It's Not A VPN-busting Bug, It's A Social Media Enhancer For UNIX Users

Kidding aside, this vulnerability applies to most UNIX based OSes, with most Linux distros, Android, iOS, macOS, FreeBSD, and OpenBSD all affected. The attacker needs to be able to intercept your data, which means they need to already be on the same network span as your machine or by having control of the router or other exit point, but if they do they can use this flaw to determine the exact SEQ and ACK numbers in your encrypted session. That information can be used to successfully inject data, hijack the connection and possibly redirect your VPN session to imposter pages or other places on the web you really don’t want to go to. Not all VPNs are vulnerable, the researches quoted at The Register tested this on OpenVPN, WireGuard, and IKEv2/IPSe.

New GNU/Linux Screencasts and Audiocasts: Ubuntu Cinnamon Remix 19.10, Debian 11 Alpha 1, This Week in Linux and Linux Headlines

• Ubuntu Cinnamon Remix 19.10 | Cinnamon, Ubuntu's new flavor.

  In this video, I am going to show an overview of Ubuntu Cinnamon Remix 19.10 and some of the applications pre-installed.

• Debian 11 Alpha 1 Gnome Run Through

  In this video, we are looking at Debian 11 Alpha 1, the Gnome edition.

• Episode 89 | This Week in Linux

  01:32 = Sponsored by Digital Ocean · [link] 02:30 = elementary OS 5.1 “Hera” Released · [elementary.io] 07:15 = Ubuntu 20.04 LTS Pre-release Survey · [ubuntu.com] 09:36 = Ubuntu Cinnamon – First Release · [Links: ubuntu.com, 13:35 = Tails 4.1 Released · [tails.boum.org] 16:39 = Kali Linux 2019.4 Released · [kali.org] 19:49 = CAINE 11.0 Released · [caine-live.net] 21:13 = DLN + FreeGeek = DLN Charity Drive · link coming soon 23:19 = Firefox 71 Released · [mozilla.org] 25:17 = Timekpr-nExT (Parental Controls) · [launchpad.net/timekpr-next] 29:24 = TWinL Housekeeping 33:21 = KDE Improvements for Plasma 5.18 · [Links: pointieststick.com 36:40 = Lutris 0.5.4 Released · [Links: lutris.net, 39:02 = Humble Choice Replaces Humble Monthly · [tuxdigital.com/go/humble-choice] 41:45 = Indie Hits Sale on Humble Store · [tuxdigital.com/go/humble-indie-hits-sale] 42:13 = Humble Sonic Bundle 2019 · [tuxdigital.com/go/humble-sonic-bundle-2019] 43:27 = Data Science Book Bundle · [tuxdigital.com/go/ 43:56 = Yogscast Jingle Jam · [humblebundle.com] 45:14 = Outro

• 2019-12-09 | Linux Headlines 64

  The Raspberry Pi 4 Ubuntu bugs get sorted out, and Canonical reaffirms its commitment to the platform and all future devices. Plus an approachable way to give back to KDE, and more.

Programming: RcppClassic, LLVM, Rust, Python and Django

• Dirk Eddelbuettel: RcppClassic 0.9.12

  A maintenance release 0.9.12 of the RcppClassic package arrived earlier today on CRAN. This package provides a maintained version of the otherwise deprecated initial Rcpp API which no new projects should use as the normal Rcpp API is so much better. Changes are all internal. Testing is now done via tinytest, vignettes are now pre-built and at the request of CRAN we no longer strip the resulting library. No other changes were made. CRANberries also reports the changes relative to the previous release from July of last year.

• [llvm-dev] [10.0.0 Release] Release schedule

  Hello everyone,
  
  I know 9.0.1 is still in full swing, and 10.0.0 isn't due for some
  time, but I'd like to get the schedule settled well before we start.
  
  Below is my proposed timeline. It's essentially the same as last time.
  
  - 15 January 2020: Create the release branch, Release Candidate 1
  ships soon after
  
  - 5 February 2020: Release Candidate 2
  
  - 26 February 2020: Final (this usually slips a little, but let's try not to).
  
  Please let me know what you think.
  
  Thanks,
  Hans
  

• LLVM / Clang 10.0 Should Be Out In Late February Or Early March

  Google's Hans Wennborg is once again stepping up to manager the next feature release of LLVM and sub-projects like Clang. If all goes well, LLVM 10.0 will be out with Clang 10.0 and friends before the end of February. For the projected release date of 26 February to be realized, Wennborg is aiming to branch the code (and thereby the feature freeze) around 15 January and after that to issue the first release candidate.

• Niko Matsakis: Async Interview #2: cramertj

  For the second async interview, I spoke with Taylor Cramer – or cramertj, as I’ll refer to him. cramertj is a member of the compiler and lang teams and was – until recently – working on Fuchsia at Google. They’ve been a key player in Rust’s Async I/O design and in the discussions around it. They were also responsible for a lot of the implementation work to make async fn a reality.

• More fun with Jinja2 templates

  When last I left this discussion, I was advocating using Python 3 dataclasses to wrap Jinja2 templates. I had another idea and a chance to experiment with it, and I was reasonably happy with the results. Can the dataclass corresponding to the Jinja2 template be used by the test suite to check that all required parameters for a template are present in the dataclass? The answer is mostly yes, although unfortunately there are some substantial caveats because Jinja2 doesn't provide all of the tools that one would like to analyze parsed templates.

• Django Weblog: 2020 DSF Board Election Results

  Our 2020 Django Software Foundation Election results are in. The Top 7 candidates are listed below in order of their ranking: Frank Wiles Anna Makarudze James Bennett William Vincent Kátia Nakamura Aaron Bassett Sayantika Banik

Fedora: rpminspect, Fedora 31 and Fedora 32 Passwords

• rpminspect-0.10 released

  I released rpminspect-0.10 today. There are a lot of bug fixes in this release, but also some new features.

• Fedora 31 : Can be better? part 003.

  Yes! The Fedora distro Linux can be better. One bad problem for most Fedora users is video drivers. I have an old NVIDIA graphic card: NVIDIA Corporation GT218 [GeForce 210] (rev a2).

• Fedora 32 Will Still Allow Empty Passwords By Default

  Last month was a proposal for Fedora 32 to disallow empty passwords for local users by default but at today's Fedora Engineering and Steering Committee (FESCo) they completely shot down that proposal. Fedora has been shipping with the Fedora PAM module parameter that allows for empty/null passwords on local users -- to be clear, root passwords cannot be null and the default OpenSSH server configuration doesn't allow empty passwords either for logging into user accounts. Fedora local accounts can have an empty password for legitimate use-cases like testing environments where security is of little to no importance, throw-away VMs/instances, and some tooling like Fedora Live images relying upon this behavior.

• Quality and Badlisting in Kanidm

  Passwords are still a required part of any IDM system. As much as I wish for Kanidm to only support webauthn and stronger authentication types, at the end of the day devices can be lost, destroyed, some people may not be able to afford them, some clients aren’t compatible with them and more. This means the current state of the art is still multi-factor auth. Something you have and something you know. Despite the presence of the multiple factors, it’s still important to quality check passwords. Microsoft’s Azure security team have written about passwords, and it really drives home the current situation. I would certainly trust these people at Microsoft to know what they are talking about given the scale of what they have to defend daily. The most important take away is that trying to obscure the password from a bruteforce is a pointless exercise because passwords end up in password dumps, they get phished, keylogged, and more. MFA matters! It’s important here to look at the “easily guessed” and “credential stuffing” category. That’s what we really want to defend against with password quality, and MFA protects us against keylogging, phising (only webauthn), and reuse.