Thursday, 13 December


US bitcoin bomb threat ransom scam looks like a hoax say FBI, cops [The Register]

Extortion scheme gets national attention but not much in the way of funds

Police departments around the US say they've been apprised of emailed bomb threats seeking payment in cryptocurrency or else explosions will ensue.…


Iranian Phishers Bypass 2fa Protections Offered By Yahoo Mail, Gmail [Slashdot]

An anonymous reader quotes a report from Ars Technica: A recent phishing campaign targeting U.S. government officials, activists, and journalists is notable for using a technique that allowed the attackers to bypass two-factor authentication protections offered by services such as Gmail and Yahoo Mail, researchers said Thursday. The event underscores the risks of 2fa that relies on one-tap logins or one-time passwords, particularly if the latter are sent in SMS messages to phones. Attackers working on behalf of the Iranian government collected detailed information on targets and used that knowledge to write spear-phishing emails that were tailored to the targets' level of operational security, researchers with security firm Certfa Lab said in a blog post. The emails contained a hidden image that alerted the attackers in real time when targets viewed the messages. When targets entered passwords into a fake Gmail or Yahoo security page, the attackers would almost simultaneously enter the credentials into a real login page. In the event targets' accounts were protected by 2fa, the attackers redirected targets to a new page that requested a one-time password. "In other words, they check victims' usernames and passwords in realtime on their own servers, and even if 2 factor authentication such as text message, authenticator app or one-tap login are enabled they can trick targets and steal that information too," Certfa Lab researchers wrote. "We've seen [it] tried to bypass 2fa for Google Authenticator, but we are not sure they've managed to do such a thing or not," the Certfa representative wrote. "For sure, we know hackers have bypassed 2fa via SMS."

Read more of this story at Slashdot.


Astroboffins spy a rare exoplanet evaporating before their eyes [The Register]

Okay so it will be here for another billion years or so but it's shrinking faster than normal

Somewhere in the Cancer constellation lies a mini-Neptune sized planet that is disappearing at a rate faster than ever seen before, according to research published in Astronomy & Astrophysics on Thursday.…


Louisiana Adopts Digital Driver's Licenses [Slashdot]

Louisiana is rolling out a new digital driver's license app, called LA Wallet, that will let retailers digitally verify the age of their customers, if required. "According to IEEE Spectrum, Louisiana's Office of Alcohol and Tobacco Control is expected to announce that bars, restaurants, grocery stores and other retailers are allowed to accept LA Wallet as proof of age, according to the app's developer, Envoc." From the report: The Baton Rouge-based company launched LA Wallet in June, after two years of collaboration with state officials. But so far only law enforcement officers making routine traffic stops are required to accept the digital driver's license. Next week's announcement would greatly broaden the scope of the app's use. About 71,000 people have downloaded LA Wallet so far, says Calvin Fabre, founder and president of Envoc. The app costs $5.99 in the Google Play and Apple App stores. Users buy it, create an account with some basic information from their physical driver's license, and create a password. That's it. No biometric security -- like iris scans or facial recognition -- required. The app links back to Louisiana's Office of Motor Vehicles database, which completes the digital license with the user's photo and additional information. Any changes to the license, like a suspension or renewal, are updated immediately in the app with a wireless network connection. To present the license -- say, to a cop during a traffic stop -- the driver (hoping his phone battery isn't dead) opens the app with a password, shows the cop the digital license image, and authenticates it by pressing and holding the screen to reveal a security seal. The license can be flipped over to show a scannable bar code on the back. There's also a handy security feature that allows anyone with the LA Wallet app to authenticate another person's Louisiana digital driver's license.
It allows the bar patron to select which information she would like to reveal to the bartender -- in this case, simply the fact that she is over 21. That information is displayed on the phone with a photo and embedded QR code. The bartender scans the code with her app, which tells her that the woman seated on the other side of the bar is indeed over 21. None of the customer's personal information, such as her name, birth date, or address, is displayed or stored on the bartender's phone.



US elections watchdog says it's OK to spend surplus campaign cash on cybersecurity gear [The Register]

Congresscritters now have one less excuse for getting pwned

The US Federal Election Commission has officially voted to allow members of Congress to use their campaign funds on cybersecurity protection.…


Google Pledges To Hold Off On Selling Facial Recognition Technology [Slashdot]

In a blog post today, Google detailed how its facial recognition technology will and won't be used. Citing a number of risks associated with the technology, the company vowed to refrain from selling facial recognition products until it can come up with policies that prevent abuse. Engadget reports: "Like many technologies with multiple uses, facial recognition merits careful consideration to ensure its use is aligned with our principles and values, and avoids abuse and harmful outcomes," Google said. "We continue to work with many organizations to identify and address these challenges, and unlike some other companies, Google Cloud has chosen not to offer general-purpose facial recognition APIs before working through important technology and policy questions." "This is a strong first step," the ACLU's Nicole Ozer said in a statement about Google's announcement. "Google today demonstrated that, unlike other companies doubling down on efforts to put dangerous face surveillance technology into the hands of law enforcement and ICE, it has a moral compass and is willing to take action to protect its customers and communities. Google also made clear that all companies must stop ignoring the grave harms these surveillance technologies pose to immigrants and people of color, and to our freedom to live our lives, visit a church, or participate in a protest without being tracked by the government."



Dozens of Bomb Threats Reported Across America In Apparent Bitcoin Ransom Scam [Slashdot]

An anonymous reader quotes a report from Gizmodo: On Wednesday afternoon, a wave of bomb threats was reported at various locations across the United States. On social media, numerous law enforcement departments issued alerts notifying citizens that they're looking into bomb threats targeting businesses, schools, government offices and even private residents. It appears the threats are being sent by email. NBC News said "dozens" of threats had been reported, but the full extent of these threats is not yet clear. A number of news organizations and law enforcement agencies report remarkably similar-sounding emails mentioning a bitcoin ransom of $20,000. And some Twitter users have shared emails they've received demanding the cryptocurrency and warning that an explosion would only encourage others to pay up. NBC News quoted the NYPD's Counterterrorism Bureau's brief statement on the investigation: "We are currently monitoring multiple bomb threats that have been sent electronically to various locations throughout the city. These threats are also being reported to other locations nationwide and are not considered credible at this time."



Sting on Amazon Booksellers Aims To Weed Out Counterfeit Textbooks, But Small Sellers Getting Hurt [Slashdot]

Amazon upended the book industry more than two decades ago by bringing sales onto the web. Now, during the heart of the holiday shopping season, the company is wreaking havoc on used booksellers who have come to rely on Amazon for customers. From a report: In the past two weeks, Amazon has suspended at least 20 used book merchants for allegedly selling one or more counterfeit textbooks. They all received the same generic email from Amazon informing them that their account had been "temporarily deactivated" and reminding them that "the sale of counterfeit products on Amazon is strictly prohibited." [...] The crackdown on textbook sellers stands out at a time when Amazon is dramatically stepping up its broader anti-counterfeiting efforts, suspending third-party sellers across all its popular categories. Unlike most suspensions, which tend to occur after complaints from consumers or from brand owners who are monitoring the site for counterfeits, these booksellers got caught up in what appears to be a coordinated sting operation.



Postmates plans rollout of autonomous delivery robots in US [The Register]

Wheeled robo-containers called Serve headed first to LA

Delivery biz Postmates on Tuesday showed off a wheeled robotic box named Serve that should soon start showing up in cities around the US, carrying goods for customers.…


Vulkan Memory Allocator 2.2 Released Along With RGP 1.4 [Phoronix]

In addition to AMD's year-end Radeon driver updates issued today, their GPUOpen crew has also carried out some new open-source software releases...


Windows Server 2019 Officially Supports OpenSSH For the First Time [Slashdot]

Microsoft said in 2015 that it would build OpenSSH, a set of utilities that allow clients and servers to connect securely, into Windows, while also making contributions to its development. Neowin: Since then, the company has delivered on that promise in recent releases of Windows 10, being introduced as a feature-on-demand in version 1803. However, Windows Server hadn't received the feature until now, at least not in an officially supported way -- Windows Server version 1709 included it as a pre-release feature. But that's finally changed, as Microsoft this week revealed that Windows Server 2019, which was made available (again) in November, includes OpenSSH as a supported feature.



Fraudster convicted of online banking thefts using… whatever the hell this thing is [The Register]

Ingenious device, or fake bomb from 1980s cop movie?

Police in London have put away a fraudster who was using a bizarre homemade device to con people out of the contents of their bank accounts.…


The fastest, most secure browser? Microsoft Edge apparently [The Register]

Well, in one respect anyway

Microsoft may have taken the decision to ditch the Edge's browser engine for Google's Chromium too soon.…


ASUS CEO Resigns as Company Shifts Mobile Focus To Power Users [Slashdot]

Earlier today, ASUS announced that long-time CEO Jerry Shen is stepping down ahead of "a comprehensive corporate transformation" -- part of which involves a new co-CEO structure, as well as a major shift in mobile strategy to focus on gamers and power users. From a report: In other words, we'll be seeing more ROG Phones and maybe fewer ZenFones, which is a way to admit defeat in what ASUS chairman Jonney Shih described as a "bloody battlefield" in his interview with Business Next. During his 11 years serving as CEO, Shen oversaw the launch of the PadFone series, Transformer series, ZenBook series and ZenFone series. Prior to that, Shen was also credited as the main creator of the Eee PC, the small machine that kickstarted the netbook race in 2006.



The Oil Industry's Covert Campaign To Rewrite American Car Emissions Rules [Slashdot]

When the Trump administration laid out a plan this year that would eventually allow cars to emit more pollution, automakers, the obvious winners from the proposal, balked. The changes, they said, went too far even for them. But it turns out that there was a hidden beneficiary of the plan that was pushing for the changes all along: the nation's oil industry. From an investigation by The New York Times: In Congress, on Facebook and in statehouses nationwide, Marathon Petroleum, the country's largest refiner, worked with powerful oil-industry groups and a conservative policy network financed by the billionaire industrialist Charles G. Koch to run a stealth campaign to roll back car emissions standards, a New York Times investigation has found. The campaign's main argument for significantly easing fuel efficiency standards -- that the United States is so awash in oil it no longer needs to worry about energy conservation -- clashed with decades of federal energy and environmental policy. "With oil scarcity no longer a concern," Americans should be given a "choice in vehicles that best fit their needs," read a draft of a letter that Marathon helped to circulate to members of Congress over the summer. Official correspondence later sent to regulators by more than a dozen lawmakers included phrases or sentences from the industry talking points, and the Trump administration's proposed rules incorporate similar logic. The industry had reason to urge the rollback of higher fuel efficiency standards proposed by former President Barack Obama. A quarter of the world's oil is used to power cars, and less-thirsty vehicles mean lower gasoline sales.



Data-Wiping Malware Shamoon Destroys Files At Italian Oil and Gas Company; Other Energy Companies Operating in the Middle East Warned of Cyber Attacks [Slashdot]

An anonymous reader writes: A new variant of the Shamoon malware was discovered on the networks of Italian and UAE oil and gas companies. While the damage at the UAE firm is currently unknown, the malware has been confirmed to have destroyed files on about ten percent of the Italian company's PC fleet. Shamoon is one of the most dangerous strains of malware known to date. It was first deployed in two separate incidents that targeted the infrastructure of Saudi Aramco, Saudi Arabia's largest oil producer, in 2012 and 2016. During those incidents, the malware wiped files and replaced them with propaganda images (burning US flag, body of Alan Kurdi). The 2012 attack was devastating in particular, with Shamoon wiping data on over 30,000 computers, crippling the company's activity for weeks. Historically, the malware has been tied to the Iranian regime, but it's unclear if Iranian hackers were behind these latest attacks. This new Shamoon version was revealed to the world when an Italian engineer uploaded the malware on VirusTotal, triggering detections at all major cyber-security firms across the globe.



Quantum Network Joins Four People Together For Encrypted Messaging [Slashdot]

An anonymous reader shares a report: The quantum internet is starting small, but growing. Researchers have created a network that lets four users communicate simultaneously through channels secured by the laws of quantum physics, and they say it could easily be scaled up. Soren Wengerowsky at the University of Vienna and his colleagues devised a network that uses quantum key distribution (QKD) to keep messages secure [the link is paywalled]. The general principle of QKD is that two photons are entangled, meaning their quantum properties are linked. Further reading: Nature.



Radeon Software Adrenalin 2019 Rolls Out While Linux Users Should Have AMDGPU-PRO 18.50 [Phoronix]

AMD today released their Radeon Software Adrenalin 2019 Edition, geared for Windows gamers, while Linux users should shortly have AMDGPU-PRO 18.50 available for those wanting this hybrid Vulkan/OpenGL driver, which also bundles the AMDGPU open-source components in a stable but dated composition...


The Painful, Costly Journey of Returned Goods -- and How You End Up Purchasing Some of Them Again [Slashdot]

Buyers return a huge number of packages they buy from Amazon and other e-commerce sites, so much so that retailers are sometimes left with little choice but to get rid of large swaths of inventory at a cost. Last year, customers in the U.S. returned about $351 billion worth of items that they had purchased from brick-and-mortar retailers and online stores, according to estimates by National Retail Federation. CNBC: There's a good chance that the $100 printer, the $300 wide-screen monitor, or the $170 router you recently bought from Amazon weren't supplied to the e-commerce giant by their original manufacturers. In fact, the order may have been fulfilled by someone like Casey Parris, who resells items that customers previously returned to retailers. Based in Florida, Parris spends about five hours each day visiting thrift stores and scanning auction and liquidation websites for interesting items, he told CNBC. Sometimes he finds auto parts, other times it's a pair of sneakers, and occasionally he purchases printer cartridges -- all with the goal of reselling them. Walter Blake, who lives in Michigan, does the same. For years, he's been selling electronic items on Amazon that he acquires from a network of places. Blake and Parris are part of a growing cottage industry where dealers acquire discarded items at very low prices, only to resell some of them back on Amazon and eBay at a premium.



Apple to splash $10bn raisin' American bit barns [The Register]

Cupertino pats own back for forking over dollars in home country

Apple has said it will spend $10bn on data centres in the US over the next five years, and will set up a new $1bn campus in Texas.…


Virgin Galactic Successfully Reaches Space [Slashdot]

The latest test flight by Sir Richard Branson's Virgin Galactic successfully rocketed to space and back. From a report: The firm's SpaceShipTwo passenger rocket ship reached a height of 82.7km, beyond the altitude at which space is said to begin. It marked the plane's fourth test flight and followed earlier setbacks in the firm's space programme. Sir Richard is in a race with Elon Musk and Jeff Bezos to send the first fee-paying passengers into space. He founded the commercial spaceflight company in 2004, shortly after Mr Musk started SpaceX and Jeff Bezos established Blue Origin. In 2008, Virgin Galactic first promised sub-orbital spaceflight trips for tourists would be taking place "within 18 months". It has since regularly made similar promises to have space flights airborne in the near future.



Ranks of Crypto Users Swelled in 2018 Even as Bitcoin Tumbled [Slashdot]

It turns out that cryptocurrency enthusiasts were committed well beyond the HODL rallying call that urged them to hold on during this year's digital-asset market collapse. From a report: The number of verified users of cryptocurrencies almost doubled in the first three quarters of the year even as the market bellwether Bitcoin tumbled almost 80 percent, according to a study from the Cambridge Centre for Alternative Finance. Users climbed from 18 million to 35 million this year. The figures may provide a silver lining. If user numbers continue to increase even in a deep market downturn, that could signal that an eventual recovery could be coming -- a crucial finding at a time when some critics predict that the value of cryptocurrencies will go down to zero.



Virgin Galactic test flight reaches space for the first time, lugging NASA cargo in place of tourists [The Register]

SpaceShipTwo goes faster and higher than ever before

Virgin Galactic's SpaceShipTwo took its first trip into space today as the company launched the reusable rocket-powered craft on its fourth test flight above the Mojave desert in southern California.…


Radeon ROCm 1.9.1 vs. NVIDIA OpenCL Linux Plus RTX 2080 TensorFlow Benchmarks [Phoronix]

Following the GeForce RTX 2080 Linux gaming benchmarks last week with now having that non-Ti variant, I carried out some fresh GPU compute benchmarks of the higher-end NVIDIA GeForce and AMD Radeon graphics cards. Here's a look at the OpenCL performance between the competing vendors plus some fresh CUDA benchmarks as well as NVIDIA GPU Cloud TensorFlow Docker benchmarks.


Telcos enlist Google, Amazon to help protect Europe's data from Big Tech [The Register]

Orange, DT's plan to take on firms that create 'competitive asymmetries'

Comment  Nothing sums up Europe's tech dilemma like the deep and meaningful partnership two of its biggest telcos touted this week. The CEOs of Orange (Stéphane Richard) and Deutsche Telekom (Timotheus Höttges) see more than €120bn a year flow through their combined cash tills. The two were on stage at Orange's innovation showcase in Paris to team up on AI, and they had a mission.…


KDE Applications 18.12 Released With File Manager Improvements, Konsole Emoji [Phoronix]

The KDE community is out with an early holiday present for its users: KDE Applications 18.12 is shipping today...


Mesa 18.2.7 Released With Several RADV Driver Fixes, Variety Of Other Updates [Phoronix]

For those not yet prepared to move over to the Mesa 18.3 series, Mesa 18.2.7 is out today with the latest batch of fixes...


'Blockchain Developer' is the Fastest-Growing US Job [Slashdot]

"Blockchain developer" is the top emerging job in the U.S. -- according to data published in LinkedIn's 2018 U.S. Emerging Jobs report. From a report: [...] Using data gleaned from the LinkedIn Economic Graph, which serves as a "digital representation of the global economy" by analyzing the skills and job openings from across 590 million members and 30 million companies, LinkedIn found that "blockchain developers" has grown 33-fold in the past four years. In this case, "emerging jobs" refers to the growth of specific job titles on LinkedIn profiles in the period between 2014 and 2018. It's worth noting here that "blockchain" didn't appear anywhere in the top 20 emerging jobs in 2017, while "machine learning engineer" topped the list last year -- it's in second place this year.



UK spam-texting tax consultancy slapped with £200k fine [The Register]

Generic privacy policies won't get you valid consent, says ICO

A London firm that sent 14.8 million spam SMSes without consent has been fined £200,000 by the UK’s data protection watchdog.…


Unity 2018.3 With HDR Render Pipeline Preview, Updated PhysX & More [Phoronix]

Unity Tech is ending out the year with their Unity 2018.3 game engine update that brings a number of new features and improvements to its many supported platforms...


Ethereum Thinks it Can Change the World. It's Running Out of Time To Prove It. [Slashdot]

The blockchain system has daunting technical problems to fix. But first, its disciples need to figure out how to govern themselves. From a report: The handful of idealistic researchers, developers, and administrators in charge of maintaining its software are under increasing pressure to overcome technical limitations that stymie the network's growth. At the same time, well-funded competitors have emerged, claiming that their blockchains perform better. Crackdowns by regulators, and a growing understanding of how far most blockchain applications are from ready for prime time, have scared many cryptocurrency investors away: Ethereum's market value in dollars has fallen more than 90% since its peak last January. The reason Devcon (the annual "family reunion" organized by the Ethereum Foundation; this year's edition was held in October) feels so upbeat despite these storm clouds is that the people building Ethereum have something bigger in mind -- something world-changing, in fact. Yet to achieve its goal, this ragtag community needs to crack a problem as complicated as any of the toe-curling technical challenges it faces: how to govern itself. It must find a way to organize a scattered global network of contributors and stakeholders without sacrificing "decentralization" -- the principle, which any cryptocurrency community strives for, that no one entity or group should be in control.



'Exclusive swag' up for grabs as GitLab flings bug bounty scheme open to world+dog [The Register]

Don't worry, there are cheques, too

DevOps outfit GitLab has opened its bug bounty scheme to world+dog, having paid out $200,000 last year and fixed "nearly 200 vulnerabilities reported to us".…


In a Test, 3D Model of a Head Was Able To Fool Facial Recognition System of Several Popular Android Smartphones [Slashdot]

Forbes magazine tested four of the most popular handsets running Google's operating system and Apple's iPhone to see how easy it'd be to break into them with a 3D-printed head. All of the Android handsets opened with the fake. Apple's phone, however, was impenetrable. From the report: For our tests, we used my own real-life head to register for facial recognition across five phones. An iPhone X and four Android devices: an LG G7 Linq, a Samsung S9, a Samsung Note 8 and a OnePlus 6. I then held up my fake head to the devices to see if the device would unlock. For all four Android phones, the spoof face was able to open the phone, though with differing degrees of ease. The iPhone X was the only one to never be fooled. There were some disparities between the Android devices' security against the hack. For instance, when first turning on a brand new G7 Linq, LG actually warns the user against turning facial recognition on at all. No surprise then that, on initial testing, the 3D-printed head opened it straightaway. [...] The OnePlus 6 came with neither the warnings of the other Android phones nor the choice of slower but more secure recognition.



Saturday Morning Breakfast Cereal - Skimmed [Saturday Morning Breakfast Cereal]


My new website, skimmedit (tm) is just reddit but you can only read headlines and comment on what you think the article is about.



Apple To Build $1B Austin Campus, Add Thousands of Jobs in US Expansion [Slashdot]

Apple said Thursday it plans to invest $1 billion building a new corporate campus in Austin, Texas, that could eventually create 15,000 jobs. From a report: The iPhone maker will also set up new offices in Seattle, San Diego and Culver City, Los Angeles County, as well as expanding operations in Pittsburgh, New York and Boulder, Colorado, according to the press release. The Austin campus will be located less than a mile away from Apple's existing facilities in the Texas city, which already employ 6,200 people (its largest group of employees outside Cupertino). The new area will initially hold 5,000 employees, with capacity to grow to 15,000 over time.



Godmother of word processing Evelyn Berezin dies at 93 [The Register]

Office revolutionary developed the hefty Redactron

Obit  The remarkable Evelyn Berezin, founder of Redactron, a company that successfully sold word processing systems in the early 1970s, has died aged 93.…


Home users due for a battering with Microsoft 365 subscription stick [The Register]

Job opening at Redmond points to new consumer services

Fire up the steam-powered speculation machine! A consumer-focused Microsoft 365 subscription is inbound.…


Tesla Is Seeking $167 Million From Former Employee Accused of Sabotage [Slashdot]

An anonymous reader quotes a report from CNBC: Tesla is seeking more than $167 million in a lawsuit against former employee Martin Tripp, recent legal filings revealed. In the lawsuit, which was filed by the electric car maker in June, Tesla alleges that Tripp, a former process engineer, had illegally exported data and made false claims to reporters, among other things. Tripp had earlier claimed in a number of press interviews that Tesla engaged in poor manufacturing practices at its massive battery plant outside of Reno, Nevada, and that it may have used damaged battery modules in its Model 3 vehicles, posing a risk to drivers. An interim case management report published on Nov. 27 reveals that Tripp's attorneys aim to depose Tesla CEO Elon Musk and more than 10 people involved with the company. Tesla has refused to make Musk available and sought to limit the number of people deposed by Tripp's defense team at the law firm Tiffany & Bosco. Tripp's lawyers wrote in that report: "Tesla has objected to Mr. Tripp's desire to take more than ten depositions... In this case, where Mr. Tripp is being sued for more than $167,000,000 and has asserted counterclaims against Tesla, more than ten depositions is certainly reasonable and appropriate." Tripp attorney Robert D. Mitchell said in an email to CNBC: "The purported damage amount claimed by Tesla relates to supposed dips in Tesla's stock price by virtue of the information Mr. Tripp provided to the press last summer." He characterized the damage claims as "absurd."



Taylor's gonna spy, spy, spy, spy, spy... fans can't shake cam off, shake cam off [The Register]

Swifties' faces scanned against DB of 'known stalkers' at US gig – reports

Spotify's one-time nemesis Taylor Swift has reportedly used controversial facial recognition tech on fans while they've been getting down to her sick beats.…


AMD Squeezes In Some Final AMDGPU Changes To DRM-Next For Linux 4.21 [Phoronix]

Complementing all of the AMDGPU feature work already staged for the upcoming Linux 4.21 kernel, another (small) batch of material was sent out on Wednesday...


Windows 10 can carry on slurping even when you're sure you yelled STOP! [The Register]

All your activity are belong to us

Updated  A feature introduced in the April 2018 Update of Windows 10 may have set off a privacy landmine within the bowels of Redmond as users have discovered that their data was still flowing into the intestines of the Windows giant, even with the thing apparently turned off.…


CLL '19 to span DevOps, Containers, Continuous Delivery and Serverless [The Register]

Agenda is set, blind bird tickets going soon

Events  We'll be revealing the first tranche of speakers for Continuous Lifecycle 2019 next week, meaning you have just days to save hundreds of pounds with our blind bird ticket offer.…


Ethereum thinks it can change the world. It’s running out of time to prove it. [Top News - MIT Technology Review]

The blockchain system has daunting technical problems to fix. But first, its disciples need to figure out how to govern themselves.


Mesa 19.0 RADV Vulkan Driver Gets New Fixes To Help DXVK Gaming [Phoronix]

Samuel Pitoiset of Valve's Linux graphics driver team has landed some fresh patches in Mesa 19.0 (and also marked for back-porting to the stable branch) to help out the DXVK gaming experience for Windows games using Direct3D 11 that are re-mapped to run on top of the Vulkan graphics API...


The eulogising of The Mother Of All Demos at 50 is Silicon Valley going goo-goo for gurus again [The Register]

Doug Engelbart retrofitted for mystical bullsh!t

Comment  There was a time, happy days, when no one wanted to read about the titans of tech. Or so the editors at the newspapers thought.…


Arctic Posts Second Warmest Year On Record In 2018, NOAA Says [Slashdot]

According to a new report released on Tuesday by the U.S. National Oceanographic and Atmospheric Administration, the Arctic had its second-hottest year on record in 2018. "Arctic air temperatures for the past five years have exceeded all previous records since 1900," according to the annual NOAA study, the 2018 Arctic Report Card, which said the year was second only to 2016 in overall warmth in the region. Reuters reports: The study said the Arctic warming continues at about double the rate of the rest of the planet, and that the trend appears to be altering the shape and strength of the jet stream air current that influences weather in the Northern Hemisphere. "Growing atmospheric warmth in the Arctic results in a sluggish and unusually wavy jet-stream that coincided with abnormal weather events," it said, noting that the changing patterns have often brought unusually frigid temperatures to areas south of the Arctic Circle. Some examples are "a swarm of severe winter storms in the eastern United States in 2018, and the extreme cold outbreak in Europe in March 2018 known as 'the Beast from the East.'"

Read more of this story at Slashdot.


QEMU 3.1 Released For Advancing The Linux Open-Source Virtualization Stack [Phoronix]

The QEMU emulator that is widely used by the open-source Linux virtualization stack is out with its version 3.1 feature release. This is the QEMU update that is adding multi-threaded Tiny Code Generator support, display improvements, adds the Cortex-A72 model and other ARM improvements, and various other enhancements...


Oxford startup magics up metamaterials for next-gen charging [The Register]

It doesn't make you invisible, but it could make powerups less painful

Imagine throwing your phone onto a car dashboard or table, knowing it'll power up. And imagine that tabletop or dashboard powering up several randomly aligned devices at once. Above an unassuming street in Oxford, engineers are ironing out the problems.…


UK white hats blacklisted by Cisco Talos after smart security code stumbles [The Register]

Cisco gracefully says it won't charge for the privilege

UK security training company Hacker House briefly had its site blocked after being mistaken for malware by Cisco's security wing Talos' smart "threat intelligence" software.…


Russian State TV Shows Off 'Robot' That's Actually a Man In a Robot Suit [Slashdot]

A "hi-tech robot" shown on Russian state television turns out to be a man in a suit. While airing footage of a technology forum aimed at kids, a Russian state TV reporter proclaimed that Boris the robot "has already learned to dance and he's not that bad." Gizmodo reports: This "robot" actually retails for 250,000 rubles (about $3,770), as first reported by the Guardian, and is made by a company called Show Robots. "Boris" features glowing eyes, and plastic parts -- and shockingly human-like movements. Probably because he needs a human inside to operate properly. This faux-robot (fauxbot?) mystery was actually first unraveled when some eagle-eyed Russian viewers on the internet noticed that a suspiciously human-like neck was showing in the video. The report notes that "there's no indication" that there was intent to deceive anyone. Instead, it "appears to be a case of a TV presenter getting confused with what he believed to be 'modern robots.'" You can watch the broadcast on Russia-24's YouTube channel.

Read more of this story at Slashdot.

Wednesday, 12 December


Wayland's Weston Switching Over To The Meson Build System [Phoronix]

Complementing the Meson build system support for Wayland itself, the Weston reference compositor now has been Meson-ized...


When it comes to AI research the West is winning, the East is rising and women are being left behind [The Register]

Annual AI Index report shows competitive times ahead

The US and Europe might be top dogs in machine learning at the moment, but the East is catching up fast, helped by massive government spending.…


'Cryptocurrencies Are Like Lottery Tickets That Might Pay Off in Future' [Slashdot]

With the price of bitcoin down 80% from its peak a year ago, and the larger cryptocurrency market in systemic collapse, has "peak crypto" come and gone? From a column: Perhaps, but don't expect to see true believers lining up to have their cryptocurrency tattoos removed just yet. At a recent conference I attended, the overwhelming sentiment was that market capitalisation of cryptocurrencies could explode over the next five years, rising to $5-10tn. For those who watched the price of bitcoin go from $13 in December 2012 to roughly $4,000 today, this year's drop from $20,000 was no reason to panic. It is tempting to say, "Of course the price is collapsing." Regulators are gradually waking up to the fact that they cannot countenance large expensive-to-trace transaction technologies that facilitate tax evasion and criminal activity. At the same time, central banks from Sweden to China are realising that they, too, can issue digital currencies. As I emphasised in my 2016 book on the past, present, and future of currency, when it comes to new forms of money, the private sector may innovate, but in due time the government regulates and appropriates. But as I also pointed out back then, just because the long-term value of bitcoin is more likely to be $100 than $100,000 does not necessarily mean that it definitely should be worth zero. The right way to think about cryptocurrency coins is as lottery tickets that pay off in a dystopian future where they are used in rogue and failed states, or perhaps in countries where citizens have already lost all semblance of privacy. It is no coincidence that dysfunctional Venezuela is the first issuer of a state-backed cryptocurrency (the "petro").

Read more of this story at Slashdot.


AMDGPU DC Gets Polaris Corruption Fix, Some Code Refactoring [Phoronix]

AMD has published their latest batch of "DC" Display Core patches for the AMDGPU Linux kernel driver...


Phew, galactic accident helps boffins explain dark matter riddle [The Register]

Texan-led team find ancient oddity that's full of the stuff

An accidental discovery by a team of astronomers has helped answer one of the burning questions about dark matter and where it came from.…


NVIDIA Now Shipping The Jetson AGX Xavier Module [Phoronix]

NVIDIA has been shipping the Jetson AGX Xavier Developer Kit the past few months while now they are beginning to ship the AGX Xavier Module intended for use in next-generation autonomous machines...


Ships Infected With Ransomware, USB Malware, Worms [Slashdot]

An anonymous reader writes: IT systems on boats aren't as air-gapped as people think and are falling victim to all sorts of cyber-security incidents, such as ransomware, worms, viruses, and other malware -- usually carried on board via USB sticks. These cyber-security incidents have been kept secret until now, and have only been recently revealed as past examples of what could go wrong, in a new "cyber-security guideline" released by 21 international shipping associations and industry groups. One of the many incidents: "A new-build dry bulk ship was delayed from sailing for several days because its ECDIS was infected by a virus. The ship was designed for paperless navigation and was not carrying paper charts. The failure of the ECDIS appeared to be a technical disruption and was not recognized as a cyber issue by the ship's master and officers. A producer technician was required to visit the ship and, after spending a significant time in troubleshooting, discovered that both ECDIS networks were infected with a virus. The virus was quarantined and the ECDIS computers were restored. The source and means of infection in this case are unknown. The delay in sailing and costs in repairs totaled in the hundreds of thousands of dollars (U.S.)." The document also highlights an incident involving ransomware. "For example, a shipowner reported not one, but two ransomware infections, both occurring due to partners, and not necessarily because of the ship's crew," reports ZDNet. Another ransomware incident occurred because the ship failed to set up proper (RDP) passwords: A ransomware infection on the main application server of the ship caused complete disruption of the IT infrastructure. The ransomware encrypted every critical file on the server and as a result, sensitive data were lost, and applications needed for ship's administrative operations were unusable. The incident was recurring even after complete restoration of the application server. 
The root cause of the infection was poor password policy that allowed attackers to brute force remote management services successfully. The company's IT department deactivated the undocumented user and enforced a strong password policy on the ship's systems to remediate the incident.
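
The route into that server (weak passwords on an exposed remote-management service, plus an account nobody had documented) is ordinary enough to be worth detecting rather than discovering after the encryption. The Python below is an added example, not code from the shipping guideline, ZDNet or any of the associations: it parses constructed Windows Security log lines (event 4625 is a failed logon, 4624 a successful one, and logon type 10, RemoteInteractive, is what RDP sessions record), flags any source address that accumulates a threshold of RDP failures inside a sliding window, records whether that same source then logged in successfully, and lists accounts that logged in but are missing from a documented-accounts inventory. The simplified line format, the addresses, the account names and the threshold are all constructed for the example.

```python
"""Added example: RDP brute-force detection and undocumented-account check
over constructed Windows Security log lines. Not from the guideline or ZDNet."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log in a simplified "timestamp EventID fields" layout.
# 4625 = failed logon, 4624 = successful logon, LogonType=10 = RDP session.
SAMPLE_LOG = """\
2018-12-10T02:00:01Z 4625 LogonType=10 Account=administrator Source=203.0.113.7
2018-12-10T02:00:03Z 4625 LogonType=10 Account=administrator Source=203.0.113.7
2018-12-10T02:00:05Z 4625 LogonType=10 Account=admin Source=203.0.113.7
2018-12-10T02:00:07Z 4625 LogonType=10 Account=root Source=203.0.113.7
2018-12-10T02:00:09Z 4625 LogonType=10 Account=shipadmin Source=203.0.113.7
2018-12-10T02:00:11Z 4624 LogonType=10 Account=shipadmin Source=203.0.113.7
2018-12-10T08:15:00Z 4624 LogonType=10 Account=master Source=10.0.0.5
2018-12-10T08:20:00Z 4625 LogonType=10 Account=master Source=10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<account>\S+) Source=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the constructed format
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event": int(d["event"]),
            "ltype": int(d["ltype"]),
            "account": d["account"].lower(),
            "src": d["src"],
        })
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sources with >= threshold RDP failures inside any sliding window.

    The returned dict maps source -> {"failures": peak count in a window,
    "success_after": True if that source later logged in successfully}.
    A success after a burst of failures is the strongest compromise signal.
    """
    failures = defaultdict(deque)
    flagged = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["ltype"] != 10:          # only RDP (RemoteInteractive) logons
            continue
        q = failures[e["src"]]
        if e["event"] == 4625:
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:   # drop failures outside window
                q.popleft()
            if len(q) >= threshold:
                entry = flagged.setdefault(
                    e["src"], {"failures": 0, "success_after": False})
                entry["failures"] = max(entry["failures"], len(q))
        elif e["event"] == 4624 and e["src"] in flagged:
            flagged[e["src"]]["success_after"] = True
    return flagged


def undocumented_accounts(events, documented):
    """Accounts that logged in successfully but are not in the inventory."""
    known = {a.lower() for a in documented}
    return sorted({e["account"] for e in events
                   if e["event"] == 4624 and e["account"] not in known})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(find_bruteforce(evs))
    print(undocumented_accounts(evs, ["master", "chiefeng"]))
```

On the constructed input the 203.0.113.7 source is flagged with five failures in under ten seconds followed by a success, and "shipadmin" surfaces as an account absent from the inventory. On a real host the same two checks would be fed from the Security event log instead of a string; the design point is that the burst-then-success pattern, not the failures alone, is the alert, and that the inventory comparison catches the undocumented user that a password policy by itself never would.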

Read more of this story at Slashdot.


FCC Panel Wants To Tax Internet-Using Businesses, Give the Money To ISPs [Slashdot]

The FCC's Broadband Deployment Advisory Committee (BDAC), which includes members like AT&T, Comcast, Google Fiber, Sprint, and other ISPs and industry representatives, is proposing a tax on websites to pay for rural broadband. Ars Technica reports: If adopted by states, the recommended tax would apply to subscription-based retail services that require Internet access, such as Netflix, and to advertising-supported services that use the Internet, such as Google and Facebook. The tax would also apply to any small- or medium-sized business that charges subscription fees for online services or uses online advertising. The tax would also apply to any provider of broadband access, such as cable or wireless operators. The collected money would go into state rural broadband deployment funds that would help bring faster Internet access to sparsely populated areas. Similar universal service fees are already assessed on landline phone service and mobile phone service nationwide. Those phone fees contribute to federal programs such as the FCC's Connect America Fund, which pays AT&T and other carriers to deploy broadband in rural areas. The BDAC tax proposal is part of a "State Model Code for Accelerating Broadband Infrastructure Deployment and Investment." Once finalized by the BDAC, each state would have the option of adopting the code. An AT&T executive who is on the FCC advisory committee argued that the recommended tax should apply even more broadly, to any business that benefits financially from broadband access in any way. The committee ultimately adopted a slightly more narrow recommendation that would apply the tax to subscription services and advertising-supported services only. The BDAC model code doesn't need approval from FCC commissioners -- "it is adopted by the BDAC as a model code for the states to use, at their discretion," Ajit Pai's spokesperson told Ars. 
As for how big the proposed taxes would be, the model code says that states "shall determine the appropriate State Universal Service assessment methodology and rate consistent with federal law and FCC policy."

Read more of this story at Slashdot.


Huawei exec out of jail, just as US accuses China of Marriott hack [The Register]

Tensions continue to build between two countries

The trade tensions between the US and China continue to build as American officials have accused Beijing of backing the massive Marriott data breach.…


Google Training Document Reveals How Temps, Vendors, and Contractors Are Treated [Slashdot]

"An internal Google training document exposed by The Guardian reveals how the company instructs employees on how to treat temps, vendors, and contractors (TVCs)," writes Slashdot reader Garabito. "This includes: 'not to reward certain workers with perks like T-shirts, invite them to all-hands meetings, or allow them to engage in professional development training.'" From the report: "Working with TVCs and Googlers is different," the training documentation, titled the The ABCs of TVCs, explains. "Our policies exist because TVC working arrangements can carry significant risks." The risks Google appears to be most concerned about include standard insider threats, like leaks of proprietary information, but also -- and especially -- the risk of being found to be a joint employer, a legal designation which could be exceedingly costly for Google in terms of benefits. Google's treatment of TVCs has come under increased scrutiny by the company's full-time employees (FTEs) amid a nascent labor movement at the company, which has seen workers speak out about both their own working conditions and the morality of the work they perform. American companies have long turned to temps and subcontractors to plug holes and perform specialized tasks, but Google achieved a dubious distinction this year when Bloomberg reported that in early 2018, the company did not directly employ a majority of its own workforce. According to a current employee with access to the figures, of approximately 170,000 people around the world who now work at Google, 50.05% are FTEs. The rest, 49.95%, are TVCs. The report notes that "the two-tier system has complicated labor activism at Google." On November 1st, after 20,000 workers joined a global walkout, "the company quickly gave in to one of the protesters' demands by ending forced arbitration in cases of sexual harassment -- but only for FTEs."

Read more of this story at Slashdot.


President Trump To Use Huawei CFO As a Bargaining Chip [Slashdot]

hackingbear shares a report from Politico, adding: "This fuels the suspicion that the Chinese executive is held as a hostage for the ongoing trade negotiation with China." From the report: President Donald Trump said on Tuesday that he reserved the right to weigh in on the Justice Department's case against the CFO of Huawei, if it would help him close a trade deal with Beijing or would serve other American national security interests. "If I think it's good for what will be certainly the largest trade deal ever made -- which is a very important thing -- what's good for national security -- I would certainly intervene if I thought it was necessary," Trump told Reuters. Trump added that President Xi Jinping of China had not called him about the case, but that the White House had been in touch with both the Justice Department and Chinese officials. Huawei's CFO, Meng Wanzhou, was arrested in Canada earlier this month at the request of American authorities, who allege that she violated U.S. sanctions against Iran. Yesterday, a Vancouver judge ruled that Meng would be released on a $7.5 million bail if she remains in British Columbia.

Read more of this story at Slashdot.


Kubernetes has become 'boring' and that's good, Google tells devs [The Register]

Thrill-seeking infrastructure devs accept end of caffeine-fueled ops frenzy with murmur

Kubernetes "is now very, very boring," declared Janet Kuo, software engineer at Google, at KubeCon + CloudNativeCon North America 2018 in Seattle, Washington, on Wednesday.…


Apple Is Making Its Own Modem To Compete With Qualcomm, Report Says [Slashdot]

An anonymous reader quotes a report from The Verge: Apple is apparently working on its own, in-house developed modem to allow it to better compete with Qualcomm, according to several new Apple job listings that task engineers to design and develop a layer 1 cellular PHY chip -- implying that the company is working on actual, physical networking hardware. Two of the job posts are explicitly to hire a pair of cellular modem systems architects, one in Santa Clara and one in San Diego, home of Qualcomm. That's alongside several other job postings Apple has listed in San Diego for RF design engineers. The Information, which spotted the first job posting, cites sources that go a step further, claiming that Apple is not only potentially working to develop its own modem, but is in fact specifically targeting it for use in future iPhones, with the company looking to leave longtime partner Intel behind in favor of its own, in-house solution. According to The Information's report, the new modem would still be years away, with even Apple's purported 5G iPhone slated for 2020 using Intel's in-development 5G modem instead. It makes sense logically, too -- if Apple is only just starting to hire now, it'll take at least a few years before it'll actually be ready to ship hardware. But the move would have big ramifications for the mobile space, particularly for Qualcomm and Intel, two of the biggest modem suppliers in the world.

Read more of this story at Slashdot.


Small American town rejects Comcast – while ISP reps take issue with your El Reg vultures [The Register]

And the FCC and AT&T claim everything is hunky dory

Just how much do you hate Comcast? Enough to spend $1m of your own money to escape its clutches?…


California Considers Text Messaging Tax To Fund Cell Service For Low-Income Residents [Slashdot]

According to a report from the California Public Utilities Commission (CPUC), California may soon tax text messaging to help fund programs that make phone service available for low-income residents. The report says the tax would likely be a flat fee added to a monthly bill instead of a per text tax. The Hill reports: The report outlines the shrinking revenue coming from a current tax on the telecommunications industry and argues that a new tax on text messaging should be put in place to make up for it. "From a consumer's point of view, surcharges may be a wash, because if more surcharge revenues come from texting services, less would be needed from voice services," CPUC spokeswoman Constance Gordon said in a statement. "Generally, those consumers who create greater texting revenues may pay a bit more, whereas consumers using more voice services may pay less." "Parties supporting the collection of surcharges on text messaging revenue argue that it will help preserve and advance universal service by increasing the revenue base upon which Public Purpose Programs rely. We agree," the report states. The CTIA, a trade association representing major carriers in the wireless industry, says the tax is anti-competitive and would put carriers at a disadvantage against social media messaging apps from tech companies such as Google and Facebook. The CPUC is expected to vote on the proposal in January 2019.

Read more of this story at Slashdot.


AMDGPU For Linux 4.20 Gets The Final Radeon RX 590 Fix, Adds The New Vega PCI IDs [Phoronix]

With just over one week to go until the expected Linux 4.20 kernel release, Alex Deucher of AMD today sent in the latest batch of fixes to the DRM tree for landing at the end of this cycle...


It is with a heavy heart that we must inform you hackers are targeting 'nuclear, defense, energy, financial' biz [The Register]

Sharpshooter takes aim at critical infrastructure

Hackers are targeting critical infrastructure providers, including nuclear power and defense agencies, in what may be a state-sponsored attack that's hiding behind North Korean code.…


Facebook Settles Oculus VR Lawsuit With ZeniMax [Slashdot]

"Gaming giant ZeniMax Media's lawsuit against Facebook over the misuse of intellectual property related to the founding of Oculus VR has finally been settled," reports TechCrunch. In a statement, ZeniMax CEO Robert Altman said, "We are pleased that a settlement has been reached and are fully satisfied by the outcome. While we dislike litigation, we will always vigorously defend against any infringement or misappropriation of our intellectual property by third parties." From the report: At the trial's conclusion, the judge awarded ZeniMax $500 million in damages to be paid by the defendants, including Facebook and some of the Oculus VR co-founders, a figure that Facebook appealed and had reduced to $250 million. Following the initial verdict, ZeniMax sought an injunction on sales of Facebook's Oculus Rift headset, claiming the device violated key IP. Terms of this settlement weren't disclosed. The trial was notable in that it offered a rare moment on the stand for a number of Facebook executives, including CEO Mark Zuckerberg. It also gave rare insight into the details surrounding the company's founding and acquisition.

Read more of this story at Slashdot.


GNOME 3.31.3 Released As Another Step Towards GNOME 3.32 [Phoronix]

GNOME 3.31.3 was released today as the latest development stepping stone towards next March's GNOME 3.32 desktop environment update...


FCC Gives Carriers the Option To Block Text Messages [Slashdot]

An anonymous reader quotes a report from CNET: The Federal Communications Commission said it's getting tough on text message spam by clarifying that phone companies can block unwanted texts. At its monthly meeting Wednesday, the Republican-led agency voted 3-1 to classify SMS text messages as a so-called Title I information service under the Telecom Act. The three Republicans on the FCC, which voted to adopt the classification, said this would allow phone companies to block spam text messages. FCC Chairman Ajit Pai said the new classification would empower wireless providers to stop unwanted text messages. "The FCC shouldn't make it easier for spammers and scammers to bombard consumers with unwanted texts," he said during the meeting. "And we shouldn't allow unwanted messages to plague wireless messaging services in the same way that unwanted robocalls flood voice services." But he said that's what would happen if the FCC were to classify text messages as a Title II telecommunications service under the law. Jessica Rosenworcel, the lone Democrat on the FCC, disagrees with the classification. "Today's decision offers consumers no new ability to prevent robotexts," she said."It simply provides that carriers can block our text messages and censor the very content of those messages themselves." She says the FCC did the same thing to the internet last year when it repealed Obama-era net neutrality rules. "That means on the one-year anniversary of the FCC's misguided net neutrality decision -- which gave your broadband provider the power to block websites and censor online content -- this agency is celebrating by expanding those powers to also include your text messages," she added.

Read more of this story at Slashdot.


Here's 2018 in a nutshell for you... Russian super robot turns out to be man in robot suit [The Register]

State TV can't decide whether it was duped or not

Video  Every year Russia holds – and broadcasts on state television – a tech showcase of its latest products for an audience of hundreds of school kids.…


Linux Is Already In Good Shape For The New Features Of Intel Gen11 Graphics & Icelake [Phoronix]

Besides the Icelake demos at the Intel Architecture Day running on Ubuntu, Intel closely tracks upstream Linux kernel development, so most of the new features presented for Sunny Cove and Gen11 graphics have already been merged or have at least been available in patch form for some months within the Linux ecosystem. Here's a look at the features talked about yesterday and their state on Linux...


New LG Gram is the Lightest 17-inch Laptop Ever at Just 3 Pounds [Slashdot]

LG has unveiled two new laptops in its Gram lineup in advance of CES in Las Vegas next month, and the Gram 17 looks like a stunner. LaptopMag: It weighs just 3 pounds, which is crazy light for a notebook with a 17-inch display. That's the same weight as the 13-inch MacBook Pro with Touch Bar. A typical 17-inch laptop weighs 6 to 6.5 pounds, so getting such a big screen in such a lightweight package is definitely no small feat. Does that mean the specs are skimpy? Nope. LG says the 15 x 10.5 x 0.7-inch Gram 17 packs an 8th-generation Intel Core i7-8565U, up to 16GB of RAM and a 512GB SSD. (There's also a slot for an additional SSD). The Gram 17's 72W battery is rated for up to 19.5 hours of usage, which we will obviously put to the test once we get our hands on the laptop. Other highlights include a sharp 2560 x 1600 pixel display with a 16:10 aspect ratio, a fingerprint reader and a chassis that's rated MIL-STD-810G for durability. LG's website lists a suggested price of $1,699.99 for the LG Gram 17.

Read more of this story at Slashdot.


Hole-y ship: ISS 'nauts take a wander to crack Soyuz driller whodunnit [The Register]

In Soviet Russia, comrade find small hole by making much bigger hole

Spacewalking cosmonauts clambered outside the ISS yesterday to get an external view of the mystery hole drilled into the Soyuz, which is due to return three crew members to Earth next week.…


Doubles all round for the server-makers: Market inhales $23.36bn for the quarter [The Register]

Dell EMC, HPE and ODMs frolic as cloud rains cash

The continued data centre refresh cycle and seemingly insatiable demand from the big cloud slingers to bulk out their infrastructure saw server vendors make hay while the sun shone in Q3.…


Europe -- not the US or China -- Publishes the Most AI Research Papers [Slashdot]

The popular narrative around artificial intelligence research is that it's mainly a war between China and the United States. Not so fast, says Europe. From a report: New data released today (Dec. 12; PDF file) by the AI Index, a project to track the advancement of artificial intelligence, shows a trend of Europe releasing more papers than either the US or China. The data was assembled from Scopus, a citation database owned by scientific publishing company Elsevier. If the current trend continues, China will soon overtake Europe in the number of papers published. The number of papers out of China grew 17% in 2017, compared to a 13% increase in the US, and 8% in Europe. Europe boasts top universities doing work in AI, such as Oxford, University College London, and ETH Zurich, in addition to being home to branches of tech companies like Google, Microsoft, and Amazon. Alphabet's DeepMind operates out of London, and French president Emmanuel Macron has been particularly bullish on AI in Europe. Since being elected in 2017, he has already laid out initiatives to bolster the amount of research and corporate AI stationed in France. [...] The AI Index report credits the huge 70% increase in Chinese AI papers in 2008 to a government program promoting long-term research in artificial intelligence through 2020.

Read more of this story at Slashdot.


Thwack... boing: Amazon EFS rival Elastifile flings out multi-cloud file store through Google [The Register]

Ain't no marketplace like a third-party marketplace

Scale-out software filer supplier Elastifile has buddied up with Google to thrust its NAS file system into Mountain View's Cloud Platform.…


AMDVLK 2018.Q4.4 Driver Update Brings Performance Improvements, New Vulkan Bits [Phoronix]

AMD developers today outed their latest "AMDVLK" open-source Vulkan driver code drop dubbed AMDVLK 2018.Q4.4...


Intel Unveils Roadmaps For Core Architecture and Atom Architecture [Slashdot]

Intel on Wednesday surprised a number of people when it shared not one roadmap on CPUs, but two. AnandTech: For the high performance Core architecture, Intel lists three new codenames over the next three years. To be very clear here, these are the codenames for the individual core microarchitecture, not the chip, which is an important departure from how Intel has previously done things. Sunny Cove, built on 10nm, will come to market in 2019 and offer increased single-threaded performance, new instructions, and 'improved scalability'. Willow Cove looks like it will be a 2020 core design, most likely also on 10nm. Intel lists the highlights here as a cache redesign (which might mean L1/L2 adjustments), new transistor optimizations (manufacturing based), and additional security features, likely further hardening against new classes of side-channel attacks. Golden Cove rounds out the trio, and is firmly in that 2021 segment in the graph. Process node here is a question mark, but we're likely to see it on 10nm and/or 7nm. Golden Cove is where Intel adds another slice of the serious pie onto its plate, with an increase in single threaded performance, a focus on AI performance, and potential networking and AI additions to the core design. Security features also look like they get a boost. The lower-powered Atom microarchitecture roadmap is on a slower cadence than the Core microarchitecture, which is not surprising given its history. The upcoming microarchitecture for 2019 is called Tremont, which focuses on single threaded performance increases, battery life increases, and network server performance. Based on some of the designs later in this article, we think that this will be a 10nm design. Following Tremont will be Gracemont, which Intel lists as a 2021 product. Beyond this will be a future 'mont' core (and not month as listed in the image).

Read more of this story at Slashdot.


Bulk surveillance is always bad, say human rights orgs appealing against top Euro court [The Register]

Liberty and pals seek to prove intrusive spy powers can never be justified

A band of human rights organisations have appealed against a top European court's ruling on bulk surveillance, arguing that any form of mass spying breaches rights to privacy and free expression.…


Thanks to UK peers, coming to a laptop near you in 2019: Age checks for online smut [The Register]

Pr0n to be gated despite misgivings, says minister

Age checks for online porn are expected to come into force around Easter 2019, as peers yesterday signed off on the final regulations and guidance despite acknowledging they will not be wholly efficient.…


Intel Reveals 10nm Sunny Cove CPU Cores That Go Deeper, Wider, and Faster [Slashdot]

Long criticized for reusing old cores in its recent CPUs, Intel on Wednesday showed off a new 10nm Sunny Cove core that will bring faster single-threaded and multi-threaded performance along with major speed bumps from new instructions. From a report: Sunny Cove, which many believe will go into Intel's upcoming Ice Lake-U CPUs early next year, will be "deeper, wider, and smarter," said Ronak Singhal, director of Intel's Architecture Cores Group. Singhal said the three approaches should boost the performance of Sunny Cove CPUs. By doing "deeper," Sunny Cove cores find greater opportunities for parallelism by increasing the cache sizes. "Wider" means the new cores will execute more operations in parallel. Compared to the Skylake architecture (which is also the basis of Kaby Lake and Coffee Lake chips), the chip goes from a 4-wide design to 5-wide. Intel says Sunny Cove also increases performance in specialized tasks by adding new instructions that will improve the speed of cryptography and AI and machine learning.

Read more of this story at Slashdot.


NVIDIA 415.23 Driver Fixes Build Issues Against Linux 4.20 Kernel [Phoronix]

It was just last week NVIDIA released the 415.22 driver while out today is the 415.23 update...


Britain approved £2.5m of snooping kit exports to thoroughly snuggly regime in Saudi Arabia [The Register]

Who was Jamal Khashoggi, anyway?

British ministers have approved the export of more than £2.4m worth of telecoms snooping gear to Saudi Arabia, in spite of its very obvious human rights problems, according to a report.…


FreeBSD 12 Released [Slashdot]

New submitter vivekgite writes: The 12th version of FreeBSD has been released, bringing support for updated hardware. Some of the highlights include: OpenSSL has been updated to version 1.1.1a (LTS). Unbound has been updated to version 1.8.1, and DANE-TA has been enabled by default. OpenSSH has been updated to version 7.8p1. Additional capsicum(4) support has been added to sshd(8). Clang, LLVM, LLD, LLDB, compiler-rt and libc++ have been updated to version 6.0.1. The vt(4) Terminus BSD Console font has been updated to version 4.46. The bsdinstall(8) utility now supports UEFI+GELI as an installation option. The VIMAGE kernel configuration option has been enabled by default. The NUMA option has been enabled by default in the amd64 GENERIC and MINIMAL kernel configurations. The netdump(4) driver has been added, providing a facility through which kernel crash dumps can be transmitted to a remote host after a system panic. The vt(4) driver has been updated with performance improvements, drawing text at rates ranging from 2- to 6-times faster. Various improvements to graphics support for current generation hardware. Support for capsicum(4) has been enabled on armv6 and armv7 by default. The UFS/FFS filesystem has been updated to consolidate TRIM/BIO_DELETE commands, reducing read/write requests due to fewer TRIM messages being sent simultaneously. The NFS version 4.1 server has been updated to include pNFS server support. The pf(4) packet filter is now usable within a jail(8) using vnet(9). The bhyve(8) utility has been updated to add NVMe device emulation. The bhyve(8) utility is now able to be run within a jail(8). Various Lua loader(8) improvements. KDE has been updated to version 5.12.

Read more of this story at Slashdot.


Webinar: Supermicro and Intel offer a taste of cloud innovations [The Register]

Test your own workload at their Cloud Center of Excellence

Promo  Server giant Supermicro recently teamed up with Intel to set up its Cloud Center of Excellence (CCoE) at its logistics hub and manufacturing facility in the Netherlands.…


JFrog to open freebie central repository for Go fans in the new year [The Register]

Your code is immutable, and always believed in... 'cause you use Go(Center)

Updated  Self-proclaimed "Database of DevOps" JFrog is about to fling open the first central repository for Go modules in the form of GoCenter.…


The Record For High-Temperature Superconductivity Has Been Smashed Again [Slashdot]

Chemists have found a material that can display superconducting behavior at a temperature warmer than it currently is at the North Pole. The work brings room-temperature superconductivity tantalizingly close. From a report: The work comes from the lab of Mikhail Eremets and colleagues at the Max Planck Institute for Chemistry in Mainz, Germany. Eremets and his colleagues say they have observed lanthanum hydride (LaH10) superconducting at the sweltering temperature of 250 K, or -23C. That's warmer than the current temperature at the North Pole. "Our study makes a leap forward on the road to the room-temperature superconductivity," say the team. (The caveat is that the sample has to be under huge pressure: 170 gigapascals, or about half the pressure at the center of the Earth.)

Read more of this story at Slashdot.


Saturday Morning Breakfast Cereal - Gold [Saturday Morning Breakfast Cereal]

Click here to go see the bonus panel!

Pyrite is actually much more visually interesting than gold, but after the apocalypse comes, you won't be able to trade it for dune buggies, scimitars, and spiked helmets.

Today's News:


Having swallowed its pride and started again with 10nm chips, Intel teases features in these 2019-ish processors [The Register]

3D stacks of Arm-like core clusters, APIs, and more coming some time soon

"We have humble pie to eat right now, and we're eating it," Murthy Renduchintala, Intel's chief engineering officer, said yesterday. "My view on [Intel's] 10nm is that brilliant engineers took a risk, and now they're retracing their steps and getting it right."…


Intel Working On Open-Sourcing The FSP - Would Be Huge Win For Coreboot & Security [Phoronix]

Intel's Architecture Day on Tuesday was delightfully filled with an overwhelming amount of valuable hardware information, but Intel's software efforts were also briefly touched on. In fact, Raja Koduri reinforced how software is a big part of Intel technology and goes hand-in-hand with their security, interconnect, memory, architecture, and process pillars, and that's where their new oneAPI initiative will fit in. But what we learned afterwards was most exciting on the software front...


Intel Developing "oneAPI" For Optimized Code Across CPUs, GPUs, FPGAs & More [Phoronix]

Intel's 2018 Architecture Day was primarily focused on the company's hardware architecture road-map, but one of the software (pre)announcements was their oneAPI software stack...


Linux Kernel Developers Discuss Dropping x32 Support [Slashdot]

An anonymous reader shared a report: It was just several years ago that the open-source ecosystem began supporting the x32 ABI, but already kernel developers are talking of potentially deprecating the support and for it to be ultimately removed. [...] While the x32 support was plumbed through the Linux landscape, it really hasn't been used much. Kernel developers are now discussing the future of the x32 ABI due to the maintenance cost involved in still supporting this code but with minimal users. Linus Torvalds is in favor of sunsetting x32, and many other upstream contributors are in favor of seeing it deprecated and removed.

Read more of this story at Slashdot.

Intel Details Gen11 Graphics & Sunny Cove For Icelake [Phoronix]

At Intel's architecture day, the company finally detailed their "Gen 11" graphics that we've been seeing open-source Linux graphics driver patches for many months (Intel OTC posted their initial open-source display driver code in early January and has continued the enablement work since) albeit elusive in substantive user details and hardware until Icelake. But today at least we can share more about the significant improvements with Gen11 graphics...


Need continuous Kubernetes satisfaction? CloudBees has just the thing [The Register]

DevOps outfit also unleashes commercial support for Jenkins X

The gang at DevOps darlings CloudBees have been busy, er, bees and flung out a new continuous delivery product for Kubernetes development in the form of Core while also kicking off commercial support for Jenkins X.…


Chinese Spies Reportedly Behind Massive Marriott Hack [Slashdot]

An anonymous reader quotes a report from CNET: A Chinese intelligence-gathering effort was behind the massive Marriott hotels data breach that exposed the personal information for up to 500 million people, the New York Times reported Tuesday. The hackers are believed to have been working for China's Ministry of State Security, the Times reported citing sources who had been briefed on the investigation's preliminary results. The revelation emerges as the U.S. Justice Department is preparing to announce new indictments against Chinese hackers working for the intelligence and military services, the Times reported. The hotel chain revealed last month that it had discovered that hackers had compromised the guest reservation database of its Starwood division, whose brands include Sheraton, W Hotels, Westin, Le Meridien, Four Points by Sheraton, Aloft and St. Regis. Marriott said some of the stolen information also included payment card numbers and expiration dates. Private investigators involved in a probe into the breach had previously discovered hacking tools, techniques and procedures that were used in earlier cyberattacks that have been linked to Chinese hackers.

Read more of this story at Slashdot.


Dixons Carphone smarting from £440m loss as it writes down goodwill on mobile biz [The Register]

No one's buying new friggin' handsets, says retailer

Dixons Carphone today reported a £440m statutory loss at the halfway stage of its fiscal '19 after writing down the goodwill of its mobile division, sending its shares tumbling by almost 12 per cent.…


China’s losing its taste for nuclear power. That’s bad news. [Top News - MIT Technology Review]

Once nuclear’s strongest booster, China is growing wary about its cost and safety.


DXC Technology turns to BT Security to nab its infosec bossman [The Register]

Waves bye to yet ANOTHER HPE exec, internal memo confirms

DXC Technology UK arm has hired former BT Security CEO Mark Hughes to run its global security function, replacing yet another old timer from the Hewlett Packard Enterprise side of the merger.…


Ticketmaster tells customer it's not at fault for site's Magecart malware pwnage [The Register]

Uh, hello? Didn't you put third-party Javascript on a payment page?

Ticketmaster is telling its customers that it wasn't to blame for the infection of its site by a strain of the Magecart cred-stealing malware – despite embedding third-party Javascript into its payments page.…


Qualcomm all ye faithful: 5G's soon triumphant... like 2020 soon. Really [The Register]

We just modem down with that headline (OK maybe not)

As the chip supplier to almost half the phone market, Qualcomm should be able to make a decent guess about when 5G will condense from vapourware into something more solid.…


Btrfs Restoring Support For Swap Files With Linux 4.21 [Phoronix]

The Btrfs file-system hasn't supported swap files in nearly a decade, but that support will be restored with the upcoming Linux 4.21 kernel...


How to Build a Netboot Server, Part 2 [Fedora Magazine]

The article How to Build a Netboot Server, Part 1 showed you how to create a netboot image with a “liveuser” account whose home directory lives in volatile memory. Most users probably want to preserve files and settings across reboots, though. So this second part of the netboot series shows how to reconfigure the netboot image from part one so that Active Directory user accounts can log in and their home directories can be automatically mounted from an NFS server.

Part 3 of this series will show how to make an interactive and centrally-configurable iPXE boot menu for the netboot clients.

Setup NFS4 Home Directories with KRB5 Authentication

Follow the directions from the previous post “Share NFS Home Directories Securely with Kerberos,” then return here.

Remove the Liveuser Account

Remove the “liveuser” account created in part one of this series:

$ sudo -i
# sed -i '/automaticlogin/Id' /fc28/etc/gdm/custom.conf
# rm -f /fc28/etc/sudoers.d/liveuser
# for i in passwd shadow group gshadow; do sed -i '/^liveuser:/d' /fc28/etc/$i; done

Configure NTP, KRB5 and SSSD

Next, duplicate in the client image the NTP, KRB5 and SSSD configuration that we set up on the server, so that the same accounts are available on the clients. (MY_DOMAIN and MY_REALM are the variables set in the Kerberos post referenced above.)

# MY_HOSTNAME=$(</etc/hostname)
# dnf -y --installroot=/fc28 install ntp krb5-workstation sssd
# cp /etc/ntp.conf /fc28/etc
# chroot /fc28 systemctl enable ntpd.service
# cp /etc/krb5.conf.d/${MY_DOMAIN%%.*} /fc28/etc/krb5.conf.d
# cp /etc/sssd/sssd.conf /fc28/etc/sssd

Reconfigure sssd to provide authentication services, in addition to the identification service already configured:

# sed -i '/services =/s/$/, pam/' /fc28/etc/sssd/sssd.conf

Also, ensure none of the clients attempt to update the computer account password. Every client boots from the same image and therefore shares one computer account and one keytab; if a single client rotated the password, the keytab in the image would stop working for all of them:

# sed -i '/id_provider/a \ \ ad_maximum_machine_account_password_age = 0' /fc28/etc/sssd/sssd.conf

Also, copy the nfsnobody definitions:

# for i in passwd shadow group gshadow; do grep "^nfsnobody:" /etc/$i >> /fc28/etc/$i; done

Join Active Directory

Next, you’ll perform a chroot to join the client image to Active Directory. Begin by deleting any pre-existing computer account with the same name your netboot image will use:

# MY_USERNAME=jsmith
# MY_CLIENT_HOSTNAME=$(</fc28/etc/hostname)
# adcli delete-computer "${MY_CLIENT_HOSTNAME%%.*}" -U "$MY_USERNAME"

Also delete the krb5.keytab file from the netboot image if it exists:

# rm -f /fc28/etc/krb5.keytab

Perform a chroot into the netboot image:

# for i in dev dev/pts dev/shm proc sys run; do mount -o bind /$i /fc28/$i; done
# chroot /fc28 /usr/bin/bash --login

Perform the join:

# MY_USERNAME=jsmith
# MY_HOSTNAME=$(</etc/hostname)
# MY_OU="cn=computers,dc=${MY_DOMAIN//./,dc=}"
# adcli join $MY_DOMAIN --login-user="$MY_USERNAME" --computer-name="${MY_HOSTNAME%%.*}" --host-fqdn="$MY_HOSTNAME" --user-principal="host/$MY_HOSTNAME@$MY_REALM" --domain-ou="$MY_OU"

Now log out of the chroot and clear the root user’s command history:

# logout
# for i in run sys proc dev/shm dev/pts dev; do umount /fc28/$i; done
# > /fc28/root/.bash_history

Install and Configure PAM Mount

We want our clients to automatically mount the user’s home directory when they log in. To accomplish this, we’ll use the “pam_mount” module. Install and configure pam_mount (the uid range in the volume element should match the range SSSD assigns to your domain’s users, so that the mount is only attempted for domain accounts):

# dnf install -y --installroot=/fc28 pam_mount
# cat << END > /fc28/etc/security/pam_mount.conf.xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
<debug enable="0" />
<volume uid="1400000000-1499999999" fstype="nfs4" server="$MY_HOSTNAME" path="/home/%(USER)" mountpoint="/home/%(USER)" options="sec=krb5" />
<mkmountpoint enable="1" remove="0" />
</pam_mount>
END

Reconfigure PAM to use pam_mount (patch -l ignores differences in column alignment between the profile shipped with your authselect version and the hunks below):

# dnf install -y patch
# cp -r /fc28/usr/share/authselect/default/sssd /fc28/etc/authselect/custom
# echo 'initgroups: files' >> /fc28/etc/authselect/custom/sssd/nsswitch.conf
# patch -l /fc28/etc/authselect/custom/sssd/system-auth << END
@@ -12 +12,2 @@
-auth        sufficient                          pam_sss.so forward_pass
+auth        requisite                           pam_mount.so {include if "with-pammount"}
+auth        sufficient                          pam_sss.so {if "with-pammount":use_first_pass|forward_pass}
@@ -35,2 +36,3 @@
 session     required                            pam_unix.so
+session     optional                            pam_mount.so {include if "with-pammount"}
 session     optional                            pam_sss.so
END
# patch -l /fc28/etc/authselect/custom/sssd/password-auth << END
@@ -9 +9,2 @@
-auth        sufficient                          pam_sss.so forward_pass
+auth        requisite                           pam_mount.so {include if "with-pammount"}
+auth        sufficient                          pam_sss.so {if "with-pammount":use_first_pass|forward_pass}
@@ -32,2 +33,3 @@
 session     required                            pam_unix.so
+session     optional                            pam_mount.so {include if "with-pammount"}
 session     optional                            pam_sss.so
END
# chroot /fc28 authselect select custom/sssd with-pammount --force

Also ensure the NFS server’s hostname is always resolvable from the client:

# MY_IP=$(host -t A $MY_HOSTNAME | awk '{print $4}')
# echo "$MY_IP $MY_HOSTNAME ${MY_HOSTNAME%%.*}" >> /fc28/etc/hosts

Optionally, allow all users to run sudo. Bear in mind that this rule gives every domain account that can log in to a client passwordless root on it; in most environments you would name an administrators group instead of %users:

# echo '%users ALL=(ALL) NOPASSWD: ALL' > /fc28/etc/sudoers.d/users

Convert the NFS Root to an iSCSI Backing-Store

Current versions of nfs-utils may have difficulty establishing a second connection from the client back to the NFS server for home directories when an nfsroot connection is already established. The client hangs when attempting to access the home directory. So, we will work around the problem by using a different protocol (iSCSI) for sharing our netboot image.

First chroot into the image to reconfigure its initramfs for booting from an iSCSI root:

# for i in dev dev/pts dev/shm proc sys run; do mount -o bind /$i /fc28/$i; done
# chroot /fc28 /usr/bin/bash --login
# dnf install -y iscsi-initiator-utils
# sed -i 's/nfs/iscsi/' /etc/dracut.conf.d/netboot.conf
# echo 'omit_drivers+=" qedi "' > /etc/dracut.conf.d/omit-qedi.conf
# echo 'blacklist qedi' > /etc/modprobe.d/blacklist-qedi.conf
# KERNEL=$(ls -c /lib/modules | head -n 1)
# INITRD=$(find /boot -name 'init*' | grep -m 1 $KERNEL)
# dracut -f $INITRD $KERNEL
# logout
# for i in run sys proc dev/shm dev/pts dev; do umount /fc28/$i; done
# > /fc28/root/.bash_history

The qedi driver broke iscsi during testing, so it’s been disabled here.
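Before the tree is copied into an image it is worth confirming that the earlier steps actually took effect, since whatever is left in /fc28 ends up on every client. The following function is an added example and not part of the Fedora Magazine article: given the image root (/fc28 here, or a scratch tree), it reports liveuser leftovers, a blanket NOPASSWD rule for %users, a machine keytab readable by group or other (or missing altogether), and a non-empty root history from the chroot sessions. The netboot-admins group in the usage note is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Fedora Magazine article: a pre-export audit
# of the netboot image tree. Pass the image root (/fc28 in the article); the
# function prints one line per finding and returns 0 only when it is clean.
# Usage: audit_image /fc28 && echo "image is clean"

audit_image() {
    local root=$1 rc=0 f

    # 1. The liveuser account from part one must be gone from all four
    #    account files, and its sudoers drop-in must be deleted.
    for f in passwd shadow group gshadow; do
        if [ -f "$root/etc/$f" ] && grep -q '^liveuser:' "$root/etc/$f"; then
            echo "liveuser still present in /etc/$f"; rc=1
        fi
    done
    if [ -e "$root/etc/sudoers.d/liveuser" ]; then
        echo "/etc/sudoers.d/liveuser still present"; rc=1
    fi

    # 2. A NOPASSWD rule for %users gives every domain account that can log
    #    in root on the client. Flag it; the same rule for a named admin
    #    group (e.g. %netboot-admins, an assumed name) is accepted.
    if grep -rqs '^%users .*NOPASSWD' "$root/etc/sudoers.d/"; then
        echo "/etc/sudoers.d grants %users passwordless sudo"; rc=1
    fi

    # 3. The domain join wrote the shared machine keytab into the image.
    #    It must exist (otherwise the image is not joined) and must not be
    #    readable by group or other. ls -ld is used instead of stat so the
    #    check is portable; mode 600 or 400 shows as "------" in columns 5-10.
    if [ -f "$root/etc/krb5.keytab" ]; then
        case $(ls -ld "$root/etc/krb5.keytab") in
            ????------*) ;;
            *) echo "/etc/krb5.keytab is readable by group or other"; rc=1 ;;
        esac
    else
        echo "/etc/krb5.keytab missing: image is not joined to the domain"; rc=1
    fi

    # 4. Each chroot session ends by clearing root's history; a non-empty
    #    file means that step was skipped and the join command line is in
    #    the image.
    if [ -s "$root/root/.bash_history" ]; then
        echo "/root/.bash_history is not empty"; rc=1
    fi

    return $rc
}
```

Run it after the last chroot session and before the cp -a into the image; a clean run is the point at which the tree is safe to share with every client.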

Next, create a fc28.img sparse file. This file serves as the iSCSI target’s backing store:

# FC28_SIZE=$(du -ms /fc28 | cut -f 1)
# dd if=/dev/zero of=/fc28.img bs=1MiB count=0 seek=$(($FC28_SIZE*2))

(If you have one available, a separate partition or disk drive can be used instead of creating a file.)

Next, format the image with a filesystem, mount it, and copy the netboot image into it:

# mkfs -t xfs -L NETROOT /fc28.img
# TEMP_MNT=$(mktemp -d)
# mount /fc28.img $TEMP_MNT
# cp -a /fc28/* $TEMP_MNT
# umount $TEMP_MNT

During testing using SquashFS, the client would occasionally stutter. It seems that SquashFS does not perform well when doing random I/O from a multiprocessor client. (See also The curious case of stalled squashfs reads.) If you want to improve throughput performance with filesystem compression, ZFS is probably a better option.

If you need extremely high throughput from the iSCSI server (say, for hundreds of clients), it might be possible to load balance a Ceph cluster. For more information, see Load Balancing Ceph Object Gateway Servers with HAProxy and Keepalived.

Install and Configure iSCSI

Install the scsi-target-utils package, which provides the iSCSI target daemon (tgtd) for serving our image out to our clients:

# dnf install -y scsi-target-utils

Configure the iSCSI daemon to serve the fc28.img file:

# MY_REVERSE_HOSTNAME=$(echo $MY_HOSTNAME | tr '.' "\n" | tac | tr "\n" '.' | cut -b -${#MY_HOSTNAME})
# cat << END > /etc/tgt/conf.d/fc28.conf
<target iqn.$MY_REVERSE_HOSTNAME:fc28>
  backing-store /fc28.img
  readonly 1
</target>
END

The leading iqn. prefix is expected by dracut’s network module under /usr/lib/dracut/modules.d/40network/. Note that this definition exports the image read-only but carries no initiator-address ACL and no CHAP (incominguser) entry, so any host that can reach tgtd on port 3260 can read it, and the image now contains the shared /etc/krb5.keytab written by the domain join. Keep the firewall exception below scoped to the zone of the client-facing interface rather than opening it on every interface.

Add an exception to the firewall and enable and start the service:

# firewall-cmd --add-service=iscsi-target
# firewall-cmd --runtime-to-permanent
# systemctl enable tgtd.service
# systemctl start tgtd.service

You should now be able to see the image being shared with the tgtadm command:

# tgtadm --mode target --op show

The above command should output something similar to the following:

Target 1:
    System information:
        Driver: iscsi
        State: ready
    I_T nexus information:
    LUN information:
        LUN: 0
            Type: controller
            SCSI ID: IET     00010000
            SCSI SN: beaf10
            Size: 0 MB, Block size: 1
            Online: Yes
            Removable media: No
            Prevent removal: No
            Readonly: No
            SWP: No
            Thin-provisioning: No
            Backing store type: null
            Backing store path: None
            Backing store flags: 
        LUN: 1
            Type: disk
            SCSI ID: IET     00010001
            SCSI SN: beaf11
            Size: 10488 MB, Block size: 512
            Online: Yes
            Removable media: No
            Prevent removal: No
            Readonly: Yes
            SWP: No 
            Thin-provisioning: No
            Backing store type: rdwr
            Backing store path: /fc28.img
            Backing store flags:
    Account information:
    ACL information:

We can now remove the NFS share that we created in part one of this series:

# rm -f /etc/exports.d/fc28.exports
# exportfs -rv
# umount /export/fc28
# rmdir /export/fc28
# sed -i '/^\/fc28 /d' /etc/fstab

You can also delete the /fc28 filesystem, but you may want to keep it for performing future updates.

Update the ESP to use the iSCSI Kernel

Update the ESP to contain the iSCSI-enabled initramfs:

$ rm -vf $HOME/esp/linux/*.fc28.*
$ MY_KRNL=$(ls -c /fc28/lib/modules | head -n 1)
$ cp $(find /fc28/lib/modules -maxdepth 2 -name 'vmlinuz' | grep -m 1 $MY_KRNL) $HOME/esp/linux/vmlinuz-$MY_KRNL
$ cp $(find /fc28/boot -name 'init*' | grep -m 1 $MY_KRNL) $HOME/esp/linux/initramfs-$MY_KRNL.img

Update the boot.cfg file to pass the new root and netroot parameters:

$ MY_EMAN=$(echo $MY_NAME | tr '.' "\n" | tac | tr "\n" '.' | cut -b -${#MY_NAME})
$ MY_ADDR=$(host -t A $MY_NAME | awk '{print $4}')
$ sed -i "s! root=[^ ]*! root=/dev/disk/by-path/ip-$MY_ADDR:3260-iscsi-iqn.$MY_EMAN:fc28-lun-1 netroot=iscsi:$MY_ADDR::::iqn.$MY_EMAN:fc28!" $HOME/esp/linux/boot.cfg

Now you just need to copy the updated files from your $HOME/esp/linux directory out to the ESPs of all your client systems. The clients should then boot from the iSCSI root (the original post shows a screenshot of the result at this point).

Upgrading the Image

First, make a copy of the current image:

# cp -a /fc28 /fc29

Chroot into the new copy of the image:

# for i in dev dev/pts dev/shm proc sys run; do mount -o bind /$i /fc29/$i; done
# chroot /fc29 /usr/bin/bash --login

Allow updating the kernel:

# sed -i 's/^exclude=kernel-\*$/#exclude=kernel-*/' /etc/dnf/dnf.conf

Perform the upgrade:

# dnf distro-sync -y --releasever=29

Prevent the kernel from being updated:

# sed -i 's/^#exclude=kernel-\*$/exclude=kernel-*/' /etc/dnf/dnf.conf

The above command is optional, but saves you from having to copy a new kernel out to the clients if you add or update a few packages in the image at some future time.

Clean up dnf’s package cache:

# dnf clean all

Exit the chroot and clear root’s command history:

# logout
# for i in run sys proc dev/shm dev/pts dev; do umount /fc29/$i; done
# > /fc29/root/.bash_history

Create the iSCSI image:

# FC29_SIZE=$(du -ms /fc29 | cut -f 1)
# dd if=/dev/zero of=/fc29.img bs=1MiB count=0 seek=$(($FC29_SIZE*2))
# mkfs -t xfs -L NETROOT /fc29.img
# TEMP_MNT=$(mktemp -d)
# mount /fc29.img $TEMP_MNT
# cp -a /fc29/* $TEMP_MNT
# umount $TEMP_MNT

Define a new iSCSI target that points to our new image and export it:

# MY_HOSTNAME=$(</etc/hostname)
# MY_REVERSE_HOSTNAME=$(echo $MY_HOSTNAME | tr '.' "\n" | tac | tr "\n" '.' | cut -b -${#MY_HOSTNAME})
# cat << END > /etc/tgt/conf.d/fc29.conf
<target iqn.$MY_REVERSE_HOSTNAME:fc29>
  backing-store /fc29.img
  readonly 1
</target>
END
# tgt-admin --update ALL

Add the new kernel and initramfs to the ESP:

$ MY_KRNL=$(ls -c /fc29/lib/modules | head -n 1)
$ cp $(find /fc29/lib/modules -maxdepth 2 -name 'vmlinuz' | grep -m 1 $MY_KRNL) $HOME/esp/linux/vmlinuz-$MY_KRNL
$ cp $(find /fc29/boot -name 'init*' | grep -m 1 $MY_KRNL) $HOME/esp/linux/initramfs-$MY_KRNL.img

Update the boot.cfg in the ESP:

$ MY_DNS1=     # address of the clients' first nameserver
$ MY_DNS2=     # address of the clients' second nameserver
$ MY_EMAN=$(echo $MY_NAME | tr '.' "\n" | tac | tr "\n" '.' | cut -b -${#MY_NAME})
$ MY_ADDR=$(host -t A $MY_NAME | awk '{print $4}')
$ cat << END > $HOME/esp/linux/boot.cfg
#!ipxe

kernel --name kernel.efi \${prefix}/vmlinuz-$MY_KRNL initrd=initrd.img ro ip=dhcp rd.peerdns=0 nameserver=$MY_DNS1 nameserver=$MY_DNS2 root=/dev/disk/by-path/ip-$MY_ADDR:3260-iscsi-iqn.$MY_EMAN:fc29-lun-1 netroot=iscsi:$MY_ADDR::::iqn.$MY_EMAN:fc29 console=tty0 console=ttyS0,115200n8 audit=0 selinux=0 quiet
initrd --name initrd.img \${prefix}/initramfs-$MY_KRNL.img
boot || exit
END

Finally, copy the files from your $HOME/esp/linux directory out to the ESPs of all your client systems and enjoy!
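The target name in /etc/tgt/conf.d, the by-path root device in boot.cfg and the netroot= parameter all have to agree, and the target definitions in both the fc28 and fc29 sections above carry no initiator-address or incominguser (CHAP) entries. The functions below are an added example, not code from the article: they derive all three strings from one set of inputs, emit a target definition restricted to the client subnet with a CHAP account, and build the matching root=/netroot= pair using dracut's documented netroot=iscsi:user:password@server::::target form. The hostname netboot.example.com, the addresses 192.0.2.10 and 192.0.2.0/24, the CHAP user "netboot" and its secret, and the 2018-12 naming-authority date are placeholders. The CHAP secret lands in boot.cfg on every client's ESP, so it keeps casual readers off the target but does not protect against anyone holding a client's disk.

```shell
#!/bin/sh
# Added example, not code from the Fedora Magazine article. Derives the IQN,
# the tgt target definition and the kernel root=/netroot= arguments from one
# set of inputs so the three can never disagree, and adds the initiator ACL
# and CHAP entries the article's target definition does not have.
# Assumed placeholders: netboot.example.com, 192.0.2.10, 192.0.2.0/24, the
# CHAP user "netboot" and its secret, and the 2018-12 naming-authority date.

# reverse_host netboot.example.com -> com.example.netboot
reverse_host() {
    local IFS=. out="" label
    for label in $1; do
        out="${label}${out:+.$out}"
    done
    printf '%s\n' "$out"
}

# build_iqn <fqdn> <label> [yyyy-mm] -> iqn.yyyy-mm.<reversed fqdn>:<label>
# RFC 3720 IQNs carry the year-month the naming authority acquired the domain.
build_iqn() {
    local fqdn=$1 label=$2 date=${3:-2018-12}
    printf 'iqn.%s.%s:%s\n' "$date" "$(reverse_host "$fqdn")" "$label"
}

# is_iqn <string>: succeeds when the string has the iqn.yyyy-mm.authority:label shape
is_iqn() {
    case $1 in
        iqn.[0-9][0-9][0-9][0-9]-[0-9][0-9].*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# tgt_conf <iqn> <backing-store> <client-cidr> <chap-user> <chap-secret>
# Same shape as the article's /etc/tgt/conf.d/fc28.conf, plus an initiator
# ACL (initiator-address) and a CHAP account (incominguser). The secret is
# the one the initiator must present; keep the resulting file mode 600.
tgt_conf() {
    local iqn=$1 store=$2 cidr=$3 user=$4 secret=$5
    is_iqn "$iqn" || { echo "tgt_conf: not an IQN: $iqn" >&2; return 1; }
    cat <<EOF
<target $iqn>
  backing-store $store
  readonly 1
  initiator-address $cidr
  incominguser $user $secret
</target>
EOF
}

# netroot_args <server-ip> <iqn> [chap-user chap-secret]
# Emits the root= and netroot= pair for boot.cfg. dracut's documented form is
# netroot=iscsi:[user:password@]server::::target; LUN 1 is the disk because
# tgt exposes its controller as LUN 0 (see the tgtadm output above).
netroot_args() {
    local ip=$1 iqn=$2 user=${3:-} secret=${4:-} auth=""
    if [ -n "$user" ]; then
        auth="$user:$secret@"
    fi
    printf 'root=/dev/disk/by-path/ip-%s:3260-iscsi-%s-lun-1 netroot=iscsi:%s%s::::%s\n' \
        "$ip" "$iqn" "$auth" "$ip" "$iqn"
}
```

With no CHAP user, netroot_args produces exactly the form boot.cfg uses above; with one, the output drops into the kernel line in place of the two root parameters, and tgt_conf's output replaces the target stanza, after which tgt-admin --update ALL reloads it.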


Supernovae may explain mass extinctions of marine animals 2.6 million years ago [The Register]

Deadly radiation bouncing around could have killed off animals in the Pliocene era

A gigantic supernova explosion may have triggered mass extinctions for creatures living in Earth’s prehistoric oceans some 2.6 million years ago, according to new research published in Astrobiology.…

Tuesday, 11 December


Boffins build bugged bees bearing backpacks [The Register]

Bees harvest data, but would be more fun if they had lasers

Boffins at the University of Washington have developed a portable sensor system for bumblebees, an improvement on previous research that saddled bees with GPS tracking chips, if not a prelude to the autonomous drone insects depicted in Black Mirror.…


Mesa 18.3.1 Released To Disable Botched Vulkan Extension [Phoronix]

Mesa 18.3 was released less than a week ago while today Mesa 18.3.1 was issued due to an error in the Vulkan specification...


Intel's IWD Linux Wireless Daemon 0.13 Adds Opportunistic Wireless Encryption [Phoronix]

Intel's promising IWD open-source wireless daemon continues picking up additional functionality in its trek towards potentially replacing wpa_supplicant. Out this week is IWD 0.13...


FreeBSD 12.0 Officially Released [Phoronix]

FreeBSD 12.0 has made its debut as the latest stable version of this popular BSD operating system...


It's December of 2018 and, to hell with it, just patch your stuff [The Register]

Windows, Office, Acrobat, SAP... you know the deal

Microsoft, Adobe, and SAP are finishing up the year with a flurry of activity, combining to patch more than 140 CVE-listed security flaws between them.…


Waymo presents ChauffeurNet, a neural net designed to copy human driving [The Register]

TL;DR: The engineers realize that human data isn't enough to teach robots how to drive

Self-driving cars won’t learn to drive well if they only copy human behaviour, according to Waymo.…


Super Micro says audit found no trace of Chinese spy chips on its boards [The Register]

Vendor opens new investigation to refute bugging claims

Hardware builder Super Micro has delivered another effort to prove to the public its machines were not bugged by the Chinese government.…


Firefox 64.0 Released [Phoronix]

Firefox 64.0 is available today as the last major feature update to Mozilla's web browser for 2018...



Valve Rolls Out New Steam Play Proton 3.16 Beta, 29 More Games Supported [Phoronix]

A new beta release of Proton 3.16 is now available, the Wine-based software that powers Valve's Steam Play for running many Windows games on Linux...


Google CEO tells US Congress Chocolate Factory will unleash Dragonfly in China [The Register]

Also, none of you have any idea what you are talking about

Google's CEO Sundar Pichai appeared in front of a Congressional hearing this morning in a session that revealed two main things: he is still going to take the company into China, and Congresscritters have absolutely no idea what they are talking about when it comes to technology.…


ODROID-XU4: Much Better Performance Than The Raspberry Pi Plus USB3 & Gigabit Ethernet @ $60 [Phoronix]

Hardkernel recently sent over the ODROID-XU4 for benchmarking. This ARM SBC, which measures just 82 x 58 x 22 mm, offers much better performance than many of the sub-$100 ARM SBCs while also featuring dual USB 3.0 ports, Gigabit Ethernet, eMMC storage, and software compatibility with the older XU3 ARM SBCs. Here's a look at the performance of the ODROID-XU4 compared to a variety of other single board computers.


Poor people should get slower internet speeds, American ISPs tell FCC [The Register]

It's just not fair on profit-making companies otherwise

Analysis  ISPs should be paid to provide slower internet speeds to poor people.…


Kubernetes caretaker auditions for Hoarders; takes in another open source project [The Register]

Etcd joins growing collection of code tended by Cloud Native Computing Foundation

At the Cloud Native Computing Foundation's (CNCF) KubeCon + CloudNativeCon North America 2018 meetup on Tuesday, the CNCF revealed it will adopt, shelter and nourish an itinerant jumble of letters known on the street as "etcd."…


Equifax how-it-was-mega-hacked damning dossier lands, in all of its infuriating glory [The Register]

'Entirely preventable' theft down to traffic-monitoring certificate left expired for 19 months

Updated  A US Congressional report outlining the breakdowns that led to the 2017 theft of 148 million personal records from Equifax has revealed a stunning catalog of failure.…


25% of NHS trusts have zilch, zip, zero staff who are versed in security [The Register]

Not like there's been a major incident recently to kick them into gear or anything

A quarter of NHS trusts in the UK responding to a Freedom of Information request have no staff with security qualifications, despite some employing up to 16,000 people.…


Linux Kernel Developers Discuss Dropping x32 Support [Phoronix]

It was just several years ago that the open-source ecosystem began supporting the x32 ABI, but already kernel developers are talking of potentially deprecating the support and for it to be ultimately removed...


Salesforce has named a chief ethics officer and yes, the job description is appropriately woolly [The Register]

What's she going to do? 'Engage' with people

Mega-bucks CRM titan Salesforce has appointed a loftily titled "chief ethical and humane use officer" to counteract the problems of being a tech giant in 2019.…


Saturday Morning Breakfast Cereal - Human Jobs [Saturday Morning Breakfast Cereal]

Click here to go see the bonus panel!

In the future, you will only have to work a 4 hour day as a footstool!

Today's News:


Google's rent-a-cloud biz revs Istio for its Kubernetes service [The Register]

K8's kitchen puts self-serve Istio on menu as managed offering takes shape

KubeCon  As a gathering of DevOps types at KubeCon + CloudNativeCon North America 2018 gets under way in Seattle, Washington, Google plans to tell anyone who will listen that its managed Kubernetes service, GKE, now can be ordered with Istio on the side, though you'll have to ladle it on yourself.…


They say software will eat the world. Here are some software bugs that took a stab at it [The Register]

Well, you know what we mean. Variable quality comes with increasing quantity

Analysis  "On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts," said Facebook's Guy Rosen in a security update in September.…


An Initial Look At The Intel Iris Gallium3D Driver Performance [Phoronix]

One of the most exciting developments in the open-source Intel driver space this year was the Iris Gallium3D driver taking shape as what's destined to eventually succeed their "classic" i965 Mesa driver. With Iris Gallium3D maturing, here's a look at how the performance currently stacks up to their mature OpenGL driver.


DAV1D v0.1 AV1 Video Decoder Released [Phoronix]

Out today is DAV1D as the first official (v0.1) release of this leading open-source AV1 video decoder...


They said yes, grins Dell Technologies: Expects to go public this month [The Register]

Class V shareholders agree to sell or swap the stock

Class C shares in Dell Technologies are to start trading on the New York Stock Exchange before the year is out, after it today removed an obstacle that was hindering its ability to do so.…


Microsoft to rule the biz chat roost – survey [The Register]

Slack off, hipsters

Microsoft shows no sign of yielding its enterprise chat and conferencing users to a hipster-friendly upstart like Slack. A snapshot of US businesses who use work chat shows that Microsoft's Teams is taking advantage of Google's enterprise missteps rather than those of Slack.…


Oracle takes its gripes about Pentagon's JEDI contract to federal court [The Register]

Great way to make friends during procurement for a $10bn contract, eh Larry?

Fresh from defeat at the hands of the US Government Accountability Office, Oracle has taken its battle against the single-vendor Pentagon cloud contract to court.…


Nouveau Lands Initial Open-Source NVIDIA Turing Support - But No GPU Acceleration [Phoronix]

Just in time for the upcoming Linux 4.21 kernel, the developers working on the reverse-engineered, open-source support for NVIDIA GeForce RTX "Turing" GPUs have published their preliminary code. But before getting too excited, there isn't GPU hardware acceleration working yet...


IBM is trying to throttle my age-discrimination lawsuit – axed ace cloud salesman [The Register]

Non-millennial claims Big Blue is hiding evidence of anti-greybeard HR policies

A former high-flying IBM salesman yesterday accused the American mainframe megalith of using "obstructionist" legal tactics to block disclosure of incriminating documents that would help him win a landmark age discrimination lawsuit.…


LG's beer-making bot singlehandedly sucks all fun, boffinry from home brewing [The Register]

Water + capsule + 2 weeks = 5 litres of beer

Fan of those trendy coffee machines shilled by George Clooney? Wish there was one that did beer? Of course you don't, but LG has gone and done it anyway.…


Lenovo tells Asia-Pacific staff: Work lappy with your unencrypted data on it has been nicked [The Register]

That's thousands of employees' names, monthly salaries, bank details

Exclusive  A corporate-issued laptop lifted from a Lenovo employee in Singapore contained a cornucopia of unencrypted payroll data on staff based in the Asia Pacific region, The Register can exclusively reveal.…


Years before CRISPR babies, this man was the first to edit human embryos [Top News - MIT Technology Review]

In 2015, an unknown Chinese scientist edited the DNA of human embryos. It was a step on an inexorable path to designer babies.


Microsoft, you shouldn't have: Festive Windows 10 Insiders build about as exciting as new socks [The Register]

Fixes aplenty, but not so many shiny baubles – which is great

With less than two weeks to go before Christmas, Microsoft has lobbed a fresh build of next year's Windows 10 down the chimney.…


Fedora Looks To Build Firefox With Clang For Better Performance & Compilation Speed [Phoronix]

Following the move by upstream Mozilla in switching their Linux builds of Firefox from being compiled by GCC to LLVM Clang, Fedora is planning the same transition of compilers in the name of compilation speed and resulting performance...


Texas Instruments flicks Armis' Bluetooth chip vuln off its shoulder [The Register]

Yeah, we've patched that one, adds Cisco

Texas Instruments has rather feebly slapped down infosec researchers' findings on a so-called Bleedingbit Bluetooth Low Energy vulnerability after a more detailed explanation of the chipset's weakness emerged.…


The Linux Direct Rendering Manager Subsystem Poised To Have A Second Maintainer [Phoronix]

Daniel Vetter of the Intel Open-Source Technology Center is set to become a co-maintainer of the DRM subsystem, to help with code reviews and with getting code staged in a timely manner before it is sent upstream to the mainline Linux kernel...


Register Lecture: Right to strike when your boss sells AI to the military? [The Register]

Principles AND work for Google – it's been known to happen

AI is reported in extreme terms: it's revolutionising our roads, our workplaces and our homes – or it's stealing our jobs and will eradicate humanity. But what about operating in a war zone?…


NASA names the date for the first commercial crew demo flight [The Register]

But will there be any 'nauts left on the ISS after AI bot CIMON has finished with them?

A resumption of crewed flights from US soil has inched closer after NASA named a date for SpaceX's Demo-1. But the latest Delta IV Heavy remains firmly earthbound following the second and latest abort.…


LLVM's OpenMP Runtime Picks Up DragonFlyBSD & OpenBSD Support [Phoronix]

Good news for those using the LLVM Clang compiler on OpenBSD or DragonFlyBSD: the OpenMP run-time should now be supported with the latest development code...


OSIRIS-REx space probe catches a whiff of water on asteroid Bennu [The Register]

But how Earth ended up with all its water is still a mystery

NASA’s OSIRIS-REx spacecraft has discovered water on the asteroid Bennu less than a week after its arrival at the hunk of space rock.…

Monday, 10 December


In 2018, Facebook is the villain and Microsoft the shining light, according to techies [The Register]

How things change

Well, it's official. For years, at El Reg offices we have commented on how Facebook is the new Microsoft – and not in a good way.…


VirtIO-FS: A Proposed Better Approach For Sharing Folders/Files With Guest VMs [Phoronix]

Red Hat developers have proposed a new VirtIO-FS component to provide better support for shared folders/files between the host and guest virtual machines...


GCC 9 Guts Out The PowerPC SPE Support [Phoronix]

It should come as no surprise since it was deprecated in this year's GCC 8 release, but the PowerPC SPE code has been removed...


The internet is going to hell and its creators want your help fixing it [The Register]

Vint Cerf, Tim Berners-Lee and others identify lots of problems, few solutions

If ever there was doubt that 2018 is the year of fear, it was confirmed by a panel discussion involving the two men that are credited with inventing the internet and the world wide web.…


Latest Google+ flaw leads Chocolate Factory to shut down site early [The Register]

52.5 million accounts at risk, tens of people are worried

Google says it will be speeding up the dismantling of its Google+ social network following the discovery of a new security bug that affected 52.5 million users.…


Joinery: A Tale of Un-Windowed Joins [Yelp Engineering and Product Blog]

Summary At Yelp, we generate a wide array of high throughput data streams spanning logs, business data, and application data. These streams need to be joined, filtered, aggregated, and sometimes even quickly transformed. To facilitate this process, the engineering team has invested a significant amount of time analyzing multiple stream processing frameworks, ultimately identifying Apache Flink as the best suited option for these scenarios. We’ve now implemented a join algorithm using Flink, which we’re calling “Joinery.” It is capable of performing un-windowed one-to-one, one-to-many, and many-to-many inner joins across two-or-more keyed data streams. So, how does it work? In the...


Arch Linux Users With Intel Graphics Can Begin Enjoying A Flicker-Free Boot [Phoronix]

The recent efforts led by Red Hat / Fedora to provide a flicker-free Linux boot experience, together with their upstream-focused approach, are starting to pay off for other desktop Linux distributions... A flicker-free boot can now be achieved on Arch Linux with the latest packages, assuming you don't have any quirky hardware...


Doom at 25: The FPS that wowed players, gummed up servers, and enraged admins [The Register]

Who cares? Let's whip out the BFG and blow up the boss

On December 10, 1993, after a marathon 30-hour coding session, the developers at id Software uploaded the first finished copy of Doom for download, the game that was to redefine the first-person shooter (FPS) genre. Hours later IT admins wanted id's guts for garters.…


China on its way to becoming the first nation to land on the far side of the Moon [The Register]

Chang'e-4 is in the pipe; 5 by 5

China has successfully launched a spacecraft aiming to become the first lander to touch down on the far side of the Moon.…


Did you know that iOS ad clicks cost more than Android? These scammers did [The Register]

Malware hides cheap Android clicks as high-end Apple traffic

An enterprising malware writer has been masquerading infected Android devices as Apple gear in order to make a few extra bucks.…


Nice phone account you have there – shame if something were to happen to it: Samsung fixes ID-theft flaws [The Register]

If Artem Moskowsky owes you money, it's a good time to ask

A recently patched set of flaws in Samsung's mobile site was leaving users open to account theft.…


Linux 4.21 Will Better Protect Against Malicious Thunderbolt Devices [Phoronix]

Linux 4.21 is set to further improve the system security around potentially malicious Thunderbolt devices...


Adobe Customer Care: There Hasn't Been Enough Demand For Linux [Phoronix]

Besides the lack of games, one of the other pressing reasons why some desktop/workstation users haven't migrated full-time to Linux has been the lack of Adobe's Creative Suite running natively on Linux (the Wine-based options often only work well for dated versions of Adobe's software). But if you hope to see Adobe software on Linux, their customer care recommends you vote...


The Open-Source NVIDIA "Nouveau" Linux Driver Performance At The End Of 2018 [Phoronix]

As it's been a while since last looking at the NVIDIA vs. Nouveau Linux OpenGL driver performance, here's a look at the current performance difference as the end of the year quickly approaches. This benchmarking roundabout features multiple generations of GeForce GPUs while testing with the NVIDIA 415 proprietary driver against the Nouveau stack on Linux 4.19 and Mesa 19.0-devel.


Intel Launches Open-Source Deep Learning Reference Stack Powered By Clear Linux & Kata [Phoronix]

Aiming to improve the deep learning development experience, Intel's Open-Source Technology Center has announced the Deep Learning Reference Stack...


Adiantum File-System Encryption Support Ready For Linux 4.21 [Phoronix]

Adiantum, Google's newly developed crypto algorithm to replace their planned use of the controversial Speck, is ready to begin providing speedy file-system encryption support for low-end devices with the upcoming Linux 4.21 merge window...


Saturday Morning Breakfast Cereal - Space Poop [Saturday Morning Breakfast Cereal]


Thanks to all the awful people on twitter who told me about the bags and bags of crap we've left on the moon.



AMD Files Trademark For Vega II [Phoronix]

It looks like AMD could be announcing Vega II as new 7nm Vega GPUs soon complementing the recently announced Vega 20 Radeon Instinct MI50 / MI60 accelerators...


Initial i.MX8 SoC Support & Development Board Possibly Ready For Linux 4.21 [Phoronix]

While the i.MX8 series was announced almost two years ago and the open-source developers working on enablement for these new NXP SoCs had hoped for initial support in Linux 4.17, the Linux 4.21 kernel, due in the early months of 2019, is now slated to carry the first i.MX8 support, in the form of the i.MX8MQ, along with its development/evaluation board...


Try the Dash to Dock extension for Fedora Workstation [Fedora Magazine]

The default desktop of Fedora Workstation — GNOME Shell — is known and loved by many users for its minimal, clutter-free user interface. However, one thing that many users want is an always-visible view of open applications. One simple and effective way to get this is with the awesome Dash to Dock GNOME Shell extension.

Dash to Dock takes the dock that is visible in the GNOME Shell Overview, and places it on the main desktop. This provides a view of open applications at a glance, and provides a quick way to switch windows using the mouse. Additionally, Dash to Dock adds a plethora of additional features and options over the built-in Overview dock, including autohide, panel mode, and window previews.


Dash to Dock adds a bunch of additional features over the dock that usually shows in the GNOME Shell overview.

The extension has an intelligent autohide feature, that hides the dock when it obscures windows. To bring the dock back up, simply move the mouse to the bottom of the screen.

Additionally, panel mode stretches the dock to take up the entire width of the screen. This is a good option for users that want to always have the dock showing, without autohiding it.

Dash to Dock also cleanly handles multiple windows of the same application. It shows small dots under each application icon to show how many windows are open. Additionally, it can be configured to show previews of each window when clicking the icon, allowing the user to choose the window they want.

Installing Dash to Dock

The quickest and easiest way to install the extension is with the Software Application. Check out the previous post here on the Magazine for more details:

How to install extensions via the Software application

Note, however, that Dash to Dock is available in both the Fedora repositories, and via the GNOME Shell extensions repository. Consequently, it will show up twice when browsing for extensions in the Software application:

Typically, the version from GNOME Shell Extensions is kept up-to-date more frequently by the developer, so that version may be the safer bet.

Configuring Dash to Dock

The Dash to Dock extension has a wide range of optional features and tweaks that users can enable and change. Some of the tweakable items include: icon size, where to position the dock (including on multiple monitors), opacity of the dock, and themes.

Accessing the settings dialog for the extension is easy. Simply right-click on the applications icon in the dock, and choose Dash to Dock settings.

Note, however, that the extension allows you to remove the applications icon from the dock. In this case, access the settings dialog via the Software Application:



Sunday, 09 December


Saturday Morning Breakfast Cereal - Cryptography [Saturday Morning Breakfast Cereal]


On the plus side, every time there's a cryptography advance I can do a version of this comic.


Saturday, 08 December


Saturday Morning Breakfast Cereal - Staging [Saturday Morning Breakfast Cereal]


Your mama's stage one is so big they gotta jettison it 10 meters above the launch pad.


Friday, 07 December


Universal income vs. the robots: Meet the presidential candidate fighting automation [Top News - MIT Technology Review]

7 questions for Andrew Yang, the 2020 US presidential candidate pushing for basic income.


Saturday Morning Breakfast Cereal - Fuzzy Borders [Saturday Morning Breakfast Cereal]


What if all assassinations are by time travelers who keep trying to fix things, but keep breaking things somewhere else?



The 6 reasons why Huawei gives the US and its allies security nightmares [Top News - MIT Technology Review]

The biggest fear is that China could exploit the telecom giant’s gear to wreak havoc in a crisis.

Thursday, 06 December


Saturday Morning Breakfast Cereal - Absurd [Saturday Morning Breakfast Cereal]


The aliens were about to offer immortality, but saw this and changed their minds.


Wednesday, 05 December


Fedora Classroom: Containers 101 with Podman [Fedora Magazine]

Fedora Classroom sessions continue next week with a session on containers with Podman. The general schedule for sessions appears on the wiki. You can also find resources and recordings from previous sessions there. Here are details about the session on Thursday, December 13 at 1600 UTC. That link allows you to convert the time to your timezone.

Topic: Containers 101 with Podman

Containers are becoming the de facto standard for building and distributing applications. Fedora as a modern operating system already supports container use by default. As with every new technology, there are different applications and services available for adopting it. This classroom will explain the basics of containers technology and its implementation in Fedora 29 using new open source tools like podman and buildah.

Here’s the agenda for the Classroom session:

Containers 101 with Podman

  1. What are Linux containers?
  2. Deep dive into container architecture
  3. Container runtimes
  4. Build and run containers
  5. Introduction to container networks, logs, security and persistent storage


Alessandro Arrichiello is a Solution Architect for Red Hat. He has a passion for GNU/Linux systems, which began at age 14 and continues today. He works with tools for automating Enterprise IT, configuration management, and continuous integration through virtual platforms.

He’s now working on distributed cloud environments via PaaS (OpenShift), IaaS (OpenStack) and process management (CloudForms), container building, instance creation, HA services management, and workflow building.

Joining the session

This session takes place on BlueJeans. The following information will help you join the session:

We hope you attend, learn from, and enjoy this session. If you have any feedback about the sessions, have ideas for a new one, or want to host a session, feel free to comment on this post or edit the Classroom wiki page.

Tuesday, 04 December


I am so happy to announce that my latest book “Herding... [Sarah's Scribbles]

I am so happy to announce that my latest book “Herding Cats” won the Goodreads choice award for best graphic novel. An honor especially when I enjoyed so, so many of the comics off the list this year. Thank you! 

Full list here
If you are interested in a copy of “Herding Cats,” you can pick it up here.


Saturday Morning Breakfast Cereal - Neural Networks [Saturday Morning Breakfast Cereal]


The deep question of AI is whether we'll *deserve* for it not to kill us.


Monday, 03 December


Saturday Morning Breakfast Cereal - Teleporter [Saturday Morning Breakfast Cereal]


Like 80% of recent comics have been inspired by a thing Scott Aaronson wrote.



Share NFS Home Directories Securely with Kerberos [Fedora Magazine]

You can share NFS home directories without Kerberos, but with the standard system authentication (sec=sys, where the client simply asserts a numeric UID and the server believes it) it's trivial for a remote user to change the UID of a local account on their PC and gain access to someone else's home directory. Kerberos adds a requirement that the end user hold a security token (a Kerberos ticket) to access the home directory. That ticket can only be acquired from the designated key server by providing the correct password.

This guide shows you how to integrate a Fedora server with Active Directory so you can share user home directories over NFS more securely. This guide assumes you already have an Active Directory domain.

Install and configure NTP

The Kerberos protocol requires all the computers participating in cryptographic communication to have clocks synchronized to within five minutes.

First, synchronize the NFS server’s clock with the ntpdate command and then commit the change to the hardware clock with the hwclock command:

$ sudo -i
# MY_HOSTNAME=$(</etc/hostname)
# MY_DOMAIN=${MY_HOSTNAME#*.}
# dnf install -y ntpdate
# ntpdate $MY_DOMAIN
# hwclock -u -w

The MY_DOMAIN assignment strips the host part from the fully qualified hostname, so that ntpdate queries a domain controller via the domain's DNS name.

The # prompt shows commands that need to be run as root. The $ prompt shows commands that can be run as an unprivileged user. The sudo -i command allows you to become root to issue necessary commands.

This guide is meant to be copy-and-paste friendly. Any value you might need to customize appears as a MY_* variable you can tweak before running the remaining commands. Note that if you log out, these variable assignments are cleared.

The above commands assume the domain name part of your server’s hostname matches the domain name of your Active Directory. Unless you set special configuration options in Active Directory, you’ll probably need to set your hostname so the domain part matches your Active Directory domain name.

Now, install the ntp package:

# dnf install -y ntp

Next, configure the NTP service:

# MY_NETWORK=192.168.0.0
# MY_NETMASK=255.255.255.0
# MY_ADSERVER1=192.168.0.10
# MY_ADSERVER2=192.168.0.11
# cat << END > /etc/ntp.conf
tinker panic 0
interface ignore ipv6

driftfile /var/lib/ntp/drift
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys

restrict default ignore
restrict $MY_NETWORK mask $MY_NETMASK

server $MY_ADSERVER1
server $MY_ADSERVER2
END

The four MY_* assignments above are placeholder values; substitute your own client network and domain controller addresses. Because the configuration starts from restrict default ignore, ntpd discards packets from any host the restrict lines do not admit. The domain controllers must therefore lie inside $MY_NETWORK, or you must add a restrict line for each of them so that their replies are accepted.

If you need to quickly look up the IP addresses of your Active Directory servers, run this command:

# nslookup $MY_DOMAIN

Finally, add an exception to the firewall and start the service:

# firewall-cmd --add-service ntp
# firewall-cmd --runtime-to-permanent
# systemctl enable ntpd.service
# systemctl start ntpd.service

To verify that NTP is working, run this command:

# ntpq -4 -p

Install and configure Kerberos

To enable Kerberos authentication on our server, install the krb5-workstation package:

# dnf install -y krb5-workstation

Then configure your default realm:

# MY_REALM=${MY_DOMAIN^^}
# cat << END > /etc/krb5.conf.d/${MY_DOMAIN%%.*}
[libdefaults]
  default_realm = $MY_REALM
  dns_lookup_kdc = true
END


The default realm is your Active Directory domain name in all upper-case letters.

Install and configure SSSD

The next thing you need for KRB5 authenticated home directories is user IDs. You could create them manually on the NFS server. But if you have more than a few users, you’ll want to get the list of usernames and their associated UIDs from Active Directory. Use sssd to fetch the user IDs from Active Directory.

Begin by installing the sssd package:

# dnf install -y sssd

Now configure SSSD to use Active Directory as an ID provider:

# cat << END > /etc/sssd/sssd.conf
[sssd]
  services = nss
  config_file_version = 2
  domains = $MY_DOMAIN

[domain/$MY_DOMAIN]
  id_provider = ad
  ldap_idmap_range_min = 0
  ldap_idmap_range_max = 2100000000
  ldap_idmap_range_size = 100000000
  ldap_idmap_default_domain_sid = S-1-5-21-0-0-0
  krb5_store_password_if_offline = true
  cache_credentials = true
  ignore_group_members = true
  override_gid = 100
  override_shell = /bin/bash
  override_homedir = /home/%u
END
# chmod 600 /etc/sssd/sssd.conf

The ldap_idmap* values are important to ensure the UIDs Active Directory reports are consistent between the NFS server and all of its clients. Here’s a reference on how SID to uid/gid mapping works in sssd.

Even though you didn't configure SSSD for authentication by including pam in the services list, end users may still be able to log in to the NFS server over SSH using the PubkeyAuthentication or GSSAPIAuthentication methods. You may want to set an explicit limit on who can log in to your NFS server over SSH. For example:

# echo DenyGroups users >> /etc/ssh/sshd_config && systemctl restart sshd.service

Join Active Directory

Next, join the server to the Active Directory domain. Before performing the join, delete any computer accounts by the same name in the domain. This helps ensure you don’t carry over any incorrect settings from a previous join attempt:

# MY_USERNAME=jsmith
# adcli delete-computer "${MY_HOSTNAME%%.*}" -U "$MY_USERNAME"

Also, delete any previous version of the system keytab, to avoid carrying over any incorrect settings from a previous join attempt:

# rm -f /etc/krb5.keytab

Now you should be able to join the Active Directory domain:

# MY_OU="cn=computers,dc=${MY_DOMAIN//./,dc=}"
# adcli join $MY_DOMAIN \
    --login-user="$MY_USERNAME" \
    --computer-name="${MY_HOSTNAME%%.*}" \
    --host-fqdn="$MY_HOSTNAME" \
    --user-principal="host/$MY_HOSTNAME@$MY_REALM" \
    --service-name="host" \
    --service-name="nfs" \
    --domain-ou="$MY_OU"

By default, Active Directory only allows normal users to join up to 10 computers to its domain (KB243327).

If adcli warns you about DNS not updating, your primary DNS servers may not be forwarding queries properly to the Active Directory domain controllers. Set your network configuration to reference the Active Directory servers directly for DNS.

The --service-name="nfs" flag in the above command is important. The NFS service cannot serve Kerberized home directories without an nfs/ servicePrincipalName on the computer account and the matching nfs/$MY_HOSTNAME key in /etc/krb5.keytab (klist -k lists the keys the join wrote there).

If the join succeeded, you should be able to start the SSSD service:

# systemctl start sssd.service

Configure PAM

Once sssd is running, configure the NFS server to resolve UIDs using it:

# cp -r /usr/share/authselect/default/sssd /etc/authselect/custom
# echo 'initgroups: files' >> /etc/authselect/custom/sssd/nsswitch.conf
# authselect select custom/sssd --force

Set initgroups to files as a performance optimization to prevent group information from being fetched from Active Directory. You can omit that line. If you do, though, you may see delays when you list files or perform other actions that try to look up UID and GID information.

At this point, you should be able to look up a user’s UID:


You may find it necessary to run systemctl restart sssd.service before the above command works.

Create the home directories

Now that the ID provider is working, create the home directories by cloning the /etc/skel directory and setting permissions:

# cp -a /etc/skel /home/$MY_USERNAME
# chown -R $MY_USERNAME:users /home/$MY_USERNAME
# chmod -R go-rwx /home/$MY_USERNAME

Configure NFS ID mapping

Before you can export the home directories, you must configure NFS’s idmap service:

# cat << END > /etc/idmapd.conf
[General]
  Domain = $MY_DOMAIN
  Local-Realms = $MY_REALM

[Mapping]
  Nobody-User = nfsnobody
  Nobody-Group = nfsnobody

[Translation]
  Method = static,nsswitch
  GSS-Methods = static,nsswitch
END


You must also define the special nfsnobody user for cases where a UID might not resolve to a username:

# echo 'nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin' >> /etc/passwd
# echo 'nfsnobody:!!:::::::' >> /etc/shadow
# echo 'nfsnobody:x:65534:' >> /etc/group
# echo 'nfsnobody:!::' >> /etc/gshadow

Enable Kerberos and share the home directories

Enable KRB5 authentication on the NFS pseudo filesystem:

# MY_SUBNET=192.168.0.0
# MY_PREFIX=24
# echo "/export -fsid=0,ro,sec=sys:krb5,root_squash $MY_SUBNET/$MY_PREFIX" > /etc/exports

The MY_SUBNET and MY_PREFIX values above are placeholders for the client network allowed to mount the export. The pseudo root deliberately accepts sec=sys alongside krb5 so that clients can mount and browse the read-only namespace; only the home export below insists on Kerberos.

Now create and mount the home filesystem:

# mkdir /export/home
# echo '/home /export/home none bind 0 0' >> /etc/fstab
# mount /export/home

Last, we define the home export and restart the NFS server to ensure all configuration changes are registered:

# echo "/export/home -rw,sec=krb5,root_squash $MY_SUBNET/$MY_PREFIX" > /etc/exports.d/home.exports
# systemctl restart nfs-server.service

Make sure everything looks right on the export. In particular, make sure the krb5 flag is set on both the root export and the home sub-filesystem:

# exportfs -v

The output from the above command should include at least the following two lines (emphasis added):


The plain krb5 flavour authenticates each RPC with the user's Kerberos ticket but leaves the file data itself unprotected on the wire. The Kerberos protocol can also provide integrity checking (krb5i) or encryption (krb5p) for the NFS export, but these variants of the krb5 option cause a significant reduction in throughput. You probably don't want to use them unless the network between the clients and the server is one you can't trust.
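To check an exports file against the requirements above, here is a small auditing script. It is an added example, not part of the original article. It parses both spellings exports(5) accepts, the article's path -options client form and the usual path client(options) form, and flags any export that still accepts sec=sys, offers no Kerberos flavour, sets no_root_squash, or is open to every client. The sample exports text embedded in it is constructed: the article's two lines plus a deliberately weak third entry.

```python
"""Audit exports(5) entries for the Kerberos settings the guide relies on.

Added example, not code from the Fedora Magazine article. A dash-prefixed
option list ("-rw,sec=krb5") applies to the clients that follow it on the
line; "client(options)" attaches options to one client. sec=sys is the
AUTH_SYS flavour, where the client asserts whichever UID it likes.
"""
import re
from dataclasses import dataclass

AUTH_SYS = "sys"
KRB_FLAVOURS = ("krb5", "krb5i", "krb5p")

# Constructed sample: the article's two lines plus a deliberately weak third
# entry (rw over AUTH_SYS, no_root_squash, world-readable) to exercise checks.
SAMPLE_EXPORTS = """\
# pseudo root and home export as in the article
/export -fsid=0,ro,sec=sys:krb5,root_squash 192.168.0.0/24
/export/home -rw,sec=krb5,root_squash 192.168.0.0/24
/export/scratch 192.168.0.0/24(rw,sec=sys,no_root_squash) *(ro)
"""


@dataclass
class Export:
    path: str
    client: str      # host, network, wildcard, or "*" when no client was given
    options: dict    # option name -> value, True for bare flags such as "ro"


def _parse_options(opt_string):
    """Turn 'fsid=0,ro,sec=sys:krb5' into {'fsid': '0', 'ro': True, 'sec': 'sys:krb5'}."""
    opts = {}
    for item in filter(None, opt_string.split(",")):
        name, _, value = item.partition("=")
        opts[name.strip()] = value.strip() if value else True
    return opts


def parse_exports(text):
    """Parse exports(5) content into one Export per (path, client) pair."""
    exports = []
    # Backslash-newline continues an entry; comments run from '#' to end of line.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *rest = line.split()
        defaults = {}
        clients = []
        for tok in rest:
            if tok.startswith("-"):
                # "-opt,opt" sets defaults for every client after it on this line
                defaults = _parse_options(tok[1:])
                continue
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", tok)
            if m is None:
                raise ValueError(f"unparseable client spec: {tok!r}")
            client = m.group(1) or "*"          # "(ro)" alone means everyone
            opts = dict(defaults)
            if m.group(2) is not None:
                opts.update(_parse_options(m.group(2)))
            clients.append(Export(path, client, opts))
        if not clients:
            clients.append(Export(path, "*", dict(defaults)))  # bare path: all
        exports.extend(clients)
    return exports


def security_flavours(export):
    """Return the sec= flavours in order; exports(5) defaults to sys when absent."""
    sec = export.options.get("sec")
    if sec is None or sec is True:
        return [AUTH_SYS]
    return sec.split(":")


def audit(text):
    """Return (severity, path, client, message) findings for weak exports."""
    findings = []
    for e in parse_exports(text):
        flavours = security_flavours(e)
        writable = "rw" in e.options         # exports(5) default is ro
        if AUTH_SYS in flavours:
            findings.append(("high" if writable else "info", e.path, e.client,
                             "sec=sys accepted: client asserts its own UID, Kerberos not enforced"))
        if not any(f in KRB_FLAVOURS for f in flavours):
            findings.append(("high", e.path, e.client,
                             "no Kerberos flavour (krb5, krb5i or krb5p) offered"))
        if "no_root_squash" in e.options:
            findings.append(("high", e.path, e.client,
                             "no_root_squash: remote root keeps UID 0 on the server"))
        if e.client == "*":
            findings.append(("medium", e.path, e.client, "exported to every client"))
    return findings


if __name__ == "__main__":
    for severity, path, client, message in audit(SAMPLE_EXPORTS):
        print(f"{severity:6} {path:16} {client:18} {message}")
```

Run it against a real server with audit(open('/etc/exports').read()), and feed it the files under /etc/exports.d as well, since exportfs reads those too. On the article's own configuration the only finding is the informational sec=sys on the read-only pseudo root, which is what lets clients mount and browse the namespace before presenting a ticket for /export/home; the writable scratch entry in the sample shows what a genuinely dangerous export looks like.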

Photo by Pietro Jeng on Unsplash.

Sunday, 02 December


Saturday Morning Breakfast Cereal - Theorem [Saturday Morning Breakfast Cereal]


Anyone NOT taking this too seriously will be docked 10 Internet Points.


Saturday, 01 December


Saturday Morning Breakfast Cereal - Secrets [Saturday Morning Breakfast Cereal]


Maybe we can fix conspiracies with The Blockchain.


Friday, 30 November


Saturday Morning Breakfast Cereal - Clock Speed [Saturday Morning Breakfast Cereal]


It's too bad cyborg technology hasn't gotten beyond fork-shaped hands, though.



Fedora 27 End of Life [Fedora Magazine]

With the recent release of Fedora 29, Fedora 27 officially enters End Of Life (EOL) status on November 30, 2018. This impacts any systems still on Fedora 27. If you’re not sure what that means to you, read more below.

At this point, packages in the Fedora 27 repositories no longer receive security, bugfix, or enhancement updates. Furthermore, the community adds no new packages to the Fedora 27 collection starting at End of Life. Essentially, the Fedora 27 release will not change again, meaning users no longer receive the normal benefits of this leading-edge operating system.

There’s an easy, free way to keep those benefits. If you’re still running an End of Life version such as Fedora 27, now is the perfect time to upgrade to Fedora 28 or to Fedora 29. Upgrading gives you access to all the community-provided software in Fedora.

Looking back at Fedora 27

Fedora 27 was released on November 14, 2017. As part of their commitment to users, Fedora community members released about 9,500 updates.

This release featured, among many other improvements and upgrades:

  • GNOME 3.26
  • LibreOffice 5.4
  • Simpler container storage setup in the Fedora Atomic Host
  • The new Modular Server, where you could choose from different versions of software stacks

Fedora 27 screenshot

Of course, the Project also offered numerous alternative spins of Fedora, and support for multiple architectures.

About the Fedora release cycle

The Fedora Project offers updates for a Fedora release until a month after the second subsequent version releases. For example, updates for Fedora 28 continue until one month after the release of Fedora 30. Fedora 29 continues to be supported up until one month after the release of Fedora 31.

The Fedora Project wiki contains more detailed information about the entire Fedora Release Life Cycle. The lifecycle includes milestones from development to release, and the post-release support period.


Thursday, 29 November


Saturday Morning Breakfast Cereal - Rehash [Saturday Morning Breakfast Cereal]


'God is dead' would be a great slogan for any new Taco Bell products.

Today's News:

Submissions are open for both BAHFest MIT and BAHFest London. You know those terrible ideas you've been saving all this time? We need them.

Wednesday, 28 November


Fedora 29 on ARM on AWS [Fedora Magazine]

This week Amazon announced their new A1 arm64 EC2 Instances powered by their arm64 based Graviton Processors. With a minor delay, the shiny new Fedora 29 for aarch64 (arm64) is now available to run there too!

Details on getting up and running on AWS are in this earlier article on using AWS tools on Fedora. In general, using Fedora on an AWS arm64 EC2 instance is the same as on x86_64.

So while a new architecture on AWS is exciting, it’s at the same time old and boring. You’ll get the same versions of kernel, the same features like SELinux and the same versions of the toolchain stacks, like the latest gcc, golang, rust, and so on in Fedora 29 just like all other architectures. You’ll also get all the usual container tools like podman, buildah, skopeo and kubernetes, and orchestration tools like ansible. Basically, if you’re using Fedora on AWS you can use it in the same way on arm64.

Getting started

The initial launch of A1 aarch64 instances is available in the following four regions: US East (N. Virginia), US East (Ohio), US West (Oregon), and Europe (Ireland). Direct links to launch the Fedora aarch64 AMIs are available on the Fedora Cloud site.

Getting help

The Fedora support for aarch64 is robust. It’s been widely used and tested across a number of platforms. Of course, new users and new use cases will pick up issues that we’ve yet to encounter. So what is the best way to get help? If you have a crash in a particular application, report it in the usual way through RH Bugzilla. Set that bug to block the ARMTracker tracker alias to help identify Arm issues.

For assistance with Arm-specific queries and issues, use the Fedora Arm mailing list. There is also the #fedora-arm IRC channel on Freenode.

Known issues

There is one known issue. The instance takes a while to get started — up to 5 minutes. This is due to entropy, and is a general problem in virtual environments, across all architectures. We’re working to speed this up and it should be fixed soon. Once things are up and running, though, everything works as expected.

Upcoming features

There will be Fedora 29 Atomic host coming in the next Two Week Atomic release. We unfortunately missed their release this time by a small window. It’ll be available in about two weeks with their next release, and will appear on the site once released. We can’t let you have all the fun at once. 😉


Saturday Morning Breakfast Cereal - Antimatter [Saturday Morning Breakfast Cereal]


I've started some research projects lately, so let me apologize in advance for the forthcoming redorkulation of the comics.



Standalone web applications with GNOME Web [Fedora Magazine]

Do you regularly use a single-page web application, but miss some of the benefits of a full-fledged desktop application? The GNOME Web browser, simply named Web (aka Epiphany)  has an awesome feature that allows you to ‘install’ a web application. By doing this, the web application is then presented in the applications menus, GNOME shell search, and is a separate item when switching windows. This short tutorial walks you through the steps of ‘installing’ a web application with GNOME Web.

Install GNOME Web

GNOME Web is not included in the default Fedora install. To install, search in the Software application for ‘web’, and install.

Alternatively, use the following command in the terminal:

sudo dnf install epiphany

Install as Web Application

Next, launch GNOME Web, and browse to the web application you wish to install. Connect to the application using the browser, and choose ‘Install site as Web Application’ from the menu:

GNOME Web next presents a dialog to edit the name of the application. Either leave it as the default (the URL) or change to something more descriptive:

Finally, press Create to ‘install’ your new web application. After creating the web application, close GNOME Web.

Using the new web application

Launch the web application as you would with any typical desktop application. Search for it in the GNOME Shell Overview:

Additionally, the web application will appear as a separate application in the alt-tab application switcher:

One additional feature this adds is that all web notifications from the ‘installed’ web application are presented as regular GNOME notifications.


Tuesday, 27 November



Saturday Morning Breakfast Cereal - Fear [Saturday Morning Breakfast Cereal]


As I upload this, I realize I'm implying we're preloaded with clown-fearing software. I'm prepared to stand by that.



Happy Birthday Jolla Phone [Jolla Blog]

Jolla phone is now 5 years old!! We write this blog post while remembering all the emotions and hard work from the year 2013 when we launched the device to the public. We made it, we made an iconic Finnish product with a small but passionate team of engineers and designers. Despite the fact that half way through the development we had to redesign the hardware due to a new chipset and adapt Sailfish OS to it, we made it, we brought the first Jolla smartphone with blood, sweat and passion in it to the market. We saw room for another player, to come and disrupt the business of mobile operating systems. We showed the world that against all odds, it can be done, and it can be done with class!


The launch

On November 27th 2013, after a year of longing and hype in the Sailfish community, the Jolla phone was launched in Helsinki, in the middle of Narinkkatori. Together with our dear partner DNA and almost 500 people queueing, we launched the first ever Jolla branded smartphone. Everything went smoothly, and we were extremely pleased that our hard work had paid off when we saw happy people with glowy eyes holding the first batch of Jolla phones in their hands!

[Photo gallery: Queue; Henri, the first one; The moment of truth; Group photo with Henri; Inside the tent; The first one; Jolla phone; Jolla]

Being the first one that gets to own the brand new smartphone, risen from the ashes of Nokia and MeeGo, was indeed a big deal. There he was, Henri Huttunen, who became the very first person to purchase the Jolla phone and made it to the headlines! Henri and many others queued up many hours before the launch at Narinkkatori just to get their hands on the long awaited Jolla phone. That’s the Sailfish community, and that’s the passion that came with it! ❤️

[Photo: Henri, the first one]

The Other Half

A bold and innovative idea, which was The Other Half, was launched with the Jolla phone. It was a protocol that brought endless possibilities to hardware developers to add new and unique features to the Jolla phone. Jolla developed an Open HW Developer Kit, a number of simple Other Halves, and made them available for sale at the Jolla webshop. Encouraged and empowered with these, it was the community who took the idea and ran with it to great lengths and developed so many useful The Other Half ideas and turned them into reality.



There were Other Halves with OLED panels on them, a sliding/magnetic QWERTY keyboard, a solar panel, extra battery, and many more, that came out of our active community. Our friends at Pocketnow produced a video back in 2015 and showed off some of the brilliant community developed Other Halves.

There may have been more to the story than meets the eye, however. There were several different TOH ideas developed by Jolla that didn’t get to see the light of day for various reasons, but we still have the sketches and mockups handy to show our community!


[Image gallery: Keyboard Other Half concept; Battery Other Half concept; Keyboard Other Half concept]

Jolla phone, after 5 years

In this day and age, the average Android flagship smartphone’s lifespan is 2 years at best. However, at approximately 10,000 active users of the original Jolla phone, we are proud to still support this iconic smartphone after 5 years of its life. Users of Jolla phone can download the latest Sailfish OS update just like any other Sailfish user with a newer device.

[Image: Jolla 1, Sailfish 3]

Happy birthday Jolla phone! #StillUsingJolla

We made the Jolla phone with our community, and we would love to celebrate its 5th birthday with YOU! You can participate in this celebration by posting a photo of your Jolla phone on your preferred social media platform, using the hashtag #StillUsingJolla, and tag a couple of your Jolla friends too!

We will then pick the most interesting ones and will present a small reward to selected contributions.

On behalf of the Jolla team,

The post Happy Birthday Jolla Phone appeared first on Jolla Blog.

Monday, 26 November


Hello friends, happy Monday! It’s time for my annual... [Sarah's Scribbles]

Hello friends, happy Monday! It’s time for my annual please-buy-my-stuff for the holidays post.
The main place for signed books, prints, plushes, and this exclusive Holiday bundle you see above is my new merch shop!
I also have 2019 wall calendars and planners. They would make great gifts.

Miss you all, I’ll be back soon I promise <3 Stay sane during the holidays!


Saturday Morning Breakfast Cereal - Cross [Saturday Morning Breakfast Cereal]

Click here to go see the bonus panel!

My wife doesn't find this sort of thing particularly funny, but I WILL NOT BE CRUCIFIED ON THIS CROSS OF WIFE

Today's News:


C# Fundamentals: Hello World [Fedora Magazine]

C# is a general purpose, type-safe programming language designed with the object-oriented paradigm in mind. The following tutorial is aimed at users who already know the basics of programming and are looking for a fast guide to getting started with C# and .NET Core on Linux. The tutorial is divided into several posts, each covering new topics.

.NET Core is the free and open-source implementation of the .NET Framework. It includes the CoreCLR, CoreFX, CoreRT and a compiler. Keep in mind that, unlike Microsoft’s .NET Framework, .NET Core is cross-platform and supports ASP.NET Core apps, command line apps, libraries and Universal Windows apps, but it lacks support for WinForms and WPF, which leaves us without GUIs. By 2019 Microsoft is planning to port WinForms to .NET Core, but this will only be for Microsoft Windows, leaving behind Linux and macOS. Note that .NET Core and the Mono framework are two different things and should not be confused.

What is the CLR

The Common Language Runtime (CLR) is the environment that allows .NET programs to run. The CLR gives us additional services including memory management, remoting, type safety, exception handling, garbage collection, security and thread management.

Installation & Tools

This tutorial series uses Visual Studio Code, which is a free and open source code editor by Microsoft. You may use any other editor or IDE of your liking as long as it supports C# syntax.

DotNet Core Installation

We suggest using the Fedora .NET SIG COPR repository to install .NET Core. Note that software in COPR is not supported by Fedora infrastructure or signed by the project.

First, enable the COPR repository:

$ sudo dnf copr enable @dotnet-sig/dotnet

Next, install .NET Core:

$ sudo dnf install dotnet

Alternatively, install from the Microsoft repositories; however, these sources are typically a few versions of Fedora behind.

Visual Studio Code Installation

Check out our previous post here on the Fedora Magazine for details on installing Visual Studio Code:

Using Visual Studio Code on Fedora

C# extension for VS Code

Next, to install the C# extension for Visual Studio Code, press CTRL + P and enter the following command:

ext install ms-vscode.csharp

Hello World!

It is now time to start the journey into C# with a traditional Hello World program.

Open up a terminal window and type:

$ dotnet new console -o Hello

$ cd Hello

Now open the Program.cs file with your editor and you should see something like this:

using System;

namespace Hello
{
    class Program
    {
        public static void Main (string[] args)
        {
            Console.WriteLine ("Hello World!");
        }
    }
}

Next in your terminal window type:

$ dotnet run

If you did everything right, you should see Hello World! displayed on your screen.

Sunday, 25 November



Saturday Morning Breakfast Cereal - Daily Grind [Saturday Morning Breakfast Cereal]

Click here to go see the bonus panel!

If you share this comic, you will receive 10 SMBC coins immediately in your mind.

Today's News:

Saturday, 24 November


Saturday Morning Breakfast Cereal - Together [Saturday Morning Breakfast Cereal]

Click here to go see the bonus panel!

If I ever do get a divorce, the quantity of evidence against me is going to be shocking.

Today's News:

Friday, 23 November


Saturday Morning Breakfast Cereal - Exposure [Saturday Morning Breakfast Cereal]

Click here to go see the bonus panel!

I support all public funding for research which benefits me directly.

Today's News:


How to Build a Netboot Server, Part 1 [Fedora Magazine]

Some computer networks need to maintain identical software installations and configurations on several physical machines. One such environment would be a school computer lab. A netboot server can be set up to serve an entire operating system over a network so that the client computers can be configured from one central location. This tutorial will show one method of building a netboot server.

Part 1 of this tutorial will cover creating a netboot server and image. Part 2 will show how to add Kerberos-authenticated home directories to the netboot configuration.

Initial Configuration

Start by downloading one of Fedora Server’s netinst images, burning it to a CD, and booting the server that will be reformatted from it. We just need a typical “Minimal Install” of Fedora Server for our starting point and we will use the command line to add any additional packages that are needed after the installation is finished.

NOTE: For this tutorial we will be using Fedora 28. Other versions may include a slightly different set of packages in their “Minimal Install”. If you start with a different version of Fedora, then you may need to do some troubleshooting if an expected file or command is not available.

Once you have your minimal installation of Fedora Server up and running, log in and then become root using this command:

$ sudo -i

Set the hostname:

# hostnamectl set-hostname $MY_HOSTNAME

NOTE: Red Hat recommends that both the static and transient names match the fully-qualified domain name (FQDN) used for the machine in DNS (see Understanding Host Names).

NOTE: This guide is meant to be copy-and-paste friendly. Any value that you might need to customize will be stated as a MY_* variable that you can tweak before running the remaining commands. Beware that if you log out, the variable assignments will be cleared.

NOTE: Fedora 28 Server tends to dump a lot of logging output to the console by default. You may want to disable the console logging temporarily by running: sysctl -w kernel.printk=0

Next, we need a static network address on our server. The following sequence of commands should find and reconfigure your default network connection appropriately:

# MY_DNS1=
# MY_DNS2=
# MY_IP=
# MY_PREFIX=
# MY_GATEWAY=
# DEFAULT_DEV=$(ip route show default | awk '{print $5}')
# DEFAULT_CON=$(nmcli d show $DEFAULT_DEV | sed -n '/^GENERAL.CONNECTION:/s!.*:\s*!!p')
# nohup bash << END
nmcli con mod "$DEFAULT_CON" connection.id "$DEFAULT_DEV"
nmcli con mod "$DEFAULT_DEV" connection.interface-name "$DEFAULT_DEV"
nmcli con mod "$DEFAULT_DEV" ipv4.method disabled
nmcli con up "$DEFAULT_DEV"
nmcli con add con-name br0 ifname br0 type bridge
nmcli con mod br0 bridge.stp no
nmcli con mod br0 ipv4.dns $MY_DNS1,$MY_DNS2
nmcli con mod br0 ipv4.addresses $MY_IP/$MY_PREFIX
nmcli con mod br0 ipv4.gateway $MY_GATEWAY
nmcli con mod br0 ipv4.method manual
nmcli con up br0
nmcli con add con-name br0-slave0 ifname "$DEFAULT_DEV" type bridge-slave master br0
nmcli con up br0-slave0
END

NOTE: The last set of commands above is wrapped in a “nohup” script because it will disable networking temporarily. The nohup command should allow the nmcli commands to finish running even while your ssh connection is down. Beware that it may take 10 or so seconds for the connection to come back up and that you will have to start a new ssh connection if you changed the server’s IP address.

NOTE: The above network configuration creates a network bridge on top of the default connection so that we can run a virtual machine instance directly on the server for testing later. If you do not want to test the netboot image directly on the server, you can skip creating the bridge and set the static IP address directly on your default network connection.

Install and Configure NFS4

Start by installing the nfs-utils package:

# dnf install -y nfs-utils

Create a top-level pseudo filesystem for the NFS exports and share it out to your network:

# MY_SUBNET=
# MY_PREFIX=
# mkdir /export
# echo "/export -fsid=0,ro,sec=sys,root_squash $MY_SUBNET/$MY_PREFIX" > /etc/exports

SELinux will interfere with the netboot server’s operation. Configuring exceptions for it is beyond the scope of this tutorial, so we will disable it:

# sed -i '/GRUB_CMDLINE_LINUX/s/"$/ audit=0 selinux=0"/' /etc/default/grub
# grub2-mkconfig -o /boot/grub2/grub.cfg
# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/sysconfig/selinux
# setenforce 0

NOTE: Editing the grub command line should not be necessary, but simply editing /etc/sysconfig/selinux proved ineffective across reboots of Fedora Server 28 during testing, so the “selinux=0” flag has been set here to be doubly sure.

Now, add an exception for the NFS service to the local firewall and start the NFS service:

# firewall-cmd --add-service nfs
# firewall-cmd --runtime-to-permanent
# systemctl enable nfs-server.service
# systemctl start nfs-server.service

Create the Netboot Image

Now that our NFS server is up and running, we need to supply it with an operating system image to serve to the client computers. We will start with a very minimal image and add to it after everything is working.

First, create a new directory where our image will be stored:

# mkdir /fc28

Use the “dnf” command to build the image under the new directory with only a few base packages:

# dnf -y --releasever=28 --installroot=/fc28 install fedora-release systemd passwd rootfiles sudo dracut dracut-network nfs-utils vim-minimal dnf

It is important that the “kernel” packages are omitted from the above command. Before they are installed, we need to tweak the set of drivers that will be included in the “initramfs” image that is built automatically when the kernel is first installed. In particular, we need to disable “hostonly” mode so that the initramfs image will work on a wider set of hardware platforms, and we need to add support for networking and NFS:

# echo 'hostonly=no' > /fc28/etc/dracut.conf.d/hostonly.conf
# echo 'add_dracutmodules+=" network nfs "' > /fc28/etc/dracut.conf.d/netboot.conf

Now, install the kernel:

# dnf -y --installroot=/fc28 install kernel

Set a rule to prevent the kernel from being updated:

# echo 'exclude=kernel-*' >> /fc28/etc/dnf/dnf.conf

Set the locale:

# echo 'LANG="en_US.UTF-8"' > /fc28/etc/locale.conf

NOTE: Some programs (e.g. GNOME Terminal) will not function if the locale is not properly configured.

Set the client’s hostname:

# MY_CLIENT_HOSTNAME=
# echo $MY_CLIENT_HOSTNAME > /fc28/etc/hostname

Disable logging to the console:

# echo 'kernel.printk = 0 4 1 7' > /fc28/etc/sysctl.d/00-printk.conf

Define a local “liveuser” in the netboot image:

# echo 'liveuser:x:1000:1000::/home/liveuser:/bin/bash' >> /fc28/etc/passwd
# echo 'liveuser::::::::' >> /fc28/etc/shadow
# echo 'liveuser:x:1000:' >> /fc28/etc/group
# echo 'liveuser:!::' >> /fc28/etc/gshadow

Allow “liveuser” to sudo:

# echo 'liveuser ALL=(ALL) NOPASSWD: ALL' > /fc28/etc/sudoers.d/liveuser

Enable automatic home directory creation:

# dnf install -y --installroot=/fc28 authselect oddjob-mkhomedir
# echo 'dirs /home' > /fc28/etc/rwtab.d/home
# chroot /fc28 authselect select sssd with-mkhomedir --force
# chroot /fc28 systemctl enable oddjobd.service

Since multiple clients will be mounting our image concurrently, we need to configure the image so that it will operate in read-only mode:

# sed -i 's/^READONLY=no$/READONLY=yes/' /fc28/etc/sysconfig/readonly-root

Configure logging to go to RAM rather than permanent storage:

# sed -i 's/^#Storage=auto$/Storage=volatile/' /fc28/etc/systemd/journald.conf

Configure DNS:

# MY_DNS1=
# MY_DNS2=
# cat << END > /fc28/etc/resolv.conf
nameserver $MY_DNS1
nameserver $MY_DNS2
END

Work around a few bugs that exist for read-only root mounts at the time this tutorial is being written (BZ1542567):

# echo 'dirs /var/lib/gssproxy' > /fc28/etc/rwtab.d/gssproxy
# cat << END > /fc28/etc/rwtab.d/systemd
dirs /var/lib/systemd/catalog
dirs /var/lib/systemd/coredump
END

Finally, we can create the NFS filesystem for our image and share it out to our subnet:

# MY_SUBNET=
# MY_PREFIX=
# mkdir /export/fc28
# echo '/fc28 /export/fc28 none bind 0 0' >> /etc/fstab
# mount /export/fc28
# echo "/export/fc28 -ro,sec=sys,no_root_squash $MY_SUBNET/$MY_PREFIX" > /etc/exports.d/fc28.exports
# exportfs -vr
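The image built so far carries three settings worth knowing about before any client boots it: the “liveuser” account has an empty password field in /etc/shadow, it has passwordless sudo, and the /export/fc28 share is exported with no_root_squash. Every machine on the subnet gets all three. The following script is an added example, not part of the Fedora Magazine article; it audits an image root and an exports file for exactly those settings so that they are reviewed deliberately rather than shipped by accident. The function names and the sample image root it builds (including the 192.0.2.0/24 subnet) are constructed for this demonstration; real use would point it at /fc28 and /etc/exports.d/fc28.exports.

```shell
#!/bin/bash
# Added example (not from the article): audit a netboot image root for
# empty passwords, NOPASSWD sudo rules and no_root_squash NFS exports.
# Function names are assumptions; the sample tree below is constructed.

# Print "empty-password:<user>" for each shadow entry whose password field is empty.
# Usage: empty_password_accounts <shadow-file>
empty_password_accounts() {
    awk -F: '$2 == "" { print "empty-password:" $1 }' "$1"
}

# Print "nopasswd-sudo:<who>" for each NOPASSWD rule under a sudoers.d directory.
# Usage: nopasswd_sudoers <sudoers.d-directory>
nopasswd_sudoers() {
    grep -rhs 'NOPASSWD' "$1" | awk '{ print "nopasswd-sudo:" $1 }'
}

# Print "no-root-squash:<path>" for each export that disables root squashing.
# Usage: no_root_squash_exports <exports-file>
no_root_squash_exports() {
    grep -hs 'no_root_squash' "$1" | awk '{ print "no-root-squash:" $1 }'
}

# Run all checks; print one finding per line and return 1 when anything was found.
# Usage: audit_netboot_image <image-root> <exports-file>
audit_netboot_image() {
    local root="$1" exports="$2" findings
    findings=$(
        empty_password_accounts "$root/etc/shadow"
        nopasswd_sudoers "$root/etc/sudoers.d"
        no_root_squash_exports "$exports"
    )
    printf '%s\n' "$findings" | sed '/^$/d'
    [ -z "$findings" ]
}

# Build a constructed sample image root that mirrors what the tutorial writes.
# Usage: make_sample_root <directory>
make_sample_root() {
    local root="$1"
    mkdir -p "$root/etc/sudoers.d"
    printf 'root:*:18000:0:99999:7:::\nliveuser::::::::\n' > "$root/etc/shadow"
    echo 'liveuser ALL=(ALL) NOPASSWD: ALL' > "$root/etc/sudoers.d/liveuser"
    echo '/export/fc28 -ro,sec=sys,no_root_squash 192.0.2.0/24' > "$root/exports"
}

# Against the real image: ./audit-netboot.sh /fc28 /etc/exports.d/fc28.exports
if [ -n "${2:-}" ]; then
    audit_netboot_image "$1" "$2"
fi
```

The script only reports; what to do about each finding depends on the lab. A non-empty exit status makes it easy to run from the same shell session that builds the image, right before “exportfs -vr”.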

Create the Boot Loader

Now that we have an operating system available to netboot, we need a boot loader to kickstart it on the client systems. For this setup, we will be using iPXE. Note you should be logged in to your user account here, not root.

NOTE: This section and the following section — Testing with QEMU — can be done on a separate computer; they do not have to be run on the netboot server.

Install git and use it to download iPXE:

$ sudo dnf install -y git
$ git clone $HOME/ipxe

Now we need to create a special startup script for our bootloader:

$ cat << 'END' > $HOME/ipxe/init.ipxe
#!ipxe

prompt --key 0x02 --timeout 2000 Press Ctrl-B for the iPXE command line... && shell ||

dhcp || exit
set prefix file:///linux
chain ${prefix}/boot.cfg || exit
END

Enable the “file” download protocol:

$ echo '#define DOWNLOAD_PROTO_FILE' > $HOME/ipxe/src/config/local/general.h

Install the C compiler and related tools and libraries:

$ sudo dnf groupinstall -y "C Development Tools and Libraries"

Build the boot loader:

$ cd $HOME/ipxe/src
$ make clean
$ make bin-x86_64-efi/ipxe.efi EMBED=../init.ipxe

Make note of where the newly-compiled boot loader is. We will need it for the next section:

$ IPXE_FILE="$HOME/ipxe/src/bin-x86_64-efi/ipxe.efi"

Testing with QEMU

This section is optional, but you will need to duplicate the file layout of the EFI system partition that is shown below on your physical machines to configure them for netbooting.

NOTE: You could also copy the files to a TFTP server and reference that server from DHCP if you wanted a fully diskless system.

In order to test our boot loader with QEMU, we are going to create a small disk image containing only an EFI system partition and our startup files.

Start by creating the required directory layout for the EFI system partition and copying the boot loader that we created in the previous section to it:

$ mkdir -p $HOME/esp/efi/boot
$ mkdir $HOME/esp/linux
$ cp $IPXE_FILE $HOME/esp/efi/boot/bootx64.efi

The below command should identify the kernel version that our netboot image is using and store it in a variable for use in the remaining configuration directives:

$ DEFAULT_VER=$(ls -c /fc28/lib/modules | head -n 1)

Define the boot configuration that our client computers will be using:

$ MY_DNS1=
$ MY_DNS2=
$ MY_NFS4=
$ cat << END > $HOME/esp/linux/boot.cfg
#!ipxe

kernel --name kernel.efi \${prefix}/vmlinuz-$DEFAULT_VER initrd=initrd.img ro ip=dhcp rd.peerdns=0 nameserver=$MY_DNS1 nameserver=$MY_DNS2 root=nfs4:$MY_NFS4:/fc28 console=tty0 console=ttyS0,115200n8 audit=0 selinux=0 quiet
initrd --name initrd.img \${prefix}/initramfs-$DEFAULT_VER.img
boot || exit
END

NOTE: The above boot script shows a minimal example of how to get iPXE to netboot Linux. Much more complex configurations are possible. Most notably, iPXE has support for interactive boot menus which can be configured with a default selection and a timeout. A more advanced iPXE script could, for example, default to booting an operating system from the local disk and only go to the netboot operation if a user pressed a key before a countdown timer reached zero.

Copy the Linux kernel and its associated initramfs to the EFI system partition:

$ cp $(find /fc28/lib/modules -maxdepth 2 -name 'vmlinuz' | grep -m 1 $DEFAULT_VER) $HOME/esp/linux/vmlinuz-$DEFAULT_VER
$ cp $(find /fc28/boot -name 'init*' | grep -m 1 $DEFAULT_VER) $HOME/esp/linux/initramfs-$DEFAULT_VER.img

Our resulting directory layout should look like this:

├── efi
│   └── boot
│       └── bootx64.efi
└── linux
    ├── boot.cfg
    ├── initramfs-4.18.18-200.fc28.x86_64.img
    └── vmlinuz-4.18.18-200.fc28.x86_64
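A boot that stops inside the initramfs is most often a layout problem: a kernel and initramfs whose version strings do not match, a file name in boot.cfg that differs from the one actually copied, or a boot.cfg that iPXE does not recognise as a script because it lacks the leading “#!ipxe” line. The following script is an added example, not part of the Fedora Magazine article; it checks a directory laid out as shown above before the files are copied to uefi.img or to a physical EFI system partition. The function names are assumptions, and the sample tree it builds is constructed for the demonstration.

```shell
#!/bin/bash
# Added example (not from the article): sanity-check an EFI system partition
# directory laid out as $HOME/esp in the tutorial. Function names are
# assumptions; the sample tree built by make_sample_esp is constructed.

# Usage: check_esp_layout <esp-directory>
# Prints one problem per line and returns 0 only when the layout is consistent.
check_esp_layout() {
    local esp="$1" cfg kernel initrd kver iver status=0
    cfg="$esp/linux/boot.cfg"
    [ -f "$esp/efi/boot/bootx64.efi" ] || { echo "missing: efi/boot/bootx64.efi"; status=1; }
    [ -f "$cfg" ] || { echo "missing: linux/boot.cfg"; return 1; }
    # iPXE only treats a chained file as a script when its first line is "#!ipxe".
    head -n 1 "$cfg" | grep -q '^#!ipxe' || { echo "boot.cfg: first line is not #!ipxe"; status=1; }
    # Pull the file names that follow ${prefix}/ on the kernel and initrd lines.
    kernel=$(sed -n 's/^kernel .*\${prefix}\/\([^ ]*\).*/\1/p' "$cfg")
    initrd=$(sed -n 's/^initrd .*\${prefix}\/\([^ ]*\).*/\1/p' "$cfg")
    [ -n "$kernel" ] || { echo "boot.cfg: no kernel line"; return 1; }
    [ -n "$initrd" ] || { echo "boot.cfg: no initrd line"; return 1; }
    [ -f "$esp/linux/$kernel" ] || { echo "missing: linux/$kernel"; status=1; }
    [ -f "$esp/linux/$initrd" ] || { echo "missing: linux/$initrd"; status=1; }
    # vmlinuz-<ver> and initramfs-<ver>.img must agree on <ver>.
    kver=${kernel#vmlinuz-}
    iver=${initrd#initramfs-}
    iver=${iver%.img}
    [ "$kver" = "$iver" ] || { echo "version mismatch: kernel $kver, initramfs $iver"; status=1; }
    return $status
}

# Build a constructed sample tree with the layout the tutorial produces.
# Usage: make_sample_esp <esp-directory> <kernel-version>
make_sample_esp() {
    local esp="$1" ver="$2"
    mkdir -p "$esp/efi/boot" "$esp/linux"
    : > "$esp/efi/boot/bootx64.efi"
    : > "$esp/linux/vmlinuz-$ver"
    : > "$esp/linux/initramfs-$ver.img"
    cat << END > "$esp/linux/boot.cfg"
#!ipxe
kernel --name kernel.efi \${prefix}/vmlinuz-$ver initrd=initrd.img ro ip=dhcp root=nfs4:192.0.2.158:/fc28 quiet
initrd --name initrd.img \${prefix}/initramfs-$ver.img
boot || exit
END
}

# Against the real tree: ./check-esp.sh "$HOME/esp"
if [ -n "${1:-}" ]; then
    check_esp_layout "$1"
fi
```

Run it on $HOME/esp right after the two “cp” commands above and before building “uefi.img”; a clean run prints nothing and exits 0.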

To use our EFI system partition with QEMU, we need to create a small “uefi.img” disk image containing it and then connect that to QEMU as the primary boot drive.

Begin by installing the necessary tools:

$ sudo dnf install -y parted dosfstools

Now create the “uefi.img” file and copy the files from the “esp” directory into it:

$ ESP_SIZE=$(du -ks $HOME/esp | cut -f 1)
$ dd if=/dev/zero of=$HOME/uefi.img count=$((${ESP_SIZE}+5000)) bs=1KiB
$ UEFI_DEV=$(sudo losetup --show -f $HOME/uefi.img)
$ sudo parted ${UEFI_DEV} -s mklabel gpt mkpart EFI FAT16 1MiB 100% toggle 1 boot
$ sudo mkfs -t msdos ${UEFI_DEV}p1
$ mkdir -p $HOME/mnt
$ sudo mount ${UEFI_DEV}p1 $HOME/mnt
$ sudo cp -r $HOME/esp/* $HOME/mnt
$ sudo umount $HOME/mnt
$ sudo losetup -d ${UEFI_DEV}

NOTE: On a physical computer, you need only copy the files from the “esp” directory to the computer’s existing EFI system partition. You do not need the “uefi.img” file to boot a physical computer.

NOTE: On a physical computer you can rename the “bootx64.efi” file if a file by that name already exists, but if you do so, you will probably have to edit the computer’s BIOS settings and add the renamed efi file to the boot list.

Next we need to install the qemu package:

$ sudo dnf install -y qemu-system-x86

Allow QEMU to access the bridge that we created in the “Initial Configuration” section of this tutorial:

$ sudo su -
# echo 'allow br0' > /etc/qemu/bridge.conf
# exit

Create a copy of the “OVMF_VARS.fd” image to store our virtual machine’s persistent BIOS settings:

$ cp /usr/share/edk2/ovmf/OVMF_VARS.fd $HOME

Now, start the virtual machine:

$ qemu-system-x86_64 -machine accel=kvm -nographic -m 1024 -drive if=pflash,format=raw,unit=0,file=/usr/share/edk2/ovmf/OVMF_CODE.fd,readonly=on -drive if=pflash,format=raw,unit=1,file=$HOME/OVMF_VARS.fd -drive if=ide,format=raw,file=$HOME/uefi.img -net bridge,br=br0 -net nic,model=virtio

If all goes well, you should see results similar to what is shown in the below image:

You can use the “shutdown” command to get out of the virtual machine and back to the server:

$ sudo shutdown -h now

NOTE: If something goes wrong and the virtual machine hangs, you may need to start a new ssh session to the server and use the “kill” command to terminate the “qemu-system-x86_64” process.

Adding to the Image

Adding to the image should be a simple matter of chroot’ing into the image on the server and running “dnf install <package_name>”.

There is no limit to what can be installed on the netboot image. A full graphical installation should function perfectly.

Here is an example of how to bring our minimal netboot image up to a complete graphical installation:

# for i in dev dev/pts dev/shm proc sys run; do mount -o bind /$i /fc28/$i; done
# chroot /fc28 /usr/bin/bash --login
# dnf -y groupinstall "Fedora Workstation"
# dnf -y remove gnome-initial-setup
# systemctl disable sshd.service
# systemctl enable gdm.service
# systemctl set-default graphical.target
# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/sysconfig/selinux
# logout
# for i in run sys proc dev/shm dev/pts dev; do umount /fc28/$i; done

Optionally, you may want to enable automatic login for the “liveuser” account:

# sed -i '/daemon/a AutomaticLoginEnable=true' /fc28/etc/gdm/custom.conf
# sed -i '/daemon/a AutomaticLogin=liveuser' /fc28/etc/gdm/custom.conf


Thursday, 22 November