OpenSUSE 15 Leap Released, Facebook and Google Already Face GDPR Complaints, GNOME 3.29.2 and More

News briefs for May 25, 2018.

OpenSUSE 15 Leap, the "project's latest non-rolling-release, enterprise-geared distribution", was released today. This new version "brings a new partitioner, makes use of Firewalld for its firewall, a new look, various new enterprise features, support for NextCloud, atomic updates support via Kubic, and much more. The GNOME version of openSUSE Leap 15 is also using Wayland by default while their KDE Plasma 5.12 LTS desktop continues using an X.org session default." For more details on all the new features, visit the OpenSUSE News site.

Facebook and Google are already facing GDPR complaints due to "forced consent". TechCrunch reports that Max Schrems has filed complaints against Facebook, Instagram, WhatsApp and Android. Regarding Facebook, Schrems commented "In the end users only had the choice to delete the account or hit the 'agree'-button—that's not a free choice, it more reminds of a North Korean election process."

If you have a NETGEAR router, see the security advisory for steps you can take to protect yourself against the VPNFilter malware.

GNOME 3.29.2 was released yesterday. This is the second unstable release in the 3.30 cycle and is primarily for testing and hacking.

GamingOnLinux reports that Paradox has confirmed its new game Imperator: Rome! will be supported for Linux.

FOSS as a Part of a Corporate Sustainability Plan

Free and open-source software is a critical part of your company's supply chain. Here's why and how you can include it in your corporate sustainability plan.

In 1983 the United Nations convened a commission of 22 people to investigate the question of the worldwide environmental and social impact of human development. Four years later, in 1987, the commission released Our Common Future, more commonly known as the Brundtland Report in honour of Gro Harlem Brundtland, chairperson of the commission. This report detailed the very real socio-environmental issues facing humanity. One of its recommendations was for governments, organizations and companies to start engaging in what it called sustainable development. That is, "...development that meets the needs of the present without compromising the ability of future generations to meet their own needs".

Since then there's been steep growth in the number of corporations that maintain and operate according to a corporate sustainability plan. These plans encompass environmental as well as social aspects of doing business. They encompass actions within an organization—such as natural resource usage, diversity and inclusion, and fair treatment of employees—as well as those external to the organization—such as the sustainability operations of their entire supply chain as well as the overall impact the corporation has on the Earth and its inhabitants.

The Benefits of Sustainability

A sustainability plan impacts every facet of an organization's operations and can take a fair bit of effort to implement and maintain. If that's the case, why are more corporations putting these plans into action every year? While it would be nice to think that this occurs for entirely altruistic reasons—taking care of the Earth and its inhabitants is simply the right thing to do, after all—the fact of the matter is that studies repeatedly show that properly implemented corporate sustainability plans are very good for the bottom line.

RIP Robin “Roblimo” Miller

Linux Journal has learned fellow journalist and long-time voice of the Linux community Robin "Roblimo" Miller has passed away. Miller was perhaps best known by the community for his role as Editor in Chief of Open Source Technology Group, the company that owned Slashdot, SourceForge.net, freshmeat, Linux.com, NewsForge, and ThinkGeek from 2000 to 2008. He went on to write and do video interviews for FOSS Force, penned articles for several publications, and authored three books, The Online Rules of Successful Companies, Point & Click Linux!, and Point & Click OpenOffice.org, all published by Prentice Hall.

As Marcel Gagne so perfectly summarized, "Robin was one of those people who could make you laugh while teaching you a thing or two."

Roblimo, you will be missed. 

An FUQ for the GDPR

Today is Privmas Eve: the day before Privmas, aka GDPR Day: the one marked red on the calendars of every company in the world holding an asset the GDPR has suddenly made toxic: personal data. The same day—25 May—should be marked green for everyone who has hated the simple fact that harvesting personal data from everybody on the internet has been too damned easy for too damned long for too damned many companies, and governments too.

Whether you like the GDPR or not (and there are reasons for both, which we'll get into shortly), one thing it has done for sure is turn privacy into a Very Big Deal. This is good, because we've had damned little of it on the internet and now we're going to get a lot more. That's worth celebrating, everybody. Merry Privmas!

To help with that, and because 99.99x% of GDPR coverage is about what it means for the fattest regulatory targets (Facebook, Google, et al.), here's an FUQ: Frequently Unasked (or Unanswered) Questions about the GDPR and what it means for you, me and everybody else who wants to keep personal data personal—or to get back personal data those data farmers have already harvested. (The GDPR respects both.)

A note before we begin: this is a work in progress. It's what we know about what's now possible in a world changed by the GDPR. And "we" includes everybody. If you want to help, weigh in. Here goes...

Bottom line, what does the GDPR mean for the "natural persons" it also calls "data subjects"?

It means we're in charge now: at least of ourselves—and of our sides of relationships with the corporate entities we deal with.

No, the GDPR doesn't say that specifically, but both the letter and the spirit of the GDPR respect privacy as a fundamental human right. Since rights are something we exercise as individuals, and not just something good corporate behavior allows us to enjoy, we should be able to provide it for ourselves as well.

Don't we have enough privacy tools already with crypto, onion routing, VPNs and so on?

No, we don't.

Those are all forms of protection against exploitation by others. We need tools that create private spaces around us on the net, much as clothing (the original privacy tech) does for us in the natural world. We need ways to signal to others what's okay and what's not okay, and to know easily when those signals are being respected and when they are not. We need ways to move about the net anonymously, and to submit identifiers only on a need-to-know basis, and then in ways we control.

Parrot 4.0 Now Available, Eudora Email Code Open-Sourced, Firefox Now Offers Two-Step Authentication and More

News briefs for May 24, 2018.

Parrot 4.0 is now available for download. Parrot is a "GNU/Linux distribution based on Debian Testing and designed with Security, Development and Privacy in mind. It includes a full portable laboratory for security and digital forensics experts, but it also includes all you need to develop your own software or protect your privacy while surfing the net." New features of this "milestone" version include netinstall images, Docker templates, Linux kernel 4.16 and several other bugfixes and changes. See the release notes for more information.

Historic Eudora email code has been open-sourced by the Computer History Museum, The Register reports: "it fell into neglect after Qualcomm stopped selling it in 2006, and a follow-up version was poorly received in 2007. Under this latest deal, Qualcomm is to donate all IP—copyright code, trademarks and domain names—over to the museum."

Mozilla began offering two-step authentication for Firefox this week. If you enable it, you'll need to use an additional security code to log in. Mozilla is using the authentication standard TOTP (Time-based One-Time Password) to implement this feature. If you don't see a "Two-step authentication" panel in your Preferences, see this page for further instructions on how to enable it.

Kata Containers 1.0 was released this week. This first release "completes the merger of Intel's Clear Containers and Hyper's runV technologies, and delivers an OCI compatible runtime with seamless integration for container ecosystem technologies like Docker and Kubernetes." Visit the Kata Containers page for more info and links to the GitHub and install guide.

Visualizing Molecules with EasyChem

Introducing EasyChem, a program that generates publication-quality images of molecular structures.

Chemistry is one of the heavy hitters in computational science. This has been true since the beginning, and it's no less true today. Because of this, several software packages specifically target this user group. Most of these software packages focus on calculating things within chemistry, like bond energies or protein folding structures. But, once you've done the science portion, you need to be able to communicate your results, usually in the form of papers published in journals. And, part of the information you'll need to disseminate is imagery of the molecules from your work. And, that's where EasyChem, this article's subject, comes into play.

EasyChem helps generate publication-quality images of molecular structures. It should be available in the package management repositories for most distributions. In Debian-based distributions, you can install it with the following command:


sudo apt-get install easychem

Once it's installed, you can start it either from your GUI's menu system or from the command prompt. When it first starts, you get a blank canvas within which to start your project.

Figure 1. You get a blank workspace when you first start EasyChem.

One of the first things you'll want to check is whether the option to have helpful messages is turned on. You can check this by clicking Options→Learning messages. With this selected, you'll get helpful information in the bottom bar of the EasyChem window.

Let's start with a simple molecule like benzene. Benzene is a ring of six carbon atoms, with every other bond a double bond. You can create this structure by using the options at the bottom of the draw window. Making sure that the "Add bonds" option is selected, select the "Simple" bond from the drop-down of "Bond type". If you now place the mouse pointer somewhere in the window and click and drag, you'll get a single bond drawn. To get a ring, you need to hold down the Ctrl key, and then click and drag. This will draw a ring structure for you.

You can set the number of atoms to use in the ring with the "Ring size" option in the bottom left of the window. The default is six, which is what you'll want for your benzene ring.

To get the alternating bond types, select the "Edit" option at the bottom, and then you'll be able to select individual bonds and change their types. When you select one of the bonds, you'll see a new pop-up window where you can change the details, such as the type of bond, along with the color and the relative width if it is a multiple bond.

VPNFilter Malware Attacks Routers, Mitigations for Spectre Variant 4, OnePlus 6 Phone and More

News briefs for May 23, 2018.

There's a new type of malware called VPNFilter, which "has infected at least half a million home and small business routers including those sold by Netgear, TP-Link, Linksys, MicroTik, and QNAP network storage devices". This code is intended to "serve as a multipurpose spy tool, and also creates a network of hijacked routers that serve as unwitting VPNs, potentially hiding the attackers' origin as they carry out other malicious activities". See the story on Wired for all the details.

Canonical released an update to address 13 security vulnerabilities, including the new Spectre Variant 4, for Ubuntu 18.04 LTS, Ubuntu 17.10, Ubuntu 16.04 LTS, and Ubuntu 14.04 LTS. Canonical notes that "to fully mitigate Spectre Variant 4, users must also update the processor microcode firmware". See the security announcement for more info, and update now.

Also yesterday, Greg Kroah-Hartman released updates for the Linux 4.9.102, 4.14.43, and 4.16.11 kernels for Spectre Variant 4 mitigation. Update now. (Source: Phoronix.)

Mark Shuttleworth created a stir this week with his keynote at the OpenStack Summit in Vancouver due to his competitive comments about VMware and Red Hat. See the ServerWatch story for details.

The OnePlus 6 unlocked phone is now available for $529. See Android Central for specifications and a review of the new phone.

Cooking With Linux (without a net): Really tiny Linux distributions, old DOS games, and more

It's Tuesday, and it's time for Cooking With Linux (without a net) where I do some live Linuxy and open source stuff, live, on camera, and without the benefit of post video editing therefore providing a high probability of falling flat on my face. Today, it's teeny tiny Linux time where I'll show you some of the smallest fully graphical distributions out there, play some old abandoned games, DOS emulation, and visit browser based Linux. Basically, a grab bag of Linux and open source goodies. Oh, and wine.

Tor Hidden Services

Why should clients get all the privacy? Give your servers some privacy too!

When people write privacy guides, for the most part they are written from the perspective of the client. Whether you are using HTTPS, blocking tracking cookies or going so far as to browse the internet over Tor, those privacy guides focus on helping end users protect themselves from the potentially malicious and spying web. Since many people who read Linux Journal sit on the other side of that equation—they run the servers that host those privacy-defeating services—system administrators also should step up and do their part to help user privacy. Although part of that just means making sure your services support TLS, in this article, I describe how to go one step further and make it possible for your users to use your services completely anonymously via Tor hidden services.

How It Works

I'm not going to dive into the details of how Tor itself works so you can use the web anonymously—for those details, check out https://tor.eff.org. Tor hidden services work within the Tor network and allow you to register an internal, Tor-only service that gets its own .onion hostname. When visitors connect to the Tor network, Tor resolves those .onion addresses and directs you to the anonymous service sitting behind that name. Unlike with other services though, hidden services provide two-way anonymity. The server doesn't know the IP of the client, like with any service you access over Tor, but the client also doesn't know the IP of the server. This provides the ultimate in privacy since it's being protected on both sides.

Warnings and Planning

As with setting up a Tor node itself, some planning is involved if you want to set up a Tor hidden service so you don't defeat Tor's anonymity via some operational mistake. There are a lot of rules both from an operational and security standpoint, so I recommend you read this excellent guide to find the latest best practices all in one place.

Without diving into all of those steps, I do want to list a few general-purpose guidelines here. First, you'll want to make sure that whatever service you are hosting is listening only on localhost (127.0.0.1) and isn't viewable via the regular internet. Otherwise, someone may be able to correlate your hidden service with the public one. Next, go through whatever service you are running and try to scrub specific identifying information from it. That means if you are hosting a web service, modify your web server so it doesn't report its software type or version, and if you are running a dynamic site, make sure whatever web applications you use don't report their versions either.

Examining Data Using Pandas

You don't need to be a data scientist to use Pandas for some basic analysis.

Traditionally, people who program in Python use the data types that come with the language, such as integers, strings, lists, tuples and dictionaries. Sure, you can create objects in Python, but those objects typically are built out of those fundamental data structures.

If you're a data scientist working with Pandas though, most of your time is spent with NumPy. NumPy might feel like a Python data structure, but it acts differently in many ways. That's not just because all of its operations work via vectors, but also because the underlying data is actually a C-style array. This makes NumPy extremely fast and efficient, consuming far less memory for a given array of numbers than traditional Python objects would do.

The thing is, NumPy is designed to be fast, but it's also a bit low level for some people. To get more functionality and a more flexible interface, many people use Pandas, a Python package that provides two basic wrappers around NumPy arrays: one-dimensional Series objects and two-dimensional Data Frame objects.

I often describe Pandas as "Excel within Python", in that you can perform all sorts of calculations as well as sort data, search through it and plot it.

For all of these reasons, it's no surprise that Pandas is a darling of the data science community. But here's the thing: you don't need to be a data scientist to enjoy Pandas. It has a lot of excellent functionality that's good for Python developers who otherwise would spend their time wrestling with lists, tuples and dictionaries.

So in this article, I describe some basic analysis that everyone can do with Pandas, regardless of whether you're a data scientist. If you ever work with CSV files (and you probably do), I definitely recommend thinking about using Pandas to open, read, analyze and even write to them. And although I don't cover it in this article, Pandas handles JSON and Excel very well too.

Creating Data Frames

Although it's possible to create a data frame from scratch using Python data structures or NumPy arrays, it's more common in my experience to do so from a file. Fortunately, Pandas can load data from a variety of file formats.

Before you can do anything with Pandas, you have to load it. In a Jupyter notebook, do:


%pylab inline
import pandas as pd

For example, Python comes with a csv module that knows how to handle files in CSV (comma-separated value) format. But, then you need to iterate over the file and do something with each of those lines/rows. I often find it easier to use Pandas to work with such files. For example, here's a CSV file:


a,b,c,d
e,f,g,h
"i,j",k,l,m
n,o.p,q

You can turn this into a data frame with:

Last Call for Purism’s Librem 5 Dev Kits, Git Protocol Version 2 Released, LXQt Version 0.13.0 Now Available and More

Purism announces last call for its Librem 5 dev kits. If you're interested in the hardware that will be the platform for the Librem 5 privacy-focused phones, place your order by June 1, 2018. The dev kit is $399, and it includes "screen, touchscreen, development mainboard, cabling, power supply and various sensors (free worldwide shipping)".

The Google Open Source Blog recently announced the release of Git protocol version 2. This release brings improvements to server-side reference filtering, easy extensibility for new features and simplified client handling of the http transport. See the full list of changes here.

The LXQt team yesterday announced the release of version 0.13.0 of its Lightweight Qt Desktop Environment. Highlights include "all packages are ready for Qt 5.11, out-of-source builds are now mandatory, libfm-qt is made more self-sufficient" and more.

Red Hat announced this morning its collaboration with Juniper Networks to combine Juniper's Contrail Enterprise Multicloud and Red Hat's OpenShift Container and OpenStack Platforms to "deliver an open-source based, multicloud alternative to proprietary platforms".

The Debian Project announced recently that "regular security support for Debian GNU/Linux 8 (code name "jessie") will be terminated on the 17th of June".

The Khronos Group yesterday announced "its engagement of Au-Zone Technologies to enable the NNEF (Neural Network Exchange Format) standard files to be used with leading machine learning training frameworks". See the Press Release for all the details on the Khronos Group and Au-Zone's development of open-source TensorFlow and Caffe2 Converters for NNEF.

Cookies That Go the Other Way

The web—or at least the one we know today—got off on the wrong hoofs. Specifically, I mean with client-server, a distributed application structure that shouldn't subordinate one party to another, but ended up doing exactly that, which is why the web today looks like this:

Clients come to servers for the milk of HTML, and get cookies as well.

The original cookie allowed the server to remember the client when it showed up again. Later the cookie would remember other stuff: for example, that the client was a known customer with a shopping cart.

Cookies also came to remember fancier things, such as that a client has agreed to the server's terms of use.

In the last decade, cookies also arrived from third parties, some for site analytics but mostly so clients could be spied on as they went about their business elsewhere on the web. The original purpose was so those clients could be given "relevant" and "interest-based" advertising. What matters is that it was still spying and a breach of personal privacy, no matter how well its perpetrators rationalize it. Simply put, websites and advertisers' interests end at a browser's front door. (Bonus link: The Castle Doctrine.)

Thanks to the EU's General Data Protection Regulation (GDPR), which comes into full force this Friday, that kind of spying is starting to look illegal. (Though loopholes will be found.) Since there is a world of fear about that, 99.x% of GDPR coverage is about how the new regulation affects the sites and services, and what they can do to avoid risking massive fines for doing what many (or most) of them shouldn't have been doing in the first place.

But the problem remains structural. As long as we're just "users" and "consumers," we're stuck as calves.

But we don't have to be. The web's underlying protocol, HTTP, is distributed and collaborative. It doesn't say we need to be subordinate to websites, always consenting to those sites' terms and policies. It doesn't even say we have to be calves to the websites' cows. Consent can go the other way.

And so can cookies. So let's bake some.

VMware Announces OpenStack 5, Tesla Releases Some Source Code, KDE’s Plasma 5.13 Beta and More

News briefs for May 21, 2018.

VMware today announced its new OpenStack 5. According to the press release, "VMware Integrated OpenStack 5 will be one of the first commercial OpenStack distributions to comply with the OpenStack Foundation's 2018.02 interoperability guidelines. An active member of the OpenStack community, VMware packages, tests, and supports all major components of the distribution, including the full open source OpenStack code in a multi-cloud architecture."

Tesla has released some of the source code for its in-car tech. Engadget reports that the company "has posted the source code for both the material that builds the Autopilot system image as well as the kernels for the Autopilot boards and the NVIDIA Tegra-based infotainment system used in the Model S and Model X."

KDE's Plasma team released Plasma 5.13 beta late last week: "We have spent the last four months optimising startup and minimising memory usage, yielding faster time-to-desktop, better runtime performance and less memory consumption. Basic features like panel popups were optimised to make sure they run smoothly even on the lowest-end hardware. Our design teams have not rested either, producing beautiful new integrated lock and login screen graphics."

The Linux 4.18 kernel will have the Steam Controller driver that will work without needing the Steam client or other third-party applications. Phoronix reports that "HID subsystem maintainer Jiri Kosina has now queued this Valve Steam Controller driver into his HID-next tree for Linux 4.18. This HID driver will expose the Steam Controller as a virtual mouse, virtual keyboard, and custom HID device(s). In turn this should allow the Steam Controller to work happily with any Linux application."

SoftMaker recently released SoftMaker FreeOffice 2018, the newest version of its free software. SoftMaker says "with FreeOffice 2018 you can not only open, but also save documents in the Microsoft file formats DOCX, XLSX and PPTX. Share files directly with Microsoft Office users, without having to export them first!" Note that although it is free to download and use, FreeOffice is not open source.

WordPress recently announced its latest release, 4.9.6, which is a privacy and maintenance release intended to help users be GDPR-compliant. The WordPress blog notes "We're committed to supporting site owners around the world in their work to comply with this important law. As part of that effort, we've added a number of new privacy features in this release."

Nextcloud 13: How to Get Started and Why You Should

Nextcloud could be the first step toward replacing proprietary services like Dropbox and Skype.

In its simplest form, the Nextcloud server is "just" a personal, free software alternative to services like Dropbox or iCloud. You can set it up so your files are always accessible via the internet, from wherever you are, and share them with your friends. However, Nextcloud can do so much more.

In this article, I first describe what the Nextcloud server is and how to install and set it up on GNU/Linux systems. Then I explain how to configure the optional Nextcloud features, which may be the first steps toward making Nextcloud the shell of a complete replacement for many proprietary platforms existing today, such as Dropbox, Facebook and Skype.

Figure 1. A safe home for all your data that all your devices can reach—that's what Nextcloud wants to be.

Why Nextcloud and Not ownCloud?

Nextcloud, whose version 13 was released in February 2018, was spun off the popular ownCloud project in 2016, out of licensing and other disagreements. See the Resources section for some of the most complete feature-by-feature comparisons between Nextcloud and ownCloud. The most basic capabilities are still almost identical, two years after the fork. Some of the functions described here, however, are easier to integrate in Nextcloud than in its ancestor. In addition, my personal reasons for recommending Nextcloud over ownCloud are the following:

  • Licensing and pricing policies: all the official components of Nextcloud are both free as in freedom and as in free beer. You pay only for support and update services. That's not the case with ownCloud.
  • Long-term roadmap: at the moment, ownCloud seems to be more focused on corporate customers and more relevant for investors, while Nextcloud seems to be more focused on extending "direct" user-to-user communication and cooperation features.

Figure 2. The Original Nextcloud/ownCloud Functions: File and Picture Storage, Dropbox-Style

A Word on Security

Several good reasons to choose Nextcloud as the online home for your own files and data are related to security. I don't cover them in detail in this introductory article, but I want to mention at least some of them.

Nextcloud refuses continuous (that is, malicious) attempts to authenticate from any computer, except those whose IP addresses are included in "brute-force IP whitelists". (Of course, the best possible whitelist you can configure is an empty one.)

Weekend Reading: Backups

Public Service Announcement: please do a backup if you haven't in a while. This weekend we feature articles varying from scary backup stories to how to safeguard your data with encrypted backup solutions.

 

Scary Backup Stories

by Paul Barry

Backups. We all know the importance of making a backup of our most important systems. Unfortunately, some of us also know that realizing the importance of performing backups often is a lesson learned the hard way. Everyone has their scary backup stories. Here are mine.

 

Reliable, Inexpensive RAID Backup

by Brian C. Lane

As a topic, backups is one of those subjects likely to elicit as many answers as people you ask about it. It is as personal a choice as your desktop configuration or your operating system. So in this article I am not even going to attempt to cover all the options. Instead I describe the methods I use for building a reliable, useful backup system. This solution is not the right answer for everyone, but it works well for my situation.

 

Encrypted Backup Solution "Home Paranoia Edition"

by Tim Cordova

How to safeguard your personal data with TrueCrypt and SpiderOak.

There are so many cases of personally identifiable information (PII) or any type of data exposed on the Internet today. The details provided in this article may assist in safeguarding your tax information, social security number or password file. The setup this article describes will help keep your personal data at home safe and secure in this "cyber-security"-connected world. This includes virtual/physical security compromises—the only truly secure system is one that is unplugged and locked in a vault. This solution is not all-encompassing and does have limitations, but it is sound enough for safeguarding personal data.

 

LVM and Removable IDE Drives Backup System

by Mike Fogarty

When the company I work for, a civil engineering and surveying firm, decided to move all its AutoCad drawings onto a central fileserver, we were presented with a backup situation orders of magnitude larger than anything we had confronted before. We had at that time (now considerably larger) about 120,000 files, totaling 200GB, that were in active change and needed to be backed up at least daily.

Caption This: May Winner

Drawing of an Alexa plugged in to a hamburger

Winner: Is this what my cardiologist means by I need an echo?

—Tom Dison, twitter.com/fretinator

Second Place: USBurger

—Greg Charnock, twitter.com/gregcharnock7

Third Place: "Alexa, where's the beef?"

—Jack, via comment on https://www.linuxjournal.com

Each month, we provide a cartoon in need of a caption—check https://www.linuxjournal.com for the next one. You submit your caption in the comments on the site or via Twitter, we choose three finalists, and readers vote for their favorite. See the June issue for the next winner.

Purism’s New Purekey OpenPGP Security Token, Windows 10 Now Includes OpenSSH, Vim 8.1 Released and More

News briefs for May 18, 2018.

Purism, maker of the security-focused Librem laptops, announced yesterday it has partnered with Nitrokey to create Purekey, "Purism's own OpenPGP security token designed to integrate with its hardware and software. Purekey embodies Purism's mission to make security and cryptography accessible where its customers hold the keys to their own security." You can purchase a Purekey by itself or as an add-on with a laptop order. According to Purism's CSO Kyle Rankin, "By keeping your encryption keys on a Purekey instead of on a hard drive, your keys never leave the tamper-proof hardware. This not only makes your keys more secure from attackers, it makes using your keys on multiple devices more convenient."

The latest update of Windows 10 includes OpenSSH. ZDNet reports this has been in the works since 2015 due to user requests. Also, third-party SSH clients like PuTTY no longer will be necessary to connect to a system with SSH.

Vim 8.1 is now available. The major new feature of this release is that you now can run a terminal in a Vim window, which allows you to do things like run a command (like make) while editing in other windows or "use the new terminal debugger plugin for debugging inside Vim".

0 A.D., the "open-source ancient warfare game", has a new release, Alpha 23. Phoronix reports that this "RTS game in its latest alpha release features a new civilization, new models, improved AI behavior, a mod downloader, new random maps, and other changes to enhance the game-play for this game that's been open-source for nearly a decade."

Valve launched the Steam Link App for Android devices yesterday. The app "allows gamers to experience their Steam library of games on their Android (phone, tablet, and TV) devices while connected to the same 5Ghz network or wired Ethernet as their Steam gaming computer (PC, Linux, Mac)". You can get the app here. (Source: Phoronix.)

AsteroidOS 1.0 Released, Net Neutrality Update, Qt 3D Studio 2.0 Beta Now Available and More

News briefs for May 17, 2018.

AsteroidOS 1.0 is now available. Released yesterday, the open-source operating system for smartwatches is finally available after four years in the works. As posted on the AsteroidOS website, "AsteroidOS is built on standard Linux technologies including OpenEmbedded, opkg, Wayland, Qt5, systemd, BlueZ, and PulseAudio. This makes it the ideal platform to build any sort of wearable project you can imagine. Do you want to run Docker on your watch? AsteroidOS can do it. Do you want to run Quake on your watch? AsteroidOS can do that too. The sky is really the limit! Our community welcomes anyone interested in playing with a smartwatch project."

Yesterday the Senate voted to reverse the net neutrality repeal. As reported by Ars Technica and elsewhere, if the Congressional Review Act "is approved by the House and signed by President Trump, Internet service providers would have to continue following rules that prohibit blocking, throttling, and paid prioritization." If Congress doesn't act, the net neutrality rules expire on June 11.

Qt 3D Studio 2.0 beta was released yesterday. This release includes a new runtime and viewer application, improved data input, editor improvements and more.

Have a release party for openSUSE Leap 15. See the openSUSE page for how you can help the community spread the word, and see the Launch Party Wiki to sign up and add your party to the map. openSUSE Leap 15 launches May 25, 2018.

Linspire Server 2018 was released this week. Linspire Server is based on Ubuntu Server 16.04 and is intended for small to medium-size businesses and schools. It is free to download and use under a self-support license.

Generating Good Passwords, Part I

Dave starts a new method for generating secure passwords with the help of 1Password.

A while back I shared a script concept that would let you enter a proposed password for an account and evaluate whether it was very good (well, maybe "secure" would be a better word to describe the set of tests to ensure that the proposed password included uppercase, lowercase, a digit and a punctuation symbol to make it more unguessable).

Since then, however, I've really been trying personally to move beyond mnemonic passwords of any sort to those that look more like gobbledygook. You know what I mean—passwords like fRz3li,4qDP? that turn out to be essentially random and, therefore, impossible to crack using any sort of dictionary attack.

Aiding me with this is the terrific password manager 1Password. You can learn more about it here, but the key feature I'm using is a combination of having it securely store my passwords for hundreds of websites and having a simple and straightforward password generator feature (Figure 1).

Figure 1. 1Password Password Generation System

If I'm working on the command line, however, why pop out to the program to get a good password? Instead, a script can do the same thing, particularly if I again tap into the useful $RANDOM shortcut for generating random numbers.

Generating Secure Passwords

The easiest way to fulfill this task is to have a general-purpose approach to generating a random element from a specific set of possibilities. So, a random uppercase letter might be generated like this:


uppers="ABCDEFGHIJKLMNOPQRSTUVWXYZ"

letter=${uppers:$(( $RANDOM % 26 )):1}

The basic notational convention used here is the super handy Bash shell variable slicing syntax of:


${variable:startpoint:charcount}

To get the first character only of a variable, for example, you can simply reference it as follows (the start point counts from zero):


${variable:0:1}

That's easy enough. Instead of a fixed reference number, however, I'm using $(( $RANDOM % 26 )) as a way to generate a value between 0–25 that's different each time.

Add strings that contain all the major character classes you seek and you've got a good start:


lowers="abcdefghijklmnopqrstuvwxyz"
digits="0123456789"
punct="()./?;:[{]}|=+-_*&^%$#@!~"  # skip quotes
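An added example, not code from the original article: the same pick-one-character-from-a-set approach, but drawing its randomness from /dev/urandom, because Bash's $RANDOM is a 15-bit value from a non-cryptographic generator and a plain modulo over it is slightly biased. The function names (rand_below, pick_from, gen_password) are illustrative, and the punctuation set is single-quoted here so the shell leaves $# literal.

```bash
#!/usr/bin/env bash
# Added example (not from the article): password generator drawing from
# /dev/urandom instead of $RANDOM. Function names are illustrative.
uppers="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
lowers="abcdefghijklmnopqrstuvwxyz"
digits="0123456789"
# Single quotes: inside double quotes the shell would expand $# (argument count).
punct='()./?;:[{]}|=+-_*&^%$#@!~'

# rand_below N: print a uniform integer in [0, N), for 1 <= N <= 256.
# Bytes at or above the largest multiple of N are rejected, so the
# modulo introduces no bias toward low indexes.
rand_below() {
  local n=$1 limit byte
  limit=$(( 256 - 256 % n ))
  while :; do
    byte=$(od -An -N1 -tu1 /dev/urandom | tr -d ' \n')
    [[ -n $byte ]] || return 1          # no entropy source available
    if (( byte < limit )); then
      echo $(( byte % n ))
      return
    fi
  done
}

# pick_from SET: print one random character of SET via ${var:start:count};
# ${#pool} is the number of characters in the set.
pick_from() {
  local pool=$1
  printf '%s' "${pool:$(rand_below "${#pool}"):1}"
}

# gen_password LEN: one character from each class, the rest from the
# union, then a Fisher-Yates shuffle so class positions are not fixed.
gen_password() {
  local len=${1:-16} all="$uppers$lowers$digits$punct" i j tmp out=""
  (( len >= 4 && len <= 256 )) || { echo "length must be 4..256" >&2; return 1; }
  local -a chars=("$(pick_from "$uppers")" "$(pick_from "$lowers")"
                  "$(pick_from "$digits")" "$(pick_from "$punct")")
  for (( i = 4; i < len; i++ )); do chars+=("$(pick_from "$all")"); done
  for (( i = len - 1; i > 0; i-- )); do
    j=$(rand_below $(( i + 1 )))
    tmp=${chars[i]}; chars[i]=${chars[j]}; chars[j]=$tmp
  done
  for tmp in "${chars[@]}"; do out+=$tmp; done
  printf '%s\n' "$out"
}
```

Calling gen_password 20 prints one 20-character password; with no argument the length defaults to 16.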

To get even fancier, there's another notation ${#variable} that returns the number of characters in a variable, so the following shows that there are 24 characters in that particular string:

Thunderbird and the Recent #EFAIL Vulnerability, Fedora Urges Users to Update DHCP Packages, Kernel Updates and More

News briefs for May 16, 2018.

Mozilla has come out discouraging folks from disabling encryption within the Thunderbird email client regarding the recent #EFAIL vulnerability. Mozilla is also providing notes on how to best protect yourself.

The Fedora team is pushing its users to update their DHCP packages addressing a recently discovered flaw (CVE-2018-1111). Fixes are available for versions 26, 27, 28 and Rawhide.

Yesterday, Canonical released an official statement regarding the malware discovered in the Ubuntu Snap Store, stating how this always was going to be a challenge since launch and how the company is now committing itself to better security and trust of the published applications.

Earlier this morning, the kernel development team pushed the following updates: 4.16.9, 4.14.41, 4.9.100, 4.4.132 and 3.18.109. See the Linux Kernel Archives website for more information.