Episode 418 Show Notes
Welcome to mintCast
This is Episode 418!
This is Episode 418.5!
Recorded on Sunday, August 6th, 2023.
Loving Life I’m Joe, staying right at home, I’m Moss, … Bill, wandering the world, I’m Majid
— Play Standard Intro —
- First up in the news: Mint Monthly News, Fedora Asahi Remix debuts, Wine 8.13 releases, Debian makes RISC-V official, Inkscape 1.3 released, Canonical seizes LXD maintenance, Google will start deleting inactive accounts in December, Google does something “dangerous” to chromium, ChromeOS splits browser from OS, Darrick Wong leaves XFS
- In security and privacy: Zenbleed: A new Flaw in AMD Zen 2 Processors
- Then in our Wanderings: Joe fixes a van, Moss just tries to keep up, Bill, and Majid joins in the heatwave
- In our Innards section, we discuss the passing of Kevin Mitnick and a few of its repercussions to the Linux and security communities;
- And finally, the feedback and a couple of suggestions
— Play News Transition Bumper —
- Mint Monthly News – July 2023
- From Linux Mint Blog (via londoner)
- Quote from Clem:
- “Work started on LMDE 6. The upcoming version of our Debian-based distribution will be codenamed “Faye”. It will come with all the features and changes introduced in Linux Mint 21.2. There is no ETA for its release. Once everything is ready we’ll take the opportunity to work on additional features and see how much we want to further reduce the gap in functionality between Linux Mint and LMDE.
- In parallel to LMDE 6 we’re also planning to release an EDGE ISO for Linux Mint 21.2. This ISO will feature a kernel 6.2 and make it easier to boot Mint on brand new hardware.
- Looking further ahead (after LMDE 6 and the EDGE ISO), we’re likely to reduce the scope for Linux Mint 21.3 which is planned for Christmas 2023. We’ve got many exciting ideas, I’m sure some of the cool new features we have in mind will be implemented, but we want to prioritize some long-term aspects and dedicate some of our time to them. Namely, we want to update our ISO production tools and fix secureboot. We also want to spend time on studying the pros and cons of Wayland and to assess the work needed in its potential adoption. Last but not least we’re keeping an eye on Ubuntu, their increased focus on Snap, the quality of their 24.04 package base and what this means for us going forward.
- Note: We’ve got a vocal minority of LMDE users. As usual we’ll come up with a great release. I appreciate the fact that they love what we do. I ask them to please remain civil when it comes to criticizing Ubuntu and to understand that we do what’s best for Linux Mint as a whole, both when we work on LMDE, when we work on Linux Mint and when we form long term strategies. The news sometimes gets blown out of proportion and people can get really passionate over very little. If you look at the past you can appreciate how calm we are as a team and how serene we are with our development. We’re rarely affected by upstream decisions. When we are, or when we might be, we’re able to invest, to mitigate them and get to where we want to be. That’s how we’ve got something like LMDE already, whether we ever need it or not. Don’t panic, don’t lobby for rushed decisions based on fears or passion, we know who we are and we know what we’re doing.”
- Our new flagship distro: Fedora Asahi Remix
- from AsahiLinux.org
- You’ve all been waiting for it, many of you have guessed, and now, as announced at Flock To Fedora, it’s time to make it official:
- The new Asahi Linux flagship distribution will be Fedora Asahi Remix!
- We’re confident that this new flagship will get us much closer to our goal of a polished Linux experience on Apple Silicon, and we hope you will enjoy using it as much as we’re enjoying working on it.
- We’re still working out the kinks and making things even better, so we are not quite ready to call this a release yet. We aim to officially release the Fedora Asahi Remix by the end of August 2023. Look forward to many new features, machine support, and more!
- From the start of the Asahi Linux project, our goal has been to bring full Linux support to Apple Silicon machines, across all distributions. Supporting new hardware like this, especially hardware this special in the relatively young embedded ARM64 desktop Linux space is no easy task, and involves a huge amount of reverse engineering, development, and integration work, spanning all the way from bootloaders to desktop audio servers!
- Much of our initial work focused on the kernel and bootloaders, which can be shared between distros. But as we started reaching the point where kernel support was enough for a (bare-bones) usable system, we still had a lot of distro integration work left. Making hardware work out of the box requires a bunch of subtle integration engineering, as well as working together with userspace-level projects to improve them and add the features we need for these systems.
- Our goal is for all distros to eventually integrate all this work, so that users can use their choice of distro and be confident that it will work well on their machine. But, in order to kick off this process, we had to prototype what this integration looks like, which meant we had to create our own distro.
- And so, the Asahi Linux Arch Linux ARM remix was born. We took Arch Linux ARM, added our own overlay package repository, and packaged all of our integration work there. Notably, this is a fully downstream project: we have no significant involvement with upstream Arch Linux ARM or Arch Linux, and we directly use the Arch Linux ARM package repositories for the core distro. Our overlay just adds integration scripts, bootloader components, extra userspace support packages (for things like audio), and our forked kernel and Mesa packages.
- This worked well to bring Asahi Linux out into the world and the hands of eager users, but it was but a step along the way to our ultimate goal. After all, maintaining bespoke downstream distro remixes is a chore, and we can’t rely on unofficial third-party support to bring our work to every other distro. We’ve always had our sights on deeper cooperation with upstream distros to bring Apple Silicon support directly to them as an officially supported platform, and the Arch ARM integration was mainly intended to serve as a reference for this.
- It didn’t take long for some people to come knocking on our door…
- Very soon after Asahi Linux started (well before our Arch ARM-based release), Neal Gompa joined our IRC channels and we started talking about working towards integrating our work into Fedora. This was the very first offer to officially collaborate with a major upstream distro, and we were very excited! The Fedora Asahi project started in late 2021, and work began in 2022 alongside the Arch ARM release.
- Over the following year, we worked closely with the Fedora folks to fully integrate Apple Silicon support into Fedora, including all our custom packages, kernel and mesa forks, and special image packaging requirements, and now we’re finally on the final stretch before release.
- The Fedora Asahi effort is upstream-first, just like all of our kernel and Mesa work. Our bespoke tools, like the m1n1 low-level bootloader and our asahi-scripts tools, are already in upstream Fedora repositories and available directly to all Fedora users (though they won’t do much if you install them on a non-Apple machine!). Meanwhile, our hardware enablement package forks are kept in COPRs maintained by the Fedora Asahi SIG, built and served from Fedora infra.
- Collaborating with distro integration experts and using distro infra like this frees us up to continue focusing on what we do best: reverse engineer hardware and develop bespoke drivers and software. But not only that, it also means we can offer an even better experience for Linux on Apple Silicon users!
- Working directly with upstream means not only can we integrate more closely with the core distribution, but we can also get issues in other packages fixed quickly and smoothly. This is particularly important for platforms like desktop ARM64, where we still run into random app and package bugs quite often. ARM64 desktop Linux has been a niche platform (until now!), and with much less testing comes a higher propensity for bugs, so it’s very important that we can address these issues quickly. Fedora already has a very solid, fully supported ARM64 port with a large userbase in the server/headless segment, so it is an excellent base to build upon and help improve the state of desktop Linux on ARM64 for everyone.
- We’re very happy to have this level of collaboration with Fedora, and the Fedora folks have been an absolutely amazing team throughout this whole effort. We want to thank Davide Cavalca, Eric Curtin, Leif Liddy, Neal Gompa, and Michel Alexandre Salim for kicking off the Asahi SIG and making this all possible.
- We still have a lot of work to do, including integrating even more packages for new hardware support and more. Adventurous users can try out the Fedora Asahi Remix today, but please expect rough spots (or even complete breakage). We’re still very much in the process of integrating everything and a bunch of new features are coming, and things are expected to break while we get everything in shape. Please keep that in mind if you choose to try it ahead of time. We ask that reporters and bloggers wait for the official release before evaluating our work.
- We hope you enjoy our efforts when the time for our first official Fedora Asahi Remix release comes. You may be wondering what new features are coming, but we’ll have to keep that a secret until release time (stuff isn’t even integrated yet, you’re not going to get a sneak peek even if you install early). Until then, please hang tight and look forward to the release!
- Wine 8.13 is out now with plenty of bug fixes
- from GamingOnLinux
- The latest release in the continuous cycle of development of the Windows compatibility layer Wine is out with Wine 8.13 bringing plenty of fixes and a few new features. Reminder: once a year a new stable release is made with the next being Wine 9.0, and Wine is just one part of what allows Steam Play Proton to play some of the biggest games around on Linux desktop and Steam Deck.
- Highlights from the release notes:
- Wow64 support in WineGStreamer.
- WeakMap support in JScript.
- Georgian translation.
- Various bug fixes.
- Looking over the bug fixes issues have been solved for: Steam, Medieval II: Total War, Yu-Gi-Oh! ONLINE 3, Aliens versus Predator Classic 2000, League of Legends, S.T.A.L.K.E.R.: Call of Pripyat, Total War Shogun 2, Star Ocean The Last Hope HD, Fallout 3, Kena: Bridge of Spirits, Total Conflict: Resistance, Dying Light 2: Stay Human and more.
- RISC-V Is Now An Official Debian Architecture Moss
- from Phoronix
- Debian 13 “Trixie” has been aiming for official RISC-V support and indeed it will happen: RISC-V has now been promoted to an official Debian CPU architecture.
- While long available as a Debian port, as of this weekend RISC-V 64-bit is now considered an official Debian architecture.
- Debian developer Aurelien Jarno notes though in the announcement that the official archive for RISC-V 64-bit is rather bare at the moment but will be building out soon:
- “Before you rush to update your sources.list file, I want to warn you that the archive is currently almost empty, and that only the sid and experimental suites are available. The procedure is to rebootstrap the port within the official archive, which means we won’t import the full debian-ports archive.
- Therefore our next step is to build a minimal set of ~90 source packages using the debian-ports archive and then import them into the official archive. These packages will be signed with a special GPG key using [email protected] as the email address, enabling easy tracking. This process has already started, hence the few ACCEPTED mails on the mailing list. It will probably take a few days especially given that sid is constantly evolving.
- Once done, we’ll point the build daemons to the official archive. In the meantime you can just continue to use the debian-ports archive on your devices.”
- Debian Sid can be used by those wanting this official RISC-V support once the package archive is built out, while the Debian 13 release will be out as stable in about two years’ time, with this milestone having been missed for the recent Debian 12 debut.
- Inkscape 1.3 Released As Latest Open-Source Software To Compete With Adobe Illustrator
- from Phoronix
- Inkscape 1.3 is now available as the newest feature release of this open-source software focused on being a vector graphics editor that can rival the likes of Adobe Illustrator.
- Inkscape 1.3 delivers on better performance, improvements to existing features, and several new features. Among the new changes in Inkscape 1.3 are the Shape Builder tool for creating all sorts of different shapes, the new Document Resources Dialog, adding the search box back to the Layers and Objects dialog, and the PDF import code has been rewritten. There’s also been enhanced node deletion logic, the filter editor has been overhauled, and a wide range of other improvements.
- Overall this SVG-focused, open-source vector graphics editor continues advancing quite well and in November will mark 20 years for this wonderful open-source project as an alternative to the likes of the proprietary Adobe Illustrator.
- Downloads and more details on the Sunday release of Inkscape 1.3 via Inkscape.org.
- LXD Maintainership Being Limited To Canonical Employees
- from Phoronix
- Earlier this month Canonical asserted control over the LXD project. As another step in tightening up control over this container management extension for Linux Containers (LXC), Canonical is now apparently limiting LXD maintainership rights to only Canonical employees.
- LXD developers that continued working on the project when it was independent or kept up with LXD/LXC after leaving Canonical up until now still had maintainership rights with the project. But as part of Canonical asserting more control over the project, it now appears the maintainership is being restricted to Canonical employees.
- Christian Brauner as a former Canonical employee and LXC/LXD developer (among other projects) wrote on Mastodon:
- “Apparently I’m not a maintainer of #LXD anymore and neither is @stgraber. So it seems from now on it’s Canonical employees only.
- I’d like to point out that before Canonical moved LXD into github.com/canonical/lxd maintainership was completely independent of the company. If you went to work somewhere else you still were a maintainer. As it should be with any well-functioning OSS project.”
- Stéphane Graber, the project leader for Linux Containers, recently left Canonical and is the other person cited by Brauner as having lost LXD maintainer rights.
- It appears LXD is being tightened up to be a Canonical/Ubuntu-only affair. At least though they are still accepting outside contributions such as with Graber today having seen this merge land for providing ZFS dataset delegation support as found in OpenZFS 2.2.
- Google warns again it will start deleting inactive accounts in December Moss
- from BleepingComputer
- In emails sent over the weekend, Google warned customers again that it would start deleting inactive accounts on December 1st, 2023.
- The company will only enforce this rule for accounts that haven’t been used or signed into within two years but will first notify the users their accounts are eligible for deletion.
- “If your account is considered inactive, we will send several reminder emails to both you and your recovery emails (if any have been provided) before we take any action or delete any account content. These reminder emails will go out at least 8 months before any action is taken on your account,” Google’s email reads.
- Once a Google Account is deleted, the associated Gmail address will become ineligible for use in creating a new Google Account.
- The easiest way to keep a Google Account active is to log in at least once every two years. As long as you have accessed your Google Account within the past two years, it will be considered active and will not be subject to deletion.
- Additional means to maintain your account’s activity status include reading or sending an email, using Google Drive, downloading apps from the Play Store, using Google Search and watching YouTube while logged on, sharing photos, or using Sign in with Google with third-party services.
- The rule also comes with certain exceptions, including Google Accounts with YouTube activity (channels, videos, or comments), accounts holding a gift card with a monetary balance, or accounts that published apps on the Google Play store.
- The company first warned customers that it changed its inactive account policies in May, when Ruth Kricheli, Google’s VP for Product Management, said extended periods of inactivity might indicate that the accounts have been compromised.
- “This is because forgotten or unattended accounts often rely on old or re-used passwords that may have been compromised, haven’t had two factor authentication set up, and receive fewer security checks by the user,” Kricheli said.
- “Our internal analysis shows abandoned accounts are at least 10x less likely than active accounts to have 2-step-verification set up.”
- Once compromised, threat actors can use Google accounts for a wide range of malicious purposes, from identity theft to sending spam or phishing emails.
- “We want to protect your private information and prevent any unauthorized access to your account even if you’re no longer using our services,” Google warned in the emails sent to Google users over the weekend.
- However, Google also allows users to download their data using the Google Takeout service, and it provides a feature known as the Inactive Account Manager that helps plan what happens with the account over a specific period of inactivity.
- Unpacking Google’s new “dangerous” Web-Environment-Integrity specification
- from Vivaldi blog, by Julien Picalausa
- Google seems to love creating specifications that are terrible for the open web and it feels like they find a way to create a new one every few months. This time, we have come across some controversy caused by a new Web Environment Integrity spec that Google seems to be working on.
- At this time, I could not find any official message from Google about this spec, so it is possible that it is just the work of some misguided engineer at the company that has no backing from higher up, but it seems to be work that has gone on for more than a year, and the resulting spec is so toxic to the open Web that at this point, Google needs to at least give some explanation as to how it could go so far.
- What is Web Environment Integrity? It is simply dangerous.
- The spec in question, which is described at https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md, is called Web Environment Integrity. The idea of it is as simple as it is dangerous. It would provide websites with an API telling them whether the browser and the platform it is running on that is currently in use is trusted by an authoritative third party (called an attester). The details are nebulous, but the goal seems to be to prevent “fake” interactions with websites of all kinds. While this seems like a noble motivation, and the use cases listed seem very reasonable, the solution proposed is absolutely terrible and has already been equated with DRM for websites, with all that it implies.
- It is also interesting to note that the first use case listed is about ensuring that interactions with ads are genuine. While this is not problematic on the surface, it certainly hints at the idea that Google is willing to use any means of bolstering its advertising platform, regardless of the potential harm to the users of the web.
- Despite the text mentioning the incredible risk of excluding vendors (read, other browsers), it only makes a lukewarm attempt at addressing the issue and ends up without any real solution.
- So, what is the issue?
- Simply, if an entity has the power of deciding which browsers are trusted and which are not, there is no guarantee that they will trust any given browser. Any new browser would by default not be trusted until they have somehow demonstrated that they are trustworthy, to the discretion of the attesters. Also, anyone stuck running on legacy software where this spec is not supported would eventually be excluded from the web.
- To make matters worse, the primary example given of an attester is Google Play on Android. This means Google decides which browser is trustworthy on its own platform. I do not see how they can be expected to be impartial.
- On Windows, they would probably defer to Microsoft via the Windows Store, and on Mac, they would defer to Apple. So, we can expect that at least Edge and Safari are going to be trusted. Any other browser will be left to the good graces of those three companies.
- Of course, you can note one glaring omission in the previous paragraph. What of Linux? Well, that is the big question. Will Linux be completely excluded from browsing the web? Or will Canonical become the decider by virtue of controlling the snaps package repositories? Who knows. But it’s not looking good for Linux.
- This alone would be bad enough, but it gets worse. The spec hints heavily that one aim is to ensure that real people are interacting with the website. It does not clarify in any way how it aims to do that, so we are left with some big questions about how it will achieve this.
- Will behavioral data be used to see if the user behaves in a human-like fashion? Will this data be presented to the attesters? Will accessibility tools that rely on automating input to the browser cause it to become untrusted? Will it affect extensions? The spec does currently specify a carveout for browser modifications and extensions, but those can make automating interactions with a website trivial. So, either the spec is useless or restrictions will eventually be applied there too. It would otherwise be trivial for an attacker to bypass the whole thing.
- Can we just refuse to implement it?
- Unfortunately, it’s not that simple this time. Any browser choosing not to implement this would not be trusted and any website choosing to use this API could therefore reject users from those browsers. Google also has ways to drive adoptions by websites themselves.
- First, they can easily make all their properties depend on using these features, and not being able to use Google websites is a death sentence for most browsers already.
- Furthermore, they could try to mandate that sites that use Google Ads use this API as well, which makes sense since the first goal is to prevent fake ad clicks. That would quickly ensure that any browser not supporting the API would be doomed.
- There is hope.
- There is an overwhelming likelihood that EU law will not allow a few companies to have a huge amount of power in deciding which browsers are allowed and which are not. There is no doubt that attesters would be under a huge amount of pressure to be as fair as possible.
- Unfortunately, legislative and judicial machineries tend to be slow and there is no saying how much damage will be done while governments and judges are examining this. If this is allowed to move forward, it will be a hard time for the open web and might affect smaller vendors significantly.
- It has been long known that Google’s dominance of the web browser market gives them the potential to become an existential threat to the web. With every bad idea they have brought to the table, like FLOC, TOPIC, and Client Hints, they have come closer to realizing that potential.
- Web Environment Integrity is more of the same but also a step above the rest in the threat it represents, especially since it could be used to encourage Microsoft and Apple to cooperate with Google to restrict competition both in the browser space and the operating system space. It is imperative that they be called out on this and prevented from moving forward.
- While our vigilance allows us to notice and push back against all these attempts to undermine the web, the only long-term solution is to get Google to be on an even playing field. Legislation helps there, but so does reducing their market share.
- Similarly, our voice grows in strength for every Vivaldi user, allowing us to be more effective in these discussions. We hope that users of the web realize this and choose their browsers consequently.
- The fight for the web to remain open is going to be a long one and there is much at stake. Let us fight together.
- ChromeOS is splitting the browser from the OS, getting more Linux-y
- from ArsTechnica
- It looks like Google’s long-running project to split up ChromeOS and its Chrome browser will be shipping out to the masses soon. Kevin Tofel’s About Chromebooks has spotted flags that turn on the feature by default for ChromeOS 116 and up. 116 is currently in beta and should be live in the stable channel sometime this month.
- The project is called “Lacros,” which Google says stands for “Linux And ChRome OS.” This will split ChromeOS’s Linux OS from the Chrome browser, allowing Google to update each one independently. Google documentation on the project says, “On Chrome OS, the system UI (ash window manager, login screen, etc.) and the web browser are the same binary. Lacros separates this functionality into two binaries, henceforth known as ash-chrome (system UI) and lacros-chrome (web browser).” Part of the project involves sprucing up the ChromeOS OS, and Google’s docs say, “Lacros can be imagined as ‘Linux chrome with more Wayland support.’”
- Previously ChromeOS was using a homemade graphics stack called “Freon,” but now with Wayland, it’ll be on the new and normal desktop Linux graphics stack. Google’s 2016 move to Freon was at a time when it could have moved from X11 (the old, normal desktop Linux graphics stack) directly to Wayland, but it decided to take this custom detour instead. Google says this represents “more Wayland support” because Wayland was previously used for Android and Linux apps, but now it’ll be used for the native Chrome OS graphics, too.
- On the browser side, ChromeOS would stop using the bespoke Chrome browser for ChromeOS and switch to the Chrome browser for Linux. The same browser you get on Ubuntu would now ship on ChromeOS. In the past, turning on Lacros in ChromeOS would show both Chrome browsers, the outgoing ChromeOS one and the new Linux one.
- Lacros has been in development for around two years and can be enabled via a Chrome flag. Tofel says his 116 build no longer has that flag since it’s the default now. Google hasn’t officially confirmed this is happening, but so far, the code is headed that way.
- Users probably won’t notice anything, but the feature should make it easier to update Chrome OS and might even extend the lifetime of old ChromeOS devices. This should also let Google more directly roll out changes on ChromeOS. Currently, there can be a delay while Google does the extra build work for ChromeOS, so the standalone browsers get security fixes first.
- Six Years In, Maintainer Darrick Wong Says ‘Goodbye’ to XFS
- from FossForce
- Yesterday Darrick Wong, the maintainer of the XFS file-system, announced in a patch series that he is calling it quits:
- “Hi all,
- “I do not choose to continue as maintainer.
- “My final act as maintainer is to write down every thing that I’ve been doing as maintainer for the past six years. There are too many demands placed on the maintainer, and the only way to fix this is to delegate the responsibilities. I also wrote down my impressions of the unwritten rules about how to contribute to XFS.
- “The patchset concludes with my nomination for a new release manager to keep things running in the interim. Testing and triage; community management; and LTS maintenance are all open positions.
- “This is an extraordinary way to destroy everything. Enjoy! Comments and questions are, as always, welcome.”
- For nearly 12 years Wong’s day job has been as a self-proclaimed “kernel hacker” at Oracle, where many of his duties have revolved around XFS, a high-performance 64-bit journaling file system created by Silicon Graphics in 1993. Before that, he spent eight years at IBM as an “open sourcer,” where he, “Wrote kernel code, mostly.”
- XFS was ported to the Linux kernel in 2001, and in 2002 Gentoo became the first Linux distro to make it available to its users as an option. These days it’s supported by most Linux distros, and since June 2014 it’s been the default file system in Red Hat Enterprise Linux — starting with the release of RHEL 7.
- Like many maintainers who’ve walked away from important but “unsexy” projects in recent years, Wong cited burnout caused by overwork as a major reason for his decision to quit:
- “I burned out years ago trying to juggle the roles senior developer, reviewer, tester, triager (crappily), release manager, and (at times) manager liaison. There’s enough work here in this one subsystem for a team of 20 FT, but instead we’re squeezed to half that. I thought if I could hold on just a bit longer I could help to maintain the focus on long term development to improve the experience for users. I was wrong.
- “Nowadays, people working on XFS seem to spend most of their time on distro kernel backports and dealing with AI-generated corner case bug reports that aren’t user reports. Reviewing has become a nightmare of sifting through under-documented kernel code trying to decide if this new feature won’t break all the other features. Getting reviews is an unpleasant process of negotiating with demands for further cleanups, trying to figure out if a review comment is based in experience or unfamiliarity, and wondering if the silence means anything.”
- Wong has recommended Chandan Babu, who for the last two years has been a XFS filesystem developer at Oracle, as his replacement.
— Play Security Transition Bumper —
- Zenbleed: A new Flaw in AMD Zen 2 Processors Puts Encryption Keys and Passwords at Risk
- From the Hacker News (via londoner) Jul 25, 2023
A new security vulnerability has been discovered in AMD’s Zen 2 architecture-based processors that could be exploited to extract sensitive data such as encryption keys and passwords. Discovered by Google Project Zero researcher Tavis Ormandy, the flaw – codenamed Zenbleed and tracked as CVE-2023-20593 (CVSS score: 6.5) – allows data exfiltration at the rate of 30 kb per core, per second.
The issue is part of a broader category of weaknesses called speculative execution attacks, in which the optimization technique widely used in modern CPUs is abused to access cryptographic keys from CPU registers.
“Under specific microarchitectural circumstances, a register in ‘Zen 2’ CPUs may not be written to 0 correctly,” AMD explained in an advisory. “This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information.”
“Vectorized operations can be executed with great efficiency using the YMM registers,” Cloudflare researchers Derek Chamorro and Ignat Korchagin said. “Applications that process large amounts of data stand to gain significantly from them, but they are increasingly the focus of malicious activity.”
“This attack works by manipulating register files to force a mispredicted command. Since the register file is shared by all the processes running on the same physical core, this exploit can be used to eavesdrop on even the most fundamental system operations by monitoring the data being transferred between the CPU and the rest of the computer,” they added.
While there is no evidence of the bug being exploited in the wild, it’s essential that the microcode updates are applied to mitigate potential risk as and when they become available through original equipment manufacturers (OEMs).
- UPDATE: A fix for this vulnerability is on the way. According to this article by Phoronix, an optimal fix is to run the latest AMD processor Family 17h microcode. The Linux kernel has also just received a patch for this “Zenbleed” vulnerability for older AMD CPUs. Thanks to Dale Miracle for bringing this to our attention. What is interesting is that the first article states this can’t be patched until later this year, and the Phoronix article, written a day earlier, states it has already been fixed.
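A defender's inventory check for the Zenbleed item above, added here as an example and not taken from the show notes or the cited articles: it parses `/proc/cpuinfo` text, picks out Family 17h (decimal 23) CPUs in the Zen 2 model ranges, and lists the microcode revision each one reports so it can be compared with AMD's advisory. The model ranges are an assumption based on how Linux classifies Zen 2 parts, and the sample input and its microcode values are constructed.

```python
"""Inventory check for Zenbleed (CVE-2023-20593) exposure from /proc/cpuinfo text."""
import re
from pathlib import Path

# Assumption (not from the show notes): Family 17h model ranges that Linux
# treats as Zen 2. Confirm against AMD's advisory before relying on them.
ZEN2_MODEL_RANGES = [(0x30, 0x4F), (0x60, 0x7F), (0x90, 0x91), (0xA0, 0xAF)]

# Constructed sample: entries from different hosts joined together to exercise
# the classifier. The microcode values are placeholders, not real revisions.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 113
model name\t: AMD Ryzen 5 3600 6-Core Processor
microcode\t: 0xaaaa0001

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 113
model name\t: AMD Ryzen 5 3600 6-Core Processor
microcode\t: 0xaaaa0002

processor\t: 2
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 8
model name\t: AMD Ryzen 7 2700X Eight-Core Processor
microcode\t: 0xaaaa0003

processor\t: 3
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 158
model name\t: Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz
microcode\t: 0xaaaa0004
"""


def parse_cpuinfo(text):
    """Split /proc/cpuinfo text into one dict of fields per logical CPU."""
    cpus = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            cpus.append(fields)
    return cpus


def is_zen2(cpu):
    """True when the entry is an AMD Family 17h CPU in a Zen 2 model range."""
    if cpu.get("vendor_id") != "AuthenticAMD":
        return False
    try:
        family = int(cpu["cpu family"])
        model = int(cpu["model"])
    except (KeyError, ValueError):
        return False  # incomplete or malformed entry: do not guess
    return family == 0x17 and any(lo <= model <= hi for lo, hi in ZEN2_MODEL_RANGES)


def zenbleed_inventory(text):
    """Summarise which logical CPUs are Zen 2 and which microcode they report."""
    cpus = parse_cpuinfo(text)
    affected = [c for c in cpus if is_zen2(c)]
    revisions = sorted({c.get("microcode", "unknown") for c in affected})
    return {
        "logical_cpus": len(cpus),
        "zen2_cpus": len(affected),
        "model_names": sorted({c.get("model name", "unknown") for c in affected}),
        "microcode_revisions": revisions,
        # More than one revision means the update did not reach every core.
        "mixed_microcode": len(revisions) > 1,
    }


if __name__ == "__main__":
    path = Path("/proc/cpuinfo")
    text = path.read_text() if path.exists() else SAMPLE_CPUINFO
    print(zenbleed_inventory(text))
```

The script only reports what the CPU says about itself; whether a listed revision contains the fix has to be read from AMD's advisory for that processor model.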
— Play Wanderings Transition Bumper —
30 minutes (~5-8 mins each)
- Well I had some time off but I was in some pain so did a lot of things that did not require a lot of moving around for a while
- I had some 3D printing fun of course. I made a Russian Nesting maze for my son for Christmas. It is a bit complicated but I did enjoy putting it together and taking it apart a couple of times. We are planning on putting something in it as well. There are 4 layers and they seem to get progressively harder to traverse and the thing looks solid when put all the way together. I may print it in another color
- I also was trying to print him a key chain of a bunny with a knife. The prints came out OK but I am working on the settings to see what I can improve. I am thinking that I will need to lower the temperature a little and slow the print down even more. I already went from 120mm/s to 75 and that showed minor improvements. I also tried a raft again because the feet were uneven but I had a problem removing the raft. I was using tree supports and I think that may still be better than regular support for removal but I think I will change the overhang angle from 63 to 45 and see if that smooths out some of the rougher parts.
- I am also working on printing out a wrist brace which I find interesting since you print it with no top and no bottom but more walls to fill in the supports. I have some foam that should work for the padding and I think I have some nylon strapping that will do the job. And some Velcro if I can find it.
- The first one I did the infill was too weak, I looked at others and I may try this one again but I am not sure what would be the best way to proceed. Probably increasing the width of the individual infill lines
- Well that is what I was going to do. My 3D printer stopped printing. It would start a print and then start printing in mid air and would grind the filament. I took apart the hot end and saw that the PTFE tubing was clogged and there was a bit of seepage around it. I cut the end of the tube and put it all back together only to have it happen again. I am getting some kind of heat creep. Maybe I put it back together wrong and there was just some seepage. Maybe I should reduce my retraction. Yes, I replaced the nozzle; I tried that before I took it apart the first time. Going to try to take it apart and put back together one more time and if that doesn’t work I will replace the entire assembly again. Maybe this time I will put on the quick connectors so I no longer have to take the thing all the way apart to get everything replaced
- My van went boom. My wife was driving when it started overheating. She was able to get the vehicle home thankfully and I was able to find the quick release connector that had popped on the coolant line leading into the engine. I did have to consult with some of my mintCast hosts to make sure that I was right about what it was but in the end I just removed the quick release connector and hooked the hose up straight so a zero cost fix. Besides I think the tube clamp is just as quick as the quick release and is much less annoying
- I say zero-cost, but after that I did the right thing and flushed the coolant system and put proper coolant and water mixture in there which cost around 40 dollars
- These things kept happening every time I started doing the research for the innards for this show
- It happened again the next day. Sat down to start writing and got a call from Jacki that the van had done it again. This time 20 minutes away at a gas station. So I grabbed my tools and got in my car and drove over there to see what had happened. This time a Y-coupler also for the coolant system had popped and all the coolant had leaked out. It was quite a bit more work to get this one out as the tubing had fused to the coupler that had deteriorated. It looks like my last fix was still working good but a new part had broken. The part fell apart more as I tried to remove the tube from the connector. I finally ended up cutting off two of the hoses and was able to properly remove the other piece by piece from the engine and the rotted connector. I had Jacki go get the new part while I was taking it all the way apart and thankfully the parts store had one on hand. Talking to the clerk we were the fourth person that day to have a coolant system problem of some kind. This time I just put water in it because I want to make sure that there is not going to be another problem in the same system. I still have some coolant left over and if the thing survives a week I will do the correct thing again.
- Later I sat down again and I got a call from the lawyer regarding things that we are currently involved in that I am not able to speak about other than to say that we may have come to an agreement. That took a lot of time. Hopefully I am able to get this done
- My Dad came to visit on Friday but I was still able to get everything written. I did miss out on the lug cast but I told those guys that it might happen. I did request my dad to get on the podcast with me but he was not interested.
- I really don’t have much to report this week because of my inability to do much of anything productive with regards to tech. While I was off work the week before last for the truck show, my truck was dismantled and sent to two different specialty shops to get various things done. I will get my truck back tomorrow, Monday as we record this episode. The truck I’ve been using these last couple of weeks didn’t have a usable workspace for me to do anything with my laptop, so it meant any projects I’ve been planning would have to be put on the back burner.
- I would like to say that I’ve been pleased so far with Mint 21.2. It seems as though flatpak is working a bit better than in previous releases. Although the Audacity flatpak, while better, still requires you to install “flatseal” and change a setting removing the pipewire file association. From what I can tell, it only seems to be a problem with Mint. I’m considering moving to LMDE when version 6 releases to get more up to date packages. That way I don’t have to use the flatpak of Audacity any more. I’m somewhat conflicted on this topic. In the past, I’ve used Arch which dissolves all of these problems with regards to slowly developed hardware.
- Audacity continues to be a thorn in my side. I use the flatpak for now, I’ve even cowboy compiled it on Mint so as to get the most up to date version as there are new features that make editing a bit easier, and I’m digging the new SQLite database method they use to store projects now. There’s still some nagging, cringeworthy problems such as the fact that the horizontal scroll bar doesn’t appear until you unmaximise, then remaximise the window – maddening! The Audacity team is aware of the problem, but it doesn’t seem as though there’s a solution in sight. They keep releasing iterative updates, but they seem to be more interested in adding features than fixing some glaring problems like this. I keep hearing about a re-base from the wx-widgets toolkit to something else; some say Qt, others say it’s something like “Muse toolkit.” I’ve seen nothing in any official Audacity communication to confirm either of those claims. At this point, the only thing keeping me on Audacity is the fact that I haven’t had time to learn Ardour, or Reaper. I’ve @’d them on Twitter and Facebook, displaying my discontent. I really hope something comes of it soon. I really want darling FOSS projects like this to be worth taking seriously. I advocate for them to normal people, but it gets hard to do when they don’t get the basic things right. Anyway, my hope for the future is still intact.
- I have spent a bit of time getting acclimated to my new smart guitar. I’m getting to like it. It does not quite feel like a guitar but it almost looks and sounds like one. I got a good price, $426 rather than the $899.99 ($599.99 today on Amazon) list, but that’s mostly because they just came out with the 2nd Generation model. (The NEXG 2 is $899.99 today, but it also comes with a charger/stand and an effects box.)
- I got all my renewal paperwork done, almost in time. Apparently not in time for my phone appointment, as they did not call me at the appointed time.
- My wife’s father passed away August 1st, of lung cancer at age 87.
- I will be missing the next episode, as I will be off singing at a friend’s house in South Carolina. I will make the streamcast.
- Went Abroad! Went to Marrakesh, Morocco. Was a place I had been planning on going to for a long time, but never managed to. Finally a window came up where me and my sons could go. It was a really good holiday. Saw a lot of historical sites, participated in the madness of local bazaars, went on trek to the Atlas mountains, rode a camel in the desert and went quad biking. Not too expensive, especially as I had booked it only 3 weeks earlier. If I had planned it better, maybe would’ve got it cheaper. It was good spending time with my boys too. It was bloody hot! Around 105F (43C). Unlike the gulf countries, AC isn’t ubiquitous, and so we felt the heat. We ended up following a middle-eastern routine. Wake early, do stuff till midday, then take some rest/nap, then come back out in the evening. I’m already planning another trip back there!
- As much as I need to switch off from work, I couldn’t completely. Took my work phone just in case there were any important messages. There was one actually that it was useful I responded to out there. Our hospital department website. Seems as if our education department hadn’t paid the web hosting fees and this meant it was going to be shut down. This is especially a problem as we have just had a new flux of doctors rotating to us. Was able to sort it out quickly thankfully. (its wolvesgas.org.uk if anyone is interested.)
- The Mint experiment continues. I’ve added Ulauncher to my setup as I was missing the GNOME universal search/KDE Runner functionality. Not as good, but usable. Machine is lightning fast.
- It is with much shame that I have to admit that I still keep a Windows installation on my main machine. This is because of my use of OneNote for note-taking for my work, and also my Islamic lessons. Generally the services (whether FOSS or proprietary) I use are OS-agnostic, things I can use on Android, Linux, Windows and (recently) Mac OS. Whether it’s music streaming (Spotify), messaging (Telegram), office (LibreOffice) etc, you get the drift. This was always because of my use of Android and Linux, and to avoid vendor lock-in. OneNote has been the hold-out. It works great with stylus input, and integrates with all the different OSs. But this week I was doing my annual appraisal paperwork (we have to do this once a year in the NHS) and realised that I couldn’t convert my OneNote notes into a PDF unless I had the desktop client of it (the web app doesn’t allow export to PDF), so I had to fire up the Windows partition on my machine to do it. I need to find a cross-platform replacement for OneNote, one that works well with pen-input. Any ideas?
- Similarly, I have used the MEGA Cloud service because it works well cross-platform (I know Moss thinks it’s dodgy, and he’s probably right). Recently though I have been getting sync errors, especially on my Linux boxes. I only have 20GB space on there, so have no problem moving off it. But to what? I have a Google Drive with 100GB, but there doesn’t seem to be a proper Linux client (even with GNOME integration). I have an old OneDrive grandfathered plan which has 50GB, but OneDrive on Linux? Seems counter-productive. I know people will mention NextCloud, but how well does it work cross-platform? I’ve only used it on Linux and Android. Dropbox used to have really good Linux integration when I used it a few years ago. But free storage is rubbish (2GB) so would need to pay for storage. Any other suggestions?
- Atypical Anaesthetist is a fantastic name…but a bit hard to spell, and often too long for social media handles. So I’m thinking of a re-brand. A2 (A-squared perhaps)?
- Speaking of Islamic lessons, I have completed a work with my teacher which now gives me a chain of authority to teach that text, going back to 8th century. Bit of an achievement for me!
- Finally, had our 20th wedding anniversary. I did the predictable and bought my wife some jewelry, she was insistent on buying something for me. She thought I’d want some tech, which I do, but I chop-n-change so much with buying and selling of tech, it didn’t seem a suitable type of gift. Wanted something a bit more permanent. In my younger days I had been into watches, so she bought me my first Swiss watch. Just a Tissot PRX, nothing too fancy, but something that feels more substantial than some tech that I will no doubt move on from shortly.
— Play Innards Transition Bumper —
30 minutes (~5-8 minutes each)
- Kevin Mitnick (August 6, 1963 – July 16, 2023)
- As some of you may know, Kevin Mitnick died on July 16th from pancreatic cancer. I have been hearing about Kevin for a large portion of my life and I wanted to show you all a bit about his life.
- I remember being in high school and hearing about the “Free Kevin” movement because he was being held without trial and was left there for years without any movement.
- Some of this came from the book and some of it came from various articles and also from Wikipedia. I noticed that many of those articles and even Wikipedia had a lot of the timings off or were so truncated that they didn’t really tell the whole truth. So some of the items in this article may be out of order or not quite correct. I tried to bring everything together as best I could
- He wrote several books that I have enjoyed and found helpful over the years but I will get to that in a minute.
- He first started social engineering people at a very early age. When he was 12 he convinced a bus driver to tell him where he could get one of the hole punches that were used by the public transit in LA for a school project and found a bunch of discarded transfer slips near the bus company allowing him to use the public transportation in LA for free.
- He was heavily involved with some high school aged friends that were into phone phreaking, mostly used for making free calls and pulling pranks
- He discussed one of his favorites often in interviews and that was when he used his HAM skills to take over a McDonalds drive through speaker while also being able to see it from a distance. He would tell people that their meal was free or if he saw that they were obese that they should probably order the McSalad instead. Also yelling about drugs whenever a police officer drove up
- A few years later at the age of 16 he was able to gain access to the ARK computer system owned by DEC used for developing operating systems for the PDP-11 minicomputers where he copied the company’s software for which he was charged and convicted in 1988. 12 months in prison and 3 years of supervised release
- During the later portion of his release he illegally accessed Pacific Bell voice mail computers. This led to a warrant being issued for his arrest and more than two years on the run.
- A lot of people would say that he hacked into Pacific Bell. Like he was running code cracking brute force software from his house to gain access to the system. What actually happened is that he walked in the office and took a bunch of computer manuals and codes that were lying around and used those to access the internal systems
- Mitnick always talked about how it was more of a social engineering exercise to get into the places that he wanted to access and that his goal was to access all of the major phone networks and gain access to their network switches. Which would give him complete control of the network
- That being said he talked a lot about how this was all a hobby for him and he never took anything to profit from it. Which led to some of the difficulties in prosecuting him later on
- During his time on the run he illegally accessed several systems and copied information for the sake of learning more in order to be a better hacker
- One of his favorite exploits that he talked about often in interviews was the time he hacked the local wifi towers and was able to get the phone numbers of the FBI agents that were tailing him as well as use those numbers to figure out who the mole was that was informing on him. Using the numbers of the FBI agents and the cell phones he was able to track all of their locations and set up some scripting to automatically warn him when the officers went to certain locations like his home apartment.
- After getting the alert that they had been near his apartment but had not arrested him and had not entered, he figured they must be getting a warrant to come inside so he was able to get rid of all of his electronics and put a box of donuts in the fridge labeled “FBI Donuts”. The FBI did show up but left the donuts untouched.
- I relistened to his book Ghost in the Wires while writing this hoping to get some more inspiration on things that I could bring here. I also rewatched his interview on Hak5 with Shannon Morse from about 11 years ago. I remember watching it the first time and I loved hearing him talk about how he was able to get people to give him access to things simply by convincing them. I have never been that quick on my feet when it comes to conversations and steering people to the things that I want but his discussions were good enough that I was able to see when people were trying to do it to me.
- He was able to talk to security officials and secretaries and find the people he needed in order to get the access he wanted to be able to learn the things that would allow him to meet his goals of accessing various systems. He mentions several times that a lot of his exploits with friends were never about using the access that he acquired but about knowing that he could use the access that he acquired.
- A lot of his phone phreaking skills came in handy during this time as he was able to reroute numbers so that a call that he made would look like it had come from a location internal to the network which would provide some level of assurance to the people he was calling that he was legitimate
- He did write a bunch of exploits and use and modify other people’s code and create programmatical back doors but in most cases he had to convince someone to install said back doors and the exploits still needed him to have gained access somehow.
- Remember some of this later when it comes time to talk about his security lectures and consultation. He used what he learned doing this to create methods that I still see on a daily basis to improve security
- He spent two and a half years on the run. He used the name Eric Weisz, which was the birth name of Harry Houdini, as one of his identities. I found it interesting how he was able to make a new identity and get all the information for it, multiple times. Just as an example, one of the techniques he used to avoid suspicion was to convince the DMV to give him a learner’s permit since that was less suspicious and then take the refresher course saying that he was just back from overseas and then using the DMV loaner to pass the test. Thus acquiring a new driver’s license under the new identity. It required a bit more work but that was what would avoid suspicion
- He had several jobs while on the run, including process server. Which I find hilarious, being served legal documents from a federal fugitive.
- While maintaining his different identities he still continued to crack into various systems such as Sun Microsystems just to look at the source code. The book Ghost in the Wires really goes into detail on all the ways that he was able to gain remote access to different systems.
- He also discussed the changing cell phones of the time and gaining the code for them (MicroTAC Ultra Lite)
- Many of the times that Mitnick got caught, and he was caught on several occasions, were due to the same exploit that he used against so many companies. The people he trusted around him. Many times it was friends or friends of friends that were his undoing. I am not going to go into any names on that because it was a very common theme
- There were also many people that Mitnick mentioned in a very fond way. People that he developed relationships with all over the world that he respected and talked or worked against in order to gain access to places and things. Read the book.
- After his final arrest in 1995 he was held for 4 years where the prosecutors admitted that his rights were being violated and that they were going to make an example of him to the hackers of the world. Many of his earlier crimes were not covered by any laws and it was difficult to assess his current crimes due to the fact that there were no damages and no profit on his part.
- There were many claims against Mitnick that were false such as him traveling to Israel and a couple of hacks that were done by friends of his that he got the blame for. Such as hacking the federal government
- Later the prosecuting attorney pleaded to the judge that if Mitnick had access to a touch tone phone then he could call NORAD and whistle into the phone and launch nukes, starting World War 3. This accusation was enough to get him put into solitary confinement for 8 months until he signed the plea deal.
- What he found fun during that time was: They limited his ability to call people to his mother, his aunt, his wife and his lawyer, but only under supervision. But he was limited to only making calls during business hours when his wife was working. He found a way around this using a bit of phone phreaking.
- What he did was start walking around with the long cord of the phone and then scratching his back on the phone itself. He reached behind himself in front of the guard that was watching him and hung up the phone and knew that he had 18 seconds before the tone started. He would then surreptitiously continue to scratch behind himself while faking a continued conversation and dial behind his back to his wife’s work number and would time his conversation so that the word ‘Kevin’ would be the word spoken right after the operator said ‘whom should I say is calling’
- This worked for several weeks when he was approached by the staff at the prison and they asked him how he did it. He denied everything even though there were recordings of his conversations.
- Afterwards they put his own phone into solitary and would only allow him access to the handset. This was actually during his first time in prison.
- His second time they started with him isolated and were able to use that to coerce him
- He was denied a bail hearing which was the first time in history that happened. The people prosecuting him used that and told him that they would run him through every jurisdiction on every charge that they could and pursue the maximum sentence every time where he would continue to be held without bail for the entire duration. Essentially saying that even if he got off on the charges he would still spend even more years in jail even if he won
- Eventually they were able to use that to convince him to make a plea deal since they had evidence against him. He was able to plead for time served along with supervised release. This happened in 2000 and that is when he started public speaking and advising on security.
- The time he was in prison there were many protests and many people that showed support for him. Bumper stickers, t-shirts, protests and even a banner in the sky that he could see from his cell
- During his probation there was a considerable amount of time that he was not able to use a computer with some minor exceptions. But the US government wanted him to give a presentation on how they could improve their own security as did many of the companies that he had infiltrated as well as many others. Despite the restrictions he was able to make a pretty good living on the talking circuit as well as travel which required the permission of his PO
- In the book Mitnick also discussed being able to overcome his crippling stage fright with the help of a speech coach
- After the end of his probation of not being able to touch a digital device he started his own security/pentesting firm and continued to do public speaking as well as advising on the best methods of implementing security
- I remember listening to one of his transcribed talks about inoculating employees at large companies against the types of attacks that he used on a regular basis by providing training and also having the company send out phony emails and having the employees catch them or learn from them if they made a mistake. This practice is still very much in use at many companies and I see it used all the time.
- This gets people used to the idea of catching these things and when a real one comes in they are more likely to catch and report it than they are to make a mistake.
- He also wrote and or co-authored four books.
- The Art of Deception
- The Art of Intrusion
- Ghost in the Wires
- The Art of Invisibility
- I have enjoyed two of those books and we even reviewed one of those on the show and discussed the level of paranoia involved. It was a good episode and the books are extremely informative.
- One last thing of note is that Mitnick passed away at the age of 59 on July 16th and left behind a wife that was pregnant with their first child. He battled pancreatic cancer for 14 months.
— Play Vibrations Transition Bumper —
20 minutes (~5 minutes each)
- Howdy Joe! I’m the one that sent you the Pine Phone. Just so happens I also intensely watch some of the top podcaster docs regarding health and diet. You did not say what meds you were taking for weight loss. Was that Ozempic or the other equivalents? New findings with precautions and explanations as to WHY those meds are bad!! Jeff in Orlando
- Phentermine. I refused the Ozempic because I did not want to contribute to the problems that people with diabetes have getting it. But yeah, I saw some of those studies as well
— Play Check This Transition Bumper —
- Thank you for listening to this episode of mintCast!
- If you see something that you’d like to hear about, tell us!
Send us email at [email protected]
Join us live on Youtube
Post at the mintCast subreddit
Or post directly at https://mintcast.org
- Next Episode – 2 pm US Central time on Sunday, August 20, 2023.
- Get mintCast converted to your time zone
- for 418 Next Roundtable Live Stream – 2 pm US Central time on Saturday, August 12, 2023.
- Get the Roundtable Live Stream converted to your time zone
- for 418.5 Next Roundtable Live Stream – 2 pm US Central time on Saturday, August 26, 2023.
- Get the Roundtable Live Stream converted to your time zone
- Livestream information is at mintcast.org/livestream
- Joe – Tllts.org, linuxlugcast.com, MeWe, [email protected], Buy Joe a coffee
- Moss – Full Circle Weekly News, Distrohoppers’ Digest, [email protected], I’m on Mastodon as @[email protected], and other contact information can be found at It’s Moss dot com
- Bill – [email protected], Bill_H on Discord, @[email protected] on Mastodon, @wchouser3 on Twitter, and wchouser3 on Facebook also – checkout my other podcasts Linux OTC and 3 Fat Truckers
- Majid – [email protected] @atypicaldoctor on twitter, AtypicalAnaesthetist on instagram and The Atypical Anaesthetist Podcast on Spotify
Before we leave, we want to make sure to acknowledge some of the people who make mintCast possible:
- Someone for our audio editing
- Archive.org for hosting our audio files
- Hobstar for our logo, initrd for the animated Discord logo
- Londoner for our time syncs
- Bill Houser for hosting the server which runs our website, website maintenance, and the NextCloud server on which we host our show notes and raw audio
- The Linux Mint development team for the fine distro we love to talk about <Thanks, Clem … and co!>
— Play Closing Music and Standard Outro —