Language Selection

English French German Italian Portuguese Spanish

February 2020

today's leftovers

Filed under
Misc
  • Destination Linux 162: Ikey Doherty Interview, Stuart Langridge Guest Host

    Topics covered in this episode:

    [...]
    Keeping Kids Safe Online

    [...]

    Interview:
    Ikey Doherty of Lispy Snake (formerly of Solus)

    Other Topics:
    GNOME 3.36 Preview
    ISP’s Claim Privacy Law Violates “Free Speech”

  • Daniel Stenberg: Expect: tweaks in curl

    One of the persistent myths about HTTP is that it is “a simple protocol”.

    [...]

    Background

    HTTP/1.1 is designed for being sent over TCP (and possibly also TLS) in a serial manner. Setting up a new connection is costly, both in terms of CPU but especially in time – requiring a number of round-trips. (I’ll detail further down how HTTP/2 fixes all these issues in a much better way.)

    HTTP/1.1 provides a number of ways to allow it to perform all its duties without having to shut down the connection. One such an example is the ability to tell a client early on that it needs to provide authentication credentials before the clients sends of a large payload. In order to maintain the TCP connection, a client can’t stop sending a HTTP payload prematurely! When the request body has started to get transmitted, the only way to stop it before the end of data is to cut off the connection and create a new one – wasting time and CPU…

    “We want a 100 to continue”

    A client can include a header in its outgoing request to ask the server to first acknowledge that everything is fine and that it can continue to send the “payload” – or it can return status codes that informs the client that there are other things it needs to fulfill in order to have the request succeed. Most such cases typically that involves authentication.

  • Environmental activist Shannon Dosemagen joins FSF conference keynote lineup

    Shannon Dosemagen is the second confirmed keynote speaker for the LibrePlanet conference. Dosemagen is the co-founder and current executive director of Public Lab, a nonprofit organization creating local environmental science solutions following the free software philosophy, and winner of the FSF's Award for Projects of Social Benefit. Shannon Dosemagen is an environmental health advocate and a community science champion, and is enthusiastic about free systems and technology that support the creation of a more just and equitable future. She is a previous Fellow at both the Harvard Berkman Klein Center for Internet and Society, and the Loyola University Environmental Communications Institute. During 2020, she will be a Fellow with the Shuttleworth Foundation, working on new concept.

    At LibrePlanet, Dosemagen will discuss her experience democratizing science to address environmental problem-solving. Her experiences and frustrations doing this work are very familiar to the free software community: "The work I do on the environment and health is being increasingly challenged by environmental deregulation and lack of cooperation. We're also seeing heightened pressure to drastically alter how society functions in an effort to curb the climate crisis. This is a profound moment, and critical to address at an event aptly themed 'Free the Future.'"

    "Shannon's work is very important, and is a testament to the success of community collaboration," says Zoë Kooyman, the FSF's program manager. "Public Lab's work towards free hardware solutions is a strong indicator of what the four freedoms can achieve, and how they can work towards a better future outside of software. Shannon is an experienced speaker and organizer, and we are proud to have her keynote at LibrePlanet."

  • GNU Health HMIS patchset 3.6.3 released with coronavirus COVID-19 coding information

    GNU Health 3.6.3 patchset has been released !

  • PCI Express 6.0 Reaches Version 0.5 Ahead Of Finalization Next Year

    Following the PCI Express 6.0 announcement from last summer that called for 64 GT/s transfer rates, version 0.5 of the PCIe 6.0 specification is now out for evaluation. 

    PCI Express 6.0 v0.5 is a "first draft" specification so that PCI-SIG members can review it and provide any feedback before delivering a complete draft in the months ahead and the v1.0 final draft in 2021. 

  • Mirantis Co-Founder Boris Renski Launches Enterprise LTE Network Startup

    There are no product details so far, but the plan is to leverage the newly opened CBRS spectrum to build 4G LTE wireless solutions and open-source most of the innovation.

Proprietary: Apple's 'Image' Obsession, TurboTax Scam, Nokia's Demise and Microsoft Being Microsoft

Filed under
Software
  • Apple Won't Allow Movie Villains to Use iPhones
  • TurboTax’s Bid to Buy Free Tax Prep Competitor Might Violate Antitrust Law, Experts Say

    TurboTax, the long-standing dominant player in the tax preparation software market, has recently faced a nascent threat to its lucrative business: A company that specializes in pitching its users financial products has entered the fray with a completely free tax prep service.

    This week, TurboTax’s parent company, Intuit, unveiled a solution to this problem: spending $7.1 billion to buy the rapidly growing upstart, Credit Karma, before it could become a major competitor.

  • Nokia to Weigh Strategic Options as Profit Pressure Mounts [Ed: Microsoft killed Nokia]

    The December announcement that Nokia Chairman Risto Siilasmaa would step down stirred speculation about deeper changes at the company. The firm is in a fierce rivalry with Ericsson and China’s Huawei Technologies Co., as the three dominant players seek to benefit from phone carriers’ investments in next-generation mobile networks.

  • 'Developers have lost hope Microsoft will do the right thing'... Redmond urged to make WinUI cross-platform

    Microsoft's roadmap for developing Windows applications is opposed by some programmers who want to see a cross-platform solution, rather than just being Windows-only.

    Spanish developer José Nieto this week raised an issue on GitHub, stating that WinUI, which Microsoft is positioning as “the native UI platform for Windows 10,” should target not only Windows, but also Linux, Mac, iOS, Android and WebAssembly – this last so it would also run in a web browser.

    This would go against the normal pattern, where a native UI platform is able to take advantage of all the features of the operating system, fits in seamlessly with its look and feel, and is optimized for performance. Supporting cross-platform is a burden that requires compromises.

openSUSE and LibreOffice: Citrix Workspace on openSUSE Tumbleweed, Open Build Service IP Changes, openSUSE + LibreOffice Conference and Navigator Improvements

  • Citrix Workspace on openSUSE Tumbleweed

    Some companies offer their employees to access their corporate computer work space remotely using a remote desktop connection. The company Citrix provides software for such a connection. To connect, the employees need the software Citrix Workspace on their terminal devices. The company provides on their download page also files for Linux including openSUSE. Unfortunately, their version 1912 from 12 December 2019 did not just work on my openSUSE Tumbleweed 64bit computer (and earlier versions I tried neither).

  • New IP addresses for build.opensuse.org

    People using this Open Build Service instance should normally not notice - but if you were crazy enough to add the old IP addresses to some firewall rules or configuration files, please make sure that you update your configuration accordingly.

  • Call for Papers, Registration Opens for openSUSE + LibreOffice Conference

    Planning for the openSUSE + LibreOffice Conference has begun and members of the open-source communities can now register for the conference. The Call for Papers is open and people can submit their talks until July 21.

  • Navigator imprevements by Jim Raykowski

    Jim Raikowski, one from LibreOffice's developers, has made many very nice Navigator improvements for Writer and Calc.

Debian: German Television, Freedb's Shutdown and Sparky News at Month's End

Filed under
Debian
  • Debian Edu on TV (NDR broadcast station, Germany)

    One of my Debian Edu customers has recently been on German television...

  • Freedb is closing its service

    Freedb, which is a free version of Cddb, and is used by the asunder cd-ripper (which I am the Debian maintainer of), is closing down it’s services March 31st.

  • Sparky news 2020/02

    The 2nd monthly report of 2020 of the Sparky project:

    • migration to a new, bigger vps done; make sure to install a new public key of Sparky repository -> https://sparkylinux.org/migration-to-a-new-vps/
    • Sparky 5.10.1 of the stable line released
    • Linux kernel updated up to version 5.5.7 & 5.6-rc3
    • added to our repos: Android Messages Desktop, MystiQ Video Converter
    • Nemomen keep translating Sparky Wiki pages to Hungarian, thanks a lot
    • Sparky 2020.02 and 2020.02.1 of the rolling line released
    • Sparky Special Editions 2020.02 GameOver, Multimedia & Rescue released

Mozilla: The Android Firefox Preview, Glean Spyware, and Firefox on Librem 5 (PureOS)

Filed under
Moz/FF
  • Firefox Preview for Android - Interesting

    After I've published my recent series of Firefox articles, mostly the review of versions 71 & 72, and the important essay on why you should be using it as your primary browser, I got a bunch of emails from readers suggesting I take Firefox Preview for a spin. This seems to be the next-gen edition of Firefox for Android, designed to be faster, lighter and more appealing, and hopefully endear a bunch of hearts to Mozilla's effort.

    While I'm not too keen on anything touch, I still want to be able to have a hassle-free, stupidity-free browsing experience anywhere, including the mobile, so I set about testing Firefox Preview. As the test device, I used my Motorola Moto G6 phone, which ought to be fairly representative of the kind of results we should be seeing. Let us begin, then.

  • William Lachance: This week in Glean (special guest post): mozregression telemetry (part 1)

    As I mentioned last time I talked about mozregression, I have been thinking about adding some telemetry to the system to better understand the usage of this tool, to justify some part of Mozilla spending some cycles maintaining and improving it (assuming my intuition that this tool is heavily used is confirmed).

    Coincidentally, the Telemetry client team has been working on a new library for measuring these types of things in a principled way called Glean, which even has python bindings! Using this has the potential in saving a lot of work: not only does Glean provide a framework for submitting data, our backend systems are automatically set up to process data submitted via into Glean into BigQuery tables, which can then easily be queried using tools like sql.telemetry.mozilla.org.

    I thought it might be useful to go through some of what I’ve been exploring, in case others at Mozilla are interested in instrumenting their pet internal tools or projects. If this effort is successful, I’ll distill these notes into a tutorial in the Glean documentation.

  • Desktop Firefox in Your Pocket with the Librem 5

    The first part tells Firefox to use the Wayland display stack instead of X11, which has fullscreen support with keyboard input. Finally --no-remote is a workaround to a Firefox bug. which has already been fixed and will find its way into Debian, as well as the PureOS and the Librem 5 soon.

Ubuntu Switches to a Snap’d Software Store for 20.04

Filed under
Ubuntu

The upcoming Ubuntu 20.04 release will ship with a Snap version of Ubuntu Software app by default.

But while Ubuntu’s default software management tool will become pre-seeded Snap app starting in 20.04 existing Snap builds of Calculator, Characters, and Logs will be reverted to their repo versions.

As noted on Ubuntu Discourse, the ubuntu-desktop and ubuntu-minimal meta-packages now pull in the Ubuntu Software Snap app in place of the regular apt/repo version.

To be clear: this is not a new app store. It is the same Ubuntu Software store as currently shipped, and is still based on GNOME Software. It just packaged as a Snap application.

Read more

Also: Ubuntu 20.04 Screenshots Tour

KDE: Plans for Qt 6, KDE Progress, and Setback for Qt Wayland

Filed under
KDE
  • KF6 Progress Report: February Edition

    It’s been two months since my previous KF6 progress report. Clearly an update is long overdue, it’s time to make it happen!

    An actual Qt 6 is not published yet and we didn’t branch for KF6 yet either. Still as can be seen on the KF6 Workboard there are plenty of tasks in our backlog which can be acted upon now. No need to wait to participate, all the work done now will make the transition to KF6 easier later on anyway.

  • This month in KDE Web: January-February 2020

    This is the first post in a monthly series about improvements to the KDE websites. I plan to publish it every last Saturday of the month. Since a lot happened in January and I didn’t mention it anywhere, I will also mention those things in this post.

  • January and February in KDE PIM

    Following the post about what happened in KDE PIM in November and December by Volker, let’s look into what the KDE PIM community has been up to in the first two months of the new year. In total 23 contributors have made 740 changes.

  • Qt Wayland's Maintainer Is Leaving The Company

    While the Qt5 tool-kit on Wayland is in fairly good shape in recent times, the Qt Wayland module that provides the Wayland platform abstraction and helpers for assembly Qt-based Wayland compositors could run the risk of regressing.

    The future of QtWayland was brought up on the Qt mailing list this week with QtWayland developer Johan Helsing leaving The Qt Company. The hope is there will be no reduced work on Qt Wayland support especially with several companies relying upon it as well as the community, but it was Johan that carried out much of the heavy lifting for this toolkit on Wayland.

DXVK 1.5.5 Released

Filed under
Graphics/Benchmarks
Gaming
  • DXVK 1.5.5 Released With Many Game Fixes

    DXVK 1.5.5 is out this weekend as a big update to this Direct3D-over-Vulkan translation layer widely used by Linux gamers in running Windows games with decent speed.

    DXVK 1.5.5 is a big update contrary to its version number in bringing many game-specific improvements and other fixes. There is also expanded Direct3D support.

  • Direct3D to Vulkan translation layer 'DXVK' version 1.5.5 is out with lots of bug fixes

    Developer Philip Rebohle today announced the release of DXVK 1.5.5, bringing with it plenty of bug fixes for this impressive Direct3D to Vulkan translation layer.

    On the games side, quite a number had specific issues addressed with this release. You should find less issues running: Book of Demons, Close Combat, Cross Racing Championship, Dungeons and Dragons: Temple of Elemental Evil, Elite Dangerous, Evil Genius, F1 2019, Hyperdimension Neptunia U Action Unleashed, Just Cause 1, Lumino City, Saint's Row III / IV, Shade Wrath of Angels, Sins of a Solar Empire, Rocket League and Vampire: The Masquerade Bloodlines which should see improved performance.

    Another tweak was done for Skyrim, this time fixing both crashes and incorrect rendering with the "d3d9.evictManagedOnUnlock" option, they say this is "useful for Skyrim with a large number of mods as an alternative to ENBoost".

More in Tux Machines

Security and Proprietary Issues

  • Surprise Capital One court decision spells trouble for incident response

    Break in case of emergency: Language is everything. Delineate clearly in all written comms between a ‘potential incident’ - and an actual one. Don’t start turning one of the hundreds of security events you see into a ‘security incident’ before the most essential facts are understood. Halpert’s threshold for incidents that need to be covered by legal privilege are: a) An incident that gives rise to an obligation to notify a regulator, or a contractual obligation to notify a business partner; or b) An incident that exposed trade secrets or otherwise would affect the share price of a company; or c) An incident that would cause significant reputational hit to the company; or d) An incident in which a crime is committed.

  • Judge rules Capital One must hand over Mandiant's forensic data breach report

    It’s a significant ruling that effectively affords the attorneys suing Capital One with a breakdown of which bank behaviors were successful, and which failed. It’s common for Fortune 500 companies to keep incident response firms like Mandiant on retainer, though it’s rare for those firms’ insights on high profile breaches to be made public. Similar rulings in the future could provide aggrieved customers with ammunition to seek higher pay-outs in court.

  • Retrotech: The Novell NetWare Experience

    In the simplest terms possible, NetWare was a dedicated network operating system. It was designed around fast and reliable network operations at the expense of almost everything else. Novell had invested massive amounts of research in figuring out how to do fast I/O and minimizing any delays from hardware related sources. The end result was a very lean system that remained stable and performant with a large number of clients attached. As networking was Novell's bread and butter, NetWare had excellent support for everything: clients were available for DOS, Windows, UNIX, Macintosh, OS/2 and probably other platforms I've never even heard of.

    The early history of NetWare is very muddled, and pre-2.0 versions have been lost to time. This compounded with poor documentation has made it very difficult to trace the early history of the product. However, while NetWare was not the first (or only) network product for IBM PCs, it quickly became the largest, displacing IBM's PC Network, and laughed at Microsoft's LAN Manager, and IBM OS/2 LAN Server.

    While NetWare did compete on UNIX, Sun had already gotten their foot in the door by porting NFS and making it the de-facto solution for all UNIXs of the era, as well as Linux. Meanwhile, Apple held onto AppleTalk which itself survived well into the early 2000s when NetWare had already disappeared into the aether. The explosion of Wintel PCs throughout the 90s had given NetWare a market position that should have been very difficult to dislodge.

    The full story of NetWare's fall from grace is a story for another time, but I do want to go into the more technical aspects that were both the boon and bane of NetWare. Much of NetWare's success can be attributed to its own IPX protocol which made networking plug and play and drastically lowered latencies compared to NetBIOS or even TCP/IP.

  • Polish malspam pushes ZLoader malware

    When enabling macros on the malicious Excel spreadsheet, the victim host retrieved the ZLoader DLL as shown in the previous section, saved the DLL to the victim's Documents folder, and ran it using rundll32.exe.

  • Microsoft Defender SmartScreen is hurting independent developers

    But what is SmartScreen?

    SmartScreen collects installation data from all Windows users in order to establish “reputation”. If the program does not have an established good reputation, you get this big warning message. By this time most users have deleted the .exe already thinking it is a malware, but SmartScreen can be bypassed by clicking on “More info” then “Run anyway”.

    The digital signature racket

    But let’s say you bite the bullet, you buy yourself an overpriced piece of prime numbers generated by a computer, sign your code and re-publish your application. You can now start getting users to install your app right? Wrong.

    But how do you build reputation? First of all, Microsoft needs to be able to gather information on who has published the app, and this is done by a code signing certificate. The most obvious implication is that unsigned apps will always trigger SmartScreen. The more insidious implication is that acquiring a code signing certificate is a big expense for an individual developer. There is currently no “Let’s Encrypt” equivalent to code signing certificates; so you have to purchase it from trusted authorities. The price range is wide but a certificate only valid for a year will typically go for about $100.

  • #Privacy: Michigan State University struck by ransomware attack

    It remains unclear as to how and when the attack happened, and what the ransom demand is.

    NetWalker is one of twelve ransomware gangs who threaten to publish data in revenge if organisations refuse to pay the ransom demand.

    MSU have not official disclosed the incident, however, an MSU spokesperson, Dan Olsen shared the following statement to EdScoop: “We are aware of a possible intrusion and we are actively looking into it.”

  • MSU: We won't pay [attacker] demanding ransom, threatening university over records

    University officials believe the latest breach occurred on Memorial Day and took relevant computer systems offline within hours of the intrusion, according to a news release. It compromised data associated with the Department of Physics and Astronomy, and information technology teams are coordinating with law enforcement to understand the scope of the breach. Investigators are notifying and providing support to affected MSU affiliates as they are identified.

    The cybersecurity breach, known as a ransomware attack, first became public May 27 when a [cr]acker-affiliated blog posted screenshots of files allegedly belonging to MSU affiliates. Images circulating on social media include a redacted passport and a list of transactions related to physics and astronomy projects. They also show a countdown clock that warns of “secret data publication” less than one week from when the screenshots were taken.

  • Michigan State target of ransomware attack threatening to release university data

    The ransom demanded was not specified, but the ransomware gang is prepared to release the university's documents.

    The NetWalker, a newer form of ransomeware sometimes labeled as Mailto, blog post threatened publication of 'secret' documents dated with a countdown clock with close to a week remaining.

  • Malware Team NetWalker Launches Ransomware Attack Against Weiz

    The Malware team NetWalker launched a new ransomware attack against the Austrian village of Weiz which affected the public service system and leaked a lot of the stolen data from building applications as we are about to read more in the following latest cryptocurrency news.

    According to the cybersecurity firm Panda Security, the Malware team managed to enter the town’s public network through phishing emails related to the Coronavirus pandemic. The subject of the emails which was ‘’information about the coronavirus’’ was used to bait the employees of the public infrastructure of the city into clicking on malicious links which triggered the ransomware.

    Panda Security claims that the ransomware attack belongs to a new version of a ransomware family that spreads by using VBScripts. If the infection is successful, it will spread through the entire windows network to which the infected machine is related. The report details that the ransomware terminates and services under Windows which encrypts files on all available disks thus eliminating the backups.

  • Inside a ransomware gang’s attack toolbox

    The crooks deployed a pirated copy of the Virtual Box virtual machine (VM) software to every computer on the victim’s network, plus a VM file containing a pirated copy of Windows XP, just to have a “walled garden” for their ransomware to sit inside while it did its cryptographic scrambling.

    But that’s far from everything that today’s crooks bring along for a typical attack, as SophosLabs was able to document recently when it stumbled upon a cache of tools belonging to a ransomware gang known as Netwalker.

  • Researchers Dive Into Evolution of Malicious Excel 4.0 Macros

    For more than five months, Lastline security researchers have tracked the evolution of malicious Excel 4.0 (XL4) macros, observing the fast pace at which malware authors change them to stay ahead of security tools.

    A central part of many organizations’ productivity tools, Excel opens the door for phishing attacks where victims are tricked into enabling macros in malicious documents, which can results in the attackers gaining a foothold on the network, in preparation for additional activities.

    During their five-month research, Lastline observed thousands of malicious samples, clustered into waves that provide a comprehensive picture of how the threat has evolved in both sophistication and evasiveness.

  • MSU won't pay ransom to [cr]acker who stole financial documents, personal information

    EdScoop reported the ransomware attack on May 27 and provided screenshots from a blog on the dark web, showing what appear to be a student's passport, MSU financial documents and files from the MSU network, as well as a countdown that had about one week remaining as of May 27.

  • Attackers Target 1M+ WordPress Sites To Harvest Database Credentials

    Attackers were spotted targeting over one million WordPress websites in a campaign over the weekend. The campaign unsuccessfully attempted to exploit old cross-site scripting (XSS) vulnerabilities in WordPress plugins and themes, with the goal of harvesting database credentials.

    The attacks were aiming to download wp-config.php, a file critical to all WordPress installations. The file is located in the root of WordPress file directories and contains websites’ database credentials and connection information, in addition to authentication unique keys and salts. By downloading the sites’ configuration files, an attacker would gain access to the site’s database, where site content and credentials are stored, said researchers with Wordfence who spotted the attack.

    Between May 29 and May 31, researchers observed (and were able to block) over 130 million attacks targeting 1.3 million sites.

  • Denial of service attacks against advocacy groups skyrocket

    Distributed denial-of-service attacks against advocacy organizations increased by 1,120% since a Minneapolis police officer killed George Floyd by kneeling on his neck, sparking demonstrations throughout the U.S.

    In figures published Tuesday, the internet security firm Cloudflare said it blocked more than 135 billion malicious web requests against advocacy sites, compared to less than 30 million blocked requests against U.S. government websites, such as police and military organizations. The company did not disclose which websites were affected, specifically.

Reading about open source in French

English speakers have so many wonderful open source resources that it's easy to forget that communications in English aren't accessible to everyone everywhere. Therefore, I've been looking for great open source resources in Spanish and French, so I can recommend them when the need arises. One I've been looking at recently is LinuxFr.org, which seems to be a fine "agora" for all sorts of interesting conversations in French about open source specifically and open everything else as well. Read more

Open Source Password Manager Bitwarden Introduces Two New Useful Features: Trash Bin & Vault Timeout

Bitwarden is unquestionably one of the best password managers available for Linux. It’s also a cross-platform solution — so you can use it almost anywhere you like. You can also read our review of Bitwarden if you want to explore more about it. Now, coming back to the news. Recently, Bitwarden introduced two new major features that makes it even better. Read more

6 Kubernetes Security Best Practices Every Linux Administrator Should Know

Kubernetes is a popular container orchestration platform used by many professionals around the world. It’s an open-source platform that enables you to manage containerization, providing you with feature-rich controls. However, Kubernetes is not easy to learn and maintain. To properly secure Kubernetes operations, you need to adopt certain best practices. Read more