12 series, the merge window for the next major version, Linux kernel 5.13, is now closed and Linus Torvalds just announced today the general availability for public testing of the first Release Candidate (RC).

• My Little Contribution to GNOME 40
  GNOME 40 is finally out and I'm happy to say a small contribution of mine made it into the release. My contribution adds a new feature to GNOME System Monitor version 40. Few articles about GNOME 40 mention it, but some power users might find my contribution useful.

• NASA's OSIRIS-REx Spacecraft Heads For Earth With Asteroid Sample
  Obipale shares a press release from NASA: After nearly five years in space, NASA's Origins, Spectral Interpretation, Resource Identification, Security, Regolith Explorer (OSIRIS-REx) spacecraft is on its way back to Earth with an abundance of rocks and dust from the near-Earth asteroid Bennu. On Monday, May 10, at 4:23 p.m. EDT the spacecraft fired its main engines full throttle for seven minutes -- its most significant maneuver since it arrived at Bennu in 2018. This burn thrust the spacecraft away from the asteroid at 600 miles per hour (nearly 1,000 kilometers per hour), setting it on a 2.5-year cruise towards Earth. After releasing the sample capsule, OSIRIS-REx will have completed its primary mission. It will fire its engines to fly by Earth safely, putting it on a trajectory to circle the sun inside of Venus' orbit. After orbiting the Sun twice, the OSIRIS-REx spacecraft is due to reach Earth Sept. 24, 2023. Upon return, the capsule containing pieces of Bennu will separate from the rest of the spacecraft and enter Earth's atmosphere. The capsule will parachute to the Utah Test and Training Range in Utah's West Desert, where scientists will be waiting to retrieve it. "OSIRIS-REx's many accomplishments demonstrated the daring and innovate way in which exploration unfolds in real time," said Thomas Zurbuchen, associate administrator for science at NASA Headquarters. "The team rose to the challenge, and now we have a primordial piece of our solar system headed back to Earth where many generations of researchers can unlock its secrets." To realize the mission's multi-year plan, a dozen navigation engineers made calculations and wrote computer code to instruct the spacecraft when and how to push itself away from Bennu. After departing from Bennu, getting the sample to Earth safely is the team's next critical goal. This includes planning future maneuvers to keep the spacecraft on course throughout its journey.
        
  
  Read more of this story at Slashdot.
  

• Biden Administration Approves Nation's First Major Offshore Wind Farm
  The Biden administration gave approval Tuesday to the nation's first commercial-scale offshore wind farm, which is scheduled to begin construction this summer. The New York Times reports: he Vineyard Wind project calls for up to 84 turbines to be installed in the Atlantic Ocean about 12 nautical miles off the coast of Martha's Vineyard, Mass. Together, they could generate about 800 megawatts of electricity, enough to power about 400,000 homes. The administration estimates that the work will create about 3,600 jobs. The project would dwarf the scale of the country's two existing wind farms, off the coasts of Virginia and Rhode Island. Together, they produce just 42 megawatts of electricity. In addition to Vineyard Wind, a dozen other offshore wind projects along the East Coast are now under federal review. The Interior Department has estimated that by the end of the decade, some 2,000 turbines could be churning in the wind along the coast from Massachusetts to North Carolina.   Electricity generated by the Vineyard Wind turbines will travel via cables buried six feet below the ocean floor to Cape Cod, where they would connect to a substation and feed into the New England grid. The company said that it expects to begin delivering wind-powered electricity in 2023. The Biden administration said that it intended to fast-track permits for other projects off the Atlantic Coast and that it would offer $3 billion in federal loan guarantees for offshore wind projects and invest in upgrades to ports across the United States to support wind turbine construction. [...] The administration has pledged to build 30,000 megawatts of offshore wind in the United States by 2030. It's a target the White House has said would spark $12 billion in capital investments annually, supporting 77,000 direct and indirect jobs by the end of the decade. If Mr. Biden's offshore wind targets are met, it could avoid 78 million metric tons of carbon dioxide emissions, while creating new jobs and even new industries along the way, the administration said.
        
  
  Read more of this story at Slashdot.
  

• Ford Patents Tech That Could Scan Billboards and Show Associated In-Car Ads
  An anonymous reader quotes a report from Motor1: Roads are lined with unattractive billboards many of us ignore on our daily commutes, but Ford's new tech will make sure we don't miss them anymore. The system works by scanning the billboards, interpreting the information on the sign, and delivering the most useful bits right into the vehicle's display. It sounds invasive and distracting, with a side of Orwellian creepiness tossed on top for good measure. For now, though, this is just a patent application and may never see implementation, but it's not difficult to see how this could be useful to automakers and advertisers. Ford's application says the tech could display an advertiser's products or services, directions to the store, or the phone number.   It's not a stretch to imagine a future where you're driving down the road, and your car sees a sign for your favorite restaurant, prompting you to place an order because the vehicle knows Thursday is take-out night. Cars are only getting infused with more technology designed to assist people in their day-to-day lives, and this would be another avenue to do just that, creating a tailored driving experience. It could also force advertisers to pay Ford to access to its fleet of billboard-scanning-equipped cars, expanding revenue streams beyond the car itself. In a comment to Motor1, Ford says the company submits "patents on new inventions as a normal course of business, but they aren't necessarily an indication of new business or product plans."
        
  
  Read more of this story at Slashdot.
  

• Forests the Size of France Regrown Since 2000, Study Suggests
  An area of forest the size of France has regrown naturally across the world in the last 20 years, a study suggests. The BBC reports: The restored forests have the potential to soak up the equivalent of 5.9 gigatons (Gt) of carbon dioxide - more than the annual emissions of the US, according to conservation groups. A team led by WWF used satellite data to build a map of regenerated forests. Forest regeneration involves restoring natural woodland through little or no intervention. This ranges from doing nothing at all to planting native trees, fencing off livestock or removing invasive plants.   The Atlantic Forest in Brazil gives reason for hope, the study said, with an area roughly the size of the Netherlands having regrown since 2000. In the boreal forests of northern Mongolia, 1.2 million hectares of forest have regenerated in the last 20 years, while other regeneration hotspots include central Africa and the boreal forests of Canada. The researchers warned that forests across the world face "significant threats." "Despite 'encouraging signs' with forests along Brazil's Atlantic coast, deforestation is such that the forested area needs to more than double to reach the minimal threshold for conservation," the report says.
        
  
  Read more of this story at Slashdot.
  

• Apple Faces UK Class Action for App Store Overcharging
  Apple is facing a London lawsuit over claims it overcharged nearly 20 million U.K. customers for App Store purchases, yet another legal headache for the tech giant fighting lawsuits across the world. Bloomberg reports: Apple's 30% fee is "excessive" and "unlawful" the claimants said in a press release Tuesday. The claim, filed at London's Competition Appeal Tribunal on Monday, calls for the U.S. firm to compensate U.K. iPhone and iPad users for years of alleged overcharging. They estimate that Apple could face paying out in excess of 1.5 billion pounds ($2.1 billion). "Apple is abusing its dominance in the app store market, which in turn impacts U.K. consumers," Rachael Kent, the lead claimant in the case and a professor at King's College London. She teaches the ways in which consumers interact and depend upon digital platforms.   The legal challenges come as Apple faces a backlash -- with billions of dollars in revenue on the line -- from global regulators and some developers who say its fees and other policies are unjust and self-serving. Last month, the European Commission sent a statement of objections to the firm, laying out how it thinks Apple abused its power as the "gatekeeper" for music-streaming apps on its store. The suit alleges that Apple deliberately shuts out potential competition and forces ordinary users to use its own payment processing system, generating unlawfully excessive levels of profit for the company. The claimants say any U.K. user of an iPhone or iPad who purchased paid apps, subscriptions or made other in-app purchases since October 2015 is entitled to compensation. "We believe this lawsuit is meritless and welcome the opportunity to discuss with the court our unwavering commitment to consumers and the many benefits the App Store has delivered to the U.K.'s innovation economy," Apple said in an emailed statement. "The commission charged by the App Store is very much in the mainstream of those charged by all other digital marketplaces," Apple said. "In fact, 84% of apps on the App Store are free and developers pay Apple nothing. And for the vast majority of developers who do pay Apple a commission because they are selling a digital good or service, they are eligible for a commission rate of 15%."
        
  
  Read more of this story at Slashdot.
  

• Some Countries Have No COVID-19 Jabs At All
  The World Health Organization says nearly a dozen countries -- many of them in Africa -- are still waiting to get vaccines. Those last in line on the continent along with Chad are Burkina Faso, Burundi, Eritrea and Tanzania. From a report: "Delays and shortages of vaccine supplies are driving African countries to slip further behind the rest of the world in the COVID-19 vaccine rollout and the continent now accounts for only 1% of the vaccines administered worldwide," WHO warned Thursday. And in places where there are no vaccines, there's also the chance that new and concerning variants could emerge, said Gian Gandhi, UNICEF's COVAX coordinator for Supply Division.   "So we should all be concerned about any lack of coverage anywhere in the world," Gandhi said, urging higher-income countries to donate doses to the nations that are still waiting. While the total of confirmed COVID-19 cases among them is relatively low compared with the world's hot spots, health officials say that figure is likely a vast undercount: The countries in Africa still waiting for vaccines are among those least equipped to track infections because of their fragile health care systems. Chad has confirmed only 170 deaths since the pandemic began, but efforts to stop the virus entirely here have been elusive. Although the capital's international airport was closed briefly last year, its first case came via someone who crossed one of Chad's porous land borders illegally.
        
  
  Read more of this story at Slashdot.
  

• California Ban On Gas-Powered Cars Would Rewrite Plug-In Hybrid Rules
  An anonymous reader quotes a report from CNET: As of now, California wants to implement an 80-20 mix where 80% of new cars sold will be totally electric or hydrogen-powered, and 20% may still feature a plug-in hybrid powertrain. Essentially, automakers will still be able to plop an engine under the hood come 2035. However, PHEVs will need to follow far more stringent definitions of the powertrain. California wants any plug-in hybrid to achieve 50 miles of all-electric range to meet the categorization -- a huge ask. Only two plug-in hybrids in recent years meet that criteria: the Chevrolet Volt (no longer on sale) and the Polestar 1 (soon to exit production). To achieve such a lofty range, automakers need to fit larger batteries, and when you're talking about a big battery and an internal-combustion engine, things get complex (and costly) quickly.   But, that's not all the state will need. Future PHEVs to qualify under these regulations will need to be capable of driving under only electric power throughout their charged range. So, no software to flick on the engine for a few moments to recoup some lost energy. While these regulations would actually benefit drivers to shift PHEVs away from "compliance cars" to something far more usable, the complexities may just turn automakers to focus exclusively on EVs. It all remains to be seen, however since the plans remain open for public comment until June 11 of this year. After that, the board will vote and detail a full proposal later this year.
        
  
  Read more of this story at Slashdot.
  

• Impossible Burgers Are Coming To US Schools
  Impossible Foods has secured Child Nutrition Labels for its Impossible Burger products, which means they can now be part of school nutrition programs in the US. Engadget reports: To obtain the CN Labels, USDA's Food and Nutrition Services had to evaluate the plant-based meat's product formulation, as well as the company's quality control procedures and manufacturing processes. Now that it has acquired CN Labels for its products, the company is launching K-12 pilot programs this month in partnership with several school districts. The Palo Alto Unified School District in California, the Aberdeen School District in Washington, the Deer Creek Public Schools in Edmond, Oklahoma and the Union City Public Schools in Union City, Oklahoma will be using Impossible's faux meat in a variety of dishes for their menu. Those dishes include tacos, frito pies and spaghetti with Impossible meat sauce. Other school districts can easily obtain Impossible products from suppliers to add them to their menus, as well.
        
  
  Read more of this story at Slashdot.
  

• eBay Embraces NFTs
  eBay is joining the NFT frenzy, telling Reuters today that going forward it will allow the sales of NFTs on its platform, a mainstream embrace that follows billions of dollars in NFT purchases over the past few months. TechCrunch reports: The e-commerce company seems poised to slowly build up sales of digital collectibles on the platform, starting with a smaller group of verified sellers on the platform. "In the coming months, eBay will add new capabilities that bring blockchain-driven collectibles to our platform," eBay exec Jordan Sweetnam told them. eBay has invested heavily in infrastructure for physical collectibles like trading cards, as well as items like sneakers and watches which they help verify for buyers.
        
  
  Read more of this story at Slashdot.
  

• Amazon and Others Ordered To Slash Diesel Pollution From Warehouse Trucks
  Southern California has adopted a new air pollution rule aimed at slashing noxious emissions from warehouse trucks that move goods sold by Amazon and other e-commerce retailers. Ars Technica reports: Diesel pollution from heavy trucks causes everything from asthma to heart attacks, and even Parkinson's disease. Previously, such pollution tended to be concentrated around shipping ports and highways, but the growth of e-commerce has created a new source that is affecting neighborhoods farther inland. There are nearly 34,000 warehouses enclosing 1.17 billion square feet of space in the Los Angeles region alone. The rule, which was adopted late last week by a 9-4 vote of the South Coast Air Quality Management District (AQMD), would cover around 3,300 warehouses that are larger than 100,000 square feet. The rule seeks to reduce the amount of diesel particulate matter and nitrogen oxides produced by trucks serving these facilities. The district covers more than 17 million people, or nearly half the state's population.   The way the South Coast AQMD is approaching warehouse-related pollution is novel. Rather than attempting to control traffic flow to and from the facilities, the regulator will require warehouse owners to take various steps to reduce pollution in the area. That could include buying electric or fuel-cell trucks, adding solar panels to the building roofs, or installing air filters at nearby homes, hospitals, and schools. Each of these measures is assigned a point value, and warehouse operators must achieve a certain total to offset the emissions from their truck traffic. If they cannot meet the goal through mitigation measures, they can pay a fee instead. South Coast AQMD is phasing in compliance depending on the size of the facility. Warehouses that are over 250,000 square feet must meet their goals by June 30, 2022. Warehouses over 150,000 square feet must comply by the same day the following year, and those over 100,000 square feet get until June 30, 2024. Amazon's typical warehouses, for example, range in size from 600,000 to 1 million square feet. [...] The new rule is expected to save 150 to 300 lives and prevent 2,500 to 5,800 asthma attacks between 2022 and 2031. Overall, the public health benefits could be as large as $2.7 billion over the same timeframe.
        
  
  Read more of this story at Slashdot.
  

• Army of Fake Fans Boosts China's Messaging on Twitter
  China's ruling Communist Party has opened a new front in its long, ambitious war to shape global public opinion: Western social media. From a report: Liu Xiaoming, who recently stepped down as China's ambassador to the United Kingdom, is one of the party's most successful foot soldiers on this evolving online battlefield. He joined Twitter in October 2019, as scores of Chinese diplomats surged onto Twitter and Facebook, which are both banned in China. Since then, Liu has deftly elevated his public profile, gaining a following of more than 119,000 as he transformed himself into an exemplar of China's new sharp-edged "wolf warrior" diplomacy, a term borrowed from the title of a top-grossing Chinese action movie. "As I see it, there are so-called 'wolf warriors' because there are 'wolfs' in the world and you need warriors to fight them," Liu, who is now China's Special Representative on Korean Peninsula Affairs, tweeted in February. His stream of posts -- principled and gutsy ripostes to Western anti-Chinese bias to his fans, aggressive bombast to his detractors -- were retweeted more than 43,000 times from June through February alone. But much of the popular support Liu and many of his colleagues seem to enjoy on Twitter has, in fact, been manufactured.   A seven-month investigation by the Associated Press and the Oxford Internet Institute, a department at Oxford University, found that China's rise on Twitter has been powered by an army of fake accounts that have retweeted Chinese diplomats and state media tens of thousands of times, covertly amplifying propaganda that can reach hundreds of millions of people -- often without disclosing the fact that the content is government-sponsored. More than half the retweets Liu got from June through January came from accounts that Twitter has suspended for violating the platform's rules, which prohibit manipulation. Overall, more than one in ten of the retweets 189 Chinese diplomats got in that time frame came from accounts that Twitter had suspended by Mar. 1. But Twitter's suspensions did not stop the pro-China amplification machine. An additional cluster of fake accounts, many of them impersonating U.K. citizens, continued to push Chinese government content, racking up over 16,000 retweets and replies before Twitter kicked them off late last month and early this month, in response to the AP and Oxford Internet Institute's investigation.
        
  
  Read more of this story at Slashdot.
  

• Voice Actor Reportedly Responsible For Amazon Alexa Revealed
  An anonymous reader quotes a report from The Verge: Amazon's Alexa has a voice familiar to millions: calm, warm, and measured. But like most synthetic speech, its tones have a human origin. There was someone whose voice had to be recorded, analyzed, and algorithmically reproduced to create Alexa as we know it now. Amazon has never revealed who this "original Alexa" is, but journalist Brad Stone says he tracked her down, and she is Nina Rolle, a voiceover artist based in Boulder, Colorado. The claim comes from Stone's upcoming book on the tech giant, Amazon Unbound, an excerpt of which is published here in Wired. Neither Amazon nor Rolle confirmed or denied Stone's reporting, which he says is based on conversations with the professional voiceover community, but Rolle's voice alone makes for a compelling case.   Here's how Stone writes up the process in selecting Alexa's voice: "Believing that the selection of the right voice for Alexa was critical, [then-Amazon exec Greg] Hart and colleagues spent months reviewing the recordings of various candidates that GM Voices produced for the project, and presented the top picks to Bezos. The Amazon team ranked the best ones, asked for additional samples, and finally made a choice. Bezos signed off on it. Characteristically secretive, Amazon has never revealed the name of the voice artist behind Alexa. I learned her identity after canvasing the professional voice-over community: Boulder, Colorado -- based voice actress and singer Nina Rolle. Her professional website contains links to old radio ads for products such as Mott's Apple Juice and the Volkswagen Passat -- and the warm timbre of Alexa's voice is unmistakable. Rolle said she wasn't allowed to talk to me when I reached her on the phone in February 2021. When I asked Amazon to speak with her, they declined."
        
  
  Read more of this story at Slashdot.
  

• Chinese TV Maker Skyworth Under Fire For Excessive Data Collection That Users Call Spying
  Chinese television maker Skyworth has issued an apology after a consumer found that his set was quietly collecting a wide range of private data and sending it to a Beijing-based analytics company without his consent. From a report: A network traffic analysis revealed that a Skyworth smart TV scanned for other devices connected to the same local network every 10 minutes and gathered data that included device names, IP addresses, network latency and even the names of other Wi-Fi networks within range, according to a post last week on the Chinese developer forum V2EX. The data was sent to the Beijing-based firm Gozen Data, the forum user said. Gozen is a data analytics company that specialises in targeted advertising on smart TVs, and it calls itself Chinaâs first "home marketing company empowered by big data centred on family data."   The user did not identify himself, and efforts to contact the person received no reply. However, the post quickly picked up steam, touching a nerve among Chinese consumers and prompting angry comments. "Isn't this already the criminal offence of spying on people?" asked one user on Sina.com, a Chinese financial news portal. "Whom will the collected data be sold to, and who is the end user of this data?"
        
  
  Read more of this story at Slashdot.
  

• East Coast Facing Gas Shortage Due To Ransomware Attack
  New submitter TheCowSaysMoo writes: Gas stations from Florida to Virginia began running dry and prices at the pump jumped on Tuesday as the shutdown of the biggest U.S. fuel pipeline by hackers extended into a fifth day and sparked panic buying by motorists. About 7.5% of gas stations in Virginia and 5% in North Carolina had no fuel on Tuesday as demand jumped 20%, tracking firm GasBuddy said. Prices rose to their highest in more than six years, and Georgia suspended sales tax on gas until Saturday to ease the strain on consumers. North Carolina declared an emergency. Colonial Pipeline has forecast that it will not substantially restore operations of the 5,500-mile pipeline network that supplies nearly half of the East Coast's fuel until the end of the week. The company preventively shut the pipeline on Friday after hackers locked its computers and demanded ransom, underscoring the vulnerability of U.S. energy infrastructure to cyberattack.
        
  
  Read more of this story at Slashdot.
  

• Google Plans To Double AI Ethics Research Staff
  Alphabet's Google plans to double the size of its team studying artificial-intelligence ethics in the coming years, as the company looks to strengthen a group that has had its credibility challenged by research controversies and personnel defections. From a report: Vice President of Engineering Marian Croak said at The Wall Street Journal's Future of Everything Festival that the hires will increase the size of the responsible AI team that she leads to 200 researchers. Additionally, she said that Alphabet Chief Executive Sundar Pichai has committed to boost the operating budget of a team tasked with evaluating code and product to avert harm, discrimination and other problems with AI. "Being responsible in the way that you develop and deploy AI technology is fundamental to the good of the business," Ms. Croak said. "It severely damages the brand if things aren't done in an ethical way." Google announced in February that Ms. Croak would lead the AI ethics group after it fired the division's co-head, Margaret Mitchell, for allegedly sharing internal documents with people outside the company. Ms. Mitchell's exit followed criticism of Google's suppression of research last year by a prominent member of the team, Timnit Gebru, who says she was fired because of studies critical of the company's approach to AI. Mr. Pichai pledged an investigation into the circumstances around Ms. Gebru's departure and said he would seek to restore trust.
        
  
  Read more of this story at Slashdot.
  

Engadget"Engadget"

• Waymo and Cruise may soon offer autonomous rides and deliveries in California
  Waymo and Cruise have asked California's DMV for permission to start charging for rides and deliveries with their autonomous vehicles in California.

• Instagram lets users add pronouns to their profile
  Instagram is adding a new feature that lets people choose pronouns to display next to their name on their profile.

• WiFi vulnerability may leave millions of devices open to 'frag attacks'
  A prolific security researcher has discovered a new flaw in the WiFi standard that affects most devices and protocols dating back to 1997.

• US government agrees to lift ban on Xiaomi
  The US government has agreed to remove Xiaomi from a Trump administration blocklist after the company filed a lawsuit earlier this year.

• Subaru teases its first EV
  Subaru has revealed that its first all-electric vehicle will called Solterra.

• Vizio makes nearly as much money from ads and data as it does from TVs
  Vizio monetizes its cheap smart TVs and free video options by collecting viewer data and selling ads.

• Smart home networking standard Project CHIP rebrands as 'Matter'
  Open smart home standard Project Connected Home over IP (CHIP) is now known as Matter.

• The Nanit Pro baby monitoring system is $100 off at Amazon
  Save big on the Nanit Pro baby monitoring system, which is $100 off at Amazon.

• Ubisoft's oft-delayed 'Skull and Bones' won't come out before 2022
  Ubisoft now expects to release the game sometime between during its 2022-2023 fiscal year.

• TikTok is reportedly testing a job recruitment tool
  You'll be able to post resume videos on your profile, according to 'Axios.'

• Microsoft is giving Xbox One Insiders a chance to reserve a Series X/S
  There are no guarantees, of course.

• TikTok rolls out a Guardian's Guide to help parents understand the platform
  The TikTok Safety Center is also receiving a spit-shine.

• Blizzard will dive into 'Overwatch 2' PvP on May 20th
  The team will stream two hours of action, offering an in-depth look at the future of 'Overwatch.'

• Samsung won’t attend MWC in Barcelona this summer
  Samsung won't have a physical presence at MWC 2021 in Barcelona.

• YouTube will open a $100 million fund to pay Shorts creators
  It could be looking to lure creators away from TikTok and Snapchat.

• LucasArts classic 'Zombies Ate My Neighbors' heads to current consoles this summer
  Lucasfilm Games is bringing back one of its 90s classics to modern platforms.

• Xbox Series X/S May update makes Quick Resume even faster
  Plus, passthrough audio for media apps is live.

• Fatal Frame is coming back, but as a pachinko machine
  It's been seven years since the last game in the survival horror series, but someone thought a slot machine was the way to revive it.

• ‘New World’ trailer shows off gameplay and story beats from Amazon’s upcoming MMO
  Amazon Game Studios has released a new trailer for its upcoming New World MMO ahead of the game’s August 31st release date.

• The White House, Uber and Lyft team up for free rides to COVID-19 vaccine sites
  The program will start soon and run until July 4th.

• HTC Vive's Pro 2 and Focus 3 are high-powered 5K VR headsets for pros
  HTC Vive is doubling down on professional-grade VR with the Vive Pro 2 and Focus 3 headsets.

• Bose built the first FDA-cleared hearing aids that won't require a doctor's visit
  Bose has unveiled its first hearing aids, and they're the first in the US that don't require a doctor's visit or prescription — you can buy SoundControl directly.

• Learn everything you need to trade currencies with one app
  Currency Heatwave consolidates all the information a currency trader needs into one convenient location that's color coded, detailed and reliable.

• Facebook ordered to stop collecting data on German WhatsApp users
  An emergency ban will be in place for three months.

• Akai brings classic MPC looks to its One groovebox
  Akai has introduced an MPC One Retro that fuses a 1980s look with 2020s music production technology.

• eBPF for Advanced Linux Infrastructure Monitoring
  by Odysseas Lamztidis   
  A year has passed since the pandemic left us spending the better part of our days sheltering inside our homes. It has been a challenging time for developers, Sysadmins, and entire IT teams for that matter who began to juggle the task of monitoring and troubleshooting an influx of data within their systems and infrastructures as the world was forced online. To do their job properly, free, open-source technologies like Linux have become increasingly attractive, especially amongst Ops professionals and Sysadmins in charge of maintaining growing and complex environments. Engineers, as well, are using more open-source technologies largely due to the flexibility and openness they have to offer, versus commercial offerings that are accompanied by high-cost pricing and stringent feature lock-ins.
  
  One emerging technology in particular - eBPF - has made its appearance in multiple projects, including commercial and open-source offerings. Before discussing more about the community surrounding eBPF and its growth during the pandemic, it’s important to understand what it is and how it’s being utilized. eBPF, or extended Berkley packet filtering, was originally introduced as BPF back in 1992 in a paper by Lawrence Berkeley Laboratory researchers as a rule-based mechanism to filter and capture network packets. Filters would be implemented to run inside a register-based Virtual Machine (VM), which itself would exist inside the Linux Kernel. After several years of non-activity, BPF was extended to eBPF, featuring a full-blown VM to run small programs inside the Linux Kernel. Since these programs run from inside the Kernel, they can be attached to a particular code path and be executed when it is traversed, making them perfect to create applications for packet filtering and performance analysis and monitoring.
  
  Originally, it was not easy to create eBPF programs, as the programmer needed to know an extremely low-level language. However, the community around that technology has evolved considerably through their creation of tools and libraries to simplify and speed up the process of developing and loading an eBPF program inside the Kernel. This was crucial for creating a large number of tools that can trace system and application activity down to a very granular level. The image that follows demonstrates this, showing the sheer number of tools that exist to trace various parts of the Linux stack.
      Go to Full Article          

• How to set up a CrowdSec multi-server installation
  by Manuel Sabban    Introduction  CrowdSec is an open-source & collaborative security solution built to secure Internet-exposed Linux services, servers, containers, or virtual machines with a server-side agent. It is a modernized version of Fail2ban which was a great source of inspiration to the project founders.
  CrowdSec is free (under an MIT License) and its source code available on GitHub. The solution is leveraging a log-based IP behavior analysis engine to detect attacks. When the CrowdSec agent detects any aggression, it offers different types of remediation to deal with the IP behind it (access prohibition, captcha, 2FA authentication etc.). The report is curated by the platform and, if legitimate, shared across the CrowdSec community so users can also protect their assets from this IP address.
  A few months ago, we added some interesting features to CrowdSec when releasing v1.0.x. One of the most exciting ones is the ability of the CrowdSec agent to act as an HTTP rest API to collect signals from other CrowdSec agents. Thus, it is the responsibility of this special agent to store and share the collected signals. We will call this special agent the LAPI server from now on.
  Another worth noting feature, is that mitigation no longer has to take place on the same server as detection. Mitigation is done using bouncers. Bouncers rely on the HTTP REST API served by the LAPI server.
  Goals  In this article we’ll describe how to deploy CrowdSec in a multi-server setup with one server sharing signal.
  Both server-2 and server-3 are meant to host services. You can take a look on our Hub to know which services CrowdSec can help you secure. Last but not least, server-1 is meant to host the following local services:
    the local API needed by bouncers
      the database fed by both the three local CrowdSec agents and the online CrowdSec blocklist service.  As server-1 is serving the local API, we will call it the LAPI server.
   We choose to use a postgresql backend for CrowdSec database in order to allow high availability. This topic will be covered in future posts. If you are ok with no high availability, you can skip step 2.
      Go to Full Article          

• Develop a Linux command-line Tool to Track and Plot Covid-19 Stats
  by Nawaz Abbasi    It’s been over a year and we are still fighting with the pandemic at almost every aspect of our life. Thanks to technology, we have various tools and mechanisms to track Covid-19 related metrics which help us make informed decisions. This introductory-level tutorial discusses developing one such tool at just Linux command-line, from scratch.
  We will start with introducing the most important parts of the tool – the APIs and the commands. We will be using 2 APIs for our tool - COVID19 API and Quickchart API and 2 key commands – curl and jq. In simple terms, curl command is used for data transfer and jq command to process JSON data.
  The complete tool can be broken down into 2 keys steps:
  
  1. Fetching (GET request) data from the COVID19 API and piping the JSON output to jq so as to process out only global data (or similarly, country specific data).
   $ curl -s --location --request GET 'https://api.covid19api.com/summary' | jq -r '.Global'  {   "NewConfirmed": 561661,   "TotalConfirmed": 136069313,   "NewDeaths": 8077,   "TotalDeaths": 2937292,   "NewRecovered": 487901,   "TotalRecovered": 77585186,   "Date": "2021-04-13T02:28:22.158Z"  } 
  2. Storing the output of step 1 in variables and calling the Quickchart API using those variables, to plot a chart. Subsequently piping the JSON output to jq so as to filter only the link to our chart.
   $ curl -s -X POST \   -H 'Content-Type: application/json' \   -d '{"chart": {"type": "bar", "data": {"labels": ["NewConfirmed (${newConf})", "TotalConfirmed (${totConf})", "NewDeaths (${newDeath})", "TotalDeaths (${totDeath})", "NewRecovered (${newRecover})", "TotalRecovered (${totRecover})"], "datasets": [{"label": "Global Covid-19 Stats (${datetime})", "data": [${newConf}, ${totConf}, ${newDeath}, ${totDeath}, ${newRecover}, ${totRecover}]}]}}}' \   https://quickchart.io/chart/create | jq -r '.url'  https://quickchart.io/chart/render/zf-be27ef29-4495-4e9a-9180-dbf76f485eaf    That’s it! Now we have our data plotted out in a chart:
  
      Go to Full Article          

• FSF’s LibrePlanet 2021 Free Software Conference Is Next Weekend, Online Only
  by George Whittaker    On Saturday and Sunday, March 20th and 21st, 2021, free software supporters from all over the world will log in to share knowledge and experiences, and to socialize with others within the free software community. This year’s theme is “Empowering Users,” and keynotes will be Julia Reda, Nathan Freitas, and Nadya Peek. Free Software Foundation (FSF) associate members and students attend gratis at the Supporter level. 
  You can see the schedule and learn more about the conference at https://libreplanet.org/2021/, and participants are encouraged to register in advance at https://u.fsf.org/lp21-sp. 
  The conference will also include workshops, community-submitted five-minute Lightning Talks, Birds of a Feather (BoF) sessions, and an interactive “exhibitor hall” and “hallway” for socializing.
      Go to Full Article          

• Review: The New weLees Visual LVM, a new style of LVM management, has been released
  by George Whittaker    Maintenance of the storage system is a daily job for system administrators. Linux provides users with a wealth of storage capabilities, and powerful built-in maintenance tools. However, these tools are hardly friendly to system administrators while generally considerable effort is required for mastery.
  As a Linux built-in storage model, LVM provides users with plenty flexible management modes to fit various needs. For users who can fully utilize its functions, LVM could meet almost all needs. But the premise is thorough understanding of the LVM model, dozens of commands as well as accompanying parameters.
  The graphical interface would dramatically simplify both learning curve and operation with LVM, in a similar approach as partition tools that are widely used on Windows/Linux platforms. Although scripts with commands are suitable for daily, automatic tasks, the script could not handle all functions in LVM. For instance, manual calculation and processing are still required by many tasks.
  Significant effort had been spent on this problem. Nowadays, several graphical LVM management tools are already available on the Internet, some of them are built-in with Linux distributions and others are developed by third parties. But there remains a critical problem: desire for remote machines or headless servers are completely ignored.
  This is now solved by Visual LVM Remote. Front end of this tool is developed based on the HTTP protocol. With any smart device that can connect to the storage server, Users can perform management operations.
  Visual LVM is developed by weLees Corporation and supports all Linux distributions. In addition to working with remote/headless servers, it also supports more advanced features of LVM compared with various on-shelf graphic LVM management tools.
  Dependences of Visual LVM Remote  Visual LVM Remote can work on any Linux distribution that including two components below:
    LVM2
      Libstdc++.so
   UI of Visual LVM Remote  With a concise UI, partitions/physical volumes/logical volumes are displayed by disk layout. With a glance, disk/volume group information can be obtained immediately. In addition, detailed relevant information of the object will be displayed in the information bar below with the mouse hover on the concerned object.
      Go to Full Article          

• Nvidia Linux drivers causing random hard crashes and now a major security risk still not fixed after 5+ months
  Image       The recent fiasco with Nvidia trying to block Hardware Unboxed from future GPU review samples for the content of their review is one example of how they choose to play this game. This hatred is not only shared by reviewers, but also developers and especially Linux users.
  The infamous Torvalds videos still traverse the web today as Nvidia conjures up another evil plan to suck up more of your money and market share. This is not just one off shoot case; oh how much I wish it was. I just want my computer to work.
  If anyone has used Sway-WM with an Nvidia GPU I’m sure they would remember the –my-next-gpu-wont-be-nvidia option.
  These are a few examples of many.
  The Nvidia Linux drivers have never been good but whatever has been happening at Nvidia for the past decade has to stop today. The topic in question today is this bug: [https://forums.developer.nvidia.com/t/bug-report-455-23-04-kernel-panic-due-to-null-pointer-dereference]
  This bug causes hard irrecoverable crashes from driver 440+. This issue is still happening 5+ months later with no end in sight. At first users could work around this by using an older DKMS driver along with a LTS kernel. However today this is no longer possible. Many distributions of Linux are now dropping the old kernels. DKMS cannot build. The users are now FORCED with this “choice”:
  {Use an older driver and risk security implications} or {“use” the new drivers that cause random irrecoverable crashes.}
  This issue is only going to get more and more prevalent as the kernel is a core dependency by definition. This is just another example of the implications of an unsafe older kernel causing issue for users: https://archlinux.org/news/moving-to-zstandard-images-by-default-on-mkinitcpio/
  If you use Linux or care about the implications of a GPU monopoly, consider AMD. Nvidia is already rearing its ugly head and AMD is actually putting up a fight this year.
        #Linux  NVIDIA  News                   

• Parallel shells with xargs: Utilize all your cpu cores on UNIX and Windows
  by Charles Fisher    Introduction  One particular frustration with the UNIX shell is the inability to easily schedule multiple, concurrent tasks that fully utilize CPU cores presented on modern systems. The example of focus in this article is file compression, but the problem rises with many computationally intensive tasks, such as image/audio/media processing, password cracking and hash analysis, database Extract, Transform, and Load, and backup activities. It is understandably frustrating to wait for gzip * running on a single CPU core, while most of a machine's processing power lies idle.
  This can be understood as a weakness of the first decade of Research UNIX which was not developed on machines with SMP. The Bourne shell did not emerge from the 7th edition with any native syntax or controls for cohesively managing the resource consumption of background processes.
  Utilities have haphazardly evolved to perform some of these functions. The GNU version of xargs is able to exercise some primitive control in allocating background processes, which is discussed at some length in the documentation. While the GNU extensions to xargs have proliferated to many other implementations (notably BusyBox, including the release for Microsoft Windows, example below), they are not POSIX.2-compliant, and likely will not be found on commercial UNIX.
  Historic users of xargs will remember it as a useful tool for directories that contained too many files for echo * or other wildcards to be used; in this situation xargs is called to repeatedly batch groups of files with a single command. As xargs has evolved beyond POSIX, it has assumed a new relevance which is useful to explore.
  
  
  Why is POSIX.2 this bad?  A clear understanding of the lack of cohesive job scheduling in UNIX requires some history of the evolution of these utilities.
      Go to Full Article          

• Bypassing Deep Packet Inspection: Tunneling Traffic Over TLS VPN
  by Dmitriy Kuptsov   
  In some countries, network operators employ deep packet inspection techniques to block certain types of traffic. For example, Virtual Private Network (VPN) traffic can be analyzed and blocked to prevent users from sending encrypted packets over such networks.
  
  By observing that HTTPS works all over the world (configured for an extremely large number of web-servers) and cannot be easily analyzed (the payload is usually encrypted), we argue that in the same manner VPN tunneling can be organized: By masquerading the VPN traffic with TLS or its older version - SSL, we can build a reliable and secure network. Packets, which are sent over such tunnels, can cross multiple domains, which have various (strict and not so strict) security policies. Despite that the SSH can be potentially used to build such network, we have evidence that in certain countries connections made over such tunnels are analyzed statistically: If the network utilization by such tunnels is high, bursts do exist, or connections are long-living, then underlying TCP connections are reset by network operators.
  
  Thus, here we make an experimental effort in this direction: First, we describe different VPN solutions, which exist on the Internet; and, second, we describe our experimental effort with Python-based software and Linux, which allows users to create VPN tunnels using TLS protocol and tunnel small office/home office (SOHO) traffic through such tunnels.
  I. INTRODUCTION
  Virtual private networks (VPN) are crucial in the modern era. By encapsulating and sending client’s traffic inside protected tunnels it is possible for users to obtain network services, which otherwise would be blocked by a network operator. VPN solutions are also useful when accessing a company’s Intranet network. For example, corporate employees can access the internal network in a secure way by establishing a VPN connection and directing all traffic through the tunnel towards the corporate network. This way they can get services, which otherwise would be impossible to get from the outside world.
  II. BACKGROUND
  There are various solutions that can be used to build VPNs. One example is Host Identity Protocols (HIP) [7]. HIP is a layer 3.5 solution (it is in fact located between transport and network layers) and was originally designed to split the dual role of IP addresses - identifier and locator. For example, a company called Tempered Networks uses HIP protocol to build secure networks (for sampling see [4]).
      Go to Full Article          

• How to Save Time Running Automated Tests with Parallel CI Machines
  by Artur Trzop   
  Automated tests are part of many programming projects, ensuring the software is flawless. The bigger the project, the larger the test suite can be.This can result in automated tests taking a lot of time to run. In this article you will learn how to run automated tests faster with parallel Continuous Integration machines (CI) and what problems can be encountered. The article covers common parallel testing problems, based on Ruby & JavaScript tests.
  Slow automated tests
  Automated tests can be considered slow when programmers stop running the whole test suite on their local machine because it is too time consuming. Most of the time you use CI servers such as Jenkins, CircleCI, Github Actions to run your tests on an external machine instead of your own. When you have a test suite that runs for an hour then it’s not efficient to run it on your computer. Browser end-to-end tests for your web project can take a really long time to execute. Running tests on a CI server for an hour is also not efficient. You as a developer need a fast feedback loop to know if your software works fine. Automated tests should help you with that.
  Split tests between many CI machines to save time
  A way to save you time is to make CI build as fast as possible. When you have tests taking e.g. 1 hour to run then you could leverage your CI server config and setup parallel jobs (parallel CI machines/nodes). Each of the parallel jobs can run a chunk of the test suite. 
  
  You need to divide your tests between parallel CI machines. When you have a 60 minutes test suite you can run 20 parallel jobs where each job runs a small set of tests and this should save you time. In an optimal scenario you would run tests for 3 minutes per job. 
  
  How to make sure each job runs for 3 minutes? As a first step you can apply a simple solution. Sort all of your test files alphabetically and divide them by the number of parallel jobs. Each of your test files can have a different execution time depending on how many test cases you have per test file and how complex each test case is. But you can end up with test files divided in a suboptimal way, and this is problematic. The image below illustrates a suboptimal split of tests between parallel CI jobs where one job runs too many tests and ends up being a bottleneck.
      Go to Full Article          

• The KISS Web Development Framework
  by Blake McBride   
  Perhaps the most popular platform for applications is the web. There are many reasons for this including portability across platforms, no need to update the program, data backup, sharing data with others, and many more. This popularity has driven many of us to the platform.
  
  Unfortunately, the platform is a bit complex. Rather than developing in a particular environment, with web applications it is necessary to create two halves of a program utilizing vastly different technologies. On top of that, there are many additional challenges such as the communications and security between the two halves.
  
  A typical web application would include all of the following building blocks:
  Front-end layout (HTML/CSS)  Front-end functionality (JavaScript)  Back-end server code (Java, C#, etc.)  Communications (REST, etc.)  Authentication  Data persistence (SQL, etc.) 
  All these don't even touch on all the other pieces that are not part of your application proper, such as the server (Apache, tomcat, etc), the database server (PostgreSQL, MySQL, MongoDB, etc), the OS (Linux, etc.), domain name, DNS, yadda, yadda, yadda.
  
  The tremendous complexity notwithstanding, most application developers mainly have to concern themselves with the six items listed above. These are their main concerns.
  
  Although there are many fine solutions available for these main concerns, in general, these solutions are siloed, complex, and incongruent. Let me explain.
  
  Many solutions are siloed because they are single-solution packages that are complete within themselves and disconnected from other pieces of the system.
  
  Some solutions are so complex that they can take years to learn well. Developers can struggle more with the framework they are using than the language or application they are trying to write. This is a major problem.
  
  Lastly, by incongruent I mean that the siloed tools do not naturally fit well together. A bunch of glue code has to be written, learned, and supported to fit the various pieces together. Each tool has a different feel, a different approach, a different way of thinking.
  
  Being frustrated with all of these problems, I wrote the KISS Web Development Framework. At first it was just various solutions I had developed. But later it evolved into a single, comprehensive web development framework. KISS, an open-source project, was specifically designed to solve these exact challenges.
  
  KISS is a single, comprehensive, fully integrated web development framework that includes integrated solutions for:
  
  Front-end
  Custom HTML controls  Easy communications with the back-end with built-in authentication  Browser cache control (so the user never has to clear their cache)  A variety of general purpose utilities 
  Back-end
      Go to Full Article