WebProNews

IT Management News

  • US Agencies Request the Most User Data From Big Tech, Apple Complies the Most

    Americans concerned about their user data falling into the hands of foreign governments may want to look closer to home.

    According to new research by VPN provider Surfshark, the US government makes more requests for user data from Big Tech companies than any other jurisdiction in the world. The company analyzed data requests to Apple, Google, Meta, and Microsoft by “government agencies of 177 countries between 2013 and 2021.”

    The US came in first with 2,451,077 account requests, more than four times as many as Germany, the number two country on the list. In fact, the US made more requests than all of Europe, including the UK, which collectively came in under 2 million.

    While the US and EU were responsible for a combined total of 60% of all data requests, the US “made 8 times more requests than the global average (87.9/100k).”

    The number of accounts being accessed is also growing, with a five-times increase in requests from 2013 to 2021. The US alone saw a 348% increase during the time frame, and the scope and purpose of the requests are expanding.

    “Besides requesting data from technology companies, authorities are now exploring more ways to monitor and tackle crime through online services. For instance, the EU is considering a regulation that would require internet service providers to detect, report, and remove abuse-related content,” says Gabriele Kaveckyte, Privacy Counsel at Surfshark. “On one hand, introducing such new measures could help solve serious criminal cases, but civil society organizations expressed their concerns of encouraging surveillance techniques which may later be used, for example, to track down political rivals.”

    The report also sheds light on which companies comply the most versus which ones push back against requests. For all of its privacy-oriented marketing — “what happens on your iPhone stays on your iPhone” — Apple complies with data requests more than any other company, handing it over 82% of the time.

    In contrast, Meta complies 72% of the time, and Google does so 71% of the time. Microsoft, on the other hand, pushes back the most among Big Tech companies, only handing data over 68% of the time.

    The findings may also put a dent in US efforts to ban TikTok and other foreign apps under the guise of protecting user privacy and data.

  • Amazon May Be Working On An AI-Powered Web Browser

    Amazon may be looking to disrupt the web browser market with an AI-powered entry in what could be a major threat to established players.

    Amazon recently sent out a survey to users asking what they value in a web browser. Consumer Reports’ Nicholas De Leon tweeted about the survey.

    Gizmodo got a hold of a copy of the survey, and the questions include asking what features people value and what features would convince them to try a new web browser. AI integration is one of the feature choices.

    While the web browser market is fairly crowded, it’s dominated by Google Chrome and Apple’s Safari. Firefox comes in a distant third, with everything else fighting for scraps.

    Amazon has the brand-name recognition and integration with established services to possibly be the most disruptive entry since Google Chrome.

  • Samsung Max VPN Collects Your Private Data and Sells It

    Users relying on Samsung’s Max VPN should look for other options to keep their data private and safe.

    Samsung includes and/or promotes its Max VPN service on its phones. As sharp-eyed Reddit user soboi12345 has pointed out, however, users’ data is not at all private when using Samsung’s VPN. In fact, the company collects unique identifying data and sells it to third parties.

    The company describes its practices in its Max Service Description and Privacy Policy:

    The Max Service app may log how you use your device, including unique identifiers, information about the software you’ve installed, device characteristics, information about your location and mobile carrier, the type of network you use to access web content, how much data you use, and the URLs you visit. We use this data to debug the Max Service app and to improve the user experience. We anonymize and/or aggregate this data and may allow our business partners access to it.

    To be clear, Samsung’s VPN is collecting unique identifiers, location data, the apps users have installed, and the websites they visit — and then selling that data rather than protecting users’ privacy.

    This is an appalling breach of trust for any VPN provider, especially since many VPN users are specifically looking to avoid exactly the kind of data collection Samsung is engaging in.

    Samsung’s behavior is even more egregious when considering that the company called out people’s data being used as a commodity when it launched Max VPN:

    “All over the world, data has become a commodity, but many plans are simply still too expensive for consumers that want to get the most out of the latest technology built into their devices,” said Seounghoon Oh, Vice President Samsung R&D Institute India, at the time. “With Samsung Max, our users in every corner of the globe now have increased autonomy and control over their data usage and privacy in an era of rising security threats, fraudulent apps and user profiling.”

    With such a strong statement, Samsung’s users could be forgiven for thinking the company would actually protect their privacy and not use their data as “a commodity.”

    As we have stated on WPN, and as The New York Times Wirecutter has recommended, Mullvad is the best VPN for users that truly care about their privacy. The company has a zero-logs policy and doesn’t save identifying information. In fact, users are given a random numeric account number for login purposes rather than using an email address or username.

    The company has also had extensive third-party security audits, is transparent about its ownership, has a clear privacy policy, good performance, and is reasonably priced.

  • Learn Linux TV Releases Ubuntu Flatpak Remix Distro

    Jay from the Learn Linux TV YouTube channel has released an Ubuntu-based distro built around Flatpaks.

    Flatpaks and Snaps are two universal packaging formats for Linux, giving developers the ability to build an app that can be run on any distro that has Flatpak support. The format accomplishes this by bundling all necessary dependencies within the package, although Flatpaks can share dependencies between them.

    As the maker of the far less popular Snap format and the Ubuntu distro, Canonical recently made the decision to prohibit official Ubuntu flavors from shipping with Flatpak installed and enabled out of the box. Despite the decision, Ubuntu is still a solid distro, one with wide hardware and app support.

    Jay has taken Ubuntu and replaced Snap with Flatpak while leaving everything else that makes Ubuntu the world’s leading Linux distro:

    The Flatpak Remix of Ubuntu features the awesome GNOME desktop, with Canonical’s attention to detail – unchanged from the standard release.

    While the standard release of Ubuntu features support for Snap Packages built-in, with this distribution the focus is on Flatpak instead.

    To learn more, check Jay’s video and the project’s website.

    https://youtu.be/w1-TIhtyCao
  • Rural US Hospitals Are Getting Clobbered by Ransomware

    Rural US hospitals are losing the fight against ransomware due to limited resources compared to bigger organizations.

    According to Cyberscoop, witnesses testified in a recent Senate Homeland Security and Governmental Affairs Committee meeting that smaller hospitals are struggling to combat ransomware attacks. In most cases, while there is plenty of information available to help organizations, the issue stems from a lack of resources, including qualified cybersecurity personnel.

    “We also saw cybercriminals shift their focus to small and rural hospitals with this group lagging behind in strengthening their defenses,” said Kate Pierce, senior virtual information security officer at cybersecurity firm Fortified Health Security. “Our rural hospitals are facing unprecedented budget constraints with up to 30% or more in the red, with the public health emergency scheduled to end in May.”

    Unfortunately, the issue is only going to get worse as bad actors exploit small hospitals’ vulnerability. Some are even stepping up the pressure on smaller hospitals specifically, posting patient information — including nude examination photos — online in an effort to force hospitals to pay up.

    “In recent years, increasingly sophisticated cyberattacks in the healthcare and public health sectors posed alarming threats to people in Michigan, as well as across the country,” said Committee Chairman Gary Peters, D-Mich.

  • PSA: Disable Wi-Fi Calling, VoLTE on Pixel & Samsung Phones IMMEDIATELY

    Google has discovered 0-day vulnerabilities in Samsung’s Exynos modems that impact the most recent Pixel and Samsung devices.

    Samsung’s Exynos modem chipsets are used in a variety of devices, including Google’s Pixel 6 and 7 line, as well as a wide range of Samsung’s devices. Unfortunately, Google’s Project Zero has discovered 18 0-day vulnerabilities in the chipset, four of which can be exploited remotely with no user interaction.

    Tests conducted by Project Zero confirm that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely.

    While still serious, the remaining 14 vulnerabilities are not as severe, since they require physical access to the device or a malicious network operator.

    Google recommends turning off Wi-Fi calling and VoLTE on all impacted devices, including the list below:

    • Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series;
    • Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series;
    • The Pixel 6 and Pixel 7 series of devices from Google;
    • any wearables that use the Exynos W920 chipset; and
    • any vehicles that use the Exynos Auto T5123 chipset.

    Google says patches should be issued to address the vulnerabilities permanently, with the March 2023 update for Pixels already including at least one fix:

    We expect that patch timelines will vary per manufacturer (for example, affected Pixel devices have already received a fix for CVE-2023-24033 in the March 2023 security update). In the meantime, users with affected devices can protect themselves from the baseband remote code execution vulnerabilities mentioned in this post by turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings. As always, we encourage end users to update their devices as soon as possible, to ensure that they are running the latest builds that fix both disclosed and undisclosed security vulnerabilities.

    To be clear, this is about as bad as it gets, in terms of mobile vulnerabilities, and users should take the necessary steps to protect themselves.

  • Linux Distro Reviews: openSUSE Tumbleweed — Part 2

    openSUSE Tumbleweed is a rolling release Linux distro, one that is something of a two-edged sword in terms of its features and usability.

    In Part 1 of this review, we looked at openSUSE’s background, its openQA-provided stability, outstanding installer, choice of desktop environments, and its security. All of these are significant advantages of the distro. Unfortunately, security is also where openSUSE’s disadvantages begin to shine through.

    Disclaimer: Some will say the following points are too critical of openSUSE since it’s a more technical distro and not necessarily aimed at desktop users. Nonetheless, openSUSE’s own website says it is: “The makers’ choice for sysadmins, developers and desktop users.” Therefore, my final rating will reflect the distro’s ability to meet the needs of all three of those categories.

    Too Much Security?

    Security is only a good thing if it’s not so restrictive that people begin disabling features for the sake of convenience, and this is where openSUSE’s disadvantages begin to shine through.

    Of all the distros that I have tried to date (Fedora, Manjaro, openSUSE, KDE Neon, Pop!_OS, Kubuntu, and Zorin OS), openSUSE’s security policies are by far the most restrictive. Want to adjust your network settings? You’ll need to enter your password. Want to install a Flatpak app? You’ll need to enter your password. Change your timezone? Enter your password.

    What’s more, the default firewall settings are so strict that printer discovery doesn’t work out of the box. To be clear, every single other distro I’ve tried automatically discovers my HP printer on my network and lets me print without installing any additional drivers.

    In contrast, openSUSE cannot even discover the printer without changing the firewall profile from the default ‘Public’ to ‘Home,’ or adding the mDNS service to the ‘Public’ profile. Even with mDNS enabled, openSUSE still requires the “hplip” software/driver package to be installed.

    Is it possible to overcome these issues? Yes. But many people, especially less technical users, give up before figuring out how to jump through all these hoops. In fact, a quick look at openSUSE’s Reddit will reveal that two common solutions to printing on openSUSE are a) disable the firewall altogether or b) “don’t print on openSUSE.” Seriously…I have seen that advice multiple times…“don’t print on openSUSE.”

    The issues with printing on openSUSE are irritating enough that Linux creator Linus Torvalds famously dumped openSUSE and switched to Fedora because printing was just too hard to bother with. Fans of the distro will point out that it has gotten better since that day…but it’s still not good enough for the average desktop user.

    Yast

    Yast stands for Yet Another Setup Tool and is one of the defining characteristics of openSUSE. The tool is a throwback to the earlier days of Linux when such setup and configuration tools were more common.

    There’s no denying that Yast is a powerful tool, one that is available as both a graphical and command-line package. For system admins, Yast provides a powerful way to administer openSUSE instances. There is almost nothing you can configure via the terminal that can’t be configured via Yast’s GUI, and it’s a tool I miss on other distros.

    At the same time, however, like openSUSE’s other hallmark features, Yast is something of a two-edged sword. While it’s undeniably useful — and this is purely subjective — I’m not a fan of how it takes over functions normally handled by a distro’s built-in tools. For example, I run the KDE Plasma desktop, which has excellent built-in tools for printing and firewall management. Yast takes these tasks over, however. Gnome has similarly useful tools as part of the system settings.

    As I said, I realize this is very subjective. Some users prefer to have one tool to manage such tasks, regardless of the desktop environment they use. Many users prefer to have one desktop-agnostic tool that never changes. I am not one of those users. I would prefer to use Plasma’s tools when they’re available and fall back to Yast when they’re not.

    Btrfs and Snapper

    One of openSUSE’s greatest features is its use of the btrfs filesystem and built-in Snapper support. Btrfs is a relatively new filesystem that provides automated system snapshots. This gives users the option to roll back to a previous snapshot from the boot menu in the event something goes wrong.

    Tinkering with your system and messed something up? Not a problem, just roll back and it never happened. The same goes for an update that borks something. Just roll back and wait for the issue to be addressed. This is truly a must-have setup for a rolling release distro.

    There are two downsides to keep in mind with btrfs (there’s that two-edged sword again):

    Btrfs is one of the slower filesystems in use by Linux distros. The excellent DJ Ware, on YouTube, has done extensive benchmarks showing how much slower the filesystem is. While I’ve not done such extensive benchmarks myself, I do have an everyday data point.

    When setting up the digiKam photo organizing software for the first time, the app scans your Pictures folder. On any distro using the older ext4 filesystem, it takes digiKam anywhere from 4:57 to 5:17 to scan my 49GB of photos. In contrast, digiKam on openSUSE takes more than 7:50 to complete. This result, which I have been able to consistently reproduce, jibes with DJ Ware’s benchmarks.

    The other potential downside is in regard to data integrity. Given that it’s still a young filesystem, there are still an uncomfortable number of reports about btrfs filesystems becoming hopelessly corrupted. Without a doubt, openSUSE has the most mature implementation of btrfs, but your mileage may vary.

    Patterns and Recommendations

    One of the things that makes openSUSE so successful at providing stability with a rolling release is its use of Patterns and recommendations.

    Patterns are collections of software that are related and share dependencies. For example, there’s a KDE Plasma Pattern, KDE Apps Pattern, Office Suite Pattern, Mobile Pattern, and more.

    The power of patterns is that it allows openSUSE developers to update an entire collection of software rather than try to determine what is or is not installed on a machine. Similarly, openSUSE defaults to installing any and all recommended dependencies when installing an application, unlike almost every other distro, in the interest of making sure no app is installed with any missing features.

    On paper, both of these seem like good ideas, and, to be clear, they are…to a point. Both of these features contribute greatly to openSUSE Tumbleweed being one of the most stable rolling-release distros.

    Unfortunately, Patterns and recommendations also result in some unfortunate side effects. For example, if you delete an application that is included in one of the default Patterns, it will be reinstalled on the next update. You will need to manually block the package, or the entire Pattern, in order to prevent its reinstallation.

    Random Papercuts

    Slack Issues

    In addition to the major things highlighted above, openSUSE running KDE has a bug that makes it almost impossible to add the workspaces I’m subscribed to. I can easily add three of them with no problem, but the fourth one always fails.

    The only way I can get it added to the Slack client is to try importing that workspace along with three or four defunct workspaces. After trying this one or three dozen times, the troublesome workspace will finally get imported. From what I’ve been able to tell via research, the workspace string that gets passed from browser to Slack clients gets mangled.

    At one point, I thought this was a KDE Plasma bug since it doesn’t happen on Gnome or Xfce. However, this only happens on openSUSE. It doesn’t happen on Manjaro KDE, Kubuntu, or KDE Neon. I have no idea what the problem is but, at least in my experience, it is a uniquely openSUSE issue.

    Network Login

    On multiple installs of openSUSE, I’ve had issues where I was constantly prompted to enter my root password and network password in order to stay connected. Wake the computer from sleep…enter my passwords. Needless to say, this got old quick.

    Conclusion

    openSUSE Tumbleweed is one of the most well-engineered distros on the market and offers a tremendous amount of features and abilities. Unfortunately, some of those features are a two-edged sword that cause as many problems as they solve.

    openSUSE Tumbleweed is a distro I love to play with and would love to use as my daily driver. Unfortunately, the inconveniences quickly wear on my nerves in daily use, and I end up moving on.

    That being said, for the right person, openSUSE is hands-down the best distro available.

    Rating

    For System Admins: 5 out of 5 stars

    The combination of Yast and its enterprise connections makes openSUSE quite possibly the best distro for system admins.

    For Developers: 4 out of 5 stars

    On the one hand, having the latest and greatest packages can be a big help to developers. On the other hand, the papercuts and irritations may take unnecessary time away from development.

    For Desktop Users: 3 out of 5 stars

    Before writing about tech, I was a software developer for over a decade. I’ve created software for major universities, companies, and the commercial market. In spite of that high-tech background, openSUSE was just too irritating and difficult for me to use on a daily basis, and I would never recommend it to most everyday users. It would have to be a special breed of desktop user, one that wants to spend as much time managing their computer as using it, before I could recommend it to them.

  • One-Third of Organizations Struggle With Data Loss Prevention Systems

    The Cloud Security Alliance (CSA) has bad news for the industry, saying that nearly one-third of organizations struggle with data loss prevention (DLP) systems.

    The CSA is an organization dedicated to helping secure cloud computing. A survey the organization conducted with Netskope found that DLP solutions are a critical component used in cloud security.

    Unfortunately, that’s where the good news ends. While companies are relying on DLP systems, nearly a third struggle to use them effectively.

    Among the top challenges cited by organizations are management difficulties (29%), too many false positives (19%), the need for manual version upgrades (18%), and deployment complexity (15%).

    “DLP solutions are an integral part of organizations’ data security strategy, but leaders are still struggling with this strategy and the implementation of solutions, especially for how complicated legacy and on-prem based solutions are to manage and maintain,” said Naveen Palavalli, Vice President of Products, Netskope. “These findings highlight the need for a comprehensive and easy-to-use cloud delivered data protection solution that integrates into their existing security controls and is a key tenant of their Zero Trust security strategy.”

    Cloud security is increasingly in the spotlight as more and more organizations experience data breaches at a time when the cloud is becoming integral to more companies and industries.

    The Biden administration has signaled it is preparing to regulate cloud security in an effort to better protect organizations. If the CSA’s findings are any indication, it looks like the industry could use the help.

  • Ransomware Survival 101: Don’t Follow Dish Network’s Playbook

    Dish Network customers are still in limbo, with few answers weeks after the company was crippled by ransomware.

    Dish began experiencing major issues with its website, internal systems, and customer portal going offline in late February. Roughly a week later, the company admitted to suffering a massive ransomware attack, one that crippled operations and resulted in the theft of customer data.

    According to TechCrunch, Dish customers still have no idea what is going on, with many of them unable to access customer support, pay their bills, or get any kind of useful information.

    In fact, a number of customers have had their service disconnected because they have been unable to log into the customer portal to pay their bills. Others are already experiencing voice and email phishing attempts as hackers try to exploit the lack of information from Dish to take advantage of customers looking for answers.

    Company spokesperson Edward Wietecha told TechCrunch that “customers are having trouble reaching our service desks, accessing their accounts, and making payments.” When asked if the company was disconnecting users, Wietecha added that “customers who had their service temporarily suspended for nonpayment received additional time until our payment systems were restored.”

    In addition to the trouble Dish’s own customers are having, there is potential for the problem to be much worse and extend beyond Dish’s roughly 10 million customers. A former Dish retailer told TechCrunch that the company retains a veritable treasure trove of customer data from anyone who has ever signed up for Dish service, including those who never became customers because they didn’t pass the credit check. The information includes “customer names, dates of birth, email addresses, telephone numbers, Social Security numbers, and credit card information.” What’s more, it appears that Dish’s policy is to retain the information indefinitely.

    Overall, Dish is providing a case study of how not to handle a ransomware attack for any company that wants to come out the other side still having customers.

  • Google Adds Generative-AI to Google Workspace

    Google is bringing generative-AI to Google Workspace, continuing its efforts to catch up to Microsoft.

    Google Workspace is the most popular cloud-based office suite and the company is looking to improve it even more with generative-AI.

    We’re now making it possible for Workspace users to harness the power of generative AI to create, connect, and collaborate like never before. To start, we’re introducing a first set of AI-powered writing features in Docs and Gmail to trusted testers.

    AI will help users by generating drafts and helping them overcome the dreaded “blank page:”

    Blank pages can stump the best of us. That’s why we’re embedding generative AI in Docs and Gmail to help people get started writing. Whether you’re a busy HR professional who needs to create customized job descriptions, or a parent drafting the invitation for your child’s pirate-themed birthday party, Workspace saves you the time and effort of writing that first version. Simply type a topic you’d like to write about, and a draft will instantly be generated for you. With your collaborative AI partner you can continue to refine and edit, getting more suggestions as needed.

    The AI will also be able to help users rewrite work to make it more appropriate for the intended purpose:

    Finding the right tone and style can also be tricky at times. Perhaps you’re applying for a new job, or writing to a new supplier in a more traditional industry, and you need to adopt a more formal tone in your email. Or you’ve jotted down a few bullets on your phone from a recent meeting and want to transform them into a more polished summary to share with your team. For these common scenarios and many more, we’re adding new generative AI capabilities to help you rewrite. And if you’re in the mood to let AI try out a new playful voice altogether, you’ll be able to hit the “I’m feeling lucky” option in Gmail.

    Interestingly, while Google is clearly working to catch up in the AI game, the company is also trying to establish itself as a responsible AI company:

    As we’ve experimented with generative AI ourselves, one thing is clear: AI is no replacement for the ingenuity, creativity, and smarts of real people. Sometimes the AI gets things wrong, sometimes it delights you with something offbeat, and oftentimes it requires guidance. With all this in mind, we’re designing our products in accordance with Google’s AI Principles that keep the user in control, letting AI make suggestions that you’re able to accept, edit, and change. We’ll also deliver the corresponding administrative controls so that IT is able to set the right policies for their organization.

  • Biden Administration Prepares to Regulate Cloud Security

    The Biden Administration is preparing to regulate cloud security, viewing the industry as too great a security risk to ignore.

    Cloud computing has become an increasingly integral part of daily life for companies, government organizations, and individuals alike. There’s hardly any aspect of daily life that isn’t touched by the cloud in some way. That ubiquity is a source of concern, especially with the growing number and scope of cybersecurity threats.

    According to Politico, the Biden Administration now views the cloud industry as “too big to fail” and is beginning the process of regulating cloud computing security.

    The industry has “become essential to our daily lives,” Kemba Walden, acting national cyber director, told Politico. “If it’s disrupted, it could create large potentially catastrophic disruptions to our economy and to our government.”

    Industry veterans echoed those concerns.

    “A single cloud provider going down could take down the internet like a stack of dominos,” said Marc Rogers, chief security officer at Q-Net Security and former Cloudflare head of information security.

    Unfortunately, while companies have raced to deploy cloud platforms and services, cloud security has often lagged behind, leaving organizations and individuals vulnerable. Even worse, critical infrastructure has come under attack as a result of cloud security lapses.

    “The reality is that today cloud security is often separate from cloud,” said Anne Neuberger, the deputy national security adviser for cyber and emerging technology. “We need to get to a place where cloud providers have security baked in with that.”

    Her sentiments echo those of Google executives, who recently penned a blog post calling for companies to be held accountable for cybersecurity:

    “The bottom line: People deserve products that are secure by default and systems that are built to withstand the growing onslaught from attackers,” the executives wrote.

    The Biden Administration agrees:

    “In the United States, we don’t have a national regulator for cloud. We don’t have a Ministry of Communication. We don’t have anybody who would step up and say, ‘It’s our job to regulate cloud providers,’” said Rob Knake, deputy national cyber director for strategy and budget. The cloud, he said, “needs to have a regulatory structure around it.”

  • EU Telcos: ‘There Would Be No Netflix, Google Without Us’

    The battle over who will pay for EU infrastructure upgrades is heating up, with the telcos saying Big Tech owes them.

    The EU is looking to the future and trying to determine how critical network infrastructure will be funded. One of the leading proposals involves charging Big Tech companies, especially those responsible for the bulk of traffic, to help fund the upgrades. Needless to say, such a proposal is not popular with the tech industry.

    In a statement to CNBC, however, Michael Trabbia, chief technology and innovation officer for France’s Orange, makes the case that Big Tech companies wouldn’t enjoy the success they do without the telecom operators.

    “Without the telcos, without the network, there is no Netflix, there is no Google,” said Trabbia.

    Similarly, Deutsche Telekom CEO Tim Hoettges asked why Big Tech couldn’t “at least a little bit, contribute to the efforts and the infrastructure which we are building here in Europe.”

    The proposal is just the latest challenge Big Tech is facing amid growing antitrust scrutiny and mounting privacy and security concerns.

  • FBI Purchased Americans’ Location Data

    The FBI has admitted to buying Americans’ location data from advertising companies, raising concerns across the spectrum.

    The Supreme Court ruled in 2018 that law enforcement agencies were required to obtain a warrant before tracking Americans’ locations using cell phone data. The case was a major blow to the FBI and other agencies, many of which had relied on warrantless location tracking.

    It appears the FBI has found a way around the Supreme Court ruling, purchasing location data from advertising companies, according to Wired. The revelation came in the course of a US Senate hearing.

    Senator Ron Wyden, a well-known privacy advocate, asked FBI Director Christopher Wray if the agency used commercial location data.

    “Does the FBI purchase US phone-geolocation information?” Wyden asked.

    “To my knowledge, we do not currently purchase commercial database information that includes location data derived from internet advertising,” Wray responded. “I understand that we previously—as in the past—purchased some such information for a specific national security pilot project. But that’s not been active for some time.”

    Director Wray did say the FBI now relies on a “court-authorized process,” but did not go into detail regarding what that meant.

    Even so, many were quick to jump on Wray’s admission, pointing out the dangerous precedent it sets.

    “The public needs to know who gave the go-ahead for this purchase, why, and what other agencies have done or are trying to do the same,” said Sean Vitka, a policy attorney at Demand Progress. He also said Congress should ban the practice.

  • Windows 11 Moment 2 Finally Fixes File Copy Bug

    Windows 11 users are finally getting a much-needed bug fix, with Windows 11 Moment 2 fixing a bug that made file copying painfully slow.

    Windows 11 version 22H2 introduced a bug that made file copying unusually slow, especially with large files. According to Windows Latest, the fix is finally being rolled out:

    Naturally, it’s now included in Windows 11 22H2 Moment 2 update (KB5022913 optional update) and will come through to the release version of Windows 11 via March 2023’s Patch Tuesday release.

    Users are reporting that file copying speeds have returned to Windows 10 speeds.

  • WhatsApp and Signal Poised to Leave UK Over Encryption Law

    United Kingdom users may be out of luck when it comes to messaging clients, with both WhatsApp and Signal prepared to leave.

    The UK is currently working to pass its Online Safety Bill, a piece of legislation that virtually all critics say would have a devastating impact on encryption and online security. Proponents of the bill have been accused of “magical thinking,” in which they believe encryption can be selectively weakened to catch bad guys.

    The UK’s government is

    WhatsApp and Signal have both come out saying they will refuse to weaken their encryption, a decision that would lead to them leaving the UK.

    “It’s a remarkable thing to think about,” said Will Cathcart, Meta’s head of WhatsApp, via The Guardian. “There isn’t a way to change it in just one part of the world. Some countries have chosen to block it: that’s the reality of shipping a secure product. We’ve recently been blocked in Iran, for example. But we’ve never seen a liberal democracy do that.

    “The reality is, our users all around the world want security,” added Cathcart. “Ninety-eight per cent of our users are outside the UK. They do not want us to lower the security of the product, and just as a straightforward matter, it would be an odd choice for us to choose to lower the security of the product in a way that would affect those 98% of users.”

    Similarly, Signal President Meredith Whittaker told the BBC: “We would absolutely 100% walk rather than ever undermine the trust that people place in us to provide a truly private means of communication.

    “We have never weakened our privacy promises, and we never would.”

    For its part, the British Home Office is recycling the age-old argument that there must be some way to protect privacy and simultaneously undermine it for the sake of catching criminals.

    “It is important that technology companies make every effort to ensure that their platforms do not become a breeding ground for paedophiles,” the Home Office stated.

    “The Online Safety Bill does not represent a ban on end-to-end encryption but makes clear that technological changes should not be implemented in a way that diminishes public safety – especially the safety of children online.

    “It is not a choice between privacy or child safety – we can and we must have both.”

    Unfortunately, as mathematicians, programmers, computer experts, privacy advocates, and many lawmakers have stated, that’s simply not how encryption works.

    “Encryption is either protecting everyone or it is broken for everyone,” Whittaker added.

    That fundamental law of mathematics is why Germany has come out opposed to a similar measure making its way through the EU, instead emphasizing the need to bolster traditional investigative methods to compensate.

  • Linux Distro Reviews: openSUSE Tumbleweed — Part 1

    openSUSE Tumbleweed is a rolling release Linux distro, one that is something of a two-edged sword in terms of its features and usability.

    openSUSE Tumbleweed is a well-engineered Linux distro and is often brought up as an alternative to Arch, the best-known rolling distro.

    For the uninitiated, a rolling release distro is one that has no major or minor versions but is updated constantly as new packages become available. For example, Ubuntu is currently on version 22.10, with 23.04 right around the corner. Similarly, Fedora is on version 37, with 38 soon to be released. In contrast, a rolling release updates packages as they become available, eliminating the need to do a major upgrade or reinstall every couple of years.

    Given how complicated a product openSUSE Tumbleweed is, this review will be broken into two parts. In this first part, we’ll provide an overview of some of openSUSE Tumbleweed’s hallmark features.

    Background

    openSUSE Tumbleweed is the upstream distro for SUSE Enterprise Linux (SLE), much like Fedora is upstream to Red Hat Enterprise Linux. This means that Tumbleweed essentially serves as a testing ground for what will eventually become SLE.

    In contrast, openSUSE Leap is a point-release distro that is functionally identical to SLE, just without the paid support.

    microOS, on the other hand, is openSUSE’s equivalent of Fedora Silverblue, an immutable distro where the root file system is protected from tampering.

    ‘Rolling Done Right,’ Thanks to openQA

    One of the most common things said about Tumbleweed is that it’s “rolling done right.” Much of this is the result of openSUSE’s reliance on openQA, an automated quality control tool that puts packages and updates through their paces before pushing them out to users.

    openQA allows openSUSE to deliver one of the most reliable and rock-solid rolling releases with a much smaller team than some other distros have.

    Despite the extra QA that goes into Tumbleweed, the distro still manages to roll at an impressive pace. In fact, it usually runs neck-and-neck with Arch. On any given day, Tumbleweed may get a package first, Arch may get it first, or they may get it at the same time.

    However, the big difference between Tumbleweed and Arch is that the former generally manages to avoid some of the bigger issues that Arch users sometimes face.

    Installer

    openSUSE Installer Time Zone – Credit The Linux Cast

    The openSUSE installer is often maligned for being overly complicated, but that is an extremely unfair assessment. Calamares is the installer that most distros use, and compared to it, openSUSE’s installer is a lot more complex.

    It’s important to note, however, that complex doesn’t equal bad. The openSUSE installer is certainly more complex than Calamares, but it offers a level of control that is unrivaled by virtually any other graphical installer on any platform.

    The installer gives you the option of choosing your partitioning scheme, setting up your network, and choosing the individual packages you want installed.

    Desktop Environments

    While some distributions focus on a single desktop environment (DE), openSUSE has options to install KDE, Gnome, and Xfce. With a little effort, users can install almost any other DE.

    openSUSE Installer DEs – Credit The Linux Cast

    What makes openSUSE unique when it comes to DEs is that no single DE ever feels like a second-class citizen. In fact, thanks to the quality of openSUSE and its openQA, every DE is rock-solid and feels like it’s the only DE on the distro.

    It should be noted, however, that contrary to popular opinion, KDE is not the default desktop environment. While that certainly may have been the case at one time, when Novell bought openSUSE, the focus for SLE shifted to Gnome, according to Richard Brown, Linux Distribution Engineer at SUSE. Therefore, it can be argued that openSUSE Tumbleweed does not have a default desktop, treating Gnome, KDE, and Xfce equally. If there were such a thing as a default, it would actually be Gnome, not KDE.

    Security

    Another area where openSUSE shines is security. Tumbleweed is built with a number of hardening options enabled that are usually left off. This results in one of the most secure Linux distros available.

    In fact, using the Lynis security auditing tool — where 70 is considered a passing score — Tumbleweed routinely scores in the upper 80s. In contrast, the next best score I’ve gotten out of the box is Fedora, which only comes in right at 70.

    In Part 2 of this review, we’ll look at openSUSE Patterns, Yast, and how everything comes together.

  • Google Includes Free VPN Access With All Google One Accounts

    Google is now giving all Google One plans free VPN access and has unveiled a tool to monitor personal data on the dark web.

    Google One is the company’s storage subscription, which gives users several tiers to choose from, depending on their needs. The company previously offered its VPN by Google One for free only to its top-tier plans, but is now providing it to all plans, regardless of tier.

    The company made the announcement in a blog post:

    VPN by Google One adds more protection to your internet activity no matter what apps or browsers you use, shielding it from hackers or network operators by masking your IP address. Without a VPN, the sites and apps you visit could use your IP address to track your activity or determine your location. Plus, we take several steps to make sure no one can tie your network traffic to your identity.

    Starting today, and rolling out over the next few weeks, we’re expanding VPN access to all Google One plans, including the Basic plan that starts at $1.99/mo. The VPN will be available in 22 countries across Android, iOS, Windows and Mac devices. You can also share the VPN with up to five others if they’re on your Google One plan.

    The company is also including its dark web report, giving users the ability to see if and when their data is posted on the dark web:

    Google One’s dark web report helps you scan the dark web for your personal info — like your name, address, email, phone number and Social Security number — and will notify you if it’s found. When you enable dark web report, you provide and select the information you’d like to keep an eye on within your monitoring profile. And if any matching info is found on the dark web, we’ll notify you and provide guidance on how you might protect that information. For example, if your Social Security number was found on the dark web, we might suggest you report it as stolen to the government or take steps to protect your credit.

    As we have pointed out before, there’s still the issue of trusting Google as a VPN provider. The company has a long history of privacy abuses, including ignoring users’ preferences regarding tracking and privacy.

    A VPN is only valuable if a user trusts the company providing the service. When the company providing the service primarily makes its money off of user data, it leaves one to wonder just how private their web browsing data will truly be.

    As we have said before, most users would be far better off using Mullvad or NordVPN instead.

  • Google Cloud and MongoDB Expand Their Partnership

    Google Cloud and MongoDB are expanding their partnership in an effort to better support startups.

    Google Cloud is already a popular option among startups and developers. The company is expanding its partnership with MongoDB to provide integrated database and data services.

    As partners, Google Cloud and MongoDB co-engineer streamlined integrations between MongoDB Atlas and many Google Cloud services to make it easier to deploy apps (Dataflow, GKE, Cloud Run), pull in data from other sources (Apigee), run in flexible multi cloud environments (Anthos), easy deployment of MEAN stack, and Terraform and analyze data (BigQuery, Vertex AI).

    Startups will benefit from Google Cloud’s global reach, giving them the ability to expand and scale as needed.

    Signups will also receive significant savings on Google Cloud and Firebase:

    If you’re early in your startup journey and not yet backed with equity funding, you’ll have access to $2,000 of Google Cloud credits. If you are, your first year of Cloud and Firebase usage is covered with credits up to $100,000. Plus, in year two get 20% of Google Cloud and Firebase usage covered, up to an additional $100,000 in credits.

    Similarly, signups will receive free credits for MongoDB:

    Free credits for MongoDB Atlas, including usage of the core Atlas Database, in addition to extended data services for full-text search, data visualization, real-time analytics, building event-driven applications and more to supercharge your data infrastructure

    The expanded partnership looks to be a big win for startups.

  • Southwest Airlines Selects AWS as Preferred Cloud Provider

    Following a tech breakdown in December, Southwest Airlines has selected AWS as its preferred cloud provider.

    Usually among the best airlines for customer service, Southwest experienced a tech breakdown that led to 16,700 flights cancelled in a span of 10 days. Eager to put the issue behind it, the airline is turning to AWS to help it further its digital transformation.

    “As our preferred cloud provider, AWS will offer solutions that are critical in our drive to modernize our operation, equip our employees with the tools they need to serve our customers, and improve our reliability,” said Lauren Woods, senior vice president and chief information officer of Southwest Airlines Co. “With the help of AWS’s leading cloud technology and expertise, we will launch improved digital solutions, responsive customer support, and streamlined operations as we deliver on our digital transformation initiatives.”

    In particular, Southwest hopes the nature of cloud deployments will help it better scale in the future, as well as provide effective ways to deliver next-generation services. This is especially critical since 83% of the company’s revenue comes from its website and app.

    “Southwest Airlines is one of the world’s largest low-cost carriers, operating 4,000 flights daily during peak travel season,” said Matt Garman, senior vice president of Sales, Marketing, and Global Services at AWS. “AWS’s proven experience in the travel industry, coupled with our vast portfolio of cloud technologies, empowers Southwest to increase operational resiliency, drive cost efficiency, and deliver exceptional experiences for its employees and customers. Our shared culture of customer obsession will help Southwest innovate new travel solutions that will enhance customer touchpoints, flight operations, and airplane and crew scheduling, to keep air travel affordable and enjoyable for passengers.”

  • Senators Introduce Bipartisan Bill Taking Aim at TikTok & Foreign Tech

    A bipartisan bill has been introduced to the Senate, one that would take a comprehensive approach to foreign tech.

    Concerns have been growing about TikTok and the threat it poses to privacy and security. In addition to TikTok, US officials remain concerned about Huawei, ZTE, and a host of other companies that could pose a threat to national security.

    Senators Mark R. Warner and John Thune led a bipartisan group of 12 senators in introducing the Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act.

    “Today, the threat that everyone is talking about is TikTok, and how it could enable surveillance by the Chinese Communist Party, or facilitate the spread of malign influence campaigns in the U.S. Before TikTok, however, it was Huawei and ZTE, which threatened our nation’s telecommunications networks. And before that, it was Russia’s Kaspersky Lab, which threatened the security of government and corporate devices,” said Sen. Warner. “We need a comprehensive, risk-based approach that proactively tackles sources of potentially dangerous technology before they gain a foothold in America, so we aren’t playing Whac-A-Mole and scrambling to catch up once they’re already ubiquitous.”

    “Congress needs to stop taking a piecemeal approach when it comes to technology from adversarial nations that pose national security risks,” said Sen. Thune. “Our country needs a process in place to address these risks, which is why I’m pleased to work with Senator Warner to establish a holistic, methodical approach to address the threats posed by technology platforms – like TikTok – from foreign adversaries. This bipartisan legislation would take a necessary step to ensure consumers’ information and our communications technology infrastructure is secure.”

    The new legislation would give the Secretary of Commerce the authority to crack down on any information or communications tech developed by a foreign company “in which any foreign adversary has any interest and poses undue or unacceptable risk to national security.”

    The bill would also prioritize communications and tech that constitutes “critical infrastructure,” as well as enable the Commerce Secretary to take comprehensive action, including educating the public and businesses about potential security threats from foreign tech.

    “We need to protect Americans’ data and keep our country safe against today and tomorrow’s threats. While many of these foreign-owned technology products and social media platforms like TikTok are extremely popular, we also know these products can pose a grave danger to Wisconsin’s users and threaten our national security,” said Sen. Baldwin. “This bipartisan legislation will empower us to respond to our fast-changing environment – giving the United States the tools it needs to assess and act on current and future threats that foreign-owned technologies pose to Wisconsinites and our national security.”

    “There are a host of dangerous technology platforms – including TikTok – that can be manipulated by China and other foreign adversaries to threaten U.S. national security and abuse Americans’ personal data. I’m proud to join Senator Warner in introducing bipartisan legislation that would put an end to disjointed interagency responses and strengthen the federal government’s ability to counter these digital threats,” said Sen. Fischer.

  • Acer Suffers Data Breach, 160GB of Data For Sale Online

    Acer has confirmed a data breach, one that has resulted in 160GB of data being posted for sale online.

    According to BleepingComputer, bad actors compromised “a server hosting private documents used by repair technicians.” The data, some 160GB worth, was allegedly stolen in mid-February and has since been posted for sale on a popular hacking forum.

    Acer confirmed the breach in a statement to BleepingComputer:

    “We have recently detected an incident of unauthorized access to one of our document servers for repair technicians.

    “While our investigation is ongoing, there is currently no indication that any consumer data was stored on that server.” – Acer.

    Hopefully, Acer’s initial evaluation will prove true. Unfortunately, not only have major data breaches been on the rise, but it’s becoming far more common for initial investigations to reveal only half the story, with subsequent investigations showing the scope of the breaches to be far greater than originally thought.

    For now, anyway, customers appear to have dodged the bullet. We will continue to monitor and update as more details become available.