
Security: ID Theft, Microsoft, Free Software Security and Reproducible Builds/Diffoscope

Saturday 30th of January 2021 06:06:28 PM
Security
  • The Taxman Cometh for ID Theft Victims

    The unprecedented volume of unemployment insurance fraud witnessed in 2020 hasn’t abated, although news coverage of the issue has largely been pushed off the front pages by other events. But the ID theft problem is coming to the fore once again: Countless Americans will soon be receiving notices from state regulators saying they owe thousands of dollars in taxes on benefits they never received last year.

  • [Cracked] therapy centre Vastaamo goes into liquidation [iophk: Windows TCO]

    The private mental health services company Vastaamo, which has been at the centre of a [cracking] and blackmail scandal since October, has been placed into liquidation.

    The decision was made by the company’s owners, management and board of directors at an emergency general meeting held on Thursday and announced in a Friday morning press release.

  • You cannot manage your supply chain – Open Source Security

    What a year it’s been! I feel like 2021 went by like a … it’s still January???

    So it’s pretty much impossible to ignore any of the events of the last month. I want to talk about something that’s near and dear to my heart, and in the news, not for a good reason. Software supply chains. This is probably a dreadful topic to most, but I love software supply chains. I was talking about them before anyone was even thinking about them. I’m not going to pull a “get off my lawn” here, I think it’s cool everyone is starting to care. I want to talk about how to be realistic about your supply chain. Almost all advice I’ve seen of the last month has been terrible, so I’m going to also give some terrible advice.

    I will start with the usual advice for the worst suggestion every time supply chain discussions happen: You cannot remove all the open source from your supply chain. Even suggesting this would be comparable to making your organization build a coal power plant to go off grid for power. Anyone who suggests this should not be taken seriously.

    Now that we have that out of the way, let’s talk about a software supply chain. I wrote a lovely (at least I think it’s lovely) piece about this during Secadvent for DevSecCon. Just go read it, I’m not going to rehash the details here.

  • diffoscope 166 released

    The diffoscope maintainers are pleased to announce the release of diffoscope version 166. This version includes the following changes:

    [ Chris Lamb ]
    * New features and bugfixes:
      - Explicitly remove our top-level temporary directory.
        (Closes: #981123, reproducible-builds/diffoscope#234)
      - Increase fuzzy matching threshold to 130 to ensure that we show more
        differences. (Closes: reproducible-builds/diffoscope#232)
      - Save our sys.argv in our top-level temporary directory in case it
        helps debug current/errant temporary directories.
      - Prefer to use "magic.Magic" over the "magic.open" compatibility
        interface. (Closes: reproducible-builds/diffoscope#236)
      - Reduce fuzzy threshold to 110 to prevent some test failures.
        (Closes: reproducible-builds/diffoscope#233)

    * Output improvements:
      - Show fuzziness amount in percentage terms, not out of the
        rather-arbitrary "400".
      - Improve the logging of fuzzy matching.
      - Print the free space in our temporary directory when we create it, not
        from within diffoscope.main.

    * Codebase improvements:
      - Tidy the diffoscope.comparators.utils.fuzzy module.
      - Update my copyright years.
      - Clarify the grammar of a comment.
      - Clarify in a comment that __del__ is not always called, so temporary
        directories are not necessarily removed the *moment* they go out of scope.

    [ Conrad Ratschan ]
    * Fix U-Boot Flattened Image Tree ("FIT") image detection for larger image
      files. (MR: reproducible-builds/diffoscope!75)

OnePlus 6 and OnePlus 6T seeing work for mainline Linux kernel support

One of the perks of buying a OnePlus smartphone is the aftermarket development support. The company is generally known for its timely kernel source code releases (they have been slow at publishing sources a couple of times) and promotion of custom ROMs for EOL devices among other things, which makes it a fan favorite in the developer community. We often speak about devices outliving their generation by leaps and bounds, and now it looks like two OnePlus phones are about to achieve a similarly remarkable feat in terms of third-party development. It’s been nearly three years since the launch of the OnePlus 6 series, but if you still have a OnePlus 6 or a OnePlus 6T lying around, it may soon be possible to boot it with the mainline Linux kernel.

Audiocasts/Shows: Reality 2.0, FreeTube and Self-Hosted

Devices/Embedded Leftovers

  • How to blink an LED with Raspberry Pi Pico in C
  • Mini-ITX SBC and embedded PC provide a choice of Ryzen V1000 or R1000

    Portwell announced a Linux-friendly GMS-6310 embedded PC and a GMI-6310 Mini-ITX board that powers it featuring AMD’s Ryzen Embedded V1000 or R1000. Portwell’s new GMI-6310 Mini-ITX board and the GMS-6310 embedded computer based on it are designed for graphics-intensive applications including gaming machines, industrial HMI, surveillance, machine vision, medical imaging, and multimedia imaging processing and control. The products run Linux or Windows on AMD’s Ryzen Embedded V1000 or Ryzen Embedded R1000.

  • Compact gateway combines triple HDMI with triple GbE

    Nexcom’s rugged, Linux-ready “NISE 52” IoT gateway extends an Apollo Lake SoC with an interesting mix of features for a compact: 3x HDMI, 3x GbE, 8x USB, 2x mini-PCIe, and a DB44 serial port. Nexcom has announced a 162 x 150 x 26mm NISE 52 IoT gateway that follows other compact NISE systems including the identically sized and Apollo Lake equipped NISE 51. Yet the NISE 52 plugs more — and more unusual — features into the tiny enclosure.

Free Software and Openwashing

  • The Apache News Round-up: week ending 29 January 2021

    Farewell, January -- both the week and month have flown by.

  • How 1000s Of Signal Users Downloaded The App Without Meaning To

    Signal is a free and open-source app that’s available on GitHub, meaning anyone can view, download and edit the source code. As such, anyone can use the Signal code to create an app of their own and some have. Originally spotted by Vice, a Tweet from a user that simply goes by dev, explained how a friend had an account on Signal, but when asked about it they had never heard of the app. Digging into the mystery further, it turned out that an app named Call Chat had been downloaded. Call Chat had over 10,000 downloads on the Google Play Store, but has since been removed. According to Kerala Kaumudi, Call Chat was developed by a clever 12-year-old named Dheerj, as a solution to a ban on Chinese apps in the local area.

  • Why Blobs Are Important, And Why You Should Care

    If there is a price to be paid for this convenience, it comes in the form of the blob: a piece of pre-compiled binary software that does the hard work of talking to the hardware and which presents a unified API to the software. Whether you’re talking to the ESP32 WiFi through an Arduino library or booting a Raspberry Pi with a Linux distribution, while your code may be available or even open source, the blob it relies upon to work is closed source and proprietary. This presents a challenge not only to Software Libre enthusiasts in search of a truly open source computer, but also to the rest of us, because we are left reliant upon the willingness of the hardware manufacturer to update and patch their blobs.

    An open-source advocate would say that the solution is easy, the manufacturers should simply make their blobs open-source. And it’s true, were all blobs open-source then the Software Libre crowd would be happy and their open-source nature would ease the generation of those updates and patches. So why don’t manufacturers release their blobs as open-source? In some cases that may well be due to a closed-source mindset of never releasing anything to the world to protect company intellectual property, but to leave it at that is not a full answer. To fully understand why that is the case it’s worth looking at how our multifunctional chips are made.

  • Chrome 89 Beta: Advanced Hardware Interactions, Web Sharing on Desktop, and More

    Unless otherwise noted, changes described below apply to the newest Chrome beta channel release for Android, Chrome OS, Linux, macOS, and Windows. Learn more about the features listed here through the provided links or from the list on ChromeStatus.com. Chrome 89 is beta as of January 28, 2021.

  • Chrome 89 Beta Enables WebHID By Default, Other New Web APIs

    Following last week's release of Google Chrome 88, the Chrome 89 beta is now available for testing.

