wlug June 2019

wlug@list.waikato.ac.nz

7 participants
58 discussions

by Lawrence D'Oliveiro

For quite a while now, I’ve been annoyed by the system notification volume going to 100% on my Debian systems, regardless of my attempts to set it to a lower level. For example, when I open the KDE System Settings app, change something, then try to close the window, the sound that accompanies the save/discard/cancel alert is always startlingly loud. I think I have finally found a fix: in your /etc/pulse/daemon.conf, put in a line saying flat-volumes = no (You should find an existing comment “; flat-volumes = yes” that indicates the default.) You can make this new setting take effect in the current session immediately without having to logout or reboot, by executing the following as the currently-logged-in user: pulseaudio -k (This kills and restarts the PulseAudio daemon for your user session.) There are several discussions of the pros and cons of this issue online, going back some years. For example, here <https://bugzilla.redhat.com/show_bug.cgi?id=1265267>. Also a mention about the “flat-volumes” setting in the ever-reliable Arch Linux Wiki here <https://wiki.archlinux.org/index.php/PulseAudio>.

6 months, 1 week

How Qualcomm Shook Down The Cell Phone Industry For Almost 20 Years

by Lawrence D'Oliveiro

A pretty sobering read <https://arstechnica.com/tech-policy/2019/05/how-qualcomm-shook-down-the-cel…>: Qualcomm's first weapon against competitors: patent licensing terms requiring customers to pay a royalty on every phone sold—not just phones that contained Qualcomm's wireless chips. Sound familiar? Judge Koh draws a direct parallel to licensing behavior that got Microsoft in legal trouble in the 1990s. Microsoft would offer PC makers a discount if they agreed to pay Microsoft a licensing fee for every PC sold—whether or not the PC shipped with a copy of MS-DOS. This effectively meant that a PC maker had to pay twice if it shipped a PC running a non-Microsoft operating system. There’s a lot more--the article reads like a catalogue of gangster-like tactics. All of which is perfectly all right under the US interpretation of “Free Enterprise”, of course ... Also, reading the details of how Qualcomm managed to sabotage Intel’s efforts to develop 5G chips, it seems to me that Qualcomm is directly responsible for the situation today where US companies are lagging behind Chinese ones like Huawei in 5G capability.

11 months, 2 weeks

Ask Slashdot: What's Your 'Backup' Browser?

by Peter Reutemann

'Slashdot's gotten over 17,000 votes in its poll about which web browser people use on their desktop. (The current leader? Firefox, with 53% of the vote, followed by Chrome with 30%.) But Slashdot reader koavf asks an interesting follow-up question: "What's everyone's go-to Plan B browser and why?"' -- source: https://news.slashdot.org/story/19/06/30/2220257 Cheers, Peter -- Peter Reutemann Dept. of Computer Science University of Waikato, NZ +64 (7) 858-5174 http://www.cms.waikato.ac.nz/~fracpete/ http://www.data-mining.co.nz/

2 years

Linus Torvalds Sees Lots of Hardware Headaches Ahead

by Peter Reutemann

'Linux founder Linus Torvalds "warns that managing software is about to become a lot more challenging, largely because of two hardware issues that are beyond the control of DevOps teams," reports DevOps.com. An anonymous reader shares their report about Torvalds remarks at the KubeCon + CloudNative + Open Source Summit China conference: The first, Torvalds said, is the steady stream of patches being generated for new cybersecurity issues related to the speculative execution model that Intel and other processor vendors rely on to accelerate performance... Each of those bugs requires another patch to the Linux kernel that, depending on when they arrive, can require painful updates to the kernel, Torvalds told conference attendees. Short of disabling hyperthreading altogether to eliminate reliance on speculative execution, each patch requires organizations to update both the Linux kernel and the BIOS to ensure security. Turning off hyperthreading eliminates the patch management issue, but also reduces application performance by about 15 percent. The second major issue hardware issue looms a little further over the horizon, Torvalds said. Moore's Law has guaranteed a doubling of hardware performance every 18 months for decades. But as processor vendors approach the limits of Moore's Law, many developers will need to reoptimize their code to continue achieving increased performance. In many cases, that requirement will be a shock to many development teams that have counted on those performance improvements to make up for inefficient coding processes, he said.' -- source: https://news.slashdot.org/story/19/06/28/2245250 Cheers, Peter -- Peter Reutemann Dept. of Computer Science University of Waikato, NZ +64 (7) 858-5174 http://www.cms.waikato.ac.nz/~fracpete/ http://www.data-mining.co.nz/

2 years

Tech Press Rushes To Cover New Linus Torvalds Mailing List Outburst

by Peter Reutemann

'"Linux frontman Linus Torvalds thinks he's 'more self-aware' these days and is 'trying to be less forceful' after his brief absence from directing Linux kernel developers because of his abusive language on the Linux kernel mailing list," reports ZDNet. "But true to his word, he's still not necessarily diplomatic in his communications with maintainers..." Torvalds' post-hiatus outburst was directed at Dave Chinner, an Australian programmer who maintains the Silicon Graphics (SGI)-created XFS file system supported by many Linux distros. "Bullshit, Dave," Torvalds told Chinner on a mailing list. The comment from Chinner that triggered Torvalds' rebuke was that "the page cache is still far, far slower than direct IO" -- a problem Chinner thinks will become more apparent with the arrival of the newish storage-motherboard interface specification known as Peripheral Express Interconnect Express (PCIe) version 4.0. Chinner believes page cache might be necessary to support disk-based storage, but that it has a performance cost.... "You've made that claim before, and it's been complete bullshit before too, and I've called you out on it then too," wrote Torvalds. "Why do you continue to make this obviously garbage argument?" According to Torvalds, the page cache serves its correct purpose as a cache. "The key word in the 'page cache' name is 'cache'," wrote Torvalds.... "Caches work, Dave. Anybody who thinks caches don't work is incompetent. 99 percent of all filesystem accesses are cached, and they never do any IO at all, and the page cache handles them beautifully," Torvalds wrote. "When you say the page cache is slower than direct IO, it's because you don't even see or care about the *fast* case. You only get involved once there is actual IO to be done." "The thing is," reports the Register, "crucially, Chinner was talking in the context of specific IO requests that just don't cache well, and noted that these inefficiencies could become more obvious as the deployment of PCIe 4.0-connected non-volatile storage memory spreads." Here's how Chinner responded to Torvalds on the mailing list. "You've taken one single statement I made from a huge email about complexities in dealing with IO concurrency, the page cache and architectural flaws in the existing code, quoted it out of context, fabricated a completely new context and started ranting about how I know nothing about how caches or the page cache work." The Register notes their conversation also illustrates a crucial difference from closed-source software development. "[D]ue to the open nature of the Linux kernel, Linus's rows and spats play out in public for everyone to see, and vultures like us to write up about."' -- source: https://news.slashdot.org/story/19/06/28/2339245 Cheers, Peter -- Peter Reutemann Dept. of Computer Science University of Waikato, NZ +64 (7) 858-5174 http://www.cms.waikato.ac.nz/~fracpete/ http://www.data-mining.co.nz/

2 years

Google's New ReCAPTCHA Has a Dark Side

by Peter Reutemann

'We've all tried to log into a website or submit a form only to be stuck clicking boxes of traffic lights or storefronts or bridges in a desperate attempt to finally convince the computer that we're not actually a bot. For many years, this has been one of the predominant ways that reCaptcha -- the Google-run internet bot detector -- has determined whether a user is a bot or not. But last fall, Google launched a new version of the tool, with the goal of eliminating that annoying user experience entirely. Now, when you enter a form on a website that's using reCaptcha V3, you won't see the "I'm not a robot" checkbox, nor will you have to prove you know what a cat looks like. Instead, you won't see anything at all. Google is also now testing an enterprise version of reCaptcha v3, where Google creates a customized reCaptcha for enterprises that are looking for more granular data about users' risk levels to protect their site algorithms from malicious users and bots. But this new, risk-score based system comes with a serious trade-off: users' privacy. According to two security researchers who've studied reCaptcha, one of the ways that Google determines whether you're a malicious user or not is whether you already have a Google cookie installed on your browser. It's the same cookie that allows you to open new tabs in your browser and not have to re-log in to your Google account every time. But according to Mohamed Akrout, a computer science PhD student at the University of Toronto who has studied reCaptcha, it appears that Google is also using its cookies to determine whether someone is a human in reCaptcha v3 tests. Akrout wrote in an April paper about how reCaptcha v3 simulations that ran on a browser with a connected Google account received lower risk scores than browsers without a connected Google account. "Because reCaptcha v3 is likely to be on every page of a website, if you're signed into your Google account there's a chance Google is getting data about every single webpage you go to that is embedded with reCaptcha v3 -- and there many be no visual indication on the site that it's happening, beyond a small reCaptcha logo hidden in the corner," the report adds.' -- source: https://tech.slashdot.org/story/19/06/27/2139219 Cheers, Peter -- Peter Reutemann Dept. of Computer Science University of Waikato, NZ +64 (7) 858-5174 http://www.cms.waikato.ac.nz/~fracpete/ http://www.data-mining.co.nz/

2 years

WireGuard on Windows early preview

by Peter Reutemann

'WireGuard is a new peer-to-peer VPN technology that has the potential for greater speed, smaller attack surface, and easier configuration than commonly used and better-established VPN platforms such as OpenVPN and IPSec. It has been available on Linux, FreeBSD, macOS, Android, and even iOS for quite some time now, with Windows being the one platform frustratingly missing. There are good reasons for that—lead developer Jason Donenfeld didn't want to inherit the problems of OpenVPN's OpenTAP adapter code, and when he investigated Microsoft's built-in VPN API, he didn't like that either. So his first move was to take a giant step backward on the Windows platform and develop an extremely simple virtual adapter that could be used not only for WireGuard, but also for other projects that might need the same kind of very basic, socket-and-tunnel functionality. This became Wintun. For the moment, WireGuard for Windows is still in what creator Jason Donenfeld refers to as "pre-alpha," with an alpha build due out sometime in the next week or two. The good news is that it's an easy install now, with no dev-fu required to get it running happily on a Windows 10 (or Server 2016, as seen below) system. There are self-contained, signed MSI installers for both 64-bit and 32-bit builds there; downloading and running them just works, with no complaints from Defender about unsigned or untrusted anything. I was curious about what makes v0.0.14 "pre-alpha" rather than merely "alpha." Donenfeld told me one reason he called it pre-alpha was to keep journalists like me (as well as the generally unadventurous) from writing about it before it's ready.' -- source: https://arstechnica.com/information-technology/2019/06/taking-a-spin-on-wir… Here's the link the article covering the Linux version: https://arstechnica.com/gadgets/2018/08/wireguard-vpn-review-fast-connectio… Cheers, Peter -- Peter Reutemann Dept. of Computer Science University of Waikato, NZ +64 (7) 858-5174 http://www.cms.waikato.ac.nz/~fracpete/ http://www.data-mining.co.nz/

2 years

Mozilla Launches GeckoView-Powered Firefox Preview For Android

by Peter Reutemann

'Mozilla today announced Firefox Preview, a pilot of its new Android browser. Firefox Preview, which is powered by Mozilla's own GeckoView engine, will ultimately replace the current Firefox for Android mobile app "this fall." At the same time, Mozilla has put Firefox Focus for Android development on hold. If you're a developer or just an early adopter, you can download Firefox Preview from Google Play. On desktop, Firefox is the second most popular browser after Chrome. Firefox holds about 10% desktop market share, according to Net Applications. On mobile, however, Firefox has less than 0.5% share. Despite regular releases alongside the desktop browser over the years, Firefox's mobile share has not improved.' -- source: https://news.slashdot.org/story/19/06/27/1720215 Cheers, Peter -- Peter Reutemann Dept. of Computer Science University of Waikato, NZ +64 (7) 858-5174 http://www.cms.waikato.ac.nz/~fracpete/ http://www.data-mining.co.nz/

2 years

Researchers Demonstrate How US Emergency Alert System Can Be Hijacked and Weaponized

by Peter Reutemann

'After an emergency alert was accidentally sent to Hawaii residents last year, warning of an impending nuclear ballistic missile attack, researchers at the University of Colorado Boulder were prompted to ask the question: How easy would it be to exploit the nation's emergency alert systems, wreaking havoc on the American public via fake or misleading alerts? In short, they found that it wasn't very difficult at all. Motherboard reports: Their full study was recently unveiled at the 2019 International Conference on Mobile Systems, Applications and Services (MobiSys) in Seoul, South Korea. It documents how spoofing the Wireless Emergency Alert (WEA) program to trick cellular users wasn't all that difficult. To prove it, researchers built a mini "pirate" cell tower using easily-available hardware and open source software. Using isolated RF shield boxes to mitigate any real-world harm, they then simulated attacks in the 50,000 seat Folsom Field at the University. 90 percent of the time, the researchers say they were able to pass bogus alerts on to cell phones within range. The transmission of these messages from the government to the cellular tower is secure. It's the transmission from the cellular tower to the end user that's open to manipulation and interference, the researchers found. The vulnerability potentially impacts not just US LTE networks, but LTE networks from Europe to South Korea. ' -- source: https://tech.slashdot.org/story/19/06/26/2347257 Cheers, Peter -- Peter Reutemann Dept. of Computer Science University of Waikato, NZ +64 (7) 858-5174 http://www.cms.waikato.ac.nz/~fracpete/ http://www.data-mining.co.nz/

2 years, 1 month

Security firms demonstrate subdomain hijack exploit vs. EA/Origin

by Peter Reutemann

'Israeli security firms Check Point and CyberInt partnered up this week to find, exploit, and demonstrate a nasty security flaw that allows attackers to hijack player accounts in EA/Origin's online games. The exploit chains together several classic types of attacks—phishing, session hijacking, and cross-site scripting—but the key flaw that makes the entire attack work is poorly maintained DNS.' -- source: https://arstechnica.com/information-technology/2019/06/security-firms-demon… Cheers, Peter -- Peter Reutemann Dept. of Computer Science University of Waikato, NZ +64 (7) 858-5174 http://www.cms.waikato.ac.nz/~fracpete/ http://www.data-mining.co.nz/

2 years, 1 month

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

wlug June 2019