Bonum Certa Men Certa

Links 19/12/2021: Lots of FUD and Scares



  • GNU/Linux

    • Server

      • 10 popular Open-Source Tools to Secure Your Linux Server in 2022

        Since I started learning about computers I have heard many experienced users saying Linux is impenetrable, Linux offers the best security, and such. It is partly true that Linux offers various security measures which mitigate attacks and stop hackers from breaching your system network. But you should also understand that just by deploying Linux on your server or PC you are not done yet, you have to configure all the necessary tools and apps. As the security features are not enabled by default, and if you are scared of network breaches and security leaks, then this should be the first thing you should be doing after installing the Linux OS.

        Remember your security system always depends on the tools you use, it’s the tools’ features that sniff out any malware in the system, prevent security breaches from happening, and find out vulnerabilities to deploy countermeasures. In short, the cybersecurity for a network or terminal is based on the tools, not on the default security measures of the OS.

        In this article, I am going to discuss the top 10 tools to look at to ensure the safety of your Linux data server and local PCs. The best part is all the tools & apps listed below are 100% free and open-source. To use these tools you just need to be an enthusiast Linux user. However, if you are new to Linux even then also you can set up and configure these tools easily.

    • Applications

      • Blender 3.0: The Most Important Changes

        After over 21 years of 2.x, Blender 3.0 is finally here! Here's what we think stands out among this new version's great changes, and plans for the future.

      • Open source advent calendar: The wiki software MediaWiki - Market Research Telecast

        This is an advent calendar for techies. In the fully commercialized digital world, almost everything belongs to a large Internet corporation. Their software is neither open nor free. As an alternative, there is this small island of the open source world: software whose code is publicly visible and can be independently checked for possible security gaps and backdoors. Software that can be freely used, distributed and improved. Often the drive for work is simply the joy of providing something useful to society.

      • Fans of original gangster editors, look away now: It's Tilde, a text editor that doesn't work like it's 1976

        One type of software where the world of Unix-like OSes has a positive embarrassment of riches is text editors. The problem is that too many of them are weird arcane things from the 1970s, with phenomenal cosmic power, but itty-bitty user interfaces. Sad to say, but even supporting WordStar (1978) keystrokes counts as modern and friendly in this world.

        Of course, hardcore Linux types don't see this as a problem. It's worth learning some Byzantine editor because it gives you a big advantage editing code. It has even become a badge of pride to be proficient in some of the really complicated ones. But what if you don't edit code and don't need syntax highlighting and all that jazz? What if you just need to occasionally tweak a config file?

        [...]

        It's significantly harder to install than Tilde, and it only does a little to tame the beast that is Richard Stallman's personal project. Unfortunately, although its developers occasionally discuss how to modernise the "thermonuclear word processor", the changes are too much for the old school to ever consider. Anyway, if you want something decadent like on-screen help, GNU offers Nano.

        So in the meantime, if you want the mountain to come to you, try Tilde. You might be pleasantly surprised. If you install GPM as well, it even supports a mouse. Luxury.

    • Instructionals/Technical

      • How to install the ConfigServer and Security Firewall combo on Ubuntu Server - TechRepublic

        If you'd like a powerful firewall for your Ubuntu Server, but one that offers a fairly straightforward configuration, Jack Wallen thinks CSF might be the right tool for the job.

      • Run HTTPS on Flask Web Server - TREND OCEANS

        Flask normally has an HTTP protocol while launching the web server. Notification libraries and a few others require to meet HTTPS protocol. Some tweaks and tricks can help us to switch to HTTPS.

        HTTP: Standard protocol to transfer data packets over the internet without any encryption. Tools like Wireshark can easily capture your packets.

        HTTPS: Secure version of the HTTP protocol. It encrypts all of the data packets into cipher, which can be only decrypted using a valid private key.

      • How to Upgrade to Pop!_OS 21.10 from 21.04 - LinuxCapable

        Pop!_OS 21.10 has been released and has seen the introduction of GNOME 40, Linux Kernel 5.15. One of the newest features that the Pop!_OS team has introduced is the Refresh Install Option which will keep user accounts and files but reset the system and applications for a mostly refresh start.

        This release has also seen the inclusion of a New Application Library, and a nicer searchable window has replaced the full-screen application menu.

        In the following tutorial, you will learn how to upgrade your existing Pop!_OS 21.04 system to the latest 21.10 release.

      • How to Install MySQL 8.0 on CentOS 8 Stream - LinuxCapable

        MySQL is a relational database management system based on SQL (Structured Query Language). It is one of the most widely used database software for several well-known applications that utilize it. MySQL is used for data warehousing, e-commerce, and logging applications, but its most used feature is a web database storage and management.

        CentOS 8 Stream comes with MySQL in its AppStream. However, as many know, it is not the latest release. In the following tutorial, you will learn how to install MySQL 8.0 using the AppStream or the latest Community version RPM from MySQL repositories on CentOS 8 Stream.

      • How to Install Brave Browser on CentOS 8 Stream - LinuxCapable

        Brave is a free and open-source web browser developed by Brave Software, Inc. based on the Chromium web browser. Brave is a privacy-focused Internet web browser, which distinguishes itself from other browsers by automatically blocking online advertisements and website trackers in its default settings.

        Brave has claimed its browser puts less strain on your computer’s performance than Google Chrome. Even with multiple tabs open at once, Brave uses less memory than Google Chrome-like, up to 66% less.

        In the following tutorial, you will learn how to install Brave Browser on CentOS 8 Stream.

      • Looking at Linux disk usage with the ncdu command

        The ncdu command provides a useful and convenient way to view disk usage. The name stands for "NCurses disk usage". This means that it's based on ncurses which, like curses, is a terminal control library used on Unix/Linux systems. The curses part of each name is a pun on "cursor" or "cursor optimization" and is unrelated to the use of foul language.

        You can think of ncdu as a disk usage analyzer with an ncurses interface. It can be especially useful when looking for disk-space hogs on a remote server for which you don't have access to a graphical interface.

      • How to install Qubes OS as a virtual machine

        Qubes OS defines itself modestly as "a reasonably secure operating system." It might actually be one of the safest operating systems, often used by pros who are most concerned with computer security.

      • How to Install and Use LightZone, the Underdog Raw Digital Darkroom

        Darktable, RawTherapee, digiKam are undeniably powerful applications for processing RAW files. But while they offer a plethora of advanced editing and processing tools, using them to get the result you want requires and patience and some effort. But who has time for that?

      • How To Install BalenaEtcher on Debian 11 - idroot

        In this tutorial, we will show you how to install BalenaEtcher on Debian 11. For those of you who didn’t know, balenaEtcher is a free and open-source flashing utility tool famous for writing image files such as .iso and .img files and zipped folders onto storage media to create live SD cards and USB flash drives. It is available to run for all mainstream OS such as Linux, Windows, and macOS.

        This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo‘ to the commands to get root privileges. I will show you through the step-by-step installation of the BalenaEtcher on a Debian 11 (Bullseye).

    • Desktop Environments/WMs

      • Getting Nostalgic With Common Desktop Environment on a Modern Linux Distro

        CDE was once considered the de-facto standard windowing environment on UNIX systems. Seeing it resurrected as open-source projects was a pleasure and I was able to enjoy reliving a little bit of my early years in UNIX.

        XFCE was an open-source fork of CDE in 1996. It looks, or acts, nothing like CDE today, but it, and other similar projects laid the groundwork for the systems we have today. That’s a good thing.

    • Distributions

      • Debian Family

        • New User Guide for 2022 in The MagPi magazine issue #113

          There’s a brand new version of Raspberry Pi OS, based upon Debian ‘bullseye’. The interface has a fresh look (if your Raspberry Pi has 2GB of RAM or more). The new video driver and updated version of Chromium make video playback better than ever. And Raspberry Pi 4 and Raspberry Pi 400 owners can look forward to a speed boost. There’s a whole bunch of stuff to discover and a few surprises that can trip up regular Raspberry Pi owners. Pick up the new edition to read all about it!

        • You Can Now Install a Legacy Version of the Raspberry Pi OS

          The latest iteration of the official Raspberry Pi OS, based on Debian 11 ‘Bullseye’, adds a lot of new features and improvements. However, some Raspberry Pi users have asked for an option to roll back certain parts of the operating system to restore some functionality required for certain projects.

          Therefore the Raspberry Pi Foundation has made a ‘Legacy’ version of the OS available. Let’s take a look at it and why you might need it.

        • Ben Hutchings: Debian LTS work, November 2021

          In November I was assigned 0.75 hours of work by Freexian's Debian LTS initiative and carried over 15.25 hours from earlier months. I mistakenly worked 20 hours, which we'll try to resolve.

      • Canonical/Ubuntu Family

        • Open source advent calendar: the Ubuntu Linux PC operating system - Market Research Telecast [Ed: Automated translation]

          This is an advent calendar for techies. In the fully commercialized digital world, almost everything belongs to a large Internet corporation. Their software is neither open nor free. As an alternative, there is this small island of the open source world: software whose code is publicly visible and can be independently checked for possible security gaps and backdoors. Software that can be freely used, distributed and improved. Often the drive for work is simply the joy of providing something useful to society.

        • Ubuntu Developers Figuring Out Dual-Boot Changes Ahead Of Ubuntu 22.04 LTS - Phoronix

          Due to changes with the upstream GRUB 2.06 bootloader, Ubuntu developers are figuring out how they are going to be managing dual-boot/multi-boot scenarios moving forward with Ubuntu 22.04 LTS.

          The issue at hand is GRUB 2.06 has disabled os-prober by default as the feature for GRUB to detect other installed operating systems. OS-Prober is disabled by default upstream now due to security issues over it going through and mounting all partitions on the system when checking them for other operating systems and that could be taken advantage of if making use of file-system vulnerabilities.

    • Devices/Embedded

    • Free, Libre, and Open Source Software

      • Web Browsers

        • So-called modern web developers are the culprits

          Google Chrome currently dominates the market share of web browsers. This is a problem because Google, being the advertisement company it is, are planing to implement the deceitful and threatening Manifest V3.

          Some people naively look towards Mozilla Firefox as the "savior" and alternative to the Chrome hegemony. Maybe that's because of the way it previously saved the Internet from the "evil dominance" of Microsoft Explorer. The problem is that Mozilla is extremely mismanaged. In 2018 Mozilla got $435.7 million in revenue from search engines who pay to be the default search option in Firefox in different parts of the world, mainly Google, but also Yandex and Baidu. Still, in 2020 Mozilla cut about 25% (250 people) of its global workforce, blaming the corona virus impact on economies as something that "significantly impacted their revenue". Yet, Mozilla had received more that enough money. In 2018 Mozilla's top executive was paid $2.4 million and his payments has more than doubled the last five years!

          Mozilla is NOT the "trusting" organization it used to be. If Mozilla is going to survive, the management needs to be fired ASAP with no compensation what so ever, products that nobody wants need to be stopped and Mozilla needs to be limited to its core competence, not only so that it can survive on less revenue (perhaps by donations only), but also so focus can be where it needs to be.

          Still, we need to pause here for a second!

          We need to ask ourselves why we are having these problems to begin with? Why do we even need these major browser vendors in the first place?

      • Content Management Systems (CMS)

        • The WordPress file system [Ed: Conflating file structure with file system]

          WordPress is, at its core, a web application, and just like every other web application, it requires and uses a labyrinth of folders and files to work. These files and folders include everything from access controls and WordPress’ core code to the plugins, themes, media you upload, and everything in between.

          Posts and pages are not stored in the file system. These are saved in the SQL database in a table titled wp_posts. Keep this in mind when you’re doing WordPress backups.

      • Education

      • FSF

        • Free Software Foundation Adds a Code of Ethics for Board Members

          The Free Software Foundation (FSF) announced it is implementing a new Board Member Agreement and Code of Ethics that is meant to guide members in their responsibilities, decision-making, and activities. The documents, which FSF says were “designed to help make FSF governance more transparent, accountable, ethical, and responsible,” were created as part of a six-month long consultant-led review.

          In March, FSF founder and GPL author, Richard Stallman, announced that he was returning to the board, after resigning as director of the board and president of the FSF in 2019. His resignation followed a series of controversial remarks on rape, assault, and child sex trafficking, along with two decades of behaviors and statements that many have found to be disturbing and offensive. He was subsequently ousted by GNU project maintainers from his position as head of the project.

          Stallman’s controversial return was supported by the majority of FSF’s board, with the exception of board member Kat Walsh who resigned after voting against his reinstatement. The organization’s executive director, deputy director, and chief technology officer also resigned in protest.

        • GNU Projects

        • Licensing/Legal

      • Programming/Development

        • A Brief Introduction to the C Programming Language

          Coding has become one of the most in-demand skills in the modern world. Different programming languages serve different use cases like web and mobile development, VR engineering, or electronics and firmware. Learning a fundamental programming language like C provides you with a foundation in coding practices and a basic knowledge of the other aspects of software development.

          Ready to start your programming journey with C? Here's what you need to know.

  • Leftovers

    • Opinion | If Our Stories Set Us Apart, We Need to Create New Ones

      According to philosopher - historian Yuval Noah Harari, “Homo sapiens conquered this planet thanks above all to the unique human ability to create and spread fictions. We are the only mammals that can cooperate with numerous strangers because only we can invent fictional stories, spread them around, and convince millions of others to believe in them. As long as everybody believes in the same fictions, we all obey the same laws, and can thereby cooperate effectively.”

    • My 2020s Christmas Gift Pledge

      I do not wish to receive bought gifts. Let's hang out for a bit and do something we both enjoy. If you truly feel an urge to give something tangible, write a poem, make a drawing, bake cookies, print out a picture of us and put it in a (non-plastic) frame.

      Evidently, this isn't always a realistic expectation. So, a few more guidelines: [...]

    • Education

      • Academic Ideologues Are Corrupting STEM. The Silent Liberal Majority Must Fight Back

        I expected to be viciously mobbed, and possibly cancelled, like others before me. Yet the result surprised me. Although some did try to cancel me, I received a flood of encouraging emails from others who share my concern with the process by which radical political doctrines are being injected into STEM pedagogy, and by which objective science is being subjugated to regressive moralization and censorship. The high ratio of positive-to-negative comments (even on Twitter!) gave me hope that the silent liberal majority within STEM may (eventually) prevail over the forces of illiberalism.

    • Hardware

      • Masayuki Uemura, 78, Dies; Designed the First Nintendo Console

        Masayuki Uemura, an engineer who developed the Nintendo Entertainment System, which helped start a global revolution in home gaming and laid the foundation for today’s video game industry, died on Dec. 9. He was 78.

        His death was announced by Ritsumeikan University in Kyoto, Japan, where Mr. Uemura led the Center for Game Studies. No other details were given.

      • USB cable that kills your laptop when removed!

        Available via the crowdsourcing route, BusKill wants to expand the portfolio in the future. The project also plans to release triggers that shut down a computer when the magnetic cable is severed.

      • Kamehameha!! PCB Badge | Hackaday

        PCB Art has surely captivated us over the past few years and we’re ever intrigued with the intricate detail the community puts into their work. We’re no strangers to [Arnov]’s work and he has impressed, yet again, with his Kamehameha PCB badge.

        Unfortunately, no 555 timer was used in the making of this project, but don’t let that turn you away. Instead, we have an ATtiny84 microcontroller for implementing the logic to control the LEDs, a MOSFET-based driver for driving current through the LEDs, and, of course, the LEDs to give the “turtle destruction wave” its devastating glow. Pay really close attention to the detail [Arnov] put into the silkscreen as you can see that’s a pretty crucial part of this build.

      • Be Mesmerized By The Latest Time Twister | Hackaday

        [Hans Andersson] has been creating marvelous twisting timepieces for over a decade, and we’re pleased to be able to share his latest mechanical clock contraption with our readers, the Time Twister 5.

        In contrast to his previous LEGO-based clocks, version five of the Time Twister uses 3D printed segments, undoubtedly providing greater flexibility in terms of aesthetics and function. Each digit is a mechanical display, five layers vertical and three segments horizontal, with a total of three unique faces. Each layer of each display can be individually rotated by a servo, and this arrangement allows for displaying any number between zero and nine. The whole show is controlled by an Arduino MEGA and a DS3231 real-time clock.

    • Health/Nutrition/Agriculture

      • Opinion | The Dangerous Myth That 'Natural Immunity' Is Superior to Covid Vaccination

        One particularly pernicious myth going around in the US is the notion that "natural immunity," gained from contracting Covid-19, the disease caused by the virus SARS-CoV-2, is preferable to getting vaccinated. One prominent politician, Sen. Rand Paul (R.–Ky.), has declared that he refuses to get vaccinated, because of his belief that he has "natural immunity" since he's "already had the disease" (Slate, 5/23/21).

    • Integrity/Availability

      • Proprietary

        • Vivaldi: Microsoft is Up To Its Old Tricks Again

          Indie web browser maker Vivaldi has publicly lashed out at Microsoft’s user-hostile and potentially illegal behavior with Microsoft Edge.

          “Vivaldi is not afraid of competing on a level playing field,” Vivaldi founder and CEO Jon von Tetzchner wrote this past weekend. “Why is Microsoft?”

          Mr. von Tetzchner is referring, of course, to the terrible revelations of the past few months, during which Microsoft made it dramatically harder for users to switch to their preferred web browser, quietly made it impossible in some cases even when the user figured out how, and then pledged to block efforts to bypass its onerous restrictions.

          Von Tetzchner points out that Microsoft is also discouraging users that try to download Vivaldi. “There’s no need to download a new web browser,” a message at the top of the search results in Edge reads. “Microsoft recommends using Microsoft Edge for a fast, secure, and modern web experience that helps you save time and money.” I pointed out this a few weeks back as well.

        • Real Madrid fume at UEFA 'lie' over Champions League redraw - sources

          UEFA blamed the issue on "a technical problem with the software of an external service provider that instructs the officials as to which teams are eligible to play each other."

        • ONLYOFFICE Supplies a Comprehensive Office Suite and Versatile Collaboration Platform for Asia Pacific
        • ONLYOFFICE Supplies a Comprehensive Office Suite and Versatile Collaboration Platform for Asia Pacific

          ONLYOFFICE Docs by Ascensio System SIA offers a powerful office suite that comprises online editors for text documents, spreadsheets and presentations highly compatible with Microsoft Office and OpenDocument file formats. ONLYOFFICE Docs provides users with multiple editing tools and collaborative features ensuring greater team workflow, and seamless work with complex formatting and objects within your web solution.

        • Pseudo-Open Source

        • Security

          • The [Internet] runs on free open-source software. Who pays to fix it?

            The truth is different: Log4J, which has long been a critical piece of core internet infrastructure, was founded as a volunteer project and is still run largely for free, even though many million- and billion-dollar companies rely on it and profit from it every single day. Yazici and his team are trying to fix it for next to nothing.

            This strange situation is routine in the world of open-source software, programs that allow anyone to inspect, modify, and use their code. It’s a decades-old idea that has become critical to the functioning of the internet. When it goes right, open-source is a collaborative triumph. When it goes wrong, it’s a far-reaching danger.

            “Open-source runs the internet and, by extension, the economy,” says Filippo Valsorda, a developer who works on open-source projects at Google. And yet, he explains, “it is extremely common even for core infrastructure projects to have a small team of maintainers, or even a single maintainer that is not paid to work on that project.”

          • VLC and log4j

            Since its very early days in 1996, VideoLAN software is written in programming languages of the C family (mostly plain C with additions in C++ and Objective-C) with the notable exception of its port to Android, which was started in Java and recently transitioned to Kotlin. VLC does not use the log4j library on any platform and is therefore unaffected by any related security implications.

          • The Log4j security flaw could impact the entire internet. Here's what you should know
          • This security flaw could impact the entire internet. Here's what you should know
          • Software Flaw Sparks Global Race to Patch Bug

            Companies and governments around the world rushed over the weekend to fend off cyberattacks looking to exploit a serious flaw in a widely used piece of Internet software that security experts warn could give hackers sweeping access to networks.

          • Software vulnerability expected to persist, possibly for months

            A flaw in a widely used piece of free internet software is prompting companies to rush to update their systems and prevent cyberattacks, but the technology’s ubiquity means the threat could affect businesses for months, security researchers say.

          • A software flaw exposes major companies' servers
          • Mars helicopter mission (which Apache says is powered byLog4j) overcomes separate network glitch to confirm new flight record

            NASA has revealed that Ingenuity – the experimental helicopter sent to Mars with the Perseverance Rover – has clocked up a whole half-hour of flight in the Red Planet's meanly thin atmosphere.

            The 'copter passed the thirty-minute mark during its 17th flight, on December 5, which sets a new record for the space agency.

            But NASA was unsure of the craft's status because of what the US agency has described as "an unexpected cutoff to the in-flight data stream as the helicopter descended toward the surface at the conclusion of its flight."

          • Minecraft Log4J bug ‘worst computer vulnerability' in years, experts warn

            People with the popular internet game Minecraft on their computers could be at risk of having data stolen or even erased by hackers.

            The bug in software known as Log4J is a risk to any internet-connected device, including phones and tablets and it is rapidly emerging as a major threat, WalesOnline reported.

            Adam Meyers, senior vice president of intelligence at cybersecurity firm Crowdstrike said: “The internet’s on fire right now.

          • Serious Security: OpenSSL fixes “error conflation” bugs – how mixing up mistakes can lead to trouble

            As it happens, the above quote comes from the NSCS’s guide for company boards-of-directors, in a section that warns top management to take steps to avoid burnout in cybersecurity teams.

            But we’ve already needed to write this week about Apple’s latest security updates, which apply to all the company’s products, and include fixes for almost every sort of security risk you can think of.

            [...]

            Apple’s patches don’t deal with Log4Shell, but they do close other holes all the way from kernel compromise (think: spyware implants) to privacy bypasses (think: configuration hacks and data leakage)...

          • US Warns Hundreds of Millions of Devices at Risk Over New Software Vulnerability

            Hundreds of millions of devices around the world could be exposed to a newly revealed software vulnerability, as a senior Biden administration cyber official warned executives from major U.S. industries Monday that they need to take action to address “one of the most serious” flaws she has seen in her career.

            As major tech firms struggle to contain the fallout, U.S. officials held a call with industry executives warning that hackers are actively exploiting the vulnerability.

            For now, cybersecurity analysts told CNN, the pressure is on tech companies to clean up their software code and on big businesses to figure out if they are affected by the flaw. But because the vulnerability is so widespread, and likely present in things like popular apps and websites, consumers could also feel the fallout if those services get hacked.

          • What Is Log4j? The Security Flaw That's Freaking Out the Internet

            Security pros say it’s one of the worst computer vulnerabilities they’ve ever seen. They say state-backed Chinese and Iranian hackers and rogue cryptocurrency miners have already seized on it.

          • Log4j's project sponsorship skyrockets after critical bug exploitation

            Demanding work done for free not sustainable.

            The maintainers of the Java Log4j project had only three sponsors, despite the software being a crucial part of large companies' commercial products and enterprise applications.

            Roger Goers, the intial Log4j coder and member of the Apache Software Foundation now has 58 mostly individual sponsors at the time of publishing.

            Log4j is a popular logging library for Java which, due to insecure handling of directory lookups, allows the remote execution of arbitrary code in its default configuration.

          • Log4j gets a second update as security woes pile up

            Less than a week from the initial disclosure of the high-profile Log4Shell vulnerability, the open source Log4j software has already received a second major update.

            The Apache Software Foundation is now advising organizations running Log4j to update the logging tool to version 2.16.0, rather than last week's 2.15.0 build. Unlike last week's update, which limited functions of the vulnerable JNDI (Java Naming and Directory Interface) component, the 2.16.0 build disables the API entirely.

          • How Apache Raced to Fix a Potentially Disastrous Software Flaw

            At 2:51 p.m. on Nov. 24, members of an open-source software project received an alarming email. The contents threatened to undermine years of programming by a small group of volunteers and unleash massive cyberattacks across the globe.

            “I want to report a security bug,” wrote Chen Zhaojun, an employee on Alibaba Group Holding Ltd.’s cloud-security team, adding “the vulnerability has a major impact.”

            The message went on to describe how a hacker could take advantage of Log4j, a widely used software tool, to achieve what’s known as remote code execution, a hackers’ dream because they can remotely take over a computer.

          • Canadian websites temporarily shut down as world scrambles to mitigate or patch Log4Shell vulnerability

            Federal and provincial departments including the Canada Revenue Agency, Employment and Social Development Canada and the Toronto region transportation system Metrolinx took their websites offline over the weekend to deal with the critical log4j2 Java library vulnerability.

          • EXPLAINER: The security flaw that’s freaked out the internet

            Security pros say it’s one of the worst computer vulnerabilities they’ve ever seen. They say state-backed Chinese and Iranian hackers and rogue cryptocurrency miners have already seized on it.

            The Department of Homeland Security is sounding a dire alarm, ordering federal agencies to urgently eliminate the bug because it’s so easily exploitable — and telling those with public-facing networks to put up firewalls if they can’t be sure. The affected software is small and often undocumented.

          • Log4Shell Exploit, Vulnerability Explained: What to do If You're Hacked

            An urgent warning is being issued about the server-software flaw named "Log4Shell." Experts refer to it as one of the most severe computer-security vulnerabilities ever discovered. Any user exposed to the Log4Shell vulnerability should expect their personal information, credit card number and online identity to be fully exploited.

          • Massive Log4Shell internet security flaw threatens everyone — what you can do

            The very serious server-software flaw named "Log4Shell" that affected many Minecraft players at the end of last week has, as feared, come to affect the entire internet. In terms of potential impact, it's one of the most severe computer-security vulnerabilities the world has ever seen.

            "I cannot overstate the seriousness of this threat," researcher Lotem Finkelstein of Israeli security firm Check Point told ZDNet.

            His firm has seen more than 850,000 attempted attacks on servers since a working exploit for the vulnerability was posted online Thursday (Dec. 9). Antivirus firm ESET said the U.S., U.K., Turkey, Germany and the Netherlands were seeing the most attacks.

          • “Open source” is not broken

            Reading the various hot takes regarding the log4j2 problems has been an exercise in frustration. The fact that the maintainers of this small but important piece of software barely received any donations or other forms of financial support, despite their software being extensively used by some of the largest corporations in the world is not a fault of open source – it’s the fault of garbage corporations only taking, but rarely giving. The issue here is not open source – it’s unchecked capitalism.

            That being said, these maintainers, and other people who contribute to open source projects, know full well it’s most likely not going to make them rich, or even allow them to recoup any investments made. That’s the nature of open source, and it seems like the technology world has become so infested with venture capitalists that even the mere idea of someone working on something not for the money, but for other reasons seems entirely alien to a lot of people, meaning open source must, therefore, be broken.

            Money corrupts anything it touches. I’m insanely grateful for the almost endless number of people contributing to open source projects not because they expect to become rich, but because they enjoy doing it, to show off their skill, for the community of people they love interacting with, for the recognition it sometimes brings, or for the mere secret knowledge that their small project nobody’s ever heard of is a crucial cog in the massive machinery that keeps the technology world spinning.

            Open source isn’t broken. It’s working exactly as intended, and it’s by far the most powerful force in the technology world, and it will outlive any of the corporations so many people bend over backwards to please today.

          • Critical Log4Shell (Apache Log4j) Zero-Day Attack Analysis (CVE-2021-44228)

            An analysis of the Apache Log4j vulnerability and the architecture of zero-day exploits (CVE-2021-44228) from Nozomi Networks Labs.

          • Gumtree users' locations were visible by pressing F12 ● The Register

            UK online used goods bazaar Gumtree exposed its users' home addresses in the source code of its webpages, and then tried to squirm out of a bug bounty after infosec bods alerted it to the flaw.

            British company Pen Test Partners (PTP) spotted the data leakage, which meant anyone could view a Gumtree user's name and location (either postcode or GPS coordinates) by pressing F12 in their web browser.

            In both Firefox and Chrome, F12 opens the "view page source" developer tools screen, showing the code that generates the webpage you see. This meant that anyone could view the precise location of any of the site's 1.7 million monthly sellers.

            PTP claimed it encountered a brick wall of indifference in its first attempts to alert Gumtree to the data breach.

          • Attacking Natural Language Processing Systems With Adversarial Examples - Unite.AI

            The paper is titled Bad Characters: Imperceptible NLP Attacks, and comes from three researchers across three departments at the University of Cambridge and the University of Edinburgh, and a researcher from the University of Toronto.

          • How Building a Solid Foundation Will Help Grow Your Cybersecurity Program

            Cybersecurity is such a broad subject that many times, an organization can become stifled when trying to develop a full cybersecurity program. Some organizations that have already put a cybersecurity program in place can also unpleasantly discover gaps in their efforts, making the entire venture seem moot. One way to effectively get started, as well as to prevent gaps, is to build a good foundation upon which a cybersecurity program can grow and mature.

            I recently had the opportunity to speak with David O’Leary, Sr. Director of Security Solutions for SHI/StrataScale. David’s experience dates back to the inception of network and cybersecurity, so he has a lot of real-world experience that can be drawn from to assist any organization in starting, scaling, and maturing their cybersecurity program. David, can you tell us a bit about your history and where your journey to cybersecurity began?

          • Cryptominers aren't just a headache – they're a big neon sign that Bad Things are on your network

            Cryptominer malware removal is a routine piece of the cybersecurity landscape these days. Yet if criminals are hijacking your compute cycles to mine cryptocurrencies, chances are there's something worse lurking on your network too.

            So warned Sophos threat researcher Sean Gallagher, in a recent interview with The Register as the antivirus organisation launches a report into the Tor2Mine cryptominer.

          • In The Lab: 6-port $3,000 pfSense Box - StorageReview.com

            We listened to our social media audience and went ahead and configured pfSense on the ThinkEdge SE50 to act as a firewall for our network.

          • Privacy/Surveillance

            • The Three Laws of Personal Devices

              The Universal Declaration of Cyborg Rights states that we extend our selves using digital and networked technologies and that this extended self must be protected under human rights law.

            • DNA Explainer: What is Personal Data Protection Bill and its impact on social media

              The Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill, formed in 2019, presented its report in Rajya Sabha on Thursday paving way for the first data protection law in India. The JPC report recommends wide-ranging changes, including widening the scope of the Bill to include non-personal data and pitches for all social media platforms to be declared 'publishers'.

              India has become one of the biggest internet markets worldwide and so there needs to be clear laws on what's permissible and what's not. Congress MP Jairam Ramesh tabled the report in Rajya Sabha which was a result of nearly two years of deliberations.

              The 542-page JPC report is the clause-by-clause examination of the Personal Data Protection Bill of 2019 and contains 81 recommendations for modifications and over 150 drafting corrections and improvements in various clauses of the Bill.

    • Defence/Aggression

      • NY TIMES: US Hid True Toll of Air Wars; Thousands of Dead Civilians, Many of Them Children

        Thousands of previously hidden Pentagon documents show that the US air wars in the Middle East have been marked by "deeply flawed intelligence" and have killed thousands of civilians, many of them children, according to a shocking new report in the New York Times Saturday afternoon.

        The 5-year Times investigation received more than 1,300 reports examining airstrikes in Iraq and Syria from September 2014 to January 2018, more than 5,400 pages in all. None of these records show any findings of wrongdoing on the actions of the US military.

      • Opinion | Threatening War With Iran Won't Save the Nuclear Deal

        Jeremy Scahill of The Intercept has a good piece responding to a letter published today by Michèle Flournoy, Leon Panetta, General David Petraeus, Dennis Ross and a few others, urging Joe Biden to break the nuclear deadlock with Iran by issuing military threats.€ 

      • Jihadists Decapitate Pastor, Force Wife to Carry His Severed Head

        According to military sources, suspected Islamic extremists decapitated a pastor in Cabo Delgado last Wednesday, and forced his wife to carry his head to the police station.

        Zimbabwe Daily reported the pastor’s wife told police that “suspected Islamic State-linked insurgents intercepted the pastor in a field, decapitated him and then handed over his head to his wife and ordered her to inform the authorities”.

      • HRW: 600 women, girls kidnapped by Mozambique jihadists since 2018

        The group force young women and girls to “marry” their fighters “who enslave and sexually abuse them” while some have been sold off to foreign militants for between $600 and $1,800, it said.

      • Quebec Teacher's Removal Reignites Hijab Debate

        The current focus on the issue erupted this month when schoolteacher Fatemeh Anvari was told that wearing her hijab in the classroom ran afoul of Bill 21 and as such she could no longer teach her grade-three students.

        Bill 21 has wide support in Quebec (polls show two thirds of people support it) and Anvari must have known that she was breaking the law when she decided to wear the hijab before her grade-three students.

    • Environment

      • 2021 Arctic Report Card Tells a Human Story of Cascading Climate Disruption
      • Energy

        • BBC Bitcoin mining report used in [cryptocurrency]-scam

          The B2C Mining channel claimed to be part of a company that owned and operated a Bitcoin mine in Russia.

          At the top of the group, pinned to the channel, was my report… only it wasn't quite my report.

          It had been altered, cutting out anything to do with climate change, and suggesting that the mine I had reported on was in fact the channel's.

        • China Censors [Cryptocurrency]-Themed Short Videos Shared Online

          The China Netcasting Services Association (CNSA) has recently published a blacklist of 100 topics that online videos posted on platforms similar to Tiktok should not feature. Among them are the usual suspects like questioning China’s official history, imitating its political leaders, challenging the country’s guiding ideology of “socialism with Chinese characteristics,” and discussing fascism.

        • Shocking: UK electricity tariffs are among world's most expensive

          In a surprise to no bill-payers in the UK, except perhaps those huddling in homes without power for days on end, Blighty has some of the most expensive electricity in the world.

          The findings, from research undertaken by comparison site cable.co.uk, were pulled from six months of looking at 3,883 energy tariffs over 230 countries. The UK, alas, came in at 190th. It also sits at 24 out of 28 states in Western Europe (Germany was more expensive, while France's average – putting the country into 12th position – was cheaper.)

          Dan Howdle, a consumer research analyst at Cable.co.uk, said: "Almost every European nation is cheaper. Most African nations? Cheaper. There are even island nations where energy production is especially difficult that charge less than we are charged in the UK."

          For the UK, the researchers looked at 60 tariffs, which resulted in an average of $0.251 per kWh. As ever, the devil is in the detail. The cheapest kWh came in at $0.129, which is a little less scary.

      • Wildlife/Nature

        • Monarch butterfly numbers are up this year at Mexico’s largest sanctuary

          The black and gold-winged insects migrate thousands of kilometers from Canada and the United States to overwinter in the oyamel fir forests of Michoacán and México state.

          Marino Argueta told the newspaper El Heraldo de México that 130-150 million butterflies have reached El Rosario, located in the municipality of Ocampo.

    • Finance

    • AstroTurf/Lobbying/Politics

      • US Senate Recesses for the Year Without Build Back Better, Voting Rights

        The US Senate adjourned for the year at 4:02am Saturday morning after Democrats failed to reach agreement on their top legislative priorities: the Build Back Better Bill and voting rights legislation.

        But,€ at 1:30am, with one of the last few votes of the year, former Chicago Mayor Rahm Emanuel was confirmed ambassador to Japan

      • Kshama Sawant Emerges Victorious From Disingenuous Recall Attempt
      • Americans Like What’s In The Build Back Better Act. They’re Lukewarm On The Bill Itself.

        There are certain parts of the bill that are very appealing to Americans, though — namely, expanded health care access. In fact, when Morning Consult/Politico asked respondents to select the five most important provisions in the bill, four of the five top issues were health care-related.1 For instance, the House version of the bill adds $150 billion over 10 years in funding for Medicaid home care for seniors and people with disabilities — the largest increase in funding for this program since its creation. According to Morning Consult/Politico, more registered voters said this funding was an important component of the bill than any other — and a whopping 76 percent of registered voters supported it.

        The second biggest priority in the bill per Morning Consult was allowing Medicare to negotiate prescription drug prices, which 71 percent of registered voters supported. In addition, 65 percent supported more funding for affordable housing, and 75 percent supported the expansion of Medicaid to cover hearing services.

    • Misinformation/Disinformation

      • Facebook bans Delhi-based IT firm for [cracking] accounts of government officials, journalists and others

        Hiding under the radar for some time after its activities were exposed last year, BellTroX InfoTech Services targeted advocacy groups and journalists, elected and senior government officials, hedge funds and multiple industries on the six continents, creating ripples among the powers-that-be.

      • Fox News’ Legal Jeopardy Is Real, but Not for the Most Cited Reasons

        The 52-page opinion from Delaware Superior Court Judge Eric Davis certainly deserves attention, but it’s easy to lose sight of just why it’s important. So before getting to the real issues that should prompt Fox News’ leaders to think long and hard, let’s address a couple of widespread misinterpretations about this latest decision.

      • Govt says has taken several steps to curb harmful content on social media

        Minister of Electronics and IT Ashwini Vaishnaw, in a written reply (starred question) in the Rajya Sabha, also stated the ministry has taken note of reports based on a whistleblower's statements about Facebook and its alleged role in circulation of hate speech, fake news and misinformation.

        [...]

        On Friday, Vaishnaw said the government has taken several steps to address the challenges of user harm and hateful information on social media platforms.

        In order to ensure accountability of social media platforms to users and enhanced user safety, the government in February notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 under the IT Act, 2000.

        These rules require that the intermediaries follow certain due diligence as prescribed, he said.

        "MeitY through a program, namely, Information Security Education and Awareness (ISEA), has been creating awareness among users highlighting the importance of following the ethics while using Internet and advising them not to share rumours/fake news.

        "A dedicated website for information security awareness provides all the relevant awareness material," he added.

      • The war over Chinese Wikipedia is a warning for the open internet

        This past July, before he was banned from Wikipedia, Techyan was one of dozens of volunteers preparing to speak at the free-knowledge movement’s annual conference, Wikimania. Born in China’s northeast, Techyan, as he’s known in the Wikipedia community, had been editing Chinese Wikipedia since his early teens. As one of its three dozen elected administrators, he hoped his presentation would put a more positive spin on what, lately, had become Wikipedia’s ugliest battlefield.

        Rather than the edit wars and personal threats that had come to define some of its hot-button political topics like Hong Kong and Taiwan, Techyan planned to talk about how his three-year-old user group, the Wikipedians of Mainland China, or WMC, had thrived. It had done so in spite of government restrictions, and without official acknowledgment from the Wikimedia Foundation, the nonprofit that hosts the site in over 300 languages and hands out millions in grants.

    • Censorship/Free Speech

      • Indonesian Christian Charged for Blasphemy for Offensive Twitter Post

        On December 15, an Indonesian Christan man was charged with blasphemy for posting a comment on Prophet Muhammad comparing him to a Muslim child rapist.

      • Indonesian Christian in blasphemy storm for Twitter 'insult'

        Indonesian police charged a Christian man with blasphemy on Dec. 15 for allegedly insulting Islam by comparing the Prophet Muhammad with an alleged child rapist in a social media post.

        Joseph Suryadi, 39, from Tangerang, a city near Jakarta, is accused of uploading a caricature of the prophet on Twitter and comparing him with an Islamic boarding school owner called Herry Wirawan.

        Wirawan, from Bandung in West Java, is accused of raping 13 girls at his boarding school.

    • Freedom of Information/Freedom of the Press

      • YouTube TV loses ESPN, other Disney networks after failing to reach new deal

        The announcement follows a notice shared with subscribers earlier this week that the channels could vanish from YouTube TV on Friday, December 17th if a deal was not reached between the two companies. Should negotiations have failed, YouTube TV said it would lower its price by $15 a month from its normal price of $65 per month to compensate for the change.

      • A reporter risked her life to show the world Covid in Wuhan. Now she may not survive jail.

        In the early days of the coronavirus pandemic, when the Chinese government was trying to contain the initial outbreak, reporting by citizen journalists like Zhang questioned the scale of the crisis and the government’s response. But they worried their aggressive reporting wouldn’t be tolerated for long in a country where the news media is strictly controlled.

    • Civil Rights/Policing

    • Digital Restrictions (DRM)

      • Ex-Netflix Exec Sentenced to Prison For 30 Months For Taking Bribes

        A federal judge sentenced a former Netflix executive to 30 months in prison Tuesday after he was convicted on several charges of fraud and money laundering back in April.

        A jury convicted Michael Kail, the former Vice President of IT Operations at Netflix, on 28 charges of wire fraud, mail fraud and money laundering. The 52-year-old Los Gatos resident must also forfeit $700,000, pay a $50,000 fine, and serve a three term of supervision upon release from prison.

      • Former Netflix Executive Sentenced To 30 Months For Bribes And Kickbacks From Netflix Vendors

        Michael Kail, the former Vice President of IT Operations at Netflix, was sentenced today to 30 months in federal prison for his convictions for honest services wire, mail fraud, and money laundering, announced Acting United States Attorney Stephanie M. Hinds, Federal Bureau of Investigation Craig D. Fair, and IRS-Criminal Investigation Special Agent in Charge Mark H. Pearson. Kail was also ordered to forfeit $700,000, pay a $50,000 fine, and serve a three term of supervision upon release from prison. The sentence was handed down by the United States District Judge Beth Labson Freeman.

        Kail was indicted April 26, 2018, and charged with nineteen counts of wire fraud, three counts of mail fraud, and seven counts of money laundering, in violation of 18 U.S.C. ۤۤ 1343 (wire fraud), 1341 (mail fraud), 1346 (honest services fraud), and 1957 (money laundering).

        On April 30, 2021, after a three-week trial, a jury returned guilty verdicts on 28 of the 29 counts charged. The jury also made findings to support the forfeiture of property Kail had purchased with the proceeds of his fraud.

      • Federal Judge Gives Ex-Netflix IT Exec 30 Months in Prison for 'Pay-to-Play' Scheme
    • Monopolies

      • Copyrights

        • Dev loses copyright appeal over forensic software after judges rule suite was owned by his employer

          A Briton has lost an appeal bid to claim copyright over software he wrote for his employer while being handsomely paid for doing so – despite saying he wrote parts of it in his spare time.

          Michael Penhallurick had his case thrown out by Court of Appeal judges in London yesterday following his failed attempt to assert copyright over his Virtual Forensic Computing (VFC) suite in the High Court last year.

          The former South Yorkshire police worker had claimed VFC was licensed to MD5 Ltd and the company infringed that licence when it stopped paying him sums of money he described as licensing fees, two years after he left MD5.

        • YouTube TV Loses ABC, ESPN and Other Disney-Owned Channels After Failed Contract Negotiations

          YouTube TV has lost ABC, ESPN and multiple other Disney-owned channels after the two companies failed to reach a contract on Friday evening.

          As a result, YouTube will be decreasing the monthly price of its TV streaming platform from $64.99 to $49.99 due to the loss of 25 channels, which include the FX networks, Freeform, the Disney channels, the National Geographic channels and eight local ABC stations.

        • Widow Ordered to Pay Thousands for Attempting to Sell Husband’s Eric Clapton Bootleg

          A German woman has been ordered to pay nearly $4,000 after attempting to sell an unauthorized Eric Clapton bootleg on eBay, resulting in legal action from the guitarist.

          Gabriele P., 55, inherited the bootleg Eric Clapton – Live USA from her late husband’s estate; he had purchased the CD decades earlier, around 1987. A day after Gabriele P. listed the item on eBay for €9.95 (or $11) in July 2021, she received a takedown notice from the auction site, and then an affidavit from the Clapton camp, claiming that the recording was illegal and made without his consent.

        • Sci-Hub Founder: Academic Publishers Are the Real Threat to Science, Not Sci-Hub

          Elsevier and other academic publishers see 'pirate' site Sci-Hub as a major threat to science and their own multi-billion-dollar industry. Through a lawsuit in India, the companies hope to have the site blocked but Sci-Hub is actively fighting this request in court. According to the site's founder, the publishers are the real threat to the progress of science.

        • Malaysia Passes Bill to Imprison Illegal Streaming Pirates For Up To 20 Years

          Malaysia's House of Representatives has passed amendments to copyright law that will boost the country's deterrent against those who facilitate access to pirate content via illegal streaming. The amendments, which cover both hardware and software, could see offenders imprisoned for up to 20 years.



Recent Techrights' Posts

Links 25/12/2024: Windows TCO Brought to SSH, Terence Eden 'Retires'
Links for the day
Gemini Links 25/12/2024: Reality Bites and Gopher Thanks
Links for the day
Links 25/12/2024: Latest Report Front Microsoft Splinter Group, War Updates
Links for the day
Links 25/12/2024: Hong Kong Attacks Activists During Holidays, Xerox to Buy Lexmark
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, December 24, 2024
IRC logs for Tuesday, December 24, 2024
Gemini Links 25/12/2024: Open Source Social and No Search
Links for the day
Brittany Day Connects Windows Ransomware to "Linux" Using Microsoft LLMs (FUD Galore, Zero Effort, No Accountability)
FUD and misinformation made by Microsoft LLMs again?
Links 24/12/2024: Labour Strikes and TikTok Scrambling to Prop Up Radical Politicians That Would Protect TikTok
Links for the day
Where the Population is Controlled by Skinnerboxes Inside People's Pockets (or Purses)
A very small fraction of mobile users practise or exercise freedom/control over the skinnerbox
[Meme] Coin-Operated Publishers (Gaming the Message, Buying the Narrative)
Advertise (sponsor) to 'play'
Advertisers and Their Covert Impact on Publications' Output (or Writers' Topics of Choice, as Assigned or Approved by Editors)
It cannot be trivially denied that sponsorship in the form of "advertising" impacts where publishers go (or don't go, won't go)
Terrible Year for Microsoft Windows in Cyprus
down from 86% to 72% since January
[Meme] How to Kill Unions (Staff on Shoestring Budget Cannot Afford Lawyers)
What next for the EPO? "Gig economy"?
The EPO's Staff Union (SUEPO) Takes Legal Action to Rectify the Decrease in Wages (Lessening of Purchasing Power)
here is what the union published
Gemini Links 24/12/2024: Deedum Gemini Client Gets Colour Support, Advent of Code 2024
Links for the day
Microsoft Windows Slides to New Lows in Colombia
Now Windows is at an all-time low
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, December 23, 2024
IRC logs for Monday, December 23, 2024
A Strong and Positive Closing for the Year's Last Week
In a lot of ways this year was a good one for Free software
Feels Too Warm for Christmas
Christmas is here, no snow in sight
Links 23/12/2024: 'Negative Time' and US Arms Taiwan Again
Links for the day
Links 23/12/2024: The Book of Uncommon Beings, Squirrels, and Slop Ruining Workplaces
Links for the day
Links 23/12/2024: North Korean Death Toll in Russia at ~1,100, Oligarch Who Illegally Migrated/Stayed (Musk) Shuts Down US Government
Links for the day
The World's 'Richest Country' Chooses GNU/Linux
This has gone on for quite some time
Richard Stallman on Love
Richard Stallman's personal website includes a section that lists three essays on the subject of love
Apple's LLM Slop Told Us Luigi Mangione Had Shot Himself, BetaNews Used LLMs to Talk About a Dead Linus Torvalds
They can blame it on some bot
Microsoft, Give Me LLM Slop About "Linux" and "Santa", I Need Some Fake Article...
BetaNews is basically an LLM slop site
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, December 22, 2024
IRC logs for Sunday, December 22, 2024