Episode 449 Show Notes

Welcome to mintCast

the Podcast by the Linux Mint Community for All Users of Linux

This is Episode 449!

This is Episode 449.5!

Recorded on Sunday, October 27, 2024.

Breaking the nets im Joe; can’t get rid of me, I’m Moss; and bravely running away, I’m Eric

— Play Standard Intro —

  • First up in the news: Ubuntu 25.04 gets perfect name, WinAmp deletes entire Github code, Ubuntu 24.10 released for Snapdragon X Elite, Arm cancels Qualcomm’s architecture license, Paranoia and Fear inhabit Automattic, Internet Archive breached again, Rand removal of Russian coders spurs debate about Linux kernel’s politics;
  • In security and privacy: Concerns raised over Bitwarden, Fortigate Admins Report Active Zero-Day Exploit;
  • Then in our Wanderings: Joe mods, Moss gets edumacated, and Eric times out.
  • In our Innards section:
  • And finally, the feedback and a couple of suggestions
  • Please remember if you want to follow along with our discussions, the full show notes for this episode are linked in the show’s description

— Play News Transition Bumper —

The News

20 minutes

  • Ubuntu 25.04 Codename is Revealed – And It’s Pretty Perfect – Eric
    • from OMGUbuntu
    • Ubuntu 24.10 may have only just been released, but development on the next version is getting underway and the codename for Ubuntu 25.04 revealed.
    • Since codenames are alphabetical (as of Ubuntu 6.06 LTS; restarted at ‘A’ with 17.10) it means the Ubuntu 25.04 codename will start with the letter ‘P’…
      • Praying for a Piquant Pika? You’ll be perplexed to hear it wasn’t picked…
      • Pining for a Percipient Panda? You’ll be put-out to know it got passed over…
      • Prefer the sound of a Plucky Puffin? You’ll be pleased as punch because…
    • Ubuntu 25.04 is the ‘Plucky Puffin’.
    • Yup, it seems a fellow feathered mascot is following in the footsteps – or rather the talon steps – of the ‘Oracular Oriole’.
    • The ‘Plucky Puffin’ is only the 2nd ‘P’ codename in Ubuntu’s 20 year history, the other one being Ubuntu 12.04 LTS ‘Precise Pangolin’.
    • But what does the name mean, and does it indicate what we can expect from the next release?
    • “Plucky” is an adjective often used to refer to someone/something showing courage, determination, or assurance in the face of challenges or obstacles. In some contexts it’s also a synonym of Gutsy, the adjective used in the Ubuntu 7.10 codename (and my first Ubuntu release).
    • A “Puffin” is a small seabird known with a brightly coloured beak, black and white feathers, and a somewhat squat shape. I’ve heard them (informally) described as “sea parrots” due to their coastal habitats and their vivid beaks.
    • Although the exact word and animal used in codenames no longer relate to the upcoming release as they once did, perhaps Ubuntu 25.04 will facing (and overcoming) a challenges of its own during the next development cycle.
    • There was talk of the first public preview of an Ubuntu Core Desktop image in 2025…
    • Why does Ubuntu use codenames at all?
    • Ubuntu version numbers are date based. Ubuntu 25.04 will (aim to) be release in the 4th month of 2025 – April.
    • However, when Mark Shuttleworth began his Super Secret Debian Startup1 20 years ago, there was no name, no release date, no version number. Some sort of label was needed for repos, files, discussions, etc, so a codename was chosen.
    • “Warty” was a fitting choice since the first release of what-was-to-become-known-as Ubuntu would likely arrive in a fairly raw, unpolished state compared to future release, i.e., released ‘warts and all’.
    • But the animal mascot element in the codename came a bit later – why?
    • It depends on who you ask.
    • One version (told over a drink with a member of the original Ubuntu team so accuracy may be moot) is flying developers to South Africa to ‘sprint’ in a small room working on warm laptops in temperate climes meant people sweated.
    • Because of that the original Ubuntu development team were often referred to as ‘the warthogs’ (an animal known for being a bit smelly) and to honour of their effort the final Ubuntu release launched as the Warty Warthog.
    • The other version? Branding: the warthog is native to Africa, Ubuntu’s founder Mark Shuttleworth is South African, ‘Ubuntu’ is an African word, initial development/sprint work took place there, and a ‘mascot’ helps with marketing.
    • Regardless of how ‘warthog’ came to be, an animal mascot stuck and is now a key part of branding/marketing each release.
    • The adjective parts is less superfluous since it is integral to differentiating each release in Ubuntu’s development infrastructure and configuration files, and effectively hardcoded to require a distinct one – though the Ubuntu wallpaper filename remains warty_final.png!
    • Plus, muscle memory is a powerful thing: witness how often I write “24.04” instead of “25.04” in upcoming coverage. No major drama – but if I was a developer committing code or editing a vital configuration file, such a typo could cause issues.
    • Opting for a completely new, unique word lessens the chances of that.
    • So yeah: as goofy and gimmicky as Ubuntu codenames can seem, they’re both an important and indelible part of Ubuntu’s iconic lineage and a vital part of its development infrastructure.
    • Next year, Ubuntu’s playful personality is fronted by a Plucky Puffin – a fitting choice, IMO.
  • Winamp deletes entire GitHub source code repo after a rocky few weeks Moss
    • from ArsTechnica
    • Winamp, through its Belgian owner Llama Group, posted the source for its “Legacy Player Code” on September 24 so that developers could “contribute their expertise, ideas, and passion to help this iconic software evolve.”
    • Less than a month later, that repository has been entirely deleted, after it either bumped up against or broke its strange hodgepodge of code licenses, seemingly revealed the source code for other non-open software packages, and made a pretty bad impression on the open-source community.
    • Winamp’s code was made available in late September, but not very open. Under the “Winamp Collaborative License (WCL) Version 1.0.1,” you may not “distribute modified versions of the software” in source or binary, and “only the maintainers of the official repository are allowed to distribute the software and its modifications.” Anyone may contribute, in other words, but only to Winamp’s benefit.
    • Justin Frankel, a key developer of the original Winamp and founder of Nullsoft, which also made SHOUTcast streaming software, was asked on his Q&A site about contributing to the code. Frankel responded that, even if he had some desire, the license terms “are completely absurd in the way they are written.” Even taking them “as they are likely intended,” Frankel wrote, “they are terrible. No thank you.”
    • Despite how this license would seem to bar forks, or perhaps because of that, the code has been forked at least 2,600 times as of this writing. In forking and examining the source when first released, coders have noticed some, shall we say, anomalies:
      • Large portions of other projects’ code, offered under other, more robust licenses, were seemingly included (if later deleted) from Winamp’s repository
      • The original Winamp code may have leaked the source code for SHOUTcast server software
      • In seeking to remove offending files with a simple deletion instead of a rebase, Winamp kept it available to those who know Git mechanics
      • Proprietary packages from Intel and Microsoft were also seemingly included in the release’s build tools
    • As people in the many, many busy GitHub issue threads are suggesting, coding has come a long way since the heyday of the Windows-98-era Winamp player, and Winamp seems to have rushed its code onto a platform it does not really understand.
    • Winamp flourished around the same time as illegal MP3 networks such as Napster, Limewire, and Kazaa, providing a more capable means of organizing and playing deeply compressed music with incorrect metadata. After a web shutdown in 2013 that seemed inevitable in hindsight, Winamp’s assets were purchased by a company named Radionomy in 2014, and a new version was due out in 2019, one that aimed to combine local music libraries with web streaming of podcasts and radio.
    • Winamp did get that big update in 2022, though the app was “still in many ways an ancient app,” Ars’ Andrew Cunningham wrote then. There was support for music NFTs added at the end of 2022.
    • In its press release for the code availability, the Brussels-based Llama Group SA, which claims to have roughly 100 employees (with others suggested closer to 30), says that “Tens of millions of users still use Winamp for Windows every month.” It plans to release “two major official versions per year with new features,” as well as offering Winamp for Creators, intended for artists or labels to manage their music, licensing, distribution, and monetization on various platforms.
    • Winamp has not responded to requests for comment, either at the time of source code posting or after its repository deletion.
  • Ubuntu 24.10 Developer Preview Released For Snapdragon X1 Elite Laptops – Joe
    • from Phoronix
    • Following last week’s release of Ubuntu 24.10, today Canonical announced a developer preview of an Ubuntu 24.10 Linux build targeting Qualcomm Snapdragon X1 Elite laptops.
    • As covered last month on Phoronix, Canonical engineers have been working on bringing up Snapdragon X1 Elite hardware with Ubuntu Linux. Now that most elements of the Snapdragon X1 Elite SoC support is upstream and in Linux 6.11~6.12 we have seen various DeviceTree files added for different Snapdragon X1 laptops, the upstream kernel support is coming together and making it easier for Linux distributions to support.
    • This Ubuntu 24.10 developer preview is targeted at early adopters and their ultimate hope is to provide an installation image that will “just work” on as many Snapdragon X1 Elite systems as possible. It may lead to a more generic ARM64 installer in the future but that is still a lofty goal with so many ARM consumer devices still depending upon Device Tree.
    • The Lenovo ThinkPad T14s Gen 6 has been the device seeing the most testing by Canonical and expected to work the best at this stage.
    • While there is now this Ubuntu 24.10 developer preview to ease the process of setting up Ubuntu Linux on modern Qualcomm-powered laptops, there are various feature limitations that remain. Additionally, necessary firmware files still cannot be easily redistributed by Ubuntu or other Linux distributions until they have been relicensed. So for now users need to hoop through the headache of having to fetch the firmware files from their Microsoft Windows installation for use under Linux.
  • Arm cancels Qualcomm’s architecture license Moss
    • From ArsTechnica (via londoner)
    • Any company that makes Arm chips must license technology from Arm Holdings plc, the British company that develops the instruction set. Companies can license the instruction set and create their own CPU designs or license one of Arm’s ready-made Cortex CPU core designs to incorporate into their own chips.
    • Bloomberg reports that Arm is canceling Qualcomm’s license, an escalation of a fight that began in late 2022 when Arm sued Qualcomm over its acquisition of Nuvia in 2021. Arm has given Qualcomm 60 days’ notice of the cancellation, giving the companies two months to come to some kind of agreement before Qualcomm is forced to stop manufacturing and selling its Arm chips.
    • “This is more of the same from ARM—more unfounded threats designed to strongarm a longtime partner, interfere with our performance-leading CPUs, and increase royalty rates regardless of the broad rights under our architecture license,” a Qualcomm spokesperson told Ars. “With a trial fast approaching in December, Arm’s desperate ploy appears to be an attempt to disrupt the legal process, and its claim for termination is completely baseless. We are confident that Qualcomm’s rights under its agreement with Arm will be affirmed. Arm’s anticompetitive conduct will not be tolerated.”
    • Qualcomm bought Nuvia to assist with developing high-performance Arm chips that could compete with x86 chips from Intel and AMD as well as Apple Silicon chips in iPhones and Macs—Nuvia was founded by people who had headed up Apple’s chip design team for years. Arm claimed that the acquisition “caused Nuvia to breach its Arm licenses,” and Arm demanded that Qualcomm and Nuvia destroy any designs that Nuvia had created pre-acquisition.
    • This apparently didn’t happen; Qualcomm’s flagship Oryon CPU cores are at the heart of the just-announced Snapdragon 8 Elite processor for flagship phones and the Snapdragon X Elite and Plus chips that have been shipping in Microsoft’s latest Surface devices and many other Windows PCs that launched this summer.
    • Qualcomm’s shift to using Nuvia’s designs means that Arm could make less money from the partnership than it used to. Since 2015, Qualcomm’s flagship chips had all used versions of a CPU architecture called Kryo, a “semi-custom” design that was largely based on Arm’s Cortex CPU cores. Arm offers multiple licensing programs, but generally companies only pay for “the IP included in the final SoC design,” so a company licensing both the Arm instruction set and Arm CPU designs is obviously more attractive for Arm than a company that simply uses the instruction set in its own custom CPUs.
  • Employees Describe an Environment of Paranoia and Fear Inside Automattic Over WordPress Chaos – Eric
    • from 404Media
    • Employees Describe an Environment of Paranoia and Fear Inside Automattic Over WordPress Chaos
    • Automattic CEO Matt Mullenweg made another buyout offer this week, and threatened employees who speak to the press with termination.
    • After an exodus of employees at Automattic who disagreed with CEO Matt Mullenweg’s recently divisive legal battle with WP Engine, he’s upped the ante with another buyout offer—and a threat that employees speaking to the press should “exit gracefully, or be fired tomorrow with no severance.”
    • Earlier this month, Mullenweg posed an “Alignment Offer” to all of his employees: Stand with him through a messy legal drama that’s still unfolding, or leave.
    • “It became clear a good chunk of my Automattic colleagues disagreed with me and our actions,” he wrote on his personal blog on Oct. 3, referring to the ongoing dispute between himself and website hosting platform WP Engine, which Mullenweg called a “cancer to WordPress” and accusing WP Engine of “strip-mining the WordPress ecosystem. In the last month, he and WP Engine have volleyed cease and desist letters, and WP Engine is now suing Automattic, accusing Mullenweg of extortion and abuse of power.
    • Do you know anything else about the situation inside Automattic, as a former or current employee? I would love to hear from you. Using a non-work device, you can message me securely on Signal at sam.404. Otherwise, send me an email at [email protected].
    • In the “Alignment Offer,” Mullenweg offered Automattic employees six months of pay or $30,000, whichever was higher, with the stipulation that they would lose access to their work logins that same evening and would not be eligible for rehire.
    • One hundred and fifty-nine people took the offer and left. “However now, I feel much lighter,” Mullenweg wrote in his blog.
    • But many stayed at Automattic even though they didn’t agree with Mullenweg’s actions, telling 404 Media they remained due to financial strain or the challenging job market. Several employees who remained at the company describe a culture of paranoia and fear for those still there.
  • Internet Archive breached again through stolen access tokens – Joe
    • from Bleeping Computer
    • The Internet Archive was breached again, this time on their Zendesk email support platform after repeated warnings that threat actors stole exposed GitLab authentication tokens.
    • Since last night, BleepingComputer has received numerous messages from people who received replies to their old Internet Archive removal requests, warning that the organization has been breached as they did not correctly rotate their stolen authentication tokens.
    • “It’s dispiriting to see that even after being made aware of the breach weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets,” reads an email from the threat actor.
    • “As demonstrated by this message, this includes a Zendesk token with perms to access 800K+ support tickets sent to [email protected] since 2018.”
    • “Whether you were trying to ask a general question, or requesting the removal of your site from the Wayback Machine your data is now in the hands of some random guy. If not me, it’d be someone else.”
    • The email headers in these emails also pass all DKIM, DMARC, and SPF authentication checks, proving they were sent by an authorized Zendesk server at 192.161.151.10.
    • After publishing this story, BleepingComputer was told by a recipient of these emails that they had to upload personal identification when requesting a removal of a page from the Wayback Machine.
    • The threat actor may now also have access to these attachments depending on the API access they had to Zendesk and if they used it to download support tickets.
    • These emails come after BleepingComputer repeatedly tried to warn the Internet Archive that their source code was stolen through a GitLab authentication token that was exposed online for almost two years.
    • Exposed GitLab authentication tokens
    • On October 9th, BleepingComputer reported that Internet Archive was hit by two different attacks at once last week—a data breach where the site’s user data for 33 million users was stolen and a DDoS attack by an alleged pro-Palestinian group named SN_BlackMeta.
    • While both attacks occurred over the same period, they were conducted by different threat actors. However, many outlets incorrectly reported that SN_BlackMeta was behind the breach rather than just the DDoS attacks.
    • This misreporting frustrated the threat actor behind the actual data breach, who contacted BleepingComputer through an intermediary to claim credit for the attack and explain how they breached the Internet Archive.
    • The threat actor told BleepingComputer that the initial breach of Internet Archive started with them finding an exposed GitLab configuration file on one of the organization’s development servers, services-hls.dev.archive.org.
    • BleepingComputer was able to confirm that this token has been exposed since at least December 2022, with it rotating multiple times since then.
    • The threat actor says this GitLab configuration file contained an authentication token allowing them to download the Internet Archive source code.
    • The hacker says that this source code contained additional credentials and authentication tokens, including the credentials to Internet Archive’s database management system. This allowed the threat actor to download the organization’s user database, further source code, and modify the site.
    • The threat actor claimed to have stolen 7TB of data from the Internet Archive but would not share any samples as proof.
    • However, now we know that the stolen data also included the API access tokens for Internet Archive’s Zendesk support system.
    • BleepingComputer attempted to contact the Internet Archive numerous times, as recently as on Friday, offering to share what we knew about how the breach occurred and why it was done, but we never received a response.
    • After the Internet Archive was breached, conspiracy theories abounded about why they were attacked.
    • Some said Israel did it, the United States government, or corporations in their ongoing battle with the Internet Archive over copyright infringement.
    • However, the Internet Archive was not breached for political or monetary reasons but simply because the threat actor could.
    • There is a large community of people who traffic in stolen data, whether they do it for money by extorting the victim, selling it to other threat actors, or simply because they are collectors of data breaches.
    • This data is often released for free to gain cyber street cred, increasing their reputation among other threat actors in this community as they all compete for who has the most significant and most publicized attacks.
    • In the case of the Internet Archive, there was no money to be made by trying to extort the organization. However, as a well-known and extremely popular website, it definitely boosted a person’s reputation amongst this community.
    • While no one has publicly claimed this breach, BleepingComputer was told it was done while the threat actor was in a group chat with others, with many receiving some of the stolen data.
    • This database is now likely being traded amongst other people in the data breach community, and we will likely see it leaked for free in the future on hacking forums like Breached.
  • Removal of Russian coders spurs debate about Linux kernel’s politics Moss
    • From ArsTechnica (via londoner)
    • “Remove some entries due to various compliance requirements. They can come back in the future if sufficient documentation is provided.”
    • That two-line comment, submitted by major Linux kernel maintainer Greg Kroah-Hartman, accompanied a patch that removed about a dozen names from the kernle’s MAINTAINERS file. “Some entries” notably had either Russian names or .ru email addresses. “Various compliance requirements” was, in this case, sanctions against Russia and Russian companies, stemming from that country’s invasion of Ukraine.
    • This merge did not go unnoticed. Replies on the kernel mailing list asked about this “very vague” patch. Kernel developer James Bottomley wrote that “we” (seemingly speaking for Linux maintainers) had “actual advice” from Linux Foundation counsel. Employees of companies on the Treasury Department’s Office of Foreign Assets Control list of Specially Designated Nationals and Blocked Persons (OFAC SDN), or connected to them, will have their collaborations “subject to restrictions,” and “cannot be in the MAINTAINERS file.” “Sufficient documentation” would mean evidence that someone does not work for an OFAC SDN entity, Bottomley wrote.
    • There followed a number of messages questioning the legitimacy, suddenness, potentially US-forced, and non-reviewed nature of the commit, along with broader questions about the separation of open source code from international politics. Linux creator Linus Torvalds entered the thread with, “Ok, lots of Russian trolls out and about.” He wrote: “It’s entirely clear why the change was done” and noted that “Russian troll factories” will not revert it and that “the ‘various compliance requirements’ are not just a US thing.
    • “As to sending me a revert patch – please use whatever mush you call brains. I’m Finnish. Did you think I’d be *supporting* Russian aggression? Apparently it’s not just lack of real news, it’s lack of history knowledge too,” Torvalds wrote before signing off. Torvalds later wrote that he would not go into the details that kernel maintainers “were told by lawyers,” and would not “start discussing legal issues with random internet people,” which he suspected “are paid actors and/or have been riled up by them.”
    • The majority of those dropped from the maintainers file work on drivers for hardware from Acer, Cirrus, and, notably, Baikal, a fabless chipmaker that tried to develop Russian-designed ARM CPUs and declared bankruptcy in 2023. One of the removed Russian developers, Serge Semin, whose GitHub profile indicates having worked for the sanctioned Russian tech firm Baikal, wrote an extensive goodbye note to the kernel list, describing himself as a “volunteer and hobbyist.
    • “Sanctions against Russia and its businesses have come up against Linux kernel maintenance before. Last year, as reported by the Phronix blog, networking patches submitted by developers associated with Baikal were refused by one subsystem maintainer, but other Baikal-sourced patches were accepted upstream elsewhere in the kernel. US sanctions on Russian tech firms have had a drastic effect on the Russian economy overall.
    • For now, prior contributions from those Russian coders removed from the maintainers list remain in the kernel. Ars reached out to the Linux Foundation for comment and will update this post with its response.

— Play Security Transition Bumper —

Security and Privacy

10 minutes

  • Bitwarden Open Source Concerns – Eric
    • from Phoronix
    • Several Phoronix readers have written in this Sunday over concerns of Bitwarden further moving away from open-source. Bitwarden is a password management service that leverages an encrypted vault and supports multiple clients/platforms. Bitwarden operates on a freemium model and has provided some code as open-source while there are new concerns over Bitwarden further pivoting away from open-source.
    • In particular, following a recent pull request to the Bitwarden client that introduces a “bitwarden/sdk-internal” dependency to build the desktop client, there is the following clause on the license statement:
    • “You may not use this SDK to develop applications for use with software other than Bitwarden (including non-compatible implementations of Bitwarden) or to develop another SDK.”
    • The issue of this effectively not making the Bitwarden client free software was raised in this GitHub issue. Other users have chimed in being concerned over this change and the SDK not being legally permitted for use outside of Bitwarden proper.
    • Bitwarden founder and CTO Kyle Spearrin has commented on the ticket this morning:
      • Thanks for sharing your concerns here. We have been progressing use of our SDK in more use cases for our clients. However, our goal is to make sure that the SDK is used in a way that maintains GPL compatibility.
        • 1. the SDK and the client are two separate programs
        • 2. code for each program is in separate repositories
        • 3. the fact that the two programs communicate using standard protocols does not mean they are one program for purposes of GPLv3
      • Being able to build the app as you are trying to do here is an issue we plan to resolve and is merely a bug.
    • The ticket was subsequently locked and limited to collaborators. We’ll see what comes ahead for Bitwarden and open-source.
    • Update: Bitwarden posted to X this evening to reaffirm that it’s a “packaging bug” and that “Bitwarden remains committed to the open source licensing model.”
  • Fortigate Admins Report Active Zero-Day Exploit – Joe
    • from Ars Technica
    • Fortinet, a maker of network security software, has kept a critical vulnerability under wraps for more than a week amid reports that attackers are using it to execute malicious code on servers used by sensitive customer organizations.
    • Fortinet representatives didn’t respond to emailed questions and have yet to release any sort of public advisory detailing the vulnerability or the specific software that’s affected. The lack of transparency is consistent with previous zero-days that have been exploited against Fortinet customers. With no authoritative source for information, customers, reporters, and others have few other avenues for information other than social media posts where the attacks are being discussed.
    • RCE stands for remote code execution
    • According to one Reddit post, the vulnerability affects FortiManager, a software tool for managing all traffic and devices on an organization’s network. Specific versions vulnerable, the post said, include FortiManager versions:
      • 7.6.0 and below
      • 7.4.4 and below
      • 7.2.7 and below
      • 6.4.14 and below
    • Users of these versions can protect themselves by installing versions 7.6.1 or above, 7.4.5 or above, 7.2.8 or above, 7.0.13 or above, or 6.4.15 or above. There are reports that the cloud-based FortiManager Cloud is vulnerable as well.
    • Some administrators of FortiGate-powered networks report receiving emails from the company notifying them of the available updates and advice to install them. Others say they received no such emails. Fortigate hasn’t published any sort of public advisory or a CVE designation for security practitioners to track the zero-day.
    • The vulnerability has been discussed since at least October 13. According to independent researcher Kevin Beaumont, the security bug stems from a default FortiManager setting that allows devices with unknown or unauthorized serial numbers to register themselves into an organization’s FortiManager dashboard. Precise details still aren’t clear, but a now-deleted comment on Reddit indicated that the zero-day allows attackers to “steal a Fortigate certificate from any Fortigate, register to your FortiManager and gain access to it.”
    • Citing the Reddit comment, Beaumont took to Mastodon to explain: “People are quite openly posting what is happening on Reddit now, threat actors are registering rogue FortiGates into FortiManager with hostnames like ‘localhost’ and using them to get RCE.”
    • Beaumont wasn’t immediately available to elaborate. In the same thread, another user said that based on the brief description, it appears attackers are somehow stealing digital certificates authenticating a device to a customer network, loading it onto a FortiGate device they own, and then registering the device into the customer network.
    • The person continued:
      • From there, they can configure their way into your network or possibly take other admin actions (eg. possibly sync configs from trustworthy managed devices to their own?) It’s not super clear from these threads. The mitigation to prevent unknown serial numbers suggests that a speedbump to fast onboarding prevents even a cert-bearing(?) device from being included into the fortimanager.
    • Beaumont went on to say that based on evidence he’s seen, China-state hackers have “been hopping into internal networks using this one since earlier in the year, looks like.”
    • After this post went live on Ars, Beaumont published a post that said the vulnerability likely resides in the FortiGate to FortiManager protocol. FGFM is the language that allows Fortigate firewall devices to communicate with the manager over port 541. As Beaumont pointed out, the Shodan search engine shows more than 60,000 such connections exposed to the Internet.
    • Beaumont wrote:
      • There’s one requirement for an attacker: you need a valid certificate to connect. However, you can just take a certificate from a FortiGate box
      • Once re gistered, there’s a vulnerability which allows remote code execution on the FortiManager itself via the rogue FortiGate connection.
      • From the FortiManager, you can then manage the legit downstream FortiGate firewalls, view config files, take credentials and alter configurations. Because MSPs — Managed Service Providers — often use FortiManager, you can use this to enter internal networks downstream.
      • Because of the way FGFM is designed — NAT traversal situations — it also means if you gain access to a managed FortiGate firewall you then can traverse up to the managing FortiManager device… and then back down to other firewalls and networks.
    • To make matters harder for FortiGate customers and defenders, the company’s support portal was returning connection errors at the time this post went live on Ars that prevented people from accessing the site.
    • FortiGate has a history of silently patching critical security vulnerabilities and disclosing them only after they’re widely exploited. Company representatives have repeatedly opted not to answer Ars’ questions about its policy for disclosing security vulnerabilities, particularly those being exploited by nation-state hackers.
    • FortiGate’s opaqueness in responding to the zero-day comes as Carl Windsor, the company’s chief information security officer, published a post in May affirming what he said was a commitment to “being a role model in ethical and responsible product development and vulnerability disclosure.” He added: “We have a longstanding commitment to responsible radical transparency, which includes proactively upholding the highest standards for responsible disclosure practices, which align with international and industry best practices.”
    • Earlier this month, Fortinet researchers dropped a 4,000-word analysis of zero-days in the products of rival Ivanti that were under exploitation by nation-state actors.
    • With no public advisory from Fortinet, the world at large lacks the same kind of important safety information, including the indicators of compromise, how widely exploited the vulnerability is, and what types of malicious activity occur inside infected networks.

— Play Wanderings Transition Bumper —

Bi-Weekly Wanderings

30 minutes (~5-8 mins each)

  • Joe
    • The 4020 fan on my 3D printer used for cooling the hotend started making a nonstop atrocious noise. I guess it’s not that surprising since I have had it hooked up for a year or two now. It was never all that quiet to start with but I am pretty sure one of the bearings went out. I have 3 more from the same lot that I purchased but I also had a 4010 Noctua that I had purchased just for this reason.
    • I modded the connector from the 2 pin to the barrel connector that I use for quick connections on the 3D printer, removed the old one and put on the new one. It is so much quieter. I don’t think that I even realized how much noise was coming from that one fan. Some of my other fans still make some noise but it is a vast improvement. You can hardly even tell when the thing is printing any more.
    • Now the price for the Noctuas is considerably more than for the other sets of supposedly quiet fans but I might still get some more when I can. One more 4010 for the part cooler and a couple of 80mm case fans for the DAS that I built which is currently the loudest device in my garage.
    • I may also redo the quick connectors on the 3D printer and move from the barrel connectors to some 2-pin JST connectors to save some space. I also need to shorten the Capricorn tubing since it was bumping up against the sides of the printer and was slightly impacting the quality of the prints.
    • I found that out when I was diagnosing why I was having leveling and variable height issues on what should have been some simple prints. Granted this was not the only issue and not even the first one that I found. It took a lot of close watching but I realized that the hot end was moving forward and back a lot.
    • Previously the hotend was shifting left and right which is why I did not find the issue right away since it was along an access that I was not expecting. But it turned out to the same issue that I was fighting before where the mounting screws were not holding it into place as it should. So I took apart the hot end and I am not sure if the mount is stripped or the bolts are slightly stripped.
    • Either way I had previously purchased a new back plate and was going to replace the old one but I could not find the new one. So I ended up finding some bolts that were a few mm longer and using those instead and that seems to have helped. I think that the PTFE tubing that was rubbing the gantry was causing enough motion on the hotend that it was slowly ruining the mounts. So as a short term solution I use a couple of rubber bands to guide the tubing and wires in another direction. I will shorten the tubing and have it not long enough to cause the issue next time I need to unload the filament. That would also be a good time to swap out the connectors which should make the whole assembly lighter and easier to move out of the way. This should help prevent wear and tear.
    • All of this so I can print an oogie boogie candy bowl for the wife. Anyways this was a large print and it has also pointed out another issue to me that I have not yet fixed. I don’t know if it is an issue with my 3D printer or with my slicer but the large base of the print showed me that my prints are not centered on the base and are way off to one side. Causing large prints to fail because one side just prints a straight line but it cant move any further. I had to reduce the print to 80 percent to get it to print. I will have to a lot more research before I can put in a proper fix for that.
    • Ended up printing it at 80 percent size which bypassed the centering issue. It was still a long print and I can see some of the corrections that I need to make in order to improve my prints again. First I do think the part cooling fan will need to be replaced and then I can check bridging and sloped walls again to see how prints come out. I used to have to set the cooling speed to 50 percent in order to get layers to stick together and now it is at 100 and I am having trouble with walls even with print temps turned down
    • I did get Moss’s computer fixed with the new mobo. But the new mobo has a really old bios on it that needs updating. I have to wait for payday to send it back to Moss anyway so I will be giving that a try. The process should not be too hard. I will have to use a USB stick to make a live disk to install the BIOS since I don’t have hard drives floating around with Windows on them.
  • Moss
    • I didn’t do a lot this time around. I got to work one day. Kept the kids mostly quiet.
    • I finally got off my tail and applied to return to college. I have been accepted for the Spring 2025 semester at Eastern Tennessee State University, so I am now legally a Buccaneer. Wonder if I can get that price for new piercings? They waive tuition for older folks, although I’m still trying to find out what fees I will have to pay. If I can complete my degree and get teaching credentials, my daily pay at the school district will rise by about $30. I still don’t know whether I can finish, and for that matter I’m still wondering whether the results of the election which is upon us in the US will even allow me to get started. Keep your fingers crossed.
    • I did just receive a new wireless keyboard. The old Logitech K600r was just too cheaply made, I had worn off the ridge on the On/Off switch and keys kept popping off. So I went to Amazon and tried to find a better-made one. I found a Rii K22 Model SZ1 (although the box says Rii RT721). There were some negative ratings on it, some people thought the keys were wonky, but it is mostly metal with the top of the keyboard and keys being plastic, with a HUGE trackpad. I use this keyboard with my M700 Tiny TV machine, and so far it’s working great. (The reviews were mixed, with many of them stating it was as great as it looks; hope that will be my experience.) It was even cheaper than the Logitech, and is rechargable USB-C in addition to 2.4 GHz wifi and Bluetooth. If it works as well as it looks and feels, this will be a huge upgrade from the Logitech.
    • My wife and I have made the decision to move the Bezos and Walton clans out of our budget. (No other billionaire families have a current impact on our budget, to the best of our knowledge.) It may be more difficult, and it might cost a bit more money, but day after day it gets proven to our satisfaction that billionaires do not support us, so we should end our support of them. Amazon will not be a budget item for us after January 1. I wonder how long we can stick to our lack of guns on this issue? Stay tuned.
  • Eric
    • I continue to use the COSMIC Alpha release on my Dell Latitude tablet PC. COSMIC Alpha 2 was released at the end of September.
      • COSMIC’s Alpha 2 release builds upon that work with functionality built out for Files, additional Settings pages, considerable infrastructure work for screen reader support+, and some highly requested window management features.
      • Even with focused development and regular releases, it seems like it will take quite a while at this pace to hit Beta, let alone a GA release. That said, this is the right way to do it and I’m enjoying seeing the progress. It’s impressive that it’s as usable as it is, which speaks to having a solid base.
      • The team included a statements that there will be monthly releases, although there hasn’t been one yet for October so I have to assume that the goal is monthly releases but that it will be opportunistic with releases coming when it makes sense to do so rather than an arbitrary date-based cycle.
    • PineTime
      • I may have mentioned it here but, in case not, my honeymoon with the PineTime is over and we are breaking up. I suppose the more accurate way of putting it is that the PineTime is breaking up with me. It decided to stop working properly, with the display glitching and the accelerometer ceasing to function.
      • Between Moss and myself, I hesitate to recommend this product, even if it is relatively inexpensive. I actually feel a bit guilty for having done so already and I hope that I haven’t influenced anyone to purchase one who then had a problem with it.
      • The PineTime starts to look like much less of a bargain when you look at what else is available. With shipping from China, I spent $39 on the PineTime. There are comparable products which aren’t running either Google’s Wear OS or Apple’s watchOS, offer the same impressive battery life and all of the features of a PineTime along with a plethora of additional features, including an actual companion app for your smartphone. For example, the brand ‘nothing’ has a subsidiary called CMF which makes the Watch Pro 2. It is $69 and provides ten times the functionality, and still coming in at a reasonably affordable price.
      • I don’t think my experiment with the PineTime was a total loss because I did prove to myself that a smartwatch adds value to my life in several key ways, namely notifications on my wrist and health tracking. I also learned a lot about what I don’t like or find little value in, namely that a smartwatch without a solid companion app is much less useful than it otherwise can be. I wish I hadn’t needed to spend $39 to do it but that seems like a much better option than having went all in on a top-tier watch for hundreds of dollars only to realize it wasn’t worth it.
      • I am currently reviewing options for my next smartwatch.
    • Death of distro hopping as a lifestyle
      • It’s been a long time coming but I think I many have officially lost interest in distro hopping. Perhaps it speaks to the homogenization of Linux distributions as well as things like universal package formats like Flatpak and tools like Distrobox.
      • At this point, it seems like all that matters is a base that’s compatible with your hardware, your preferred desktop, with or without additional theming and customization, and access to software via something like Flathub.
      • The idea of setting up a new distro… reinstalling everything, configuring things like SSH and the like just seem like a pointless waste of time. Me 15 years ago would be offended and accuse my current self of being boring and lazy to which I could only agree. Take that, younger me!
    • On a personal note, I evacuated for Hurricane Milton and, even though it was an opportunity to spend some time with my family in a nice place in Georgia, I am now thoroughly tired of the 2024 storm season and it can’t end soon enough.

— Play Innards Transition Bumper —

Linux Innards

30 minutes (~5-8 minutes each)

  • Digital Hygiene
  • Distrohopping still? Why? Why not?

— Play Vibrations Transition Bumper —

Vibrations from the Ether

20 minutes (~5 minutes each)

  • Dale M
    • Hey guys,
    • First I want to mention Xfce. Yes, Xfce does look like it is from the 1990s. However, it is a familiar interface that many people can use. Even without changing anything.
    • One feature that isn’t mentioned enough about Xfce is the infinite customizations it can do. Xfce can be made to look like any operating systems desktop or anything you can think of doing.
    • I believe it is a better choice compared to KDE Plasma. At least when it comes to customizing. In addition to its built in functionality. You can also edit the GTK settings because they use them for theming. Not being based on GTK is another benefit. They are not controlled by GNOME’s decisions.
    • Now on to Majid’s Plex issue.
    • I experienced this once before. I had forgotten to sign out of my Plex server when I reinstalled my server. Plex showed my server in my account but it wasn’t authorized. Using their website to claim it kept showing a blank page after clicking the link.
    • I searched for a solution and found this one. It allows you submit the Plex token manually. In step one, you copy the claim code and paste it on step 2. Step 2 is all on one line.
      • 1. Grab a claim code from Plex (works on any browser, requires you to login to your Plex account): https://www.plex.tv/claim/ (you have four minutes before the code expires and you will need to refresh the page to grab an active one).
      • 2. Substituting your claim token for {YOUR_CLAIM_TOKEN}, enter the following command: curl -X POST “http://127.0.0.1:32400/myplex/claim?token={YOUR_CLAIM_TOKEN}” .
        • a. If you get an error here, your Remote Access port is probably something other than 32400. I’d try asking your host to see if they can provide it (mine did).
      • 3. Wait 30 seconds or so for the request to complete, and you should see XML (with ‘authToken’ and ‘username’ values near the top) pop up.
      • 4. Your server should now be registered and accessible via app.plex.tv .
    • I know many suggest using Jellyfin. In my opinion, it is missing features that Plex had for several years. I’m also pragmatic. I’ve been using Plex for 14 years and been a Plex Pass member since 2016. It works for me.
    • Majid’s Audi tire pressure issue.
    • My 2017 Audi A4 Quattro doesn’t use TPMS sensors. It uses a different system that doesn’t require replacing the TPMS modules.
    • What I do is measure all the tires and make sure they have the same pressure. Then I go into the vehicle settings via the screen on the dash between the passenger seats.
    • Select “Vehicle” > “Service & checks” > “Tire pressure monitoring”.
    • I select store settings and confirm the tires are matching.
    • There might be differences between the US and the UK models. So he might have TPMS modules. They could have low batteries or failed otherwise. In either case, they would need replaced. The batteries are not individually able to be replaced and why should they? It just means we get to pay more money. <Sarcasm>
    • In closing I wanted to wish Bill continued success with his health improvements. In our industry, it is not easy to eat healthy. The trend of some truck stops is to offer fast food or high sodium prepackaged sandwiches. Though some are starting to offer prepackaged fruit. Which have been good options for snack food.
    • Thanks to everyone for taking the time support and host the podcast.
    • Regards,
    • Dale

— Play Check This Transition Bumper —

Check This Out

10 minutes

  • Gear Leverhttps://github.com/mijorus/gearlever
    • Integrate AppImages into your app menu with just one click
    • Drag and drop files directly from your file manager
    • Keep all the AppImages organized in a custom folder
    • Open new AppImages directly with Gear lever
    • Manage updates: keep older versions installed or replace them with the latest release
    • Save CLI apps with their executable name automatically
    • Modern and Fresh UI

Housekeeping & Announcements

  • Thank you for listening to this episode of mintCast!
  • If you see something that you’d like to hear about, tell us!

Send us email at [email protected]

Join us live on Youtube

Post at the mintCast subreddit

Chat with us on Telegram and Discord,

Or post directly at https://mintcast.org

Wrap-up

Before we leave, we want to make sure to acknowledge some of the people who make mintCast possible:

  • Bill for our audio editing
  • Archive.org for hosting our audio files
  • Hobstar for our logo, initrd for the animated Discord logo
  • Londoner for our time syncs and various other contributions
  • Bill Houser for hosting the server which runs our website, website maintenance, and the NextCloud server on which we host our show notes and raw audio
  • The Linux Mint development team for the fine distro we love to talk about <Thanks, Clem … and co!>

— Play Closing Music and Standard Outro —

Linux Mint

The distribution that spawned a podcast. Support us by supporting them. Donate here.

Archive.org

We currently host our podcast at archive.org. Support us by supporting them. Donate here.

Audacity

They’ve made post-production of our podcast possible. Support us by supporting them. Contribute here.

mintCast on the Web

This work is licensed under CC BY-SA 4.0

This Website Is Hosted On:

Thank You for Visiting