NTLUG

Linux is free.
Life is good.

Linux Training
10am on Meeting Days!

1825 Monetary Lane Suite #104 Carrollton, TX


LinuxSecurity - Security Advisories

  • Debian LTS: DLA-2710-2: rabbitmq-server regression update
    It was discovered that the previous upload of the package rabbitmq-server versioned 3.6.6-1+deb9u1 introduced a regression in function fmt_strip_tags. Big thanks to Christoph Haas for reporting the issue and for testing the update.


  • Mageia 2021-0369: golang security update
    encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method (CVE-2021-27918).


  • Mageia 2021-0368: lib3mf security update
    A use-after-free vulnerability exists in the NMR::COpcPackageReader::releaseZIP() functionality of 3MF Consortium lib3mf 2.0.0. A specially crafted 3MF file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability (CVE-2021-21772).


  • Debian: DSA-4944-1: krb5 security update
    It was discovered that the Key Distribution Center (KDC) in krb5, the MIT implementation of Kerberos, is prone to a NULL pointer dereference flaw. An unauthenticated attacker can take advantage of this flaw to cause a denial of service (KDC crash) by sending a request containing a




LWN.net

  • K-9 5.800 released
    After a long pause, the K-9 Android mail client project has released version 5.800. "The user interface has been redesigned. Some of you will love it, some will hate it. You’re welcome and sorry." There are also a number of improvements to make background operation work better on current Android systems.


  • [$] Using DAMON for proactive reclaim
    The DAMON patch set was first covered here in early 2020; this work, now in its 34th revision, enables the efficient collection of information about memory-usage patterns on Linux systems. That data can then be used to influence the kernel's memory-management subsystem; one possible way to do that is to more aggressively reclaim memory that is not being used. To that end, DAMON author SeongJae Park is proposing a DAMON-based mechanism to perform user-controllable proactive reclaim.


  • Security updates for Friday
    Security updates have been issued by Arch Linux (chromium, curl, impacket, jdk11-openjdk, jre-openjdk, jre-openjdk-headless, jre11-openjdk-headless, kernel, lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-compat, libcurl-gnutls, libpano13, linux-hardened, linux-lts, linux-zen, nvidia-utils, opera, systemd, and virtualbox), CentOS (java-11-openjdk and kernel), Debian (lemonldap-ng), Fedora (curl and podman), Gentoo (icedtea-web and velocity), openSUSE (bluez, go1.15, go1.16, kernel, thunderbird, transfig, and wireshark), Oracle (java-1.8.0-openjdk, java-11-openjdk, kernel, and kernel-container), SUSE (bluez, curl, kernel, qemu, thunderbird, transfig, and wireshark), and Ubuntu (curl).


  • [$] The core of the -stable debate
    Disagreements over which patches should find their way into stable updates are not new — or uncommon. So when the topic came up again recently, there was little reason to expect anything but more of the same. And, for the most part, that is what ensued but, in this exchange, we were also able to see the core issue that drives these discussions. There are, in the end, two fundamentally different views of what the stable tree should be.


  • Security updates for Thursday
    Security updates have been issued by Debian (pillow and redis), Fedora (kernel-headers, kernel-tools, kernelshark, libbpf, libtraceevent, libtracefs, nextcloud, and trace-cmd), Gentoo (chromium and singularity), Mageia (kernel, kernel-linus, and systemd), openSUSE (caribou, chromium, curl, and qemu), Oracle (java-1.8.0-openjdk, java-11-openjdk, kernel, and systemd), Slackware (curl), SUSE (curl, kernel, linuxptp, python-pip, and qemu), and Ubuntu (ruby2.3, ruby2.5, ruby2.7).



  • [$] The Sequoia seq_file vulnerability
    A local root hole in the Linux kernel, called Sequoia, was disclosed by Qualys on July 20. A full system compromise is possible until the kernel is patched (or mitigations that may not be fully effective are applied). At its core, the vulnerability relies on a path through the kernel where 64-bit size_t values are "converted" to signed integers, which effectively results in an overflow. The flaw was reported to Red Hat on June 9, along with a local systemd denial-of-service vulnerability, leading to a kernel crash, found at the same time. Systems with untrusted local users need updates for both problems applied as soon as they are available—out of an abundance of caution, other systems likely should be updated as well.


  • Security updates for Wednesday
    Security updates have been issued by Arch Linux (ant, code, dino, firefox-ublock-origin, go, libuv, nextcloud-app-mail, nodejs-lts-erbium, nodejs-lts-fermium, openvswitch, putty, racket, telegram-desktop, and wireshark-cli), Debian (kernel, linux-4.19, and systemd), Fedora (kernel, kernel-headers, kernel-tools, and krb5), Gentoo (systemd), Mageia (perl-Convert-ASN1 and wireshark), openSUSE (caribou, containerd, crmsh, fossil, icinga2, kernel, nextcloud, and systemd), Red Hat (389-ds:1.4, glibc, java-1.8.0-openjdk, java-11-openjdk, kernel, kernel-rt, kpatch-patch, libldb, perl, RHV-H, rpm, shim and fwupd, and systemd), Slackware (kernel), SUSE (caribou, containerd, crmsh, curl, dbus-1, kernel, qemu, and systemd), and Ubuntu (binutils, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-5.8, linux-azure, linux-azure-5.8, linux-gcp, linux-gcp-5.8, linux-hwe-5.8, linux-kvm, linux-oracle, linux-oracle-5.8, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-azure, linux-gcp, linux-gke-5.3, linux-hwe, linux-lts-xenial, linux-kvm, linux-oracle, linux-raspi, linux-raspi2-5.3, linux-oem-5.10, nvidia-graphics-drivers-390, nvidia-graphics-drivers-418-server, nvidia-graphics-drivers-450-server, nvidia-graphics-drivers-460, nvidia-graphics-drivers-460-server, nvidia-graphics-drivers-470, and systemd).


  • Rosenzweig: Reverse-engineering the Mali G78
    Alyssa Rosenzweig goes into the details of the reverse-engineering of the Mali "Valhall" GPU instruction set. Valhall linearizes Bifrost, removing the Very Long Instruction Word mechanisms of its predecessors. Valhall replaces the compiler’s static scheduling with hardware dynamic scheduling, trading additional control hardware for higher average performance. That means padding with “no operation” instructions is no longer required, which may decrease code size, promising better instruction cache use.
    A document describing the instruction set has been released, along with an assembler and disassembler.


  • [$] Tor gets financial support for Arti development
    There is a lot of buzz around the Rust programming language these days—which strikes some folks as irritating, ridiculous, or both. But the idea of a low-level language that can replace C, with fewer built-in security pitfalls, is attractive for any number of projects. Recently, the Tor Project announced the Arti project as a complete Rust rewrite of Tor's core protocols, which provide internet privacy and anonymity. In addition, Tor announced that Arti received a grant to support its development over the next year or so.



LXer Linux News

  • Using Pacman on Arch Linux and Manjaro
    In this guide, you’ll learn how to use pacman on Arch Linux, Manjaro, and other distros based on Arch. Read on to master pacman with commands to install packages, remove packages, update the system, etc.



  • How to install and use ClamAV on Ubuntu 20.04
    ClamAV is an open-source and free antivirus software toolkit able to detect many types of malicious software, including viruses, trojans, malware, adware, rootkits and other malicious threats. In the following tutorial, you will learn how to configure ClamAV on Ubuntu 20.04 LTS. The same principle will work for the newer version Ubuntu 21.04 (Hirsute Hippo).



  • How to Fix yay: error while loading shared libraries: libalpm.so.12
    If you have been running Arch Linux on a system for a long time, things can break due to its rolling-release nature combined with your hardware support. If you use the AUR helper yay, it can sometimes break after several installations or upgrades of other packages. This quick guide helps you fix the yay error "error while loading shared libraries: libalpm.so.12".



  • Assembly of Python External C++ procedure returning the vector of strings objects
    This post is an immediate follow-up to the most recent post at Lxer.com regarding the return of one string. Consider the task already treated with a 2D vector and dumping the content of the vector to a disk file. This approach allows us to solve the same task by straightforwardly returning a vector of strings from a C++ procedure to a Python module.


  • How to Install and use Maldet on Ubuntu 20.04
    Linux Malware Detect (LMD), also known as Maldet, is a malware scanner for Linux released under the GNU GPLv2 license. In the following tutorial, you will learn how to configure Maldet on Ubuntu 20.04 LTS. The same principle will work for the newer version Ubuntu 21.04 (Hirsute Hippo).


  • How To Setup Backup Server Using Rsnapshot In Linux
    Rsnapshot is a filesystem snapshot utility based on rsync for Linux and Unix-like operating systems. It allows you to easily create periodic snapshots of local machines, and of remote machines over ssh. This guide explains what Rsnapshot is, how to install Rsnapshot in Linux, and how to set up a backup server using Rsnapshot in Linux.


  • 5 useful ways to manage Kubernetes with kubectl
    Kubernetes is software to help you run lots of containers in an organized way. Aside from providing tools to manage (or orchestrate) the containers you run, Kubernetes also helps those containers scale out as needed. With Kubernetes as your central control panel (or control plane), you need a way to manage Kubernetes, and the tool for that job is kubectl. The kubectl command lets you control, maintain, analyze, and troubleshoot Kubernetes clusters.



Slashdot

  • Colonial Pipeline Sued by Customers Affected by Its Ransomware Incident
    The owner of the EZ Mart gas station is suing Colonial Pipeline, accusing it of lax security, reports the Washington Post: He and his lawyers are hoping to also represent the hundreds of other small gas stations that were hurt by the hack. It's just one of several class-action lawsuits that are popping up in the wake of high-profile ransomware attacks. Another lawsuit filed against Colonial in Georgia in May seeks to get damages for regular consumers who had to pay higher gas prices. A third is in the works, with law firm Chimicles Schwartz Kriner & Donaldson-Smith LLP seeking to mount a similar effort.   Colonial isn't the only company that's been targeted. Another suit was launched in June against the San Diego based hospital system Scripps Health after it was hit by a ransomware attack...   In the case of Colonial Pipeline, hundreds of gas stations were shut down, leading to huge lines of cars waiting for what little fuel remained. The rise in suits may mean companies and organizations that are hacked are no longer just on the hook for reimbursing people who had their data stolen. They could now be liable for all kinds of damages that go well beyond a heightened risk of identity theft or credit card fraud...  The potential for lawsuits will keep growing as ransomware attacks do. And if lawyers can reasonably show that a company made some kind of mistake in protecting its system, victims will have an avenue to sue.
          

    Read more of this story at Slashdot.


  • SANS Institute Hopes to Find New Cybersecurity Talent With a Game
    storagedude writes: Alan Paller, founder of the cybersecurity training SANS Technology Institute, has launched an initiative aimed at finding and developing cybersecurity talent at the community college and high school level — through a game developed by their CTO James Lyne. A similar game was already the basis of a UK government program that has reached 250,000 students, and Paller hopes the U.S. will adopt a similar model to help ease the chronic shortage of cybersecurity talent. And Paller's own Cyber Talent Institute (or CTI) has already reached 29,000 students, largely through state-level partnerships.   But playing the game isn't the same as becoming a career-ready cybersecurity pro. By tapping high schools and community colleges, the group hopes to "discover and train a diverse new generation of 25,000 cyber stars by the year 2025," Paller told eSecurity Planet. "SANS is an organization that finds people who are already in the field and makes them better. What CTI is doing is going down a step in the pipeline, to the students, to find the talent earlier, so that we don't lose them. Because the way the education system works, only a few people seem to go into cybersecurity. We wanted to change that.   "You did an article earlier this month about looking in different places for talent, looking for people who are already working. That's the purpose of CTI. To reach out to students. It's to go beyond the pipeline that we automatically come into cybersecurity through math, computer science, and networking and open the funnel much wider. Find people who have not already found technology, but who have three characteristics that seem to make superstars — tenacity, curiosity, and love of learning new things. They don't mind being faced with new problems. They like them. And what the game does is find those people. So CTI is just moving to earlier in the pipeline."
          



  • RNA Breakthrough Creates High-Yield, Drought-Tolerant Rice, Potatoes
    "Thanks to a breakthrough in RNA manipulation, crop scientists have developed new potato and rice varieties with higher yields and increased drought tolerance," reports UPI:  By inserting a gene responsible for production of a protein called FTO, scientists produced bigger rice and potato plants with more expansive root systems. In experiments, the plants' longer roots improved their drought resistance.  Test results — detailed Thursday in the journal Nature Biotechnology — showed the RNA-manipulated plants also improved their rate of photosynthesis, boost yields by as much as 50 percent...  In the lab, the manipulated rice plants grew at three times their normal rate. In the field, the rice plants increased their mass by 50 percent. They also sprouted longer roots, increased their photosynthesis rate and produced larger yields. When they repeated the experiments with potato plants, the researchers got similar results, suggesting the new gene manipulation method could be used to bolster a variety of crops.   The researchers hope this could help crops survive climate change, and even prevent forests from being cleared for food production, according to the article. And one of the study's co-authors adds "This really provides the possibility of engineering plants to potentially improve the ecosystem as global warming proceeds."
          



  • Virtual Comic-Con Includes Trailers For 'Blade Runner' Series, 'Dune' Movie - and NASA Panels
    Comic-Con went virtual again in 2020. (San Diego businesses will miss the chance to profit from the 100,000 visitors the convention usually attracted.) And NPR reports the convention has gotten smaller in other ways: Both Marvel Studios and DC are staying away; as it did last year, DC is again directing its resources towards its own event, DC FanDome, set for mid-October. But fans of shows like Doctor Who, Dexter and Comic-Con stalwart The Walking Dead will have lots to look forward to.   Rotten Tomatoes and The Verge have gathered up the trailers that did premiere. Some of the highlights:  Blade Runner: Black Lotus, an upcoming anime television series set to premiere in late 2021 on Crunchyroll and Adult Swim (co-producing it with Alcon Television Group). The upcoming remake of Dune. J.J. Abrams' new four-part Showtime documentary about UFOs. Season 2 of Star Trek: Lower Decks and the new Star Trek: Prodigy, a CGI-animated series about a group of aliens who escape captivity onboard the Enterprise. But interestingly, one of the more visible presenters was: NASA. Current and former NASA officials made appearances on several different panels, according to Space.com, including one on modern space law, U.N. treaty-making, and how it all stacks up against the portrayal we get in our various future-space franchises. And NASA also touted its virtual simulation platform Ed-Tech, "where students can have access to the same tools that professionals use and in the case of space are given the opportunity to solve real problems related to missions to our Moon, Mars, and beyond... from piloting to terra-forming to creating habitats and spacecraft."   There was also a panel of four NASA engineers titled "No Tow Trucks Beyond Mars," on "how we go boldly where there's no one around to fix it. Hear stories from the trenches of the heartbreaks, close calls, and adventures of real-life landing (and flying!) on Mars and our round-table discussion of what Netflix got right in their movie Stowaway."   Sunday's panels will include an astronomer, an astrobiologist, and a geologist/paleontologist discussing "The Science of Star Wars" with the concept designer for Star Wars episodes 7-9, Rogue One, and Solo.
          



  • 'Nuclear Power's Reliability is Dropping as Extreme Weather Increases'
    A comprehensive new analysis published in Nature "calculates that the frequency of climate-related nuclear plant outages is almost eight times higher than it was in the 1990s," reports Ars Technica.   "The analysis also estimates that the global nuclear fleet will lose up to 1.4 percent — about 36 TWh — of its energy production in the next 40 years and up to 2.4 percent, or 61 TWh, by 2081-2100."  The author analyzed publicly available databases from the International Atomic Energy Agency to identify all climate-linked shutdowns (partial and complete) of the world's 408 operational reactors. Unplanned outages are generally very well documented, and available data made it possible to calculate trends in the frequency of outages that were linked to environmental causes over the past 30 years. The author also used more detailed data from the last decade (2010-2019) to provide one of the first analyses of which types of climate events have had the most impact on nuclear power.   While the paper doesn't directly link the reported events to climate change, the findings do show an overall increase in the number of outages due to a range of climate events. The two main categories of climate disruptions broke down into thermal disruptions (heat, drought, and wildfire) and storms (including hurricanes, typhoons, lightning, and flooding). In the case of heat and drought, the main problem is the lack of cool-enough water — or in the case of drought, enough water at all — to cool the reactor. However, there were also a number of outages due to ecological responses to warmer weather; for example, larger than usual jellyfish populations have blocked the intake pipes on some reactors. Storms and wildfires, on the other hand, caused a range of problems, including structural damage, precautionary preemptive shutdowns, reduced operations, and employee evacuations. 
In the timeframe of 2010 to 2019, the leading causes of outages were hurricanes and typhoons in most parts of the world, although heat was still the leading factor in Western Europe (France in particular). While these represented the most frequent causes, the analysis also showed that droughts were the source of the longest disruptions and thus the largest power losses.   The author calculated that the average frequency of climate-linked outages went from 0.2 outages per year in the 1990s to 1.5 outages in the timeframe of 2010 to 2019. A retrospective analysis further showed that, for every 1 degree C rise in temperature (above the average temperature between 1951 and 1980), the energy output of the global fleet fell about 0.5 percent.
          



  • Does the Open Source Movement Need to Evolve?
    A cloud company's CTO argues on CTO that the "hypocrite commits" controversy "is symptomatic, on every side, of related trends that threaten the entire extended open-source ecosystem and its users."  That ecosystem has long wrestled with problems of scale, complexity and free and open-source software's (FOSS) increasingly critical importance to every kind of human undertaking. Let's look at that complex of problems:   - The biggest open-source projects now present big targets.  - Their complexity and pace have grown beyond the scale where traditional "commons" approaches or even more evolved governance models can cope.  - They are evolving to commodify each other. For example, it's becoming increasingly hard to state, categorically, whether "Linux" or "Kubernetes" should be treated as the "operating system" for distributed applications. For-profit organizations have taken note of this and have begun reorganizing around "full-stack" portfolios and narratives.  - In so doing, some for-profit organizations have begun distorting traditional patterns of FOSS participation. Many experiments are underway. Meanwhile, funding, headcount commitments to FOSS and other metrics seem in decline.  - OSS projects and ecosystems are adapting in diverse ways, sometimes making it difficult for for-profit organizations to feel at home or see benefit from participation.  Meanwhile, the threat landscape keeps evolving:   - Attackers are bigger, smarter, faster and more patient, leading to long games, supply-chain subversion and so on.  - Attacks are more financially, economically and politically profitable than ever.  - Users are more vulnerable, exposed to more vectors than ever before.  - The increasing use of public clouds creates new layers of technical and organizational monocultures that may enable and justify attacks.  
- Complex commercial off-the-shelf solutions assembled partly or wholly from open-source software create elaborate attack surfaces whose components (and interactions) are accessible and well understood by bad actors.  - Software componentization enables new kinds of supply-chain attacks. Meanwhile, all this is happening as organizations seek to shed nonstrategic expertise, shift capital expenditures to operating expenses and evolve to depend on cloud vendors and other entities to do the hard work of security. The net result is that projects of the scale and utter criticality of the Linux kernel aren't prepared to contend with game-changing, hyperscale threat models.   Among other things, the article ultimately calls for a reevaluation of project governance/organization and funding "with an eye toward mitigating complete reliance on the human factor, as well as incentivizing for-profit companies to contribute their expertise and other resources." (With whatever culture changes this may require.) It also suggests "simplifying the stack" (and verifying its components), while pushing "appropriate" responsibility for security up to the application layer.  Slashdot reader joshuark argues this would be not so much the end of Open Source as "more turning the page to the next chapter in open-source: the issues of contributing, reviewing, and integrating into an open-source code base."
          



  • Amazon Wants Apartment Buildings to Install a 'Key' System that Lets Them Enter the Lobby
    "Amazon is tired of ringing doorbells," reports the Associated Press. "The online shopping giant is pushing landlords around the country — sometimes with financial incentives — to give its drivers the ability to unlock apartment-building doors themselves with a mobile device."  The service, dubbed Key for Business, is pitched as a way to cut down on stolen packages by making it easy to leave them in lobbies and not outside. Amazon benefits because it enables delivery workers to make their rounds faster. And fewer stolen packages reduce costs and could give Amazon an edge over competitors. Those who have installed the device say it reduces the constant buzzing by delivery people and is a safer alternative to giving out codes to scores of delivery people.   But the Amazon program, first announced in 2018, may stir security and privacy concerns as it gains traction. The company said that it does background checks on delivery people and that they can unlock doors only when they have a package in hand to scan. But tenants may not know that Amazon drivers have access to their building's front doors, since Amazon leaves it up to the building to notify them...   Amazon didn't respond to questions about potential hacking. The company has already installed the device in thousands of U.S. apartment buildings but declined to give a specific number... Amazon salespeople have been fanning out to cities across the country to knock on doors, make cold calls or approach building managers on the street to urge them to install the device. The company has even partnered with local locksmiths to push it on building managers while they fix locks. Amazon installs the device for free and sometimes throws in a $100 Amazon gift card to whoever lets them in.
          



  • Church Official Exposed Through America's 'Vast and Largely Unregulated Data-Harvesting'
    The New York Times' On Tech newsletter shares a thought-provoking story:  This week, a top official in the Roman Catholic Church's American hierarchy resigned after a news site said that it had data from his cellphone that appeared to show the administrator using the L.G.B.T.Q. dating app Grindr and regularly going to gay bars. Journalists had access to data on the movements and digital trails of his mobile phone for parts of three years and were able to retrace where he went.   I know that people will have complex feelings about this matter. Some of you may believe that it's acceptable to use any means necessary to determine when a public figure is breaking his promises, including when it's a priest who may have broken his vow of celibacy. To me, though, this isn't about one man. This is about a structural failure that allows real-time data on Americans' movements to exist in the first place and to be used without our knowledge or true consent. This case shows the tangible consequences of practices by America's vast and largely unregulated data-harvesting industries. The reality in the United States is that there are few legal or other restrictions to prevent companies from compiling the precise locations of where we roam and selling that information to anyone.   This data is in the hands of companies that we deal with daily, like Facebook and Google, and also with information-for-hire middlemen that we never directly interact with. This data is often packaged in bulk and is anonymous in theory, but it can often be traced back to individuals, as the tale of the Catholic official shows...   Losing control of our data was not inevitable. It was a choice — or rather a failure over years by individuals, governments and corporations to think through the consequences of the digital age.   We can now choose a different path.   
"Data brokers are the problem," writes the EFF, arguing that the incident "shows once again how easy it is for anyone to take advantage of data brokers' stores to cause real harm." This is not the first time Grindr has been in the spotlight for sharing user information with third-party data brokers... But Grindr is just one of countless apps engaging in this exact kind of data sharing. The real problem is the many data brokers and ad tech companies that amass and sell this sensitive data without anything resembling real users' consent.   Apps and data brokers claim they are only sharing so-called "anonymized" data. But that's simply not possible. Data brokers sell rich profiles with more than enough information to link sensitive data to real people, even if the brokers don't include a legal name. In particular, there's no such thing as "anonymous" location data. Data points like one's home or workplace are identifiers themselves, and a malicious observer can connect movements to these and other destinations. Another piece of the puzzle is the ad ID, another so-called "anonymous" label that identifies a device. Apps share ad IDs with third parties, and an entire industry of "identity resolution" companies can readily link ad IDs to real people at scale.    All of this underlines just how harmful a collection of mundane-seeming data points can become in the wrong hands... That's why the U.S. needs comprehensive data privacy regulation more than ever. This kind of abuse is not inevitable, and it must not become the norm.
          



  • Three Die After Untreatable 'Superbug' Fungus Infections in Two Different Cities
    "U.S. health officials said Thursday they now have evidence of an untreatable fungus spreading in two hospitals and a nursing home," reports the Associated Press:  The "superbug" outbreaks were reported in a Washington, D.C, nursing home and at two Dallas-area hospitals, the Centers for Disease Control and Prevention reported. A handful of the patients had invasive fungal infections that were impervious to all three major classes of medications. "This is really the first time we've started seeing clustering of resistance" in which patients seemed to be getting the infections from each other, said the CDC's Dr. Meghan Lyman...    Health officials have sounded alarms for years about the superbug after seeing infections in which commonly used drugs had little effect. In 2019, doctors diagnosed three cases in New York that were also resistant to a class of drugs, called echinocandins, that were considered a last line of defense. In those cases, there was no evidence the infections had spread from patient to patient — scientists concluded the resistance to the drugs formed during treatment. The new cases did spread, the CDC concluded....  Those cases were seen from January to April. Of the five people who were fully resistant to treatment, three died — both Texas patients and one in Washington.   Lyman said both are ongoing outbreaks and that additional infections have been identified since April. But those added numbers were not reported.    The fungus, Candida auris, "is a harmful form of yeast that is considered dangerous to hospital and nursing home patients with serious medical problems," they add — and it's spread through contaminated surfaces or contact with patients.   Newsweek points out that while it's only recently appeared in America, "infections have occurred in over 30 countries worldwide."
          



  • Kaspersky Warns Fake Windows 11 Installers Are Spreading Malware
    Long-time Slashdot reader Ammalgam writes: If you're planning to install Windows 11, you should make sure you download it from official sources. This is because people who are using pirated or fake methods to get Windows 11 are also downloading malware along with it, according to Kaspersky. The particular file referenced is called 86307_windows 11 build 21996.1 x64 + activator.exe. While it sounds like it includes Windows 11 build 21996.1 and an installer that will automatically activate Windows for you, there are some red flags. First, it's only 1.75GB, so while people who want to install Windows 11 might think that's a large file that could be Windows, a real Windows 11 ISO is about 4.87GB...   "The 1.75 GB file looks legitimate. But most of this space consists of one DLL file that contains a lot of useless information," explains Mint.   And Kaspersky adds that "it even comes with a license agreement (which few people read) calling it a 'download manager for 86307_windows 11 build 21996.1 x64 + activator' and noting that it would also install some sponsored software. If you accept the agreement, a variety of malicious programs will be installed on your machine."
          



The Register









  • Anyone fancy a Snowmobile full of Bags O'Crap? It'll be on the list somewhere
    Reg reader reveals colossal 821-item collection of Amazon trademarks tucked away on its site
    Recently, a Reg reader* contacted us at Vulture (virtual) Towers with something odd they'd found online – a page tucked away in the little-visited “Legal Policies” section of Amazon's website containing a "non-exhaustive" list of all the trademarks held by the company.…




Linux.com offline for now

Phoronix

  • Ubuntu vs. Arch Linux On The ASUS ROG Strix G15 / Ryzen 9 5900HX
    This past week were the initial Linux benchmarks of the Ryzen 9 5900HX with the ASUS ROG Strix G15 laptop. Ubuntu was used as the default test platform as usual given its popularity and arguably the most relevant Linux distribution to use given that it's the most common Linux distribution at the moment for preloads on laptops by multiple vendors. In any case, as usual many users were quick to say "but Arch Linux!" as if it was going to make a dramatic difference in my findings. Well, here are some Ubuntu 21.04 versus Arch Linux benchmarks on that AMD Advantage laptop.



  • Loongson 3A5000 Benchmarks For These New Chinese CPUs Built On The LoongArch ISA
    While Loongson has been known for their MIPS-based Loongson chips that are open-source friendly and have long been based on MIPS, with MIPS now being a dead-end, the Chinese company has begun producing chips using its own "LoongArch" ISA. The first Loongson 3A5000 series hardware was just announced and thanks to the company apparently using the Phoronix Test Suite and OpenBenchmarking.org we have some initial numbers...







  • Trying Out The "Folios" Patches On An AMD Linux Server
    One of the low-level exciting kernel advancements being worked on at the moment is the new "folios" struct for improving Linux memory management. Tests by those involved found that in some conditions Linux kernel builds for example could be up to 7% faster. Given the recent folios v14 patches being published, I took them for a spin on an AMD EPYC server to see the impact on overall performance...


  • Ubuntu Touch Planning Path For VoLTE/4G Support
    In addition to still working on moving from Ubuntu 16.04 to 20.04 LTS for its base, Ubuntu Touch has also begun engaging in another important project: supporting Voice over LTE (VoLTE) with Ubuntu Touch...



Engadget

  • Las Vegas police solve an old murder case using record-low volume of DNA
    Las Vegas police appear to have smashed a record while using ancestry to find cold case suspects. BBC News reports that Vegas law enforcement claims to have solved the 1989 murder of 14-year-old Stephanie Isaacson (pictured here) using the smallest known volume of DNA. Investigators sent just 0.12 nanograms of DNA samples, or about 15 cells, to Othram's gene sequencing lab to help find a match. For context, a typical home DNA testing kit collects at least 750 nanograms.

    Othram used the sequences to comb through ancestry databases and pinpoint the suspect's cousin and identify Darren Roy Marchand as the culprit. The team confirmed the match by comparing the sample against Marchand's DNA from an arrest for a 1986 murder case. Marchand was never convicted and died in 1995.

    Vegas police launched the investigation after resident Justin Woo donated money to help law enforcement solve cases using "minimal" DNA levels. The investigation at Othram started on January 19th, but it wasn't until July 12th that the company identified a suspect.

    Othram chief David Mittlemen characterized the effort as a "huge milestone" in a discussion with the BBC. This could theoretically solve cold cases where the samples were previously thought too small to be usable.

    The breakthrough won't necessarily thrill everyone, however. There have been concerns that law enforcement might violate privacy when conducting these tests, and the Justice Department has established guidelines precisely to prevent those kinds of abuses. While there's no indication Vegas authorities crossed boundaries in the Richardson case, a much larger range of potentially solvable cases also widens the potential for more privacy violations.


  • WhatsApp says NSO spyware was used to attack officials working for US allies
    The NSO Group has denied that its spyware was used to compromise many politicians' phones, but WhatsApp is telling a different story. The chat giant's CEO, Will Cathcart, told The Guardian in an interview that governments allegedly used NSO's Pegasus software to attack senior government officials worldwide in 2019, including high-ranking national security officials who were US allies. The breaches were reportedly part of a larger campaign that compromised 1,400 WhatsApp users in two weeks, prompting a lawsuit.

    The reporting on the NSO "matches" with findings from the 2019 attack on WhatsApp, Cathcart said. Human rights activists and journalists were also believed to be victims.

    The executive was responding to allegations that governments used Pegasus to hack phones for 37 people, including those of women close to murdered Saudi journalist Jamal Khashoggi. Those targets were also on a 2016 list of over 50,000 phone numbers that included activists, journalists and politicians, although it's not clear that anyone beyond the 37 fell prey to attacks.

    NSO has strongly rejected claims about the hacks and the list, insisting that there's "no factual basis" and that the list was too large to be focused solely on potential Pegasus targets. It also directly challenged Cathcart, asking if the WhatsApp exec had "other alternatives" to its tools that would help thwart "pedophiles, terrorists and criminals" using encrypted software.

    Cathcart, however, didn't buy that explanation — he pointed to the 1,400 people as possible evidence that the number of targets was "very high." Whatever the truth, it's safe to say WhatsApp won't shy away from its lawsuit (or a war of words) any time soon.


  • GM sues Ford over the name of its hands-free driving feature
    Ford might be excited about its BlueCruise hands-free driving tech, but GM is less than thrilled about it. The Super Cruise feature and its autonomy-focused Cruise company.

    GM was holding mediated talks with Ford to reach a "good-faith" arrangement, according to DFP sources. The two sides reportedly didn't make a deal before a July 24th deadline, however, prompting the lawsuit. A GM spokesperson said the company had "no choice" but to sue Ford after trying to resolve the dispute "amicably."

    Ford's representative, meanwhile, argued that GM's lawsuit was "meritless and frivolous." People understood that "cruise" was short for cruise control, Ford said, and BlueCruise was ultimately the "next evolution" of its Intelligent Adaptive Cruise Control feature. The automaker added that GM didn't seem to have issues with other brands' naming schemes, such as BMW's Active Cruise Control and Hyundai's Smart Cruise Control.

    The attention to Ford isn't surprising. Both companies see hands-free driving as a major selling point for their cars, with full self-driving a long-term goal. It's also no secret that the two Detroit brands have been fierce rivals for a long time — neither Ford nor GM will want to cede ground, at least not quickly. We wouldn't be surprised if the lawsuit ends with a settlement, but not before the companies have traded some verbal jabs.


  • Oculus makes it easier to create mixed reality apps
    Expect to see more mixed reality apps in the future, at least for the Oculus Quest 2. WinFuture notes that Oculus has unveiled a toolkit, Passthrough API Experimental, that will make it relatively easy to "seamlessly" merge VR with the real world view from the Quest 2's cameras.

    You can project images on flat surfaces, create composite layers that float in space, and even apply visual styles (akin to social media filters) to real scenes. You could give yourself a virtual monitor to use with your real-world keyboard, for instance, or turn your home into a psychedelic dreamscape by flicking a virtual switch.

    Privacy shouldn't be an issue, Oculus claimed. The API only processes raw camera footage on-device, and apps can't access, store or view imagery of the world around you. A rogue app shouldn't transmit video of your home, to put it another way.

    Oculus expects to deliver the framework to Unity engine developers with its next software development kit release. It will take a while for finished apps to surface, but don't be surprised if mixed reality games and productivity tools become relatively commonplace as a result of Oculus' new tools.


  • Audi hopes its off-road hybrid will win the 2022 Dakar Rally
    The Volkswagen group's desire to crush records with electrified cars now extends to one of the world's toughest off-road challenges. Autoblog reports that Audi has started testing the RS Q E-Tron, a from-scratch hybrid off-roader it hopes will score overall victory in the 2022 Dakar Rally. If so, it would be the first electrified vehicle to win the gruelling competition.

    The RS Q E-Tron relies on an electric drivetrain with two modified Formula E motors, one at each axle. As you won't find a charging station in the middle of the desert, however, Audi uses a race-ready TFSI engine as part of an energy converter that charges the battery while driving and braking. This isn't a zero-emissions car, then, but it stays in a relatively efficient power band (between 4,500RPM and 6,000RPM) that should reduce the racer's environmental impact.

    The machine should be highly adaptable, too. Unlike many EVs, the front and rear axles aren't mechanically connected — software handles torque distribution instead. That not only allows for an easily reconfigurable center differential, but saves the bulk that would normally be used for a conventional differential and propshaft.

    Audi plans to enter the machine into multiple cross-country rallies in 2021 before participating in the Dakar Rally in January.

    If Audi is successful, the RS Q E-Tron will make a stronger case for eco-friendly endurance racing. While not a pure EV, it will handle extremely long stages (up to 500 miles) with a significantly reduced emissions footprint. It also won't surprise you to hear that Audi wants more than just bragging rights. It expects lessons learned from the car to reach production cars. We wouldn't count on something with a similar drivetrain when the VW group is transitioning to EVs, but it's easy to imagine electric SUVs and crossovers that are better-suited to off-roading.


  • Hitting the Books: Digital youth activism can help save America from itself
    Social media routinely proves itself a cesspool of racist, bigoted and toxic opinions — and that's just coming from the adults. But for the younger generations that have never lived in an unconnected world, these seemingly unnavigable platforms have proven to be a uniquely potent tool for organizing and empowering themselves to change the real world around them. In Digital For Good: Raising Kids to Thrive in an Online World by Richard Culatta. Copyright 2021 Harvard Business School Publishing Corporation. All rights reserved.


    Young Voices Matter

    The first step for creating engaged digital citizens is making sure we’re teaching young people that their contributions and opinions matter. I think deep down we all believe this and want it to be true. But there are many elements of our society that are set up to communicate the opposite message. Much of school is designed in a way that tells our kids that they are to apply the skills they are learning some day in their hypothetical future, not now. They are taught to learn math because they will need it to get into college. They are taught to write because it will be an important skill when they get a job. In history, the people they learn about are always adults, not kids. They have little choice or control over the learning experience itself; they are handed a schedule, given assignments (that they didn’t have any input in designing), and told to complete by a date that they didn’t choose. The message that young voices don’t matter is reinforced by the fact that they can’t vote until they are eighteen. One of the most important tenets of democracy is the idea that everyone has a voice. We teach that to our children, yet we offer very few ways to actually use that voice before they’re no longer kids. Fortunately, the digital world gives a wide set of tools that can help change that narrative. These tools allow youth to have a voice and learn how to make a meaningful impact on their community, family, and in some cases, the world as a whole—right now, not decades down the road. 

    Just Some Students from Florida

    In February 2018, Marjory Stoneman High School in Parkland, Florida, was in the news worldwide when nineteen-year-old Nikolas Cruz entered the school with a semiautomatic rifle, killing seventeen people and injuring seventeen others. This horrific event became one of the deadliest school shootings in US history. Yet there was a unique ending to this tragic story that set it apart for another reason. In other school shootings, traditional news media and political leaders quickly shape the national conversation around the event. A narrative emerges around what actually happened, with speculation about the causes, who is to blame, and the political responses to justify action (or lack thereof). But in the case of Parkland, it was the students who shaped the national conversation. Frustrated about viewpoints and conclusions from adults that they did not share or agree with, they used their access to social media to reset and redirect the conversation into what has now become one of the most powerful examples of youth engagement ever seen. Within a week of the shooting, the students had appeared on nearly every major news program and had raised more than $3 million in donations to support their cause. Emma Gonzáles, one of the most recognizable faces of the movement, has over 1.5 million Twitter followers—about twice as many as the National Rifle Association. 

    Not long after the shooting, I met Diane Wolk-Rogers, a history teacher at Stoneman High School. As she explained, nobody could have prepared these students for the horror they faced on that day. But they had been prepared to know how to use technology to make their voices heard. Wolk-Rogers says, “They are armed with incredible communication skills and a sense of citizenship that I find so inspiring.” So when it was time to act, they knew the tools of the trade. 

    Engaged digital citizens know how to use technology to identify and propose solutions and promote action around causes that are important to them and their communities. Micro-activism is a term used to describe small-scale efforts that, when combined, can bring about significant change. While young people might not be able to vote or run for office, they have a whole range of micro-activism opportunities—all made possible by their participation in the digital world. For youth who have access to social media, micro-activism can be as simple as using their digital platforms to call awareness to issues that matter to them—eradicating racism, protecting our planet, or funding their school, and so on. Most states have a function on their website to submit ideas or feedback directly to the office of the governor. Through sites like Change.org anyone, regardless of age, can submit suggestions to political leaders or private sector entities. You can also add your name in support of other petitions that are gaining momentum. There are many compelling stories of youth who have used Change.org to call attention to issues that matter to them. Examples include a ten-year-old who used the platform to convince Jamba Juice to switch from Styrofoam cups to a more environmentally friendly alternative. Or a seventh grader who used Change.org to successfully petition the Motion Picture Association to change the rating on a movie about school bullying so students in her junior high would be allowed to see it.

    Not all acts of micro-activism will immediately result in a desired change. But regardless of the outcome, learning how to impact community issues using digital tools is an important skill to develop in and of itself. The ability to motivate others to act for good in a virtual space will be a significant (if not the significant) determining factor in the effectiveness of future civic leaders. Young people need to practice using tech to make a difference now, if they are going to be prepared to lead our society when they grow up. 


  • Apple Watch Series 6 Product Red drops to $265 at Amazon
    Now might be a good time to buy the Apple Watch Series 6 — at least, if you're fond of red. Amazon is selling the 40mm Product Red edition of the Apple smartwatch for just $265 at checkout, well below the official $399 price. That's lower than the price we saw in April, and makes it more affordable than a brand-new Apple Watch SE. Unless you find a huge sale for the SE, this is clearly the better buy.

    Buy Apple Watch Series 6 at Amazon - $265

    The Series 6 is ultimately a subtle evolution of the Series 5, but that's not a bad thing. The always-on display is still very helpful, and on Series 6 is brighter to help you see it during outdoor expeditions. It's slightly faster, lasts slightly longer on battery and charges quickly. We'd add that the Apple Watch remains the go-to wristwear for iPhone users between the tight integration, deep app ecosystem and wide range of bands and accessories.

    Timing is the main concern at this point. It's no secret that the Series 6 is nearly a year old, and Series 7 is likely just a couple of months away. If money isn't your main concern, it might be worth waiting for the updated hardware. With that said, the Series 7 likely won't see discounts like this for a long while — the Series 6 is still a good value if you either can't afford to wait or just want a full-featured Apple Watch at the lowest possible price.

    Follow @EngadgetDeals on Twitter for the latest tech deals and buying advice.



  • 'Blade Runner: Black Lotus' anime trailer reveals a replicant on the run
    Adult Swim and Crunchyroll have released the first trailer for Blade Runner: Black Lotus, the anime series they're co-producing, at San Diego Comic-Con this year. The show is set in Los Angeles in the year 2032, putting its events in between the original Harrison Ford movie set in 2019 and the sequel film starring Ryan Gosling set in 2049. It features a new replicant named Elle known as the "Black Lotus," who was created with special powers. She seems to have escaped from her creators, and is currently being hunted down by authorities.

    In the action-packed trailer, you'll see Elle take down foe after foe — she goes from not knowing how she's able to knock a handful of men completely out cold to wielding a katana — in a backdrop of smoke, fog and neon lights. Elle is voiced by Jessica Henwick (Iron Fist) in the English version and Arisa Shida in the Japanese version. The show will run for 13 episodes, which will be directed by Shinji Aramaki (Ultraman, Ghost in the Shell: SAC 2045) and Kenji Kamiyama (Ghost in the Shell: Stand Alone Complex, SAC_2045). It's produced by Alcon Entertainment and animation studio Sola Digital Arts, with Shinichiro Watanabe (Cowboy Bebop) serving as a creative producer.

    When Blade Runner: Black Lotus debuts this fall, you can watch it in English on Adult Swim and in Japanese on Crunchyroll.



  • SpaceX will launch NASA's Europa Clipper mission to Jupiter's moon
    A SpaceX Falcon Heavy rocket will be launching NASA's long-awaited mission to Europa, Jupiter's icy moon that may have the conditions to support life. The agency has been planning to send a probe to the Jovian moon for years and finalized its plans in 2019. In its announcement, NASA said the Europa Clipper spacecraft is scheduled to launch in October 2024 on top of a Falcon Heavy rocket from Kennedy Space Center's Launch Complex 39A. It has also revealed that the contract will cost the agency approximately $178 million — a bargain, compared to what it would've cost to launch the mission on top of NASA's Space Launch System rocket.

    As estimated a single SLS launch to cost a whopping $2 billion. Far from ideal, especially since the SLS would need gravity assist from Venus and travel farther to be able to reach its goal, whereas the Falcon Heavy wouldn't. In addition, NASA told Ars that the SLS would need $1 billion worth of additional modifications to be able to complete the mission.

    If Europa Clipper launches in October 2024 as planned, it will reach Jupiter's orbit in April 2030. The probe will then investigate whether the icy moon truly has conditions suitable for life. It'll capture "high-resolution images of Europa's surface, determine its composition, look for signs of recent or ongoing geological activity, measure the thickness of the moon's icy shell, search for subsurface lakes, and determine the depth and salinity of Europa's ocean."


OSnews

  • Loongson 3A5000 benchmarks for these new Chinese CPUs built on the LoongArch ISA
    While Loongson has been known for their MIPS-based Loongson chips that are open-source friendly and have long been based on MIPS, with MIPS now being a dead-end, the Chinese company has begun producing chips using its own "LoongArch" ISA. The first Loongson 3A5000 series hardware was just announced and thanks to the company apparently using the Phoronix Test Suite and OpenBenchmarking.org we have some initial numbers. Announced this week was the Loongson 3A5000 as their first LoongArch ISA chip that is quad-core with clock speeds up to 2.3~2.5GHz. Loongson 3A5000 offers a reported 50% performance boost over their prior MIPS-based chips while consuming less power and now also supporting DDR4-3200 memory. The Loongson 3A5000 series is intended for domestic Chinese PCs without relying on foreign IP and there is also the 3A5000LL processors intended for servers. Performance isn't even remotely interesting, for now. The Loongson processors will improve by leaps and bounds over the coming years, if only because it will have the backing of the regime. I hope some enterprising people import these to the west, because I'd love to see them in action. Nothing in technology excites me more than odd architectures.


  • Google will update very few devices to Wear OS 3
    Google has provided a few more details about the upcoming release of Wear OS 3, which combines Samsung's Tizen with Google's Wear OS. Sadly, but not unexpectedly, pretty much no existing Wear OS devices will be updated to Wear OS 3. Wear OS devices that will be eligible for upgrade include Mobvoi’s TicWatch Pro 3 GPS, TicWatch Pro 3 Cellular/LTE, TicWatch E3 and follow on TicWatch devices, as well as Fossil Group’s new generation of devices launching later this year. It would seem existing devices simply aren't powerful enough, so the four existing Wear OS users (I'm one of them) are shit out of luck.


  • Google messed up all those Chromebooks yesterday because of a single typo
    Google can't seem to catch a break when it comes to Chrome OS 91. First we saw many users reporting their devices using an egregious amount of CPU after upgrading to 91.0.4472.147. While Google pulled the update shortly thereafter and rolled everyone back to 91.0.4472.114, that managed to lock out Linux apps. Now we're seeing the arrival of 91.0.4772.165, and this update introduces an awful bug that's breaking Chromebooks left and right. So what happened? Thanks to the work of an eagle-eyed user on Reddit, we now know that a single typo appears responsible for locking so many users out of their Chromebooks. By looking at the diff in this file, we can see that Google forgot to add a second "&" to the conditional statement, preventing Chrome OS from decrypting your login information (required to log you in). This kind of sloppiness is what you get in an industry where there really aren't any consequences to speak of for screwing things up. It's not like software development is a real industry with strict product safety laws or anything.


  • California sues Activision Blizzard over a culture of ‘constant sexual harassment’
    California’s Department of Fair Employment and Housing (DFEH) says that renowned game publishing studio Blizzard Entertainment, and its owner Activision Blizzard, have created a culture of “constant sexual harassment” and gender-based discrimination, in a new lawsuit filed Tuesday that claims top executives were aware and/or involved. And in the hours since the suit was revealed, numerous women have already stepped forward to corroborate the allegations. The details are so disturbing that we’re going to start with a trigger warning right now. The idea that male employees held “cube crawls” is one of the tamer allegations in the lawsuit. This is by far the worst case of structural sexual abuse at a gaming company to date, and you really need to read the full complaint to understand just how criminal the behaviour of male Activision Blizzard employees and managers has been, but some of these examples should give you a good idea. It even led to the suicide of one of the female employees at the company. The abuse was so widespread, so pervasive, so depraved, and so institutionalised, that in my view, we're dealing with a criminal organisation that ought to be shut down and banned, much like any other criminal organisation. The fact this is a company (or a religious institution, for that matter) should be of no consequence. The complaint itself is the result not of a single employee or one particular case, but of a two year investigation by California’s Department of Fair Employment and Housing.


  • Plasma Mobile 21.07 released
    Plasma Mobile 21.07 has been released, with a ton of improvements and fixes. The shell is now more responsive, by improving performance of the panel. On top of that, there's countless fixes and improvements in the various applications, such as the podcasts application, the dialer, the SMS app, and more.


  • Reverse-engineering the Mali G78
    After a month of reverse-engineering, we’re excited to release documentation on the Valhall instruction set, available as a PDF. The findings are summarized in an XML architecture description for machine consumption. In tandem with the documentation, we’ve developed a Valhall assembler and disassembler as a reverse-engineering aid. Valhall is the fourth Arm Mali architecture and the fifth Mali instruction set. It is implemented in the Arm Mali-G78, the most recently released Mali hardware, and Valhall will continue to be implemented in Mali products yet to come. Excellent and important work.


  • Windows 11 is getting an LTSC version, but not yet
    When Windows 11 arrives this holiday season, there is going to be a ton of changes. It looks totally different, supports Android apps, and more. There are also changes coming to how Windows 11 is updated and how it’s supported, so just in case you were worried about it, you’ll be pleased to know that there will be a Windows 11 Long-Term Servicing Channel (LTSC) version. Good news for people not interested in Microsoft's update schedule.


  • From idea to icon: 50 years of the floppy disk
    Fifty years ago, IBM introduced the first-ever floppy disk drive, the IBM 23FD, and the first floppy disks. Floppies made punched cards obsolete, and its successors ruled software distribution for the next 20 years. Here’s a look at how and why the floppy disk became an icon. It's still amazing to me just how quickly they fell out of favour.


  • Revealed: leak uncovers global abuse of cyber-surveillance weapon
    Human rights activists, journalists and lawyers across the world have been targeted by authoritarian governments using hacking software sold by the Israeli surveillance company NSO Group, according to an investigation into a massive data leak. The investigation by the Guardian and 16 other media organisations suggests widespread and continuing abuse of NSO’s hacking spyware, Pegasus, which the company insists is only intended for use against criminals and terrorists. Pegasus is a malware that infects iPhones and Android devices to enable operators of the tool to extract messages, photos and emails, record calls and secretly activate microphones. Is anyone really surprised? Smartphones are the ideal tools for authoritarian regimes: cameras, microphones, GPS, and other sensors in one neat little package, always on the person, ready to be exploited. Of course criminal regimes are going to abuse them, and of course no smartphone is safe.


  • The perils of M1 ownership
    In the next few days those using M1 Macs will be updating to Big Sur 11.5, blissfully ignorant of how, as an admin user, their Mac could refuse to update. Because now, in addition to regular users, admin users and root, there’s another class of admin user: the Owner. Let me explain. Just something to be aware of.



Linux Journal - The Original Magazine of the Linux Community

  • SQLite Extraction of Oracle Tables Tools, Methods and Pitfalls
    by Charles Fisher
    Introduction
    The SQLite database is a wildly successful and ubiquitous software package that is mostly unknown to the larger IT community. Designed and coded by Dr. Richard Hipp, the third major revision of SQLite serves many users in market segments with critical requirements for software quality, which SQLite has met with compliance to the DO-178B avionics standard. In addition to a strong presence in aerospace and automotive, most major operating system vendors (including Oracle, Microsoft, Apple, Google, and RedHat) include SQLite as a core OS component.

    There are a few eccentricities that may trip up users from other RDBMS environments. SQLite is known as a “flexibly-typed” database, unlike Oracle which rigidly enforces columnar datatypes; character values can be inserted into SQLite columns that are declared integer without error (although check constraints can strengthen SQLite type rigidity, if desired). While many concurrent processes are allowed to read from a SQLite database, only one process is allowed write privilege at any time (applications requiring concurrent writers should tread carefully with SQLite). There is no network interface, and all connections are made through a filesystem; SQLite does not implement a client-server model. There is no “point in time recovery,” and backup operations are basically an Oracle 7-style ALTER DATAFILE BEGIN BACKUP that makes a transaction-consistent copy of the whole database. GRANT and REVOKE are not implemented in SQLite, which uses filesystem permissions for all access control. There are no background processes, and newly-connecting clients may find themselves delayed and responsible for transaction recovery, statistics collection, or other administrative functions that are quietly performed in the background in this “zero-administration database.” Some history and architecture of SQLite can be found in audio and video records of Dr. Hipp's discussions.


  • Vulnerability Detection and Patching: A Survey Of The Enterprise Environment
    by Joao Correia
    Detecting vulnerabilities and managing the associated patching is challenging even in a small-scale Linux environment. Scale things up and the challenge becomes almost unsurmountable. There are approaches that help, but these approaches are unevenly applied.
    In our survey, State of Enterprise Vulnerability Detection and Patch Management, we set out to investigate how large organizations handle the dual, linked security concerns of vulnerability detection and patch management.
    The results produced interesting insights into the tools that organizations depend on to effectively deal with vulnerability and patch management at scale, how these tools are used, and which restrictions organizations face in their battle against threat actors. Download the copy of the report here.
    Vulnerability management is an enterprise responsibility
    Before we dive into the results of our survey, let’s take a quick look at why vulnerability management operations matter so much in large organizations.
    Vulnerabilities are widespread and a major cybersecurity headache. In fact, vulnerabilities are such a critical problem that laws and regulations are in place to ensure that covered organizations adequately perform vulnerability management tasks – because the failure to do so can hurt a company’s customers.
    Each industry has different rules that apply to it – with organizations that handle personal data such as healthcare records and financial service firms operating under the strictest rules. It has an impact on day-to-day vulnerability management operations – some organizations must act much faster and more thoroughly than others.
    This is one of the points we explored in the survey, trying to understand how different industry compliance requirements affect vulnerability operations on the ground.
    The survey
    Early in 2021, we kicked off a survey with the intention to study three key factors in vulnerability and patch management operations. We examined patch deployment practices, how maintenance windows are handled, and tried to get a view into the overall level of security awareness of the organizations that responded.
    The survey was advertised publicly to IT professionals around the world and it continues to run, even though we have published the initial results.
        Go to Full Article          


  • Live Patching Requires Reproducible Builds – and Containers Are the Answer
        by Joao Correia
    We know that live patching has real benefits because it significantly reduces the downtime associated with frequent patching. But live patching is relatively difficult to achieve without causing other problems and for that reason live patching is not implemented as frequently as it could be. After all, the last thing sysadmins want is a live patch that crashes a system.
    Reproducible builds are one of the tools that can help developers to implement live patching consistently and safely. In this article, I explain why reproducible builds matter for live patching, what exactly reproducible builds are, and how containers are coming to the rescue.
    Live patching: a key threat management tool
    Patching is a critical part of systems maintenance because patching fixes faulty and buggy code. More importantly, security teams rely on patching to plug security holes, and there is a real urgency to it. Waiting for a convenient maintenance window to patch is risky because it leaves an opportunity for hackers to take advantage of an exploit.
    It creates a difficult conundrum: maintain high availability but run a security risk, or patch frequently but end up with frustrated stakeholders. Live patching bridges that gap. With live patching, the offending code is swapped out while a process is actively running, without restarting the application or service that depends on that process.
    Implementing live patching isn’t easy
    Live patching is not that straightforward to accomplish – the drop-in code must “fit” in a like-for-like manner, or all sorts of unwanted things can happen. Get it wrong, and the application – or entire server – will crash.
    The code behind a running process usually comes from a binary executable file – a machine-readable block of code compiled from source code. A kernel, for example, has thousands of source files all compiled into a few binaries.
    With live patching, the live patch code must fit in at an exact level. Yes, the binary file containing the patch code will be different from the binary file containing the bad code. Nonetheless, the new code must slot into place precisely and must depend on the same version of imported libraries. The live patch code must also be compiled using the same compiler options and flags. Bit endianness matters too – the binary file must be ordered in exactly the same way.
    In principle, all this is achievable – but in practice, it is a challenge. For example, day-to-day system updates often impact libraries. These libraries could be slightly different, in turn producing binaries that are slightly different when compiling code.
        Go to Full Article          


  • An Abridged Guide to the Enterprise Linux Landscape
        by Rod Cope
    Whether you are welcoming CentOS Stream or looking for alternatives, the recent decision from the CentOS community to focus on CentOS Stream has forced a lot of technical leaders to rethink their Enterprise Linux strategy. Beneath that decision, the business landscape involving Linux has shifted and expanded since its enterprise debut in the late 90s, when IBM would invest $1 billion in its development.
    Today, Linux comes in every shape and size imaginable — with the kernel running on tiny low power computers and IoT devices, mobile phones, tablets, laptops all the way up to midrange and high-power mainframe servers.
    Cutting through that expansive selection to understand which Linux distributions truly align with the needs of a business can lead to more frictionless deployments and successful execution while minimizing waste in maintenance cycles and optimizing overall cost.
    This abridged guide to the Enterprise Linux landscape can give businesses an overview of which flavor (or flavors) of Linux will most adequately match their use cases.
    For those looking for a more comprehensive guide, be sure to check out the Decision Maker’s Guide to Enterprise Linux.
    Finding the Right Linux Flavor
    Committing to a flavor can introduce many concerns. Beyond managing the deployments host-by-host, administrators must also consider the ecosystem components available to support the implementation at scale.
    What mechanisms will be available for automatic patching? Can you optimize bandwidth by mirroring the distribution's repository? Is remote desktop a concern? What about the kernel version requirements? Linux Kernel 4 contains optimizations that lead directly to dollars saved on cloud deployments; can you take advantage of that?
    Are you looking at a container strategy, thinking of deploying your apps into Kubernetes, or other multi-cloud strategies? What about options for embedded Linux?
    Nowadays there’s a preferred flavor of Linux for each of these concerns. A single flavor of Linux is really the Linux kernel surrounded by a curated suite of other free software. That other free software is what makes one flavor of Linux distinct from another.
        Go to Full Article          


  • Systemd Service Hardening
        by Alessio Greggi
    Introduction
    In an age where hacker attacks are a daily occurrence, it is of fundamental importance to minimize the attack surface. Containerization is probably the best way to isolate a service provided for the public, but this is not always possible for several reasons. For example, think of a legacy system application developed on systemd. This could make the most of the capabilities provided by a systemd-based operating system and it could be managed via a systemd unit, or it could automatically pull updates using a systemd timer, and so on.

    For this reason, we are going to explain how to improve the security of a systemd service. But first, we need to step back for a moment.  With the latest releases systemd has implemented some interesting features relating to security, especially sandboxing. In this article we are going to show step-by-step how to strengthen services using specific directives, and how to check them with the provided systemd suite.
    Debugging
    Systemd provides an interesting tool named systemd-analyze. Its security command analyzes the security and the sandboxing settings of one or more specified services. The command checks for various security-related service settings, assigning each a numeric "exposure level" value, depending on how important the setting is. It then calculates an overall exposure level for the whole unit through an estimation in the range 0.0…10.0, which tells us how exposed a service is security-wise.

     

    This allows us to check the improvements applied to our systemd service step-by-step. As you can see, several services are now marked as UNSAFE; this is probably because not all of the applications apply the features provided by systemd.
    Getting Started
    Let's start from a basic example. We want to create a systemd unit to start the command python3 -m http.server as a service:
     [Unit]
     Description=Simple Http Server
     Documentation=https://docs.python.org/3/library/http.server.html

     [Service]
     Type=simple
     ExecStart=/usr/bin/python3 -m http.server
     ExecStop=/bin/kill -9 $MAINPID

     [Install]
     WantedBy=multi-user.target
    Save the file and place it under the specific systemd directory of your distribution.

    By checking the security exposure through systemd-analyze security we get the following result:
        Go to Full Article          
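    One way to track which sandboxing directives the Simple Http Server unit from the excerpt above still lacks, and to generate a drop-in that sets them, as an added example (not code from the article or from systemd). The directive names are real systemd options, but the checklist and its values are this example's assumptions; systemd-analyze security on the host remains the actual measurement.

```python
# Sandboxing directives to require. The names are real systemd options; this
# selection and these values are the example's own assumption, not systemd's
# exposure scoring.
HARDENING = {
    "NoNewPrivileges": "yes",
    "PrivateTmp": "yes",
    "PrivateDevices": "yes",
    "ProtectSystem": "strict",
    "ProtectHome": "yes",
    "ProtectKernelTunables": "yes",
    "ProtectKernelModules": "yes",
    "ProtectControlGroups": "yes",
    "RestrictAddressFamilies": "AF_INET AF_INET6",
    "CapabilityBoundingSet": "",  # empty value: drop every capability
}

# The unit from the article excerpt.
UNIT = """\
[Unit]
Description=Simple Http Server
Documentation=https://docs.python.org/3/library/http.server.html

[Service]
Type=simple
ExecStart=/usr/bin/python3 -m http.server
ExecStop=/bin/kill -9 $MAINPID

[Install]
WantedBy=multi-user.target
"""


def service_settings(*texts):
    """Collect Key=Value pairs from [Service] in the unit and any drop-ins.

    Later texts replace earlier keys, which is enough to test for presence.
    """
    settings = {}
    for text in texts:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith(("#", ";")):
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            elif section == "Service" and "=" in line:
                key, value = line.split("=", 1)
                settings[key.strip()] = value.strip()
    return settings


def missing_hardening(settings):
    """Return the checklist directives the service does not set at all."""
    return [key for key in HARDENING if key not in settings]


def render_dropin(missing):
    """Render a [Service] drop-in that sets each missing directive."""
    return "\n".join(["[Service]"] + [f"{k}={HARDENING[k]}" for k in missing]) + "\n"


if __name__ == "__main__":
    print(render_dropin(missing_hardening(service_settings(UNIT))))
```

    The generated text belongs in a drop-in such as /etc/systemd/system/<unit-name>.service.d/hardening.conf (the unit name is a placeholder), followed by systemctl daemon-reload, a service restart, and a check that the service still works under the new restrictions.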


  • eBPF for Advanced Linux Infrastructure Monitoring
        by Odysseas Lamztidis   
    A year has passed since the pandemic left us spending the better part of our days sheltering inside our homes. It has been a challenging time for developers, Sysadmins, and entire IT teams for that matter who began to juggle the task of monitoring and troubleshooting an influx of data within their systems and infrastructures as the world was forced online. To do their job properly, free, open-source technologies like Linux have become increasingly attractive, especially amongst Ops professionals and Sysadmins in charge of maintaining growing and complex environments. Engineers, as well, are using more open-source technologies largely due to the flexibility and openness they have to offer, versus commercial offerings that are accompanied by high-cost pricing and stringent feature lock-ins.

    One emerging technology in particular - eBPF - has made its appearance in multiple projects, including commercial and open-source offerings. Before discussing more about the community surrounding eBPF and its growth during the pandemic, it’s important to understand what it is and how it’s being utilized. eBPF, or extended Berkeley packet filtering, was originally introduced as BPF back in 1992 in a paper by Lawrence Berkeley Laboratory researchers as a rule-based mechanism to filter and capture network packets. Filters would be implemented to run inside a register-based Virtual Machine (VM), which itself would exist inside the Linux Kernel. After several years of non-activity, BPF was extended to eBPF, featuring a full-blown VM to run small programs inside the Linux Kernel. Since these programs run from inside the Kernel, they can be attached to a particular code path and be executed when it is traversed, making them perfect to create applications for packet filtering and performance analysis and monitoring.

    Originally, it was not easy to create eBPF programs, as the programmer needed to know an extremely low-level language. However, the community around that technology has evolved considerably through their creation of tools and libraries to simplify and speed up the process of developing and loading an eBPF program inside the Kernel. This was crucial for creating a large number of tools that can trace system and application activity down to a very granular level. The image that follows demonstrates this, showing the sheer number of tools that exist to trace various parts of the Linux stack.
        Go to Full Article          


  • How to set up a CrowdSec multi-server installation
        by Manuel Sabban
    Introduction
    CrowdSec is an open-source & collaborative security solution built to secure Internet-exposed Linux services, servers, containers, or virtual machines with a server-side agent. It is a modernized version of Fail2ban which was a great source of inspiration to the project founders.
    CrowdSec is free (under an MIT License) and its source code is available on GitHub. The solution leverages a log-based IP behavior analysis engine to detect attacks. When the CrowdSec agent detects any aggression, it offers different types of remediation to deal with the IP behind it (access prohibition, captcha, 2FA authentication etc.). The report is curated by the platform and, if legitimate, shared across the CrowdSec community so users can also protect their assets from this IP address.
    A few months ago, we added some interesting features to CrowdSec when releasing v1.0.x. One of the most exciting ones is the ability of the CrowdSec agent to act as an HTTP rest API to collect signals from other CrowdSec agents. Thus, it is the responsibility of this special agent to store and share the collected signals. We will call this special agent the LAPI server from now on.
    Another feature worth noting is that mitigation no longer has to take place on the same server as detection. Mitigation is done using bouncers. Bouncers rely on the HTTP REST API served by the LAPI server.
    Goals
    In this article we’ll describe how to deploy CrowdSec in a multi-server setup with one server sharing signal.
    Both server-2 and server-3 are meant to host services. You can take a look at our Hub to know which services CrowdSec can help you secure. Last but not least, server-1 is meant to host the following local services:
      - the local API needed by bouncers
      - the database fed by both the three local CrowdSec agents and the online CrowdSec blocklist service.
    As server-1 is serving the local API, we will call it the LAPI server.
    We choose to use a postgresql backend for the CrowdSec database in order to allow high availability. This topic will be covered in future posts. If you are ok with no high availability, you can skip step 2.
        Go to Full Article          


  • Develop a Linux command-line Tool to Track and Plot Covid-19 Stats
        by Nawaz Abbasi
    It’s been over a year and we are still fighting the pandemic in almost every aspect of our lives. Thanks to technology, we have various tools and mechanisms to track Covid-19 related metrics which help us make informed decisions. This introductory-level tutorial discusses developing one such tool, from scratch, using just the Linux command line.
    We will start by introducing the most important parts of the tool – the APIs and the commands. We will be using 2 APIs for our tool - COVID19 API and Quickchart API - and 2 key commands – curl and jq. In simple terms, the curl command is used for data transfer and the jq command to process JSON data.
    The complete tool can be broken down into 2 key steps:

    1. Fetching (GET request) data from the COVID19 API and piping the JSON output to jq so as to process out only global data (or similarly, country specific data).
     $ curl -s --location --request GET 'https://api.covid19api.com/summary' | jq -r '.Global'
     {
       "NewConfirmed": 561661,
       "TotalConfirmed": 136069313,
       "NewDeaths": 8077,
       "TotalDeaths": 2937292,
       "NewRecovered": 487901,
       "TotalRecovered": 77585186,
       "Date": "2021-04-13T02:28:22.158Z"
     }
    2. Storing the output of step 1 in variables and calling the Quickchart API using those variables, to plot a chart. Subsequently piping the JSON output to jq so as to filter only the link to our chart.
     # newConf, totConf, newDeath, totDeath, newRecover, totRecover and datetime
     # hold the values from step 1. The JSON is passed as an unquoted
     # here-document so that the shell expands them (inside single quotes the
     # ${...} references would be sent literally).
     $ curl -s -X POST \
         -H 'Content-Type: application/json' \
         -d @- https://quickchart.io/chart/create <<EOF | jq -r '.url'
     {"chart": {"type": "bar", "data": {"labels": ["NewConfirmed (${newConf})", "TotalConfirmed (${totConf})", "NewDeaths (${newDeath})", "TotalDeaths (${totDeath})", "NewRecovered (${newRecover})", "TotalRecovered (${totRecover})"], "datasets": [{"label": "Global Covid-19 Stats (${datetime})", "data": [${newConf}, ${totConf}, ${newDeath}, ${totDeath}, ${newRecover}, ${totRecover}]}]}}}
     EOF
     https://quickchart.io/chart/render/zf-be27ef29-4495-4e9a-9180-dbf76f485eaf

    That’s it! Now we have our data plotted out in a chart:

        Go to Full Article          


  • FSF’s LibrePlanet 2021 Free Software Conference Is Next Weekend, Online Only
        by George Whittaker
    On Saturday and Sunday, March 20th and 21st, 2021, free software supporters from all over the world will log in to share knowledge and experiences, and to socialize with others within the free software community. This year’s theme is “Empowering Users,” and keynotes will be Julia Reda, Nathan Freitas, and Nadya Peek. Free Software Foundation (FSF) associate members and students attend gratis at the Supporter level.
    You can see the schedule and learn more about the conference at https://libreplanet.org/2021/, and participants are encouraged to register in advance at https://u.fsf.org/lp21-sp
    The conference will also include workshops, community-submitted five-minute Lightning Talks, Birds of a Feather (BoF) sessions, and an interactive “exhibitor hall” and “hallway” for socializing.
        Go to Full Article          


  • Review: The New weLees Visual LVM, a new style of LVM management, has been released
        by George Whittaker
    Maintenance of the storage system is a daily job for system administrators. Linux provides users with a wealth of storage capabilities, and powerful built-in maintenance tools. However, these tools are hardly friendly to system administrators, and considerable effort is generally required to master them.
    As a Linux built-in storage model, LVM provides users with plenty of flexible management modes to fit various needs. For users who can fully utilize its functions, LVM could meet almost all needs. But the premise is a thorough understanding of the LVM model and of dozens of commands with their accompanying parameters.
    A graphical interface would dramatically simplify both the learning curve and the operation of LVM, in a similar way to the partition tools that are widely used on Windows/Linux platforms. Although scripts with commands are suitable for daily, automatic tasks, scripts cannot handle all functions in LVM. For instance, manual calculation and processing are still required by many tasks.
    Significant effort has been spent on this problem. Nowadays, several graphical LVM management tools are already available on the Internet; some of them are built into Linux distributions and others are developed by third parties. But there remains a critical problem: the needs of remote machines and headless servers are completely ignored.
    This is now solved by Visual LVM Remote. The front end of this tool is built on the HTTP protocol. With any smart device that can connect to the storage server, users can perform management operations.
    Visual LVM is developed by weLees Corporation and supports all Linux distributions. In addition to working with remote/headless servers, it also supports more advanced features of LVM than the various off-the-shelf graphical LVM management tools.
    Dependencies of Visual LVM Remote
    Visual LVM Remote can work on any Linux distribution that includes the two components below:
      - LVM2
      - Libstdc++.so
    UI of Visual LVM Remote
    With a concise UI, partitions/physical volumes/logical volumes are displayed by disk layout. At a glance, disk/volume group information can be obtained immediately. In addition, detailed information about an object is displayed in the information bar below when the mouse hovers over it.
        Go to Full Article          


Page last modified on October 08, 2013, at 07:08 PM