Episode 444 Show Notes (no images)
Welcome to mintCast
the Podcast by the Linux Mint Community for All Users of Linux
This is Episode 444!
This is Episode 444.5!
Recorded on Sunday, August 18, 2024.
… Joe; stretching the boundaries of insanity, I’m Moss; There’s no place like home, I’m Bill; Coming in clutch, I’m Dale
— Play Standard Intro —
- First up in the news: Canonical Moves To Shipping Very Latest Upstream Kernel Code, Google Search is playing Monopoly, WordStar 7 is re-released for free, SUSE goes way long, Chrome blocks uBlock, GitLab is on the market and Funtoo is back (sort of)
- In security and privacy: Hackers leak 2.7 billion data records with Social Security numbers, and there are lots of zeros attacking Mac and Linux browsers;
- Then in our Wanderings: Bill is broken down, Joe goes virtual, Moss has stopped watching, Majid is in India and will be back next month, Eric …, and Dale …;
- In our Innards section: Home networking: tips, tricks, dos and don’ts
- And finally, the feedback and a couple of suggestions
- Please remember if you want to follow along with our discussions, the full show notes for this episode are linked in the show’s description [better location for this announcement]
— Play News Transition Bumper —
The News
20 minutes
- Canonical Moves To Shipping Very Latest Upstream Kernel Code For Ubuntu Releases
- From Michael Larabel at Phoronix (via londoner)
- Following decisions like exploring -O3 package builds for Ubuntu Linux, another newly-announced change by Canonical that must be applauded is their decision to commit to shipping the very latest upstream kernel code at release time.
- Ubuntu up to now for each release has shipped with the latest upstream kernel release as of kernel freeze time. But in some cases this means even shipping with a ~2 month old kernel version even if a new upstream Linux kernel release is near and will be stable ahead of the next planned Ubuntu Linux release. So now there’s a shift in course by Canonical’s kernel team for Ubuntu to accommodate that difference so the Ubuntu Linux release will be shipping with the very latest upstream kernel at release time.
- This is great and the right move though it stops short of Ubuntu Linux shifting to a policy like new kernel versions coming down as stable release updates over the lifetime of Ubuntu releases.
- Today’s kernel version selection announcement sums it up as:
- Current Policy: The way the CKT has historically chosen an upstream Linux kernel version was with a conservative ‘wait and see’ approach. Given the month-long stabilization window required, an upstream kernel version all but certain to be released would be the tentative selection, with a possible last minute jump to a more recent version should it turn out to release in a workable time-frame. This approach would guarantee stability on the appointed release day, but was proving unpopular with consumers looking to adopt the latest features and hardware support as well as silicon vendors looking for a firmer version commitment to align their Ubuntu support.
- New Policy: The intent behind this post is to describe a new policy the CKT is taking in regards to kernel version selection for an upcoming Ubuntu release. To provide users with the absolute latest in features and hardware support, Ubuntu will now ship the absolute latest available version of the upstream Linux kernel at the specified Ubuntu release freeze date, even if upstream is still in Release Candidate (RC) status.
- This is a nice improvement to see by Canonical for ensuring the freshest upstream kernel version is shipped as of the Ubuntu release time. In turn this means for the upcoming Ubuntu 24.10 release it should solidly be the Linux 6.11 kernel. It would still be nice if Ubuntu would commit resources to allow shipping new upstream kernel versions down as stable release updates, but that is a battle for another day.
- Google’s online search monopoly is illegal, US judge rules
- from BBC
- A US judge has ruled Google acted illegally to crush its competition and maintain a monopoly on online search and related advertising.
- The landmark decision on Monday is a major blow to Alphabet, Google’s parent company, and could reshape how technology giants do business.
- Google was sued by the US Department of Justice in 2020 over its control of about 90% of the online search market.
- It is one of several lawsuits that have been filed against the big tech companies as US antitrust authorities attempt to strengthen competition in the industry.
- This case has at times been described as posing an existential threat to Google and its owner given its dominance of the search and online advertising business.
- It is unclear yet what penalties Google and Alphabet will face as a result of the decision. The fines or other remedies will be decided in a future hearing.
- The government has asked for “structural relief” – which could, in theory at least, mean the break-up of the company.
- In his decision, US District Judge Amit Mehta said Google had paid billions to ensure it is the default search engine on smartphones and browsers.
- “Google is a monopolist, and it has acted as one to maintain its monopoly,” Judge Mehta wrote in his 277-page opinion.
- Alphabet said it plans to appeal against the ruling.
- “This decision recognises that Google offers the best search engine, but concludes that we shouldn’t be allowed to make it easily available,” the statement from the company said.
- US Attorney General Merrick Garland, the country’s top prosecutor, hailed the ruling as a “historic win for the American people”.
- “No company – no matter how large or influential – is above the law,” Mr Garland said in a statement on Monday. “The Justice Department will continue to vigorously enforce our antitrust laws.”
- Federal antitrust regulators have filed other pending lawsuits against Big Tech companies – including Meta Platforms, which owns Facebook, Amazon.com and Apple Inc – accusing them of operating unlawful monopolies.
- Monday’s ruling comes after a 10-week trial in Washington DC, in which prosecutors accused Google of spending billions of dollars annually to Apple, Samsung, Mozilla and others to be pre-installed as the default search engine across platforms.
- The US said Google typically pays more than $10bn (£7.8bn) a year for that privilege, securing its access to a steady stream of user data that helped maintain its hold on the market.
- Doing so, prosecutors said, meant other companies have not had the opportunity or resources to meaningfully compete.
- “The best testimony for that, for the importance of defaults, is Google’s cheque book,” argued Department of Justice lawyer Kenneth Dintzer during the trial.
- Google’s search engine is a big revenue generator for the company, bringing in billions of dollars thanks in large part to advertising displayed on its results pages.
- Google’s lawyers defended the company by saying that users are attracted to their search engine because they find it useful, and that Google is investing to make it better for consumers.
- “Google is winning because it’s better,” said Google’s lawyer John Schmidtlein during closing arguments earlier this year.
- Mr Schmidtlein also argued during the trial that Google still faces intense competition, not just from general search engine firms, such as Microsoft’s Bing, but more specialised sites and apps that people use to find restaurants, airline flights and more.
- In his ruling, Judge Mehta concluded that being the default search engine is “extremely valuable real estate” for Google.
- “Even if a new entrant were positioned from a quality standpoint to bid for the default when an agreement expires, such a firm could compete only if it were prepared to pay partners upwards of billions of dollars in revenue share,” Judge Mehta wrote.
- Another case against the technology company over its advertising technology is scheduled to go to trial in September. In Europe, meanwhile, Google has been fined billions in monopoly cases.
- WordStar 7, the last ever DOS version, is re-released for free Moss
- from The Register
- Before WordPerfect, the most popular word processor was WordStar. Now, the last ever DOS version has been bundled and set free by one of its biggest fans.
- WordStar 7.0d was the last-ever DOS release of the classic word processor, and it still has admirers today. A notable enthusiast is Canadian SF writer Robert J Sawyer, who wrote the book that became the TV series Flashforward.
- Thanks to his efforts you can now try out this pinnacle of pre-Windows PC programs for professional prose-smiths. Sawyer has taken the final release, packaged it up along with some useful tools — including DOS emulators for modern Windows – and shared the result. Now you, too, can revel in the sheer unbridled power of this powerful app.
- Sawyer says:
- The program has been a big part of my career – not only did I write all 25 of my novels and almost all of my short stories with it (a few date back to the typewriter era), I also in my earlier freelance days wrote hundreds of newspaper and magazine articles with WordStar.
- The download is 680MB, but as well as the app itself, full documentation, and some tools to help translate WordStar documents to more modern formats, it also includes copies of two FOSS tools that will let you run this MS-DOS application on modern Windows: DOSBox-X and vDosPlus. Regular Register readers may recognize both from our story on how to run DOS on a 64-bit OS from last year. Sawyer also offers a handy command reference [PDF].
- WordStar has a long and exceptionally involved history, as the Wordstar.org fan site used to chronicle. It started out on CP/M, was ported to DOS, multiple incompatible programs of the same name launched, and later still ported to Windows. The last ever release was part of an obscure office suite. Sawyer is correct: the final DOS version really is the true classic.
- MicroPro, the company behind WordStar, was repeatedly acquired. At one point it was part of SoftKey, which was acquired and became the Learning Company, which was bought by Mattel in what BusinessWeek called “the worst acquisition of all time.” As a result, the software business was spun off again and bought by Houghton Mifflin Riverdeep. Sawyer says:
- It was last updated in December 1992, and the company that made it has been defunct for decades; the program is abandonware.
- While it certainly has been abandoned since the end of the 20th century, the term “abandonware” isn’t a legal one. It’s not clear to us who owns the intellectual property. We doubt it’s one of the surviving offshoots, today’s Houghton Mifflin Harcourt, but it could be another offshoot, Software MacKiev. Either way, it’s very unlikely that the owners will care.
- If the many changes of ownership weren’t enough, the program itself had many offshoots. A rewrite in C became the incompatible Wordstar 2000, that abandoned the keyboard-centric UI which was WordStar’s hallmark. MicroPro also acquired a student’s Modula-2 project and rebadged it WordStar Express, which Amstrad PC 1512 owners may remember: Amstrad got a licence cheaply and bundled it as “WordStar 1512”. Even WordStar 7 isn’t based on the original code: MicroPro bought a rival clone of the program called NewWord, and made it the official WordStar 4 – as still used by George R R Martin.
- While many folks in the Unix world have Vi keystrokes engraved in their muscle memory, those for WordStar are the equivalent for CP/M and MS-DOS users of a certain age. Ctrl+S/ E/D/X for navigation, Ctrl+K, B to mark the start of a block, Ctrl+K, K to mark the end, then Ctrl+K, C to copy it or Ctrl+K, V to move it; and Ctrl+K+S to Save. The modern Joe text editor still uses them, for instance. It hasn’t got all the functionality, but if you don’t want to struggle with an emulator to run a DOS app, the FOSS clone WordTsar comes close, and has versions for Windows, Linux and macOS.
- By modern standards, WordStar doesn’t do much, but it does everything many writers want. The Reg FOSS desk is rather fond of Robert Sawyer’s novels, as well as George R R Martin’s come to that, but those less given to genre fiction may recognize William F Buckley Jr and Ralph Ellison, both keen users.
- Google is discontinuing the Chromecast line
- from The Verge
- Google is done making Chromecasts. In a post on Tuesday, Google says it’s “ending production of Chromecast” after over a decade of selling the streaming dongles.
- Even though Chromecast devices will now be available “while supplies last,” Google says it will continue to push software and security updates to its newer devices without specifying which ones. The most recent update to the lineup was the Chromecast with Google TV released in 2022.
- But now, Google says “technology has evolved dramatically” since the launch of the original Chromecast in 2013. “We invested heavily in embedding Google Cast technology into millions of TV devices, including Android TV,” Google writes. “We are taking the next step in evolving how streaming TV devices can add even more capabilities to your smart TV, built on top of the same Chromecast technology.”
- In place of the Chromecast, the company will offer the newly announced $99.99 Google TV Streamer, which launches on September 24th. The set-top box comes with some significant spec bumps over the Chromecast with Google TV, such as a processor that’s 22 percent faster, along with Thread and Matter integration.
- While the Google TV Streamer is a major upgrade to the Chromecast — and may finally even rival the pricier Apple TV 4K — it’s a shame Google is getting rid of its dongle. With a price of just $29.99, the Chromecast with Google TV offers entry-level access to an all-in-one streaming hub.
- SUSE upgrades its distros with 19 years of support – no other Linux comes close
- from ZDNet
- At SUSECon in Berlin, SUSE, a global Linux and cloud-native software leader, announced significant enhancements across its entire Linux distribution family. These new capabilities focus on providing faster time-to-value and reduced operational costs, emphasizing the importance of choice in today’s complex IT landscape.
- SUSE Linux Enterprise Server (SLES) 15 Service Pack (SP) 6 is at the heart of these upgrades. This update future-proofs IT workloads with a new Long Term Service (LTS) Pack Support Core. How long is long-term? Would you believe 19 years? This gives SLES the longest-term support period in the enterprise Linux market. Even Ubuntu, for which Canonical recently extended its LTS to 12 years, doesn’t come close.
- You may ask yourself, “Why 19 years?” SUSE General Manager of Business Critical Linux (BCL) Rick Spencer explained in an interview that the reason is that at 03:14:08 UTC on Tuesday, January 19, 2038, we reach the end of computing time. Well, not really, but Linux and the other Unix-based operating systems, including some versions of macOS, reach what is known as the Year 2038 problem.
- That is when the time-keeping code in 32-bit Unix-based operating systems reaches the end of the seconds it has been counting since the Unix epoch, 00:00:00 UTC on January 1, 1970, as far as Linux and Unix systems are concerned. A signed 32-bit time_t can hold at most 2,147,483,647 seconds; one second later it wraps to a negative value, which the system interprets as a date in December 1901. Just like the Y2K bug, that means unpatched 32-bit operating systems and software will have fits. The Linux kernel itself added 64-bit time handling for 32-bit architectures in 2020’s Linux 5.6, but many other programs and file formats have not dealt with it.
- Until then, though, if you’re still running SLES 15 SP6, you’ll be covered. I strongly suggest upgrading before then, but if you want to stick with that distro to the bitter end, you can.
- In addition, the new SLES boasts an updated 6.4 kernel version. It also includes new libraries, such as OpenSSL 3.1, ensuring security in compliance with strict regulations.
- As for security, SLES now boasts superior confidential computing support, which encrypts your data not only when it’s stored or in transit on the internet, but in memory as well. SLES provides this extra level of security on systems using Intel TDX (Trust Domain Extensions) and AMD SEV (Secure Encrypted Virtualization) processors. This includes remote attestation with SUSE Manager, ensuring end-to-end capabilities for maximum security and compliance.
- SAP users will also be happy to see SLES for SAP Applications 15 SP6: This release provides SAP customers and partners with a secure and reliable Linux platform for running mission-critical SAP workloads, from the data center to the cloud. It includes access to the latest innovations from Trento, an open-source web application that helps system administrators avoid common infrastructure problems with SAP systems that can result in delayed service implementations or unplanned downtime.
- If you prefer a more lightweight Linux distro for edge computing or smaller servers, SUSE also released SUSE Linux Enterprise Micro 6.0. This immutable, lightweight, and secure open-source host operating system is optimized for containerized and virtualized workloads. It simplifies standalone container deployments and provides a stable platform for Kubernetes deployments. It also includes full disk encryption support to strengthen your data security.
- SUSE is also building its own platform for AI using its Linux distros called SUSE AI. This is not your usual AI play. Instead of coming up with its own Large Language Model (LLM) and chatbot, SUSE is providing the tools companies need to build their own private and secure AI programs. For example, if you want to use your own data without worrying about someone looking over your virtual shoulder to create an AI-smart troubleshooter for your products, SUSE enables you to build just that.
- On one side of the main SUSE family is SUSE’s latest Linux release, SUSE Liberty Linux Lite. This distro is a replacement for CentOS 7, which, while still very popular, reached the end of its supported life on June 30, 2024. SUSE’s answer is a true drop-in replacement: you can literally just change your repositories from CentOS to Liberty Linux Lite and keep operating.
- Moreover, Liberty Linux Lite is the first Linux distro built on the Open Enterprise Linux Association (OpenELA) code base. In OpenELA, CIQ, Oracle, and SUSE joined forces to create a common source base for RHEL-compatible distributions.
- Regardless of which SLES you’re running, you can use SUSE Manager 5.0 to keep tabs on your servers and Linux instances. Indeed, SUSE Manager supports far more than just the SLES family. It now supports over 16 different Linux distributions, including Red Hat Enterprise Linux (RHEL) and its numerous clones, Debian, Mint, and Ubuntu. You can even use it with Raspberry Pi OS, formerly Raspbian, so you can manage your Raspberry Pis as well as your big iron.
- SUSE Manager, built on the Salt configuration-management system, delivers automated patch and compliance management for any Linux, anywhere and at any scale. It is containerized for increased resilience, scalability, and portability, and adds remote attestation capabilities for SLES 15 SP6.
- Get the picture? SUSE remains fully committed to the SLES. In fact, the company is already working on additional innovations for the next major release of its flagship business-critical Linux platform: SLES 16 and SLES for SAP Applications 16, coming in 2025. Tomorrow looks bright for both SUSE and Linux.
- Google is killing one of Chrome’s biggest ad blockers
- from PCWorld’s Michael Crider
- Most people on the internet use the Chrome browser, and most Americans are using ad blockers. And even though advertising puts food on my table, I can’t blame them — because I block ads, too.
- Google, as the world’s biggest advertising company, doesn’t appreciate that. That’s why recent policy changes in Chrome are going to impact one of the browser’s most popular ad blockers.
- A change in Chrome’s extension support, from the Manifest V2 framework to the newer V3, is being billed as a way to make browser add-ons safer, more efficient, and compliant with modern APIs. But it’s also deprecating features that complex extensions rely upon, chiefly the blocking webRequest API that lets an extension inspect and cancel network requests as they happen.
- One of those extensions is uBlock Origin, an ad-blocking tool with over 30 million users according to its Chrome Web Store page (and presumably many more users across other browsers).
- uBlock Origin still works as of this writing, but it will soon be automatically disabled by Chrome updates. Users will have the option to manually re-enable it for a little while, but that will disappear at some point in the near future. When that happens, uBlock Origin fans will need to find a different ad blocker… or a different web browser.
- The maker of uBlock Origin is trying to weather this storm, and has already created a Manifest V3-compliant version of the tool called uBlock Origin Lite. This one uses the same core ad-blocking filters, but lacks certain features like dynamic filters for blocking scriptlet injection.
- uBO Lite is also less capable of getting around anti-ad-blocking systems, like the infamous Admiral ad-blocker-blocker. Google has given uBO Lite the “Featured” badge on the Chrome Web Store.
- uBlock Origin’s developer Raymond Hill could simply replace the Chrome Web Store page with the new Lite version, but according to an explainer post on GitHub, he’s not interested:
- “I consider uBO Lite to be too different from uBO to be an automatic replacement. You will have to explicitly find a replacement to uBO according to what you expect from a content blocker. uBO Lite may or may not fulfill your expectations.”
- uBlock Origin should continue to work fine on other browsers, including Firefox, Edge, Opera, and other Chromium-based browsers that support extensions, like my new browser bestie Vivaldi.
- Google’s move to Manifest V3 support doesn’t appear to be entirely driven by attempts to make ad blockers obsolete, but it seems likely that it helped prod decisions in this direction.
- Google has had a lot of drama surrounding ads recently, like dropping a years-long initiative to replace tracking cookies and trying to force advertising past ad blockers on YouTube.
- For a quick and easy switch to Firefox, check out this link and get your block back.
- GitLab is reportedly up for sale Moss
- from Developer Tech
- GitLab has reportedly garnered interest from buyers and is considering a sale. As AI and cloud computing fuel acquisitions in the technology sector, these mergers and acquisitions are increasingly under review.
- At a valuation of about $8 billion, GitLab has positioned itself as an essential player in the software development space. Its platform integrates the tools used by development, operations, and security teams into one place. GitLab has over 30 million registered users and is used by over half of the Fortune 100 companies, making it a significant player in this space.
- Interestingly, GitLab’s headquarters are based in San Francisco, but it runs as a completely remote company with all its employees working from different parts of the globe. This unique structure has helped position GitLab as a tech industry trailblazer in the remote work movement.
- People familiar with the matter said GitLab has engaged investment bankers to help. There are several prospective buyers in the mix for the company, but apparently, there may now be a leading candidate—cloud monitoring firm Datadog, with a market value of $44 billion. Its customer-service software allows computer programmers and others to work together using cloud-based tools while keeping tabs on their productivity, especially when more people work remotely.
- A deal, if one happens at all, is said to be weeks away. The confidential nature of these discussions highlights just how thorny and high-stakes negotiations with tech giants can be.
- The impact on GitLab’s stock has started: Shares initially surged as much as 11.5% before settling for a gain of around 7% in midday trading when news first broke that the company was exploring options, sources said. The fact that the stock responded in this way implies that investors, for one, saw a sale as good news.
- Needham analyst Mike Cikos said the acquisition has been anticipated for years. This may seem somewhat counterintuitive to many investors, perhaps thinking of companies like AWS and Google Cloud as much more likely buyers. However, Cikos sees synergies between GitLab and Datadog, showcasing the combination in scale-ups that have caught some by surprise in tech sector consolidations.
- Competitive landscape and challenges
- Given its position in the market, GitLab still faces significant challenges. The company’s shares have fallen 16% this year as investors worry about potential cuts in customer spending. In contrast, the S&P 500 Application Software index rose nearly 3% over the same period.
- GitLab has sharp rivals to contend with, above all Microsoft, which owns GitHub thanks to its 2018 purchase of the company for $7.5 billion. This competitive pressure has also presented pricing headwinds for GitLab, as reported in the company’s most recent financial statements.
- The San Francisco-based company’s revenue for its last reported quarter was $169.2 million, up 33% from the same period a year earlier, and it announced it was cash-flow positive for the first time ever. However, the company also disclosed the pricing headwinds it is facing as competition increases in its industry.
- GitLab’s unique ownership structure makes the possibility of a deal even more fascinating. The founder and CEO, Sid Sijbrandij, retains 45.51% of the voting stock via dual-class shares. This further complicates any potential deal because Alphabet — Google’s parent company, which includes a venture capital arm — maintains a 22.2% voting stake in GitLab.
- A sale of GitLab would be part of a broader wave of consolidations in the tech sector. According to Dealogic, in the first half of 2024, the technology sector accounted for the highest share of global M&A activity, involving $327.2 billion worth of deals. This represents a substantial year-on-year increase, with the sector’s deal value jumping by just under 42%.
- Such a prevalence of M&A deals is motivated by the necessity for companies to broaden their range of offered services due to the quickly changing landscape of global business with significant players in numerous industries, from artificial intelligence to cloud computing. For instance, the technology conglomerate Alphabet is said to have been in advanced talks to purchase cybersecurity upstart Wiz for an estimated $23 billion. Previously, Alphabet was rumoured to have considered a purchase proposal for the marketing software maker HubSpot.
- The tech industry is consolidating, and GitLab’s potential sale would be one of the largest events in software development tools and cloud services this year. Whether this particular deal occurs or not, and what its implications for the technology community at large are, remains to be determined.
- Robbins Changed His Mind, Funtoo Shifts to “Hobby Mode”
- From Linuxiac (via londoner)
- On our last show, we reported that Daniel Robbins had announced the cessation of Funtoo Linux; Three weeks later, however, he has changed that original intention. Funtoo Linux, the brainchild of its Benevolent Dictator For Life (BDFL) Daniel Robbins and the original founder of Gentoo Linux, is taking a step back to what its founder describes as “Hobby Mode.”
- “I’ve decided to keep Funtoo Linux going in a limited capacity. Funtoo Linux will be entering ‘Hobby Mode’. It will continue as a personal project of mine, maintained for myself. You will still be able to ego sync and get periodic updates. You can still use it if you want to.”
- Okay, what does this “Hobby Mode” mean? In short, it will continue to receive his personal attention and maintenance. Funtoo users will still be able to perform updates and maintain their systems, ensuring that despite the scaled-back approach, the OS will remain functional and largely up-to-date for those who choose to stick with it. However, significant changes are on the horizon for the Funtoo community infrastructure. The project will discontinue its bug tracker and community code repositories, shifting the forums and wiki to read-only mode.
- This move suggests a departure from active community collaboration, directing users towards platforms like Reddit for self-support and discussion rather than the project’s Discord channel. Robbins has offered a lifeline for those deeply integrated into the Funtoo ecosystem, particularly those using Funtoo containers. He is prepared to maintain certain container hosting services and plans new infrastructure to support future projects.
- So, what can we conclude from this situation? We’re looking at a one-man-show operating system, calling it a personal project, and now it’s cutting off its official community channels. Honestly, this sounds more like “Coma Mode” than “Hobby Mode,” the Linuxiac author writes. Given these circumstances, uncertainty about the project’s future, and the owner’s unpredictable moves, it’s challenging to see who would rely on Funtoo from here on out. But, whether we like it or not, these things are part of the open-source world. Anyway, thanks for everything, Funtoo!
- For more information, refer to the Robbins’ announcement.
— Play Security Transition Bumper —
Security and Privacy
10 minutes
- Hackers leak 2.7 billion data records with Social Security numbers
- From Bleeping Computer.com (via londoner)
- Almost 2.7 billion records of personal information for people in the United States, UK & Canada were leaked on a hacking forum, exposing names, social security numbers, all known physical addresses, and possible aliases. The data allegedly comes from National Public Data, a company that collects and sells access to personal data for use in background checks, to obtain criminal records, and for private investigators. National Public Data is believed to scrape this information from public sources to compile individual user profiles for people in the US and other countries.
- In April, a threat actor known as USDoD claimed to be selling 2.9 billion records containing the personal data of people in the US, UK, and Canada that was stolen from National Public Data. At the time, the threat actor attempted to sell the data for $3.5 million and claimed it contained records for every person in the three countries. USDoD is a known threat actor who was previously linked to an attempted sale of InfraGard’s user database in December 2023 for $50,000. BleepingComputer, at the time, contacted National Public Data and never received a response to our email.
- Since then, various threat actors have released partial copies of the data, with each leak sharing a different number of records and, in some cases, different data. On August 6th, a threat actor known as “Fenice” leaked the most complete version of the stolen National Public Data data for free on the Breached hacking forum. However, Fenice says the data breach was conducted by another threat actor named “SXUL,” rather than USDoD. The leaked data consists of two text files totaling 277GB and containing nearly 2.7 billion plaintext records, rather than the original 2.9 billion number originally shared by USDoD.
- While BleepingComputer can’t confirm if this leak contains the data for every person in the US, numerous people have confirmed to us that it included their and family members’ legitimate information, including those who are deceased. Each record consists of the following information – a person’s name, mailing addresses, and social security number, with some records including additional information, like other names associated with the person. None of this data is encrypted. Previously leaked samples of this data also included phone numbers and email addresses, but these are not included in this 2.7 billion record leak.
- It is important to note that a person will have multiple records, one for each address they are known to have lived. This also means that this data breach did not impact 3 billion people as has been erroneously reported in many articles that did not properly research the data. Some people have also told BleepingComputer that their social security numbers were associated with other people they don’t know, so not all the information is accurate.
- Finally, this data may be outdated, as it does not contain the current address for any of the people we checked, potentially indicating that the data was taken from an old backup. The data breach has led to multiple class action lawsuits against Jerico Pictures, which is believed to be doing business as National Public Data, for not adequately protecting people’s data. If you live in the US, this data breach has likely leaked some of your personal information. As the data contains hundreds of millions of social security numbers, it is suggested that you monitor your credit report for fraudulent activity and report it to the credit bureaus if detected. Furthermore, as previously leaked samples also contained email addresses and phone numbers, you should be vigilant against phishing and SMS texts attempting to trick you into providing additional sensitive information.
- 0.0.0.0 Day: 18-Year-Old Browser Vulnerability Impacts MacOS and Linux Devices
- from The Hacker News
- Cybersecurity researchers have discovered a new “0.0.0.0 Day” impacting all major web browsers that malicious websites could take advantage of to breach local networks.
- The critical vulnerability “exposes a fundamental flaw in how browsers handle network requests, potentially granting malicious actors access to sensitive services running on local devices,” Oligo Security researcher Avi Lumelsky said.
- The Israeli application security company said the implications of the vulnerability are far-reaching, and that it stems from the inconsistent implementation of security mechanisms and a lack of standardization across different browsers.
- As a result, a seemingly harmless IP address such as 0.0.0.0 could be weaponized to exploit local services, resulting in unauthorized access and remote code execution by attackers outside the network. The loophole is said to have been around since 2006.
- 0.0.0.0 Day impacts Google Chrome/Chromium, Mozilla Firefox, and Apple Safari, all of which enable external websites to communicate with software that runs locally on macOS and Linux. It does not affect Windows devices as Microsoft blocks the IP address at the operating system level.
- Particularly, Oligo Security found that public websites using domains ending in “.com” are able to communicate with services running on the local network and execute arbitrary code on the visitor’s host by using the address 0.0.0.0 as opposed to localhost/127.0.0.1.
- It’s also a bypass of Private Network Access (PNA), which is designed to prohibit public websites from directly accessing endpoints located within private networks.
- Any application that runs on localhost and can be reached via 0.0.0.0 is likely susceptible to remote code execution, including local Selenium Grid instances by dispatching a POST request to 0.0.0[.]0:4444 with a crafted payload.
- Put differently, the issue is as simple as a malicious web page sending requests to 0.0.0.0 and a port of its choosing that could then be processed by services running locally on that same port, leading to unintended consequences.
- In response to the findings in April 2024, web browsers are expected to block access to 0.0.0.0 completely, thereby deprecating direct access to private network endpoints from public websites.
- “When services use localhost, they assume a constrained environment,” Lumelsky said. “This assumption, which can (as in the case of this vulnerability) be faulty, results in insecure server implementations.”
- “By using 0.0.0.0 together with mode ‘no-cors,’ attackers can use public domains to attack services running on localhost and even gain arbitrary code execution (RCE), all using a single HTTP request.”
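- Two checks a defender can run against the issue described above, as an added example that is not code from The Hacker News article or from Oligo Security: first, parse `ss -ltnp` output and list every local service bound to all interfaces (0.0.0.0, `*` or `[::]`), since those are the ones reachable as 0.0.0.0:port from a web page, while a service bound to 127.0.0.1 or [::1] is not; second, a Host/Origin validation a local service can apply so that a request addressed to 0.0.0.0 and originating from a public site is refused even when the socket is bound more widely. The `ss` output is constructed for the example, and the port numbers and process names in it are made up.

```python
"""Defender-side checks for the "0.0.0.0 Day" class of issue.

(1) find_wildcard_listeners: which local services listen on every interface
    (0.0.0.0 / [::] / *) rather than on loopback only.
(2) request_is_local: Host/Origin validation for a local HTTP service, so a
    request addressed to 0.0.0.0 from a public page is rejected.

Added example; not code from the article or from Oligo Security.
The ss(8) output below is constructed for the example, not captured."""
import ipaddress
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample of `ss -ltnp` output (made up for this example).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:4444       0.0.0.0:*         users:(("java",pid=1234,fd=5))
LISTEN 0      128    127.0.0.1:8000     0.0.0.0:*         users:(("python3",pid=2345,fd=3))
LISTEN 0      511    *:3000             *:*               users:(("node",pid=3456,fd=18))
LISTEN 0      128    [::1]:631          [::]:*            users:(("cupsd",pid=456,fd=7))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=789,fd=3))
"""

# Addresses ss prints for "listening on every interface".
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}


def _split_addr_port(local: str):
    """Split ss's Local Address:Port column; the port follows the last colon."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def find_wildcard_listeners(ss_output: str) -> List[Dict[str, object]]:
    """Return every LISTEN socket bound to all interfaces, with port and process.

    A service on this list is reachable as 0.0.0.0:<port> (and from the LAN);
    one bound to 127.0.0.1 or [::1] is not."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line, or not a listening socket
        addr, port = _split_addr_port(fields[3])
        if addr not in WILDCARD_ADDRS:
            continue
        proc = None
        if len(fields) > 5:
            m = re.search(r'\("([^"]+)"', fields[5])
            proc = m.group(1) if m else None
        findings.append({"address": addr, "port": port, "process": proc})
    return findings


def _is_loopback_host(host: Optional[str]) -> bool:
    """True for 'localhost' and any loopback IP literal. 0.0.0.0 is the
    unspecified address, not a loopback address, so it returns False."""
    if not host:
        return False
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def request_is_local(headers: Dict[str, str]) -> bool:
    """Accept a request only if its Host header names loopback and, when an
    Origin header is present, that origin is loopback as well.

    A fetch to http://0.0.0.0:4444/ from a public page carries
    'Host: 0.0.0.0:4444' and 'Origin: https://<public-site>', failing both
    tests. Binding the socket to 127.0.0.1 remains the primary fix; this is
    defence in depth for services that must bind more widely."""
    lower = {k.lower(): v for k, v in headers.items()}
    host_hdr = lower.get("host")
    if host_hdr is None or "@" in host_hdr or "/" in host_hdr:
        return False  # missing, or smuggled userinfo/path in the Host value
    # urlsplit handles "[::1]:631" and "localhost:8000" alike.
    if not _is_loopback_host(urlsplit("//" + host_hdr).hostname):
        return False
    origin = lower.get("origin")
    if origin is not None and not _is_loopback_host(urlsplit(origin).hostname):
        return False
    return True


if __name__ == "__main__":
    for f in find_wildcard_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {f['port']} ({f['process']}) listens on {f['address']}: reachable via 0.0.0.0")
    print(request_is_local({"Host": "127.0.0.1:8000"}))  # True
    print(request_is_local({"Host": "0.0.0.0:4444", "Origin": "https://public.example"}))  # False
```

On a real machine, pipe `ss -ltnp` into `find_wildcard_listeners` and rebind anything it reports that only needs local access to 127.0.0.1; the Host/Origin check is a second layer for services that genuinely need to listen on the LAN.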
— Play Wanderings Transition Bumper —
Bi-Weekly Wanderings
30 minutes (~5-8 mins each)
- Special Guest Host Dale Miracle
- I arrived home yesterday afternoon after working almost 5 weeks. It was a week longer due to my company’s truck having sensor malfunctions and a leaking air valve. I had a few days in the provided hotel room. So I binge watched YouTube videos.
- Now that I have the correct settings in my Tailscale Tailnet, I am able to use the Tailscale app on my phone 24/7. It has been working well with acceptable battery usage.
- I have been testing the Nextcloud Notes app on my phone as a replacement for Standard Notes. I have nothing against Standard Notes. The only thing that is missing is Markdown support, which is a paid feature. The Nextcloud Notes app has that built in, and my Nextcloud is self-hosted out of my apartment. So it is a win-win for free and open source. I will have more details about my Tailscale settings in episode 54 of Distrohoppers’ Digest, which will be the next episode. Perhaps it could also be a good future Innards topic.
- Since the Notes app has been working well, I have been moving my notes from Standard Notes to Nextcloud Notes. Anything needing more privacy is being saved in the Secure Notes feature of Bitwarden.
- I helped a friend begin the initial stages of organizing his garage. The 14 years of clutter was finally too much for him to tolerate. I did acquire some items that are going to be taken to the local E-Cycling center. The others need closer inspection to see if they are still usable. These include a 16 port switch, 8 port switch, 5 port switch, 4 laptops, and an Acer Aspire desktop from 2009. They may end up being taken there. I know the person, though not personally, who manages the E-Cycling center. He is a fellow computer geek and has a collection of vintage computers. He is often approached when props are needed for movies, TV or print media. So not everything is considered E-waste, and I don’t feel bad about disposing of them. I would also like to send them to people who could use them, once I know they are usable.
- Bill
- Well, if I’m reading this on the air it’s because the old gods and/or the new have shone down their favor, and I’ve made it home after one of the most grueling weeks of my considerable career. As many would be aware, I drive a semi-truck for a living and most weeks I’m out at least 3 nights a week. This week started slightly differently from most, in that I trained a younger guy in hauling what we call “roll off.” Most people have likely seen the steel boxes on trailers that are able to slide them on and off, and have referred to them as “dumpsters.” They are typically seen at construction sites or wherever large scale cleanup is being done. Other applications exist as well, such as the ones we were hauling, which contained the wastewater solids from the factory that makes the Silverado and Sierra pickup trucks. We take the boxes to Cape Girardeau, Missouri to dump at a quarry. All went well, and I did other things after returning from that, but on Thursday I set off to do another box on my own. Shortly after dumping my box and heading down to the truck stop on the south side of town, I lost all of my engine coolant. It turns out the air compressor, which supplies the pressure for the brakes and the air-ride system, had begun pumping air into the coolant system, and in turn was taking coolant into the air system. The fix for this is a new air compressor, which isn’t always easy to find – especially on the road. I was resolved to wait until Monday for a new part, given I was able to overcome the problem with the goal of keeping the motor running by simply removing the radiator cap to allow the pressure from the air compressor to escape while not pushing out my coolant. This is sufficient for sitting still and running my electricity, such as I used when I wrote this, as well as for my refrigerator and television. It would not be a good enough fix to get me home from three states away.
Again, if you’re hearing this from my lips, it means I got this all fixed and made it home.
- Joe
- Things started out pretty well over the last two weeks.
- I decided to see if I could get VR working on an old Samsung Galaxy Gear VR, the old model that only allowed for micro USB phones to be connected. I ended up pulling out an old S7 to do it. I was able to get the S7 wiped and logged in, but as soon as I plugged it into the Gear VR it would load the screen that says disconnect and install all the software.
- I tried to let it go through the process, but it would say that the connection had failed and such and such an application failed to be installed. I did some research and found out that most of the applications are not available anymore for that. I looked, and some people had gotten it to work by installing the apps manually, but when I went and looked at the sites where you could get the applications it seemed a little sketchy.
- So, backup plan. Google Cardboard is not as good an environment as what gets created by Samsung’s software, but it will allow for individual applications that can be run, and many people are developing for it. The problem then becomes that when the USB is connected for the Gear, it starts the process automatically. I still want to use the Gear because it has good lenses and a way to focus and is also comfortable to wear.
- Looking online for suggestions on what to do, most people’s answers were: buy something newer, they are not that expensive. Well, I may do that one day, but I still like making old stuff work, so I continued searching. Someone gave the obvious answer: if the USB doesn’t connect then you can use it however you want. Can’t use the buttons and things, but it’s better than nothing. A simple hair tie to work as a spacer and everything is good to go. Not the easiest to use, but with a mouse paired I can do a lot of things, and I can also go back and forward with a click.
- Two shows back I was discussing creating MagSafe phone mounts using some magnetic rings that I ordered from AliExpress. Well, I have completed that project. The first design that I did before the magnets arrived, after modding someone else’s STL, worked but not in the way that I wanted. Because the design put the magnet under some plastic it did not have the gripping force that I thought was safe. So I ended up gluing a second magnet to the front and that worked much better, but I don’t want to use 2 magnets for every mount. Instead I went back to the STL and moved the 17mm ball mount to the other side and learned a better way to get two flat surfaces to touch in TinkerCAD. After that I reprinted and everything works great. Made 3 or 4 so far and moved the manufactured one out to the car.
- Then we start getting into the fun things in my life. First, I was driving the Mini Cooper and it started overheating. After a couple of false starts in trying to find the issue and refilling the reservoir several times, I was able to find the leak. One of the retention brackets had broken and the front radiator reservoir hose had fallen down and was scraping the ground until it ruptured and I lost all the coolant.
- Thankfully this happened right outside of a Walgreens and I was able to get into the parking lot and get to work. This being the Mini, I did not have my usual toolbox with me, but I did have a knife and a multi-tool with pliers in my pocket. Getting my hands under a Mini is difficult, but I was able to get the hose cut at the hole and reattached to the center coupler. After 3 hours in the middle of the day in Texas at 104 in the parking lot, I now have a lovely tan.
- Next day I find out that the van has a dying alternator and I will get to replace that as well. I looked up the instructions online and it is not that hard of a job. If the van was two years newer I would have to go through the wheel well to get the job done, but this should be easy as long as I can find the right tools. Still, the alternator comes out to 150ish dollars after the core return.
- Then later that night I found out that one of my air conditioners died. From what I can tell it is the compressor, but thankfully I have a warranty company for that. But sadly they will not be able to come out to fix it until Monday, as everyone else’s air conditioners are dying too. Really glad I have the warranty company, because looking up the prices of those, we are talking well over 1k dollars just for the parts. And I try not to play with mains power.
- All of this has kinda made me realise that I need to look into a new job. My current job is offering new employees more than what I am making but will not give me a raise due to budget constraints. Much less interested in retention than in hiring. But if I can’t afford some simple emergencies that come along because I am living paycheck to paycheck, then it is time to start looking elsewhere for a career. So I have started applying and will probably need to shave the beard and cut the hair before interviews start.
- God I hate job hunting.
- Moss
- Crazy time. I did manage to work one day this biweek, and turned down another because it came in so late in the morning.
- I got my passport applied for (wait 6-8 weeks). Lots of other stressful things.
- My PineTime died. I’m sad. I have never been so fond of a watch as I was of this. I’m working with the community to find out what to do next. Apparently they have a 14-day refund-and-return policy and a 30-day warranty, so I’m SOL, having had it for 5 weeks. I was told to keep it for parts and buy another, but I’m not inclined to do so on the premise that $25 plus shipping every 5 weeks will get expensive.
- Our new kitten did not work out. She was not getting along with our other cats, and Suzanne’s allergies flared up again. We took her to a local no-kill animal shelter. I miss her, but she was one cat too many and I knew it when I tried to keep her.
- I still haven’t loaded Ken McConnell’s books (Destroyer series, books 4-6 of the entire series) onto my PineTab 2. Just dragging my feet, or overwhelmed, or something.
- I recorded and produced FCWN 379 using Audacity 3.6.1 (Flatpak). What a headache that was – the screen kept going blank, and I had to resize the window to get it back, over and over and over. I also could not see my breaths, which were easy to see in 2.x.x, and I cut those out to help get the podcast short enough. I’m looking for alternatives, might just find an old copy of 2.4.2 or even 2.3.2 and run with that. I looked at Tenacity again, but last I’ve read it is still having problems loading in Mint. I wish MuseGroup had just gone the other way and not purchased Audacity.
— Play Innards Transition Bumper —
Linux Innards
30 minutes (~5-8 minutes each)
- Home networking: tips, tricks, dos and don’ts
- Bill’s Home Network
- ISP: Frontier Communications with symmetrical 500mb, and static IP on Business account
- Router: TP Link ER7206 Gigabit Router
- Wifi Access point: TP-Link TL-WA3001 WiFi 6 Wireless Gigabit Access Point
- Switch: TP-Link 24 Port Gigabit Ethernet Switch
- Linksys LGS108: 8-Port Business Desktop Gigabit Ethernet Unmanaged Switch
- 2x Linksys SE3005: 5-Port Gigabit Ethernet Unmanaged Switch
- Router: From Frontier
- Moss
- Modem (from fiber optic company KUB): AdTran SDX822v
- Router (from Bill): Linksys WRT3200ACM
- Belkin network switch (inherited upon John Noggle’s passing)
- ATT fiber modem
- RT-AX86U router dual band
- GL.iNet GL-SFT1200 (Opal) Secure Travel WiFi Router – AC1200 Dual Band Gigabit Ethernet Wireless Internet | IPv6 USB 2.0 MU-MIMO DDR3 |128MB Ram Repeater Bridge Access Point Mode
- NETGEAR 5-Port Gigabit Ethernet Unmanaged Switch
- pihole
- wireguard
- Dale
- ISP: Spectrum residential cable modem with 1 Gbit down and 30 Mbit up with a dynamic IP. The modem doesn’t have any routing capabilities, aka it is not a gateway. You need to ask for this specifically; the default is one that is a gateway with an included AP.
- Router: A Xeon E3-1231 V3 3.4 GHz, 16 GB of DDR3 memory, 240 GB Kingston A400 SSD, and an Intel quad-port 82576 Gbit network card running pfSense 2.7.2-RELEASE.
- WiFi Access Point: Ubiquiti Unifi Access Point Long Range WiFi 5 (UAP-AC-LR)
- Switches: Ubiquiti Unifi Lite 8 port PoE (USW-Lite-8-PoE), Ubiquiti Unifi Switch 8 port 60W (US-8-60W), Ubiquiti Unifi Flex Mini 5 port (USW-Flex-Mini)
- My 24 port patch panel, 8 port switch, and 2 Lenovo ThinkCentre Tinys. One of the Tinys runs the Unifi management software; it is accessed via a web browser.
— Play Vibrations Transition Bumper —
Vibrations from the Ether
20 minutes (~5 minutes each)
- We received two very short but pleasant emails from Lune Jernberg, about her first and second time listening to mintCast. Hang in there, Lune, we’re just getting good.
— Play Check This Transition Bumper —
Check This Out
10 minutes
- Evolution of Linux Mint (via londoner)
- A 5 minute video on YouTube showing the evolving desktops of Linux Mint from 1.0 Ada to the current 22 Wilma.
Housekeeping & Announcements
- Thank you for listening to this episode of mintCast!
- If you see something that you’d like to hear about, tell us!
Send us email at [email protected]
Join us live on Youtube
Post at the mintCast subreddit
Chat with us on Telegram and Discord,
Or post directly at https://mintcast.org
- Next Episode – 2 pm US Central time on Sunday, September 1, 2024.
- Get mintCast converted to your time zone
- for 444 Next Roundtable Live Stream – 2 pm US Central time on Saturday, August 24.
- Get the Roundtable Live Stream converted to your time zone
- for 444.5 Next Roundtable Live Stream – 2 pm US Central time on Saturday, September 7.
- Get the Roundtable Live Stream converted to your time zone
- Livestream information is at mintcast.org/livestream
Wrap-up
- Joe – Tllts.org, linuxlugcast.com, [email protected], Buy Joe a coffee
- Moss – Full Circle Weekly News, [email protected], Mastodon @[email protected], occasionally on HPR
- Bill – [email protected], Bill_H on Discord, @[email protected] on Mastodon, also – check out my other two podcasts Linux OTC and 3 Fat Truckers
- Majid – [email protected], @[email protected], AtypicalDr on Instagram and Threads, and The Atypical Doctor Podcast on Spotify and also Linux OTC.
- Eric – You can hear and see me on the Distrohoppers’ Digest and Linux OTC podcasts as well as the Linux Saloon and LinuxLUGCast streams. I can be reached by email at [email protected].
Before we leave, we want to make sure to acknowledge some of the people who make mintCast possible:
- Bill for our audio editing
- Archive.org for hosting our audio files
- Hobstar for our logo, initrd for the animated Discord logo
- Londoner for our time syncs and various other contributions
- Bill Houser for hosting the server which runs our website, website maintenance, and the NextCloud server on which we host our show notes and raw audio
- The Linux Mint development team for the fine distro we love to talk about <Thanks, Clem … and co!>
— Play Closing Music and Standard Outro —