Welcome to mintCast

the Podcast by the Linux Mint Community for All Users of Linux

This is Episode 406!

This is Episode 406.5!

Recorded on Sunday the 19^th of February, 2023

in lots of pain im Joe, … Moss, lovin’ life and feelin’ good I’m Bill, and Special Guest, Danielle Foré

— Play Standard Intro —

• First up in the news
• Looks like the end for Mycroft, Proton offers Drive for everybody, MidnightBSD takes on helloSystem, Fedora 38 now with full Flathub access, new Transmission, Android 14 Preview, Framework has new SSDs, new versions of KaOS and Parrot, Ardour and Clonezilla have new releases, and systemd is the future;
• In security and privacy, several PyPI packages steal crypto;
• Then in our Wanderings, Joe’s back hurts, Moss is underworked, and Bill is not.

• In our Innards section, we have invited Danielle Fore to come and talk about her Elementary OS project, and other changes;
• And finally, the feedback and a couple of suggestions.

— Play News Transition Bumper —

The News

20 minutes

• Looks like the end for Mycroft
  • (from The Register via londoner)
  • Mycroft AI, creator of a Linux-based virtual assistant, announced on Friday (Feb 10) it would not be able to fulfill rewards for its Mark II Kickstarter campaign. Furthermore, without immediate new investment, the company will be forced to cease development by the end of the month. The company is now at bare-bones employee count: layoffs have reduced the staff down to two developers, one customer service agent and one attorney.
  • Mycroft AI ended up spending more time than intended on the Mark II hardware, and the move became expensive and detracted from software, which was what the company actually wanted to focus on, said CEO Lewis.
  • But what truly killed the company and product, he claimed, were expenses related to ongoing litigation. In 2020, Mycroft AI was sued for patent infringement from what it labeled a “patent troll.” The company suing Mycroft AI, Voice Tech Corporation, dropped its litigation, but not before costing the startup deeply to the tune of one million dollars.
• Use Proton Drive with any email address
  • from TechRadar
  • Proton Drive has been particularly successful since its launch in September last year, registering over 1 million files uploaded per day in less than two months.
  • Now, in a continuous effort to secure the online lives of more and more people, new Proton Drive users can sign up using any other third-party emails as username.
  • Prior to this, a Proton account was needed to access its file storage service. However, this created a barrier for those looking to only secure their sensitive documents instead. The provider believes that such a move will help internet users “to gradually reduce their exposure to Big Tech’s surveillance infrastructure,” one step at a time.
• Midnight BSD coming for … people who don’t like helloSystem?
  • from Phoronix
  • For those that may have tried the recent macOS-inspired helloSystem 0.8 release for that desktop-focused FreeBSD-based operating system, if that didn’t satisfy your desktop BSD desires, MidnightBSD 3.0 is working its way to release as another alternative.
  • MidnightBSD 3.0 is expected to be coming out soon as another BSD desktop OS that was previously forked from FreeBSD but continues pulling in new kernel/driver code. MidnightBSD is one of the few BSD distributions focused on desktop users and trying to make it a breeze carrying out daily desktop tasks. MidnightBSD 3.0 has been in development to succeed MidnightBSD 2.2 and there have been development snapshots published in recent months.
  • This weekend it was announced that MidnightBSD 3.0’s stable branch is “pretty much ready”. From that status update:
  • “The 3.0 stable branch is pretty much ready. We may update sqlite3 yet. The delay in the release has been due to issues with several mports. We’re still working through those problems, but one can’t ship a desktop OS without a working desktop….”
  • Mport is the package manager of MidnightBSD. In any event it looks like soon enough MidnightBSD 3.0 will be out as another easy-to-use desktop BSD option.
• Fedora 38 Offers Unfiltered Access to Flathub
  • from OMGLinux
  • Full, unrestricted access to Flathub is coming to Fedora.
  • The Fedora Engineering and Steering Committee (aka the folx in charge of approving changes to the RedHat-backed Linux distro) have OK’d the proposal to provide users with access to “Unfiltered Flathub” in the next release.
  • “Doesn’t Fedora already give me easy access to Flathub?”, you ask. Yes and no.
  • Since Fedora 35 (released back in 2021) you are able to enable access to Flathub as part the GNOME Initial Setup tool that runs after the first login, as well as from the software repositories panel in GNOME Software.
  • The problem? This does not enable access to the full version of Flathub, which most expect.
  • Without further configuration Fedora only offers permits access to a filtered (and significantly smaller) set of software from Flathub. This is because it’s complicated some software distributed through via Flathub is proprietary, unofficial, or subject to stricter licensing reqs.
  • To get unfettered access to the full range of 2,000 plus apps currently available on Flathub, you have to manually set-up Flathub from the command-line (or by downloading a .flatpakrepo file) — and enabling proper Flathub is one of the first things I do after installing Fedora!
  • Thankfully, that won’t be necessary in Fedora 38. When enabling Flathub during setup/via GNOME Software the distro will now give you access to the whole of Flathub and not just a heavily redacted slither.
  • There will still be a priority; apps will default to fetching the version from the Fedora Flatpak repo first, then the Fedora RPM repo, and then, Flathub. This won’t affect anyone too much as most of the apps on Flathub are not in the Fedora repo or Flatpak repo.
  • This simple yet important change will be reflected in the next major stable release, Fedora 38 Workstation, currently in development and due for release later this year.
• Transmission 4.0 Released
  • from 9to5 Linux
  • The popular Transmission open-source, free, and cross-platform BitTorrent client has been updated today to version 4.0, a major release that introduces numerous new features and performance improvements.
  • Coming more than two and a half years after Transmission 3.0, Transmission 4.0 introduces support for BitTorrent v2 and hybrid torrents, support for IPv6 blocklists, and a revamped Web client with full mobile support with full-screen and dark mode support.
  • Other new features include an option to omit potentially-identifying information like User-Agent and date created when creating new torrents, the ability to set “default” trackers that can be used to announce all public torrents, and the ability to specify the piece size when creating new torrents.
  • Furthermore, Transmission 4.0 introduces configurable anti-brute force settings, the ability to fetch metadata of stopped magnets, support for changing the progress bar color in the GTK client depending on the torrent state, and an updated Details dialog that includes the date a torrent was added and faster rendering of large file lists.
  • Transmission 4.0 also starts newly-added seeds immediately and verifies pieces on demand rather than using the old method where a full verification was required before seeding can begin. Moreover, there’s a new torrent-added-verify-mode setting to force-verify added torrents.
  • There are also many under-the-hood performance improvements to make Transmission use less memory and fewer CPU cycles. Also, the RPC API “table” mode is now used for both transmission-qt and transmission-web remote control GUIs, which results in smaller payloads and less bandwidth use.
  • In addition, the entire codebase has been migrated from C to C++, the GTK client was ported to GTK 4 and GTKMM, the Web client was rewritten in modern JavaScript, the Qt client now supports Qt 6, DHT bootstrapping was greatly improved, and ayatana-indicator is now preferred over appindicator.
  • Transmission 4.0 is available for download right now from the official website as a source tarball that you’ll have to manually compile. If that’s not your cup of tea, you’ll have to wait for the new version to arrive in the stable software repositories of your GNU/Linux distribution before updating from Transmission 3.0.
  • How to install from PPA on Mint & Ubuntu
• Android 14 Preview 1 is out, will officially ban installation of old apps
  • from ArsTechnica
  • Android 14 is here—or the first preview is, at least.
  • Google is kicking off the months-long developer preview process for Android’s latest version, which will get a final release in the second half of the year. Even with multiple previews, Google likes to keep the final set of Android features under wraps at least until its I/O conference in May, so we can’t look at the features here to determine the scope of Android 14. These are just some of the features Google wants developers to have a head start on.
  • The biggest news is that Android 14 will block the installation of old Android apps. As Android changes over the years, new APIs and increased security, privacy, or background processing restrictions could break old apps, but Android’s backward-compatibility system keeps these old apps running. Apps can declare the newest version of Android they support via a “Target SDK” flag.
  • To prevent old apps from breaking, new features and app restrictions in, say, Android 12 only apply to apps that target Android 12 or above. Older apps will continue to run with the older set of restrictions they’re used to. (A different setting, called “Minimum SDK,” determines if a new app can run on an old Android OS.) The system works great for honest developers, but if you’re building a piece of malware, it’s an easy decision to target a very old version of Android. While you’ll get access to fewer features, you’ll also be subject to fewer security and privacy restrictions.
  • For the first time, Android 14 will close this malware loophole by simply refusing to install old apps. The cutoff point is generous enough that it shouldn’t cause anyone problems; any app lower than the 8-year-old Android 6.0 target will be blocked. Google says it picked Android 6 because it’s the version that introduced runtime permissions, the allow/deny boxes that pop up asking for things like camera access. In addition, “some malware apps use a targetSdkVersion of [Android 5.1] to avoid being subjected to the runtime permission model introduced in 2015 by Android 6.0,” Google said.
  • Users who don’t sideload apps probably haven’t seen an Android 6.0 app in years—the apps certainly aren’t available in the Play Store. The Play Store implemented rolling minimum target SDK levels in 2018, requiring new and updated apps to target an Android version that’s a year old or newer. So in 2018, the minimum SDK version the Play Store would accept was Android 8.0, and since it goes up every year, the minimum level today is Android 12. That requirement for “new and updating apps” means abandonware was initially still visible on the Play Store, but Google started hiding old apps last year, and now any app that hasn’t been updated in two years will be hidden from the store.
  • It also sounds like the core Android OS will cull app support every year. 9to5Google discovered this feature when it first hit the Android codebase, and there was talk of a “progressive ramp up” for the minimum app level in the commit. If you somehow still have an Android 6.0 app on your phone and upgrade to Android 14, the app won’t be removed, Google says. If you really still want to install an app that old, an ADB command line flag—”adb install –bypass-low-target-sdk-block FILENAME.apk”—will bypass the block. That requires a USB cable, a PC, and an installed Android Developer SDK, so Google assumes you know what you’re doing if you go down that path.
  • The second most interesting feature is a new “non-linear font scaling” idea. Android has had a font-scaling feature for a while, but now, instead of linearly making everything bigger and blowing up heading text, the feature will scale small text more than big text. If you use the font-scaling feature, your problem is probably that some small font is too small to see, so this change makes a lot of sense. Along with this smarter font scaling, Google is bumping up the size limit, from 130 percent to 200 percent.
  • It’s hard to say too much about the remaining features. Documentation is not live, and we only have a vague blog post to work off of. There are many changes involving “streamlining background work,” with Google saying it wants to be “more opinionated about how foreground services should be used, reserving them for only the highest priority user-facing tasks so that Android can improve resource consumption and battery life.”
  • Android is updating to OpenJDK 17, and while that’s still a work in progress, Google says it is “working hard to fully enable Java 17 language features in upcoming developer previews.” Interestingly, the company plans to backport this work to older Android versions via the Project Mainline’s Android RunTime module. Google says that “over 600M devices are enabled to receive the latest Android Runtime (ART) updates”—ART became an updatable Mainline module in Android 12.
  • We also got a new release timeline. As usual, there will be a monthly release, with the easy-install “Beta” release starting in April. We’ll also highlight May as the Google I/O release, which usually has more in the way of consumer features. This says the final release will be sometime in August or later.
  • Flashable builds (which are not meant for your daily driver) should be available on the Android Developer site. Besides the emulator, Google says you’ll be able to try this first release on a Pixel 7 Pro, Pixel 7, Pixel 6a, Pixel 6 Pro, Pixel 6, Pixel 5a 5G, Pixel 5, or Pixel 4a (5G). Update: The Pixel 4a (5G) is getting the update, not the base model Pixel 4a. The Pixel 4a 5G launched alongside the Pixel 5, months apart from the Pixel 4a.
• Framework now offers Steam-Deck-sized SSDs, just because it can
  • from ArsTechnica
  • Steam Deck and Microsoft Surface owners looking to get more SSD storage than is typically offered (and for less money) have a new, unexpected source: Framework, the repairable laptop company.
  • Seeing the need for reputable vendors of smaller-size M.2 drives, the company decided to “add one more line item” to its typical Western Digital drive order. As such, the company has started offering a 2TB M.2 2230 drive for $300 in its US and Canada stores. As of this writing, the drives are sold out, but you can sign up to be notified when they’re back in stock.
  • Framework founder and CEO Nirav Patel describes the move as “an interesting opportunity to enable upgrades on another popular consumer electronics product: the Steam Deck.” Patel notes that “it can be difficult to find legitimate sources for larger capacity drives,” like the 2TB SN740 2230 models from Western Digital that Framework will offer. Patel links iFixit’s guides to upgrading the Steam Deck and Surface devices and asks Framework fans to let the company know about other ways to “help you with hard-to-find upgrades for other products.” We’ll presume “retail-price GPUS” isn’t worth mentioning.
  • As we noted in an article about the widening availability of teensy SSD drives, these drives aren’t cheap, but they still provide large savings over the big OEM vendors’ prices.
  • Upgrading the Surface Laptop Go 2 from a 128GB SSD to 256GB costs between $50 and $100 if you buy from Microsoft or another retailer, and higher-capacity drives aren’t available. Microsoft will charge $300 to upgrade the Surface Pro 9 from a 256GB SSD to 512GB and $600 to upgrade from 256GB to 1TB. The Steam Deck’s various price tiers come with other non-storage-related benefits, but going from the base model’s 64GB of slow eMMC storage to a 256GB SSD still costs at least $130.
  • Buying from a name like Western Digital via Framework is also likely to be a better bet than purchasing from lesser-known vendors on eBay or other marketplaces. While these drives are not Framework-labeled and thus don’t have the company’s one-year warranty, there is still a 30-day return policy and a wider number of support options. Framework’s warranty language suggests that actual malfunction or failure response would be handled by Western Digital.
• New Versions of KaOS Linux and Parrot
  • from 9to5 Linux and Parrot blog
  • KaOS:
  • The development team behind the Arch Linux-inspired, yet independently developed, and KDE-focused KaOS Linux distribution released today KaOS Linux 2023.02 as the newest ISO snapshot with the latest updates and GNU/Linux technologies.
  • Powered by the latest and greatest Linux 6.1 LTS kernel series, KaOS Linux 2023.02 is one of the first GNU/Linux distributions to ship with the just released KDE Plasma 5.27 LTS desktop environment, which is accompanied by the latest KDE Gear 22.12.2 and KDE Frameworks 5.103 software suites.
  • This is the second GNU/Linux distribution to my knowledge, after KDE neon, to offer a live, production-ready ISO image with the latest and greatest KDE Plasma desktop environment. More distributions will offer it in the coming days, but these are currently the first if you want to use KDE Plasma 5.27 LTS right now.
  • As usual, the ISO release comes with some of the latest GNU/Linux technologies, including NetworkManager 1.42, OpenSSH 9.2p1, CLang/LLVM 15.0.7, Busybox 1.36.0, GnuPG 2.4.0, OpenZFS 2.1.9, Python 3.10.10, SQLite 3.40.1, systemd 252.5, IWD 2.3, MPFR 4.2.0, Dracut 059, libtiff 4.5.0, and many others.
  • No other major changes or improvements appear to have been implemented in this release, which is here only for those who want to deploy KaOS Linux on new machines or wish to reinstall their systems for whatever reason.
  • Parrot:
  • What’s new in Parrot OS 5.2
    • The Calamares installer received several important updates to fix common installation issues.
    • The Linux kernel was updated to version 6.0
    • Several security updates were included to fix important bugs to Firefox, Chromium, sudo, dbus, nginx, libssl, openjdk and xorg.
    • Anonsurf, our popular anonymity tool, now includes better support to TOR bridges.
    • Wireless drivers for several Broadcom and Realtek cards not supported by debian received a major upgrade to include support for the 6.x Linux kernel, along with Virtualbox and Nvidia drivers
    • Pipewire, the popular pulseaudio alternative, fixed several stability bugs with a new version backported from Debian backports
  • Other products improvements
    • The Raspberry Pi images received important updates to improve system performance and fix the audio drivers
    • The HackTheBox edition received minor graphical updates.
    • There is an easy upgrade to the new version if you are already using 5.1.

• Ardour 7.3 Open-Source DAW Released with VST3 Multi-Bus Support, Searchable Preferences
  • from 9to5 Linux
  • The Ardour 7.3 open-source digital audio workstation (DAW) software arrived Feb. 16 with more new features and a bunch of improvements for all your music production needs.
  • Coming two months after Ardour 7.2, the Ardour 7.3 release is here to introduce support for VST3 plugins with multiple I/O busses to allow instrument plugins to have dedicated additional outputs, as well as sample rate independence so that audio hardware sample rate and session sample rate no longer have to match.
  • Ardour 7.3 also updates the UI to introduce support for searching items in the global Preferences and the Session Properties dialogs, the ability to reverse the polarity of an audio region, working undo/redo in the recording page, and the ability to directly use the MIDI tracer on physical MIDI ports.
  • Under the hood, this release brings support for the AVX-512 x86 instructions to enhance its performance. However, the developers note the fact that the official Linux binaries currently don’t include this feature, which will be added in the next release, Ardour 7.4.
  • Other improvements included in Ardour 7.3 are support for the Quick Export dialog to sort range markers by time, the ability to check all channel configurations before exporting, tapping tempo with a MIDI keyboard, as well as grouping of system ports by a common prefix (e.g. by device).
  • “When using PipeWire (or otherwise having multiple JACK clients exposing physical ports), the indices are even less meaningful than otherwise (as different devices could appear in arbitrary order), so also using pretty names for stereo bundles makes the UI less confusing in places where these bundle names are used (for example the menu when clicking on an IOButton), explained the devs.”
  • On top of that, the Plugin Setup dialog will now limit options to “stereo” and “all” when loading a plugin with more than two outputs. Ardour 7.3 also improves solo handling, monitor control, as well as the do not reset fader to unity on selection function for the Faderport 8 control surface.
  • Several bugs were fixed in this release and various language translations were updated. For more details, check out the full release notes. Ardour 7.3 is available for download from the official website as a source tarball that you’ll have to manually compile on your GNU/Linux distribution.
• Clonezilla Live 3.0.3 Disk Cloning Tool Adds Support for Multiple LUKS Devices, Linux 6.1 LTS
  • from 9to5 Linux
  • Clonezilla Live developer Steven Shiau announced the release of Clonezilla Live 3.0.3 Feb 16, as the third maintenance update in the latest Clonezilla Live 3.0 series of this open-source, free, and powerful partition and disk cloning/imaging live ISO distribution based on the Debian Sid repositories.
  • Clonezilla 3.0.3 comes more than three months after Clonezilla 3.0.2 and bumps the Linux kernel from the now deprecated Linux 6.0 to the long-term supported Linux 6.1 LTS. The live ISO ships with Linux kernel 6.1.11 by default.
  • Starting with this release, Clonezilla Live now supports mkinitcpio in the initramfs updating mechanism when restoring Arch Linux systems and derivatives. Also, the new release improves the LUKS mechanism to support multiple LUKS devices and no longer clone encrypted swap data.
  • A new program has been added in Clonezilla 3.0.3, called ocs-live-ver, which can be used to show the Clonezilla Live version currently running. Various other programs were updated to their latest versions, such as Memtest86+ 6.00 and Partclone 0.3.23.
  • Among other changes, Clonezilla Live now shows the swap partition in the saveparts dialog menu and adds a better mechanism to handle both ways of saving the swap partition, which is by keeping UUID/label or dumping by dd, adds a –powersave off option in setterm to prevent screen blanking in the console, adds the -j2 option in the restoreparts menu, and replaces the ocs-bttrack program with opentracker.
  • Several bugs were addressed as well in Clonezilla 3.0.3 to improve converting of a disk image to the BT format and to patch the live-config package to support the “usercrypted” parameter. You can download the new release below for all your partition and disk cloning/imaging needs.
  • Clonezilla Live supports a wide range of filesystems, including EXT2, EXT3, EXT4, ReiserFS, XFS, JFS, FAT, NTFS, HFS+, UFS, minix, and VMFS. It also supports LVM2, multicast, as well as 32-bit (x86) and 64-bit (x86_64) architectures for cloning GNU/Linux, macOS, and Windows systems.
• systemd 253: You’re looking at the future of enterprise Linux boot processes
  • from TheRegister
  • The first systemd release of 2023 is here, and it introduces a brand spanking new tool for building Unified Kernel Image (UKI) files.
  • Fresh versions of systemd appear roughly twice a year, apart from release candidates. We reported on the last version, systemd 252, in November last year. As we said at the time, systemd 252 brought in support for Agent P’s new, more secure Linux boot process. Those two stories have details of the UKI boot files and how they work.
  • The support and tooling for UKI continues to improve, and one of the headline features in version 253 is a tool for building these unified kernel images, which is called ukify. As the systemd release notes say:
  • A tool ukify tool to build, measure, and sign Unified Kernel Images (UKIs) has been added. This replaces functionality provided by dracut –uefi and extends it […]
  • From the new program’s manual page:
  • Note: this command is experimental for now. While it is intended to become a regular component of systemd, it might still change in behaviour and interface.
  • Like it or not, it certainly seems likely that UKIs will become the standard way to start many enterprise Linux distros, if only because of their support for automatically unlocking drives using Full Disk Encryption (FDE) by retrieving keys from the machines’ integrated TPM2 chips. Three of the last four new laptops that have landed on The Reg FOSS desk came with Windows’ Bitlocker FDE turned on by default. (The only one that didn’t was Tuxedo Computers’ Stellaris gen 4, a gaming laptop with a multicolor illuminated mechanical keyboard. As a machine intended to run Linux, that’s not really a surprise.)
  • Many users might never even notice it, unless they try to dual-boot the computer with a non-Windows OS and find that nothing else can read the disk. Never fear: we have described how to turn it off and make such a machine ready to dual-boot.
  • There are of course lots of other changes, but they should be less visible to most people. There’s a new option to limit the amount of memory assigned to the compression pool if you use zswap swap area compression, a feature added to “Linux for Workgroups”, AKA kernel 3.11 way back in 2013. We suggested enabling this last year as a way to improve the performance of desktops or laptops with limited RAM, and it can help quite a lot, but the price of reduced swap usage is increased CPU strain and the need for a block of memory for the compressed cache.
  • As described in some kernel patches last year, zswap is a complicated tool and its interactions on a system running lots of cgroup2 containers is not easy to debug.
  • Tweaks to the systemd OOM killer suggest that this is still causing issues, as it did even back in Fedora 33, which is why Linux Mint 21 disabled it altogether.
  • The systemd-boot tool, which is used in Pop!_OS and caused us grief, now supports other ways of loading the kernel in the Xen hypervisor and QEMU hypervisor/emulator, such as from locations other than the UEFI ESP.
  • Handling of several file system issues has been improved. If systemd finds a swap volume with a different page size to the one that system needs, it will automatically reformat it, and it has better handling of an initrd that isn’t a pure RAMdisk, such as an overlayfs. There’s also direct support for a technology we’d not met before: HS SRE, or to give it its full name, Lockheed-Martin Hardened Security for Intel processors.
  • Many won’t like it, but expect systemd 253 to appear in the next version of most mainstream distros. If that thought is too much to bear, there are still a decent selection of distros that don’t have it.

— Play Security Transition Bumper —

Security and Privacy

10 minutes

• 451 PyPi Packages Install Chrome Extensions to Steal Crypto
  • from Bleeping Computer
  • Over 450 malicious PyPI python packages were found installing malicious browser extensions to hijack cryptocurrency transactions made through browser-based crypto wallets and websites.
  • This discovery is a continuation of a campaign initially launched in November 2022, which initially started with only twenty-seven malicious PyPi packages, and now greatly expanding over the past few months.
  • These packages are being promoted through a typosquatting campaign that impersonates popular packages but with slight variations, such as an altered or swapped character. The goal is to deceive software developers into downloading these malicious packages instead of the legitimate ones.
  • As Phylum explains in a report published on Friday, in addition to scaling up the campaign, the threat actors now utilize a novel obfuscation method that involves using Chinese ideographs in function and variable names.
  • Some of the popular packages impersonated in the current typosquatting include bitcoinlib, ccxt, cryptocompare, cryptofeed, freqtrade, selenium, solana, vyper, websockets, yfinance, pandas, matplotlib, aiohttp, beautifulsoup, tensorflow, selenium, scrapy, colorama, scikit-learn, pytorch, pygame, and pyinstaller.
  • The threat actors use between 13 and 38 typosquatting versions for each of the above, trying to cover a broad range of potential mistypes that would result in downloading the malicious package.
  • To evade detection, the threat actors have employed a new obfuscation method that wasn’t present in the November 2022 wave, now using a random 16-bit combination of Chinese ideographs for function and variable identifiers.
  • Phylum’s analysts discovered that the code uses built-in Python functions and a series of arithmetic operations for string generation. So, while the obfuscation creates a visually strong result, it’s not very hard to break.
  • “While this obfuscation is interesting and builds up extremely complex and highly obfuscated looking code, from a dynamic standpoint, this is trivial,” reads Phylum’s report.
  • “Python is an interpreted language, and the code must run. We simply have to evaluate these instances, and it reveals exactly what the code is doing.”
  • To hijack cryptocurrency transactions, the malicious PyPi packages will create a malicious Chromuim browser extension in the ‘%AppData%\Extension’ folder, similar to the November 2022 attacks.
  • It then searches for Windows shortcuts related to Google Chrome, Microsoft Edge, Brave, and Opera and hijacks them to load the malicious browser extension using the ‘–load-extension’ command line argument.
  • For example, a Google Chrome shortcut would be hijacked to “C:\Program Files\Google\Chrome\Application\chrome.exe –load-extension=%AppData%\\Extension”.
  • When a web browser is launched, the extension will load, and malicious JavaScript will monitor for cryptocurrency addresses copied to the Windows clipboard.
  • When a crypto address is detected, the browser extension will replace it with a set of hardcoded addresses under the threat actor’s control. This way, any sent crypto transaction amount will go to the threat actor’s wallet instead of the intended recipient.
  • A list of regular expressions used to detect cryptocurrency addresses in the Windows clipboard and replace them with the threat actor’s addresses can be seen below.
  • In this new campaign, the threat actor extended the number of supported wallets and has now added cryptocurrency addresses for Bitcoinm Ethereum, TRON, Binance Chain, Litecoin, Ripple, Dash, Bitcoin Cash, and Cosmos.
  • For a complete list of the malicious packages that should be avoided, check the bottom section of Phylum’s report.

— Play Wanderings Transition Bumper —

Bi-Weekly Wanderings

30 minutes (~5-8 mins each)

• Joe
  • Pretty boring two weeks. My back has been hurting and I have started up physical therapy again. Turns out the disks in my lower spine are deteriorating. Slowly but surely. I am a little young for it but I have lived and this is the proof
  • I have ordered a couple of items for projects to work on including a low cost 512 Gb micro SD card that only cost 20 dollars. I have not noticed any issues with it yet but I have not used it much. I don’t want to put any important information on it but I do want to see how long it lasts. Prices are starting to come down for micro sd cards and I hope that longevity will be increasing as well.
  • I also ordered a Waveshare Gamepi 20 which takes a Pi Zero and turns it into a mini handheld. I thought it would be fun to try and we shall see. I did receive the item but I guess I was not paying attention when I was reading the description. It says that it needs a 14500 battery for power and that it did not come with it but came with everything else that you would need to put together. I ordered a pair of 14500 batteries and when the thing arrived it had the battery soldered on but did not have the header pins for the pi zero. So now I have to wait for that order to arrive before I can do the build. I have gotten stuff from waveshare before but I gave it to my son which was probably a bad idea. He destroyed it pretty quick.
  • I want to also design and print a case for the thing so I can throw it into a bag with no issues.
  • I am doing a lot more typing on it lately but it is getting more difficult to get the time in since I am having to go to the office more.
  • I also found another use for audiobookshelf. First some background. I have a very extensive collection of ebooks from when I was using a pda. But they were all in .lit format so I imported them all to calibre and then batch converted them to epub and then had audibookshelf point to the folder location so now my ebook library is also available from audiobookshelf. The next thing that I am going to do is have voice aloud look at the download folder for audiobookshelf and then try out a couple of ebooks
  • working on the next iteration for the laptop dock for the OneGX. It is not lacking in USB ports now. I have not mounted the last USB hub to the device but I have gotten the right angle USB 3.0 connector in place and attached to another 4 port hub that sits snugly in the front. I am not sure if I want to glue it into that position or make something so that I can turn the hub backwards after connecting some semi permanent USB devices. But as it sits right now it has 11 USB ports. 6 3.0 4 2.0 and one 3.1 and also has 2 HDMI ports, 2 micro SD card slots and a full size sd card slot. While only making it about an inch taller. I do want to add some rubber grips on the bottom to make sure that it doesn’t slide but I think that it is pretty good.
  • I really think it turned out well and almost looks commercially made. It really adds a lot of functionality without making it take up a lot more room.
  • I designed and 3-D printed some fat grips for my forearm workout device. Which is a wrist roller that is suspended from the ceiling to take out the shoulders from the exercise. I have had the device for years but always used a smaller grip on it but the larger grip does provide much more of a workout.
  • I also redesigned the wide grip pulldown handles that I had made and had a lot of problems trying to get it to print. It would break supports and make spaghetti every time. I eventually printed it standing up in such a way that there were no supports and then found out that my hole for adding a screw was at the wrong angle on the stl from when I was redesigning and I would either need to redesign and reprint or I would need to get out the drll and fix the issue. I chose the drill. But also the hole will not be in the center so I will not need to glue it into place to keep it at the correct angle. I did get this printed and it looked good. I made the infill to be 100 percent in the places where the stress would be the greatest but because of the size of the handgrips I tried to same some plastic and did a 30 percent infill. This worked well at first. Then when I put some heavier weight on the pull down one of the handles snapped along the point where it transitioned from 100 percent infill to 20 percent infill. It sliced my fingers pretty well. I am going to try to print again with the whole thing as 100 percent infill but I am also going to remember to wear gloves the first couple of times I use a 3d printed piece of equipment like that.
  • Also watched a video of someone designing things in tinkercad and I found out that I was missing out on a lot of functionality and a lot of things I was doing the hard way like centering has a much easier method that I did not know about. Plus a bunch of shapes that could make things a lot easier.
• Moss
  • I haven’t been doing much lately, just keeping up on my podcasts and almost forgetting about this one. We’ve had some minor things going on, auto maintenance and a rare rent hike. I had two days of teaching canceled due to weather, and still have only had one work day this calendar year.
  • I had an idea for the next Distrohoppers’ Digest that we should all take a stab at BlendOS, but we have each had different issues with it, so that might go by the boards. Maybe we expected too much of it, but the pedigree cannot be ignored.
  • Most of my free time has been taken up with reading. I’ve found a few authors I’ve never heard of who can really sling their words well and have written large numbers of books, some of which are series but not all.
• Bill
  • Well it’s been a bit since I’ve been on the show an all I really have to talk about is the work I’ve been doing on the new show “Linux OTC.” After the release of episode three, it was revealed that we had an echo intermittently coming from my mic as well as Leo’s. After some sleuthing around, we discovered the problem was coming from Norbert’s track. Norbert uses an omnidirectional mic which is useful when you need to put the mic in a central location and pick up every thing going on in the room, though in this case it was literally picking up Leo and I from his headphones. I was able to filter out the echos from his track with “noise gate” on Audacity with Leo’s guidance whereby fixing the problem. My next challenge is to make the theme music match the volume of the rest of the show. Right now the theme song is loud and there’s been a couple complaints. I want to find a way to normalize the volume without losing the quality of the sound. At any rate, I’ll have the problem solved by the time we release episode 4.
  • One thing that’s been on my mind lately is my choice with regards to hosting my other two shows. As many would remember from a previous episode of mintCast where I outlined how to set up a podcast, I Described how I decided to use RedCircle to host the media files and generate the RSS feed. mintCast is uploaded to archive.org, and the RSS feed is generated by a plugin we’ve got installed on mintcast.org. At first I thought it would be better to use a podcast provider to simplify the workload. Although this decision did provide some convenience, I’m starting to question the decision. When I set up the show I knew I wanted to distribute the content under the same Creative Commons license mintCast declares, but didn’t consider the idea that RedCircle may claim some intellectual rights to the content we upload. With archive.org we would never need to worry about this. It’s unfortunate I didn’t really know how to generate and maintain an RSS feed in the beginning otherwise I may have made a different choice. Switching to archive.org now would mean changing the RSS address. Listeners would have to search for, and re-add the show to their players. What I need is a solution allowing me to migrate from one feed to another with the least listener hassle possible. If anyone knows a possible solution, please email me [email protected] or hit me up on the socials.
• Dani
  • Lately in my personal life I’ve been pretty focused on my health and fitness. I’m a big Apple Watch user and I subscribe to Fitness+. I’ve been making use of an app called Streaks to develop a consistently exercise routine. Excited to say that I’ve lost all my COVID lockdown weight! I’ve consistently been cycling, walking, doing Yoga, completed a 30-day core challenge in January, and am trying to consistently get into Kickboxing.
  • I got into the bad habit of DoorDashing a lot over the lockdown as well and I’ve been doing my best to get back to cooking more. I love to cook and I’m pretty good at it, but I don’t always have the energy to get to the store and be around all the people. I’m gonna trial Hello Fresh next week to see if something like that could work for me.
  • One of my major goals this year is to explore my style more and build more skill with hair and makeup. I was using StitchFix for a while but I kind of got in a rut with them. The trends for this year are weird! I’ve definitely been wearing a lot more makeup recently though and feeling more confident about it. It’s tough to walk that line between too much and too little. I think the goal for a lot of things related to fashion and appearances is a kind of effortlessness right? The worst fear for me is looking like a clown! Haha
  • Other than that, the biggest thing I have coming up is surgery at the end of next week. I’ve been isolating to avoid getting COVID and delaying my surgery date and my recovery is supposed to be about 3 weeks so I’m feeling pretty cooped up already! I’m looking forward to being able to go out a bit more again as the weather gets nicer and hopefully do some active things like disc golf and spend more time with friends.

— Play Innards Transition Bumper —

Linux Innards

30 minutes (~5-8 minutes each)

• Interview with Danielle Foré from elementary, Inc.

1. What got you started in Linux?
2. What made you decide to make your own distro?
3. What are some of the design influences behind Pantheon
4. What are some of the major changes you would like to highlight for version 7?
5. Can you talk a little about “App Center” and how it works? (Paid apps, Free Apps, Sideloading, etc)
6. In the wider Linux world, Distros like elementary OS and Mint seems to get categorized together. What are some of the main things that you think set elementary OS apart?
7. Is there an easy (simple) way to upgrade from elementary OS 6 to elementary OS 7, and do you recommend doing it that way?
8. What is your release and upkeep process for elementary, Inc.? Online Banking, Mortgages, Personal Loans, Investing
9. How has your transitioning affected working on elementary OS?
10. (Why did we put that question last, when it took up most of our time in the streamcast?)
11. because you can’t follow an act like that
12. it would be like putting Nickelback on after Pink Floyd

— Play Vibrations Transition Bumper —

Vibrations from the Ether

20 minutes (~5 minutes each)

• Brad Alexander

I figured I would throw in another (lighter) email with a hardware recommendation. My lovely bride and I just celebrated our 36th wedding anniversary last week, on Jan 23rd. I had been looking to replace my e-reader, since I was still reading on my Nokia N900’s 4″ screen with tiny fonts. I decided that my eyes ain’t getting any younger, so I started looking at e-readers. I didn’t want anything with an ecosystem, since I have somewhere north of 1000 epubs and pdfs in my Calibre library, and amazon and B&N both have vested interests in you buying their own proprietary formats. Kindles only started supporting epub formats in late 2022, if you can call “converting the epub to azw3 format” support… So it came down to the Kobo Libra 2 and the Pocketbook Era, The reviews I read were neck-in-neck, and what finally pushed me toward the Era was that Kobo appears to want to develop their own ecosystem as well…You can only listen to kobo-branded audiobooks on kobo devices.

The Era has been great, with it’s e-ink carta screen. it not only has tap gestures to turn pages, but physical buttons, unlike the comparable kindle. Plus the accelerometer lets you rotate the reader to any direction and the text will adjust, but so do the buttons. It also has decent text-to-speech capabilities, and i have listened to it read to me while cooking or doing dishes. The only thing I wish it had that it doesn’t is “night mode,” where you have white text on a black background, but I am about to make a feature request.

Anyway, if you are looking for a 7″ e-reader, this one comes highly recommended…

–b

• Joe

Man crazy as this is i am going to be discussing converting my ancient .lib format ebook library to epub on the show. Also looking for an ereader for my daughter and am thinking of a cheap firetab

• Brad Alexander

Actually, if you use calibre, you can do the conversions pretty simply. In fact, I think you can do batch conversions. In fact, I just did several Plucker ebooks (talk about a blast from the past) to epub. They were from 2010, so most of them were outdated.

For your daughter, a firetab would probably be fine. For my old eyes, I wanted an e-ink and the ability to do (a little bit) larger fonts. But as I recall, I am in the same age range as Moss. For me, the text-to-speech is becoming one of my favorite features of the Pocketbook…Because I can fire up the bluetooth and have it read to me while I am cooking, or wandering around Costco, or whatever.

• Joe

Yeah I used calibre to batch convert all of them and it turned out pretty good. They are all from when I was using my PDA(Dell Axim X51v) on a regular basis, so sometime before or around 2010. I use voice aloud for my books that I cannot find in audio but I do it on my phone(examples Garrett PI and Aubrey Knight). There are also some audio books that are just poorly read or of terrible quality and I prefer the straight text aloud.

• Zen Floater2

I’m an older developer. Started coding in 1966 on Fortran for Ratheon.

I suppose I would have to agree that most people don’t give one shit about using SNAPS Versus Debian files on Ubuntu.

So, in that spirit, I’m using a chromebook.

I run OpenBSD for my server at home and use Slackware and Trisquel and sometimes Devuan and Fedora and even have Linux Mint on one of

my machines. But I now have 4 chromebooks and feel that a chromebook is a better alternative to Ubuntu if you want updated apps.

I’ve written proprietary software all my life and am Lawson and SAP.

I also drive a truck for a living now in my retirement and love to piss off brokers.

I personally don’t hate you people or Mintcast as a podcast. See, I’ve listened to TLLTS since the beginning and have

listened to Dan Wasko bitch about COBOL for at least 20 years and I”m just sick of his bitching. Just sick of it. Dan was one of the

last Slackware users and now he’s using Ubuntu servers and Mac’s for his main driver. He’s like Doc Searls in that they are all

using MacOSX now. And they bitch at us for helping develop MicroFocus COBOL for the cloud. Geeze.

I’m also a member of the FSF and support OpenBSD with cash money. I love both projects which makes me

some kind of TRANS FREEDOM PERSON, lol….

Google has promised to support my chromebook now for 8 years! 8 years! That’s longer than AlmaLinux and RHEL has support.

The older you get, the higher the walls become. X11 is being purged in favor of Wayland, disappointments there. SystemD just sucks.

I can remember when Pat on TLLTS was bitching about having to use PulseAudio. Pat felt ALSA was enough. We all have complaints.

At least with Chrome OS I don’t have to fuck with anything anymore. But they have absolutely NO GTK2 support in this thing.

So, anything you use, audacious in the winamp interface get’s stuck to the center of the screen like spilt lugies hanging from some elementary school

bathroom ceiling..

Slackware or Trisquel for my linux needs. But I find myself right here in the chromeos most of the time as it’s just dependable and light and

has extremely long battery life and everything is up to date and modern. Hard to beat.

Charlie

• Joe

We have a guest lined up for the next show but I think we would all love having you on as a guest or a host if you have the time. Bill might even ask you to do 3FT. I would love to discuss old Raytheon with you and sounds like you and Moss would get along talking about OS’s and we would love to hear more about your opinion in regards to chromebooks

• Zen Floater2

I appreciate it Joe but I can’t commit to any kind of schedule unfortunately with my life.

I will make a HPR episode at ODD HOURS of the EARLY MORNING sometimes, when I have time.

But, typically, I”m driving somewhere during the daytime and just can’t do this.

But, I also wanted to say the same thing you hear often on Desination LInux, IN THAT, typically the laptop hardware

you find on DELL and Lenova is adequate but not as brilliant as any of my 4 chromebooks. The screens on these things

are much better and easier to read and the microphone they build into them is high quality, GOOD SOUND TOO.

I have to admit Joe that I’m coming back to these chromebooks over my other laptops mainly because of their

brilliant hardware and exceptional battery life and just outstanding WIFI. So, here’s what I do. I have a thinkpenguin

laptop with Trisquel on it and I have easytether installed and I hook that laptop into my android phone’s internet using

easytether – THEN i hit the hotspot button on trisquel and log this chromebook into that and I get commercial bandwidth

on my chromebook. I keep thinking that the stupid bastards at google will give us a better bandwidth alternative on

the PIXEL 5G phones but, I don’t know if they actually did yet. They should. But, until I’m sure their going to treat

chromebooks with some bandwidth like their treating Android to the CELL TOWER bandwidth, I will keep doing what

I’ve been doing and use truckstop wifi at other times. The chromebooks all simply out perform my other laptops

when using truckstop wifi. It’s so great to be able to take a small chromebook into a resturant with me and use the

internet from their WIFI using a chromebook. Battery life is often in excess of 10 hours you know.

I should make a program where I take a PI 400 and put AlmaLInux on it, load the easytether driver on it, and permanently

turn on the WIFI using systemd and just use the PI as an interface modem for my purposed – interface to the cell bandwidth.

That would be a good thing for all of us to have. Then I could cut my stuff down to a PI, a cell phone, and a chromebook.

Charlie

• Joe

That does sound like an awesome setup. I have been a big fan of easytether in the past but have found that T-mobile can detect it and slow down the connection to tethered speeds. Maybe that has changed since the last time I tried.

I am glad to hear how useful chromebooks are and if you find yourself with some free time one of these Saturday afternoons jump on the discord while we are on and maybe talk about it there. Its free form and whoever jumps in can talk.

The pi 400 build as a dedicated easytether WAN/LAN setup sounds like it would be fun to do and super useful. Would love to talk about the setup and the scripting that would need to be done to make it work properly and maybe bounce some ideas back and forth. Mobile/travel networking is one of my more favorite topics and I have done some interesting things with fuse mounts and scripting auto connects based on network status. Plus I know the whole team would be interested in talking more about old school development and raytheon.

And the main reason I personally like Dell systems is most of them are lower cost and i have yet to find one that has trouble running linux. From tablets to xps 13’s. Not the greatest quality devices but they are workhorses that are easy to keep running and were built with repairability in mind for MOST of them. Easy to tear down, repair and put back together.

— Play Check This Transition Bumper —

Check This Out

10 minutes

Housekeeping & Announcements

• Thank you for listening to this episode of mintCast!
• If you see something that you’d like to hear about, tell us!

Send us email at [email protected]

Join us live on Youtube

Post at the mintCast subreddit

Chat with us on Telegram and Discord,

Or post directly at http://192.168.1.167:8181

• Next Episode – 2 pm US Central time on Sunday, March 5^th, 2023
• Get mintCast converted to your time zone
• Next Roundtable Live Stream – 2 pm US Central time on Saturday, February 25^th, 2023
• Get the Roundtable Live Stream converted to your time zone
• for xxx.5 Next Roundtable Live Stream – 2 pm US Central time on Saturday, March 11^th, 2023
• Get the Roundtable Live Stream converted to your time zone
• Livestream information is at mintcast.org/livestream

Wrap-up

• Joe – Tllts.org,  linuxlugcast.com, MeWe, [email protected], Buy Joe a coffee
• Moss – Full Circle Weekly News, Distrohoppers’ Digest, [email protected], @[email protected] on Mastodon, other information found at It’s Moss dot com
• Bill – [email protected], Bill_H on Discord, @[email protected] on Mastodon, @wchouser3 on Twitter, and wchouser3 on Facebook also – checkout my other podcasts Linux OTC and 3ftpodcast.org

Before we leave, we want to make sure to acknowledge some of the people who make mintCast possible:

• AudioFreak (Riyo) for our audio editing
• Archive.org for hosting our audio files
• Hobstar for our logo, initrd for the animated Discord logo
• Londoner for our time syncs
• Bill Houser for hosting the Linode which runs our website, website maintenance, and the NextCloud server on which we host our show notes and raw audio
• The Linux Mint development team for the fine distro we love to talk about <Thanks, Clem and co!>

— Play Closing Music and Standard Outro —