
June 2019

Security Leftovers

Filed under
Security
  • Why cybersecurity has an open-source solution

    SHINN: Yeah. So you know, my colleagues in the open source community may have their own sort of different definitions about what they think open source is. But for me, open source has always been about the fact that if there’s something that I wanted to change in the software, I could do it. And that’s really the core. There are lots of other benefits of open source. It might be free, there might be a lot of people working on it, maybe there’s a community. But for me, it always started with the fact that I had a piece of software that I’m using, and I can make enhancements, changes and fixes.

    ABERMAN: True hacker culture.

    SHINN: That’s right. And in cybersecurity, that’s really important. There’s lots of really smart people out there. It’s not possible for any cybersecurity vendor to understand every possible situation in which their product might be used. The people who are going to understand that are the people who are closest to the problem. And it’s great if you can make it possible for them to enhance your software, and hopefully contribute that back to you. All boats rise together. So in the security world, we see some of the more interesting or powerful cybersecurity technologies, like snort, it blew away all of the other network based IDS’s that were out there, all the proprietary ones.

  • The [Microsoft Windows] Worm That Nearly Ate the Internet [iophk: "Windows TCO"]

    Neither theory was correct. While some experts still disagree, most now believe that Conficker was the work of Ukrainian cybercriminals building a platform for global theft who succeeded beyond all expectation, or desire. The last thing a thief wants is to draw attention to himself. Conficker’s unprecedented growth drew the alarmed attention of cybersecurity experts worldwide. It became, simply, too hot to use.

    This explanation was detailed in an article published in December 2015 by The Journal of Sensitive Cyber Research and Engineering, a classified, peer-reviewed publication issued by a federal interagency cybersecurity working group including the Pentagon, Department of Homeland Security and N.S.A. — and distributed to a small number of experts with the appropriate security clearances. The article itself was not classified, but reached only a small readership. I obtained a copy this year.

  • Boeing’s 737 Max Software Outsourced to $9-an-Hour Engineers

    The coders from HCL were typically designing to specifications set by Boeing. Still, “it was controversial because it was far less efficient than Boeing engineers just writing the code,” Rabin said. Frequently, he recalled, “it took many rounds going back and forth because the code was not done correctly.”

  • Hackers Have Been Stealing User Data From Global Cell Networks Since 2012

    We've noted for a long time that the wireless industry is prone to being fairly lax on security and consumer privacy. One example is the recent rabbit hole of a scandal related to the industry's treatment of user location data, which carriers have long sold to a wide array of middlemen without much thought as to how this data could be (and routinely is) abused. Another example is the industry's refusal to address the longstanding flaws in Signaling System 7 (SS7, or Common Channel Signalling System 7 in the US), a series of protocols hackers can exploit to track user location, dodge encryption, and even record private conversations.

    This week, carriers were once again exposed for not being the shining beacons of security they tend to advertise themselves as. A new report emerged this week showcasing how, for years, hackers have been exploiting substandard security at more than 10 global wireless carriers to obtain massive troves of data on specific targets of interest. Researchers at Boston-based Cybereason, who first discovered the operation, say the hackers exploited a vulnerability on an internet-connected web server to gain a foothold into each cell provider's internal network.

  • Here We Go Again: Trump Administration Considers Outlawing Encryption

    It's unclear what the final decision was, but if it was to back such a law, we'll know about it soon enough. There are some sensible folks on this issue -- including some from the intelligence communities who actually understand the security value of encryption. The State and Commerce Departments are both also said to support keeping encryption legal. It's mostly the law enforcement folks who are against encryption: including parts of the DOJ and FBI, ICE and the Secret Service. As if any of those need any more power. Homeland Security (of which ICE is a part) is apparently "internally divided."

    It's been said before, but this is not a debate. There is no debate. There is no "on the one hand, on the other hand." There is no "privacy v. security." This is "no privacy and weakened security v. actual privacy and actual security." There's literally no debate to be had here. If you understand the issues, encryption is essential, and any effort to take away end-to-end encryption is outlawing technology that keeps everyone safe. While Senators Feinstein and Burr released a truly dangerous bill a few years back to outlaw encryption, who knows what sort of nonsense would come out of this and whether or not it could actually get enough support in Congress. Hopefully not.

  • Medtronic recalls some insulin pumps as FDA warns they can be hacked

    Medtronic is recalling some models of insulin pumps that are open to hacks, and the Food and Drug Administration warned consumers on Thursday that they cannot be patched to fix the holes.

    It’s a rare example of a medical device recall over a cybersecurity issue, although security professionals and the FDA have raised numerous concerns over the vulnerability of these devices for years.

    The insulin pumps subject to the recall connect wirelessly to other insulin equipment, including glucose meters, a monitoring system and controls that pump insulin.

    “The FDA is concerned that, due to cybersecurity vulnerabilities identified in the device, someone other than a patient, caregiver or health care provider could potentially connect wirelessly to a nearby MiniMed insulin pump and change the pump’s settings. This could allow a person to over deliver insulin to a patient, leading to low blood sugar ... or to stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis,” the FDA notice says.

  • EU to stage war games to prepare for hybrid threats

    Hybrid threats can be based on a wide variety of strategies, ranging from the spread of fake news to undermining trust and cyberattacks on energy or communication systems. Russia has often been blamed for using such tactics.

  • America’s Monopoly Crisis Hits the Military

    In historical terms, this is a shocking turnaround. Americans invented the telephone business and until recently dominated production and research. But in the last 20 years, every single American producer of key telecommunication equipment sectors is gone. Today, only two European makers—Ericsson and Nokia—are left to compete with Huawei and another Chinese competitor, ZTE.

    This story of lost American leadership and production is not unique. In fact, the destruction of America’s once vibrant military and commercial industrial capacity in many sectors has become the single biggest unacknowledged threat to our national security. Because of public policies focused on finance instead of production, the United States increasingly cannot produce or maintain vital systems upon which our economy, our military, and our allies rely. Huawei is just a particularly prominent example.

  • Felony Contempt of Business Model: Lexmark's Anti-Competitive Legacy

    Lexmark gave its customers the choice of paying extra for their cartridges (by buying refillable cartridges at a $50 premium), or paying extra for their toner (saving $50 on a cartridge whose "lock-out" chip prevented refilling, so that they would have to buy a whole cartridge when the non-refillable one ran dry). Customers, however, had a counteroffer for Lexmark: they wanted to save $50 on a "non-refillable" cartridge and then go ahead and refill it. After all, carbon is relatively abundant throughout the universe, and more locally, Earth has more carbon than it knows what to do with.

    Various competitors of Lexmark stepped up to help its customers with their counteroffer. One such company was Static Control Components, which reverse-engineered Lexmark's lock-out chip and found that its 55-byte program performed a relatively straightforward function that would be easy to duplicate: when a cartridge was newly filled, this chip signaled to the printer that the cartridge had available toner. Once the cartridge ran out, the chip would tell the printer that it had an empty cartridge. Refilling the cartridge did no good because the chip would still tell the printer that there was no toner available.

    After Static Control performed this bit of reverse engineering, it was able to manufacture its own chips, which it sold to remanufacturers, who would pour in fresh carbon, swap out the chip, and sell the cartridges. Lexmark had a strong objection to this. But like every business, Lexmark’s products should be subject to market pressures, including the possibility that customers will make uses (and re-uses) of your product that aren’t exactly what the manufacturer intended. Lexmark was in a position to create its own refilling business to compete with Static Control, of course. But it didn’t want to. Instead, it wanted to trap purchasers into the lucrative two-tier market it had dreamed up.

Programming Leftovers

Filed under
Development
  • Fedora 30 : The Pythonic tool.

    The tutorial for today is about the Pythonic tool.
    Pythonic is a graphical programming tool that makes it easy for users to create Python applications using ready-made function modules.
    This tool provides the consistent features and characteristics of a trading bot with just a few clicks.
    The Pythonic tool is currently available in four languages: English, German, Spanish, and Chinese.
    Basic functions such as a scheduler, if-branches, connectivity, and logging are available out of the box and can be parameterized using a corresponding GUI.
    Each graphical element is functionally processed individually.
    The base idea is: A unique graphical input mask to carry out the

  • Changelog podcast: me, double-dipping

    I had a great conversation with Jerod Santo on the Changelog podcast: The Changelog 351: Maintainer spotlight! Ned Batchelder. We talked about Open edX, and coverage.py, and maintaining open source software.

  • DocKnot 3.00

    This package started as only a documentation generator, but my goal for some time has been to gather together all of the tools and random scripts I use to maintain my web site and free software releases. This release does a bunch of internal restructuring to make it easier to add new commands, and then starts that process by adding a docknot dist command. This performs some (although not all) of the actions I currently use my release script for, and provides a platform for ensuring that the full package test suite is run as part of generating a distribution tarball.

  • Python Data Structures

    This post explains the data structures used in Python. It is essential to understand the data structures in a programming language. In python, there are many data structures available.

  • EuroPython 2019: Social event tickets available

    After the keynotes and talks on Thursday, July 11th, we’ve organized a social event at the workshop venue, the FHNW Muttenz. Starting at 19:00 CEST, you can join us for an evening party with finger food, drinks and music.

  • EuroPython 2019: SIM cards for attendees

    Switzerland is often not included in European cell provider’s roaming packages and also not covered by the EU roaming regulation, so you can potentially incur significant charges when going online with your mobile or notebook.

  • Dependencies between Python Standard Library modules

    Glyph’s post about a “kernel python” from the 13th based on Amber’s presentation at PyCon made me start thinking about how minimal the standard library could really be. Christian had previously started by nibbling around the edges, considering which modules are not frequently used, and could be removed. I started thinking about a more extreme change, of leaving in only enough code to successfully download and install other packages. The ensurepip module seemed like a necessary component for that, so I looked at its dependencies, with an eye to cutting everything else.

  • Weekly Python StackOverflow Report: (clxxxiv) stackoverflow python report

KDE Usability & Productivity: Week 77

Filed under
KDE

We’re up to week 77 in KDE’s Usability & Productivity initiative! This week’s report encompasses the latter half of the Usability & Productivity sprint. Quite a lot of great work got done, and two features I’m particularly excited about are in progress with patches submitted and under review: image annotation support in Spectacle, and customizable sort ordering for wallpaper slideshows.


openSUSE Leap 42.3 Linux OS Reached End of Life, Upgrade to openSUSE Leap 15.1

Filed under
SUSE

Released two years ago, on July 26th, 2017, the openSUSE Leap 42.3 operating system was the third maintenance update to the openSUSE Leap 42 series, which is also the last to be based on the SUSE Linux Enterprise (SLE) 12 operating system series.

openSUSE Leap 42.3 was based on the packages from SUSE Linux Enterprise 12 Service Pack 3 and was powered by the long-term supported Linux 4.4 kernel series. It was initially supposed to be supported until January 2019, but the openSUSE and SUSE projects decided to give users more time to upgrade to the major openSUSE Leap 15 series.


Lubuntu 19.04 Disco Dingo - Casus vitae

Filed under
Reviews
Ubuntu

Lubuntu 19.04 Disco Dingo feels ... raw. Unfinished. Half-baked. It has some perfectly decent functionality, like networking, media and phone support, but then it also comes with rudimentary package management, a jumbled arsenal of programs, a desktop that is too difficult to manage and tame, plus identity crisis. The truly redeeming factors are performance and battery life. This is a promise, and one well kept, and indeed, if there's one reason (or rather two reasons) to sample Lubuntu, there you have it.

I struggled with the overall purpose, though. As impressive as the speed and lightness are, they are only small improvements over what Plasma offers. But then, Plasma is much easier to customize and tweak, it offers a coherent, consistent experience, and it feels modern and relevant. With Lubuntu, I had no connection, and using the distro felt like a chore. I had to fight the weird defaults to try to create an efficient setup, and I wasn't able to achieve that. So I always go back to the question of investment versus benefit. Lubuntu feels too pricey for what it gives. For example, MX Linux delivers wonderfully on my eeePC, and it's quite simple to handle. With Lubuntu, there needs to be more order, more consistency in how it works. At the moment, it's just a collection of ideas mashed together. While perfectly functional, it's not really fun. 6/10. You should test, especially if you have old hardware.


Games Leftovers

Filed under
Gaming
  • Your weekend look at what good stuff is currently on sale

    Another week is behind us, let's take a look at some seriously good deals that are going on right now across different stores.

  • Oaths, coalitions and betrayal — some thoughts on Total War: THREE KINGDOMS

    Total War: THREE KINGDOMS was released in its all-caps glory about a month ago and saw a same-day Linux release thanks to porters Feral Interactive. The action this time around is centered in China during its fractious Three Kingdoms period of history that saw the end of the Han dynasty and warlords and coalitions battle it out for supremacy. More specifically, this Total War title also takes inspiration from the Romance of the Three Kingdoms novel and its larger-than-life heroes and villains. Developer Creative Assembly has put in plenty of time and effort to capture the feeling of both novel and the historical conflict.

  • Supraland 2, a sequel to the highly rated first-person metroidvania is crowdfunding and coming to Linux

    While the original Supraland isn't on Linux (yet), Supraland 2 is coming and it's currently crowdfunding to make a bigger sequel to the very highly rated first-person metroidvania.

    The campaign doesn't really give the best idea of the actual gameplay, as it seems it's largely assuming you already know the first game. It's basically a big play area, full of puzzles, things to combat and this is going to be more of the same with a brand new area and improved combat.
