today's leftovers

• Running MS OFFICE on Linux - Is it enough to justify paying for Wine?

• FOSS Projects Live Off Community Support

  If there's a project you like you don't just have to be a developer to help support and help that project grow, there are plenty of other ways in which a regular person can help out a FOSS project.

• Routing and Firewalling VLANS with FreeBSD

  When first experimenting, it is important to start with something simple. It can sometimes be far too easy to model very complex setups and then have to spend a lot of time debugging to understand what is not configured correctly.

  These example networks offer both an introduction on how to set up VNET jails with VLANs and show some of the power of their use. A production network built from this would want to give each jail its own file system, this step was skipped to make it easier to follow along.

  The BSD Router project has an example VLAN and VNET multi-tennant set up on their website that includes multiple different virtual machine frameworks. This example is well worth study and this article has hopefully provided the background to help you understand how this network is set up.

• [Old] FreeBSD On A Raspberry Pi 4 With 4GB Of RAM

  This is the story of how I managed to get FreeBSD running on a Raspberry Pi 4 with 4GB of RAM, though I think the setup story is pretty similar for those with 2GB and 8GB.1

  I also managed to get Rust built from source, (kind of) which is nice because the default Rust installer doesn’t seem to work for FreeBSD running on a Raspberry Pi.

  If there’s anything awry with these steps, please contact me so I can fix it.

• GNU Linux – how to mount single disk failed RAID1

• Sylvain Beucler: Android Emulator Rebuild

  Android Rebuilds provides freely-licensed builds of Android development tools from a Mountain View-based company. The Emulator package moved to a separate component and build system.

• The Surprising Power of Business Experimentation

  We’ve long associated innovation breakthroughs with science and technology coming out of R&D labs, e.g., the transistor, penicillin, DNA sequencing, TCP/IP protocols, and so on. Such major lab-based breakthroughs are at one end of the innovation spectrum. At the other end are market-facing innovations, whose purpose is to create appealing and intuitive user experiences, new business models, and compelling market-based strategies. Lab-based innovations were generally born when scientists, mathematicians or engineers developed new theories, technologies, algorithms or programs in an R&D lab. Over time, often years, the innovations found their way to the marketplace. Since technology and markets advanced at a relatively slow pace, there was little pressure to reduce the transition times from lab to market. This was the prevailing innovation model through most of the 20th century. It all started to change in the 1980s as the rate and pace of technology advances significantly accelerated. The hand-offs and elapsed times to take an innovation from lab to market were no longer competitive, especially with products based on fast changing digital technologies. Start-up companies significantly shortened the time-to-market for new products and services, putting huge pressure on companies still operating under the old rules. These competitive pressures, were further exacerbated by the explosive growth of the Internet in the 1990s, as I personally learned when becoming general manager of the newly established IBM Internet Division in December of 1995. A lot was starting to happen around the Internet, but it was not clear where things were heading, and in particular what the implications would be to the world of business. With the Internet, there was no one technology or product you could work on in the labs that would make you a success in the marketplace. This time around, the strategy itself had to come from the marketplace, not the labs.

• SeaMonkey on Pi4 no longer freezes

  Ans now SM is behaving nicely, no appreciable freezing. I am testing version 2.6.1, and playing around on youtube.com do get a segmentation fault sometimes. I can live with that, better than freezing. Running SM 2.53.5.1. One other thing: The SM cache is in /root/.mozilla, not happy with this, as always trying to reduce writes to the drive. So have changed it to /tmp. SM creates a folder named /tmp/Cache2. In EasyOS, /tmp is a tmpfs, in RAM. The downside of this is the cache will be lost at shutdown. Probably an upside is a possible security benefit.

• Cameron Kaiser: TenFourFox FPR30 SPR1 available

  With the Quad G5 now back in working order after the Floodgap Power Supply Kablooey of 2020, TenFourFox Feature Parity Release "30.1" (SPR 1) is now available for testing (downloads, hashes, release notes).

New in Linux 5.12

• Linux 5.12 To Allow Voltage/Temperature Reporting On Some ASRock Motherboards - Phoronix

  Voltage, temperature, and fan speed reporting among desktop motherboards under Linux remains one of the unfortunate areas even in 2021... Many SIO ICs remain publicly undocumented and the Linux driver support is often left up to the community and usually through reverse-engineering. Thus the mainline Linux kernel support is left to suffer especially among newer desktop motherboards.

• [Older] F2FS With Linux 5.12 To Allow Configuring Compression Level

  While the Flash-Friendly File-System (F2FS) allows selecting between your choice of optional compression algorithms like LZO, LZ4, and Zstd -- plus even specifying specific file extensions to optionally limit the transparent file-system compression to -- it doesn't allow easily specifying a compression level. That is fortunately set to change with the Linux 5.12 kernel this spring. Queued now into the F2FS "dev" tree ahead of the Linux 5.12 merge window is a patch that's been floating around for some weeks to allow easily configuring the compression level. The compress_algorithm mount option is expanded to allow also specifying a level, such that the format supported is [algorithm]:[level] should you want to override any level preference like with the LZ4 and Zstd compression algorithms.

Security and Proprietary Software

• diffoscope 165 released

  The diffoscope maintainers are pleased to announce the release of diffoscope version 165. This version includes the following changes:

  [ Dimitrios Apostolou ]
  * Introduce the --no-acl and --no-xattr arguments [later collapsed to
    --extended-filesystem-attributes] to improve performance.
  * Avoid calling the external stat command.
  
  [ Chris Lamb ]
  * Collapse --acl and --xattr into --extended-filesystem-attributes to cover
    all of these extended attributes, defaulting the new option to false (ie.
    to not check these very expensive external calls).
  
  [ Mattia Rizzolo ]
  * Override several lintian warnings regarding prebuilt binaries in the
  * source.
  * Add a pytest.ini file to explicitly use Junit's xunit2 format.
  * Ignore the Python DeprecationWarning message regarding the `imp` module
    deprecation as it comes from a third-party library.
  * debian/rules: filter the content of the d/*.substvars files

• SonicWall hardware VPNs hit by worst-case 0-zero-day-exploit attacks

  “…have information about hacking of a well-known firewall vendor and other security products by this they are silent and do not release press releases for their clients who are under attack due to several 0 days in particular very large companies are vulnerable technology companies,” BleepingComputer was told via email.

• Cyber Firm SonicWall Says It Was Victim of ‘Sophisticated’ Hack

  The Silicon Valley-based company said in a statement that the two products compromised provide users with remote access to internal resources.

  The attackers exploited so-called “zero days” -- a newly discovered software flaw -- on certain SonicWall remote access products, the company said in a statement.

• Former manager of Microsoft Taiwan investigated for fraud

  A former manager at the Taiwanese branch of software giant Microsoft was questioned Friday (Jan. 22) about an alleged fraud scam directed against the company.

  In 2016 and 2017, Chang Ming-fang (張銘芳) allegedly colluded with managers of other companies to forge orders to obtain discounts and products at lower prices, UDN reported.

• School laptops sent by government arrive loaded with malware [iophk: Windows TCO]

  A number of the devices were found to be infected with a "self-propagating network worm", according to the forum, and they also appeared to be contacting Russian servers, one teacher wrote. The Windows-based laptops were specifically infected with Gamarue.1, a worm Microsoft identified in 2012.

• Ransomware provides the perfect cover

  Look at any list of security challenges that CISOs are most concerned about and you’ll consistently find ransomware on them. It’s no wonder: ransomware attacks cripple organizations due to the costs of downtime, recovery, regulatory penalties, and lost revenue. Unfortunately, cybercriminals have added an extra sting to these attacks: they are using ransomware as a smokescreen to divert security teams from other clandestine activities behind the scenes.

  Attackers are using the noise of ransomware to their advantage as it provides the perfect cover to distract attention so they can take aim at their real target: exfiltrating IP [sic], research, and other valuable data from the corporate network.

• Global ransom DDoS extortionists are retargeting companies

  According to Radware, companies that received this letter also received threats in August and September 2020. Security researchers’ analysis of this new wave of ransom letters suggested that the same threat actors from the middle of 2020 are behind these malicious communications.

  When the DDoS extortion campaign started in August of 2020, a single Bitcoin was worth approximately $10,000. It’s now worth roughly $30,000. The attackers cited this in the latest round of ransom letters, and it represents the impact the rising price of Bitcoin is having on the threat landscape.

  A few hours after receiving the message, organizations were hit by DDoS attacks that exceeded 200 Gbps and lasted over nine hours without slowdown or interruption. A maximum attack size of 237 Gbps was reached with a total duration of nearly 10 hours, the alert warned.

• Boeing 737 MAX is a reminder of the REAL problem with software | Stop at Zona-M

  And that problem almost never is software.