Episode 437 Show Notes
Welcome to mintCast
the Podcast by the Linux Mint Community for All Users of Linux
This is Episode 437!
This is Episode 437.5!
Recorded on Sunday, May 12, 2024
It’s already hot here, I’m Joe; wishing it was still Friday, I’m Bill; surrounded by Northern Lights, I’m Majid.
— Play Standard Intro —
- First up in the news: Mint Monthly News for April, Ubuntu 24.04 released, Ubuntu 24.10 codename revealed, systemd introduces run0, Google drops RISC-V from Android’s Generic Kernel Image, RISC OS 5.30 arrives, and Bitwarden launches a standalone MFA app for Android and iOS;
- In security and privacy: researchers spotlight a browser-based ransomware threat, and a maximum-severity GitLab account-hijacking flaw is under active exploitation;
- Then in our Wanderings: Majid Endeavours to Fail, Bill Endeavours to succeed, Joe.
- In our Innards section: we’re going to discuss some best practices for good hygiene and safety when utilizing technology.
- And finally, the feedback and a couple of suggestions
— Play News Transition Bumper —
The News
20 minutes
- Mint Monthly News – April 2024
- The BETA test for the new Fastly repositories is continuing. This is a long test and the more people join it, the better. The Fastly CDN (Content Delivery Network) and its caching mechanism are extremely impressive. Unlike the current Mint repository servers which are located in one place and have a maximum bandwidth capacity, the Fastly network replicates and caches data to make it available anywhere in the World, consistently at fast speed, without downtime or slow-downs.
- A new partnership with Datadog was announced. Datadog specializes in… data. It’s not just monitoring and log analysis, they provide an incredibly customizable set of tools which lets you define your own parsers, metrics, dimensions and basically get the information you want, analyzed and monitored in real time.
- The stats Mint shared last month, which showed the popularity of each Linux Mint edition, were powered by Datadog. Note: This data comes from the traffic on the download pages of the Mint websites. No telemetry is collected inside the OS.
- Mint 22 will feature a preinstalled Web App for Matrix using Element as a front-end. If you want to use a different Matrix client, you’ll be able to modify it or delete it. Of course, you don’t need to wait for Mint 22 to connect to the Linux Mint space on Matrix. You can simply head over to https://app.element.io/#/room/#linuxmint-space:matrix.org.
- Clem talks about giving XApps more independence to enable them to work better with more distributions. “XApp should be its own organization, with its own github repositories, chat room, website, etc. It should be a space which facilitates collaboration, compatibility and the development of applications which work everywhere, not just apps which are needed or maintained by us.”
- “If we want other developers and other projects to work together on compatible software and common solutions, we need a space like XApp. But this space needs to be independent of any DE and any distribution for everyone to feel equal and to feel welcome. Not just on paper, but in general, in discussions, empowerment and decision-making.”
- Xapp is on Matrix at https://matrix.to/#/#xapp:matrix.org. Everyone is welcome.
- Clem goes on to talk about libAdwaita being for GNOME only. The Adwaita theme will be removed from the list of available themes in Cinnamon 6.2 and blacklisted in Cinnamon. MATE and Xfce should probably do the same, since it looks just as bad on any non-GNOME desktop.
- Finally, the importance of Flatpak verification is discussed. In Flathub, a verified app is an app that is published by its original developer or a third party approved by the developer. Right now, only 42% of Flatpaks have been verified by Flathub. The store is actively trying to verify apps, especially now after the XZ story and the multiple times malware was injected in the Snap Store.
- In Mint 22, the Software Manager will not show unverified Flatpaks by default. This will be an opt-in. When shown, unverified apps will have a score of 0. The score can help a user build trust towards the application, but the issue here isn’t the application, it’s the fact that the maintainers aren’t who people think they are. When shown, unverified apps will be clearly marked as unverified. By the time any malware hits Flathub, we hope these measures and the measures taken by Flathub will have minimized the number of exposed users and raised awareness around the risks which are being taken. The Mint team is fully aware this goes against convenience and will hurt Linux Mint a little bit. It might not be a popular decision but they think it’s a very important one.
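The verification flag the Software Manager will act on lives in Flathub’s appstream metadata, not in the Flatpak itself. The script below is an added example for these show notes (not mintinstall or Flathub code) that parses a constructed appstream feed and applies the Mint 22 policy described above: hide unverified apps unless the user opts in, and show a score of 0 when they are displayed. It assumes the per-app `<custom>` keys `flathub::verification::verified` and `flathub::verification::method`, which is how Flathub publishes the status today; treat the key names as an assumption if you point this at a real feed.

```python
"""Filter a Flathub appstream feed by verification status.

Added example, not Linux Mint's or Flathub's code. Assumes each <component>
carries <custom> values keyed ``flathub::verification::verified`` and
``flathub::verification::method`` (an assumption about Flathub's metadata).
Models the Mint 22 Software Manager policy: unverified apps hidden unless the
user opts in, and scored 0 when shown.
"""
from dataclasses import dataclass
from typing import Optional
import xml.etree.ElementTree as ET

VERIFIED_KEY = "flathub::verification::verified"
METHOD_KEY = "flathub::verification::method"

# Constructed sample in the shape of a Flathub appstream component list.
SAMPLE_APPSTREAM = """
<components version="0.14" origin="flathub">
  <component type="desktop-application">
    <id>org.example.Editor</id>
    <name>Example Editor</name>
    <custom>
      <value key="flathub::verification::verified">true</value>
      <value key="flathub::verification::method">website</value>
    </custom>
  </component>
  <component type="desktop-application">
    <id>com.example.Repack</id>
    <name>Repacked Tool</name>
    <custom>
      <value key="flathub::verification::verified">false</value>
    </custom>
  </component>
  <component type="desktop-application">
    <id>io.example.NoMetadata</id>
    <name>No Metadata</name>
  </component>
</components>
"""


@dataclass(frozen=True)
class App:
    app_id: str
    name: str
    verified: bool
    method: Optional[str]


def parse_components(xml_text: str) -> list[App]:
    """Return one App per <component>, failing closed when metadata is missing."""
    apps = []
    for comp in ET.fromstring(xml_text.strip()).iter("component"):
        values = {v.get("key"): (v.text or "").strip()
                  for v in comp.findall("./custom/value")}
        # Only an explicit "true" counts as verified: a missing key must not be
        # mistaken for a verified publisher.
        verified = values.get(VERIFIED_KEY, "").lower() == "true"
        apps.append(App(comp.findtext("id", "").strip(),
                        comp.findtext("name", "").strip(),
                        verified, values.get(METHOD_KEY)))
    return apps


def visible_apps(apps: list[App], show_unverified: bool = False) -> list[App]:
    """Mint 22 default: unverified apps are hidden unless the user opts in."""
    return [a for a in apps if a.verified or show_unverified]


def display_score(app: App, review_score: float) -> float:
    """Unverified apps are shown with a score of 0 regardless of reviews."""
    return review_score if app.verified else 0.0


if __name__ == "__main__":
    for app in parse_components(SAMPLE_APPSTREAM):
        tag = "verified" if app.verified else "UNVERIFIED"
        print(f"{app.app_id:28} {tag:10} method={app.method}")
```

The fail-closed default matters: an app with no verification metadata at all (the third component) is treated exactly like one explicitly marked unverified, which is the behaviour you want from a store front that is trying to protect users from look-alike publishers.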
- Ubuntu 24.04 LTS (Noble Numbat) released
- from Ubuntu News
- Ubuntu 24.04 LTS, codenamed “Noble Numbat”, is here. This release continues Ubuntu’s proud tradition of integrating the latest and greatest open source technologies into a high-quality, easy-to-use Linux distribution. The team has been hard at work through this cycle, together with the community and our partners, to introduce new features and fix bugs.
- Our 10th Long Term Supported release sets a new standard in performance engineering, enterprise security and developer experience.
- Ubuntu Desktop brings the Subiquity installer to an LTS for the first time. In addition to a refreshed user experience and a minimal install by default, the installer now includes experimental support for ZFS and TPM-based full disk encryption and the ability to import auto-install configurations. Post install, users will be greeted with the latest GNOME 46 alongside a new App Center and firmware-updater. Netplan is now the default for networking configuration and supports bidirectionality with NetworkManager.
- Ubuntu now enables frame pointers by default on 64-bit architectures to enable CPU and off-CPU profiling for workload optimisation, alongside a suite of critical performance tools pre-installed. The Linux 6.8 kernel now enables low-latency features by default. For IoT vendors leveraging 32-bit arm hardware, our armhf build has been updated to resolve the upcoming 2038 issue by implementing 64-bit time_t in all necessary packages.
- As always, Ubuntu ships with the latest toolchain versions. .NET 8 is now fully supported on Ubuntu 24.04 LTS (and Ubuntu 22.04 LTS) for the full lifecycle of the release and OpenJDK 21 and 17 are both TCK certified to adhere to Java interoperability standards. Ubuntu 24.04 LTS ships Rust 1.75 and a simpler Rust toolchain snap framework to enable future rust versions to be delivered to developers on this release in years to come.
- The newest Edubuntu, Kubuntu, Lubuntu, Ubuntu Budgie, Ubuntu Cinnamon, Ubuntu Kylin, Ubuntu MATE, Ubuntu Studio, Ubuntu Unity, and Xubuntu are also being released today. More details can be found for these at their individual release notes under the Official Flavours section.
- Maintenance updates will be provided for 5 years for Ubuntu Desktop, Ubuntu Server, Ubuntu Cloud and Ubuntu Core. All the remaining flavours will be supported for 3 years. Additional security support is available with ESM (Extended Security Maintenance).
- Ubuntu 24.10 Codename Revealed as Development Begins
- From OMGUbuntu (via londoner)
- Joey Sneddon writes: Although Ubuntu 24.04 LTS has only just been released the pace of development marches ever on. Ubuntu developers are already beginning to bootstrap the base on which the next short-term release of the popular Linux distribution will be built. Ubuntu 24.10 will be released in October, 2024 and, upon release, receive 9 months of updates.
- Of course, as we all know: every new Ubuntu release gets its own alliterative codename made up of an adjective and an animal (real or mythological). For Ubuntu 24.10 they’ve settled on “Oracular Oriole”. Cute, but what does it mean?
- Oracular – Adjective relating to an oracle
- Oriole – A bird
- In contexts I’ve seen it used, oracular acts as an arcane-sounding synonym for words like prophetic, divinatory, sibylline, augural, etc., as well as a way to infer that a statement is intentionally ambiguous or intended to be mysterious, etc.
- As for birds, orioles are known for vivid, colourful plumage that lend a dramatic presence amongst the muted, earthy tones of the trees and bushes they live in. Orioles are also famed for melodious song (and if this were 2020 I’d 100% make a Twitter/tweets joke).
- In popular culture it’s ‘new world’ orioles that people generally think of/mean when talking about orioles. It’s birds from this genus, related to blackbirds, which serve as inspiration for the names of famous sports teams, like Baltimore Orioles baseball team.
- But why “Oracular Oriole” for Ubuntu 24.10? Perhaps ‘oracular’ foreshadows the arrival of innovative features and insightful solutions that will, like the ‘oriole’, captivate and impress all those who see it. Just my interpretation; for now the real reasoning behind the codename is a mystery.
- Systemd v256 Introduces run0: A Safer Alternative to sudo
- from Linuxiac
- The sudo command is widely regarded as a fundamental tool in our everyday Linux operations, so much so that we almost take its presence for granted. But what if I told you that its days might well be numbered, and new versions of systemd may mark the beginning of its sunset? No, I’m not rambling. Here’s what it’s all about.
- In his latest post, Lennart Poettering, the mastermind behind systemd, shares a thoughtful critique and robust replacement for the longstanding sudo command.
- He argues that the core issue with sudo lies in its SUID nature, which allows a process to execute with elevated privileges partially controlled by unprivileged code, demanding meticulous manual cleanup—a recipe for potential security breaches.
- “I personally think that the biggest problem with sudo is the fact it’s a SUID binary though – the big attack surface, the plugins, network access and so on that come after it just make the key problem worse…”
- In light of this, his vision for a more secure system involves completely eliminating SUID binaries, pushing for an architecture where privileged code operates independently of unprivileged interference.
- “So, in my ideal world, we’d have an OS entirely without SUID. Let’s throw out the concept of SUID on the dump of UNIX’ bad ideas. An execution context for privileged code that is half under the control of unprivileged code and that needs careful, manual clean-up is just not how security engineering should be done in 2024 anymore.”
- Enter run0, systemd’s latest innovation slated for release in v256. It is not just a new tool but a reimagined systemd-run, accessible via a symlink, that mimics sudo without actually being an SUID binary.
- It operates by requesting the service manager to execute commands under the target user’s UID, creating a new PTY (pseudoterminal), and transferring data between the original TTY and this PTY.
- This setup ensures that the command executes in an isolated environment, freshly forked off from PID 1, without inheriting any problematic context from the client.
- Moreover, run0 eschews traditional configuration complexities by utilizing polkit for authorization, streamlining user interactions, and further securing the execution process.
- The tool also adds a touch of user-friendly flair: when operating with elevated privileges, it modifies the terminal background to a reddish hue, serving as a visual cue of one’s elevated status—a simple yet effective reminder to manage privileges responsibly.
- In conclusion, one thing is certain—this will spark further debate within the Linux community. Another certainty is that systemd v256 is now 88% complete, with little left until its final stable release. And what will happen after that remains to be seen.
- For detailed information, here is Poettering’s post.
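Whether or not run0 replaces sudo on your machines, the argument above is about the SUID attack surface, and the first thing a practitioner will want is an inventory of it. The script below is an added example for these show notes, not systemd code: it walks a directory tree without following symlinks, reports every regular file carrying the setuid or setgid bit, and flags setuid-root binaries (the sudo case) separately. The demo function builds a constructed tree in a temporary directory so it can be run without root.

```python
"""Inventory setuid/setgid files, the attack surface Poettering wants to retire.

Added example for these show notes, not systemd code. Walks a tree without
following symlinks, reports regular files with the setuid or setgid bit, and
flags setuid-root binaries separately. demo_in_tempdir() builds a constructed
tree so the scan can be exercised as an unprivileged user.
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    path: str
    mode: int          # permission bits only, e.g. 0o4755
    uid: int
    category: str      # "setuid-root", "setuid" or "setgid"


def classify(mode: int, uid: int) -> Optional[str]:
    """Category for a raw st_mode/st_uid pair, or None if nothing to report."""
    if not stat.S_ISREG(mode):
        return None                      # directories and links are not executed with SUID
    if mode & stat.S_ISUID:
        return "setuid-root" if uid == 0 else "setuid"
    if mode & stat.S_ISGID:
        return "setgid"
    return None


def scan(root: str) -> list[Finding]:
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Don't descend into symlinked directories: avoids loops and
        # /proc-style surprises when run against /.
        dirnames[:] = [d for d in dirnames
                       if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)      # lstat: never report a link's target by accident
            except OSError:
                continue                 # unreadable or vanished: skip, keep scanning
            category = classify(st.st_mode, st.st_uid)
            if category:
                findings.append(Finding(path, stat.S_IMODE(st.st_mode), st.st_uid, category))
    return sorted(findings, key=lambda f: f.path)


def demo_in_tempdir() -> list[Finding]:
    """Constructed tree: one setuid file, one setgid file, one plain file."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("suid_tool", 0o4755), ("sgid_tool", 0o2755), ("plain", 0o755)):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(b"#!/bin/sh\nexit 0\n")
            os.chmod(path, mode)
        return scan(tmp)


if __name__ == "__main__":
    # Point at "/" (as root, for a complete picture) to audit a real system.
    for f in demo_in_tempdir():
        print(f"{f.category:12} {oct(f.mode):>7} uid={f.uid} {f.path}")
```

On a real system, run it as root against `/` and compare the setuid-root list against what your distribution actually ships; anything you do not recognise deserves a package-ownership check before it deserves a shrug.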
- RISC-V support in Android just got a big setback
- from Android Authority
- Back in early 2023, Google announced that it was working on enabling support for the RISC-V architecture in Android. RISC-V is an open instruction set architecture that’s grown in popularity in recent years since hardware makers don’t need to pay a licensing fee to build RISC-V chips. Some Android devices already ship with chipsets based on RISC-V, though these chipsets typically run something other than Android and act as a co-processor to the device’s main, typically Arm-based processor.
- Late last year, chip maker Qualcomm announced that it was designing a wearable chipset based on RISC-V and that this chipset would run on Google’s Android-based Wear OS platform. Once released, these Wear OS smartwatches would be the first commercial RISC-V hardware to run a Google-certified Android build. To make that happen, though, Google must devote a lot of engineering resources to make Android — and its underlying Linux kernel fork — boot on RISC-V hardware. Google has already done much of the work to enable RISC-V support in Android, though there’s quite a bit of work still ahead.
- Google continues to work on RISC-V, with several patches being submitted in the last few days and weeks.
- Although Google has shown significant progress in recent weeks in improving RISC-V support in Android, it seems that we’re still quite a bit away from seeing RISC-V hardware running certified builds of Android. Earlier today, a Senior Staff Software Engineer at Google who, according to their LinkedIn, leads the Android Systems Team and works on Android’s Linux kernel fork, submitted a series of patches to AOSP that “remove ACK’s support for riscv64.” The description of these patches states that “support for risc64 GKI kernels is discontinued.”
- ACK stands for Android Common Kernel and refers to the downstream branches of the official kernel.org Linux kernels that Google maintains. The ACK is basically Linux plus some “patches of interest to the Android community that haven’t been merged into mainline or Long Term Supported (LTS) kernels.” There are multiple ACK branches, including android-mainline, which is the primary development branch that is forked into “GKI” kernel branches that correspond to a particular combination of supported Linux kernel and Android OS version. GKI stands for Generic Kernel Image and refers to a kernel that’s built from one of these branches. Every certified Android device ships with a kernel based on one of these GKI branches, as Google currently does not certify Android devices that ship with a mainline Linux kernel build.
- Since these patches remove RISC-V kernel support, RISC-V kernel build support, and RISC-V emulator support, any companies looking to compile a RISC-V build of Android right now would need to create and maintain their own fork of Linux with the requisite ACK and RISC-V patches. Given that Google currently only certifies Android builds that ship with a GKI kernel built from an ACK branch, that means we likely won’t see certified builds of Android on RISC-V hardware anytime soon.
- Our initial interpretation of these patches was that Google was preparing to kill off RISC-V support in Android since that was the most obvious conclusion. However, a spokesperson for Google told us this:
- Android will continue to support RISC-V. Due to the rapid rate of iteration, we are not ready to provide a single supported image for all vendors. This particular series of patches removes RISC-V support from the Android Generic Kernel Image (GKI).
- While the company’s statement doesn’t go into detail about the rationale behind this decision, it’s good to get confirmation that RISC-V support in Android isn’t being killed off entirely. Still, the statement alludes to the fact that there’s still a ton of work that needs to be done before Android is ready for RISC-V. Even once it’s ready, Google will need to redo the work to add RISC-V support in the kernel anyway. At the very least, Google’s decision likely means that we might need to wait even longer than expected to see commercial Android devices running on a RISC-V chip.
- RISC OS 5.30 arrives – with RPi Wi-Fi support
- from The Register
- RISC OS 5.30 is the latest release of Acorn’s original native operating system for its Arm processors. Original, but not first: As Acornsoft project lead Paul Fellows told the Reg in 2022, what was then called “Arthur” supplanted a far more ambitious project called ARX, which never shipped. ROS 5.30 is the first stable release from the RISC OS Open (aka ROOL) project since version 5.28 in 2020. (If you have that, you can upgrade in place.)
- RISC OS Open project leader Steve Revill, who The Register interviewed last year, said:
- This stable release has been in the works for a long time – we wanted to get it right! The Wi-Fi support comes from a successful combination of partnerships with companies in the RISC OS scene and generous donations from community members to support our bounties. We really hope the welcome addition of Wi-Fi on the Pi makes it easier for people who’ve never tried this little OS to give it a spin.
- Acorn’s original, and very comprehensive, documentation has been updated for this release, too:
- There’s also a complete User Guide PDF included in our RISC OS Pi download – a 618 page book, also available in print from ROOL or Amazon. We take pride in the quality of our user documentation and believe this sets us apart from many Open Source projects.
- New owners RISC OS Developments made RISC OS 5 open source in 2018 and it’s still in active development under RISC OS Open. That is no trivial project: Although by modern standards this desktop operating system is tiny, significant chunks of it were hand-coded in Arm assembly code – for 20th century hardware. Version 5.30 supports seven platforms: Post-1994 Acorn machines with the IOMD chipset, the Iyonix and Beagleboard hardware we described in 2010, and Elesar’s Titanium PC, plus three Arm development boards (the IGEPv5, the OMAP 5432, and the Pandaboard). And, of course, the Raspberry Pi, which is by some distance the cheapest member of the family. For now, RISC OS does not support the Raspberry Pi 5, but it does run on the Pi Zero, 1, 2, 3 and 4, and it’s fast and responsive on all of them.
- We found the new support for the Wi-Fi controllers in the Raspberry Pi 3 and 4 a little clunky – for instance, changes to the network configuration require a reboot. Even so, it’s a lot better than nothing. First, you enable the SDIO WLAN interface; then, after a restart, a new Wi-Fi icon appears on the left of the icon bar, which allows you to connect to both 2.4 and 5GHz networks.
- This is a fairly modernized and refurbished late-1980s single-user GUI-based OS, and that implies some limitations. It was first released the same year as OS/2 1.0, long before Apple System 7 or Windows 3.0. In fact, it’ll remind you of Windows 3 on MS-DOS: it’s a single-tasking text-mode OS, with networking, on top of which is a graphical desktop that does cooperative multitasking. RISC OS gives applications access to much of the memory map, and so if a program accidentally scribbles over the wrong parts of that address space, the whole computer can freeze up – which in testing our Pi 400 did several times.
- But saying that, it’s an admirably complete OS, with quite a rich portfolio of applications. RISC OS 5.30 comes with a selection of productivity apps, plus development tools, including a choice of editors, Python, Lua, and a C compiler – and of course with a 32-bit version of BBC BASIC V, a fully structured interpreter which also supports inline Arm assembly language.
- This is, in a way, a mature OS with an ecosystem and an aftermarket. (Which, we feel we must explicitly spell out, means that quite a few of those third-party applications and drivers will cost you money.) There are emulators that will let you run 20th century Acorn apps that you can find online, but this isn’t an emulated vintage environment like Amiga Forever. It’s not meant for running games from thirty years ago. This is a native bare-metal OS, built on 1980s roots but updated for 21st century hardware. It’s also not an experimental project with little practical use, like Redox OS or Serenity OS, interesting though those are.
- The RISC OS GUI – called simply the WIMP – will take some getting used to. It has no application menu bars at all, for example. You middle click on things to get at the relevant menu; this GUI only has context menus, nothing else. (What menu is easier to hit than whacking the mouse pointer up to the top of the screen? One where you don’t move the mouse at all! The menu is always where your mouse already is.) And yes, there is an icon bar along the bottom where you can bring up menus and windows for running programs and other things; but when you want to do something in an app, you click the menu mouse button in the context of that application rather than look for a menu bar.
- The idea of having a directory navigation right in the save dialog, so you can choose where to put the file, was a hack invented for the original 128kB Macintosh, because it didn’t have enough RAM to show a filer window alongside your app. RISC OS didn’t need that: In 1987, it ran on a 32-bit RISC workstation with a meg of RAM, so its Save dialog just has an icon that you drag to the directory window you want.
- Similarly, this is the OS whose original GUI some like to think may have inspired NeXTstep’s Dock, which in turn inspired the Windows 95 taskbar. RISC OS doesn’t work like them, because it’s often thought they got their ideas from RISC OS.
- When you run a RISC OS application, all that happens is that it puts an icon in the icon bar. Middle-click that new icon for global options, or in most apps, just left-click it to open a new empty window. The right button doesn’t go unused: it’s called Adjust and it modifies what a left-click would do. So, for example, left-click a scrollbar to move in that direction, but right-click it to move the other direction. Left-click an “OK” button to save your settings, but right-click it to Apply them without closing. It’s odd, but in its way, it’s more elegant than any other mouse-driven desktop.
- RISC OS is a fascinating glimpse into another world. It has almost no influence from the worlds of 32-bit Windows, or MacOS 7 or Mac OS X, or Linux – because they hadn’t been invented yet. It has a superbly elegant graphical desktop, but it’s almost totally unlike anything else you’ve ever seen.
- Imagine if the classic 1980s Motorola 68000 computers – the Atari ST, the Amigas, or the Classic MacOS pre-PowerPC Macs – and their CPUs had kept on developing and evolving into the present day, completely separately from modern world of 64-bit chips and both FOSS and proprietary OSes. That’s what RISC OS is: A time-traveler from the 1980s, alive and well, modernized and updated, but almost completely free of any influence from the rest of the 32-bit World Wide Web era. You will find it very disorienting, especially if all you know is post-1990s OSes, but that’s part of the fun. Almost everything you could want – web browsers, email, office-type apps, games, dev tools – it’s all there, and enough to get you started is here, free and open source.
- The 2024 release of RISC OS runs fine on a £12 ($15) Raspberry Pi Zero – and the same SD card will boot any model up to the Pi 4 or 400. (But not, for now, the new, 64-bit-only Pi 5.) If you don’t have one of those, but have an old Pi 1, 2 or 3 lying in a drawer somewhere, dusty and neglected, dig it out and put RISC OS onto an SD card – even a 2GB card will do – and give it a try.
- Bitwarden launches new MFA Authenticator app for iOS, Android
- from Bleeping Computer
- Bitwarden has just launched a new multi-factor authenticator app called Bitwarden Authenticator, which is available for iOS and Android devices.
- The app uses time-based one-time passwords (TOTPs) for accounts registered by scanning a QR code to provide users with an extra layer of security during authentication.
- “By leveraging widely adopted standards such as TOTP, Bitwarden can work seamlessly everywhere, including legacy applications,” reads the launch announcement.
- “Enterprises can remain nimble, without having to re-architect current systems while adopting strong passwordless options such as passkeys, FIDO2 hardware keys, magic links, biometrics, and beyond.”
- Although TOTP authentication was already available in the Bitwarden Password Manager, it was a premium feature only available to paying users.
- In contrast, the Bitwarden Authenticator app is available for free to all users, even those without a Bitwarden account, and can be used as a standalone app.
- Bitwarden’s CTO Kyle Spearrin said the launch of the new app “provides immediate value to the Bitwarden user base who has been asking for a standalone app for several years” and promised new features and enhancements in future releases.
- Bitwarden Authenticator is considered a stable release at this point but it lacks advanced features commonly found in other products in this space.
- Currently, it generates TOTPs for online services that support MFA apps, including the Bitwarden Password Manager, while backups are handled by the OS’s backup services.
- The app settings also give users the capability to add biometrics as an additional security step, while exporting is also available.
- The published roadmap for future releases includes an import function, push-based 2FA, account recovery, Bitwarden account (and vault) syncing, and workforce (enterprise-grade) authentication options.
- Although the lack of some of the mentioned features may make adopting or migrating TOTP authentication to the new tool challenging for some users, it shouldn’t be a big hurdle for most.
- The Bitwarden Authenticator app is available on Google Play for Android phones and on the Apple App Store for iPhones and iOS devices in general.
- Being an open-source project, the code for the two apps is available in public GitHub repositories, one for the iOS version and one for the Android app.
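The QR code an authenticator scans is nothing more than an `otpauth://totp/` URI carrying a base32 secret plus the digits, period and hash algorithm, and the codes it produces are RFC 6238 TOTP. The following is an added example for these show notes (not Bitwarden’s code) that parses such a URI, generates codes, and verifies a submitted code with a one-step skew window and a constant-time comparison. The enrolment URI is constructed: the issuer and account name are made up, and the secret is the RFC 6238 reference key so the output can be checked against the RFC’s published test vectors.

```python
"""Decode an otpauth:// enrolment URI and generate/verify TOTP codes (RFC 6238).

Added example for these show notes; not Bitwarden code. SAMPLE_URI is a
constructed enrolment URI: issuer and account are made up, the secret is the
RFC 6238 reference key ("12345678901234567890", base32-encoded) so the codes
can be checked against the RFC's Appendix B vectors (8 digits, SHA1).
"""
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlsplit

SAMPLE_URI = ("otpauth://totp/Example:alice%40example.org"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
              "&algorithm=SHA1&digits=8&period=30")


@dataclass(frozen=True)
class TotpParams:
    label: str
    issuer: str
    secret: bytes
    digits: int
    period: int
    algorithm: str


def parse_otpauth(uri: str) -> TotpParams:
    """Parse an otpauth://totp/ URI as scanned from an enrolment QR code."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP enrolment URI")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    secret_b32 = q["secret"].strip().upper().replace(" ", "")
    secret_b32 += "=" * (-len(secret_b32) % 8)      # issuers often strip padding
    return TotpParams(
        label=unquote(parts.path.lstrip("/")),
        issuer=q.get("issuer", ""),
        secret=base64.b32decode(secret_b32, casefold=True),
        digits=int(q.get("digits", "6")),
        period=int(q.get("period", "30")),
        algorithm=q.get("algorithm", "SHA1").upper(),
    )


def hotp(secret: bytes, counter: int, digits: int, algorithm: str) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation."""
    digest = getattr(hashlib, algorithm.lower())
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(p: TotpParams, at: int) -> str:
    """TOTP is HOTP with the counter = floor(unix_time / period)."""
    return hotp(p.secret, at // p.period, p.digits, p.algorithm)


def verify(p: TotpParams, candidate: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps for clock skew.

    Comparison is constant-time so a verifier does not leak which digits matched.
    """
    step = at // p.period
    return any(hmac.compare_digest(hotp(p.secret, step + d, p.digits, p.algorithm), candidate)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    params = parse_otpauth(SAMPLE_URI)
    print(f"{params.issuer} / {params.label}: {totp(params, int(time.time()))}")
```

Two practical points follow from the code: the base32 secret in the URI is the whole credential, so a screenshot of the QR code is as sensitive as the password it protects; and the skew window should stay small (one step either side), because every extra step is another code an attacker who is guessing gets to submit.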
— Play Security Transition Bumper —
Security and Privacy
10 minutes
- Cybersecurity researchers spotlight a new ransomware threat – be careful where you upload files
- from The Conversation
- You probably know better than to click on links that download unknown files onto your computer. It turns out that uploading files can get you into trouble, too.
- Today’s web browsers are much more powerful than earlier generations of browsers. They’re able to manipulate data within both the browser and the computer’s local file system. Users can send and receive email, listen to music or watch a movie within a browser with the click of a button.
- Unfortunately, these capabilities also mean that hackers can find clever ways to abuse the browsers to trick you into letting ransomware lock up your files when you think that you’re simply doing your usual tasks online.
- The threat applies to Google’s Chrome and Microsoft’s Edge browsers but not Apple’s Safari or Mozilla’s Firefox. Chrome accounts for 65% of browsers used, and Edge accounts for 5%. To the best of my knowledge, there have been no reports of hackers using this method so far.
- Several security researchers have communicated with the developers responsible for the File System Access API, and they have expressed support for our work and interest in our approaches to defending against this kind of attack. We also filed a security report to Microsoft but have not heard from them.
- Today’s browsers are almost operating systems unto themselves. They can run software programs and encrypt files. These capabilities, combined with the browser’s access to the host computer’s files – including ones in the cloud, shared folders and external drives – via the File System Access API creates a new opportunity for ransomware.
- Imagine you want to edit photos on a benign-looking free online photo editing tool. When you upload the photos for editing, any hackers who control the malicious editing tool can access the files on your computer via your browser. The hackers would gain access to the folder you are uploading from and all subfolders. Then the hackers could encrypt the files in your file system and demand a ransom payment to decrypt them.
- Today’s web browsers are more powerful – and in some ways more vulnerable – than their predecessors.
- Ransomware is a growing problem. Attacks have hit individuals as well as organizations, including Fortune 500 companies, banks, cloud service providers, cruise operators, threat-monitoring services, chip manufacturers, governments, medical centers and hospitals, insurance companies, schools, universities and even police departments. In 2023, organizations paid more than US$1.1 billion in ransomware payments to attackers, and 19 ransomware attacks targeted organizations every second.
- It is no wonder ransomware is the No. 1 arms race today between hackers and security specialists. Traditional ransomware runs on your computer after hackers have tricked you into downloading it.
- A team of researchers led by Selcuk Uluagac at the Cyber-Physical Systems Security Lab at Florida International University, including postdoctoral researcher Abbas Acar and Ph.D. candidate Harun Oz, in collaboration with Google Senior Research Scientist Güliz Seray Tuncay, have been investigating this new type of potential ransomware for the past two years. Specifically, we have been exploring how powerful modern web browsers have become and how they can be weaponized by hackers to create novel forms of ransomware.
- In our paper, RøB: Ransomware over Modern Web Browsers, which was presented at the USENIX Security Symposium in August 2023, we showed how this emerging ransomware strain is easy to design and how damaging it can be. In particular, we designed and implemented the first browser-based ransomware called RøB and analyzed its use with browsers running on three different major operating systems – Windows, Linux and MacOS – five cloud providers and five antivirus products.
- Our evaluations showed that RøB is capable of encrypting numerous types of files. Because RøB runs within the browser, there are no malicious payloads for a traditional antivirus program to catch. This means existing ransomware detection systems face several issues against this powerful browser-based ransomware.
- They proposed three different defense approaches to mitigate this new ransomware type. These approaches operate at different levels – browser, file system and user – and complement one another.
- The first approach temporarily halts a web application – a program that runs in the browser – in order to detect encrypted user files. The second approach monitors the activity of the web application on the user’s computer to identify ransomware-like patterns. The third approach introduces a new permission dialog box to inform users about the risks and implications associated with allowing web applications to access their computer’s file system.
- When it comes to protecting your computer, be careful about where you upload as well as download files. Your uploads could be giving hackers an “in” to your computer.
- GitLab flaw allowing account hijacking under active exploitation
- from Ars Technica
- A maximum severity vulnerability that allows hackers to hijack GitLab accounts with no user interaction required is now under active exploitation, federal government officials warned as data showed that thousands of users had yet to install a patch released in January.
- A change GitLab implemented in May 2023 made it possible for users to initiate password changes through links sent to secondary email addresses. The move was designed to permit resets when users didn’t have access to the email address used to establish the account. In January, GitLab disclosed that the feature allowed attackers to send reset emails to accounts they controlled and from there click on the embedded link and take over the account.
- While exploits require no user interaction, hijackings work only against accounts that aren’t configured to use multifactor authentication. Even with MFA, accounts remained vulnerable to password resets, but the attackers ultimately are unable to access the account, allowing the rightful owner to change the reset password. The vulnerability, tracked as CVE-2023-7028, carries a severity rating of 10 out of 10.
- On Wednesday, the US Cybersecurity and Infrastructure Security Agency said it is aware of “evidence of active exploitation” and added the vulnerability to its list of known exploited vulnerabilities. CISA provided no details about the in-the-wild attacks. A GitLab representative declined to provide specifics about the active exploitation of the vulnerability.
- The vulnerability, classified as an improper access control flaw, could pose a grave threat. GitLab software typically has access to multiple development environments belonging to users. With the ability to access them and surreptitiously introduce changes, attackers could sabotage projects or plant backdoors that could infect anyone using software built in the compromised environment. An example of a similar supply chain attack is the one that hit SolarWinds in 2020 and pushed malware to more than 18,000 of its customers, 100 of whom received follow-on hacks. Other recent examples of supply chain attacks are here, here, and here.
- These sorts of attacks are powerful. By hacking a single, carefully selected target, attackers gain the means to infect thousands of downstream users, often without requiring them to take any action at all.
- According to Internet scans performed by security organization Shadowserver, more than 2,100 IP addresses showed they were hosting one or more vulnerable GitLab instances.
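As an added illustration of the flaw class the article describes (a constructed example, not GitLab's code): a password-reset request handler in a weak form that lets the requester decide where the reset link is delivered, beside a hardened form that sends it only to the single address the request identifies, and only when that address is already verified on the account. The account model, sample data and function names are all made up for this example.

```ruby
require 'securerandom'

# Constructed account model: an account may have several verified addresses.
Account = Struct.new(:id, :verified_emails, keyword_init: true)

# Constructed sample data, not real users.
ACCOUNTS = [
  Account.new(id: 1, verified_emails: ['alice@example.com', 'alice.backup@example.com'])
].freeze

def find_account(email)
  ACCOUNTS.find { |a| a.verified_emails.include?(email) }
end

# Weak form: the request may carry one address or a list of addresses. The account
# is looked up by the first one, but the same reset token is mailed to every address
# submitted, so the requester, not the account, decides where the link is delivered.
def request_reset_weak(params, outbox)
  emails = Array(params['email'])
  account = find_account(emails.first)
  return nil unless account

  token = SecureRandom.hex(16)
  emails.each { |addr| outbox << { to: addr, token: token, account_id: account.id } }
  token
end

# Hardened form: the submitted value must be a single string and only identifies the
# account; the token goes to that address alone, and only because it is already
# verified on the account. The reply is the same whether or not an account exists,
# so the endpoint does not reveal which addresses are registered.
def request_reset_hardened(params, outbox)
  email = params['email']
  return :accepted unless email.is_a?(String)

  account = find_account(email)
  if account
    token = SecureRandom.hex(16)
    outbox << { to: email, token: token, account_id: account.id }
  end
  :accepted
end

if __FILE__ == $PROGRAM_NAME
  # Same request against both forms: a known address plus one not on the account.
  weak_box = []
  request_reset_weak({ 'email' => ['alice@example.com', 'other@example.net'] }, weak_box)
  puts "weak form mailed: #{weak_box.map { |m| m[:to] }.join(', ')}"
  hard_box = []
  request_reset_hardened({ 'email' => ['alice@example.com', 'other@example.net'] }, hard_box)
  puts "hardened form mailed: #{hard_box.map { |m| m[:to] }.inspect}"
end
```

The weak form shows why the article's second point matters: MFA does not stop the reset mail from going out, it only stops the holder of the link from getting into the account afterwards.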
— Play Wanderings Transition Bumper —
Bi-Weekly Wanderings
30 minutes (~5-8 mins each)
- Bill
- So these last couple weeks I’ve worked on a couple of projects. The first was to take advantage of the work that has been done in the open-source community to bring first-class support to Linux for the Focusrite brand of audio interfaces. For anyone who doesn’t know, Focusrite is probably one of the best and arguably the most prolific makers of audio interface equipment out there. A couple of us on the show use their audio interfaces in the creation of the shows we’re a part of. They make a line of products called the “Scarlett.” There are several iterations of the devices, depending on your needs. An audio interface is the device that sits between your input, which in this case is the microphone I’m talking on, and the computer. It provides the pre-amp functionality as well as handling other aspects of the audio going in and out of the computer. The operating system literally recognizes it as a sound card type device, to simplify it further, perhaps overly so. These devices are USB Class compliant, which for the most part means you can simply plug them in and they work without any need for additional software. Which is true. If your needs are simple, you’ll not have to fool around much at all. The problem, however, is that Focusrite hides away some of the functionality in a software layer that you do need separate software for, and it should come as no surprise – Focusrite only distributes the software for Windows and Mac. Fortunately, an open-source project sprung up some time ago by Geoffrey Bennett and others to bring first-class support of these devices to Linux. The whole thing depends on two pieces of software: the ALSA driver for the devices, which as of kernel 6.7 is part of the tree by default, and the alsa-scarlett-gui, which is the userspace tool for initializing and configuring the devices.
Unfortunately, Mint 21.3 only offers kernel version 6.5 as the highest available, so the kernel module and firmware have to be installed separately, and functionality is a bit less than what it would be with a more recent kernel. Fortunately, there are .debs for the low-level stuff as well as the alsa-scarlett-gui. Oh, and a flatpak for the GUI application as well. I haven’t tried that though. I got it all up and running, and am happy with the results. To be clear, you don’t have to have this stuff to make the devices work; however, now with the driver, alsamixer is able to control all the individual confusing input and output streams the device is capable of handling. It is also capable of keeping the internal firmware of the device up to date, which is probably the most important thing.
- In the most recent episode of Linux OTC, Majid described his woes with installing Endeavour OS on a machine, with the goal of dual-booting it with Windows. He was not successful until he decided to nuke and pave the system, making Endeavour the only OS on the machine, which was successful. I’ve seen this problem before, so I thought I’d try to replicate his problems and try to find a solution to the problem. In the next couple weeks, I’m planning to make a video where I go through the steps one at a time to get the whole thing to work correctly. Majid will cover some of this in depth during his Wanderings, but for the sake of conversation, I’ll outline a couple of key things to remember here.
- Turn off Secure Boot
- use the Windows partition tool to resize the Windows partition
- use the “manual partitioning” during the installation of Endeavour
- flag the free space as “root” and mount it to /
- flag the 100MB windows boot partition as “boot” and mount it to /boot/esp
- use grub as the boot manager
- The Arch wiki also outlines some necessary steps to take once both operating systems are installed to make the whole thing work well, such as setting Windows to use UTC instead of local time so that there aren’t any time-related problems when switching back and forth between Windows and Linux.
- I’ll let everyone know when I get the video done and where to watch it. I’ll probably put it up on the Linux OTC YouTube page, but perhaps I’ll put it up on mintCast as well.
- Joe
- My 3D printer was acting up again. My print quality was starting to go down. Parts were too high and parts were too low and there were a lot of places where it was just not aligned. It did not matter what I was printing, and I went through the whole checking the belts, making sure the bed’s not warped, etc., etc. Nothing seemed to improve the issue. I was even about to try and redo all of my settings in Cura, thinking that might be causing it.
- Then during one of my prints I finally saw something, since I was sitting at just the right angle. The entire hotend was shifting back and forth. I let the print finish, but then I took off the fang fan assembly and checked, and it was very loose. In attempting to tighten the bolt that holds it, it would not get tight enough. Turns out it was stripped. Thankfully I keep bolts of the correct size sitting around for projects. That and a washer should hold until I find replacements. In looking at the other bolt that was there, it seems the head is stripped and it is going to be very fun to try and remove it when the time comes to replace it.
- Maybe I will get the whole backplate assembly and hot end assembly and get it all ready to go for the next time. The fix greatly improved my prints and I should be able to add speed back to the prints.
- That being said, while I did print a couple of other things, most of what I have been printing is for a new project that I have started. Jackie was able to get a DVD duplicator with 8 DVD trays and a control tray in it for free. No, I don’t want to replicate DVDs, but I do want to make a DAS, or direct attached storage device. I think this is the lowest cost option, especially since I got the case and power supply for free.
- Looking at the available options on how to set it up, I think that the lowest cost will be for me to get a SAS PCIe card from eBay for about 15 dollars and then two 6 ft long SAS to SATA 4-way splitter cables for about 20 dollars each. The hard drives that I want will then be the largest expense and will have to be purchased over a long time. In the meantime, for testing purposes and to get the thing up and running, I have grabbed a couple of my own drives and I got sent a few from Bill and maybe Moss, and I will use them and replace them as I can.
- I am also 3D printing 8 drive tray adapters that will work with the 5.25 inch bays and convert them to either 3.5 or 2.5 inch drives, and a set of 9 drive bay covers.
- That brings my total cost to less than 60 dollars after the parts and plastic. I could probably calculate the cost of the plastic to get an exact price, but I don’t want to. It’s not much.
- I also got my credit card number stolen. Evidently it was skimmed somewhere and used to buy sporting goods in multiple states across the US on a Sunday night. I understand that that was the common way to do it in the past, when banks were not open on a Sunday and there was little you could do until the following day, but my bank was able to catch it fairly quickly and there was only about 300 dollars removed from my account. Which still sucks. There were other attempts, but I was able to lock my card and the bank quickly canceled it after a simple phone call. It should take a couple of days, but I should get the money back. I mean, unless I learned to teleport it obviously wasn’t me. I guess it could have been online orders.
- This also prevented me from ordering the rest of the parts that I need for the DAS.
- I did however get a couple of USB adapters for the broken Razer Nari Ultimates that I have. I had originally found a set of 3 broken headsets that were listed on eBay for 2 dollars. I bought them quickly, only to have the order canceled due to the price being wrong. But that was the reason that I had ordered the USB dongles as replacements. 2 dollars was too good to pass up. But with them ordered, I decided to take another look at my old one and the broken ones that I had in storage. I found them while looking for a specific headset for Moss.
- The one that I used to use had an issue with the USB dongle. But after taking another look at it, I pulled out my needle files and cleaned up the connections and reshaped the outer casing so that it fit a little bit tighter, and it is working again.
- The other broken ones that I will be pairing to the new USB dongles all have broken hinges, but I think that I will be able to mix and match the hinges until I have 3 working Nari headsets.
- Majid
- We’ve finally been getting some nice weather in the UK, but I’m sure it won’t last long. The clear night skies have meant it has been possible to see the Northern Lights at night here. I think I missed the best views, which were on Friday night, but it’s still amazing nonetheless. I do think the pictures look better than what we could actually see though.
- I’ve changed up some of the devices I have. I found a good deal on an XPS 13 7390, and so used this as an opportunity to sell my Asus Zenbook, which I managed to sell very quickly to a family friend. This was the machine I used to run Mint on, even a GNOME session of Mint just for the lolz, but I reverted it back to Windows 11 prior to selling. The new buyer seems pleased with it.
- I’ve also been changing things up at the moment from a distro perspective. I have been feeling the intense peer pressure about running Arch from the rest of the team(!). Also I wanted to try the new Ubuntu 24.04 LTS (bearing in mind the issues around upgrading to it from 23.10, which is what’s running on my work machine). I therefore decided I would try EndeavourOS. I also decided that the work machine (a Lenovo Yoga with an AMD Ryzen 5) would be the one I would use this for. Because, what could possibly go wrong? Well, it seems that even though the installer is Calamares, and took care of all the partitioning (as I wanted to dual boot), it kept coming up that “Installation failed”. I discussed this with Bill and the others on OTC and he was of the opinion that it’s because Arch doesn’t do well in dual boots. I mean, I have run Manjaro as a dual boot before without issues, but after failing twice, I decided to abandon it. I wanted to use KDE, so went for KDE Neon. That’s working absolutely fine. I still wish there were more touchpad gestures and configuration of them, but it’s working fine.
- I then decided that I would try EndeavourOS on this podcasting rig as a nuke ’n’ pave. No issues with that; initially tried the Budgie desktop, but wasn’t too impressed with it, so decided to go for KDE. The installation was smooth. But this is a far more complicated Arch-based distro compared to Manjaro, which I had used before. Manjaro really seemed like it was trying to make things more user friendly. This isn’t. There’s no graphical software manager, and if you want software you have to use the command line. There’s not a lot of bundled software on the distro (no LibreOffice, for example). I found myself a bit uncomfortable using just the command line, as I was just copying and pasting commands without much knowledge of what exactly I was doing. I therefore decided that I would install a graphical software package manager. I went for pamac, which I used in Manjaro. Installing that took longer than the install of the base system, and there were multiple prompts and again I didn’t really know what I was doing. I can’t imagine this staying too long on my system as fundamentally I’m too much of a noob and I’m sure I’ll end up borking the system. It’s very different to Ubuntu land.
- Speaking of Ubuntu land, I decided that I’ll put Ubuntu 24.04 on the “new” Dell XPS. Pretty easy installation, and it works well with the high DPI screen. I decided to try and stick with snaps (after our discussions with Popey last time). Snaps themselves seem to work fine, but I can see the concern that many have about the maintenance of the software. I went to download some software that turned out to be 3 years out of date. I think it isn’t going to be long before I end up getting flatpaks on the system.
- Speaking of flatpak, both the LibreOffice flatpak and snap seem to have some odd behaviour in use, especially the top menu bar disappearing. Should’ve just got the deb package, I think.
- I got bored listening to my wife complaining about her HP Elite, so I made her join the ThinkPad cult. Got a T570 for about 200 bucks on eBay. 15 in display, Core i5 8th gen, 256 GB SSD. On Windows 10, and it will stay on it; I’m giving it to her to maintain and am going to try not to be the tech support for it. Fat chance, I suppose!
- I’m looking forward to the new Mint 22 release based on 24.04. When discussing with Bill yesterday at the meeting, I realised I could get Ubuntu Cinnamon 24.04 and theme it like Mint and hey presto, I would have Linux Mint 22! I know there’s a lot more work involved in making Mint, but it seemed like a good experiment to do. I mean, what could possibly go wrong!?
- I saw the Apple event regarding the new iPads and it made me reflect on my own tablet choices. I have a Samsung Galaxy Tab S8+ which has a great 12 in screen, which is great for media… and not much else. It’s just a bit too big and unwieldy for reading or playing games. I then found that OnePlus are heavily discounting their OnePlus Pad and its accessories. At 11 in I think that makes it a better form factor for reading and playing games (I mean, I miss the “old” days of 8 in tablets), so bought one of them with the keyboard and stylus. Very early days, but it looks a lot more flexible than the Tab S8+. Who knows, I might even get some productivity done on it!
- My Mega cloud service was playing up a bit. I don’t know if it’s because I have been registering a whole new bunch of devices or what, but I was having sync errors and doubling of files. I managed to get it sorted out in the end (and found out that Mega hadn’t logged me out of any of the previous devices I had installed it on over the past 4 years!)
- I do have 100 GB of Google Drive storage (which I pay for) and 100 GB of OneDrive (which I got as a promotion for free), so tried mounting them. I am not sure exactly of the difference between mounting and syncing, but thought it was worth a shot. It worked easily in GNOME Online Accounts, but not in KDE, apparently a known bug, so had to abandon it. Just as well, I suppose, that Mega seemed to fix itself, and so there we go!
- After about 5 years of bullying, we finally have a Cat!
- I was planning on going to an Islamic event up north this weekend, but it would’ve required setting off back home quite late, so decided against it.
- Work has been OK, but I’m not enjoying the management and teaching as much as I thought. The clinical stuff is so much more fulfilling, so may have to drop them.
- Eric
— Play Innards Transition Bumper —
Linux Innards
30 minutes (~5-8 minutes each)
- This week we’re going to discuss some best practices for good hygiene and safety when utilizing technology. More specifically – we are going to discuss some things that can be done to help keep your family safe when using all of the devices and services that have become prolific in today’s society. We will each then describe some of the things we’ve done in an effort to keep our families safe in a world where there are arguably more ways to get into trouble than there are ways to not.
- Online Safety
- Websites with malicious code
- emails from people you don’t know
- children interacting with people they don’t know, often in games and content consumption platforms.
- DNS – What is it? What does it do? What can you do to improve your online safety as it relates to DNS?
- Downloading of files – specifically games and other content
- if it seems too good to be true, it probably is
- Limiting time children can use technology – admit it! Everyone is terrible at it. Set boundaries
- blue light – how does it affect people’s sleep habits?
- PASSWORDS!
- Use passwords a human cannot remember!
- Use a password manager such as Bitwarden, or Keepass
- Change your passwords regularly
- VPN
- What are VPNs, and how can they help keep you safe?
- Learn to be realistic in your expectations.
- Encryption
- What is encryption? How do I implement it?
- Money
- What are some best practices for managing payments, and payment methods online?
- What to watch out for. How to understand whom you’re giving your financial information to.
- Place abstractions between your money and the people you’re paying. (PayPal)
- Use Credit Cards!
- keep an eye on transactions
- keep an eye on the less tech-savvy!
- be vigilant with your transaction history
— Play Vibrations Transition Bumper —
Vibrations from the Ether
20 minutes (~5 minutes each)
— Play Check This Transition Bumper —
Check This Out
10 minutes
- Seven Linux commands just for fun
- From both.org written by Don Watkins
- Steam locomotive (sl)
- Fireplace (aafire)
- Yes
- Fortune
- Lolcat
- Figlet and banner
- Espeak – a command to add speech capabilities to your command line funnies
Note: espeak is no longer developed and has been replaced by espeak-ng, which has support for over 100 languages. Both programs are in the Mint repositories. Wikipedia link
Housekeeping & Announcements
- Thank you for listening to this episode of mintCast!
- If you see something that you’d like to hear about, tell us!
Send us email at [email protected]
Join us live on Youtube
Post at the mintCast subreddit
Chat with us on Telegram and Discord,
Or post directly at https://mintcast.org
- Next Episode – 2 pm US Central time on Sunday, May 26, 2024.
- Get mintCast converted to your time zone
- for 437 Next Roundtable Live Stream – 2 pm US Central time on Saturday, May 18, 2024.
- Get the Roundtable Live Stream converted to your time zone
- for 437.5 Next Roundtable Live Stream – 2 pm US Central time on Saturday, June 1, 2024.
- Get the Roundtable Live Stream converted to your time zone
- Livestream information is at mintcast.org/livestream
Wrap-up
- Joe – Tllts.org, linuxlugcast.com, [email protected]
- Moss – Full Circle Weekly News, Distrohoppers’ Digest, [email protected], Mastodon @[email protected],
- Bill – [email protected], Bill_H on Discord, @[email protected] on Mastodon, also – checkout my other two podcasts Linux OTC and 3 Fat Truckers
- Majid – [email protected] @atypicaldr870on twitter, AtypicalDr on instagram and The Atypical Doctor Podcast on Spotify and also Linux OTC.
- Eric – You can hear and see me on this and the Linux OTC podcasts as well as the Linux Saloon and LinuxLUGCast streams. If you’d like to get in touch with me I can be reached by email at [email protected], Discord (eric_adams), Telegram (https://t.me/ericadams), Matrix (@esa1975:matrix.org), and Mastodon (https://fosstodon.org/@ericadams). Links in the show notes.
Before we leave, we want to make sure to acknowledge some of the people who make mintCast possible:
- Someone for our audio editing
- Archive.org for hosting our audio files
- Hobstar for our logo, initrd for the animated Discord logo
- Londoner for our time syncs and various other contributions
- Bill Houser for hosting the server which runs our website, website maintenance, and the NextCloud server on which we host our show notes and raw audio
- The Linux Mint development team for the fine distro we love to talk about <Thanks, Clem … and co!>
— Play Closing Music and Standard Outro —