Episode 443 Show Notes

Welcome to mintCast

the Podcast by the Linux Mint Community for All Users of Linux

This is Episode 443!

This is Episode 443.5!

Recorded on Sunday, August 4th 2024

Feeling the heat, I’m Joe; ready for school, I’m Moss; Willing to pay real money for a back rub, I’m Bill; overworked and underpaid, but running on “Grrders”, I’m Majid; and conspiring with our future AI overlords, I’m Eric

— Play Standard Intro —

  • Please remember if you want to follow along with our discussions, a link to the full show notes is in the show’s description
  • First up in the news: Linux Mint 22 “Wilma” released, Switzerland now requires all government software to be open source, Intel suffers stock losses, Intel admits to damage on 13th and 14th gen processors, Funtoo calls it quits, and SerpentOS makes its first appearance;
  • In security and privacy: SecureBoot is broken on over 200 computers from 5 major vendors, new Android malware drains bank accounts and wipes your device afterwards, and TGRat attacks Linux;
  • Then in our Wanderings: Bill loves the image, Joe works too hard, Moss does upgrades, Majid sells stuff, and Eric wants to become one with AI.
  • In our Innards section: We talk Mint 22
  • And finally, the feedback and a couple of suggestions

— Play News Transition Bumper —

The News

20 minutes

  • Linux Mint 22 “Wilma” released
    • From the Mint blog and OMG Ubuntu (via londoner)
    • On Thursday, July 25, the stable version of Linux Mint 22 “Wilma” was officially released in the usual three desktop environments of Cinnamon, MATE and Xfce. As always, it is a long term support release which will be supported until 2029.
    • This major update is built on Ubuntu 24.04 LTS and sees Linux Mint 22 inherit big updates to underlying packages, libraries, tooling, and core technology stacks. There’s also a new Linux kernel (6.8), and a fresh set of graphics drivers. Wayland support has improved but is still considered experimental. In a notable break with past tradition, the distro plans to release new kernel updates every 6 months through the Ubuntu hardware enablement (HWE) stack.
    • Mint 22 ships with a new version of the Cinnamon desktop (6.2, featuring new options), a suite of new and improved apps (plus a few downgrades and removals), and makes some notable security changes (like no more guest login by default).
    • On the audio front, PipeWire is now used as the default sound server. PipeWire delivers lower latency, improved performance, and better compatibility with a wider range of Bluetooth devices, apps, and online services than PulseAudio, which it replaces.
    • Any unused language packs (other than English and the language you select during installation) are removed after installation. This change reduces the disk space a new installation requires, which is a nice low-level improvement.
    • Other changes in Linux Mint 22 include:
      Guest sessions are disabled by default
      Translations optimised to take up less disk space
      22 new desktop backgrounds
      Themes updated to support GTK4
      All apps using libsoup2 have been migrated to libsoup3
      Better HiDPI support in Plymouth and the login screen
      Shutdown timeout reduced to 10 seconds
    • As you’d expect, there are lots of bug fixes, performance buffs, and translation tweaks bundled up in this update. While invisible (and hard to screenshot) those are welcome.
    • The Cinnamon 6.2 desktop is at the heart of Linux Mint 22. While it offers no “showy” new features, there are lots of smaller, quality improvements baked-in to help enhance its usability and make it easier (and more fun) to use.
    • You can now organise Nemo actions (file manager scripts) using a new, dedicated tool. The new Nemo actions layout editor supports ordering/sorting, dividers, grouping actions into submenus, editing their text labels, and changing the icon shown for an action.
    • The corner bar applet (far right of the bottom panel) now lets you choose which action is triggered when holding the shift key and clicking on the button – show desktop, show desklets, show the workspace switcher, or show the window picker.
      Mint Menu now has a ‘Science’ category
      User applet has an option to show user profile pic on panel
      Power applet more precise at reporting battery state
      Startup Applications now shows search bar when adding entries
      Screen lock delay now offers 5 second & 10 second options
      Cinnamon Spices (add-ons) now support configurable keybindings
      Keyboard shortcuts panel gains a search feature
      Active VPN connections denoted by padlock on network icon
      OSK picks up a toggle to disable the OSK
    • The Software Manager hides unverified Flathub listings by default, even if you explicitly search for something. You can choose to see and install unverified Flatpak apps using the toggle newly added to the (newly expanded) Software Manager settings panel. Mint cautions against this; a warning text informs you of the potential security risk from opting-in.
    • Elsewhere, Linux Mint now maintains its own DEB package of the Thunderbird e-mail client. This is because upstream Ubuntu switched to a Thunderbird snap, and made the Thunderbird DEB in its repos a transition package that (re)installs the snap.
    • Two new apps make their debut in Linux Mint 22. The first is a new XApp named GNOME Online Accounts GTK. This wraps the latest GOA functionality (from GNOME 46) in a vanilla GTK4 user-interface that fits in with the rest of the Cinnamon desktop. The second is a new preinstalled web app for Element, a cloud-based client for the Matrix chat platform, and hardcoded to load the official Linux Mint Matrix channel on launch. This app replaces Hexchat (IRC client, now removed) to provide real-time support.
    • In an unexpected move, Mint 22 downgrades some of its preinstalled apps to older versions — not something most of us would expect when installing a newer version of a Linux distribution! Why has this happened? Many of the latest versions of these apps adopt GTK4/libadwaita for their UI, which Linux Mint dislikes, feeling it impacts the look, feel, and integration of apps with the rest of the non-GNOME desktops like Cinnamon – they stand out like a sore thumb, basically. As a result, many apps have been downgraded to older GTK3 builds. Apps downgraded to older versions (than the ones present in the Ubuntu 24.04 repos) include Celluloid, GNOME Calculator, Simple Scan, Disk Usage Analyser, System Monitor, GNOME Calendar, and the archive extraction/compression tool File Roller.
    • Apart from the above, here are other changes to default apps in Linux Mint 22:
      Warpinator adds a ‘restart’ item to its menu
      Nemo has a JXL thumbnailer
      Pix now supports opening of JXL images
      Sticky notes lets you choose the default screen position
      Time Shift asks for confirmation when deleting backups
      Xed text editor gains a keyboard shortcut to toggle the mini-map
    • Upgrade instructions:
      If you are running the BETA you don’t need to upgrade; use the Update Manager to apply available updates.
      Upgrade instructions from Linux Mint 21.3 have also been posted at https://blog.linuxmint.com/?p=4732.
    • Link to detailed instructions at https://linuxmint-user-guide.readthedocs.io/en/latest/upgrade.html
    • Link to What’s new in Linux Mint 22.
    • Link to Release Notes for Linux Mint 22.
  • Switzerland now requires all government software to be open source
    • From ZD Net (via londoner)
    • Several European countries are betting on open-source software. In the United States, eh, not so much. In the latest news from across the Atlantic, Switzerland has taken a major step forward with its “Federal Law on the Use of Electronic Means for the Fulfillment of Government Tasks” (EMBAG). This groundbreaking legislation mandates using open-source software (OSS) in the public sector. This new law requires all public bodies to disclose the source code of software developed by or for them unless third-party rights or security concerns prevent it. This “public money, public code” approach aims to enhance government operations’ transparency, security, and efficiency.
    • Making this move wasn’t easy. It began in 2011 when the Swiss Federal Supreme Court published its court application, Open Justitia, under an OSS license. The proprietary legal software company Weblaw wasn’t happy about this. There were heated political and legal fights for more than a decade. Finally, the EMBAG was passed in 2023. Now, the law not only allows the release of OSS by the Swiss government or its contractors, but also requires the code to be released under an open-source license “unless the rights of third parties or security-related reasons would exclude or restrict this.”
    • Professor Dr. Matthias Stürmer, head of the Institute for Public Sector Transformation at the Bern University of Applied Sciences, led the fight for this law. He hailed it as “a great opportunity for government, the IT industry, and society.” Stürmer believes everyone will benefit from this regulation, as it reduces vendor lock-in for the public sector, allows companies to expand their digital business solutions, and potentially leads to reduced IT costs and improved services for taxpayers.
    • In addition to mandating OSS, the EMBAG also requires the release of non-personal and non-security-sensitive government data as Open Government Data (OGD). This dual “open by default” approach marks a significant paradigm shift towards greater openness and practical reuse of software and data.
    • Implementing the EMBAG is expected to serve as a model for other countries considering similar measures. It aims to promote digital sovereignty and encourage innovation and collaboration within the public sector. The Swiss Federal Statistical Office (BFS) is leading the law’s implementation, but the organizational and financial aspects of the OSS releases still need to be clarified.
    • Other countries in Europe have long supported open source. For example, in 2023, French President Macron stated, “We love open source,” and France’s National Gendarmerie (Think FBI if you’re an American) uses Linux on its PCs. The European Union (EU) has long worked on securing OSS via the EU’s Free and Open Source Software Auditing (FOSSA) project. That said, it’s not all wine and roses in the EU. There’s some worry that the European Commission will cut funding for the NGI Zero Commons Fund, an important funding source for OSS projects.
    • In the US, there’s some support for open source, but not nearly as much as in Europe. The Federal Source Code Policy, for instance, requires federal agencies to release at least 20% of new custom-developed code as open-source software. It doesn’t, however, mandate the use of open source. Similarly, the General Services Administration (GSA) has an OSS Policy that requires GSA organizations to account for and publish their open-source code. This policy promotes an “open first” approach for new custom code development.
    • So, while this legislative move positions Switzerland at the forefront of the global open-source movement, more work needs to be done both in Europe and the US.
  • Intel Suffers Major Stock Loss Due to Workforce Restructuring
    • Text summarized by Eric from several articles, as listed at the end.
    • Intel is undergoing significant restructuring as it faces substantial challenges in the competitive semiconductor market. The company announced plans to cut over 15% of its workforce, translating to approximately 17,500 jobs, as part of a broader strategy to save $10 billion by 2025. This decision follows a disappointing financial performance, including a second-quarter net loss of $1.6 billion, a stark contrast to a profit of $1.5 billion in the same period the previous year. The layoffs will primarily affect sales, marketing, and administrative roles, and are expected to be completed by the end of 2024.
    • CEO Pat Gelsinger emphasized that these painful decisions are necessary to align Intel’s cost structure with its new operating model, particularly as the company struggles to capitalize on trends like artificial intelligence (AI). There is also pressure from chip maker ARM with the recent advent of the CoPilot PC powered by Snapdragon’s X processor line as well as Apple’s highly successful M series chips. Intel had previously failed to capitalize on the smartphone market as well.
    • Despite the layoffs, Gelsinger assured that the company remains committed to its turnaround plan, which includes a focus on developing advanced AI processors and enhancing its foundry services. However, analysts have expressed skepticism about whether these measures will be sufficient to restore Intel’s competitive edge against rivals like Nvidia and AMD, especially given the company’s lagging position in the AI chip market.
    • In addition to workforce reductions, Intel will suspend its dividend starting in the fourth quarter. This move is part of a concerted effort to improve its balance sheet and manage rising costs associated with its foundry operations. The company has also been impacted by external factors, such as reduced spending in the data center segment and challenges in its China operations due to revoked export licenses. As a result, Intel’s stock plummeted nearly 20% in after-hours trading following the announcement, reflecting investor concerns about the company’s future prospects.
    • Intel’s strategic pivot includes leveraging significant government support through the CHIPS Act, which has allocated up to $8.5 billion in funding to bolster domestic chip manufacturing. This financial backing aims to help Intel build new facilities across the U.S. and create thousands of jobs, although the realization of these plans will take time and require substantial investment in infrastructure and workforce development.
    • Citations:
  • Proton Now Has a Bitcoin Wallet
    • from HowToGeek
    • Proton might be best known for its Mail and VPN services, but the company now has an entire ecosystem of privacy-preserving apps and services. The latest addition is certainly questionable, though: a bitcoin wallet.
    • Proton has just announced Proton Wallet, a digital wallet for sending, receiving, and storing Bitcoin cryptocurrency. Bitcoin can be purchased in “150+ countries” through Proton’s “licensed third parties.” Proton Wallet also supports ‘Bitcoin via Email,’ which allows people to send and receive Bitcoin using the email address tied to their Proton account, instead of more complex Bitcoin wallet addresses.
    • The company said in a press release, “Proton occupies a unique spot among wallet providers. It is not a crypto company, has never issued a cryptocurrency, does not trade or speculate in crypto, nor is it an exchange. It is not profit-driven either, as its primary shareholder is the non-profit Proton Foundation whose mission is to preserve privacy and freedom online. From this perspective, Proton is maybe the last organization one would expect to enter the Bitcoin space, but it hopes through the launch of Proton Wallet, to provide exactly what the space needs to gain mainstream trust and acceptance.”
    • Bitcoin is a decentralized cryptocurrency that is most often used as a speculative investment or as payments to criminals (either for ransomware or illegal purchases), with regular peer-to-peer payments making up a smaller percentage of transactions. It also uses significantly more electricity than comparable transactions in the regular (fiat) global banking system, thanks to its proof-of-work model, and that electricity often comes from coal plants and other non-renewable energy sources. Cryptocurrency as a concept might have some merit, but Bitcoin is arguably the worst implementation of cryptocurrency, largely because it was the first one out of the gate.
    • Bitcoin has had roughly 15 years to prove itself as a viable alternative to fiat currency, and it has failed at almost every opportunity. Proton pointed out in its announcement that it has accepted payments in Bitcoin since its initial funding round in 2014, but that’s not the same as convincing people to enter the ecosystem for the first time, or hoping Bitcoin can finally “gain mainstream trust and acceptance.” Proton Wallet is also a significant departure from Proton’s other apps and services, which mostly serve as alternatives to big tech services like Gmail and Google Calendar. Google and Microsoft have never launched a crypto wallet, and Meta’s ambitions for cryptocurrency payments fell apart in 2019.
    • The lack of proper banking infrastructure and user protections also makes Bitcoin wallets a common target for hackers and scammers, in a practice known as wallet draining. Proton says it has beefed up security with two-factor authentication and “Proton Sentinel, which uses advanced machine learning and AI, along with human analysis, to block malicious login attempts with high accuracy.” That likely won’t mitigate all hacking and social engineering attempts, though.
    • Proton Wallet is rolling out now in early access to users on the Proton Visionary plan, and users with access can invite up to 10 other people to join.
  • Intel admits damage to unstable 14th-gen and 13th-gen CPUs is permanent – incoming patch is a preventative, not a cure – Majid
    • from TechRadar
    • Intel provided a statement earlier this week on the instability problems with 14th-gen and 13th-gen CPUs, but some further details have come to light since then – including a clarification that any damage done to high-end CPUs is permanent.
    • In case you missed it, Intel’s previous announcement pinned down ‘elevated operating voltage’ as a key cause (not necessarily the only one, mind) for these Core i9 processors (and lower-tier chips too) crashing and generally going awry.
    • Team Blue also assured us that a fix in the form of a microcode update is inbound for these chips and should arrive around the middle of August.
    • What’s been made clear now, however, is that this is a preventative measure, as opposed to a cure. By which we mean that it’ll prevent the instability issue with Raptor Lake and Raptor Lake Refresh processors, but it won’t reverse any damage already done to a CPU that has already been affected, and won’t make it stable – the misfiring chip will continue to crash.
    • Or so The Verge reports, having fired a bunch of questions at Intel, and received a fair few answers from an Intel spokesperson, Thomas Hannaford – some of which may not comfort you much. For starters, the tech site points to Tom’s Hardware’s recent assertion that degradation of an affected Intel CPU is irreversible, with The Verge noting that Hannaford “did not deny that when we asked.”
    • One of the key questions posed by The Verge was: “Does Intel anticipate the fix will be effective for chips that have already been in service but are not yet experiencing symptoms (i.e., invisible degradation)? Are those CPUs just living on borrowed time?”
    • Hannaford’s reply was as follows: “Intel is confident that the microcode patch will be an effective preventative solution for processors already in service, though validation continues to ensure that scenarios of instability reported to Intel regarding its Core 13th/14th Gen desktop processors are addressed.
    • “Intel is investigating options to easily identify affected or at-risk processors on end user systems.
    • “It is possible the patch will provide some instability improvements to currently impacted processors; however customers experiencing instability on their 13th or 14th Generation desktop processor-based systems should contact Intel customer support for further assistance.”
    • So, what do we make of that statement? While Intel might be ‘confident’ the patch will work as a preventative, the issue of ‘invisible degradation’ for us is whether potential damage could have been done – which isn’t yet detectable – that could be a problem down the line. In other words, while the microcode update may well stop any further damage being caused to the chip, our concern is if some damage has already been done – but nothing that actually has an observable effect – this might, in the long run, mean the CPU doesn’t last as long as it otherwise would have done.
    • We find this whole episode a bit unsettling in this respect, and compounding these kinds of concerns, when it came to The Verge’s question on whether Intel might extend warranty coverage for 13th-gen or 14th-gen processors, the company didn’t supply an answer. The spokesperson simply declined to comment.
    • It’s also worth noting that the final paragraph of the above statement doesn’t completely rule out that the microcode update might just help out Intel processors that are already affected by instability issues – and that it is ‘possible’ the patch could ‘provide some instability improvements’ which would at least be something.
    • But really, if you have a processor that’s already exhibiting problems, the safest course of action seems to be to try and get it returned and replaced.
    • Other notable revelations from The Verge’s Q&A session with Intel include Team Blue admitting that any 13th-gen or 14th-gen CPU with a power usage (TDP) of 65W or greater could be affected by the issue with potentially damaging elevated voltages.
    • That includes not just Core i9 and i7 chips, but also Core i5 models, such as the Intel Core i5-14600 – and we have seen reports of other Core i5 CPUs being hit. That said, it appears that the higher-end the chip, and the higher the TDP, the more risk there seems to be of a poor outcome with the stability blues.
    • Intel also said it won’t be engaging in any kind of recall over this issue, and the company hasn’t halted chip shipments or sales while the microcode update is being finished off and validated.
    • That microcode patch will roll out via motherboard vendors (in BIOS updates) next month as mentioned, and meanwhile, Hannaford confirmed to The Verge that Intel is still investigating possible other causes that may run alongside the uncovered ‘key’ problem with the voltage issue.
    • Intel’s problem here is that it can’t let this drag on – not with the battle of Arrow Lake versus Ryzen 9000 on the horizon, as this episode could be pretty off-putting for those looking to buy a next-gen chip, perhaps pushing them to favor Ryzen when they might not have done before all this happened.
  • Funtoo Calls It Quits
    • from drobbins
    • All good things must come to an end. I’ve decided to end the Funtoo Linux project. Funtoo started as a philosophy to create a fun community of contributors building something great together. For me, it’s no longer that so I need to move on to other things. There is not a successor BDFL for Funtoo nor am I interested in trying to find one, or hand the project off to someone else. You can expect the project to wind down through August. If you have a Funtoo container, it will continue to be online through the end of August so you have time to find another hosting solution if you need one.
  • The long-awaited Linux distro Serpent OS is finally here – Majid
    • from Notebook Check
    • Unlike most current Linux distributions, Serpent OS does not use existing distributions like Ubuntu or Debian. Ikey Doherty and his team have been writing Serpent OS from scratch for the past four years. This fact allows Serpent OS to boast features not found on other Linux distros. The team hopes that thanks to this, the user will benefit from a more efficient system that can leverage cutting-edge tools to increase productivity, lower development time, and create a system that isn’t “broken” by updates.
    • The Serpent OS pre-alpha ships with GNOME 45.3, which is not the latest environment, but this may change in the final release. The minimal desktop includes a pre-installed app selection following suit. Notable apps include Mozilla Firefox and Zed code editor, the latter only recently available to users of Mac OS. Much like Serpent OS, Zed editor provides a clean and fast user experience while leveraging the performance enhancements of the Rust programming language.
    • MOSS, the package manager, is also written in Rust and is unique to the distribution. For every package management operation, MOSS creates a new self-contained transaction. MOSS allows the system to offer rollbacks to an earlier state if the package or package update is unsafe to apply. This feature alone could prevent systems from crashing from an update. Rust also ensures that the processes are quick and memory-safe.
    • However, this is a pre-alpha build of the OS and has limitations. Currently, there is no graphical installer. Users are required to partition their drives for installation. There is also no support for other desktop environments besides GNOME. Thankfully, there are plans to support System76’s upcoming COSMIC environment and other popular Linux desktops. To learn more or try the distro yourself, please be so kind as to check the links below.

— Play Security Transition Bumper —

Security and Privacy

10 minutes

  • Secure Boot is completely broken on 200+ models from 5 big device makers
    • from ArsTechnica
    • In 2012, an industry-wide coalition of hardware and software makers adopted Secure Boot to protect against a long-looming security threat. The threat was the specter of malware that could infect the BIOS, the firmware that loaded the operating system each time a computer booted up. From there, it could remain immune to detection and removal and could load even before the OS and security apps did.
    • The threat of such BIOS-dwelling malware was largely theoretical and fueled in large part by the creation of ICLord Bioskit by a Chinese researcher in 2007. ICLord was a rootkit, a class of malware that gains and maintains stealthy root access by subverting key protections built into the operating system. The proof of concept demonstrated that such BIOS rootkits weren’t only feasible; they were also powerful. In 2011, the threat became a reality with the discovery of Mebromi, the first-known BIOS rootkit to be used in the wild.
    • Keenly aware of Mebromi and its potential for a devastating new class of attack, the Secure Boot architects hashed out a complex new way to shore up security in the pre-boot environment. Built into UEFI—the Unified Extensible Firmware Interface that would become the successor to BIOS—Secure Boot used public-key cryptography to block the loading of any code that wasn’t signed with a pre-approved digital signature. To this day, key players in security—among them Microsoft and the US National Security Agency—regard Secure Boot as an important, if not essential, foundation of trust in securing devices in some of the most critical environments, including in industrial control and enterprise networks.
    • On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in December of that year, someone working for multiple US-based device manufacturers published what’s known as a platform key, the cryptographic key that forms the root-of-trust anchor between the hardware device and the firmware that runs on it. The repository was located at https://github.com/raywu-aaeon/Ryzen2000_4000.git, and it’s not clear when it was taken down.
    • The repository included the private portion of the platform key in encrypted form. The encrypted file, however, was protected by a four-character password, a decision that made it trivial for Binarly, and anyone else with even a passing curiosity, to crack the passcode and retrieve the corresponding plain text. The disclosure of the key went largely unnoticed until January 2023, when Binarly researchers found it while investigating a supply-chain incident. Now that the leak has come to light, security experts say it effectively torpedoes the security assurances offered by Secure Boot.
    • “It’s a big problem,” said Martin Smolár, a malware analyst specializing in rootkits who reviewed the Binarly research and spoke to me about it. “It’s basically an unlimited Secure Boot bypass for these devices that use this platform key. So until device manufacturers or OEMs provide firmware updates, anyone can basically… execute any malware or untrusted code during system boot. Of course, privileged access is required, but that’s not a problem in many cases.”
    • Binarly researchers said their scans of firmware images uncovered 215 devices that use the compromised key, which can be identified by the certificate serial number 55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4. A table appearing at the end of this article lists each one.
    • The researchers soon discovered that the compromise of the key was just the beginning of a much bigger supply-chain breakdown that raises serious doubts about the integrity of Secure Boot on more than 300 additional device models from virtually all major device manufacturers. As is the case with the platform key compromised in the 2022 GitHub leak, an additional 21 platform keys contain the strings “DO NOT SHIP” or “DO NOT TRUST.”
    • These keys were created by AMI, one of the three main providers of software developer kits that device makers use to customize their UEFI firmware so it will run on their specific hardware configurations. As the strings suggest, the keys were never intended to be used in production systems. Instead, AMI provided them to customers or prospective customers for testing. For reasons that aren’t clear, the test keys made their way into devices from a nearly inexhaustive roster of makers. In addition to the five makers mentioned earlier, they include Aopen, Foremelife, Fujitsu, HP, Lenovo, and Supermicro.
    • Cryptographic key management best practices call for credentials such as production platform keys to be unique for every product line or, at a minimum, to be unique to a given device manufacturer. Best practices also dictate that keys should be rotated periodically. The test keys discovered by Binarly, by contrast, were shared for more than a decade among more than a dozen independent device makers. The result is that the keys can no longer be trusted because the private portion of them is an open industry secret.
    • In an interview, Binarly founder and CEO Alex Matrosov wrote:
    • “Imagine all the people in an apartment building have the same front door lock and key. If anyone loses the key, it could be a problem for the entire building. But what if things are even worse and other buildings have the same lock and the keys?”
    • Matrosov said his team found identical test platform keys on both client and server-related products. Team members also determined that at least one test key was used in devices sold by three distinct manufacturers.
    • “If the key will be leaked, it’s impacting the ecosystem,” he explained. “It’s not impacting a single device.”
    • Binarly has named its discovery PKfail in recognition of the massive supply-chain snafu resulting from the industry-wide failure to properly manage platform keys. The report is available here. Proof-of-concept videos are here and here. Binarly has provided a scanning tool here.
    • More of the article can be found at the link.
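
An added example (not from the article, and not Binarly's scanning tool): a Python check of a Linux machine's platform key for the two indicators named above, the leaked key's certificate serial number and the "DO NOT TRUST" / "DO NOT SHIP" strings. It assumes the PK is exposed through efivarfs at the standard path and that the marker strings are ASCII-encoded in the certificate; `sample_pk` builds constructed test input, not a valid certificate.

```python
import struct
import uuid
from pathlib import Path

# Platform key variable as exposed by Linux efivarfs (EFI global variable GUID).
PK_PATH = Path("/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c")
# SignatureType GUID for X.509 entries, in its on-disk (little-endian) layout.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le
# Indicators quoted in the article above.
LEAKED_SERIAL = "55:fb:ef:87:81:23:00:84:47:17:0b:b3:cd:87:3a:f4"
TEST_KEY_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")


def x509_certs(siglists: bytes):
    """Yield DER certificates from concatenated EFI_SIGNATURE_LIST structures."""
    off = 0
    while off + 28 <= len(siglists):
        sig_type = siglists[off:off + 16]
        list_size, hdr_size, sig_size = struct.unpack_from("<III", siglists, off + 16)
        if list_size < 28 or off + list_size > len(siglists):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        if sig_type == EFI_CERT_X509_GUID and sig_size > 16:
            pos, end = off + 28 + hdr_size, off + list_size
            while pos + sig_size <= end:
                # Each entry is a 16-byte SignatureOwner GUID followed by the cert.
                yield siglists[pos + 16:pos + sig_size]
                pos += sig_size
        off += list_size


def _tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length


def cert_serial(der: bytes) -> str:
    """Return the certificate serialNumber as colon-separated lowercase hex."""
    tag, start, _ = _tlv(der, 0)            # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, pos, _ = _tlv(der, start)            # tbsCertificate SEQUENCE
    tag, vstart, vend = _tlv(der, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        tag, vstart, vend = _tlv(der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    raw = der[vstart:vend]
    if len(raw) > 1 and raw[0] == 0:        # drop the DER sign-padding byte
        raw = raw[1:]
    return raw.hex(":")


def check_pk(var_data: bytes) -> list:
    """Return findings for PK variable data (efivarfs attribute prefix removed)."""
    findings = []
    for der in x509_certs(var_data):
        for marker in TEST_KEY_MARKERS:
            if marker in der:
                findings.append(f"test-key marker {marker.decode()!r} in PK certificate")
        try:
            if cert_serial(der) == LEAKED_SERIAL:
                findings.append(f"certificate serial matches leaked platform key {LEAKED_SERIAL}")
        except (ValueError, IndexError):
            findings.append("PK certificate could not be parsed")
    return findings


def _der(tag: int, value: bytes) -> bytes:
    """Encode a short-form DER TLV (enough for the small constructed sample)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value


def sample_pk(serial: str, common_name: bytes) -> bytes:
    """Constructed input: a skeletal, unsigned certificate in one signature list."""
    tbs = (_der(0xA0, _der(0x02, b"\x02"))
           + _der(0x02, bytes.fromhex(serial.replace(":", "")))
           + _der(0x0C, common_name))
    sig = bytes(16) + _der(0x30, _der(0x30, tbs))
    return EFI_CERT_X509_GUID + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig


if __name__ == "__main__":
    if not PK_PATH.exists():
        print("no PK variable found (not a UEFI boot, or no platform key enrolled)")
    else:
        # The first 4 bytes of an efivarfs file are the variable's attributes.
        hits = check_pk(PK_PATH.read_bytes()[4:])
        print("\n".join(hits) or "PK shows neither indicator named in the article")
```

A clean result covers only these two indicators; it does not show that the platform key is otherwise sound.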
  • New Android malware wipes your device after draining bank accounts – Majid
    • from Bleeping Computer
    • A new Android malware that researchers call ‘BingoMod’ can wipe devices after successfully stealing money from the victims’ bank accounts using the on-device fraud technique.
    • Promoted through text messages, the malware poses as a legitimate mobile security tool and can steal up to 15,000 EUR per transaction.
    • According to researchers analyzing it, BingoMod is currently under active development, with its author focusing on adding code obfuscation and various evasion mechanisms to lower its detection rate.
    • Researchers at Cleafy, an online fraud management and prevention solution, found that BingoMod is distributed in smishing (SMS phishing) campaigns and uses various names that typically indicate a mobile security tool (e.g. APP Protection, Antivirus Cleanup, Chrome Update, InfoWeb, SicurezzaWeb, WebSecurity, WebsInfo, WebInfo, and APKAppScudo).
    • In one instance, the malware uses the icon for the free AVG AntiVirus & Security tool available on Google Play.
    • During the installation routine, the malware requests permission to use Accessibility Services, which provides advanced features that allow extensive control of the device.
    • Once active, BingoMod steals any login credentials, takes screenshots, and intercepts SMS messages.
    • To perform on-device fraud (ODF), the malware establishes a socket-based channel to receive commands and an HTTP-based channel to send a feed of screenshots, enabling almost real-time remote operation.
    • ODF is a common technique used for initiating fraudulent transactions from the victim’s device, which fools standard anti-fraud systems that rely on identity verification and authentication.
    • Cleafy researchers explain in a report today that “the VNC routine abuses Android’s Media Projection API to obtain real-time screen content. Once received, this is transformed into a suitable format and transmitted via HTTP to the TAs’ [threat actor’s] infrastructure.”
    • One feature of the routine is that it can leverage Accessibility Services “to impersonate the user and enable the screen-casting request, exposed by the Media Projection API.”
    • The commands that the remote operators can send to BingoMod include clicking on a particular area, writing text on a specified input element, and launching an application.
    • The malware also allows manual overlay attacks through fake notifications initiated by the threat actor. Additionally, a device infected with BingoMod could also be used to further spread the malware through SMS.
    • BingoMod can remove security solutions from the victim’s device or block activity of apps that the threat actor specifies in a command.
    • To evade detection, the malware’s creators have added code-flattening and string obfuscation layers, which, based on scan results on VirusTotal, achieved the intended goal.
    • If the malware is registered on the device as a device admin app, the operator can send a remote command to wipe the system. According to the researchers, this function is executed only after a successful transfer and impacts only the external storage.
    • For a complete wipe, it is possible that the threat actor uses the remote access capability to erase all data and reset the phone from the system settings.
    • Although BingoMod is currently at version 1.5.1, Cleafy says that it appears to be in an early development stage.
    • Based on the comments in the code, the researchers believe that BingoMod may be the work of a Romanian developer. However, it is also possible that developers from other countries are contributing.
    • Update 8/2: Google has confirmed that Play Protect detects and blocks BingoMod.
  • Telegram-Controlled TgRat Attacking Linux Servers to Exfiltrate Data
    • from CyberSecurity News
    • TgRat, a Telegram-controlled trojan, was discovered attacking Linux servers in an attempt to steal data from a compromised system.
    • The TgRat trojan was first identified in 2022.
    • Although the original version of the trojan was small and designed for Windows, the latest version uses the widely used messaging app Telegram to target Linux servers.
    • “The trojan is controlled through a private Telegram group to which the bot is connected. Using the messenger, attackers can issue commands to the trojan.
    • It can download files from a compromised system, take a screenshot, remotely execute a command, or upload a file as an attachment”, Dr. Web shared with Cyber Security News.
    • Given the popularity of the Telegram application and the regular traffic to its servers, it is not unusual for threat actors to use it as a vector to distribute malware and steal sensitive data.
    • This is because it is simple to hide malware on a compromised network. The trojan is made to target particular computers; upon startup, it checks the hash of the computer name against an embedded string.
    • If the values do not match, TgRat terminates the process. Otherwise, it establishes a network connection and employs a peculiar approach to communicate with its control server, which is a Telegram bot.
    • Attackers can give commands to the trojan using the messenger. It can upload data as attachments, capture screenshots, remotely run commands, and download files from a hacked system.
    • Attackers issue commands to multiple bots, unlike their Windows counterparts. Researchers stated that this trojan used the bash interpreter to run commands and was encrypted using RSA, allowing the execution of entire scripts in a single message.
    • Because every trojan instance had a distinct ID, attackers could instruct several bots to join a single chat room by sending commands to each one of them.
    • Even though the trojan and control server’s method of interaction is unusual, the attack can be identified by closely examining network traffic.
    • While data exchange with Telegram’s servers may be commonplace for user computers, it is not conventional for a local network server.
    • It is challenging for victims to identify the infection because of this special control mechanism that allows attackers to send commands to the compromised system silently.
    • Therefore, it is advised to install antivirus software on every local network node to prevent infection.
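The network-traffic check described in the TgRat item, as an added example that is not from the article or from Dr. Web: it reads dnsmasq-style DNS query log lines and reports hosts in server address ranges that look up Telegram domains. The server range, the function names and the log lines are assumptions constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Telegram-owned zones; api.telegram.org is the Bot API endpoint a bot client talks to.
TELEGRAM_ZONES = ("telegram.org", "t.me")
# Assumption: the address ranges that hold servers in this environment.
SERVER_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# dnsmasq query-log line: "<timestamp> [host] dnsmasq[pid]: query[TYPE] <name> from <client>"
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?dnsmasq\[\d+\]:\s"
    r"query\[(?P<qtype>[\w-]+)\]\s(?P<name>\S+)\sfrom\s(?P<src>\S+)\s*$"
)


def is_telegram(name):
    """True for a Telegram zone or any subdomain of one (case-insensitive)."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in TELEGRAM_ZONES)


def is_server(src, nets):
    """True when the client address parses and falls inside a server range."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def telegram_lookups_from_servers(lines, nets=SERVER_NETS):
    """Map each server address to its Telegram lookups: count, names, first and last seen."""
    hits = defaultdict(lambda: {"count": 0, "names": set(), "first": None, "last": None})
    for line in lines:
        m = QUERY_RE.match(line)
        if not m or not is_telegram(m["name"]) or not is_server(m["src"], nets):
            continue
        rec = hits[m["src"]]
        rec["count"] += 1
        rec["names"].add(m["name"].rstrip(".").lower())
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
    return {src: {**rec, "names": sorted(rec["names"])} for src, rec in hits.items()}


# Constructed log lines: one server and one workstation query Telegram, the rest is noise.
SAMPLE_LOG = """\
Aug  4 10:15:01 gw dnsmasq[812]: query[A] api.telegram.org from 10.0.5.12
Aug  4 10:15:02 gw dnsmasq[812]: query[A] deb.debian.org from 10.0.5.13
Aug  4 10:15:09 gw dnsmasq[812]: query[A] web.telegram.org from 192.168.1.40
Aug  4 10:16:30 gw dnsmasq[812]: query[AAAA] API.Telegram.org. from 10.0.5.12
Aug  4 10:17:00 gw dnsmasq[812]: query[A] nottelegram.org from 10.0.5.14
Aug  4 10:17:05 gw dnsmasq[812]: forwarded api.telegram.org to 9.9.9.9
""".splitlines()

if __name__ == "__main__":
    for src, rec in telegram_lookups_from_servers(SAMPLE_LOG).items():
        print(f"{src}: {rec['count']} lookups of {rec['names']} "
              f"between {rec['first']} and {rec['last']}")
```

Hosts that use another resolver or connect to hard-coded addresses will not appear in this log, so firewall or flow logs are the complementary source.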

— Play Wanderings Transition Bumper —

Bi-Weekly Wanderings

30 minutes (~5-8 mins each)

  • Bill
    • Well, I haven’t done much these last two weeks with regards to tech due to work, and real life stuff, but I did get Mint 22 installed on this, my “main rig” machine, replacing the Arch installation I’d been enjoying for nearly a month. Although Arch has been fun, and I’ve enjoyed the bleeding edge access to new software, much of what I considered an advantage is more likely a distraction. One thing I was having trouble with was Audacity. As some may be aware, there’s been a recent, major release of the audio software bringing much needed improvements and fixes. Well, on Arch there was a bug where the entire GUI would simply turn blank. As part of the effort to fix the bug I was one of a couple people testing the 3.6.2 branch of the project, not yet available as a package. With Arch, you can install the git version of most packages and with a simple change to the “pkgbuild” file, you can install from a particular github “branch.” Oddly, the AppImage, downloaded from the audacity website doesn’t seem to suffer from the same bug, though there are some problems getting certain AppImages to work on Arch, and Audacity is one of them. Now that I’m back on Mint, I’m enjoying excellent AppImage support again. The lesson to be learned from all of this is that there is a price to be paid for easy access to bleeding-edge packages, and that is that sometimes you end up riding the lightning.
    • As I discussed in the previous episode of mintCast, I was waiting for my PineTime smartwatch to arrive, and so it has arrived. I’m really enjoying the advantages of a smartwatch. I hadn’t worn a watch since my early 20’s but I’m really enjoying this one. Part of the appeal is the company behind the project. Pine64 is a fantastic organization. Their commitment to open source is the reason I have purchased all of the devices I currently own from them. I’ve yet to attempt the firmware upgrade, which is the thing about devices like these – you have to do it yourself. For now, there’s no automatic update mechanism for the device. I will report back when I’ve taken the time to make the attempt. Though she never said so, I could tell my wife liked the watch, so I ordered one for her as well. The watch came two days ago via Fed Ex, as we record this. I also ordered an assortment of colored bands to add a touch of fashion to her experience. So far I think she loves it. She must, she hasn’t removed it, which is about as much praise as you are likely to get from her.
  • Joe
    • Fun couple of weeks. Work has been crazy again between a couple of projects and some quarterly paperwork that is due. Still working a lot of weekends but at least those are from home so I can kick off the 3D print if things get slow.
    • But I did get some things done. In looking at the project to modify that keyboard to Bluetooth I found that I do not have a battery of the correct size or that will work well enough in that position and I don’t want to modify the project until I have done it the way the writer intended. So I will be ordering a battery and continuing. I also may purchase some different single core cable a little bit thicker just as a preference.
    • I was also able to find another really good web camera at one of the resale shops with a mounting hole on the bottom that fits standard 1/4 inch adapters. On the camera that I was using previously for my 3D printer, I had been using a 3D printed go pro style articulated arm attached to a spring clip but I had been moving that camera back and forth between the pi and my garage computer for podcasting.
    • I could have recreated the whole setup but I did have a gooseneck light and phone mount that was already there with the phone mount portion unused. But it uses 17mm ball mount adapters instead of 1/4 drive. In the past I have purchased adapters for this but I checked Thingiverse to see if there was a 3D printed solution since it would be easy enough to design.
    • Strangely no I could not find one. So of course I immediately said to hell with wasting my time and purchased 2 of the adapters for 8 dollars and went and took a lovely nap. No, I went to Tinkercad and designed one myself. It actually was pretty easy and worked well the first time. Although I did go back and make the shaft hole a little larger for the next time I download and print in order to make assembly a little bit easier.
    • This adapter allowed me to mount the camera to the gooseneck and adjust as needed for my 3D printer. I will be printing more of them. The 17mm ball mount is a very common easily affordable part that I use often and the adapter gives me a plethora of other tools that I can use with it.
    • My dad came to visit and to drop off my son before the start of school. While he was here we spent a lot of time watching TV from my Plex. There were a lot of issues with buffering and stalling and the video just plain not working. I would have to downgrade the quality and usually kill chrome and restart it to get every video to play. I found that switching to Firefox alleviated many of these issues and was a much better viewing experience all around.
    • I am thinking that it is the device that I am using to stream but it should be more than powerful enough. I think I will try a reformat and see if that helps. It is one of the Dell Latitudes, it’s not overheating and the ram should not be filling up when I am not using chrome.
  • Moss
    • I had a back-to-school safety training. Learned a few things, some tricks to make a bit more money, got a new ID badge photo.
    • I did upgrades on all the home machines (except the currently-unused Kudu 3). All of them worked well except my wife’s T590, which apparently uses the i915 video driver which has problems with the 6.8 kernel. I have applied a workaround suggested by Londoner, as I don’t have the skillset to change kernels at this time, and it seems to have worked. I had a problem on 3 machines with the Workspaces indicators on the taskbar being shrunk in width from a 5:3 or 6:3 ratio to a 2:3 ratio, in other words, from looking like a shrunk monitor to looking like a thin ribbon.
    • I got new headphones, disliked them, sent them back, got another set and I’m keeping them. The bad set was by Phoinikas, and had a great microphone but the speakers in the ears were pretty bad. I certainly could not use them for audio editing. The good set is Turtle Beach, probably still not the best for sound but significantly better, and with a plugin microphone with a weak friction fit which I don’t even care about.
  • Majid
  • Eric
    • I have spent a good bit of time trying different ways to run AI LLMs, or large language models for the uninitiated, locally on my desktop PC. I’ll get into why after I talk about how I’ve done it. There are quite a few ways to do this, from full desktop applications like GPT4ALL and Alpaca, to container based systems that use a web interface or client-server setup such as llama.cpp and Ollama.
    • In many cases, setting up the software is fairly straightforward. That’s especially true of the desktop applications. The more daunting part has been understanding the models themselves. There are literally hundreds if not thousands of models available for a variety of purposes and from a multitude of sources. Some are focused on general knowledge and chat, such as what you’ve maybe used yourself like OpenAI’s ChatGPT, Google’s Gemini, and Microsoft’s CoPilot. Others are focused on software development or scientific pursuits. Compounding the variety and specialization of models, most models also have different sizes and variations as well as multiple file formats. Saying it’s complicated is an understatement, especially as a beginner. I could spend an hour on the subtleties but, suffice to say, there’s a lot to understand. After having spent many, many hours wrapping my head around all of this, I have come to some conclusions as to what works best for me, so far at least.
    • Desktop applications have the advantage of being self-contained and most include ways to manage models, the chat interface, local documents, and so on. These applications usually provide a curated list of models that are known to work well on consumer grade hardware. Most people who have a strong interest in running their own LLMs either have powerful hardware themselves or use cloud services to access that type of equipment. There are some projects, these desktop apps in particular, that are bridging the gap between regular consumer hardware and data center level gear. They allow you to run the models using just the CPU and, while this is way, way slower than using a GPU, it does work. They essentially make it possible for just anyone to run an AI instance on their local system, whatever that may be.
    • The client/server options are usually container based meaning something like Docker. They are way more complicated to install and configure when compared to the desktop applications. The main advantage of these is to be able to run the container on more powerful hardware and then use a web-based client or even a desktop app via an API. This lets you run the server on whatever hardware is best suited for the task and then access it via a client from basically any device. There is essentially no overhead on the client side and most of the web clients are mobile friendly so you can use your smartphone for example.
    • My desktop has a 6 core Ryzen 5 5600 CPU, 16 GB of RAM, and an RTX 2060 that has 6 GB of GPU RAM. It’s not a slouch for most use cases but only having 6 GB of GPU memory isn’t great. Ideally, you want at least 16 GB, definitely more if you can afford it. Models can be partially offloaded to the GPU, even if there isn’t enough for it to be fully loaded in RAM but ideally, you want the model to be able to be fully loaded in memory. I’m going to see what a card with more memory costs but I’m assuming it’s not cheap.
    • There are a variety of reasons why I want to run models myself. One of the main ones is functionality. Most of the AI providers limit the number of interactions you can have within a certain time frame or what types of things you can do. I don’t really want to pay for the upgrades that would remove those limitations. Another concern is privacy. I assume that anything I do on their systems is logged. I don’t necessarily mind if they use my interactions to train the models but I don’t like that the data is associated with me specifically. The last main reason for doing this is to just better understand how these things work. It’s a developing field that is only going to get bigger. I feel like it’s important for me to have at least a basic understanding of the moving parts.
    • The specific use cases that I have had recently are reviewing and summarizing large bodies of text, such as Terms of Service. AI is able to provide a summary and then has the body of text in memory allowing me to ask specific questions like what a company is permitted to do with my data, according to their TOS. Another use case is generating text for things like creating web pages and blog posts, show notes, text blurbs, SEO titles, and so on. AI excels at these tasks and I find myself using these tools more and more. The last thing, and this is perhaps a bit odd, is chatting. It’s interesting to me to have conversations about science or philosophy. You’d be surprised how much you can get out of one of these conversations.
    • I expect I will continue exploring this topic so expect to hear more about it in future episodes. Also, if you have any suggestions for me or questions about what I’ve been doing specifically then please get in touch. I’d love to hear about your experience of running your own AI setup.

— Play Innards Transition Bumper —

Linux Innards

30 minutes (~5-8 minutes each)

  • Mint 22
    • Kernel 6.8
    • Pipewire
    • Under the hood improvements.
    • i915 kernel bug for kernel 6.8 link
      • edit GRUB by sudo nano /etc/default/grub
      • Find the line beginning with GRUB_CMDLINE_LINUX_DEFAULT=".
      • To the end of that line (but before the closing quotes) add: i915.enable_dc=0 intel_idle.max_cstate=2
      • Save file
      • run sudo update-grub
      • reboot
    • No new artwork
    • LMDE 6 also received the upgrade to Cinnamon 6.2
  • Upgrade issues
    • Joe
      • I tried to use the upgrade tool mintupgrade on two separate machines to go from 21.3 to 22. One of them I went from 21.2 to 21.3 to 22 and while the upgrade went well from 21.2 to 21.3, both machines failed to install 22 correctly. Both got hung during the install process, one was frozen and the other just sat there doing nothing.
      • One of them was an easy enough fix, this machine that I am using right now just needed me to ctrl-alt-f4 to force it down to command line after the desktop would not load. After that a simple matter of
        • sudo dpkg --configure -a
        • sudo apt install --fix-broken
        • sudo apt update && sudo apt upgrade -y && sudo apt autoremove -y
      • And things were working again. First boot took a long time but things sped up again after
      • The other machine which is my little mini laptop the onegx. Well for some reason it had a major issue installing the linux-generic-headers and I think that I will just be doing a full wipe on it and starting over from scratch with a clean install. Should not be that difficult but I am trying to fix things first
      • I may also use the time shift tool and go back to 21.3 and try the update again. Although maybe purging those versions of the headers and doing a reinstall will work. I also removed most of the applications that were installed while trying to fix so I may do a fresh install anyway
    • Moss – no issues with upgrade from 21.3 to 22 on all four machines, had to run the i915 fix on my wife’s T590.

— Play Vibrations Transition Bumper —

Vibrations from the Ether

20 minutes (~5 minutes each)

— Play Check This Transition Bumper —

Check This Out

10 minutes

  • Check out Gear Lever, an app to manage your AppImages and integrate them into the menu system. It’s available as a flatpak and is in the Mint Software Manager.
  • “An utility to manage AppImages with ease! Gear lever will organize and manage AppImage files for you, generate desktop entries and app metadata, update apps in-place or keep multiple versions side-by-side.”
  • https://flathub.org/apps/it.mijorus.gearlever

Housekeeping & Announcements

  • Thank you for listening to this episode of mintCast!
  • If you see something that you’d like to hear about, tell us!

Send us email at [email protected]

Join us live on Youtube

Post at the mintCast subreddit

Chat with us on Telegram and Discord,

Or post directly at https://mintcast.org

Wrap-up

Before we leave, we want to make sure to acknowledge some of the people who make mintCast possible:

  • Bill for our audio editing
  • Archive.org for hosting our audio files
  • Hobstar for our logo, initrd for the animated Discord logo
  • Londoner for our time syncs and various other contributions
  • Bill Houser for hosting the server which runs our website, website maintenance, and the NextCloud server on which we host our show notes and raw audio
  • The Linux Mint development team for the fine distro we love to talk about <Thanks, Clem … and co!>

— Play Closing Music and Standard Outro —

Linux Mint

The distribution that spawned a podcast. Support us by supporting them. Donate here.

Archive.org

We currently host our podcast at archive.org. Support us by supporting them. Donate here.

Audacity

They’ve made post-production of our podcast possible. Support us by supporting them. Contribute here.

mintCast on the Web

This work is licensed under CC BY-SA 4.0
