The 2020 spring edition of the Pwn2Own hacking contest has come to a close today. This year's winner is Team Fluoroacetate -- made up of security researchers Amat Cama and Richard Zhu -- who won the contest after accumulating nine points across the two-day competition, which was just enough to extend their dominance and win their fourth tournament in a row. From a report: But this year's edition was a notable event for another reason. While the spring edition of the Pwn2Own hacking contest takes place at the CanSecWest cyber-security conference, held each spring in Vancouver, Canada, this year was different. Due to the ongoing coronavirus (COVID-19) outbreak and travel restrictions imposed in many countries around the globe, many security researchers couldn't attend or weren't willing to travel to Vancouver and potentially put their health at risk. Instead, this year's Pwn2Own edition has become the first-ever hacking contest that has been hosted in a virtual setting. Participants sent exploits to Pwn2Own organizers in advance, who ran the code during a live stream with all participants present. During the competition's two-day schedule, six teams managed to hack apps and operating systems like Windows, macOS, Ubuntu, Safari, Adobe Reader, and Oracle VirtualBox. All bugs exploited during the contest were immediately reported to their respective companies.

Microsoft has announced that its cross-platform automation tool and configuration framework PowerShell 7 is now generally available. From a report: Available for Windows, macOS and Linux, PowerShell 7 sees Microsoft moving from .NET Core 2.x to 3.1 which enables greater backwards compatibility with existing Windows PowerShell modules thanks to the resurrection of numerous .NET Framework APIs. The cross-platform nature of PowerShell 7 means that Ubuntu, openSUSE, Fedora, Debian and other Linux distro are embraced. Joey Aiello, product manager of PowerShell, says: "If you weren't able to use PowerShell Core 6.x in the past because of module compatibility issues, this might be the first time you get to take advantage of some of the awesome features we already delivered since we started the Core project!"

"Now budding Python developers can read up on the National Security Agency's own Python training materials," reports ZDNet: Software engineer Chris Swenson filed a Freedom of Information Act request with the NSA for access to its Python training materials and received a lightly redacted 400-page printout of the agency's COMP 3321 Python training course. Swenson has since scanned the documents, ran OCR on the text to make it searchable, and hosted it on Digital Oceans Spaces. The material has also been uploaded to the Internet Archive...

"If you don't know any programming languages yet, Python is a good place to start. If you already know a different language, it's easy to pick Python on the side. Python isn't entirely free of frustration and confusion, but hopefully you can avoid those parts until long after you get some good use out of Python," writes the NSA...

Swenson told ZDNet that it was "mostly just curiosity" that motivated him to ask the NSA about its Python training material. He also said the NSA had excluded some course material, but that he'll keep trying to get more from the agency... Python developer Kushal Das has pulled out some interesting details from the material. He found that the NSA has an internal Python package index, that its GitLab instance is gitlab.coi.nsa.ic.gov, and that it has a Jupyter gallery that runs over HTTPS. NSA also offers git installation instructions for CentOS, Red Hat Enterprise Linux, Ubuntu, and Windows, but not Debian.

An anonymous reader quotes a report from ZDNet: In May 2019, South Korea's Interior Ministry announced plans to look into switching to the Linux desktop from Windows. It must have liked what it saw. According to the Korean news site Newsis, the South Korean Ministry of Strategy and Planning has announced the government is exploring moving most of its approximately 3.3 million Windows computers to Linux. The reason for this is simple. It's to reduce software licensing costs and the government's reliance on Windows. As Choi Jang-hyuk, the head of the Ministry of Strategy and Finance, said, "We will resolve our dependency on a single company while reducing the budget by introducing an open-source operating system."

How much? South Korean officials said it would cost 780 billion won (about $655 million) to move government PCs from Windows 7 to Windows 10. [...] Windows will still have a role to play for now on South Korean government computers. As the Aju Business Daily, a South Korean business news site, explained: Government officials currently use two physical, air-gapped PCs. One is external for internet use, and the other is internal for intranet tasks. Only the external one will use a Linux-based distro. Eventually, by 2026, most civil servants will use a single Windows-powered laptop. On that system, Windows will continue to be used for internal work, while Linux will be used as a virtual desktop via a Linux-powered cloud server. This looks to eventually end up as a Desktop-as-a-Service (DaaS) model. The report notes that the Ministry of National Defense and National Police Agency are already using the Ubuntu Linux 18.04 LTS-based Harmonica OS 3.0.

"Meanwhile, the Korean Postal Service division is moving to TMaxOS," reports ZDNet. "The Debian Linux-based South Korean Gooroom Cloud OS is also being used by Defense and the Ministry of Public Administration and Security."

An anonymous reader quotes TechRadar: Intel's Clear Linux distribution looks like it could be the best operating system to run on cheap AMD hardware, with benchmarks showing it outperforms Windows 10 and Ubuntu on a $199 laptop with a budget AMD Ryzen 3200U processor. The Phoronix website ran a series of benchmarks on a super-cheap AMD laptop from Walmart, and found that Intel Clear Linux beat popular Linux distros Fedora and Ubuntu for 78% of the tests.

Not only is it remarkable that a relatively unknown Linux distro is so easily outperforming established operating systems, the fact that Intel is the company behind the distro is particularly ironic. As you can imagine, Clear Linux is optimized for Intel processors, but it seems like it works brilliantly on AMD hardware as well.

In 2017 Elementary OS built a pay-what-you-want app store -- funded with $10,000 raised on IndieGogo. Now they're trying to raise another $10,000 for a one-week, in-person sprint in Denver, Colorado, Forbes reports, to upgrade the store while bringing an even grander concept to reality: That concept comprises 4 main goals:

- Enable open source developers to monetize their apps on every other Linux distribution

- Empower developers to ship apps with cutting-edge technologies

- Improve privacy, security, and stability

- Streamline the payments process

On the technical side of things, the team plans to rebuild AppCenter's backend from the ground up to enable newer technologies developers are asking for, and they're rallying behind the Flatpak packaging format to get it done. They've already been collaborating with the FlatHub team, and plan to bring in developers from Endless and GNOME to ensure that "our solution can be reused and improved by other Flatpak stores and the greater open source desktop ecosystem."
For a donation of $10, "you'll have your name immortalized in the AppCenter code on GitHub," explains a promotional video. (There's already 70 backers who have claimed this perk.) In fact, "Less than 8 hours ago we launched #AppCenterForEveryone, and we're 50% funded," announced an update Friday on Twitter. The campaign's web page shared this note of appreciation.

"With your support, we'll be able to accelerate the timeline on adopting cutting edge technology and making an even more competitive Open Source operating system and a compelling foundation for all Flatpak stores."

Phoronix's Michael Larabel is doing some performance testing on Walmart's $199 Motile-branded M141 laptop (which has an AMD Ryzen 3 3200U processor, Vega 3 graphics, 4GB of RAM, and a 14-inch 1080p display).

But first he compared the performance of its pre-installed Windows 10 OS against the forthcoming Ubuntu 20.04 LTS Linux distribution.

Some highlights: - Java text rendering performance did come out much faster on Ubuntu 20.04 with this Ryzen 3 3200U laptop...

- The GraphicsMagick imaging program tended to run much better on Linux, which we've seen on other systems in the past as well.

- Intel's Embree path-tracer was running faster on Ubuntu...

- Various video benchmarks were generally favoring Ubuntu for better performance though I wouldn't recommend much in the way of video encoding from such a low-end device...

- The GIMP image editing software was running much faster on Ubuntu 20.04 in its development state than GIMP 2.10 on Windows 10...

- Python 3 performance is still much faster on Linux than Windows.

- If planning to do any web/LAMP development from the budget laptop and testing PHP scripts locally, Ubuntu's PHP7 performance continues running much stronger than Windows 10. - Git also continues running much faster on Linux.
Their conclusion? "Out of 63 tests ran on both operating systems, Ubuntu 20.04 was the fastest... coming in front 60% of the time." (This sounds like 38 wins for Ubuntu versus 25 wins for Windows 10.)

"If taking the geometric mean of all 63 tests, the Motile $199 laptop with Ryzen 3 3200U was 15% faster on Ubuntu Linux over Windows 10."

You can buy an official Kubuntu laptop. Called "Focus". It is an absolutely powerhouse with top specs. From a report: Here's the specs list:
CPU: Core i7-9750H 6c/12t 4.5GHz Turbo
GPU: 6GB GTX-2060
RAM: 32GB Dual Channel DDR4 2666 RAM
Storage: 1TB Samsung 970 EVO Plus NVMe
Display: 16.1" matte 1080p IPS
Keyboard: LED backlit, 3-4mm travel
User expandable SDD, NVMe, and RAM
Superior cooling
The starting price for the Kubuntu Focus Laptop is $2395.

Ars Technica recently ran a rebuttal by author, podcaster, coder, and "mercenary sysadmin" Jim Salter to some comments Linus Torvalds made last week about ZFS.

While it's reasonable for Torvalds to oppose integrating the CDDL-licensed ZFS into the kernel, Salter argues, he believes Torvalds' characterization of the filesystem was "inaccurate and damaging."
Torvalds dips into his own impressions of ZFS itself, both as a project and a filesystem. This is where things go badly off the rails, as Torvalds states, "Don't use ZFS. It's that simple. It was always more of a buzzword than anything else, I feel... [the] benchmarks I've seen do not make ZFS look all that great. And as far as I can tell, it has no real maintenance behind it any more..."

This jaw-dropping statement makes me wonder whether Torvalds has ever actually used or seriously investigated ZFS. Keep in mind, he's not merely making this statement about ZFS now, he's making it about ZFS for the last 15 years -- and is relegating everything from atomic snapshots to rapid replication to on-disk compression to per-block checksumming to automatic data repair and more to the status of "just buzzwords."

[The 2,300-word article goes on to describe ZFS features like per-block checksumming, automatic data repair, rapid replication and atomic snapshots -- as well as "performance wins" including its Adaptive Replacement caching algorithm and its inline compression (which allows datasets to be live-compressed with algorithms.]

The TL;DR here is that it's not really accurate to make blanket statements about ZFS performance, absent a very particular, well-understood workload to measure that performance on. But more importantly, quibbling about the fastest possible benchmark rather loses the main point of ZFS. This filesystem is meant to provide an eminently scalable filesystem that's extremely resistant to data loss; those are points Torvalds notably never so much as touches on....

Meanwhile, OpenZFS is actively consumed, developed, and in some cases commercially supported by organizations ranging from the Lawrence Livermore National Laboratory (where OpenZFS is the underpinning of some of the world's largest supercomputers) through Datto, Delphix, Joyent, ixSystems, Proxmox, Canonical, and more...

It's possible to not have a personal need for ZFS. But to write it off as "more of a buzzword than anything else" seems to expose massive ignorance on the subject... Torvalds' status within the Linux community grants his words an impact that can be entirely out of proportion to Torvalds' own knowledge of a given topic -- and this was clearly one of those topics.

"I've grown quite fond of the docker container runtime. It's easy to install and use, and many of the technologies I write about depend upon this software," writes TechRepublic/Linux.com contributor Jack Wallen.

"But Red Hat has other plans." The company decided -- seemingly out of the blue -- to drop support for the docker runtime engine. In place of docker came Podman. When trying to ascertain why Red Hat split with Docker, nothing came clear. Sure, I could easily draw the conclusion that Red Hat had grown tired of the security issues surrounding Docker and wanted to take matters in their own hands. There was also Red Hat's issue with "no big fat daemons." If that's the case, how do they justify their stance on systemd?

Here's where my tinfoil hat comes into play. Understand this is pure conjecture here and I have zero facts to back these claims up... Red Hat is now owned by IBM. IBM was desperate to gain serious traction within the cloud. To do that, IBM needed Red Hat, so they purchased the company. Next, IBM had to score a bit of vendor lock-in. Using a tool like docker wouldn't give them that lock-in. However, if Red Hat developed and depended on their own container runtime, vendor lock-in was attainable....

Red Hat has jettisoned a mature, known commodity for a less-mature, relatively unknown piece of software -- without offering justification for the migration.... Until Red Hat offers up a sound justification for migrating from the docker container engine to Podman, there's going to be a lot of people sporting tinfoil hats. It comes with the territory of an always-connected world. And if it does turn out to be an IBM grab for vendor lock-in, there'll be a lot of admins migrating away from RHEL/CentOS to the likes of Ubuntu Server, SUSE/openSUSE, Debian, and more.
Red Hat's product manager of containers later touted Podman's ability to deploy containers without root access privileges in an interview with eWeek. "We felt the sum total of its features, as well as the project's performance, security and stability, made it reasonable to move to 1.0. Since Podman is set to be the default container engine for the single-node use case in Red Hat Enterprise Linux 8, we wanted to make some pledges about its supportability."

And a Red Hat spokesperson also shared their position with The New Stack. "We saw our customer base wanting the container runtime lifecycle baked-in to the OS or in delivered tandem with OpenShift."

Pine64 will finally start shipping the pre-order units of PinePhone Braveheart Edition on January 17, 2020. Fossbytes reports: A year ago, PinePhone was made available only to developers and hackers. After getting better responses and suggestions, the Pine64 developers planned to bring Pinephone for everyone. In November last year, pre-orders for PinePhone Braveheart Edition commenced for everyone. But due to manufacturing issues coming in the way, the shipment date slipped for weeks, which was scheduled in December last year.

PinePhone Braveheart Edition is an affordable, open source Linux-based operating system smartphone preloaded with factory test image running on Linux OS (postmarketOS) on inbuilt storage. You can check on PinePhone Wiki to find the PinePhone compatible operating system such as Ubuntu Touch, postmarketOS, or Sailfish OS, which you can boot either from internal storage or an SD card.

An anonymous reader quotes Forbes: If you've been following the steady march of progress from Dell's Linux-first Project Sputnik team, you're no doubt aware that the "Developer Edition" variant of the XPS 13 is one of the finest Linux-ready ultrabooks you can buy. Just ahead of CES 2020, Dell is pushing out a few more improvements including a feature that's been hotly requested: fingerprint-reader support. It's one of several enhancements Dell is promising to Linux users for its 10th-generation XPS 13, including a new maximum of 32GB RAM and a redesigned "InfinityEdge" display that adds even more screen real estate, resulting in an adjusted 16:10 aspect ratio to match... Details on fingerprint-reader support are still a bit vague, but Dell says it will be released shortly after the system's February 2020 launch as an OTA (over-the-air) update, and then as part of the preloaded Ubuntu Developer Edition image it ships with the system.
Dell's lead on Project Sputnik developer systems, Barton George, also blogged about Dell's new 86-inch 4K interactive touch monitor, as well as their upcoming Latitude 9510 notebook and 2-in-1 laptops, promising "a new ultra-premium class of products" offering 5G mobile broadband capabilities, AI-based productivity capabilities, and 30-plus hours of battery life.

The blog post ends by noting that "While project Sputnik is the most visible Linux-based offerings from Dell, it is only a small fraction of the over 150 systems that make up Dell's Linux portfolio."

Zack Whittaker, writing for TechCrunch: Last week, Spotify sent a number of USB drives to reporters with a note: "Play me." It's not uncommon for reporters to receive USB drives in the post. Companies distribute USB drives all the time, including at tech conferences, often containing promotional materials or large files, such as videos that would otherwise be difficult to get into as many hands as possible. But anyone with basic security training under their hat will know to never plug in a USB drive without taking some precautions first.

Concerned but undeterred, we safely examined the contents of the drive using a disposable version of Ubuntu Linux (using a live CD) on a spare computer. We examined the drive and found it was benign. On the drive was a single audio file. "This is Alex Goldman, and you've just been hacked," the file played. The drive was just a promotion for a new Spotify podcast. Because of course it was. Jake Williams, a former NSA hacker and founder of Rendition Infosec, called the move "amazingly tone deaf" to encourage reporters into plugging in the drives to their computers.

An anonymous reader writes: Security researchers found a new vulnerability allowing potential attackers to hijack VPN connections on affected *NIX devices and inject arbitrary data payloads into IPv4 and IPv6 TCP streams. They disclosed the security flaw tracked as CVE-2019-14899 to distros and the Linux kernel security team, as well as to others impacted such as Systemd, Google, Apple, OpenVPN, and WireGuard. The vulnerability is known to impact most Linux distributions and Unix-like operating systems including FreeBSD, OpenBSD, macOS, iOS, and Android. A currently incomplete list of vulnerable operating systems and the init systems they came with is available below, with more to be added once they are tested and found to be affected: Ubuntu 19.10 (systemd), Fedora (systemd), Debian 10.2 (systemd), Arch 2019.05 (systemd), Manjaro 18.1.1 (systemd), Devuan (sysV init), MX Linux 19 (Mepis+antiX), Void Linux (runit), Slackware 14.2 (rc.d), Deepin (rc.d), FreeBSD (rc.d), and OpenBSD (rc.d).

This security flaw "allows a network adjacent attacker to determine if another user is connected to a VPN, the virtual IP address they have been assigned by the VPN server, and whether or not there is an active connection to a given website," according to William J. Tolley, Beau Kujath, and Jedidiah R. Crandall, Breakpointing Bad researchers at University of New Mexico. "Additionally, we are able to determine the exact seq and ack numbers by counting encrypted packets and/or examining their size. This allows us to inject data into the TCP stream and hijack connections," the researchers said.

An anonymous reader shares a report: elementary OS has long been viewed by many as the future of Linux on the PC thanks to its beautiful desktop environment and overall polished experience. Development of the Ubuntu-based operating system has been frustratingly slow, however. This shouldn't be surprising, really, as the team of developers is rather small, and its resources are likely much less than those of larger distributions such as the IBM-backed Fedora or Canonical's Ubuntu. And that is what makes elementary OS so remarkable -- its developers can make magic on a smaller budget. Today, the latest version of the operating system is released. Code-named "Hera," elementary OS 5.1 is now available for download. Support for Flatpak is now baked in -- this is significant, as the developers explain it is "the first non-deb packaging format we've supported out of the box." The Linux kernel now sits at a very modern 5.0. One of the most important aspects of elementary OS, the AppCenter, is now an insane 10 times faster than its predecessor.

An anonymous reader writes: Called "Zorin OS 15 Lite," it is not only lightweight, but thanks to the Xfce desktop environment and integrated Flatpak support, it should be quite familiar to those switching from Windows. In fact, the developers are intentionally targeting existing Windows 7 users, as Microsoft's operating system will be unsupported beginning January 2020. Zorin OS 15 Lite, in comparison, is based on Ubuntu 18.04 LTS and supported until 2023! It even comes with the very modern Linux kernel 5.0. "With Zorin OS 15 Lite, we've condensed the full Zorin OS experience into a streamlined operating system, designed to run fast on computers as old as 15 years. With version 15, we've gone the extra mile to make the XFCE 4.14-based desktop feel familiar and user-friendly to new users, especially those moving away from Windows 7 leading up to the end of its support in January 2020. By pairing the most advanced and efficient software with a user-friendly experience, we've made it possible for anyone to extend the lifespan of their computers for years to come," explains the Zorin OS developers.

An anonymous reader quotes the International Business Times: At the recent Tianfu cup held in Chengdu, China, Chinese China's top white-hat hackers have converged to test zero-days against top software available in the market today. During the first day of the event, Chinese security researchers were able to break into major browsers such as Safari, Microsoft Edge, and Google Chrome.

Since March 2018, the Chinese government has officially discouraged security researchers from joining hacking competitions outside the county. The recent Tianfu Cup is the venue for hackers to showcase their skills and even earn six-figure bounties for successful exploits. Former Pwn2Own winner Team 360 Vulcan took home $382,500 for successfully hacking the old version of Office 365, Microsoft Edge, Adobe PDF Reader, VMWare Workstation, and gemu+ Ubuntu during the two days event, reports ZDNet... Search engine giant Google has a representative in the event with some members of the Google Chrome security team present on site. Organizers plan to submit a report of all bugs uncovered during the event to all vendors when the competition concludes, says ZDNet.

"Researchers have discovered a new multi-platform backdoor that infects Windows and Linux systems allowing the attackers to run malicious code and binaries on the compromised machines," reports Bleeping Computer: The malware dubbed ACBackdoor is developed by a threat group with experience in developing malicious tools for the Linux platform based on the higher complexity of the Linux variant as Intezer security researcher Ignacio Sanmillan found. "ACBackdoor provides arbitrary execution of shell commands, arbitrary binary execution, persistence, and update capabilities," the Intezer researcher found.

Both variants share the same command and control (C2) server but the infection vectors they use to infect their victims are different: the Windows version is being pushed through malvertising with the help of the Fallout Exploit Kit while the Linux payload is dropped via a yet unknown delivery system... Besides infecting victims via an unknown vector, the Linux malicious binary is detected by only one of the anti-malware scanning engines on VirusTotal at the time this article was published, while the Windows one is detected by 37 out of 70 engines. The Linux binary is also more complex and has extra malicious capabilities, although it shares a similar control flow and logic with the Windows version...

ACBackdoor can receive the info, run, execute, and update commands from the C2 server, allowing its operators to run shell commands, to execute a binary, and to update the malware on the infected system.
The article warns that the Linux version will disguise itself as the Ubuntu UpdateNotifier utility, renaming its process as the Linux kernel thread [kworker/u8:7-ev].

Following the beta period, one of the best and most popular Linux-based desktop operating systems reaches a major milestone -- you can now download Ubuntu 19.10! Code-named "Eoan Ermine", the distro is better and faster then ever. From a report: By default, Ubuntu 19.10 comes with one of the greatest desktop environments -- GNOME 3.34. In addition, users will be delighted by an all-new optional Yaru light theme. There is even baked-in support for the Raspberry Pi 4. The kernel is based on Linux 5.3 and comes with support for AMD Navi GPUs. There are plenty of excellent pre-installed programs too, such as LibreOffice 6.3, Firefox 69, and Thunderbird 68. While many users will be quick to install Google Chrome, I would suggest giving Firefox a try -- it has improved immensely lately. "With GNOME 3.34, Ubuntu 19.10 is the fastest release yet with significant performance improvements delivering a more responsive and smooth experience, even on older hardware. App organization is easier with the ability to drag and drop icons into categorized folders, while users can select light or dark Yaru theme variants depending on their preference or for improved viewing accessibility. Native support for ZFS on the root partition is introduced as an experimental desktop installer option. Coupled with the new zsys package, benefits include automated snapshots of file system states, allowing users to boot to a previous update and easily roll forwards and backwards in case of failure," says Canonical.

It's been five years since the release of CentOS 7, but Indy1 (Slashdot reader #99,447) reminded us that CentOS 8 finally arrived this week -- along with a big new plan for rolling releases.

It Pro Today points out that CentOS already runs on about 16% of all servers, "a number that's only bested by Ubuntu with an estimated 28%," and says that this move "points to CentOS taking a more important role within Red Hat [and] indicates a sea change not only for CentOS, but for the Red Hat Enterprise Linux (RHEL) development pipeline." According to Karanbir Singh, CentOS project lead and Red Hat engineer, Stream will contain the code under development for the next minor RHEL release, which will allow the developer community to discuss, suggest, and contribute features and fixes into RHEL more quickly. "To do this, Red Hat Engineering is planning to move parts of RHEL development into the CentOS Project in order to collaborate with everyone on updates to RHEL," he said.

This would seem to mean that not only will CentOS remain under Red Hat's care and protection, but that CentOS will play a more important role within Red Hat going forward.