today's leftovers
-
The 6th monthly Sparky project and donate report of 2022:
– Linux kernel updated up to 5.18.8 & 5.15.51 LTS
– Added to repos: NotepadNext text editor, WineZGUI a Zenity based simple GUI for Wine
– Created a new community on Mastodon
– APTus installs virtualbox-6.1 Oracle deb, instead of Debian Sid debs on Sparky 7 now; it causes fewer problems with dependencies and building vbox module
– Added Sparky Linux kernel LTS to repos (amd64 only)
– Removed Sparky Linux kernel RC from repos
– Removed Sparky Linux kernel 686pae Latest from repos
It means, no more Sparky 686pae in Sparky repos, but, added a new LTS kernel to repos; the Sparky’s Latest and LTS kernels can be installed on amd64 machines only now.
There are 2 reasons to make such changes:
1. The 32 bit architecture is not very popular, so the default Debian kernel is perfect to keep your 32bit machine running; anyway, Xanmod still provides i686 kernel, which can be installed via APTus AppCenter;
2. The LTS kernel (now 5.15) is a good choice if your machine requires a newer kernel than 5.10 but older than 5.18 (via backboard) on Sparky Stable 6; it is also a good choice on the testing line of Sparky 7, if you cannot compile some external modules on the latest kernel (now 5.18)
-
In June I was not assigned additional hours of work by Freexian's Debian LTS initiative, but carried over 16 hours from May and worked all of those hours.
I spent some time triaging security issues for Linux. I tested several security fixes for Linux 4.9 and 4.19 and submitted them for inclusion in the upstream stable branches.
-
Here’s your weekly Fedora report. Read what happened this week and what’s coming up. Your contributions are welcome (see the end of the post)!
-
This paper focuses on one research question: how can Guix and similar systems allow users to securely update their software? Guix source code is distributed using the Git version control system; updating Guix-installed software packages means, first, updating the local copy of the Guix source code. Prior work on secure software updates focuses on systems very different from Guix—systems such as Debian, Fedora, or PyPI where updating consists in fetching metadata about the latest binary artifacts available—and is largely inapplicable in the context of Guix. By contrast, the main threats for Guix are attacks on its source code repository, which could lead users to run inauthentic code or to downgrade their system. Deployment tools that more closely resemble Guix, from Nix to Portage, either lack secure update mechanisms or suffer from shortcomings.
Our main contribution is a model and tool to authenticate new Git revisions. We further show how, building on Git semantics, we build protections against downgrade attacks and related threats. We explain implementation choices. This work was deployed in production two years ago, giving us insight on its actual use at scale every day. The Git checkout authentication at its core is applicable beyond the specific use case of Guix, and we think it could benefit developer teams that use Git.
-
Microsoft SharePoint may be a powerhouse when it comes to project management and collaboration, but the best SharePoint alternatives prove Microsoft is far from the only option. From individuals to large businesses, productivity, collaboration, and project management apps are a must. SharePoint gives you all of this in one convenient platform, but it gets expensive quickly. Free SharePoint alternatives are ideal for saving money without sacrificing features.
-
The new Wi-Fi 6E network enables download speeds of 500-600 megabits per second even in high-density areas. This is up to three to five times faster than the prior network — enough bandwidth for attendees in the largest lecture halls and auditoriums to simultaneously stream high-definition video.
Open Hardware/Modding, Mostly Raspberry Pi
-
When it comes to building a mobile robot, often maneuverability is more important than outright speed. The MasterPi robot demonstrates this well, using fancy wheels to help it slide and skate in any direction needed.
-
Join Editor-in-Chief Elliot Williams and Assignments Editor Kristina Panos as we cuss and discuss all the gnarliest hacks from the past week. We kick off this episode with a gentle reminder that the Odd Inputs and Peculiar Peripherals Contest ends this Monday, July 4th, at 8:30 AM PDT. We’ve seen a ton of cool entries so far, including a new version of [Peter Lyons]’ Squeezebox keyboard that we’re itching to write up for the blog.
-
The eDM-SBC-iMX8Mm is a Single Board Computer (SBC) which comes in a small Pico-ITX form factor and it’s powered by NXP’s i.MX8M Mini System on Chip (SoC). This compact device was designed to run 24/7 to suit applications such as kiosks, digital signage displays, smart home appliances etc.
DATA MODUL has designed this SBC to be coupled with NXP’s i.MX8M Mini Dual Cortex-A53 (up to 1800 MHz) or its Quad-core version. Both CPU models integrate a GCNanoUltra GPU with a 2D/3D accelerator and they include up to 512KB L2 in Cache memory.
-
Removing the GPIO pins around the antenna was tempting because it would free up space: “Antennas like space,” explains Dominic while showing us the trapezoidal-shaped feature. “And getting rid of the bottom GPIO pins would have made it easier to connect the wireless chip,” but it would have been a huge change for current users. “I didn’t want to lose any of the peripheral GPIO pins to the end-user,” says Dominic. People can add Pico W to an existing project without having to change anything and gain instant access to wireless technology.
Programming Leftovers
-
A few days ago, I received an email from someone who appears to be a Perl hacker and asked me a question.
-
In honor of World Give Up GitHub day, here’s a quick guide to how to serve up your own git repos.
-
For each of these changes, we need to dig into version control history to find why they were needed in the first place, verify if they are still needed, and if so potentially rework them to meet upstream coding standards. This requires an understanding of the problem domain to be able to explain the rationale behind the changes while submitting patches and writing relevant commit messages.
While some of those patches are NetBSD specific, we still need to ensure we are not breaking other operating systems. Ultimately, vanilla binutils should be able to produce working binaries on NetBSD without requiring any local patches. Once this goal is reached, we need to ensure it keeps building, investigate test suite failures, and set up buildbots for continuous builds on key architectures.
-
Discussion: This configuration provides a decent all-around compromise between complexity and performance. Torque control is available and velocity control is good outside of ultra-slow regimes. The position is absolutely known to within one rotation of the rotor, across power cycles.
Proprietary Software Leftovers
-
In early 2022, we investigated one such IIS backdoor: SessionManager. In late April 2022, most of the samples we identified were still not flagged as malicious in a popular online file scanning service, and SessionManager was still deployed in over 20 organizations.
SessionManager has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East, starting from at least March 2021. Because of the similar victims, and use of a common OwlProxy variant, we believe the malicious IIS module may have been leveraged by the GELSEMIUM threat actor, as part of espionage operations.
-
This week, Microsoft released an AI-based tool for writing software called GitHub Copilot. As a lawyer and 20+ year participant in the world of open-source software, I agree with those who consider Copilot to be primarily an engine for violating open-source licenses.
-
The campaign comprises at least four pieces of malware, three of them written from scratch by the threat actor. The first piece is the MIPS-based ZuoRAT, which closely resembles the Mirai internet-of-things malware that achieved record-breaking distributed denial-of-service attacks that crippled some Internet services for days. ZuoRAT often gets installed by exploiting unpatched vulnerabilities in SOHO devices.
Once installed, ZuoRAT enumerates the devices connected to the infected router. The threat actor can then use DNS hijacking and HTTP hijacking to cause the connected devices to install other malware. Two of those malware pieces—dubbed CBeacon and GoBeacon—are custom-made, with the first written for Windows in C++ and the latter written in Go for cross-compiling on Linux and macOS devices. For flexibility, ZuoRAT can also infect connected devices with the widely used Cobalt Strike [cracking] tool.