Episode 417 Show Notes


Welcome to mintCast

the Podcast by the Linux Mint Community for All Users of Linux

This is Episode 417!

This is Episode 417.5!

Recorded on Sunday, July 23, 2023

Enjoying the cooler weather, I’m Joe; getting ready for school, I’m Moss; Building the Network, I’m Bill; Singing the Internationale, it’s Majid

— Play Standard Intro —

  • First up in the news: Mint 21.2 Victoria released, Canonical’s Leading LXD Engineer Quits, Ubuntu Plans to Ditch its ‘Minimal’ Install Option, a new BlendOS v3, SUSE forks Red Hat;
  • In security and privacy, Avrecon malware affects 70,000 Linux servers, turns them into a botnet, and we meet RCE Flaw and PyLoose Malware;
  • Then in our Wanderings Joe has a bad reaction, Moss, Bill, Majid pretends to be a socialist
  • In our Innards section, we talk “ethical telemetry”;
  • And finally, the feedback and a couple of suggestions

— Play News Transition Bumper —

The News

20 minutes

  • Mint 21.2 Victoria released
    • from linuxmint.com (via londoner)
    • On July 21st, all three versions of Mint 21.2 codenamed Victoria were released. The blog posts of the announcement are at:
    • New Features include:
      • Slick Greeter, which is in charge of the login screen, was given support for multiple keyboard layouts. The indicator located on the top-right corner of the screen opens a menu which lets you switch between layouts.
      • Touchpad support was also improved. Tap-to-click is detected and enabled automatically in the login screen.
      • The layout used for Onboard, the on-screen keyboard is configurable.
      • The Software Manager was given a UI refresh.
      • Pix, which was originally based on gThumb 3.2.8, was rebased on gThumb 3.12.2.
      • The new gThumb UI was adopted. It uses headerbars and buttons instead of toolbars and menubars. It’s slightly less discoverable for newcomers but it looks very clean and remains quite intuitive.
      • In Cinnamon, folder icons no longer feature a stripe. Instead, each color received beautiful two-tone icons. New color variants were introduced for popular colors.
      • Tooltips looked slightly different depending on where they came from (GTK2, GTK3, Cinnamon). They also featured a grey border which didn’t look clean around their yellow background. Consistency issues across the various GTK versions and Cinnamon were fixed. We took inspiration from Adwaita and made our tooltips bigger, rounder and with larger margins.
      • All the applications and projects developed by Mint now use symbolic icons. This ensures they look fine with any themes, whether the themes are dark, light or light and dark.
      • Cinnamon 5.8 introduces a new concept called “styles”. A style has up to three modes: mixed, dark and light. Each of these modes can contain color “variants”. A variant is a combination of themes which work well together.
      • Mint-Y-Legacy was renamed Mint-L.
      • The Cinnamon notifications were redesigned to feature the accent color.
      • Nemo features multi-threaded thumbnails. Instead of generating each thumbnail one by one, Nemo now generates multiple thumbnails in parallel. This uses more CPU but it results in loading directory content faster, especially for directories which contain a large amount of media files.
      • XDG Desktop Portal support was added to XApp for Cinnamon, MATE and Xfce. This provides better compatibility between desktop environments and non-native applications such as flatpaks or GNOME apps (libhandy/libadwaita apps).
      • Gesture support was added for window management, workspace management, tiling and media controls. Gestures are supported on touchpads, touchscreens and tablets.
    • The SUSE security team recently performed a review of the Warpinator codebase and highlighted some concerns. Discussions followed and decisions were taken to harden the security in Warpinator.
    • Linux Mint 21.2 features full support for HEIF and AVIF image files.
    • If you prefer, an upgrade path is also available. Check in System Reports, or use the link shown in the Edit menu of the Update Manager.
  • Canonical’s Leading LXD Engineer Quits
    • By Joey Sneddon from OMG Ubuntu (via londoner)
    • Stéphane Graber has announced his resignation from Canonical after 12 years of working at the company, mostly on LXD.
    • His announcement follows news (on July 4) that Canonical had taken the LXD project in-house after years of it existing as a community endeavour under the Linux Containers (LXC) umbrella.
    • Stéphane’s engineering expertise and enthusiasm for LXD (and containers in general) has arguably made him the “face” of LXD. In social media replies to his (somewhat unexpected) decision, many have commented on this and thanked him for his contributions and help over the years.
    • Clearly a major loss for Canonical (though a talented team remains) – what prompted it?
    • “As I’ve told colleagues and upper management, Canonical isn’t the company I excitedly joined back in 2011 and it’s not a company that I would want to join today, therefore it shouldn’t be a company that I keep working for either,” Graber writes in a blog post.
    • Which is fair enough.
    • They also comment on Canonical taking control of LXD.
    • “I obviously wish that [change] hadn’t happened, I strongly see value in having a project like LXD be run in a more open, community environment where everyone’s opinion is valued and everyone’s contribution, no matter the size, is welcome.”
    • To be fair, Graber is far from the only one miffed at that move.
    • The good news is that Graber intends to remain an active user of LXD (and Ubuntu) and plans to contribute fixes and file issues. They don’t plan to sign Canonical’s (deeply contentious) Contributor License Agreement so, one hopes, this won’t be a barrier to their continued involvement.
    • As for what’s next for Stéphane: devoting time to neglected pet projects, and pursuing freelance consultancy and training work.
  • Ubuntu Plans to Ditch its ‘Minimal’ Install Option
    • By Joey Sneddon from OMG Ubuntu (via londoner)
    • The introduction of a “minimal install” mode in the Ubuntu installer has been one of the distro’s best-received features in years.
    • When selected during initial install, Ubuntu’s ‘minimal install’ gives users a complete, fully-functioning Ubuntu system with fewer pre-installed apps. The exact same ISO also delivers a ‘full installation’ mode stacked with a swathe of software – this is the default, recommended option.
    • So having added a feature that users like, Ubuntu is now, umm, thinking about removing it.
    • The plan: a new “unified default install”. This, from the sounds of things, will focus on a minimal install by default, with a “choose your own apps” experience. Not an awful idea, granted – it’s an approach I’ve seen many Linux users advocate for over the years.
    • The rub is that the new experience will be powered by Ubuntu’s all-new Snap Store app — and that won’t please everyone.
    • New Approach: Choose Your Own Apps
    • Ubuntu’s Director of Engineering describes the current ‘minimal or full’ choice as “not-quite-right”. Thus they plan — read: have already decided — to try a new unified install approach that lets users select apps to install/add during install time.
    • “With widespread Internet access today, obtaining the necessary apps is no longer a hurdle. This streamlined approach could reduce ISO size, decrease testing needs, and simplify the installation process,” he says.
    • Smaller ISO sizes are a vaunted aim (and something Ubuntu could do with) but would getting users to select their own software actually “simplify the installation process”?
    • To me it sounds like it’d slow it down as you’d need to stop and think about whether you need a video player (and if so, which one), try and evaluate your office suite needs, and so on.
    • Plus, it’s already possible for users to select the apps they want — and has been since forever. It’s what apt and the Ubuntu Software app are for.
    • The proposal talks up a minimal default install but later mentions that some apps need to come pre-installed in order to “offer a coherent out-of-the-box experience”.
    • I’d argue the current default install, in both minimal and full-fat editions, already offers a coherent out-of-the-box experience — so what problem is this actually solving? I’m not sure.
    • With a cynical hat on I have to say this effort sounds like an unsubtle way to try and on-board users into using Snap versions of software since, as mentioned, this whole effort will be powered by and fronted using the new “Snap-first” app store.
    • We learned this week that the new store will demote DEB software in its search results. Thus when a user looks for software they know, such as LibreOffice, only the Snap version is presented as available to install — one way to get those Snap install numbers up.
    • Ubuntu Does Need Better Defaults
    • I’ve long felt Ubuntu has needed to shake up the software it ships with. Totem for example is no-one’s favourite video player and superior open-source alternatives exist.
    • But Ubuntu was hitherto all about shipping sane defaults that “just work” for most people and, notably in this case, providing the best open-source software has to offer.
    • I accept not everyone needs all of the software Ubuntu currently comes with — I don’t think I’ve ever opened LibreOffice Draw, for example — but a curated set of apps has upsides, like ensuring good-quality open-source software gets seen and used.
    • Prompting users to pick their own apps from the (to be blunt, rather weak) selection of apps available in the new Snap Store feels regressive. It’d be like a ‘browser ballot’ for everything – but how many people know whether they should use X vs Y vs Z?
    • Still, this is all in flux. I expect we’ll learn more about this effort in the coming months.
  • Blend OS v3 Bhatura released
    • https://blendos.co/blend-os-v3/
    • blendOS v3 “Bhatura” has now been released, with a host of new features, including the ability to switch between 7 desktop environments with system track, seamless atomic background updates, support for 10 container distributions and Nix, reproducible systems (containers and dotfiles), new developer-friendly CLI utilities for system and user operations and a lot more.
    • Just like with the previous release, this one is named after another popular dish (or to be precise, bread) in the Indian subcontinent, the “bhatura”
    • Unlike traditional Linux distributions, blendOS uses ISOs for updates, with your system being rebuilt on an update. Thanks to zsync, the update download size usually hovers around 10-100 MiBs, contrary to what you might have assumed.
    • Updates are downloaded in the background, and on the next boot, replace the current root filesystem while keeping any custom system packages you install (more on that later).
    • This update architecture resolves a major flaw with rolling-release distributions like Arch Linux, and allows us to confirm an update isn’t going to render your system unusable prior to rolling it out, thus providing a great deal of stability.
    • blendOS now supports 7 desktop environments, including GNOME, KDE Plasma, Cinnamon, XFCE, Deepin, MATE and LXQt. You can switch between desktop environments easily and instantaneously with system track.
    • Now, you can simply double-click a DEB, RPM, pkg.tar.zst or an APK to install it to a container. (for APKs, you need to initialize Android app support from the blendOS Settings app)
    • blendOS v3 introduces two new command line utilities, system and user, and both of these are designed to make the lives of developers much, much easier.
    • system allows you to install packages on the host itself, such as drivers and virtualization software from the Arch Linux repositories (system install and system remove). Speaking of which, unlike quite a few other immutable distributions, blendOS supports software such as VirtualBox if installed on the host.
    • user is a replacement for the old blend CLI (which was deprecated in v2). It allows you to create and manage containers and associations, as well as generate and move dotfiles and containers between different blendOS machines, as touched upon in the previous section.
    • The following distributions are now supported for containers, and you can use Nix too with a single/multi-user installation, just like on any regular Linux distribution:
      • Arch
      • AlmaLinux 9
      • Crystal Linux
      • Debian
      • Fedora 38
      • Kali Linux (rolling)
      • Neurodebian Bookworm
      • Rocky Linux
      • Ubuntu 22.04
      • Ubuntu 23.04
  • In a Blow to IBM, SUSE is Forking Red Hat Enterprise Linux
    • from ItsFOSS.com
    • Fresh on the heels of Red Hat’s source code lockout, SUSE has decided to undertake something entirely novel.
    • Over the coming years, they plan to invest over $10 million into an RHEL-compatible distro free of restrictions.
    • What’s Happening: Earlier today, SUSE, the company behind SUSE Linux, made an announcement that they would be forking publicly available Red Hat Enterprise Linux (RHEL) and developing/maintaining an RHEL-compatible distro that would be available without any restrictions.
    • Over the coming years, they plan to invest over $10 million into this project while working with the open-source community to develop a long-term, reliable alternative to RHEL and CentOS.
    • On this, the CEO of SUSE, Dirk-Peter van Leeuwen, had this to add:
      • For decades, collaboration and shared success have been the building blocks of our open source community. We have a responsibility to defend these values.
      • This investment will preserve the flow of innovation for years to come and ensures that customers and community alike are not subjected to vendor lock-in and have genuine choice tomorrow as well as today.
    • Yep, the last part looks like a direct jab at Red Hat. 🤭
    • They have already started the collaboration part by partnering with CIQ, the folks behind Rocky Linux.
    • The CEO of CIQ, and founder of Rocky Linux, Gregory Kurtzer mentioned:
      • CIQ is bringing stability to our partners, customers, and community, by building a broad coalition of like-minded companies, organizations, and individuals. SUSE has embodied the core principles and spirit of open source; CIQ is thrilled to collaborate with SUSE on advancing an open enterprise Linux standard.
    • But, they are not limiting the collaboration to that. They have also invited the open-source community to actively contribute to developing this upcoming RHEL-compatible distribution.
    • When to expect: Well, in the coming years would be my best guess as this is a massive undertaking that will need a significant investment of time and resources.
    • Though, SUSE mentions one more thing that caught my eye. They have said that any future expectations/plans are subject to change due to essential factors such as economic downturns, pricing pressures, the possibility of undetected software issues, and more.
    • If I were you, I would chalk this up to your run-of-the-mill disclaimer notice on many corporate press releases.
    • You may dive into the announcement blog to learn more about this project.
    • SUSE has taken us all by surprise with this move; I really hope this project benefits the overall Linux ecosystem and can act as a fine example of how such large-scale open-source projects are to be executed.

— Play Security Transition Bumper —

Security and Privacy

10 minutes

Before we get started, we should shout out an RIP to Kevin Mitnick, who passed this week from pancreatic cancer.

  • Avrecon infects 70,000 Linux Servers, turns them into a botnet
    • Since at least May 2021, stealthy Linux malware called AVrecon was used to infect over 70,000 Linux-based small office/home office (SOHO) routers and add them to a botnet designed to steal bandwidth and provide a hidden residential proxy service.
    • This allows its operators to hide a wide spectrum of malicious activities, from digital advertising fraud to password spraying.
    • According to Lumen’s Black Lotus Labs threat research team, while the AVrecon remote access trojan (RAT) compromised over 70,000 devices, only 40,000 were added to the botnet after gaining persistence.
    • The malware has largely managed to evade detection since it was first spotted in May 2021 when it was targeting Netgear routers. Since then, it went undetected for over two years, slowly ensnaring new bots and growing into one of the largest SOHO router-targeting botnets discovered in recent years.
    • “We suspect the threat actor focused on the type of SOHO devices users would be less likely to patch against common vulnerabilities and exposures (CVEs),” Black Lotus Labs said.
    • “Instead of using this botnet for a quick payout, the operators maintained a more temperate approach and were able to operate undetected for more than two years. Due to the surreptitious nature of the malware, owners of infected machines rarely notice any service disruption or loss of bandwidth.”
    • Once infected, the malware sends the compromised router’s info to an embedded command-and-control (C2) server. After making contact, the hacked machine is instructed to establish communication with an independent group of servers, known as second-stage C2 servers.
    • The security researchers found 15 such second-stage control servers, which have been operational since at least October 2021, based on X.509 certificate information.
    • Lumen’s Black Lotus security team also addressed the AVrecon threat by null-routing the botnet’s command-and-control (C2) server across their backbone network.
    • This effectively severed the connection between the malicious botnet and its central control server, significantly impeding its capacity to execute harmful activities.
    • “The use of encryption prevents us from commenting on the results of successful password spraying attempts; however, we have null-routed the command and control (C2) nodes and impeded traffic through the proxy servers, which rendered the botnet inert across the Lumen backbone,” Black Lotus Labs said.
    • In a recently issued binding operational directive (BOD) published last month, CISA ordered U.S. federal agencies to secure Internet-exposed networking equipment (including SOHO routers) within 14 days of discovery to block potential breach attempts.
    • Successful compromise of such devices would enable the threat actors to add the hacked routers to their attack infrastructure and provide them with a launchpad for lateral movement into their internal networks, as CISA warned.
    • The severity of this threat stems from the fact that SOHO routers typically reside beyond the confines of the conventional security perimeter, greatly diminishing defenders’ ability to detect malicious activities.
    • The Volt Typhoon Chinese cyberespionage group used a similar tactic to build a covert proxy network out of hacked ASUS, Cisco, D-Link, Netgear, FatPipe, and Zyxel SOHO network equipment to hide their malicious activity within legitimate network traffic, according to a joint advisory published by Five Eyes cybersecurity agencies (including the FBI, NSA, and CISA) in May.
    • The covert proxy network was used by the Chinese state hackers to target critical infrastructure organizations across the United States since at least mid-2021.
    • “Threat actors are using AVrecon to proxy traffic and to engage in malicious activity like password spraying. This is different from the direct network targeting we saw with our other router-based malware discoveries,” said Michelle Lee, threat intelligence director of Lumen Black Lotus Labs.
    • “Defenders should be aware that such malicious activity can originate from what appears to be a residential IP address in a country other than the actual origin, and traffic from compromised IP addresses will bypass firewall rules such as geofencing and ASN-based blocking.”
  • OpenSSH Agent RCE Flaw Let Attackers Execute Arbitrary Commands
    • from CyberSecurityNews.com
    • Researchers at Qualys discovered a new Remote Code Execution flaw in OpenSSH.
    • This flaw exists in OpenSSH’s forwarded ssh-agent. It allows an attacker to execute arbitrary commands via a vulnerable OpenSSH forwarded ssh-agent.
    • OpenSSH has been used in several servers and applications for remote login and file transfer, along with encryption. This vulnerability exists in the ssh-agent program that allows authentication to remote servers without entering the passphrase every time.
    • CVE-2023-38408: Remote Code Execution
    • This vulnerability exists in ssh-agent because the PKCS#11 feature in OpenSSH version 9.3p2 has an insufficiently trustworthy search path. The issue stems from an incomplete fix for CVE-2016-10009.
    • The CVSS Score for this vulnerability is yet to be confirmed.
    • The ssh-agent is a key manager that holds the PKCS#11 (Public-Key Cryptographic Standard) keys that are readily usable for remote server connections. An attacker can inject a malicious library into the ssh-agent, which makes the entire thread executable, and this remains even after the dlclose().
    • In addition to this, many shared libraries are marked as “nodelete” by the loader, which makes this malicious library permanent until deleted by a superuser. These libraries exist in the /usr/lib* folder, which can allow the threat actor to dlopen() any library even when executing the SUID-root program.
    • Once the library is executed, the threat actor will get the same privilege as the user who initiated the ssh-agent. This vulnerability has been patched by OpenSSH.
    • A complete report has been published by Qualys which explains in detail the complete threat vector, background and the exploitation of this vulnerability.
    • Users of OpenSSH’s forwarded ssh-agent are advised to upgrade to the latest version.
  • PyLoose Linux Malware Mines Crypto Directly From Memory
    • from BleepingComputer.com
    • A new fileless malware named PyLoose has been targeting cloud workloads to hijack their computational resources for Monero cryptocurrency mining.
    • PyLoose is a relatively simple Python script with a precompiled, base64-encoded XMRig miner, a widely abused open-source tool that uses CPU power to solve complex algorithms required for cryptomining.
    • According to researchers at Wiz, PyLoose’s direct execution from memory makes it incredibly stealthy and challenging to detect by security tools.
    • Fileless malware leaves no physical footprint on the system’s drives, so it’s less vulnerable to signature-based detection and typically utilizes legitimate system tools (living off the land) to inject malicious code into legitimate processes.
    • Wiz’s security researchers first detected PyLoose attacks in the wild on June 22nd, 2023, and have since confirmed at least 200 cases of compromise by the novel malware.
    • “As far as we know, this is the first publicly documented Python-based fileless attack targeting cloud workloads in the wild, and our evidence shows close to 200 instances where this attack was used for cryptomining,” explains the new Wiz report.
    • Wiz observed attacks that began by gaining initial access to devices through publicly accessible Jupyter Notebook services, which failed to restrict system commands.
    • The attacker uses an HTTPS GET request to fetch the fileless payload (PyLoose) from a Pastebin-like site, “paste.c-net.org,” and load it straight into Python’s runtime memory.
    • The PyLoose script is decoded and decompressed, loading a precompiled XMRig miner directly into the instance’s memory using the “memfd” Linux utility, a known fileless malware technique in Linux.
    • “The memory file descriptor, memfd, is a Linux feature that allows the creation of anonymous memory-backed file objects that can be used for various purposes, such as inter-process communication or temporary storage,” explains Wiz in the report.
    • “Once the payload is placed within a memory section created via memfd, attackers can invoke one of the exec syscalls on that memory content, treating it as if it were a regular file on disk, and thereby launch a new process.”
    • This enables attackers to perform payload execution straight from memory, evading most traditional security solutions.
    • The XMRig miner loaded into the compromised cloud instance’s memory is a fairly recent version (v6.19.3) that uses the ‘MoneroOcean’ mining pool to mine for Monero.
    • Wiz could not attribute the PyLoose attacks to any particular threat actor, as the attacker left no useful evidence behind.
    • The researchers comment that the adversary behind PyLoose appears highly sophisticated and stands out from the typical threat actors engaging in cloud workload attacks.
    • Cloud instance administrators are advised to avoid exposing services susceptible to code execution to the public, use strong passwords and multi-factor authentication to protect access to those services, and restrict system command execution.
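
A defender-side check for the memfd technique described above, as an added example that is not from the show notes or the Wiz report: it walks a /proc tree and flags processes whose executable, or any executable mapping, is backed by a memfd. The PIDs, process names and memfd names in the sample tree are constructed, and the `allow_comm` parameter is a hypothetical triage aid.

```python
import os
import re
import tempfile

# In /proc the kernel names a memfd-backed file "/memfd:<name> (deleted)".
MEMFD_RE = re.compile(r"^/memfd:(?P<name>.*?)(?: \(deleted\))?$")
# /proc/<pid>/maps columns: address perms offset dev inode pathname
MAPS_RE = re.compile(
    r"^\S+\s+(?P<perms>\S{4})\s+\S+\s+\S+\s+\S+\s+(?P<path>/memfd:.*)$")


def _read(path):
    """Return file content, or "" if the process exited or access is denied."""
    try:
        with open(path, "rb") as fh:
            return fh.read().decode("utf-8", "replace")
    except OSError:
        return ""


def inspect_pid(proc_root, pid):
    """Return sorted (source, memfd_name) findings for one process."""
    base = os.path.join(proc_root, str(pid))
    findings = set()
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        exe = ""  # kernel thread, exited process, or insufficient privilege
    match = MEMFD_RE.match(exe)
    if match:
        findings.add(("exe", match.group("name")))
    for line in _read(os.path.join(base, "maps")).splitlines():
        match = MAPS_RE.match(line)
        # Only executable mappings matter; rw- shared memfds are ordinary IPC.
        if match and "x" in match.group("perms"):
            name = MEMFD_RE.match(match.group("path")).group("name")
            findings.add(("maps", name))
    return sorted(findings)


def scan(proc_root="/proc", allow_comm=()):
    """List processes running code from a memfd.

    allow_comm (hypothetical) only suppresses known noise during triage;
    comm is set by the process itself, so it is not a trust decision.
    """
    hits = []
    pids = sorted(int(e) for e in os.listdir(proc_root) if e.isdigit())
    for pid in pids:
        findings = inspect_pid(proc_root, pid)
        if not findings:
            continue
        base = os.path.join(proc_root, str(pid))
        comm = _read(os.path.join(base, "comm")).strip()
        if comm in allow_comm:
            continue
        cmdline = _read(os.path.join(base, "cmdline"))
        hits.append({"pid": pid, "comm": comm,
                     "cmdline": cmdline.replace("\0", " ").strip(),
                     "findings": findings})
    return hits


def build_sample_proc(root):
    """Write a constructed /proc-like tree (not real telemetry)."""
    samples = {
        # pid: (exe link target, comm, cmdline, maps line)
        101: ("/usr/bin/python3.10", "python3", "python3\0notebook.py\0",
              "55d0-55d1 r-xp 00000000 08:01 131 /usr/bin/python3.10\n"),
        202: ("/memfd:demo (deleted)", "demo", "demo\0",
              "5600-5601 r-xp 00000000 00:01 2049 /memfd:demo (deleted)\n"),
        303: ("/usr/bin/compositor", "compositor", "compositor\0",
              "7f10-7f11 rw-s 00000000 00:01 3071 /memfd:shm-buffer (deleted)\n"),
        404: ("/usr/bin/python3.10", "python3", "python3\0app.py\0",
              "7f20-7f21 r-xp 00000000 00:01 4093 /memfd:lib (deleted)\n"),
    }
    for pid, (exe, comm, cmdline, maps) in samples.items():
        base = os.path.join(root, str(pid))
        os.makedirs(base)
        os.symlink(exe, os.path.join(base, "exe"))  # dangling link is fine
        for name, text in (("comm", comm + "\n"), ("cmdline", cmdline),
                           ("maps", maps)):
            with open(os.path.join(base, name), "w") as fh:
                fh.write(text)
    os.mkdir(os.path.join(root, "self"))  # non-numeric entries are skipped


def demo(allow_comm=()):
    """Scan the constructed tree and return the flagged processes."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_proc(root)
        return scan(root, allow_comm)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Calling `scan()` with no arguments reads the live /proc; run it as root to see every process, and expect a few legitimate tools that execute from a memfd to appear in the results.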

— Play Wanderings Transition Bumper —

Bi-Weekly Wanderings

30 minutes (~5-8 mins each)

  • Bill
    • This weekend was the Expeditor expo where we, 3 Fat Truckers set up a booth and did some filming. We had a great time interviewing folks and learning more about the “expedited” niche of the trucking industry in the US. Expeditors are the people you see with the straight trucks that haul very small loads, usually emergency freight. Often times a company will need to order a less than truck load quantity of freight. These loads are often an emergency; meaning it might be a single skid of product, or even just a document in an envelope that if not “expedited” to the customer, could have catastrophic consequences. Often a customer will order an insufficient amount of product to complete their manufacturing and if they don’t get that last bit they need, their production line will shut down. This is especially impactful in industries such as metals because if they have to shut down their line, they have to power down their furnaces which can take up a day to restart. The cost can reach into the millions. Expeditors offer the necessary way to ship that crucial quantity of whatever the customer needs to keep production moving. We were approached by the coordinator of the show while we were down at the Mid America Trucking show earlier this year and offered a booth free of charge at the Expo which is altogether close to a $1500 value. We set up in mainly the same way we did at the MATS show. We did lots of interviews and got to meet lots of people in that particular niche of the industry.
    • Since the truck show was right here in Fort Wayne, I was able to get a couple things done. One of which was a complete re-build of our network, here at home. I have fiber going to the house providing a symmetrical 500Mb connection. Prior to the rebuild, the connection went from the gear provided by Frontier in the basement to a Linksys WRT AC3200 wireless router which was doing the work of routing and wifi. From there, ethernet went to a switch upstairs, which then fed into 6 devices including a second wireless access point. Another ethernet connection went downstairs here to me where it connected to a switch that fed all the machines down here including the servers, finally – another line went to a switch under the tv in the living room where the router was located which fed all the devices in that room such as the Nvidia Shield, the Blueray player, the surround system, as well as the tv itself. Everything else utilized wifi, which is worth mentioning; not wifi6. It worked fine for some time, but as our needs have become progressively more complicated, the time for an upgrade was at hand. My desire was to separate wifi and routing into two separate devices, and relocate the wireless access point to a more centralized location in the house, whereby removing the need for two separate AP’s. This significantly reduces the attack surface of my network, while simultaneously perhaps reducing power consumption. My new network consists of a TP-Link ER7206 Professional Wired router, that you can see here behind me. From there, Cat 8 ethernet goes out to the switch on the second floor, the switch under the living room tv, my daughter’s tv in her room on the first floor, the switch you see under the router here in the basement, as well as straight to the new TP-Link TL-WA3001 WiFi 6 Access point, hanging on the wall in the central hallway on the first floor. These new devices give me enterprise features and greatly improve performance on my network. I’m really enjoying the upgrade.
    • If anyone notices a change in my audio, it’s because I’m trying out a new microphone my oldest son talked me into buying. After we did the last episode of mintCast it was clear the Neewer NW-700 I got for $18 on Amazon wasn’t exactly fit for purpose. This new microphone is a classical “ribbon” mic made by a company called “The Golden Age Project” which specializes in building classic style microphones, utilizing the old technology while also adding modern bits to improve quality and performance. This particular model is the R1 Active MK III. I’m not sure I’m digging the size of this thing – it’s the size of a can of energy drink, and weighs about as much as a six pack of beer, but I think the sound quality is magical. We’ll give it a try and see what happens.
    • I replaced the chair here at my desk, which was probably the best of all my decisions this weekend. Previously, I was using a Tuoze Office Desk Racing Style High Back Leather chair which was ok but a big guy will start to sweat in the bottom region when sitting on a chair like this for long periods of time such as when recording mintCast. Also, the tilt base had broken somehow and if I wasn’t careful, would tilt sideways. This new chair is an Amazon Basics Ergonomic Adjustable High-Back Chair. I’m loving this thing because it is mesh on the back lumbar, as well as the bottom seat – allowing ventilation to the crucial areas to prevent overheating. This chair is twice the price of the other one, but some things are worth every penny and more.
  • Joe
    • I have been somewhat inactive the last two weeks. Haven’t been on Discord or Telegram as much as I should have but I had some stuff going on. I had to stop taking that medication that I got from the VA. I had a bad reaction.
    • I had very severe mood swings and depression and anxiety to go along with random rages and bouts of near weeping. It was a nightmare and took me a little while to equate what was going on to the medication.
    • Especially when you consider that the normal dose for this is 37.5mg and I was taking only 15mg. I thought I had done my research on this medication and I had but when I went back and looked again using my symptoms as keywords I found a rabbit hole of information showing that I was not the only person to have this type of reaction.
    • Some of it was likely due to the fact that I was uninformed when it came to this stuff’s reaction in regards to caffeine. It makes it much worse.
    • I also lost 15 lbs in 16 days. While some may think that is a good thing it is not. That kind of weight loss is very dangerous and should not happen
    • I had my 42nd birthday which was nice. My daughter found one of the recipes that I like for lemon cake and made me some. It was incredible.
    • I also got an interesting phone case which has an emulator on the back. Completely self contained in the case. So I have been playing Mario, Contra, Galaga, 1942 and Pacman on it.
    • Jackie was able to find a Bowflex Xtreme for free. This is normally a 1600 dollar device and we got it for free. Some of the reviews say that it does not have enough resistance on it but I am not worried because I will use the pulleys that I already have set up and use some weights to supplement it as needed and I will still do my regular free weight lifting but this will help with flys and pulldowns.
    • There is also one set of pulleys missing that are for the curls/squats but I can work around it with what is there.
    • The only issue is the large size. I did need to clean up a large part of my garage to get it in and I will need to push it into and out of place when I want to use it but my gym is very configurable as it is.
    • My pile of need-to-fix LG headphones is starting to get large again. Lots of ones sides out again so I will probably work on that some in the near future so long as this heatwave calms down. It was over 100 degrees for more than 10 days in a row and yesterday was the first day in a while that it stayed in the 90s.
    • I also pulled out my old portable monitor because I wanted to test out the state of DisplayLink drivers on Linux. Still abysmal. I hooked it up to my phone and it won’t do DeX. I hooked it up to my Dell Venue and it needed external power to properly run. I hooked it to my desktop in the garage and it worked since I do have powered hubs but there was a lot of artifacting and also high CPU usage. I am also going to check it on the OneGX which is where I want to use it but I am still disappointed that the drivers and optimizations have not improved. I may have to look into something that does not use DisplayLink but works over something like USB-C but those are more expensive.
    • Something happened to my audiobookshelf instance. After the most recent update all my user data was removed but one. The user that was left was not mine but I was able to find out which one it was and log in. That user had been made root somehow and I needed to change it and another backup user in.
    • I also needed to rescan my library and I lost all the manual work that I did with matching titles. It kinda sucks.
  • Moss
    • I received a check in the mail in the Yahoo! Breach settlement. $61.79. I wasn’t expecting that.
    • I’ve been buying gobs of necessary stuff from Amazon. Waiting until Prime Day only saved me a few dollars. I now have a scooter, easily assembled and usable for any grocery or department store. We even picked up a Philips powered digital TV antenna, in case we get tired of paying for Hulu and need a reminder of how bad things could be.
    • On top of that, my back has been in not quite constant seizure, especially low on the right side. This makes assembling my new scooter, made necessary by the back spasms, into an even more painful experience.
    • I did get a new guitar, an Enya Music NEXG “Smart Guitar”. I’m slightly underwhelmed by it, but I haven’t really gotten all the way into it. This thing has bells and whistles… well, at least drum tracks and fuzz settings… We paid $420 for this guitar, list price is $599.99. This also means I will be selling off as many of my other instruments as I can, keeping only the NEXG and my Classical guitar, plus my harp. Just got too much stuff around here!
    • I also had to do more trainings to keep my substitute teaching job, and I got them all done. I still have two massive paperwork projects to get done. I was further invited to join an international singing project, and I’m hoping I get everything left on my to-do list caught up enough to be able to do that.
  • Majid
    • I too have been buying unnecessary stuff from Amazon. A robot vacuum cleaner to be precise. It has been quite difficult to get this working. For some reason it wants to be connected to a 2.4GHz wireless network. Wouldn’t connect to a phone with Android 12, but did to one with a custom ROM (Lineage 20 based on Android 13). Having said that, it did seem pretty cool to use.
    • So after almost a decade away from using it as a daily driver, I’ve gone back to Linux Mint.
    • So first off I’d better explain why I have done so. Well first of all I’m on mintCast, and so it seemed that I would be doing a disservice to our listeners if I didn’t at least try Mint, especially when I realised how long it had been. I hadn’t realised how long it had been.
    • Secondly, jank. That well known “je ne sais quoi” ability of many Linux distributions to have random issues. You guys have been hearing some of the audio problems I’ve been having. Now I was running Kubuntu 23.04 on this podcasting rig, and so I wasn’t expecting issues. The main Ubuntu edition has always been my go-to for “it just works”. But even though this is an official flavour, this didn’t seem as stable. The odd random thing would pop up and so I decided (after discussion on last week’s livestream) that I’d put it on this.
    • In the past putting Mint on a machine was normally the easiest distro to put on. Not this time. And I’m not entirely sure why. Probably my noob-ness
    • So even though Joe had advised me to nuke and pave (cos who needs Windows), I have been dual booting on this rig. Just a bit of a safety blanket for if I want to sell on and replace devices.
    • So first I went to make my live USB. I chose the 21.2 Cinnamon edition, as I feel that’s the best showcase for Mint. Firstly I started using the KDE Startup Disk Creator. Then after it being done, when I went to boot into it, it didn’t work, just kept getting a GRUB menu. I thought it’s either the KDE startup disk utility or the ISO being corrupted. I tried Rufus, balenaEtcher, Ventoy (which I couldn’t install for some reason – more jank), every time the same situation. I used a different USB stick. I redownloaded the ISO, used a different machine, even tried another distro (FerenOS) just in case it was a Mint-specific problem.
    • At this point the BIOS on the machine stopped “seeing” the USB and stopped giving me the option to choose boot device and boot order. I wondered if the dual boot was the issue, so I got rid of my Kubuntu partition. Still no luck. I then changed over to legacy boot; at that time, I also tried to dd the ISO. I’m not sure which of the two it was, but finally I could load into the live USB, and then was able to install it… finally!
    • So what’s it like on Mint? Well it seems to be quite boring… in a good way. It works (most of the time), is incredibly performant, gets out of my way, and I can get stuff done. Installing Flatpak software has been really easy. Hardware working fine. None of the “jank”. It is still early days, but I am enjoying it so far. I have tried to jazz it up with some effects. Of course it’s no KDE but eye-pleasing nonetheless. Though I do notice the font rendering is a bit off (if you change from the Ubuntu standard).
    • I got to fulfil a childhood fantasy by going on strike! The attendings are now on strike in the NHS. As mentioned previously, we have not had a pay rise since 2008, leading to a real terms decrease of 30%. Frankly our demands have been less militant than the residents and junior doctors. They want the full 30% pay restoration. We have just asked for an above-inflation rise. Inflation being about 9%. Our PM responded by offering us 6% and said that was it. It meant that anyone on the fence was motivated to strike. #epicfail by the Tories. The fact that they lost two by-elections during the week also hasn’t made them any more conciliatory. This despite the fact many of us have been getting job offers for North America, Australasia and the Middle East which are easily double the salaries we are getting here (sometimes even 3x).
    • We didn’t have a proper picket line at our hospital; there was a central picket demo at one of the hospitals in a neighbouring city, but I didn’t go, so I didn’t get to fulfil the fantasy of singing socialist songs!
    • Unfortunately the strike ended just in time for me to have my standby (on-call) weekend at the hospital, so if I leave in the middle of the show, you know why!
    • Been doing a bit of podcast moonlighting too. Academic friend of mine from South Africa wanted me on his “Scholar & the Student” podcast where we discussed theology and heavy metal!

— Play Innards Transition Bumper —

Linux Innards

30 minutes (~5-8 minutes each)

  • this week we have a discussion about “ethical telemetry.”
  • The summary on the fedora wiki reads:
    • The Red Hat Display Systems Team (which develops the desktop) proposes to enable limited data collection of anonymous Fedora Workstation usage metrics. Fedora is an open source community project, and nobody is interested in violating user privacy. We do not want to collect data about individual users. We want to collect only aggregate usage metrics that are actually needed to achieve specific Fedora improvement objectives, and no more. We understand that if we violate our users’ trust, then we won’t have many users left, so if metrics collection is approved, we will need to be very careful to roll this out in a way that respects our users at all times. (For example, we should not collect users’ search queries, because that would be creepy.) We believe an open source community can ethically collect limited aggregate data on how its software is used without involving big data companies or building creepy tracking profiles that are not in the best interests of users.
    • Users will have the option to disable data upload before any data is sent for the first time. Our service will be operated by Fedora on Fedora infrastructure, and will not depend on Google Analytics or any other controversial third-party services. And in contrast to proprietary software operating systems, you can redirect the data collection to your own private metrics server instead of Fedora’s to see precisely what data is being collected from you, because the server components are open source too. Keep in mind this Fedora change proposal is just that: a proposal. It must undergo community review and must be approved by the community-elected Fedora Engineering Steering Committee (FESCo) before it can be implemented, just like any other Fedora change proposal. We welcome community participation and fully expect this proposal may need to be modified significantly depending on Fedora community feedback.
  • An article as a talking point:
    • Wireless Carriers Face $200M Fine for Selling Location Data.
    • Top Industries and Companies That Sell Your Data
      • 1. Facebook
      • To the surprise of no one, Facebook has built an advertising juggernaut as a first-party data miner. The platform aggregates data from its users’ interactions and messages, then shares those insights with partners and individual advertisers interested in reaching its 2.78 billion monthly active viewers. CNET has a great in-depth guide for scrubbing your Facebook data.
      • 2. Google
      • From search and email to maps and video, Google has integrated itself into our cultural lexicon at nearly every stage. With ad profits coming in from search placements, YouTube video advertising, YouTube TV ads, and more, the company thrives on using its technology to create curated advertising experiences—and shares that data with its active partners. You can manage what data Google can access here.
      • 3. PayPal
      • PayPal processes billions of dollars in financial transactions every year. With that power comes access to billions of personal and financial records that PayPal regularly shares with its third-party partners around the world. Those partners include banks and other payment processors like Wells Fargo and Bank of America, marketers like Salesforce and LinkedIn, and even government agencies.
      • 4. Oracle
      • Unlike the other three big tech brands, Oracle openly sells data to marketers worldwide. The Oracle Data Cloud equips business-to-business marketers with over 400 million business profiles and thousands of audience segment profiles. Opt-out here.
      • 5. Acxiom
      • Similar to Oracle, Acxiom boasts “the most expansive and compliant data offering in the world”. With over 10,000 attributes covering more than 2.5 billion consumers, Acxiom’s database covers more than 62 countries and 68% of the world’s digital population. That data is collected and sold to marketers for audience analysis and strategic planning. Opt-out here.
      • 1. Equifax
      • The most notorious of the three, Equifax made headlines in 2017 after a data breach exposed the social security numbers, birthdays, addresses, credit card credentials, and other personal data from over 145.4 million Americans.
      • 2. Experian
      • Likewise, Experian collects personal data from over a billion people and organizations, then sells that information in bulk to banks and credit card companies like Citigroup or Capital One.
      • 3. TransUnion
      • Sometimes the easiest way to gather customer information is to just ask for it. Be it an e-book, webinar, video series, brush pack, or promotional code, companies regularly collect personal data simply by gating it behind a registration form. By filling out the form and registering for the incentive, audiences enter themselves into the company’s lead generation system for future engagement.
    • How Companies Profit and Use Your Personal Data
      • In order to continue to receive services like Facebook and Google for free, the use of our personal data seems to be a price users are forced to pay as companies that do not produce any actual products seek profitability. But are a few targeted ads an acceptable price to pay for access to the largest library of knowledge and communal space in human existence? Without the ability to sell us products and services using our personal information, users would be faced with either being confronted with a scatter-gun approach to advertising or having to pay a fee, as for Netflix, for traditionally free services such as search engines and social media. By using our personal data, companies can argue that they are giving us a better customer experience and keeping the internet largely free at point of entry. The inherent concept of our personal sentiments and interests being used to increase up-selling opportunities is one that many people will find distasteful and would prefer not to participate in, despite the possibility of a change in the way they can make purchases, as they feel their data is being used without their consent and is a violation of privacy. However, it is worth remembering that monetisation of customer data is as old as the grocery store loyalty card and hardly a new invention of the internet; the only difference being that we notice the advertising online as we use it almost constantly, as compared to just once a week at a grocery store.
    • The State of Consumer Data Privacy Laws in the US (And Why It Matters)
    • Importance of Ethical Data Collection
      • There are several ethical considerations related to data collection in place. Ethical considerations are the ethical practices that govern how data is gathered, stored, and exchanged. These can include obtaining unambiguous and informed consent, storing data securely, and obtaining permissions to use or share data.
      • While gathering and analyzing personal data can provide valuable customer insights and perhaps enhance the quality of service that firms deliver to those customers, it can only be contemplated if the data acquired is secure.
      • Where would the data be procured?
      • Which data collection techniques should be used?
      • Is it necessary to obtain consent?
      • Who will be in charge of hosting, accessing, and controlling the data?
      • Are all of our actions transparent and auditable?
    • Data Anonymization: Use Cases and 6 Common Techniques
      • Data anonymization is a method of information sanitization, which involves removing or encrypting personally identifiable data in a dataset. The goal is to ensure the privacy of the subject’s information. Data anonymization minimizes the risk of information leaks when data is moving across boundaries. It also maintains the structure of the data, enabling analytics post-anonymization.
        • Typical uses
          • Medical research—researchers and healthcare professionals examining data related to the prevalence of a disease among a certain population would use data anonymization. This way they protect the patient’s privacy and adhere to HIPAA standards.
          • Marketing enhancements—online retailers often seek to improve when and how they reach their customers, via digital advertisement, social media, emails, and their website. Digital agencies use insights gained from consumer information to meet the increasing need for personalized user experience and to refine their services. Anonymization allows these marketers to leverage data in marketing while remaining compliant.
          • Software and product development—developers need to use real data to develop tools that can deal with real-life challenges, perform testing, and improve the effectiveness of existing software. This information should be anonymized because development environments are not as secure as production environments, and if they are breached, sensitive personal data is not compromised.
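
To make the anonymization and "aggregate usage metrics" ideas above concrete, here is an added example (not from the show notes, the quoted article, or the Fedora proposal). It assumes made-up report fields and applies three techniques chosen for illustration: suppressing direct identifiers, keyed pseudonyms used only to de-duplicate machines, and generalization followed by a minimum group size `k` before anything is released.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample reports; every field name and value is invented for this example.
RAW_REPORTS = [
    {"hostname": "alice-laptop", "ip": "203.0.113.7", "desktop": "GNOME", "ram_mb": 7800, "locale": "en_GB"},
    {"hostname": "alice-laptop", "ip": "203.0.113.7", "desktop": "GNOME", "ram_mb": 7800, "locale": "en_GB"},
    {"hostname": "bob-desktop", "ip": "198.51.100.4", "desktop": "GNOME", "ram_mb": 8000, "locale": "en_US"},
    {"hostname": "carol-pc", "ip": "192.0.2.55", "desktop": "GNOME", "ram_mb": 6100, "locale": "en_AU"},
    {"hostname": "dave-nuc", "ip": "192.0.2.90", "desktop": "KDE", "ram_mb": 32000, "locale": "de_DE"},
    {"hostname": "erin-x1", "ip": "198.51.100.9", "desktop": "KDE", "ram_mb": 15900, "locale": "fr_FR"},
]


def pseudonym(key: bytes, value: str) -> str:
    """Keyed pseudonym: stable under one key, unlinkable once the key is discarded."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalize_ram(ram_mb: int) -> str:
    """Generalization: replace the exact value with a coarse bucket."""
    for limit_gb in (4, 8, 16):
        if ram_mb <= limit_gb * 1024:
            return f"<={limit_gb}GB"
    return ">16GB"


def anonymize_report(report: dict, key: bytes) -> dict:
    """Suppress direct identifiers (hostname, ip) and coarsen the rest."""
    return {
        "machine": pseudonym(key, report["hostname"]),  # pseudonymous, not anonymous
        "desktop": report["desktop"],
        "ram": generalize_ram(report["ram_mb"]),
        "lang": report["locale"].split("_")[0],  # keep the language, drop the region
    }


def aggregate(reports, key: bytes, k: int = 3):
    """Count one report per machine, then release only groups with at least k members."""
    seen = set()
    counts = Counter()
    for report in reports:
        record = anonymize_report(report, key)
        if record["machine"] in seen:  # repeat upload from the same machine
            continue
        seen.add(record["machine"])
        counts[(record["desktop"], record["ram"], record["lang"])] += 1
    released = {group: n for group, n in counts.items() if n >= k}
    suppressed = sum(n for n in counts.values() if n < k)
    return released, suppressed


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # per-collection key, discarded after aggregation
    released, suppressed = aggregate(RAW_REPORTS, key)
    print(released, "suppressed:", suppressed)
```

The pseudonym never appears in the released counts, and the two single-machine groups are withheld because a group of one would describe an individual.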

— Play Vibrations Transition Bumper —

Vibrations from the Ether

20 minutes (~5 minutes each)

  • Alan Gilchrist
    • Hi all.

Just a wee note to try to clarify your Bitwarden discussion in ep. 416 (I think).

Majid – yes, Bitwarden is free and open source, and free as in beer.

Bill – yes, you can pay $10 per year for the Premium version, which the Destination Linux guys will happily tell you has 1Gb enc. file storage, 2 step login…, vault health reports, etc.

So you were both correct!

Regards from Scotland,

Alan Gilchrist

— Play Check This Transition Bumper —

Check This Out

10 minutes

Housekeeping & Announcements

  • Thank you for listening to this episode of mintCast!
  • If you see something that you’d like to hear about, tell us!

Send us email at [email protected]

Join us live on Youtube

Post at the mintCast subreddit

Chat with us on Telegram and Discord,

Or post directly at https://mintcast.org


Before we leave, we want to make sure to acknowledge some of the people who make mintCast possible:

  • Someone for our audio editing
  • Archive.org for hosting our audio files
  • Hobstar for our logo, initrd for the animated Discord logo
  • Londoner for our time syncs
  • Bill Houser for hosting the server which runs our website, website maintenance, and the NextCloud server on which we host our show notes and raw audio
  • The Linux Mint development team for the fine distro we love to talk about <Thanks, Clem … and co!>

— Play Closing Music and Standard Outro —

Linux Mint

The distribution that spawned a podcast. Support us by supporting them. Donate here.


We currently host our podcast at archive.org. Support us by supporting them. Donate here.


They’ve made post-production of our podcast possible. Support us by supporting them. Contribute here.

mintCast on the Web

This work is licensed under CC BY-SA 4.0
