An anonymous reader writes: Alphabet's cybersecurity division Jigsaw has designed a new open source private VPN aimed at journalists and the people sending them data. "Their work makes them more vulnerable to attack," said Santiago Andrigo, Jigsaw's product manager. "It can get really scary when they're outed and you're passing over information."

Unscrupulous VPN providers can steal your identity, peek in on your data, inject their own ads on non-secure pages, or analyze your browsing habits and sell that information to advertisers, says one Jigsaw official. And you can't know for sure whether you can trust them, no matter what they say in the app store. "Journalists should be aware that their online activities might be subject to surveillance either by government agencies, their internet service providers or a hacker with malicious intent," said Laura Tich, technical evangelist for Code for Africa, a resource for African journalists. "As surveillance becomes ubiquitous in today's world, journalists face an increasing challenge in establishing secure communication in the digital space."

The new private VPN, dubbed "Outline", is specifically designed to be resistant to censorship — because it's harder to detect as a VPN (and therefore is less likely to be blocked). Outline uses an encrypted socks5 proxy that looks like normal internet traffic. Once the user chooses a server location, Outline spins up a DigitalOcean server on Ubuntu, installs Docker, and imports an image of the actual server.

It's been named Outline because in places where internet use may be restricted — it gives you a line out.

PHP 7.3 RC6 was released earlier this week. Phoronix ran some benchmarks and compared the performance of v7.3 RC6 with releases going back to the v5.5 series. From the story: I ran some fresh benchmarks over the past day on PHP 5.5.38, PHP 5.6.38, PHP 7.0.32, PHP 7.1.24, PHP 7.2.12, and the PHP 7.3.0-RC6 test release. All of the PHP5/PHP7 builds were configured and built in the same manner. All tests happened from the same Dell PowerEdge R7425 dual EPYC server running Ubuntu 18.10 Linux.

Besides continuing to evolve the performance of PHP7, the PHP 7.3 release is also delivering on FFI (the Foreign Function Interface) to access functions / variables / data structures from the C language, a platform-independent manner for obtaining information on network interfaces, an is_countable() call, WebP support within GD's image create from string, updated SQLite support, improved PHP garbage collection performance, and many other enhancements. PHP 7.3 is just shy of 10% faster than PHP 7.2 in the popular PHPBench. PHP 7.3 is 31% faster than PHP 7.0 or nearly 3x the speed of PHP5.

At the OpenStack Summit in Berlin last week, Ubuntu Linux founder Mark Shuttleworth said in a keynote that Ubuntu 18.04 Long Term Support (LTS) support lifespan would be extended from five years to 10 years. "I'm delighted to announce that Ubuntu 18.04 will be supported for a full 10 years," said Shuttleworth, "In part because of the very long time horizons in some of industries like financial services and telecommunications but also from IoT where manufacturing lines for example are being deployed that will be in production for at least a decade." ZDNet reports: Ubuntu 18.04 released in April 2018. While the Ubuntu desktop gets most of the ink, most of Canonical's dollars comes from server and cloud customers. It's for these corporate users Canonical first extended Ubuntu 12.04 security support, then Ubuntu 14.04's support, and now, preemptively, Ubuntu 18.04. In an interview after the keynote, Shuttleworth said Ubuntu 16.04, which is scheduled to reach its end of life in April 2021, will also be given a longer support life span.

When it comes to OpenStack, Shuttleworth promised again to support versions of OpenStack dating back to 2014's IceHouse. Shuttleworth said, "What matters isn't day two, what matters is day 1,500." He also doubled-down on Canonical's promise to easily enable OpenStack customers to migrate from one version of OpenStack to another. Generally speaking, upgrading from one version of OpenStack is like a root canal: Long and painful but necessary. With Canonical OpenStack, you can step up all the way from the oldest supported version to the newest one with no more than a second of downtime.

"A Russian security researcher has published details about a zero-day vulnerability affecting VirtualBox, an Oracle software application for running virtual machines," reports ZDNet. According to a text file uploaded on GitHub, Saint Petersburg-based researcher Sergey Zelenyuk has found a chain of bugs that can allow malicious code to escape the VirtualBox virtual machine (the guest OS) and execute on the underlying (host) operating system. Once out of the VirtualBox VM, the malicious code runs in the OS' limited userspace (kernel ring 3), but Zelenyuk said that attackers can use many of the already known privilege escalation bugs to gain kernel-level access (ring 0). "The exploit is 100% reliable," Zelenyuk said. "It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn't account."

The Russian researcher says the zero-day affects all current VirtualBox releases, works regardless of the host or guest operating system the user is running, and is reliable against the default configuration of newly created VMs. Besides a detailed write-up of the entire exploit chain, Zelenyuk has also published video proof, showing the zero-day in action against an Ubuntu VM running inside VirtualBox on an Ubuntu host OS.
Long-time Slashdot reader Artem Tashkinov warns that the exploit utilizes "bugs in the data link layer of the default E1000 network interface adapter which makes this vulnerability critical for everyone who uses virtualization to run untrusted code." According to ZDNet, the same security researcher "found and reported a similar issue in mid-2017, which Oracle took over 15 months to fix."

"This lengthy and drawn-out patching process appears to have angered Zelenyuk, who instead of reporting this bug to Oracle, has decided to publish details online without notifying the vendor."

puddingebola shares a report: WLinux is a $20 open-source, Debian-based distribution, designed to run on Windows 10's Windows Subsystem for Linux (WSL). The WSL allows Windows 10 to run various GNU/Linux distros inside Windows as Microsoft Store apps, providing access to Ubuntu, openSUSE, Debian, Fedora, Kali Linux, and others. The WSL has disadvantages over a running a dedicated GNU/Linux system. For example, there's no official support for desktop environments or graphical applications, and I/O performance bottlenecks, but it is being improved over time. The developers of WLinux describe it as a "fast Linux terminal environment for developers", saying it is the first distribution to be "pre-configured and optimized to run specifically on Windows Subsystem for Linux". Announcing WLinux's availability, Microsoft program manager Tara Raj, called out the wlinux-setup tool, "which allows users to easily set up common developer toolchains, and removes unsupported features like systemd."

The Register reports that a new security bug in systemd "can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box" by a malicious host on the same network segment as the victim. According to one Red Hat security engineer, "An attacker could exploit this via malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution." According to the bug description, systemd-networkd "contains a DHCPv6 client which is written from scratch and can be spawned automatically on managed interfaces when IPv6 router advertisements are received."

OneHundredAndTen shared this article from the Register: In addition to Ubuntu and Red Hat Enterprise Linux, systemd has been adopted as a service manager for Debian, Fedora, CoreOS, Mint, and SUSE Linux Enterprise Server. We're told RHEL 7, at least, does not use the vulnerable component by default.

Systemd creator Leonard Poettering has already published a security fix for the vulnerable component -- this should be weaving its way into distros as we type. If you run a systemd-based Linux system, and rely on systemd-networkd, update your operating system as soon as you can to pick up the fix when available and as necessary.

Canonical is applauding what it calls "exceptional adoption" of snaps -- and has shared some new statistics about its whole "Snappy" software deployment and package management system. Long-time Slashdot reader AmiMoJo shared this article from Neowin: snaps are seeing 100,000 installs every day on cloud, server, container, desktop and on IoT devices, which works out to around three million installs each month. Of course, these statistics don't only take into account snap installs on Ubuntu, but other distributions too. Canonical said that snaps are supported on 41 Linux distributions including Ubuntu, Debian, Linux Mint, Arch Linux, Fedora, and many more...

Snap packages first launched alongside Ubuntu 16.04 which was released in 2016. They have several benefits over typical Linux packages, for example, their dependencies are bundled into the package making them easy to install, they get automatic updates and can be rolled back by the maintainer if issues arise, and they're sandboxed, giving the user more security.

An anonymous reader quotes a report from Bleeping Computer: A vulnerability that is trivial to exploit allows privilege escalation to root level on Linux and BSD distributions using X.Org server, the open source implementation of the X Window System that offers the graphical environment. The flaw is now identified as CVE-2018-14665 (credited to security researcher Narendra Shinde). It has been present in xorg-server for two years, since version 1.19.0 and is exploitable by a limited user as long as the X server runs with elevated permissions.

An advisory on Thursday describes the problem as an "incorrect command-line parameter validation" that also allows an attacker to overwrite arbitrary files. Privilege escalation can be accomplished via the -modulepath argument by setting an insecure path to modules loaded by the X.org server. Arbitrary file overwrite is possible through the -logfile argument, because of improper verification when parsing the option. Apart from OpenBSD, other operating systems affected by the bug include Debian and Ubuntu, Fedora and its downstream distro Red Hat Enterprise Linux along with its community-supported counterpart CentOS.

Ubuntu 18.10 Cosmic Cuttlefish, the latest version of Ubuntu, is now available to download. From a report: Under the hood, the Cosmic Cuttlefish boasts the 4.18 Linux Kernel. This updates comes with better support for for AMD and Nvidia GPU, USB Type-C and Thunderbolt, a way for unprivileged users to mount Filesystem in Userspace (FUSE) can be mounted by, and CPUfreq performance improvements. On top of this, you'll find the freshest version of GNOME 3.30. You can, of course, use other desktops, but GNOME, since Ubuntu 17.10, is Ubuntu's default desktop. You'll be glad to know that GNOME is faster than it has been for a while. That's because some nasty memory leaks have been patched. Canonical has also added some performance tweaks that didn't make it into the GNOME 3.30 upstream. Ubuntu 18.10 also comes with a new desktop theme, the Yaru Community theme installed by default, for your visual enjoyment. Further reading: Ubuntu 18.10: What's New? [Video]; Ubuntu 18.10 Review; and Ubuntu 18.10 Flavors Released, Ready to Download.

An anonymous reader shares a report: Today, a very popular app, Plex Media Server, gets the Snap treatment. In other words, you can install the media server program without any headaches -- right from the Snap store. "In adopting the universal Linux app packaging format, Plex will make its multimedia platform available to an ever-growing community of Linux users, including those on KDE Neon, Debian, Fedora, Manjaro, OpenSUSE, Zorin and Ubuntu. Automatic updates and rollback capabilities are staples of Snap software, meaning Plex users will always have the best and latest version running," says Canonical.

Roughly three weeks ahead of the scheduled release of Ubuntu Linux 18.10 "Cosmic Cuttlefish", the latest major update for the popular Linux distro, beta of all of its flavors -- desktop, cloud and server -- is now available for download. From a report: Codenamed 'Cosmic Cuttlefish,' 18.10 continues Ubuntu's proud tradition of integrating the latest and greatest open source technologies into a high-quality, easy-to-use Linux distribution. The team has been hard at work through this cycle, introducing new features and fixing bugs," says Adam Conrad, Software Engineer, Canonical. Conrad further says, "This beta release includes images from not only the Ubuntu Desktop, Server, and Cloud products, but also the Kubuntu, Lubuntu, Ubuntu Budgie, UbuntuKylin, Ubuntu MATE, Ubuntu Studio, and Xubuntu flavours. The beta images are known to be reasonably free of showstopper CD build or installer bugs, while representing a very recent snapshot of 18.10 that should be representative of the features intended to ship with the final release expected on October 18th, 2018." Further reading: Canonical Shares Desktop Plans For Ubuntu 18.10.

Brian Fagioli, writing for BetaNews: When you buy a System76 computer today, you aren't buying a machine manufactured by the company. Instead, the company works with other makers to obtain laptops, which it then loads with a Linux-based operating system -- Ubuntu or its own Pop!_OS. There's nothing really wrong with this practice, but still, System76 wants to do better. The company is currently working to manufacture its own computers ("handcrafted") right here in the USA. By doing this, System76 controls the entire customer experience -- software, service, and hardware.

This week, the company announces that the fruits of its labor -- an "open-source computer" -- will be available to pre-order in October. Now, keep in mind, this does not mean the desktop will be available next month. Hell, it may not even be sold in 2018. With that said, pre-ordering will essentially allow you to reserve your spot. To celebrate the upcoming computer, System76 is launching a clever animated video marketing campaign.

Liam Tung reporting for ZDNet: Ubuntu maintainer Canonical and Microsoft have teamed up to release an optimized Ubuntu Desktop image that's available through Microsoft's Hyper-V gallery. The Ubuntu Desktop image should deliver a better experience when running it as a guest on a Windows 10 Pro host, according to Canonical. The optimized version is Ubuntu Desktop 18.04.1 LTS release, also known as Bionic Beaver. Microsoft's work with Canonical was prompted by its users who wanted a "first-class experience" on Linux virtual machines (VMs) as well as Windows VMs. To achieve this goal, Microsoft worked with the developers of XRDP, an open-source remote-desktop protocol (RDP) for Linux based on Microsoft's RDP for Windows. Thanks to that work, XRDP now supports Microsoft's Enhanced Session Mode, which allows Hyper-V to use the open-source implementation of RDP to connect to Linux VMs. This in turn gives Ubuntu VMs on Windows hosts a better mouse experience, an integrated clipboard, windows resizing, and shared folders for easier file transfers between host and guest. Microsoft's Hyper-V Quick Create VM setup wizard should also help improve the experience. "With the Hyper-V Quick Create feature added in the Windows 10 Fall Creators Update, we have partnered with Ubuntu and added a virtual machine image so in a few quick minutes, you'll be up and developing," said Clint Rutkas, a senior technical product manager on Microsoft's Windows Developer Team. "This is available now -- just type 'Hyper-V Quick Create' in your start menu."

OSNews reports: Terrence Andrew Davis, sole creator and developer of TempleOS (née LoseThos), has passed away at age 48. Davis suffered from mental illness -- schizophrenia -- which had a severe impact on his life. He claimed he created his operating system after having spoken with and receiving instructions from god, and he was a controversial figure, also here on OSNews, for his incomprehensible rants and abrasive style towards OSNews readers and staff. We eventually had to ban him, but our then-editor Kroc Kamen worked with him in 2010 to publish an article about his operating system despite his ban.... I hope he found peace -- wherever he may be.
Davis spent 10 years building "an operating system to talk to God," according to a 2014 profile in Motherboard, which described its welcome screen as "a riot of 16-color, scrolling, blinking text" resembling early DOS-based GUIs. (Wikipedia describes its interface as "a mixture of DOS and Turbo C.") To build his operating system, Terry wrote 121,176 lines of code.

An anonymous reader writes: Davis learned assembly language on a Commodore 64 before he'd graduated from high school. He eventually got a master's degree in electrical engineering from Arizona State University, and as an undergrad he worked briefly at Ticketmaster, programming operating systems. His later life included time in mental hospitals and some homelessness, as well as living at home with his parents after his schizophrenia was diagnosed and treated.

In 2014 Motherboard pieced together his lifestyle from emailed updates Terry sent from his Ubuntu desktop. They concluded he was living on disability, and spent most of his time coding, surfing the web, "or using the output from the National Institute of Standards and Technology randomness beacon to talk to God -- he posts the results on his webpage as 'Terry Davis' Rants.'" Their article describes him as "God's lonely programmer," saying Davis "offered the world a temple to a God who speaks only to him, and is still waiting for everyone else to listen."
Terry's death was confirmed by a local Oregon newspaper, and the official web site for TempleOS now also includes this death notice:

In the wake of Terry A. Davis' passing his family has requested supporters of his donate to "organizations working to ease the pain and suffering caused by mental illness" such as

• The Brain & Behavior Research Foundation
• National Alliance on Mental Illness

Jack Wallen, writing for TechRepublic: For a company to support Linux, they have to consider supporting: Multiple file systems, multiple distributions, multiple desktops, multiple init systems, multiple kernels. If you're an open source developer, focusing on a single distribution, that's not a problem. If you're a company that produces a product (and you stake your living on that product), those multiple points of entry do become a problem. Let's consider Adobe (and Photoshop). If Adobe wanted to port their industry-leading product to Linux, how do they do that? Do they spend the time developing support for ext4, btrfs, Ubuntu, Fedora, GNOME, Mate, KDE, systemd? You see how that might look from the eyes of any given company?

It becomes even more complicated when companies consider how accustomed to the idea of "free" (as in beer) Linux users are. Although I am very willing to pay for software on Linux, it's a rare occasion that I do (mostly because I haven't found a piece of must-have software that has an associated cost). Few companies will support the Linux desktop when the act of supporting means putting that much time and effort into a product that a large cross-section of users might wind up unwilling to pay the price of admission. That's not to say every Linux user is unwilling to shell out the cost for a piece of software. But many won't.

An anonymous reader writes: Current versions of Ubuntu and CentOS are disabling a security feature that was added to the GNOME desktop environment last year. The feature's name is Bubblewrap, which is a sandbox environment that the GNOME Project added to secure GNOME's thumbnail parsers in July 2017, with the release of GNOME 3.26. In recent years, security researchers have proven that thumbnail parses can be an attack vector [1, 2, 3].

Ubuntu Security Tech Lead Alex Murray said the Ubuntu team chose to disable Bubblewrap inside Ubuntu because they did not have the time to perform a security audit. Murray blamed the many CPU bugs (Spectre, Meltdown, etc.), which kept the team busy and prevented them to audit the feature.

BrianFagioli writes: Debian is one of the most important open source projects ever. The Debian Linux operating system is extremely popular in its own right, but also, it is used as the base for countless other distributions. Ubuntu, for instance -- one of the most-used distros -- is Debian-based. Even Linux Mint, which is based on Ubuntu, also has a Debian edition. Not to mention, Raspbian -- the official Raspberry Pi OS -- which is based on Debian too.

Today, Debian is celebrating a very important milestone -- a 25th birthday! Yes, it is seriously that old -- its development was announced on August 16, 1993. When the late Ian Murdock announced 25 years ago in comp.os.linux.development, the imminent completion of a brand-new Linux release, [...] the Debian Linux Release', nobody would have expected the 'Debian Linux Release' would become what's nowadays known as the Debian Project, one of the largest and most influential free software projects. "Its primary product is Debian, a free operating system (OS) for your computer, as well as for plenty of other systems which enhance your life. From the inner workings of your nearby airport to your car entertainment system, and from cloud servers hosting your favorite websites to the IoT devices that communicate with them, Debian can power it all," says Ana Guerrero Lopez of Debian. Further reading: Slackware, Oldest Actively Maintained GNU/Linux Distribution, Turns 25.

New submitter rokahasch writes: Starting today, August 10th, most users of the Dropbox desktop app on Linux have been receiving notifications that their Dropbox will stop syncing starting November. Over at the Dropbox forums, Dropbox have declared that the only Linux filesystem supported for storage of the Dropbox sync folder starting the 7th of November will be on a clean ext4 file system. This basically means Dropbox drops Linux support completely, as almost all Linux distributions have other file systems as their standard installation defaults nowadays -- not to mention encryption running on top of even an ext4 file system, which won't qualify as a clean ext4 file system for Dropbox (such as eCryptfs which is the default in, for example, Ubuntu for encrypted home folders).

The thread is trending heavily on Dropbox' forums with the forum's most views since the thread started earlier today. The cries from a large amount of Linux users have so far remained unanswered from Dropbox, with most users finding the explanation given for this change unconvincing. The explanation given so far is that Dropbox requires a file system with support for Extended attributes/Xattrs. Extended attributes however are supported by all major Linux/Posix complaint file systems. Dropbox has, up until today, supported Linux platforms since their services began back in 2007. A number of users have taken to Twitter to protest the move. Twitter user troyvoy88 tweets: "Well, you just let the shitstorm loose @Dropbox dropping support for some linux FS like XFS and BTRFS. No way in hell im going to reformat my @fedora #development station and removing encryption no way!"

Another user by the name of daltux wrote: "It will be time to say goodbye then, @Dropbox. I won't store any personal files on an unencrypted partition."

An anonymous reader quotes a report from ZDNet: Security researchers are warning Linux system users of a bug in the Linux kernel version 4.9 and up that could be used to hit systems with a denial-of-service attack on networking kit. The warning comes from Carnegie Mellon University's CERT/CC, which notes that newer versions of the Linux kernel can be "forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service (DoS)".

It lists a number of network-equipment vendors, PC and server manufacturers, mobile vendors, and operating-system makers that may be affected but notes that it hasn't confirmed whether any of them actually are. But, given the widespread use of Linux, the bug could affect every vendor from Amazon and Apple through to Ubuntu and ZyXEL. A remote attacker could cause a DoS by sending specially modified packets within ongoing TCP sessions. But sustaining the DoS condition would mean an attacker needs to have continuous two-way TCP sessions to a reachable and open port. The bug, dubbed "SegmentSmack" by Red Hat, has "no effective workaround/mitigation besides a fixed kernel."

Lubuntu, a popular Ubuntu flavor, has gained traction over the years for supporting older hardware. As Brian Fagioli writes at BetaNews, one of the focuses of the Lubuntu developers is to support aging computers. However, that is about to change. He adds: When Lubunu 18.10 is released in October 2018, it will ditch LXDE for the newer LXQt. Despite it also being a desktop environment that is easy on resources, the Lubuntu developers are planning to drop their focus on old hardware after the transition. "[...] Our main focus is shifting from providing a distribution for old hardware to a functional yet modular distribution focused on getting out of the way and letting users use their computer. In essence, this is leveraging something we have always done with Lubuntu; providing an operating system which users can use to revive their old computers, but bringing this to the age of modern computing," says Simon Quigley of Lubuntu team.