Bug

Linux Glibc Security Fix Created a Nastier Linux Bug (zdnet.com) 74

A fix that was made in early June to the GNU C Library (glibc) introduced a new and nastier problem. Steven J. Vaughan-Nichols writes via ZDNet: The first problem wasn't that bad. As Siddhesh Poyarekar, a Red Hat principal software engineer wrote, "In order to mount a minimal attack using this flaw, an attacker needs many pre-requisites to be able to even crash a program using this mq_notify bug." Still, it needed patching and so it was fixed. Alas, the fix contained an even nastier bug. While checking the patch, Nikita Popov, a member of the CloudLinux TuxCare Team, found the problem. It turns out that it is possible to cause a situation where a segmentation fault could be triggered within the library. This can lead to any application using the library crashing. This, of course, would cause a Denial-of-Service (DoS) issue. This problem, unlike the earlier one, would be much easier to trigger. Whoops.

Red Hat gives the problem in its Common Vulnerability Scoring System (CVSS) a score of 7.5, which is "high." An attack using it would be easy to build and requires no privileges to be made. In short, it's bad news. Popov himself thinks "every Linux application including interpreters of other languages (python, PHP) is linked with glibc. It's the second important thing after the kernel itself, so the impact is quite high." [...] The good news is both the vulnerability and code fix have been submitted to the glibc development team. It has already been incorporated into upstream glibc.

In addition, a new test has been submitted to glibc's automated test suite to pick up this situation and prevent it from happening in the future. The bottom line is that sometimes changes in unrelated code paths can lead to behaviors changing elsewhere without the programmer realizing what's going on. This test will catch this situation. The Linux distributors are still working out the best way to deploy the fix. In the meantime, if you want to be extra careful -- and I think you should be -- you should upgrade to the newest stable version of glibc 2.34 or higher.
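A check added here, not from the ZDNet article: the helper below reads the running glibc's version and compares it against the 2.34 floor quoted above. One caveat a practitioner should keep in mind: distributions normally backport the fix into the glibc package they already ship rather than moving to 2.34, so a version string below 2.34 is not by itself evidence of exposure, and the distribution's advisory for the glibc package is the authoritative source. The function names `version_at_least`, `installed_glibc_version` and `check_glibc_floor` are mine.

```shell
#!/bin/sh
# Added check, not code from the article. Compares the installed glibc version
# with a required minimum; the helper names are assumptions.

# version_at_least HAVE NEED -> exit status 0 if HAVE >= NEED.
# Compares major.minor numerically; a patch level such as 2.34.1 is ignored,
# since glibc releases are numbered major.minor.
version_at_least() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    have_major=${1%%.*}; need_major=${2%%.*}
    case $1 in *.*) have_minor=${1#*.}; have_minor=${have_minor%%.*} ;; *) have_minor=0 ;; esac
    case $2 in *.*) need_minor=${2#*.}; need_minor=${need_minor%%.*} ;; *) need_minor=0 ;; esac
    if [ "$have_major" -gt "$need_major" ]; then return 0; fi
    if [ "$have_major" -lt "$need_major" ]; then return 1; fi
    if [ "$have_minor" -ge "$need_minor" ]; then return 0; else return 1; fi
}

# Prints the running glibc version, e.g. "2.35". Prints nothing on systems
# whose libc is not glibc (musl-based distributions, for example).
installed_glibc_version() {
    v=$(getconf GNU_LIBC_VERSION 2>/dev/null | awk '{ print $2 }')
    [ -n "$v" ] || v=$(ldd --version 2>/dev/null | awk 'NR == 1 { print $NF }')
    printf '%s\n' "$v"
}

# check_glibc_floor [MIN]  -> 0 if the upstream floor is met, 1 if not,
# 2 if glibc could not be detected. Default floor is the 2.34 from the article.
check_glibc_floor() {
    floor=${1:-2.34}
    have=$(installed_glibc_version)
    if [ -z "$have" ]; then
        echo "glibc not detected (non-glibc libc?)"
        return 2
    elif version_at_least "$have" "$floor"; then
        echo "glibc $have >= $floor: upstream fix present"
        return 0
    else
        echo "glibc $have < $floor: check your distribution's advisory; the fix is usually backported"
        return 1
    fi
}
```

Run `check_glibc_floor` on the host; a non-zero status only means "not the upstream release that carries the fix", which is why the message points to the distribution advisory rather than declaring the host vulnerable.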

Debian

Debian 11 'Bullseye' Released As Stable (debian.org) 40

"One of the oldest and most renowned distributions of Linux has been released!" writes Slashdot reader Washuu2. Phoronix reports it took "just over two years in development." Debian 11 brings many new features as outlined this morning with the big upgrade to Linux 5.10 LTS, exFAT file-system support, control groups v2, yescrypt for password hashing, and a plethora of updated packages. GNOME 3.38, KDE Plasma 5.20, and Xfce 4.16 are among the desktop options for Debian 11.
Debian.org adds: Do you want to celebrate the release? We provide some bullseye artwork that you can share or use as base for your own creations. Follow the conversation about bullseye in social media via the #ReleasingDebianBullseye and #Debian11Bullseye hashtags...
Around the world, there were even several in-person and online release parties — with a few more upcoming!
Star Wars Prequels

At Disney World's Star Wars-Themed Hotel, a Weekend for Two Costs $4,800 (sfgate.com) 91

"If you've ever dreamed of living 'a long time ago in a galaxy far, far away,' now is your chance — as long as you've got a spare four to six thousand dollars sitting around," writes SFGate: This week, Walt Disney World announced more details about its new Galactic Starcruiser hotel opening in the spring, an immersive, two-day "Star Wars" experience that evokes the feeling of being in the movies. The tech will be more advanced than any other Disney experience, including Rise of the Resistance at Disneyland and the Star Wars: Galaxy's Edge lands... "Star Wars: Galactic Starcruiser is a revolutionary new 2-night experience where you are the hero," according to Walt Disney World's website. "You and your group will embark on a first-of-its-kind Star Wars adventure that's your own. It's the most immersive Star Wars story ever created — one where you live a bespoke experience and journey further into a Star Wars adventure than you ever dreamed possible."

There are lightsaber experiences, interstellar entertainment, characters hanging around and an overall feeling that you're closer to being in Star Wars than you've ever been in your life. The idea is that you're staying on a luxury space cruise, so immersive that the hotel's windows look out into "space" and you never leave the property unless it's to "board a transport" to Batuu, the land where Star Wars: Galaxy's Edge takes place. Admission to Hollywood Studios is included in the price, as is all of your food and non-alcoholic beverages. But really, for $4,809 for two nights' accommodations for two guests in a studio, they could throw in a space beer or two...

But then again, for some Star Wars fans, you can't put a price on total immersion in the fandom, from cast members acting as though they're really intergalactic travelers to the ability to make infinite Wookiee jokes free from the harsh judgements of people who wouldn't spend $4,000 to sleep in a "spaceship."

Earth

A Critical Ocean System May Be Heading For Collapse Due to Climate Change (sfgate.com) 110

The Washington Post reports: Human-caused warming has led to an "almost complete loss of stability" in the system that drives Atlantic Ocean currents, a new study has found — raising the worrying prospect that this critical aquatic "conveyer belt" could be close to collapse.

In recent years, scientists have warned about a weakening of the Atlantic Meridional Overturning Circulation (AMOC), which transports warm, salty water from the tropics to northern Europe and then sends colder water back south along the ocean floor. Researchers who study ancient climate change have also uncovered evidence that the AMOC can turn off abruptly, causing wild temperature swings and other dramatic shifts in global weather systems. Scientists haven't directly observed the AMOC slowing down. But the new analysis, published Thursday in the journal Nature Climate Change, draws on more than a century of ocean temperature and salinity data to show significant changes in eight indirect measures of the circulation's strength. These indicators suggest that the AMOC is running out of steam, making it more susceptible to disruptions that might knock it out of equilibrium, says study author Niklas Boers, a researcher at the Potsdam Institute for Climate Impact Science in Germany.

If the circulation shuts down, it could bring extreme cold to Europe and parts of North America, raise sea levels along the east coast of the United States and disrupt seasonal monsoons that provide water to much of the world.

"This is an increase in understanding . . . of how close to a tipping point the AMOC might already be," said Levke Caesar, a climate physicist at Maynooth University who was not involved in the study. Boers' analysis doesn't suggest exactly when the switch might happen. But "the mere possibility that the AMOC tipping point is close should be motivation enough for us to take countermeasures," Caesar said. "The consequences of a collapse would likely be far-reaching..." The new analysis suggests "the critical threshold is most likely much closer than we would have expected," Boers said...

[T]he apparent consequences of the AMOC slowing are already being felt. A persistent "cold blob" in the ocean south of Greenland is thought to result from less warm water reaching that region. The lagging Gulf Stream has caused exceptionally high sea level rise along the east coast of the United States. Key fisheries have been upended by the rapid temperature swings, and beloved species are struggling to cope with the changes. If the AMOC does completely shut down, the change would be irreversible in human lifetimes, Boers said. The "bi-stable" nature of the phenomenon means it will find new equilibrium in its "off" state. Turning it back on would require a shift in the climate far greater than the changes that triggered the shutdown.

"It's one of those events that should not happen, and we should try all that we can to reduce greenhouse gas emissions as quickly as possible," Boers said. "This is a system we don't want to mess with."

Linux

Steam Survey Shows Linux Marketshare Hitting 1.0% (phoronix.com) 73

According to Steam Survey numbers for July 2021, Steam on Linux hit a 1.0% marketshare, or a +0.14% increase over the month prior. Phoronix reports: This is the highest we have seen the Steam on Linux marketshare in a number of years and well off the lows prior to introducing Steam Play (Proton) since which point there has been the gradual increase in marketshare. Back when Steam on Linux first debuted there was around a 2% marketshare for Linux before gradually declining. Back when Steam first debuted for Linux, the overall Steam customer base was also much smaller than it is today.

While many believe the Steam Survey is inaccurate or biased (or just buggy towards prompting Linux users to participate in the survey), these initial numbers for July are positive in hitting the 1.0% mark after largely floating around the 0.8~0.9% mark for most of the past three years. The Steam Deck isn't shipping until the end of the year so we'll see how the number fluctuates to that point.

AMD

AMD and Valve Working On New Linux CPU Performance Scaling Design (phoronix.com) 10

Along with other optimizations to benefit the Steam Deck, AMD and Valve have been jointly working on CPU frequency/power scaling improvements to enhance the Steam Play gaming experience on modern AMD platforms running Linux. Phoronix reports: It's no secret that the ACPI CPUFreq driver code has at times been less than ideal on recent AMD processors with delivering less than expected performance/behavior with being slow to ramp up to a higher performance state or otherwise coming up short of disabling the power management functionality outright. AMD hasn't traditionally worked on the Linux CPU frequency scaling code as much as Intel does to their P-State scaling driver and other areas of power management at large. AMD is ramping up efforts in these areas including around the Linux scheduler given their recent hiring spree while it now looks like thanks to the Steam Deck there is renewed interest in better optimizing the CPU frequency scaling under Linux.

AMD and Valve have been working to improve the performance/power efficiency for modern AMD platforms running on Steam Play (Proton / Wine) and have spearheaded "[The ACPI CPUFreq driver] was not very performance/power efficiency for modern AMD platforms...a new CPU performance scaling design for AMD platform which has better performance per watt scaling on such as 3D game like Horizon Zero Dawn with VKD3D-Proton on Steam." AMD will be presenting more about this effort next month at XDC. It's quite possible this new effort is focused on ACPI CPPC support with the previously proposed AMD_CPUFreq. Back when Zen 2 launched in 2019, AMD did post patches for their new CPUFreq driver that leveraged ACPI Collaborative Processor Performance Controls but the driver was never mainlined nor any further iterations of the patches posted. When inquiring about that work a few times since then, AMD has always said it's been basically due to resource constraints that it wasn't a focus at that time. Upstream kernel developers also voiced their preference to seeing AMD work to improve the generic ACPI CPPC CPUFreq driver code rather than having another vendor-specific solution. It's also possible AMD has been working on better improvements around the now-default Schedutil governor for scheduler utilization data in making CPU frequency scaling decisions.

IT

New Startup 'Sentral' Pushes High-End Rental/Homesharing Apartments (seattlepi.com) 56

A new $500 million startup is now offering high-end apartments for short- and long-term rentals in America's "most vibrant, walkable neighborhoods". (And long-term renters can also avail themselves of its "turn-key homesharing program" to offset some of their rent.)

The Seattle Post-Intelligencer says it's "aimed mainly at tech workers, nomadic independent contractors and other folks whose work is no longer tied to a specific location." [A]menities might include workspaces offering private and collaborative office space. Inside the units themselves, residents might find work-from-home perks like adjustable height desks and ergonomic chairs. And let's not forget that work-life balance: Sentral buildings offer rooftop pools, outdoor kitchens and fire pits, gyms, photo booths, theaters, and more — as well as offering a plethora of curated events to its residents...

The folks behind the idea are savvy: CEO Jon Slavet is formerly of WeWork and Rodan + Fields. Michael Curtis, formerly VP of Engineering at Airbnb is now a strategy advisor at Sentral...

The price to lease at Sentral, given the amenities, isn't much higher than regular rent prices in the major cities it serves. The LIVE program offers designer-furnished homes for stays over 30 days starting at $2,500 a month. For comparison purposes, a studio in downtown Seattle listed on Craigslist (with none of the bling offered at Sentral) is asking $1,890 a month.

Sentral operates now in seven cities, including LA, Austin, Chicago, Seattle, Denver and Miami. An Atlanta location is next up, with more growth planned.

Sentral's press release calls them seven "vibrant gateway cities... a launchpad to explore the country's most exciting neighborhoods" (assisted by "a world-class onsite team that fosters a true sense of community"). Sentral enables residents to live or visit stylish buildings in the nation's most coveted cities for any period of time, whether a night, a month, or multiple years. Qualifying residents can also monetize their homes through Sentral's managed homeshare program... From the city registration process to logistical details such as housekeeping, insurance, photography, contactless check-in, and around-the-clock service, Sentral's turn-key platform makes homesharing seamless for hosts, enhancing their financial freedom and fueling their ability to travel and explore.
A recent tweet calls it "the future of living," while the company's new web site promises it offers "The comforts you crave + the freedom to travel."

"There has been a massive shift to a 'work-from-anywhere' culture that is blurring the lines among home, work, and travel," argues CEO Jon Slavet in Sentral's press release. And the lavish press release ends by saying that the company "is creating a global community of modern adventurers with the freedom to monetize their homes, explore their passion for travel, and live life on their own terms."
Japan

Iconic Japanese Videogame Music Incorporated Into Olympic Opening Ceremony (huffpost.com) 23

"Fans of Japanese video games couldn't believe their ears as Olympic athletes paraded into Tokyo's National Stadium during the opening ceremony for the 2020 Games on Friday..." reports the Huffington Post. During the Parade of Nations section of the ceremony, "The orchestra was playing tunes from some of their favorite games." In a celebration of Japanese popular culture that is appreciated worldwide, the entry parade was set to tunes from games developed by Sega, Capcom and Square Enix. It kicked off with "Overture: Roto's Theme" from Dragon Quest. Next up was "Victory Fanfare" from Final Fantasy. The parade featured more tunes from Monster Hunter, Soulcalibur and Sonic the Hedgehog. According to Classic FM, the music from Kingdom Hearts was composed by Yoko Shimomura, who is responsible for the music for some of the biggest video games ever made. Fans were delighted to hear her work being incorporated into the ceremony.

While the list didn't feature widely recognized tunes from cultural juggernauts like Mario Bros. or The Legend of Zelda, the music helped give a sense of atmosphere to the ceremony, which was held in almost an empty stadium due to coronavirus restrictions.

There's even an elaborate doodle at Google.com commemorating the Opening Ceremonies with an anime animation that leads to a multi-level 1980s-style videogame in which Lucky the cat competes in various sporting events. (Though the Huffington Post notes that in the real world, about 1,000 people sat in the 68,000-capacity stadium.)

The Washington Post reports the Japanese public "overwhelmingly opposed hosting the Olympics as a new wave of the pandemic hit the country." But unfortunately, host city Tokyo signed a contract agreeing the event could only be cancelled by the International Olympic Committee, and now "There's the possibility — once utterly remote — that Japanese voters could kick Prime Minister Yoshihide Suga out of power in parliamentary elections later this year."
Iphone

LG Might Sell iPhones In Its Stores After Quitting Android Devices (androidauthority.com) 20

LG will reportedly start selling iPhones and iPads in its South Korean stores this August -- mere months after the company quit making Android devices. Android Authority reports: According to MacRumors, the Herald Economic Daily claims LG has struck a deal with Apple to sell the iPhone and iPad in 400 stores across South Korea starting in August. LG may have to overcome some hurdles to make this happen. The company reportedly signed a "win-win" agreement with the country's National Mobile Communication Distribution Association that bars it from selling a direct competitor's phones in its stores. That deal was made in 2018, however, or well before LG signaled that it would quit making phones and tablets. LG is supposedly planning to renegotiate the agreement once it officially sells the iPhone and iPad in its shops. The deal unsurprisingly wouldn't include Macs, as systems like the MacBook Air compete directly with the Gram series and other LG computers where the iPhone and iPad are relatively safe.
Government

Tahoe's Workforce is Disappearing, As Many Can No Longer Afford to Live There (sfgate.com) 181

200 miles east of Silicon Valley, "A disproportionate number of people who purchased homes in Tahoe in 2020 are employees of some of the largest tech companies in the Bay Area," a real estate brokerage firm specializing in data analytics recently told Outside magazine.

Of the 2,280 new-home buyers Atlasa identified throughout the Tahoe region in 2020, roughly 30 percent worked at software companies. The top three employers were Google (54 buyers), Apple (46), and Facebook (34)... There is, however, one glaring issue with all this rapid, high-priced growth: the people who actually make a mountain town run — the ski instructors and patrollers, lift operators and shuttle drivers, housekeepers and snowcat mechanics, cooks and servers — can no longer afford to live there.
Just last year Sierra Sotheby's found more than 2,350 homes were sold across the Tahoe Basin, for a boggling $3.28 billion (up 86% from the $1.76 billion in 2019), according to the article, which calls the popular tele-working destination a "Zoom town."

Now the region's heading into its summer tourist season — but "with a shorthanded workforce, businesses are unraveling," like the restaurant that simply closed for a week because "We literally do not have enough cooks to operate..." The evidence is showing up in the ways businesses are cutting back during the peak of the busiest time of year, a time when small business owners in Tahoe typically are trying to make as much money as possible so they can survive the slower times of year...

While the hiring crisis spans far and wide across the nation, in Tahoe, the linchpin is housing. At Tahoe Dave's, Dave Wilderotter, the owner of Tahoe Dave's Skis and Boards, starts his employees at $20 an hour. Most of his employees make too much money to qualify for affordable housing. But they don't make enough money to pay Tahoe's rent prices, which have risen by 25% to 50% in the past year. Tahoe's workforce is disappearing because many of them cannot afford to live here any more... Making matters worse, Tahoe's already minimal long-term rental housing stock is getting eaten up by the very hot real estate market. Many landlords are selling homes they've been renting to local workers, leaving those tenants without many options...

"This isn't just tourism that's being hit," says Alex Mourelatos, a business owner on Tahoe's North Shore who also serves on multiple boards for the North Tahoe Public Utility District and nonprofit groups. "It's every service industry. Every industry across people, dentistry, legal, everything, Planned Urban Developments, all the special districts, firemen, teachers, all of them." The hiring crisis has even affected critical services like public transportation. Bus drivers are so hard to come by that the Tahoe Transportation District made the unprecedented decision to shut down an entire bus route down the East Shore.

The district had shuttles but no one to steer the wheel.

Programming

New Study Verifies Safety of Rust (eurekalert.org) 132

Slashdot reader Beeftopia writes: Rust has two modes: its default, safe mode, and an unsafe mode. In its default, safe mode, Rust prevents memory errors, such as "use-after-free" errors. It also prevents "data races," which are unsynchronized accesses to shared memory. In its unsafe mode (via use of the "unsafe" block), in which some of its APIs are written, it allows the use of potentially unsafe C-style features. The key challenge in verifying Rust's safety claims is accounting for the interaction between its safe and unsafe code. This article from April's issue of Communications of the ACM provides an overview of Rust and investigates its safety claims.
The article is co-authored by Ralf Jung, a prominent postdoctoral researcher in the 'Foundations of Programming' research group at the Max Planck Institute for Software Systems. And (spoiler alert) Jung has just received one of two 'Honorable Mentions' for the 'Dissertation Award' of the 'Association for Computing Machinery' (ACM), reports a nonprofit site operated by the American Association for the Advancement of Science: In his dissertation, Ralf Jung now provides the first formal proof that the safety promises of Rust actually hold. "We were able to verify the safety of Rust's type system and thus show how Rust automatically and reliably prevents entire classes of programming errors," says Ralf Jung.

In doing so, he also successfully addressed a special aspect of the programming language: "The so-called 'type safety' goes hand in hand with the fact that Rust imposes restrictions on the programmer and does not allow everything that the programmer wants to do. Sometimes, however, it is necessary to write an operation into the code that Rust would not accept because of its type safety," the computer scientist continues. "This is where a special feature of Rust comes into play: programmers can mark their code as 'unsafe' if they want to achieve something that contradicts the programming language's safety precautions. Together with international collaborators, including my thesis advisor Derek Dreyer, we developed a theoretical framework that allows us to prove that Rust's safety claims hold despite the possibility of writing 'unsafe' code," Jung says.

This proof, called RustBelt, is complemented by Ralf Jung with a tool called Miri, with which 'unsafe' Rust code can be automatically tested for compliance with important rules of the Rust specification - a basic requirement for correctness and safety of this code. "While RustBelt was a great success, especially in academic circles, Miri is already established in industry as a tool for security testing of programs written in Rust," explains Ralf Jung.... The ACM states: "Through Jung's leadership and active engagement with the Rust Unsafe Code Guidelines working group, his work has already had profound impact on the design of Rust and laid essential foundations for its future."
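An added example, not code from the CACM article, from RustBelt or from Miri, showing the pattern the proof is about: a function with a safe signature whose body needs `unsafe`, and whose soundness rests on a check the type system cannot perform for it. `split_at_mut` mirrors the standard library function of the same name (safe Rust cannot hand out two `&mut` borrows into one slice, so an unsafe block is unavoidable); `split_at_mut_unchecked` and `swap_halves` are illustrative names of mine. The contrast the text draws is the third variant, not written out here: the same body with the assert removed but the `pub fn` signature kept would compile, would be "safe" to call from anywhere, and would be exactly the kind of unsound unsafe code Miri flags when a test passes a `mid` larger than the slice.

```rust
use std::slice;

/// Split a slice into two disjoint mutable halves without checking `mid`.
///
/// # Safety
/// `mid` must be `<= values.len()`. Otherwise the second half starts past the
/// allocation and the call is undefined behaviour. Putting `unsafe` in the
/// signature is what makes the caller, not this function, responsible for that.
pub unsafe fn split_at_mut_unchecked<T>(values: &mut [T], mid: usize) -> (&mut [T], &mut [T]) {
    let len = values.len();
    let ptr = values.as_mut_ptr();
    // SAFETY (caller's contract): mid <= len, so [0, mid) and [mid, len) are
    // both in bounds and do not overlap, which is what two simultaneously live
    // `&mut` slices require. Overlap here would be an aliasing violation, the
    // same class of bug as a data race, with no compiler diagnostic.
    unsafe {
        (
            slice::from_raw_parts_mut(ptr, mid),
            slice::from_raw_parts_mut(ptr.add(mid), len - mid),
        )
    }
}

/// The safe API: the one runtime check below is the whole soundness argument.
/// Callers written in safe Rust get two provably disjoint halves and never
/// see a raw pointer.
pub fn split_at_mut<T>(values: &mut [T], mid: usize) -> (&mut [T], &mut [T]) {
    let len = values.len();
    assert!(mid <= len, "mid {mid} out of bounds for slice of length {len}");
    // SAFETY: the assert above establishes the unchecked function's contract.
    unsafe { split_at_mut_unchecked(values, mid) }
}

/// Entirely safe caller: it relies on the halves being distinct without
/// knowing anything about the pointer arithmetic that produced them.
pub fn swap_halves(values: &mut [u32]) {
    let mid = values.len() / 2;
    let (left, right) = split_at_mut(values, mid);
    for (l, r) in left.iter_mut().zip(right.iter_mut()) {
        std::mem::swap(l, r);
    }
}

fn main() {
    let mut data = [1u32, 2, 3, 4, 5, 6];
    swap_halves(&mut data);
    println!("{data:?}"); // [4, 5, 6, 1, 2, 3]
}
```

To see the Miri side of the story, run the tests under it (`cargo +nightly miri test`): the checked version passes, and a test that calls the unchecked version with `mid > len` inside an `unsafe` block is reported as out-of-bounds pointer arithmetic rather than silently reading past the buffer the way a native run might.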

Programming

Could Python Overtake C and Java as the Most Popular Programming Language? (zdnet.com) 170

The TIOBE index of programming language popularity celebrates 20 years of continuous publishing this month. Started as a hobbyist project back in 2001, the site estimates each programming language's popularity by counting search engine results for the phrase <language> programming (indirectly counting each listing for developers, courses, and third-party vendors).

When it was started 20 years ago, the top languages were Java, C, and C++.

20 years later, the top languages are now C, Java, Python, and C++

And "The difference between position 1 and position 3 is only 0.67%." This means that the next few months will be exciting. What language is going to win this battle? Python seems to have the best chances to become number 1, thanks to its market leadership in the booming field of data mining and artificial intelligence.
ZDNet also noted the trends: Searches for C were down 4.83 percentage points compared to last July. Java searches were down 3.93% over the period, while Python gained 1.86%.

The top 10 languages behind C, Java and Python are C++, C#, Visual Basic, JavaScript, PHP, Assembly Language, and SQL.

But they also have this to say about TIOBE's calculations: It's a different methodology to developer analyst RedMonk, which looks at language usage on software projects hosted on GitHub and discussions on the developer Q&A site, Stack Overflow.

RedMonk's Q1 2021 rankings place JavaScript in top place, followed by Python and Java.


Other interesting moves this month:
  • C++ gained more than 0.5% getting closer to the top 3
  • Rust rose from #30 to #27
  • Go rose from #20 to #13
  • TypeScript rose from #45 to #37
  • Haskell rose from #49 to #39

United States

No Evidence of California Exodus Or 'Millionaire Flight', UC Research Project Finds (sfgate.com) 451

Charlotte Web shares a report from SFGate: Despite the popular belief that residents are fleeing California, there is not in fact a statewide exodus, new research out of the University of California finds. For one, while residents are moving out of state, they are not doing so at "unusual rates." Similarly, the research found no evidence of "millionaire flight" from California and notes that the state continues to attract as much venture capital as all other U.S. states combined, despite the recent exodus of Hewlett-Packard and Oracle. The report did reveal net migration out of San Francisco during the pandemic. However, about two-thirds of people who left the city remained in the Bay Area, while 80% stayed in California, which is consistent with earlier trends...

A recent survey by UC San Diego, included in the project, found that the percentage of Californians who plan to leave the state has remained static for two years. In fact, only 23% of California voters said they were seriously considering leaving the state, which is lower than the 24% who said the same in a 2019 survey conducted by UC Berkeley. [...] The myth of "millionaire flight" from California, the project also found, is just that -- a myth. Affluent Californians were actually more satisfied with the direction the state is going and very likely to believe it will be better when their children grow up. Likewise, an analysis of almost two decades of Franchise Tax Board data by Stanford University and Cornell University found that there has been no millionaire flight from California, despite recent tax increases levied on higher earners.
"From housing affordability to post-pandemic recovery, California is faced with solving a daunting number of existential challenges. To help inform those important public discussions, UC assembled many of the state's top researchers to provide a data-driven understanding of California's population trends," said UC Regent John A. Perez in a press release.

"Sliced and diced by geography, race, income and other demographic factors, our efforts have produced a clearer picture of who perceives California as the Golden State versus a failed state," he continued. "The empirical data will be, at once, disappointing to those who want to write California's obituary, as well as a call to action for policymakers to address the challenges that have caused some to lose faith in the California Dream."
United States

America Used Fewer Fossil Fuels In 2020 Than It Has In Three Decades (theverge.com) 177

Americans gobbled up fewer fossil fuels in 2020 than they have in three decades, according to the U.S. Energy Information Administration (EIA). The Verge reports: Consumption of petroleum, natural gas, and coal dropped by 9 percent last year compared to 2019, the biggest annual decrease since the EIA started keeping track in 1949. The COVID-19 pandemic was responsible for much of the fall as people stayed home to curb the spread of the virus and used less gas. In April 2020, oil prices nosedived below zero because there was so little demand. The U.S. transportation sector alone used up 15 percent less energy in 2020 compared to the year before. Higher temperatures last winter also helped to cut energy demand for heating, according to the EIA. As a result, greenhouse gas emissions from burning fossil fuels plummeted to a near 40-year low.

That downward trend will have to continue in order to stave off the climate crisis. Upon rejoining the Paris climate agreement, President Joe Biden committed the U.S. to slash its planet-heating pollution in half this decade from near-peak levels it reached in 2005. That's part of a global effort to keep global warming from surpassing a point that life on Earth would struggle to adapt to, a global average temperature that's roughly 1.5 degrees Celsius above preindustrial levels. To hit that goal, there should be no further investments in new fossil fuel projects, according to a recent landmark report from the International Energy Agency. The oil and gas industries are already feeling the crunch from lawsuits and activist investors forcing them to move faster toward more sustainable forms of energy.

Earth

San Francisco Startup Hopes to Open Sushi Bar Serving Lab-Grown Salmon (sfchronicle.com) 58

The San Francisco Chronicle reports on a startup named Wildtype that hopes to open a unique sushi bar this fall serving salmon grown in a lab: Like other alternative meat companies, Wildtype hopes it can eventually produce enough fish to be sold at grocery stores and to be served in dishes at Bay Area restaurants... Companies like Wildtype fall into the category of what's known as cell-based agriculture, where instead of plant-based alternatives, animal cells are used to create cuts of meat in a lab. In the case of Wildtype, the company is still working with the same salmon cells it acquired a few years ago to create fish in its lab. These salmon cells are then fed nutrients in the tank before they are harvested and affixed to plant-based structures that enable the cells to grow into a particular cut of the fish.

From the cell stage to harvesting, it can take between three weeks and three months, said Elfenbein. Conventional fish farming can often take upwards of a year before the fish can be harvested...

The company is still working to get approval from the U.S. Food and Drug Administration to open its sushi bar to the public, though Kolbeck is hopeful that might happen by the end of this year. Unlike plant-based meat substitutes like Impossible Foods and Beyond Beef, which have skyrocketed in popularity in recent years, cell-based, lab-grown meat products have yet to be approved for mass consumption by the FDA and the U.S. Department of Agriculture. Bay Area companies like Eat Just, Wildtype and Berkeley's Upside Foods are among a growing number of companies nationwide looking to make lab-grown meat go mainstream in an effort to counter the environmental impacts of traditional meat production. In December last year, the Singapore government approved the sale of Eat Just's lab-grown chicken, making it the first country in the world to approve such meat consumption on a commercial scale...

Wildtype hasn't been able to mass-produce quite yet. The Dogpatch production facility is hoping to produce 50,000 pounds per year in the near future, with plans to expand to 200,000 pounds per year in a larger space down the road, Kolbeck said.

Facebook

Apps With 5.8 Million Google Play Downloads Stole Users' Facebook Passwords (arstechnica.com) 35

An anonymous reader quotes a report from Ars Technica: Google has given the boot to nine Android apps downloaded more than 5.8 million times from the company's Play marketplace after researchers said these apps used a sneaky way to steal users' Facebook login credentials. In a bid to win users' trust and lower their guard, the apps provided fully functioning services for photo editing and framing, exercise and training, horoscopes, and removal of junk files from Android devices, according to a post published by security firm Dr. Web. All of the identified apps offered users an option to disable in-app ads by logging into their Facebook accounts. Users who chose the option saw a genuine Facebook login form containing fields for entering usernames and passwords.

Then, as Dr. Web researchers wrote: "These trojans used a special mechanism to trick their victims. After receiving the necessary settings from one of the C&C servers upon launch, they loaded the legitimate Facebook web page https://www.facebook.com/login... into WebView. Next, they loaded JavaScript received from the C&C server into the same WebView. This script was directly used to hijack the entered login credentials. After that, this JavaScript, using the methods provided through the JavascriptInterface annotation, passed stolen login and password to the trojan applications, which then transferred the data to the attackers' C&C server. After the victim logged into their account, the trojans also stole cookies from the current authorization session. Those cookies were also sent to cybercriminals. Analysis of the malicious programs showed that they all received settings for stealing logins and passwords of Facebook accounts. However, the attackers could have easily changed the trojans' settings and commanded them to load the web page of another legitimate service. They could have even used a completely fake login form located on a phishing site. Thus, the trojans could have been used to steal logins and passwords from any service."

The majority of the downloads were for an app called PIP Photo, which was accessed more than 5.8 million times. The app with the next greatest reach was Processing Photo, with more than 500,000 downloads. The remaining apps were: Rubbish Cleaner: more than 100,000 downloads; Inwell Fitness: more than 100,000 downloads; Horoscope Daily: more than 100,000 downloads; App Lock Keep: more than 50,000 downloads; Lockit Master: more than 5,000 downloads; Horoscope Pi: 1,000 downloads; and App Lock Manager: 10 downloads. A search of Google Play shows that all apps have been removed from Play.

Data Storage

Another Exploit Hits WD My Book Live Owners (tomshardware.com) 50

While it will come as no comfort to those who had their Western Digital My Book Live NAS drives wiped last week, it seems they were attacked by a combination of two exploits, and possibly caught in the fallout of a rivalry between two different teams of hackers. Tom's Hardware reports: Initially, after the news broke on Friday, it was thought a known exploit from 2018 was to blame, allowing attackers to gain root access to the devices. However, it now seems that a previously unknown exploit was also triggered, allowing hackers to remotely perform a factory reset without a password and to install a malicious binary file. A statement from Western Digital, updated today, reads: "My Book Live and My Book Live Duo devices are under attack by exploitation of multiple vulnerabilities present in the device ... The My Book Live firmware is vulnerable to a remotely exploitable command injection vulnerability when the device has remote access enabled. This vulnerability may be exploited to run arbitrary commands with root privileges. Additionally, the My Book Live is vulnerable to an unauthenticated factory reset operation which allows an attacker to factory reset the device without authentication. The unauthenticated factory reset vulnerability [has] been assigned CVE-2021-35941."

Analysis of WD's firmware suggests that code meant to prevent the issue had been commented out by WD itself, preventing it from running, and that an authentication type was not added to component_config.php, which results in the drives not asking for authentication before performing the factory reset. The question then arises of why one hacker would use two different exploits, particularly an undocumented authentication bypass when they already had root access through the command injection vulnerability, with venerable tech site Ars Technica speculating that more than one group could be at work here, with one bunch of bad guys trying to take over, or sabotage, another's botnet.

Western Digital advises users to disconnect their device(s) from the internet. They are offering data recovery services beginning in July, and a trade-in program to switch the obsolete My Book Live drives for more modern My Cloud devices.

Emulation (Games)

Near, Creator of the Higan and Bsnes Emulators, Has Died (pcgamer.com) 245

Hmmmmmm shares a report from PC Gamer: Near, also known by their username Byuu, the creator of several groundbreaking videogame emulators and a recent celebrated translation of JRPG Bahamut Lagoon, has died by suicide. Near posted a thread on Twitter explaining how they were affected by a campaign of harassment organized against them on the Kiwi Farms forum. Subsequently, Hector Martin, an IT consultant and Linux hacker, posted a message about Near from a mutual friend (CW: contains explicit details of Near's method of suicide) and said that they had confirmed Near's death with police in a follow-up tweet. The linked document also focuses on the Kiwi Farms forum and the doxing and harassing of Near and their friends.

Near's bsnes was the first Super Nintendo emulator with 100% compatibility, and higan is a multi-system emulator supporting 26 different devices including the NES, SNES, Game Boy and Game Boy Advance, Sega Master System and Genesis/Mega Drive, and PC Engine. If you've played any of the indie games influenced by EarthBound, aka Mother 2, then odds are good that game's designer had a copy of EarthBound open in higan for reference. Parts of the emulator created to keep Stephen Hawking's voice synthesizer working in the final years of the famous physicist's life were even borrowed from higan's open source code.

Intel

Intel To Disable TSX By Default On More CPUs With New Microcode (phoronix.com) 46

Intel is going to be disabling Transactional Synchronization Extensions (TSX) by default for various Skylake through Coffee Lake processors with forthcoming microcode updates. Phoronix reports: Transactional Synchronization Extensions (TSX) have been around since Haswell for hardware transactional memory support and, going off Intel's own past numbers, can be around 40% faster in specific workloads or as much as 4~5 times faster in database transaction benchmarks. TSX issues have been found in the past, such as a possible side channel timing attack that could lead to KASLR being defeated and CVE-2019-11135 (TSX Async Abort) for an MDS-style flaw. Now in 2021 Intel is disabling TSX by default across multiple families of Intel CPUs from Skylake through Coffee Lake. [...] The Linux kernel is preparing for this microcode change as seen in the flow of new patches this morning for the 5.14 merge window.

A memory ordering issue is what is reportedly leading Intel to now deprecate TSX on various processors. There is this Intel whitepaper (PDF) updated this month that outlines the problem at length. As noted in the revision history, the memory ordering issue has been known to Intel since at least before October 2018, but only now in June 2021 are they pushing out microcode updates to disable TSX by default. The forthcoming microcode updates will effectively deprecate TSX for all Skylake Xeon CPUs prior to Stepping 5 (including Xeon D and 1st Gen Xeon Scalable), all 6th Gen Xeon E3-1500m v5 / E3-1200 v5 Skylake processors, all 7th/8th Gen Core and Pentium Kaby/Coffee/Whiskey CPUs prior to 0x8 stepping, and all 8th/9th Gen Core/Pentium Coffee Lake CPUs prior to 0xC stepping. That ultimately spans from various Skylake steppings through Coffee Lake; it was with 10th Gen Comet Lake and Ice Lake where TSX/TSX-NI was subsequently removed.

In addition to disabling TSX by default and force-aborting all RTM transactions by default, a new CPUID bit is being enumerated with the new microcode to indicate the force aborting of RTM transactions. It's due to that new CPUID bit that the Linux kernel is seeing patches. Previously Linux and other operating systems applied a workaround for the TSX memory ordering issue, but now when this feature is disabled, the kernel can drop said workaround. These patches are coming with the Linux 5.14 cycle and will likely be back-ported to stable too.
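As an added example that is not code from Phoronix, Intel or the kernel patches, the C program below decodes the CPUID bits this story turns on: the existing HLE and RTM bits in CPUID.(EAX=7,ECX=0):EBX and the RTM_ALWAYS_ABORT bit in EDX that the new microcode enumerates. The bit positions are taken from Linux's cpufeatures.h; the three state labels are this example's own.

```c
/* Added example (not from Phoronix or the kernel patches): decode the TSX bits of
 * CPUID.(EAX=7,ECX=0) per Linux cpufeatures.h: EBX[4]=HLE, EBX[11]=RTM, EDX[11]=RTM_ALWAYS_ABORT. */
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

enum tsx_state {
    TSX_ABSENT,      /* no HLE/RTM enumerated: TSX missing, or hidden by tsx=off / CPUID clear */
    TSX_ENABLED,     /* RTM or HLE enumerated and transactions run: exposed to the ordering issue */
    TSX_FORCE_ABORT  /* RTM_ALWAYS_ABORT set by new microcode: every RTM transaction aborts */
};
static const char *const tsx_state_names[] = { "absent-or-hidden", "enabled", "force-abort" };
struct tsx_cpuid { int hle, rtm, rtm_always_abort; };

/* Pure decoder, so it can be exercised on constructed register values. */
struct tsx_cpuid decode_tsx_cpuid(unsigned int ebx, unsigned int edx)
{
    struct tsx_cpuid c = { (ebx >> 4) & 1u, (ebx >> 11) & 1u, (edx >> 11) & 1u };
    return c;
}

enum tsx_state classify_tsx(struct tsx_cpuid c)
{
    if (c.rtm_always_abort) return TSX_FORCE_ABORT; /* checked first: RTM may still be enumerated */
    if (c.rtm || c.hle)     return TSX_ENABLED;
    return TSX_ABSENT;
}

/* Query the running CPU. Returns 1 on success, 0 when not x86 or leaf 7 is unavailable. */
int query_tsx_cpuid(struct tsx_cpuid *out)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (__get_cpuid_count(7, 0, &eax, &ebx, &ecx, &edx)) {
        *out = decode_tsx_cpuid(ebx, edx);
        return 1;
    }
#endif
    (void)out;
    return 0;
}

int main(void)
{
    struct tsx_cpuid c;
    if (!query_tsx_cpuid(&c)) { puts("CPUID leaf 7 not available on this host"); return 1; }
    printf("HLE=%d RTM=%d RTM_ALWAYS_ABORT=%d -> TSX %s\n",
           c.hle, c.rtm, c.rtm_always_abort, tsx_state_names[classify_tsx(c)]);
    return 0;
}
```

A host that still reports "enabled" after the vendor's microcode update has not picked up the change; "force-abort" is the state the 5.14 kernel patches key on before dropping the old workaround.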
