Bitcoin

Ted Cruz Says Bitcoin Mining Can Fix Texas' Crumbling Electric Grid (vice.com) 289

An anonymous reader quotes a report from Motherboard: Texas' energy grid has problems. Those issues were laid bare this past winter when a storm put the state in a deep freeze, causing blackouts for millions and killing hundreds of people. Sen. Ted Cruz told a cryptocurrency conference in Austin last week that he believes the state's Bitcoin mining boom could repair its floundering energy grid. In a fireside chat at the Texas Blockchain Summit on Oct. 8, the Republican senator expressed his faith that the mass buildout of crypto mines in the Lone Star State could add additional energy capacity to the state's grid in the event of blackouts or power shortages. "Because of the ability to Bitcoin mining to turn on or off instantaneously, if you have a moment where you have a power shortage or a power crisis, whether it's a freeze or some other natural disaster where power generation capacity goes down, that creates the capacity to instantaneously shift that energy to put it back on the grid," Cruz told conference attendees.

Bitcoin mines, which typically consist of rooms full of specialized computers that churn numbers all day in search of the answer to a puzzle that creates the next block on the blockchain, are notorious for their energy use. Bitcoin mining is well-known to use more energy than many countries and corporations, and it's designed to become more difficult (and thus use more energy) as more miners plug into the network in search of profits as the price of Bitcoin increases. But in the event that the grid is being overburdened, these mines are essentially industrial energy consumers that can shut down instantaneously, freeing up additional grid space for the heating and cooling of homes, hospitals, and other critical infrastructure. Already, some miners in Texas are making a killing by shutting down during such times and selling their contracted power supply back to the grid. Texas is the perfect candidate for this setup, Cruz said, and Bitcoin mining could play "a significant role [in] strengthening and hardening the resilience of the grid."
Tim De Chant from Ars Technica says the numbers and potential incentives that Sen. Ted Cruz touts "just don't add up." Here's why he thinks Cruz is wrong: First, large bitcoin-mining operations use hundreds or thousands of powerful computers, which create a demand for power. If power plants can profitably mine bitcoin using the electricity they generate -- and there are examples of that already -- it stands to reason that bitcoin mining could create enough demand that investors would be enticed to build new power plants. Those plants could theoretically be tasked with providing power to the grid in cases of emergency. At first glance, the argument holds up. But if you dig into it, even just a bit, things quickly fall apart.

For one, the blackouts during Texas' February cold snap happened because power companies failed to winterize their generators, whether they were natural gas, coal, nuclear, or wind. Lives were at stake, and yet the companies didn't prepare for the worst. Unlike power plants that serve the grid, bitcoin mining isn't critical infrastructure -- no one dies if a crypto data center shuts down. Plus, bitcoin miners are in the game first and foremost for the money, and they would be loath to spend extra cash to winterize their operations. But let's say the power stays on but demand surges. In that case, bitcoin miners would be unlikely to offer their generating capacity to the grid unless they were sufficiently compensated. Texas already has a system like that in place, offering generators a premium for bringing additional power online during shortages. During the February cold snap, wholesale electricity prices surged to $9,000 per MWh, the maximum allowed by law, leading to electricity bills as high as $10,000 for some people.

One bitcoin currently sells for $57,000, and to crunch the numbers to win that one bitcoin, mining rigs draw just under 0.285 MWh, based on Digiconomist estimates. In other words, for bitcoin miners to be willing to contribute to the grid, wholesale electricity prices would have to hit $206,000 per MWh, or nearly 23 times greater than prices during the February cold snap. Those $10,000 bills would turn into $230,000 bills. [...] At today's prices, the power plants that Ted Cruz is imagining would cost over $50 billion to build. At that price, there are probably more effective ways to stabilize Texas' grid.

Ubuntu

Canonical Releases Ubuntu Linux 21.10 Impish Indri 24

Following a brief beta-testing period, Ubuntu 21.10 has finally become available to download in the "final" stable form. BetaNews: Code-named "Impish Indri," this version of Ubuntu is not a Long Term Support (LTS) version, so it is only supported for nine months. Ubuntu 21.10 features Linux kernel 5.13 and a Snap variant of the Mozilla Firefox browser. "Ubuntu 21.10 brings the all-new PHP 8 and GCC 11 including full support for static analysis, greatly improving everyday developer security awareness in low-level programming. With Gnome 40 desktop users gain dynamic workspaces and touchpad gestures. The new Firefox snap, published by Mozilla, improves security and guarantees access to both the latest and the extended support release versions of the browser. The exact same versions of the browser are available on multiple different versions of Ubuntu, simplifying enterprise developer platform management," says Canonical.

Security

New 'FontOnLake' Malware Family Can Target Linux Systems (securityweek.com) 26

Security Week reports: A previously unknown, modular malware family that targets Linux systems has been used in targeted attacks to collect credentials and gain access to victim systems, ESET reported on Thursday. Dubbed FontOnLake, the malware family employs a rootkit to conceal its presence and uses different command and control servers for each sample, which shows how careful its operators are to maintain a low profile.

What's more, the malware developers are constantly modifying the FontOnLake modules, and use three categories of components that have been designed to work together, namely trojanized applications, backdoors, and rootkits.

Evidence suggests that FontOnLake has been used in attacks aimed at organizations in Southeast Asia. The first malware samples related to this family emerged last May. The malware was previously described by Avast and Lacework as the HCRootkit / Sutersu Linux rootkit, as well as by Tencent Security Response Center in a February report.

The various trojanized applications that ESET's researchers have identified during their investigation are used to load custom backdoor or rootkit modules, but also to collect sensitive data when needed. Posing as standard Linux utilities, these files were also designed to achieve persistence on the compromised systems. What the researchers haven't figured out yet is the manner in which the trojanized applications are delivered to the victims. ESET's analysis of FontOnLake has revealed the use of three different backdoors, all written in C++, all using the same Asio library from Boost, and all capable of exfiltrating sshd credentials and bash command history.

The simplest of the three was designed to launch and mediate access to a local SSH server, update itself, and transmit collected credentials. The malware appears to be under development.

The second backdoor was also capable of file manipulation, updating itself, and uploading and downloading files, according to the article, while the third backdoor "accepts remote connections, serves as a proxy and can download and run Python scripts, in addition to exfiltrating credentials."

Python

Beating C and Java, Python Becomes the #1 Most Popular Programming Language, Says TIOBE (zdnet.com) 115

ZDNet reports that Python "is now the most popular language, according to one popularity ranking."

"For the first time in more than 20 years we have a new leader of the pack..." the TIOBE Index announced this month. "The long-standing hegemony of Java and C is over."

When Slashdot reached out to Guido van Rossum for a comment, he replied "I honestly don't know what the appropriate response is...! I am honored, and I want to thank the entire Python community for making Python so successful."

ZDNet reports: [I]t seems that Python is winning these days, in part because of the rise of data science and its ecosystem of machine-learning software libraries like NumPy, Pandas, Google's TensorFlow, and Facebook's PyTorch. Python is also an easy-to-learn language that has found a niche in high-end hardware, although less so mobile devices and the web — an issue that Python creator Guido van Rossum hopes to address through performance upgrades he's working on at Microsoft.

Tiobe, a Dutch software quality assurance company, has been tracking the popularity of programming languages for the past 20 years. Its rankings are based on search terms related to programming and are one measure of languages that developers should consider learning, along with IEEE Spectrum's list and a ranking produced by developer analyst RedMonk. JavaScript, the default for front-end web development, is always at the top of RedMonk's list. For Tiobe, its enterprise focus has seen Java and C dominate in recent years, but Python has been snapping at the heels of Java, and has now overtaken it...

Python's move to top spot on the Tiobe index was a result of other languages falling in searches rather than Python rising. With an 11.27% share of searches, it was flat, while second place language C fell 5.79% percentage points compared to October last year down to 11.16%. Java made way for Python with a 2.11 percentage point drop to 10.46%.

Other languages that made the top 10 in Tiobe's October 2021 index: C++, C#, Visual Basic, JavaScript, SQL, PHP, and Assembly Language. Also rising on a year-on-year basis and in the top 20 were Google-designed Go, number-crunching favorite MATLAB, and Fortran.

"Python, which started as a simple scripting language, as an alternative to Perl, has become mature," TIOBE says in announcing its new rankings.

"Its ease of learning, its huge amount of libraries, and its widespread use in all kinds of domains, has made it the most popular programming language of today. Congratulations Guido van Rossum!"

Businesses

Africa Internet Riches Plundered, Contested by China Broker (sfgate.com) 55

An anonymous reader shares a report: Outsiders have long profited from Africa's riches of gold, diamonds, and even people. Digital resources have proven no different. Millions of internet addresses assigned to Africa have been waylaid, some fraudulently, including through insider machinations linked to a former top employee of the nonprofit that assigns the continent's addresses. Instead of serving Africa's internet development, many have benefited spammers and scammers, while others satiate Chinese appetites for pornography and gambling. New leadership at the nonprofit, AFRINIC, is working to reclaim the lost addresses. But a legal challenge by a deep-pocketed Chinese businessman is threatening the body's very existence. The businessman is Lu Heng, a Hong Kong-based arbitrage specialist. Under contested circumstances, he obtained 6.2 million African addresses from 2013 to 2016. That's about 5% of the continent's total -- more than Kenya has.

The internet service providers and others to whom AFRINIC assigns IP address blocks aren't purchasing them. They pay membership fees to cover administrative costs that are intentionally kept low. That left lots of room, though, for graft. When AFRINIC revoked Lu's addresses, now worth about $150 million, he fought back. His lawyers in late July persuaded a judge in Mauritius, where AFRINIC is based, to freeze its bank accounts. His company also filed an $80 million defamation claim against AFRINIC and its new CEO. It's a shock to the global networking community, which has long considered the internet as technological scaffolding for advancing society. Some worry it could undermine the entire numerical address system that makes the internet work.

Earth

UN Report Warns of Global Water Crisis Amid Climate Change (apnews.com) 138

An anonymous reader quotes a report from The Associated Press: Much of the world is unprepared for the floods, hurricanes and droughts expected to worsen with climate change and urgently needs better warning systems to avert water-related disasters, according to a report by the United Nations' weather agency. Global water management is "fragmented and inadequate," the report published Tuesday found, with nearly 60% of 101 countries surveyed needing improved forecasting systems that can help prevent devastation from severe weather. As populations grow, the number of people with inadequate access to water is also expected to rise to more than 5 billion by 2050, up from 3.6 billion in 2018, the report said.

Among the actions recommended by the report were better warning systems for flood- and drought-prone areas that can identify, for example, when a river is expected to swell. Better financing and coordination among countries on water management is also needed, according to the report by the U.N.'s World Meteorological Organization, development agencies and other groups. The report found that since 2000, flood-related disasters globally rose 134% compared with the previous two decades. Most flood-related deaths and economic losses were in Asia, where extreme rainfall caused massive flooding in China, India, Indonesia, Japan, Nepal and Pakistan in the past year. The frequency of drought-related disasters rose 29% over the same period. African countries recorded the most drought-related deaths. The steepest economic losses from drought were in North America, Asia and the Caribbean, the report said. Globally, the report found 25% of all cities are already experiencing regular water shortages. Over the past two decades, it said the planet's combined supplies of surface water, ground water and water found in soil, snow and ice have declined by 0.4 inches (1 centimeter) per year. Despite some progress in recent years, the report found 107 countries would not meet goals to sustainably manage water supplies and access by 2030 at current rates.

Windows

Microsoft Knew of Exchange Autodiscover Flaw Five Years Ago (theregister.com) 22

Thomas Claburn writes via The Register: Microsoft Exchange clients like Outlook have been supplying unprotected user credentials if you ask in a particular way since at least 2016. Though aware of this, Microsoft's advice continues to be that customers should communicate only with servers they trust. On August 10, 2016, Marco van Beek, managing director at UK-based IT consultancy Supporting Role, emailed the Microsoft Security Response Center to disclose an Autodiscover exploit that worked with multiple email clients, including Microsoft Outlook. "Basically, I have discovered that it is extremely easy to get access to Exchange (and therefore Active Directory) user passwords in plain text," he wrote. "It doesn't necessarily require any breach of corporate security, and at its most secure, is only as secure as file level access to the corporate website." His proof-of-concept exploit code, which affected Outlook (both Mac and PC), default email apps for Android and iOS, Apple Mail for Mac OS X, and others, consisted of 11 lines of PHP, though he insisted the exploit probably could have been reduced to three lines.

Microsoft acknowledged on August 11, 2016, that it had reproduced the issue in van Beek's report. Then on August 30, 2016, the Windows titan responded to van Beek by saying the report doesn't describe a genuine vulnerability: "Our security engineers and product team have reviewed this report and determined that it is not a security issue to be serviced as part of our monthly Patch Tuesday process. 'Never accept an SSL certificate without a matching host name' is already recommended for clients in the doc cited by your report: [link]. Before you send a request to a candidate, make sure it is trustworthy. Remember that you're sending the user's credentials, so it's important to make sure that you're only sharing them with a server you can trust. At a minimum, you should verify: That the endpoint is an HTTPS endpoint. Client applications should not authenticate or send data to a non-SSL endpoint. That the SSL certificate presented by the server is valid and from a trusted authority."

"This response casually forgets to consider that a hacked web server still retains a perfectly valid certificate -- it just happens to use that trusted tunnel to serve up problems," said van Beek. "Also, I have only found one Exchange client so far which actually checks the hostname against the certificate, which is Microsoft's own test tool." Van Beek said he thought it was incredible that Microsoft confirmed the behavior he reported within hours but does not consider it to be a problem. He suggested three mitigations: changing the order of operations so that DNS gets checked first; never accepting an SSL certificate without a matching host name; and reviewing why and when clients respond to authentication requests.
When asked if the company plans to take any steps to address credential exposure and whether it believes its guidance adequately addresses the problem, a Microsoft spokesperson said: "We are continuing to investigate the specific scenario shared by the researcher."
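As an added example (not from The Register, Microsoft, or van Beek's proof-of-concept), the following Python gate applies the checks quoted above before a client would release the user's credentials to an Autodiscover candidate: HTTPS only, a certificate the client has validated against a trusted authority, and a host name that matches the certificate. The URLs, domain and certificate dicts are constructed, and the rule that only the user's own mail domain and its subdomains count as trusted is an assumption of this example.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit


def _name_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against a host.

    Exact match, or a single leftmost wildcard label as in RFC 6125:
    "*.example.com" covers "mail.example.com" but not "example.com"
    or "a.b.example.com".
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_dns_names(cert: dict) -> list:
    """DNS names the certificate is valid for.

    Uses the dict layout returned by ssl.SSLSocket.getpeercert(): SAN dNSName
    entries first; the subject CN is consulted only when no SAN is present.
    """
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def hostname_matches(cert: dict, host: str) -> bool:
    """True when any name in the certificate covers the host we connected to."""
    return any(_name_matches(name, host) for name in cert_dns_names(cert))


def credentials_allowed(candidate_url: str, mail_domain: str,
                        cert: Optional[dict], chain_valid: bool) -> Tuple[bool, str]:
    """Decide whether a client may send the user's credentials to a candidate.

    chain_valid is the outcome of the client's own chain validation against its
    trusted authorities (what ssl.create_default_context() performs on connect).
    Returns (allowed, reason).
    """
    parts = urlsplit(candidate_url)
    if parts.scheme != "https":
        return False, "not an HTTPS endpoint; never authenticate over plain HTTP"
    host = parts.hostname or ""
    # Assumption of this example: only the user's mail domain and its subdomains are trusted.
    if host != mail_domain and not host.endswith("." + mail_domain):
        return False, f"{host} is outside the trusted domain {mail_domain}"
    if cert is None or not chain_valid:
        return False, "certificate missing or not validated by a trusted authority"
    if not hostname_matches(cert, host):
        return False, f"certificate names {cert_dns_names(cert)} do not match {host}"
    return True, "ok"


# Constructed sample certificates in getpeercert() layout (not real certificates).
CERT_MAIL = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "autodiscover.example.com")),
}
CERT_WILDCARD = {"subjectAltName": (("DNS", "*.example.com"),)}
CERT_FOREIGN = {"subjectAltName": (("DNS", "autodiscover.example.net"),)}

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def evaluate_candidates() -> dict:
    """Run the gate over a constructed candidate list for a user at example.com."""
    cases = {
        "plain_http": ("http://example.com" + AUTODISCOVER_PATH, CERT_MAIL, True),
        "matching_san": ("https://autodiscover.example.com" + AUTODISCOVER_PATH, CERT_MAIL, True),
        "wildcard_san": ("https://autodiscover.example.com" + AUTODISCOVER_PATH, CERT_WILDCARD, True),
        "wrong_name": ("https://autodiscover.example.com" + AUTODISCOVER_PATH, CERT_FOREIGN, True),
        "untrusted_chain": ("https://autodiscover.example.com" + AUTODISCOVER_PATH, CERT_MAIL, False),
        "other_domain": ("https://autodiscover.example.net" + AUTODISCOVER_PATH, CERT_FOREIGN, True),
    }
    return {name: credentials_allowed(url, "example.com", cert, ok)
            for name, (url, cert, ok) in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in evaluate_candidates().items():
        print(f"{name:16} {'SEND' if allowed else 'REFUSE':6} {reason}")
```

The gate also makes van Beek's objection concrete: a compromised host inside the trusted domain presenting its own valid, name-matching certificate passes every one of these checks, so they bound where credentials may go but do not establish that the endpoint is safe.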

Google

Google Finally Shifting To 'Upstream First' Linux Kernel Approach For Android Features (phoronix.com) 9

Phoronix reports: Google's Android had been notorious for all of its downstream patches carried by the mobile operating system as well as various vendor/device kernel trees while in recent years more of that code has been upstreamed. Google has also been shifting to the Android Generic Kernel Image (GKI) as the basis for all their product kernels to further reduce the fragmentation. Looking ahead, Google is now talking of an "upstream first" approach for pushing new kernel features into mainline Linux before deploying them on Android. Google's Todd Kjos talked today during Linux Plumbers Conference (LPC2021) around their Generic Kernel Image initiative. With Android 12 and their Linux 5.10 based GKI image they have further cut down the fragmentation to the extent that it's "nearly eliminated."

With the Android 12 GKI, most of the vendor/OEM kernel features have now either been upstreamed into the Linux kernel, isolated to vendor modules/hooks, or merged into the Android Common Kernel. They are making good progress on the GKI front and also ensuring vendors adapt to the new approach to cut down on the kernel mess. But perhaps most exciting is their outlook for 2023 to 2024 for further reducing technical debt. They are going to pursue an "upstream first development model for new features" in making sure new code first lands into the mainline Linux kernel rather than aiming straight for lodging within the Android source tree.

Python

Is Python About to Become the Most Popular Programming Language? (zdnet.com) 176

"According to one measure, Python is potentially on the verge of becoming the most popular computer programming language," reports ZDNet, joining C and Java as the only other two languages to attain the #1 spot.

Of course, it depends on who's making the list... Python has been snapping at the heels of Java and C for the past few years on the 20-year-old Tiobe index and recently knocked Java off the second spot to rival C. Tiobe, a software testing company, bases its rankings on searches for programming languages on popular websites and search engines.

The Tiobe index is updated monthly, and it doesn't align with other language popularity rankings. For example, the electrical engineering magazine IEEE Spectrum has ranked Python as the most popular language since at least 2020, followed by Java, C, and JavaScript, while developer analyst RedMonk has JavaScript in top place, followed by Python and Java, and places C at tenth...

"Python has never been so close to the number 1 position of the TIOBE index," writes Paul Jansen, chief of Tiobe software. "It only needs to bridge 0.16% to surpass C. This might happen any time now..."

Python is hugely popular because of machine learning, but it has no place in mobile app development or web applications or development on mobile devices. It's also slow. Python's creator, Guido van Rossum, who works at Microsoft, recently conceded Python consumes too much memory and energy from hardware. He's working to improve Python's performance and reckons double is feasible...

Tiobe's top 10 programming languages in September 2021 were C, Python, Java, C++, C#, Visual Basic, JavaScript, Assembly language, PHP, and SQL. The top 20 languages also included Classic Visual Basic, Groovy, Ruby, Go, Swift, MATLAB, Fortran, R, Perl, and Delphi. Fortran's re-emergence as a top 20 language is notable. Just in July 2020, Tiobe ranked it as the 50th most popular language. But earlier this year, Fortran shot up to the 20th spot in Tiobe's index.

Paul Jansen, chief of Tiobe software, also called out some other interesting moves in this month's calculation. "Assembly gained 1 position from #9 to #8, Ruby gained 2 positions from #15 to #13, and Go went up even 4 positions from #18 to #14."

Space

Amateur Astronomer Spots Possible New Impact Flash At Jupiter (skyandtelescope.org) 32

RockDoctor writes: A recent flurry of posts to astronomy news sites points to an amateur astronomer spotting a new impact on Jupiter. Every such case documented improves our estimates of how many bodies are flying around in the (inner) solar system, and improves our estimates of how likely we are to get another hit in a year, a decade, or a century. Sky and Telescope has been pulling in more information. SpaceWeather.com has an image of the impact. (Note: some of these images have been "flipped" to an "on sky" orientation, and others haven't because astronomical telescopes generally produce an inverted image since it requires fewer reflections.) Estimates of the impactor size are unclear, but minimum sizes seem to be in the several kg range. Depending on how long the flash lasted, it could go up into the tons, which is important for estimating the number of potentially hazardous objects in the inner solar system. Sky and Telescope's correspondents put the size at "up to" (important words!) the 30m range (100ft in Tudor measure), which would be around 10,000 tons -- a Chelyabinsk 2013-size body.

Medicine

High Ivermectin Overdosages Caused 1,143 Calls to America's Poison Control Centers This Year (npr.org) 440

America's poison control centers are getting more calls this year from people who tried self-medicating with ivermectin, NPR reports — with at least 592 calls coming since July 1: According to the National Poison Data System, which collects information from the nation's 55 poison control centers, there was a 245% jump in reported exposure cases from July to August — from 133 to 459. Meanwhile, emergency rooms across the country are treating more patients who have taken the drug... Most patients are overdosing on a [high-concentration] version of the drug that is formulated to treat parasites in cows and horses... The National Poison Data System says 1,143 ivermectin exposure cases were reported between Jan. 1 and Aug. 31. That marks an increase of 163% over the same period last year...

Minnesota's Poison Control System is dealing with the same problem. According to the department, only one ivermectin exposure case was reported in July, but in August, the figure jumped to nine. Kentucky has seen similar increases. Thirteen misuse calls have been reported this year, Ashley Webb, director of the Kentucky Poison Control Center, told the Louisville Courier-Journal. "Of the calls, 75% were from people who bought ivermectin from a feed store or farm supply store and treated themselves with the animal product," Webb said. The other 25% were people who had a prescription, she added.

"You are not a horse. You are not a cow. Seriously, y'all. Stop it," the FDA said in a renewed warning late last month.

Those with a prescription from a health care provider should only fill it "through a legitimate source such as a pharmacy, and take it exactly as prescribed," the agency instructs. It also cautioned that large doses of the drug are "dangerous and can cause serious harm" and said that doses of ivermectin produced for animals could contain ingredients harmful to humans. The agency added: "Even the levels of ivermectin for approved human uses can interact with other medications, like blood-thinners. You can also overdose on ivermectin, which can cause nausea, vomiting, diarrhea, hypotension (low blood pressure), allergic reactions (itching and hives), dizziness, ataxia (problems with balance), seizures, coma and even death."

At least two more states — Louisiana and Washington — have also "issued alerts after an uptick in calls to poison control centers," according to a health writer for the Associated Press: By mid-August U.S. pharmacies were filling 88,000 weekly prescriptions for the medication, a 24-fold increase from pre-COVID levels, according to the Centers for Disease Control and Prevention.

Meanwhile, U.S. poison control centers have seen a five-fold increase in emergency calls related to the drug, with some incidents requiring hospitalization.

The Internet

The 'Dead Internet' Theory Posits Forums are Now Almost Entirely Overrun By AI (theatlantic.com) 147

Ideas from 4chan (including its paranormal section) have percolated into the "dead internet" theory, writes the Atlantic, with a seminal post on another forum by "IlluminatiPirate" now arguing that the internet is almost entirely overrun by artificial intelligence: Like lots of other online conspiracy theories, the audience for this one is growing because of discussion led by a mix of true believers, sarcastic trolls, and idly curious lovers of chitchat... Peppered with casually offensive language, the post suggests that the internet died in 2016 or early 2017, and that now it is "empty and devoid of people," as well as "entirely sterile." Much of the "supposedly human-produced content" you see online was actually created using AI, IlluminatiPirate claims, and was propagated by bots, possibly aided by a group of "influencers" on the payroll of various corporations that are in cahoots with the government. The conspiring group's intention is, of course, to control our thoughts and get us to purchase stuff... He argues that all modern entertainment is generated and recommended by an algorithm; gestures at the existence of deepfakes, which suggest that anything at all may be an illusion; and links to a New York story from 2018 titled "How Much of the Internet Is Fake? Turns Out, a Lot of It, Actually."

"I think it's entirely obvious what I'm subtly suggesting here given this setup," the post continues. "The U.S. government is engaging in an artificial intelligence powered gaslighting of the entire world population." So far, the original post has been viewed more than 73,000 times...

The theory has become fodder for dramatic YouTube explainers, including one that summarizes the original post in Spanish and has been viewed nearly 260,000 times. Speculation about the theory's validity has started appearing in the widely read Hacker News forum and among fans of the massively popular YouTube channel Linus Tech Tips. In a Reddit forum about the paranormal, the theory is discussed as a possible explanation for why threads about UFOs seem to be "hijacked" by bots so often. The theory's spread hasn't been entirely organic. IlluminatiPirate has posted a link to his manifesto in several Reddit forums that discuss conspiracy theories... Anyway ... dead-internet theory is pretty far out-there. But unlike the internet's many other conspiracy theorists, who are boring or really gullible or motivated by odd politics, the dead-internet people kind of have a point... [Y]ou could even say that the point of the theory is so obvious, it's cliché — people talk about longing for the days of weird web design and personal sites and listservs all the time. Even Facebook employees say they miss the "old" internet. The big platforms do encourage their users to make the same conversations and arcs of feeling and cycles of outrage happen over and over, so much so that people may find themselves acting like bots, responding on impulse in predictable ways to things that were created, in all likelihood, to elicit that very response.

That 2018 article in New York magazine had argued that (at that time) a majority of web traffic was probably coming from bots — including especially high bot traffic on YouTube — while even the engagement metrics for major sites like Facebook had been gamed or inflated.

But whether or not that's changed, the Atlantic shares a compelling argument from a forum poster arguing that their very presence in this discussion proves they must be a bot. "If I was real I'm pretty sure I'd be out there living each day to the fullest and experiencing everything I possibly could with every given moment of the relatively infinitesimal amount of time I'll exist for instead of posting on the internet about nonsense."

Linux

Linus Torvalds Jokes About Celebrations for Linux's 30th Anniversary (zdnet.com) 21

Despite Linux reaching its 30th anniversary, "most outside the tech industry will be unaware that Linux has reached such a milestone," writes ZDNet, "even though the project has had a huge impact on everything from smartphones to cloud computing."

They add that Linus Torvalds "poked fun at that lack of recognition in his usual Sunday release note for a new stable version of the Linux kernel." "So I realize you must all still be busy with all the galas and fancy balls and all the other 30th anniversary events, but at some point you must be getting tired of the constant glitz, the fireworks, and the champagne," Torvalds said. "That ball gown or tailcoat isn't the most comfortable thing, either. The celebrations will go on for a few more weeks yet, but you all may just need a breather from them."

Linux 5.14 includes additional features for Intel's Alder Lake mobile-ready CPUs, extra AMD support and better support for the Raspberry Pi 400 PC. "Because 5.14 is out there, just waiting for you to kick the tires and remind yourself what all the festivities are about," notes Torvalds...

Torvalds is upbeat about Linux's future, predicting decades more work for the kernel's several thousand contributors who help shape the Linux kernel and drivers. "Of course, the poor tireless kernel maintainers won't have time for the festivities, because for them, this just means that the merge window will start tomorrow. We have another 30 years to look forward to, after all. But for the rest of you, take a breather, build a kernel, test it out, and then you can go back to the seemingly endless party that I'm sure you just crawled out of," he wrote.

Bug

Linux Glibc Security Fix Created a Nastier Linux Bug (zdnet.com) 74

A fix that was made in early June to the GNU C Library (glibc) introduced a new and nastier problem. Steven J. Vaughan-Nichols writes via ZDNet: The first problem wasn't that bad. As Siddhesh Poyarekar, a Red Hat principal software engineer wrote, "In order to mount a minimal attack using this flaw, an attacker needs many pre-requisites to be able to even crash a program using this mq_notify bug." Still, it needed patching and so it was fixed. Alas, the fix contained an even nastier bug. While checking the patch, Nikita Popov, a member of the CloudLinux TuxCare Team, found the problem. It turns out that it is possible to cause a situation where a segmentation fault could be triggered within the library. This can lead to any application using the library crashing. This, of course, would cause a Denial-of-Service (DoS) issue. This problem, unlike the earlier one, would be much easier to trigger. Whoops.

Red Hat gives the problem in its Common Vulnerability Scoring System (CVSS) a score of 7.5, which is "high." An attack using it would be easy to build and requires no privileges to be made. In short, it's bad news. Popov himself thinks "every Linux application including interpreters of other languages (python, PHP) is linked with glibc. It's the second important thing after the kernel itself, so the impact is quite high." [...] The good news is both the vulnerability and code fix have been submitted to the glibc development team. It has already been incorporated into upstream glibc.

In addition, a new test has been submitted to glibc's automated test suite to pick up this situation and prevent it from happening in the future. The bottom line is that sometimes changes in unrelated code paths can lead to behaviors changing elsewhere without the programmer realizing what's going on. This test will catch this situation. The Linux distributors are still working out the best way to deploy the fix. In the meantime, if you want to be extra careful -- and I think you should be -- you should upgrade to the newest stable version of glibc 2.34 or higher.

Debian

Debian 11 'Bullseye' Released As Stable (debian.org) 40

"One of the oldest and most renowned distributions of Linux has been released!" writes Slashdot reader Washuu2. Phoronix reports it took "just over two years in development." Debian 11 brings many new features as outlined this morning with the big upgrade to Linux 5.10 LTS, exFAT file-system support, control groups v2, yescrypt for password hashing, and a plethora of updated packages. GNOME 3.38, KDE Plasma 5.20, and Xfce 4.16 are among the desktop options for Debian 11.
Debian.org adds: Do you want to celebrate the release? We provide some bullseye artwork that you can share or use as a base for your own creations. Follow the conversation about bullseye in social media via the #ReleasingDebianBullseye and #Debian11Bullseye hashtags...
Around the world, there were even several in-person and online release parties — with a few more upcoming!

Star Wars Prequels

At Disney World's Star Wars-Themed Hotel, a Weekend for Two Costs $4,800 (sfgate.com) 91

"If you've ever dreamed of living 'a long time ago in a galaxy far, far away,' now is your chance — as long as you've got a spare four to six thousand dollars sitting around," writes SFGate: This week, Walt Disney World announced more details about its new Galactic Starcruiser hotel opening in the spring, an immersive, two-day "Star Wars" experience that evokes the feeling of being in the movies. The tech will be more advanced than any other Disney experience, including Rise of the Resistance at Disneyland and the Star Wars: Galaxy's Edge lands... "Star Wars: Galactic Starcruiser is a revolutionary new 2-night experience where you are the hero," according to Walt Disney World's website. "You and your group will embark on a first-of-its-kind Star Wars adventure that's your own. It's the most immersive Star Wars story ever created — one where you live a bespoke experience and journey further into a Star Wars adventure than you ever dreamed possible."

There are lightsaber experiences, interstellar entertainment, characters hanging around and an overall feeling that you're closer to being in Star Wars than you've ever been in your life. The idea is that you're staying on a luxury space cruise, so immersive that the hotel's windows look out into "space" and you never leave the property unless it's to "board a transport" to Batuu, the land where Star Wars: Galaxy's Edge takes place. Admission to Hollywood Studios is included in the price, as is all of your food and non-alcoholic beverages. But really, for $4,809 for two nights' accommodations for two guests in a studio, they could throw in a space beer or two...

But then again, for some Star Wars fans, you can't put a price on total immersion in the fandom, from cast members acting as though they're really intergalactic travelers to the ability to make infinite Wookiee jokes free from the harsh judgements of people who wouldn't spend $4,000 to sleep in a "spaceship."

Earth

A Critical Ocean System May Be Heading For Collapse Due to Climate Change (sfgate.com) 110

The Washington Post reports: Human-caused warming has led to an "almost complete loss of stability" in the system that drives Atlantic Ocean currents, a new study has found — raising the worrying prospect that this critical aquatic "conveyor belt" could be close to collapse.

In recent years, scientists have warned about a weakening of the Atlantic Meridional Overturning Circulation (AMOC), which transports warm, salty water from the tropics to northern Europe and then sends colder water back south along the ocean floor. Researchers who study ancient climate change have also uncovered evidence that the AMOC can turn off abruptly, causing wild temperature swings and other dramatic shifts in global weather systems. Scientists haven't directly observed the AMOC slowing down. But the new analysis, published Thursday in the journal Nature Climate Change, draws on more than a century of ocean temperature and salinity data to show significant changes in eight indirect measures of the circulation's strength. These indicators suggest that the AMOC is running out of steam, making it more susceptible to disruptions that might knock it out of equilibrium, says study author Niklas Boers, a researcher at the Potsdam Institute for Climate Impact Science in Germany.

If the circulation shuts down, it could bring extreme cold to Europe and parts of North America, raise sea levels along the east coast of the United States and disrupt seasonal monsoons that provide water to much of the world.

"This is an increase in understanding . . . of how close to a tipping point the AMOC might already be," said Levke Caesar, a climate physicist at Maynooth University who was not involved in the study. Boers' analysis doesn't suggest exactly when the switch might happen. But "the mere possibility that the AMOC tipping point is close should be motivation enough for us to take countermeasures," Caesar said. "The consequences of a collapse would likely be far-reaching..." The new analysis suggests "the critical threshold is most likely much closer than we would have expected," Boers said...

[T]he apparent consequences of the AMOC slowing are already being felt. A persistent "cold blob" in the ocean south of Greenland is thought to result from less warm water reaching that region. The lagging Gulf Stream has caused exceptionally high sea level rise along the east coast of the United States. Key fisheries have been upended by the rapid temperature swings, and beloved species are struggling to cope with the changes. If the AMOC does completely shut down, the change would be irreversible in human lifetimes, Boers said. The "bi-stable" nature of the phenomenon means it will find new equilibrium in its "off" state. Turning it back on would require a shift in the climate far greater than the changes that triggered the shutdown.

"It's one of those events that should not happen, and we should try all that we can to reduce greenhouse gas emissions as quickly as possible," Boers said. "This is a system we don't want to mess with."

Linux

Steam Survey Shows Linux Marketshare Hitting 1.0% (phoronix.com) 73

According to Steam Survey numbers for July 2021, Steam on Linux hit a 1.0% marketshare, or a +0.14% increase over the month prior. Phoronix reports: This is the highest we have seen the Steam on Linux marketshare in a number of years and well off the lows prior to introducing Steam Play (Proton), since which point there has been a gradual increase in marketshare. Back when Steam on Linux first debuted there was around a 2% marketshare for Linux before gradually declining. Back when Steam first debuted for Linux, the overall Steam customer base was also much smaller than it is today.

While many believe the Steam Survey is inaccurate or biased (or just buggy towards prompting Linux users to participate in the survey), these initial numbers for July are positive in hitting the 1.0% mark after largely floating around the 0.8~0.9% mark for most of the past three years. The Steam Deck isn't shipping until the end of the year so we'll see how the number fluctuates to that point.

AMD

AMD and Valve Working On New Linux CPU Performance Scaling Design (phoronix.com) 10

Along with other optimizations to benefit the Steam Deck, AMD and Valve have been jointly working on CPU frequency/power scaling improvements to enhance the Steam Play gaming experience on modern AMD platforms running Linux. Phoronix reports: It's no secret that the ACPI CPUFreq driver code has at times been less than ideal on recent AMD processors, delivering less-than-expected performance/behavior by being slow to ramp up to a higher performance state or otherwise coming up short of disabling the power management functionality outright. AMD hasn't traditionally worked on the Linux CPU frequency scaling code as much as Intel does on their P-State scaling driver and other areas of power management at large. AMD is ramping up efforts in these areas, including around the Linux scheduler given their recent hiring spree, while it now looks like, thanks to the Steam Deck, there is renewed interest in better optimizing the CPU frequency scaling under Linux.

AMD and Valve have been working to improve the performance/power efficiency for modern AMD platforms running on Steam Play (Proton / Wine) and have spearheaded "[The ACPI CPUFreq driver] was not very performance/power efficiency for modern AMD platforms...a new CPU performance scaling design for AMD platform which has better performance per watt scaling on such as 3D game like Horizon Zero Dawn with VKD3D-Proton on Steam." AMD will be presenting more about this effort next month at XDC. It's quite possible this new effort is focused on ACPI CPPC support with the previously proposed AMD_CPUFreq. Back when Zen 2 launched in 2019, AMD did post patches for their new CPUFreq driver that leveraged ACPI Collaborative Processor Performance Controls but the driver was never mainlined nor any further iterations of the patches posted. When inquiring about that work a few times since then, AMD has always said it's been basically due to resource constraints that it wasn't a focus at that time. Upstream kernel developers also voiced their preference to seeing AMD work to improve the generic ACPI CPPC CPUFreq driver code rather than having another vendor-specific solution. It's also possible AMD has been working on better improvements around the now-default Schedutil governor for scheduler utilization data in making CPU frequency scaling decisions.
